Advisory ID:  ngCERT-2025-050002

SUMMARY

A critical directory traversal vulnerability (CVE-2024-45711) has been identified in SolarWinds Serv-U, a widely used file transfer and management solution. This flaw allows unauthenticated attackers to execute arbitrary code or trigger denial-of-service (DoS) conditions on vulnerable systems by exploiting improper handling of environment variables..

CVE:               CVE-2024-45711

Probability:    High

Damage:        Critical

Platform(s):   Windows

DESCRIPTION

SolarWinds Serv-U, (CVE-2024-45711) is a directory traversal vulnerability in SolarWinds Serv-U, a software used for file transfer and management. This flaw allows authenticated attackers to exploit the way the software handles environment variables, which can lead to unauthorized access to system files and directories. The vulnerability does not require authentication to exploit, meaning an attacker can exploit it simply by sending specially crafted network messages to a vulnerable system. If successfully exploited, an attacker could manipulate file paths and access sensitive system resources, potentially leading to remote code execution based on the privileges of the authenticated user. While most exploitation attempts may result in a denial of service, remote code execution is theoretically possible in some scenarios.

Technical Details

• Root Cause: Improper validation of environment variables enables attackers to manipulate file paths and access restricted directories.
• Attack Vector: Remote exploitation via specially crafted network requests. No authentication is required.
• Impact:

• Remote Code Execution (RCE): Attackers can execute arbitrary code with the privileges of the Serv-U process (often SYSTEM-level access).
• Data Exposure: Unauthorized access to sensitive system files or directories.
• Denial-of-Service (DoS): Exploitation may crash the service, disrupting file transfer operations.
  
  Key Risk Factors

• Critical Severity: CVSS 9.1 due to low attack complexity, no authentication requirement, and high impact on confidentiality, integrity, and availability.
• Widespread Exposure: Serv-U is broadly deployed in enterprise environments for secure file transfers.
• Theoretical RCE: While most attacks may cause DoS, RCE is feasible under specific conditions.

SOLUTION/MITIGATION

The following are recommended:

1. Immediate Patching:

• Apply the latest SolarWinds Serv-U security update (refer to SolarWinds advisory SB-2024-XXXX).
• Confirm patch installation via the SolarWinds dashboard.

2. Restrict Network Access:

• Limit Serv-U exposure to the internet using firewalls or VPNs.
• Segment internal networks to minimize lateral movement risks.

3. Monitor for Exploitation:

• Deploy intrusion detection systems (IDS) to flag anomalous network traffic (e.g., unexpected path traversal attempts).
• Audit logs for unauthorized access to system directories.

4. Contingency Planning:

• Back up critical data and configurations regularly.
• Prepare incident response protocols for potential DoS or RCE incidents.

5. User Awareness:

• Educate staff on risks of unpatched file transfer systems. 

REFERENCES

• SolarWinds Serv-U is vulnerable to a directory traversal...· CVE-2024-45711 · GitHub Advisory Database · GitHub
• CVE-2024-45711 : SolarWinds Serv-U Directory Traversal Vulnerability | SecurityVulnerability.io
• SolarWinds Serv-U: CVE-2024-45711: Directory Traversal Vulnerability in Serv-U
• CVE-2024-45711 : SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where r
• SolarWinds Serv-U 15.4.2.0 < 15.5 / 15.4.0 < 15.5 Multiple Vul... | Tenable®

Advisory ID: NCC-CSIRT-2025-005

Summary: 

Researchers from antifraud security vendor Cleafy discovered a new wave of Android malware called "SuperCard” that exploits Near Field Communication (NFC) technology to execute instant cash-out attacks. Once installed, this malware silently initiates unauthorised financial transactions by leveraging NFC-enabled payment services. The sophistication of this malware introduces severe risks to mobile banking, digital wallets, and the broader cashless economy. 

Damage/Probability: HIGH/Critical

Product(s): Android devices with NFC capability, Digital wallets (Google Pay, OEM-specific wallets), Banking apps with NFC-integrated payment systems.

Version(s): All types and versions

Platform(s): Android operating System

Description: 

According to the researchers, the "SuperCard X" is a Chinese-speaking malware-as-a-service (M-a-a-S). It employs a novel NFC-relay technique, enabling threat actors (TAs) to fraudulently authorize point-of-sale (POS) payments and ATM withdrawals by intercepting and relaying NFC communications from compromised devices. The malware operates by covertly activating the device’s NFC functionality and triggering payment processes without the user's consent. It targets Android devices, especially those with poorly secured NFC configurations or outdated security patches. Once near a legitimate NFC payment terminal, the malware authorizes fraudulent transactions, effectively draining funds within seconds. 

Consequences:  

• Financial loss for individuals and businesses.

• Compromise of personal and financial data.

• Reputational damage to financial service providers.

• Increased erosion of trust in mobile cashless transactions.

Solution: 

• Always install the latest security patches and Android OS updates.

• Disable NFC functionality when not in use.

• Only install applications from trusted sources (Google Play Store) and verify app permissions.

• Deploy reputable mobile security solutions that monitor and block NFC abuse.

• Be vigilant about unfamiliar or excessive permissions requested by apps.

References:

• https://www.darkreading.com/threat-intelligence/nfc-android-malware-instant-cash-outs

• https://cybernews.com/security/android-malware-contactless-card-theft-supercard/

• https://www.malwarebytes.com/blog/news/2025/04/android-malware-turns-phones-into-malicious-tap-to-pay-machines

• https://cybersecuritynews.com/new-android-supercard-x-malware-employs-nfc-relay-technique/#google_vignette

• https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/

Advisory ID: NCC-CSIRT-2025-004

Summary: 

Multiple vulnerabilities have been identified in older versions of NTP, which could be exploited to cause Denial of Service, remote code execution, or time spoofing. 

Version(s): CVE-2023-26554, CVE-2023-26555, CVE-2023-26556

Damage/Probability: HIGH/HIGH

Product(s): Network Time Protocol Daemon (ntpd) 

Version(s): Network Time Protocol Daemon (ntpd)

Platform(s): Unix/Linux systems, BSD, Windows.

Description: 

The vulnerabilities stem from memory corruption, improper input validation, and insecure control message handling in NTP. Exploitation could allow attackers to crash services, gain remote access, or manipulate time across devices, affecting logs, certificates, and other security mechanisms.

Consequences:  

• Disruption of network synchronization

• Unauthorized control of system time
• Remote system compromise
• Interruption of time-based authentication systems

Solution: 

• Upgrade to NTP version 4.2.8p16 or later

• Consider migrating to Chrony for secure time synchronization
• Restrict NTP access via firewalls
• Disable unused features like monlist and control mode
• Monitor NTP traffic for anomalies

References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-26554

• https://nvd.nist.gov/vuln/detail/CVE-2023-26555

• https://nvd.nist.gov/vuln/detail/CVE-2023-26556

• https://support.ntp.org/

• https://chrony.tuxfamily.org/

Advisory ID: NCC-CSIRT-2025-003

Summary: 

The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) wishes to inform critical stakeholders and constituents across the telecommunications, maritime, logistics, financial, and public sectors of an escalating cyber threat posed by SideWinder Advanced Persistent Threat (APT) group also known as T-APT-04 or RattleSnake, a sophisticated cyber espionage group operating primarily from the Indian subcontinent. 

Damage/Probability: CRITICAL/HIGH

Platform(s): Microsoft Office documents and XML files

Description: 

SideWinder employs spear-phishing as its primary attack vector, leveraging malicious Microsoft Office documents and Open Extensible Markup Language (XML) files embedded with exploit code. A known exploit includes the memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882).

Their malicious toolkit includes:

• StealerBot – used for credential theft and sensitive data exfiltration.
• Advanced Remote Access Trojans (RATs) – enabling persistent backdoor access to victim systems.
• Command-and-Control (C2) Infrastructure – often hidden via encrypted tunnels and obfuscated traffic.

Consequences:  

• Compromise of sensitive data and classified government information.

• Disruption of maritime logistics and operational technologies.

• Threats to national critical infrastructure, including telecommunications and banking networks.

• Long-term surveillance and unauthorized network access.

Solution:  

 To mitigate the identified threat, the following steps are recommended: 

• Immediately apply security updates to Microsoft Office applications, particularly to mitigate CVE-2017-11882 and other known vulnerabilities.

• Use the latest supported versions of all software applications.

• Deploy advanced email security gateways with attachment and link scanning capabilities.

• Enable attachment sandboxing and disable automatic execution of macros.  

• Conduct regular employee awareness sessions on phishing identification and reporting procedures.

• Encourage verification of suspicious emails, especially those requesting credentials or urging urgency.

• Employ Endpoint Detection and Response (EDR) tools capable of detecting malware signatures associated with StealerBot and RATs.

• Enable logging and continuous monitoring of endpoint activities.

• Segment critical networks from general-purpose IT environments.

• Enforce least-privilege access policies and implement multifactor authentication (MFA).

• Review and update documented procedures and workflows used during cybersecurity incident response.

• Ensure rapid communication channels with NCC-CSIRT for threat reporting and coordination.

• Proactively monitor for Indicators of Compromise (IoC) associated with SideWinder campaigns.

References:

• https://cyberpress.org/sidewinder-apt-hackers-attack-military-government/

• https://thehackernews.com/2025/03/sidewinder-apt-targets-maritime-nuclear.html

• https://www.group-ib.com/media-center/press-releases/sidewinder-apt-report/

• https://attack.mitre.org/groups/G0121/

• https://securityonline.info/sidewinder-apt-a-decade-of-evolution-and-global-expansion/

• https://undercodenews.com/sidewinder-apt-expanding-operations-with-enhanced-cyberattack-tactics/

• https://cybersecuritynews.com/sidewinder-apt-group-attacking-military-government-entities/

• https://rewterz.com/threat-advisory/sidewinder-apt-targets-maritime-nuclear-and-it-sectors-across-asia-the-middle-east-and-africa-active-iocs