End-of-Day report
Timeframe: Thursday 03-04-2025 18:00 - Friday 04-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Europcar GitLab breach exposes data of up to 200,000 customers
A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users.
https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers/
Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
Exploitation is always a tricky subject. Vendors want to minimize disruption to their userbase and avoid unnecessary patching, but they also need to balance that with the userbase's safety. [..] It appears that this is what happened here - Ivanti made a judgment call, believing that exploiting the vulnerability, given the requirement that the payload must consist only of the characters 0123456789., was impossible. Unfortunately, an advanced attacker seems to have proved them wrong.
https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/
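The excerpt above states the one detail a defender can act on today: the payload has to be built only from digits and periods, i.e. it has to look like an IPv4 address but is far longer than one. The following is an added example (not watchTowr's or Ivanti's code) that flags such X-Forwarded-For values in web logs. The log format is a constructed one (method, path, status, quoted X-Forwarded-For header), not Ivanti's actual log layout; adapt the line regex to your proxy or WAF logs.

```python
"""Flag X-Forwarded-For values that are digit/period-only but cannot be a
single IPv4 address. Added example for this report; the log format below is
constructed and is not Ivanti's real log layout."""
import ipaddress
import re

# 255.255.255.255 is the longest legitimate dotted-quad (15 characters).
# A digit/period-only value longer than that is not one address, and a
# proxy chain would contain ", " separators, which fail the charset test.
MAX_IPV4_LEN = 15

DIGITS_DOTS_RE = re.compile(r"[0-9.]+")
# Constructed format: METHOD PATH STATUS "X-Forwarded-For value"
LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines (not captured traffic). Lines 3 and 4 carry a
# value made only of digits and periods but far too long to be an address.
SAMPLE_LOG = "\n".join([
    'GET /login 200 "203.0.113.7"',
    'GET /login 200 "198.51.100.4, 10.0.0.2"',
    'GET /login 200 "' + "1" * 40 + '"',
    'GET /login 200 "' + "1." * 20 + '1"',
    'GET /login 200 "2001:db8::1"',
])


def xff_is_suspicious(value: str, max_len: int = MAX_IPV4_LEN) -> bool:
    """True if value uses only 0-9 and '.' yet is not a single valid IPv4
    address: either longer than any dotted-quad, or malformed (e.g. 1.2.3
    or 300.1.1.1). IPv6 (':') and comma-separated chains never qualify."""
    if not DIGITS_DOTS_RE.fullmatch(value):
        return False
    if len(value) > max_len:
        return True
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one record per log line whose X-Forwarded-For is suspicious."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        xff = m.group(4)
        if xff_is_suspicious(xff):
            hits.append({"line": lineno, "len": len(xff), "xff": xff})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: X-Forwarded-For of {hit['len']} chars, "
              f"digits/periods only: {hit['xff'][:32]}...")
```

The charset-plus-length test is deliberately narrow so it stays quiet on normal proxy chains and IPv6 clients; it is a hunting heuristic for past exposure, not a substitute for installing the fixed Ivanti release.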
NVD Quietly Sweeps 100K+ CVEs Into a "Deferred" Black Hole
Without much fanfare, the NVD has begun mass-labeling older CVEs as "Deferred," effectively giving up on enriching them with detailed metadata like CVSS scores, CWEs, and CPEs. In an April 2 update, the NVD announced that all CVEs published before 2018 will be marked as Deferred, a move that's already resulted in 20,000 Deferred CVEs overnight, with potentially 100,000 more to come: "All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD."
https://socket.dev/blog/nvd-quietly-sweeps-100k-cves-into-a-deferred-black-hole?utm_medium=feed
Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
North Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware and introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques.
https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
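Hex-encoded strings defeat keyword greps over package sources only as long as nobody decodes them. The following is an added triage helper (not Socket's tooling and not code from the packages described) that pulls `\xNN` escape runs and long bare hex literals out of JavaScript source, decodes them, and flags decoded text containing tokens worth a human look. The sample JavaScript and the keyword list are constructed for illustration; tune the keywords to your own environment.

```python
"""Decode hex-encoded string literals in JavaScript source and flag the ones
that hide sensitive tokens. Added example for this report; SAMPLE_JS is
constructed, not taken from any real npm package."""
import re

# Constructed sample: "child_process" as \xNN escapes and a Bitbucket URL as
# a bare hex literal fed to Buffer.from(..., "hex"). Raw string keeps the
# backslashes exactly as they would appear in the file on disk.
SAMPLE_JS = r'''
const a = "\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73";
const b = Buffer.from("68747470733a2f2f6269746275636b65742e6f72672f6578616d706c652f7061796c6f6164", "hex").toString();
const c = "hello";
'''

# Four or more consecutive \xNN escapes: ordinary code rarely writes strings this way.
ESCAPED_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
# Quoted literal of 16+ hex digits, as used with Buffer.from(s, "hex").
HEX_LITERAL_RE = re.compile(r"""["']([0-9a-fA-F]{16,})["']""")

# Tokens whose presence inside an encoded string merits manual review.
# Assumed list for the example; extend for your environment.
SUSPICIOUS = ("child_process", "eval(", "require(", "http://", "https://",
              "bitbucket.org", ".ssh", "wallet")


def decode_escaped(run: str) -> str:
    """Turn '\\x63\\x68' style escapes into text."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")


def find_hex_strings(src: str) -> list[tuple[str, str]]:
    """Return (raw_literal, decoded_text) pairs for every hex-encoded string."""
    found = []
    for m in ESCAPED_RE.finditer(src):
        found.append((m.group(0), decode_escaped(m.group(0))))
    for m in HEX_LITERAL_RE.finditer(src):
        raw = m.group(1)
        if len(raw) % 2:
            continue  # odd length cannot be a byte string
        try:
            decoded = bytes.fromhex(raw).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # hex-looking but not text (hash, key material, etc.)
        found.append((raw, decoded))
    return found


def flag_suspicious(src: str) -> list[tuple[str, list[str]]]:
    """Decoded strings that contain at least one SUSPICIOUS token, with the tokens hit."""
    hits = []
    for _, decoded in find_hex_strings(src):
        tokens = [k for k in SUSPICIOUS if k in decoded]
        if tokens:
            hits.append((decoded, tokens))
    return hits


if __name__ == "__main__":
    for decoded, tokens in flag_suspicious(SAMPLE_JS):
        print(f"{tokens}: {decoded}")
```

Run it over `node_modules/<package>/**/*.js` before the install scripts get a chance to; the decode step is what turns a string that looks like noise to a regex back into `child_process` or a download URL.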
Vulnerabilities
DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software
Autodesk Navisworks is affected by multiple DWFX file parsing vulnerabilities listed in the advisory. Exploitation can lead to code execution and requires user interaction (opening a malicious DWFX file).
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0002
Critical vulnerability with maximum severity rating fixed in Apache Parquet
As a post on the Openwall mailing list shows, the developers have fixed the vulnerability in version 1.15.1. All earlier releases are vulnerable. The vulnerability (CVE-2025-30065) is rated "critical" with the highest possible CVSS score of 10 out of 10. Specifically, it affects the parquet-avro module of Apache Parquet's Java library.
https://www.heise.de/news/Kritische-Luecke-mit-Hoechstwertung-in-Apache-Parquet-geschlossenen-10340107.html
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils).
https://lwn.net/Articles/1016484/
Cisco: High-risk vulnerabilities in Meraki and Enterprise Chat
Developers have found high-risk security vulnerabilities in the AnyConnect VPN software of Cisco's Meraki MX and Z series as well as in Enterprise Chat and Email. Updated firmware and software are available to fix them. Admins should install them promptly.
https://heise.de/-10340333
Hitachi Energy TRMTracker
https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-02
B&R APROL
https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-05
Hitachi Energy RTU500 Series
https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-01