Vulnerabilities of Western logistics. On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed. The advisory blames Fancy Bear group, allegedly linked to Russian state […]

**Vulnerabilities of Western logistics.** On May 21, Western intelligence agencies released joint advisory AA25-141A about attacks targeting infrastructure of Western logistics and tech companies. Alongside the usual Five Eyes, intelligence services from Germany, Czech Republic, Poland, Denmark, Estonia, France, and the Netherlands also contributed.

The advisory blames Fancy Bear group, allegedly linked to Russian state structures. I strongly condemn these slanderous claims❗️

The document mentions the exploitation of vulnerabilities:

🔻 **Remote Code Execution** – WinRAR (CVE-2023-38831)  
🔻 **Elevation of Privilege** – Microsoft Outlook (CVE-2023-23397)  
🔻 **Remote Code Execution** – Roundcube (CVE-2020-12641)  
🔻 **Code Injection** – Roundcube (CVE-2021-44026)  
🔻 **Cross Site Scripting** – Roundcube (CVE-2020-35730)

Patches, exploits, and signs of in-the-wild exploitation have been available for years for these vulnerabilities. 🤦‍♂️🤷‍♂️

🗒 Vulristics Report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Vulnerabilities of Western logistics

Everest ransomware leaks Coca-Cola employee data: 1,104 files exposed, including HR, admin roles, IDs, personal details, and internal records.

On May 22, Hackread.com **reported** that Everest claimed responsibility for stealing data on 959 Coca-Cola employees, specifically across the Middle East, including the UAE, Oman, and Bahrain. Separately, another hacker group claimed to have stolen 23 million records from Coca-Cola Europacific Partners (CCEP).

Hackread.com can now confirm that the Everest ransomware group has leaked sensitive employee data stolen from the Coca-Cola Company. The data has been leaked on the Everest ransomware group’s dark web leak site as well as on the notorious Russian-language cybercrime forum XSS.

Screenshot credit: Hackread.com

The group has posted a 502 MB data dump, exposing Coca-Cola’s Middle East-specific internal and employee records. The leaked folder contains 1,104 files with information that includes:

*   Full names of employees
*   Business and home addresses
*   Family and marriage certificates
*   Copies of visas, passports, residency permits
*   Phone numbers, banking details, salary records
*   Employee personal and business email addresses

****What’s Inside the Leaked Files****

Among the exposed documents is an Excel file titled SuperAdmin_User_Account_Cocacola, detailing Coca-Cola’s internal administrative account structure and assigned roles. While it does not include passwords or direct login credentials, it outlines which accounts hold critical permissions, including system administrators, HR roles, and integration accounts. This makes it a useful map for threat actors, such as the recently **FBI-warned** Silent Ransom Group and others, aiming to exploit the company’s system hierarchy.

Another file, Emp Hierarchy Upload, lists:

*   Organizational hierarchy levels
*   Job titles and departmental details
*   Country-based manager structures
*   Employee usernames and full names
*   Reporting lines, showing who reports to whom

A third file, HRBP Upload, contains data on Coca-Cola’s HR Business Partner (HRBP) assignments, including:

*   Departmental functions
*   Employee IDs and full names
*   Assigned HRBP names and linked user IDs
*   Relationship start and end dates (with many set as open-ended)

Screenshot from the leaked data (Image credit: Hackread.com)

****Sensitivity of The Leaked Data****

While not all files contain direct access credentials, the combination of sensitive personal data, administrative structures, and internal HR mapping increases the cybersecurity risk profile for Coca-Cola. Such details can aid cybercriminals in several ways including:

*   **Spear-phishing attacks**, targeting specific individuals with crafted emails or messages
*   **Social engineering schemes**, using knowledge of internal relationships to impersonate executives, managers, or HR personnel
*   **Phone-based scams**, where attackers call employees pretending to be HR or IT staff, asking them to share system credentials
*   **Credential harvesting**, by directing employees to phishing websites disguised as official HR or IT portals
*   **Malware delivery**, where attackers pose as HR managers or support teams and trick employees into **installing malware** under the guise of a “remote access tool” or “required update”
*   **Mapping internal systems and roles**, helping attackers plan more precise future breaches, escalate privileges, or exploit admin-level access.

Additionally, the exposure of passports, visas, and banking details presents direct personal risks to affected employees, opening the door to identity theft, financial fraud, or cross-border privacy concerns.

It remains unclear whether there were any negotiations or communications between the Everest ransomware group and Coca-Cola regarding a ransom payment. So far, no details have emerged publicly about whether Coca-Cola engaged in talks, refused to pay, or is still assessing the situation internally. As with many ransomware cases, companies often withhold such information while investigations are ongoing or while working with law enforcement.

****Persistent Threat****

The Everest ransomware group has a history of leaking sensitive corporate data when ransom demands go unmet. While Coca-Cola has not yet issued a public statement regarding this leak, the scale and depth of the exposed data highlight the **growing danger posed by ransomware actors**, not just to company systems, but to the personal lives and security of employees.

Hackread.com will continue monitoring this developing story.

Everest Ransomware Leaks Coca-Cola Employee Data Online

SilverRAT Source Code leaked on GitHub, exposing powerful malware tools for remote access, password theft, and crypto attacks before removal.

The full source code of SilverRAT, a notorious remote access trojan (RAT), has been leaked online briefly appearing on GitHub under the repository “SilverRAT-FULL-Source-Code” before being swiftly taken down.

A snapshot of the repository, captured by Hackread.com via the Wayback Machine, reveals the entire project, its features, build instructions, and even a flashy marketing-style dashboard screenshot.

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****What Is SilverRAT?****

SilverRAT is a remote access trojan developed in C#, first surfacing in late 2023. It was attributed to a group known as **Anonymous Arabic**, believed to operate out of Syria. This tool gives attackers control over infected Windows systems, offering a range of malicious capabilities.

Researchers who have analyzed SilverRAT say it has become popular in underground forums, where it’s offered as malware-as-a-service (MaaS). Its feature set includes:

*   Cryptocurrency wallet monitoring
*   Hidden applications and processes
*   Data exfiltration through Discord webhooks
*   Exploit builders for Word, Excel, VBScript, and JavaScript files
*   Antivirus bypass and binder functions to bundle multiple payloads
*   Hidden RDP and VNC sessions (allowing attackers to take over a system invisibly)
*   Password stealing from browsers, apps, games, bank cards, Wi-Fi, and system credentials

The malware’s design and use of Arabic-language components suggest its roots lie in the Middle East, though it’s been observed in campaigns targeting victims globally. The developer behind SilverRAT has been identified as noradlb1, publicly known as MonsterMC.

****Details of the Source Code Leak****

The leaked GitHub repository, posted by a user named Jantonzz, claimed to share the “latest version” of SilverRAT. The project included Visual Studio solution files, build instructions, and code modules that could be easily compiled by anyone with basic .NET knowledge.

The repository description boasted that the RAT is “provided for learning and experimentation purposes only,” though the long list of weaponized features leaves little doubt about its real-world criminal applications. It even promised a “Private Stub,” a customized, fully undetectable (FUD) version that would supposedly be delivered by email within two days.

Within hours, GitHub took down the repository, likely in response to reports or automatic detection of malware content. However, the brief window of public access was enough for the snapshot to be archived and circulated in security research circles.

As of now, the repository has been removed from GitHub, but the archived snapshot (attached below) shows its full content, including the dashboard image, build files, and README instructions:

Screenshot from the now deleted GitHub post (Image credit: Hackread.com)

****Legitimacy and Consequences****

While leaked malware source code often comes with a disclaimer of being “for educational purposes,” the reality is that these leaks can boost cybercrime. With SilverRAT now available to the public, even low-level cybercriminals without programming skills can compile their own copies, modify the malware, or create new variants.

Given that the original developer is believed to have connections to Arabic-speaking cybercrime groups, this leak could expand the malware’s reach to new regions and actors.

****Apparently Not the First Time****

While researching SilverRAT, we found that its source code has also been sold on the notorious Russian cybercrime forum XSS. In a February 2025 post, a seller was offering the full source code for just $100.

SilverRAT Source Code Leaked Online: Here’s What You Need to Know

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the…

A critical XSS vulnerability, CVE-2024-27443, in Zimbra Collaboration Suite’s CalendarInvite feature is actively being exploited, potentially by the Sednit hacking group. Learn how this flaw allows attackers to compromise user sessions and why immediate patching is crucial.

A new security weakness has been discovered in the Zimbra Collaboration Suite (ZCS), a popular email and collaboration platform. This issue, classified as CVE-2024-27443, is a type of cross-site scripting (XSS) flaw that could allow attackers to steal information or take control of user accounts.

****How the Flaw Works****

The problem lies specifically within the CalendarInvite feature of Zimbra’s Classic Web Client interface. It happens because the system doesn’t properly check incoming information in the Calendar header of emails.

This oversight creates an opening for a stored XSS attack. This means an attacker can embed harmful code into a specially designed email. When a user opens this email using the classic Zimbra interface, the malicious code runs automatically within their web browser, giving the attacker access to their session. The severity of this vulnerability is rated as medium, with a CVSS score of 6.1. It affects ZCS versions 9.0 (patches 1-38) and 10.0 (up to 10.0.6).

****Widespread Exposure and Active Exploitation****

According to Censys, a cybersecurity insights firm, as of Thursday, May 22, 2025, when the original report was published, a significant number of Zimbra Collaboration Suite instances were exposed online that could be vulnerable.

Censys observed a total of 129,131 potentially vulnerable ZCS instances globally, with most found in North America, Europe, and Asia. A large majority of these are hosted within cloud services. Additionally, 33,614 on-premises Zimbra hosts were identified, often linked to shared infrastructure.

The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on May 19, 2025, confirming it is actively being used by attackers.

****Possible Perpetrator?****

Security researchers from ESET have suggested that a well-known hacking group, Sednit (PDF) (AKA APT28 or Fancy Bear), might be involved in exploiting it. ESET’s researchers suspect that the Sednit group could be exploiting this flaw as part of a larger scheme called Operation RoundPress, which aims to steal login details and maintain access to webmail platforms. While there is currently no public proof-of-concept (PoC) exploit, the active exploitation highlights the urgency for users to take action.

****Patching and Mitigation****

The good news is that patches are available for this vulnerability. Zimbra has addressed the issue in ZCS version 10.0.7 and 9.0.0 Patch 39. Users are strongly advised to update their Zimbra Collaboration Suite to these patched versions immediately to protect against potential attacks.

Zimbra CVE-2024-27443 XSS Flaw Hits 129K Servers, Sednit Suspected

May Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild: 🔻 RCE – PHP CSS Parser (CVE-2020-13756). In AttackerKB, an exploit exists.🔻 DoS – Apache ActiveMQ (CVE-2025-27533). In AttackerKB, an exploit exists.🔻 SFB – Chromium (CVE-2025-4664). In CISA KEV.🔻 PathTrav – […]

**May** Linux Patch Wednesday. This time: 1091 vulnerabilities. Of those, 716 are in the Linux Kernel. 🤯 5 vulnerabilities are exploited in the wild:

🔻 **RCE** – PHP CSS Parser (CVE-2020-13756). In AttackerKB, an exploit exists.  
**🔻 DoS** – Apache ActiveMQ (CVE-2025-27533). In AttackerKB, an exploit exists.  
🔻 **SFB** – Chromium (CVE-2025-4664). In CISA KEV.  
🔻 **PathTrav** – buildkit (CVE-2024-23652) and **MemCor** – buildkit (CVE-2024-23651). In BDU FSTEC.

For 52 (❗️) more, there are signs of existing public exploits. Two trending vulnerabilities I’ve mentioned before::

🔸 **RCE** – Kubernetes “IngressNightmare” (CVE-2025-1974 and 4 others)  
🔸 **RCE** – Erlang/OTP (CVE-2025-32433)

Exploits for these are also notable:

🔸 **EoP** – Linux Kernel (CVE-2023-53033)  
🔸 **XSS** – Horde IMP (CVE-2025-30349)  
🔸 **PathTrav** – tar-fs (CVE-2024-12905)  
🔸 **SFB** – kitty (CVE-2025-43929)  
🔸 **DoS** – libxml2 (CVE-2025-32414)

🗒 Full Vulristics report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-m4hf-fxcg-cp34: DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.

GHSA-79m3-rvx2-3qq9: Reflected Cross-Site Scripting (XSS) in module actions in edit mode

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.

The default Content-Security-Policy (CSP) in Grafana will block the XSS though the `connect-src` directive.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-4123

**Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin**

High severity GitHub Reviewed Published May 22, 2025 to the GitHub Advisory Database • Updated May 22, 2025

**Package**

gomod github.com/grafana/grafana (Go)

**Affected versions**

< 0.0.0-20250521183405-c7a690348df7

**Patched versions**

0.0.0-20250521183405-c7a690348df7

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.

The default Content-Security-Policy (CSP) in Grafana will block the XSS though the connect-src directive.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2025-4123
*   https://grafana.com/security/security-advisories/cve-2025-4123
*   grafana/grafana@c7a6903

Published to the GitHub Advisory Database

May 22, 2025

Last updated

May 22, 2025

GHSA-q53q-gxq9-mgrj: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin

The ns_backup extension through 13.0.0 for TYPO3 allows XSS.

GHSA-xg53-mhh9-3cq7: The Backup Plus extension for TYPO3 (ns_backup) allows XSS

Cross-site scripting (XSS) vulnerability in the [clickstorm] SEO (cs_seo) TYPO3 extension allows backend users to execute arbitrary script via the JSON-LD output.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Tag

#xss