• In 2024, as the Russia-Ukraine war prolongs and military and economic cooperation between North Korea and Russia deepens, cyberspace has become a central battleground for international conflict. Russia is leveraging cyber-attacks to alleviate economic pressure from international sanctions and to enhance its war-fighting capabilities, targeting key industries in major countries around the globe. In November […]

    The post Russia Leveraging Cyber-Attacks as a Strategic Weapon Against Key Industries in Major Nations appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • GitHub on Monday announced that it will be changing its authentication and publishing options “in the near future” in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA),

  • Cloudflare announced today that it has successfully mitigated the largest distributed denial-of-service (DDoS) attack ever recorded. The hyper-volumetric assault peaked at a staggering 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), shattering the previous record of 11.5 Tbps. This new high-water mark highlights a dramatic escalation in the scale and speed […]

    The post Massive 22.2 Tbps DDoS Attack Sets New World Record appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware called BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam. The activity, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 under the moniker CL-UNK-1037, where “

  • Check Point Research has identified a long-running campaign by the Iranian-aligned threat actor Nimbus Manticore—also known as UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operation—targeting defense manufacturers, telecommunications, and aviation entities aligned with IRGC priorities. Recent activity demonstrates a sharpened focus on Western Europe, notably Denmark, Sweden, and Portugal, with spear-phishing lures impersonating aerospace, […]

    The post Nimbus Manticore Targets Defense and Telecom Industries with New Malware Attack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A critical cross-site scripting (XSS) vulnerability affecting both Lectora Desktop and Lectora Online has been disclosed, enabling attackers to inject JavaScript through crafted URL parameters. Discovered by security researcher Mohammad Jassim and documented by the CERT® Coordination Center on September 22, 2025, this flaw poses a risk of client-side code execution, session hijacking, and user […]

    The post Lectora Desktop and Online XSS Vulnerability Enables JavaScript Injection appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A critical security flaw in Libraesva ESG email security gateways, which allows threat actors to execute arbitrary commands through specially crafted email attachments, has been identified and patched.

    The vulnerability, tracked as CVE-2025-59689, affects multiple versions of the popular email security platform and has already been exploited by what security researchers believe to be a foreign state-sponsored threat actor.

    The vulnerability stems from improper input sanitization during the removal of active code from files contained within compressed archive formats. 

    When Libraesva ESG processes emails containing specially crafted compressed attachments, the security gateway fails to properly sanitize input parameters, creating an opportunity for command injection attacks. 

    Libraesva ESG Command Injection Vulnerability

    This flaw affects all Libraesva ESG versions starting from version 4.5, making it a widespread security concern for organizations relying on the platform for email security.

    The attack vector requires minimal user interaction, as the malicious payload is delivered through standard email channels. 

    Attackers can craft compressed archives containing payload files designed to manipulate the application’s sanitization logic. 

    Once the sanitization bypass is achieved, threat actors gain the ability to execute arbitrary shell commands under a non-privileged user account, potentially compromising the entire email security infrastructure.

    | Risk Factors | Details |
    |---|---|
    | Affected Products | Libraesva ESG 4.5 through 5.5 |
    | Impact | Execution of arbitrary shell commands as a non-privileged user |
    | Exploit Prerequisites | Receipt and processing of a specially crafted compressed email attachment using specific archive formats |
    | CVSS 3.1 Score | 6.1 (Medium) |

    Mitigations

    Libraesva demonstrated exceptional incident response capabilities, deploying fixes across all affected systems within 17 hours of discovery. 

    The company released emergency patches for multiple versions: ESG 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. 

    These patches were automatically deployed to all ESG 5.x installations through the platform’s automated update channel, ensuring comprehensive coverage for both cloud and on-premise deployments.

    The remediation package included not only the core fix addressing the sanitization flaw but also automated indicators of compromise (IoCs) scanning capabilities and a self-assessment module. 

    This comprehensive approach ensures that affected appliances can verify patch integrity and detect any residual threats from potential exploitation attempts. 

    Cloud customers received automatic updates without requiring manual intervention, while on-premise customers with version 5.x appliances were automatically upgraded through telemetry-confirmed deployments.

    Organizations still running version 4.x installations, which have reached end-of-support status, must manually upgrade to version 5.x to receive protection against this vulnerability. 

    The single confirmed exploitation incident, attributed to a foreign hostile state entity, underscores the critical nature of this security flaw and the importance of maintaining current software versions in email security infrastructure deployments.

    The post Libraesva ESG Vulnerability Let Attackers Inject Malicious Commands appeared first on Cyber Security News.

  • Over the weekend, a sophisticated ransomware attack compromised Collins Aerospace’s Muse check-in and boarding systems, forcing key hubs including Heathrow, Brussels, and Berlin to return to manual processes.

    Airlines reported hundreds of delayed and cancelled flights as security teams raced to contain the breach, restore encrypted data, and deploy software patches.

    The Guardian stated that on Friday evening, threat actors deployed a ransomware payload believed to be a variant of the REvil/Sodinokibi family against Collins Aerospace’s virtual machines in its cloud-hosted environment.

    Collins Aerospace Systems Ransomware Attack

    The attack leveraged a spear-phishing email containing a malicious macro, which executed a PowerShell script to download the payload from a command-and-control (C2) server.

    Once active, the ransomware used AES-256 encryption to lock file shares and virtual disks, appending the extension “.locked” and dropping a ransom note demanding payment in Monero.

    Initial forensic analysis indicates the intruders exploited a zero-day vulnerability in the Citrix ADC appliance to gain a foothold, before escalating privileges via Windows Registry modifications and deploying Mimikatz for credential harvesting. 

    Lateral movement was detected across the network using SMB and RDP protocols, with persistence established through scheduled tasks and modified Group Policy Objects (GPOs). 

    The European Union Agency for Cybersecurity (ENISA) confirms that Collins Aerospace experienced file encryption on its primary Domain Controllers, propagating the impact to airport kiosks, bag-drop systems, and boarding gates.

    While Collins Aerospace works on decryptor utilities and hotfixes, airport operators have implemented manual check-in counters and paper boarding passes, extending passenger processing times by up to two hours, the Guardian said.

    Heathrow reports that “the vast majority of flights are operating as normal, although check-in may take longer than usual.” 

    Brussels Airport cancelled 40 departing and 23 arriving flights on Monday alone, and Dublin warned of potential future disruptions despite no immediate cancellations.

    Jonathan Hall KC, the UK government’s independent terrorism legislation reviewer, has suggested that a state-sponsored actor potentially leveraging advanced persistent threat (APT) tactics could be behind the breach. 

    However, Collins Aerospace has not publicly attributed the attack to any group. In its Monday statement, RTX, the parent company, affirmed that “system integrity is being verified” and urged customers to apply the latest Muse software update (version 7.4.2).

    Passengers are advised to verify flight status online and arrive no more than three hours before long-haul departures and two hours before short-haul services.

    The post European Airport Disruptions Caused by Sophisticated Ransomware Attack appeared first on Cyber Security News.

  • Passengers across Europe are facing another day of flight delays after a cyber-attack struck the company behind the check-in and boarding software used at many airports. London Heathrow, Brussels, Dublin and Berlin have been worst hit since Friday, when the attack first took hold. Automatic kiosks and bag-drop machines went offline, forcing airline staff to […]

    The post European Airport Operations Disrupted by Ransomware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A recent malware campaign making the rounds in Latin America offers a stark example of how cybercriminals are evolving and finetuning their playbooks. Victims receive emails dressed up to look as though they come from trusted institutions, warning of lawsuits or court summons. This tried-and-tested social-engineering tactic exploits urgency to trick recipients into clicking links […]

    The post Hackers Using SVG Files to Deliver Malicious Payloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
