At a glance.
- Critical Roundcube flaw has an exploit.
- Iranian threat actor targets Iraqi and Kurdish officials.
- FBI issues advisory on the BADBOX 2.0 botnet.
Critical Roundcube flaw has an exploit.
A threat actor is selling a working exploit for CVE-2025-49113, a critical flaw in Roundcube Webmail that was patched on June 1st, BleepingComputer reports. The vulnerability, which received a CVSS score of 9.9, involves deserialization of untrusted data and can allow an authenticated threat actor to achieve remote code execution.
FearsOff CEO Kirill Firsov, who discovered and reported the flaw, published technical details following reports of exploitation. Firsov notes that while an attacker needs login credentials in order to exploit the flaw, these can be obtained via cross-site request forgery (CSRF). The threat actor selling the exploit also claims that the credentials can be extracted from the logs.
Iranian threat actor targets Iraqi and Kurdish officials.
ESET has published a report on a cyberespionage campaign attributed to the Iranian threat actor "BladedFeline." The campaign is targeting Kurdish and Iraqi officials with several strains of custom malware. ESET writes, "We found two reverse tunnels, a variety of supplementary tools, and most notably, a backdoor that we named Whisper and a malicious IIS module we dubbed PrimeCache. Whisper is a backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor."
The researchers note that PrimeCache is similar to the RDAT backdoor used by OilRig, a threat actor associated with Iran's Ministry of Intelligence and Security. ESET believes BladedFeline is a subgroup of OilRig. The researchers expect the threat actor to continue targeting organizations within Iraq and the Kurdistan Regional Government (KRG): "The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country."
FBI issues advisory on the BADBOX 2.0 botnet.
The US Federal Bureau of Investigation (FBI) warns that millions of IoT devices have been infected with the BADBOX 2.0 botnet malware. The malware, which is often pre-installed on devices prior to purchase, primarily affects smart devices that were manufactured in China, including "TV streaming devices, digital projectors, aftermarket vehicle infotainment systems, digital picture frames, and other products." The malware can also infect devices after purchase via backdoors in required applications that are installed during the setup process.
The FBI advises users to be on the lookout for the following indicators of BADBOX 2.0 activity:
- "The presence of suspicious marketplaces where apps are downloaded.
- "Requiring Google Play protect settings to be disabled.
- "Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- "IoT devices advertised from unrecognizable brands.
- "Android devices that are not Play Protect certified.
- "Unexplained or suspicious Internet traffic."
