TRENDING TOPICS MAR 13, 2025

Critical Authentication Bypass and DoS Vulnerabilities Discovered in ruby-saml 

Two high-severity flaws, CVE-2025-25291 and CVE-2025-25292, have been found in ruby-saml, a Ruby library widely used to implement Security Assertion Markup Language (SAML) authentication and single sign-on. Both stem from the library using two different XML parsers, REXML and Nokogiri, on the same document: the two parsers can disagree about which element a signature's reference points at, and that parser differential lets an attacker mount a Signature Wrapping attack in which a legitimately signed element is kept to satisfy the signature check while a different, attacker-controlled assertion is the one the application acts on. The precondition is modest: an attacker who holds any single valid SAML document signed by the identity provider (for example a response issued to their own low-privileged account) can craft an assertion that bypasses authentication and logs them in as any user of an affected service provider, which makes account takeover and privilege escalation the practical outcome. The bypass affects ruby-saml versions below 1.12.4 and versions from 1.13.0 up to but not including 1.18.0; both flaws carry a CVSS score of 8.8.

A third issue in the same releases, CVE-2025-25293 (CVSS 7.7), allows remote denial of service when ruby-saml decompresses a SAML message: a crafted, highly compressible payload is small on the wire but inflates to a size that exhausts the memory of the process, so an unauthenticated request can slow down or crash the authentication service. All three vulnerabilities were found and reported by GitHub Security Lab in November 2024 and are fixed in ruby-saml 1.12.4 and 1.18.0. Because the bypass needs no credentials beyond a signed document an ordinary user can obtain, users are strongly urged to update ruby-saml installations (and any applications that bundle it) immediately.
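The following is an added illustration of the decompression-bomb problem behind CVE-2025-25293 and of the bounded decoding that defeats it; it is example code written for this page, not ruby-saml's own implementation, and the byte budget, the sample response and the function names are assumptions for the example. A SAML message sent over the HTTP-Redirect binding is raw-DEFLATEd and then Base64-encoded, so a decoder that inflates the whole parameter in one call lets the sender decide how much memory the server allocates; inflating a slice at a time and checking the running output size caps that at a bounded overshoot.

```ruby
require "zlib"

# Added example, not ruby-saml code: bounded decoding of a SAMLRequest /
# SAMLResponse parameter as carried by the HTTP-Redirect binding
# (raw DEFLATE, then Base64). A decompression bomb is a few KB on the wire
# but inflates to many MB; the naive one-shot Zlib::Inflate.inflate(data)
# allocates all of it, which is exactly the denial-of-service condition.

class SamlInflateLimitExceeded < StandardError; end

# Assumed budget for this example; size it above the largest legitimate
# message your IdP produces (responses are normally a few KB).
MAX_DECODED_BYTES = 256 * 1024

# Constructed sample; a real response also carries an Issuer, an Assertion
# and an XML signature.
SAMPLE_RESPONSE = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' \
                  'ID="_constructed_example" Version="2.0"><samlp:Status><samlp:StatusCode ' \
                  'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>'

# Encode the way the redirect binding does: raw DEFLATE (negative window
# bits = no zlib header), then strict Base64 (pack "m0" = no line breaks).
def encode_redirect_param(xml)
  deflater = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  compressed = deflater.deflate(xml, Zlib::FINISH)
  deflater.close
  [compressed].pack("m0")
end

# The vulnerable pattern: inflate everything in one call, whatever its size.
def decode_redirect_param_unbounded(param)
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(param.unpack1("m0"))
end

# The hardened pattern: feed the inflater one slice at a time and abort as
# soon as the accumulated output passes the budget. DEFLATE cannot expand
# more than roughly 1032:1, so a 512-byte slice adds at most about 0.5 MB
# before the check trips; the overshoot is bounded by the slice size, not
# by the attacker.
def decode_redirect_param_bounded(param, limit: MAX_DECODED_BYTES, slice: 512)
  compressed = param.unpack1("m0")
  inflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = String.new   # binary buffer
  offset = 0
  while offset < compressed.bytesize
    out << inflater.inflate(compressed.byteslice(offset, slice))
    offset += slice
    if out.bytesize > limit
      inflater.close
      raise SamlInflateLimitExceeded, "decoded SAML message exceeds #{limit} bytes"
    end
  end
  out << inflater.finish
  inflater.close
  out.force_encoding(Encoding::UTF_8)   # SAML XML is UTF-8
end

# True if the bounded decoder rejects the parameter as oversized.
def rejects_as_bomb?(param)
  decode_redirect_param_bounded(param)
  false
rescue SamlInflateLimitExceeded
  true
end

if $PROGRAM_NAME == __FILE__
  legit = encode_redirect_param(SAMPLE_RESPONSE)
  bomb  = encode_redirect_param("A" * 4_000_000)   # constructed bomb, a few KB encoded
  puts "legit: #{legit.bytesize} bytes on the wire, round-trips: #{decode_redirect_param_bounded(legit) == SAMPLE_RESPONSE}"
  puts "bomb:  #{bomb.bytesize} bytes on the wire, unbounded decode yields #{decode_redirect_param_unbounded(bomb).bytesize} bytes"
  puts "bomb rejected by bounded decoder: #{rejects_as_bomb?(bomb)}"
end
```

The same slice-and-check shape applies to any inflate or unzip step that runs before authentication has succeeded; the point is to make the memory cost a function of a server-side constant rather than of the request body.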


China-Linked UNC3886 Exploits Juniper MX Routers with Custom Backdoors 

The China-nexus cyber espionage group UNC3886 has been found targeting end-of-life Juniper MX routers and deploying custom backdoors to keep long-term access while staying below the threshold of detection. Mandiant identified six TinyShell-based backdoors, named appid, to, irad, lmpad, jdosd, and oemd, that between them provide file transfer, remote command execution, packet sniffing for activation traffic, manipulation of logging, and passive access over UDP and TCP listeners. Junos OS' Verified Exec (veriexec) is meant to stop unsigned binaries from running; the group worked around it by injecting the malicious payloads into the memory of a legitimate, already trusted process rather than executing a new binary from disk. Because the implants run in memory and can suppress and later restore system logs, they leave little on disk or in the audit trail for defenders to find. The campaign underscores a broader trend among espionage groups of compromising edge networking devices, which typically lack endpoint detection and so offer high-level access without triggering traditional security alerts. Investigation of the mid-2024 activity found that the attackers gained initial access with legitimate credentials, then disabled logging, executed their payloads, and restored logging to avoid suspicion. The Juniper vulnerability CVE-2025-21590 (CVSS 6.7), which allows an attacker who already holds high privileges on the device to inject arbitrary code, contributed to the veriexec bypass. Juniper Networks launched Project RedPenguin in July 2024 to investigate the infections and has released security updates that address the flaw in multiple Junos OS versions. Mandiant advised organizations to upgrade affected Juniper devices (especially those still running end-of-life hardware or software), apply the latest mitigations, and run the Juniper Malware Removal Tool (JMRT) to detect and remove any implants.


Update: Medusa Ransomware Targets Over 300 Critical Infrastructure Organizations in the U.S. 

The Medusa ransomware operation had impacted over 300 organizations across critical infrastructure sectors in the United States as of February 2025, according to a joint advisory issued by CISA, the FBI, and MS-ISAC. Affected industries include medical, education, legal, insurance, technology, and manufacturing. The advisory urges organizations to take immediate defensive measures, including patching known exploited vulnerabilities, segmenting networks to limit lateral movement, and filtering network traffic to block access from untrusted sources. Medusa first appeared in January 2021, but its activity surged in 2023 with the launch of the Medusa Blog leak site, where stolen data is published to pressure victims into paying. The group has claimed over 400 victims worldwide, drawing attention in March 2023 for leaking Minneapolis Public Schools' data and again in November 2023 for exposing files from Toyota Financial Services after the company refused to pay an $8 million ransom. Originally a closed ransomware variant, Medusa has since moved to a Ransomware-as-a-Service model in which affiliates carry out the intrusions while the core developers handle operations such as ransom negotiations. The group recruits Initial Access Brokers on cybercriminal forums, offering payments of between $100 and $1 million for exclusive partnerships. The name Medusa has caused some confusion, since it is also used by unrelated cybercrime operations, including a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation known as TangleBot; Medusa ransomware is likewise distinct from the MedusaLocker ransomware operation. The advisory follows a similar alert issued last month by CISA and the FBI warning that victims in over 70 countries had been breached by Ghost ransomware, further highlighting the ongoing and widespread ransomware threat to critical industries.

We will provide more insights into the Medusa ransomware group in a future report, so stay tuned to our blog portal for further updates and in-depth analysis.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.