Microsoft Patched Critical Azure Bastion Elevation of Privilege Vulnerability
Azure Bastion Elevation of Privilege Vulnerability CVE-2025-49752
Continue ReadingSecurity Advisory
SonicWall SSLVPN Vulnerability Allows Remote Attackers to Crash Firewalls
Summary : A security flaw was discovered in SonicWall’s SonicOS SSLVPN component, affecting both hardware and virtual firewall appliances across Gen7 and Gen8 product lines.
| OEM | SonicWall |
| Severity | High |
| CVSS Score | 7.5 |
| CVEs | CVE-2025-40601 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The SonicWall vulnerability allows remote attackers, without any authentication, to crash into affected firewalls by sending specially crafted traffic to the SSLVPN service. There are no public exploitation in the wild but it is strongly advised customers to apply the available patches immediately to minimize risk.
In simple terms, the component fails to validate the size or structure of certain data before copying it to a stack‐allocated buffer. Under malicious input, the overflow can overwrite the stack, leading the firewall device to crash.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stack-based buffer overflow in SonicOS SSLVPN service | CVE-2025-40601 | SonicWall SonicOS Firewalls (Gen7 and Gen8 Hardware and Virtual) | High | 7.3.1-7013 (Gen7), 8.0.3-8011 (Gen8) and latest one |
Technical Summary
The vulnerability occurs due to a stack-based buffer overflow affecting the SSLVPN service of SonicOS. Devices with the SSLVPN interface enabled are vulnerable.
This flaw permits remote unauthenticated attackers to trigger a denial-of-service condition, leading to a full firewall crash and service outage.
The problem impacts a wide range of SonicWall firewall models including Gen7 (TZ270, NSa 2700 series etc) and Gen8 (TZ280, NSa 2800 series etc). Administrators are urged to upgrade to the latest versions and restrict SSLVPN access to trusted IPs or disable external-facing SSLVPN portals until remediation is complete.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-40601 | SonicWall SonicOS SSLVPN service | Stack-based buffer overflow allows remote unauthenticated attackers to send crafted requests causing a denial-of-service crash of the firewall. Only devices with SSLVPN enabled are vulnerable. | Remote denial-of-service |
Recommendations
Update SonicWall immediately to the following fixed versions:
- Gen7 Hardware Firewalls: 7.3.1-7013 and higher versions
- Gen7 Virtual Firewalls : 7.3.1-7013 and higher versions
- Gen8 Firewalls: 8.0.3-8011 and higher.
You can follow some below workaround here
- Temporarily disable the SSLVPN service if possible or restrict SSLVPN access only to trusted source IP addresses.
- Avoid exposing the SSLVPN service to untrusted internet sources until patched.
- Continuously monitor firewall and network logs for unusual SSLVPN activity or connection attempts that might indicate probing or exploitation attempts.
Conclusion:
There has no evidence of active exploitation for this vulnerability, but the issue makes unpatched firewalls highly attractive targets for threat actors capable of causing major network outages.
Organizations relying on SonicWall should prioritize applying the latest patches and review their SSLVPN exposure as part of broader incident prevention. For those unable to patch immediately, restricting or disabling external SSLVPN access is strongly recommended until fixes can be deployed.
References:
Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild
Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-13223, CVE-2025-13224 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13223 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13224 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
Technical Summary
Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.
Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.
These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13223 | Google Chrome (V8 Engine) | Type confusion due to improper type handling in V8 allowing memory corruption. | Remote Code Execution, Sandbox Escape |
| CVE-2025-13224 | Google Chrome (V8 Engine) | Type confusion triggered during script execution, discovered via fuzzing | Remote Code Execution, Browser Crash |
Remediation:
- Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions:
- Windows: 142.0.7444.175 / 142.0.7444.176
- MacOS: 142.0.7444.176
- Linux: 142.0.7444.175
Here are some recommendations below
- Enforce Chrome auto-updates on all endpoints via enterprise policies.
- Monitor browser crash logs and unusual behaviors tied to JavaScript execution.
- Run updated vulnerability & patch management tools to ensure full endpoint compliance.
- Educate users to avoid suspicious links and unknown websites during active exploitation events
Conclusion:
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world.
References:
Zoho Analytics On-Premise Critical SQL Injection Vulnerability Allows Attackers to Takeover Data
Zoho Analytics on-premise installations were recently found to have a SQL Injection vulnerability- CVE-2025-8324 that exposes enterprise environments to risk. The flaw is prevalent in all Zohocorp ManageEngine products, built prior to the most recent patch and enables attackers to exploit weaknesses in the application’s input validation logic.
The flaw enables attackers to execute queries without authentication mainly arbitrary SQL injection, without prior authentication, leading to unauthorized data exposure and account takeovers.
| OEM | Zoho |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-8324 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview Malicious actors can launch attacks remotely and takeover user accounts, sensitive analytics data and any connected business intelligence workflows. Administrators are urged to update to the latest version to mitigate this risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated SQL Injection | CVE-2025-8324 | Zoho Analytics On-Premise | Critical | 6171 and later |
Technical Summary
At the root of this flaw is improper input validation for user-supplied parameters within specific URLs of the Zoho Analytics Plus backend.
This allows arbitrary SQL queries to be executed by anyone with network access to the service, even if they have no login credentials. Zoho has enforced input checks and removing vulnerable backend components altogether.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-8324 | Zoho Analytics Plus On-Premise | An unauthenticated SQL injection vulnerability caused by improper input validation allowing attackers to inject arbitrary SQL queries remotely without authentication. | Account takeover, user data leak |
Recommendations
- Organizations must update Zoho Analytics Plus On-Premises immediately to the Build 6171 version or later.
Here are some recommendations you can follow
- Enforce patch deployment across all managed analytics instances to ensure consistency and security.
- Continuously monitor logs for unusual SQL query activities or access attempts that could indicate exploitation attempts.
Conclusion:
The Zoho Analytics On-Premise deployments, could enable full data and account compromise through unauthenticated SQL injection. CVE-2025-8324 represents a critical security risk, classified at the highest severity level due to its potential impact and ease of exploitation.
Although no active exploitation has been detected to date, the severity of the flaw demands immediate attention. Immediate patching is essential to secure environments and prevent any chance of data compromise or unauthorized access.
References:
Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms
Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.
The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.
| OEM | Mozilla |
| Severity | High |
| Date of Announcement | 2025-11-11 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Graphics Race Condition Enabling Remote Code Execution | CVE-2025-13012 | Firefox | High |
| WebAssembly Boundary Error RCE | CVE-2025-13016 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13021 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13022 | Firefox | High |
| WebGPU Sandbox Escape via Boundary Flaw | CVE-2025-13023 | Firefox | High |
| JavaScript Engine JIT Miscompilation RCE | CVE-2025-13024 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13025 | Firefox | High |
| WebGPU Sandbox Escape and Code Execution | CVE-2025-13026 | Firefox | High |
| Memory Safety Bugs Allowing Arbitrary Code Execution | CVE-2025-13027 | Firefox, Thunderbird | High |
Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.
The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity.
Technical Summary
Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.
Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.
Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13012 | Graphics Subsystem | Race condition vulnerability leads to system crash or remote execution. | Remote Code Execution |
| CVE-2025-13016 | JavaScript: WebAssembly | Incorrect memory boundary validation allows code execution through crafted scripts. | Remote Code Execution |
| CVE-2025-13021 | Graphics: WebGPU | Boundary condition errors may cause memory corruption and remote code execution. | Remote Code Execution |
| CVE-2025-13022 | Graphics: WebGPU | Boundary error in WebGPU rendering pipeline allowing memory corruption | Remote Code Execution |
| CVE-2025-13023 | Graphics: WebGPU | Sandbox escape via boundary flaw enabling code execution outside browser process. | Sandbox Escape, RCE |
| CVE-2025-13024 | JavaScript Engine: JIT | JIT miscompilation allows stealthy remote code execution within browser context. | Remote Code Execution |
| CVE-2025-13025 | Graphics: WebGPU | Improper memory boundary control in WebGPU leads to RCE. | Remote Code Execution |
| CVE-2025-13026 | Graphics: WebGPU | Sandbox escape enabling remote code execution beyond browser sandbox. | Sandbox Escape, RCE |
| CVE-2025-13027 | Firefox / Thunderbird | Memory safety errors across multiple components allow arbitrary code execution. | Remote Code Execution |
Source: Microsoft, Cybersecurity News
In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems –
- CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium)
- CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium)
- CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium)
- CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium)
- CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium)
- CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)
- CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low)
Recommendations:
- Update all Firefox to version 145 immediately to mitigate the vulnerabilities.
Here are some recommendations below
- Enable automatic browser updates across all systems.
- Perform vulnerability scans to ensure no outdated browser versions remain.
- Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential.
- Educate employees about risks from phishing, drive-by downloads and malicious extensions.
Conclusion:
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.
Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws.
Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.
References:
Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now
Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-11-11 |
| No. of Patches | 63 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview : Key Updates on Patch Tuesday
The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe.
This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 63 Microsoft CVEs addressed
- 5 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 29 Elevation of Privilege (EoP)
- 16 Remote Code Execution (RCE)
- 11 Information Disclosure
- 3 Denial of Service (DoS)
- 2 Security Feature Bypass
- 2 Spoofing
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) | CVE-2025-62215 | Windows 10, 11, Server 2016–2022 | Critical | 9.0 |
| Microsoft Office Use-After-Free Remote Code Execution Vulnerability | CVE-2025- 62199 | Microsoft Office (Word/Excel/Office Suite) | Critical | 9.8 |
| Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability | CVE-2025-30398 | Nuance PowerScribe 360 | Critical | 9.1 |
| Windows DirectX Graphics Kernel Use-After-Free Vulnerability | CVE-2025-60716 | Windows DirectX Graphics Kernel | Critical | 8.8 |
| Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability | CVE-2025-60724 | Microsoft Graphics Component (GDI+) | Critical | 8.7 |
| Visual Studio Command Injection Remote Code Execution Vulnerability | CVE-2025-62214 | Microsoft Visual Studio / Visual Studio Code | Critical | 8.1 |
Technical Summary
The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.
Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62215 | Windows Kernel | Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) | Elevation of Privilege |
| CVE-2025-62199 | Microsoft Office | Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns | Remote Code Execution |
| CVE-2025-30398 | Nuance PowerScribe 360 | Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network | Information Disclosure |
| CVE-2025-60716 | Windows DirectX Graphics Kernel | Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system | Elevation of Privilege |
| CVE-2025-60724 | Microsoft GDI+ | Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files | Remote Code Execution |
| CVE-2025-62214 | Visual Studio | Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments | Remote Code Execution |
Source: Microsoft
In addition to several other Important severity vulnerabilities were addressed below –
- CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation.
- CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation.
- CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access.
- CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution.
- CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE.
- CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE.
- CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability.
- CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs.
- CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing.
- CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities.
Source: Microsoft, bleepingcompute, cybersecuritynews
Key Affected Products and Services
The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
- Windows Core Components
Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems.
- Microsoft Office Suite
Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities.
- Azure & Cloud Services
Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors.
- Graphics Components
Patches for GDI+, DirectX, WSL GUI.
- Developer Tools
Updates for Visual Studio, Visual Studio Code, and GitHub Copilot.
- Third-Party Applications
Patches for Nuance PowerScribe (Medical domain).
- Mobile Platform Technologies
Updates for Microsoft OneDrive for Android.
Remediation:
- Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems.
Here are some recommendations below
- Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes.
- Ensure Windows 10 ESU enrollment for extended support systems.
- Restrict local admin privileges and enforce least-privilege access.
- Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity.
- Segment critical systems and disable unused network services (RRAS, SMB).
Conclusion:
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio.
Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world.
References:
Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability
Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.
| OEM | Gladinet |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12480 |
| POC Available | YES |
| Actively Exploited | YES |
| Exploited in Wild | YES |
| Advisory Version | 1.0 |
Overview
Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain | CVE-2025-12480 | Triofox | Critical | v16.7.10368.56560 or later |
Technical Summary
The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access.
Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 12480 | Triofox < 16.7.10368.56560 | Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM | Authentication Bypass, Admin Account Creation, Remote Code Execution, Full System Compromise, Persistent Access, Data Exfiltration, Lateral Movement |
Indicators of Compromise (IOCs)
Host-Based Artifacts
| Artifact | Description | SHA-256 Hash |
| C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe | Installer containing Zoho UEMS Agent | 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f |
| C:\Windows\temp\sihosts.exe | Plink | 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 |
| C:\Windows\temp\silcon.exe | PuTTy | 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad |
| C:\Windows\temp\file.exe | AnyDesk | ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f |
| C:\triofox\centre_report.bat | Attacker batch script filename | N/A |
Network-Based Artifacts
| IP Address | ASN | Description |
| 85.239.63[.]37 | AS62240 – Clouvider Limited | IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance |
| 65.109.204[.]197 | AS24950 – Hetzner Online GmbH | After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities |
| 84.200.80[.]252 | AS214036 – Ultahost, Inc. | IP address hosting the installer for the Zoho UEMSAgent remote access tool |
| 216.107.136[.]46 | AS396356 – LATITUDE-SH | Plink C2 |
Source: cloud.google.com
Recommendations:
Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal.
Conclusion:
This vulnerability represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.
Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools.
References:
Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0
Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.
| OEM | Amazon |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12779 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.
Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.
The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper Authentication Token Handling in Amazon WorkSpaces Client | CVE-2025-12779 | Amazon WorkSpaces client for Linux | High | 2025.0 |
Technical Summary
The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.
The update improves session isolation and secures token handling, protecting against lateral token theft.
Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-12779 | Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) | Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. | Unauthorized access to another user’s workspace |
Recommendations
- Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later.
Conclusion:
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.
Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions.
References:
Chrome Latest Update Fixes Multiple High-Severity Security Flaws
Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems exposing users to possible unauthorized access or data leaks.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-Bounds Write in WebGPU | CVE-2025-12725 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Implementation in Views (UI Rendering) | CVE-2025-12726 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Memory Handling in V8 JavaScript Engine | CVE-2025-12727 | Chrome | High | 142.0.7444.134/135 |
| Inappropriate Implementation in Omnibox (Unified Search Bar) | CVE-2025-12728 | Chrome | Medium | 142.0.7444.134/135 |
| Inappropriate Implementation in Omnibox (Unified Search Bar) | CVE-2025-12729 | Chrome | Medium | 142.0.7444.134/135 |
Technical Summary
The bugs included memory corruption issues such as out-of-bound writings and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).
The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.
Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-12725 | Google Chrome (WebGPU) | Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits. | Remote Code Execution / Browser Crash |
| CVE-2025-12726 | Google Chrome (Views UI) | Inappropriate implementation in the Views component causing memory corruption. | UI rendering |
| CVE-2025-12727 | Google Chrome (V8 Engine) | Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. | Remote Code Execution |
| CVE-2025-12728 | Google Chrome (Omnibox) | Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. | UI Spoofing |
| CVE-2025-12729 | Google Chrome (Omnibox) | Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. | UI Spoofing / Security Bypass |
Recommendations
Update Chrome immediately to the following versions:
- For windows 142.0.7444.134/.135
- For MacOS 142.0.7444.135
- For Linux 142.0.7444.134
You can update by Open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately.
Along with update you can follow the recommendations below as well
- Enforce Chrome auto-updates across managed endpoints using enterprise policy controls.
- Actively monitor browser crash reports or any suspicious logs potentially linked to exploit attempts.
- Use vulnerability & patch management tools to ensure all endpoints are running the latest version of all applications.
Conclusion:
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk and google already patched those issues. Keeping any application to the latest version which is the best defense against cyber threats aiming at browsers.
References:
Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities
Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.
| OEM | Apple |
| Severity | High |
| CVEs | CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes.
| Vulnerability Name | CVE ID | Product Affected | Fixed Version |
| WebKit Use-After-Free (Safari Crash/RCE) | CVE-2025-43438 | iOS, iPadOS | iOS/iPadOS 26.1 |
| WebKit Buffer Overflow (RCE Risk) | CVE-2025-43429 | iOS, iPadOS | iOS/iPadOS 26.1 |
| App Installed Detection via Accessibility | CVE-2025-43442 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Sensitive Screenshot in Embedded Views | CVE-2025-43455 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Kernel Memory Corruption / DoS | CVE-2025-43398 | iOS, iPadOS | iOS/iPadOS 26.1 |
Technical Summary:
The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-43438 | WebKit | Use-after-free in Safari triggers crash or code execution via malicious web content | Remote Code Execution, System Compromise |
| CVE-2025-43429 | WebKit | Buffer overflow in content processing allows arbitrary code execution | Remote Code Execution, Service Compromise |
| CVE-2025-43442 | Accessibility | Permissions flaw allows apps to detect installed apps (fingerprinting) | Privacy Violation, User Tracking |
| CVE-2025-43455 | Apple Account | Malicious apps can screenshot sensitive embedded UI (login views) | Credential, PII Exposure |
| CVE-2025-43398 | Kernel | Memory mishandling leads to system termination or kernel corruption | Denial of Service, Potential Privilege Escalation |
Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table
| Vulnerability Name | CVE ID | Affected Component |
| Sandbox Escape via Assets | CVE-2025-43407 | Assets |
| Sandbox Escape via CloudKit Symlink | CVE-2025-43448 | CloudKit |
| Stolen Device Protection Bypass | CVE-2025-43422 | Stolen Device Protection |
| Cross-Origin Data Exfiltration | CVE-2025-43480 | WebKit |
| Keystroke Monitoring via WebKit | CVE-2025-43495 | WebKit |
| Apple Neural Engine Kernel Corruption | CVE-2025-43447, CVE-2025-43462 | Apple Neural Engine |
| Canvas Cross-Origin Image Theft | CVE-2025-43392 | WebKit Canvas |
| Contacts Data Leak in Logs | CVE-2025-43426 | Contacts |
| Lock Screen Content Leak | CVE-2025-43350 | Control Center |
| Address Bar Spoofing | CVE-2025-43493 | Safari |
| UI Spoofing in Safari | CVE-2025-43503 | Safari |
Recommendations:
Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website.
Patches are available and should be applied immediately.
For environments where immediate patching is not immediately feasible, you can also follow the recommendations below.
- Enable Stolen Device Protection and Lockdown Mode (where applicable)
- Restrict app installations to trusted sources.
- Avoid visiting untrusted websites from browser
- Use VPN and enable Advanced Data Protection for iCloud
- Monitor for anomalous app behavior or battery drain
Conclusion:
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.
Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems.
References:
Recent Comments