In this week's Security Advisory:
Veeam has now patched a critical vulnerability affecting its Backup & Replication product. The vulnerability, CVE-2025-23120 (CVSS 9.9/10), could allow for remote code execution by authenticated domain users.
CrushFTP released an update to address a newly discovered critical vulnerability. This vulnerability can allow an unauthenticated attacker to gain access to unpatched servers that are reachable over HTTPS. CrushFTP indicates that the vulnerability is mitigated when the DMZ feature of the service is activated. Currently, there are no reports of this being exploited in the wild; however, it is still recommended to patch as soon as possible.
Patches are now available to address five new vulnerabilities discovered in the Ingress NGINX Controller for Kubernetes. These vulnerabilities can be chained together to achieve unauthenticated remote code execution and directory traversal. The vulnerabilities are CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, the highest of which is rated CVSS 9.8/10.
VMware released a patch for an authentication bypass vulnerability in VMware Tools for Windows. The vulnerability is being tracked as CVE-2025-22230 (CVSS 7.8/10). VMware Tools for Windows is a suite of utilities and drivers that enhances the performance and management of virtual machines. The Linux and macOS versions of the utilities are not affected.
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch will be issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which helps inform and strengthen your patch and vulnerability management program.