Security researchers gained admin access to Reviver’s backend and could track the GPS location of every digital license plate in California, Canada’s regulators reclassified stablecoins as securities forcing Tether off Crypto.com, a critical RCE vulnerability in the JsonWebToken library threatens over 22,000 projects, and a SugarCRM zero-day allowed attackers to take full server control — already hitting 12% of exposed instances before a patch was available.
Stories Covered
California Digital License Plates Had an Admin Backdoor That Let Anyone Track Every Car
Security researchers discovered that Reviver — the company behind digital license plates approved for use in California — had a backend administrative account type that, once accessed, allowed a researcher to do significantly more than just view plates. With admin access, the researcher could track the GPS location of any plate in real time, modify the personalized message displayed on the bottom of any plate, and update or delete any plate in the system. California has permitted digital license plates for some time; Reviver markets them as the modern successor to traditional stamped metal plates, with features including GPS tracking for vehicle recovery and customizable display text. The same features that make the plates useful to vehicle owners — remote tracking, remote update capability — become attack surface when the administrative controls behind them are accessible. The researchers reported the vulnerability responsibly to Reviver, which patched the issue promptly. The existence of a privileged account type with this level of access across the entire fleet is consistent with what developers and testers implement for backend system maintenance, but any such account represents a high-value target: gaining it would have given an attacker persistent visibility into the physical location of every Reviver-equipped vehicle in California without the individual vehicle owners knowing.
Canada Reclassifies Stablecoins as Securities, Tether Delisted From Crypto.com Canada
The Canadian Securities Administrators (CSA) published its position that stablecoins — cryptocurrencies pegged to external assets like the US dollar — should be treated as securities or derivatives rather than currency. The Ontario Securities Commission enforcing this position meant that Tether (USDT), the largest stablecoin by market capitalization and the third-largest digital asset overall, could no longer be offered on regulated Canadian exchanges without complying with securities regulations it had not previously been subject to. Crypto.com announced it would delist Tether in Canada by January 31st, converting any remaining user balances to USD Coin (USDC), a stablecoin issued by Circle, a registered US money service business already operating under regulated frameworks. The distinction matters: USDT and USDC both claim a 1:1 peg to the US dollar, but Tether has faced prior legal scrutiny over whether its reserves actually back its outstanding supply at the stated 1:1 ratio. USDC, by contrast, operates under regulatory visibility that gives it a cleaner compliance profile. The Canadian move is part of a broader global pattern of regulators attempting to assert jurisdiction over crypto assets that exist outside traditional securities definitions — with stablecoins being particularly targeted because their dollar-pegged nature makes them functional substitutes for fiat currency in ways pure cryptocurrencies are not.
JsonWebToken CVE-2022-23529: RCE in a Library With 10 Million Weekly Downloads
A high-severity remote code execution vulnerability was disclosed in the JsonWebToken (JWT) library, tracked as CVE-2022-23529 and patched in version 9.0.0. The JWT library is developed and maintained by Auth0 (owned by Okta) and is one of the most widely deployed authentication libraries in the Node.js ecosystem — it has over 10 million weekly downloads on NPM and is used by more than 22,000 projects. Any application running JWT version 8.5.1 or below is potentially vulnerable to remote code execution, meaning an attacker could run arbitrary code on the server hosting the application without requiring valid credentials or prior access. The disclosure underscores the supply chain risk pattern: rather than attacking a single application, finding a critical vulnerability in a widely-used library creates simultaneous exposure across thousands of codebases. Developers running any version of jsonwebtoken below 9.0.0 should update immediately. This is not a vulnerability that benefits from a wait-and-see approach — the library is so widely distributed that exploitation attempts against unpatched instances were essentially certain to follow the public disclosure.
SugarCRM Zero-Day: Authentication Bypass and Full Server Takeover, 12% of Servers Hit
A zero-day vulnerability in SugarCRM — a customer relationship management platform used by businesses — was publicly disclosed in late December 2022 and exploited in the wild before a patch was available. The vulnerability is an authentication bypass flaw: attackers could send commands to the server without needing to log in. Once bypassing authentication, the attack chain involved manipulating a server-side file to obtain a session cookie, then using that cookie to upload a malicious image file containing embedded code. The code in the image established a remote session on the server, giving the attacker full control. From that position, attackers can install persistent backdoors, launch further attacks using the compromised server’s resources, and access or exfiltrate any data the SugarCRM instance holds about customers and business operations. The original disclosure included Google Dorks — specialized search queries that identify publicly exposed SugarCRM instances — which gave attackers a ready-made targeting list. By the time reporting was published, approximately 354 of the roughly 3,000 SugarCRM servers exposed to the internet had already been compromised, representing about 12% of the total exposed population. SugarCRM released a hotfix in early January 2023 and applied it directly to cloud-hosted instances; administrators running on-premises deployments needed to apply the patch manually. If you run SugarCRM on your own infrastructure and have not applied the hotfix, treat the server as potentially compromised and investigate before patching.
Leave a Reply