CWE-506
Embedded Malicious Code
The product contains code that appears to be malicious in nature.
CVE-2017-20201 (GCVE-0-2017-20201)
Vulnerability from cvelistv5
Published
2025-10-08 22:04
Modified
2025-10-14 14:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Piriform | CCleaner |
Version: 5.33.6162 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20201",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T14:06:37.177224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:19:01.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.crowdstrike.com/en-us/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"__scrt_common_main_seh"
],
"platforms": [
"Windows",
"32 bit"
],
"product": "CCleaner",
"vendor": "Piriform",
"versions": [
{
"status": "affected",
"version": "5.33.6162"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"__scrt_common_main_seh"
],
"platforms": [
"Windows",
"32 bit"
],
"product": "CCleaner Cloud",
"vendor": "Piriform",
"versions": [
{
"status": "affected",
"version": "1.07.3191"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Morphisec"
},
{
"lang": "en",
"type": "finder",
"value": "Cisco Talos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.\u003cbr\u003e"
}
],
"value": "CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T22:04:08.894Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://blog.avast.com/progress-on-ccleaner-investigation"
},
{
"tags": [
"product"
],
"url": "https://www.ccleaner.com/"
},
{
"tags": [
"technical-description"
],
"url": "https://www.crowdstrike.com/en-us/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ccleaner.com/knowledge/security-notification-ccleaner-v5336162-ccleaner-cloud-v1073191"
},
{
"tags": [
"technical-description"
],
"url": "https://www.morphisec.com/blog/morphisec-discovers-ccleaner-backdoor/"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.talosintelligence.com/avast-distributes-malware/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/ccleaner-and-ccleaner-cloud-malicious-backdoor-supply-chain-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "CCleaner v5.33.6162 \u0026 CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2017-20201",
"datePublished": "2025-10-08T22:04:08.894Z",
"dateReserved": "2025-10-08T17:15:41.323Z",
"dateUpdated": "2025-10-14T14:19:01.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20202 (GCVE-0-2017-20202)
Vulnerability from cvelistv5
Published
2025-10-08 22:04
Modified
2025-10-14 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake “repair” alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor. The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Web Developer for Chrome | Web Developer for Chrome |
Version: 0.4.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20202",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T14:08:26.864721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:18:49.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Developer for Chrome",
"vendor": "Web Developer for Chrome",
"versions": [
{
"status": "affected",
"version": "0.4.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake \u201crepair\u201d alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include\u0026nbsp;user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor.\u0026nbsp;The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0.\u003cbr\u003e"
}
],
"value": "Web Developer for Chrome v0.4.9 contained malicious code that generated a domain via a DGA and fetched a remote script. The fetched script conditionally loaded follow-on modules that performed extensive ad substitution and malvertising, displayed fake \u201crepair\u201d alerts that redirected users to affiliate programs, and attempted to harvest credentials when users logged in. Injected components enumerate common banner sizes for substitution, replace third-party ad calls, and redirect victim traffic to affiliate landing pages. Potential impacts include\u00a0user-level code execution in the browser context, large-scale ad fraud and traffic hijacking, credential theft, and exposure to additional payloads delivered by the actor.\u00a0The compromise was reported on by the maintainer of Web Developer for Chrome on August 2, 2017 and remediated in v0.5.0."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T22:04:12.297Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://web.archive.org/web/20170803163618/https://chrispederick.com/blog/web-developer-for-chrome-compromised/"
},
{
"tags": [
"technical-description"
],
"url": "https://ui.vision/blog/chrome-extension-adware/"
},
{
"tags": [
"technical-description"
],
"url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/piedpiperRichard/076516da60f45842f1a6e6ae35a9a240/"
},
{
"tags": [
"product"
],
"url": "https://chromewebstore.google.com/detail/web-developer/bfbameneiokkgbdmiekhjnmfkcnldhhm?pli=1"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/web-developer-for-chrome-malicious-backdoor-supply-chain-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "Web Developer for Chrome v0.4.9 Malicious Backdoor Supply Chain Compromise",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2017-20202",
"datePublished": "2025-10-08T22:04:12.297Z",
"dateReserved": "2025-10-08T19:02:59.368Z",
"dateUpdated": "2025-10-14T14:18:49.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-20203 (GCVE-0-2017-20203)
Vulnerability from cvelistv5
Published
2025-10-09 17:01
Modified
2025-10-15 16:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NetSarang Computer, Inc. | Xmanager Enterprise |
Version: 5.0 Build 1232 |
||||||||||||||||||||||
|
||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2017-20203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T16:14:00.667763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T16:14:17.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"nssock2.dll"
],
"product": "Xmanager Enterprise",
"vendor": "NetSarang Computer, Inc.",
"versions": [
{
"status": "affected",
"version": "5.0 Build 1232"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"nssock2.dll"
],
"product": "Xmanager",
"vendor": "NetSarang Computer, Inc.",
"versions": [
{
"status": "affected",
"version": "5.0 Build 1045"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"nssock2.dll"
],
"product": "Xshell",
"vendor": "NetSarang Computer, Inc.",
"versions": [
{
"status": "affected",
"version": "5.0 Build 1322"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"nssock2.dll"
],
"product": "Xftp",
"vendor": "NetSarang Computer, Inc.",
"versions": [
{
"status": "affected",
"version": "5.0 Build 1218"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"nssock2.dll"
],
"product": "Xlpd",
"vendor": "NetSarang Computer, Inc.",
"versions": [
{
"status": "affected",
"version": "5.0 Build 1220"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kaspersky Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NetSarang Xmanager Enterprise 5.0 Build 1232,\u0026nbsp;Xmanager 5.0 Build 1045,\u0026nbsp;Xshell 5.0 Build 1322,\u0026nbsp;Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month\u2011generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017."
}
],
"value": "NetSarang Xmanager Enterprise 5.0 Build 1232,\u00a0Xmanager 5.0 Build 1045,\u00a0Xshell 5.0 Build 1322,\u00a0Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month\u2011generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017."
}
],
"impacts": [
{
"capecId": "CAPEC-186",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-186 Malicious Software Update"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T17:01:08.016Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://web.archive.org/web/20181022035109/https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html"
},
{
"tags": [
"technical-description"
],
"url": "https://usa.kaspersky.com/about/press-releases/shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwide"
},
{
"tags": [
"technical-description"
],
"url": "https://securelist.com/shadowpad-in-corporate-networks/81432/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/netsarang-malicious-backdoor-supply-chain-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "NetSarang v5.0 Malicious Backdoor Supply Chain Compromise",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2017-20203",
"datePublished": "2025-10-09T17:01:08.016Z",
"dateReserved": "2025-10-08T19:40:07.189Z",
"dateUpdated": "2025-10-15T16:14:17.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-25117 (GCVE-0-2018-25117)
Vulnerability from cvelistv5
Published
2025-10-15 01:23
Modified
2025-10-15 18:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vesta | Control Panel (CP) |
Version: commit a3f0fa1 (2018-05-31) < commit ee03eff (2018-06-13) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25117",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T18:54:21.234917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T18:56:00.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Debian installer"
],
"product": "Control Panel (CP)",
"vendor": "Vesta",
"versions": [
{
"lessThan": "commit ee03eff (2018-06-13)",
"status": "affected",
"version": "commit a3f0fa1 (2018-05-31)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kaspersky Labs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.\u003cbr\u003e"
}
],
"value": "VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018."
}
],
"impacts": [
{
"capecId": "CAPEC-441",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-441 Malicious Logic Insertion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T01:23:35.427Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/outroll/vesta/commit/ee03eff016e03cb76fac7ae3a0f9d1ef0f8ee35b#diff-df8da0c91e9086454c60cd468849630dL1270"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/outroll/vesta/commit/a3f0fa1501d424477786e3e7150bb05c0b99518f#diff-df8da0c91e9086454c60cd468849630dR1256"
},
{
"tags": [
"issue-tracking"
],
"url": "https://forum.vestacp.com/viewtopic.php?f=10\u0026t=17641\u0026p=73282"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://forum.vestacp.com/viewtopic.php?f=10\u0026t=17641\u0026start=180#p73907"
},
{
"tags": [
"product"
],
"url": "https://vestacp.com/"
},
{
"tags": [
"product"
],
"url": "https://github.com/outroll/vesta"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/vestacp-debian-installer-malicious-backdoor-supply-chain-compromise"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_known-exploited-vulnerability"
],
"title": "VestaCP Debian Installer Malicious Backdoor Supply Chain Compromise",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25117",
"datePublished": "2025-10-15T01:23:35.427Z",
"dateReserved": "2025-10-14T16:07:20.780Z",
"dateUpdated": "2025-10-15T18:56:00.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3094 (GCVE-0-2024-3094)
Vulnerability from cvelistv5
Published
2024-03-29 16:51
Modified
2025-08-19 01:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Version: 5.6.0 Version: 5.6.1 |
||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T04:00:23.138684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T15:37:17.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-08-19T00:24:09.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"
},
{
"tags": [
"x_transferred"
],
"url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"
},
{
"tags": [
"x_transferred"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"
},
{
"tags": [
"x_transferred"
],
"url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.gentoo.org/928134"
},
{
"name": "RHBZ#2272210",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"
},
{
"tags": [
"x_transferred"
],
"url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/amlweems/xzbot"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/karcherm/xz-malware"
},
{
"tags": [
"x_transferred"
],
"url": "https://gynvael.coldwind.pl/?lang=en\u0026id=782"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lwn.net/Articles/967180/"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39865810"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39877267"
},
{
"tags": [
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=39895344"
},
{
"tags": [
"x_transferred"
],
"url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.swtch.com/xz-script"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.swtch.com/xz-timeline"
},
{
"tags": [
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.archlinux.org/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240402-0001/"
},
{
"tags": [
"x_transferred"
],
"url": "https://tukaani.org/xz-backdoor/"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/debian/status/1774219194638409898"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/infosecb/status/1774595540233167206"
},
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/infosecb/status/1774597228864139400"
},
{
"tags": [
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.kali.org/blog/about-the-xz-backdoor/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"
},
{
"tags": [
"x_transferred"
],
"url": "https://xeiaso.net/notes/2024/xz-vuln/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/tukaani-project/xz",
"defaultStatus": "unaffected",
"packageName": "xz",
"versions": [
{
"status": "affected",
"version": "5.6.0"
},
{
"status": "affected",
"version": "5.6.1"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "xz",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Andres Freund for reporting this issue."
}
],
"datePublic": "2024-03-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T01:03:12.439Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3094"
},
{
"name": "RHBZ#2272210",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
},
{
"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-27T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-03-29T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Xz: malicious code in distributed source",
"x_redhatCweChain": "CWE-506: Embedded Malicious Code"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3094",
"datePublished": "2024-03-29T16:51:12.588Z",
"dateReserved": "2024-03-29T15:38:13.249Z",
"dateUpdated": "2025-08-19T01:03:12.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4978 (GCVE-0-2024-4978)
Vulnerability from cvelistv5
Published
2024-05-23 01:56
Modified
2025-07-30 01:37
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Justice AV Solutions | Viewer |
Version: 8.3.7.250 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:javs:viewer:8.3.7.250:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewer",
"vendor": "javs",
"versions": [
{
"status": "affected",
"version": "8.3.7.250"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4978",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-30T11:12:54.307588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-05-29",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4978"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:03.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2024-05-29T00:00:00+00:00",
"value": "CVE-2024-4978 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://twitter.com/2RunJack2/status/1775052981966377148"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.javs.com/downloads/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Viewer",
"vendor": "Justice AV Solutions",
"versions": [
{
"status": "affected",
"version": "8.3.7.250"
}
]
}
],
"datePublic": "2024-05-23T00:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands.\u0026nbsp;"
}
],
"value": "Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T17:11:59.027Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"url": "https://twitter.com/2RunJack2/status/1775052981966377148"
},
{
"url": "https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/"
},
{
"url": "https://www.javs.com/downloads/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Malicious Code in Justice AV Solutions (JAVS) Viewer",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-4978",
"datePublished": "2024-05-23T01:56:37.946Z",
"dateReserved": "2024-05-15T21:03:53.551Z",
"dateUpdated": "2025-07-30T01:37:03.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10894 (GCVE-0-2025-10894)
Vulnerability from cvelistv5
Published
2025-09-24 21:20
Modified
2025-09-25 14:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Version: 20.12.0 Version: 21.8.0 Version: 21.7.0 Version: 20.11.0 Version: 21.6.0 Version: 20.10.0 Version: 20.9.0 Version: 21.5.0 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-25T13:51:05.714060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T13:51:09.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"
},
{
"tags": [
"exploit"
],
"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx",
"versions": [
{
"status": "affected",
"version": "20.12.0"
},
{
"status": "affected",
"version": "21.8.0"
},
{
"status": "affected",
"version": "21.7.0"
},
{
"status": "affected",
"version": "20.11.0"
},
{
"status": "affected",
"version": "21.6.0"
},
{
"status": "affected",
"version": "20.10.0"
},
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/devkit",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://nx.dev/powerpack",
"defaultStatus": "unaffected",
"packageName": "nx/enterprise-cloud",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/eslint",
"versions": [
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/js",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/key",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/node",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://github.com/nrwl/nx",
"defaultStatus": "unaffected",
"packageName": "nx/workspace",
"versions": [
{
"status": "affected",
"version": "20.9.0"
},
{
"status": "affected",
"version": "21.5.0"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:multicluster_globalhub"
],
"defaultStatus": "unaffected",
"packageName": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
"product": "Multicluster Global Hub",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:serverless:1"
],
"defaultStatus": "unaffected",
"packageName": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
"product": "OpenShift Serverless",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "unaffected",
"packageName": "rhacm2/acm-grafana-rhel9",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"defaultStatus": "unaffected",
"packageName": "automation-gateway",
"product": "Red Hat Ansible Automation Platform 2",
"vendor": "Red Hat"
}
],
"datePublic": "2025-09-23T16:51:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user\u0027s accounts."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T14:04:07.023Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-10894"
},
{
"url": "https://access.redhat.com/security/supply-chain-attacks-NPM-packages"
},
{
"name": "RHBZ#2396282",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396282"
},
{
"url": "https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c"
},
{
"url": "https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware"
},
{
"url": "https://www.wiz.io/blog/s1ngularity-supply-chain-attack"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-17T21:01:13.505000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-09-23T16:51:00+00:00",
"value": "Made public."
}
],
"title": "Nx: nx/devkit: malicious versions of nx and plugins published to npm",
"x_redhatCweChain": "CWE-506: Embedded Malicious Code"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-10894",
"datePublished": "2025-09-24T21:20:31.242Z",
"dateReserved": "2025-09-23T16:30:03.636Z",
"dateUpdated": "2025-09-25T14:04:07.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30066 (GCVE-0-2025-30066)
Vulnerability from cvelistv5
Published
2025-03-15 00:00
Modified
2025-07-30 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tj-actions | changed-files |
Version: 1 < 46 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30066",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-22T03:55:44.803134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-18",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30066"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:36:16.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-18T00:00:00+00:00",
"value": "CVE-2025-30066 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-03-18T21:05:17.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "changed-files",
"vendor": "tj-actions",
"versions": [
{
"lessThan": "46",
"status": "affected",
"version": "1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tj-actions:changed-files:*:*:*:*:*:*:*:*",
"versionEndExcluding": "46",
"versionStartIncluding": "1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T21:59:21.617Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/github/docs/blob/962a1c8dccb8c0f66548b324e5b921b5e4fbc3d6/content/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions.md?plain=1#L191-L193"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2463"
},
{
"url": "https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised"
},
{
"url": "https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/"
},
{
"url": "https://news.ycombinator.com/item?id=43368870"
},
{
"url": "https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463"
},
{
"url": "https://news.ycombinator.com/item?id=43367987"
},
{
"url": "https://github.com/rackerlabs/genestack/pull/903"
},
{
"url": "https://github.com/chains-project/maven-lockfile/pull/1111"
},
{
"url": "https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/"
},
{
"url": "https://github.com/espressif/arduino-esp32/issues/11127"
},
{
"url": "https://github.com/modal-labs/modal-examples/issues/1100"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2464"
},
{
"url": "https://github.com/tj-actions/changed-files/blob/45fb12d7a8bedb4da42342e52fe054c6c2c3fd73/README.md?plain=1#L20-L28"
},
{
"url": "https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066"
},
{
"url": "https://www.stream.security/post/github-action-supply-chain-attack-exposes-secrets-what-you-need-to-know-and-how-to-respond"
},
{
"url": "https://www.sweet.security/blog/cve-2025-30066-tj-actions-supply-chain-attack"
},
{
"url": "https://github.com/tj-actions/changed-files/issues/2477"
},
{
"url": "https://blog.gitguardian.com/compromised-tj-actions/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30066",
"datePublished": "2025-03-15T00:00:00.000Z",
"dateReserved": "2025-03-15T00:00:00.000Z",
"dateUpdated": "2025-07-30T01:36:16.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30154 (GCVE-0-2025-30154)
Vulnerability from cvelistv5
Published
2025-03-19 15:15
Modified
2025-07-30 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30154",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-25T03:55:16.734240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-03-24",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30154"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:36:16.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2025-03-24T00:00:00+00:00",
"value": "CVE-2025-30154 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "reviewdog",
"vendor": "reviewdog",
"versions": [
{
"status": "affected",
"version": "= 1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506: Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:15:29.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc"
},
{
"name": "https://github.com/reviewdog/reviewdog/issues/2079",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/reviewdog/issues/2079"
},
{
"name": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/action-setup/commit/3f401fe1d58fe77e10d665ab713057375e39b887"
},
{
"name": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/reviewdog/action-setup/commit/f0d342d24037bb11d26b9bd8496e0808ba32e9ec"
},
{
"name": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup"
}
],
"source": {
"advisory": "GHSA-qmg3-hpqr-gqvc",
"discovery": "UNKNOWN"
},
"title": "Multiple Reviewdog actions were compromised during a specific time period"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30154",
"datePublished": "2025-03-19T15:15:29.113Z",
"dateReserved": "2025-03-17T12:41:42.566Z",
"dateUpdated": "2025-07-30T01:36:16.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-34252 (GCVE-0-2025-34252)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This vulnerability has been reassigned as CVE-2017-20203 ( https://www.cve.org/CVERecord?id=CVE-2017-20203 ) to have the year of the CVE correspond to the year of public disclosure.
Replaced by CVE-2017-20203
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-09T16:58:14.274Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This vulnerability has been reassigned as CVE-2017-20203 (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cve.org/CVERecord?id=CVE-2017-20203\"\u003ehttps://www.cve.org/CVERecord?id=CVE-2017-20203\u003c/a\u003e) to have the year of the CVE correspond to the year of public disclosure."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This vulnerability has been reassigned as CVE-2017-20203 ( https://www.cve.org/CVERecord?id=CVE-2017-20203 ) to have the year of the CVE correspond to the year of public disclosure."
}
],
"replacedBy": [
"CVE-2017-20203"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34252",
"datePublished": "2025-10-07T21:01:40.739Z",
"dateRejected": "2025-10-09T16:58:14.274Z",
"dateReserved": "2025-04-15T19:15:22.578Z",
"dateUpdated": "2025-10-09T16:58:14.274Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Testing
Description:
- Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.