Advisory ID: NCC-CSIRT-2025-002
CVE: CVE-2025-2783
Probability: High
Impact: High
Product (s): Google Chrome
Version (s): Multiple (prior to patched version addressing CVE-2025-2783)
Platform (s): Windows, macOS, Linux
Threat Type (s): Zero-Day Exploit, Remote Code Execution, Advanced Persistent Threat (APT)
Summary
A sophisticated zero-day vulnerability in Google Chrome (CVE-2025-2783) is being exploited in the wild, allowing attackers to bypass browser sandbox protections via malicious links.
Consequences
Remote Code Execution, System Compromise, Espionage, and Unauthorized Access.
Description
Kaspersky has identified an advanced Chrome zero-day exploit (CVE-2025-2783) used in targeted espionage operations. The vulnerability allows attackers to bypass sandbox protections using a specially crafted link, requiring only a user click to compromise the system. This attack has been linked to an APT group targeting government, media, and educational institutions in Russia. Although the campaign was geographically focused, similar techniques may be deployed elsewhere. The exploit's complexity and stealth make it a serious threat.
Solution
Google has released a patch to address CVE-2025-2783. All users are strongly advised to update their Chrome browsers to the latest version immediately to mitigate this vulnerability. System administrators should also ensure that automatic updates are enabled and monitored across endpoints.
References
https://securelist.com/operation-forumtroll/115989/
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
Advisory ID: NCC-CSIRT-2025-001
Summary
The NCC-CSIRT has identified that the Mirai malware is active in Nigeria’s cyberspace, targeting IoT devices with weak security settings. Once infected, these devices become part of a botnet used for large-scale DDoS attacks and other malicious activities. Organizations and individuals using IoT devices must take immediate steps to secure their infrastructure.
CVEs: CVE-2016-10401, CVE-2017-17215, CVE-2018-10088, CVE-2019-9580, CVE-2024-45163
Probability: High
Impact: Severe – Potential for large-scale botnet attacks, DDoS campaigns, and system compromise
Product (s): IoT Devices, Routers, DVRs, IP Cameras, Networked Devices
Version (s): Various firmware versions vulnerable to default or weak credentials
Platform (s): Linux-based IoT devices and embedded systems
Threat Type (s): Botnet, Malware, Distributed Denial-of-Service (DDoS), Credential Exploitation
Consequences
- Devices compromised and controlled by attackers.
- Participation in large-scale DDoS attacks affecting critical services.
- Unauthorized access to sensitive networks and data.
- Potential for further malware propagation within affected networks.
Description
Mirai is a self-propagating malware that infects IoT devices by exploiting weak or default credentials and unpatched vulnerabilities. Once infected, the device joins a botnet controlled by threat actors to launch massive DDoS attacks or other malicious activities. The malware continuously scans for additional vulnerable devices to infect, growing the botnet. Reports indicate a rise in Mirai-related incidents in Nigeria, highlighting the urgent need for preventive measures.
Solution
- Change default credentials: Immediately update factory-set usernames and passwords on all IoT devices.
- Apply firmware updates: Ensure devices are running the latest firmware with security patches.
- Disable unnecessary services: Turn off remote management features that are not required.
- Implement network segmentation: Isolate IoT devices from critical networks to limit exposure.
- Use strong authentication: Enable multi-factor authentication (MFA) where possible.
- Monitor network traffic: Regularly check for unusual outbound traffic that may indicate botnet activity.
References
https://www.cisa.gov/news-events/alerts/2016/10/14/heightened-ddos-threat-posed-mirai-and-other-botnets
https://www.quorumcyber.com/wp-content/uploads/2023/06/Quorum-Cyber-_Mirai-Botnet-Report.pdf
https://darktrace.com/fr/blog/mirai-malware-infects-cctv-camera
Advisory ID: ngCERT-2025-010008
SUMMARY
ngCERT is aware of a critical Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely used email and collaboration platform. The flaw, tracked as CVE-2024-45519, allows unauthenticated attackers to execute arbitrary commands on affected Zimbra installations. Successful exploitation could result in system compromise, data theft, and malware infiltration, among other malicious activities. Accordingly, users and system administrators are advised to take proactive steps to safeguard their systems against exploitation by threat actors.
CVE: CVE-2024-45519
Probability: High
Damage: Critical
Platform(s): Zimbra Collaboration Suite
DESCRIPTION
The Zimbra remote code execution flaw exists in Zimbra's postjournal service, which is used to parse incoming emails over SMTP. Threat actors exploit this weakness by sending specially crafted emails whose carbon copy (CC) field contains commands that are executed when the postjournal service processes the email. These emails contain base64-encoded strings that are executed via the 'sh' shell to build and drop a webshell on the Zimbra server. Once the webshell is installed, it listens for inbound connections containing a specific JSESSIONID cookie field. If the correct cookie is detected, the webshell parses another cookie (JACTION) that contains base64-encoded commands to execute. The webshell also supports downloading and executing files on the compromised server. Once installed, the webshell offers full access to the compromised Zimbra server for data theft or for further spread into the internal network. Vulnerable versions include releases before 8.8.15 Patch 46, 9.0.x before 9.0.0 Patch 41, 10.0.x before 10.0.9, and 10.1.x before 10.1.1.
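As an added illustration of the webshell indicator described above (example code, not part of the ngCERT advisory), the following Python snippet scans web-server access logs for requests that carry the JACTION cookie the webshell reads, and decodes its base64 value for the analyst. The log layout, with the Cookie header appended as the last quoted field, and the sample lines are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample access-log lines (not real traffic): combined-log shape
# with the request's Cookie header logged as the final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2024:10:01:02 +0000] "GET /zimbra/ HTTP/1.1" 200 512 "JSESSIONID=abc123"
10.0.0.9 - - [01/Oct/2024:10:01:07 +0000] "POST /jsp/ HTTP/1.1" 200 20 "JSESSIONID=abc123; JACTION=dW5hbWUgLWE="
10.0.0.7 - - [01/Oct/2024:10:02:11 +0000] "GET /service/soap HTTP/1.1" 200 88 "ZM_AUTH_TOKEN=xyz"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "(?P<cookie>[^"]*)"$'
)

def parse_cookies(header):
    """Split 'a=1; b=2' into a dict; partition() keeps '=' padding inside base64 values."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def decode_b64(value):
    """Decode a base64 cookie value for the analyst; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_webshell_hits(log_text):
    """Flag requests carrying a JACTION cookie next to JSESSIONID.

    JSESSIONID alone is an ordinary Java session cookie and not an indicator;
    the JACTION cookie is what the advisory ties to the dropped webshell.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        jar = parse_cookies(m.group("cookie"))
        if "JACTION" in jar and "JSESSIONID" in jar:
            hits.append({"src_ip": m.group("ip"), "request": m.group("req"),
                         "jaction_raw": jar["JACTION"],
                         "jaction_decoded": decode_b64(jar["JACTION"])})
    return hits

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```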
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
1. Compromise of the entire system.
2. Exfiltration of data.
3. Ransomware infiltration leading to potential financial loss.
4. Service disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
The following are recommended:
1. Administrators should verify that postjournal is disabled if not required.
2. Ensure that mynetworks is correctly configured to prevent unauthorized access.
3. Apply the latest security updates provided by Zimbra.
REFERENCES
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://blog.zimbra.com/2025/01/new-patch-for-zimbra-classic-web-client-vulnerability-stay-secure-by-updating/
- https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/
- https://projectdiscovery.io/blog/zimbra-remote-code-execution
Advisory ID: ngCERT-2025-010006
SUMMARY
ngCERT has observed the emergence of a critical FortiOS and FortiProxy authentication bypass vulnerability, tracked as CVE-2024-55591. This flaw allows attackers to execute remote code on affected systems, which can result in full system compromise. Exploiting this flaw can lead to data breaches, privilege escalation, and service disruption. Reportedly, the weakness carries a CVSSv3 score of 9.6, with records of active exploitation in the wild. In this regard, users are strongly advised to apply the patches provided by Fortinet and to put in place the necessary measures to safeguard their systems.
Probability: High
Damage: Critical
Platform(s): FortiOS, FortiProxy
DESCRIPTION
CVE-2024-55591 stems from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). It is a remote code execution (RCE) vulnerability that exists due to improper input validation in the Node.js websocket module of FortiOS and FortiProxy products. The vulnerability allows an unauthenticated attacker to send specially crafted input to the Node.js websocket module, triggering a stack-based buffer overflow. This overflow can be exploited to execute arbitrary code on the target device, potentially giving the attacker super-admin privileges over the system. Threat actors could gain unauthorized access to firewall management interfaces, create new user accounts, use those accounts to bypass security controls (for example by logging in via SSL VPN), and make other modifications to the device configuration that establish a path into the internal network. The vulnerability is particularly dangerous because it can be triggered remotely over the network without prior authentication, making it a prime target for attackers seeking unauthorized access to systems. It affects FortiOS versions 7.0.0 to 7.0.16, FortiProxy versions 7.0.0 to 7.0.19, and FortiProxy versions 7.2.0 to 7.2.12.
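The affected-version lists in the Zimbra description earlier on this page and in the FortiOS/FortiProxy description above both reduce to a "below the first fixed release on a given branch" test. The following added triage helper (not from ngCERT or either vendor) encodes both lists so an asset inventory can be checked quickly; the version-string formats it accepts, and the inclusive branch boundaries, are assumptions drawn from the advisory wording.

```python
import re

# Affected branches from the two advisories: (product, branch prefix, first fixed version).
# A version on the branch is "affected" when it sorts below the first fixed version.
# Versions are 4-tuples (major, minor, build, patch); Zimbra's "Patch N" fills the 4th slot.
AFFECTED = [
    ("Zimbra",     (8,),     (8, 8, 15, 46)),   # before 8.8.15 Patch 46
    ("Zimbra",     (9,),     (9, 0, 0, 41)),    # 9.0.x before 9.0.0 Patch 41
    ("Zimbra",     (10, 0),  (10, 0, 9, 0)),    # 10.0.x before 10.0.9
    ("Zimbra",     (10, 1),  (10, 1, 1, 0)),    # 10.1.x before 10.1.1
    ("FortiOS",    (7, 0),   (7, 0, 17, 0)),    # 7.0.0 to 7.0.16
    ("FortiProxy", (7, 0),   (7, 0, 20, 0)),    # 7.0.0 to 7.0.19
    ("FortiProxy", (7, 2),   (7, 2, 13, 0)),    # 7.2.0 to 7.2.12
]

# Accepts "8.8.15 Patch 45", "8.8.15 P45", "10.0.8", "7.0.16" (assumed input formats).
VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE)

def parse_version(text):
    """'8.8.15 Patch 45' -> (8, 8, 15, 45); '10.0.8' -> (10, 0, 8, 0)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]        # pad or truncate to major.minor.build
    parts.append(int(m.group(2) or 0))     # patch level, 0 when absent
    return tuple(parts)

def check(product, version_text):
    """Return 'affected', 'patched', or 'not listed' (branch absent from the advisories).

    'not listed' is deliberately not 'safe': the advisories say nothing about it.
    """
    v = parse_version(version_text)
    for prod, branch, fixed in AFFECTED:
        if prod == product and v[:len(branch)] == branch:
            return "affected" if v < fixed else "patched"
    return "not listed"

if __name__ == "__main__":
    for prod, ver in [("Zimbra", "8.8.15 Patch 45"), ("FortiOS", "7.0.17"), ("FortiOS", "7.2.5")]:
        print(prod, ver, "->", check(prod, ver))
```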
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
1. System compromise.
2. Unauthorized access to sensitive data.
3. Data exfiltration.
4. Ransomware infiltration leading to potential financial loss.
5. Reputational damage.
6. Service Disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
ngCERT recommends the following:
1. Ensure that all systems using the affected component are updated to the latest, secure versions. Fortinet has provided tools to assist with upgrading on its official site: https://www.fortiguard.com/psirt/FG-IR-24-535
2. Implement network segmentation and firewalls to restrict access to critical systems from untrusted or external networks.
3. Adopt the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor for abnormal traffic patterns or exploit attempts targeting this vulnerability.
4. Deploy Web Application Firewalls (WAFs) to detect and block malicious payloads.
5. Ensure comprehensive monitoring to detect abnormal activities and possible indicators of compromise (IoCs) that could reveal attempted or successful attacks.
6. Implement system hardening by enforcing the principle of least privilege and ensuring that only necessary services and ports are exposed.
7. Disable or restrict the use of vulnerable components or services that expose the system to external connections, where possible.
8. Educate staff/users about security best practices, such as recognizing phishing attempts that might lead to an attack on the network.
HYPERLINK
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://bolster.ai/blog/avoid-government-grant-scams
- https://madsecurity.com/madsecurity-blog/10-essential-tips-to-fortify-against-phishing-attacks
- https://tnp.straitstimes.com/news/singapore/scam-website-masquerades-govt-support-scheme-portal
Advisory ID: ngCERT-2025-010007
SUMMARY
ngCERT is aware of an increase in Android.Vo1d malware infections within the Nigerian cyberspace. Android.Vo1d, also known as Void, is a recent Android trojan campaign reported to have infected over 1.3 million Android TV boxes worldwide, including in Nigeria. The malware is a sophisticated backdoor capable of secretly downloading and installing malicious applications on infected devices, particularly those running outdated Android operating systems. Android.Vo1d poses a major risk to Android TV box users, with implications including system compromise and takeover as well as data exfiltration, among other negative impacts. Consequently, ngCERT strongly advises individuals and organizations to take immediate steps to safeguard their systems and data from this emerging threat.
Probability: High
Damage: Critical
Platform(s): Android TV Boxes
DESCRIPTION
Android.Vo1d is a backdoor trojan that installs itself deep in the device’s system files and operates covertly, employing advanced techniques to evade detection while establishing persistence. It achieves this by infiltrating the system storage and modifying critical files such as install-recovery.sh and daemonsu. It then creates new files: /system/xbin/wd, /system/xbin/vo1d, /system/bin/debuggerd_real and /system/bin/debuggerd. The attackers disguise the malware by altering the name of the system program “vold” to “vo1d”, substituting the number “1” for the lowercase “l”. This trick allows the malware to evade detection while establishing a foothold on infected systems. Additionally, the backdoor’s components, Android.Vo1d.1, Android.Vo1d.3 and Android.Vo1d.5, work concurrently to ensure continued malicious activity: Vo1d.1 manages activities and downloads executable files from the C&C server; Vo1d.3 installs and launches the encrypted Android.Vo1d.5 daemon while monitoring directories and installing APK files; and Vo1d.5 provides additional functionality. Furthermore, TV boxes running older Android versions are particularly vulnerable, as they often lack critical security updates. Affected devices include the R4 (Android 7.1.2) and KJ-SMART4KVIP (Android 10.1).
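As an added example (not from the ngCERT advisory or any vendor), the following Python check turns the file indicators above into a triage pass over a /system file listing, which in practice would be captured from the device with adb: it flags the exact paths the advisory names, the files it says the backdoor modifies, and any binary name that imitates a legitimate one by the digit-for-letter swap the advisory describes. The sample listing, the set of legitimate binary names and the swap table are constructed assumptions.

```python
import os

# Paths the advisory attributes to Android.Vo1d. /system/bin/debuggerd is a legitimate
# binary the backdoor replaces, so it is not listed; the renamed original debuggerd_real is.
VO1D_PATHS = {"/system/xbin/wd", "/system/xbin/vo1d", "/system/bin/debuggerd_real"}

# Files the advisory says the backdoor modifies; their presence alone is normal,
# so they are flagged for comparison against a clean firmware image.
VO1D_MODIFIED = {"install-recovery.sh", "daemonsu"}

# Legitimate system binaries a lookalike name could impersonate. "vold" is the case
# from the advisory; the other entries are assumed extras for illustration.
KNOWN_BINARIES = {"vold", "debuggerd", "logd", "installd"}

# Digit-for-letter substitutions to undo (assumed; the advisory documents "1" for "l").
LOOKALIKE = str.maketrans({"1": "l", "0": "o"})

def lookalike_of(name):
    """Return the legitimate binary `name` imitates via digit swaps, else None."""
    normalised = name.translate(LOOKALIKE)
    if normalised != name and normalised in KNOWN_BINARIES:
        return normalised
    return None

def scan_listing(paths):
    """Return (path, reason) pairs for every entry worth an analyst's attention."""
    findings = []
    for path in paths:
        base = os.path.basename(path)
        impersonated = lookalike_of(base)
        if path in VO1D_PATHS:
            findings.append((path, "known Vo1d artefact"))
        elif base in VO1D_MODIFIED:
            findings.append((path, "file Vo1d modifies; diff against a clean image"))
        elif impersonated:
            findings.append((path, "lookalike of system binary '%s'" % impersonated))
    return findings

# Constructed sample listing, as `adb shell find /system -type f` might return it;
# not taken from a real device.
SAMPLE_LISTING = [
    "/system/bin/vold", "/system/bin/debuggerd", "/system/bin/debuggerd_real",
    "/system/xbin/vo1d", "/system/xbin/wd", "/system/etc/install-recovery.sh",
    "/system/xbin/su", "/system/bin/l0gd",
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_LISTING):
        print(path, "->", reason)
```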
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- System compromise.
- Unauthorized access to sensitive data.
- Data exfiltration.
- Reputational damage.
- Service Disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
ngCERT recommends the following:
- Regularly update TV box firmware from official sources.
- Install antivirus software to detect potential infections.
- Avoid downloading apps or firmware from unofficial sources.
- Consider replacing TV boxes running on outdated Android versions with newer and more secure models.
HYPERLINK
- https://cybersecuritynews.com/android-tv-box-android-vo1d-malware/
- https://securityonline.info/massive-android-tv-box-infection-over-1-3-million-devices-compromised-by-android-vo1d/
- https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
- https://www.androidheadlines.com/2024/09/these-android-tv-boxes-are-infected-by-vo1d-malware.html