
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Apache Tomcat Vulnerability Under Active Exploitation

24-Mar-2025
Label: Vulnerability
Threat Level: Medium

CVE-2025-24813, a critical vulnerability in Apache Tomcat, is now being actively exploited in the wild, following the release of a public proof-of-concept (PoC) just 30 hours after disclosure. The flaw affects Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98, potentially leading to remote code execution (RCE) or unauthorized access to sensitive files under certain conditions. Exploitation is possible when Tomcat’s file-based session persistence is enabled with default configurations or when PUT requests are allowed for injecting arbitrary content.

The attack method consists of two main stages. First, the attacker uploads a serialized Java session file containing a Base64-encoded payload to the session storage directory via a PUT request. Then, they trigger deserialization by sending a GET request with a JSESSIONID pointing to the malicious session file. This flaw is particularly dangerous as it requires no authentication and can be exploited with minimal effort when file-based session storage is in use. Attackers will likely refine their techniques to extend the attack beyond session storage, potentially deploying malicious JSP files, altering configurations, or even installing persistent backdoors.
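The two preconditions named above (PUT accepted by the default servlet, and file-based session persistence) are both plain configuration settings, so a defender can audit for them directly. The checker below is an added example written for this page, not CyberProof's or the Apache Tomcat project's code. It assumes the standard Tomcat locations for these settings: the DefaultServlet's `readonly` init-param in `conf/web.xml` (Tomcat's default is `true`, which rejects PUT/DELETE) and a `PersistentManager` with a `FileStore` in `context.xml`. The XML fragments are constructed samples, with the weak settings beside the corrected ones.

```python
"""Audit Tomcat configuration for the two conditions the alert describes:
DefaultServlet with readonly=false (HTTP PUT accepted) and file-based
session persistence (PersistentManager + FileStore). Added example; assumes
the standard conf/web.xml and context.xml layout."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = 'org.apache.catalina.servlets.DefaultServlet'
PERSISTENT_MANAGER = 'org.apache.catalina.session.PersistentManager'
FILE_STORE = 'org.apache.catalina.session.FileStore'


def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_readonly(web_xml):
    """True if the DefaultServlet is read-only (Tomcat's default).
    'readonly' is an init-param of the servlet; absent means true."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        servlet_class, params = '', {}
        for child in servlet:
            if _local(child.tag) == 'servlet-class':
                servlet_class = (child.text or '').strip()
            elif _local(child.tag) == 'init-param':
                name = value = None
                for p in child:
                    if _local(p.tag) == 'param-name':
                        name = (p.text or '').strip()
                    elif _local(p.tag) == 'param-value':
                        value = (p.text or '').strip()
                if name is not None:
                    params[name] = value or ''
        if servlet_class == DEFAULT_SERVLET:
            return params.get('readonly', 'true').lower() != 'false'
    # No explicit declaration found: Tomcat's built-in default (readonly=true) applies.
    return True


def uses_file_session_store(context_xml):
    """True if sessions are persisted to disk via PersistentManager + FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter():
        if _local(manager.tag) != 'Manager' or manager.get('className') != PERSISTENT_MANAGER:
            continue
        for store in manager:
            if _local(store.tag) == 'Store' and store.get('className') == FILE_STORE:
                return True
    return False


def assess(web_xml, context_xml):
    """Return a list of findings (empty when neither precondition is present)."""
    findings = []
    if not default_servlet_readonly(web_xml):
        findings.append('DefaultServlet readonly=false: HTTP PUT/DELETE are accepted')
    if uses_file_session_store(context_xml):
        findings.append('PersistentManager with FileStore: sessions are deserialized from disk')
    return findings


# Constructed samples (not taken from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace('<param-value>false</param-value>',
                                        '<param-value>true</param-value>')
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
HARDENED_CONTEXT_XML = "<Context/>"

if __name__ == '__main__':
    for label, w, c in (('weak', WEAK_WEB_XML, WEAK_CONTEXT_XML),
                        ('hardened', HARDENED_WEB_XML, HARDENED_CONTEXT_XML)):
        print(label, assess(w, c) or 'no findings')
```

Run it against the real `conf/web.xml` and `context.xml` (and any per-application `META-INF/context.xml`) of each Tomcat instance; an empty result for both files removes the configuration path the alert depends on, independent of patch status.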

Veeam Backup Vulnerability Enables Remote Code Execution

24-Mar-2025
Label: Vulnerability
Threat Level: Medium

A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120 (CVSS Score 9.9), has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructures. The vulnerability stems from a deserialization flaw in the .NET-based components of Veeam Backup & Replication. These components mishandle serialized data, allowing malicious actors to craft input that executes arbitrary code on the server.

The flaw only affects installations joined to a Windows domain – a configuration many organizations adopt despite Veeam’s longstanding guidance to avoid it. In such cases, any domain user can exploit the vulnerability, regardless of their privilege level.

Cisco Smart Licensing Utility Vulnerabilities Under Active Exploitation

24-Mar-2025
Label: Vulnerability
Threat Level: Medium

Active exploitation of two recently patched critical vulnerabilities in Cisco Smart Licensing Utility has been identified. These flaws, CVE-2024-20439 (CVSS Score 9.8) and CVE-2024-20440 (CVSS Score 9.8), pose significant risks to organizations using affected Cisco products. The first vulnerability is a static credential backdoor that allows unauthenticated remote attackers to gain administrative access, while the second involves excessive information disclosure in debug log files.

The vulnerabilities are interconnected, with attackers potentially using the backdoor credentials to access sensitive log files containing additional credentials and information. Initially, no active exploitation was observed when Cisco first disclosed and patched these issues. However, following the publication of exploit details including the backdoor credentials, attack activity has been detected in the wild.

APT Campaign Exploits Windows Shortcut in Zero-Day Attack

24-Mar-2025
Label: Vulnerability
Threat Level: Medium

A critical Windows zero-day vulnerability, identified as ZDI-CAN-25373, has been actively exploited since 2017 by at least 11 state-sponsored hacking groups from countries including North Korea, Iran, Russia, and China. This flaw allows attackers to execute hidden malicious commands on victims’ machines by leveraging specially crafted Windows Shortcut (.lnk) files. By padding command-line arguments within these shortcuts with specific whitespace characters—such as spaces, tabs, and line feeds—attackers can conceal malicious commands from users inspecting the file properties, effectively hiding the true danger of the file.

Despite the severity and widespread exploitation of this vulnerability, Microsoft has classified it as low severity and does not plan to issue a security patch. Microsoft considers it a user-interface problem rather than a security flaw and advises caution when downloading files from unknown sources. Organizations are urged to implement security measures and maintain vigilance against suspicious .lnk files.
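Because the padding lives in the shortcut's COMMAND_LINE_ARGUMENTS string, it is straightforward to scan for without opening the file in Explorer. The script below is an added example written for this page, not code from CyberProof, ZDI or Microsoft. It reads the MS-SHLLINK header, skips the optional LinkTargetIDList and LinkInfo blocks, walks the StringData section to the arguments string, and flags any file whose arguments contain a long run of whitespace. The run-length threshold (30) is an assumed tuning value, and the `.lnk` bytes are constructed in the script itself (with a harmless command) so the check can run offline.

```python
"""Flag .lnk files whose command-line arguments contain long runs of whitespace,
the hiding technique described in the alert. Added example; minimal MS-SHLLINK
StringData parser, not a full shell-link implementation."""
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
PAD_CHARS = ' \t\r\n\x0b\x0c'


def extract_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string, or None if the link has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from('<I', data, 0)[0] != HEADER_SIZE:
        raise ValueError('not a shell link: bad HeaderSize')
    flags = struct.unpack_from('<I', data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from('<H', data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) covers the whole block
        pos += struct.unpack_from('<I', data, pos)[0]

    def read_string():
        # StringData: CountCharacters (2 bytes) followed by the characters
        nonlocal pos
        count = struct.unpack_from('<H', data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + count * 2], pos + count * 2
            return raw.decode('utf-16-le')
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode('latin-1')

    args = None
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            value = read_string()
            if flag == HAS_ARGUMENTS:
                args = value
    return args


def longest_whitespace_run(s):
    """Length of the longest consecutive run of padding characters in s."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch in PAD_CHARS else 0
        best = max(best, cur)
    return best


def is_suspicious(data, threshold=30):
    """True if the arguments hold a whitespace run at or above the threshold
    (assumed tuning value; legitimate shortcuts rarely exceed a few spaces)."""
    args = extract_arguments(data)
    return bool(args) and longest_whitespace_run(args) >= threshold


def build_sample_lnk(arguments, name='constructed sample'):
    """Build a minimal shell link (header + NAME + ARGUMENTS) for testing.
    Constructed fixture only; real files carry many more structures."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into('<I', header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex('0114020000000000c000000000000046')  # LinkCLSID
    struct.pack_into('<I', header, 0x14, HAS_NAME | HAS_ARGUMENTS | IS_UNICODE)
    body = b''.join(struct.pack('<H', len(s)) + s.encode('utf-16-le') for s in (name, arguments))
    return bytes(header) + body


if __name__ == '__main__':
    padded = build_sample_lnk(' ' * 200 + '/c echo test')   # harmless command, padded
    clean = build_sample_lnk('/c echo test')
    for label, blob in (('padded', padded), ('clean', clean)):
        print(label, 'suspicious' if is_suspicious(blob) else 'ok')
```

In practice, point `is_suspicious` at the bytes of `.lnk` files arriving via mail gateways, downloads folders or archive extraction, and log the whitespace run length alongside the file hash so analysts can triage hits.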

HellCat Ransomware Group Exploits Jira in Widespread Campaign

24-Mar-2025
Label: Ransomware
Threat Level: Medium

The HellCat ransomware-as-a-service operation is actively targeting exposed Jira ticketing systems worldwide, impacting several high-profile organizations. Leveraging stolen credentials and vulnerable configurations, the group has gained access to internal systems, using Jira’s central role in enterprise workflows to exfiltrate sensitive data. The campaign highlights how Jira’s integration with technical operations makes it a valuable entry point for ransomware actors.

One European technology provider confirmed its internal ticketing system had been breached, resulting in the theft of nearly 44 GB of data. Other incidents linked to the group include the exfiltration of hundreds of thousands of internal files and customer records. These attacks demonstrate the critical need to secure publicly exposed Jira instances and monitor for suspicious access behavior across development and support infrastructure.

Albabat Ransomware Expands Target Scope Across Multiple Operating Systems

24-Mar-2025
Label: Ransomware
Threat Level: Medium

New variants of the Albabat ransomware have emerged, showcasing the group’s intent to expand beyond Windows and now target Linux and macOS systems as well. These updated versions, observed in active development, leverage GitHub as part of the ransomware’s infrastructure by using it to host configuration files that define infection behavior. The malware avoids encrypting specific folders and file types while targeting a broad set of file extensions. It also terminates a list of processes to ensure successful encryption and disrupt user activity. Notably, Albabat retrieves its configuration via the GitHub API using a unique User-Agent string, demonstrating efforts to obfuscate communication and evade detection.

The ransomware gathers detailed system, user, and geolocation data from infected machines and uploads the information to a PostgreSQL database, enabling attackers to monitor infections and coordinate ransom demands. Evidence suggests that binaries for Linux and macOS exist, based on the presence of related commands and data collection scripts in the configuration. The use of a GitHub repository—still active through token-authenticated access—highlights how the group streamlines operations while maintaining operational security. Commit history and repository metadata also suggest ongoing development of an upcoming version 2.5, which includes newly added cryptocurrency wallets for ransom payments.
