Advisory ID: NCC-CSIRT-2025-009
Summary:
Researchers at the German cybersecurity firm ERNW disclosed three vulnerabilities affecting Airoha Bluetooth SoCs, chipsets commonly used in True Wireless Stereo (TWS) earbuds, headphones, speakers, and microphones from major vendors. The flaws could enable attackers to hijack devices within ~10 m Bluetooth range, access call history, contacts, audio streams, and even remotely activate microphones via the Hands-Free Profile (HFP).
Damage/Probability: MEDIUM/Critical
Product(s):
- Sony Microphone
- Bose QuietComfort/Noise Cancelling Earbuds
- JBL Live Earbuds
- Beyerdynamic Amiron Microphone
- Marshall ACTON/MAJOR/STANMORE Microphone
- Jabra Elite Microphone
Version(s):
- Sony (e.g., WH‑1000XM3/4/5)
- All versions of Bose QuietComfort/Noise Cancelling Earbuds,
- JBL Live Buds 3
- Beyerdynamic Amiron 300
- All versions of Marshall ACTON/MAJOR/STANMORE
- Jabra Elite 8 Active
Platform(s):
Bluetooth
Description:
The researchers identified three security vulnerabilities in Airoha Bluetooth System-on-Chip (SoC) firmware used in a wide range of Bluetooth audio devices. These flaws exist in both Bluetooth Classic and Bluetooth Low Energy (BLE) protocols and primarily affect devices implementing the Hands-Free Profile (HFP) and proprietary debug interfaces.
1. CVE-2025-20700 – Unauthenticated GATT Access over BLE
Airoha SoCs expose BLE GATT services without proper access control. An attacker in range (~10 meters) can perform unauthenticated reads and writes to GATT characteristics. This allows:
- Extraction of metadata (e.g., media status, battery level)
- Memory manipulation and limited device control
2. CVE-2025-20701 – Unauthorized Access via Bluetooth Classic
Bluetooth Classic implementations fail to enforce authentication before accepting control commands. An attacker can:
- Connect to the device without pairing
- Hijack control channels used for media playback and HFP
- Initiate silent calls and activate voice assistants
3. CVE-2025-20702 – Exploitable Debug Protocol
Airoha firmware includes an undocumented debug protocol accessible over Bluetooth. This allows attackers to:
- Dump RAM and Flash memory
- Extract Bluetooth link keys and other sensitive data
- Inject or alter memory contents
- Activate microphone and audio streams remotely
Exploitation conditions include:
- Proximity: All exploits require physical proximity (typically <10 m).
- No user interaction: Attacks can be carried out without pairing or user consent.
- Complexity: Exploitation requires specialized knowledge, but available tools and public documentation lower the barrier for advanced attackers.
Impacts:
The flaws let nearby attackers secretly turn Bluetooth audio devices into listening tools, steal call data, and access device memory, posing a serious privacy and surveillance risk.
Solutions:
- Check for firmware updates from device vendors regularly—many are only beginning to release patches following Airoha’s SDK update.
- Temporarily disable Bluetooth or set devices to undiscoverable, especially in sensitive environments.
- Avoid using vulnerable audio devices where confidentiality is critical (e.g., meetings, investigations).
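To act on the product list above, an administrator first needs to know which paired peripherals in the fleet are audio devices that expose the Hands-Free Profile. The following is an added example, not ERNW's research code or Airoha's firmware: it parses the text format printed by `bluetoothctl info`, decodes the Class of Device field, and flags Audio/Video devices advertising an HFP service UUID so they can be compared against the affected models. The captured output embedded below is constructed for the demo.

```python
"""Inventory check for Bluetooth audio peripherals exposing HFP (added example)."""
import re

# Class of Device (CoD) layout from the Bluetooth Assigned Numbers:
# bits 8-12 hold the major device class, bits 2-7 the minor device class.
MAJOR_AUDIO_VIDEO = 0x04
MINOR_AV = {1: "Wearable Headset", 2: "Hands-free", 4: "Microphone",
            5: "Loudspeaker", 6: "Headphones", 7: "Portable Audio"}

# 16-bit service UUIDs expanded with the Bluetooth base UUID.
HFP_UUIDS = {
    "0000111e-0000-1000-8000-00805f9b34fb",  # Handsfree (the headset role)
    "0000111f-0000-1000-8000-00805f9b34fb",  # Handsfree Audio Gateway
}

# Constructed sample in the format printed by `bluetoothctl info <addr>`.
SAMPLE = """\
Device AA:BB:CC:11:22:33 (public)
\tName: WH-1000XM4
\tClass: 0x00240404
\tPaired: yes
\tUUID: Headset                   (00001108-0000-1000-8000-00805f9b34fb)
\tUUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
\tUUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
Device DD:EE:FF:44:55:66 (public)
\tName: Wireless Keyboard
\tClass: 0x00000540
\tPaired: yes
\tUUID: Human Interface Device    (00001124-0000-1000-8000-00805f9b34fb)
"""


def decode_cod(cod: int):
    """Return (major, minor) device class numbers from a CoD value."""
    return (cod >> 8) & 0x1F, (cod >> 2) & 0x3F


def parse_bluetoothctl(text: str):
    """Turn `bluetoothctl info` output into a list of device dicts."""
    devices, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Device ([0-9A-F:]{17})", line)
        if m:
            cur = {"addr": m.group(1), "name": "", "cod": 0, "uuids": set()}
            devices.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("Name:"):
            cur["name"] = s[len("Name:"):].strip()
        elif s.startswith("Class:"):
            cur["cod"] = int(s.split(":", 1)[1].strip(), 16)
        elif s.startswith("UUID:"):
            u = re.search(r"\(([0-9a-f-]{36})\)", s)
            if u:
                cur["uuids"].add(u.group(1))
    return devices


def audio_devices_with_hfp(text: str):
    """List (address, name, minor class) for Audio/Video devices offering HFP."""
    found = []
    for d in parse_bluetoothctl(text):
        major, minor = decode_cod(d["cod"])
        if major != MAJOR_AUDIO_VIDEO:
            continue
        if d["uuids"] & HFP_UUIDS:
            found.append((d["addr"], d["name"], MINOR_AV.get(minor, "other A/V")))
    return found


if __name__ == "__main__":
    for addr, name, kind in audio_devices_with_hfp(SAMPLE):
        print(f"{addr}  {name!r}  ({kind}) exposes HFP; check vendor firmware")
```

On a real host, feed it the concatenated output of `bluetoothctl info` for every address listed by `bluetoothctl devices`; the name and minor class are then matched by hand against the vendor models above.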
References:
- https://www.techradar.com/pro/security/this-worrying-bluetooth-security-flaw-could-let-hackers-spy-on-your-device-via-microphone
- https://www.archynewsy.com/bluetooth-security-hacker-microphone-spy-risk/
- https://www.blackhatethicalhacking.com/news/bluetooth-bugs-in-sony-bose-jbl-devices-could-let-hackers-spy-or-place-calls/
Advisory ID: NCC-CSIRT-2025-008
Summary:
Recent research by Cybernews has found about 30 leaked data collections containing nearly 16 billion stolen login details, the largest number ever recorded. Most of this information was gathered through infostealer malware (e.g., RedLine, Raccoon, Vidar, etc.), rather than through direct hacks of major companies. Although the data comes from many separate incidents, its massive size and recent nature make it a serious threat for large-scale misuse of login credentials.
Damage/Probability: HIGH/Critical
Product(s):
- Windows OS
- Web browsers
- Password managers
Version(s):
- Windows OS (all types and versions)
- Web browsers (all types and versions)
- Password managers (all types and versions)
Platform(s):
- Google (Gmail, Workspace)
- Apple (iCloud, Apple ID)
- Microsoft (Outlook, Office 365)
- Facebook / Meta
- GitHub
- Telegram
- Amazon
- Banking and fintech platforms
- Government (.gov) and enterprise accounts
Description:
Infostealer malware stole over 16 billion usernames, passwords, and session tokens from infected systems in a massive credential leak. Attackers delivered the malware through phishing emails, fake software installers, and malicious advertisements.
Once compromised, users executed the malware, which harvested the following from their systems:
- Credentials stored in browsers
- Session cookies and tokens, which are used to bypass multi-factor authentication (MFA)
- Autofill and clipboard data
The attackers then exfiltrated the stolen data to servers they controlled and compiled it into large breach datasets. This data enables them to take over accounts, perform credential stuffing attacks, commit identity theft, and bypass MFA protections.
This incident does not stem from a vulnerability in a specific product. Instead, it results from a widespread malware campaign targeting endpoint users worldwide.
Consequences:
-
Account takeover, session hijacking, and identity theft across widely used online platforms.
-
Organizational risk due to the exposure of corporate and government email credentials.
-
Data can be used for phishing, financial fraud, or business email compromise (BEC).
Solution:
A. Immediate Actions for All Users:
- Change all passwords, prioritizing financial, corporate, and administrative accounts.
- Enable Multi-Factor Authentication (MFA), preferring non-SMS methods (e.g., authenticator apps, hardware keys).
- Adopt passkeys/passwordless methods where available (Apple, Google, Facebook).
- Use reputable password managers to generate and store complex, unique credentials.
- Run endpoint malware scans to detect and remove infostealer infections.
- Monitor account activity and respond quickly to unauthorized access.
B. Organizational Measures:
- Enforce regular password rotations and MFA policies.
- Deploy EDR solutions and threat intelligence tools to detect infostealer presence (e.g., Hudson Rock, commercial EDR suites).
- Educate users on phishing and malware risks; implement training programs.
- Audit use of session tokens and cookies; enforce token invalidation on password reset.
- Restrict access to sensitive systems using least-privilege and enforce robust logging.
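The measure "enforce token invalidation on password reset" is what makes stolen session cookies worthless after a user rotates credentials. The following is an added example, not code from Cybernews or any of the platforms listed: a minimal session store that stamps each token with the per-user credential generation it was issued under, so a password reset bumps the generation and every earlier session (including one an infostealer exfiltrated while it was valid) is rejected. Users, passwords and tokens are constructed for the demo; a production system would persist these in a database and use a dedicated password-hashing library.

```python
"""Session store that invalidates all sessions on password reset (added example)."""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Sessions carry the credential generation they were issued under."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "gen"}
        self.sessions = {}  # token -> {"user", "gen", "expires"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw_hash": self._hash(password, salt), "gen": 0}

    def login(self, user: str, password: str, ttl: int = 3600):
        """Return a session token on success, None on failure."""
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "gen": u["gen"], "expires": time.time() + ttl}
        return token

    def validate(self, token: str):
        """Return the username for a live session, None otherwise."""
        s = self.sessions.get(token)
        if s is None or time.time() > s["expires"]:
            return None
        if s["gen"] != self.users[s["user"]]["gen"]:
            # Issued before the last credential change: treat as stale or stolen.
            del self.sessions[token]
            return None
        return s["user"]

    def reset_password(self, user: str, new_password: str) -> None:
        u = self.users[user]
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = self._hash(new_password, u["salt"])
        u["gen"] += 1  # bumping the generation invalidates every outstanding session


def demo():
    """Walk through: login, token theft, reset, replay of the stolen token."""
    store = SessionStore()
    store.create_user("alice", "correct horse battery staple")
    stolen = store.login("alice", "correct horse battery staple")  # token an infostealer could exfiltrate
    valid_before = store.validate(stolen)
    store.reset_password("alice", "a new long random passphrase")
    valid_after = store.validate(stolen)           # replay after reset
    old_pw_login = store.login("alice", "correct horse battery staple")
    fresh = store.login("alice", "a new long random passphrase")
    return valid_before, valid_after, old_pw_login, store.validate(fresh)


if __name__ == "__main__":
    print(demo())
```

The same generation check can be applied to refresh tokens and API keys, and the counter can also be bumped by an administrator to force logout of a user whose credentials appear in a leak dataset.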
References:
Advisory ID: NCC-CSIRT-2025-007
Summary:
Qualys Threat Research Unit (TRU) recently discovered two interconnected Local Privilege Escalation (LPE) vulnerabilities affecting many mainstream Linux distributions. The issues, tracked as CVE-2025-6018 and CVE-2025-6019, enable unprivileged users to escalate privileges to root, with CVE-2025-6019 alone being sufficient to compromise systems from an account with minimal permissions.
Damage/Probability: HIGH/Critical
Product(s):
- openSUSE, SUSE Linux
- Ubuntu
- Debian
- Fedora
- Arch Linux
Version(s):
- openSUSE Leap 15, SUSE Linux Enterprise 15 (CVE-2025-6018 & CVE-2025-6019 chain)
- Ubuntu (22.04, 24.04 LTS)
- Debian 12 (Bookworm)
- Fedora 39/40
- Arch Linux and other rolling-release distributions using udisks2
- Any other Linux systems deploying unpatched versions of libblockdev/udisks2
Platform(s): Linux OS
Description:
The reported vulnerability involves a local privilege escalation flaw in the udisks2 service, specifically within its libblockdev component. Identified as CVE-2025-6019, the flaw allows a local, unprivileged user to gain root access by exploiting insecure handling of device mount operations via the D-Bus interface.
On affected systems, attackers can manipulate mount paths and symbolic links to overwrite or execute files as root. When combined with a second flaw (CVE-2025-6018) in the PAM configuration of SUSE-based distributions, the attack chain becomes easier because certain users are automatically treated as "active" local users and granted elevated privileges.
The flaw affects multiple Linux distributions, including Ubuntu, Debian, Fedora, and openSUSE. Exploitation requires only local access and standard tools such as udisksctl, making it low-complexity but high-impact.
Consequences:
- A complete local-to-root exploit chain exists, combining both CVEs to achieve full system compromise.
- CVE-2025-6019 alone is exploitable on multiple major distributions, including Ubuntu, Debian, Fedora, and openSUSE Leap 15, even without leveraging CVE-2025-6018.
- Root compromise carries the potential for system-wide backdoors, agent tampering, persistence mechanisms, and lateral movement across networks.
Solution:
1. Immediate Patching
- Apply vendor updates for both PAM (for SUSE) and libblockdev/udisks2 across all distributions.
- Confirm that CVE-2025-6019 is patched, including on systems running older versions of udisks2.
2. Access Restriction Controls
- Restrict or tightly control D-Bus access to udisks2.
- On shared or multi-user systems, constrain which users can mount or manage devices.
3. Security Policy Reinforcement
- Confine udisks2 and its D-Bus interactions using AppArmor or SELinux.
- Temporarily disable udisks2 on systems that do not require dynamic device management.
4. Proactive Monitoring
- Log and inspect all udisksctl invocations and D-Bus activity related to storage management.
- Look for anomalous mount operations, symlink manipulations, or unexpected processes invoking udisks2.
5. Patch Chain Dependencies
- Particularly for SUSE-based systems, patch PAM to prevent exploitation of CVE-2025-6018 before CVE-2025-6019 is leveraged.
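The monitoring step above ("log and inspect all udisksctl invocations") is straightforward to implement with auditd: an execve rule keyed on the udisksctl binary produces paired SYSCALL and EXECVE records that can be correlated. The following is an added example, not code from Qualys or the udisks2 project: it parses such audit records, reconstructs the argument vector, and raises an alert when a storage-management subcommand is run by a uid outside an allowlist of users expected to manage devices, or when loop-setup (rare outside testing) is used at all. The audit log lines and the allowlist are constructed for the demo.

```python
"""Detect udisksctl storage operations by unexpected users in auditd logs (added example)."""
import re
from collections import defaultdict

# Constructed audit records as produced by a rule such as
#   auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/udisksctl -k udisks
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1750000000.101:9001): arch=c000003e syscall=59 success=yes exit=0 pid=2215 auid=1001 uid=1001 comm="udisksctl" exe="/usr/bin/udisksctl" key="udisks"
type=EXECVE msg=audit(1750000000.101:9001): argc=4 a0="udisksctl" a1="loop-setup" a2="-f" a3="/tmp/disk.img"
type=SYSCALL msg=audit(1750000000.230:9002): arch=c000003e syscall=59 success=yes exit=0 pid=2219 auid=1001 uid=1001 comm="udisksctl" exe="/usr/bin/udisksctl" key="udisks"
type=EXECVE msg=audit(1750000000.230:9002): argc=4 a0="udisksctl" a1="mount" a2="-b" a3="/dev/loop0"
type=SYSCALL msg=audit(1750000100.500:9003): arch=c000003e syscall=59 success=yes exit=0 pid=2400 auid=1000 uid=1000 comm="udisksctl" exe="/usr/bin/udisksctl" key="udisks"
type=EXECVE msg=audit(1750000100.500:9003): argc=4 a0="udisksctl" a1="mount" a2="-b" a3="/dev/sdb1"
type=SYSCALL msg=audit(1750000200.000:9004): arch=c000003e syscall=59 success=yes exit=0 pid=2500 auid=1001 uid=1001 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1750000200.000:9004): argc=2 a0="ls" a1="-l"
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed allowlist: uids expected to mount or manage devices on this host.
ALLOWED_UIDS = {"0", "1000"}
STORAGE_SUBCMDS = {"mount", "unmount", "loop-setup", "loop-delete", "power-off"}


def parse_events(text: str):
    """Group SYSCALL/EXECVE records by audit serial into one event dict each."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        ev.setdefault("time", float(m.group(1)))
        kv = {k: (inner if q.startswith('"') else q) for k, q, inner in KV_RE.findall(line)}
        if kv.get("type") == "SYSCALL":
            ev.update(uid=kv.get("uid"), auid=kv.get("auid"), exe=kv.get("exe"), pid=kv.get("pid"))
        elif kv.get("type") == "EXECVE":
            ev["argv"] = [kv.get(f"a{i}", "") for i in range(int(kv["argc"]))]
    return dict(events)


def detect_udisks_misuse(text: str, allowed=ALLOWED_UIDS):
    """Return alerts for udisksctl storage subcommands by unexpected users or loop-setup."""
    alerts = []
    for serial, ev in sorted(parse_events(text).items()):
        argv = ev.get("argv", [])
        if not argv or not argv[0].endswith("udisksctl"):
            continue
        sub = argv[1] if len(argv) > 1 else ""
        if sub not in STORAGE_SUBCMDS:
            continue
        uid = ev.get("uid")
        if uid not in allowed:
            reason = f"udisksctl {sub} by uid {uid} not in storage allowlist"
        elif sub == "loop-setup":
            reason = "loop-setup of a user-supplied backing file; verify the image source"
        else:
            continue
        alerts.append({"serial": serial, "time": ev["time"], "uid": uid, "argv": argv, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_udisks_misuse(SAMPLE_AUDIT):
        print(f"[{a['serial']}] uid={a['uid']} {' '.join(a['argv'])}  -> {a['reason']}")
```

The allowlist should mirror the polkit or group policy chosen in step 2, so that any invocation the policy would deny also surfaces as an alert if it nevertheless succeeds.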
References:
- https://www.infosecurity-magazine.com/news/linux-flaws-allowing-root-access/
- https://cyberpress.org/privilege-escalation-vulnerabilities/
- https://securityonline.info/critical-linux-root-exploit-chain-discovered-in-pam-udisks-affecting-major-distros/
- https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/
- https://www.blackhatethicalhacking.com/new-linux-vulnerabilities-allow-instant-root-access-across-major-distros/
Advisory ID: ngCERT-2025-050014
Probability: High
Damage: Critical
Platform(s): Web Application
SUMMARY
ngCERT is aware of a critical class of vulnerability known as Directory Traversal. Directory Traversal, also known as Path Traversal or directory climbing, is a web application server flaw that enables attackers to gain unauthorized access to files and directories on a server by manipulating file paths. This flaw arises from weak input validation, which allows attackers to navigate outside the designated directory structure. The severity of the impact varies; however, it often results in significant consequences such as data breaches or unauthorised system access. Following best practices such as regular vulnerability testing, code audits, and access control is essential for preventing exploitation.
DESCRIPTION
Directory Traversal is a security vulnerability in web application servers that is typically exploited over HTTP. It occurs due to weak input validation or insecure file-handling practices. This flaw allows an attacker to manipulate file paths, gaining access to directories and files outside the designated directory structure on a web server. Attackers exploit this vulnerability by manipulating URL paths or parameters with sequences such as "../" (Unix) or "..\" (Windows), walking the server's file system to retrieve sensitive information such as configuration or password files, or other critical data. Directory Traversal can lead to the exposure of sensitive system or application details, unauthorized access to restricted files, and the potential for further attacks that compromise the server or other connected systems.
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- Authentication Bypass: Directory traversal can be used to bypass authentication mechanisms and gain unauthorized privileges.
- Data Exposure: Confidential information, such as configuration files or user data, may be exposed.
- Unauthorized Access: Attackers gain access to sensitive files and directories.
- Data Manipulation: Attackers can modify or delete critical files, leading to service disruptions.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Minimize network exposure for all control system devices and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version. Also, recognize that a VPN is only as secure as the connected devices.
- Perform proper impact analysis and risk assessment before deploying defensive measures.
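The root cause named in the description, weak input validation on file paths, is best illustrated in code. The following is an added example, not from the ngCERT advisory: a vulnerable file-serving helper that concatenates the requested path onto the web root, beside a hardened version that resolves the candidate path (after URL-decoding, normalising backslashes and stripping a leading slash) and refuses anything whose resolved location is outside the root. The directory layout and file contents are constructed in a temporary directory so the demo runs anywhere.

```python
"""Path traversal: vulnerable file serving beside a contained version (added example)."""
import os
import tempfile
import urllib.parse
from pathlib import Path


class PathTraversal(Exception):
    """Raised when a request resolves outside the web root."""


def serve_unsafe(webroot: str, requested: str) -> bytes:
    # Vulnerable: "../" sequences are honoured and an absolute path replaces webroot.
    with open(os.path.join(webroot, requested), "rb") as f:
        return f.read()


def resolve_safely(webroot: str, requested: str) -> Path:
    """Map a request path to a file inside webroot or raise PathTraversal."""
    root = Path(webroot).resolve()
    # Decode once, treat backslashes as separators (Windows-style "..\"), and
    # anchor absolute paths under the root by dropping the leading slash.
    rel = urllib.parse.unquote(requested).replace("\\", "/").lstrip("/")
    candidate = (root / rel).resolve()   # collapses ".." and follows symlinks
    if candidate != root and root not in candidate.parents:
        raise PathTraversal(requested)
    return candidate


def serve_safe(webroot: str, requested: str) -> bytes:
    path = resolve_safely(webroot, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_bytes()


def demo():
    """Build a constructed web root with a secret one level above it and try both servers."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("hello")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("TOP SECRET")

    results = {
        "unsafe_traversal": serve_unsafe(root, "../secret.txt").decode(),
        "safe_normal": serve_safe(root, "index.html").decode(),
    }
    for attempt in ("../secret.txt", "..%2Fsecret.txt", "..\\secret.txt"):
        try:
            serve_safe(root, attempt)
            results[attempt] = "SERVED"
        except PathTraversal:
            results[attempt] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r}: {v}")
```

The containment check compares resolved paths rather than inspecting the string for "..", which is why it also holds when the web root itself contains a symlink or when the traversal is hidden behind URL encoding.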
REFERENCES
Advisory ID: ngCERT-2025-050012
Probability: High
Damage: Critical
Platform(s): Windows operating system
SUMMARY
Lumma Stealer (also known as LummaC2) is a potent and widely distributed information-stealing malware targeting Windows systems. Operated as Malware-as-a-Service (MaaS) via illicit cybercrime markets, it was recently disrupted by Microsoft in response to its escalating threat profile. Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation. Its recent disruption highlights active law enforcement attention, but residual infections and potential re-emergence remain concerns. ngCERT urges organizations to reassess their security measures and implement strategies to mitigate infection risks.
DESCRIPTION
Lumma Stealer is a fast-spreading information-stealing malware distributed via underground forums as Malware-as-a-Service (MaaS). It targets Microsoft Windows (MS-Windows) systems through phishing emails, malicious downloads, or cracked software. Once installed, it enables cybercriminals to remotely steal data.
CONSEQUENCES
KEY CHARACTERISTICS & IMPACT:
- Infection Vectors: Primarily spreads through phishing emails, malicious advertisements (malvertising), pirated software, and cracked games. Installs silently, functioning as a backdoor.
- Data Theft: Actively steals sensitive information including:
  - Login credentials (browsers, applications)
  - Financial data (banking details, cards)
  - Cryptocurrency wallet information
  - Browser cookies & session data
  - Other confidential files.
- Persistence & Evasion: Employs advanced techniques like code injection and encrypted communication with Command-and-Control (C2) servers to evade detection.
- Lateral Movement: Capable of spreading within compromised networks, amplifying damage.
- Monetisation: Stolen data is typically sold on dark web markets or used directly for financial fraud and identity theft.
Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation.
SOLUTION/MITIGATION
The following mitigations should be considered:
- User Awareness: Train staff/users to identify phishing attempts and avoid downloading pirated/cracked software.
- Endpoint Protection: Ensure robust, updated anti-malware solutions with behavioral detection capabilities.
- Network Monitoring: Implement monitoring for suspicious outbound traffic (C2 communication) and lateral movement attempts.
- Patch Management: Keep all systems and software rigorously updated.
- Least Privilege: Enforce strict access controls to limit the impact of lateral movement.
Assessment: Lumma Stealer represents a significant ongoing threat to organizational and personal data security, requiring vigilant defensive measures.
REFERENCES