A critical vulnerability in the Linux kernel’s netfilter subsystem has been discovered that allows local attackers to escalate privileges through an out-of-bounds write condition. The flaw, identified as CVE-2024-53141, affects the ipset bitmap functionality and could enable unprivileged users to gain root access on vulnerable systems. CVE ID CVE-2024-53141 Affected Versions Up to commit 041bd1e4 in Torvalds’s Linux […]
Over 1,000 exposed and unpatched N-able N-central Remote Monitoring and Management (RMM) servers are vulnerable to two newly disclosed zero-day vulnerabilities – CVE-2025-8875 and CVE-2025-8876.
As of August 15, 2025, exactly 1,077 unique IPs have been identified as running outdated N-central versions, presenting a significant risk to managed service providers (MSPs) and their clients.
These vulnerabilities are now tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, underlining their severity.
The Shadowserver Foundation scan data reveals that unpatched servers are concentrated in the United States (440 IPs), Canada (112 IPs), the Netherlands (110 IPs), and the United Kingdom (98 IPs), with additional exposed instances found in Australia and South Africa.
Top affected countries
N-able N-central Vulnerabilities
Both vulnerabilities affect HTTP-accessible N-central deployments and remain exploitable until administrators apply the newly released version 2025.3.1 security patch.
CVE-2025-8875 and CVE-2025-8876 are classified as authentication-required RCE (Remote Code Execution) vulnerabilities.
While authentication limits initial attack vectors, threat actors who obtain credentials—through phishing or prior compromises—can exploit these flaws to execute arbitrary commands, escalate privileges, and potentially pivot within MSP-managed environments.
N-able’s recommended upgrade path is critical: “You must upgrade your on-premises N-central to 2025.3.1.
Details of the CVEs will be published three weeks after the release as per our security practices.”
The update introduces vital audit logging improvements for SSH and scheduled tasks (such as “SSH Login”, “Scheduled Task Edited”, “Script Deleted”) and supports Syslog export for enhanced compliance monitoring.
Administrators can configure the new audit logging using:
Alongside these security upgrades, N-central’s Device Management API has improved automation. MSPs can now onboard endpoints in bulk via POST /api/device and retrieve application details using:
These enhancements empower defenders to audit user activity and accelerate device onboarding, but require timely remediation.
Any instances receiving Shadowserver alerts should be immediately reviewed for compromise and patched using N-able’s official update.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Oracle has announced the release of VirtualBox 7.2, a major update to the popular open-source virtualization platform that introduces significant enhancements for Windows 11/Arm virtualization, comprehensive GUI improvements, and numerous bug fixes.
Released on August 14, 2025, this version marks a substantial advancement in cross-platform virtualization capabilities, particularly targeting the growing Arm-based computing ecosystem while maintaining robust support for traditional x86_64 architectures.
Key Takeaways 1. VirtualBox 7.2 introduces full virtualization of Windows 11/Arm guests on both Arm and x86‑64 hosts (via Hyper‑V). 2. Redesigned interface with sidebar tools and tabbed VM panels improves usability. 3. Hardware-accelerated 3D/video, TPM 2.0 save-state security, and over 50 bug fixes.
GUI Enhancements and Interface Improvements
The most immediately noticeable change in VirtualBox 7.2 involves a complete redesign of the user interface architecture.
The development team has relocated global and VM tools from traditional hamburger menus to a more accessible global tools taskbar positioned vertically on the left side of the interface, complemented by VM tools tabs displayed horizontally above the right-hand panel.
This restructuring addresses long-standing user experience concerns regarding tool accessibility and workflow efficiency.
Additional interface refinements include improvements to the Preferences and Settings pages with enhanced NLS (Native Language Support) fixing, better handling of keyboard LEDs in the Soft Keyboard feature, and the addition of a checkbox for making Shared Folders global across all virtual machines.
The clone VM wizard has also received critical bug fixes that previously prevented users from including snapshots in clone operations, addressing GitHub issue GH-59.
Windows/Arm Support and Cross-Platform Virtualization
The headline feature of VirtualBox 7.2 centers on comprehensive Windows/Arm host support, now included in the unified Windows installer package.
This implementation enables Arm virtualization of VMs and specifically supports Windows 11/Arm guest systems, complete with dedicated Guest Additions for the new OS type.
The Windows/Arm guest environment now includes a WDDM Graphics driver supporting both 2D and 3D rendering modes, alongside full Shared Folder functionality.
For macOS Arm hosts, VirtualBox 7.2 introduces experimental 3D acceleration support using DXMT technology, replacing the previous non-functional solution that relied on DXVK over MoltenVK.
However, this update notably removes 3D acceleration support for macOS hosts using Intel CPUs.
The VMM (Virtual Machine Manager) has received substantial improvements for both x86_64 and Arm CPU feature reporting when utilizing Windows Hyper-V as the virtualization engine, including enhanced xsave/xrestor instruction handling and support for x86_64-v3 instruction set extensions featuring AVX and AVX2 capabilities.
Bug Fixes and Performance Optimizations
VirtualBox 7.2 addresses numerous critical issues across multiple subsystems. The VMM/HM (Hardware Management) component now properly supports Nested Virtualization on Intel CPUs, while the graphics subsystem avoids assertions when guests attempt to use VMSVGA 3D functions with disabled features.
Storage improvements include fixes for VMDK image corruption during resizing operations and the integration of NVMe storage controller emulation into the open-source base package.
Network functionality has received comprehensive attention, with multiple NAT (Network Address Translation) fixes improving DNS server handling and VM settings preservation.
The TPM (Trusted Platform Module) implementation now properly handles save state operations, while ACPI support has been added for Arm VMs.
Linux compatibility extends to kernel version 6.17, ensuring continued support for cutting-edge distributions.
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial →
Chinese-speaking cybercriminals are using ghost-tapping techniques to take advantage of Near Field Communication (NFC) relay tactics in a sophisticated evolution of payment card fraud. They are mainly targeting mobile payment services such as Apple Pay and Google Pay. This attack vector involves relaying stolen payment card credentials from compromised devices to mules’ burner phones, enabling […]
Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution.
The package, named termncolor, realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler
A critical security vulnerability has been discovered in Rockwell Automation’s ControlLogix Ethernet communication modules, potentially allowing remote attackers to execute arbitrary code on industrial control systems.
The vulnerability, tracked as CVE-2025-7353, affects multiple ControlLogix Ethernet modules and carries a maximum CVSS score of 9.8, indicating severe security implications for industrial automation environments.
Key Takeaways 1. Critical flaw in Rockwell ControlLogix Ethernet modules due to the enabled web debugger agent. 2. Attackers can remotely execute code, dump memory, and control industrial systems. 3. Update immediately; implement network segmentation if patching is delayed.
Rockwell Automation published the security advisory on August 14, 2025, after discovering the flaw during internal testing procedures.
The CVE-2025-7353 vulnerability stems from an insecure default configuration in the web-based debugger (WDB) agent that remains enabled on production devices.
This debugging interface, intended for development purposes, creates a significant attack vector when left active in operational environments.
The vulnerability allows unauthenticated remote attackers to establish connections using specific IP addresses to access the WDB agent functionality.
The flaw is classified under CWE-1188: Initialization of a Resource with an Insecure Default, highlighting the fundamental security issue of shipping products with debugging capabilities enabled by default.
The CVSS 3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that the vulnerability can be exploited over the network with low complexity, requires no privileges or user interaction, and provides high impact across confidentiality, integrity, and availability.
The vulnerability impacts several ControlLogix Ethernet communication modules, including 1756-EN2T/D, 1756-EN2F/C, 1756-EN2TR/C, 1756-EN3TR/B, and 1756-EN2TP/A models running firmware version 11.004 or below.
These modules serve as critical communication interfaces between ControlLogix programmable automation controllers (PACs) and Ethernet networks in industrial environments.
Successful exploitation enables attackers to perform memory dumps, modify system memory, and control the execution flow of the affected devices.
This level of access could potentially allow attackers to manipulate industrial processes, access sensitive operational data, or disrupt manufacturing operations.
The web-based debugger agent provides low-level system access typically reserved for authorized development and maintenance personnel.
Risk Factors
Details
Affected Products
Rockwell Automation ControlLogix Ethernet Modules:- 1756-EN2T/D- 1756-EN2F/C- 1756-EN2TR/C- 1756-EN3TR/B- 1756-EN2TP/A(All running firmware version 11.004 or below)
Impact
Execute remote code
Exploit Prerequisites
– Network access to target device- Specific IP address connection to WDB agent- No authentication required- No user interaction needed
CVSS 3.1 Score
9.8 (Critical)
Mitigations
Rockwell Automation has released firmware version 12.001 to address the vulnerability across all affected ControlLogix Ethernet modules.
Organizations should prioritize updating to this corrected version as the primary mitigation strategy. The update disables the insecure default configuration of the WDB agent, eliminating the primary attack vector.
For environments where immediate firmware updates are not feasible, Rockwell Automation recommends implementing comprehensive security best practices.
These include network segmentation to isolate industrial control systems, implementation of proper firewall rules to restrict access to debugging interfaces, and continuous monitoring of network traffic for suspicious activities.
Organizations should also conduct thorough security assessments of their industrial automation infrastructure to identify similar vulnerabilities in other systems.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Use-after-free (UAF) vulnerabilities represent one of the most critical and prevalent security threats in modern software systems, particularly affecting applications written in memory-unsafe languages like C and C++.
These vulnerabilities occur when a program continues to use a memory location after it has been freed, creating opportunities for attackers to manipulate program execution flow, corrupt data, or achieve arbitrary code execution.
The severity of use-after-free vulnerabilities is underscored by their frequent appearance in high-profile security advisories and their exploitation in real-world attacks against web browsers, operating systems, and critical infrastructure software.
How Use-After-Free Vulnerability Occurs
Use-after-free vulnerabilities emerge from fundamental flaws in memory management practices within applications that manually handle dynamic memory allocation and deallocation.
The vulnerability manifests when a program deallocates a memory region using functions like free() in C or delete in C++, but subsequently attempts to access or manipulate the same memory location through dangling pointers.
This creates a dangerous condition where the freed memory may have been reallocated for different purposes, leading to unpredictable program behavior.
The following concise C code demonstrates the core mechanism of a use-after-free vulnerability:
how it occurs
The technical mechanics of use-after-free vulnerabilities involve several critical stages in the memory lifecycle. Initially, a program allocates memory dynamically using allocation functions such as malloc(), calloc(), or the new operator, creating a valid pointer to a memory region.
During normal execution, the program may legitimately free this memory using free() or delete, marking the memory region as available for reuse by the memory allocator.
However, if the program fails to set the pointer to NULL after freeing the memory, or if multiple pointers reference the same memory location, subsequent access attempts create use-after-free conditions.
The vulnerability becomes particularly dangerous when the freed memory is reallocated for different data structures or objects with varying layouts and purposes.
Modern memory allocators often reuse freed memory blocks quickly to optimize performance, meaning that a use-after-free access might interact with completely different data than originally intended.
This memory reuse can lead to type confusion vulnerabilities, where the program interprets data of one type as another, potentially allowing attackers to manipulate object properties, function pointers, or other critical program state.
Common programming patterns that introduce use-after-free vulnerabilities include improper cleanup in object destructors, race conditions in multithreaded applications, and complex object lifetime management in callback-heavy architectures.
Web browsers, which manage numerous objects with intricate relationships and event-driven lifecycles, are particularly susceptible to these vulnerabilities due to their complex JavaScript engines and DOM manipulation capabilities.
Exploiting Use-After-Free Vulnerability
The exploitation of use-after-free vulnerabilities requires sophisticated techniques that leverage the predictable behavior of memory allocators and the specific memory layout patterns of target applications.
Attackers typically employ a multi-stage approach that begins with triggering the vulnerability through carefully crafted input or interaction sequences, followed by precise memory manipulation to achieve desired exploitation outcomes.
The following concise C code demonstrates the core mechanism of a use-after-free vulnerability:
Use-After-Free Vulnerability
Heap Spraying and Memory Layout Controlrepresents the foundational technique in use-after-free exploitation. Attackers first trigger the freeing of a target object, then immediately allocate numerous objects of the same size to increase the probability that one of their controlled objects occupies the freed memory location.
This technique, known as heap spraying, allows attackers to replace the freed object with malicious data structures containing crafted function pointers, object properties, or other exploitable elements.
Real-world exploitation examples demonstrate the severity of these vulnerabilities. In 2019, researchers discovered CVE-2019-5786, a use-after-free vulnerability in Google Chrome FileReader implementation that affected millions of users worldwide.
The vulnerability occurred when JavaScript code triggered the destruction of FileReader objects while asynchronous file operations were still pending, creating a window where freed memory could be accessed during callback execution.
Attackers exploited this vulnerability by carefully timing JavaScript execution to control the freed memory contents, ultimately achieving arbitrary code execution within the browser’s renderer process.
Advanced exploitation techniques involve Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) to bypass modern security mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Attackers leverage use-after-free vulnerabilities to overwrite function pointers or virtual function tables, redirecting program execution to carefully chosen instruction sequences that perform attacker-controlled operations without requiring executable memory regions.
The Pointer Authentication Bypass technique has emerged as attackers adapt to newer processor security features.
On systems with pointer authentication capabilities, attackers use use-after-free vulnerabilities to leak authentic pointer values, then reuse these authenticated pointers in subsequent exploitation stages to bypass pointer integrity checks.
Mitigating Use-After-Free Vulnerability
Comprehensive mitigation of use-after-free vulnerabilities requires a multi-layered approach combining secure coding practices, automated detection tools, and runtime protection mechanisms.
The most effective strategies address vulnerabilities at multiple stages of the software development lifecycle, from initial design through deployment and maintenance.
The following table provides a comprehensive overview of mitigation techniques categorized by their implementation approach and effectiveness:
Mitigation Category
Technique
Description
Implementation Phase
Effectiveness
Performance Impact
Static Analysis
Code Review
Manual examination of code for memory management flaws
Runtime memory error detection with immediate crash on UAF
Testing/Debug
Very High
High (2-3x slowdown)
Dynamic Analysis
Valgrind Memcheck
Comprehensive memory error detection during testing
Testing
High
Very High (10-50x slowdown)
Dynamic Analysis
Hardware-Assisted Sanitizers
Intel MPX, ARM Memory Tagging for runtime detection
Runtime
High
Low-Medium
Language Solutions
Memory-Safe Languages
Rust, Go, Swift with ownership/borrowing systems
Design
Very High
None to Low
Language Solutions
Managed Languages
Java, C#, Python with garbage collection
Design
Very High
Variable
Runtime Protection
Control Flow Integrity (CFI)
Prevents hijacking of corrupted function pointers
Runtime
Medium-High
Low
Runtime Protection
Pointer Authentication
ARM/Intel hardware pointer signing
Runtime
High
Very Low
Runtime Protection
Stack Canaries
Detection of stack-based corruption
Runtime
Low (UAF specific)
Very Low
Coding Practices
Pointer Nullification
Setting pointers to NULL after free()
Development
Medium
None
Coding Practices
Reference Counting
Smart pointers and automated lifetime management
Development
High
Low
Coding Practices
Object Ownership Models
Clear ownership hierarchies and RAII patterns
Design/Development
High
None
Allocator-Based
Debug Allocators
Allocators that detect use-after-free (Debug CRT, Guard Malloc)
Testing/Debug
High
High
Allocator-Based
Hardened Allocators
Production allocators with UAF detection (Scudo, PartitionAlloc)
Runtime
Medium-High
Low-Medium
Memory Safety Tools and Static Analysis provide the first line of defense against use-after-free vulnerabilities. AddressSanitizer (ASan), a runtime error detector integrated into major compiler toolchains, instruments memory allocation and deallocation operations to detect use-after-free conditions immediately upon occurrence.
When ASan detects a use-after-free access, it terminates the program and provides detailed diagnostic information, including stack traces for both the original allocation and the erroneous access attempt.
Dynamic analysis tools like Valgrind’s Memcheck offer comprehensive memory error detection capabilities during testing phases, identifying not only use-after-free vulnerabilities but also related issues such as memory leaks and buffer overflows.
These tools employ shadow memory techniques to track the state of every allocated byte, enabling precise detection of improper memory access patterns.
Language-Level Mitigations represent a fundamental approach to eliminating entire classes of memory safety vulnerabilities. Modern programming languages like Rust enforce memory safety through ownership systems and borrow checking, making use-after-free vulnerabilities impossible to introduce through normal language constructs.
Similarly, managed languages like Java and C# eliminate manual memory management entirely, relying on garbage collection to prevent premature memory deallocation.
Runtime Protection Mechanisms provide additional security layers for applications that must continue using memory-unsafe languages. Control Flow Integrity (CFI) prevents attackers from hijacking program control flow through corrupted function pointers, significantly reducing the impact of successful use-after-free exploits.
Hardware-assisted solutions like Intel’s Control-flow Enforcement Technology (CET) and ARM’s Pointer Authentication provide processor-level protections against common exploitation techniques.
Secure Coding Practices remain essential for preventing use-after-free vulnerabilities in existing codebases. These practices include immediately setting pointers to NULL after freeing memory, implementing reference counting systems for shared objects, and designing clear object ownership models that prevent ambiguous lifetime management. Code review processes should specifically focus on memory management patterns, particularly in complex scenarios involving callbacks, event handlers, and multithreaded access.
Use-after-free vulnerabilities continue to pose significant security risks to modern software systems, requiring comprehensive mitigation strategies that combine technological solutions with disciplined development practices.
While automated detection tools and runtime protections provide valuable safeguards, the fundamental solution lies in transitioning to memory-safe programming languages and architectures.
Organizations maintaining legacy codebases must implement rigorous testing regimens, deploy runtime protection mechanisms, and maintain continuous vigilance against these persistent and evolving threats.
The ongoing arms race between attackers developing sophisticated exploitation techniques and defenders implementing advanced mitigations underscores the critical importance of proactive security measures throughout the software development lifecycle.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Organizations handling various forms of sensitive data or personally identifiable information (PII) require adherence to regulatory compliance standards and frameworks. These compliance standards also apply to organizations operating in regulated sectors such as healthcare, finance, government contracting, or education. Some of these standards and frameworks include, but are not limited to:
Phrack Magazine’s latest issue #72 has unveiled a significant data leak from a suspected North Korean hacking operation, including exploit tactics, compromised system details, and a sophisticated Linux rootkit. The dump, linked to a Chinese threat actor targeting South Korean and Taiwanese government and private sectors, shows overlaps with the North Korean Kimsuky APT group. […]
In an era where users rely on vigilance against shady websites and file hashing via platforms like VirusTotal, a new wave of trojan horses is challenging traditional defenses. These threats masquerade as legitimate desktop applications, such as recipe savers, AI-powered image enhancers, and virtual assistants, all while embedding malicious capabilities. For instance, the JustAskJacky app, […]
