At a glance.
- Maximum severity vulnerability can lead to server bricking.
- Exploit code published for critical Apache Tomcat vulnerability.
- Veeam issues patch for critical flaw affecting Backup & Replication software.
- Stalkerware company sustains data breach.
- Pennsylvania education union discloses breach.
Maximum severity vulnerability can lead to server bricking.
A maximum severity vulnerability (CVE-2024-54085) in American Megatrends International's (AMI's) MegaRAC Baseboard Management Controller (BMC) software could allow attackers to hijack and brick vulnerable servers, BleepingComputer reports. MegaRAC BMC is a remote server management tool used by major server vendors, including HPE, Asus, and ASRock. Since these servers are used by many cloud service and data center providers, the vulnerability poses a significant risk to the cloud computing supply chain.
Eclypsium, which discovered the vulnerability, explains, "Vulnerabilities in a component supplier affect many hardware vendors, which can be passed on to many cloud services. As such, these vulnerabilities can pose a risk to servers and hardware that an organization owns directly and the hardware that supports the cloud services. Organizations with large server farms, data centers, cloud & hosting providers, hyper-scaler environments, and VDI environments are potentially impacted. Fortune 500 companies that host their own data centers are likely affected (due to the large number of top-tier OEM server vendors being impacted)."
Eclypsium adds, "AMI has released patches to its OEM computing manufacturers’ customers. Those vendors must incorporate the fixes into updates and publish notifications to their customers. Note that patching these vulnerabilities is a non-trivial exercise, requiring device downtime."
Exploit code published for critical Apache Tomcat vulnerability.
An exploit has been published for a critical remote code execution vulnerability (CVE-2025-24813) in Apache Tomcat that was patched last Monday, The Register reports. Researchers at Wallarm observed exploitation in the wild beginning last Wednesday, several days before the exploit was released. The researchers note that the attack is "dead simple to execute and requires no authentication."
The exploit, which was published by a user on a Chinese forum, allows attackers to take over vulnerable Tomcat servers with just one PUT API request.
Veeam issues patch for critical flaw affecting Backup & Replication software.
Data backup firm Veeam has issued a patch for a critical remote code execution flaw (CVE-2025-23120) affecting its Backup & Replication software, SecurityWeek reports. The vulnerability, which received a CVSS score of 9.9, can allow authenticated users to execute arbitrary code on domain-joined backup servers.
Researchers at watchTowr discovered the vulnerability, explaining that the flaw originates from Veeam's reliance on a blacklist-based approach to deserialization. The researchers state, "Once we figured out how to reach the deserialization sink based on the blacklist, this game becomes quite simple. Put simply - you only need to find a deserialization gadget which is not blacklisted and leads to some potentially malicious impact."
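The watchTowr observation above generalizes to any deserializer guarded by a deny-list: one gadget nobody listed is enough. The following added example (not Veeam's or watchTowr's code) uses Python's pickle as a stand-in for the .NET deserialization at issue, with constructed payloads and constructed module lists, to show why an allowlist of expected types is the defensive fix.

```python
import datetime
import io
import pickle
import subprocess

# Constructed sample payloads (not taken from the Veeam advisory):
# plain data, a reference to a deny-listed module, and a reference to a
# module that neither filter author anticipated.
PAYLOAD_PLAIN = pickle.dumps({"job": "nightly", "retries": 3})
PAYLOAD_LISTED = pickle.dumps(subprocess.Popen)               # deny-listed module
PAYLOAD_UNLISTED = pickle.dumps(datetime.date(2025, 3, 17))   # unlisted module


class DenyListUnpickler(pickle.Unpickler):
    """Blacklist approach: reject only modules already known to be dangerous."""
    DENIED_MODULES = {"os", "subprocess", "builtins"}   # constructed list

    def find_class(self, module, name):
        if module.split(".")[0] in self.DENIED_MODULES:
            raise pickle.UnpicklingError(f"denied global {module}.{name}")
        return super().find_class(module, name)


class AllowListUnpickler(pickle.Unpickler):
    """Allowlist approach: permit only the exact globals the data format needs."""
    ALLOWED = {("collections", "OrderedDict")}          # constructed list

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"unexpected global {module}.{name}")
        return super().find_class(module, name)


def load_with(unpickler_cls, payload):
    """Return 'loaded' if the filter let the payload through, 'blocked' otherwise."""
    try:
        unpickler_cls(io.BytesIO(payload)).load()
        return "loaded"
    except pickle.UnpicklingError:
        return "blocked"


def compare_filters():
    """Map each payload to (deny-list result, allowlist result)."""
    cases = [("plain", PAYLOAD_PLAIN), ("listed", PAYLOAD_LISTED),
             ("unlisted", PAYLOAD_UNLISTED)]
    return {label: (load_with(DenyListUnpickler, p), load_with(AllowListUnpickler, p))
            for label, p in cases}
```

The "unlisted" row is the point: the deny-list loads a type it never heard of, while the allowlist rejects everything the format does not explicitly need.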
Stalkerware company sustains data breach.
TechCrunch reports that consumer-grade spyware operation SpyX sustained a breach last year that affected almost 2 million people. Troy Hunt at Have I Been Pwned received a copy of the data, saying it exposed nearly 2 million email addresses in addition to "IP addresses, countries of residence, device information and 6-digit PINs in the password field." The dump also contained "a collection of iCloud credentials likely used to monitor targets directly via the cloud" along with the targets' plaintext Apple passwords.
Device monitoring software products like SpyX are ostensibly designed for parental control, but TechCrunch notes that these products are frequently abused.
Pennsylvania education union discloses breach.
Pennsylvania's largest public-sector union, the Pennsylvania State Education Association (PSEA), has disclosed a data breach affecting more than 500,000 people, BleepingComputer reports. The union said an attacker breached its network in July 2024 and stole names, dates of birth, driver's license numbers or state IDs, Social Security numbers, passwords, routing numbers, payment card numbers with PINs and expiration dates, and passport numbers. The breach also affected health insurance information and medical data.