Brutkey

cR0w
@cR0w@infosec.exchange

LPE in BIG-IP APM VPN browser client for macOS.

https://my.f5.com/manage/s/article/K000151782

cR0w
@cR0w@infosec.exchange

The write-up on this from Horizon3 dot ai:

https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/

cR0w
@cR0w@infosec.exchange

Check your HTTP/2 shit. Similar to the Rapid Reset vuln, this is another DoS in HTTP/2 they're calling Made You Reset.

https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/

Patches in NGINX, Envoy, Apache, and HAProxy added thresholds for stream resets and behavioral analytics to flag clients abusing the protocol.
Tomcat also has an advisory for it:

https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

The MadeYouReset vulnerability was found to affect several widely used HTTP/2 server implementations, including Netty, Jetty, Apache Tomcat, IBM WebSphere, and BIG-IP.

https://deepness-lab.org/publications/madeyoureset/

cR0w
@cR0w@infosec.exchange

sev:MED session fixation in Tomcat via rewrite valve.

https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47

If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's session.

cR0w
@cR0w@infosec.exchange

Ooh, this one's even better.

https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-gjp6-9cvg-8w93

cR0w
@cR0w@infosec.exchange

Go hack more AI shit.

https://github.com/CherryHQ/cherry-studio/security/advisories/GHSA-8xr5-732g-84px

cR0w
@cR0w@infosec.exchange

Late Patch Tuesday entry for GitLab. They published four sev:HIGH CVEs among some other, lower severity ones.

https://about.gitlab.com/releases/2025/08/13/patch-release-gitlab-18-2-2-released/

#patchTuesday

cR0w
@cR0w@infosec.exchange

Fuck that.

https://tacoma.gov/news/city-of-tacomas-solid-waste-management-launches-smart-camera-pilot-to-reduce-contamination-in-recycling/

cR0w
@cR0w@infosec.exchange

sev:CRIT LPE in Zoom.

https://www.zoom.com/en/trust/security-bulletin/zsb-25030/

#patchTuesday

cR0w
@cR0w@infosec.exchange

@da_667@infosec.exchange er, system engineers. Whatever.