Top 5 Cybersecurity Events of the Week by Jet CSIRT: Critical Vulnerabilities and Emerging Threats

Today’s top five highlights include a critical vulnerability in Langflow, an old exploit affecting Zyxel network equipment, a privilege escalation flaw in Linux, a GitHub repository attack, and a new malicious campaign utilizing Cloudflare Tunnel subdomains.

1. **Critical vulnerability in Langflow leads to Flodrix botnet infection**

Trend Micro researchers have identified active exploitation of a severe vulnerability, CVE-2025-3248 (CVSS: 9.8), in Langflow—a widely used platform for LLM frameworks. This vulnerability allows attackers to remotely execute code without authentication through a specially crafted HTTP POST request to /predict. As a result, a script is triggered that deploys the malicious Flodrix botnet, capable of conducting Distributed Denial of Service (DDoS) attacks, gaining remote access, and installing cryptocurrency miners and info stealers. The attack affects versions prior to 1.3.0, and Trend Micro experts recommend updating to the latest version and restricting external access to the admin interface.

2. **Exploitation of an old vulnerability for attacking Zyxel network devices**

The GreyNoise service has detected a surge in attempts to exploit a vulnerability in Zyxel network equipment. Designated CVE-2023-28771 (CVSS: 9.8), this flaw, discovered in 2023, allows unauthorized attackers to execute certain operating system commands remotely by sending specially crafted packets to the targeted device. On June 16, 244 active traffic sources were reported within a 24-hour period, attempting to send malicious IKE packets through UDP port 500. The attacks originated from various locations globally, including major cloud hosting providers. Despite the short duration of activity, the scale and distribution suggest a coordinated campaign. It is advised to update Zyxel firmware to a version that fixes the vulnerability, restrict external access to UDP/500, and set up monitoring for suspicious IKE traffic.
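One way to implement the recommended monitoring for suspicious IKE traffic, as an added example that is not part of the original digest or any vendor tool: it parses constructed firewall-style log lines (the line format, the 24-hour window and the alert threshold are assumptions) and flags when many distinct sources hit UDP/500 within one window, the pattern GreyNoise described.

```python
"""Flag a surge of distinct sources sending UDP/500 (IKE) packets.
Log lines below are constructed samples; their format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> proto=<p> src=<ip> dst=<ip> dpt=<port>")
SAMPLE_LOG = """\
2025-06-16T10:00:01 proto=UDP src=203.0.113.10 dst=192.0.2.1 dpt=500
2025-06-16T10:00:05 proto=UDP src=203.0.113.11 dst=192.0.2.1 dpt=500
2025-06-16T10:00:09 proto=TCP src=203.0.113.12 dst=192.0.2.1 dpt=443
2025-06-16T10:01:13 proto=UDP src=203.0.113.12 dst=192.0.2.1 dpt=500
2025-06-16T10:02:20 proto=UDP src=198.51.100.7 dst=192.0.2.1 dpt=500
2025-06-16T13:30:00 proto=UDP src=198.51.100.8 dst=192.0.2.1 dpt=500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=[\d.]+ dpt=(?P<dpt>\d+)$"
)

def parse_ike_events(text):
    """Return (timestamp, source IP) pairs for UDP/500 lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dpt"] != "500":
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"]))
    return events

def max_distinct_sources(events, window_hours=24):
    """Sliding window: largest number of distinct sources seen within any window."""
    window = timedelta(hours=window_hours)
    events = sorted(events)
    counts, start, best = defaultdict(int), 0, 0
    for ts, src in events:
        counts[src] += 1
        while ts - events[start][0] > window:      # drop events older than the window
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def ike_surge_alert(text, threshold=4, window_hours=24):
    """True when at least `threshold` distinct sources probe UDP/500 in one window."""
    return max_distinct_sources(parse_ike_events(text), window_hours) >= threshold
```

Tune the threshold to the number of IKE peers a given gateway legitimately serves; a single spoofed source can still hide below it, so pair this with firmware updates and the UDP/500 access restriction noted above.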

3. **CISA alerts about active exploitation of a privilege escalation vulnerability in Linux**

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-0386 (CVSS: 7.8) to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw is actively being exploited. The vulnerability affects the OverlayFS subsystem in the Linux kernel, allowing local users to escalate their privileges to root due to improper ownership management. Ubuntu and other Debian-based distributions are particularly vulnerable. It is crucial to urgently verify kernel versions and apply available security updates.

4. **Water Curse: Attack via GitHub repositories gains momentum**

Trend Micro experts reported that the Water Curse malicious campaign has compromised 76 GitHub accounts, using them to host malicious code within popular open-source projects. The attack begins by injecting hidden malicious dependencies that download multi-stage scripts, executing harmful code on the machines of developers and DevOps engineers. The primary goal is to collect credentials and establish backdoors within corporate environments. The malware employs supply chain poisoning techniques and disguises itself as legitimate updates. It is recommended to enable two-factor authentication (2FA) on all GitHub development accounts, isolate build environments, and implement release signing.

5. **New malicious campaign utilizes Cloudflare Tunnel subdomains for malware delivery**

Securonix researchers uncovered a sophisticated operation named SERPENTINE#CLOUD, in which attackers leverage Cloudflare Tunnel and WebDAV to conceal their command channels and deliver Remote Access Trojans (RATs). The campaign starts with a mass mailing of malicious emails disguised as invoices. These emails contain disguised .lnk files that trigger a loading chain ending in an in-memory Python loader. The attackers utilize Living-off-the-Land techniques and covert routing through Cloudflare, allowing them to bypass security measures. Targeting corporate Windows users, this campaign exhibits a high degree of resilience against detection. Securonix recommends monitoring tunnel traffic and auditing unusual Python interpreter invocations.