SANS Stormcast Wednesday Mar 26th: XWiki Exploit; File Converter Correction; VMWare Vulnerability; Draytek Router Reboots; MMC Exploit Details;

XWiki Search Vulnerablity Exploit Attempts (CVE-2024-3721)

Our honeypot detected an increase in exploit attempts for an XWiki command injection vulnerablity. The vulnerability was patched last April, but appears to be exploited more these last couple days. The vulnerability affects the search feature and allows the attacker to inject Groovy code templates.

https://isc.sans.edu/diary/X-Wiki%20Search%20Vulnerability%20exploit%20attempts%20%28CVE-2024-3721%29/31800

Correction: FBI Image Converter Warning

The FBI's Denver office warned of online file converters, not downloadable conversion tools

https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam

VMWare Vulnerability

Broadcom released a fix for a VMWare Tools vulnerability. The vulnerability allows users of a Windows virtual machine to escalate privileges within the machine.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518

Draytek Reboots

Over the weekend, users started reporting Draytek routers rebooting and getting stuck in a reboot loop. Draytek now published advise as to how to fix the problem.

https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/

Microsoft Managemnt Console Exploit CVE-2025-26633

TrendMicro released details showing how the MMC vulnerability Microsoft patched as part of its patch tuesday this month was exploited.

https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html