HTG Threat Report

Threat Report 4/7/25

Written by Evan Kennedy | Apr 7, 2025 1:00:00 PM
“Fast Flux” Threatens National Security, CISA Issues Advisory 

On April 2nd, CISA issued a joint Cybersecurity Advisory highlighting the threat posed by the malicious technique “fast flux.” Fast flux is a technique meant to help threat actors avoid detection by “obfuscating the locations of malicious servers by rapidly changing Domain Name System (DNS) records.” This method allows them to “create resilient and highly available command and control (C2) infrastructures, complicating efforts to track and block malicious activities.”


Variants of Fast Flux 

  • Single Flux: Associates a single domain name with numerous IP addresses that are frequently rotated in DNS responses. This ensures that if one IP address is blocked or taken down, the domain remains accessible through other IP addresses. 
  • Double Flux: Involves not only rapidly changing IP addresses but also frequently altering the DNS name servers responsible for resolving the domain. This adds an extra layer of redundancy and anonymity for malicious domains. 

Recommendations for Mitigation: 

  • Implement multi-layered detection strategies combining DNS analysis, network monitoring, and threat intelligence.
  • Utilize Protective DNS (PDNS) services that can detect and block fast flux activities.
  • Collaborate with ISPs and cybersecurity service providers to develop scalable solutions to address this threat.  
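As an added illustration of the DNS-analysis layer recommended above (example code written for this report, not from CISA's advisory), the heuristic below groups passive-DNS observations per domain and labels a name as single flux (many A records with low TTL) or double flux (the name servers rotate as well). The record format, the thresholds and the sample observations are all constructed assumptions; real deployments would tune thresholds and add threat-intelligence allowlists, since CDNs also legitimately use low TTLs and many addresses.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for this example; they are not values from the advisory.
MIN_IPS, MIN_NS, MAX_TTL, WINDOW = 5, 3, 300, 3600

@dataclass(frozen=True)
class DnsRecord:
    ts: int      # observation time in seconds (constructed format)
    qname: str   # queried name
    rtype: str   # "A" or "NS"
    rdata: str   # resolved address (A) or name-server host (NS)
    ttl: int

def classify(records, now=None):
    """Group observations per name within WINDOW and label each name."""
    now = max(r.ts for r in records) if now is None else now
    seen = defaultdict(lambda: {"ips": set(), "ns": set(), "ttls": []})
    for r in records:
        if now - r.ts <= WINDOW:
            b = seen[r.qname]
            (b["ips"] if r.rtype == "A" else b["ns"]).add(r.rdata)
            b["ttls"].append(r.ttl)
    verdicts = {}
    for name, b in seen.items():
        low_ttl = min(b["ttls"]) <= MAX_TTL
        many_ips = len(b["ips"]) >= MIN_IPS   # single-flux signal
        many_ns = len(b["ns"]) >= MIN_NS      # double-flux adds NS rotation
        if low_ttl and many_ips and many_ns:
            verdicts[name] = "double-flux"
        elif low_ttl and many_ips:
            verdicts[name] = "single-flux"
        else:
            verdicts[name] = "none"
    return verdicts

def constructed_records():
    """Constructed sample data: one benign name, one single-flux, one double-flux."""
    recs = [DnsRecord(t, "static.test", "A", "198.51.100.10", 3600) for t in range(0, 3600, 600)]
    # single flux: the A record rotates through eight IPs at a 60 s TTL, one stable NS
    for i in range(8):
        recs.append(DnsRecord(i * 60, "single.test", "A", f"203.0.113.{i + 1}", 60))
    recs.append(DnsRecord(0, "single.test", "NS", "ns1.single.test", 3600))
    # double flux: both the IPs and the authoritative name servers rotate
    for i in range(8):
        recs.append(DnsRecord(i * 60, "double.test", "A", f"192.0.2.{i + 1}", 60))
        recs.append(DnsRecord(i * 60, "double.test", "NS", f"ns{i % 4 + 1}.double.test", 60))
    return recs

if __name__ == "__main__":
    for name, verdict in classify(constructed_records()).items():
        print(f"{name:14s} {verdict}")
```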

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.


Affected Systems:

  • Chrome prior to 134.0.6998.177/178 for Windows 

Risk:
  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all devices using Google Chrome have the latest version(s) installed 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.  


Affected Systems:

  • Firefox versions prior to 137 
  • Thunderbird versions prior to ESR 128.9 
  • Thunderbird versions prior to 137 
  • Firefox ESR versions prior to 128.9 
  • Firefox ESR versions prior to 115.22

Risk:

  • Large and medium business entities: High
  • Small business entities: Medium

Remediation Recommendations

  • Ensure all Mozilla products are updated to their latest versions 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

Attackers Exploit Critical CrushFTP Vulnerability Following Disclosure Mix-Up

Outpost24 has published a blog post on the "disclosure mess" surrounding a critical vulnerability (CVE-2025-31161) affecting the CrushFTP file transfer service, which is now being exploited in attacks. CrushFTP issued a patch for the flaw on March 21st, while a CVE identifier was still pending with MITRE. Several days later, vulnerability intelligence firm VulnCheck, which is a CVE Numbering Authority, gave the flaw the identifier CVE-2025-2825. Outpost24, which discovered and responsibly disclosed the flaw, had agreed to wait 90 days before disclosing details, but other security firms began analyzing the issue following VulnCheck's classification. A proof-of-concept exploit is now available. MITRE assigned the vulnerability the identifier CVE-2025-31161 on March 27th. 

Outpost24 states, "The vulnerability is now being exploited by remote attackers, who are using it to gain unauthenticated access to devices running unpatched versions of CrushFTP v10 or v11. There have been over 1,500 vulnerable instances exposed online. The threat is particularly concerning as file transfer products like CrushFTP are often targeted by ransomware gangs. CrushFTP has released patches to address the issue, and the recommended action is to immediately update to version 10.8.4 or 11.3.1 and later." 


China-Linked Threat Actor Exploits Ivanti Connect Secure Vulnerability

Mandiant warns that a China-aligned threat actor is actively exploiting a critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure, which was patched in February. The threat actor is using the flaw to deploy the TRAILBLAZE, BRUSHFIRE, and SPAWN malware families. 

Mandiant notes, "A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution."