Weekly Security News – 31st March 2025

Vulnerabilities for Chrome, CrushFTP and Next.js, websites compromised, updates causing Remote Desktop issues...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

CrushFTP HTTPS Port Vulnerability Leads to Unauthorised Access

Two critical vulnerabilities have been identified in widely used software: CrushFTP and Next.js. CrushFTP, a file transfer solution, contains a vulnerability allowing unauthorised access through standard web ports, bypassing security measures. 

Additionally, Next.js, a popular React framework, suffers from CVE-2025-29927, which enables attackers to circumvent authorisation checks in middleware. 

Both vulnerabilities pose significant risks, potentially exposing sensitive data and compromising application security.

On March 21, 2025, CrushFTP developers disclosed this security flaw to customers via email, confirming that both version 10 and version 11 installations are vulnerable if specific configurations are in place.

Mozilla Releases Urgent Patch for Windows Users Following Recently Exploited Chrome Zero-day

Mozilla has released an emergency security update for its Firefox browser on Windows systems to address a critical vulnerability that could allow attackers to escape browser sandboxes and potentially gain control of affected systems. 

The patch comes shortly after Google patched a similar zero-day vulnerability in Chrome that was being actively exploited in the wild.

According to the Mozilla Foundation Security advisory, the flaw involves an “incorrect handle” in Firefox’s IPC (Inter-Process Communication) code that could lead to sandbox escapes on Windows systems. 

Mozilla researcher Andrew McCreight is credited with discovering the vulnerability after Firefox developers identified a pattern similar to the recently exploited Chrome vulnerability.

“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code,” the advisory states. 

“A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape”.

The vulnerability specifically affects Firefox running on Windows operating systems. Linux, macOS, and other operating systems are not vulnerable to this particular exploit.

Cyber Attacks

New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organisations

The Chinese threat actor known as FamousSparrow has been linked to a cyber-attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad.

The activity, observed in July 2024, marks the first time the hacking crew has deployed ShadowPad, a malware widely shared by Chinese state-sponsored actors.

“FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular,” ESET said in a report shared with The Hacker News. “Both versions constitute considerable progress over previous ones and implement parallelization of commands.”

FamousSparrow was first documented by the Slovak cybersecurity company in September 2021 in connection with a series of cyber-attacks aimed at hotels, governments, engineering companies, and law firms with SparrowDoor, an implant exclusively used by the group.

150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date.

“The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor’s browser,” c/side security analyst Himanshu Anand said in a new analysis.

As of writing, there are over 135,800 sites containing the JavaScript payload, per statistics from PublicWWW.

As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript that’s designed to hijack the user’s browser window to redirect site visitors to pages promoting gambling platforms.

The redirections have been found to occur via JavaScript hosted on five different domains (e.g., “zuizhongyj[.]com”) that, in turn, serve the main payload responsible for performing the redirects.

c/side said it also observed another variant of the campaign that entails injecting scripts and iframe elements in HTML impersonating legitimate betting websites such as Bet365 by making use of official logos and branding.

The end goal is to serve a fullscreen overlay using CSS that causes the malicious gambling landing page to be displayed when visiting one of the infected sites in place of the actual web content.

“This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation,” Anand said. “Client-side attacks like these are on the rise, with more and more findings every day.”
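As an added example (not code from the c/side report or this article), the following Python scanner checks a page's HTML for the three patterns described above: script or iframe sources pointing at a known indicator domain or any third-party host, inline CSS that pins an element over the whole viewport, and inline JavaScript that creates an iframe at runtime. The only indicator it knows is the one domain the article names; the first-party host name and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The only domain the report names (defanged on the page); extend from your own telemetry.
KNOWN_BAD_DOMAINS = {"zuizhongyj.com"}
# Inline CSS that pins an element over the whole viewport, as the overlay does.
FULLSCREEN_CSS = re.compile(
    r"position\s*:\s*fixed.*?(width\s*:\s*100(%|vw)|height\s*:\s*100(%|vh))", re.I | re.S)
# Inline JS that builds the iframe at runtime rather than in static markup.
DYNAMIC_IFRAME = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)


class InjectScanner(HTMLParser):
    """Collect (kind, tag, evidence) for script/iframe sources and overlay styles."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()  # exact host match; refine for subdomains
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src, style = a.get("src") or "", a.get("style") or ""
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe") and src:
            host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
            if host in KNOWN_BAD_DOMAINS:
                self.findings.append(("known-bad-domain", tag, src))
            elif host and host != self.first_party:
                self.findings.append(("third-party-" + tag, tag, src))
        if FULLSCREEN_CSS.search(style):
            self.findings.append(("fullscreen-overlay", tag, style))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and DYNAMIC_IFRAME.search(data):
            self.findings.append(("dynamic-iframe", "script", data.strip()[:60]))


def scan_html(html, first_party_host):
    """Return findings for one page; an empty list means nothing matched."""
    p = InjectScanner(first_party_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page, not real site content: one injected script, one overlay.
SAMPLE = """<html><head><script src="/static/app.js"></script>
<script src="//zuizhongyj.com/inject.js"></script></head><body>
<div style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999">
<iframe src="https://landing.example.net/"></iframe></div>
<script>var f=document.createElement('iframe');document.body.appendChild(f);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, evidence in scan_html(SAMPLE, "example.com"):
        print(f"{kind:20} <{tag}> {evidence}")
```

Run it over a crawl of your own site's rendered pages; a hit on the known domain or an unexpected full-screen element is worth a manual look, while third-party hits need an allow-list of your legitimate CDNs to be useful.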

In Other News...

Windows 11 KB5053656 update released with 38 changes and fixes

Microsoft has released the KB5053656 preview cumulative update for Windows 11 24H2 with 38 changes, including real-time translation on AMD and Intel-powered Copilot+ PCs and fixes for authentication and blue-screen issues.

The KB5053656 update is part of the company’s “optional non-security preview updates” schedule, which pushes updates at the end of each month to let Windows admins test bug fixes, improvements, and features that will roll out during next month’s Patch Tuesday release.

However, unlike regular Patch Tuesday cumulative updates, monthly non-security preview updates do not include security updates.


On Copilot+ PCs with AMD and Intel CPUs, KB5053656 adds live captions and real-time translation with support for translating more than 44 languages into English.

This preview update also fixes an issue that can trigger a PDC_WATCHDOG_TIMEOUT bug check (blue screen) when resuming from sleep and several bugs causing Kerberos and FIDO Cached Credential authentication to stop responding in some scenarios.

You can install it by opening Settings, clicking on Windows Update, and then on ‘Check for Updates.’ Because this is an optional update, you will be asked if you want to install it by clicking the ‘Download and install’ link.

You can also manually download and install the KB5053656 preview update from the Microsoft Update Catalog.

WhatsApp's Meta AI is now rolling out in Europe, and it can't be turned off

You can’t escape Meta AI in WhatsApp even if you are based in one of the 41 European countries, with the feature now rolling out to more devices.

On March 19, WhatsApp owner Meta announced that a variety of AI upgrades would be coming to users in Europe after the company paused the rollout last year.

Since then, more users have started seeing the button to open Meta AI in WhatsApp.


One user from the United Kingdom told me that they saw the Meta AI chatbot automatically added to WhatsApp on iOS today.

Similarly, users on X and Reddit have reported that Meta AI is now appearing on WhatsApp in European countries like France, Germany, and others.

In addition to the “AI” button above the “New Chat” button, you’ll find shortcuts to Meta AI prompts when you try to search for a specific chat, group chat, or contact.

The chatbot built into WhatsApp is not as powerful as Meta AI’s web app, but it can answer your questions, reply with a large chunk of text, share links from Bing, and even create images.

You can also use Meta AI in WhatsApp to create stickers. However, it’s not possible to transcribe audio or summarize group chats.

As for privacy, Meta insists that your personal chats will not be used to train the AI models, but your conversation with Meta AI could be used to train future versions.

Unfortunately, it’s not possible to turn off Meta AI in WhatsApp.

Microsoft: Recent Windows updates cause Remote Desktop issues

Microsoft says that some customers might experience Remote Desktop and RDS connection issues after installing recent Windows updates released since January 2025.

“After installing the January 2025 Windows preview update (KB5050094) and later updates, users might experience unexpected disconnections with Remote Desktop Protocol (RDP) sessions, including Remote Desktop Services (RDS),” the company said in a new entry on the Windows release health dashboard.

“We’ve observed a significant increase in reports of this issue following the release of the March 2025 Windows security update (KB5053598).”


Affected users may experience unexpected RDP disconnections after 65 seconds when establishing UDP connections from Windows 11 24H2 PCs to RDS hosts on systems running Windows Server 2016 or earlier.

While Windows Server 2025 systems are not directly affected as RDS hosts, users may still experience disconnects when acting as RDP clients connecting to older servers.