Cyberespionage Group Blind Eagle Infects 1,600 Orgs in Colombia
URL manipulation attack; An agile attack methodology
Continue ReadingMonth: March 2025
Multiple High-Severity Vulnerabilities Patched in Zoom
Summary
Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.
The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).
All rated high severity with CVSS scores ranging from 7.1 to 8.5.
| OEM | Zoom |
| Severity | High |
| CVSS | 8.5 |
| CVEs | CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, CVE-2025-0150, CVE-2025-0149 |
| Publicly POC Available | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Heap-Based Buffer Overflow Vulnerability | CVE-2025-27440 | ZOOM | High | 8.5 |
| Buffer Underflow Vulnerability | CVE-2025-27439 | ZOOM | High | 8.5 |
| Use-After-Free Vulnerability | CVE-2025-0151 | ZOOM | High | 8.5 |
| Incorrect Behavior Order Vulnerability | CVE-2025-0150 | ZOOM | High | 7.1 |
| Insufficient Data Verification Vulnerability | CVE-2025-0149 | ZOOM | Medium | 6.5 |
Technical Summary
These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-27440 | Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.) | Heap-based buffer overflow, allowing attackers to inject malicious code | Privilege Escalation |
| CVE-2025-27439 | Zoom Workplace Apps | Buffer underflow, leading to unexpected crashes or data leakage | Denial of Service, Data Exposure |
| CVE-2025-0151 | Zoom Workplace Apps | Use-after-free issue leading to memory corruption and arbitrary code execution | Privilege Escalation |
| CVE-2025-0150 | Zoom Workplace Apps (iOS) | Incorrect behavior order allowing unauthorized access to authentication tokens | Information Disclosure |
| CVE-2025-0149 | Zoom Workplace Apps | Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks | Denial of Service |
Remediation:
- Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.
Conclusion:
The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.
Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data.
Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.
References:
High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043)
Security Advisory
A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.
The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.
Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.
Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.
| OEM | Microsoft |
| Severity | HIGH |
| CVSS | 7.5 |
| CVEs | CVE-2025-24043 |
| Publicly POC Available | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-24043 | Microsoft Windows | High |
Technical Summary
The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.
This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24043 | WinDbg and associated .NET diagnostic packages | Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded. | Arbitrary code execution |
Remediation:
- Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions.
- Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available.
- Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages.
- Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe.
- Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components.
The table below outlines the affected and patched versions of the relevant packages:
| Package Name | Affected Version | Patched Version |
| dotnet-sos | < 9.0.607501 | 9.0.607501 |
| dotnet-dump | < 9.0.557512 | 9.0.607501 |
| dotnet-debugger-extensions | 9.0.557512 | 9.0.607601 |
Conclusion:
CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments.
The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.
Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.
References:
- https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/
PoC Released for High-Severity Linux Kernel UVC Driver Vulnerability
| OEM | Linux |
| Severity | HIGH |
| CVSS | 7.8 |
| CVEs | CVE-2024-53104 |
| Actively Exploited | Yes |
| Publicly POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
CVE-2024-53104 is a high-severity out-of-bounds write vulnerability in the Linux kernel’s USB Video Class (UVC) driver, leading to privilege escalation. The issue affects Linux kernel versions 2.6.26 and later. The vulnerability has gained renewed attention as a proof-of-concept (PoC) exploit has now been publicly released, increasing the risk of exploitation. A patch has been released to address this vulnerability, but unpatched systems remain at high risk.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| out-of-bounds write vulnerability | CVE-2024-53104 | Linux Kernel | High |
Technical Summary
The vulnerability exists in the uvc_parse_format function of the UVC driver (uvc_driver.c). It arises due to improper parsing of UVC_VS_UNDEFINED frames, leading to incorrect buffer allocation and out-of-bounds writes.
An attacker could exploit this flaw by inserting a malicious USB device or manipulating video streams, potentially leading to memory corruption, privilege escalation, or arbitrary code execution.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-53104 | Linux Kernel (2.6.26 and later) | Incorrect parsing of UVC_VS_UNDEFINED frames in uvc_parse_format, leading to miscalculated buffer sizes and memory corruption. | Privilege escalation, system instability, arbitrary code execution |
Remediation:
- Apply Security Patches: Ensure that the latest security patches provided by the Linux distribution maintainers are promptly applied to mitigate vulnerability.
Recommendations
- Implement USB Device Control Policies: Organizations should establish and enforce USB device control policies to prevent unauthorized usage and ensure only approved devices can be connected.
- Deploy Log Monitoring and Analysis Tools: Implement security monitoring tools to continuously monitor logs for potential security incidents, such as exploitation attempts or suspicious activity.
Conclusion:
CVE-2024-53104 is a major vulnerability that poses a substantial risk to Linux systems since it allows for privilege escalation and arbitrary code execution. Users and administrators are strongly urged to apply the latest security patches to mitigate the risk of exploitation. Additionally, implementing a multi-layered security approach can further enhance system protection.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate remediation.
CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.
References:
- https://cybersecuritynews.com/poc-exploit-linux-kernel-write-vulnerability/
- https://hackyboiz.github.io/2025/03/08/j0ker/2025-03-08/
- https://lore.kernel.org/linux-cve-announce/2024120232-CVE-2024-53104-d781@gregkh/T/
DISA Unveils Data Strategy for Next 2 yrs; Focus on Strengthening Data Architecture, Governance
Data Strategy for Fiscal yr 25-27, by DISA
Continue Reading
Critical Security Flaw in Kibana Requires Immediate Attention
Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards.
Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.
| OEM | Elastic |
| Severity | Critical |
| CVSS | 9.9 |
| CVEs | CVE-2025-25012 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Arbitrary code execution Vulnerability | CVE-2025-25012 | Elastic | Critical |
Technical Summary
This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.
Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter).
Affected Versions and Exploitation Conditions:
- Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role.
- Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-25012 | Kibana 8.15.0 – 8.17.2 | Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls. | Remote Code Execution, Unauthorized Data Access, Lateral Movement |
Remediation:
- Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version
- Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk:
- Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml.
Conclusion:
Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.
The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future.
References:
Image
Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
Continue Reading
Critical Vulnerabilities in IBM Storage: Authentication Bypass and Code Execution Risks
Critical Vulnerabilities in IBM Storage:
Continue Reading
Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems
CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.
| OEM | Microsoft |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2018-8639 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview on Vulnerability
The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Privilege Escalation Vulnerability | CVE-2018-8639 | Windows | High |
Technical Summary
The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.
Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2018-8639 | Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019 | Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. | System compromise, unauthorized access, potential malware persistence |
Remediation:
- Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk.
- Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.
General Recommendations:
- Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches.
- Adopting the principle of least privilege (PoLP) to limit user access.
- Continuous monitoring of anomalous kernel-mode activities.
Conclusion:
Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.
References:
- https://nvd.nist.gov/vuln/detail/cve-2018-8639
- https://github.com/ze0r/CVE-2018-8639-exp
- ‹ Previous
- 1
- 2
- 3
- Next ›