Security

We’re delighted to announce the release of Vulnerability-Lookup 2.18.0 — packed with exciting new features!

What's New

Integration with Rulezet

Rulezet is an open-source platform for sharing, evaluating, improving, and managing cybersecurity detection rules (YARA, Sigma, Suricata, etc.). Its goal is to foster collaboration among professionals and enthusiasts to enhance the quality and reliability of detection rules.

Vulnerability-Lookup can now be configured to interface with the API of any Rulezet instance, providing insights into existing detection rules related to security vulnerabilities.
The default Rulezet instance enabled in Vulnerability-Lookup is hosted at https://rulezet.org/ and currently offers more than 122,000 security rules.

Detection rules related to vulnerabilities are displayed on the vulnerability details page (in a dedicated tab) and on bundle details pages.

You can even query the remote Rulezet instance via the Vulnerability-Lookup API:

$ curl --silent 'https://vulnerability.circl.lu/api/rulezet/search_rules_by_vulnerabilities/CVE-2020-27130?page=1&per_page=50' | jq
{
  "metadata": {
    "count": 3,
    "page": 1,
    "per_page": 50
  },
  "data": [
    {
      "id": 122599,
      "uuid": "84846673-015e-450b-8a73-2ba481b5a6ce",
      "vulnerability_id": "CVE-2020-27130",
      "format": "suricata",
      "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Upload webshell",
      "description": "Rule for security (detection rule in many format)",
      "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on  Cisco Security Manager - Upload webshell\"; flow:to_server,established; content:\"POST\"; http_method; content:\"/cwhp/XmpFileUploadServlet\"; startswith; http_uri; pcre:\"/filename=\\\".*\\.\\.\\/.+\\\"\\r\\n/P\"; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271303; rev:1;)",
      "detail_url": "https://rulezet.org/rule/detail_rule/122599",
      "creation_date": "2025-11-06 13:03",
      "updated_date": "2025-11-13 09:33"
    },
    {
      "id": 122598,
      "uuid": "538dafc1-d49c-4fd6-bdb5-57b997346fe6",
      "vulnerability_id": "CVE-2020-27130",
      "format": "suricata",
      "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary directory as a zip file",
      "description": "Rule for security (detection rule in many format)",
      "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary directory as a zip file\"; flow:to_server,established; content:\"GET\"; http_method; pcre:\"/^\\/cwhp\\/(Xmp|Sample)FileDownloadServlet/U\"; content:\"../\"; distance:0; http_uri; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271302; rev:1;)",
      "detail_url": "https://rulezet.org/rule/detail_rule/122598",
      "creation_date": "2025-11-06 13:03",
      "updated_date": "2025-11-06 13:03"
    },
    {
      "id": 122597,
      "uuid": "2cd8fb2a-e97b-4390-8dca-d416b2858c66",
      "vulnerability_id": "CVE-2020-27130",
      "format": "suricata",
      "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary file",
      "description": "Rule for security (detection rule in many format)",
      "raw": "alert http any any -> any any (msg:\"Exploit CVE-2020-27130 on Cisco Security Manager - Download arbitrary file\"; flow:to_server,established; content:\"GET\"; http_method; pcre:\"/^\\/athena\\/(xdmProxy\\/(xdmConfig|xdmResources)|itf\\/resultsFrame\\.jsp)/U\"; content:\"../\"; distance:0; http_uri; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271301; rev:1;)",
      "detail_url": "https://rulezet.org/rule/detail_rule/122597",
      "creation_date": "2025-11-06 13:03",
      "updated_date": "2025-11-06 13:03"
    }
  ]
}

Thanks to Théo Geffe for making this integration possible.

Indexing Information Related to Assigners (CNA)

Information about security advisory assigners is now indexed. CNAs from the official CVE Program source (cvelistv5) are indexed in Kvrocks, with GNAs planned for the future.
The API exposes this data via a new assigners endpoint. From an API perspective, both CNAs and GNAs are treated as assigners, though they will be stored in dedicated indexes.

Updates include:

  • Enhanced search capabilities related to assigners.
  • Improved /stats page.
  • Updated vulnerability details page: display the assigner name with a link.
  • A new page listing assigners, similar to the existing CWE list.

Implemented in PR #283.

Website

  • new: [website] Add PROTECT_USER_PAGES option to restrict user profile pages to authenticated users. Closes (#277)

Vulnerability Sources

Changes

  • chg: [website] Account creation via the API is now rate-limited to 3 registrations per hour per IP. (3a12de2)
  • Additional validation checks have been added to reject email addresses that are disposable (MISP list), from blocked domains, or with invalid MX records. (3a12de2)
  • chg: [website] Improved email address check in both the API endpoint and in the form controller. (bb090fc)
  • chg: [website] user.last_seen is now updated after successful login. (fb5796e)
  • chg: [API] Improved date parsing for sightings (d7bc9fd)
  • chg: [website] Harmonization of the templates for the details views of bundles and comments. (c7f90aa)
  • chg: [feeders] Improved use of the kvrocks counters for vendors and cwe rankings. (1205670)
  • chg: [notifications] add random jitter to reschedule execution times (d974315)
  • various minor improvements to the backend, user interface and documentation.

Refreshed views

Fixes

  • fix: [website] Redirect the user to the user_bp.watchlist view if notifications are found. (4f6e0bc)
  • fix: [API] Delete notifications of the user to delete. (2371962)
  • Rename flatpickr to flatpickr.js and update template reference (8dcc804) by @DocArmoryTech

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.18.0

Thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/
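
Added example, not Vulnerability-Lookup or Rulezet code: once the `search_rules_by_vulnerabilities` response above has been fetched and JSON-decoded, the Suricata rules it carries still need to be split into their option fields before they can be checked or loaded. The parser below is quote- and escape-aware (the `pcre` option in the first rule contains escaped quotes), extracts `msg`/`sid`/`rev`/`classtype`, and flags a rule whose `reference:cve` option does not name the vulnerability it was returned for. The `SAMPLE_RESPONSE` is a constructed, shortened copy of the response shape shown in the post; the response field names used are those visible in the post.

```python
import re

# Constructed sample in the shape of the API response shown in the post
# (one rule kept, unused fields dropped). Not live data.
SAMPLE_RESPONSE = {
    "metadata": {"count": 1, "page": 1, "per_page": 50},
    "data": [
        {
            "id": 122599,
            "vulnerability_id": "CVE-2020-27130",
            "format": "suricata",
            "title": "Exploit CVE-2020-27130 on Cisco Security Manager - Upload webshell",
            "raw": r'alert http any any -> any any (msg:"Exploit CVE-2020-27130 on  Cisco Security Manager - Upload webshell"; flow:to_server,established; content:"POST"; http_method; content:"/cwhp/XmpFileUploadServlet"; startswith; http_uri; pcre:"/filename=\".*\.\.\/.+\"\r\n/P"; reference:cve,CVE-2020-27130; classtype:web-application-attack; sid:2020271303; rev:1;)',
            "detail_url": "https://rulezet.org/rule/detail_rule/122599",
        }
    ],
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.DOTALL,
)
REQUIRED = ("msg", "sid", "rev")


def _split_kv(token):
    """'msg:"x"' -> ('msg', 'x'); a bare keyword such as http_method -> ('http_method', None)."""
    key, sep, value = token.partition(":")
    if not sep:
        return key.strip(), None
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return key.strip(), value


def split_options(body):
    """Split the text inside the parentheses on ';' that are outside quotes.

    A backslash escapes the next character, so the \\" sequences inside the
    pcre option do not close its quoted value.
    """
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            if token:
                opts.append(_split_kv(token))
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(_split_kv(tail))
    return opts


def parse_suricata_rule(raw):
    """Return the header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Suricata rule: %r" % raw[:40])
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("body"))
    return rule


def summarize_rules(response):
    """One summary per Suricata rule in a decoded API response.

    'problems' lists missing mandatory keywords and a reference:cve that does
    not match the vulnerability_id the rule was returned for.
    """
    out = []
    for entry in response["data"]:
        if entry["format"] != "suricata":
            continue  # only the Suricata format is parsed here
        rule = parse_suricata_rule(entry["raw"])
        first = {}
        for k, v in rule["options"]:
            first.setdefault(k, v)  # keep the first of repeated keywords such as content
        problems = ["missing " + k for k in REQUIRED if k not in first]
        cves = [v.split(",", 1)[1].upper() for k, v in rule["options"]
                if k == "reference" and v and v.lower().startswith("cve,")]
        if entry["vulnerability_id"].upper() not in cves:
            problems.append("reference:cve does not name " + entry["vulnerability_id"])
        out.append({"id": entry["id"], "sid": first.get("sid"), "rev": first.get("rev"),
                    "msg": first.get("msg"), "classtype": first.get("classtype"),
                    "cve_references": cves, "problems": problems})
    return out


if __name__ == "__main__":
    for row in summarize_rules(SAMPLE_RESPONSE):
        print(row)
```

The same `summarize_rules` call works on the output of `json.load` over the curl response shown above, since the constructed sample uses the same field names.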

Internal documents reveal Meta projected it would earn $16 billion - about 10% of its 2024 revenue - from running ads for scams and banned goods[^1]. The company shows users an estimated 15 billion "higher risk" scam advertisements daily, generating about $7 billion in annual revenue from these fraudulent ads[^2].

Meta's own safety staff estimated that its platforms were involved in one-third of all successful scams in the US, while in Britain, Meta's products were linked to 54% of all payments-related scam losses in 2023[^2].

Rather than aggressively combat fraud, Meta charges suspected scammers higher ad rates as a "disincentive"[^2]. The company's anti-fraud team operates under strict revenue limits - they can only take actions that would reduce ad revenue by 0.15% ($135 million) even though scam ads generate $7 billion yearly[^2].

Internal memos show Meta concluded that potential regulatory fines of up to $1 billion would be far less than their revenue from fraudulent ads[^2]. "It is easier to advertise scams on Meta platforms than Google," stated an internal Meta review from April 2025[^2].

Meta spokesman Andy Stone claimed these documents "present a selective view that distorts Meta's approach to fraud and scams" and said the company had "reduced user reports of scam ads globally by 58 percent" over 18 months[^2].

[^1]: Reuters - Meta is earning a fortune on fraudulent ads
[^2]: Gulf Times - Internal documents show Meta is earning a fortune on fraudulent ads


How did the changes in the binary test files tests/files/bad-3-corrupt_lzma2.xz and tests/files/good-large_compressed.lzma (and the makefile change in m4/build-to-host.m4) manifest to the Debian maintainer? Was there a chance of noticing something odd?

MS Digital Defense Report (cdn-dynmedia-1.microsoft.com)
submitted 1 month ago by Zerush@lemmy.ml to c/security@lemmy.ml
 
 

(Summary by Apertus PublicAI)

The Microsoft Digital Defense Report 2025 provides an in-depth look at the current state of cybersecurity, emerging threats, and the future of digital defense. The report is structured around three key areas:

Current Threat Landscape: It highlights the current cybersecurity landscape, including the rise of state-sponsored threats, advanced persistent threats (APTs), ransomware, and the increased use of AI in cyber attacks. It discusses the growing trend of cyber threats targeting cloud services, supply chains, and IoT devices.

The report also mentions the evolving threat landscape in the context of the war in Ukraine, emphasizing the impact of cyber warfare and espionage on global digital security.

Emerging Trends and Technologies: The report covers the impact of AI and machine learning on both cybersecurity and cyber threats. On one hand, AI is being used to enhance threat detection and response, but it's also being used by malicious actors to launch more sophisticated attacks.

It discusses the challenges and opportunities in securing the metaverse, including new attack vectors and the need for new security paradigms in virtual and augmented reality environments.

There's also an emphasis on the role of 5G and edge computing in the future of digital defense, highlighting both the potential for improved security (through improved connectivity and data processing capabilities) and new vulnerabilities.

Defense Strategies and Recommendations: Microsoft advocates for a shift towards more proactive and predictive approaches to cybersecurity, including the use of AI and automation for threat detection and incident response.

It stresses the importance of a "defense-in-depth" strategy that combines multiple layers of security, including identity and access management, endpoint security, and cloud security.

The report highlights the need for collaboration between the public and private sectors, as well as across international borders, to combat the increasingly globalized nature of cyber threats.

It also touches on the importance of securing software supply chains, enhancing user education and awareness, and the role of cybersecurity as a core aspect of business continuity and resilience planning.

Special Focus on Government and Industry Responses: The report offers insights into how governments and industries worldwide are responding to these threats, including legislative and regulatory efforts, international cooperation, and industry best practices.

It discusses the role of national cybersecurity agencies and international organizations in setting standards and coordinating responses to global threats. There's also a focus on the importance of addressing the skills gap in cybersecurity, with recommendations for education and training programs to ensure there are enough skilled professionals to meet the growing demand.

Future Outlook: Microsoft provides a forward-looking perspective on what the next few years might hold, including predictions for how AI, quantum computing, and the evolution of digital infrastructure might shape both threats and defenses. It also outlines the need for continuous innovation in cybersecurity technologies and practices to stay ahead of threats.

The Microsoft Digital Defense Report 2025 serves as a comprehensive guide for organizations and governments looking to understand the current state of cybersecurity and prepare for future threats, emphasizing collaboration, innovation, and a proactive approach to digital defense.

submitted 1 month ago* (last edited 1 month ago) by cedric@lemmy.ml to c/security@lemmy.ml
 
 

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for September 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, and more. For further details, please visit this page.

The Month at a Glance

September 2025 has been marked by a diverse set of vulnerability sightings across multiple platforms and software ecosystems. The data collected through Vulnerability-Lookup indicates that both newly disclosed and previously known vulnerabilities continued to see active exploitation and discussion in the wild.

CVE-2025-10585, affecting Google Chrome, dominated the reports with 94 sightings. Other frequently sighted vulnerabilities include CVE-2025-10035 in Fortra’s GoAnywhere MFT and CVE-2025-42957 in SAP S/4HANA, both of which reflect persistent enterprise-level risks. These instances underscore the continued need for rapid patch deployment and robust monitoring in enterprise environments.

Network and infrastructure devices also remained a focus for adversaries. Vulnerabilities such as CVE-2023-51767 in OpenSSH and several router-specific CVEs like CVE-2017-18368 highlight the ongoing relevance of securing network endpoints against unauthorized access and exploitation. Similarly, Linux-based vulnerabilities, including CVE-2024-50264, accounted for a significant number of sightings, reinforcing the importance of kernel updates and system hardening practices.

From a severity perspective, most sightings fell into the High and Critical categories, with VLAI confidence scores often exceeding 0.95. This aligns with global observations of attackers prioritizing high-impact targets, such as widely used browsers, enterprise software, and critical network infrastructure. For example, Adobe Commerce, Sitecore Experience Manager, and Microsoft Entra were all associated with vulnerabilities of critical severity, underlining the necessity for organizations to prioritize patching and risk mitigation.

September 2025 reinforces several key trends in the cybersecurity landscape: high-severity vulnerabilities remain prevalent across browsers, enterprise software, and networking devices; unpublished vulnerabilities are actively exploited; and community-driven data aggregation plays a critical role in timely awareness and response. Organizations are encouraged to review patch management processes, monitor community sightings, and leverage threat intelligence feeds to mitigate exposure to these ongoing threats.

This month’s report features a new section dedicated to Known Exploited Vulnerabilities catalogs.

Top 10 Vendors of the Month

(chart not included)

Top 15 vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-10585 | 94 | Google | Chrome | High (confidence: 0.9945) |
| CVE-2025-10035 | 79 | Fortra | GoAnywhere MFT | Critical (confidence: 0.9076) |
| CVE-2025-42957 | 71 | SAP_SE | SAP S/4HANA (Private Cloud or On-Premise) | Critical (confidence: 0.9849) |
| CVE-2025-55241 | 68 | Microsoft | Microsoft Entra | High (confidence: 0.4512) |
| CVE-2025-54236 | 64 | Adobe | Adobe Commerce | Critical (confidence: 0.9679) |
| CVE-2024-50264 | 60 | Linux | Linux | High (confidence: 0.9854) |
| CVE-2015-2051 | 58 | dlink | dir-645 | High (confidence: 0.4993) |
| CVE-2023-51767 | 57 | openssh | openssh | High (confidence: 0.5824) |
| CVE-2017-18368 | 57 | zyxel | p660hn-t1a_v2 | Critical (confidence: 0.9679) |
| CVE-2025-43300 | 54 | Apple | iOS and iPadOS | High (confidence: 0.9548) |
| CVE-2025-55177 | 53 | Facebook | WhatsApp Desktop for Mac | High (confidence: 0.5006) |
| CVE-2018-10562 | 51 | dasannetworks | gpon_router | Critical (confidence: 0.9522) |
| CVE-2016-1555 | 49 | netgear | wnap320 | Critical (confidence: 0.9159) |
| CVE-2025-20333 | 48 | code-projects | Blood Bank Management System | Medium (confidence: 0.9945) |
| CVE-2025-53690 | 44 | Sitecore | Experience Manager (XM) | Critical (confidence: 0.9573) |

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

| CVE ID | Date Added (dd/mm/yy) | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-59689 | 29/09/25 | Cisco | IOS | Medium (confidence: 0.8045) |
| CVE-2025-10035 | 29/09/25 | Fortra | GoAnywhere MFT | Critical (confidence: 0.9076) |
| CVE-2025-32463 | 29/09/25 | Sudo project | Sudo | High (confidence: 0.5599) |
| CVE-2021-21311 | 29/09/25 | vrana | adminer | High (confidence: 0.6111) |
| CVE-2025-20352 | 29/09/25 | Cisco | IOS | High (confidence: 0.9912) |
| CVE-2025-20333 | 25/09/25 | Cisco | Cisco Adaptive Security Appliance (ASA) Software | Critical (confidence: 0.9823) |
| CVE-2025-20362 | 25/09/25 | Cisco | Cisco Adaptive Security Appliance (ASA) Software | Medium (confidence: 0.9948) |
| CVE-2025-10585 | 23/09/25 | Google | Chrome | High (confidence: 0.9945) |
| CVE-2025-5086 | 11/09/25 | Dassault Systèmes | DELMIA Apriso | Critical (confidence: 0.9632) |
| CVE-2025-53690 | 04/09/25 | Sitecore | Experience Manager (XM) | Critical (confidence: 0.9573) |
| CVE-2025-48543 | 04/09/25 | Google | Android | High (confidence: 0.9709) |
| CVE-2025-38352 | 04/09/25 | Linux | Linux | High (confidence: 0.8176) |
| CVE-2023-50224 | 03/09/25 | TP-Link | TL-WR841N | Medium (confidence: 0.9651) |
| CVE-2025-9377 | 03/09/25 | TP-Link Systems Inc. | Archer C7(EU) V2 | High (confidence: 0.9895) |
| CVE-2020-24363 | 02/09/25 | TP-Link | tl-wa855re | High (confidence: 0.9407) |

ENISA

| CVE ID | Date Added (dd/mm/yy) | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-25231 | 09/09/25 | Omnissa | Omnissa Workspace ONE UEM | High (confidence: 0.8877) |

Top 10 Weaknesses of the Month

(chart not included)

Unpublished Vulnerabilities in the Wild

Sightings detected between 2025-09-01 and 2025-09-30 that are associated with unpublished vulnerabilities.

| Vulnerability ID | Occurrences | Comment |
| --- | --- | --- |
| CVE-2023-42344 | 15 | OpenCMS Unauthenticated XXE Vulnerability |
| CVE-2025-30333 | 2 | |
| CVE-2025-27225 | 1 | Nuclei template |
| CVE-2025-27222 | 1 | |
| CVE-2025-14414 | 1 | Oracle |
| CVE-2011-2553 | 1 | Exploit (SPLOITUS) source code not published |
| CVE-2025-56708 | 1 | Exploit (SPLOITUS) |
| CVE-2025-55817 | 1 | Exploit (SPLOITUS) |

Continuous Exploitation

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding


The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release

submitted 2 months ago* (last edited 2 months ago) by cedric@lemmy.ml to c/security@lemmy.ml
 
 

We’re delighted to announce the release of Vulnerability-Lookup 2.16.0 — packed with exciting new features!

(Screencast and screenshots of the statistics page and the search page not included)

What's New

Backend

  • Introduced source-scoped kvrocks counters and source-scoped sorted indexes for vulnerability advisories by state (published, updated, reserved). (#211, PR #215)
    Examples of newly available queries:

    • GET published:count:github:2025-09
    • ZREVRANGE index:csaf_certbund:published 0 9 WITHSCORES
    • ZREVRANGE vendors:ranking:2025-08 0 9 WITHSCORES
  • Added feeders for CERT-FR Avis and CERT-FR Alerte. (b99291f)

API

The Stats API endpoint now delivers statistics on CVE publications, with filters available by source, date, and advisory state. These new endpoints leverage the new indexes provided by the kvrocks backend. The result can be returned as JSON (default) or as a Markdown table. (0d153ed)

Frontend

  • Added a new public statistics page displaying various insights on CVE publications. This new page features several interactive charts powered by the new Stats API endpoints. (0d153ed, c842876)

  • Added XSLT support for various RSS/Atom feeds. The XSLT is injected immediately after feed generation, before delivery to the user. (241c6ca)

Migration Notes

  • To reset the indexes, you can execute bin/index_vulnerabilities.py, which uses various reindexing utilities. This will delete indexes and counters! Alternatively, you can rerun the appropriate feeder with the --reimport parameter.

Changes

  • Improved search page: (82b9f95, f9f5c58)

    • Filtering on sources, vendors, and products.
    • Sorting based on advisory state (reserved, published, updated) and order (ascending/descending).
    • Displaying all vulnerabilities related to a vendor with pagination (without specifying a product).
  • Improved recent page: vulnerabilities from multiple sources can now be sorted by publication or update date. (df1e472c)

  • Improved admin dashboard for user management. (#221)

  • Improved Vulnerability API endpoint: The GET List endpoint now provides more advanced filtering by source and advisory state. (0d153ed)

  • Various improvements related to the vulnerability description pages.

Fixes

  • NDJSON data dumps: fixed an issue where dumps did not actually contain newlines. (#218)
  • Prevent reimport of already ingested vulnerabilities from flaky CSAF sources. (#1848619)

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.16.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/
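
Added example, not Vulnerability-Lookup code: the three example queries in the Backend section (a per-source, per-month counter read with GET, and two sorted sets read with ZREVRANGE) imply a key layout, and the script below models that layout in plain Python so the design can be exercised without a kvrocks instance. The key names are taken from the post; the use of the advisory timestamp as the sorted-set score, the vendor ranking being incremented on publication, and the seen-set are assumptions. The seen-set is the point worth noting for the Migration Notes: ZADD is idempotent (re-adding a member only updates its score), but INCR is not, so a counter that is bumped on every ingestion gets inflated whenever a flaky source or a --reimport run replays advisories that were already counted.

```python
from collections import defaultdict
from datetime import datetime, timezone


class SourceScopedIndex:
    """In-memory model of source-scoped counters and sorted indexes.

    Only GET, ZREVRANGE and an idempotent indexing step are modelled; this is
    not a kvrocks client and the key layout is inferred from the post.
    """

    def __init__(self):
        self.counters = defaultdict(int)  # plain INCR/GET keys
        self.zsets = defaultdict(dict)    # sorted sets: member -> score
        self.seen = set()                 # (source, vuln_id, state) already counted

    def index_advisory(self, source, vuln_id, state, when, vendor=None):
        """Index one advisory in state 'published', 'updated' or 'reserved'.

        Returns True when the advisory was counted, False when it was a replay.
        The sorted-set entry is always refreshed (ZADD semantics); the monthly
        counter and vendor ranking are only bumped the first time the
        (source, id, state) triple is seen, so reimports do not inflate them.
        """
        month = when.strftime("%Y-%m")
        self.zsets[f"index:{source}:{state}"][vuln_id] = when.timestamp()
        key = (source, vuln_id, state)
        if key in self.seen:
            return False
        self.seen.add(key)
        self.counters[f"{state}:count:{source}:{month}"] += 1
        if vendor and state == "published":
            ranking = self.zsets[f"vendors:ranking:{month}"]
            ranking[vendor] = ranking.get(vendor, 0) + 1  # ZINCRBY-style
        return True

    def get(self, key):
        """GET <counter key>; a missing counter reads as 0."""
        return self.counters.get(key, 0)

    def zrevrange(self, key, start, stop, withscores=False):
        """ZREVRANGE key start stop [WITHSCORES]: highest score first.

        stop is inclusive and -1 means the last element, as in Redis; members
        with equal scores are ordered lexicographically, reversed.
        """
        items = sorted(self.zsets.get(key, {}).items(),
                       key=lambda kv: (kv[1], kv[0]), reverse=True)
        end = len(items) if stop == -1 else stop + 1
        window = items[start:end]
        return window if withscores else [member for member, _ in window]

    def reset(self):
        """What a full reindex starts from: indexes and counters are dropped."""
        self.counters.clear()
        self.zsets.clear()
        self.seen.clear()


def build_sample_index():
    """Constructed feed of a few advisories; the identifiers are placeholders."""
    idx = SourceScopedIndex()

    def ts(text):
        return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

    events = [
        ("github", "GHSA-xxxx-0001", "published", "2025-09-02T10:00", "vendor-a"),
        ("github", "GHSA-xxxx-0002", "published", "2025-09-05T08:30", "vendor-b"),
        ("github", "GHSA-xxxx-0002", "updated", "2025-09-09T12:00", "vendor-b"),
        ("csaf_certbund", "WID-SEC-2025-0001", "published", "2025-09-03T09:00", "vendor-a"),
        ("csaf_certbund", "WID-SEC-2025-0002", "published", "2025-09-07T09:00", "vendor-a"),
        ("csaf_certbund", "WID-SEC-2025-0003", "published", "2025-09-01T09:00", "vendor-c"),
        # replay of an already ingested advisory, as a flaky source or --reimport would send
        ("csaf_certbund", "WID-SEC-2025-0001", "published", "2025-09-03T09:00", "vendor-a"),
    ]
    for source, vuln_id, state, when, vendor in events:
        idx.index_advisory(source, vuln_id, state, ts(when), vendor)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("GET published:count:github:2025-09 ->", idx.get("published:count:github:2025-09"))
    print("ZREVRANGE index:csaf_certbund:published 0 9 ->",
          idx.zrevrange("index:csaf_certbund:published", 0, 9))
    print("ZREVRANGE vendors:ranking:2025-09 0 9 WITHSCORES ->",
          idx.zrevrange("vendors:ranking:2025-09", 0, 9, withscores=True))
```

Drop the seen-set and rerun the sample: the csaf_certbund counter reads 4 instead of 3 while the sorted index still holds three members, which is exactly the divergence a --reimport without a preceding reset would produce.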

 
 

HUMAN Security's Satori team has uncovered "SlopAds," a sophisticated ad fraud operation involving 224 Android apps downloaded over 38 million times across 228 countries[^1]. The apps use steganography to hide malicious code within PNG files and create hidden WebViews to generate fraudulent ad impressions and clicks[^1].

Key findings:

  • Generated 2.3 billion daily bid requests at peak
  • Heaviest traffic from US (30%), India (10%), and Brazil (7%)
  • Only activated fraud for downloads traced to threat actor ad campaigns
  • Used attribution tools and multiple layers of obfuscation to avoid detection
  • Operated through extensive network of command-and-control servers

Google has removed the identified apps and enabled Google Play Protect warnings to block future installations[^1]. HUMAN's Ad Fraud Defense and Ad Click Defense customers are protected from SlopAds' impact[^1].

[^1]: HUMAN Security - Satori Threat Intelligence Alert: SlopAds Covers Fraud with Layers of Obfuscation

App list Domain list

 
 

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for August 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The Month at a Glance

August 2025 saw continued activity across a range of products and vendors, with WinRAR, Microsoft Exchange (the previous month highlighted Microsoft SharePoint), and NetScaler ADC leading the sightings. Notably, several critical vulnerabilities were actively exploited, including NetScaler ADC (CVE-2025-6543 and CVE-2025-5777) and FortiSIEM (CVE-2025-25256).

Web applications remain a frequent target, with cross-site scripting (CWE-79) and SQL injection (CWE-89) dominating the weakness landscape. The report also highlights unpublished vulnerabilities that attracted attention, suggesting ongoing targeted exploitation and zero-day activity.

Overall, the month emphasizes the importance of timely patching, monitoring for continuous exploitation, and vigilance against both well-known and emerging threats.

Top 10 vulnerabilities of the Month

| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-8088 | 193 | win.rar GmbH | WinRAR | High (confidence: 0.9824) |
| CVE-2025-53786 | 175 | Microsoft | Microsoft Exchange Server Subscription Edition RTM | High (confidence: 0.8193) |
| CVE-2025-43300 | 128 | Apple | macOS | Medium (confidence: 0.4233) |
| CVE-2025-6543 | 111 | | NetScaler ADC | Critical (confidence: 0.9614) |
| CVE-2025-25256 | 79 | Fortinet | FortiSIEM | Critical (confidence: 0.6508) |
| CVE-2025-9074 | 65 | Docker | Docker Desktop | Critical (confidence: 0.8172) |
| CVE-2015-2051 | 62 | dlink | dir-645 | Critical (confidence: 0.54) |
| CVE-2017-18368 | 61 | zyxel | p660hn-t1a_v2 | Critical (confidence: 0.9298) |
| CVE-2025-31324 | 59 | SAP_SE | SAP NetWeaver (Visual Composer development server) | Critical (confidence: 0.9607) |
| CVE-2025-5777 | 52 | | NetScaler ADC | Critical (confidence: 0.964) |

Top 10 Weaknesses of the Month

Top 10 Weaknesses of the Month

| CWE | Count |
| ----- | ----- |
| CWE-79 | 639 |
| CWE-89 | 374 |
| CWE-74 | 282 |
| CWE-94 | 236 |
| CWE-121 | 206 |
| CWE-78 | 165 |
| CWE-416 | 157 |
| CWE-122 | 157 |
| CWE-119 | 150 |
| CWE-22 | 140 |

Most wanted vulnerabilities

Sightings detected between 2025-08-01 and 2025-08-31 that are associated with unpublished vulnerabilities.

| Vulnerability ID | Occurrences | Comment |
| --- | --- | --- |
| CVE-2023-42344 | 8 | OpenCMS |
| CVE-2024-28080 | 4 | Gitblit |
| GHSA-42m8-jxr4-976p | 2 | Wildermyth |
| CVE-2025-9040 | 2 | Workhorse - bundle |
| CVE-2025-9037 | 2 | Workhorse - bundle |

Unpublished vulnerabilities with limited sightings:

| Vulnerability ID | Occurrences |
| --- | --- |
| CVE-2023-34918 | 1 |
| CVE-2025-55117 | 1 |
| CVE-2025-14553 | 1 |
| CVE-2024-55177 | 1 |
| GHSA-5pm9-r2m8-rcmj | 1 |
| GHSA-m42g-xg4c-5f3h | 1 |
| GHSA-64qc-9x89-rx5j | 1 |
| CVE-2025-7719 | 1 |
| GHSA-c2gv-xgf5-5cc2 | 1 |
| CVE-2025-55616 | 1 |
| CVE-2025-57497 | 1 |
| CVE-2025-25964 | 1 |
| CVE-2024-545078 | 1 |
| CVE-2025-25987 | 1 |
| CVE-2025-1272 | 1 |
| CVE-2025-21589 | 1 |
| CVE-2025-26517 | 1 |
| CVE-2025-9141 | 1 |
| GHSA-wrh9-463x-7wvv | 1 |
| CVE-2024-46507 | 1 |
| CVE-2025-54321 | 1 |
| CVE-2025-31143 | 1 |
| CVE-2025-31646 | 1 |
| CVE-2025-27564 | 1 |
| GHSA-r4mf-mr9h-f27m | 1 |

Continuous Exploitation

  • CVE-2023-42344 - OpenCMS (also in the "Most wanted vulnerabilities" section)
  • CVE-2015-2051 - D-Link DIR-645 - Sightings from MISP and Shadowserver
  • CVE-2025-5777 - NetScaler ADC - Sightings from Shadowserver and many more.

Insights from Contributors

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424.
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.

More information

Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025

Back in late June, Citrix posted a patch for CVE-2025–6543, which they described as “Memory overflow vulnerability leading to unintended control flow and Denial of Service”. Denial of service? Piff the magic dragon, who cares.

No technical details were ever published about the vulnerability. That changes today.

What they forgot to tell you: it allows remote code execution, it was used to widespread compromise Netscaler remote access systems and maintain network access even after patching, webshells have been deployed, and Citrix knew this and just didn’t mention it.

More information

Cache Me If You Can (Sitecore Experience Platform Cache Poisoning to RCE)

The vulnerability affects Sitecore Experience Platform, a widely used Content Management System (CMS). The issue is a cache poisoning attack, which means an attacker can trick the system into storing malicious data in its cache. Later, when the system serves cached content, it unknowingly executes this malicious content.

In this specific case, the cache poisoning can escalate to remote code execution (RCE), meaning the attacker could run arbitrary code on the server, potentially taking full control of the website and the underlying system.

More information

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

submitted 2 months ago* (last edited 2 months ago) by cedric@lemmy.ml to c/security@lemmy.ml
 
 

We are excited to announce the release of Vulnerability-Lookup 2.15.0!
This version brings new features, performance improvements, and several bug fixes.

What's New

Detecting vulnerabilities known only through sightings

The dashboard now highlights vulnerabilities discovered via our sighting tools, including scraping social networks, MISP, Nuclei templates, Shadowserver, Gist, and more. This gives you better visibility of unpublished advisories.

(Screenshots: unpublished advisory table, list and sightings, not included)

Batch user deletion for admins

Admins can now delete multiple users at once using checkboxes and a confirmation modal. CSRF protection is included to ensure safe operations.

Changes

  • Better logging
    We improved logging for access, warnings, and errors in the web app, including the HTTP status codes returned in unexpected situations.
    Issue #199
    Commits: a6b99bf, 9c37e7e, d2e826f

  • Faster vendor/product vulnerability searches
    The search page is now faster thanks to pipelines and pagination. A Bootstrap pagination component has been added when vendor and product are specified.
    Commit aeb6ae0

(Screenshot: search by vendor and product, not included)

  • New API option
    Added advisory_status parameter to the /sighting endpoint.
    Commit de5873c

  • Faster Organization/Product search
    The find_vulnerabilities function now finds matching vulnerabilities for all vendor/product combinations much faster.
    Commit 67d2516

  • Search page improvements
    We made several graphical and functional enhancements to the search page.
    Commits: 82c6f2d, 0f249d1, 94e53c0

  • About page improvements
    Better handling of GNAs and a link to the recent activity page.
    Commits: 70308f5, 168fcff

  • Dashboard updates
    Various improvements related to recently imported vulnerabilities and new filters in the "Evolution for the last month" table.

(Screenshot: Recent - AHA!, not included)

Changelog

📂 For the full list of changes, check the GitHub release:
https://github.com/vulnerability-lookup/vulnerability-lookup/releases/tag/v2.15.0

🙏 A big thank you to all contributors and testers!

Feedback and Support

If you find any issues or have suggestions, please open a ticket on our GitHub repository:
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
We appreciate your feedback!

Follow Us on Fediverse/Mastodon

Stay updated on security advisories in real-time by following us on Mastodon:
https://social.circl.lu/@vulnerability_lookup/
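
Added example, not Vulnerability-Lookup code: the "Detecting vulnerabilities known only through sightings" feature in this release, and the "Unpublished Vulnerabilities in the Wild" / "Most wanted vulnerabilities" tables in the monthly reports above, both come down to the same aggregation: take sightings from many sources, keep the ones in a date window, and split them by whether the instance already holds a published advisory for that identifier. The script below does that over a constructed list of sightings, normalises identifier case, reports malformed identifiers instead of silently dropping them, and renders the report's markdown table. The `advisory_status` argument mirrors the parameter name added to the /sighting endpoint in this release; its accepted values on the real endpoint are not given in the post, so the three values used here are an assumption, as are the sighting field names.

```python
import re
from collections import defaultdict
from datetime import date

# CVE and GitHub advisory identifiers; anything else is reported as malformed.
ID_RE = re.compile(r"^(?:CVE-\d{4}-\d{4,}|GHSA(?:-[0-9a-z]{4}){3})$", re.IGNORECASE)

# Constructed sightings, not platform data. 'seen' is an ISO date.
SAMPLE_SIGHTINGS = [
    {"vuln_id": "CVE-2023-42344", "source": "nuclei", "seen": "2025-09-02",
     "comment": "OpenCMS Unauthenticated XXE Vulnerability"},
    {"vuln_id": "CVE-2023-42344", "source": "misp", "seen": "2025-09-10", "comment": ""},
    {"vuln_id": "cve-2023-42344", "source": "mastodon", "seen": "2025-09-21", "comment": ""},
    {"vuln_id": "CVE-2025-10585", "source": "bluesky", "seen": "2025-09-18", "comment": ""},
    {"vuln_id": "CVE-2025-10585", "source": "shadowserver", "seen": "2025-09-25", "comment": ""},
    {"vuln_id": "GHSA-xxxx-yyyy-zzzz", "source": "gist", "seen": "2025-09-12",
     "comment": "placeholder advisory"},
    {"vuln_id": "CVE-2025-27225", "source": "nuclei", "seen": "2025-10-01",
     "comment": "Nuclei template"},                                     # outside the window
    {"vuln_id": "CVE-2025-1", "source": "exploit-db", "seen": "2025-09-15", "comment": ""},  # malformed
]
# Identifiers for which the instance holds a published advisory (constructed).
PUBLISHED_IDS = {"CVE-2025-10585"}


def normalize_id(vuln_id):
    """Canonical form: CVE ids upper-case, GHSA ids upper prefix + lower-case body."""
    vuln_id = vuln_id.strip()
    if vuln_id.upper().startswith("CVE-"):
        return vuln_id.upper()
    return "GHSA-" + vuln_id[5:].lower()


def sightings_report(sightings, published_ids, start, end, advisory_status=None):
    """Aggregate sightings in [start, end] per vulnerability id.

    advisory_status: 'published', 'unpublished' or None for both.
    Returns (rows, malformed_ids); rows are sorted by occurrences desc, then id.
    """
    if advisory_status not in (None, "published", "unpublished"):
        raise ValueError(f"unknown advisory_status: {advisory_status!r}")
    published = {p.upper() for p in published_ids}
    occurrences, sources, comments = defaultdict(int), defaultdict(set), defaultdict(list)
    malformed = []
    for s in sightings:
        if not (start <= date.fromisoformat(s["seen"]) <= end):
            continue
        if not ID_RE.match(s["vuln_id"].strip()):
            malformed.append(s["vuln_id"])
            continue
        vid = normalize_id(s["vuln_id"])
        status = "published" if vid in published else "unpublished"
        if advisory_status and status != advisory_status:
            continue
        occurrences[vid] += 1
        sources[vid].add(s["source"])
        if s.get("comment"):
            comments[vid].append(s["comment"])
    rows = [{"vuln_id": v, "occurrences": n, "sources": sorted(sources[v]),
             "comment": "; ".join(comments[v]),
             "status": "published" if v in published else "unpublished"}
            for v, n in occurrences.items()]
    rows.sort(key=lambda r: (-r["occurrences"], r["vuln_id"]))
    return rows, malformed


def split_by_volume(rows):
    """The reports' two tables: repeated sightings vs. single sightings."""
    return ([r for r in rows if r["occurrences"] > 1],
            [r for r in rows if r["occurrences"] == 1])


def to_markdown(rows):
    """Render rows in the same pipe-table layout the monthly reports use."""
    lines = ["| Vulnerability ID | Occurrences | Sources | Comment |",
             "| --- | --- | --- | --- |"]
    lines += [f"| {r['vuln_id']} | {r['occurrences']} | {', '.join(r['sources'])} | {r['comment']} |"
              for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    rows, bad = sightings_report(SAMPLE_SIGHTINGS, PUBLISHED_IDS,
                                 date(2025, 9, 1), date(2025, 9, 30), "unpublished")
    print(to_markdown(rows))
    print("malformed identifiers:", bad)
```

The malformed list is worth surfacing in a report rather than discarding: a sighting with an identifier that does not parse is either a scraper bug or a source quoting an identifier that does not exist yet, and both are things the person curating the unpublished-vulnerabilities table wants to see.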
