• Security researchers have observed renewed exploit campaigns targeting an eight-year-old backdoor in Hikvision cameras to harvest configuration files, user lists, and snapshots. Attackers automate scans across IP ranges, appending a base64-encoded “auth” parameter to management URLs. When decoded, the string commonly reveals “admin:11,” enabling unauthorized access. Organizations relying on older camera firmware are at heightened […]

    The post Hackers Exploit Hikvision Camera Flaw to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cisco has warned of a high-severity security flaw in IOS Software and IOS XE Software that could allow a remote attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition under specific circumstances. The company said the vulnerability, CVE-2025-20352 (CVSS score: 7.7), has been exploited in the wild, adding it became aware of it “after local Administrator credentials were

  • Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations. Tracked by Google Threat Intelligence Group (GTIG) and investigated by Mandiant Consulting, BRICKSTORM campaigns have maintained undetected access for an average of 393 days, targeting legal services firms, SaaS providers, BPOs, and technology companies to harvest […]

    The post BRICKSTORM Backdoor Hits Tech and Legal Firms with Stealthy New Campaign appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A critical vulnerability in Hikvision security cameras, first disclosed in 2017, is being actively exploited by hackers to gain unauthorized access to sensitive information.

    SANS researchers observed a recent surge in malicious activity targeting a specific flaw, identified as CVE-2017-7921, which carries a critical severity score of 10.0 on the CVSS scale.

    The exploit attempts are characterized by suspicious web requests to specific URLs on vulnerable cameras, such as /System/deviceInfo?auth=YWRtaW46MTEK.

    The base64-encoded string in the request, YWRtaW46MTEK, decodes to admin:11. This suggests that the attackers are not using a sophisticated backdoor but are instead trying devices for weak, easily guessable passwords.
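    A defender-side way to spot this request pattern in web-server access logs, added here as an example (not code from the SANS researchers or from the article): it parses combined-format log lines, pulls the auth query parameter, decodes the base64 value and flags trivially weak credentials such as the "11" seen in the campaign. The combined log format, the weak-password heuristic and the /System/configurationFile path are assumptions, and the sample log lines are constructed.

```python
"""Added example (not from the article): scan access logs for Hikvision requests
that carry a base64 "auth" parameter, decode it, and flag weak credentials.

Assumptions not stated in the article: Apache/nginx combined log format, a
"short or digits-only" weak-password heuristic, and the /System/configurationFile
path as the config-download endpoint. The sample log lines are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: two lines reproduce the article's request pattern, one is
# ordinary traffic, and one carries an auth value that is not valid base64.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:01:02 +0000] "GET /System/deviceInfo?auth=YWRtaW46MTEK HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [25/Sep/2025:10:01:03 +0000] "GET /System/configurationFile?auth=YWRtaW46MTEK HTTP/1.1" 200 9021 "-" "python-requests/2.31"
198.51.100.4 - - [25/Sep/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2025:10:03:40 +0000] "GET /System/deviceInfo?auth=bogus-value HTTP/1.1" 401 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_auth(value):
    """Return "user:pass" from a base64 auth value, or None if it is not base64
    or does not look like a credential pair."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", "replace").strip()  # YWRtaW46MTEK ends in a newline
    return text if ":" in text else None

def is_weak_password(password):
    """Heuristic: numeric-only or very short passwords, like the article's "11"."""
    return len(password) < 8 or password.isdigit()

def scan_log(text):
    """Return one finding per request whose URL carries an auth parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        auth_values = parse_qs(parts.query).get("auth")
        if not auth_values:
            continue
        creds = decode_auth(auth_values[0])
        _user, _, password = (creds or "").partition(":")
        findings.append({
            "ip": m["ip"],
            "path": parts.path,
            "status": int(m["status"]),
            "decoded": creds,
            "weak_password": bool(creds) and is_weak_password(password),
            "config_download": parts.path.endswith("/configurationFile"),  # assumed path
        })
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

    Requests with a decodable credential pair are worth alerting on regardless of the response code, since the article notes that credentials in a URL end up in logs; a 200 on the config-download path is the strongest indicator that a device was actually read.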

    Hikvision Camera Vulnerability Exploited

    The core of the issue lies in a vulnerability in the firmware of numerous Hikvision camera models that allows improper authentication. This flaw allows a remote, unauthenticated attacker to bypass security measures and escalate their privileges, effectively gaining control over the device.

    By sending a specially crafted request, an attacker can download the camera’s configuration file, which may contain user credentials, or even change user passwords to lock out legitimate owners.

    While Hikvision has released firmware patches to address this vulnerability, hundreds of thousands of devices remain unpatched and exposed on the internet.

    The problem is compounded by the fact that many other manufacturers rebrand and sell Hikvision cameras under their own names, making it difficult for users to identify if their devices are affected.

    A successful exploit can have severe consequences. Attackers can not only view live and recorded footage but also use the compromised camera as a pivot point to launch further attacks against the internal network.

    The downloaded configuration files, though encrypted, use weak encryption with a static key, making it possible for attackers to decrypt them and harvest user credentials.

    The current wave of attacks appears to be taking advantage of poor security practices by users. The use of a simple password like “11” may be due to the limited user interface on some Hikvision DVRs, which often feature only a numeric on-screen keyboard, making it cumbersome to enter complex alphanumeric passwords.

    While placing credentials in a URL is discouraged due to the risk of them being logged, it is a convenient feature that allows for creating direct login links.

    To mitigate the risk, owners of Hikvision cameras are strongly advised to update their devices’ firmware to the latest version. It is also crucial to use strong, unique passwords and to avoid exposing the camera’s management interface directly to the internet.

    If remote access is necessary, it should be done through a secure VPN connection.

    The post Hackers Exploiting Hikvision Camera Vulnerability to Access Sensitive Information appeared first on Cyber Security News.

  • Critical vulnerabilities discovered in Supermicro Baseboard Management Controller (BMC) firmware have exposed a troubling pattern where inadequate security fixes create new attack vectors, allowing sophisticated adversaries to bypass signature verification mechanisms and maintain persistent control over enterprise server infrastructure.

    These flaws, affecting multiple generations of Supermicro motherboards, demonstrate how design weaknesses in firmware validation processes can undermine the fundamental security assumptions of server hardware.

    The vulnerabilities emerged following an investigation into supposedly fixed security issues, revealing that vendor patches implemented in January 2025 were insufficient to address the underlying authentication flaws.

    The original vulnerability, CVE-2024-10237, was discovered by NVIDIA’s Offensive Security Research Team and involved fundamental flaws in BMC firmware image authentication design that could allow attackers with administrative access to upload malicious firmware updates.

    Binarly analysts identified a bypass technique for the vendor’s CVE-2024-10237 fix, resulting in the assignment of CVE-2025-7937.

    During their extended analysis of different Supermicro products, researchers discovered a similar vulnerability employing distinct exploitation techniques, assigned CVE-2025-6198.

    The exploitation of this second vulnerability revealed capabilities extending beyond mere firmware updates, enabling attackers to bypass the BMC Root of Trust (RoT) security feature entirely.

    Supermicro BMC validation process (Source – Binarly)

    The attack vectors leverage design flaws in the three-step firmware validation process used across Supermicro’s BMC implementations.

    First, the validator retrieves the public key stored in the BMC SPI flash as part of the currently running firmware and extracts the RSA-4096 signature value from the uploaded image blob.

    It then parses the embedded tables that describe the image's firmware regions, computes a SHA-512 digest over the signed regions, and verifies the signature against that digest.

    These vulnerabilities grant attackers complete persistent control over both BMC systems and main server operating systems, representing a critical escalation pathway that compromises fundamental hardware security assumptions in enterprise environments.

    Exploitation Mechanisms and Signature Bypass Techniques

    The bypass techniques exploit fundamental weaknesses in how firmware validation logic processes region tables embedded within uploaded images.

    For CVE-2025-7937, attackers circumvent the supposed fix by inserting a custom fwmap table ahead of the original one; the custom table holds a single entry that spans all of the signed regions concatenated together.

    Exploitation for this firmware (Source – Binarly)

    The exploit leverages the fact that fwmap tables are located in memory by signature rather than fixed positions, allowing manipulation of the validation sequence.

    In the X12STW-F firmware version 01.06.17, the original validation process defines six distinct regions with specific offsets and signing requirements.

    The bypass technique creates a consolidated entry at offset 0x100000 with size 0x2b32c00 marked as signed boot content, effectively wrapping all legitimate signed regions into a single validated block while inserting malicious content in the bootloader space.

    For CVE-2025-6198, the exploitation technique targets the auth_bmc_sig function within the OP-TEE environment, manipulating the sig_table section located at offset 0x100000.

    This alternative validation method processes region information differently, storing offsets in the first four bytes and custom-transformed size values in remaining bytes.

    By modifying kernel regions and updating corresponding sig_table entries, attackers maintain signature validity while executing arbitrary code during BMC boot processes.

    The successful exploitation of these techniques results in persistent arbitrary code execution capabilities, with modified kernel images bypassing authentication mechanisms during boot sequences.

    Binarly researchers demonstrated successful validation and flashing of modified images through UART debugging interfaces, confirming that customized kernels execute without triggering security mechanisms, effectively compromising the entire BMC security model.
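    To make the three-step validation process and the fwmap consolidation concrete, here is a toy model added as an example (not Binarly's analysis code and not Supermicro firmware): a weak validator that locates the region table by scanning for its magic, as the article describes, beside a hardened one that reads the table from a fixed offset, requires the table itself to sit inside a signed region, and requires the ranges the BMC actually boots from to be covered. The image format, the HMAC-SHA512 stand-in for the RSA-4096 signature, the key and the fixed boot ranges are all constructed assumptions.

```python
"""Added example (not Binarly's or Supermicro's code): a toy model of the
three-step validation described above, showing why a region table that is
located by scanning for its magic can be bypassed, and what a hardened
validator checks instead.

Assumptions, all constructed for this example: a small image format with a
"FWMAP" table, HMAC-SHA512 under a shared key standing in for the RSA-4096
signature, and fixed boot-critical ranges the BMC always reads from.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWMAP\x00"
TABLE_OFF = 0x20                 # hardened validator reads the table here only
SIG_OFF, SIG_LEN = 0xFC0, 64     # signature trailer, outside every signed region
IMAGE_SIZE = SIG_OFF + SIG_LEN
KEY = b"toy-signing-key"         # stands in for the public key held in SPI flash
REQUIRED = [(0x100, 0x100), (0x200, 0x200)]  # bootloader and kernel ranges
LAYOUT = [(0x000, 0x100, 1), (0x100, 0x100, 1), (0x200, 0x200, 1)]  # free space 0x400..0xFC0

def pack_table(entries):
    """entries: (offset, size, signed_flag) tuples, little-endian u32/u32/u8."""
    body = b"".join(struct.pack("<IIB", *e) for e in entries)
    return MAGIC + struct.pack("<H", len(entries)) + body

def parse_table(image, at):
    """Return (entries, table_length) for a table stored at offset `at`."""
    if at < 0 or image[at:at + 6] != MAGIC:
        raise ValueError("no region table at 0x%x" % at)
    count = struct.unpack_from("<H", image, at + 6)[0]
    entries = [struct.unpack_from("<IIB", image, at + 8 + 9 * i) for i in range(count)]
    return entries, 8 + 9 * count

def digest(image, entries):
    """SHA-512 over the signed regions concatenated in table order."""
    h = hashlib.sha512()
    for off, size, signed in entries:
        if signed:
            h.update(image[off:off + size])
    return h.digest()

def sign(d):
    return hmac.new(KEY, d, hashlib.sha512).digest()

def build_image(bootloader, kernel):
    """Construct a well-formed, correctly signed image."""
    img = bytearray(IMAGE_SIZE)
    img[0:4] = b"IMG1"
    table = pack_table(LAYOUT)
    img[TABLE_OFF:TABLE_OFF + len(table)] = table
    img[0x100:0x100 + len(bootloader)] = bootloader
    img[0x200:0x200 + len(kernel)] = kernel
    img[SIG_OFF:SIG_OFF + SIG_LEN] = sign(digest(img, LAYOUT))
    return bytes(img)

def validate_weak(image):
    """Flawed design: the table is wherever the magic first appears."""
    entries, _ = parse_table(image, image.find(MAGIC))
    return hmac.compare_digest(sign(digest(image, entries)), image[SIG_OFF:SIG_OFF + SIG_LEN])

def validate_hardened(image):
    """Fixed table offset, table covered by a signed region, boot ranges covered."""
    entries, table_len = parse_table(image, TABLE_OFF)
    signed = [(o, s) for o, s, f in entries if f]

    def covered(start, length):
        return any(o <= start and start + length <= o + s for o, s in signed)

    if not covered(TABLE_OFF, table_len):
        return False   # an unsigned table could be rewritten at will
    if not all(covered(*r) for r in REQUIRED):
        return False   # the code the BMC boots from would go unchecked
    return hmac.compare_digest(sign(digest(image, entries)), image[SIG_OFF:SIG_OFF + SIG_LEN])

def consolidated_table_image(image, new_bootloader):
    """The consolidation described above, applied to the toy format: the original
    signed bytes are copied contiguously into free space, a one-entry table covering
    that copy is placed ahead of the real one, and the fixed boot range is replaced."""
    img = bytearray(image)
    img[0x800:0xC00] = image[0x000:0x400]      # verbatim copy keeps the digest equal
    fake = pack_table([(0x800, 0x400, 1)])
    img[0x04:0x04 + len(fake)] = fake          # found first by a magic scan
    img[0x100:0x100 + len(new_bootloader)] = new_bootloader
    return bytes(img)

if __name__ == "__main__":
    good = build_image(b"BOOT" * 8, b"KERN" * 16)
    tampered = consolidated_table_image(good, b"XXXX" * 8)
    print("weak:     genuine=%s tampered=%s" % (validate_weak(good), validate_weak(tampered)))
    print("hardened: genuine=%s tampered=%s" % (validate_hardened(good), validate_hardened(tampered)))
```

    The weak validator accepts the tampered image because the single consolidated entry hashes to exactly the bytes the original table covered, so the stored signature still verifies. The hardened validator rejects it: the table it reads is at a fixed offset inside a signed region, so any change to the header or to the bootloader range breaks the signature, and a table that omitted the boot ranges would be refused before the signature is even checked.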

    The post BMC Firmware Vulnerabilities Allow Attackers to Bypass Signature Verification Features appeared first on Cyber Security News.

  • A critical vulnerability in the Linux Kernel’s ksmbd file sharing component allows remote attackers to execute code with kernel privileges. Tracked as CVE-2025-38561, this flaw affects Linux distributions that include the ksmbd SMB server implementation. Authentication is required, but a successful exploit can grant full control of the affected host. Vendors and administrators should apply […]

    The post Linux Kernel ksmbd Flaw Lets Remote Attackers Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Russia-linked threat actors continue targeting civil society with sophisticated social engineering campaigns and lightweight malware tools in September 2025. The campaign delivers two previously undocumented malware families: a downloader dubbed BAITSWITCH and a PowerShell-based backdoor named SIMPLEFIX. COLDRIVER, also tracked as Star Blizzard, Callisto, and UNC4057, has historically focused on credential phishing campaigns against NGOs, think tanks, journalists, […]

    The post COLDRIVER APT Group Uses ClickFix to Deliver New PowerShell-Based Backdoor BAITSWITCH appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A severe vulnerability in the Linux kernel’s ksmbd SMB server implementation has been disclosed, potentially allowing authenticated remote attackers to execute arbitrary code on affected systems. 

    The vulnerability, tracked as CVE-2025-38561 and assigned a CVSS score of 8.5, represents a significant security risk for Linux systems utilizing the kernel-based SMB server functionality.

    The flaw, disclosed by the Zero Day Initiative, stems from improper handling of the Preauth_HashValue field within the smb2_sess_setup function.

    This race condition vulnerability occurs due to inadequate locking mechanisms when performing operations on kernel objects, creating an opportunity for attackers to manipulate memory structures and achieve code execution within kernel context.

    Linux Ksmbd Vulnerability (CVE-2025-38561)

    The vulnerability specifically targets the ksmbd service, which provides in-kernel SMB server functionality as an alternative to the traditional Samba implementation. 

    Unlike user-space SMB servers, ksmbd operates directly within the kernel space, making successful exploitation particularly dangerous as it grants attackers kernel-level privileges.

    The attack requires initial authentication to the SMB service, meaning attackers must possess valid credentials or successfully authenticate through other means before triggering the vulnerability. 

    Once authenticated, the race condition in the session setup process can be exploited to corrupt memory structures and redirect code execution flow.

    Technical analysis reveals that the vulnerability manifests during SMB2 session establishment when the server processes authentication hash values. 

    The lack of proper synchronization between concurrent operations creates a window where memory corruption can occur, potentially leading to arbitrary code execution with kernel privileges.

    The vulnerability disclosure follows responsible disclosure practices, with researcher Nicholas Zubrisky of Trend Research reporting the issue to Linux maintainers on July 22, 2025. 

    Risk Factors           Details
    Affected Products      Linux Kernel (ksmbd SMB server implementation)
    Impact                 Remote Code Execution
    Exploit Prerequisites  Authentication required; valid SMB credentials are needed to access the ksmbd service
    CVSS 3.1 Score         8.5 (High)

    Mitigations

    Linux maintainers have released patches addressing this vulnerability, with the fix available in the stable kernel tree under commit 44a3059c4c8cc635a1fb2afd692d0730ca1ba4b6. 

    System administrators should prioritize updating their Linux kernels to versions containing this security fix, particularly on systems exposed to untrusted networks or users.

    Organizations utilizing ksmbd for file-sharing services should implement additional security measures, including network segmentation, strict authentication controls, and monitoring for suspicious SMB traffic patterns.

    Consider temporarily disabling ksmbd services on non-critical systems until patching can be completed.
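    A small host audit for the mitigations above, added here as an example (not code from the article or from the kernel project): it reports whether the ksmbd module is loaded, whether it is blacklisted for future boots, and whether the host is listening on the SMB port, so an administrator can decide where the temporary "disable ksmbd" advice applies. It assumes the Linux formats of /proc/modules, /etc/modprobe.d/*.conf and /proc/net/tcp; the sample texts are constructed.

```python
"""Added example (not from the article or the kernel project): audit a host for
the ksmbd mitigations listed above.

Assumptions: Linux formats for /proc/modules, /etc/modprobe.d/*.conf and
/proc/net/tcp (local port in hex after the colon; state 0A is LISTEN). The
sample texts at the bottom are constructed so the functions run offline.
"""
import glob
import re

SMB_PORT = 445

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def is_blacklisted(modprobe_conf_text, module="ksmbd"):
    """True if a modprobe.d snippet blocks the module with a 'blacklist' line or
    an 'install <module> /bin/false' override; commented-out lines are ignored."""
    pat = re.compile(
        r"^\s*(blacklist\s+%s|install\s+%s\s+/bin/(false|true))\s*$" % (module, module), re.M
    )
    return pat.search(modprobe_conf_text) is not None

def listening_on(proc_net_tcp_text, port=SMB_PORT):
    """True if a socket in /proc/net/tcp format is in LISTEN state on the port."""
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[1].split(":")[1], 16)
        if local_port == port and fields[3] == "0A":
            return True
    return False

def audit(proc_modules_text, modprobe_texts, proc_net_tcp_text):
    """Combine the three checks into one report."""
    return {
        "ksmbd_loaded": "ksmbd" in loaded_modules(proc_modules_text),
        "ksmbd_blacklisted": any(is_blacklisted(t) for t in modprobe_texts),
        "smb_port_listening": listening_on(proc_net_tcp_text),
    }

def audit_live_host():
    """Read the real files; Linux only."""
    def read(path):
        with open(path) as f:
            return f.read()
    confs = [read(p) for p in glob.glob("/etc/modprobe.d/*.conf")]
    return audit(read("/proc/modules"), confs, read("/proc/net/tcp"))

# Constructed sample host: ksmbd loaded, not blacklisted, port 445 in LISTEN.
SAMPLE_MODULES = "ksmbd 380928 0 - Live 0xffffffffc0a00000\nxfs 1859584 2 - Live 0xffffffffc0500000\n"
SAMPLE_MODPROBE = "# local hardening\nblacklist floppy\n"
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
)

if __name__ == "__main__":
    report = audit(SAMPLE_MODULES, [SAMPLE_MODPROBE], SAMPLE_TCP)
    print(report)
    if report["ksmbd_loaded"] and not report["ksmbd_blacklisted"]:
        print("ksmbd is active with no blacklist; if it is not needed until the kernel is patched:")
        print("  modprobe -r ksmbd")
        print("  echo 'blacklist ksmbd' > /etc/modprobe.d/ksmbd.conf")
```

    The script only reports and prints the suggested commands rather than running them, so it can be used on a fleet to find hosts where ksmbd is exposed before deciding which ones can tolerate the service being unloaded until the patched kernel is installed.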

    The post Linux Kernel ksmbd Vulnerability Allows Remote Attackers to Execute Arbitrary Code appeared first on Cyber Security News.

  • A critical vulnerability in NVIDIA’s Merlin Transformers4Rec library allows attackers to achieve remote code execution with root privileges. Discovered by the Trend Micro Zero Day Initiative (ZDI) Threat Hunting Team, the flaw stems from unsafe deserialization in the model checkpoint loading functionality. Tracked as CVE-2025-23298, this vulnerability underscores the persistent security challenges in machine learning […]

    The post NVIDIA Merlin Flaw Enables Remote Code Execution with Root Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cisco has disclosed a critical zero-day vulnerability in its IOS and IOS XE software that is being actively exploited by threat actors in real-world attacks. The flaw, tracked as CVE-2025-20352, affects the Simple Network Management Protocol (SNMP) subsystem and allows both denial-of-service attacks and remote code execution depending on the attacker’s privilege level. Critical SNMP Stack […]

    The post Cisco IOS 0-Day RCE Vulnerability Actively Targeted appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
