Author: Gargi

Blogs

Identity Based Attacks, the Growing Risk; How do Orgs’ Navigate

In 2025 identity based attacks have surged up and research reveals how identity based attacks  have affected  identities, endpoints and cloud assets over 4 million past year as reported by threat detection report 2025 by  Red Canary.

As organizations grow and continue to harness technology, identity based attacks grow to and risk associated with them. And this brings us to understand he urgent need for strong identity protection as adversaries explore new techniques.

The Threat landscape is vast and have variety to support the attack includes evolving ransomware tactics, supply chain weaponization and attacks on non-human identities.

In this blog we take a look at what rate identity based attacks are growing and what is required to strengthen organizational strategies for resilience.

Of late the type of attacks that are taking center stage are Social engineering based attacks that has gained popularity as per CrowdStrike report.

Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details.

Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access.

Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.

The weakest link in Identity threats

With the usage of cloud most of the enterprises are shifting workload to cloud or hybrid cloud environment and now cloud infrastructure remains one of the points where frequency of attack has increased to achieve initial access.

This also includes increases in  macOS threats, info stealers and business email compromise. VPN based abuse is hard to detect so a easy gateway for criminals to launch ransomware based attacks and these products are actually leveraging identity based attacks including insider threats.

Threat researchers from Sygnia have noticed misconfigured Identity and Access Management (IAM) policies are one of the biggest culprits in creating openings for lateral movement and privilege escalation by attackers.

Popular social media websites and apps are breeding grounds for identity based attack that started from social engineering tactics being deployed by state sponsored threat groups to deliver their harmful intentions.

Example: Hackers gained access to Microsoft 365 tenant and authenticated against Entra ID using captured session tokens. This technique not only bypassed multi-factor authentication (MFA), but also circumvented other security controls that were in place.

AWS access keys were discovered on the compromised devices as well, giving the attackers two ways into the AWS environment—through direct API access and the web console via compromised Entra ID users.

Now business are looking to move beyond passwords and weak MFA. Passkeys, Biometric authentication, Risk-based access, and Continuous identity verification will become non-negotiable.

Bolstering organizations identity governance, adopting zero trust principles and participating in identity-focused red team assessments will be the need of the hour.

What can security leaders do to Stay Ahead of Identity-Based Attacks in 2025?

Passwords aren’t enough these day nor are MFA as attackers are advanced in techniques and wont wait to break authentication when they can bypass, manipulate, or socially engineer their way in.

  • Go passwordless: FIDO2, Passkeys, Biometrics are not required or eliminate them
  • Enforce phishing-resistant authentication: No SMS, no email-based resets, no security questions.
  • Implement real-time identity monitoring: Spot privilege escalations before attackers use them.
  • Require device trust: If a device isn’t secure you are not secured.

Organizations can stay ahead of this growing threat by leveraging GaarudNode which seamlessly integrate to detect and mitigate exposed credentials in real time. 

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
GaarudNode Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.


Do connect or DM for queries

Source: https://www.crowdstrike.com/en-us/blog/how-to-navigate-2025-identity-threat-landscape/

Security Advisory

OpenCTI Web-Hook Flaw Enables Full System Compromise

Summary

OEMFiligran
SeverityCritical
CVSS Score9.1
CVEsCVE-2025-24977
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ Webhook Remote Code Execution vulnerability  CVE-2025-24977OpenCTI  Critical  6.4.11

Technical Summary

The vulnerability resides in OpenCTI’s webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into web-hook templates.

Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.

Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (eg: credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-24977  OpenCTI (≤ v6.4.10)The webhook feature allows JavaScript-based message customization. Users with manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container.  Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure.

Remediation:

  • Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
  • Restrict user permissions: Especially the manage customizations capability — limit access to trusted personnel only.
  • Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
  • Implement container hardening practices: Reduce risk of secret exposure by:
    • Avoiding storage of secrets in environment variables when possible.
    • Using dedicated secret management tools.
    • Running containers with least privilege and limiting runtime capabilities.

The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.

Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.

The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.

Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.

References:

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Security Advisory

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

Summary of Security Advisory

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

OEM Tesla 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-2082 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This provides potentiality in giving access to critical vehicle controls; Tesla has addressed the issue in firmware version 2024.14. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Remote Code Execution vulnerability  CVE-2025-2082 Tesla Model 3   High  7.5 

Technical Summary 

The vulnerability lies in the VCSEC module, responsible for security functions like immobilization, door locking, and TPMS monitoring.

An integer overflow occurs when the VCSEC processes malformed certificate responses transmitted via the TPMS subsystem. Exploiting this flaw enables memory corruption, leading to remote code execution.

The attack does not require user interaction or authentication and can be carried out over adjacent wireless interfaces such as Bluetooth Low Energy (BLE) or Ultra-Wideband (UWB).

Once compromised, attackers may issue unauthorized commands to the Controller Area Network (CAN) bus, which governs safety-critical systems including braking, steering, and acceleration. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2082   Tesla Model 3 (pre-2024.14) Integer overflow in VCSEC module’s certificate handling logic triggered by malformed TPMS messages.  Remote code execution, unauthorized CAN bus access, potential control over critical systems 

Remediation

  • Update Tesla Firmware: Owners should update firmware version 2024.14 via the vehicle’s touchscreen or over-the-air (OTA) updates. 
  • Avoid Wireless Threats: Refrain from connecting to unknown BLE/UWB networks and using unauthorized TPMS accessories. 

Conclusion: 
This vulnerability demonstrates how auxiliary vehicle systems like TPMS can serve as entry points for serious security breaches. While Tesla’s prompt patch release, reflects good incident response, this case underscores the urgency for ongoing scrutiny of wireless automotive components. Owners must apply the firmware update and maintain secure update practices to reduce the risk of exploitation. 

References

Security Advisory

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw. 

OEMLinux
SeverityHigh
CVSS Score7.8
CVEsCVE-2025-21756
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
​ Use-After-Free vulnerability  CVE-2025-21756Linux kernel  High  7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-21756    Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.      Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

  • Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
  • Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
  • Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
  • Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:



Blogs

Frequency & Sophistication of DDoS Attack rise to198% in 1stQ 2025

Ways to protect enterprise assets and infrastructure is not only a CISO’s responsibility but a cause of worry for CXO, CTO ‘s as a powerful DDoS attack can cause havoc on revenues, productivity and reputation.

Threat mitigation from any DDoS attack, requires services from secured and trusted partners who can offer expertise and scale whenever required to mitigate the threats that emerge from DDoS attack.

This is also important from cost point of view as large enterprise bear the burnout and it requires expertise to constantly monitor and clean the traffic that get routed to customer network.

It is important organization find service oriented partners who have skilled networking capacity and processing power so that in face of attack, they can automatically respond to DDoS attacks, detect and mitigate.

According to MazeBolt research, even the best DDoS protections leave enterprises highly exposed. Typically, large-scale, global organizations are only 60% protected – leaving the door wide open for cybercriminals to exploit the gaps.

Statistics show from past DDoS attacks have taken down large services like Spotify, GitHub, Microsoft services like Outlook and OneDrive.

According to new data released by Netscout, distributed denial of service (DDoS) attacks are on the rise. There were 17 million such attacks in 2024 – up from 13 million the year before. It’s an astonishing rise that has big implications for your business.

Defining DDoS attack

When a cyber criminal or malicious actor push for a service with additional requests than it can handle, making the resources unavailable and non-functional subsequently bringing it down.

In cases DDoS attack forcefully shuts a website, network, or computer offline by overloading it with requests. We often hear Black Friday sales out in big giant displays, these often drive a lot of internet traffic towards the brand or one destination at once.

A DDoS attack works when several different IP addresses target the same platform at same time that can overwhelm the server in question and bring it down.

Often, this attack is carried botnets which are a collection of devices when infected with malware, they can controlled remotely by cyber criminals. DDoS attack is executed by several different actors at the same time.

Increase in DDoS Attack in 2025

DDoS attacks increased by 198% compared to the last quarter of 2024 and by 358% compared to the same quarter last year.

On April 3 attack targeted an unnamed online betting organization, lasting around 90 minutes, starting at 11:15 with a surge of 67Gbps, before escalating sharply to 217Gbps by 11:23, and peaked just short of 1Tbps at 965Gbps by 11:36.

Research shows A total of 20.5 million DDoS attacks were stopped during the period, of which 6.6 million attacks were directly targeted at Cloudflare’s infrastructure. Gaming servers were the most popular target for DDoS attacks. Attack patterns remains spotted during the 2024 UEFA European Football Championship, held in Germany, where spikes in DDoS activity also targeted online betting sites.

In Geopolitics DDoS has emerged as a tool that is often and can be abused to target attacks.

According to research by NETSCOUT, the second half of 2024 saw almost 9 million DDoS attacks, a 12.75% increase from the first six months. Israel in particular saw a 2,844% increase in attacks, seeing a high of 519 in one day.

The above mentioned Russian hacking group, NoName057(16), focused primarily on government services in the UK, Belgium, and Spain. Georgia also saw a 1,489% increase in attacks in the lead up to the “Russia Bill”, highlighting its use as a political weapon.

Network-layer DDoS attacks were the primary driver of the overall surge. In Q1 2025, 16.8 million of these attacks were blocked, representing a 509% year-over-year rise and a 397% increase from the prior quarter.

Hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or one billion packets per second (Bpps), have become increasingly common. Cloudflare reported approximately 700 such attacks during the quarter, averaging about eight per day.

Major targets of DDoS attack

Globally, there have been notable changes in the most-targeted locations. Germany moved up four spots to become the most attacked country in Q1 2025.

Turkey made an 11-place jump to secure second position, while China dropped to third. Hong Kong, India, and Brazil also appeared among the top most-attacked countries, with movements seen across several regions in the rankings. Australia, for its part, remained outside the global top ten.

Industries facing the most pressure have shifted this quarter as well. The Gambling & Casinos sector moved to the top position as the most targeted industry, after climbing four places.

Telecommunications dropped to second, and Information Technology & Services followed in third.

Other industries experiencing notable increases in attacks included Cyber Security, which jumped 37 places, and Airlines, Aviation & Aerospace. In Australia, the industries facing the most attacks were Telecommunications, Information Technology and Services, Human Resources, and Consumer Services.

The report detailed attack vectors and trends, showing that the most common technique at the network layer remains SYN flood attacks, followed by DNS flood and Mirai-launched attacks.

Among HTTP DDoS attacks, more than 60% were identified and blocked as known botnets, with others attributed to suspicious attributes, browser impersonation, and cache busting techniques.

Cloudflare observed significant surges in two emerging attack methods. CLDAP reflection/amplification attacks grew by 3,488% quarter-over-quarter, exploiting the connectionless nature of the protocol to overwhelm victims with reflected traffic.

Similarly, ESP reflection/amplification attacks rose 2,301%, underscoring vulnerabilities in systems using the Encapsulating Security Payload protocol.

Despite the increase in the volume and size of attacks, the report noted that 99% of network-layer DDoS attacks in Q1 2025 were below 1 Gbps and one million packets per second.

Likewise, 94% of HTTP attacks fell below one million requests per second. Most attacks were short-lived, with 89% of network-layer and 75% of HTTP attacks ending within 10 minutes, but the impact can persist much longer due to the resulting service disruptions.

Addressing the rise of DDoS attack & Mitigation solution

DDoS attack intends to disrupt some or all of its target’s services there are variety of DDoS attacks. They are all uniquely different. There are three common types of DDoS attacks:

  • Volumetric (Gbps)
  • Protocol (pps)
  • Application layer (rps) attacks.

An effective DDoS attack is launched when near by network detects easily the cheap IoT devices like toys, small appliances, thermostats, security camera and Wi-Fi routers. These devices makes it easy to launch an effective attack that can have massive impact.

Threat Mitigation of DDoS attack

Application Layer attacks can be detected early with solutions by monitoring visitor behavior, blocking known bad bots and constant testing.

To do this more effectively Intrucept recently launched Cyber Analytics platform

Cyber Analytics platform 𝘀𝗲𝗮𝗺𝗹𝗲𝘀𝘀𝗹𝘆 𝗯𝗿𝗶𝗻𝗴𝘀 𝘁𝗼𝗴𝗲𝘁𝗵𝗲𝗿 𝘁𝗵𝗲 𝗽𝗶𝗹𝗹𝗮𝗿𝘀 𝗼𝗳 𝗺𝗼𝗱𝗲𝗿𝗻 𝗰𝘆𝗯𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻𝘁𝗼 𝗼𝗻𝗲 𝘂𝗻𝗶𝗳𝗶𝗲𝗱 𝗲𝗰𝗼𝘀𝘆𝘀𝘁𝗲𝗺 𝗶.𝗲. 𝗯𝗲𝘀𝘁-𝗶𝗻-𝗰𝗹𝗮𝘀𝘀 𝗮𝘀 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗿𝗼𝗱𝘂𝗰𝘁𝘀.

✅ XDR (Extended Detection & Response)
✅ Next-Gen SIEM (Security Information & Event Management)
✅ SOAR (Security Orchestration, Automation & Response)
✅ Threat Intelligence
✅ AI-Powered Security Analytics
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝘀:
Real-time threat detection across endpoints, cloud, networks, and apps
Automated incident response to reduce MTTR & human fatigue
AI-driven insights to power proactive, risk-based decision-making
Built for agility, scalability & actionable intelligence; our platform gives security teams the edge required to move from playing catch-up to staying ahead.
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗿𝗲𝗽𝗿𝗲𝘀𝗲𝗻𝘁𝘀 𝗮 𝘀𝘁𝗲𝗽 𝗳𝗼𝗿𝘄𝗮𝗿𝗱 𝗶𝗻 𝗮𝗰𝗵𝗶𝗲𝘃𝗶𝗻𝗴 𝗯𝗲𝘁𝘁𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗼𝘂𝘁𝗰𝗼𝗺𝗲𝘀.

Sources; Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report

DDoS attacks have skyrocketed 358% year-over-year, report says

Security Advisory

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.

Several cybersecurity companies have reported active exploitation in the wild.

Summary 

OEM SAP 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-31324 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.

It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Missing Authorization in Metadata Uploader  CVE-2025-31324 SAP  Critical  10.0 

Technical Summary 

The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.

Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.

Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-31324  SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. Full system compromise including: 
– Remote Command Execution 
– Privilege Escalation 
– Data Exfiltration 
– Ransomware Deployment 
– Potential Espionage/Sabotage/Fraud 

Key Exploitation Details: 

  • Exploited Path: /developmentserver/metadatauploader 
  • Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names. 
  • Post-Exploitation Tools: 
  • Brute Ratel: Used for C2 operations, credential theft, privilege escalation. 
  • Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection. 

Risk Factors: 

  • Systems where Visual Composer is enabled (even though it is not enabled by default). 
  • Systems exposed to the internet. 
  • Systems without custom security measures protecting the Metadata Uploader endpoint. 

Remediation

  • Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles. 
  • Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules. 
  • Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface. 

Recommendations: 

  • Conduct Threat Hunting: 

Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories: 

  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync 
  • Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity. 
  • Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability. 

Conclusion: 
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation. 

References

Blogs

Deepfake’s pose a Challenge as Cyber-risk Increase

The Digital world is witnessing constant increase in threats from Deepfakes, a challenge for cyber leaders as cybersecurity related risk increase and digital trust.

Deepfakes being AI generated is much used by cybercriminals with intentions to bypass authenticated security protocols and appears realistic but fakes, often posing challenges to detect being generated via AI. We have three types of Deepfakes i.e. voice fakes or Audio, Deep Video maker fakes and shallow fakes or editing software like photoshop.

Growing Cyber Risk due to Deep Fakes

Due to these Deep fakes , which are quiet easier and more realistic to create, there has been deterioration of trust, propagation of misinformation that can be used widely and has potential to damage or conduct malicious exploitation across various domains across the industry verticals.

The cybersecurity industry has always came forward and explained what can be potential risk posed by Deep fakes and possible route to mitigate the risks posed by deepfakes, emphasizing the importance of interdisciplinary collaborations between industries. This will bring in proactive measures to ensure digital authenticity and trust in the face of evolving cyber frauds.

Failing to recognize a deep fake pose negative consequence both for individuals and organizational risk and this can be unable to recognize audio fakes or video fakes. The consequences can be from loss of trust to disinformation. From negative media coverage to falling prey to potential lawsuits and other legal ramifications and we cannot undermine cybersecurity related threats and phishing attacks.

There are case when Deep fakes have been ethically used but the numbers are less compare to malicious usage by cyber criminals. Synthetic media also termed as Deep fakes are created using deep learning algorithms, particularly generative adversarial networks (GANs).

These technologies can seamlessly swap faces in videos or alter audio, creating hyper-realistic but fabricated content. In creative industries, deepfakes offer capabilities such as virtual acting and voice synthesis.

 Generative Adversarial Networks (GANs) consists of two neural networks: a generator and a discriminator.

  • Generator: In this case the network creates synthetic data, such as images or videos from any random sound alert and mimic real data.

  • Discriminator generally evaluates the generated content against real data. 

Deepfakes uses deep learning algorithms to analyze and synthesize visual and audio content which are painful task to determine the real ones, posing significant challenge to ethical security concerns.

While posing threats Deep fakes also provide another gateway for cyber attack specifically Phishing attacks. Tricking victims or impersonating an individual or an entity may open doors for revealing sensitive information and threat to data security.
The audios created via Deepfake could be used to bypass voice recognition systems giving attackers access to secure systems and invading personal privacy.

Uses cases in Deepfakes to understand the reach and impact:

Scammers and Fraudsters can benefit as Deepfakes can develop audio replication and use them for malicious intent like asking financial help from individuals they encounter or voice clone as some important person and demand or extort money.

Identity Theft is often overlooked and this impacts mostly financial institutions and scammers can easily bypass such authentication by cloning voices. Scammers also may easily develop convincing replicas of government ID proofs to gain access to business information or a misuse it as a customer. 

Fusing images of high profile public figures with offensive images by employing deepfake technology without their knowledge by criminals and hackers are growing each day . This kind of act can eventually lead to demanding money by cyber criminals or face consequences leading to defaming.

Conspiracy against governments or national leaders by faking their image or creating false hoax where the image or voice is used by cyber criminals often hired by opposing systems in place to disturb peace and harmony and also sound business operations.

Email are the key entry point for cyberattacks and presently we see deepfake technology being used by cyber criminals to create realistic phishing emails. These emails  bypass conventional security filters an area we cannot afford to neglect.

How will you detect Deep fakes?

Few technicalities are definitely there that may not be recognizable but there are few minute and hairsplitting details.

In Video fakes its often seen no movement in the eye or unnatural facial expression. The skin colour may be sightly different and in-consistent body positioning including the mismatch lip-syncing and body structure and face structure not similar as what we used to witness or accustomed viewing.

Being a grave concern from cyber security perspective its important to remain alert on new evolving technologies on Deep fakes and know their usage to defend on all frontiers both at individual and organizational level.

As Deep fakes are AI driven and rising phishing attacks that imbibe deep fakes pose a challenge where in mostly social media profile are used. The available AI-enabled computers allow cybercriminals to use chatbots no body can detect as fake.

Mitigating the Digital Threat

  • Organizations or individuals require robust security measures to implement AI-based security solutions and develop improved knowledge of phishing methods in order to tackle the digital threat.
  • Remaining proactive in all level of cyber security to navigate the complex challenge of Deep fakes is important, while Deep fakes defiantly poses strong technical challenge but proactive cybersecurity practices can stop cybercriminals from luring victims in their trap.
  • Government bodies and tech institutions or organizations that are tech savy to have more collaborative efforts to recognize deep fakes and effectively deal with challenges.
  • The various regulations and more recently the DORA (Digital Operational Resilience Act ), will help navigate these challenges as more investments in open sources security will rise by countries and organizations.
  • Major investments in AI-driven detection tools are being soughed after at enterprise level, those having stronger authentication mechanisms and improved digital literacy are critical to mitigating these emerging threats.
  • Investing in Email security service that offers automated protection will assist in blocking major phishing attempts

    As per KPMG report, Deepfakes may be growing in sophistication and appear to be a daunting threat. However, by integrating deepfakes into the company’s cybersecurity and risk management, CISOs  in assosiations with CEO, and Chief Risk Officers (CRO) – can help their companies stay one step ahead of malicious actors.

    This calls for a broad understanding across the organization of the risks of deepfakes, and the need for an appropriate budget to combat this threat.

    If Deepfakes can be utilized to infiltrate an organization, the same technology can also protect it. Collaborating with deepfake cybersecurity specialists helps spread knowledge and continually test and improve controls and defenses, to avoid fraud, data loss and reputational damage.

    BISO Analytics:

    We at Intruceptlabs have a mission and that is to protect your organization from any cyber threat keeping confidentiality and integrity intact.

    We have BISO Analytics as a service to ensure business continues while you remain secured in the world of cybersecurity. BISO’s translates concepts and connects the dots between cybersecurity and business operations and functions are in synch with cyber teams.

    Sources: https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

    AI-Driven Phishing And Deep Fakes: The Future Of Digital Fraud

Security Advisory

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released  

The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.

OEM Windows 
Severity HIGH 
CVSS Score 7.8 
CVEs CVE-2025-21204 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.

A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Update Stack Privilege Escalation  CVE-2025-21204 Windows  HIGH  7.8 

Technical Summary 

The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.

A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required. 

This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.

CVE ID System Affected Vulnerability Details Exploit Prerequisites Impact 
  CVE-2025-21204  Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code. Attackers must have local access and limited user privileges; no user interaction required   Local privilege escalation, Code execution 

Source: Cyberdom 

Recommendations

  • Apply the April 2025 cumulative update (KB5055523) immediately. 
  • Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack. 
  • Use AppLocker or WDAC to block symbolic link creation in sensitive directories. 
  • Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence. 
  • Detect attempts to create NTFS junctions targeting update directories. 

Conclusion: 
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.

The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation. 

References


 

Blogs

Intruder Alert! Security Breach Leading to Data Breach

Recently 2.9 billion records of data stolen in cyber breach from National Public Data that includes Social Security numbers. Cyber experts assume that sensitive information including Social Security numbers for millions of people could be in the hands of a hacking group.

Reports suggest that after the breach occurred the data may have been released on an online marketplace or dark web.

What does this mean and how does organizations fight to save their clients and brand value?

It is a big question and something that can give restlessness to CISO’s and security teams. The results of breach remains for months and the impact too. This can result in financial losses and if hackers can have unauthorized access to online accounts or financial documents, the result is far reaching.

What it can do is first damage the brand value and result in expenses incurred from investigations.

This include legal fees for lawyers and if suit is bought by any customer or client and goes up to customer notification including compensation, fines.

Loosing brand value due to breach affects regaining the confidence of customers or partners and clients. This is long term as chance of possible loss of business opportunities and lasting reputational damage exist.

Gaining unauthorized access to a device or system leads to security breach and that leads to data breach or other malicious activity and as we know the devastating consequences for organizations at large. Now this can be defined as being over powering and surpassing all security measures that protect data or network systems of the organization including physical hardware assets.

Mostly we are accustomed with few names as

Malware: The attacker infects a system with malware that’s designed to steal sensitive data, hijack system resources.

Phishing: This technique involves a seemingly legitimate email or text or fake websites that come in surface as a scam

Physical asset: Sometimes  attackers gets involved in stealing or meddling with a piece of organizations assets if he can hold on the equipment, tool to get access in enterprise system and steal data.

Breach details of national Public Data:

The hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, reported by Bloomberg Law. The breach was believed to have happened in or around April, according to the lawsuit.

One major aspect of the breach is the data also included information about the individuals’ relatives. One of the unique aspects of the data was the longevity — the addresses spanned decades of residence, and some relatives have been deceased for as long as two decades.

In addition to neglecting to inform the victims, National Public Data has not released a public statement regarding the breach. The Los Angeles Times reported that the company responded to email inquiries with “We are aware of certain third-party claims about consumer data and are investigating these issues.” The lawsuit mentions the lack of notification as a top concern of the Plaintiff.

(Source: www.usatoday.com)

In recent years, plenty of high-profile examples of security breaches have captured public attention . One security breach that actually captured attention was the Nvidia breach in 2022.

Nvidia, a major chip manufacturer, experienced a cyberattack where up to 1TB of data was stolen, including employee credentials and proprietary information.

The impact was that Hackers demanded Nvidia remove limitations on its GPUs, and internal source code was leaked. The company had to take several security measures to mitigate further damage.

This incident proved that hackers and cybercriminals are in equal terms powerful in their methods and tactics as cyber security teams . Each hacker pushed the boundaries of what was thought possible in the cyber world and their actions have had far-reaching consequences.

They targeted financial institutions and government agencies to exposing vulnerabilities in national defense systems. These incidents have served as wake-up calls, highlighting the critical need for robust cybersecurity measures and a better understanding of digital ethics and law

Preventing security breach:

Enterprise and security teams at times may take more time to rectify or better to prevent a security breach than to resolve one after it occurs. Though not all security breaches are avoidable, applying a few tried-and-tested best practices is always on the cards.

Tips for Best practices for preventing data breaches

Data breach prevention requires a comprehensive, proactive approach and a enterprise level if ots followed its better for security measure to remain strong that are being implemented.

  • A secure coding principles in best practice strategy: Writing secure code involves following best practices such as avoiding hardcoded credentials, implementing input validation, and ensuring proper data encryption. This way organization can reduce vulnerabilities that attackers might exploit.
  • Conducting Regular security audits: Conducting penetration testing and threat modeling helps identify weaknesses in your security framework and routine security assessments to mitigate potential threats.
  • Implementing practices with DevSecOps: Embedding security into the SDLC ensures security considerations are addressed at every stage of development. By integrating application security testing and practices like shift left testing into software development workflows, organizations can identify and fix vulnerabilities early in the process.
  • Creating incident response plans: Having a clear incident response plan allows organizations to detect, contain, and mitigate security breaches more efficiently. Security teams get enough time and  can respond quickly to security incidents, minimizing damage and reducing downtime.
  • Security training for Teams : Educating development teams on cybersecurity best practices helps them recognize threats and implement secure coding practices. Security teams should stay updated on emerging threats and modern security measures.

Protect yourself with GaarudNode from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

  • Our Platform:
    • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
    • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
    • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
    • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Do connect or DM for queries

(Sources:https://www.ibm.com/think/news/national-public-data-breach-publishes-private-data-billions-us-citizens)

Scroll to top