CISO

Security Advisory

CitrixBleed 2: Critical CVE-2025-5777 Vulnerability Under Active Exploitation with Public PoC Available

Summary ; A critical vulnerability identified as CVE-2025-5777 has been discovered in Citrix NetScaler ADC and NetScaler Gateway products configured as Gateway or AAA virtual servers.

The Citrix NetScaler is a networking gadget that delivers application access across distributed enterprise environments.

Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.

OEM Citrix 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-5777 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This out-of-bounds read flaw enables unauthenticated attackers to leak sensitive memory content, such as session tokens, by sending crafted HTTP POST requests. 

The vulnerability is actively exploited in the wild, with public PoC exploits and scanning tools available. Citrix has released patches, and urgent remediation is strongly recommended. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Out-of-bounds read vulnerability  CVE-2025-5777 NetScaler ADC & Gateway  Critical  14.1-43.56,   13.1-58.32, 13.1-FIPS/NDcPP 13.1 37.235, 12.1-FIPS 12.1-55.328 

Technical Summary 

CVE-2025-5777 arises from improper input validation during login requests on affected NetScaler devices. An attacker can exploit the flaw by submitting a malformed authentication request (eg. missing an equal sign in a POST login parameter). This leads the system to read uninitialized memory and leak up to 127 bytes of sensitive data. 

Attackers can extract session tokens and bypass multi-factor authentication (MFA) to hijack legitimate user sessions. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-5777 NetScaler ADC & Gateway 14.1 < 14.1-43.56 13.1 < 13.1-58.32 13.1-FIPS/NDcPP < 13.1-37.235 12.1-FIPS < 12.1-55.328 EOL: 12.1, 13.0. Insufficient input validation allows attackers to trigger a memory leak via malformed authentication requests. Session hijacking, MFA bypass, unauthorized access 

Proof of Concept (PoC): 

  • Execution Flow 

Attacker submits a malformed HTTP POST to: 

POST /p/u/doAuthentication.do HTTP/1.0 

Host: <NetScaler-IP> 

Content-Length: 5 

Connection: keep-alive 

login  

(Note: the ‘login’ parameter is included without an ‘=’ or value.) * 

  • Memory Leak Trigger 

Due to insufficient input validation, the backend neither initializes nor validates the ‘login’ field. This causes up to 127 bytes of uninitialized stack memory to be included in the XML response ‘<InitialValue>’ tag potentially containing session tokens or sensitive internal data.  

    Source: horizon3 

Remediation

  • Immediate Action: Upgrade to the latest fixed versions:  – NetScaler ADC & Gateway 14.1-43.56 or later 
    – NetScaler ADC & Gateway 13.1-58.32 or later 
    – NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235 or later 
     – NetScaler ADC 12.1-FIPS 12.1-55.328 or later 
     – EOL versions (12.1, 13.0) must be upgraded to supported releases. 

Recommendations: 

  • Session Invalidation: After patching, terminate all active ICA and PCoIP sessions using: 
      kill icaconnection -all 
      kill pcoipConnection -all. 
  • Audit: Review authentication and session logs for suspicious activity, including repeated POST requests and session reuse across unexpected IPs. 
  • Upgrade Legacy Systems: Migrate EOL devices to supported versions as they will not receive security fixes. 

Conclusion: 
CVE-2025-5777 (CitrixBleed 2) represents a critical memory leak vulnerability that is being actively exploited, with working public exploits widely circulated.

Attackers can extract session tokens and take over sessions even with MFA in place. Shodan scans reveal over 50,000 exposed NetScaler instances, with more than 1,200 unpatched as of late June 2025 

Given its severity, public exploitation, and impact, organizations must act immediately to patch vulnerable systems, revoke active sessions, and migrate away from unsupported versions.

This vulnerability echoes the risks of the original CitrixBleed, emphasizing the importance of proactive defense in depth. 

References

Hashtags 

#Infosec #CyberSecurity #Critix #NetScaler #SecurityAdvisory #Vulnerabilitymanagement # Patch Management #CISO #CXO #Intrucept  

Security Advisory

Grafana Rolls out Updates on Critical Chromium Vulnerabilities; CVE-2025-6554 a Zero day Vulnerability

Summary : Grafana has issued urgent patches to address multiple high-severity vulnerabilities stemming from underlying flaws in the Chromium V8 JavaScript engine.

OEM Google 
Severity High 
CVSS Score 8.1 
CVEs CVE-2025-6554, CVE-2025-5959, CVE-2025-6191 CVE-2025-6192 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The most critical of these, CVE-2025-6554, is a zero-day vulnerability that was actively exploited in the wild. Several of these bugs, if unpatched, could allow attackers to execute arbitrary code, perform memory corruption or bypass sandbox protections via malicious HTML content.

Grafana users running affected versions of Image Renderer and Synthetic Monitoring Agent are strongly advised to update immediately. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 
Type Confusion in V8 Engine vulnerability CVE-2025-5959 Google Chrome High 137.0.7151.103/.104 (Windows & Mac) 137.0.7151.103 (Linux) 
Integer overflow in V8 Engine vulnerability CVE-2025-6191 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 
Use-after-free in Metrics (Profiler) in Google Chrome CVE-2025-6192 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 

Technical Summary 

Grafana has patched four high-severity Chromium V8 vulnerabilities in its Image Renderer and Synthetic Monitoring Agent. The most critical, CVE-2025-6554 is a zero-day type confusion bug that was actively exploited. Other flaws include CVE-2025-5959 (remote code execution), CVE-2025-6191 (integer overflow) and CVE-2025-6192 (use-after-free).

Affected versions are Image Renderer < 3.12.9 and Synthetic Monitoring Agent < 0.38.3. Users should update immediately to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  
CVE-2025-5959 Chrome on Windows, macOS, Linux Type Confusion in V8 in Google Chrome prior to allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Remote code execution.  Potential system compromise. 
CVE-2025-6191 Chrome on Windows, macOS, Linux Integer overflows in V8 in Google Chrome prior to allowing a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Arbitrary code execution. Memory Corruption. 
CVE-2025-6192 Chrome on Windows, macOS, Linux Use after free in Metrics in Google Chrome prior to allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page. Arbitrary code execution.  

Remediation

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • macOS: 138.0.7204.92/.93, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • Linux: 138.0.7204.96, 137.0.7151.103, 137.0.7151.119 

Other Chromium-based browsers (Edge, Brave, Opera etc.) should also be updated as patches become available from their respective vendors. 

Conclusion: 
The criticality of CVE-2025-6554, CVE-2025-5959, CVE-2025-6191, CVE-2025-6192 in the wild highlights the urgency of applying the latest Chrome security update.

Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

References

Security Advisory

Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released 

Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.

Severity High 
CVSS Score 7.0 
CVEs CVE-2025-6019 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where: 

  • udisksd is installed and running (e.g., Fedora, SUSE) 
  • Users in the allow active group are trusted to execute disk-related actions 
  • libblockdev fails to validate privileged backend operations under unprivileged contexts 

This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication. 

Vulnerability Name CVE ID Product Affected Severity 
​Local Privilege Escalation Vulnerability  CVE-2025-6019 udisksd / libblockdev  High 

Technical Summary 

This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions. 

An attacker can exploit this by  

  • Crafting a malicious disk image (like XFS with a SUID-root shell). 
  • Using “udisksctl mount -b /dev/loop0” to mount it as root. 
  • Escalating privileges and compromising the system. 
CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6019 Fedora, SUSE, and other Linux distros using udisks2/libblockdev Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations.  Local privilege escalation to root 

Remediation

Here are the recommendations below 

  • Update “udisks2” and “libblockdev” to the latest versions provided by your distribution. 
  • Audit and restrict membership of the “allow_active” group. 
  • Disable unsafe or legacy D-Bus actions in system services where possible. 

Conclusion: 
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.

The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments. 

Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface. 

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Blogs

Cyber-Breach on Qantas Airliner re-echo’s Cyber Risk associated with Third Party

Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly  six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.

Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.

KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years. 

Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.

We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.

In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.

Last week, FBI said Scattered Spider group  was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:

Key pointer of the Qantas Breach

The Cyber hacker broke into a database containing the personal information of millions of customer.

The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.

The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).

If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.

Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.

The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). 

How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large

First ensure your third party vendor’s meet the required robust security posture

Vendor risk assessment must be done holistically by streamlining due diligence

Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.

As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.

Managing Third party risk with Intru360

A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.

KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.

With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.

Prebuilt playbooks and automated response capabilities.

Over 400 third-party and cloud integrations.

More than 1,100 preconfigured correlation rules.

Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.

Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

https://kpmg.com/us/en/articles/2022/ten-key-regulatory-challenges-2023-risk-governance.html
https://www.sbs.com.au/news/article/qantas-data-breach-everything-we-know-so-far-about-stolen-customer-details/49iggxre0

Uncategorized

Google Chrome Zero-Day Vulnerability (CVE-2025-6554) Actively Exploited – Patch Now 

Summary : Security Advisory: Google has issued an urgent security update for Chrome browser users worldwide, addressing a high-severity zero-day vulnerability in the Chrome browser CVE-2025-6554 actively being exploited by cybercriminals.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-6554 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This is a type confusion flaw in Chrome’s V8 JavaScript engine allows arbitrary code execution and it’s actively being exploited in the wild. 

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025, and a temporary mitigation was pushed on June 26, 2025. This internal discovery highlights the ongoing security monitoring efforts within Google’s infrastructure.

The mitigation measure passed through a configuration change pushed to all stable channel users across all platforms.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 

Technical Summary 

CVE-2025-6554 is a type confusion vulnerability in Chrome’s V8 JavaScript engine. It allows threat actors to exploit memory misinterpretation and execute arbitrary code, potentially compromising the browser or the underlying system. Google has confirmed active exploitation of this flaw. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  

Remediation

A full fix is available in the latest stable channel update. Users are strongly advised to update immediately to ensure full protection. 

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97 
  • macOS: 138.0.7204.92/.93 
  • Linux: 138.0.7204.96 

Conclusion: 

The exploitation of CVE-2025-6554 in the wild highlights the urgency of applying the latest Chrome security update. Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

Organizations using Chrome in enterprise environments should prioritize this update across their networks.

The combination of confirmed active exploitation and the high-severity rating makes this patch deployment critical for maintaining organizational cybersecurity posture.

Refer to Intruceptlabs products & solution for better cyber security posture with Intru360, Gaarud Node

References

Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Citrix NetScaler ADC/Gateway Vulnerability Exploited in the Wild (CVE-2025-6543) 

Summary : Security Advisory;

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

OEM Citrix 
Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-6543 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

A critical memory overflow vulnerability, CVE-2025-6543, has been discovered in NetScaler ADC and NetScaler Gateway products, potentially leading to denial-of-service and unintended control flow. The issue affects deployments configured as Gateway services. Active exploitation in the wild has been reported. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Memory overflow vulnerability  CVE-2025-6543 NetScaler ADC and NetScaler Gateway  Critical  14.1-47.46 / 13.1-59.19 / 13.1-37.236 

Technical Summary 

CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway products that can result in denial-of-service (DoS) or arbitrary control flow, particularly when the system is configured as a Gateway or AAA virtual server.

The flaw stems from improper restriction of operations within memory buffer bounds (CWE-119). This vulnerability has been exploited in real-world attacks. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-6543 NetScaler ADC & Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP Memory overflow due to improper memory boundary restrictions when configured as Gateway or AAA virtual servers  Denial-of-Service and Unintended control flow 

Remediation

  • Immediate Action: Affected customers are strongly advised to upgrade to the fixed versions: 
Product Version Recommended Fixed Build 
NetScaler ADC / Gateway 14.1 14.1-47.46 or later 
NetScaler ADC / Gateway 13.1 13.1-59.19 or later 
NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236 or later 

Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable. These should be replaced with supported, patched builds. 

Customers using FIPS or NDcPP variants should contact Citrix Support directly for access to the fixed builds. 

Conclusion: 
CVE-2025-6543 represents a highly critical risk to organizations utilizing NetScaler Gateway or ADC for secure access and application delivery.

Organizations still using outdated or end-of-life (EOL) versions are especially vulnerable and should prioritize upgrading to supported builds. 

This flaw follows a pattern of severe vulnerabilities affecting NetScaler products, including the recently disclosed CVE-2025-5777 (CVSS score: 9.3), which also posed a significant threat to enterprise infrastructure.

Together these issues highlight the urgent need for timely patching, continuous monitoring, and defense-in-depth strategies to safeguard critical network assets. 

With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.

Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Blogs

Oxford City Council Latest Prey of Cyber criminal; Personal Data on legacy system exposed

The Oxford City Council informed it suffered a data breach where attackers accessed personally identifiable information from legacy systems. The incident which took place over the weekend of 7 and 8 June, witnessed how attackers accessed historic data stored over a decade held on legacy systems.

The leaked personal information are of individuals who worked on elections administered by the council between 2001 and 2022, including poll station workers and ballot counters. Most of these people, said the council, will be current or former council officers.

‘”No evidence to suggest that any of the accessed information has been shared with third parties,” said the council in a statement.

The automated systems were able to detect the breach and resulted in disruption to some of their services last week. But the have been working hard to minimize impact on residents.

The council’s email systems and wider digital services remain secure and safe to use, it said, and the council has reported the incident to the relevant government authorities and law enforcement agencies.

According to the Information Commissioner’s Office (ICO), cyber attacks on local authority systems rose by a quarter between 2022 and 2023, while personal data breaches rocketed by 58%.

Major cyber attacks on institutions based in UK

The Oxford attack is the latest of many to affect UK councils. In 2025 alone, Gateshead and West Lothian councils have reported material attacks on their systems, with ransomware groups claiming responsibility for both.

Nottingham City Council also suffered a freak service outage earlier this year, which turned off the lights at the authority’s office building, although that was caused by a datacenter electrical fault rather than intruders.

Legacy Systems Vulnerable to cyber attacks:

A study by Accenture found that 85% of IT leaders in government agencies believe not updating legacy systems threatens their future.

When legacy systems were developed, these applications may have been on top of then-current cybersecurity practices. But with the passage of even a short time, the threat landscape evolves while many legacy systems get left behind.

Legacy systems are the workhorses of many businesses and dependable as these aging software and hardware applications keep core operations running. Legacy dependencies can stall a strategic move to the cloud and digital transformation. 

These outdated software applications, databases, and codebases were once reliable. Presently the software’s struggle to keep pace with digital trends.

Few examples of Legacy system

  • Old Enterprise Resource Planning (ERP) systems: These were often built with a monolithic architecture, making them inflexible and difficult to integrate with newer technologies.
  • Outdated databases: Hierarchical and older relational database systems may lack the features and security needed for modern applications.
  • Custom code: Businesses may still rely on proprietary software written in languages like COBOL, posing challenges for maintenance and updates.

Protect your Network & Digital environment with Intru360

If you are storing sensitive information like passwords, API keys, certificates, and other secrets, it’s critical to ensure they are kept secure.

Many developers often overlook this crucial step, either hardcoding secrets directly into their code or storing them in an insecure manner.

Sometimes lack of attention can have disastrous consequences as we have witnessed many high-profile breaches over the years.

  • For seamless business continuity even in the face of cyber threats while maintaining productivity and profitability Intru360 have been introduced to proactive cybersecurity measures and protect your valuable information.
  • Stay safe, stay informed and protect your digital environment as Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack.
  • Intru360 simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
  • Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
  • Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

 

(Sources: https://www.theregister.com/2025/06/20/oxford_city_council_breach/)

https://www.secopsolution.com/blog/common-vulnerabilities-in-legacy-systems-and-how-to-mitigate-them

Scroll to top