Weekly Security Alert – June 23, 2025

Quick Answers

Q: What is the Grafana Ghost vulnerability (CVE-2025-4123)?
A: CVE-2025-4123 is a critical flaw in Grafana that enables account takeovers via malicious links; over 46,000 instances remain exposed as of June 2025.

Q: What vulnerabilities should IT teams patch immediately?
A: Critical flaws in Next.js, Kubernetes, Windows CLFS, SAP NetWeaver, and Erlang/OTP should be patched now to prevent high-impact exploits.

Q: Why is ipify[.]org flagged in threat hunts?
A: Threat actors may abuse ipify[.]org to identify infected systems’ public IP addresses, even though it’s commonly used for legitimate purposes.

The Threat Hunting Team at PDI utilizes trends and actionable intelligence to determine which hunts to prioritize. Here are the most significant hunts from the past week, along with the necessary log dependencies and a brief summary of each:

Threat Hunt: Potentially Malicious ipify[.]org API Calls
Date: 6/12/2025
Log Dependencies: EDR Solutions (SentinelOne, Crowdstrike)
Summary: Malware has been observed executing enumeration commands to gather information about infected machines. One such command may involve using the ipify API to determine the machine’s public IP address. Due to the high volume of legitimate usage, PDI’s threat hunters will continue to periodically monitor these API calls for signs of malicious activity.

Below are the top five trending vulnerabilities of the week. Trends are determined by criticality, activity, mentions, and exploitability. If your organization uses any of these technologies, you should prioritize patching against these threats.

• CVE-2025-29927 – Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
• CVE-2025-1974 – A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
• CVE-2025-29824 – Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
• CVE-2025-31324 – SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
• CVE-2025-32433 – Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

PDI’s Threat Intelligence Team is constantly analyzing data from dark web marketplaces to keep a pulse on InfoStealer malware trends. The team identifies and studies these covert threats to arm our clients and guide our threat hunting operations. Our analysis of these cybercriminal exchanges aids in predicting and countering these InfoStealer threats, safeguarding our clients’ digital assets.

Ransomware Actors