TRENDING TOPICS MAY 21, 2025

PowerDNS Fixes Critical Flaw in DNSdist Load Balancer with May 2025 Update 

PowerDNS has released a critical update for its DNSdist load balancer to address CVE-2025-30193, a vulnerability that allows remote, unauthenticated attackers to launch denial-of-service (DoS) attacks. The issue affects all versions prior to 1.9.10, which was released on May 20, 2025, and stems from how DNSdist handles certain TCP connection states. By crafting specific TCP requests, attackers can overwhelm the service and cause disruptions across DNS infrastructure without needing access credentials. The vulnerability was initially flagged in PowerDNS's public IRC channel, where further investigation confirmed its potential impact. Security researchers warn that organizations using DNSdist, particularly those relying on it as a front-end DNS load balancer, should patch immediately to avoid the risk of service outages. DNS-based DoS attacks are typically associated with UDP, making this TCP-based method a more targeted and less detectable vector. For environments that are unable to update immediately, PowerDNS has provided a temporary mitigation: adjusting the setMaxTCPQueriesPerConnection directive. Setting this to 50 has been shown to prevent exploitation without affecting legitimate traffic. However, this is only a stopgap; PowerDNS and security experts stress that updating to version 1.9.10 is the only reliable fix. In addition to the DoS vulnerability, the latest release includes other essential security enhancements, including fixes for memory handling issues, improved cache behavior, and tighter control over TCP socket connections. Updated packages are already available across PowerDNS's distribution channels, and users are encouraged to verify and deploy them as soon as possible. Given the simplicity of the attack method and the public nature of its disclosure, the risk of exploitation is high if left unaddressed.

Update: SideWinder APT Exploits Legacy Office Flaws in Targeted Attacks Across South Asia  

Acronis Threat Research Unit has uncovered a stealthy campaign conducted by the SideWinder APT group, targeting military and government entities in Sri Lanka, Bangladesh, and Pakistan through early 2025. The attackers exploit two long-known Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882, to deliver credential-stealing malware, taking advantage of poor patching practices in critical infrastructure. Victims are lured through emails crafted to impersonate government or military organizations, often embedding malicious Word or RTF files that trigger code execution when opened. Once exploited, the malware checks the victim's IP address and browser headers to ensure it's a legitimate target; if not, a harmless file is served instead. This geofenced targeting makes analysis difficult and helps the attackers remain undetected in non-targeted regions. The infection process involves obfuscated shellcode loaders and customized payloads for each victim, using memory injection to avoid writing to disk and reduce forensic visibility. The final stage of the attack uses a credential-harvesting DLL, "StealerBot," which is injected through common Windows processes and collects extensive system and user information before exfiltrating it to constantly rotating command-and-control servers. Persistence is maintained using shortcut files placed in the Windows Startup folder, ensuring the malware runs again after a reboot. SideWinder's infrastructure mimics official domains to increase the credibility of phishing lures and avoid early detection. Lures observed in this campaign include fake military invitations and government briefings, tailored to specific divisions and institutions in South Asia. Organizations are advised to patch legacy Office vulnerabilities immediately and restrict the execution of scripting tools such as mshta.exe and wscript.exe. Disabling Office macros, improving phishing awareness, and using behavior-based detection tools are key to stopping these threats. The campaign highlights how APT actors continue to succeed by combining outdated exploits with modern, evasive delivery techniques.

Palo Alto Networks Fixes XSS Flaw in GlobalProtect Portal, Urges Timely Patching 

Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, CVE-2025-0133, affecting the GlobalProtect gateway and portal features in PAN-OS firewalls. The issue, discovered by cybersecurity firm XBOW and disclosed in May 2025, allows remote attackers to inject malicious JavaScript into authenticated users’ browsers via crafted links. While exploitation requires the user to be logged into the portal, the impact is significant for environments using Clientless VPN, which exposes session cookies and sensitive data that can be hijacked for credential theft or session impersonation. The vulnerability stems from improper input handling in the Captive Portal interface and does not permit changes to firewall configurations or service disruption. The risk level varies: CVSS 5.1 for standard setups, and 6.9 (Medium) for configurations with Clientless VPN enabled due to the elevated data exposure. Affected PAN-OS versions include 11.2.x (prior to 11.2.7), 11.1.x (prior to 11.1.11), and 10.2.x (prior to 10.2.17). Systems running PAN-OS 10.1.x will not receive patches, as it reaches end-of-life in August 2025. Palo Alto recommends upgrading as patches become available over the coming months. In the meantime, administrators can disable Clientless VPN if not actively used and enable Threat IDs 510003 and 510004 to detect and block exploitation attempts. Prisma Access and Cloud NGFW customers are unaffected due to automatic protections. Although no in-the-wild attacks have been reported, the availability of a public proof-of-concept raises the likelihood of future exploitation, especially in sectors slow to patch. Organizations should review portal access logs, educate users on link-based phishing, and prioritize updating vulnerable systems to avoid exposure to browser-based attacks.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.