Karl.Fail

Tag: critical

  • Critical Vulnerability in Apple Devices: App May Enumerate Installed Apps (CVE-2025-30426)

    Overview of CVE-2025-30426

    A critical vulnerability has been discovered in several Apple devices, including iOS, iPadOS, macOS, tvOS, and visionOS. Tracked as CVE-2025-30426, this issue allows an app to enumerate a user’s installed apps without proper authorization. This vulnerability has been addressed with additional entitlement checks in the latest updates: tvOS 18.4, iPadOS 17.7.6, iOS 18.4, macOS Sequoia 15.4, and visionOS 2.4.

    Details of the Vulnerability

    The issue arises when an app gains access to sensitive information about the apps installed on a device. By exploiting this vulnerability, an attacker can potentially gather a list of all installed apps, which could lead to unauthorized access to personal information and further exploitation of the system.

    This vulnerability has been classified as CWE-200, which refers to the exposure of sensitive information to an unauthorized actor. The flaw impacts a wide range of Apple devices, including iPhones, iPads, Macs, Apple TVs, and Vision Pro devices, running versions prior to the latest security patches.

    CVSS Score and Impact

    The CVSS v3.1 score for CVE-2025-30426 is a critical 9.8. The CVSS vector string for this vulnerability is: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This means:

    • Attack Vector (AV): Network – The vulnerability can be exploited remotely.
    • Attack Complexity (AC): Low – The exploit does not require complex conditions to execute.
    • Privileges Required (PR): None – No special privileges are needed to exploit the vulnerability.
    • User Interaction (UI): None – The vulnerability can be exploited without user interaction.
    • Confidentiality Impact (C): High – Sensitive user data can be accessed.
    • Integrity Impact (I): High – The attacker can alter system data.
    • Availability Impact (A): High – The attacker can cause disruptions to the system.

    Mitigation

    To mitigate the risks associated with CVE-2025-30426, Apple users are strongly advised to update their devices to the latest versions of iOS, iPadOS, tvOS, macOS, and visionOS. These updates address the vulnerability by adding additional entitlement checks to prevent unauthorized apps from enumerating installed apps.

    For more information, you can visit Apple’s official security advisory pages: Apple Security Updates.

    Conclusion

    The CVE-2025-30426 vulnerability underscores the importance of protecting sensitive user information on mobile and desktop devices. Users of Apple devices should ensure they apply the latest security updates to prevent potential exploitation.

  • CVE-2025-4632: Critical Path Traversal Vulnerability in Samsung MagicINFO 9 Server

    Overview

    On May 13, 2025, Samsung disclosed a critical vulnerability identified as CVE-2025-4632 in its MagicINFO 9 Server product. The issue affects all versions prior to 21.1052 and allows unauthenticated remote attackers to write arbitrary files to the server with system-level privileges. This flaw is a classic example of a Path Traversal vulnerability, categorized under CWE-22.

    What is Path Traversal?

    Path Traversal, also known as Directory Traversal, occurs when an application fails to properly restrict file paths, enabling attackers to manipulate variables referencing files. This can result in unauthorized file access or writing, potentially overwriting sensitive or executable files.

    Technical Details

    The vulnerability is caused by improper limitation of a pathname to a restricted directory. In the case of MagicINFO 9 Server, attackers can exploit this flaw via network access without authentication, sending specially crafted requests that include manipulated path values. If successful, they can upload malicious files, such as web shells, effectively gaining control over the system.

    Severity and CVSS Score

    This issue has been rated CRITICAL under the CVSS v3.1 scoring system, with a base score of 9.8. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score indicates that the attack is possible over a network, requires no user interaction or privileges, and results in a full compromise of confidentiality, integrity, and availability.

    Impact

    According to CAPEC-650, this vulnerability may allow attackers to upload a web shell to the server, providing persistent remote access and the ability to execute arbitrary commands. Given that the server processes these actions as system authority, the impact can be total system compromise.

    Mitigation

    Samsung has released an update in version 21.1052 to patch this vulnerability. All users and administrators of MagicINFO 9 Server should:

    • Immediately upgrade to version 21.1052 or later
    • Audit server logs for suspicious file write operations
    • Implement strict network-level protections to limit exposure

    Conclusion

    CVE-2025-4632 underscores the dangers of insufficient file path validation in enterprise systems. Given the critical nature of this bug and its potential for full system takeover, it is imperative for affected users to update immediately and follow best practices in application hardening.

    For more details, consult the official Samsung security bulletin: SVP-MAY-2025.

  • CVE-2025-4318: Critical Eval Injection Vulnerability in AWS Amplify Studio

    Overview

    On May 5, 2025, a critical vulnerability identified as CVE-2025-4318 was disclosed in AWS Amplify Studio, specifically within the aws-amplify/amplify-codegen-ui package. This flaw affects versions prior to 2.20.3 and has been categorized as a severe security risk due to improper input validation in UI component property expressions. It allows the injection and execution of arbitrary JavaScript code during component rendering and build processes.

    Technical Details

    This vulnerability is rooted in CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, also known as Eval Injection. This means the application evaluates user-supplied inputs using functions like eval() without proper validation or sanitization, enabling attackers to execute malicious code.

    In this case, any authenticated user with permissions to create or modify components in Amplify Studio can exploit this flaw by injecting JavaScript into component properties. This code would then execute during UI component generation, leading to potentially full compromise of application data and behavior.

    CVSS Score and Severity

    Using the CVSS 4.0 standard, this vulnerability has been assigned a base score of 9.5, indicating critical severity. The associated vector string is:

    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

    This scoring reflects that the attack is possible over a network, requires low complexity and no user interaction or privileges, and results in high impact across confidentiality, integrity, and availability.

    Potential Impacts

    The identified CAPEC categories related to this vulnerability are:

    • CAPEC-592: Stored XSS – Malicious scripts persist in the system and execute when rendered to users.
    • CAPEC-251: Local Code Inclusion – Executing unauthorized local code on the server or build system.

    These vectors signify the exploit’s ability to compromise both user data and application logic.

    Affected Products

    The vulnerability impacts the amplify-codegen-ui package used by Amazon Amplify Studio, affecting all versions before 2.20.3. Users of earlier versions are strongly advised to upgrade immediately to mitigate risk.

    Mitigation

    Amazon has addressed this vulnerability in version 2.20.3 of the package. Developers and system administrators should:

    • Upgrade to the latest version of amplify-codegen-ui.
    • Audit existing components for unsafe JavaScript injection patterns.
    • Implement stricter access control to prevent unauthorized component modifications.

    Conclusion

    CVE-2025-4318 represents a critical security issue in a widely-used AWS development tool. Due to its severity and the potential for full application compromise, all users of Amplify Studio must prioritize patching and review access policies. This incident also underscores the need for robust input validation practices, particularly in dynamic code execution contexts.

    For more information, refer to the official Amazon security bulletin: AWS-2025-010.

  • CVE-2025-24977: Critical Code Injection Vulnerability in OpenCTI

    Overview

    A critical vulnerability has been disclosed in OpenCTI, tracked as CVE-2025-24977. This flaw allows authenticated users with specific permissions to execute arbitrary code on the underlying infrastructure and access sensitive server-side secrets. The issue affects all versions prior to 6.4.11 and has been assigned a CVSS v3.1 score of 9.1, marking it as critical in severity.

    What is OpenCTI?

    OpenCTI (Open Cyber Threat Intelligence) is a widely adopted open-source platform for managing and sharing cyber threat intelligence. It allows organizations to structure, store, and visualize complex threat information. Because of its deep integration into security ecosystems, vulnerabilities in OpenCTI can have far-reaching consequences.

    Technical Details

    The vulnerability stems from the improper control of code generation within the application (classified as CWE-94: Code Injection). Specifically, a user with the manage customizations capability can:

    • Execute commands on the host infrastructure using the web hook functionality.
    • Gain a root shell inside a container hosting OpenCTI.
    • Access internal secrets and sensitive environment details.

    This behavior is particularly dangerous because it breaks container isolation and could lead to lateral movement across other infrastructure components.

    CVSS Breakdown

    • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability: High

    Affected Versions

    All OpenCTI versions prior to 6.4.11 are affected by this vulnerability.

    Mitigation

    The vulnerability has been patched in OpenCTI version 6.4.11. All users are strongly advised to:

    • Upgrade to version 6.4.11 or later immediately.
    • Audit user roles and permissions, especially the manage customizations capability.
    • Monitor systems for unauthorized command execution or suspicious container activity.

    Conclusion

    CVE-2025-24977 exemplifies the risk of insufficient controls around customization and hook-based functionality in security platforms. Organizations using OpenCTI should treat this vulnerability with urgency due to the high potential impact on infrastructure integrity and data confidentiality.

    For more technical details and updates, refer to the official GitHub advisory.

  • CVE-2025-24032: Authentication Bypass in PAM-PKCS#11 Due to Insecure Default `cert_policy` Setting

    Overview

    On February 10, 2025, a critical vulnerability was published under the identifier CVE-2025-24032, affecting the PAM-PKCS#11 module maintained by OpenSC. This Linux-PAM login module facilitates user authentication via X.509 certificates and is commonly integrated into secure systems that use smartcards or cryptographic tokens. The vulnerability has been rated CRITICAL with a CVSS v4.0 base score of 9.2.

    Technical Details

    The vulnerability stems from the default setting of the cert_policy configuration parameter in pam_pkcs11. If left as none-its default-pam_pkcs11 does not verify that the presented token can perform private key operations such as signing. Instead, it only checks if the certificate exists on a token and whether the user has access to it.

    This creates a severe security gap. An attacker can fabricate a token containing a victim’s public certificate and pair it with a known PIN. If no private key validation is enforced, the system cannot distinguish this fake token from a legitimate one, allowing unauthorized logins.

    Affected Versions

    The issue affects all versions from pam_pkcs11-0.6.0 up to but not including 0.6.13.

    CVSS v4.0 Vector

    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/S:C/C:H/I:H/A:L

    • Attack Vector: Network
    • Attack Complexity: Low
    • Attack Requirements: Present (crafted token needed)
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
    • Confidentiality & Integrity Impact: High
    • Availability Impact: Low

    Mitigation

    Users are strongly advised to upgrade to pam_pkcs11 version 0.6.13 or later. The patched version enforces signature-based validation by default. As an immediate workaround, administrators should set cert_policy = signature; explicitly in the pam_pkcs11.conf file.

    Conclusion

    CVE-2025-24032 exemplifies the risks of insecure defaults in authentication modules. In critical environments using smartcard-based login, overlooking private key validation opens doors for silent impersonation. Updating PAM-PKCS#11 and revisiting configuration settings is imperative to mitigate this threat.

  • CVE-2025-21556: Critical Authorization Flaw in Oracle Agile PLM Framework

    Overview

    Oracle has disclosed a critical vulnerability identified as CVE-2025-21556 in the Oracle Agile PLM Framework, specifically affecting version 9.3.6. This flaw exists in the Agile Integration Services component and carries a CVSS v3.1 base score of 9.9, marking it as a highly severe issue with broad impact potential across integrated systems.

    Technical Details

    The vulnerability is classified under CWE-863: Incorrect Authorization. It allows a low-privileged attacker with network access via HTTP to exploit insufficient authorization checks. Due to a scope change, this issue may affect not only Agile PLM itself but also other integrated systems, amplifying the risk.

    The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which indicates:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed (other systems may be affected)
    • Confidentiality, Integrity, and Availability Impact: High

    Impact

    Successful exploitation can result in full compromise of the Oracle Agile PLM Framework, including:

    • Unauthorized access to sensitive enterprise supply chain data
    • Manipulation of critical PLM records and workflows
    • Disruption or takeover of related systems due to the scope change

    These impacts are particularly severe in organizations that heavily rely on Agile PLM for product lifecycle and supply chain management.

    Affected Systems

    • Oracle Agile PLM Framework version 9.3.6

    Mitigation

    Oracle has released a patch as part of the January 2025 Critical Patch Update. Organizations should:

    • Apply the security patch immediately
    • Audit access controls and integration boundaries
    • Monitor for signs of privilege misuse or lateral movement

    Conclusion

    CVE-2025-21556 serves as a high-impact example of how incorrect authorization mechanisms can be leveraged for system takeover. Given its ease of exploitation and critical nature, immediate remediation is advised for all affected environments running Oracle Agile PLM Framework 9.3.6.

  • CVE-2025-21547: Critical Remote Exploit in Oracle Hospitality OPERA 5

    Overview

    On January 21, 2025, Oracle disclosed a critical vulnerability identified as CVE-2025-21547 in the Oracle Hospitality OPERA 5 system, a widely used platform in the hospitality industry for property management. The vulnerability affects versions 5.6.19.20, 5.6.25.8, 5.6.26.6, and 5.6.27.1. It is remotely exploitable by unauthenticated attackers over HTTP and carries a CVSS v3.1 base score of 9.1, rated as Critical.

    Technical Details

    This vulnerability resides in the Opera Servlet component and is classified under CWE-400: Uncontrolled Resource Consumption. An unauthenticated attacker can send specially crafted HTTP requests that either grant unauthorized access to sensitive data or trigger a complete Denial-of-Service (DoS) by overloading system resources.

    The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, which translates to:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

    Impact

    Successful exploitation can lead to:

    • Unauthorized access to critical and sensitive hospitality data
    • Total denial of service (DoS), crashing the OPERA 5 application
    • Operational disruption of hotel management systems and guest services

    Given the central role OPERA 5 plays in reservation, billing, and room management, the impact on affected organizations could be severe.

    Affected Versions

    • Oracle Hospitality OPERA 5 version 5.6.19.20
    • Oracle Hospitality OPERA 5 version 5.6.25.8
    • Oracle Hospitality OPERA 5 version 5.6.26.6
    • Oracle Hospitality OPERA 5 version 5.6.27.1

    Mitigation

    Oracle addressed this vulnerability in its January 2025 Critical Patch Update. Organizations should:

    • Apply the latest patches immediately
    • Restrict external HTTP access to OPERA instances
    • Monitor for signs of resource exhaustion or unusual HTTP activity

    Conclusion

    CVE-2025-21547 highlights the ongoing risks of web-facing enterprise software, especially in sectors like hospitality where uptime and data integrity are mission-critical. Prompt patching and hardening of network access controls are essential to prevent potential data breaches and service outages.

  • CVE-2025-21535: Critical Unauthenticated Remote Exploit in Oracle WebLogic Server

    Overview

    Oracle has disclosed a critical vulnerability tracked as CVE-2025-21535 in its Oracle WebLogic Server product, part of Oracle Fusion Middleware. The vulnerability affects versions 12.2.1.4.0 and 14.1.1.0.0 and allows unauthenticated attackers with network access to take full control of the server via the T3 or IIOP protocol.

    Technical Details

    This vulnerability is found in the Core component of WebLogic Server. It has been classified under CWE-306: Missing Authentication for Critical Function, indicating a failure to enforce proper authentication checks on sensitive functions. The result is a flaw that is easily exploitable by a remote attacker with no prior access.

    The CVSS v3.1 base score is 9.8 (Critical) and the vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating:

    • Remote exploitability over the network
    • Low complexity
    • No privileges required
    • No user interaction needed
    • High impact on confidentiality, integrity, and availability

    Impact

    If successfully exploited, the vulnerability can result in:

    • Complete system compromise
    • Data breach and unauthorized modification
    • Denial of service or full disruption of applications relying on WebLogic

    The vulnerability enables threat actors to execute arbitrary code or commands, making it suitable for automated exploitation and malware deployment in enterprise environments.

    Affected Versions

    • Oracle WebLogic Server 12.2.1.4.0
    • Oracle WebLogic Server 14.1.1.0.0

    Organizations running these versions should consider themselves at high risk if mitigation is not applied promptly.

    Mitigation

    Oracle addressed the issue in its January 2025 Critical Patch Update (CPU). Organizations are urged to:

    • Apply the relevant security patches immediately
    • Restrict T3 and IIOP access at the network level
    • Monitor logs for signs of unauthorized access or unusual traffic

    According to CISA’s SSVC framework, the issue has total technical impact and is automatable, highlighting the urgency of applying mitigation measures.

    Conclusion

    CVE-2025-21535 presents a critical threat to organizations running Oracle WebLogic Server. Its unauthenticated, remote nature and high impact across all core security domains make it a priority vulnerability. Timely patching and strong network controls are essential to minimize risk.

  • CVE-2025-21524: Critical Unauthenticated Remote Takeover in JD Edwards EnterpriseOne Tools

    Overview

    On January 21, 2025, Oracle published details on CVE-2025-21524, a critical vulnerability in its JD Edwards EnterpriseOne Tools product. The flaw impacts all versions prior to 9.2.9.0 and allows unauthenticated attackers with network access via HTTP to fully compromise the system. With a CVSS v3.1 base score of 9.8, this vulnerability demands immediate attention from all enterprises relying on this platform.

    Technical Details

    This vulnerability lies in the Monitoring and Diagnostics SEC component and is classified as CWE-306: Missing Authentication for Critical Function. In essence, the flaw enables an attacker to invoke critical application functions without authentication. Because the vulnerable interface is exposed over HTTP and requires no prior access, it is considered easily exploitable.

    The CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H highlights the high impact:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High on Confidentiality, Integrity, and Availability

    Affected Versions

    All versions of JD Edwards EnterpriseOne Tools prior to 9.2.9.0 are affected. Oracle recommends upgrading to version 9.2.9.0 or later as part of its January 2025 Critical Patch Update (CPU).

    Impact

    Successful exploitation of CVE-2025-21524 could result in:

    • Complete takeover of the JD Edwards environment
    • Unauthorized data access and modification
    • Disruption of business-critical ERP workflows

    Due to the critical nature and low exploitation complexity, this vulnerability poses a serious risk to enterprise resource planning (ERP) infrastructure.

    Mitigation

    Organizations should take the following steps:

    • Immediately apply the Oracle patch to upgrade JD Edwards EnterpriseOne Tools to 9.2.9.0 or later
    • Restrict HTTP access to JD Edwards instances until patched
    • Monitor for suspicious activity or unauthorized access attempts

    Conclusion

    CVE-2025-21524 is a clear example of the dangers posed by missing authentication checks in enterprise software. With the potential for full remote system takeover, affected organizations must act promptly to patch their systems and harden their network exposure.

    For official guidance, visit the Oracle January 2025 Security Advisory.

  • CVE-2025-21415: Critical Privilege Escalation in Azure AI Face Service

    Overview

    Microsoft has disclosed a critical vulnerability identified as CVE-2025-21415 in the Azure AI Face Service. This flaw allows for an elevation of privilege through an authentication bypass via spoofing. With a CVSS v3.1 base score of 9.9, the vulnerability poses a significant threat to cloud-based identity and access controls.

    What is Azure AI Face Service?

    Azure AI Face Service is part of Microsoft’s Cognitive Services platform, enabling facial recognition features such as identity verification, emotion detection, and face grouping. It is widely used in security, access control, and user engagement systems that rely on biometric authentication.

    Technical Details

    The vulnerability is categorized under CWE-290: Authentication Bypass by Spoofing. This means that an attacker can potentially forge or manipulate identity credentials to gain unauthorized access. In this case, a low-privileged authenticated user can elevate their access rights without direct interaction or additional validation steps.

    The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H highlights key aspects of the risk:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Impact: High on confidentiality, integrity, and availability

    Affected Systems

    The vulnerability affects the Azure AI Face Service as a whole. Microsoft has not specified particular version numbers, as the service is hosted and maintained within the Azure cloud infrastructure. The issue is exclusive to the cloud-hosted environment and cannot be mitigated by on-premises patching.

    Mitigation and Recommendations

    Microsoft has addressed the issue via backend updates. There is no manual patch required by customers. However, organizations should:

    • Review access logs for suspicious activity
    • Audit user roles and privileges
    • Ensure applications using Face API enforce additional identity verification layers

    According to CISA’s SSVC assessment, the vulnerability has total technical impact, although it is currently not known to be exploited and not automatable.

    Conclusion

    CVE-2025-21415 emphasizes the importance of secure authentication design, especially in services that manage biometric data. Cloud customers leveraging the Azure AI Face Service should ensure identity access policies are reviewed and monitored frequently. For more details, visit the Microsoft Security Advisory.