All news with #hardcoded secrets tag

Legacy Sitecore ViewState Zero-Day Allows WeepSteel Backdoors

🔐 Mandiant observed attackers exploiting a zero‑day ViewState deserialization flaw (CVE-2025-53690) in legacy Sitecore deployments that reused a sample ASP.NET machineKey. Adversaries delivered a WeepSteel reconnaissance backdoor to collect system and network data and disguised exfiltration as normal ViewState traffic. Sitecore advises replacing and encrypting static machineKey values and instituting regular key rotation to mitigate further risk.

Copeland OT Controller Flaws Risk Remote Control and Damage

⚠️ Security firm Armis disclosed 10 vulnerabilities, dubbed Frostbyte10, in Copeland LP E2 and E3 controllers used in heating, cooling, and refrigeration that could let attackers disable or remotely control equipment. Copeland issued firmware 2.31F01; organizations should deploy the update promptly to mitigate exposure. Combined flaws can enable unauthenticated remote code execution with root privileges; specific issues include a predictable default admin account (CVE-2025-6519), API endpoints that expose credential hashes, and unauthenticated file operations. Copeland says engineers acted quickly and that there are no known exploits to date.

Azure AD Client Credentials Exposed in Public appsettings

🔒 Resecurity’s HUNTER Team discovered that ClientId and ClientSecret values were inadvertently left in a publicly accessible appsettings.json file, exposing Azure AD credentials. These secrets permit direct authentication against Microsoft’s OAuth 2.0 endpoints and could allow attackers to impersonate trusted applications and access Microsoft 365 data. The exposed credentials could be harvested by automated bots or targeted adversaries. Organizations are advised to remove hardcoded secrets, rotate compromised credentials immediately, restrict public access to configuration files and adopt centralized secrets management such as Azure Key Vault.

SunPower PVS6 Hard-Coded Credentials Vulnerability

🔒 CISA warns of a high-severity vulnerability in SunPower PVS6 inverters (CVE-2025-9696) caused by hard-coded credentials in the Bluetooth Low Energy (BLE) interface. An attacker within Bluetooth range can exploit published protocol details and fixed encryption parameters to gain full device access, and CISA reports a CVSS v4 base score of 9.4. Successful exploitation could allow firmware replacement, disabling power production, modifying grid or firewall settings, creating SSH tunnels, and manipulating attached devices. SunPower did not respond to coordination; CISA advises minimizing network exposure, isolating control systems, using secure remote access methods such as up-to-date VPNs, and applying targeted intrusion detection and ICS best practices.

Widespread Data Theft via Salesloft Drift Targets Salesforce

🔒 GTIG warns of a widespread data-theft campaign by UNC6395 that abused compromised OAuth tokens for the Salesloft Drift connected app to export data from multiple Salesforce customer instances between Aug. 8 and Aug. 18, 2025. The actor executed SOQL queries against objects including Accounts, Cases, Users, and Opportunities to harvest credentials and secrets—observed items include AWS access keys, Snowflake tokens, and passwords. Salesloft and Salesforce revoked tokens and removed the Drift app from the AppExchange; impacted organizations should search for exposed secrets, rotate credentials, review Event Monitoring logs, and tighten connected-app scopes and IP restrictions.

Dissecting PipeMagic: Architecture of a Modular Backdoor

🔍 Microsoft Threat Intelligence details PipeMagic, a modular backdoor used by Storm-2460 that masquerades as an open-source ChatGPT Desktop Application. The malware is deployed via an in-memory MSBuild dropper and leverages named pipes and doubly linked lists to stage, self-update, and execute encrypted payload modules delivered from a TCP C2. Analysts observed exploitation of CVE-2025-29824 for privilege escalation followed by ransomware deployment, with victims across IT, finance, and real estate in multiple regions. The report includes selected IoCs, Defender detections, and mitigation guidance to help defenders detect and respond.

Langflow Misconfiguration Exposes Data of Pakistani Insurers

🔓 UpGuard secured a misconfigured Langflow instance that exposed data for roughly 97,000 insurance customers in Pakistan, including 945 individuals marked as politically exposed persons. The instance was used by Pakistan-based Workcycle Technologies to build AI chatbots for clients such as TPL Insurance and the Federal Board of Revenue. Exposed materials included PII, confidential business documents and credentials; access was removed after notification and UpGuard found no evidence of exploitation.

Amazon Engineer Exposed Credentials via Public GitHub Repo

🔒 UpGuard discovered a public GitHub repository on 13 January 2020 containing an Amazon Web Services engineer’s personal identity documents and numerous system credentials. The repository included AWS key pairs (including a file named rootkey.csv), API tokens, private keys, passwords, logs, and customer-related templates. UpGuard reported the exposure to AWS Security within hours and the repository was secured the same day. The incident highlights how rapid leak detection can prevent accidental disclosures from escalating.

Marketing PR Platform Exposed Data of Hundreds of Thousands

🔓 UpGuard identified an Amazon S3 bucket tied to iPR Software that publicly exposed over a terabyte of files, including a 17 GB MongoDB backup. The collection contained 477,000 media contacts, approximately 35,000 hashed passwords, client marketing assets, internal PR strategy documents, and credentials for Google, Twitter, and a MongoDB host. UpGuard notified iPR in October 2019; public access was removed in late November after follow-up and media engagement.