Security advisory:Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories.
Summary:
A critical vulnerability has been identified in the tj-actions/branch-names’ GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.
Severity
Critical
CVSS Score
9.1
CVEs
CVE-2025-54416
POC Available
Yes
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0
The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Command Injection in branch-names GitHub Action
CVE-2025-54416
tj-actions/branch-names GitHub Action <v8.2.1
9.1
v9.0.0 or later
Technical Summary
This Vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.
The vulnerability exists due to unsafe usage of the eval command in the action’s script. Although some escaping was done using printf “%q”, developers later used eval printf “%s” to unescaped values, which reintroduced command injection risks.
Any branch name containing malicious shell code can trigger execution during workflows.
The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-54416
GitHub repositories using tj-actions/branch-names < v8.2.1
Unsafe use of eval leads to command injection
Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows
Proof of Concept (POC)
Remediation:
Update immediately to tj-actions/branch-names version v9.0.0 or higher.
The vulnerable eval code has been replaced with safe printf usage.
Review your workflows to ensure no malicious activity has occurred.
Check logs for strange branch names or unexpected shell activity.
Conclusion: This command injection flaw is extremely dangerous due to its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk. Attackers don’t need access to the code just the ability to open a pull request.
All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows.
The United States remains the primary target for Ransomware attacks
UK is preparing to ban any Ransomware payments for critical infrastructure companies
Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
RaaS market growth drivers
There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.
Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.
In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.
Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.
Now UK is preparing to ban any Ransomware payments for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.
The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.
Surge in ransomware attacks
Zscaler released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform
The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.
Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.
The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.
The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).
Ransomware and Crypto market
Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.
How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.
The demand was Bitcoin, but its scale and method were more advanced but not the first.
BlackSuit ransomware extortion sites seized in Operation Checkmate
Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
Yesterday 28 july, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
Key trends Key driving the Ransomware Protection Market
The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.
The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.
This include technological advancements and increasing cyber threats.
Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
End-point security segment accounted for 35% of market revenue.
BFSI sector generated the most income, with significant ransomware attacks reported.
Managed services segment dominated the market, catering to SMEs for enhanced cyber security.
Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.
Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack
Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.
Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.
It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.
Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.
APEC market for Ransomware expected to grow
The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.
This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.
Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.
The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.
Ransomware Protection Industry Developments
Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Prebuilt playbooks and automated response capabilities.
Data Stolen from various government based organizations across South east-Asia via State-Backed HazyBeacon Malware that Uses AWS Lambda was discovered and tracked by researchers Palo Alto Networks Unit 42 under the moniker CL-STA-1020.
Here “CL” stands for “cluster” and “STA” refers to “state-backed motivation, data collected include information about recent tariffs and trade disputes. The initial access vector used to deliver the malware is currently not known, although evidence shows the use of DLL side-loading techniques to deploy it on compromised hosts. Specifically, it involves planting a malicious version of a DLL called “mscorsvc.dll” along with the legitimate Windows executable, “mscorsvw.exe.”
Campaign executionflow
As per researchers backdoor leverages AWS Lambda URLs as command and control (C2) infrastructure. AWS Lambda URLs are a feature of AWS Lambda that allows users to invoke serverless functions directly over HTTPS.
This technique uses legitimate cloud functionality to hide in plain sight, creating a reliable, scalable and difficult-to-detect communication channel.
Figure 1 shows the high-level execution flow of this attack.
The malware is using a newly discovered Windows backdoor dubbed HazyBeacon.
Secondly, it exploits a legitimate feature of the AWS Lambda serverless compute service called Lambda URLs, to hide its malicious activities
AWS Lambda URLs are a part of AWS Lambda that allow users to invoke serverless functions directly over HTTPS.
In this attack, the HazyBeacon backdoor uses the service to establish C2 communications, allowing the actor to engage in covert intelligence gathering.
Researchers at Trellix, revealed the attacker tactic of using Lambda to obscure C2 activity in late June, noting that such obscurity “makes network-based detection nearly impossible without decryption or deep behavioral analysis,” according to their report.
During backdoor deployment, attackers also establish persistence on the compromised Windows endpoint by creating a Windows service named msdnetsvc, which ensures that the HazyBeacon DLL would be loaded even after rebooting the system.
Unit 42 included a list of indicators of compromise (IoCs) in the post to help identify a potential attack. Defenders can set their machine-learning models and analysis techniques to be triggered by those IoCs, as well as use behavioral threat protection to detect and block the execution of processes with malicious behavior in their cloud environments.
How the malware reaches out to serverless AWS Lambda endpoints
These URLs are hosted on cloud infrastructure that’s globally trusted
Traffic looks like regular HTTPS communication
Detection becomes near-impossible for traditional firewalls or EDRs
This use of cloud-native tools for C2 is a growing trend in advanced persistent threats (APTs).
South east Asia a focal point of target
The reason why Southeast Asia has increasingly becoming a focal point for cyber espionage mainly due various sensitive trade negotiations being done by countries, defense enhancement taken up by countries as a part of modernization and power alignment between U.S.–China.
Why threat actors chose this area via targeting government agencies as the data stolen carried various intelligence inputs that were based on foreign policy direction, infrastructure planning and various regulatory shifts that further influence the behavior of global markets.
HazyBeacon reflects a broader aspect and trend in cyber security related to advanced persistent threats using trusted platforms as covert channels.
This cloud-based malware cluster, similar techniques have been observed in threats using Google Workspace, Microsoft Teams, or Dropbox APIs to evade detection and facilitate persistent access.
Once the malware is on the system, it doesn’t want to leave. HazyBeacon registers itself as a Windows service, making sure it gets relaunched after every reboot.
Organizations who detect and mitigate this emerging threats also understand how attackers exploit cloud services for malicious purposes.
The misuse of AWS Lambda occurs when the malicious DLL, mscorsvc.dll, establishes a C2 channel through an AWS Lambda URL. AWS Lambda runs code in response to events without requiring server provisioning or management; the URLs feature, introduced in 2022, extends this functionality by providing customers with a way to configure dedicated HTTPS endpoints for Lambda functions.
Summary : Sophos has resolved several critical security vulnerabilities in its Firewall products, the most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.
OEM
Sophos
Severity
Critical
CVSS Score
9.8
CVEs
CVE-2025-6704, CVE-2025-7624
POC Available
No
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
To address the issue, the Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature
CVE-2025-6704
Sophos Firewall
Critical
SFOS 21.0 MR2 (21.0.2) and later
SQL injection vulnerability in legacy SMTP proxy
CVE-2025-7624
Sophos Firewall
Critical
SFOS 21.0 MR2 (21.0.2) and later
Technical Summary
The CVE-2025-6704 and CVE-2025-7624 are identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.
The CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.
SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability.
CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.
Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-6704
v21.5 GA and older
A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices.
Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature
CVE-2025-7624
v21.5 GA and older
An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices.
Remote code execution via SMTP proxy
In addition to the Critical Severity vulnerabilities, two other High and one medium severity issues were addressed.
CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8)
A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.
CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1)
A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution.
CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8)
A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code.
Remediation:
Users should immediately update Sophos Firewall to the latest patched version:
For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later.
For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later.
If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched.
Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.
Conclusion: In Sophos Firewalls that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.
Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected.
The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.
Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.
OEM
Nokia
Severity
Critical
CVSS Score
9.0
CVEs
CVE-2025-24936, CVE-2025-24938
POC Available
No
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview
These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Command Injection Vulnerability
CVE-2025-24936
Nokia WS-NOC
Critical
v24.6 FP3 & later
Command Injection Vulnerability
CVE-2025-24938
Nokia WS-NOC
High
v24.6 FP3 & later
Technical Summary
The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages.
The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025- 24936
WS-NOC 23.6, 23.12, 24.6
Unfiltered URL input enables command injection by low-privileged users.
Remote code execution
CVE-2025- 24938
WS-NOC 23.6, 23.12, 24.6
Insufficient input validation during account creation enables command injection.
Privilege escalation, Remote code execution
Remediation:
Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities.
Recommendations:
Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only.
Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application.
Conclusion:
CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption.
Major new legislation commits over $1billion to US cyber offensives. Defining Cyber-offensive operations will include exploiting flaws in software or hack devices or deploy spyware.
This also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gathers Intelligence as a part of these activates.
Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”
Along side recently the Trump regime announced that cyber offensive operation against Russia will be paused, highlighting that US govt now focuses mainly on China, moving away from eastern Europe.
It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.
The ongoing trade war with China is one of the main reason for Trump regime to shift focus from Russia , and in recent months security researchers have seen Chinese state hackers linked to People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing.
The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. Few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts was announced.
Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.
CISA maintained although the continued efforts to undermine and weaken cybersecurity teams capabilities, however counter-productive that may be in protecting US infrastructure.
Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.
The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.
However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.
“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.
How wise decision it is to cut cyber defense budget while increasing Cyber offensive spending?
The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.
Obviously there will be reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. The federal government has inadvertently provided adversaries with a map of its blind spots by scaling back critical cybersecurity programs.
This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.
At the same time The Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.
The Trump administration is well aware of the nation state attack and advance techniques cyber adversaries adopt to, a national threat to infrastructure security that cannot be compromised.
Every year there has been increase in cyber security budget if we take a look at from 2017 to 2024. The US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.
Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
OEM
Microsoft
Severity
Critical
CVSS Score
9.8
CVEs
CVE-2025-53770, CVE-2025-53771
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
SharePoint Server Remote Code
CVE-2025-53770
SharePoint Server (on-prem)
Critical
9.8
Execution Vulnerability
CVE-2025-53771
SharePoint Server (on-prem)
Medium
6.3
Technical Summary
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers.
ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild.
The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey which are used to sign the VIEWSTATE payloads.
With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-53770
SharePoint 2016, 2019
Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads
Remote Code Execution, full system compromise
CVE-2025-53771
SharePoint 2016, 2019
Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques
Persistent access without credentials
Remediation:To mitigate potential attacks customers should follow:
Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately:
Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint.
AMSI was turned on by default in Sept 2023 updates for 2016/2019.
Rotate Cryptographic Keys:
Use Update-SPMachineKey (PowerShell) or Central Admin.
Restart IIS using iisreset.exe after key rotation.
Deploy Endpoint Protection:
Use Microsoft Defender for Endpoint or equivalent XDR tools.
CISA Alert and Advisory Inclusion:
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure.
Indicators of Compromise (IOCs):
Type
Value (Obfuscated/Generalized)
Description
IP Address
107.191.58[.]76, 104.238.159[.]149
Observed in initial and second attack waves
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
User-Agent string seen in exploitation requests
URL Path
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Exploit entry point targeting ToolPane
Conclusion: The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.
The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity.
Zero trust isn’t just for security teams, but a strategy where organizations meet compliance standards, vendors behavior, govt policies. Overall zero trust is a shift in how an entire enterprise thinks how to access risk and more than a checklist.
The White House is developing a “Zero Trust 2.0” strategy to focus on targeted, high-impact cybersecurity initiatives and improve the efficiency of federal cyber investments.
Trump admin Officials aim to streamline compliance regimes and tailor software security requirements, especially differentiating critical from low-risk software.
The administration is also preparing new guidance on drone procurement and use, restricting purchases from certain foreign entities, and finalizing instructions for agencies to adopt post-quantum cryptography following recent NIST standards.
The zero-trust security architecture was introduced by Forrester Research in 2010. Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, said OMB is looking toward the next iteration of the federal zero trust strategy.
“We’re still coalescing around the exact strategy here, but it likely will be focused on specific initiatives we can undertake for the entire government,” Polk said a July 16 online meeting of the Information Security and Privacy Advisory Board.
AI & Zero Trust
AI tools help build a Zero Trust foundation for enterprises fixing different layers of security and focus on elevating security strategies . Now with the advent of AI-driven advancements, the path forward offers some intriguing prospects for AI and zero trust synergies.
AI and Zero Trust intersecting will unlock key opportunities for holistic cyber security maturity, further AI generates an informed narrative for granting or denying resource access. The security approach seamlessly aligns with a core tenet on principle of Zero Trust and least privilege.
Key Security Updates
NickPolk also explained some of the key changes in President Donald Trump’s June cybersecurity executive order. Trump maintained many Biden-era initiatives, but canceled a plan to require federal software vendors to submit “artifacts” that demonstrate the security of their product.
“That was really a key instance of compliance over security, requiring an excessive amount of different artifacts from each software vendor, changing requirements midstream, when software providers were already working on getting the security software development form and agencies were already working on collecting it,” Polk said, pointing to a continued requirement for agencies to collect secure software attestation forms from contractors.
How Zero trust help organizations security posture
Organizations who place Zero Trust architecture will have access control policies and definitely use micro segmentation . Required to minimize the damage from ransomware attack can cause.
Attackers not only find it more difficult to breach the system in the first place, they’re limited in their ability to expand made possible by Zero trust when put in place.
Ransomware attack, typically involves an initial infection, lateral movement and data exfiltration with or without encryption. Zero Trust implementation bring organization to address each step as it happens or before it happens. Ransomware will attack a business, consumer, or device e
According to Gartner, at least 70% of new remote access deployments will be served mainly by ZTNA instead of VPN services by 2025 — up from less than 10% at the end of 2021.
Zero trust is based on the principle of least-privilege access, meaning it has to be assumed that no user or application should be inherently trusted. Zero Trust Network Access (ZTNA) takes a completely different approach than VPNs to securing access for remote workers.
Implementing zero trust will connect users to network and no risk is involved with network. Users are connected directly to only the applications and data they need, preventing the lateral movement of malicious users with overly permissive access to sensitive data and resources.
Behavioral Analytics and Anomaly Detection with AI its much easier to detect and entity actions
Automating Threat Response and Remediation is faster with AI as, AI takes the lead in automating response measures by swift device isolation.
AI involves real time risk assessments and determines when to give access resource.
In few years from now many organization will attain the optimal posture for Zero Trust as AI and zero trust emerge as strong significant partner for a better security maturity and posture.
Summary : VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion and VMware Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025.
Overview These vulnerabilities, now tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, could allow attackers with local administrative privileges on a virtual machine to execute arbitrary code on the host system or leak sensitive memory content.
VMware has released critical patches for affected products, including ESXi 7/8, Workstation Pro 17.x, Fusion 13.x and VMware Tools.
Use of uninitialized memory in vSockets allows information disclosure to attackers with local VM admin rights.
Memory leak from host to guest
Remediation:
Users and administrators are strongly advised to immediately apply the following patches to mitigate the vulnerabilities:
VMware ESXi users must update to ESXi80U3f-24784735, ESXi80U2e-24789317 for 8.x and ESXi70U3w-24784741 for 7.x versions.
VMware Workstation Pro users should update to version 17.6.4 or later.
VMware Fusion users to version 13.6.4 or later.
For VMware Tools, apply the 13.0.1.0 or later, especially for Windows guests where the vSockets vulnerability (CVE-2025-41239) is relevant.
Conclusion:
These vulnerabilities pose a serious threat to virtualization security, especially in environments using VMware Workstation and Fusion. A successful exploit could enable attackers to escape the virtual machine and compromise the host system.
Administrators should prioritize patching to avoid exposure and reduce the risk of virtual infrastructure compromise. Regular audits of virtual networking components and least-privilege access controls within guest VMs are also recommended.
Google has issued a critical emergency update for the Chrome browser to address CVE-2025-6558, a zero-day vulnerability that is actively being exploited in the wild. This high-severity flaw exists in Chrome’s ANGLE and GPU components, which are responsible for rendering graphics in the browser.
Summary
OEM
Google
Severity
High
CVSS Score
8.8
CVEs
CVE-2025-6558
POC Available
No
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
Exploitation of this vulnerability could allow attackers to execute malicious code or gain unauthorized access to user systems. The update is being rolled out for Windows, macOS and Linux platforms.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Improper Input Validation in ANGLE/GPU Stack vulnerability
CVE-2025-6558 is a high-severity vulnerability caused by improper validation of untrusted input in Chrome’s ANGLE (Almost Native Graphics Layer Engine) and GPU components. These components translate graphics instructions and interact closely with the system’s native APIs.
The flaw was discovered by Google’s Threat Analysis Group (TAG) and is being actively exploited in real-world attacks. If left unpatched, it could enable attackers to compromise the browser rendering process and potentially execute arbitrary code on the user’s device.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-6558
Chrome on Windows, macOS, Linux
Untrusted input is incorrectly validated, allowing malicious manipulation of graphics rendering
Remote code execution through active exploitation
Additional Vulnerabilities Patched in This Update
In addition to the zero-day CVE-2025-6558, Google also addressed two other high-severity vulnerabilities as part of this update:
CVE-2025-7656 – An integer overflow vulnerability in Chrome’s V8 JavaScript engine, which could be exploited to corrupt memory and potentially achieve remote code execution. This flaw was reported by security researcher Shaheen Fazim.
CVE-2025-7657 – A use-after-free vulnerability in the WebRTC (Web Real-Time Communication) component. Improper memory handling in real-time communication features could allow attackers to crash the browser or execute arbitrary code remotely. This issue was reported by researcher jakebiles.
Remediation:
Users should immediately update Google Chrome to the latest patched version:
Windows & Mac: 138.0.7204.157/.158
Linux: 138.0.7204.157
Conclusion: CVE-2025-6558 highlights the growing complexity of securing browser components such as ANGLE and GPU. With confirmed active exploitation, users and administrators must prioritize this update to prevent potential remote code execution attacks.
Timely patching remains one of the most effective defenses against modern browser-based threats.
