Is Your Car Spying on You? What It Means That Tesla Shared Data in the Las Vegas Explosion

Many cars know where you’ve been and where you are going, and also often have access to your contacts, call logs, texts and other sensitive information thanks to cell phone syncing.

The post Is Your Car Spying on You? What It Means That Tesla Shared Data in the Las Vegas Explosion appeared first on SecurityWeek.

Source: SecurityWeek

Tenable Disables Nessus Agents Over Faulty Updates

Tenable has disabled two Nessus scanner agent versions after a differential plugin update caused the agents to go offline.

The post Tenable Disables Nessus Agents Over Faulty Updates appeared first on SecurityWeek.


Weekly Vulnerability Roundup: Highlights from SingCERT’s Security Bulletin

Overview

The Singapore Computer Emergency Response Team (SingCERT) has released its latest Security Bulletin, summarizing vulnerabilities reported in the past week from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

This bulletin provides essential insights for businesses and security professionals to mitigate risks associated with these vulnerabilities.

The vulnerabilities have been categorized based on the Common Vulnerability Scoring System v3 (CVSSv3) base scores, which assess their severity levels:

  • Critical: CVSS score of 9.0 to 10.0
  • High: CVSS score of 7.0 to 8.9
  • Medium: CVSS score of 4.0 to 6.9
  • Low: CVSS score of 0.1 to 3.9
  • None: CVSS score of 0.0

Let’s take a closer look at the critical vulnerabilities reported this week and the potential threats they pose.

Critical Vulnerabilities

  1. CVE-2024-56064
    Product: Azzaroco WP SuperBackup
    Description: This vulnerability allows unrestricted uploads of malicious files, such as web shells, to the server. Successful exploitation lets attackers execute arbitrary code.
    Affected Versions: Up to 2.3.3
    CVSS Score: 10.0
  2. CVE-2024-56046
    Product: VibeThemes WPLMS
    Description: Similar to the above, this vulnerability allows attackers to upload malicious files, compromising server integrity.
    Affected Versions: Up to 1.9.9
    CVSS Score: 10.0
  3. CVE-2024-56799
    Product: Simofa (Static Website Deployment Tool)
    Description: A design flaw in the RouteLoader class leaves certain API routes accessible without authentication.
    Affected Versions: Prior to 0.2.7
    CVSS Score: 10.0
  4. CVE-2024-8950
    Product: Arne Informatics Piramit Automation
    Description: A blind SQL injection vulnerability that could expose sensitive data.
    Affected Versions: Before 27.09.2024
    CVSS Score: 9.9
  5. CVE-2024-56066
    Product: Inspry Agency Toolkit
    Description: A missing authorization vulnerability that allows privilege escalation, compromising user roles and permissions.
    Affected Versions: Up to 1.0.23
    CVSS Score: 9.8
  6. CVE-2024-13061
    Product: Electronic Official Document Management System (2100 Technology)
    Description: Authentication bypass vulnerability where attackers can deceive the server to obtain user tokens, granting unauthorized access.
    CVSS Score: 9.8
  7. CVE-2024-12108
    Product: WhatsUp Gold
    Description: Public API vulnerability allowing attackers to gain unauthorized access to the server.
    Affected Versions: Released before 2024.0.2
    CVSS Score: 9.6

Other Notable Vulnerabilities

  • CVE-2024-47919
    Product: Tiki Wiki CMS
    Description: OS Command Injection vulnerability, potentially allowing attackers to execute arbitrary commands.
    CVSS Score: 9.8
  • CVE-2024-11281
    Product: WooCommerce Point of Sale Plugin
    Description: Insufficient validation on user IDs allows unauthenticated attackers to change admin account emails and reset passwords.
    CVSS Score: 9.8
  • CVE-2024-54450
    Product: Kurmi Provisioning Suite
    Description: Forged IP addresses in authentication logs may deceive admins, complicating forensic investigations.
    CVSS Score: 9.4
  • CVE-2024-56431
    Product: libtheora
    Description: Integer overflow in the Huffman tree unpacking functionality, leading to potential memory corruption.
    CVSS Score: 9.8

Vulnerabilities in Focus

The bulletin highlighted recurring patterns among this week’s critical vulnerabilities:

  • Privilege Escalation: Many vulnerabilities, such as those in AI Magic, Simple Dashboard, and SSL Wireless SMS Notification, involve incorrect privilege assignments, enabling attackers to escalate their privileges.
  • SQL Injection: Products like SmartAgent and VibeThemes WPLMS suffer from SQL injection vulnerabilities, exposing sensitive databases.
  • Authentication Bypass: Products such as Electronic Official Document Management System and Kurmi Provisioning Suite lack robust authentication mechanisms, allowing attackers unauthorized access.

What This Means for Organizations

These vulnerabilities underline the importance of patch management and proactive monitoring. Affected organizations must:

  1. Apply Patches Promptly: Ensure that systems and software are updated with the latest security patches as soon as possible.
  2. Strengthen Access Controls: Implement robust authentication and privilege management mechanisms to minimize unauthorized access.
  3. Conduct Regular Security Audits: Periodic vulnerability assessments and penetration tests can help identify and fix weaknesses.
  4. Educate Employees: Train staff on cybersecurity best practices, especially for avoiding phishing and social engineering attacks that exploit these vulnerabilities.

Conclusion

The SingCERT Security Bulletin serves as a vital resource for identifying and addressing vulnerabilities that could significantly impact organizations. By taking immediate action on these critical threats, businesses can safeguard their systems, data, and users from exploitation.

For detailed information, visit the full report at SingCERT’s Security Bulletin.

Source: https://www.csa.gov.sg/alerts-advisories/security-bulletins/2025/sb-2025-001

The post Weekly Vulnerability Roundup: Highlights from SingCERT’s Security Bulletin appeared first on Cyble.


US Sanctions Chinese Firm Linked to Flax Typhoon Attacks on Critical Infrastructure

The US Treasury has sanctioned Chinese company Integrity Technology for supporting state-sponsored group Flax Typhoon in hacking US critical infrastructure.

The post US Sanctions Chinese Firm Linked to Flax Typhoon Attacks on Critical Infrastructure appeared first on SecurityWeek.


6 Reasons Why You Should Integrate AI in Your Business in 2025 

AI is now essential for businesses, driving efficiency, innovation, and growth. Leverage its power for better decisions, customer…

Source: Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

IT Giant Atos Responds to Ransomware Group’s Data Theft Claims

IT services giant Atos has responded to the data breach claims made by a ransomware group named Space Bears.

The post IT Giant Atos Responds to Ransomware Group’s Data Theft Claims appeared first on SecurityWeek.


Predictions for cyberthreats and trends in 2025 from Kaspersky experts | Kaspersky official blog

Every year, Kaspersky experts briefly turn into soothsayers. No, our colleagues don’t reach for crystal balls, tarot cards or horoscopes to see into the cybersecurity future; their predictions are based on an analysis of the global trends and threats we encounter in our daily work.

And they’re often spot-on: for 2024, we predicted a rise in scams tied to play-to-earn (P2E) games, the proliferation of voice deepfakes, and other trends.

Now, let’s look at which cyberthreats and trends we believe will dominate in 2025:

  • AI will become an everyday work tool.
  • Scammers will exploit new game and movie releases.
  • Subscription scams will flourish.
  • Social networks could be banned.
  • User rights over personal data will expand.

AI will become an everyday work tool

In 2025, we expect artificial intelligence to solidify its role in our everyday lives. Major platforms like Google and Bing have integrated AI into search results over the past year, and users worldwide are hooked on ChatGPT and its many counterparts. Predicting how exactly AI will develop is tricky, but one thing is certain: what’s popular with regular users is inevitably twice as popular with scammers. Therefore, we urge you to exercise caution when using AI tools — and remind you that throughout 2024, we repeatedly reported on the associated threats.

How hackers can read your chats with ChatGPT or Microsoft Copilot

How to use ChatGPT, Gemini, and other AI securely

Trojans in AI models

With the popularization of artificial intelligence in 2025, the associated risks will be seen more clearly and frequently. Malicious actors are already adept at exploiting AI, so we should expect even more problems, such as those linked to deepfakes.

Scammers look forward to new games and movies

Fraudsters never miss major releases in the entertainment industry, and 2025 will be no exception. While gamers eagerly anticipate long-awaited titles like Mafia: Old Country, Civilization VII, and Death Stranding 2, attackers are already devising new schemes involving fake preorders and digital keys. We won’t even mention the dangers of downloading games from torrent sites — the risks are abundantly clear.

Movie enthusiasts won’t be overlooked either, as scammers join the rest of us in anticipating sequels and remakes like Superman, Jurassic World Rebirth, Captain America: Brave New World, Return to Silent Hill, and Tron: Ares. Be especially cautious — fraudsters may offer tickets to early screenings, sell fake merchandise, and exploit the love of cinema in every possible way. So get some reliable protection to be entertained securely.

Subscription scams will flourish

In recent years, the world has shifted significantly toward subscription-based models for goods and services, and scammers have capitalized on the trend — just think of the fake Telegram Premium subscription scam we’ve detailed on our blog.

As the number of subscription services continues to grow, some users might be tempted to “buy a subscription at a discount” or even “download the program for free”, playing right into the hands of scammers. Remember: if it sounds too good to be true, it probably is. Download programs and apps only from official sources, and ensure your devices have reliable protection, as malware can even be found in legitimate app stores.

Social networks may be banned

In Australia, access to popular social-media platforms has already been banned for all children under 16 without exception. Ten years ago, such an initiative would have been laughed off: “Just set your age to over 16 and carry on as usual”. But advancements in AI have changed everything. Reliable age verification systems are now being implemented, making it much harder to bypass such restrictions. The future of children’s access to social media, not only in Australia but worldwide, depends largely on the effectiveness of these systems.

If successful, this practice could easily be adopted by other countries, starting with Australia’s closest economic partners. While a complete ban on social media in 2025 seems unlikely, it’s highly probable that similar practices will be introduced elsewhere, leading to restrictions for certain user groups.

User rights over personal data will expand

Good news for anyone concerned about their personal data privacy: in 2025, users will gain greater control over their information! This is thanks to the gradual expansion of rights related to data portability, which may simplify the transfer of data between the platforms processing it.

Privacy regulations such as the GDPR (EU) and CPRA (California, USA) are inspiring similar reforms across other U.S. states and in Asia. And let’s not forget the 2024 case where the European Center for Digital Human Rights upheld user rights against Meta, preventing the tech giant from using private personal data to train its AI models. So, we could see a shift in 2025 in the digital world’s balance of power — tilting it more in favor of individual users.

Source: Kaspersky official blog

Terraform Labs Founder Do Kwon Extradited to US, Faces 130-Year Sentence

SUMMARY: Do Hyeong Kwon (Do Kwon), the 33-year-old co-founder and former CEO of Terraform Labs, has been extradited…

Source: Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

Tenable CEO Amit Yoran Dead at 54

Tenable CEO and cybersecurity industry veteran Amit Yoran has passed away at the age of 54 after a battle with cancer.

The post Tenable CEO Amit Yoran Dead at 54 appeared first on SecurityWeek.


Tenable CEO Amit Yoran dies

Longtime entrepreneur and cybersecurity executive Amit Yoran passed away Friday after a battle with cancer. Cybersecurity company Tenable, where Yoran was CEO and chairman, announced his death in a press release. Before becoming Tenable’s CEO in 2016, he held a number of roles including president of RSA, founding CEO of NetWitness, and CEO of In-Q-Tel. […]

© 2024 TechCrunch. All rights reserved. For personal use only.

Source: Security News | TechCrunch