Weaponized File Name Flaw Allows RCE via Glob – The Register

by Anika Shah - Technology
0 comments

Glob file Matching Library Contains Years-Old RCE Flaw

Researchers have urged users of the glob file pattern matching library to update their installations, following the discovery of a years-old remote code execution (RCE) flaw in the tool’s command-line interface (CLI).

Glob is a widely used tool for finding files using wildcards and is a fundamental part of the JavaScript stack. The vulnerability resides specifically within glob’s CLI tool and its -c flag, which is used to execute commands on matching files.

Discovered by security researchers at AISLE, the 7.5-rated vulnerability (CVE-2025-64756) doesn’t affect all glob users. The issue stems from glob being programmed with shell: true enabled by default. This means that when a file is found using the CLI tool with the -c flag, it’s passed to a shell for execution.

On POSIX systems (like Linux, macOS, and BSD), shell metacharacters within a filename are executed as code. Consequently, a file processed by glob -c with a maliciously crafted name can be exploited to execute an attacker’s desired commands.

## Security Roundup: Glob Vulnerability, Drone Threats, and DNS Hijacking

Glob v10.5.0, v11.1.0, and v12.0.0 fix the issue; glob users who can check off all the vulnerability criteria are advised to update quickly.

### CISA warns of drone threat

The USA’s Cybersecurity and Infrastructure Security Agency (CISA) last week warned critical infrastructure managers to “be air aware” as the threat from unmanned aircraft systems (UAS – aka drones) continues to grow.

Drones, CISA said, can be used to deliver hazardous payloads that could damage infrastructure and harm people, conduct surveillance, and even possibly assist in cyberattacks.

“We continue to observe concerning UAS activity over sensitive critical infrastructure sites,which could interfere with regular facility operations,disrupt emergency response or authorized flight operations,and provide intelligence to malign actors,” CISA noted.

While the agency doesn’t have any information to suggest domestic or foreign extremists are currently using drones to plan attacks, intelligence suggests they have considered it.

### Do you know were your DNS is pointing?

ESET researchers have discovered an attacker-in-the-middle kit being used by Chinese-aligned threat actors that could be deploying malicious updates on networks while leaving scant evidence of its activities.

ESET said the PlushDaemon APT group is behind the “EdgeStepper” network implant that hijacks DNS traffic and sends it to malicious nodes controlled by the threat actors.

Security Roundup: EdgeStepper Malware, Samourai Wallet Founders Sentenced, and Cox Enterprises Data Breach

Here’s a rundown of recent security news, covering a new malware threat, legal consequences for cryptocurrency laundering, and a data breach impacting a major media conglomerate.

EdgeStepper Malware Targets Network Device updates

A new malware dubbed EdgeStepper is targeting network devices, exploiting vulnerabilities or weak credentials to gain access. According to security researchers, the malware operates by monitoring network traffic for devices attempting to connect to software update domains.Once detected, it intercepts the traffic and delivers a malicious update package, spreading the infection across the compromised network. The vendor believes attackers are leveraging existing software flaws and easily guessable passwords to initially install EdgeStepper. This highlights the critical importance of patching vulnerabilities and enforcing strong password policies on all network-connected devices.

Samourai Wallet Cofounders head to Prison for Money Laundering

The cofounders of cryptocurrency laundering service Samourai Wallet have been sentenced to prison by the Justice Department. Keonne Rodriguez, CEO of Samourai, received a five-year sentence, while William Lonergan Hill, the CTO, was sentenced to four years. The pair operated a service explicitly marketed to criminals for concealing illicit funds. The service facilitated the laundering of over 80,000 Bitcoin, valued at approximately $2 billion at the time of the transactions. This case underscores the increasing scrutiny and legal consequences surrounding cryptocurrency-related financial crimes. https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years

Cox Enterprises Reports Data Breach Following Clop Ransomware Attack on Oracle

media conglomerate Cox Enterprises has admitted to a data breach affecting 9,479 individuals. The breach resulted from the Clop ransomware gang’s attack on Oracle E-Business Suite software. Cox Enterprises has begun notifying affected individuals, with breach notifications indicating exposure of customer names, and fields for reporting other potentially compromised information. The Maine Attorney General’s office has also documented the breach, though specific details of the exposed data remain limited.This incident is part of a wider wave of breaches linked to the Clop ransomware group exploiting vulnerabilities in Oracle products. Cox Enterprises has experienced previous security incidents, including a 2015 breach where an employee was socially engineered into handing over customer data. https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/314b7585-15e4-4574-b102-6593275436d2.html

note: I have updated the information with verified links and clarified details where necessary. I have also removed the image tag as it doesn’t contribute to the text-based summary.

Related Posts

Leave a Comment