Cybersecurity researchers have uncovered a critical security flaw in Securden Unified PAM that allows attackers to completely bypass authentication mechanisms and gain unauthorized access to sensitive credentials and system functions.

The vulnerability, designated as CVE-2025-53118 with a CVSS score of 9.4, represents one of four serious security issues discovered in the privileged access management solution that could enable complete system compromise.

The authentication bypass vulnerability exploits a fundamental flaw in how Securden Unified PAM handles session management.

Attackers can navigate to the /thirdparty-access endpoint to automatically receive a securdensession cookie, which can then be leveraged to obtain CSRF tokens and securdenpost cookies through the /get_csrf_token URL.

This cookie-based authentication mechanism fails to properly validate user authorization, instead only checking for the presence of these session tokens.

The discovery emerged during continuous red teaming exercises conducted through Rapid7’s Vector Command service.

Rapid7 analysts identified the vulnerabilities while performing routine security assessments, quickly recognizing the severe implications for organizations relying on the PAM solution for credential management and access control.

Beyond the primary authentication bypass, researchers uncovered three additional vulnerabilities that compound the security risk.

These include an unauthenticated unrestricted file upload flaw (CVE-2025-53119), a path traversal vulnerability in file upload functionality (CVE-2025-53120), and a shared SSH key infrastructure issue (CVE-2025-6737) that affects Securden’s cloud gateway services.

Exploitation Mechanism and Technical Analysis

The authentication bypass vulnerability demonstrates particularly sophisticated attack vectors through its exploitation of backup functionality.

Once attackers obtain the necessary session tokens, they can access the /configure_schedule endpoint to trigger encrypted password backups with administrator privileges.

The attack leverages the SCHEDULE_ENCRYPTED_HTML_BACKUP type to extract complete credential databases, requiring only that a superadmin account exists within the system.

Technical analysis reveals that successful exploitation requires removing the X-Requested-With header during authentication bypass requests, as the server returns errors when this header is present.

Attackers can specify custom backup locations, including external SMB shares or the application’s static webroot folder, enabling direct download of encrypted credential files.

The backup filenames follow predictable patterns based on backup timestamps, making them susceptible to brute-force discovery attacks.

The vulnerability’s impact extends beyond simple credential theft. When combined with the file upload vulnerabilities, attackers can achieve complete remote code execution by overwriting system files like postgresBackup.bat with malicious PowerShell commands.

This multi-stage attack chain transforms what initially appears as an authentication issue into full system compromise capability.

Securden has addressed these vulnerabilities in version 11.4.4, emphasizing the critical importance of immediate updates for all affected installations to prevent potential exploitation of these serious security flaws.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Securden Unified PAM Vulnerability Let Attackers Bypass Authentication appeared first on Cyber Security News.

A sophisticated new variant of the Hook Android banking trojan has emerged with unprecedented capabilities that position it among the most advanced mobile malware families observed to date.

This latest version, designated Hook Version 3, represents a significant evolution in Android banking malware sophistication, introducing a comprehensive arsenal of 107 remote commands with 38 newly added functionalities that blur the traditional boundaries between banking trojans, ransomware, and spyware.

The malware’s distribution strategy has expanded beyond conventional phishing websites to include GitHub repositories, where threat actors are actively leveraging the platform’s legitimacy to host and disseminate malicious APK files.

This approach provides attackers with enhanced credibility and broader reach, as victims are more likely to trust applications hosted on reputable platforms.

The GitHub distribution method has also been observed hosting other malware families including Ermac and Brokewell, indicating a systematic approach to malware-as-a-service operations.

Zimperium analysts identified several groundbreaking capabilities that distinguish this variant from its predecessors, including ransomware-style overlay attacks, fraudulent NFC interfaces, and sophisticated lock screen bypass mechanisms.

The malware maintains its foundation on Android Accessibility Services abuse while introducing transparent overlays for silent user gesture capture and real-time screen streaming capabilities that provide attackers with unprecedented device control.

Advanced Overlay Attack Mechanisms

Hook Version 3’s most notable advancement lies in its sophisticated overlay attack system, which implements multiple deception layers to capture sensitive user data.

The ransomware-style overlay functionality deploys full-screen warning messages demanding cryptocurrency payments, with wallet addresses and amounts dynamically retrieved from command-and-control servers.

The embedded HTML content within the APK enables immediate deployment when the “ransome” command is received, while the “delete_ransome” command allows remote dismissal.

The fake NFC overlay system demonstrates the malware’s evolving capabilities through the “takenfc” command, which creates deceptive Near Field Communication scanning screens using fullscreen WebView overlays.

Although the current implementation lacks complete JavaScript integration for data exfiltration, its presence indicates ongoing development toward comprehensive NFC-based social engineering attacks.

Perhaps most concerning is the lock screen bypass mechanism, which combines overlay techniques with programmatic device unlocking.

The “unlock_pin” command sequence acquires WakeLock privileges, performs swipe-up gestures to reveal lock screens, and systematically inputs captured PINs through simulated button presses, effectively circumventing Android’s primary security barrier and granting attackers complete device access for subsequent malicious activities.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Hook Android Banking Malware With New Advanced Capabilities and Supports 107 Remote Commands appeared first on Cyber Security News.

A significant milestone for cybersecurity experts is the disclosure of specific tactics, methods, and procedures (TTPs) used by Mustang Panda, an advanced persistent threat (APT) group based in China, which has illuminated their intricate activities. First observed in 2017 but potentially active since 2014, Mustang Panda is a state-sponsored actor specializing in cyber espionage, targeting […]

The post China-Based Threat Actor Mustang Panda’s TTPs Leaked appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.