In this week’s Security Advisory
- Veeam Patches Critical Backup & Replication Vulnerability
- CrushFTP Patches Authentication Bypass Vulnerability
- Ingress NGINX Controller Vulnerable to Unauthenticated RCE
- New Vulnerability in VMware Tools for Windows
Veeam Patches Critical Backup & Replication Vulnerability
Veeam has patched a critical vulnerability in its Backup & Replication product. The vulnerability, CVE-2025-23120 (CVSS 9.9/10), affects domain-joined backup servers and could allow remote code execution by any authenticated domain user. Veeam's own security best practice is to keep the backup server out of the production domain, which also removes this attack path; a domain-joined backup server that is not yet patched should be treated as exposed to every domain account.
Affected Versions
- Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds.
Recommendations
- Upgrade to Veeam Backup & Replication build 12.3.1.1139.
More Reading / Information
- https://www.securityweek.com/veeam-patches-critical-vulnerability-in-backup-replication/
- https://www.veeam.com/kb4724
CrushFTP Patches Authentication Bypass Vulnerability
CrushFTP has released an update for a newly discovered critical vulnerability that lets an unauthenticated attacker gain access to unpatched servers that are reachable over HTTP(S). CrushFTP states that the vulnerability is mitigated when the product's DMZ feature is in use, although this is a stopgap rather than a substitute for the fix. At the time of writing there are no reports of exploitation in the wild; patching as soon as possible is still recommended because the flaw needs no credentials and the management interface is commonly internet-facing.
Affected Versions
- CrushFTP 11.0.0 to 11.3.0.
- CrushFTP 10.0.0 to 10.8.3.
Recommendations
- CrushFTP 11.x (11.0.0 to 11.3.0): update to 11.3.1 or later.
- CrushFTP 10.x (10.0.0 to 10.8.3): update to 10.8.4 or later.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-unauthenticated-access-flaw-immediately/
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
Ingress NGINX Controller Vulnerable to Unauthenticated RCE
Patches are now available for five newly disclosed vulnerabilities in the Ingress NGINX Controller for Kubernetes: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 and CVE-2025-1974. The most severe, CVE-2025-1974, carries a CVSS score of 9.8/10. The controller's validating admission webhook accepts requests without authentication from anything that can reach it on the cluster network (in many clusters, any pod), and the Ingress configuration it validates is not properly sanitised. Chained together, the bugs let an unauthenticated attacker achieve directory traversal and remote code execution inside the controller pod, which normally holds permissions to read Secrets across the whole cluster.
Affected Versions
- Ingress NGINX Controller versions prior to 1.11.5 (including all 1.10.x builds before 1.10.7 and older, unsupported release lines).
- Ingress NGINX Controller 1.12.0-beta.0 up to and including 1.12.0.
Recommendations
- Upgrade to Ingress NGINX Controller versions 1.12.1, 1.11.5, or 1.10.7.
- If you can't upgrade right away, you can significantly reduce your risk by turning off the Validating Admission Controller feature of ingress-nginx: for Helm installs, redeploy with controller.admissionWebhooks.enabled=false; for manual installs, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove --validating-webhook from the controller container's arguments. Turn the feature back on after upgrading, since it is what rejects malformed Ingress objects before they reach nginx.
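The following triage helper is an added example written for this advisory; it is not code from the Kubernetes project or ingress-nginx. It takes the controller Deployment as JSON (what kubectl -n ingress-nginx get deploy ingress-nginx-controller -o json returns), decides from the image tag whether the build falls in an affected range, and reports whether the admission webhook that CVE-2025-1974 abuses is still switched on. It assumes the container is named "controller" as in the upstream manifests, and the embedded Deployment is a constructed, trimmed sample rather than output from a real cluster.

```python
"""Offline triage for the ingress-nginx advisory (added example, not project code)."""
import copy
import json
import re

# Fixed builds from the advisory; earlier builds on the same minor line are affected.
FIXED = {(1, 10): (1, 10, 7), (1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

# Image tags look like v1.11.4 or v1.12.0-beta.0; an optional digest follows '@'.
_TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")

# Container name from the upstream manifests; an assumption if you renamed it.
CONTROLLER_NAME = "controller"


def parse_tag(image):
    """Return (major, minor, patch, prerelease) from a full image reference."""
    ref = image.split("@", 1)[0]      # strip @sha256:... digest
    tag = ref.rsplit(":", 1)[-1]      # strip registry/repository
    m = _TAG_RE.fullmatch(tag)
    if not m:
        raise ValueError(f"unrecognised controller tag: {tag!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(image):
    """True if the controller image predates the fixed build for its minor line."""
    major, minor, patch, pre = parse_tag(image)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Lines older than 1.10 never got a fix; lines newer than 1.12 ship fixed.
        return (major, minor) < (1, 10)
    if (major, minor, patch) < fixed:
        return True
    # A pre-release of the fixed patch level (e.g. v1.12.1-beta.0) still predates it.
    return (major, minor, patch) == fixed and pre is not None


def controller_container(deployment):
    """Pick the controller container out of the Deployment's pod template."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c.get("name") == CONTROLLER_NAME:
            return c
    raise KeyError(f"no container named {CONTROLLER_NAME!r}")


def webhook_enabled(container):
    """True if the controller is started with --validating-webhook, i.e. the
    admission webhook listener is active (the CVE-2025-1974 entry point)."""
    return any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
               for a in container.get("args", []))


def mitigated(deployment):
    """Copy of the Deployment with the webhook flags removed: the manual-install
    stopgap (the ingress-nginx-admission ValidatingWebhookConfiguration must be
    deleted separately). The certificate/key flags are dropped too; they are only
    used by the webhook listener."""
    out = copy.deepcopy(deployment)
    c = controller_container(out)
    c["args"] = [a for a in c.get("args", []) if not a.startswith("--validating-webhook")]
    return out


def triage(deployment):
    """Summarise build status and webhook exposure for one Deployment."""
    c = controller_container(deployment)
    vuln = is_vulnerable(c["image"])
    hook = webhook_enabled(c)
    if not vuln:
        action = "patched build; confirm the admission webhook is enabled again"
    elif hook:
        action = "UPGRADE NOW, or disable the admission webhook as a stopgap"
    else:
        action = "vulnerable build with webhook off: RCE path closed, still upgrade"
    return {"image": c["image"], "vulnerable": vuln, "webhook_enabled": hook, "action": action}


# Constructed sample: a trimmed Deployment on an affected build with the webhook on.
SAMPLE_DEPLOYMENT = json.loads("""
{"metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
 "spec": {"template": {"spec": {"containers": [{
   "name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000000000000000000000000000000000000000000000000000000000000000",
   "args": ["/nginx-ingress-controller",
            "--election-id=ingress-nginx-leader",
            "--controller-class=k8s.io/ingress-nginx",
            "--validating-webhook=:8443",
            "--validating-webhook-certificate=/usr/local/certificates/cert",
            "--validating-webhook-key=/usr/local/certificates/key"]}]}}}}
""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DEPLOYMENT), indent=2))
    print(json.dumps(triage(mitigated(SAMPLE_DEPLOYMENT)), indent=2))
```

In a real cluster you would run triage() over every Deployment and DaemonSet that runs the controller image, across all namespaces, since a second ingress-nginx install in another namespace is easy to overlook. The version check is deliberately strict about pre-release tags: 1.12.0-beta.0 is inside the affected range even though it sorts "above" 1.12.0 in a naive string comparison.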
More Reading / Information
- https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html
- https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
New Vulnerability in VMware Tools for Windows
Broadcom has released a patch for an authentication bypass vulnerability in VMware Tools for Windows, tracked as CVE-2025-22230 (CVSS 7.8/10). Because of improper access control, a local attacker with non-administrative privileges on a Windows guest VM could use the flaw to perform certain high-privilege operations within that guest. VMware Tools for Windows is the suite of utilities and drivers installed inside guest VMs to improve their performance and manageability. The Linux and macOS versions of the utilities are not affected.
Affected Versions
- All versions of VMware Tools for Windows before v12.5.1.
Recommendations
- Upgrade VMware Tools to v12.5.1 inside each affected Windows guest. VMware Tools lives in the guest operating system, so patching the ESXi host alone does not address this issue.
More Reading / Information
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518
- https://www.securityweek.com/vmware-patches-authentication-bypass-flaw-in-windows-tools-suite/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only: a fix for a newly disclosed vulnerability is far more likely to exist for a supported release than for one the vendor has stopped maintaining. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software currently deployed in your environment, including versions, which is what allows your patch and vulnerability management program to confirm quickly whether advisories like these apply to you.