CVE-2025-3248 - RCE flaw in Langflow framework for building AI agents exploited by attackers
CVSS Base Score: 9.8 CRITICAL
In 2024, the landscape of ransomware attacks will continue to evolve, drawing from past trends while adapting to new defences and technologies.
Learn about seven of the most popular cyber security frameworks being used by businesses around the world.
A critical vulnerability in Erlang's Open Telecom Platform (OTP) SSH implementation has recently been published. OTP is a collection of middleware, libraries and tools written in the Erlang programming language and is used by a large number of global companies for communications. According to https://erlang-companies.org, companies that may be affected include Ericsson, T-Mobile, BT and Bet365 (which reportedly uses it in its live betting infrastructure), and major products that may be affected include WhatsApp, Klarna and Discord.
The vulnerability has the highest severity possible, with a CVSS score of 10 out of 10. This is likely because it may allow an attacker to perform unauthenticated remote code execution on a target server. The attack complexity has been described as low, meaning exploitation is likely trivial. Any network-facing server with the Erlang OTP implementation of SSH enabled that isn't running version OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 should be considered vulnerable. The current recommendation is either to update to one of these versions or to disable the SSH server, or access to it, temporarily until it is patched.
If you are currently or have been vulnerable to this exploitation, please feel free to reach out to Integrity360 for more advice. We are monitoring the situation and will provide more updates as they arise.
Foundational security organisation MITRE announced on the 15th April that the funding it received to maintain the CVE and CWE programs would not be renewed. This was important because MITRE, along with NIST and CISA, is a huge contributor to the CVE program.
The announcement came abruptly, with the funding organisation, DHS, declining to comment on the reason at this time. However, they provided the following statement:
"Although CISA's contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
This meant that after 16th April 2025, the CVE database, which is critical for tracking and understanding vulnerabilities, might experience disruption. Vulnerabilities discovered after this date would likely not be tracked and published until a resolution was found (this was not thought to affect CVE records dating from before the 16th).
All cybersecurity tools and processes rely on the CVE database to track and respond to newly discovered vulnerabilities across the environment. A disruption in this service, even temporary, would have affected the visibility of emerging threats and delayed the publication of official CVE records. This, in turn, could have impacted the accuracy of vulnerability scans, the speed of detection, and the prioritisation of response actions.
Integrity360 learned that on the morning (EST) of the 16th, the U.S. Government had (at the last minute) extended its funding for the program, buying time for a longer-term approach to be agreed.
Integrity360 is monitoring the situation and will provide more updates as they arise.
Below is the original MITRE letter that was circulated on the 15th April, explaining the halting of the service.
This advisory highlights a critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products that is being actively exploited in the wild. The flaw allows unauthenticated remote code execution via the SSL VPN interface, potentially giving attackers full control over affected devices. With multiple versions impacted across FortiOS and FortiProxy, and threat actors reportedly selling related exploits on dark web forums, the risk of widespread exploitation is high. Fortinet strongly urges immediate patching and additional mitigation steps, making this advisory crucial for organisations relying on Fortinet products to secure their networks.
Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.
As the cyber threat landscape evolves, staying ahead of emerging risks is crucial. Discover the key trends shaping cyber security in 2025 and how to prepare.
When a new security vulnerability emerges, there’s often a small window of time to respond before attackers start exploiting it in the wild. For LDAPNightmare (CVE-2024-49112), that window is quickly closing.
Microsoft’s latest Patch Tuesday release addressed 16 critical vulnerabilities, all classified as remote code execution flaws—a stark reminder of the importance of proactive patch management.
The recently discovered vulnerabilities in Veeam Service Provider Console, tracked as CVE-2024-42448 and CVE-2024-42449, have been classified as critical and high severity. If exploited, these vulnerabilities could severely undermine system integrity and operational security, jeopardising sensitive data and backup operations.
If you were to look at a stock image of a hacker, it would show a hooded figure hunched over the desk who’s lost in the sea of green text and numbers that flash across the screen.
Issue Overview and Impact