Latest Squid caching proxy vulnerabilities #

Squid has disclosed a heap-based buffer overflow vulnerability in certain versions of the Squid caching proxy due to incorrect buffer management when processing a Uniform Resource Name (URN). This vulnerability allows a remote server to perform a buffer overflow attack by delivering specially crafted URN Trivial-HTTP responses. Successful exploitation may lead to remote code execution (RCE) or the disclosure of up to 4KB of data from Squid’s allocated heap memory. This leaked memory may contain security credentials or other confidential data. This vulnerability has been designated CVE-2025-54574 and has been rated critical with a CVSS score of 9.3.

The following versions are affected

• Squid 2.x versions up to and including 2.7.STABLE9
• Squid 3.x versions up to and including 3.5.28
• Squid 4.x versions up to and including 4.17
• Squid 5.x versions up to and including 5.9
• Squid 6.x versions up to and including 6.3

What is the impact? #

Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Squid 6.x upgrade to version 6.4 or later
• For all other stable releases upgrade to the latest patch version available in the patch archives

If you are using a prepackaged version of Squid, refer to your package vendor for information on the availability of updated packages.

Workaround: Mitigate the vulnerability by disabling URN access permissions through adding the following configuration changes:

acl URN proto URN
http_access deny URN

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:"Squid Cache" and product:"Squid" and version:<6.4

Latest Tridium Niagara vulnerabilities #

Tridium (a Honeywell company) has disclosed ten vulnerabilities in certain versions of Niagara Framework and Niagara Enterprise Security.

• The use of a password hash with insufficient computational effort leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3937 and has been rated high with a CVSS score of 7.7.
• Incorrect permission assignment for critical system resources may allow an adversary to manipulate sensitive files, potentially leading to unauthorized data alteration, system instability, or privilege escalation. This vulnerability has been designated CVE-2025-3944 and has been rated high with a CVSS score of 7.2.
• Argument delimiters are not properly neutralized potentially allowing an adversary to inject argument and control the executed command. This vulnerability has been designated CVE-2025-3945 and has been rated high with a CVSS score of 7.2.
• A critical cryptographic step was omitted or incorrectly performed undermining the security strength and leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3938 and has been rated medium with a CVSS score of 6.8.
• Incorrect permission assignment for a critical resource may be exploited allowing an adversary to bypass intended access control security levels, potentially leading to unauthorized access, modification, or deletion of a security-critical resource. This vulnerability has been designated CVE-2025-3936 and has been rated medium with a CVSS score of 6.5.
• Improper handling of the Windows ::DATA Alternate Data Stream (ADS) may allow an adversary to manipulate input data, potentially leading to unexpected application behavior. This vulnerability has been designated CVE-2025-3941 and has been rated medium with a CVSS score of 5.4.
• Through observable discrepancies in system responses when processing cryptographic operations or sensitive data, this vulnerability leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3939 and has been rated medium with a CVSS score of 5.3.
• Incorrect or insufficient use of an input validation framework allows an adversary to manipulate input data, circumventing intended security checks and potentially leading to other issues. This vulnerability has been designated CVE-2025-3940 and has been rated medium with a CVSS score of 5.3.
• Improper neutralization of untrusted input when writing data to log files may allow an adversary to inject malicious data into log entries. This vulnerability has been designated CVE-2025-3942 and has been rated medium with a CVSS score of 4.3.
• The anti-CSRF refresh token appears within HTTP GET request query strings allowing an adversary to potentially capture the sensitive parameter and perform parameter injection attacks. This vulnerability has been designated CVE-2025-3943 and has been rated medium with a CVSS score of 4.1.

The following versions are affected

• Niagara Framework and Niagara Enterprise Security versions 0 through 4.10.10 (4.10u10)
• Niagara Framework and Niagara Enterprise Security versions 0 through 4.14.1 (4.14u1)
• Niagara Framework and Niagara Enterprise Security versions 0 through 4.15

What is the impact? #

A proposed exploit chain involving two of these vulnerabilities (CVE-2025-3943, CVE-2025-3944) carries a prerequisite that the Niagara system has been misconfigured, disabling encryption on a Niagara device. This misconfiguration should produce a warning on the security dashboard, which would need to remain unaddressed by system administrators. Successful exploitation of these vulnerabilities, under specific conditions, could enable an adjacent adversary to compromise both the Station and Platform environments, and achieve arbitrary code execution on the device.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Niagara Framework and Niagara Enterprise Security to version 4.10.11 (4.10u11) and later releases
• Niagara Framework and Niagara Enterprise Security to version 4.14.2 (4.14u2) and later releases
• Niagara Framework and Niagara Enterprise Security to version 4.15.1 (4.15u1) and later releases

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate potentially vulnerable assets:

os:Tridium hw:Niagara

In Episode 20 of runZero Hour, we sat down with ProjectDiscovery co-founders Rishi Sharma and Sandeep Singh for a wide-ranging conversation on how open source is driving the next wave of security tooling and what it means for practitioners in the field. Our CEO HD Moore also dropped by to share some exciting updates on runZero’s recent collaboration on the Nuclei project.

Here’s a recap of what we covered:

How Nuclei became the standard for vulnerability detection #

What started as a tool to automate repetitive bug bounty tasks is now a best-in-class vulnerability scanner with over 10,000 detection templates and over 100,000 users. ProjectDiscovery’s open source model and approach to community collaboration have helped scale Nuclei into a critical tool for security professionals and researchers alike.

The growing ecosystem around ProjectDiscovery #

Beyond Nuclei, ProjectDiscovery has released 20+ tools (including Subfinder, DNSX, and HTTPX) that chain together for reconnaissance, service discovery, web crawling, and vulnerability scanning. Each tool can work independently or plug into broader workflows using command-line pipes, creating a powerful, modular toolkit for modern offensive and defensive security teams. These tools aren’t just open source, they are provided under one of the most permissive licenses available (the MIT License), simplifying integrations and collaboration with commercial tools and services.

runZero’s engineering collaboration with ProjectDiscovery #

HD Moore shared how runZero is contributing back by working with the ProjectDiscovery team to support in-process concurrency and eliminate race conditions. These updates make it possible to run thousands of Nuclei engines with different configurations in the same process, enabling new approaches to embedding and integration.

ProjectDiscovery’s roadmap for Nuclei #

From headless, browser-based testing and auto-generated templates to more robust authenticated scanning and better fuzzing support, ProjectDiscovery is doubling down on usability and coverage. They’re also experimenting with AI-driven template generation, with a focus on maintaining quality and control. Check out their public roadmap for upcoming features.

A tale of two scanning models #

Nuclei supports automatic targeting using the “autoscan” (-as) flag. This feature uses technology detection templates to then select specific follow-on checks for individual systems and services. 

runZero takes a different approach; we handle the service discovery, fingerprinting, and targeting logic within the runZero scanner, and then run thousands of individual Nuclei engines that are each tuned for a single service for precise vulnerability scanning.  

Both models work great and whether you want to run a single Nuclei engine or thousands of concurrent engines, the code base now supports both!

Shared commitment to open source and community standards #

Everyone agreed: if you’re using open source in your product, you should give back. That’s why runZero is contributing patches, detection templates, test coverage, and new features into the ProjectDiscovery ecosystem. We’re excited to be part of the open source community and are working on two big updates; porting SSHamble to Nuclei and integrating our excrypto package to simplify TLS communication across the ecosystem.

Bonus: A printer bug and the return of CVEs #

The team wrapped up with a fun (and very real) story: Stephen Fewer (of Rapid7) reported eight new vulnerabilities in printers made by Brother. One of these issues included the ability for an attacker to obtain detailed device information, including the printer serial number, through an unauthenticated web page. This is important because Rapid7 also discovered that the default password is derived from this serial number and the process can be reversed. Even worse, Brother isn’t able to address this in a firmware update, and the fix will only be available in devices built using a new manufacturing process. The funny part is that runZero has been detecting and reporting Brother printer serial numbers for years, using the eSCL protocol, and we didn’t consider it a vulnerability until the recent vulnerability disclosure. As a result, we’re now tracking the eSCL serial number leak as a follow-on issue with JPCERT/CC, building off Rapid7’s recent investigation.

Watch the Episode #

Check out the whole episode below, and never miss another one – subscribe to the series!

Latest Cisco Identity Services Engine (ISE) & Cisco ISE Passive Identity Connector (ISE-PIC) vulnerabilities #

Three vulnerabilities have been disclosed in certain versions of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote adversary to issue execute commands on the underlying operating system as the root user. There is evidence that this vulnerability is being actively exploited in the wild.

• Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20281 and has been rated critical with a CVSS score of 9.8.
• Cisco ISE and Cisco ISE-PIC are at risk of an improper privilege management vulnerability in an internal API due to a lack of file validation checks to prevent uploaded files from being stored in privileged directories on an affected system. This could allow an unauthenticated, remote adversary to upload arbitrary files to an affected device and then execute those files on the underlying operating system as the root user. Successful exploitation could allow the adversary to store malicious files on an affected system and then execute arbitrary code or obtain root privileges on an affected device. This vulnerability has been designated CVE-2025-20282 and has been rated critical with a CVSS score of 10.0
• Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20337 and has been rated critical with a CVSS score of 10.0.

The following versions are affected

• Cisco ISE or ISE-PIC release 3.3 prior to version 3.3 Patch 7
• Cisco ISE or ISE-PIC release 3.4 prior to version 3.4 Patch 2

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Are any updates or workarounds available? #

Cisco has released updates in the form of patches for releases 3.3 and 3.4. Users should update to the latest version of the affected software.

• Cisco ISE or ISE-PIC release 3.3 to version 3.3 Patch 7 and later releases
• Cisco ISE or ISE-PIC release 3.4 to version 3.4 Patch 2 and later releases

Since the initial (version 1.0) advisory publication, Cisco released an improved fix for release 3.3 and recommends upgrading as follows:

• Release 3.3 Patch 6 should be up upgraded to Release 3.3 Patch 7
• Hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be up upgraded to Release 3.3 Patch 7 or Release 3.4 Patch 2

How do I find Cisco ISE installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted installations:

vendor:="Cisco" AND product:="Identity Services Engine"

June 2024: CVE-2025-20286 #

A vulnerability has been disclosed in certain cloud-deployed versions of Cisco Identity Services Engine (ISE) in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability exists due to improper credential generation in cloud platform deployments resulting in shared credentials across deployments based on release and cloud platform.

It is important to note that Cisco ISE is affected by this vulnerability when the Primary Administration node is deployed in the cloud. An on-premises Primary Administration node is not affected.

The following platforms and versions are affected

• AWS Cisco ISE 3.1, 3.2, 3.3 and 3.4
• Azure Cisco ISE 3.2, 3.3 and 3.4
• OCI Cisco ISE 3.2, 3.3 and 3.4 

This vulnerability has been designated CVE-2025-20286 and has a CVSS score of 9.9 (critical).

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Latest Microsoft SharePoint Server vulnerabilities #

Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:

• SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
• SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.

The following versions are affected

• Microsoft SharePoint Enterprise Server 2016 versions currently unknown
• Microsoft SharePoint Server 2019 versions currently unknown
• Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available? #

As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.

• Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
• Rotate SharePoint Server ASP.NET machine keys.

• Upgrade affected systems to the new versions when a patch is available.

How do I find Microsoft SharePoint Server installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:="Microsoft" AND product:="SharePoint Server%"

German Cybersecurity Specialist Appointed as Primary Distributor for runZero to Drive Expansion in the DACH-Region

London, United Kingdom – July 24, 2025 – runZero, a leader in exposure management, today announced a strategic partnership with Aqaio, a German value-added distributor specializing in advanced IT security solutions. As runZero’s primary channel partner in Germany, Aqaio will spearhead regional growth efforts by delivering runZero’s expanded exposure management platform to organizations navigating today’s increasingly complex cyber threat landscape.

This alliance represents a significant milestone in runZero’s wider EMEA growth strategy. Leveraging Aqaio’s deep market expertise and established channel network, runZero can now accelerate its European expansion while offering localized support tailored to the specific needs of German organizations.

Partnership highlights include:

• Localized Expertise: Aqaio brings in-depth knowledge of the German cybersecurity market, enabling specialized customer engagement and faster time-to-value.
• Expanded Channel Reach: A top-tier network of resellers and systems integrators gain access to runZero’s powerful exposure management platform, enabling them to offer comprehensive proactive cyber defense to their end customers.
• Streamlined Distribution and Support: Aqaio will facilitate seamless implementation via dedicated consulting, logistics, and certified training services for partners and end users.

“This partnership with runZero is a strategic win for our channel ecosystem,” said Richard Hellmeier, CEO at Aqaio. “They are no longer selling just another product — they’re delivering a vital capability. runZero’s technology is fast to deploy, easy to integrate, and solves a foundational security challenge. It aligns perfectly with our mission to deliver holistic and forward-looking solutions to the market.”

“In today’s rapidly shifting threat landscape, partnerships like this are essential to delivering resilient, scalable cybersecurity,” said Joe Taborek, Chief Revenue Officer at runZero. “Aqaio’s proven expertise and reach across the German market empower us to extend access to the runZero Platform and strengthen cyber readiness from the ground up. Together, we’re helping build a safer, smarter digital future.”

About Aqaio

Aqaio partners with resellers, system integrators, and OEMs. We focus on new technological developments, which we supplement and expand with complementary solutions from market and technology leaders in the IT security field. We also provide 2nd level support and training for our partners and their end-customers. The product portfolio consists of high-end IT products that complement each other and can be combined to create integrated solutions. Additionally, Aqaio offers services such as consulting, marketing support, logistics, training, and technical support. For more information, visit: https://aqaio.com/

Latest VMware ESXi vulnerabilities #

Broadcom has disclosed four vulnerabilities in certain versions of VMware ESXi, Workstation, Fusion, and Tools that, when combined, allow an adversary who already has privileged access (administrator or root) in a VM’s guest OS or has compromised a VM’s guest OS or services and gained privileged access to escape into the hypervisor and execute arbitrary code on the vulnerable system.

• VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability due to an out-of-bounds write in the VMXNET3 virtual network adapter. An adversary with local administrative privileges on a virtual machine with the VMXNET3 virtual network adapter may exploit the vulnerability and execute arbitrary code on the host. Non-VMXNET3 virtual adapters are not affected by the vulnerability. This vulnerability has been designated CVE-2025-41236 and has been rated critical with a CVSS score of 9.3.
• VMware ESXi, Workstation, and Fusion contain an integer-underflow vulnerability due to an out-of-bounds write in the VMCI (Virtual Machine Communication Interface). An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine. This vulnerability has been designated CVE-2025-41237 and has been rated critical with a CVSS score of 9.3.
• VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine. This vulnerability has been designated CVE-2025-41238 and has been rated critical with a CVSS score of 9.3.
• VMware ESXi, Workstation, Fusion, and VMware Tools contain an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and leak memory from processes communicating with vSockets. This vulnerability has been designated CVE-2025-41239 and has been rated high with a CVSS score of 7.1.

The following versions are affected

• VMware ESXi versions 7.0 prior to 7.0.3 build-24784741
• VMware ESXi versions 8.0 prior to 8.0.2 build-24789317
• VMware ESXi versions 8.0 prior to 8.0.3 build-24784735
• VMware Workstation version 17.x prior to 17.6.4
• VMware Fusion version 13.x prior to 13.6.4
• VMware Tools on Windows version 11.x.x or 12.x.x prior to 12.5.3
• VMware Tools on Windows version 13.x.x prior to 13.0.1.0

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary with privileged access in a VM’s guest OS to escape into the hypervisor and execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.

Are updates or workarounds available? #

VMware has released updates for supported versions of the impact products to address these vulnerabilities. All users are urged to update as quickly as possible.

How to find VMware installations with runZero #

From the Asset Inventory, use the following query to locate assets running vulnerable versions of VMware ESXi:

os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))

Vulnerable versions of Workstation and Fusion can be found in the Software inventory using the following query:

vendor:vmware AND ((product:Workstation AND version:<17.6.4) OR (product:Fusion AND version:<13.6.4))

All versions of Workstation and Fusion can be found in the Software inventory using the following query:

vendor:vmware AND (product:Workstation OR product:Fusion)

March 2025: (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) #

On March 4th, 2025, Broadcom disclosed several vulnerabilities in all versions of its VMware ESXi, Workstation, and Fusion products. They also indicated that these are known to be exploited in the wild. Public information indicates that these vulnerabilities are potentially being leveraged by ransomware groups.

• CVE-2025-22224 is rated critical with a CVSSv3 base score of 9.3. Successful exploitation of this vulnerability would allow a local administrative user in a guest virtual machine to execute arbitrary code as the guest virtual machine’s VMX process on a vulnerable host system. Impacts VMware ESXi and Workstation.
• CVE-2025-22225 is rated important with a CVSSv3 base score of 8.2. Successful exploitation of this vulnerability would allow a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox. Impacts VMware ESXi.
• CVE-2025-22226 is rated important with a CVSSv3 base score of 7.1. Successful exploitation of this vulnerability would allow a local administrative user in a guest virtual machine to leak memory from the VMX process on a vulnerable host system. Impacts VMware ESXi, Workstation, and Fusion.

What is the impact? #

Upon successful exploitation of these vulnerabilities, an attacker with administrative rights in a guest virtual machine would be able to perform a VM Escape and execute code on the hypervisor host.

Are updates or workarounds available? #

VMware has released updates for supported versions of the impact products to address these vulnerabilities. All users are urged to update as quickly as possible. Users of unsupported version should review the download portals for their product to see if Broadcom has made patches available. They have reportedly done so for VMware ESXi 6.5 and 6.7. That said, Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.

How to find VMware installations with runZero #

From the Asset Inventory, use the following query to locate assets running vulnerable versions of VMware ESXi:

os:"vmware esxi" AND (os_version:<6 OR (os_version:>6 AND os_version:<"6.7.0 build-24514018")   OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))

Additionally, using the runZero VMware integration, use the following Asset Inventory query to locate virtual machines running inside VMware, which could be potential sources of exploitation:

source:vmware

Vulnerable versions of Workstation and Fusion can be found in the Software inventory using the following query:

vendor:vmware AND ((product:Workstation AND version:<17.6.3) OR (product:Fusion AND version:<13.6.3))

All versions of Workstation and Fusion can be found in the Software inventory using the following query:

vendor:vmware AND (product:Workstation OR product:Fusion)

Multiple CVEs (June 2024) #

Broadcom has disclosed a vulnerability in their ESXi product that involves a domain group that could contain members that are granted full administrative access to the ESXi hypervisor host by default without proper validation.

CVE-2024-37085 is rated medium with CVSS score of 6.8 and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.

What is the impact? #

A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD. The three ways this can be exploited are:

1. Creating the AD group ‘ESX Admins’ to the domain and adding a user to it (known to be exploited in the wild)

2. Renaming another AD group in the domain to ‘ESX Admins’ and adding a new or existing user to it

3. Refreshing the privileges in the ESXi hypervisor when the ‘ESX Admin’ group is unassigned as the management group.

Are updates or workarounds available? #

How to find potentially vulnerable systems runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:ESXi

Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:

source:vmware

Multiple CVEs (March 2024) #

On March 5th, 2024, VMware disclosed several vulnerabilities in its ESXi, Workstation, and Fusion products.

The vulnerabilities, reported as CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, and CVE-2024-22255 allow code running inside virtual machines to access the host system in unauthorized ways.

The CVSS scores range from 7.1 (high) to 9.3 (critical); the vulnerabilities affecting ESXi are limited to high severity, but the vendor has indicated that taken together the vulnerabilities should be considered critical.

What is the impact? #

Upon successful exploitation of these vulnerabilities, an attacker who can execute code inside a virtual machine can access the host system and perform actions ranging from arbitrary code execution to sensitive information disclosure.

Are updates or workarounds available? #

VMware has released new versions of these products to address these vulnerabilities. All users are urged to update as quickly as possible.

How to find VMware installations with runZero #

From the Asset Inventory, use the following query to locate assets running potentially vulnerable versions of VMware ESXi or running VMware products:

os:ESXi

Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:

source:vmware

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

CVE-2021-21974 (February 2023) #

In February 2023, popular hypervisor ESXi made the news due to fresh targeting by a new strain of ransomware. Known as ESXiArgs, this ransomware leveraged a 2-year old heap overflow issue in the OpenSLP service that can be used to execute remote code on exploitable targets (CVE-2021-21974). Many vulnerable public-facing ESXi servers had already been affected by this malware (at the time over 1,900 via Censys search results).

What was the impact? #

Targets of this new ransomware campaign were older ESXi servers running certain versions of 6.5, 6.7, or 7 releases and also had the OpenSLP service enabled (it has not been enabled by default in ESXi releases since 2021). Upon successful exploitation of CVE-2021-21974, the ESXiArgs ransomware encrypted a number of file types on the target system, including VM-related files with extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. Ransom notes were saved as HTML files on compromised systems for admins and users to subsequently discover. While some of these ransom notes claim to have stolen data from vulnerable targets, no data exfiltration had been observed at the time.

VMware made patches available when the OpenSLP heap-overflow vulnerability was initially reported in 2021. The following ESXi releases had been patched against this attack vector and exploited by the ESXiArgs campaign:

• ESXi version 7+ (ESXi70U1c-17325551 and later)
• ESXi version 6.7+ (ESXi670-202102401-SG and later)
• ESXi version 6.5+ (ESXi650-202102101-SG and later)

VMware also offered patched releases for Cloud Foundation (ESXi), which included an ESXi component:

• Cloud Foundation (ESXi) version 4.2+
• Patching instructions for Cloud Foundation (ESXi) version 3.x can be found here

Patching (and also ensuring that your ESXi servers were running a supported, not end-of-life/end-of-support version) was the best course of action. If patching was not a near-term option, VMware recommended mitigation via disabling the OpenSLP service.

Latest CrushFTP vulnerability: CVE-2025-54309 #

CrushFTP disclosed a vulnerability in certain versions of their file transfer product, which fails to protect the alternate channel AS2 (Applicability Statement 2) data transfer protocol via HTTP(S) when a DMZ proxy instance is not used. The mishandling of AS2 validation allows a remote adversary to bypass the intended security measures, and obtain administrative access via HTTP(S). This vulnerability has been designated CVE-2025-54309 and has been rated critical with a CVSS score of 9.0. There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected:

• CrushFTP versions 10.x prior to 10.8.5
• CrushFTP versions 11.x prior to 11.3.4_23

What is the impact? #

Successful exploitation of this vulnerability would allow an adversary to execute administrative functions within the CrushFTP service without authentication, potentially leading to complete system compromise and data integrity issues.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible.

• CrushFTP release 10.x upgrade to version 10.8.5 or later
• CrushFTP release 11.x upgrade to version 11.3.4_23 or later

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:=CrushFTP AND product:CrushFTP

April 2025: (CVE-2025-31161) #

CrushFTP disclosed that a vulnerability in their file transfer product allows an unauthenticated remote attacker to bypass authentication on some HTTPS interfaces. Since the original disclosure, a CVE was assigned, CVE-2025-2825, and later, CVE-2025-31161. This vulnerability is being exploited in the wild.

What is the impact? #

Successfully exploiting this vulnerability would allow an attacker to execute administrative functions within the CrushFTP service without authentication. Versions of CrushFTP 11 prior to 11.3.1 and CrushFTP 10 prior to 10.8.4 are vulnerable.

Are updates or workarounds available? #

CrushFTP has released versions 11.3.1 and 10.8.4 to address this issue. The vendor has also indicated that enabling the DMZ setting in the CrushFTP configuration will mitigate this issue. CrushFTP administrators are advised to update at their earliest opportunity.

Previous CrushFTP vulnerability (April 2024) #

CrushFTP disclosed that a vulnerability in their file transfer product allows an unauthenticated attacker to access the host’s file system. No CVE has yet to be assigned for this issue and CrowdStrike has indicated that this issue is being actively exploited in the wild. Additional details can be found in this article by Sergiu Gatlan at BleepingComputer.

What is the impact? #

This issue affects all CrushFTP versions prior to 10.7.1 and CrushFTP 11 releases prior to patch 11.1.0. An unauthenticated attacker can abuse this issue to read files from the host’s file system.