Author: Gargi

Critical Security Flaw in Kibana Requires Immediate Attention 

Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards. 

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

OEM Elastic 
Severity Critical 
CVSS 9.9 
CVEs CVE-2025-25012 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately. 

Vulnerability Name CVE ID Product Affected Severity 
 Arbitrary code execution Vulnerability  CVE-2025-25012  Elastic  Critical 

Technical Summary 

This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.

Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter). 

Affected Versions and Exploitation Conditions: 

  • Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role. 
  • Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25012   Kibana 8.15.0 – 8.17.2   Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls.  Remote Code Execution, Unauthorized Data Access, Lateral Movement  

Remediation

  • Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version 
  • Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk: 
  • Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml. 

Conclusion: 

Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.

The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future. 

References: 

Image 

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately 

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Continue Reading

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems 

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2018-8639 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2018-8639  Windows  High 

Technical Summary 

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2018-8639 Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019  Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. System compromise, unauthorized access, potential malware persistence 

Remediation

  • Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk. 
  • Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.  

General Recommendations: 

  • Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches. 
  • Adopting the principle of least privilege (PoLP) to limit user access. 
  • Continuous monitoring of anomalous kernel-mode activities. 

Conclusion: 

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2018-8639  
  • https://github.com/ze0r/CVE-2018-8639-exp 

High-Severity DoS Vulnerability in Cisco NX-OS Software

MPLS Encapsulated IPv6 Denial of Service Vulnerability

OEM CISCO 
Severity High 
CVSS score 7.4 
CVEs CVE-2025-20111 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads. 

Vulnerability Name CVE ID Product Affected Severity 
 Denial of service vulnerability  CVE-2025-20111   Cisco Nexus   High 

Technical Summary 

The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.

An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-20111  Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS Improper handling of specific Ethernet frames in health monitoring diagnostics  Repeated device reboots, potential network downtime  

Remediation

  • Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately. 
  • Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release. 
  • Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem. 

Conclusion: 

CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation. 

References: 

Orange Group Suffered Data Breach; Threat Actors Exposes Compromised Data

Threat actors aimed infiltrating on Orange’s systems; A case of Ransomware cannot be denied on the data breach that took place.

Orange has confirmed it has recently experienced a cyber-attack, that exposed compromised data. Orange insists it is still investigating the case. The data breach on Orange group when analyzed found it included thousands of internal documents, including sensitive user records and employee data, after infiltrating the company’s infrastructure.

As per reports one of Orange’s non-critical apps breached in an attack aimed at its Romanian operations after HellCat ransomware gang member “Rey” alleged exfiltrating thousands of internal files with user records and employee details, which have been leaked on Tuesday, according to BleepingComputer.

Key Breach details on Orange Group

  • The data breach aimed at Infiltration of Orange’s systems for more than a month via the exploitation of Jira software and internal portal vulnerabilities.
  • This facilitated the eventual breach and can be a ransomware case as of almost 6.5 GB of corporate data including about 12,000 files over a nearly three-hour period on Sunday.
  • The hacker, known by the alias Rey, is a member of the HellCat ransomware group, noted the intrusion to be independent from the HellCat ransomware operation.
  • The threat actor claims that they have stolen thousands of internal documents of current and former Orange Romania employee, contractor, and partner email addresses, some of which dated from over five years ago, as well as mostly expired partial payment card details.
  • The hacker claims that they gained access to Orange’s systems by exploiting compromised credentials and vulnerabilities in the company’s Jira software (used for issue tracking) and other internal portals.
  • The point was getting access to the company’s systems for over a month before executing the data exfiltration as per the hacker. They also stated that they had dropped a ransom note on the compromised system, but Orange did not engage in negotiations.
  • Orange emphasized that the attack has not impacted operations amid an ongoing investigation into the incident. The company is yet to disclose whether affected individuals will be notified or if additional security measures will be introduced to prevent similar breaches in the future.

Cyber Security Implications 

From cybersecurity point the incident reflected how major organization face cyber threats and what is their strategy for incident response?

How far is the preparedness of enterprises against a ransomware attack?

These are some of the eminent questions organizations must face in order to defend their brand name..Is it proactive, are organizations prepared as Ransomware groups are focusing with advanced techniques.

Cyber security preparedness the next step

It is important that security teams be on their toes to stop any ransomware attack at the source.

AI on the endpoints is the requirement of the day, detecting atypical behavior to predict and block attack advances, at the same time before encryption, having visibility full visibility from the kernel to the cloud enables one to spot signs of compromise .This can also be any ransomware chain or any early indicators of compromise.

Experts keep on warning how to protect assets from getting compromised warning customers and employees to remain vigilant for potential phishing attempts based on the data that has been leaked.

AI Leveraging Ransomware campaigns

Earlier we witnessed cybercriminals would encrypt data and provide the decryption key once payment was received.

Now threats has doubled up with double or triple extortion attacks to expose stolen information on data leak sites in exchange for larger ransoms.

The greater availability of artificial intelligence and machine learning tools has led to these gangs be more sophisticated in their attack methods. Now the attack vectors leverage AI and ML capabilities to evade detection, spread more effectively to reach their final goals.

AI Reshaping Cyber security Roadmap

AI in cybersecurity firstly integrates artificial intelligence technologies that are required to gain critical insights and automate time-consuming processes and this includes machine learning and neural networks, into security frameworks.

These technologies are a must to enable cybersecurity teams and systems to analyze vast amounts of data, recognize attack patterns, and being able to adapt new evolving threats that can be performed with minimal human intervention. Read our blog: AI Reshaping Roadmap for Cyber security

With AI capabilities what is the next scenario we may witness in Ransomware campaigns

    • Making ransom calls using Voice Cloning

    • Malware that can target key personnel within the organization

    • The ability to decipher financial data and demand ransom amounts accordingly

AI-driven systems learn from experiences and AI will empowers organizations, enterprises in future and still doing to enhance their cybersecurity posture and reduce the likelihood of breaches, identify potential risks by acting independently.

Sources:

https://www.scworld.com/brief/orange-group-hack-confirmed-following-leak-by-hellcat-ransomware-member

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Critical WordPress Security Flaw in Everest Forms Plugin 

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

Continue Reading
Scroll to top