Concise Cyber


Weekly Cybersecurity Recap: Critical Flaws in Jenkins and Fortinet, npm Worm Attack, and Microsoft 365 Email Breach

This week in cybersecurity saw the disclosure of critical remote code execution vulnerabilities, the resurgence of a worm-like threat in the npm registry, and details of a state-sponsored intrusion into Microsoft’s corporate email systems. Security teams and developers are urged to review and apply necessary patches for several high-impact flaws affecting widely used enterprise software.

The week’s developments underscore the ongoing threats to both software supply chains and core enterprise infrastructure, highlighting the importance of timely patch management and robust security monitoring.

High-Severity Vulnerabilities Demand Urgent Patching

Multiple critical vulnerabilities were disclosed, requiring immediate attention. A significant flaw in Jenkins, tracked as CVE-2024-23897, allows unauthenticated attackers with Overall/Read permission to read arbitrary files on the Jenkins controller file system. In some cases, this flaw can lead to remote code execution (RCE). Jenkins released versions 2.442 and LTS 2.426.3 to address the issue.

Additionally, Fortinet disclosed a critical out-of-bounds write vulnerability in the FortiOS SSL VPN. The flaw, identified as CVE-2024-21762, enables a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. Fortinet has released patches and advised administrators to update their systems.

Supply Chain Threats and M365 Corporate Breach

The npm open-source package registry faced another security incident in which a worm-like malware campaign was identified. The attack involved publishing numerous packages that, upon installation, would steal developer credentials and automatically publish new malicious packages to spread the infection further. The campaign used typosquatting and dependency confusion techniques to trick developers into installing the malicious packages.

In other major news, Microsoft reported a security breach where the Russian state-sponsored group known as Midnight Blizzard (formerly Nobelium) gained access to its corporate email systems. The intrusion, which began in late November 2023, was detected in January 2024. The threat actor used a password spray attack to compromise a legacy, non-production test tenant account. From there, they accessed and exfiltrated emails and attached documents from the accounts of senior leadership and employees in cybersecurity and legal departments.

Mozilla also addressed a high-impact security flaw in its latest browser update. Firefox 122 patched CVE-2024-0746, a use-after-free vulnerability that could lead to a sandbox escape and remote code execution if exploited by an attacker.

Source: https://thehackernews.com/2025/12/weekly-recap-hot-cves-npm-worm-returns.html