CyberBakery Chronicles

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (7 Mar 2025)

On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products actively exploited in the wild. VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform products are affected, allowing remote code execution (RCE) and privilege escalation. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were discovered following targeted threat actor activity. CISA has since added the bugs to its Known Exploited Vulnerabilities Catalog. Attackers can exploit these flaws to gain unauthorised access to systems, execute arbitrary code remotely, and escalate privileges, posing a significant risk to environments relying on these VMware solutions.

Two of these vulnerabilities are classified as Critical and pose significant risks to VMware users, while one, CVE-2025-22226, is marked as Important but still requires immediate attention due to its potential for data leakage.

Vulnerability Details:

1. CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that leads to an out-of-bounds write. An attacker with local administrative privileges on a virtual machine could exploit this to execute code as the VMX process running on the host. This vulnerability has a CVSSv3 base score of 9.3, categorising it as critical.

2. CVE-2025-22225: This is an arbitrary write vulnerability in VMware ESXi. An attacker with privileges within the VMX process could trigger an arbitrary kernel write, leading to a sandbox escape. This vulnerability has a CVSSv3 base score of 8.2, which is considered high severity.

3. CVE-2025-22226: This is an information disclosure vulnerability due to an out-of-bounds read in the Host Guest File System (HGFS) affecting VMware ESXi, Workstation, and Fusion. An attacker with administrative privileges on a virtual machine could exploit this to leak memory from the VMX process. This vulnerability has a CVSSv3 base score of 7.1, which is also considered high severity.

Affected Products and Versions:

  • VMware ESXi: Versions 7.0 and 8.0

  • VMware Workstation: Version 17.x

  • VMware Fusion: Version 13.x

  • VMware Cloud Foundation: Versions 4.x and 5.x

  • VMware Telco Cloud Platform: Versions 2.x through 5.x

Exploitation and Impact:

These vulnerabilities have been observed being exploited in the wild. CVE-2025-22224 has been exploited to achieve hypervisor escapes, allowing attackers to execute code on the host machine from within a virtual machine. Such exploitation can lead to unauthorised access, data breaches, and potential disruption of services. 

Mitigation and Recommendations:

Broadcom has released patches to address these vulnerabilities. Users and administrators are strongly advised to apply the following updates:

Product and mitigation recommendation:

VMware ESXi

  • Version 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300

  • Version 7.0: Update to ESXi70U3s-24585291

VMware Workstation

  • Version 17.x: Update to 17.6.3

VMware Fusion

  • Version 13.x: Update to 13.6.3

VMware Cloud Foundation

  • Version 5.x: Apply asynchronous patch to ESXi80U3d-24585383

  • Version 4.x: Apply asynchronous patch to ESXi70U3s-24585291

VMware Telco Cloud Platform

  • Versions 2.x through 5.x: Update to the fixed ESXi versions listed above

Given the active exploitation of these vulnerabilities, applying these patches promptly to mitigate potential risks is imperative. 
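As an added example (not part of the newsletter or of Broadcom's advisory), the following script compares each ESXi host's build number against the fixed builds listed above. It assumes the `Version`, `Build` and `Update` lines of `esxcli system version get` look like the constructed samples below, and that a host on an update line the advisory does not list (for example 7.0 U2) must move to a listed line rather than being treated as patched.

```python
import re

# Fixed builds from the Broadcom advisory summarised above, keyed by
# (major.minor, update line). Anything older on that line is unpatched.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
}

# Constructed `esxcli system version get` output, not captured from real hosts.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24000001\n   Update: 3\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24585383\n   Update: 3\n",
    "esx03": "   Product: VMware ESXi\n   Version: 8.0.2\n   Build: Releasebuild-24585300\n   Update: 2\n",
    "esx04": "   Product: VMware ESXi\n   Version: 7.0.2\n   Build: Releasebuild-23000001\n   Update: 2\n",
}


def parse_version_output(text):
    """Turn the 'Key: value' lines of esxcli output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess_host(text):
    """Return (status, detail); status is 'patched', 'vulnerable' or
    'no-fixed-build' when the host runs an update line the advisory
    does not list, which must be upgraded to a listed line."""
    f = parse_version_output(text)
    major_minor = ".".join(f["Version"].split(".")[:2])
    update = int(f.get("Update", "0"))
    build = int(re.search(r"\d+", f["Build"]).group())
    fixed = FIXED_BUILDS.get((major_minor, update))
    if fixed is None:
        return "no-fixed-build", f"ESXi {major_minor} U{update} build {build}: upgrade to a listed update line"
    if build >= fixed:
        return "patched", f"build {build} >= {fixed}"
    return "vulnerable", f"build {build} < fixed build {fixed}"


def assess_fleet(hosts):
    """Map host name -> status so unpatched hosts can be listed first."""
    return {name: assess_host(out)[0] for name, out in hosts.items()}


if __name__ == "__main__":
    for name, status in sorted(assess_fleet(SAMPLE_HOSTS).items()):
        print(name, status, assess_host(SAMPLE_HOSTS[name])[1])
```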

For more detailed information and guidance, please refer to Broadcom’s official advisory: 

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, underscoring the urgency of addressing these issues. 

Organizations utilising VMware products should assess their environments for exposure to these vulnerabilities and prioritise the implementation of the recommended patches to safeguard their systems.

Based on evidence of active exploitation in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog:

  • CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability

  • CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

  • CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

  • CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability

  • CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability

Two critical vulnerabilities affecting Cisco Small Business RV Series Routers and Microsoft Windows have been highlighted.

1. CVE-2023-20118: Cisco Small Business RV Series Routers Command Injection Vulnerability

This vulnerability affects multiple Cisco Small Business RV Series Routers models, including RV016, RV042, RV042G, RV082, RV320, and RV325. The flaw arises from improper user input validation within the web-based management interface, allowing an authenticated, remote attacker to execute arbitrary commands on the affected device. Successful exploitation could grant the attacker root-level privileges, leading to unauthorised access to sensitive data and potential complete control over the device. Cisco has acknowledged this vulnerability but has not released patches for the affected routers, exposing them to possible attacks. 

2. CVE-2018-8639: Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability

This elevation of privilege vulnerability exists in the Microsoft Windows Win32k component due to improper handling of objects in memory. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode, allowing them to install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability affects multiple versions of Windows, including Windows 7, Windows 10, and Windows Server editions. Despite being identified in 2018, it still poses a risk, particularly to systems without the necessary security updates.

Recommendations:

For Cisco Routers: Administrators should assess the exposure of affected router models and consider replacing them with supported devices. Additionally, implementing network segmentation can help mitigate potential exploitation.

For Microsoft Windows: Ensure all systems are updated with the latest security patches provided by Microsoft. Regularly review and apply security updates to mitigate known vulnerabilities.

The U.S. Department of Justice has indicted 12 Chinese nationals, including two officers from the Ministry of Public Security (MPS) and Anxun Information Technology Co. Ltd. (i-Soon) employees, for their involvement in global cyber intrusion campaigns. 

Key Details:

  • Defendants: The indictment names two MPS officers and eight employees of i-Soon, including its CEO, Wu Haibo. 

  • Victims: Targets included U.S. federal and state agencies, foreign ministries in Asia, U.S.-based dissidents, and a prominent religious organization in the United States.

  • Operations: The defendants allegedly conducted intrusions under the direction of the MPS and China’s Ministry of State Security (MSS) and on their own initiative, selling stolen data to various Chinese government agencies. 

Government Actions:

  • Domain Seizure: The DOJ has seized the domain used by i-Soon to advertise its hacker-for-hire services. 

  • Rewards: The U.S. State Department is offering a reward of up to $10 million for information leading to the identification or location of key defendants, including i-Soon’s CEO Wu Haibo. 

These charges underscore the ongoing efforts by Chinese state-sponsored actors to infiltrate and exploit critical infrastructure and sensitive information globally. The U.S. government’s response highlights the seriousness with which it views these cyber threats and its commitment to holding perpetrators accountable.

The Polish Space Agency (POLSA) experienced a cybersecurity incident over the weekend, which caused its systems to be disconnected from the Internet to contain the breach. 

Incident Details:

  • Detection and Response: Polish cybersecurity services detected unauthorised access to POLSA’s IT infrastructure. In response, affected systems were secured, and the agency’s network was disconnected from the internet to protect data. 

  • Ongoing Investigation: An investigation is underway to assess the breach's impact and identify the perpetrators. POLSA is collaborating with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military Computer Security Incident Response Team (CSIRT MON) to restore services. 

  • Communication Disruptions: Internal sources indicate that POLSA’s email systems were compromised during the attack, prompting staff to use alternative communication methods, such as phones, until secure channels are reestablished. 

Poland has been a frequent target of cyberattacks, often attributed to its support for Ukraine. While the specific actors behind the POLSA breach have not been identified, the incident raises concerns about critical infrastructure security and state-sponsored groups' potential motives. 

As the investigation continues, POLSA and relevant authorities are working diligently to restore normal operations and enhance the agency’s cybersecurity posture to prevent future incidents.

JavaGhost, a threat actor active since 2019, has evolved from defacing websites to conducting sophisticated phishing campaigns targeting Amazon Web Services (AWS) environments. By exploiting misconfigured AWS accounts, they gain unauthorised access and utilise native AWS services to distribute phishing emails, bypassing traditional email security measures. 

Attack Methodology:

  1. Initial Access: JavaGhost identifies and exploits exposed AWS Identity and Access Management (IAM) access keys, often due to misconfigurations or inadvertent exposures, allowing them to access AWS environments via the command-line interface (CLI). 

  2. Evasion Techniques: To avoid detection, they steer clear of standard API calls such as GetCallerIdentity, which are typically monitored. Instead, they utilise alternative calls such as GetServiceQuota, GetSendQuota, and GetAccount to gather the information they need without raising alarms.

  3. Establishing Phishing Infrastructure: Once inside, JavaGhost sets up phishing operations by:

    • Creating multiple Amazon Simple Email Service (SES) email identities and configuring DomainKeys Identified Mail (DKIM) settings to ensure email authenticity.

    • Setting up AWS WorkMail organisations and adding users, enabling them to send phishing emails that appear legitimate. 

  4. Persistence Mechanisms: They create new IAM users with administrative privileges, some of which remain unused, potentially serving as backdoors for future access. Additionally, they leave identifiable markers, such as EC2 security groups named “Java_Ghost” with the description “We Are There But Not Visible,” reflecting their historical slogan. 

Implications:

By leveraging legitimate AWS services within compromised environments, JavaGhost’s phishing emails originate from trusted sources, making them more convincing and challenging to detect. This strategy not only reduces their operational costs but also increases the likelihood of successful phishing attempts. 

Recommendations for Organisations:

  • Secure Access Keys: Regularly rotate and securely store AWS access keys to prevent unauthorised use.

  • Implement Multi-Factor Authentication (MFA): Enforce MFA for all IAM users to add an extra layer of security.

  • Principle of Least Privilege: Assign IAM permissions based on the minimum required access to perform job functions.

  • Monitor AWS Logs: Regularly review AWS CloudTrail logs for unusual activities, such as unexpected IAM user creations or modifications.

By proactively addressing these areas, organisations can mitigate the risks posed by threat actors like JavaGhost and enhance the overall security of their AWS environments. 
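As an added example (not part of the newsletter or of the JavaGhost research it summarises), the following script runs the CloudTrail review recommended above against a handful of constructed records and groups findings per calling principal. The event shapes and field names (`eventSource`, `eventName`, `requestParameters`, `userIdentity.arn`) follow CloudTrail's record format, but the records themselves and the principal ARN are invented for illustration.

```python
# Constructed CloudTrail records, not real logs, shaped like the JavaGhost
# activity described above: one exposed key does quiet recon, adds an admin
# user, then builds SES/WorkMail phishing infrastructure.
KEY = {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}
SAMPLE_EVENTS = [
    {"eventSource": "servicequotas.amazonaws.com", "eventName": "GetServiceQuota", "userIdentity": KEY},
    {"eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "userIdentity": KEY},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": KEY,
     "requestParameters": {"userName": "backup-svc"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": KEY,
     "requestParameters": {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "CreateEmailIdentity", "userIdentity": KEY,
     "requestParameters": {"emailIdentity": "mail.example.com"}},
    {"eventSource": "workmail.amazonaws.com", "eventName": "CreateOrganization", "userIdentity": KEY},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup", "userIdentity": KEY,
     "requestParameters": {"groupName": "Java_Ghost", "groupDescription": "We Are There But Not Visible"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": KEY},  # benign
]

RECON_CALLS = {"GetServiceQuota", "GetSendQuota", "GetAccount"}  # used in place of GetCallerIdentity
PHISHING_INFRA = {("ses.amazonaws.com", "CreateEmailIdentity"),
                  ("workmail.amazonaws.com", "CreateOrganization"), ("workmail.amazonaws.com", "CreateUser")}


def classify(event):
    """Return a finding label for one record, or None when no rule matches."""
    src, name = event["eventSource"], event["eventName"]
    params = event.get("requestParameters") or {}
    if name in RECON_CALLS:
        return "recon-low-noise"
    if src == "iam.amazonaws.com" and name == "CreateUser":
        return "persistence-new-iam-user"
    if src == "iam.amazonaws.com" and name == "AttachUserPolicy" \
            and params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "persistence-admin-policy"
    if (src, name) in PHISHING_INFRA:
        return "phishing-infrastructure"
    if src == "ec2.amazonaws.com" and name == "CreateSecurityGroup" and (
            params.get("groupName") == "Java_Ghost"
            or "We Are There But Not Visible" in params.get("groupDescription", "")):
        return "javaghost-marker"
    return None


def scan(events):
    """Group findings per calling principal: one key that runs quiet recon, then
    creates an admin user and SES identities, is the sequence to escalate."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            arn = ev.get("userIdentity", {}).get("arn", "unknown")
            findings.setdefault(arn, []).append(label)
    return findings
```

Individual recon calls are noisy on their own; the per-principal grouping in `scan` is what separates a single compromised key from routine automation.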

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
