Overview

phpMyAdmin, a popular web-based tool for managing MySQL and MariaDB databases, has recently released version 5.2.2, addressing multiple vulnerabilities that posed a medium severity risk. This widely-used tool is a basis for database administrators, offering strong features and ease of use. However, the vulnerabilities discovered could potentially expose users to risks such as unauthorized actions, session hijacking, and data theft.

The update resolves two cross-site scripting (XSS) vulnerabilities (CVE-2025-24530 and CVE-2025-24529) and a potential issue in the glibc/iconv library (CVE-2024-2961). These vulnerabilities underline the importance of staying up to date with security patches to safeguard sensitive data and ensure secure database management.

According to the advisory:

• Reported By: The vulnerability was reported by a security researcher identified as “bluebird.”
• Severity: Moderate.
• Solution: Users are encouraged to upgrade to version 5.2.2 or apply the patch.

Vulnerability Details

Three significant vulnerabilities were identified in phpMyAdmin versions prior to 5.2.2:

1. CVE-2025-24530: XSS in “Check Tables”

• Description: This XSS vulnerability allows an attacker to exploit the “Check Tables” feature by crafting a malicious table name. This could result in injecting malicious scripts into the application.
• Impact: Successful exploitation could lead to session hijacking, data theft, and unauthorized actions.
• CWE ID: CWE-661 (Improper Neutralization of Input During Web Page Generation).
• Fix: This issue was resolved through commit a45efd0eb9415240480adeefc587158c766bc4a0.

2. CVE-2025-24529: XSS in “Insert”

• Description: This vulnerability involves the “Insert” functionality, which could be manipulated to execute malicious scripts.
• Impact: Exploitation could compromise user accounts and sensitive data by injecting malicious code into user sessions.

3. CVE-2024-2961: Vulnerability in glibc/iconv Library

• Description: A potential issue with the glibc/iconv library could lead to arbitrary code execution under specific circumstances.
• Impact: If exploited, this vulnerability could allow attackers to execute unauthorized code, leading to system compromise.

Affected Versions and Fixed Releases

• Affected Versions: All phpMyAdmin 5.x versions prior to 5.2.2.
• Fixed Versions: phpMyAdmin 5.2.2 and newer.

The vulnerabilities have been classified as medium severity, but given the potential for significant damage, users are strongly encouraged to upgrade to the latest version immediately.

Potential Impact of Exploitation

If these vulnerabilities are exploited, the consequences could include:

• Session Hijacking: Attackers could take control of user sessions, gaining unauthorized access to sensitive data and functionalities.
• Data Theft: Sensitive information, such as database credentials or user data, could be stolen.
• Malicious Code Execution: Exploitation of the glibc/iconv vulnerability could allow attackers to run arbitrary code, potentially compromising the entire system.
• Unauthorized Actions: Malicious scripts injected into the application could execute unauthorized actions, disrupting normal operations.

Recommendations for Users

To mitigate these risks, users are advised to take the following actions immediately:

1. Upgrade to Version 5.2.2 or Later
   Ensure your phpMyAdmin installation is updated to the latest version to benefit from the security patches.
2. Apply the Patch
   If an upgrade is not immediately possible, apply the patch provided by the phpMyAdmin team for the identified vulnerabilities.
3. Monitor and Review Logs
   Regularly review application and server logs to detect any unusual activity that might indicate attempted exploitation.
4. Limit Access
   Restrict access to phpMyAdmin to trusted users and IP addresses using firewall rules or .htaccess configuration.
5. Enable Web Application Firewalls (WAFs)
   Deploy a WAF to monitor and block malicious traffic targeting known vulnerabilities.
6. Regularly Backup Databases
   Maintain frequent backups of your databases to mitigate the risk of data loss in case of a breach.

How phpMyAdmin Addresses Security

phpMyAdmin is an open-source project that has a long-standing reputation for being reliable and secure. It provides:

• Frequent Updates: The team regularly patches vulnerabilities, as demonstrated by the release of version 5.2.2.
• Extensive Documentation: Detailed guidance on operations and security measures to help users safeguard their installations.
• Community Support: phpMyAdmin has a robust community that actively reports and helps resolve security issues.
• Multi-Language Support: The tool is translated into 72 languages, making it accessible globally.

The project is also a member of the Software Freedom Conservancy, which supports free and open-source software projects.

Why Staying Updated Matters

Database management tools like phpMyAdmin are critical components of many IT infrastructures. Security vulnerabilities in such tools can expose organizations to significant risks, especially in industries like e-commerce, healthcare, and finance, where sensitive data is handled regularly.

By promptly applying updates, organizations can:

• Protect sensitive data.
• Prevent unauthorized access.
• Mitigate risks associated with zero-day vulnerabilities.

sphpMyAdmin remains a powerful tool for database management, and with continued vigilance and timely updates, users can confidently rely on it to handle their MySQL and MariaDB operations securely.

Source:

https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/91

https://www.phpmyadmin.net/security/PMASA-2025-1

https://www.phpmyadmin.net

The post phpMyAdmin 5.2.2 Addresses Critical XSS and Library Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Overview

The digital world in Southeast Asia is evolving rapidly, with nations striving to balance innovation, inclusivity, and security. The recently held 5th ASEAN Digital Ministers’ Meeting (ADGMIN) in Bangkok, Thailand, marked a significant milestone in this journey. The meeting highlighted the importance of cybersecurity in shaping a resilient digital future for the region. The ASEAN Digital Masterplan 2025 (ADM 2025) continues to serve as a guiding framework for fostering collaboration, enabling trust in digital services, and promoting the safe and inclusive use of technology.

From addressing online scams to operationalizing the ASEAN Regional Computer Emergency Response Team (CERT) and advancing AI governance, the event showcased ASEAN’s commitment to fortifying its digital ecosystem against cyber threats. With an emphasis on collaboration and proactive measures, the meeting highlighted the pressing need to enhance cybersecurity frameworks, strengthen cross-border data governance, and address emerging challenges posed by technologies like generative AI.

Key Cybersecurity Highlights

1. ASEAN Regional CERT Operationalization: One of the significant milestones discussed was the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT). This initiative aims to enhance collaboration among member states, facilitate real-time information sharing, and strengthen the region’s preparedness against cyberattacks. CERT’s operationalization highlights ASEAN’s focus on collective resilience in cyberspace.
2. Tackling Online Scams: Online scams remain a pressing issue across ASEAN. The ASEAN Working Group on Anti-Online Scams (WG-AS) released its Report on Online Scams Activities in ASEAN (2023–2024), offering insights into the threat landscape. The report outlines key recommendations for regional collaboration to combat scams effectively. The ASEAN Recommendations on Anti-Online Scams provide a framework for governments to develop policies aimed at mitigating online fraud, with a focus on cross-border scams and fraudulent activities exploiting digital platforms.
3. Promoting Responsible State Behavior in Cyberspace: ASEAN adopted the Checklist for Responsible State Behavior in Cyberspace, aligning with global norms to promote peace and security online. This initiative focuses on fostering cooperation and ensuring responsible use of digital tools while mitigating risks.
4. Strengthening Cross-Border Data Governance: Data governance was another key topic, with ASEAN showcasing its advancements in:
   • The ASEAN Model Contractual Clauses (MCCs) for trusted cross-border data flows.
   • The Operational Framework for Cross-Border Privacy Rules (CBPR) is used to align global privacy standards.
   • The ASEAN Guide on Data Anonymization enables innovative data use while ensuring privacy.

These efforts are designed to enhance trust in digital transactions and support regional and global interoperability.

5. Focus on Generative AI Governance: With the rapid adoption of generative AI, the newly expanded ASEAN Guide on AI Governance and Ethics emphasizes responsible AI deployment. Policy recommendations aim to address challenges like misinformation, biases, and cybersecurity vulnerabilities. This move positions ASEAN as a leader in ethical AI practices.

Resilient Digital Infrastructure

Cybersecurity also took the spotlight in discussions about protecting critical infrastructure:

• Submarine Cables: Recognizing their importance, ASEAN established a Working Group on Submarine Cables (WG-SC) to secure and enhance the resilience of this critical backbone of internet connectivity.
• Digital Identification Systems: Efforts to build strong digital ID systems were discussed, with ASEAN focusing on seamless, secure cross-border digital interactions.

Partnerships and Regional Collaboration

The 5th ASEAN Digital Ministers’ Meeting underscored the critical role of international partnerships in strengthening regional cybersecurity frameworks. Recognizing that cyber threats often transcend borders, ASEAN engaged dialogue partners, including China, Japan, and Russia, to deepen collaboration on cybersecurity challenges and solutions.

• China shared insights into its ongoing initiatives to fight cybercrime and protect critical infrastructure, offering opportunities for ASEAN member states to collaborate on knowledge sharing, threat intelligence, and best practices in cybersecurity.
• Japan emphasized its commitment to strengthening cybersecurity resilience across the Asia-Pacific, showcasing its advancements in secure digital infrastructure and its expertise in managing cross-border cyber risks. Through its partnership, Japan is also supporting ASEAN’s capacity-building programs to develop skilled cybersecurity professionals.
• Russia, leveraging its experience in battling cyberattacks and ransomware, highlighted the importance of establishing joint efforts for threat intelligence sharing and developing strategies to mitigate advanced persistent threats (APTs) targeting the region.

In addition to these collaborations, ASEAN reaffirmed its collective efforts to address specific threats, such as SIM card-related fraud and cross-border scams, which have been on the rise across member states.

The meeting also opened doors for expanding technical cooperation and joint training exercises, enabling member states and dialogue partners to boost their collective defense mechanisms.

By welcoming input from global players and tackling region-specific issues, ASEAN demonstrated its commitment to promoting a unified, secure digital future while strengthening its presence on the global cybersecurity stage. These partnerships are vital in ensuring that the region remains resilient in the face of evolving cyber threats and continues to thrive in its digital transformation journey.

Closing thoughts

The Bangkok Digital Declaration reaffirmed ASEAN’s focus on cybersecurity as a foundation for innovation and inclusivity. With the final review of the ASEAN Digital Masterplan 2025 (ADM 2025) underway, the groundwork is being laid for the next phase of ASEAN’s digital transformation.

By prioritizing cybersecurity and fostering collaboration, ASEAN is positioning itself as a global leader in building a secure and innovative digital ecosystem. The region’s progress at the ADGMIN meeting reflects its determination to address emerging challenges and unlock the potential of a truly connected digital future.

Source: https://asean.org/wp-content/uploads/2025/01/15-ENDORSED-JOINT-MEDIA-STATEMENT-5th-ADGSOM-v2-Cleaned.pdf

https://asean.org/joint-media-statement-of-the-5th-asean-digital-ministers-meeting-and-related-meetings

The post United Against Cybercrime: ASEAN Ministers Forge New Security Pathways appeared first on Cyble.

Blog – Cyble – ​Read More

Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

The agencies urged users to upgrade to the latest supported version of Ivanti CSA, and to conduct threat hunting on networks using recommended detection techniques and Indicators of Compromise (IoCs). 

The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain together vulnerabilities in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People’s Republic of China (PRC). 

The Ivanti CSA Exploit Chains 

CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains, first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. 

The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. 

The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0. 

The First Exploit Chain 

In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone function and execute code, which in some of the attacks consisted of base64-encoded Python scripts that harvested encrypted admin credentials from the database. 

The TAs used the credentials to log in and leverage CVE-2024-9380 to execute commands from a privileged account, using a GET request sent to /gsb/reports[.]php and a POST request using the TW_ID input field to implant web shells for persistence. 

The Second Exploit Chain 

The agencies cited just one confirmed compromise using the CVE-2024-9379 SQL injection vulnerability. 

The TAs used GET /client/index.php%3f.php/gsb/broker.php for initial access, then used CVE-2024-9379 to try to create a web shell by sending GET and POST requests to /client/index.php%3F.php/gsb/broker.php. 

The POST body used this string in the lockout attempts input box: 

LOCKOUTATTEMPTS = 1 ;INSERT INTO user_info(username, accessed, attempts) VALUES (”’echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>/.k”’, NOW(), 10) 

The LOCKOUTATTEMPTS command was handled properly by the application, but the SQL injection portion was not. Nonetheless, the application processed both commands, and the TAs were able to add a user to the user_info table. 

After they inserted valid bash code into the user_info table, the threat actors tried to log in as the user, possibly hoping the application would handle the bash code improperly. Instead of evaluating the validity of the login, the application ran echo -n TnNhV1Z1ZEM5b1pXeHdMbk>>./k as code. 

“The threat actors repeated the process of echo commands until they built a valid web shell,” FBI and CISA said. “However, there were no observations that the threat actors were successful.” 

Detecting Ivanti CSA Attacks 

Three of the victim organizations were able to rapidly detect the malicious activity and replaced affected virtual machines with clean versions. 

In one of the cases, an admin detected creation of suspicious accounts. Admin credentials were likely exfiltrated in that case, but there were no signs of lateral movement. 

A second organization had an endpoint protection platform (EPP) that detected when the TAs executed base64 encoded script to create webshells. 

A third organization used IoCs from the first two to detect malicious activity such as the download and deployment of Obelisk and GoGo Scanner, which generated logs that were used to further detect malicious activity. 

Ivanti CSA Mitigations 

The CISA and FBI advisory also contains IoCs and incident response and mitigation recommendations. The agencies noted that “Removing malicious administrator accounts may not fully mitigate risk considering threat actors may have established additional persistence mechanisms.” 

In addition to updating to the latest supported version of CSA, the mitigations generally follow security best practices: 

• Install endpoint detection and response (EDR) on the system 
• Establish a baseline and maintain detailed logs of network traffic, account behavior, and software 
• Keep operating systems, software, and firmware up to date with timely patching, which the advisory said is “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.” Organizations should patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure, and known exploited vulnerabilities in internet-facing systems should be prioritized. 
• Properly secure remote access tools with application controls and allowlisting to block unlisted applications from executing 
• Limit the use of remote desktop protocol (RDP) and other remote desktop services, and rigorously apply best practices if the services are essential 

Conclusion 

Like many joint advisories from CISA and the FBI, the Ivanti CSA advisory offers good insight into threat actor behavior and IoCs and gives organizations practical, cost-effective steps organizations can take to better secure themselves. 

Cyble’s vulnerability management service can help organizations accelerate the critical process of detecting and prioritizing internet-facing vulnerabilities as part of its top-rated, AI-powered threat intelligence platform. 

The post Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks  appeared first on Cyble.

Blog – Cyble – ​Read More

• Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as “poisoning”) in the second half of 2024.
• Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
• Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

Introduction to hidden text salting

Hidden text salting (or “poisoning”) is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

Technical explanation

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

The HTML source of the above email is shown below. The <style> tag is used to define style information for an email via CSS. Inside the <style> element, one can specify how HTML elements should render in a browser or email client. The <style> element must be included inside the <head> section of the document. In this example, threat actors have set the display property to inline-block. When inline-block is used instead of inline, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the overflow property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the LANG field of Microsoft’s X-Forefront-Antispam-Report anti-spam header. The LANG field specifies the language in which the message was written, and the X-Forefront-Antispam-Report header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft’s cloud-based filtering service.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the display property of the div element to hide the French words, thus confusing the language detection module of Microsoft.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

Mitigation

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

Advanced filtering techniques: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., “visibility: hidden”) and display (e.g., “display: none”) that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

Relying on visual features: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

Protection

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the content of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.  

Cisco Talos Blog – ​Read More

Overview 

Government entities and organizations in Ukraine are on high alert after the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a social engineering campaign targeting unsuspecting users with malicious AnyDesk requests.    

The attackers are impersonating CERT-UA, a legitimate government agency, to trick victims into granting remote access to their computers using AnyDesk, a popular remote desktop application.    

Here’s a breakdown of the attack and how to stay safe: 

Deceptive Tactics 

• Impersonation: Attackers are using the CERT-UA name, logo, and even a specific AnyDesk ID (1518341498, though this may change) to establish trust with potential victims.    
• Pretext for Access: The attackers claim to be conducting a “security audit” to check the level of protection on the target’s device.    

CERT-UA’s Clarification 

CERT-UA has confirmed that it may use remote access tools like AnyDesk in specific situations. However, they emphasize that such actions only occur “with prior approval” established through official communication channels. 

Indicators of Compromise 

• Unsolicited AnyDesk connection requests, particularly those mentioning a security audit.    
• AnyDesk requests from users named “CERT-UA” or with the AnyDesk ID 1518341498 (be wary of variations).    

Recommendations to Stay Safe 

• Be Wary of Unsolicited Requests: Never grant remote access to your device unless you have initiated the request and can confirm the identity of the person on the other end. 
• Multi-Factor Authentication: Enable multi-factor authentication on any remote access software you use for an extra layer of security. 
• Verification is Key: If you’re unsure about the legitimacy of a remote access request, contact the organization the requester claims to represent through a verified communication channel (e.g., phone number from the official website). 
• Only Use When Needed: Disable remote access software when not in use to minimize the attack surface. 
• Report Suspicious Activity: If you encounter a suspicious AnyDesk request claiming to be from CERT-UA, report it to the agency immediately. 

By following these steps, you can significantly reduce the risk of falling victim to this impersonation attempt and protect your devices from unauthorized access. 

By staying informed about common social engineering tactics and implementing strong security practices, especially during these times of heightened geopolitical tensions, you can make it significantly harder for attackers to gain a foothold in your systems. 

References: 

https://cert.gov.ua/article/6282069

The post CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits”   appeared first on Cyble.

Blog – Cyble – ​Read More