Overview : Brash Vulnerability works on Google Chrome and all web browsers that run on Chromium.
A newly disclosed vulnerability, Brash, exposed a critical architectural flaw in Chromium’s Blink rendering engine. Blink is Chromium’s open-source rendering engine responsible for parsing HTML, CSS, and JavaScript, building the DOM and render trees, and executing script-driven updates to the browser interface.
It underpins the user experience of all Chromium-based browsers and is a core component of their performance and stability.
The issue allows a malicious web page to crash Chromium-based browsers within seconds, including Chrome, Microsoft Edge, Brave, Opera etc. The attack works by overloading Blink’s main UI thread using a flood of unthrottled DOM operations. A public proof-of-concept (PoC) exploit is available and can be tested on machines, that escalating the urgency for patching across all Chromium-based platforms.
Technical Details
Blink lacks any rate limiting or coalescing on rapid document. title updates, allowing an attacker to flood the browser with millions of DOM mutations per second.
This saturates the browser’s main UI thread, causing extreme CPU usage and blocking event processing, which leads to the browser tab freezing or crashing within 15 to 60 seconds. The exploit can also be use to trigger after a delay or at a precise scheduled time, turning it into a highly controllable logic bomb.
The exploit requires no special permissions beyond navigating to a malicious page, presenting a severe and immediate operational risk until patches are deployed.
Attack Flow
Recommendations
You can follow the recommendations below
Avoid clicking on suspicious or untrusted links, especially those prompting unexpected redirects or downloads.
Keep all Chromium-based browsers (Chrome, Edge, Brave etc.) updated with the latest security patches as vendors release fixes.
Enforce automatic browser updates within organizations to ensure all users receive critical patches promptly.
Monitor computer endpoints for unusual CPU spikes related to browser processes, which can indicate ongoing exploitation attempts.
Educate users and employees about the risk of drive-by attacks through malicious websites and the importance of security awareness.
Conclusion: The Brash vulnerability reveals how a simple architectural oversight. It lets attackers crash browsers by flooding them with too many title updates too fast, causing the browser to freeze or crash. This attack can be scheduled to happen later, making it harder to detect.
Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.
The best defense is to keep browsers updated, avoid suspicious links and stay alert for unusual computer slowdowns.
Docker Compose Path Traversal VulnerabilityEnables Arbitrary File Write and System Compromise
Summary:
OEM
Docker
Severity
High
CVSS Score
8.9
CVEs
CVE-2025-62725
Date of Announcement
2025-10-28
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview
A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.
This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.
This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Path Traversal in OCI Artifacts Allowing Arbitrary File Write
CVE-2025-62725
Docker Compose CLI
High
8.9
Technical Summary
Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.
The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.
Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-62725
Docker Compose (Linux, Windows, macOS)
Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory.
Arbitrary file write, potential system compromise, privilege escalation.
Remediation
Apply security patches immediately to mitigate risks from privilege escalation and container escape.
Update Docker-compose to v2.40.2 or the latest one.
Conclusion
Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.
Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat.
Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.
OEM
Oracle
Severity
Critical
CVSS Score
9.6
CVEs
CVE-2025-55754, CVE-2025-55752
POC Available
No
Actively Exploited
No
Advisory Version
1.0
Overview One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.
Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks.
Vulnerability Name
CVE ID
Product Affected
Severity
Affected Version
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability
CVE-2025-55754
Apache Tomcat
Critical
11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.40 through 9.0.108.
Path Traversal Vulnerability
CVE-2025-55752
Apache Tomcat
High
11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108.
Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.
These weaknesses increase the risk of unauthorized code execution and compromise of application environments.
CVE ID
Component Affected
Vulnerability Details
Impact
CVE-2025-55752
URL Rewrite Handler (Apache Tomcat Core)
A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code.
Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled.
CVE-2025-55754
Logging/Console Output
Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering.
Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks.
Recommendations
Update Apache Tomcat to the following versions immediately:
For 11.x version updated to v11.0.11 or latest
For 10.x version updated to v10.1.45 or latest
For 9.x version updated to v9.0.109 or latest
If you not updating immediately you can follow some recommendations below
Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads.
Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories.
Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts.
Conclusion: The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.
Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity.
The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.
By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception.
Technical Details
The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.
Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.
While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.
Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure.
Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant.
2. Backdoor Authentication Workflow
The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication.
3. Share Demo Link
Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks.
4. Victim and Trigger Consent
Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions.
5. Token Exfiltration
After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs.
6. Abuse Granted Permissions
Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data.
7. Persist and Retarget
Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures.
Source: securitylabs.datadoghq.com
Why It’s Effective
Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion.
Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked.
Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile.
Recommendations
Here are some recommendations below
Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes.
Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins.
Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows.
Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services.
Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling
Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens.
Conclusion: CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.
Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services.
Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library.
Severity
High
CVSS Score
7.8
CVEs
CVE-2025-62518
POC Available
Yes, public PoC and patches available (edera-dev GitHub)
Actively Exploited
Not confirmed widespread exploitation public PoC raises opportunistic risks
Exploited in Wild
No confirmed mass exploitation at time of writing
Advisory Version
1.0
Overview
Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Tar path traversal / symlink bypass (async-tar RCE vector)
CVE-2025-62518
GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools
High
Patches released by maintainers; reference fixes in Edera patch repository and vendor advisories
Technical Summary
Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.
A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).
Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-62518
Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them.
Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available).
Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts.
Remediation:
Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable).
Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems.
Use least privilege for extraction processes — avoid root / Administrator contexts.
Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses.
Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement).
Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries.
Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits.
SIEM / EDR indicators:
File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes.
Creation of symlinks or reparse-points by tar-related processes.
Processes invoking tar or Python extraction libraries writing outside expected extraction directories.
Conclusion: Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.
This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise.
At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.
This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries.
The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.
Vulnerability Details
The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.
The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation.
Key characteristics:
The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows:
Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.
Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.
Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.
Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.
Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.
Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks.
Attack Flow
Step
Description
1. Craft Malicious Input
Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw.
2. Deliver Payload
The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards.
3. Bypass Security Measures
The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system.
4. Gain Persistent Control
Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly.
5. Exploit Device Capabilities
Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly.
6. Maintain Stealth & Avoid Detection
The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications.
7. Exploit and Monetize
The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized.
Proof-of-Concept
The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.
The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.
This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.
Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes.
Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling.
Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms.
Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user.
Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections.
High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access.
Remediation:
Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043.
Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly.
Enable automatic security updates on Samsung devices for timely future patching without delay.
For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints.
Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise.
Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing.
Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise.
Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching.
This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits.
Conclusion:
This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.
In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks.
Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration
A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.
This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.
Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.
Vulnerability Details
The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.
Attackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations.
Access
The ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation.
Extract
The encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”).
Decrypt
The DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz.
Exploit
Decrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API
Why It’s Effective
Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.
Recommendations:
Monitor Processes– Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation
Conclusion: This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.
Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.
OEM
WatchGuard
Severity
Critical
CVSS Score
9.3
CVEs
CVE-2025-9242
POC Available
No
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview
The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
Out-of-Bounds Write Vulnerability in IKEv2 Process
Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.
Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.
This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025- 9242
WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1
Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution
Arbitrary Code Execution, System Compromise, Data Exfiltration, Ransomware Deployment, Pivoting to Internal Networks
Recommendations:
You can update to the latest versions from the below table
Vulnerable Version
Resolved Version
2025.1
2025.1.1
12.x
12.11.4
12.5.x (T15 & T35 models)
12.5.13
12.3.1 (FIPS-certified release)
12.3.1_Update3 (B722811)
11.x
End of Life
Here are some recommendations below –
Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only.
Monitor logs for anomalous traffic.
Implement network segmentation to limit lateral movement and regularly audit VPN setups.
Conclusion: This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.
Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security.
Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.
The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation.
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
OS Command Injection Vulnerability
CVE-2025-6542
TP-Link Omada Gateways
Critical
9.3
Command Injection Vulnerability
CVE-2025-7850
TP-Link Omada Gateways
Critical
9.3
Technical Summary:
TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack.
Command injection exploitable after admin authentication on the web portal
System Compromise, Root-Level Control
Additional Vulnerabilities:
The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways –
Vulnerability Name
CVE ID
Affected Component
Severity
Authenticated Arbitrary OS Command Execution in Omada Gateways
CVE-2025-6541
TP-Link Omada Gateways
High
Root Shell Access Under Restricted Conditions in Omada Gateways
CVE-2025-7851
TP-Link Omada Gateways
High
Remediation:
Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models.
Model
Affected Versions
Fixed Version
ER8411
< 1.3.3 Build 20251013 Rel.44647
>= 1.3.3 Build 20251013 Rel.44647
ER7412-M2
< 1.1.0 Build 20251015 Rel.63594
>= 1.1.0 Build 20251015 Rel.63594
ER707-M2
< 1.3.1 Build 20251009 Rel.67687
>= 1.3.1 Build 20251009 Rel.67687
ER7206
< 2.2.2 Build 20250724 Rel.11109
>= 2.2.2 Build 20250724 Rel.11109
ER605
< 2.3.1 Build 20251015 Rel.78291
>= 2.3.1 Build 20251015 Rel.78291
ER706W
< 1.2.1 Build 20250821 Rel.80909
>= 1.2.1 Build 20250821 Rel.80909
ER706W-4G
< 1.2.1 Build 20250821 Rel.82492
>= 1.2.1 Build 20250821 Rel.82492
ER7212PC
< 2.1.3 Build 20251016 Rel.82571
>= 2.1.3 Build 20251016 Rel.82571
G36
< 1.1.4 Build 20251015 Rel.84206
>= 1.1.4 Build 20251015 Rel.84206
G611
< 1.2.2 Build 20251017 Rel.45512
>= 1.2.2 Build 20251017 Rel.45512
FR365
< 1.1.10 Build 20250626 Rel.81746
>= 1.1.10 Build 20250626 Rel.81746
FR205
< 1.0.3 Build 20251016 Rel.61376
>= 1.0.3 Build 20251016 Rel.61376
FR307-M2
< 1.2.5 Build 20251015 Rel.76743
>= 1.2.5 Build 20251015 Rel.76743
Here are some recommendations below
Restrict network access to the management interface and enable trusted networks only.
Apply least privilege principles and regular security audits for network devices.
Disable remote management if not required and segment networks to limit lateral movement.
Conclusion:
There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure.
Overview:LinkPro rootkit targets GNU/Linux systems:LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The sophisticated Linux rootkit linkpro was uncovered by Synacktiv CSIRT during an investigation of a compromised AWS infrastructure and evade detection in Linux Systems.
This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. This rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging in Linux as it operates at a low level within the Linux kernel.
Leveraging extended Berkeley Packet Filter (eBPF) technology, where linkpro backdoor evades detection by hiding its processes and network activity, activating remotely via a “magic packet.”
Source: www.synacktiv.com
Issues Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of ebpf for advanced persistent threats (apts) in cloud environments.
The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.
It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.
If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly.
LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems.
Attack Flow
IOCs
IOC Type
Indicator
Description
Network
/api/client/file/download?Path=…
URL used to download tools/payloads onto the compromised host.
Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access.
Restrict public exposure of CI/CD tools and enforce strict network segmentation.
Monitor for suspicious Docker container deployments and unexpected host filesystem mounts.
Watch for unusual or unauthorized eBPF program activity using kernel auditing tools.
Regularly update Linux kernels and apply available security patches.
Conclusion: The LinkPro rootkit is anadvanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.
It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.
To protect against it, companies should focus on timely patching and monitoring suspicious activities.
Recent Comments