Google on Wednesday announced the 0.1 Beta version of GUAC (short for Graph for Understanding Artifact Composition) for organizations to secure their software supply chains.
To that end, the search giant is making available the open source framework as an API for developers to integrate their own tools and policy engines.
GUAC aims to aggregate software security metadata from different sources.
Related Posts
Multiple Sonicwall VPN Vulnerabilities Let Attackers Bypass Authentication
A new security advisory has been released regarding several vulnerabilities in SonicWall’s SonicOS software, which could enable attackers to bypass authentication mechanisms.
These vulnerabilities affect a variety of SonicWall hardware products, potentially compromising network security.
Vulnerability Summary
The advisory highlights four significant vulnerabilities within the SonicOS framework:
- CVE-2024-40762 concerns the use of a cryptographically weak pseudo-random number generator (PRNG) within the SSLVPN authentication token generator. In certain scenarios this weakness lets attackers predict authentication tokens, leading to a potential authentication bypass. It carries a CVSS score of 7.1 and is classified under CWE-338.
- CVE-2024-53704 represents an improper authentication vulnerability within the SSLVPN mechanism. This flaw allows remote attackers to bypass authentication processes, posing a serious threat to network integrity. It has a CVSS score of 8.2 and falls under CWE-287.
- CVE-2024-53705 relates to a server-side request forgery (SSRF) vulnerability found in the SSH management interface of SonicOS. This vulnerability permits remote attackers to establish TCP connections to arbitrary IP addresses on any port while a user is logged into the firewall. It is rated with a CVSS score of 6.5 and classified under CWE-918.
- CVE-2024-53706 highlights a local privilege escalation vulnerability specifically in the Gen7 SonicOS Cloud platform, affecting the AWS and Azure editions. It allows low-privileged, authenticated users to escalate their privileges to root, potentially leading to unauthorized code execution. It has a CVSS score of 7.8 and is categorized under CWE-269.
Affected Products
These vulnerabilities affect various models of SonicWall hardware firewalls and the Gen7 Cloud platform. The table below summarizes the relevant CVEs and affected versions:
| CVE ID | Affected Products | Fixed Version |
|---|---|---|
| CVE-2024-40762 | Gen6 and Gen7 Firewall series | 7.0.1-5165 and higher |
| CVE-2024-53704 | Gen6 and Gen7 Firewall series | 7.1.3-7015 and higher |
| CVE-2024-53705 | Gen6 and Gen7 Firewalls | 7.0.1-5165 and higher |
| CVE-2024-53706 | Gen7 Cloud NSv (AWS and Azure editions only) | 7.1.3-7015 and higher |
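The advisory table gives one fixed build per CVE, so the practical question for an operator is which firewalls in an inventory still fall below those builds. The script below is an added example, not code from the article or from SonicWall: it parses Gen7 SonicOS version strings of the form `major.minor.patch-build` (as in the table), compares them component by component against the fixed versions listed above, and reports the CVEs still outstanding for each device. It assumes "and higher" means a plain numeric comparison of those four components and that Gen6 firmware, which uses a different version scheme, is handled separately; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed Gen7 SonicOS builds per CVE, copied from the advisory table above.
FIXED_VERSIONS = {
    "CVE-2024-40762": "7.0.1-5165",
    "CVE-2024-53704": "7.1.3-7015",
    "CVE-2024-53705": "7.0.1-5165",
    "CVE-2024-53706": "7.1.3-7015",
}

# Gen7 version strings look like "7.0.1-5165": major.minor.patch-build.
# Gen6 firmware uses a different scheme and is deliberately rejected here (assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Turn a SonicOS Gen7 version string into a tuple that compares numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version: str, cve: str) -> bool:
    """True when the running build is at or above the fixed build for the given CVE."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[cve])


def outstanding_cves(version: str) -> list:
    """CVEs from the advisory that the given build does not yet contain a fix for."""
    return sorted(cve for cve in FIXED_VERSIONS if not is_fixed(version, cve))


def triage_inventory(inventory: dict) -> dict:
    """Map firewall name -> outstanding CVEs, listing only devices that need an upgrade."""
    result = {}
    for name, version in inventory.items():
        cves = outstanding_cves(version)
        if cves:
            result[name] = cves
    return result


if __name__ == "__main__":
    # Constructed sample inventory: names and builds are made up for illustration.
    sample_inventory = {
        "fw-edge-1": "7.0.1-5050",   # below every fixed build
        "fw-edge-2": "7.0.1-5165",   # fixed for the 7.0.1 CVEs, not for the 7.1.3 ones
        "fw-dc-1": "7.1.3-7015",     # fully patched against this advisory
    }
    for name, cves in triage_inventory(sample_inventory).items():
        print(f"{name}: upgrade needed for {', '.join(cves)}")
```

Because the comparison is on a four-component tuple, a build such as 7.0.1-5165 correctly satisfies the 7.0.1-5165 fixes while still being flagged for the two CVEs whose fix is 7.1.3-7015.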
SonicWall has not found any evidence of these vulnerabilities being exploited in the wild. However, the company strongly urges users to upgrade their SonicWall firewall products to the latest patched versions available on the SonicWall website.
Additionally, users should limit access to SSLVPN and SSH management to trusted sources or disable these features if not in use. For further information on securing your systems, users can refer to SonicWall’s technical support.
By addressing these vulnerabilities swiftly, IT departments can better protect their networks against potential attacks, ensuring the integrity and confidentiality of their data.
The post Multiple Sonicwall VPN Vulnerabilities Let Attackers Bypass Authentication appeared first on Cyber Security News.
2,048 Ivanti VPN Instances Vulnerable to Exploited Zero-Day Attacks
A critical security vulnerability in Ivanti Connect Secure VPN appliances has left 2,048 instances worldwide exposed to potential exploitation, with the United States hosting the highest number of vulnerable systems.
The vulnerability, tracked as CVE-2025-0282, has been actively exploited since mid-December 2024.
The vulnerability is a critical stack-based buffer overflow with a CVSS score of 9.0 that allows unauthenticated remote code execution. It affects multiple Ivanti products, including Connect Secure versions prior to 22.7R2.5, Policy Secure prior to 22.7R1.2, and Neurons for ZTA gateways prior to 22.7R2.3.
Shadowserver observed that 2,048 instances worldwide are vulnerable.
We have started reporting unpatched Ivanti Connect Secure instances likely vulnerable to the new known to be exploited in the wild CVE-2025-0282.
We see 2048 likely vulnerable instances worldwide on 2024-01-09. Top: US
Dashboard overview by country: https://t.co/curshSlWem pic.twitter.com/feZDRXw2TH
— The Shadowserver Foundation (@Shadowserver) January 10, 2025
Mandiant’s investigation revealed that threat actors are executing sophisticated attacks using version-specific exploitation techniques. The attack sequence typically involves:
- Initial reconnaissance to identify appliance versions
- Disabling of security features, including SELinux
- Filesystem remounting for write access
- Deployment of web shells for persistence
- Removal of log entries to avoid detection
The exploitation has been linked to UNC5337, a China-nexus threat group, though multiple threat actors appear to be involved.
The attackers have deployed various malware families, including DRYHOOK and PHASEJAM, demonstrating sophisticated capabilities in maintaining persistent access and facilitating data theft.
Mitigation Steps
Ivanti has released emergency patches for Connect Secure (version 22.7R2.5), while updates for Policy Secure and Neurons for ZTA are scheduled for January 21, 2025. The company strongly recommends that organizations:
- Immediately apply available patches
- Monitor systems using the Integrity Checker Tool (ICT)
- Perform both internal and external ICT scans
- Conduct factory resets before upgrading to the latest version
The widespread exploitation of this vulnerability follows a pattern of critical zero-day attacks against Ivanti products, including previous incidents that affected major organizations and government agencies.
With thousands of systems still vulnerable, security experts warn of a potential escalation in exploitation attempts by both nation-state actors and cybercriminal groups.
The post 2,048 Ivanti VPN Instances Vulnerable to Exploited Zero-Day Attacks appeared first on Cyber Security News.
Malware Found in Healthcare Patient Monitors Linked to Chinese IP Address
A critical cybersecurity vulnerability has been uncovered in Contec CMS8000 patient monitors, revealing embedded malware that poses significant risks to patient safety and data security.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that the devices include a backdoor linked to a hard-coded IP address associated with a Chinese university.
The Contec CMS8000 patient monitor, widely used in hospitals and healthcare facilities, was found to have three major vulnerabilities.
CISA analysts reported the following three vulnerabilities:
- Out-of-Bounds Write (CWE-787):
  - Attackers can exploit this flaw by sending specially crafted UDP requests, enabling remote code execution.
  - CVE-2024-12248 has been assigned to this vulnerability with a CVSS v4 score of 9.3, indicating critical severity.
- Hidden Backdoor Functionality (CWE-912):
  - The device’s firmware contains a backdoor that sends patient data to a hard-coded IP address and allows remote file uploads.
  - The backdoor executes commands such as `ifconfig eth0 up` to enable network connectivity and mounts a remote NFS share at `/mnt/`.
  - CVE-2025-0626 is associated with this issue, with a CVSS v4 score of 7.7.
- Privacy Leakage (CWE-359):
  - Patient data, including names, IDs, and medical details, is transmitted in plain text over port 515 to the hard-coded IP.
  - This vulnerability (CVE-2025-0683) has a CVSS v4 score of 8.2.
Impact
These vulnerabilities enable attackers to remotely execute arbitrary code on the devices, exfiltrate sensitive patient information, and modify device configurations, which could result in incorrect vital sign readings.
The malware’s behavior was confirmed through reverse engineering of the firmware, which revealed suspicious network traffic directed to the Chinese IP address. Notably, the backdoor bypasses logging mechanisms, making detection difficult.
Despite repeated notifications from CISA, Contec Health has not provided effective patches. The vulnerabilities persist even in updated firmware versions. Hospitals are advised to monitor these devices closely for signs of tampering or abnormal behavior.
Forensic analysis suggests that this backdoor may be part of broader state-sponsored cyber activities aimed at healthcare systems globally. With healthcare increasingly reliant on interconnected devices, robust cybersecurity measures are more critical than ever.
CISA and the FDA recommend immediate action to secure Contec CMS8000 monitors by disconnecting them from networks, implementing firewalls to block unauthorized access, and using subnet isolation for medical devices.
Additionally, regularly updating firmware and applying patches when available helps mitigate security risks.
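The three findings above translate into network behaviour a hospital can watch for even without a vendor patch: a monitor sending traffic on port 515 to anything other than its central station, a monitor mounting a remote NFS share, a monitor reaching any address outside its allow-list, and unsolicited inbound UDP toward a monitor. The script below is an added example, not code from CISA, the FDA or the article: it runs those checks over simplified NetFlow-style CSV records. It assumes the monitors live on an isolated VLAN (10.20.30.0/24) and are allowed to talk only to a central station at 10.20.31.5, that the remote NFS share uses the standard port 2049, and it uses the documentation address 203.0.113.77 as a stand-in for the hard-coded IP, which the advisory does not name here. The sample flow records are constructed.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the advisory): monitors sit on an isolated VLAN and may
# talk only to the central station, which sits outside that VLAN.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.20.31.5")}

# Ports tied to the backdoor behaviour: 515 carries the plaintext patient data
# (from the advisory); 2049 is assumed here to be the port of the remote NFS share.
SUSPECT_PORTS = {
    515: "plaintext patient data to hard-coded IP (CVE-2025-0683)",
    2049: "remote NFS share mount by backdoor (CVE-2025-0626)",
}

INBOUND_UDP_REASON = "unsolicited inbound UDP to monitor (CVE-2024-12248 attack surface)"
OUTSIDE_ALLOWLIST_REASON = "monitor contacting a destination outside its allow-list"


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def analyse_flows(flow_csv: str) -> list:
    """Return one Finding per flow that violates the expected behaviour of the monitor segment."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        proto = row["proto"].lower()
        dport = int(row["dport"])
        if src in MONITOR_SUBNET and dst not in ALLOWED_PEERS:
            # Outbound from a monitor to anything but the central station; name the
            # backdoor port if it is one of the two the advisory describes.
            reason = SUSPECT_PORTS.get(dport, OUTSIDE_ALLOWLIST_REASON)
            findings.append(Finding(str(src), str(dst), proto, dport, reason))
        elif dst in MONITOR_SUBNET and proto == "udp" and src not in ALLOWED_PEERS:
            # Inbound UDP from an unexpected source is the surface the crafted-UDP flaw needs.
            findings.append(Finding(str(src), str(dst), proto, dport, INBOUND_UDP_REASON))
    return findings


def summarise(findings: list) -> dict:
    """Count findings per reason for a quick triage view."""
    counts = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


# Constructed sample flow records. 203.0.113.77 is a documentation-range placeholder
# standing in for the hard-coded address the advisory refers to.
SAMPLE_FLOWS = """src,dst,proto,dport
10.20.30.11,10.20.31.5,tcp,515
10.20.30.11,203.0.113.77,tcp,515
10.20.30.12,203.0.113.77,tcp,2049
10.20.30.12,10.20.40.8,tcp,443
198.51.100.4,10.20.30.13,udp,5353
10.20.31.5,10.20.30.13,udp,5353
10.20.40.8,203.0.113.77,tcp,515
"""

if __name__ == "__main__":
    for finding in analyse_flows(SAMPLE_FLOWS):
        print(f"{finding.src} -> {finding.dst}:{finding.dport}/{finding.proto}: {finding.reason}")
    print(summarise(analyse_flows(SAMPLE_FLOWS)))
```

Note that the first sample flow (port 515 to the central station) produces no finding: the port alone is not the signal, the destination is, which is why the allow-list rather than a port block is the anchor of the check. The last sample flow is ignored because its source is not a monitor, keeping the detection scoped to the isolated segment CISA and the FDA recommend.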
The post Malware Found in Healthcare Patient Monitors Linked to Chinese IP Address appeared first on Cyber Security News.