
The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of flaws is as follows:
CVE-2014-3931 (CVSS score: 9.8) – Multi-Router Looking Glass (MRLG) buffer overflow vulnerability that could allow remote attackers to cause arbitrary memory writes and memory corruption
CVE-2016-10033 (CVSS score: 9.8) – PHPMailer command injection vulnerability that could allow an attacker to execute arbitrary code in the context of the application or result in a denial-of-service (DoS) condition
CVE-2019-5418 (CVSS score: 7.5) – Ruby on Rails Action View path traversal vulnerability
CVE-2019-9621 (CVSS score: 7.5) – Zimbra Collaboration Suite server-side request forgery (SSRF) vulnerability that could lead to unauthorized access to internal resources and remote code execution
There are currently no public reports on how the first three vulnerabilities are being exploited in real-world attacks. The abuse of CVE-2019-9621, on the other hand, was attributed by Trend Micro in September 2023 to a China-linked threat actor known as Earth Lusca, which used it to drop web shells and Cobalt Strike.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by July 28, 2025, to secure their networks.
Technical details for Citrix Bleed 2
The development comes as watchTowr Labs and Horizon3.ai have released technical analyses of a critical security flaw in Citrix NetScaler ADC (CVE-2025-5777, aka Citrix Bleed 2).

“We've seen active exploitation of both CVE-2025-5777 and CVE-2025-6543 in the wild,” watchTowr CEO Benjamin Harris told The Hacker News. “The vulnerability allows memory reading. We believe attackers are using it to read sensitive information (for example, information sent within an HTTP request that is being processed in memory), credentials, valid Citrix session tokens, and more.”
The findings show that it is possible to send a login request to the “/p/u/doAuthentication.do” endpoint (and other endpoints) in such a way that it reflects the user-supplied login value in the response, regardless of whether authentication succeeds or fails.
Horizon3.ai noted that the vulnerability can be used to leak about 127 bytes of data per request via specially crafted HTTP requests in which the login parameter is sent as a bare “login”, without an equals sign or a value.
watchTowr explained that the flaw stems from the use of the snprintf function with a format string containing the “%.*s” specifier.
“The %.*s format tells snprintf: ‘print up to n characters or stop at the first null byte (\0), whichever comes first.’ That null byte will eventually appear somewhere in memory, so the leak won't run indefinitely, but you get a small number of bytes with each call,” the company said.
“So every time you hit that endpoint without the =, it pulls more uninitialized stack data into the response. Repeat it enough and you may eventually land on something worthwhile.”
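To make the mechanism described above concrete, here is an added C example (not code from watchTowr, Horizon3.ai or Citrix) that reproduces the pattern in miniature: a login buffer that is only written when the form field carries an “=”, then reflected with “%.*s”. Because a genuinely uninitialized local would behave unpredictably from run to run, the stale stack slot is simulated by a buffer that a constructed helper pre-fills with a fake leftover cookie; the endpoint rendering, the 128-byte buffer size and the field names are all assumptions for illustration. The hardened variant beside it shows the three changes that close the leak: initialize the buffer, refuse to render a malformed parameter, and bound the precision by what was actually copied rather than by the buffer size.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 128   /* assumed size of the per-request login buffer */

/* Constructed stand-in for stale stack memory left behind by an earlier
 * request. In a real server this would be whatever a previous call wrote
 * to the same stack slot; here a fake session cookie is planted so the
 * leak is visible and deterministic. */
void prime_stale_stack(char *buf, size_t n) {
    const char *leftover = "NSC_AAAC=deadbeefcafe; other=junk";
    size_t l = strlen(leftover);
    memset(buf, 'A', n);
    if (l >= n) l = n - 1;
    memcpy(buf, leftover, l);
    buf[l] = '\0';           /* the NUL that eventually stops %.*s */
}

/* Copy the value of the "login" form field into value (NUL-terminated).
 * Returns 1 if "login=..." was found, 0 if "login" appeared with no '='
 * (or not at all); in the latter case value is left untouched. */
static int copy_login_value(const char *body, char *value) {
    const char *p = strstr(body, "login");
    const char *v;
    size_t n;
    if (!p || p[5] != '=') return 0;
    v = p + 6;
    n = strcspn(v, "&");
    if (n > VALUE_MAX - 1) n = VALUE_MAX - 1;
    memcpy(value, v, n);
    value[n] = '\0';
    return 1;
}

/* Vulnerable pattern: the login buffer lives in stale_stack (simulating an
 * uninitialized local), is written only when '=' is present, and is then
 * reflected with "%.*s". With a bare "login" parameter, snprintf copies up
 * to VALUE_MAX-1 bytes of leftover memory, stopping at the first NUL. */
int render_vulnerable(const char *body, char *stale_stack, char *out, size_t out_len) {
    char *value = stale_stack;          /* never initialized by this function */
    copy_login_value(body, value);      /* return value ignored: that is the bug */
    return snprintf(out, out_len, "<InitialValue>%.*s</InitialValue>",
                    VALUE_MAX - 1, value);
}

/* Hardened form: zero-initialized buffer, malformed parameter rejected
 * (returns -1), and the precision bounded by the copied length. */
int render_fixed(const char *body, char *out, size_t out_len) {
    char value[VALUE_MAX] = {0};
    if (!copy_login_value(body, value)) return -1;
    return snprintf(out, out_len, "<InitialValue>%.*s</InitialValue>",
                    (int)strlen(value), value);
}

/* Run the constructed scenario end to end and return the reflected reply
 * for a bare "login" parameter (static buffer, for inspection). */
const char *bare_login_reply(void) {
    static char stale[VALUE_MAX], out[256];
    prime_stale_stack(stale, sizeof stale);
    render_vulnerable("login", stale, out, sizeof out);
    return out;
}

int main(void) {
    char stale[VALUE_MAX], out[256];
    printf("vulnerable, bare login: %s\n", bare_login_reply());  /* leaks the planted cookie */
    prime_stale_stack(stale, sizeof stale);
    render_vulnerable("login=alice&passwd=x", stale, out, sizeof out);
    printf("vulnerable, normal:     %s\n", out);
    printf("fixed, bare login:      %d\n", render_fixed("login", out, sizeof out));
    return 0;
}
```

Each call to the vulnerable renderer with a bare “login” returns whatever sits in the stale slot up to its first NUL, which is exactly why the real-world leak yields a bounded chunk per request and has to be repeated to harvest anything useful.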