Weekly News Digest 17 – 23 February
Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!
Newly uncovered PostgreSQL zero-day connected to BeyondTrust exploitation
Researchers at Rapid7 have found a new zero-day vulnerability in PostgreSQL that they say is linked to a chain of attacks against a BeyondTrust Remote Support product.
The vulnerability (CVE-2025-1094) affects the PostgreSQL interactive terminal psql and allows SQL statements containing untrusted but correctly escaped input to trigger SQL injection. The researchers said they were able to inject a command that executed the id command on the system, confirming the potential for full system compromise.
In December 2024, China-backed threat actors exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. The threat actors successfully compromised machines at the U.S. Treasury Department.
Rapid7 found that in every scenario it examined, the BeyondTrust exploit (CVE-2024-12356) required leveraging the newly uncovered PostgreSQL flaw.
The PostgreSQL team released an urgent patch and warned that versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. The project did not acknowledge the zero-day exploitation.
FortiOS bug allows for super-admin privilege escalation
Fortinet has issued updates to address a high-severity vulnerability in its FortiOS Security Fabric, the company’s integrated cybersecurity platform. Exploiting the vulnerability (CVE-2024-40591 – CVSS score: 8.0) can allow an authenticated administrator with Security Fabric permissions to escalate their privileges to the super-admin level.
The flaw is caused by an incorrect privilege assignment and affects multiple versions of FortiOS, including 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15, and all versions of 6.4.
An attacker who gains control of an upstream FortiGate device can exploit the vulnerability by connecting a targeted FortiGate to the compromised upstream device. They can then leverage the improper privilege assignment to gain super-admin access. With this level of access, the attacker has extensive control over the affected system.
Users are urged to update their FortiOS installations immediately to mitigate this risk. Specific patches have been released for each affected branch: versions 7.6.1, 7.4.5, 7.2.10, and 7.0.16, respectively. Users running version 6.4 are advised to migrate to a patched release.
Palo Alto Networks fixes auth bypass exploit in PAN-OS
Palo Alto Networks has patched a high-severity vulnerability in its PAN-OS software that could result in an authentication bypass.
Exploiting the flaw (CVE-2025-0108 – CVSS score: 7.8) “enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts,” Palo Alto said in an advisory.
Invoking these PHP scripts does not enable remote code execution, explained Palo Alto; however, “it can negatively impact the integrity and confidentiality of PAN-OS.”
The vulnerability relates to a discrepancy in how the interface’s Nginx and Apache components handle incoming requests, resulting in a directory traversal attack.
New whoAMI attack could cause AWS users to load malicious images
Researchers have discovered a name confusion vulnerability in the way that AWS software projects retrieve Amazon Machine Image (AMI) IDs. The problem, which the researchers have called “whoAMI”, affects AWS users searching for and loading AMIs under three circumstances:
- When retrieving AMIs by using the “ec2:DescribeImages” API without specifying an owner.
- When using wildcards to specify AMIs instead of specific AMI IDs in scripts.
- When using infrastructure tools such as Terraform with the “most_recent=true” setting, which then automatically picks the newest AMI matching a specified filter.
To carry out an attack, the attacker simply has to craft a malicious AMI with features such as a backdoor, publish it under a name that is similar to other legitimate images on the public Community AMI catalog, and then wait for somebody to accidentally launch it. Anybody can publish AMIs and make them available on the marketplace so an attacker does not need to compromise another AWS account before they can carry out this attack.
According to the researchers, up to 1% of organizations they monitor are susceptible to this issue but there is no evidence so far that this technique has been used in the wild.
AWS users are advised to review their code, configurations, and scripts to ensure that they are using safe methods for AMI retrieval. They can also implement a new feature called “Allowed AMIs” which allows them to create a list of trusted AMI providers. Terraform 5.77 has also been updated to warn users when the “most_recent = true” setting is used without an owner filter also being specified.
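As an added illustration (not code from the article or the researchers), the Terraform lookup pattern described above, first in the risky form that selects the newest name match from any publisher, then pinned to explicit trusted owners. The AMI name pattern and the account ID are placeholders.

```hcl
# Risky: picks the newest AMI whose name matches the wildcard pattern from
# ANY publisher in the public catalogue. A lookalike image published later
# under a similar name would win the "most recent" comparison.
data "aws_ami" "app_risky" {
  most_recent = true

  filter {
    name   = "name"
    values = ["my-app-base-*"] # placeholder name pattern
  }
}

# Safer: the same lookup restricted to trusted owners. Only images owned by
# your own account ("self") or the listed account are considered, so a
# lookalike from an unknown account is never a candidate.
data "aws_ami" "app_pinned" {
  most_recent = true
  owners      = ["self", "123456789012"] # placeholder trusted account ID

  filter {
    name   = "name"
    values = ["my-app-base-*"] # placeholder name pattern
  }
}

resource "aws_instance" "app" {
  ami           = data.aws_ami.app_pinned.id
  instance_type = "t3.micro"
}
```

Pinning `owners` is the configuration-level equivalent of passing an owner to DescribeImages; the account-wide “Allowed AMIs” allow-list mentioned above adds a second guard that catches lookups the code review misses.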
Russia-linked hackers using device code phishing to hijack accounts – Microsoft
A threat actor with suspected ties to Russia is targeting the 365 accounts of individuals at organizations of interest using device code phishing, according to a Microsoft Threat Intelligence Center report.
Targeted individuals work in the government, NGO, IT services and technology, defense, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East.
Microsoft tracks the threat actors behind the activity as Storm-2372 and, based on interests, victimology, and tradecraft, it believes the activity is associated with a nation-state operation that aligns with Russia’s interests.
As part of these device code phishing attacks, which have been underway since at least August 2024, the threat actors generate device code sign-in requests and trick targeted users into inputting the codes into login pages for productivity apps. Exploiting the device code authentication flow has allowed Storm-2372 to gain access to targeted systems, capture authentication tokens, and use those valid tokens to achieve lateral movement and steal data, according to Microsoft.
Storm-2372 initiates the attack after first establishing a connection with the target by “falsely posing as a prominent person relevant to the target” over popular messaging platforms. Some time afterward, the attackers send a fake online meeting invitation via email or message. “The invitations lure the user into completing a device code authentication request emulating the experience of the messaging service, which provides Storm-2372 initial access to victim accounts and enables Graph API data collection activities, such as email harvesting,” explained Microsoft. This gives the attackers access to the victim’s Microsoft services without needing a password for as long as the stolen tokens remain valid. Microsoft also observed that the attackers have since started using the specific client ID for Microsoft Authentication Broker in the device code sign-in flow, which allows them to generate new tokens.
To counter device code phishing attacks used by Storm-2372, Microsoft advises blocking device code flow where possible and enforcing Conditional Access policies in Microsoft Entra ID to limit its use to trusted devices or networks.
SonicWall firewall bug exploited after PoC released
Threat actors have begun to leverage a SonicWall firewall vulnerability after proof-of-concept (PoC) code for the flaw was published last week.
The vulnerability (CVE-2024-53704) is an authentication bypass caused by an issue in the SSLVPN authentication mechanism of SonicOS. SonicWall addressed the flaw in January with the release of SonicOS versions 7.1.3-7015 and 8.0.0-8037. At the time, the company said it had no evidence of the vulnerability being exploited in attacks.
According to Arctic Wolf researchers, activity targeting CVE-2024-53704 started shortly after Bishop Fox published technical details and a PoC exploit for it on February 10.
The public PoC enables unauthenticated attackers to bypass multi-factor authentication (MFA) protections, access private information, and interrupt VPN sessions. “Historically, threat actors have leveraged authentication bypass vulnerabilities on firewall and VPN gateways to deploy ransomware. In late 2024, Arctic Wolf observed Akira ransomware affiliates targeting SSL VPN user accounts on SonicWall devices as an initial access vector,” warned Arctic Wolf.
“Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN,” SonicWall said in its advisory.
Xerox printer bugs enable lateral movement
Vulnerabilities found in Xerox VersaLink multifunction printers (MFPs) could allow attackers to retrieve authentication credentials via pass-back attacks targeting LDAP and SMB/FTP services, according to Rapid7 researchers.
“This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP’s configuration and cause the MFP device to send authentication credentials back to the malicious actor,” explained the researchers. “If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory. This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems.”
New XCSSET macOS malware variant discovered
Researchers have uncovered a new variant of the XCSSET macOS modular malware that targets users’ sensitive information, including digital wallets and data from the legitimate Notes app.
“Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,” Microsoft’s Threat Intelligence team said in a post shared on X.
First discovered in August 2020, XCSSET is a sophisticated modular macOS malware known to target users by infecting Apple Xcode projects.
The new and enhanced features add to XCSSET’s previously known capabilities, such as targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files.
The latest findings from Microsoft mark the first major revision of the malware since 2022.
Fintech giant Finastra informs customers data was accessed during breach
Financial technology giant Finastra is informing customers that their personal information was stolen in a data breach that began when hackers accessed its systems in October 2024.
In breach notification letters, the company said the security incident was first detected on November 7 after Finastra identified malicious activity on some of its systems.
“Our investigation revealed that an unauthorized third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorized third party obtained certain files from the SFTP,” the company said. However, it added that there was “no indication the unauthorized third party further copied, retained, or shared any of the data” and that it believed “the risk to individuals whose personal data was involved is low.”
Finastra, which provides financial services software applications to more than 8,100 financial institutions across 130 countries, provided little information about the breach, such as what data was accessed, how many victims were impacted, or who was behind it. However, it appears likely this notification may be linked to a since-deleted post made by a threat actor known as “abyss0” on the BreachForums online cybercrime community in November claiming to sell 400 GB of data allegedly stolen from Finastra’s network.
Users warned of new macOS malware touted as browser updates
A malware campaign carried out by a group tracked as TA2727 uses compromised websites to get unsuspecting users to install fake updates. Depending on the location of the visitor and the platform/browser used, the user may be redirected by traffic distribution services (TDS) to various fake websites that ask them to install an update for their browser.
If the user visiting the compromised website is on macOS, they are redirected to a website offering a fake update for the browser they are using, such as Safari or Chrome. Clicking the update button on the fake website downloads a DMG file containing FrigidStealer. When opened, it displays installation instructions telling the user to right-click the file and open it, a step that bypasses macOS Gatekeeper, the protection intended to stop potentially malicious apps from running.
Once installed and executed, FrigidStealer prompts the user for their password to “update files”. It then collects various information, files, credentials, cookies, and anything else of potential value, and exfiltrates it to the command-and-control (C&C) server at askforupdate[.]org.
Windows users are also catered for and will be offered an MSI file, which when installed, runs DOILoader, which in turn decodes and runs the commonly used Lumma Stealer malware.
Android users may be asked to install updates too via an APK file. Installing the update would result in the installation of the older Marcher banking Trojan, which has been in circulation since 2013.
Juniper patches critical auth bypass bug in Session Smart routers
Juniper Networks has issued updates to address a critical vulnerability in its Session Smart Router, Session Smart Conductor, and WAN Assurance Router products.
The vulnerability (CVE-2025-21589) is an authentication bypass that involves an “alternate path or channel vulnerability,” according to Juniper’s advisory. Exploiting the flaw can allow a network-based attacker to take administrative control of a targeted device.
The vulnerability impacts the following products and versions:
- Session Smart Router: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
- Session Smart Conductor: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
- WAN Assurance Managed Routers: From 5.6.7 before 5.6.17, from 6.0.8, from 6.1 before 6.1.12-lts, from 6.2 before 6.2.8-lts, and from 6.3 before 6.3.3-r2
Organizations using the affected products are advised to update as soon as possible. Juniper said it is not aware of malicious exploitation.
New Snake Keylogger variant evades detection with AutoIt-compiled payload
Researchers have discovered a new variant of the Snake Keylogger malware primarily targeting users in Asia and Europe.
Snake Keylogger (aka 404 Keylogger) is a Microsoft .NET-based data stealer. The latest variant discovered by FortiGuard Labs spreads through phishing emails containing malicious attachments or links. The malware targets popular web browsers and steals sensitive information by logging keystrokes, capturing credentials, and monitoring the clipboard. Stolen data is then exfiltrated to a command-and-control (C&C) server via email (SMTP), Telegram bots, and HTTP POST requests.
The malware employs AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. “The use of AutoIt not only complicates static analysis by embedding the payload within the compiled script but also enables dynamic behavior that mimics benign automation tools,” explained FortiGuard Labs’ Kevin Su.
Sources:
1. CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) | Rapid7 Blog; PostgreSQL: CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation; Chinese Hackers Accessed US Treasury Workstations in ‘Major’ Cybersecurity Incident – SecurityWeek
2. PSIRT | FortiGuard Labs
3. CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface; Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108) › Searchlight Cyber
4. whoAMI attacks give hackers code execution on Amazon EC2 instances
5. Storm-2372 conducts device code phishing campaign | Microsoft Security Blog
6. CVE-2024-53704 | Arctic Wolf; SonicWall CVE-2024-53704: SSL VPN Session Hijacking | Bishop Fox Security Advisory
7. Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vuln (Fixed) | Rapid7 Blog
8. Malware That Spreads Via Xcode Projects Now Targeting Apple’s M1-based Macs
9. Fintech giant Finastra notifies victims of October data breach; Fintech giant Finastra investigates data breach after SFTP hack
10. New FrigidStealer Malware Targets macOS Users via Fake Browser Updates
11. 2025-02: Out-of-Cycle Security Bulletin: Session Smart Router, Session Smart Conductor, WAN Assurance Router: API Authentication Bypass Vulnerability (CVE-2025-21589)
12. FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant | FortiGuard Labs Protection Bulletins