Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability - Related to find, active, firewall, under, bug

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

The [website] Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.

The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of [website] on a scale of [website] The flaw, alongside two other issues, was reported to CISA by an anonymous external researcher.

"The affected product sends out remote access requests to a hard-coded IP address, bypassing existing device network settings to do so," CISA mentioned in an advisory. "This could serve as a backdoor and lead to a malicious actor being able to upload and overwrite files on the device."

"The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files. Publicly available records show that the IP address is not associated with a medical device manufacturer or medical facility but a third-party university."

Two other identified vulnerabilities in the devices are listed below -.

CVE-2024-12248 (CVSS v4 score: [website] - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution.

(CVSS v4 score: [website] - An out-of-bounds write vulnerability that could allow an attacker to send specially formatted UDP requests in order to write arbitrary data, resulting in remote code execution CVE-2025-0683 (CVSS v4 score: [website] - A privacy leakage vulnerability that causes plain-text patient data to be transmitted to a hard-coded public IP address when the patient is attached to the monitor.

Successful exploitation of CVE-2025-0683 could allow the device with that unspecified IP address to gain access to confidential patient information or open the door to an adversary-in-the-middle (AitM) scenario.

The security holes affect the following products -.

CMS8000 Patient Monitor: Firmware version [website].

CMS8000 Patient Monitor: Firmware version [website].

CMS8000 Patient Monitor: Firmware version [website].

CMS8000 Patient Monitor: All versions (CVE-2025-0626 and CVE-2025-0683).

"These cybersecurity vulnerabilities can allow unauthorized actors to bypass cybersecurity controls, gaining access to and potentially manipulating the device," the FDA stated, adding it's "not aware of any cybersecurity incidents, injuries, or deaths related to these cybersecurity vulnerabilities at this time."

Given that these vulnerabilities remain unpatched, CISA is recommending that organizations unplug and remove any Contec CMS8000 devices from their networks. It's worth noting that the devices are also re-labeled and sold under the name Epsimed MN-120.

It's also advised to check the patient monitors for any signs of unusual functioning, such as "inconsistencies between the displayed patient vitals and the patient's actual physical state."

CMS8000 Patient Monitor is manufactured by Contec Medical Systems, a developer of medical devices that are located in Qinhuangdao, China. On its website, the organization indicates its products are FDA-approved and distributed to over 130 countries and regions.

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them t......

Multiple state-sponsored groups are experimenting with the AI-powered Gemini assistant from Google to increase productivity and to conduct research on......

​Mizuno USA, a subsidiary of Mizuno Corporation, one of the world's largest sporting goods manufacturers, confirmed in data breach notification letter......

Firewall Bug Under Active Attack Triggers CISA Warning

CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.

Software running Palo Alto Networks’ firewalls is under attack, prompting [website] Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning to public and federal IT security teams to apply available fixes. Federal agencies urged to patch the bug by September 9.

Earlier this month, Palo Alto Networks issued a fix for the high-severity bug (CVE-2022-0028) that it says adversaries attempted to exploit. The flaw could be used by remote hackers to carry out reflected and amplified denial-of-service (DoS) attacks without having to authenticate targeted systems.

Palo Alto Networks maintains the flaw can only be exploited on a limited number of systems, under certain conditions and that the vulnerable systems are not part of a common firewall configuration. Any additional attacks exploiting the bug have either not occurred or been publicly reported.

Affected products include those running the PAN-OS firewall software include PA-Series, VM-Series and CN-Series devices. PAN-OS versions vulnerable to attack, with patches available, include PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website], PAN-OS prior to [website] and PAN-OS prior to [website].

; “A PAN-OS URL filtering policy misconfiguration could allow a network-based attacker to conduct reflected and amplified TCP denial-of-service (RDoS) attacks. The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.”.

The advisory describes the non-standard configuration at risk as the “firewall configuration must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface.”.

The configuration is likely unintended by the network administrator, the advisory presented.

On Monday, CISA added the Palo Alto Networks bug to its list of Known Exploited Vulnerabilities Catalog.

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a curated list of flaws that have been exploited in the wild. It is also a list of KEVs that the agency “strongly recommends” public and private organizations pay close attention to in order to “prioritize remediation” to “reduce the likelihood of compromise by known threat actors.”.

Reflective and Amplification DoS Attacks.

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks.

Reflected and amplified denial-of-service attacks are not new and have steadily become more common over the years.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Unlike limited volume DDoS attacks, reflective and amplified DoS attacks can produce much higher volumes of disruptive traffic. This type of attack allows an adversary to magnify the amount of malicious traffic they generate while obscuring the insights of the attack traffic. An HTTP-based DDoS attack, for example, sends junk HTTP requests to a target’s server tying up resources and locking out individuals from using a particular site or service.

A TCP attack, believed used in the recent Palo Alto Networks attack, is when an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be defined by the attacker.

A 59-year-old man from Irvine, California, was sentenced to 87 months in prison for his involvement ...

Federal authorities have arrested and indicted a 20-year-old [website] Army soldier on suspicion of being...

Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged custo...

Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability

Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host.

The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: [website] It affects the following versions -.

NVIDIA Container Toolkit (All versions up to and including [website] - Fixed in version [website].

NVIDIA GPU Operator (All versions up to and including [website] - Fixed in version [website].

"NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system," the organization mentioned in an advisory on Tuesday.

"A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."

Cloud security firm Wiz, which shared additional technical specifics of the flaw, mentioned it's a bypass for another vulnerability (CVE-2024-0132, CVSS score: [website] that was addressed by NVIDIA in September 2024.

In a nutshell, the vulnerability enables bad actors to mount the host's root file system into a container, granting them unfettered access to all files. Furthermore, the access can be leveraged to launch privileged containers and achieve full host compromise via the runtime Unix socket.

Wiz researchers security researchers Shir Tamari, Ronen Shustin, and Andres Riancho introduced their source code analysis of the container toolkit found that the file paths used during mount operations could be manipulated using a symbolic link such that it makes it possible to mount from outside the container ([website], the root directory) into a path within "/usr/lib64."

While the access to the host file system afforded by the container escape is read-only, this limitation can be circumvented by interacting with the Unix sockets to spawn new privileged containers and gain unrestricted access to the file system.

"This elevated level of access also allowed us to monitor network traffic, debug active processes, and perform a range of other host-level operations," the researchers expressed.

Besides updating to the latest version, people of the NVIDIA Container Toolkit are recommended to not disable the "--no-cntlibs" flag in production environments.

CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren't many resources to ......

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address mu......

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero......