Insights

advisory ID: ADV-2025-ALL-05
date issued: 14 May 2025
severity: Critical (CVE-2025-29966), High (CVE-2025-30397)
CVSs scores:

CVSS Base Score: 9.8 CRITICAL 

A critical vulnerability in Erlang's Open Telecom Platform (OTP) SSH implementation has recently been published. OTP is a collection of middleware, libraries and tools written in the Erlang programming language and is used by a large number of global companies for communications. According to https://erlang-companies.org, companies that may be affected include Ericsson, T-Mobile, BT and Bet365 (that reportedly use it in it's live betting infrastructure) and major products that may be affected include WhatsApp, Klarna and Discord. 

 

The vulnerability has the highest severity possible with a CVSS score of 10 out of 10. This is likely because it may allow an attacker to perform unauthenticated remote code execution on a target server. The attack complexity has been described at low, meaning exploitation is likely trivial. Any network facing server with the Erlang OTP implementation of SSH enabled that isn't version OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 should be considered vulnerable. The current recommendation is to either update to these versions, or disabling the SSH server or access to it temporarily until it's patched. 

 

If you are currently or have been vulnerable to this exploitation, please feel free to reach out to Integrity360 for more advice. We are monitoring the situation and will provide more updates as they arise.

Foundational security organisation MITRE announced on the 15th April that the funding it received to maintain the CVE and CWE program would not be renewed. This was important, because MITRE, along with NIST and the CISA, are a huge contributor to the CVE program.
 
The announcement came abruptly, with the funding organisation DHS declining to comment on the reason at this time, however they provided the following statement:
 
"Although CISA's contract with the MITRE Corporation will lapse after April 16th, we are urgently working to mitigate impact and to maintain CVE services on which global stakeholders rely."
 
This meant that after 16th April 2025, the CVE database, which is critical for tracking and understanding vulnerabilities, might experience disruption. This meant that vulnerabilities discovered after this time would not likely be tracked and published until a resolution is found (this is not thought to affect CVE records dating before the 16th).
 
All cybersecurity tools and processes rely on the CVE database to track and respond to newly discovered vulnerabilities across the environment. A disruption in this service, even temporary, would have affected the visibility of emerging threats and delayed the publication of official CVE records. This, in turn, could have impacted the accuracy of vulnerability scans, the speed of detection, and the prioritisation of response actions.
 
Integrity360 learned that on the morning (EST) of the 16th, the U.S. Government had (at the last minute) extended it's funding for the program, buying more time for a more long-term approach to be agreed.
 
Integrity360 is monitoring the situation and will provide more updates as they arise.
 
Below is the original MITRE letter that was circulated on the 15th April, explaining the halting of the service.

This advisory highlights a critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products that is being actively exploited in the wild. The flaw allows unauthenticated remote code execution via the SSL VPN interface, potentially giving attackers full control over affected devices. With multiple versions impacted across FortiOS and FortiProxy, and threat actors reportedly selling related exploits on dark web forums, the risk of widespread exploitation is high. Fortinet strongly urges immediate patching and additional mitigation steps, making this advisory crucial for organisations relying on Fortinet products to secure their networks. 

Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.

A critical vulnerability, CVE-2025-22457, has been identified in Ivanti Connect Secure (ICS), Pulse Connect Secure (PCS), Ivanti Policy Secure, and ZTA Gateways. This stack-based buffer overflow allows remote, unauthenticated attackers to execute arbitrary code on affected devices. The flaw is currently being actively exploited by a suspected Chinese advanced persistent threat (APT) group, UNC5221, to deploy custom malware families, TRAILBLAZE and BRUSHFIRE, facilitating persistent access and deep network intrusion.

Next.js is a popular development library for web developers. In the authentication section of the library in affected versions, there is a vulnerability which would allow an attacker to bypass authentication, potentially gaining access to sensitive data or maninpulating targeted accounts. 

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication (VBR). This flaw allows authenticated domain users to execute arbitrary code on the affected system. The vulnerability has been assigned a CVSS v3.1 score of 9.9, indicating its critical severity. 

Overview: 

MITRE Caldera is an open-source cyber security platform designed for automating adversary emulation, red teaming, and threat hunting. It allows security teams to simulate real-world cyber threats, test defences, and improve incident response. 

CVE-2025-21298 is a critical vulnerability present in the windows OLE that enables a remote code execution with a CVSS severity of 9.8. Object Linking and Embedding (OLE) is a proprietary technology developed by Microsoft that allows embedding and linking to documents and objects.

UPDATED ON 12/02/2025: