Critical Vulnerability in cPanel & WHM; Patch Now
Critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers
Continue ReadingApplication security
Enterprise Security at Risk as Critical Flaw Found in OpenAI’s Codex
Codex Enabled GitHub Token Theft
Continue Reading
CVE-2026-33409-Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session
Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session
Continue Reading
Python Regression & Email Header- Ubuntu Security Updates Patch Now
Summary: USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them.
| OEM | Python |
| Severity | Medium |
| CVSS Score | 6.5 |
| CVEs | CVE-2026-0865, CVE-2025-15366, CVE-2025-15367 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Python is a widely used high-level programming language that powers many enterprise applications, automation frameworks, DevOps pipelines, web platforms and email-processing services. Many Linux distributions – Ubuntu provide Python runtime packages as core system components.
Ubuntu released USN-8018-2 to address regressions introduced in the previous security update USN-8018-1. The earlier update attempted to fix vulnerabilities related to email header parsing and input validation but unintentionally introduced compatibility issues affecting IMAP, POP3, and WSGI header processing.
The new advisory prioritizes the fix for CVE-2026-0865, while also addressing issues related to CVE-2025-15366 and CVE-2025-15367.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| WSGI Header Parsing Regression Vulnerability | CVE-2026-0865 | Python | Medium | 6.5 | Updated Python packages |
| Email Header Injection Vulnerability | CVE-2025-15366 | Python | Medium | 5.9 | Updated Python packages |
| Improper Email Header Parsing Vulnerability | CVE-2025-15367 | Python | Medium | 5.9 | Updated Python packages |
Technical Summary
These vulnerabilities affect multiple Python versions distributed within Ubuntu systems.
The original security update introduced patches intended to address email header parsing vulnerabilities. However, those fixes resulted in unintended behavioural regressions.
The CVE-2026-0865 patch incorrectly rejected horizontal tab characters in WSGI headers, potentially causing web applications relying on Python frameworks to malfunction.
Additionally, patches for CVE-2025-15366 and CVE-2025-15367 affected IMAP and POP3 email processing behavior, which allow upstream developers to avoid backporting those changes due to compatibility concerns.
Ubuntu released updated packages to resolve these regressions while maintaining protection against the underlying vulnerabilities.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2026-0865 | Python (multiple Ubuntu packages) | Incorrect rejection of horizontal tabs in WSGI headers after patch | Web application compatibility issues |
| CVE-2025-15366 | Python email parsing library | Improper parsing allowing email header injection | Email spoofing or message manipulation |
| CVE-2025-15367 | Python email processing modules | Improper validation of message headers | Header manipulation in email processing |
Affected Packages
The following Python packages are affected –
python3.4 python3.5 python3.6 python3.7 python3.8
python3.10 python3.12 python3.13 python3.14
Remediation:
Apply the latest Ubuntu security updates immediately-
Fixed Package Versions
| Ubuntu Release | Fixed Package Version |
| Ubuntu 25.10 | python3.13 – 3.13.7-1ubuntu0.4 / python3.14 – 3.14.0-1ubuntu0.3 |
| Ubuntu 24.04 LTS | python3.12 – 3.12.3-1ubuntu0.12 |
| Ubuntu 22.04 LTS | python3.10 – 3.10.12-1 22.04.15 |
| Ubuntu 20.04 LTS | python3.8 – 3.8.10-0ubuntu1 20.04.18 |
| Ubuntu 18.04 LTS | Updated ESM packages |
| Ubuntu 16.04 LTS | Updated ESM packages |
| Ubuntu 14.04 LTS | Updated ESM packages |
If immediate patching is not possible, apply the following temporary mitigations-
- Restrict access to email-processing services where Python handles inbound messages.
- Validate and sanitize email headers within application logic.
- Monitor logs for abnormal IMAP/POP3 parsing errors.
- Test Python-based web applications to detect WSGI header parsing issues.
You can follow the recommendations below as a best practice-
- Maintain regular patch management for system packages.
- Monitor Python runtime libraries for security advisories.
- Implement secure email validation mechanisms within applications.
- Use application security testing tools to detect input-validation weaknesses.
- Monitor logs for abnormal email header patterns or parsing failures.
Conclusion:
The vulnerabilities addressed in USN-8018-2 highlight the risks associated with improper email header parsing and regression issues in widely used programming libraries such as Python. The primary concern, CVE-2026-0865, affects WSGI header handling and could disrupt web applications, while CVE-2025-15366 and CVE-2025-15367 relate to email header parsing weaknesses.
Organizations using Python-based applications or email processing services should prioritize updating affected Ubuntu packages to ensure both security and application stability.
References:
Adversarial Prompt Engineering can bypass Robust Safety Mechanisms; GPT-5 Jailbreak reveal’s the bypass Security strategy
OpenAI’s Advance AI system revealed Critical Vulnerabilities as attack vectors like storytelling and echo chamber module being used by GPT-5.
The breakthrough demonstrates how adversarial prompt engineering can bypass even the most robust safety mechanisms, This raised serious concerns about enterprise deployment readiness and the effectiveness of current AI alignment strategies discovered in august.
What is to Jailbreak in GPT-5
GPT-5 Jailbroken, in two parts by researchers who bypassed safety protocol using echo chamber and storytelling attacks.
As Storytelling attacks are highly effective and traditional methods. This kind of attacks requires additional security before deployment.
When researchers of NeuralTrust reported, the echo chamber attack leverages GPT-5’s enhanced reasoning capabilities against itself by creating recursive validation loops that gradually remove all safety protocols.
So the researchers’ employed a technique called contextual anchoring, where malicious prompts are embedded within seemingly legitimate conversation threads that establish false consensus.
The interesting part is the latest attack aimed at GPT-5, researchers found that it’s possible to infect harmful procedural content by framing it in the context of a story by feeding as input to the AI system.
Using a set of keywords and creating sentences using those words and subsequently expanding on those themes.
The attack modelled in form of a “persuasion” loop within a conversational context, while slowly-but-steadily taking the model on a path that minimizes refusal triggers and allows the “story” to move forward without issuing explicit malicious prompts.
These jailbreaks can be executed with nearly identical prompts across platforms, allowing attackers to bypass built-in content moderation and security protocols. Result is generating illicit or dangerous content.
Enterprise environment exposed to risk
If a malicious user deliberately inputs a crafted prompt into a customer service chatbot that instructs the LLM to ignore safety rules, query confidential databases. This could trigger more actions like emailing internal content.
Similarly in the context of GPT -5, what happened the attackers constructed elaborate fictional frameworks that gradually introduce prohibited elements while maintaining plausible deniability.
The outcome as per researchers is storytelling attacks can achieve 95% success rates against unprotected GPT-5 instances, compared to traditional jailbreaking methods that achieve only 30-40% effectiveness.
Once successfully exploited both echo chamber and storytelling attack vectors demonstrates that unless enterprises are ready with their baseline safety measures, deploying any kind of enterprise-grade applications is useless.
Enterprises who are ready to implement a comprehensive AI security strategy, that include prompt hardening, real-time monitoring and automated threat detection systems before production deployment will be better secured.
Sources: Researchers Uncover GPT-5 Jailbreak and Zero-Click AI Agent Attacks Exposing Cloud and IoT Systems
New Malware Strikes on Users Data, infects Devices has bypass mechanism;
How deadly the malware is warns Researchers. Linux malware variant offers advanced features and evasion mechanisms
PSA stealer malware affected more then 4,000 computers in 62 countries
A brand new malware related to Linux been found infecting thousands of computers around the world, stealing people’s login credentials, payment information and browser cookies, warns security researchers from SentinelLabs and Beazley Security. More than 4,000 computers were infected with PSA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.
As per researcher PSA Stealer is apparently being distributed through phishing emails and malicious landing pages. The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL. The program sideloads the DLL, successfully deploying the malware while not raising any alarms.
More than 4,000 computers were infected with PSA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.
The joint report detailing the activities of PXA Stealer, a new Python-based infostealer for the Linux platform. Spotted in late 2024, and has since grown into a formidable threat, successfully evading defense tools while wreaking havoc across the globe.
Key pointers on installing the applications /malware (Side Loading)
The malware PSA can target browser extensions for various crypto wallets, including Exodus, Magic Eden, Crypto.com and many more
Can pull data from sites such as Coinbase, Kraken, and PayPal.
Finally, it can inject a DLL into running browser instances to bypass encryption mechanisms.
PSA Stealer is apparently being distributed through phishing emails and malicious landing pages
The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL.
The program sideloads the DLL, successfully deploying the malware while not raising any alarms.
Hackers who are from Vietnamize origin are selling data selling it on the black market – in a Telegram group. The majority of the victims are located in South Korea, the US, the Netherlands, Hungary, and Austria.
So far, more than 200,000 were stolen passwords, as well as hundreds of credit card information and more than four million cookies.
Vulnerability in SAP NetWeaver recently discovered by threat researchers from from Palo Alto Networks’ Unit 42 is being exploited to deploy Linux malware is capable of running arbitrary system commands and deploying additional payloads, experts have warned.
Security researchers from Palo Alto Networks’ Unit 42 discovered a piece of malware called Auto-Color, a backdoor, from Linux and dubbed for its ability to rename itself after installation.
The researchers found it was capable of opening reverse shells, executing arbitrary system commands, acting as a proxy, uploading and modifying files.
This also include adjusting settings dynamically. It was also discovered that the backdoor remains mostly dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator instructions arrive.
Mitigating threat from Malware
Malware is any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems. In cybersecurity the diversity of malware include viruses, worms, spyware and ransomware. Each has unique attack methods, so it’s essential to understand their nature and behavior to mitigate potential risks.
How does Malware spread & threat Malware pose?
All channels available at disposal should be monitored when we think of malware and how they spread. All types of malware can spread in various ways, using technical vulnerabilities and human inattention to infiltrate systems and networks, but some methods prove more successful than others. Understanding how malware typically presents itself and spreads can help businesses stay vigilant against its damage.
Deceive & Defend against Malware with Mirage Cloak from IntruceptLabs
Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.
- Our AI-powered proactive defense system identifies potential threats in real time, giving you the upper hand in protecting your network and assets.
- By leveraging advanced artificial intelligence, our system reduces false positives, allowing your security team to focus on genuine threats and respond effectively.
- With machine learning capabilities, our defense system continuously learns and evolves, adapting to new attack vectors and staying ahead of cyber threats.
Do connect with us for any query: https://intruceptlabs.com/contact/
Analyzing the newly discovered Vulnerability in Gemini CLI; Impact on Software coding
Google’s Gemini command line interface (CLI) AI agent
Its not been one month when Google’s Gemini CLI vulnerability discovered by Tracebit researchers and found attackers could use prompt injection attacks to steal sensitive data.
Google’s Gemini CLI, an open-source AI agent for coding could allow attackers exploit to hide malicious commands, using “a toxic combination of improper validation, prompt injection and misleading UX,” as Tracebit explains.
After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.
Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool’s sandboxing mode for additional security and protection.
Disclosure of the vulnerability
Researchers reported on vulnerability directly to Google through its Bug Hunters programme. According to a timeline provided by Tracebit, the vulnerability was initially reported to Google’s Vulnerability Disclosure Programme (VDP) on 27 June, just two days after Gemini CLI’s public release.
Impact of the vulnerability
A detailed analysis found that in the patched version of Gemini CLI, attempts at code injection display the malicious command to users. This require explicit approval for any additional binaries to be executed. This change is intended to prevent the silent execution that the original vulnerability enabled.
Tracebit’s researchers played an important role in discovering and reporting the issue which is symbol of independent security research, particularly as AI-powered tools become central to software development workflows.
LLM integral to software development but hackers are using it too
Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).
As developers worldwide are using LLMs to help them develop code faster, attackers worldwide are using LLMs to help them understand and attack applications faster.
Tracebit also discovered that malicious commands could easily be hidden in Gemini CLI This is possible by by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.
More vigilance required when examining and running third-party or untrusted code, especially in tools leveraging AI to assist in software development.
Through the use of LLMs, AI excels at educating users, finding patterns and automate repetitive tasks.
Sam Cox, Tracebit’s founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. “That’s exactly why I found this so concerning,” Cox told Ars Technica. “The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user’s machine.”
Source: https://in.mashable.com/tech/97813/if-youre-coding-with-gemini-cli-you-need-this-security-update
Critical Vulnerability identified in tj-actions/branch-names’ GitHub Action workflow
Security advisory: Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories.
Summary:
A critical vulnerability has been identified in the tj-actions/branch-names’ GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-54416 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0
The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Command Injection in branch-names GitHub Action | CVE-2025-54416 | tj-actions/branch-names GitHub Action <v8.2.1 | 9.1 | v9.0.0 or later |
Technical Summary
This Vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.
The vulnerability exists due to unsafe usage of the eval command in the action’s script. Although some escaping was done using printf “%q”, developers later used eval printf “%s” to unescaped values, which reintroduced command injection risks.
Any branch name containing malicious shell code can trigger execution during workflows.
The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-54416 | GitHub repositories using tj-actions/branch-names < v8.2.1 | Unsafe use of eval leads to command injection | Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows |
Proof of Concept (POC)
Remediation:
- Update immediately to tj-actions/branch-names version v9.0.0 or higher.
- The vulnerable eval code has been replaced with safe printf usage.
- Review your workflows to ensure no malicious activity has occurred.
- Check logs for strange branch names or unexpected shell activity.
Conclusion:
This command injection flaw is extremely dangerous due to its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk. Attackers don’t need access to the code just the ability to open a pull request.
All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows.
References:
CitrixBleed 2: Critical CVE-2025-5777 Vulnerability Under Active Exploitation with Public PoC Available
Summary ; A critical vulnerability identified as CVE-2025-5777 has been discovered in Citrix NetScaler ADC and NetScaler Gateway products configured as Gateway or AAA virtual servers.
The Citrix NetScaler is a networking gadget that delivers application access across distributed enterprise environments.
Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.
| OEM | Citrix |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-5777 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This out-of-bounds read flaw enables unauthenticated attackers to leak sensitive memory content, such as session tokens, by sending crafted HTTP POST requests.
The vulnerability is actively exploited in the wild, with public PoC exploits and scanning tools available. Citrix has released patches, and urgent remediation is strongly recommended.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-bounds read vulnerability | CVE-2025-5777 | NetScaler ADC & Gateway | Critical | 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1 37.235, 12.1-FIPS 12.1-55.328 |
Technical Summary
CVE-2025-5777 arises from improper input validation during login requests on affected NetScaler devices. An attacker can exploit the flaw by submitting a malformed authentication request (eg. missing an equal sign in a POST login parameter). This leads the system to read uninitialized memory and leak up to 127 bytes of sensitive data.
Attackers can extract session tokens and bypass multi-factor authentication (MFA) to hijack legitimate user sessions.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5777 | NetScaler ADC & Gateway 14.1 < 14.1-43.56 13.1 < 13.1-58.32 13.1-FIPS/NDcPP < 13.1-37.235 12.1-FIPS < 12.1-55.328 EOL: 12.1, 13.0. | Insufficient input validation allows attackers to trigger a memory leak via malformed authentication requests. | Session hijacking, MFA bypass, unauthorized access |
Proof of Concept (PoC):
- Execution Flow
Attacker submits a malformed HTTP POST to:
POST /p/u/doAuthentication.do HTTP/1.0
Host: <NetScaler-IP>
Content-Length: 5
Connection: keep-alive
login
(Note: the ‘login’ parameter is included without an ‘=’ or value.) *
- Memory Leak Trigger
Due to insufficient input validation, the backend neither initializes nor validates the ‘login’ field. This causes up to 127 bytes of uninitialized stack memory to be included in the XML response ‘<InitialValue>’ tag potentially containing session tokens or sensitive internal data.
Source: horizon3
Remediation:
- Immediate Action: Upgrade to the latest fixed versions: – NetScaler ADC & Gateway 14.1-43.56 or later
– NetScaler ADC & Gateway 13.1-58.32 or later
– NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235 or later
– NetScaler ADC 12.1-FIPS 12.1-55.328 or later
– EOL versions (12.1, 13.0) must be upgraded to supported releases.
Recommendations:
- Session Invalidation: After patching, terminate all active ICA and PCoIP sessions using:
kill icaconnection -all
kill pcoipConnection -all.
- Audit: Review authentication and session logs for suspicious activity, including repeated POST requests and session reuse across unexpected IPs.
- Upgrade Legacy Systems: Migrate EOL devices to supported versions as they will not receive security fixes.
Conclusion:
CVE-2025-5777 (CitrixBleed 2) represents a critical memory leak vulnerability that is being actively exploited, with working public exploits widely circulated.
Attackers can extract session tokens and take over sessions even with MFA in place. Shodan scans reveal over 50,000 exposed NetScaler instances, with more than 1,200 unpatched as of late June 2025
Given its severity, public exploitation, and impact, organizations must act immediately to patch vulnerable systems, revoke active sessions, and migrate away from unsupported versions.
This vulnerability echoes the risks of the original CitrixBleed, emphasizing the importance of proactive defense in depth.
References:
Hashtags
#Infosec #CyberSecurity #Critix #NetScaler #SecurityAdvisory #Vulnerabilitymanagement # Patch Management #CISO #CXO #Intrucept
Critical Privilege Escalation Vulnerability in Motors WordPress Theme
Summary: A critical privilege escalation vulnerability (CVE-2025-4322) has been identified in the Motors WordPress theme, a widely used premium theme tailored for car dealerships, rentals, and vehicle listings.
| OEM | WordPress |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-4322 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview This vulnerability affects versions up to 5.6.67 and could allow unauthenticated attackers to reset passwords for any user, including administrators, leading to complete site compromise. The issue has been addressed in version 5.6.68, and immediate patching is strongly recommended.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation via Password Reset Bypass | CVE-2025-4322 | Motors WordPress Theme | Critical | 5.6.68 |
Technical Summary
The vulnerability arises from insufficient input validation in the Login Register widget of the Motors theme, specifically within the password-recovery.php template. An attacker can manipulate the hash_check parameter using an invalid UTF-8 character, which is improperly sanitized by the esc_attr() function. This allows the attacker to bypass password reset validations and change passwords without authorization, even for administrator accounts.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4322 | Motors WordPress Theme (<= 5.6.67) | The password-recovery.php file fails to properly validate whether the stm_lost_password_hash exists and is correct. If the hash is empty (e.g. – no reset was requested), an attacker can bypass the check using an invalid UTF-8 character. The esc_attr() sanitization strips the invalid character after validation, resulting in a successful hash match and unauthorized password update. | Complete site compromise. |
Remediation:
- Immediately update: To mitigate the vulnerability, users of the Motors WordPress theme should immediately update to version 5.6.68 or later.
Conclusion:
CVE-2025-4322 is a critical privilege escalation vulnerability affecting over 22,000+ WordPress sites using the Motors theme.
Exploiting this flaw, unauthenticated attackers can reset administrator passwords and gain full control of vulnerable sites. The vulnerability was responsibly disclosed and swiftly addressed by the vendor, with a patched version (5.6.68) released.
Given the ease of exploitation and potential for full site compromise, users are strongly advised to update immediately.
Organizations relying on the Motors theme should also implement multi-layered security practices, such as web application firewalls, routine patching, and access monitoring, to safeguard their digital assets against similar threats in the future.
References:
Recent Comments