Project: openssl-static-gcc-dwarf 3.4.0
File: openssl
Address: 0063a0a0
rsa_ossl_private_encrypt
SVG:
dark https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F0063a0a0.json&colors=dark
light https://tmr232.github.io/function-graph-overview/render/?graph=https%3A%2F%2Fraw.githubusercontent.com%2Fv-p-b%2Fghidra-function-graph-datasets%2Frefs%2Fheads%2Fmain%2F%2Fopenssl-static-gcc-dwarf%2F0063a0a0.json&colors=light
Given that the web server on an ICS runs as the limited nr user, both the Ivanti and the Mandiant advisory are missing any indication whatsoever how the threat actors are gaining root privileges.
I've reported 4 different ICS LPEs to Ivanti recently, but none of them have been fixed yet.
Back in the CVE-2025-0282 days, Ivanti made up a CVE-2025-0283 CVE to capture the LPE aspect of attacks happening in the wild. I say "made up" because I've seen no evidence whatsoever that any LPE was fixed between 22.7R2.5 and 22.7R2.6.
Knowing what's going on in an ICS device is a huge blind spot, but apparently seeing how attackers are LPE'ing is even blind-er.
Ivanti CVE-2025-22457 is being exploited ITW.
https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457
Per Mandiant:
We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.
Gee, who could have imagined that attackers are looking at patches?
1) This apparently was silently fixed for ICS in 22.7R2.6, as the fix for this was released in February. Per Ivanti, the buffer overflow was considered a "product bug" at that time, as opposed to a vulnerability. Ivanti Policy Secure and ZTA gateways are expected to receive a patch in late April.
2) The advisory still conveys the magical thinking that if your device shows signs of compromise, then you should perform a "factory reset." This is magical in that the ICT won't catch a compromise, nor will the "factory reset" reset to factory condition if the attacker is bothering to try.
While Mandiant also parrots the magical thinking of running the ICT tool, which I guess is the best advice if you're not going to throw the device in the trash since there isn't an official integrity checking tool that is sound, they do throw out a tidbit of:
... and conduct anomaly detection of client TLS certificates presented to the appliance.
Bets on whether CVE-2025-22457 is an overflow in the handling of a field in a client-provided certificate?
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/
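The Mandiant tidbit quoted above ("conduct anomaly detection of client TLS certificates presented to the appliance") is the one concrete detection lead in the post. The script below is an added example, not code from the post, from Ivanti or from Mandiant: it parses a constructed client-certificate log format (the field names and the `client_cert` record type are assumptions for the example; Ivanti Connect Secure does not necessarily log these fields) and flags presented certificates with an issuer outside an allowlist, an unusually long subject DN, or an unusually large SAN count. It makes no claim about where the actual CVE-2025-22457 overflow lives.

```python
"""Toy anomaly check over client TLS certificate log records.

Added example. The log format below is constructed for this example and is
not Ivanti's or any other vendor's real format.
"""
import re
from dataclasses import dataclass

# Assumed record shape (constructed):
#   <ts> client_cert src=<ip> issuer="<dn>" subject="<dn>" san_count=<n>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client_cert src=(?P<src>\S+) '
    r'issuer="(?P<issuer>[^"]*)" subject="(?P<subject>[^"]*)" '
    r'san_count=(?P<san>\d+)$'
)

# Allowlist of issuers we expect to see on a corporate VPN appliance (assumed).
TRUSTED_ISSUERS = frozenset({"CN=Corp Issuing CA"})

# Constructed sample: two normal certs, one unrelated line, one cert with an
# oversized subject DN, one self-issued cert with an excessive SAN count.
LONG_SUBJECT = "CN=" + "A" * 600
SAMPLE_LOG = "\n".join([
    '2025-04-03T10:00:01Z client_cert src=203.0.113.5 issuer="CN=Corp Issuing CA" '
    'subject="CN=alice,OU=staff" san_count=1',
    '2025-04-03T10:00:02Z client_cert src=203.0.113.6 issuer="CN=Corp Issuing CA" '
    'subject="CN=bob,OU=staff" san_count=2',
    '2025-04-03T10:00:03Z some_other_event foo=bar',
    f'2025-04-03T10:00:09Z client_cert src=198.51.100.77 issuer="CN=Corp Issuing CA" '
    f'subject="{LONG_SUBJECT}" san_count=1',
    '2025-04-03T10:00:10Z client_cert src=198.51.100.78 issuer="CN=Self" '
    'subject="CN=x" san_count=40',
])


@dataclass
class CertEvent:
    ts: str
    src: str
    issuer: str
    subject: str
    san_count: int


def parse_log(text: str) -> list[CertEvent]:
    """Return the client_cert records in `text`; other record types are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(CertEvent(m["ts"], m["src"], m["issuer"],
                                m["subject"], int(m["san"])))
    return events


def find_anomalies(events, trusted_issuers=TRUSTED_ISSUERS,
                   max_subject_len=256, max_san=10):
    """Return [(src, [reason, ...]), ...] for certificates that look abnormal.

    Thresholds are illustrative; tune them from a baseline of your own traffic.
    """
    findings = []
    for e in events:
        reasons = []
        if e.issuer not in trusted_issuers:
            reasons.append(f"untrusted issuer {e.issuer!r}")
        if len(e.subject) > max_subject_len:
            reasons.append(f"subject length {len(e.subject)} > {max_subject_len}")
        if e.san_count > max_san:
            reasons.append(f"san_count {e.san_count} > {max_san}")
        if reasons:
            findings.append((e.src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(src, "->", "; ".join(reasons))
```

The check is deliberately stateless: each record is judged against fixed thresholds and an issuer allowlist, which is enough to surface the two constructed outliers. In production you would derive the thresholds from a baseline window of legitimate client certificates and alert on deviations from that baseline rather than on hard-coded limits.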
66 weeks in a row...whatchu know about it. THE vuln research newsletter out NOW
MCPGhidra from @lauriewired
@u1f383 talks DirtyCOW
Mitigations galore with @standa_t and @slowerzs
XSS -> RCE with @chudypb and @watchtowrcyber
+ Jobs and MORE
If I am looking at steampunk stuff you bet your ass I'm checking to make sure they haven't just gone 'fuck it, who cares if cogs can turn anyway'
I DO, KEVIN. I CARE.
Frida 16.7.0 is out w/ brand new APIs for observing the lifecycles of threads and modules, a profiler, multiple samplers for measuring cycles/time/etc., MemoryAccessMonitor providing access to thread ID and registers, and more: https://frida.re/news/2025/03/13/frida-16-7-0-released/
Go hack some more Ivanti shit. Someone else already has been.
sev:CRIT 9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
https://nvd.nist.gov/vuln/detail/CVE-2025-22457
Edit to add:
We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receive code support or changes.
#NotepadPlusPlus v8.7.9 released.
The author is totally my spirit animal.
#mac #windows #freeware
https://notepad-plus-plus.org/news/v879-we-are-with-ukraine/
Edit: we is fedi-trending, guyzz!
Trend Micro released an advisory for Trend Vision One. There are five CVEs for broken access control and one for HTML injection.
https://success.trendmicro.com/en-US/solution/KA-0019386
CVE-2025-31282, CVE-2025-31283, CVE-2025-31284, CVE-2025-31285: Broken Access Control Vulnerabilities
CVE-2025-31286: HTML Injection Vulnerability