CISA

Blogs

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

 Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Cybersecurity News

CISA Warns Critical Cisco Firewall Vulnerabilities Under Active Exploitation  

4 Actively exploited Zero-days affecting millions of devices,. This include 3 targeted by Nation-state actor “ArcaneDoor”.

Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities referring to CVE-2025-20333 and CVE-2025-20362 in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

CISA has also added in their KEV catalog and including additional actions tailored to each agency’s status in Emergency Directive ED 25-03 document.

CISA said ‘”The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade,”.

CISA has reported that an advanced threat actor ArcaneDoor, threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.  

Severity Critical 
CVSS Score 9.9  
CVEs CVE-2025-20333, CVE-2025-20362 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.1 

Overview 

The flaws discovered are actively exploited in the wild which allow attackers to execute arbitrary code or access restricted endpoints without authentication. Admins are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Buffer Overflow Vulnerability  CVE-2025-20333  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD)  Critical Update to the latest version 
Missing Authorization Vulnerability CVE-2025-20362  Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) Medium  Update to the latest version 

Technical Summary 

Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.

The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.

In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.

Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.

Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20333  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  Improper input validation in the VPN web server enables authenticated remote users to send crafted HTTP requests that allow arbitrary code execution with root privileges. Remote Code Execution  
CVE-2025-20362  Cisco Secure Firewall ASA Software, Cisco Secure FTD Software  The VPN web server does not properly validate HTTP(S) user-supplied input. Attackers can exploit this by sending specially crafted requests to bypass authentication and access restricted URL endpoints. Unauthorized access  

Recommendations

  • Install the fixed software releases for Cisco Secure Firewall ASA and FTD Software 
  • Use the Cisco Software Checker to identify the earliest fixed release for your software version. 
  • Navigate the device management interface (Cisco Secure Firewall Management Center or Device Manager) to apply updates. 
  • Restart devices after installation and ensure auto-updates are enabled. 
  • Review the Configure Threat Detection for VPN Services section in the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable protection against VPN-related attacks. 

Conclusion: 
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.

Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure. 

References

Security Advisory

Critical WhatsApp Zero-Day Vulnerability Allows Remote Code Execution  

Summary 

OEM WhatsApp 
Severity Medium 
CVSS Score 5.4 
CVEs CVE-2025-55177 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability recently discovered in WhatsApp’s linked device feature that allows users to access WhatsApp across multiple devices, such as phones and computers.

CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting its significance. The flaw allows attackers to send crafted messages that forced WhatsApp to load malicious content from a rogue website without any user interaction. WhatsApp and Apple already patched the issue and users are urged to update their apps immediately to stay protected.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
WhatsApp Incorrect Authorization Vulnerability  CVE-2025-55177 WhatsApp  Medium 2.25.21.73 and later. 
 
WB iOS 2.25.21.78 and later.  
WhatsApp Desktop for Mac 2.25.21.78 and later. 

Technical Summary 

The vulnerability was due to incomplete authorization of synchronization messages in WhatsApp’s linked device feature. This flaw allowed an attacker to send crafted sync messages that could trick WhatsApp into processing content from an arbitrary URL, even if the message came from an untrusted source.

This could result in WhatsApp loading and executing malicious content on the target device without any user interaction. The impact of the attack was significantly increased when combined with a separate Apple OS vulnerability (CVE-2025-43300), making it suitable for sophisticated, targeted exploitation.

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-55177 WhatsApp for iOS (v2.22.25.2 to v2.25.21.72) 
 WhatsApp Business for iOS (v2.22.25.2 to v2.25.21.77) 
 WhatsApp Desktop for Mac (v2.22.25.2 to v2.25.21.77		Incomplete authorization in the linked device sync feature allowed attackers to send crafted sync messages that caused WhatsApp to load content from an arbitrary URL without user interaction. This could be used to execute malicious code on the device. Remote code execution,.  Potential full device compromise.  

Remediation

Update the WhatsApp in iOS and mac devices to the latest version 

  • WhatsApp for iOS: Update to v2.25.21.73 or latest version 
  • WhatsApp Business for iOS: Update to v2.25.21.78 or latest version  
  • WhatsApp Desktop for Mac: Update to v2.25.21.78 or latest version 

Conclusion: 
The WhatsApp vulnerability highlights the growing risks of zero-click attacks, where devices can be compromised without any user interaction. This flaw has been exploited in targeted attacks and poses a serious threat to user security and privacy. It is important for all users to keep their apps and operating systems up to date and follow trusted security recommendations

References

Security Advisory

Apple Patches Zero-Day Vulnerability Exploited in Targeted Attacks (CVE-2025-43300) 

Security Advisory : Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.

To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-43300 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview  The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.

The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
An out-of-bounds write issue   CVE-2025-43300 iPhone, iPad, macOS  High iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS 13.7.8, macOS 14.7.8, macOS 15.6.1 

Technical Summary 

The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.

It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.

This makes it a critical security flaw, particularly because the attack vector image files are common and often considered low risk. Apple has mitigated vulnerability by improving bounds by checking in the affected code.

The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-43300 iPhones, iPads, Macs. Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches.  Remote code execution via malicious image zero-click attack surface 

Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms. 

  • CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content. 
  • CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges. 
  • CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app. 
  • CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files. 
  • CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges. 
  • CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation. 
  • CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution. 

Remediation

Update your Apple devices immediately to the latest patched versions: 

  • iPhone – iOS 18.6.2 
  • iPad – iPadOS 18.6.2/17.7.10 
  • macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1. 

Conclusion: 
Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.

Users are strongly advised to update their devices immediately to stay protected against these serious threats. 

In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.

While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats. 

References

Blogs

Surge in Ransomware attack reveal sophistication of Threat actors that strategically focuses on industries to incentivizes Ransom payment

  • The United States remains the primary target for Ransomware attacks
  • UK is preparing to ban any Ransomware payments  for critical infrastructure companies
  • Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
  • RaaS market growth drivers

There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.

Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.

In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.

Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.

Now UK is preparing to ban any Ransomware payments  for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.

The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.

Surge in ransomware attacks

Zscaler  released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform

The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.

Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.

The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.

The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).

Ransomware and Crypto market

Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.

How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.

The demand was Bitcoin, but its scale and method were more advanced but not the first.

BlackSuit ransomware extortion sites seized in Operation Checkmate

Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

Yesterday 28 july,  the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

Key trends Key driving the Ransomware Protection Market


The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.

The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.

This  include technological advancements and increasing cyber threats.

  • Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
  • End-point security segment accounted for 35% of market revenue.
  • BFSI sector generated the most income, with significant ransomware attacks reported.
  • Managed services segment dominated the market, catering to SMEs for enhanced cyber security.

Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.

Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack

Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.

Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.

It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.

Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.

APEC market for Ransomware expected to grow

The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.

This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.

Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.

The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.

Ransomware Protection Industry Developments

Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

Source:

 BlackSuit ransomware extortion sites seized in Operation Checkmate

Ransomware attacks surge despite international enforcement effort | Cybersecurity Dive

Ransomware Protection Market Size, Growth Analysis – 2032

Blogs

Increased Funding on Cyber Offensive operation against Cyber Defense budget cut by Trump Admin; How wise a decision? Lets explore

Major new legislation commits over $1billion to US cyber offensives. Defining Cyber-offensive operations will include exploiting flaws in software or hack devices or deploy spyware.

This also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gathers Intelligence as a part of these activates.

Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”

Along side recently the Trump regime announced that cyber offensive operation against Russia will be paused, highlighting that US govt now focuses mainly on China, moving away from eastern Europe.

It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.

The ongoing trade war with China is one of the main reason for Trump regime to shift focus from Russia , and in recent months security researchers have seen Chinese state hackers linked to People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing. 

The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. Few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts was announced.

Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.

CISA maintained although the continued efforts to undermine and weaken cybersecurity teams capabilities, however counter-productive that may be in protecting US infrastructure.

Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.

The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.

However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.

“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.

How wise decision it is to cut cyber defense budget while increasing Cyber offensive spending?

The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.

Obviously there will be reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. The federal government has inadvertently provided adversaries with a map of its blind spots by scaling back critical cybersecurity programs.

This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.

At the same time The Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.

The Trump administration is well aware of the nation state attack and advance techniques cyber adversaries adopt to, a national threat to infrastructure security that cannot be compromised.

Every year there has been increase in cyber security budget if we take a look at from 2017 to 2024. The US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.

(Source: https://techcrunch.com)

Soucrce: Trump seeks unprecedented $1.23 billion cut to federal cyber budget | CSO Online

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Blogs

NIST & CISA Proposed Metric for Vulnerability Exploitation Probability

The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.

The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.

This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.

NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.

However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.

Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.

The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.

Importance of Metric for Vulnerability Exploitation Probability

Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.

Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.

It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.

That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.

In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.

The researchers outline four key ways LEV could be used:

1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.

Introducing the LEV Metric

Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.

LEV probabilities are designed to:

  • Estimate how many and which vulnerabilities are likely to have been exploited
  • Assess the completeness of the KEV catalog
  • Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
  • Improve EPSS-based prioritization by correcting underestimations

Key Findings

The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.

For example:

  • CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
  • CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.

The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.

NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.

Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.

Scroll to top