A critical vulnerability in WatchGuard Firebox firewalls could allow attackers to gain complete administrative access to the devices without any authentication.
The flaw, tracked as CVE-2025-59396, stems from insecure default configurations that expose SSH access on port 4118 using hardcoded credentials.
WatchGuard Firebox appliances, as shipped through September 10, 2025, carry default SSH credentials (admin:readwrite) that remain usable on port 4118.
This means that any attacker with network access to the device can remotely connect and gain full administrative privileges.
The vulnerability requires no special exploit tools; simple SSH clients like PuTTY are sufficient to establish a connection.
According to the advisory released on GitHub, there is a dangerous misconfiguration that affects the entire Firebox firewall series.
CVE ID: CVE-2025-59396
Vendor: WatchGuard
Product: Firebox Series
Affected Component: SSH Service (Port 4118)
Attack Vector: Remote unauthenticated access
CVSS Impacts: RCE, Privilege Escalation, Information Disclosure
An unauthenticated remote attacker can retrieve sensitive network information, including ARP tables, network configurations, and user account details. They can also access feature keys and device location data.
More critically, attackers can modify or disable firewall rules and security policies, effectively switching off the network's protections.
This opens the door to lateral movement throughout the internal network, allowing attackers to spread to other systems and exfiltrate valuable data.
In worst-case scenarios, attackers could completely interrupt network services or shut down critical infrastructure protected by the firewall.
Organizations using WatchGuard Firebox devices should check their configurations immediately and change the default SSH credentials if they have not already been modified.
WatchGuard administrators should also restrict SSH access on port 4118 if not required, or limit it to authorized IP addresses only.
Check WatchGuard’s security advisories for firmware patches and follow their remediation guidance. This vulnerability highlights the persistent threat posed by default credentials in network security appliances.
Firewall devices, by their nature, protect critical network infrastructure; leaving them exposed with default passwords essentially defeats their entire purpose.
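As an added illustration of the first two recommendations, and not code from the advisory or from WatchGuard, the Python script below probes a list of hosts for an SSH service on the port 4118 named above and records the banner each one presents, so an administrator can enumerate which appliances still expose the management port. It deliberately does not try the default login (that would need an SSH client library such as paramiko); the loopback listener at the bottom is a constructed stand-in for an exposed appliance so the script runs offline.

```python
"""Added example: audit helper for SSH exposure on the Firebox
management port. Only the port number comes from the advisory; the
probe logic and the fake server are this illustration's own."""
import socket
import threading

FIREBOX_SSH_PORT = 4118  # port named in the advisory


def parse_ssh_banner(raw: bytes):
    """Return (protocol_version, software) from an SSH identification
    string such as b'SSH-2.0-OpenSSH_7.4\\r\\n' (RFC 4253 section 4.2),
    or None when the peer is not speaking SSH."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return None
    parts = line.decode("ascii", errors="replace").split("-", 2)
    if len(parts) < 3:
        return None
    # The software field may carry a space-separated comment; drop it.
    return parts[1], parts[2].split(" ", 1)[0]


def probe_ssh(host: str, port: int = FIREBOX_SSH_PORT, timeout: float = 3.0) -> dict:
    """Connect to host:port, read the server's identification string and
    classify the exposure. Any socket error counts as 'not reachable'."""
    result = {"host": host, "port": port, "reachable": False, "ssh": False,
              "version": None, "software": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.settimeout(timeout)
            banner = s.recv(256)
    except OSError:
        return result
    parsed = parse_ssh_banner(banner)
    if parsed:
        result["ssh"] = True
        result["version"], result["software"] = parsed
    return result


def audit(hosts, port=FIREBOX_SSH_PORT, timeout=3.0):
    """Probe every host and return only those that answer with SSH."""
    return [r for r in (probe_ssh(h, port, timeout) for h in hosts) if r["ssh"]]


def start_fake_ssh_server(banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> int:
    """Constructed stand-in for an exposed appliance: a loopback listener
    that sends one banner per connection. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed listener; in practice pass real
    # management addresses and leave port at FIREBOX_SSH_PORT.
    demo_port = start_fake_ssh_server()
    for finding in audit(["127.0.0.1"], port=demo_port):
        print(f"{finding['host']}:{finding['port']} exposes SSH "
              f"({finding['software']}); confirm the default login was changed")
```

Hosts that appear in the output are the ones to fix first: change the credentials, then restrict or disable the service as described above.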
Email-based threats have reached a critical inflection point in the third quarter of 2025.
Threat actors are systematically exploiting weaknesses in traditional email security defenses by targeting the world’s two largest email ecosystems: Microsoft Outlook and Google Gmail.
The Q3 Email Threat Trends Report reveals that over 90 percent of phishing attacks now concentrate on these two platforms, signaling a deliberate shift in attacker strategy toward high-value targets.
The scale of this campaign is staggering. VIPRE security researchers analyzed 1.8 billion emails across the quarter and identified 26 million more malicious messages compared to the same period last year—a 13 percent year-over-year increase.
What’s particularly alarming is that attackers are no longer relying on sophisticated malware alone. Instead, they are weaponizing simplicity itself, leveraging everyday methods in extraordinarily clever ways to slip past conventional security layers.
The attack landscape has fundamentally shifted. Malicious emails are now evenly split between content-based threats and link-based attacks, each accounting for approximately 48 to 52 percent of detected threats.
More concerning is that 148,000 previously unknown malicious attachments bypassed traditional filters during the quarter, caught only through advanced sandboxing techniques.
Additionally, VIPRE detected over 67,000 malicious links that had never been encountered before, underscoring the continuous evolution of threat delivery mechanisms.
VIPRE security analysts identified a sophisticated evasion pattern emerging across these campaigns.
Threat actors are using compromised legitimate URLs and open redirect techniques to mask their malicious landing pages.
Approximately 79.4 percent of phishing URLs exploit compromised websites rather than newly registered domains, allowing attackers to inherit the reputation scores of legitimate enterprises.
When a user clicks what appears to be a trusted link originating from a known organization, they are silently redirected to a credential harvesting page.
This technique defeats email security tools that scan only the top-level URL without analyzing full request chains.
The targeting of Outlook and Google represents a calculated business decision by attackers. Both platforms host massive enterprise and personal user bases, making them high-probability targets for credential theft and business email compromise attacks.
By focusing on these two ecosystems, threat actors eliminate the need for platform-specific customization while maximizing potential returns on their operational investment.
Infection mechanism
The infection mechanism employed in these campaigns typically begins with social engineering.
Phishing attachments predominantly consist of PDF files, which represent 75 percent of all malicious attachments.
These documents are universally trusted as legitimate business correspondence, providing the perfect trojan horse for initial compromise.
Upon opening, users encounter fake login screens or requests for credential verification, often disguised as urgent security alerts or account verification requirements specific to their email provider.
Persistence tactics have evolved beyond traditional malware installation. Instead of establishing persistence through system-level modifications, attackers now focus on account takeover through credential harvesting.
Once email credentials are compromised, attackers gain persistent access to both the inbox and connected cloud services, enabling lateral movement through organizational networks.
Detection evasion remains central to these attacks. By splitting multi-step redirect chains across parent URLs and landing pages, attackers ensure that security scanners analyzing individual components miss the complete attack chain.
When combined with the 60 percent surge in commercial spam creating background noise, the distinction between legitimate and malicious messages becomes increasingly difficult for both automated systems and human operators to identify.
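The compromised-URL redirect described earlier (a trusted link that bounces to a harvesting page) and the split redirect chains described just above are two views of the same weakness: a scanner that judges only the visible URL never sees where the link lands. The Python analyser below is an added example, not VIPRE's tooling, that follows a chain hop by hop and compares the starting host with the landing host. The `fetch` function is injected so the constructed chain runs offline; in production it would issue an HTTP request without auto-following redirects and return the status code and Location header.

```python
"""Added example: redirect-chain analysis versus top-level-URL checking.
All URLs, hosts and responses below are constructed for illustration."""
from urllib.parse import parse_qs, urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def embedded_urls(url):
    """Absolute URLs carried inside query-string values, the shape an
    open-redirect abuse takes (/redirect?url=https://other-host/...)."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            parsed = urlparse(value)
            if parsed.scheme in ("http", "https") and parsed.netloc:
                found.append(value)
    return found


def resolve_chain(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects manually. fetch(url) -> (status, location or None).
    Returns every URL visited, first to last; stops on a non-redirect
    status, a missing Location, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def top_level_only(url, trusted_hosts):
    """What the weak scanner does: judge the visible URL's host alone."""
    return urlparse(url).hostname in trusted_hosts


def assess(url, fetch, trusted_hosts):
    """Chain-aware verdict: a link that starts on a trusted host but lands
    on a different host is flagged regardless of the first hop's reputation."""
    chain = resolve_chain(url, fetch)
    first = urlparse(chain[0]).hostname
    last = urlparse(chain[-1]).hostname
    flagged = first in trusted_hosts and last != first
    return {"chain": chain, "hops": len(chain) - 1, "landing_host": last,
            "embedded_urls": embedded_urls(url), "flagged": flagged}


# Constructed: a compromised page on a trusted domain bouncing to a
# credential-harvesting host, plus a benign document on the same domain.
TRUSTED_HOSTS = {"www.example-corp.com"}
PHISH_URL = "https://www.example-corp.com/redirect?url=https://sharepoint-login.example.net/auth"
BENIGN_URL = "https://www.example-corp.com/report.pdf"
CONSTRUCTED_RESPONSES = {
    PHISH_URL: (302, "https://sharepoint-login.example.net/auth"),
    "https://sharepoint-login.example.net/auth": (302, "/login?session=1"),
    "https://sharepoint-login.example.net/login?session=1": (200, None),
    BENIGN_URL: (200, None),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client that does not follow redirects."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        print("top-level-only verdict:", "allow" if top_level_only(url, TRUSTED_HOSTS) else "block")
        print("chain-aware verdict:  ", assess(url, fake_fetch, TRUSTED_HOSTS))
```

Run as-is, the phishing link is allowed by the top-level check and flagged by the chain-aware one; the benign document passes both. A real deployment would also record every intermediate host, since the parent URL and the landing page are scored separately by the scanners this technique is built to defeat.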
Zoom has issued multiple security bulletins detailing patches for several vulnerabilities affecting its Workplace applications.
The disclosures, published today, highlight two high-severity issues alongside medium-rated flaws, underscoring the ongoing challenges in securing video conferencing tools used by millions in hybrid work environments.
These updates come as cybersecurity experts warn of increasing exploitation attempts on collaboration software, potentially exposing users to unauthorized access and system disruptions.
Zoom Security Vulnerabilities
The most pressing concerns stem from ZSB-25043 and ZSB-25042, both rated high severity. In Zoom Workplace for Android, an improper authorization handling flaw (CVE-2025-64741) could enable attackers to bypass access controls, allowing unauthorized actions within the app, such as joining meetings without permission or accessing sensitive session data.
This vulnerability affects Android versions prior to the latest patch, where flawed permission checks might let malicious actors manipulate user privileges over the network.
Similarly, the Zoom Workplace VDI Client for Windows suffers from improper verification of cryptographic signatures (CVE-2025-64740), opening doors to attacks like accepting tampered updates or intercepting communications.
Security researchers note that such signature validation failures have historically led to supply chain compromises, where attackers inject malware into legitimate-looking software distributions.
Complementing these are two medium-severity path manipulation vulnerabilities. ZSB-25041 impacts various Zoom Clients with external control of file name or path (CVE-2025-64739), potentially allowing adversaries to redirect file operations to unintended locations, risking data leakage or arbitrary code execution if exploited in tandem with other flaws.
A parallel issue in Zoom Workplace for macOS (ZSB-25040, CVE-2025-64738) shares this risk, where attackers could leverage crafted inputs to traverse directories and overwrite critical files.
These path traversal bugs echo common web app weaknesses but are adapted for desktop clients, emphasizing the need for robust input sanitization in cross-platform tools.
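To make the point about input sanitization concrete, here is an added example (not Zoom's code) of the difference between joining an externally supplied file name onto a directory as-is, the class of bug the two advisories above describe, and confining it. Function names and sample inputs are constructed; the base directory does not need to exist. Both Windows and POSIX path forms are checked because the affected clients span both platforms.

```python
"""Added example: confining an externally controlled file name to a
base directory (CWE-73 style 'external control of file name or path').
Names and inputs are constructed for illustration."""
from pathlib import Path, PurePosixPath, PureWindowsPath

_BAD_PARTS = {"", ".", ".."}


def naive_target(base, name):
    """'Before': trusts the name. '../' sequences, absolute paths and
    drive or UNC prefixes all land outside the base directory."""
    return (Path(base) / name).resolve()


def confined_target(base, name):
    """'After': returns the resolved target path, or raises ValueError
    when the name would land outside base."""
    if "\x00" in name:
        raise ValueError("NUL in file name")
    win = PureWindowsPath(name)
    if PurePosixPath(name).is_absolute() or win.is_absolute() or win.drive:
        raise ValueError("absolute path, drive or UNC prefix rejected")
    # Treat both separators as separators so '..\\' is not missed on POSIX.
    parts = name.replace("\\", "/").split("/")
    if any(p in _BAD_PARTS for p in parts):
        raise ValueError("empty, '.' or '..' component rejected")
    base_dir = Path(base).resolve()
    # resolve() follows symlinks, so a link inside base that points out
    # of it is caught by the containment check below.
    target = base_dir.joinpath(*parts).resolve()
    if base_dir not in target.parents:
        raise ValueError("resolved path escapes base")
    return target


def escapes(base, name):
    """True when the naive join lands outside base: the defect in one line."""
    return Path(base).resolve() not in naive_target(base, name).parents


def is_confined(base, name):
    """Boolean wrapper around confined_target for quick checks."""
    try:
        confined_target(base, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("report.pdf", "2025/q3/report.pdf", "../../etc/passwd",
                 "..\\..\\Windows\\win.ini", "/etc/passwd", "C:\\Windows\\win.ini"):
        print(f"{name!r:32} naive escapes={escapes('downloads', name)!s:5} "
              f"confined accepts={is_confined('downloads', name)}")
```

Rejecting rather than rewriting a bad name is deliberate: silently stripping `..` components produces a different file than the caller asked for and hides the attempt from logs.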
Rounding out the bulletins is ZSB-25015, an updated advisory from April 2025, now covering null pointer dereferences in Zoom Workplace Apps for Windows (CVE-2025-30670 and CVE-2025-30671).
Initially published on April 8 and revised on November 10, this medium-severity issue could cause application crashes or denial-of-service conditions when the software mishandles null references during processing.
While not directly exploitable for code execution, it highlights persistent stability concerns in Windows environments, where repeated crashes might disrupt business operations.
Zoom urges immediate updates to the latest versions across affected platforms, including Android, Windows, macOS, and VDI clients, to mitigate these risks.
The company maintains its policy of not disclosing exploitation details, focusing instead on rapid patching, but independent analyses suggest these flaws could be chained for broader impacts like privilege escalation in enterprise settings.
As remote work persists, organizations should prioritize patch management, enable multi-factor authentication, and monitor for anomalous app behavior.
This wave of bulletins follows a pattern of frequent Zoom updates throughout 2025, addressing over a dozen vulnerabilities since August, including critical untrusted search path issues.
With CVEs assigned today, the National Vulnerability Database is expected to provide further scoring soon, but early assessments peg the high-severity flaws at CVSS scores above 7.5. For users, the message is clear: timely updates remain the frontline defense against evolving threats in unified communications platforms.
SAP released its monthly Security Patch Day updates, addressing 18 new security notes and providing two updates to existing ones, focusing on vulnerabilities that could enable remote code execution and various injection attacks across its product ecosystem.
These patches are crucial for enterprises relying on SAP systems, as unpatched flaws could expose sensitive data and operational disruptions to threat actors.
SAP urges customers to prioritize applying these fixes via the Support Portal to safeguard their landscapes from potential exploits.
Critical Vulnerabilities Patched
Among the most severe issues is CVE-2025-42890 in SQL Anywhere Monitor (Non-GUI), version 17.0, which stems from insecure key and secret management practices.
This critical vulnerability, scored at CVSS 10.0, allows unauthenticated attackers over the network to compromise confidentiality, integrity, and availability with high impact, potentially leading to full system takeover through exposed credentials.
Similarly, an update to CVE-2025-42944 in SAP NetWeaver AS Java (SERVERCORE 7.50) reinforces protections against insecure deserialization, maintaining its CVSS 10.0 rating and enabling unauthenticated remote code execution via malicious payloads.
Security experts highlight that such deserialization flaws have been exploited in the wild, underscoring the urgency for immediate patching.
Another high-impact flaw, CVE-2025-42887 in SAP Solution Manager (ST 720), introduces a code injection vulnerability exploitable by authenticated users with low privileges, earning a CVSS score of 9.9.
Attackers could leverage this to achieve cross-scope escalation, executing arbitrary code and disrupting core business functions. This aligns with broader trends in SAP vulnerabilities where injection attacks target foundational components, amplifying risks in enterprise environments.
The patch day also tackles multiple injection-related issues at medium severity, including CVE-2025-42892 for OS command injection in SAP Business Connector (version 4.8), CVSS 6.8, which could allow high-privileged adjacent attackers to run unauthorized commands.
CVE-2025-42884 involves JNDI injection in SAP NetWeaver Enterprise Portal (EP-BASIS 7.50), potentially leading to unauthorized lookups and data leaks, rated at CVSS 6.5.
Additionally, CVE-2025-42889 addresses SQL injection in SAP Starter Solution (PL SAFT) across various versions, enabling low-privileged users to manipulate database queries.
High-severity notes include CVE-2025-42940, a memory corruption issue in SAP CommonCryptoLib (version 8) with CVSS 7.5, which could cause denial-of-service without authentication.
Medium-priority fixes cover path traversal (CVE-2025-42894), open redirects (CVE-2025-42924), reflected XSS (CVE-2025-42886), and missing authentication (CVE-2025-42885) in components like SAP HANA 2.0 and Business One. Lower-severity updates address missing authorizations and cache poisoning in S/4HANA and Fiori.
SAP November 2025 Vulnerability Details
The following table summarizes the 18 new and 2 updated security notes from SAP’s November 2025 Patch Day, including note numbers, associated CVEs, vulnerability titles, affected products, versions, priorities, and CVSS v3.0 scores.
These vulnerabilities highlight ongoing challenges in SAP’s legacy and modern stacks, where code execution paths remain prime targets for advanced persistent threats.
Enterprises should conduct vulnerability scans, segment networks, and test patches in staging before production rollout to mitigate risks. By addressing these flaws promptly, organizations can maintain resilience against evolving cyber threats in mission-critical SAP deployments.
Google Mandiant has disclosed active exploitation of CVE-2025-12480, a critical unauthenticated access vulnerability in Gladinet’s Triofox file-sharing platform.
The threat cluster tracked as UNC6485 has been weaponizing this flaw since August 2025 to gain unauthorized administrative access and establish persistent remote control over compromised systems.
The vulnerability stems from improper access control validation in Triofox versions 16.4.10317.56372 and earlier.
CVE ID: CVE-2025-12480
Vendor: Gladinet
Product: Triofox
Vulnerability Type: Unauthenticated Access Control / Host Header Injection
Severity: Critical
CVSS Score: 9.8 (estimated)
Threat Actors Leverage the HTTP Host Header Attack
Attackers exploit an HTTP host header injection technique, modifying the Host header to “localhost” to bypass authentication checks and access the sensitive AdminDatabase.aspx configuration page.
This page typically displays only during initial setup. However, it becomes exposed when the authentication function CanRunCriticalPage() fails to validate the request origin properly.
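The following is an added example, not Gladinet's code, showing the shape of the check just described: a version that trusts the client-supplied Host header beside one that does not, plus a log filter for requests that fit the bypass. The function names, request dictionaries and log lines are constructed; only the page name and the "Host: localhost" trick come from the report.

```python
"""Added example: Host-header trust, vulnerable and corrected, with a
detection filter. Everything here is constructed for illustration."""

CRITICAL_PAGE = "/AdminDatabase.aspx"  # page named in the report
LOOPBACK = ("127.0.0.1", "::1")


def can_run_critical_page_vulnerable(request, setup_completed):
    """Treats a request as local when the Host header says so. Host is
    chosen by the client, so curl -H 'Host: localhost' passes from anywhere."""
    if not setup_completed:
        return True
    host = request["headers"].get("Host", "").split(":")[0].lower()
    return host == "localhost"


def can_run_critical_page_fixed(request, setup_completed):
    """Never derives trust from Host. Before setup finishes, require the
    socket peer itself to be loopback (behind a reverse proxy the peer is
    the proxy, so that case needs proxy-side restrictions too); afterwards,
    require an authenticated administrator session."""
    if not setup_completed:
        return request["remote_addr"] in LOOPBACK
    return request.get("session", {}).get("role") == "admin"


def suspicious_requests(log_lines):
    """Filter constructed W3C-style lines (fields: date time c-ip
    cs-method cs-uri-stem cs-host sc-status) for hits on the critical page
    where the Host header claims localhost but the client IP is not
    loopback, i.e. the bypass pattern."""
    hits = []
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue
        date, time, c_ip, _method, uri, cs_host, status = line.split()[:7]
        if (uri.lower() == CRITICAL_PAGE.lower()
                and cs_host.split(":")[0].lower() == "localhost"
                and c_ip not in LOOPBACK):
            hits.append({"time": f"{date} {time}", "client": c_ip, "status": status})
    return hits


# Constructed requests: an external client spoofing Host, and a real admin.
SPOOFED = {"remote_addr": "203.0.113.5",
           "headers": {"Host": "localhost"}, "session": {}}
ADMIN = {"remote_addr": "198.51.100.7",
         "headers": {"Host": "files.example.com"}, "session": {"role": "admin"}}

# Constructed log excerpt in the field order documented in suspicious_requests().
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 03:12:01 203.0.113.5 GET /AdminDatabase.aspx localhost 200
2025-08-24 03:12:09 203.0.113.5 POST /AdminDatabase.aspx localhost 302
2025-08-24 09:00:00 198.51.100.7 GET /portal/default.aspx files.example.com 200
2025-08-24 09:05:30 127.0.0.1 GET /AdminDatabase.aspx localhost 200
""".splitlines()

if __name__ == "__main__":
    print("vulnerable check admits spoofed request:",
          can_run_critical_page_vulnerable(SPOOFED, setup_completed=True))
    print("fixed check admits spoofed request:    ",
          can_run_critical_page_fixed(SPOOFED, setup_completed=True))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("bypass pattern:", hit)
```

The log filter needs the server to record the Host header; if your web server's log format omits that field, add it before relying on this kind of rule.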
Once on the setup page, attackers create new administrative accounts and escalate privileges within the application.
The exploitation chain becomes particularly dangerous when combined with a misconfiguration of Triofox’s built-in anti-virus feature.
Attackers can set an arbitrary executable path for the anti-virus scanner, which Triofox then runs under the SYSTEM account, the highest privilege level in Windows environments.
Antivirus Feature Misconfiguration
In documented attacks, threat actors uploaded malicious batch scripts to published file shares, then configured them as the anti-virus engine path.
When files are uploaded to the share, the malicious script executes automatically with SYSTEM privileges, enabling complete system compromise. Post-exploitation activities reveal the severity of these breaches.
Attackers deployed Zoho Unified Endpoint Management agents, followed by AnyDesk. They also used renamed copies of Plink, PuTTY’s command-line SSH client, to establish encrypted SSH reverse tunnels to command-and-control servers.
This infrastructure enabled attackers to forward RDP traffic over encrypted channels, maintaining persistent remote desktop access while evading network-based detection systems.
Mandiant successfully contained the affected environment within 16 minutes of alert detection, leveraging Google Security Operations’ composite detection capabilities.
Gladinet released a patched version 16.7.10368.56560 addressing the vulnerability.
Mandiant recommends immediate upgrades across all affected deployments, comprehensive audits of administrative accounts, verification that the anti-virus engine setting points only to authorized binaries, and monitoring for anomalous outbound SSH tunnel traffic that could indicate compromise or lateral movement within enterprise networks.
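As an added example of the anti-virus engine check, and not Gladinet's or Mandiant's code, the function below accepts a configured scanner path only if it is an exact allowlisted executable that does not live under a published share and is not a script the interpreter would run. The allowlist, share roots and sample paths are constructed; reading the live setting out of Triofox's configuration is outside what this page describes and is left to the operator.

```python
"""Added example: validating the configured anti-virus engine path.
Allowlist, share roots and sample paths are constructed."""
from pathlib import PureWindowsPath

# Extensions that hand control to a script interpreter rather than a scanner.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf"}

# Constructed policy: the one engine binary we allow, and where user
# uploads land (anything there is attacker-writable by definition).
ALLOWED_ENGINES = ["C:\\Program Files\\Windows Defender\\MpCmdRun.exe"]
SHARE_ROOTS = ["C:\\Triofox\\Shares"]


def _norm(path):
    """Case-insensitive, separator-normalised form for comparisons."""
    return str(PureWindowsPath(path)).lower()


def _is_under(path, root):
    p, r = PureWindowsPath(_norm(path)), PureWindowsPath(_norm(root))
    return r == p or r in p.parents


def check_av_engine_path(configured, allowlist=ALLOWED_ENGINES, share_roots=SHARE_ROOTS):
    """Return (ok, reason). ok is True only for an exact allowlisted binary;
    exact matching also defeats '..' tricks inside the configured string."""
    p = PureWindowsPath(configured)
    if not p.is_absolute() or not p.drive:
        return False, "path is not an absolute drive path"
    if p.suffix.lower() in SCRIPT_SUFFIXES:
        return False, f"script interpreter target ({p.suffix.lower()})"
    for root in share_roots:
        if _is_under(configured, root):
            return False, f"located under published share {root}"
    if _norm(configured) not in {_norm(a) for a in allowlist}:
        return False, "not on the engine allowlist"
    return True, "allowlisted engine"


if __name__ == "__main__":
    for candidate in ("C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
                      "C:\\Triofox\\Shares\\public\\update.bat",
                      "C:\\Triofox\\Shares\\public\\scan.exe",
                      "\\\\fileserver\\public\\scan.exe",
                      "scan.exe"):
        print(f"{candidate:55} -> {check_av_engine_path(candidate)}")
```

A scheduled job that reads the configured engine path and runs it through this check, alerting on any result other than "allowlisted engine", turns the recommendation above into something that fires before the next upload triggers the scanner.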