Svoboda Cybersecurity Brief May 10, 2025


SAP NetWeaver zero-day exploited since January

Hundreds of SAP NetWeaver instances worldwide have been compromised since January 2025 via exploitation of CVE-2025-31324 (CVSS 10.0), an unauthenticated file upload flaw allowing RCE. Attackers have been uploading webshells and executing arbitrary commands, targeting industries like energy, manufacturing, and government.
Impact: Complete system compromise via RCE. Active exploitation observed since January 2025.
Mitigation: Apply SAP’s April patch immediately, restrict access to /developmentserver/metadatauploader endpoint, monitor for suspicious activity, and consider disabling Visual Composer service.
Source: SecurityWeek
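The mitigation above asks operators to restrict and monitor the /developmentserver/metadatauploader endpoint. As an added example (not code from the brief or from SAP), the script below parses combined-format access log lines, drops the query string, and reports every request to that path that does not come from an assumed allow-list of hosts that legitimately use the Visual Composer uploader. The log layout, the 10.20.0.0/24 allow-list and the sample lines are all constructed assumptions; adapt the regex to whatever reverse proxy or ICM log sits in front of your NetWeaver instances.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Endpoint named in the brief's mitigation for CVE-2025-31324.
WATCHED_PATH = "/developmentserver/metadatauploader"

# Hypothetical allow-list: hosts that legitimately need the upload endpoint.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]

# Combined-format access log line. The field layout is an assumption;
# adjust it to the log format your reverse proxy or ICM actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["path"] = d["path"].split("?", 1)[0]  # compare the path without its query string
    return d


def is_allowed(ip):
    """True when the source address falls inside one of the allow-listed networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspicious(lines):
    """Return (hits, counts): hits are parsed entries that touch the watched
    endpoint from a non-allow-listed source; counts tallies hits per source IP."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"].lower() != WATCHED_PATH:
            continue
        if is_allowed(entry["ip"]):
            continue
        hits.append(entry)
    counts = Counter(e["ip"] for e in hits)
    return hits, counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.20.0.5 - - [02/May/2025:09:10:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [02/May/2025:09:11:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 1834
203.0.113.7 - - [02/May/2025:09:11:45 +0000] "GET /irj/portal HTTP/1.1" 200 9120
198.51.100.9 - - [02/May/2025:09:12:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 77
10.20.0.5 - - [02/May/2025:09:13:30 +0000] "GET /sap/bc/ping HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    hits, counts = find_suspicious(SAMPLE_LOG.splitlines())
    for e in hits:
        print(f"{e['ts']} {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    print("per-source counts:", dict(counts))
```

Run against the constructed sample, the allow-listed 10.20.0.5 request is ignored and the two external sources are reported once each. In production, feed it the rotated log files and alert on any non-zero count, since after the endpoint is restricted there should be no such requests at all.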

Chinese threat actor targets SAP NetWeaver flaw

A Chinese hacker group tracked as Chaya_004 has been exploiting CVE-2025-31324 in SAP NetWeaver since late April 2025, deploying Chinese-language tools including the SuperShell reverse shell. Infrastructure analysis revealed servers hosted on Chinese cloud providers. Based on the sophistication of the attacks, the group appears to have highly specialized SAP knowledge.
Source: BleepingComputer

German police dismantle 20-year-old router botnet

German and Dutch authorities seized the infrastructure of the Anyproxy/5socks botnet, which has compromised thousands of end-of-life routers since 2004 to sell residential proxy access. Four suspects allegedly earned $46 million by offering proxy services for cybercrime activities. The botnet used a variant of the TheMoon malware to infect unpatched Linksys/Cisco routers.
Impact: Compromised devices used for anonymity in attacks like DDoS, brute forcing, and data theft.
Mitigation: Replace EOL routers, regularly reboot devices, change default credentials.
Source: TheHackerNews

Malicious npm packages trojanize Cursor AI editor

Three malicious npm packages (sw-cur, sw-cur1, aiide-cur) modified Cursor IDE’s main.js to inject persistent backdoors on macOS systems. The packages, downloaded 3,200+ times, claimed to provide “cheapest Cursor API” access while stealing credentials and fetching encrypted payloads from attacker servers.
Impact: Code execution within IDE context, credential theft, and potential supply chain compromise.
Mitigation: Reinstall Cursor from trusted source, audit npm packages, rotate credentials.
Source: SecurityWeek
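The mitigation above recommends auditing npm packages. As an added example (not code from the brief or from the Cursor project), the script below walks a package-lock.json, including nested node_modules entries, and reports any occurrence of the three package names the brief lists. It handles both the lockfileVersion 2/3 "packages" map and the older v1 "dependencies" tree. The sample lockfile is constructed, and the version numbers in it are made up for the demonstration.

```python
import json

# Package names reported in the brief.
KNOWN_BAD = {"sw-cur", "sw-cur1", "aiide-cur"}


def lockfile_packages(lock):
    """Yield (name, version, path) for every package recorded in a
    package-lock.json dict: the v2/v3 'packages' map, with a fallback
    to the v1 nested 'dependencies' tree."""
    pkgs = lock.get("packages")
    if pkgs:
        for path, meta in pkgs.items():
            if path == "":
                continue  # the root project entry, not a dependency
            # Nested installs look like node_modules/a/node_modules/b; the
            # last segment after node_modules/ is the package name (scopes kept).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version"), path
        return

    def walk(deps, prefix):
        for name, meta in (deps or {}).items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), path
            yield from walk(meta.get("dependencies"), path + "/")

    yield from walk(lock.get("dependencies"), "")


def find_bad_packages(lock, bad=KNOWN_BAD):
    """Return a sorted list of (name, version, path) for known-bad packages in the lockfile."""
    return sorted(
        {(name, version, path) for name, version, path in lockfile_packages(lock) if name in bad}
    )


def audit_lockfile(path):
    """Load a package-lock.json from disk and return its known-bad entries."""
    with open(path, encoding="utf-8") as fh:
        return find_bad_packages(json.load(fh))


# Constructed sample lockfile (not a real project; versions are made up).
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/left-pad": { "version": "1.3.0" },
    "node_modules/sw-cur": { "version": "1.0.2" },
    "node_modules/some-tool/node_modules/aiide-cur": { "version": "0.1.0" }
  }
}
""")

if __name__ == "__main__":
    findings = find_bad_packages(SAMPLE_LOCK)
    if not findings:
        print("no known-bad packages found")
    for name, version, path in findings:
        print(f"FOUND {name}@{version} at {path}")
```

Point audit_lockfile() at each project's lockfile (or at the lockfile inside a CI checkout) and fail the build on any finding. Because the lookup is by name only, keep the KNOWN_BAD set in a separately versioned file so it can be extended without editing the script.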

Masimo health tech firm hit by cyberattack

California-based Masimo Corporation disclosed a cyberattack that has impacted its manufacturing operations since April 27, 2025. The breach caused production slowdowns and shipping delays due to network disruptions. The company filed an SEC notice but has not shared breach details or attributed the attack.
Source: DataBreaches

160,000 affected in Valsoft Corporation breach

Valsoft subsidiary Aspire USA exposed personal data, including SSNs and financial details, during a February 2025 breach. Attackers had access to the systems for 3 days before being interrupted mid-transfer of the data. The company offered 12 months of credit monitoring but stated that there is no evidence of misuse.
Source: SecurityWeek

Google Chrome adds on-device AI scam detection

Chrome 137 (releasing next week) will use the local Gemini Nano model to detect tech support scams by analyzing page content on the device, without sending it to Google. The feature, part of Enhanced Protection mode, evaluates scam patterns such as fake alerts and will later expand to cover package and toll scams. Android support arrives in 2025.
Source: BleepingComputer
