Critical Vulnerabilities in Fluent Bit Logging Agent
Summary
Five critical vulnerabilities in Fluent Bit, a widely used telemetry agent for logs, metrics, and traces, have been disclosed: CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, and CVE-2025-12978. They cover improper input validation of tags, a path traversal bug, a stack buffer overflow, and a missing authentication check, and together allow attackers to manipulate or forge log records, overwrite files, and execute code. Fixes shipped in versions v4.1.1 and v4.0.12; older versions remain at risk. Because Fluent Bit sits inside the observability pipelines of banks, cloud providers, security products, and SaaS platforms, tampering with it distorts what defenders see. Immediate patching and configuration hardening are recommended, and AWS has urged customers to update to the latest version. Successful exploitation could disrupt cloud services, manipulate data, and let attackers burrow deeper into cloud and Kubernetes infrastructure.
Timeline
- 24.11.2025 17:00 · 2 articles
Critical Fluent Bit Vulnerabilities Disclosed and Patched
Five critical vulnerabilities in Fluent Bit were disclosed on 24 November 2025; the fixes had already shipped in versions v4.1.1 and v4.0.12, released in early October 2025. The flaws include improper input validation of tags, a path traversal bug, a stack buffer overflow, and a missing authentication check, allowing attackers to manipulate logs, overwrite files, and execute code. Immediate patching and configuration hardening are recommended, and AWS has urged customers to update to the latest version. Successful exploitation could disrupt cloud services, manipulate data, and let attackers burrow deeper into cloud and Kubernetes infrastructure.
Sources:
- Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
- New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
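A check a practitioner wants next to the release notes above: which of the Fluent Bit versions running in a fleet actually carry the v4.1.1 / v4.0.12 fixes. The script below is an added example, not code from the Fluent Bit project or from the cited articles. It assumes (the sources do not say so) that releases newer than the 4.1 line include the fixes and that branches older than 4.0 have no fixed release, so they count as unpatched; the image list is constructed sample input.

```python
"""Version triage for the Fluent Bit advisory above (added example)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained branch, per the advisory summary.
FIXED_BY_BRANCH = {
    (4, 1): (4, 1, 1),
    (4, 0): (4, 0, 12),
}


def parse_version(text: str) -> Optional[Version]:
    """Pull a MAJOR.MINOR.PATCH triple out of strings such as 'v4.1.0',
    'fluent-bit 4.0.12' or an image tag; returns None if there is none."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed release of its branch.

    Assumption (not stated by the sources): releases newer than 4.1.1 carry
    the fixes, and branches older than 4.0 have no fixed release at all."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no version number found in {text!r}")
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        return version >= fixed
    return version > (4, 1, 1)


def triage_images(images: List[str]) -> List[Tuple[str, str]]:
    """Classify container image references as patched / vulnerable / unknown.

    'unknown' covers floating tags such as ':latest' and digest references,
    which must be checked by running `fluent-bit --version` in the container."""
    results = []
    for image in images:
        name = image.rsplit("/", 1)[-1]          # drop the registry/repo path
        tag = name.split(":", 1)[1] if ":" in name else ""
        version = parse_version(tag)
        if version is None:
            status = "unknown"
        elif is_patched(tag):
            status = "patched"
        else:
            status = "vulnerable"
        results.append((image, status))
    return results


# Constructed sample: the kind of list `kubectl get pods -A -o jsonpath='{..image}'`
# returns for a cluster running Fluent Bit as a DaemonSet.
SAMPLE_IMAGES = [
    "cr.fluentbit.io/fluent/fluent-bit:4.0.11",
    "cr.fluentbit.io/fluent/fluent-bit:4.1.1",
    "cr.fluentbit.io/fluent/fluent-bit:latest",
    "fluent/fluent-bit:3.2.10",
]

if __name__ == "__main__":
    for image, status in triage_images(SAMPLE_IMAGES):
        print(f"{status:10s} {image}")
```

Feed `triage_images` the whitespace-split output of the `kubectl` command in the comment; anything reported as `unknown` still needs a manual `fluent-bit --version` inside the container, because a floating tag says nothing about what is actually running.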
Information Snippets
- Fluent Bit is a telemetry agent deployed over 15 billion times.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- The vulnerabilities include improper input validation, path traversal, and a missing authentication check.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- Patches are available in Fluent Bit v4.1.1 and v4.0.12.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- Older versions of Fluent Bit remain vulnerable.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- Attackers could manipulate logs, overwrite files, and execute code.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- AWS responded rapidly and collaborated on coordinated fixes.
  First reported: 24.11.2025 17:00 · 2 sources, 2 articles
  - Flaws Expose Risks in Fluent Bit Logging Agent — www.infosecurity-magazine.com — 24.11.2025 17:00
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- CVE-2025-12972 is a path traversal in the out_file output plugin: unsanitized tag values are used to build output file names, so an attacker who controls a tag can write files outside the configured directory, which can be escalated to remote code execution.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- CVE-2025-12970 is a stack buffer overflow in the Docker Metrics input plugin (in_docker).
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- CVE-2025-12978 allows spoofing of trusted tags: the check that validates a client-supplied tag against the configured Tag_Key compares only the first character, so guessing that one character is enough to pass as a trusted source.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- CVE-2025-12977 is improper input validation of tags: control characters, newlines included, are accepted in attacker-supplied tags, which lets an attacker corrupt or forge records downstream.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- CVE-2025-12969: the in_forward input plugin does not enforce the configured security.users authentication, so any client that can reach the listener can push records even when user authentication is configured.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- Successful exploitation could disrupt cloud services, manipulate data, and let attackers burrow deeper into cloud and Kubernetes infrastructure.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
- AWS has urged customers to update to the latest version of Fluent Bit for optimal protection.
  First reported: 24.11.2025 17:03 · 1 source, 1 article
  - New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions — thehackernews.com — 24.11.2025 17:03
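Three of the snippets above (CVE-2025-12972, CVE-2025-12977, CVE-2025-12978) are all about what a receiver does with a client-supplied tag before using it as a routing key or a file name. The block below is an added example, not Fluent Bit's code: `weak_tag_matches` is an illustrative reconstruction of the first-character bug class the articles describe, and the other functions are the checks any pipeline that accepts tags over the network should apply. `MAX_TAG_LEN`, the function names and the sample tags are assumptions chosen for the demonstration.

```python
"""Tag handling checks for the tag-related Fluent Bit CVEs (added example)."""
import os
import re
from typing import List

# ASCII control characters, including \n and \r (CVE-2025-12977 class).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_TAG_LEN = 256  # assumption: pick a cap that fits your own routing rules


def weak_tag_matches(tag: str, trusted: str) -> bool:
    """Illustrative weak check (CVE-2025-12978 class), NOT Fluent Bit's code:
    only the first character is compared, so 'a...' spoofs 'app.web'."""
    return bool(tag) and bool(trusted) and tag[0] == trusted[0]


def strict_tag_matches(tag: str, trusted: str) -> bool:
    """Correct check: the whole tag must equal the configured value."""
    return tag == trusted


def tag_problems(tag: str) -> List[str]:
    """Return the reasons a client-supplied tag should be rejected
    (an empty list means the tag is acceptable)."""
    problems = []
    if not tag:
        problems.append("empty")
    if len(tag) > MAX_TAG_LEN:
        problems.append("too-long")
    if CONTROL_CHARS.search(tag):
        problems.append("control-characters")
    if "/" in tag or "\\" in tag:
        problems.append("path-separator")
    if ".." in tag:
        problems.append("dot-dot")
    return problems


def safe_output_path(base_dir: str, tag: str) -> str:
    """Build '<base_dir>/<tag>' and refuse anything that resolves outside
    base_dir (CVE-2025-12972 class). Resolving both sides before comparing
    defeats '..' segments, absolute tags and symlinked directories."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, tag))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"tag {tag!r} escapes {base_dir!r}")
    return candidate


def tag_escapes(base_dir: str, tag: str) -> bool:
    """True if safe_output_path would reject the tag."""
    try:
        safe_output_path(base_dir, tag)
    except ValueError:
        return True
    return False


# Constructed sample tags: one benign, three hostile.
SAMPLE_TAGS = {
    "app.web": "benign",
    "app.web\nfake.record": "newline injection",
    "../../etc/cron.d/job": "path traversal",
    "/etc/passwd": "absolute path",
}

if __name__ == "__main__":
    for tag, label in SAMPLE_TAGS.items():
        print(f"{label:18s} weak={weak_tag_matches(tag, 'app.web')!s:5} "
              f"strict={strict_tag_matches(tag, 'app.web')!s:5} "
              f"problems={tag_problems(tag)}")
        if tag_escapes("/var/log/fluent-bit", tag):
            print("   -> rejected as output file name")
        else:
            print("   ->", safe_output_path("/var/log/fluent-bit", tag))
```

Run it and the benign tag is the only one that passes every check, while the newline-bearing tag passes the path check but fails `tag_problems`: the two checks catch different bug classes and both belong in front of any input plugin that accepts tags from the network.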
Similar Happenings
Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways
Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.
Critical Command Injection Vulnerabilities in TP-Link Omada Gateways
TP-Link Omada and Festa VPN routers are affected by six critical command injection vulnerabilities, including the newly discovered CVE-2025-7850 and CVE-2025-7851. These flaws allow arbitrary OS command execution and root access, potentially leading to full compromise, data theft, lateral movement, and persistence. Multiple Omada gateway models and firmware versions are affected, and firmware updates have been released. TP-Link Omada gateways are full-stack solutions for small to medium businesses, combining router, firewall, and VPN gateway functionality. CVE-2025-6542 and CVE-2025-6541 can be exploited remotely without authentication or via the web management interface. Two further severe flaws, CVE-2025-8750 and CVE-2025-7851, allow authenticated command injection and root access under certain conditions. The newly discovered CVE-2025-7850 and CVE-2025-7851 stem from an incomplete fix for an earlier vulnerability, CVE-2024-21827, which left residual debug code and insecure private key usage in place.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates for a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem and is actively exploited in attacks. It allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. All devices with SNMP enabled are affected, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises upgrading to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. In the same release cycle Cisco patched 13 other vulnerabilities in IOS and IOS XE (14 in total), including eight rated high severity; proof-of-concept exploit code exists for two of them, but exploitation has not been confirmed. Three additional medium-severity bugs affect Cisco's SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Cybersecurity researchers have disclosed a campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices and also used a modified Telnet vulnerability (based on CVE-2017-3881) to obtain arbitrary memory access. The rootkits gave the attackers remote code execution and persistent access: they set a universal password (one containing the word "disco") by modifying IOSd memory and installed several hooks into the Cisco IOS daemon (IOSd). The victims were older Linux systems without endpoint detection and response (EDR), and the attackers used spoofed IP and MAC addresses. The fileless components disappear after a reboot yet still enable lateral movement; newer switch models gain some protection from Address Space Layout Randomization (ASLR). A UDP controller on infected switches, listening on any port for remote commands, let the operators toggle or delete device logs, bypass authentication, bypass VTY ACLs, reset the last running-config write timestamp, and hide running-config items such as account names, EEM scripts, and ACLs. Against 32-bit builds the SNMP exploit split command payloads across packets; for 64-bit targets the attackers needed guest shell access at privilege level 15 to install the fileless backdoor and the UDP controller. Trend Research recovered multiple exploit variants for both platforms, and Cisco provided forensic support that helped confirm the affected models and assisted the investigation.
Critical deserialization flaw in DELMIA Apriso MOM actively exploited
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is actively exploited, with a CVSS score of 9.0. The flaw affects versions from Release 2020 through Release 2025 and allows for remote code execution (RCE). In addition to CVE-2025-5086, two more vulnerabilities (CVE-2025-6205 and CVE-2025-6204) in DELMIA Apriso have been identified and are actively exploited. CVE-2025-6205 is a critical-severity missing authorization flaw, and CVE-2025-6204 is a high-severity code injection vulnerability. Both were patched by Dassault Systèmes in early August 2025. The vulnerabilities can be chained together to create accounts with elevated privileges and place executable files into a web-served directory. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning and a file upload API used by portal components but that is accessible only post-authentication. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by November 18, 2025, to secure their networks. Additionally, a new vulnerability (CVE-2025-24893) in XWiki has been identified and is actively exploited. This flaw allows for arbitrary remote code execution through a request to the /bin/get/Main/SolrSearch endpoint and is being exploited in a two-stage attack chain that delivers a cryptocurrency miner. The vulnerability was reported by John Kwak of Trend Micro in May 2024 and was addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. Technical details on the bug emerged roughly half a year later, and an NVD advisory was published in February 2025. 
Numerous proof-of-concept (PoC) exploits targeting the vulnerability have been available since early 2025. CrowdSec observed the vulnerability being abused for reconnaissance earlier this year but noted a decline in activity. VulnCheck identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner. The attacks proceed in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader, and the second pass executes it. The observed traffic originates from an IP address geolocated to Vietnam that has been associated with other malicious activity. The RondoDox botnet has been observed targeting unpatched XWiki instances to exploit CVE-2025-24893. VulnCheck observed a spike in exploitation attempts, with peaks on November 7 and November 11, 2025. RondoDox is adding new exploitation vectors to rope susceptible devices into a botnet for conducting DDoS attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025. Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, establish a reverse shell, and conduct general probing activity using a Nuclei template for CVE-2025-24893.
N-able N-central vulnerabilities exploited in the wild
Over 800 N-able N-central servers remain unpatched against two critical security flaws, CVE-2025-8875 and CVE-2025-8876, which have been actively exploited in the wild. These vulnerabilities allow for command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able has urged customers to enable multi-factor authentication (MFA) for admin accounts to mitigate potential risks. The exploitation of these vulnerabilities highlights the importance of timely patching and robust security measures in managing remote monitoring and management (RMM) systems. The active exploitation in the wild underscores the need for vigilance and proactive security practices among cybersecurity professionals. CISA has added the flaws to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within one week.