Vulnerabilities for DELL, WordPress, Ivanti & Four-Faith, phishing campaign impersonating CrowdStrike...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Dell Update Package Framework Vulnerability Let Attackers Escalate Privileges
A critical security vulnerability has been identified in Dell’s Update Package (DUP) Framework, potentially exposing systems to privilege escalation and denial-of-service attacks.
The vulnerability, tracked as CVE-2025-22395, affects DUP Framework versions before 22.01.02 and has been assigned a CVSS score of 8.2, categorizing it as “high severity.”
The flaw allows a local attacker with low privileges to exploit the framework, enabling the execution of arbitrary remote scripts on the server.
This could result in unauthorized system access, disruption of services, and potential compromise of sensitive data.
The vulnerability stems from improper handling of permissions during update processes, making it possible for attackers to escalate their privileges.
Dell has acknowledged the issue but has not disclosed specific technical details regarding the exploitation process.
However, security experts emphasize that this vulnerability could have significant implications for organizations relying on Dell’s update mechanisms for BIOS, firmware, and driver updates.
Dell has released an updated version of the DUP Framework (22.01.02) that addresses the issue. Users are strongly advised to update to this version or later to mitigate risks associated with CVE-2025-22395.
For systems still running affected versions, Dell recommends avoiding the use of the “Extract” option in Microsoft Windows environments. Instead, users should utilize the command prompt for extracting update packages.
To determine the file version of a DUP, users can right-click on the package file in File Explorer, navigate to “Properties,” and check the “Details” tab.
Cyber Attacks
Gravy Analytics Hacked – Attackers Allegedly Claiming 17TB Data Stolen
Hackers have claimed to have breached Gravy Analytics, a prominent location intelligence company, and its subsidiary Venntel.
The attackers allege they have exfiltrated 17 terabytes of data, including sensitive customer information, industry insights, and smartphone location data that could reveal individuals’ precise movements.
This breach has sparked alarm over the potential misuse of such data and its implications for privacy. The hackers announced their claim on the XSS cybercrime forum, sharing samples of the stolen data totalling 1.4GB.
The leaked samples reportedly include historical smartphone location data with precise latitude and longitude coordinates, timestamps, and other sensitive details.
Screenshots posted by the attackers also suggest they gained root access to Gravy Analytics’ servers and control over its domains and Amazon S3 buckets, which are often used for large-scale data storage.
The hackers warned Gravy Analytics that they would begin publishing the stolen data if the company did not respond within 24 hours.
As of January 8, 2025, Gravy Analytics’ website remains offline, adding to speculation about the company’s response to the breach.
Fake CrowdStrike job offer emails target devs with crypto miners
CrowdStrike is warning that a phishing campaign is impersonating the cybersecurity company in fake job offer emails to trick targets into infecting themselves with a Monero cryptocurrency miner (XMRig).
The company discovered the malicious campaign on January 7, 2025, and based on the phishing email’s content, it likely didn’t start much earlier.
The attack starts with a phishing email sent to job seekers, supposedly from a CrowdStrike employment agent, thanking them for applying for a developer position at the company.
The email directs targets to download a supposed “employee CRM application” from a website designed to appear like a legitimate CrowdStrike portal.
This is supposedly part of the company’s effort to “streamline their onboarding process by rolling out a new applicant CRM app.”
In Other News...
Hackers Actively Exploited Ivanti VPN 0-Day Vulnerability (CVE-2025-0282): Technical Analysis
Ivanti publicly disclosed two critical vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting its Connect Secure (ICS) VPN appliances.
The announcement comes amidst alarming reports of active zero-day exploitation of CVE-2025-0282, identified by cybersecurity firm Mandiant as having begun in mid-December 2024.
The exploitation has raised concerns about potential network breaches and downstream compromises for affected organizations.
CVE-2025-0282, the more severe of the two issues, is described as an unauthenticated stack-based buffer overflow vulnerability.
Its exploitation can enable attackers to achieve remote code execution without needing authentication, providing them with a foothold to deploy malware or conduct further attacks within a compromised network.
CVE-2025-0283 has not yet been detailed to the same extent but is also considered critical. Mandiant’s ongoing investigations suggest that CVE-2025-0282 is being exploited in targeted campaigns against multiple organizations.
Attackers have demonstrated sophisticated techniques to probe ICS appliance versions before launching attacks, tailoring the exploitation to the specific software version found.
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.
The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.
Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed “gayfemboy” in reference to the offensive term present in the source code.
QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024.
The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), which refers to an operating system (OS) command injection bug affecting router models F3x24 and F3x36 by taking advantage of unchanged default credentials.
Once launched, the malware attempts to hide malicious processes and implements a Mirai-based command format to scan for vulnerable devices, update itself, and launch DDoS attacks against targets of interest.
Unpatched critical flaws impact Fancy Product Designer WordPress plugin
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version.
With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colours, transforming text, or modifying the size.
While examining the plugin, Patchstack’s Rafie Muhammad discovered on March 17, 2024, that the plugin was vulnerable to the following two critical flaws:
CVE-2024-51919 (CVSS score: 9.0): Unauthenticated arbitrary file upload vulnerability caused by an insecure implementation of the file upload functions ‘save_remote_file’ and ‘fpd_admin_copy_file,’ which do not properly validate or restrict file types. Attackers can exploit this by supplying a remote URL to upload malicious files, achieving remote code execution (RCE).
CVE-2024-51818 (CVSS score: 9.3): Unauthenticated SQL injection flaw caused by the improper sanitization of user inputs, which relies on the insufficient ‘strip_tags’ function. User-supplied input is directly integrated into database queries without proper validation, potentially leading to database compromise, data retrieval, modification, and deletion.
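As an added illustration of the two root causes listed above (this is not code from the Fancy Product Designer plugin), the stand-alone PHP script below shows why ‘strip_tags’ is not a defence against SQL injection and what a bound parameter does instead, and adds an extension allow-list of the kind a remote-file upload needs. It uses PDO with an in-memory SQLite database so it runs without WordPress; the table, its rows, the input values and the function names are all constructed for the example. In a real plugin the equivalent of the bound parameter is $wpdb->prepare(), and file-type checking should go through wp_check_filetype_and_ext().

```php
<?php
// Added example, not the plugin's code. Demonstrates the two weaknesses
// described above using an in-memory SQLite database so it runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data.
$db->exec('CREATE TABLE designs (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$db->exec("INSERT INTO designs (owner, title) VALUES ('alice', 'Mug A'), ('bob', 'Shirt B')");

// Weak pattern (hypothetical function name): run strip_tags() on the input,
// then interpolate it into the SQL string. strip_tags() only removes <html>
// tags; single quotes and SQL keywords pass through untouched.
function lookup_weak(PDO $db, string $owner): array
{
    $clean = strip_tags($owner);
    $sql   = "SELECT title FROM designs WHERE owner = '$clean'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern (hypothetical function name): the value is sent as a bound
// parameter, so the database never parses it as part of the SQL statement.
function lookup_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT title FROM designs WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Allow-list check for an uploaded or remotely fetched file name (hypothetical
// helper). The last extension must be an image type; this is necessary but not
// sufficient, because a double extension such as "x.php.png" still ends in
// "png". The saved file must therefore also be content-sniffed and stored under
// a server-generated name in a directory where scripts are never executed.
function is_allowed_upload_name(string $filename): bool
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed input containing a quote but no HTML, so strip_tags() leaves it
// unchanged and the weak query's WHERE clause no longer restricts the rows.
$input = "x' OR '1'='1";

print_r(lookup_weak($db, $input)); // both titles: the "sanitisation" did nothing
print_r(lookup_safe($db, $input)); // empty array: no owner has that literal name

var_dump(is_allowed_upload_name('design.PNG'));   // true
var_dump(is_allowed_upload_name('design.php'));   // false
var_dump(is_allowed_upload_name('design.php.png')); // true: extension check alone is not enough
```

The point to take from the first two calls is that the filter choice is irrelevant once user input is concatenated into the query; the fix is parameterisation, not a better filter. The third check shows why the file-upload fix likewise cannot stop at the file name.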