=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-09-2025 18:00 - Wednesday 24-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
=       News        =
=====================
∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗
---------------------------------------------
One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products.
---------------------------------------------
https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can-...

∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗
---------------------------------------------
The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cre...

∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-famil...

∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗
---------------------------------------------
Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-an...
∗∗∗ Scam website with a fake investment project in the style of orf.at ∗∗∗
---------------------------------------------
Plus a fake video of Federal President Van der Bellen. The perpetrators want to harvest personal data and pocket 250 euros.
---------------------------------------------
https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inve...
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionag...

∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗
---------------------------------------------
On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual.
---------------------------------------------
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10...
∗∗∗ Mobile network servers with 100,000 SIM cards seized in New York ∗∗∗
---------------------------------------------
Around the UN headquarters in New York, 300 SIM card servers and 100,000 SIM cards were discovered. Their purpose is unclear.
---------------------------------------------
https://heise.de/-10668021

∗∗∗ Cyberattack on airports: Continued problems at BER and one arrest ∗∗∗
---------------------------------------------
Even days after the cyberattack, disruptions at BER airport continue. Meanwhile, a suspect has been arrested in the United Kingdom.
---------------------------------------------
https://heise.de/-10669658
∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗
---------------------------------------------
During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers.
---------------------------------------------
https://verialabs.com/blog/from-mcp-to-shell/

=====================
=  Vulnerabilities  =
=====================
∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps read text messages ∗∗∗
---------------------------------------------
A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-pho...

∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but noted that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644
---------------------------------------------
https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).
---------------------------------------------
https://lwn.net/Articles/1039311/

∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗
---------------------------------------------
https://docs.libraesva.com/knowledgebase/security-advisory-command-injection...

∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-907/

∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.ht...

∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-deskt...

∗∗∗ AutomationDirect CLICK PLUS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01

∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02

∗∗∗ Viessmann Vitogate 300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04