Proximus Luxembourg CSIRT

977 posts

@PXS_LU_CSIRT

Proximus Luxembourg Cyber Security Incident Response Team

Luxembourg, joined April 2020
360 Following, 257 Followers

Proximus Luxembourg CSIRT retweeted
Florian Roth ⚡️ @cyb3rops
MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB
- unauthenticated memory disclosure
- public POC, trivial to exploit
- leaks creds, tokens, cloud keys straight from RAM
- huge exposed surface on the internet
Good writeups and technical details here:
doublepulsar.com/merry-christma…
ox.security/blog/attackers…
blog.ecapuano.com/p/hunting-mong…
Patch fast, rotate secrets, and assume exposed instances were scanned(!)

Proximus Luxembourg CSIRT retweeted
ZoomEye @zoomeye_team
🚨🚨 CVE-2025-55182 (CVSS 10.0): RCE in React Server Components
A decoding bug in React Server Function payloads enables full unauthenticated RCE on vulnerable RSC backends.
🔥PoC: github.com/ejpir/CVE-2025…
Search by vul.cve Filter👉vul.cve="CVE-2025-55182"
ZoomEye Dork👉http.body="react.production.min.js" || http.body="React.createElement(" || app="React Router" || app="React.js"
3.1M+ exposed React targets.
ZoomEye Link: zoomeye.ai/searchResult?q…
Refer:
1. react.dev/blog/2025/12/0…
2. hub.zoomeye.ai/detail/6930f01…
#RCE #ZoomEye #cybersecurity #infosec #OSINT

Proximus Luxembourg CSIRT retweeted
FOFA @fofabot
⚠️⚠️ CVE-2025-55182 (CVSS 10.0) && CVE-2025-66478 (CVSS 10.0): Catastrophic React Flaw allows Unauthenticated RCE on Next.js and React Server Components.
🔥PoC:
github.com/ejpir/CVE-2025…
github.com/BankkRoll/Quic…
🔗FOFA Link: en.fofa.info/result?qbase64…
🎯8.7M Results are found on the en.fofa.info nearly year.
FOFA Query: app="NEXT.JS" || app="React.js"
🔖Refer: securityonline.info/catastrophic-r…
#OSINT #FOFA #CyberSecurity #Vulnerability

Proximus Luxembourg CSIRT retweeted
The Shadowserver Foundation @Shadowserver
Proud to once again support our LE partners in Operation Endgame Season 3
86M stolen data items from 525K victim IPs across 226 countries included in our new Rhadamanthys Historic Bot Victims Special Report, run overnight 2025-11-12
More details: shadowserver.org/news/rhadamant…

Proximus Luxembourg CSIRT retweeted
CISA Cyber @CISACyber
🚨 Nation-state affiliated threat actors have compromised F5’s systems & downloaded portions of its BIG-IP source code—posing serious risk to FCEB agencies. Follow the guidance in ED 26-01 immediately to protect systems from potential exploits. 🔗 go.dhs.gov/isY

Proximus Luxembourg CSIRT retweeted
Florian Roth ⚡️ @cyb3rops
What really bothers me is that neither F5’s statement nor the attestation letters from NCC Group or IOActive mention when the breach actually happened. They only say that F5 “learned” about it in August 2025. That’s not when it started.
There must be forensic evidence pointing to the first signs of compromise - timestamps, login traces, file access logs, anything.
Was it weeks before they noticed? Months? Maybe even years? They don’t say. Not even approximately.
When companies omit that detail, it’s usually one of two things:
- They genuinely have no clue when the attackers got in (which would be disastrous), or
- They know it started long before discovery and don’t want to admit how far back it goes.
Either way, that’s the part that stinks the most.
Florian Roth ⚡️ @cyb3rops

F5 Breach my.f5.com/manage/s/artic…


Proximus Luxembourg CSIRT retweeted
Cyber Security News @The_Cyber_News
⚠️ OpenSSH Vulnerability Exploited Via ProxyCommand to Execute Remote Code
Read more: cybersecuritynews.com/openssh-vulner…
A new command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, has been disclosed, which could allow an attacker to achieve remote code execution on a victim's machine.
The core of the vulnerability lies in OpenSSH's failure to properly sanitize control characters, such as newlines, within usernames. An attacker can create a username that includes a newline character followed by a malicious command.
When a shell like Bash, Fish, or csh processes the ProxyCommand, the crafted syntax error on the first line causes the command to fail, but the shell does not exit.
#cybersecuritynews #vulnerability

Proximus Luxembourg CSIRT retweeted
Florian Roth ⚡️ @cyb3rops
What’s much more interesting to me than detecting vulnerable services from server responses is detecting exploited services from log files.
Detecting services by server responses is useful, especially for red teams and anyone scanning their own network, but it’s only the first step.
If you’ve found vulnerable hosts you NEED indicators to assess whether they’re already compromised: log lines showing exploitation - request lines, error traces, odd referrer strings, replayed payloads. IOCs in log form are equally important.
I wrote a YARA rule four days ago based on the leaked PoC but have no proof it works as expected. Would appreciate any help - raw log entries, request samples, or rule snippets that show real exploitation.
Rishi @rxerium

🚨 Critical zero-day tagged as CVE-2025-61882 (CVSS 9.8) affecting Oracle E-Business Suite
I've created a vulnerability detection script here: github.com/rxerium/CVE-20…
This vulnerability is remotely exploitable without authentication.
Patches are available as per Oracle's Security Advisory: oracle.com/security-alert…


Proximus Luxembourg CSIRT retweeted
Rapid7 @rapid7
On 10/4/25, #Oracle published an advisory & patch for CVE-2025-61882 – an RCE vuln affecting the Oracle Concurrent Processing product within E-Business Suite (EBS). Claims of exploitation in-the-wild at the hands of #Cl0p are supported. More in our blog: r-7.co/46VXYbM

Proximus Luxembourg CSIRT retweeted
The Hacker News @TheHackersNews
🚨 Oracle just rushed a patch for CVE-2025-61882 — a 9.8 critical flaw in E-Business Suite already exploited by Cl0p in live data theft attacks. The zero-day lets attackers seize control without a username or password. Experts warn many may already be breached. Details here ↓ thehackernews.com/2025/10/oracle…

Proximus Luxembourg CSIRT retweeted
Defused @DefusedCyber
Cisco ASA/FP - Be on the lookout for calls to these URLs 👇
GET /+CSCOU+/MacTunnelStart.jar
GET /+CSCOL+/csvrloader64.cab
GET /+CSCOL+/csvrloader.jar
- Contain the Cisco SSL VPN Relay Loader
- Likely used for version fingerprinting
(CVE-2025-20333 / CVE-2025-20362)

Proximus Luxembourg CSIRT retweeted
Simo @SimoKohonen
Cisco ASA/Firepower - Be on the lookout for this url 👇 (/+CSCOL+/csvrloader64.cab)
- Contains an archive for the Cisco SSL VPN Relay Loader
- Likely can be used for version fingerprinting (little info out there about the loader)
(CVE-2025-20333 / CVE-2025-20362)

Proximus Luxembourg CSIRT retweeted
Rapid7 @rapid7
🚨 On September 25, 2025, #Cisco published advisories for 3 vulnerabilities affecting multiple different Cisco products. CVE-2025-20333 & CVE-2025-20362 are known to be exploited in the wild; CVE-2025-20363 is at high risk thereof. More in our blog: r-7.co/4pLZs0Y

Proximus Luxembourg CSIRT retweeted
Rishi @rxerium
Current exposure to recently disclosed zero day vulnerability (CVE-2025-20333) affecting Cisco ASA Panels
55,852 panels exposed to the internet as of 25/09
Shodan query: product:"Cisco ASA SSL VPN"

Proximus Luxembourg CSIRT retweeted
Defused @DefusedCyber
Another Cisco 0-Day Alert 🚨
Two zero-day vulnerabilities actively being exploited in Cisco ASA and FTD (CVE-2025-20333 and CVE-2025-20362)
We have added a Cisco ASA decoy into the free decoy templates - go hunt that 0day!
👉 console.defusedcyber.com/signup

Proximus Luxembourg CSIRT retweeted
Thomas Roccia 🤘 @fr0gger_
👀 New Microsoft threat report shows how attackers are using AI for evasion and obfuscation in a phishing campaign!
One part is very interesting, the team spotted 5 AI fingerprints in the code. But instead of hiding the attack (the initial goal), these fingerprints actually became detection artefacts!
Here are the 5 fingerprints you have probably already seen some of them in the wild:
・Overly descriptive and redundant naming
・Modular and over-engineered code structure
・Generic comments
・Formulaic obfuscation techniques
・Unusual use of CDATA and XML declaration
Blog: microsoft.com/en-us/security…

Proximus Luxembourg CSIRT retweeted
CISA Cyber @CISACyber
🚨 A self-replicating worm known as Shai-Hulud has compromised over 500 packages in the world’s largest JavaScript registry npm—causing widespread supply chain issues. Review detection and remediation recommendations in our alert 👉 go.dhs.gov/iAY

Proximus Luxembourg CSIRT retweeted