US nonprofit healthcare provider says hackers stole medical and personal data of 1M+ patients

Community Health Center (CHC), a Connecticut-based nonprofit healthcare provider, has confirmed that hackers accessed the sensitive data of more than a million patients. In a filing with Maine’s attorney general on Thursday, CHC said it detected suspicious activity on its network on 2 January and determined that a “skilled criminal hacker” had accessed its network […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Security News | TechCrunch – Read More

Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered

Overview

Cyble’s weekly vulnerability insights to clients cover key vulnerabilities discovered between January 22 and January 28, 2025. The findings highlight a range of vulnerabilities across various platforms, including critical issues that are already being actively exploited.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week. Among these, the zero-day vulnerability CVE-2025-23006 stands out as a critical threat affecting SonicWall’s SMA1000 appliances.

In this week’s analysis, Cyble examines multiple vulnerabilities across widely used software tools and plugins, with particular attention to SimpleHelp remote support software, Ivanti’s Cloud Services Appliance, and issues within RealHome’s WordPress theme. As always, Cyble has also tracked underground activity, providing insights into proofs of concept (PoCs) circulating among cyber criminals.

Weekly Vulnerability Insights

1. CVE-2025-23006 – SonicWall SMA1000 Appliances (Critical Zero-Day Vulnerability)

A severe deserialization vulnerability in SonicWall’s SMA1000 series appliances has been identified as a zero-day, impacting systems that are not yet patched. With a CVSSv3 score of 9.8, this vulnerability is critical and allows remote attackers to exploit deserialization flaws, leading to the potential execution of arbitrary code.

This vulnerability was added to the KEV catalog by CISA on January 23, 2025, marking it as actively exploited in the wild. Organizations using SMA1000 appliances should prioritize patching as soon as an official update becomes available.

2. SimpleHelp Remote Support Software Vulnerabilities (Critical and High Severity)

Three vulnerabilities were discovered in SimpleHelp’s remote support software, used by IT professionals for remote customer assistance. These flaws include:

  1. CVE-2024-57726: A privilege escalation vulnerability that allows unauthorized users to gain administrative access due to insufficient backend authorization checks.
  2. CVE-2024-57727: A path traversal vulnerability that could expose sensitive configuration files, including those containing hashed passwords.
  3. CVE-2024-57728: An arbitrary code execution vulnerability that can be exploited by attackers with administrative access to upload malicious files to the server.

These vulnerabilities pose considerable risks to users of SimpleHelp, potentially leading to unauthorized access or full system compromise. The vulnerabilities have been confirmed to be actively exploited, with proof-of-concept code already circulating in underground forums.

3. CVE-2024-8963 – Ivanti Cloud Services Appliance (Critical Administrative Bypass)

Ivanti’s Cloud Services Appliance (CSA) suffers from multiple vulnerabilities that have been chained by threat actors to gain initial access and implant malicious code. The most critical issue is CVE-2024-8963, an administrative bypass flaw that allows unauthenticated attackers to exploit other vulnerabilities in the appliance. Other related flaws include:

  1. CVE-2024-9379: SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands.
  2. CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities, allowing attackers to run arbitrary code on vulnerable systems.

The severity of these vulnerabilities has prompted both CISA and the FBI to issue warnings about their active exploitation. Despite patches being available since September 2024, the ongoing exploitation of these vulnerabilities highlights the urgency of updating and patching vulnerable systems.

4. CVE-2024-32444 – RealHome WordPress Theme (Critical Privilege Escalation)

A critical privilege escalation vulnerability in the RealHome WordPress theme allows attackers to register as administrators on affected sites. This flaw enables them to take full control over websites, compromising sensitive data and content. As of January 2025, no patch has been released for this vulnerability, leaving many WordPress sites exposed.

5. CVE-2025-24085 – Apple iOS and macOS (Use-After-Free Zero-Day Vulnerability)

Apple’s iOS and macOS systems are affected by a use-after-free vulnerability in the Core Media component. This zero-day flaw, which has a CVSS score of 7.8, could allow attackers to execute arbitrary code with elevated privileges on affected devices running versions prior to iOS 17.2. While no public exploit code has been observed, the vulnerability remains a serious risk for iOS and macOS users.

Vulnerabilities Under Active Exploitation

Several vulnerabilities continue to be actively exploited, especially in high-value systems used by organizations worldwide. Among them are:

  • CVE-2024-38063: A critical Remote Code Execution (RCE) vulnerability in Windows TCP/IP, triggered by a flaw in IPv6 packet handling. This issue allows attackers to execute arbitrary code remotely, with no user interaction required, making it a “zero-click” vulnerability.
  • CVE-2024-55591: A critical authentication bypass vulnerability affecting FortiOS and FortiProxy versions 7.0.0 through 7.2.12. Attackers exploiting this flaw can bypass authentication mechanisms and gain unauthorized access to affected systems.
  • CVE-2023-32315: This vulnerability affects Ignite Realtime’s Openfire server, allowing unauthenticated attackers to perform path traversal and gain access to sensitive server files.

Cyble also noted a significant incident involving CVE-2025-0411, a critical vulnerability in 7-Zip that allows remote attackers to execute arbitrary code. A proof of concept for this flaw was shared on deep web forums, signaling increased interest among cyber criminals.

Underground Activity and Exploitation Trends

Cyble Research tracked discussions of known vulnerabilities across underground forums and Telegram channels. The most notable trends include:

  • CVE-2025-0411 (7-Zip): This flaw has been weaponized and is being sold on underground forums. Attackers can use it to execute arbitrary code on vulnerable systems.
  • CVE-2024-38063 (Windows TCP/IP): Exploit code for this vulnerability has circulated among threat actors, enabling them to remotely execute code on systems with vulnerable TCP/IP stacks.
  • CVE-2023-32315 (Openfire Server): Malicious actors are actively discussing how to exploit this path traversal flaw to gain unauthorized access to server environments.

Recommendations for Mitigating Exploitation Risks

To mitigate the risks posed by these vulnerabilities, Cyble offers the following recommendations:

  1. Regularly update all software and hardware systems with the latest patches from official vendors. Immediate patching of known exploited vulnerabilities, such as those listed in the KEV catalog, is critical.
  2. Use network segmentation to limit the exposure of critical systems to the internet. This reduces the potential attack surface and helps contain breaches if they occur.
  3. Implement a robust incident response plan, testing it regularly to ensure it aligns with emerging threats. Ensure that your organization is prepared to act quickly in the event of an attack.
  4. Educate employees and administrators on the latest phishing and social engineering tactics and how to recognize malicious activities on their networks.
  5. Enforce MFA across all sensitive systems to add an extra layer of protection against unauthorized access.

Conclusion

This week’s Weekly Vulnerability Insights report highlights the continued risks associated with high-severity vulnerabilities and emphasizes the importance of patching, monitoring, and threat intelligence sharing. Organizations must remain vigilant and ensure their systems are protected from known exploited vulnerabilities and emerging zero-day threats. Cyble’s AI-driven platforms, like Cyble Vision and Cyble Hawk, help organizations stay ahead of evolving threats. Book a free demo today and strengthen your defense against cyber adversaries with Cyble’s cutting-edge cybersecurity solutions.

The post Cyble’s Weekly Vulnerability Update: Critical SonicWall Zero-Day and Exploited Flaws Discovered appeared first on Cyble.

Blog – Cyble – Read More

NorthBay Health Data Breach Impacts 569,000 Individuals

NorthBay Health says hackers stole the personal information of 569,000 individuals in a 2024 ransomware attack.

The post NorthBay Health Data Breach Impacts 569,000 Individuals appeared first on SecurityWeek.

SecurityWeek – Read More

Dark Web Activity January 2025: A New Hacktivist Group Emerges

Overview

Cyble dark web researchers investigated more than 250 dark web claims by threat actors in January 2025, with more than a quarter of those targeting U.S.-based organizations.

Of threat actors (TAs) on the dark web targeting U.S. organizations during the month, 15 were ransomware groups claiming successful attacks or selling data from those attacks.

Ransomware group claims accounted for about 40% of the Cyble investigations. Most of the investigations examined threat actors claiming to be selling data stolen from organizations, or selling access to those organizations’ networks.

Several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.

‘Sector 16’ Teams Up With Russian Hacktivists Z-Pentest

New on the scene is a group calling itself “Sector 16,” which teamed with Z-Pentest – a threat group profiled by Cyble last month – in an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups shared a video showcasing the system interface, revealing real-time data on tank levels, pump pressures, casing pressures, and alarm management features.

Both groups put their logos on the video, suggesting a close alliance between the two (image below).

Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility’s operational data and systems. The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility’s operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access.

Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. oil well system.

Among other hacktivist groups active in January, pro-Islamic hacktivists Mr. Hamza – who united with Z-Pentest and other pro-Russian groups in European attacks in December – teamed with Velvet Team to claim responsibility for a series of Distributed Denial-of-Service (DDoS) attacks on the U.S. government and military platforms. Targeted systems include a U.S. Army development and communications network, an FBI portal for bank robbery information, and the United States Africa Command’s official platform.

Active Ransomware Groups and Targets

The 15 active ransomware groups observed by Cyble in January included:

  • CL0P
  • INC
  • Lynx
  • Akira
  • Rhysida
  • SafePay
  • RansomHub
  • Monti
  • Qilin
  • BianLian
  • Medusa
  • Cactus
  • FOG
  • LockBit
  • BlackBasta

CL0P has claimed at least 115 victims from attacks on Cleo MFT vulnerabilities.

Victims claimed by the 15 ransomware groups span a wide range of sectors, including a major port, a chip equipment maker, an automotive parts manufacturer, major universities and colleges, state and local police, defense contractors, a casino, a water utility, multiple government agencies, a food company, a plumbing equipment manufacturer, a telecom company, numerous healthcare companies, and more.

Several victims had been targeted previously by other ransomware groups.

Data Breach Claims

Some of the U.S. data breach claims Cyble investigated in January included:

A threat actor offering a SIM-swapping service targeting subscribers of a U.S.-based telecommunications service suggests that the TA may possess unauthorized access to an internal portal that facilitates such swap requests, or may be leveraging insider access.

A TA advertised a web shell and unauthorized admin access to an undisclosed U.S. government website.

Another threat actor offered unauthorized access to an undisclosed ISP, a router manufacturer, a real estate company, and a logistics and transportation organization. The TA claimed to have gained root access to the company’s servers.

One TA advertised data stolen from a large IT company, claiming that the compromised data included source code from private GitHub repos, Docker builds, certificates (private and public keys), and more.

Another TA claimed to be selling unauthorized network access to a subdomain belonging to a major retail corporation for $16,000, claiming that the access could be leveraged to illicitly execute arbitrary commands on the compromised system.

Conclusion

Dark web monitoring is an important tool for detecting leaks early before they escalate into much bigger cyberattacks and data breaches.

Along with cybersecurity best practices such as zero trust, risk-based vulnerability management, segmentation, tamper-proof backups, and network and endpoint monitoring, there are a number of ways organizations can reduce risk and limit any cyber attacks that do occur.

The post Dark Web Activity January 2025: A New Hacktivist Group Emerges appeared first on Cyble.

Blog – Cyble – Read More

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information.
The list of identified flaws, which impact versions 8.x of the software, is below –

CVE-2025-22218 (CVSS score: 8.5) – A malicious actor with View Only Admin

The Hacker News – Read More

Cybersecurity 101: Understanding Confidentiality, in the CIA Triad

Continuing with our cybersecurity fundamentals series, we’ll explore one essential concept in cybersecurity – the CIA Triad. While the acronym might evoke thoughts of a certain intelligence agency, these three letters stand for confidentiality, integrity and availability. These are the core concepts that shape modern security thinking, the actual building blocks for further concepts and the way we design…

techsplicer – Read More

Clutch Security Raises $20 Million for Non-Human Identity Protection Platform

Clutch Security has raised $20 million in a Series A funding round led by SignalFire to secure non-human identities.

The post Clutch Security Raises $20 Million for Non-Human Identity Protection Platform appeared first on SecurityWeek.

SecurityWeek – Read More

Trump Administration Faces Security Balancing Act in Borderless Cyber Landscape

What challenges will the new administration face and what might President Trump’s record on cybersecurity indicate about the likely approach in 2025 and beyond?

The post Trump Administration Faces Security Balancing Act in Borderless Cyber Landscape appeared first on SecurityWeek.

SecurityWeek – Read More

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Healthcare Sector Charts 2 More Ransomware Attacks

No ransomware group has yet claimed responsibility for either attack, and both institutions have yet to reveal what may have been stolen.

darkreading – Read More