WEEKLY TOP TEN: May 12, 2025, 16:00 GMT
- Three Critical Vulnerabilities in SonicWall’s SMA Appliances Discovered
SonicWall has issued an advisory for three critical vulnerabilities, CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, affecting Secure Mobile Access (SMA) appliances running versions older than 10.2.1.15-81sv. The flaws, found by Rapid7 researcher Ryan Emmons, can be chained to achieve remote code execution with administrative privileges on affected devices, including the SMA 200, 210, 400, 410, and 500v models. Notably, CVE-2025-32819 has been observed in active attacks: it allows a threat actor to delete the primary SQLite database, reset the admin password, and gain unauthorized access to the SMA web interface. Subsequent exploitation of CVE-2025-32820 and CVE-2025-32821 enables attackers to write to the /bin directory and execute arbitrary code with root privileges.
- Active Exploitation of OttoKit’s WordPress Plugin Allowing Unauthenticated Privilege Escalation
A critical unauthenticated privilege escalation vulnerability (CVE-2025-27007) in the OttoKit WordPress plugin was discovered by researcher Denver Jackson and reported to Patchstack. The flaw resides in the ‘create_wp_connection’ function and allows attackers to bypass authentication checks when no application passwords have been set. On April 21, 2025, Patchstack released a patch in OttoKit version 1.0.83, and most users were force-updated by April 24. However, exploitation began approximately 90 minutes after public disclosure on May 5, 2025, with attackers targeting REST API endpoints to create rogue administrator accounts on vulnerable sites.
- New ‘Bring Your Own Installer’ Attack Bypasses SentinelOne EDR Anti-Tamper Feature
Researchers from Aon’s Stroz Friedberg incident response team have identified a novel attack method termed “Bring Your Own Installer” (BYOI), which targets misconfigured deployments of SentinelOne’s Endpoint Detection and Response (EDR) solution. The technique lets attackers bypass the platform’s anti-tamper protections by abusing a flaw in the agent’s upgrade and downgrade processes. In one reported incident, an attacker obtained local administrator access to a publicly reachable server, used the downgrade path to disable SentinelOne’s protections without needing the usual anti-tamper removal code, and ultimately deployed a variant of Babuk ransomware. SentinelOne has acknowledged the vulnerability and released an advisory urging customers to enable the newly introduced configuration option designed to mitigate this risk.
- Critical Code Execution Flaw Patched in Langflow
The critical vulnerability CVE-2025-3248 has been identified in Langflow, an open-source Python-based web application. The flaw stems from a missing authentication check on the “/api/v1/validate/code” endpoint, allowing arbitrary code execution in versions 1.3.0 and older. Users are strongly advised to update to the latest version and to avoid exposing Langflow instances to the internet to mitigate potential exploitation.
- Play Ransomware Group Seen Using Windows Zero-Day
The Play ransomware group, also known as Balloonfly, has been identified as exploiting a Windows zero-day privilege escalation vulnerability (CVE-2025-29824) prior to Microsoft’s patch release in April 2025. Microsoft had previously attributed exploitation of this same vulnerability to another group, Storm-2460. Symantec has since reported that Balloonfly used the flaw against a U.S.-based organization, deploying a custom infostealer named Grixba along with other malicious tools disguised as legitimate software.
- Chinese Threat Group Exploiting RCE Flaw in SAP NetWeaver
A China-linked threat group tracked as Chaya_004 is actively exploiting a critical vulnerability (CVE-2025-31324) in SAP NetWeaver’s Visual Composer that allows unauthenticated attackers to upload malicious files via the “/developmentserver/metadatauploader” endpoint. The flaw has been under active exploitation since at least March 2025, with targets in the energy, manufacturing, and government sectors. The attackers have deployed a Golang-based reverse shell named SuperShell and have used various tools, including Cobalt Strike and SoftEther VPN. Despite SAP releasing an emergency patch on April 24, 2025, exploitation continues, with multiple threat actors leveraging previously planted web shells to compromise systems.
- CISA Warns Threat Actors Are Targeting Energy and Transportation Systems Sectors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, EPA, and Department of Energy, has issued a warning about “unsophisticated” cyber actors targeting industrial control systems (ICS) and operational technology (OT) in the nation’s energy and transportation sectors. Despite employing basic intrusion techniques, these threat actors can cause significant disruption, including defacement, configuration changes, operational interruptions, and even physical damage, particularly where organizations have poor cyber hygiene and exposed assets. CISA emphasizes reducing the attack surface by removing publicly accessible ICS/SCADA systems and implementing robust security measures to mitigate potential breaches.
- Google Patches Zero-Click RCE Flaw on Android
Google has released its May 2025 Android security updates, addressing 45 vulnerabilities, including an actively exploited zero-click flaw in FreeType, a widely used font rendering library, tracked as CVE-2025-27363. Discovered by Facebook security researchers in March 2025, this high-severity arbitrary code execution vulnerability affects FreeType versions up to 2.13.0. The flaw arises from an out-of-bounds write during the parsing of malicious TrueType GX or variable fonts, potentially allowing attackers to execute arbitrary code without user interaction. While specifics of the exploitation remain undisclosed, both Facebook and Google have acknowledged indications of limited, targeted attacks.
- Wiper Malware Hidden in Go Modules Targets Linux Servers
A recent supply-chain attack targeted Linux servers by embedding disk-wiping malware within malicious Go modules hosted on GitHub. The campaign, uncovered in April 2025 by security firm Socket, involved three modules, ‘prototransform,’ ‘go-mcp,’ and ‘tlsproxy,’ which contained obfuscated code designed to download and execute a destructive Bash script named done.sh. The script verifies that it is running on Linux before using the ‘dd’ command to overwrite the primary storage volume with zeros, effectively erasing all data and rendering the system unbootable. The malicious modules have since been removed from GitHub, but the incident is an urgent reminder for developers and organizations to scrutinize third-party dependencies and implement robust supply-chain security measures.
- Wormable AirPlay Flaws Allow Zero-Click RCE
Israeli cybersecurity firm Oligo has disclosed a series of critical vulnerabilities in Apple’s AirPlay protocol, collectively dubbed “AirBorne,” which pose significant security risks to Apple and third-party devices supporting AirPlay. Notably, vulnerabilities such as CVE-2025-24252 and CVE-2025-24132 can be chained into a wormable zero-click remote code execution (RCE) exploit, allowing attackers to compromise devices over public Wi-Fi networks without user interaction. The vulnerabilities affect various Apple platforms, including iOS, macOS, tvOS, and visionOS, as well as third-party devices that use the AirPlay SDK. Apple has addressed the issues in recent updates, and users are strongly advised to update their devices to the latest software versions to mitigate potential threats.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ we tracked this week as the most significant, ranked by risk and drawing on multiple sources where available.