CISA Adds Erlang/OTP SSH and Roundcube Vulnerabilities to Known Exploited Vulnerabilities Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): Missing authentication for a critical function in the Erlang/OTP SSH server. Because of a flaw in how the server handles SSH protocol messages before authentication completes, an attacker with network access to the listener can execute arbitrary code without valid credentials, i.e. unauthenticated remote code execution. (Patched in April 2025 in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in Roundcube Webmail caused by a desanitization flaw in program/actions/mail/show.php. A remote attacker who gets a crafted email in front of a victim can run script in the victim's webmail session and thereby compromise the account. (Fixed in August 2024 in versions 1.6…)

CISA Updates KEV Catalog with Critical Vulnerabilities in Erlang SSH and Roundcube

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. One affects the SSH server shipped with Erlang/Open Telecom Platform (OTP); the other affects the Roundcube Webmail client.

The first vulnerability, CVE-2025-32433, carries the maximum Common Vulnerability Scoring System (CVSS) score of 10.0. It is a missing-authentication-for-critical-function flaw (CWE-306) in the Erlang/OTP SSH server: protocol messages that should only be honoured after a successful login are processed before authentication completes, so an attacker who can reach the SSH port can execute arbitrary code on the host without any credentials. The issue was fixed in April 2025 in OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20; earlier releases on each of those lines remain exposed.
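The fastest way to triage CVE-2025-32433 across a fleet is to compare each host's full OTP version against the first fixed release on its major line. The following script is an added example written for this page, not code from the Erlang/OTP project or from the original article. The fixed versions come from the advisory above; the inventory is constructed sample data, and the assumption that majors newer than 27 (released after the April 2025 fix) are not affected, and that lines older than 25 have no listed fix, is labelled in the code.

```python
"""Triage hosts for CVE-2025-32433 by OTP version (added example, not project code).

On a host, the full version string lives in the OTP_VERSION file under the
release directory. erlang:system_info(otp_release) returns only the major
("27"), so combine the two, e.g.:

  ROOT=$(erl -noshell -eval 'io:format("~s",[code:root_dir()]), halt().')
  REL=$(erl -noshell -eval 'io:format("~s",[erlang:system_info(otp_release)]), halt().')
  cat "$ROOT/releases/$REL/OTP_VERSION"
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release per major line, as named in the advisory.
FIXED_OTP: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-26.2.5.10", "OTP_26.2.5.10" or a bare "26.2.5.10".
_VERSION_RE = re.compile(r"^(?:OTP[-_ ])?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Parse an OTP version string into a tuple of ints for ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_to_cve_2025_32433(version: str) -> Optional[bool]:
    """Return True if the version predates the fix on its major line,
    False if it is at or above the fix, and None when the advisory lists
    no fixed release for that major (out-of-support lines)."""
    parsed = parse_otp_version(version)
    major = parsed[0]
    if major > max(FIXED_OTP):
        # Assumption: majors cut after the April 2025 fix ship with it.
        return False
    fixed = FIXED_OTP.get(major)
    if fixed is None:
        return None
    # Tuple comparison handles a missing trailing component as "older",
    # e.g. (26, 2, 5) < (26, 2, 5, 11).
    return parsed < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host name -> vulnerability verdict for a version inventory."""
    return {host: is_vulnerable_to_cve_2025_32433(ver)
            for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "rabbit-01": "OTP-26.2.5.10",
    "rabbit-02": "26.2.5.11",
    "cdn-edge": "OTP-27.3.3",
    "legacy-pbx": "OTP-24.3.4.17",
    "ci-runner": "28.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        label = {True: "VULNERABLE", False: "fixed", None: "no fix listed"}[verdict]
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:16s} {label}")
```

A version match is necessary but not sufficient: the flaw is only reachable when the `ssh` application's daemon is actually started and its port is exposed, and vendors that embed Erlang/OTP may backport the fix without bumping the OTP version, so confirm against the vendor's own advisory before closing a finding.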

The second entry, CVE-2024-42009, carries a CVSS score of 9.3 and affects Roundcube Webmail. It is a cross-site scripting (XSS) vulnerability rooted in a desanitization flaw in program/actions/mail/show.php: HTML that has already passed the sanitizer is altered again before rendering, reintroducing content the sanitizer was supposed to strip. An attacker only needs the victim to view a crafted email in the web client; the injected script then runs in the victim's session and can read the mailbox and send email from the account. The flaw was fixed in August 2024 with updates to the 1.6 release line.

The exposed population is large. Erlang/OTP underpins telecommunications, messaging and queueing infrastructure, and its SSH server is often embedded in products whose operators do not realise they are running Erlang at all, so the vulnerable listener can be present on appliances and middleware as well as on servers administered directly. Roundcube is a common self-hosted and provider-hosted webmail front end across finance, telecommunications and service providers. In both cases a successful attack compromises organisational data, not just an individual account.

The two flaws map to different MITRE ATT&CK paths. The Erlang/OTP bug is a classic Exploit Public-Facing Application (T1190) case: initial access comes from the network with no user involvement. The Roundcube bug is delivered by email (Phishing, T1566) and triggered by the client rendering the message (Exploitation for Client Execution, T1203); because the script runs inside the victim's authenticated session, the attacker gains collection and exfiltration of mail without needing the password. What adversaries did after initial access in the observed campaigns is not described in the CISA entries, so any persistence or privilege-escalation steps should be treated as possibilities to hunt for rather than as confirmed tradecraft.

Organisations should patch immediately: Erlang/OTP hosts to at least OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 on their respective lines, and Roundcube installations to the patched 1.6 release. Where an Erlang/OTP upgrade cannot be applied at once, disabling the built-in SSH daemon if it is not needed, or restricting network access to its port, removes the unauthenticated attack surface. Because both entries are in the KEV catalog on the strength of observed exploitation, patching should be paired with a review of SSH listener logs and webmail access logs for activity predating the fix, and a check of vendor products that embed Erlang/OTP for their own advisories.
