Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Two Critical Vulnerabilities Under Active Exploitation
Two security flaws affecting widely-used enterprise software have been added to the catalog of actively exploited vulnerabilities, signaling immediate danger to organizations. The vulnerabilities impact office productivity software and infrastructure management platforms, with one receiving the maximum severity rating.
The first vulnerability, CVE-2009-0556 (CVSS score 8.8), is a code injection vulnerability in Microsoft Office PowerPoint that allows remote attackers to execute arbitrary code through memory corruption. The second, CVE-2025-37164 (CVSS score 10.0), is a code injection vulnerability in HPE OneView that allows a remote, unauthenticated user to achieve remote code execution.
While specific details about the scope and origin of active exploitation campaigns remain undisclosed, the addition of these vulnerabilities to the known exploited catalog confirms real-world attacks are occurring. The public availability of working exploit code for the infrastructure management vulnerability has created an urgent situation, as threat actors can now readily weaponize the flaw against unpatched systems. Organizations running affected versions face significant exposure until patches are deployed across their environments.
Veeam Backup Software Critical RCE Vulnerability Patched
Veeam has released critical security patches for its Backup & Replication software version 13, addressing four vulnerabilities that enable remote code execution. The most severe flaw, CVE-2025-59470 (CVSS 9.0), allows privileged operators to execute arbitrary code, posing significant risks to backup infrastructure integrity.
The vulnerabilities stem from insufficient input validation in backup operations, allowing users holding the Backup Operator or Tape Operator roles to escalate privileges. CVE-2025-59470 enables remote code execution as the postgres database user through malicious interval or order parameters. CVE-2025-55125 (CVSS 7.2) permits root-level code execution via crafted backup configuration files, while CVE-2025-59469 (CVSS 7.2) allows arbitrary file writes with root privileges. Additionally, CVE-2025-59468 (CVSS 6.7) affects Backup Administrator accounts through password parameter manipulation.
Given that backup systems serve as critical recovery infrastructure and are frequent targets for ransomware groups seeking to prevent data restoration, these security gaps represent substantial operational risks for organizations relying on Veeam’s backup solutions.
BreachForums User Database Leak Exposes Underground Community
A database containing details of roughly 324,000 users from BreachForums was leaked online, exposing usernames, email addresses, password hashes, and account-related metadata linked to one of the most prominent cybercrime forums. While forum administrators disputed the incident and claimed the data originated from an old backup, the dataset appears authentic and highlights continued instability following repeated takedowns and internal disputes. Large-scale exposure of criminal communities remains rare, and this incident shows that even well-established malicious ecosystems are vulnerable to the same operational failures they exploit in victims. Beyond the risk to individual users, the leak has broader defensive value: it disrupts trust, hinders recruitment, and enables independent analysis that may help weaken and deter future participation in cybercriminal networks.
Email Authentication Failures Enable Internal Spoofing
Phishing actors are exploiting complex email routing scenarios and misconfigured spoof protections to deliver convincing spoofed emails that appear to originate from within target organizations. This attack vector has gained increased visibility since May 2025, enabling threat actors to bypass traditional email security measures and deliver credential phishing campaigns and financial scams that appear as internal communications.
The attack leverages organizations with MX records not pointing directly to Office 365 and improperly configured DMARC, SPF, and DKIM protections. Threat actors send emails where the recipient’s address appears in both “To” and “From” fields, making messages appear internally generated. These campaigns primarily utilize Tycoon2FA phishing-as-a-service platforms, employing lures themed around voicemail notifications, password resets, HR communications, and shared documents. The phishing infrastructure uses nested Google Maps URLs redirecting to actor-controlled domains, which then load custom CAPTCHA pages before directing victims to credential harvesting sites.
Beyond credential theft, attackers have expanded to financial scams targeting accounting departments with fake invoice schemes. These messages masquerade as email threads between executives and vendors, requesting urgent payments to fraudulent bank accounts. Email headers reveal authentication failures with SPF soft/hard fails, DMARC failures, and DKIM set to none, while X-MS-Exchange-Organization-InternalOrgSender shows True despite external origin. The combination of sophisticated social engineering and technical exploitation of email routing misconfigurations makes these attacks particularly effective against organizations lacking proper spoof protection enforcement.
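The header pattern described above (an internal From domain, SPF soft/hard fail, DMARC fail, DKIM none, and X-MS-Exchange-Organization-InternalOrgSender: True) can be checked mechanically at the mail gateway or in a SIEM. The following is an added illustration, not CyberProof's tooling or code from the campaign write-up: the two sample messages, the `example.com` organisation domain and the function names are constructed for this example. It also includes a small DMARC record check, since the alert attributes the exposure partly to improperly configured DMARC.

```python
"""Flag mail that claims an internal sender but fails authentication.

Added illustration. Header names follow the alert text; the sample
messages, INTERNAL_DOMAINS and all function names are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # constructed: the protected organisation

# Constructed sample: the self-addressed "internal" lure described in the alert.
SPOOFED = """From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Subject: New voicemail (0:42)
Authentication-Results: spf=softfail (sender IP is 203.0.113.7)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=example.com
X-MS-Exchange-Organization-InternalOrgSender: True

You have a new voicemail waiting.
"""

# Constructed sample: a genuinely internal, fully authenticated message.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch
Authentication-Results: spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com
X-MS-Exchange-Organization-InternalOrgSender: True

Lunch at 12?
"""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(value), re.I):
            out[mech.lower()] = result.lower()
    return out


def domain_of(header_value):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def classify(raw):
    """Return a list of findings for one raw message; empty means nothing suspicious."""
    msg = message_from_string(raw, policy=default)
    findings = []
    from_dom = domain_of(msg["From"])
    if from_dom not in INTERNAL_DOMAINS:
        return findings  # external senders are handled by ordinary anti-spoof policy
    to_doms = {domain_of(a) for a in str(msg.get("To", "")).split(",")}
    auth = auth_results(msg)
    org_flag = str(msg.get("X-MS-Exchange-Organization-InternalOrgSender", "")).strip().lower() == "true"

    if auth.get("spf") in {"fail", "softfail"}:
        findings.append(f"spf={auth['spf']} for internal From domain")
    if auth.get("dkim", "none") == "none":
        findings.append("dkim=none on a message claiming an internal sender")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc=fail for internal From domain")
    if findings and org_flag:
        findings.append("InternalOrgSender=True despite failed authentication")
    if findings and from_dom in to_doms:
        findings.append("sender domain equals recipient domain (self-addressed lure)")
    return findings


def dmarc_enforces(record):
    """True when a DMARC TXT record asks receivers to quarantine or reject failures."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("v") == "DMARC1" and tags.get("p", "none").strip() in {"quarantine", "reject"}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, classify(raw) or "clean")
    print("p=none enforces:", dmarc_enforces("v=DMARC1; p=none"))
```

A message that carries the internal organisation flag while failing SPF and DMARC is the contradiction to alert on; the DMARC policy check is the matching preventive control, because a domain published with `p=none` tells receivers to deliver exactly the failing messages this campaign relies on.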
Suspected China-Based ESXi Escape Campaign Leveraging VMware Zero-Days
A highly sophisticated intrusion targeting VMware ESXi infrastructure has been linked to a threat operation believed to originate from a Chinese-speaking developer ecosystem. The activity began with initial access via a compromised SonicWall VPN account and expanded through lateral movement using stolen domain admin credentials. From there, the attackers deployed a custom exploit framework designed to escape virtual machines and execute code directly on the ESXi hypervisor — a capability typically reserved for nation-state or well-resourced threat actors.
Analysis confirms the toolkit leverages three ESXi vulnerabilities disclosed in March 2025 and already exploited in the wild: CVE-2025-22226 (memory leak), CVE-2025-22224 (out-of-bounds write enabling VMX code execution), and CVE-2025-22225 (sandbox escape to ESXi kernel). The exploit chain disables VMware VMCI drivers, loads a custom unsigned exploit driver using BYOD techniques, leaks VMX memory via HGFS, corrupts VMX structures to hijack execution, and executes staged shellcode to drop a hypervisor-level backdoor. Final access is maintained via a VSOCK-based control channel invisible to network monitoring tools, providing shell execution and file operations on the ESXi host.
GoBruteforcer Botnet Expands Global Campaign Against Linux Servers
A new wave of GoBruteforcer botnet attacks is aggressively targeting Linux servers worldwide, with recent variants showing major engineering upgrades and an expanding operational footprint. The malware brute-forces weak credentials across exposed services including FTP, MySQL, PostgreSQL, and phpMyAdmin, leveraging modular components such as web shells, downloaders, and obfuscated IRC bots. Recent assessments indicate that a significant volume of internet-facing systems remain exposed, particularly those running default or poorly secured service stacks.
The 2025 variant introduces meaningful improvements that bolster stealth and operational efficiency. The bot’s IRC component has been rewritten in Go and heavily obfuscated, replacing older C-based code, while new process-masking techniques rename running processes and overwrite argument buffers to evade host-based monitoring. The botnet distributes campaign-specific credential packs through command-and-control channels using small but widely reused password lists, many of which map to common defaults or AI-suggested configuration names.
GoBruteforcer operators are combining broad opportunistic scanning with targeted financial campaigns. Investigations uncovered crypto-focused payloads deployed on compromised hosts, including wallet scanners and token harvesting tools tied to active theft. The botnet architecture supports fallback domains, host promotion into relay nodes, and rapid payload updates to maintain resilience.
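The process-masking described above (renaming the running process and overwriting its argument buffer) hides the bot from tools that trust the name a process reports about itself, but it cannot change which binary the kernel is actually executing. The following is an added illustration, not CyberProof's detection content or anything from the GoBruteforcer analysis: it compares the self-reported name (/proc/<pid>/comm and argv[0]) with the /proc/<pid>/exe link target, which is real Linux behaviour; the sample process table, the `Proc` type and the function names are constructed for this example.

```python
"""Spot Linux processes whose self-reported name disagrees with their binary.

Added illustration. Reading /proc/<pid>/{comm,cmdline,exe} is standard
Linux behaviour; the Proc type, function names and SAMPLE table are
constructed for this example.
"""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str   # /proc/<pid>/comm: the name the process reports (attacker-controlled)
    argv0: str  # first entry of /proc/<pid>/cmdline: what ps shows (attacker-controlled)
    exe: str    # /proc/<pid>/exe link target: the binary the kernel is running


def masked(p):
    """Return the reasons a process looks masked; an empty list means it is consistent."""
    if not p.exe:
        return []  # nothing to compare against (e.g. exe link unreadable)
    reasons = []
    if p.exe.endswith(" (deleted)"):
        reasons.append("binary deleted from disk after exec")
    exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
    # The kernel truncates comm to 15 characters, so compare only that prefix.
    if p.comm and p.comm[:15] != exe_base[:15]:
        reasons.append(f"comm {p.comm!r} != exe {exe_base!r}")
    argv_base = os.path.basename(p.argv0.split()[0]) if p.argv0.strip() else ""
    if argv_base and argv_base != exe_base:
        reasons.append(f"argv[0] {p.argv0!r} != exe {exe_base!r}")
    return reasons


def scan(procs):
    """Map pid -> reasons for every process in the table that looks masked."""
    return {p.pid: r for p in procs if (r := masked(p))}


def snapshot():
    """Read the live process table from /proc (Linux only)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
            exe = os.readlink(f"{base}/exe")
        except OSError:
            continue  # kernel threads, already-exited processes, or no permission
        procs.append(Proc(int(pid), comm, argv[0].decode(errors="replace"), exe))
    return procs


# Constructed sample process table: two ordinary daemons, one bot posing as a
# kernel worker (real kernel threads have no readable exe link at all), and one
# bot whose binary was unlinked after launch.
SAMPLE = [
    Proc(412, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd"),
    Proc(913, "kworker/0:1", "[kworker/0:1]", "/tmp/.x/bot"),
    Proc(1200, "bash", "bash", "/usr/bin/bash"),
    Proc(2201, "bot", "./bot", "/tmp/.x/bot (deleted)"),
]


if __name__ == "__main__":
    table = snapshot() if os.path.isdir("/proc") else SAMPLE
    for pid, why in scan(table).items():
        print(pid, "; ".join(why))
```

Expect benign mismatches from interpreters and symlinked binaries (a `python3` process whose exe resolves to `python3.11`, daemons such as sshd that legitimately rewrite argv for their child processes), so the output is a triage list rather than a verdict; a "kernel worker" with a readable exe under /tmp, or a deleted binary, is the kind of hit worth acting on.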