Advisory ID:  ngCERT-2025-050003

SUMMARY

ngCERT has issued an urgent alert regarding a critical vulnerability (CVE-2024-44276, CVSS 9.1 – Critical) in Apple’s Password App for iOS 18, enabling attackers to hijack user sessions and steal sensitive credentials. The flaw originates from the app’s reliance on an insecure HTTP protocol for data transmission, allowing adversaries on shared networks (e.g., public Wi-Fi) to intercept unencrypted traffic and redirect users to malicious phishing sites. These fraudulent pages mimic legitimate services to harvest login credentials, financial data, and other personal information.

Probability:    High

Damage:        Critical

Platform(s):   iOS, iPadOS

DESCRIPTION

The vulnerability in Apple’s password manager App was identified as an insecure data transmission protocol weakness susceptible to compromise by threat actors. Particularly, the App used unencrypted HTTP connections, as opposed to a more secure HTTPS, to fetch logos and icons while opening password reset pages. Attackers with privileged access, mostly connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi), could intercept the HTTP request and redirect the user to a phishing website. Thereafter, threat actors can easily gather login credentials from victims and utilize them for other malicious activities. Nonetheless, Apple addressed the problem in a security update in its iOS 18.2 version..

CONSEQUENCES

Exploitation of the flaw could lead to phishing attacks and theft of login credentials. This could further result in:

1. Malware infiltrations.
2. Financial losses through fraudulent transactions.
3. Identity theft occasioned by stolen sensitive data.
4. Emotional distress.
5. Disruption of critical services leading.

SOLUTION/MITIGATION

While Apple has addressed the vulnerability in recent updates, ngCERT strongly advises all iOS 18 users to:

1. Install the latest security patch immediately via Settings > General > Software Update.
2. Avoid using the Password App on public or untrusted networks until updates are confirmed.
3. Enable HTTPS-only mode in browser settings to block insecure connections.

 REFERENCES

• https://www.analyticsinsight.net/news/apples-ios-182-update-fixes-critical-security-flaw-in-passwords-app
• https://www.techrepublic.com/article/apple-password-app-exposed-2025/
• https://www.tenable.com/cve/CVE-2024-44276  
• https://www.theverge.com/news/632108/apple-ios-passwords-app-bug-vulnerability-phishing-attacks

Advisory ID:  ngCERT-2025-050001

SUMMARY

ngCERT is aware of Microsoft Corporation’s announcement of the End-of-Support (EOS) for Windows 10 on October 14, 2025. After this date, Microsoft will no longer provide security updates, technical support, or bug fixes for the Windows 10 operating system (OS). This advisory highlights the security risks associated with the continued use of Windows 10 post-EOS and provides mitigation strategies for organizations and individuals.

Probability:    High

Damage:        Critical

Platform(s):   Windows

DESCRIPTION

Microsoft follows a lifecycle policy for its products, after which extended support is discontinued. Windows 10, a widely used OS in both enterprise and consumer environments, will reach its end of support in October 2025. Post-EOS, the OS will no longer receive:

• Security patches for newly discovered vulnerabilities.
• Technical assistance from Microsoft.
• Bug fixes or performance improvements.
  
  This discontinuation poses significant cybersecurity risks, as unpatched systems will be vulnerable to exploits targeting newly discovered flaws.

CONSEQUENCES

1. Loss of Productivity & Business Disruption: System crashes, compatibility issues with newer software, and a lack of vendor support may disrupt operations.
2. Increased Vulnerability to Cyberattacks as attackers may exploit unpatched security flaws, leading to malware infections, ransomware, and data breaches. Legacy systems running Windows 10 may become prime targets for cybercriminals.
3. Higher Long-Term Costs, as maintaining outdated systems may require costly custom support agreements or emergency migration efforts.
4. Non-Compliance with Regulatory Standards.

SOLUTION/MITIGATION

The following should be considered:

1. Upgrade to Windows 11 or a supported OS: Ensure hardware compatibility and migrate to Windows 11 or another supported OS before EOS.
2. Develop a Migration Plan: Inventory all Windows 10 devices and prioritize upgrades based on criticality. Ensure to test applications for compatibility before migration.
3. Consider Extended Security Updates (ESUs): If migration is delayed, enrol in Microsoft’s Extended Security Update (ESU) program (paid) for critical patches (limited duration)
4. Implement Strong Security Controls: Deploy Endpoint Detection & Response (EDR) solutions, enforce network segmentation to isolate legacy systems while also applying strict firewall rules and application whitelisting.
5. Switch to a Supported Alternative such as a Linux-based OS
6. Enhance Security Posture by using reputable antivirus/anti-malware solutions, as well as enabling multi-factor authentication (MFA) and regular backups.

 REFERENCES

• • https://support.microsoft.com/en-us/windows/windows-10-supports-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281
  • ttps://blogs.windows.com/windowsexperience/2024/10/31/how-to-prepare-for-windows-10-end-of-support-by-moving-to-windows-11-today/
  • https://www.uscloud.com/blog/windows-10-end-of-life/

Advisory ID:  ngCERT-2025-050002

SUMMARY

A critical directory traversal vulnerability (CVE-2024-45711) has been identified in SolarWinds Serv-U, a widely used file transfer and management solution. This flaw allows unauthenticated attackers to execute arbitrary code or trigger denial-of-service (DoS) conditions on vulnerable systems by exploiting improper handling of environment variables..

CVE:               CVE-2024-45711

Probability:    High

Damage:        Critical

Platform(s):   Windows

DESCRIPTION

SolarWinds Serv-U, (CVE-2024-45711) is a directory traversal vulnerability in SolarWinds Serv-U, a software used for file transfer and management. This flaw allows authenticated attackers to exploit the way the software handles environment variables, which can lead to unauthorized access to system files and directories. The vulnerability does not require authentication to exploit, meaning an attacker can exploit it simply by sending specially crafted network messages to a vulnerable system. If successfully exploited, an attacker could manipulate file paths and access sensitive system resources, potentially leading to remote code execution based on the privileges of the authenticated user. While most exploitation attempts may result in a denial of service, remote code execution is theoretically possible in some scenarios.

Technical Details

• Root Cause: Improper validation of environment variables enables attackers to manipulate file paths and access restricted directories.
• Attack Vector: Remote exploitation via specially crafted network requests. No authentication is required.
• Impact:

• Remote Code Execution (RCE): Attackers can execute arbitrary code with the privileges of the Serv-U process (often SYSTEM-level access).
• Data Exposure: Unauthorized access to sensitive system files or directories.
• Denial-of-Service (DoS): Exploitation may crash the service, disrupting file transfer operations.
  
  Key Risk Factors

• Critical Severity: CVSS 9.1 due to low attack complexity, no authentication requirement, and high impact on confidentiality, integrity, and availability.
• Widespread Exposure: Serv-U is broadly deployed in enterprise environments for secure file transfers.
• Theoretical RCE: While most attacks may cause DoS, RCE is feasible under specific conditions.

SOLUTION/MITIGATION

The following are recommended:

1. Immediate Patching:

• Apply the latest SolarWinds Serv-U security update (refer to SolarWinds advisory SB-2024-XXXX).
• Confirm patch installation via the SolarWinds dashboard.

2. Restrict Network Access:

• Limit Serv-U exposure to the internet using firewalls or VPNs.
• Segment internal networks to minimize lateral movement risks.

3. Monitor for Exploitation:

• Deploy intrusion detection systems (IDS) to flag anomalous network traffic (e.g., unexpected path traversal attempts).
• Audit logs for unauthorized access to system directories.

4. Contingency Planning:

• Back up critical data and configurations regularly.
• Prepare incident response protocols for potential DoS or RCE incidents.

5. User Awareness:

• Educate staff on risks of unpatched file transfer systems. 

REFERENCES

• SolarWinds Serv-U is vulnerable to a directory traversal...· CVE-2024-45711 · GitHub Advisory Database · GitHub
• CVE-2024-45711 : SolarWinds Serv-U Directory Traversal Vulnerability | SecurityVulnerability.io
• SolarWinds Serv-U: CVE-2024-45711: Directory Traversal Vulnerability in Serv-U
• CVE-2024-45711 : SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where r
• SolarWinds Serv-U 15.4.2.0 < 15.5 / 15.4.0 < 15.5 Multiple Vul... | Tenable®

Advisory ID: NCC-CSIRT-2025-005

Summary: 

Researchers from antifraud security vendor Cleafy discovered a new wave of Android malware called "SuperCard” that exploits Near Field Communication (NFC) technology to execute instant cash-out attacks. Once installed, this malware silently initiates unauthorised financial transactions by leveraging NFC-enabled payment services. The sophistication of this malware introduces severe risks to mobile banking, digital wallets, and the broader cashless economy. 

Damage/Probability: HIGH/Critical

Product(s): Android devices with NFC capability, Digital wallets (Google Pay, OEM-specific wallets), Banking apps with NFC-integrated payment systems.

Version(s): All types and versions

Platform(s): Android operating System

Description: 

According to the researchers, the "SuperCard X" is a Chinese-speaking malware-as-a-service (M-a-a-S). It employs a novel NFC-relay technique, enabling threat actors (TAs) to fraudulently authorize point-of-sale (POS) payments and ATM withdrawals by intercepting and relaying NFC communications from compromised devices. The malware operates by covertly activating the device’s NFC functionality and triggering payment processes without the user's consent. It targets Android devices, especially those with poorly secured NFC configurations or outdated security patches. Once near a legitimate NFC payment terminal, the malware authorizes fraudulent transactions, effectively draining funds within seconds. 

Consequences:  

• Financial loss for individuals and businesses.

• Compromise of personal and financial data.

• Reputational damage to financial service providers.

• Increased erosion of trust in mobile cashless transactions.

Solution: 

• Always install the latest security patches and Android OS updates.

• Disable NFC functionality when not in use.

• Only install applications from trusted sources (Google Play Store) and verify app permissions.

• Deploy reputable mobile security solutions that monitor and block NFC abuse.

• Be vigilant about unfamiliar or excessive permissions requested by apps.

References:

• https://www.darkreading.com/threat-intelligence/nfc-android-malware-instant-cash-outs

• https://cybernews.com/security/android-malware-contactless-card-theft-supercard/

• https://www.malwarebytes.com/blog/news/2025/04/android-malware-turns-phones-into-malicious-tap-to-pay-machines

• https://cybersecuritynews.com/new-android-supercard-x-malware-employs-nfc-relay-technique/#google_vignette

• https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/