In this week’s Security Advisory
- SonicWall SMA Appliance Vulnerability Under Active Exploitation
- Cisco Patches High Severity WebEx Vulnerability
- Atlassian Releases April Patch Cycle
- DKIM Replay Attack Exploits Google OAuth in Phishing Campaigns
SonicWall SMA Appliance Vulnerability Under Active Exploitation
SonicWall updated a security advisory originally released in 2021, noting that the vulnerability is believed to be actively exploited. The vulnerability, CVE-2021-20035 (CVSS 7.2/10), can allow an authenticated user to inject arbitrary commands as the “nobody” user and execute code remotely. This vulnerability affects the SonicWall SMA 100 series product line, specifically the SMA 200, 210, 400, 410, and 500v platforms.
Affected Versions
- 10.2.1.0-17sv and earlier.
- 10.2.0.7-34sv and earlier.
- 9.0.0.10-28sv and earlier.
Recommendations
- Upgrade to 10.2.1.1-19sv or higher.
- Upgrade to 10.2.0.8-37sv or higher.
- Upgrade to 9.0.0.11-31sv or higher.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/sonicwall-sma-vpn-devices-targeted-in-attacks-since-january/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
Cisco Patches High Severity WebEx Vulnerability
Cisco released a patch for a new vulnerability affecting its WebEx product. The vulnerability, CVE-2025-20236 (CVSS 8.8/10), allows unauthenticated attackers to gain client-side remote code execution via malicious meeting links by tricking users into downloading arbitrary files. The patch addresses the issue by improving input validation of URLs within the WebEx App.
Affected Versions
- Cisco WebEx 44.6.
- Cisco WebEx 44.7.
Recommendations
- Upgrade Cisco WebEx 44.6 to version 44.6.2.30589.
- For Cisco WebEx 44.7, migrate to a fixed release.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/cisco-webex-bug-lets-hackers-gain-code-execution-via-meeting-links/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC
- https://sec.cloudapps.cisco.com/security/center/publicationListing.x
Atlassian Releases April Patch Cycle
Atlassian released patches for seven high-severity vulnerabilities, including four vulnerabilities impacting dependencies in Bamboo, Confluence, and Jira data-center versions only. If exploited, these vulnerabilities can lead to several issues, like Denial-of-Service and XML external entity injections.
Affected Versions
- A full list of affected versions can be found in the Atlassian security bulletin linked below.
Recommendations
- Apply the latest updates to affected products.
More Reading / Information
- https://www.securityweek.com/vulnerabilities-patched-in-atlassian-cisco-products/
- https://confluence.atlassian.com/security/security-bulletin-april-15-2025-1540723536.html
DKIM Replay Attack Exploits Google OAuth in Phishing Campaigns
Scammers are using Google Sites, a free web-building platform, to host fake support portals that steal credentials. To lure users to the portal, the scammers register a domain and create a Google account for “me@domain”. The attacker then creates a Google OAuth app, names it with the entire text of the phishing message they want to send (padded with a lot of white space at the end), and grants it access to the new account. Granting the OAuth app access triggers a legitimate security alert from Google to the spammer’s account, and that alert displays the full phishing message as the app name. The attacker then forwards this alert to the victims. Because DKIM signs the message body and selected headers but not the envelope, the forwarded message still passes signature validation and appears in the inbox as if it were sent directly by Google. Because the recipient is “me@domain”, the message also shows in the victim’s inbox as sent “to me”, which Gmail uses as shorthand for the reader’s own address.
Google has told the user who reported this issue that they will be working to fix the OAuth bug that makes this attack vector possible.
Recommendations
- Check who the message was addressed to and confirm that the “To” field is your own email address.
- Never rely solely on a message’s domain, authentication status, or visual design to determine legitimacy.
- Verify login pages manually; don’t follow embedded links, especially in urgent-sounding emails.
- Scroll to the bottom of the email and check whether the address to which access was granted is your own.
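The checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the advisory or from Google: it does not verify the DKIM signature (that needs DNS lookups) but looks for what this replay pattern leaves behind, using a constructed sample message with placeholder domains and signature values.

```python
# Added example, not from the advisory: heuristic triage for the DKIM replay
# pattern above. It looks for a signed To: that is not the mailbox the message
# landed in, a "me@..." recipient, and an envelope sender whose domain differs
# from the From: domain (DKIM never covers the envelope, so replay keeps it valid).
from email import message_from_string
from email.utils import getaddresses, parseaddr

def dkim_tags(header):
    """Parse a (possibly folded) DKIM-Signature value into a tag dict."""
    parts = (p.split("=", 1) for p in "".join(header.split()).split(";") if "=" in p)
    return {k.lower(): v for k, v in parts}

def addrs(msg, name):
    """Lower-cased addresses from every instance of header `name`."""
    return {a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def replay_indicators(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    delivered, to = addrs(msg, "Delivered-To"), addrs(msg, "To")
    for sig in msg.get_all("DKIM-Signature", []):
        signed = set(dkim_tags(sig).get("h", "").lower().split(":"))
        if "to" in signed and delivered and not (to & delivered):
            findings.append("signed To: %s is not the delivered mailbox %s"
                            % (sorted(to), sorted(delivered)))
    for a in to:  # the "me@domain" trick makes Gmail render the recipient as "to me"
        if a.split("@", 1)[0] == "me":
            findings.append("recipient local-part is 'me': " + a)
    env = parseaddr(msg.get("Return-Path", ""))[1]
    frm = parseaddr(msg.get("From", ""))[1]
    if env and frm and domain(env) != domain(frm):
        findings.append("envelope sender %s differs from From: %s"
                        % (domain(env), domain(frm)))
    return findings

# Constructed sample modelled on the forwarded-alert chain in the advisory;
# the domains and signature values are placeholders, not real ones.
SAMPLE = """Delivered-To: victim@corp.example
Return-Path: <me@attacker-registered.example>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.vendor.example; s=sel;
 h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
From: Vendor <no-reply@accounts.vendor.example>
To: me@attacker-registered.example

You granted access to app "You have been served a subpoena ..."
"""
```

Running `replay_indicators(SAMPLE)` returns three findings for the constructed message; a genuine alert delivered to its own account returns none.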
More Reading / Information
- https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/
- https://www.legal.io/articles/5636309/DKIM-Replay-Attack-Exploits-Google-Infrastructure-in-Sophisticated-Phishing-Scheme
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.