watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover…

watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) potentially leading to full system takeover and session hijacking. Learn about affected models, available patches, and CISA’s urgent warning.

Cybersecurity researchers at watchTowr have spotted malicious threat actors actively leveraging known security vulnerabilities in SonicWall’s widely used SMA 100 (Secure Mobile Access) appliances.

This discovery, documented in their latest blog post shared with Hackread.com, reveals how attackers are combining two specific vulnerabilities to potentially gain complete administrative control over these devices.

Evidence suggests these techniques are already being employed in real-world attacks, making immediate awareness and action critical for affected businesses. The investigation started after clients reported unusual activity on the SonicWall system, leading to the discovery of a vulnerability in the Apache web server software tracked as CVE-2024-38475, discovered by Orange Tsai. The flaw allows unauthorized file reading, and its presence in the SonicWall configuration makes the appliance vulnerable.

The second critical vulnerability, CVE-2023-44221, is a command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd. This weakness allows an attacker who has already gained some level of access to execute their own commands on the affected system.

The combination of these two vulnerabilities is particularly concerning. The file read vulnerability (CVE-2024-38475) can be used to extract sensitive information, such as administrator session tokens, effectively bypassing the need for login credentials. Once this initial foothold is established, the command injection vulnerability (CVE-2023-44221) can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise.

The vulnerabilities affect the SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The blog post reveals the technical steps involved, including exploiting the Apache “Filename Confusion” and “DocumentRoot Confusion,” and accessing sensitive files like the session database.

Researchers even demonstrated how to overcome challenges in reliably extracting this data by using techniques like requesting the file in chunks to exploit the command injection flaw, and even bypass initial attempts at security measures implemented in the SonicWall software.

In their report, watchTowr researchers note that these vulnerabilities could be chained together to achieve a complete system takeover. Reportedly, CVE-2023-44221 was patched in December 2023 (firmware version 10.2.1.10-62sv and higher), and CVE-2024-38475 was patched in December 2024 (firmware version 10.2.1.14-75sv and higher).

WatchTowr has also developed a tool (Detection Artefact Generator) to detect and exploit vulnerabilities. This tool can help organizations assess their risk, implement necessary patches, and secure measures

The fact that CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue on May 1, 2025, and mandated federal agencies to apply the patches by May 22, 2025, highlights the urgency of the situation. That’s why it is crucial to promptly address them in critical edge devices like the SonicWall SMA100.

watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices

Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how…

Oligo Security uncovers “AirBorne,” a set of 23 vulnerabilities in Apple AirPlay affecting billions of devices. Learn how these flaws enable remote control (RCE) and data theft on iPhones, Macs, CarPlay, and more.

Cybersecurity firm Oligo has revealed major vulnerabilities, dubbed AirBorne, in Apple’s AirPlay, a wireless system used by iPhones, iPads, Macs, and third-party devices for audio and video streaming. These flaws in Apple’s AirPlay software tools for other companies could let hackers take control of devices on the same Wi-Fi network.

Apple has released updates for its devices and provided fixes to third-party makers, urging users to update. However, not all companies update quickly. Oligo identified 23 vulnerabilities, leading to 17 security identifiers (CVEs), that could enable various attacks, including taking complete control of a device without user interaction (Zero-Click RCE), reading any file (Local Arbitrary File Read), stealing private information, and intercepting communications. Attackers could combine these to fully control devices.

Two key vulnerabilities (CVE-2025-24252 and CVE-2025-24132) could allow wormable attacks, spreading harmful software automatically across networks. This could lead to serious issues like spying and ransomware. Millions of Apple devices and third-party AirPlay devices, including those in cars (CarPlay), are potentially affected.

Oligo demonstrated Zero-Click RCE on macOS (CVE-2025-24252) under certain network settings, potentially allowing malware to spread. They also found One-Click RCE on macOS (CVE-2025-24271) under different settings. Speakers and receivers using AirPlay SDK are vulnerable to Zero-Click RCE (CVE-2025-24132), allowing eavesdropping. CarPlay devices are also at risk of RCE, which could distract drivers or enable tracking.

Oligo’s research found that many basic AirPlay commands were accessible without strong security. The vulnerabilities often relate to how the AirPlay software handles data in a format called “plist.”

For your information, plist is AirPlay’s system that combines HTTP and RTSP protocols to communicate over port 7000. Commands, particularly those with extra information, are sent as HTTP data in plist format.

Oligo gave one example of a type of confusion vulnerability (CVE-2025-24129) that happens because the AirPlay software doesn’t properly check the type of data it receives in a plist. If it expects a list of items but gets something else, it can cause the program to crash.

Crashing a device’s AirPlay could allow attackers to intercept communications. For example, crashing the AirPlay server on a device could allow an attacker to pretend to be that device on the network and intercept communications. They gave a scenario where an attacker could crash a TV’s AirPlay, fake its identity, and then record a meeting being streamed to it, researchers noted.

Oligo’s in-depth technical report published on April 29, 2025, urges users and organizations to immediately update all Apple and third-party AirPlay devices to the latest software. They also suggest disabling AirPlay when not in use and limiting AirPlay access on networks.

In a comment to Hackread.com, cybersecurity expert and Head of Business Product at NordPass, Karolis Arbaciauskas stated that “Many third-party AirPlay devices don’t get timely updates like Apple’s, so vulnerabilities may remain. To exploit them, an attacker needs access to your Wi-Fi, so secure your router with updates and a strong password.”

“Factory-set passwords are often weak, so always change them. Use at least eight random characters with numbers and symbols, and consider a password manager to make this easier,” Karolis advised. “Avoid using AirPlay on public Wi-Fi, which is often insecure. If possible, use your phone’s hotspot instead, or at least avoid open networks and use a VPN.”

Billions of Apple Devices at Risk from “AirBorne” AirPlay Vulnerabilities

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major…

Fake Qantas emails in a sophisticated phishing scam steal credit card and personal info from Australians, bypassing major email security filters.

Australian airline Qantas is being targeted by criminals with fake emails claiming to be from the airline. Security experts at Cofense Intelligence, who discovered this attack, found that these convincing emails trick users into giving away their credit card information and personal information like phone numbers and addresses.

These fake Qantas emails mimic real marketing emails, using the same colours, and layout as real ones and “with appropriate branding and functional links.” One clever trick the criminals used was to include an “unsubscribe” link in the emails, just like real marketing emails do.

However, the links in the fake emails didn’t go to Qantas’s official website. Instead, they went to other websites. Experts believe the criminals might have used these fake unsubscribe links to see which email addresses were real and active.

Interestingly, according to Cofense’s report, the fake emails mentioned that Qantas was celebrating its 103rd anniversary. However, Qantas’s 103rd anniversary was actually in 2023, two years ago. This was one of the few mistakes in the otherwise very convincing emails.

Source: Cofense Intelligence

The emails tricked people into clicking on links to fake websites, often containing the phrase “auth/auhs1” followed by random words related to Qantas or coupons. These websites generally disappeared within a day and asked for personal information in a multi-step process, including name, phone number, email address, and home address. This collected contact information, along with the date of birth, could be used for targeted scams or password guessing.

These fake websites allegedly attempted to set up multi-factor authentication after a user entered their credit card information, but this failed. Experts believe that this extra step was added to deceive victims into believing there was a problem with their end rather than the website.

Researchers observed that cybercriminals behind this campaign seemed to be particularly targeting people in Australia. Even though some people in the United States also received these emails, the offers were in Australian dollars, and Qantas is based in Australia.

This suggests the attackers preferred Australian victims. Moreover, they highlighted that the campaign successfully bypassed multiple Secure Email Gateways (SEGs), including Microsoft APT, Proofpoint, and Mimecast, indicating a sophisticated approach by the attackers.

This campaign started around February 2025 but seemed to slow down in mid-March 2025. It shows how criminals are constantly trying new and sophisticated ways to trick people online, making it important for everyone to be very careful about the emails they receive and the websites they visit.

Phishing Emails Impersonating Qantas Target Credit Card Info

Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable.
The names of the packages are listed below -

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy

"Despite appearing legitimate,

Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

Plus: France blames Russia for a series of cyberattacks, the US is taking steps to crack down on a gray market allegedly used by scammers, and Microsoft pushes the password one step closer to death.

Researchers unveiled a cluster of vulnerabilities in Apple’s wireless media streaming platform AirPlay this week that leave millions of third-party devices like speakers and TVs vulnerable to takeover if an attacker is on the same Wi-Fi network as the victim gadget. These “AirBorne” vulnerabilities have all been patched—including some that potentially impacted Apple’s Mac computers—but, in practice, third-party devices may not all get fixes, and even if they do, patch adoption could be low.

Records reviewed by WIRED show that utilizing car subscription features can substantially raise your risk of being subjected to government surveillance, because such services generate troves of data that are valuable to law enforcement. WIRED also did a deep dive on North Korea’s yearslong campaign to place IT workers inside companies in North American, the United Kingdom, and Europe. The schemes are more effective than ever as scammers incorporate AI into their workflows.

WhatsApp designed a special cloud processing platform called Private Processing to allow new AI tools to work in the secure messenger without compromising its end-to-end encryption. Experts warn, though, that it could create enticing targets for hackers. And we have a guide for navigating the privacy risks of using ChatGPT’s new image generator to do seemingly fun and innocuous projects like making an action figure version of yourself.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Three British Retailers Hacked in Spate of Cyberattacks**

Three separate retailers in the UK—including the supermarket Co-op and thedepartment stores Marks & Spencer and Harrods—have all revealed they have recently been subject to cyberattacks, with the intrusions and widespread impact seemingly ongoing. Toward the end of April, Marks & Spencer revealed it had been the victim of a “cyber incident.” Over the following two weeks, it has been forced to pause online orders within its apps, some food has been missing from its shelves, and it has paused recruitment and other “normal processes.” Staff at Co-op have been told to keep webcams turned on during remote meetings and check who is attending calls, after shutting down parts of its IT systems in response to its own hack. Harrods, meanwhile, told customers to “not do anything differently at this point.”

At the time of writing, none of the retailers have detailed the specific nature of the cyberattacks or the full scale of the impacts. It is also unclear if the attacks are linked. Bloomberg has reported a ransomware cartel dubbed DragonForce has claimed it and its partners were behind the attacks. The so-called cartel provides “infrastructure and tools” to hackers but “doesn't require affiliates to deploy its ransomware,” according to research from security firm Secureworks. The hacked companies did not respond to Bloomberg about the claims.

Bleeping Computer originally reported that the threat actors known as Scattered Spider were allegedly behind the attack on Marks & Spencer. The publication reported that the company’s servers were encrypted by ransomware, with the intrusion beginning as early as February. The attribution to Scattered Spider has not been confirmed by Marks & Spencer.

Over the past two years, Scattered Spider has emerged as one of the most prolific and dangerous sets of hackers currently operating. The threat actors are not a well-defined group of hackers. Instead, they’re more a loose collective that uses social engineering—such as phishing and voice calls—to gain initial access into company networks. Scattered Spider members are often English-speaking, teenaged, and can be members of the heinous criminal group the Com. The hackers have been active since June 2022 and have targeted more than 100 companies—including the high-profile hacks on Caesar's Entertainment and MGM Resorts in 2023.

**France (Finally) Names Russian Hackers for the First Time**

French authorities have condemned Russia’s military intelligence agency, accusing it of orchestrating a series of high-profile cyberattacks—including the hacking of Emmanuel Macron’s 2017 presidential campaign, a brazen 2015 assault on the TV channel TV5 Monde, and recent intrusion attempts targeting organizations involved in preparing the 2024 Paris Olympic Games.

French authorities have also disclosed the name and location of a GRU unit tied to the notorious hacking group APT28—information that had never before been officially released. Unit 20728 is based in the southern Russian city of Rostov-on-Don and operates out of the "166th Information Research Center."

This marks the first time French officials have publicly assigned blame to a foreign intelligence service following an internal attribution process. The timing is significant, coming as Paris positions itself at the forefront of Europe’s support for Ukraine.

**US Moves to Crack Down on ‘Largest Illicit Marketplace’**

The Trump administration has taken the first step toward blacklisting a Cambodian financial conglomerate at the center of a global money laundering network. On Thursday, the Treasury Department designated Huione Group as a money-laundering operation, alleging that the company and its affiliates have laundered more than $4 billion for criminals, including North Korean hackers and online scammers.

These scammers—who defraud victims through bogus investments and other schemes—rely on Huione and its affiliates to move funds abroad to evade both law enforcement and anti-money-laundering systems. The proposed action represents the most significant effort yet to crack down on Huione, which is tied to what experts believe to be the “largest illicit marketplace”: Huione Guarantee. According to WIRED’s January report, the marketplace has likely facilitated over $24 billion in gray-market transactions. Experts believe the platform operates as a one-stop shop for scammers, offering everything from victim contact lists and deepfake tools to fake investment websites and other illicit services.

**New Microsoft Accounts Won’t Need Passwords Anymore**

Slowly but surely, the password is dying. Over the past two years, passkeys—a stronger method of authentication that doesn’t require you to remember or use a password—have become more common. The rollout of the technology has been piecemeal, but big tech companies have worked for years to create the alternative, which is more secure than passwords. This week, Microsoft announced that people setting up new accounts with the company won’t have to create passwords at all. “New Microsoft accounts will now be ‘passwordless by default,’” the company wrote in a blog post. Microsoft is also pushing people further away from passwords and will “detect” the best way for people to lo in to their accounts if they have set up alternatives to passwords.

Hacking Spree Hits UK Retail Giants

An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future

Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one

U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems

Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-h3vp-qwmx-5j25: Grokability Snipe-IT has incorrect authorization for accessing asset information

In the obfstr crate before 0.4.4 for Rust, the obfstr! argument type is not restricted to string slices, leading to invalid UTF-8 conversion that produces an invalid value.

GHSA-v2p5-q653-9j99: obfstr Type Confusion vulnerability

A photo taken this week showed Mike Waltz using an app that looks like—but is not—Signal to communicate with top officials. "I don't even know where to start with this," says one expert.

On ThursdaY, Reuters published a photo depicting then-United States national security adviser Mike Waltz checking his phone during a cabinet meeting held by President Trump in the White House. If you enlarge the portion of the image that captures Waltz’s screen, it seems to show him using the end-to-end encrypted messaging app Signal. But if you look more closely, a notification on the screen refers to the app as “TM SGNL.” During a White House cabinet meeting on Wednesday, then, Waltz was apparently using an Israeli-made app called TeleMessage Signal to message with people who appear to be top US officials, including JD Vance, Marco Rubio, and Tulsi Gabbard.

After senior Trump administration cabinet members used vanishing Signal messages to coordinate March military strikes in Yemen—and accidentally included the editor in chief of The Atlantic in the group chat—the “SignalGate” scandal highlighted concerning breaches of traditional government “operational security” protocol as well as compliance issues with federal records-retention laws. At the center of the debacle was Waltz, who was ousted by Trump as US national security adviser on Thursday. Waltz created the “Houthi PC Small Group” chat and was the member who added top Atlantic editor Jeffrey Goldberg. "I take full responsibility. I built the group," Waltz told Fox News in late March. "We've got the best technical minds looking at how this happened," he added at the time.

SignalGate had nothing to do with Signal. The app was functioning normally and was simply being used at an inappropriate time for an incredibly sensitive discussion that should have been carried out on special-purpose, hardened federal devices and software platforms. If you're going to flout the protocols, though, Signal is (relatively speaking) a good place to do it, because the app is designed so only the senders and receivers of messages in a group chat can read them. And the app is built to collect as little information as possible about its users and their associates. This means that if US government officials were chatting on the app, spies or malicious hackers could only access their communications by directly compromising participants' devices—a challenge that is potentially surmountable but at least limits possible access points. Using an app like TeleMessage Signal, though, presumably in an attempt to comply with data retention requirements, opens up numerous other paths for adversaries to access messages.

"I don't even know where to start with this," says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “It's mind-blowing that the federal government is using Israeli tech to route extremely sensitive data for archival purposes. You just know that someone is grabbing a copy of that data. Even if TeleMessage isn't willingly giving it up, they have just become one of the biggest nation-state targets out there.”

TeleMessage was founded in Israel in 1999 by former Israel Defense Forces technologists and run out of the country until it was acquired last year by the US-based digital communications archiving company Smarsh. The service creates duplicates of communication apps that are outfitted with a “mobile archiver” tool to record and store messages sent through the app.

“Capture, archive and monitor mobile communication: SMS, MMS, Voice Calls, WhatsApp, WeChat, Telegram & Signal,” TeleMessage says on its website. For Signal it adds, “Record and capture Signal calls, texts, multimedia and files on corporate-issued and employee BYOD phones.” (BYOD stands for bring your own device.) In other words, there are TeleMessage versions of Signal for essentially any mainstream consumer device. The company says that using TeleMessage Signal, users can “Maintain all Signal app features and functionality as well as the Signal encryption,” adding that the app provides “End-to-End encryption from the mobile phone through to the corporate archive.” The existence of “the corporate archive,” though, undermines the privacy and security of the end-to-end encryption scheme.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program or FedRAMP. TeleMessage and Smarsh did not immediately return requests for comment about whether their products are used by the US federal government and in what capacity.

"As we have said many times, Signal is an approved app for government use and is loaded on government phones,” White House press secretary Anna Kelly tells WIRED. She did not answer questions about whether the White House approves of federal officials using TeleMessage Signal—which is a different app from Signal—or whether other officials aside from Waltz have used the app or currently use it.

The Cybersecurity and Infrastructure Security Agency does not create policy around federal technology use but does release public guidance. When asked about Waltz’s apparent use of TeleMessage Signal, CISA simply referred WIRED to its best-practices guide for mobile communications. The document specifically advises, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata.”

It is not clear when Waltz started using TeleMessage Signal and whether he was already using it during SignalGate or started using it afterward in response to criticisms that turning on Signal's disappearing messages feature is in conflict with federal data-retention laws.

“I have no doubt the leadership of the US national security apparatus ran this software through a full information-assurance process to ensure there was no information leakage to foreign nations,” says Johns Hopkins cryptographer Matt Green. “Because if they didn’t, we are screwed.”

Latest News