CISO

Security Advisory

Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now

Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-11-11 
No. of Patches 63 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview : Key Updates on Patch Tuesday

The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe. 

This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 63 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 29 Elevation of Privilege (EoP) 
  • 16 Remote Code Execution (RCE) 
  • 11 Information Disclosure 
  • 3 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 2 Spoofing  

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) CVE-2025-62215 Windows 10, 11, Server 2016–2022 Critical 9.0 
Microsoft Office Use-After-Free Remote Code Execution Vulnerability CVE-2025- 62199 Microsoft Office (Word/Excel/Office Suite) Critical 9.8 
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability CVE-2025-30398 Nuance PowerScribe 360 Critical 9.1 
Windows DirectX Graphics Kernel Use-After-Free Vulnerability CVE-2025-60716 Windows DirectX Graphics Kernel Critical 8.8 
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability CVE-2025-60724 Microsoft Graphics Component (GDI+) Critical 8.7 
Visual Studio Command Injection Remote Code Execution Vulnerability CVE-2025-62214 Microsoft Visual Studio / Visual Studio Code Critical 8.1 

Technical Summary 

The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.  

Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62215 Windows Kernel Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) Elevation of Privilege 
CVE-2025-62199 Microsoft Office Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns Remote Code Execution 
CVE-2025-30398 Nuance PowerScribe 360 Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network Information Disclosure 
CVE-2025-60716 Windows DirectX Graphics Kernel Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system Elevation of Privilege 
CVE-2025-60724 Microsoft GDI+ Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files Remote Code Execution 
CVE-2025-62214 Visual Studio Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments Remote Code Execution 

Source: Microsoft 

In addition to several other Important severity vulnerabilities were addressed below –  

  • CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation. 
  • CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation. 
  • CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access. 
  • CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution. 
  • CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE. 
  • CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE. 
  • CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability. 
  • CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs. 
  • CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing. 
  • CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities. 

Source: Microsoft, bleepingcompute, cybersecuritynews 

Key Affected Products and Services 

The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core Components 

Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems. 

  • Microsoft Office Suite 

Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities. 

  • Azure & Cloud Services 

Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors. 

  • Graphics Components 

Patches for GDI+, DirectX, WSL GUI. 

  • Developer Tools 

Updates for Visual Studio, Visual Studio Code, and GitHub Copilot. 

  • Third-Party Applications 

Patches for Nuance PowerScribe (Medical domain). 

  • Mobile Platform Technologies 

Updates for Microsoft OneDrive for Android. 

Remediation: 

  • Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems. 

Here are some recommendations below  

  • Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes. 
  • Ensure Windows 10 ESU enrollment for extended support systems. 
  • Restrict local admin privileges and enforce least-privilege access. 
  • Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity. 
  • Segment critical systems and disable unused network services (RRAS, SMB). 

Conclusion: 
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio. 

Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world. 

References

Security Advisory

Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability 

Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.

OEM Gladinet 
Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-12480 
POC Available YES 
Actively Exploited YES 
Exploited in Wild YES 
Advisory Version 1.0 

Overview 

Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain  CVE-2025-12480 Triofox Critical v16.7.10368.56560 or later 

Technical Summary 

The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access. 

Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 12480 Triofox < 16.7.10368.56560 Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM Authentication Bypass, Admin Account Creation,  Remote Code Execution,  Full System Compromise,  Persistent Access, Data Exfiltration, Lateral Movement 

Indicators of Compromise (IOCs) 

Host-Based Artifacts 

Artifact Description SHA-256 Hash 
C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe Installer containing  Zoho UEMS Agent 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f 
C:\Windows\temp\sihosts.exe Plink 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 
C:\Windows\temp\silcon.exe PuTTy 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad 
C:\Windows\temp\file.exe AnyDesk ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f 
C:\triofox\centre_report.bat Attacker batch script filename N/A 

Network-Based Artifacts 

IP Address ASN Description 
85.239.63[.]37 AS62240 – Clouvider Limited IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance 
65.109.204[.]197 AS24950 – Hetzner Online GmbH After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities 
84.200.80[.]252 AS214036 – Ultahost, Inc. IP address hosting the installer for the Zoho UEMSAgent remote access tool 
216.107.136[.]46 AS396356 – LATITUDE-SH Plink C2 

Source: cloud.google.com 

Recommendations: 

Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal. 

Conclusion: 
This vulnerability  represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.

Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools. 

References

Blogs

Encryption: A Foundation for Organizational Security Against Threats

Encryption is often taken as last line of defense and organizations are using encryption to secure their data. Understanding and adopting the latest encryption technologies is crucial for keeping data secure. In current scenario when attackers are equally lazed with latest technologies, companies can strengthen their cybersecurity strategies and continue to adapt encryption as last line of their defense. When organizations enhance their encryption practices today, they can protect their digital assets for the future.

As cyber attacks are evolving so as encryption advances. Now numerous key developments will shape the future of cybersecurity. Once inside the network, cyber criminals can easily view and steal sensitive data. If that data is encrypted, they have no way of accessing it without a decryption key, saving the data from being compromised.

For example, the continuous evolution of quantum computing presents challenges and opportunities for encryption. Quantum-resistant algorithms must increase in speed to enhance security against quantum attacks.

The FinWise Data Breach a Stark Example

On May 31, 2024, the ex-employee accessed FinWise Bank’s systems after leaving the company and leaked sensitive personal information belonging to 689,000 customers of American First Finance (AFF). Even more alarming, this unauthorized access went undetected for more than a year before being discovered by the bank on June 18, 2025.

The FinWise Data breach revealed lapses like time gap between the initial breach and its discovery. The Bank came to understand about the incident and notified affected customers in June 2025 which was over a year after the breach occurred. This was a huge time gap and lawsuits allege that the stolen data may not have been adequately encrypted and secured, causing public criticism and concern.

Security experts emphasize that a well-designed information protection framework must not only encrypt critical financial data but also proactively detect and prevent abnormal access attempts.

Quantum computing & Encryption

Organizations who relies on encryption to keep its critical business communications and data safe are secure now. But as per RAND, experts expect quantum computers capable of breaking today’s encryption standards to arrive by the 2030sOpens a new window .

In the latest updates The Federal Trade Commission (FTC) has sent letters to major tech companies in the United States, urging them to resist foreign governments’ demands to weaken encryption. 

The letters were sent by FTC Chairman Andrew Ferguson to Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X.

Traditional encryption relies on math problems that would take classical computers centuries to solve. RSA encryption, which protects much of today’s internet traffic, works because factoring massive numbers is impossibly hard for regular computers. But tomorrow’s computers will make quick work of it. According to the MIT Technology Review, researchers have shown that a quantum computer with 20 million noisy qubits could crack RSA-2048 in just 8 hoursOpens a new window .

The question is Encryption alone is sufficient to protect data

As per researchers Encryption alone is no longer sufficient to protect privacy in LLM interactions, as metadata patterns can be exploited to infer sensitive subjects and corporate intent. Researchers at Microsoft have revealed a new side channel attack named Whisper Leak that can reveal the topic of encrypted conversations between users and language models, even without access to the underlying text.

The discovery highlights a growing blind spot in AI security where encryption alone no longer guarantees privacy in model interactions.

What we must know about Whisper Leak the side channel attack

Whisper Leak exploits often exploits a side channel in network communication rather than a flaw in encryption itself. LLM services generate responses step by step, by producing one token at a time instead of the entire response at once. Also, the communications with AI-powered chatbots are often encrypted with HPPS over TLS (HTTPS), ensuring the authenticity of the server and security through encryption.

A side channel attack breaks cryptography by using information leaked by cryptography, such as monitoring the electromagnetic field (EMF) radiation emitted by a computer screen to view information before it’s encrypted in a van Eck phreaking attack, aka Transient Electromagnetic Pulse Emanation STandard (TEMPEST). 

Encryption the last line in defense & Helps Orgs Embrace GDPR

If sensitive information is no longer required, the best way to protect it is to delete it. However, when files are deleted from a hard drive they leave traces that can be reconstructed by thieves and hackers. By encrypting the files before deletion, the remnants that remain on the drive will remain encrypted and remain inaccessible should they be reconstructed. In this way, encryption protects your privacy, even when the files are gone.

Companies should, therefore, ensure that all devices leaving the workplace are encrypted. Most phones have a native encryption option that can be easily activated, while laptops can have either their hard drives or sensitive data encrypted depending on the tools an organization wants to use.

Nowadays data protection is no longer an option. Companies can’t ignore the problem and hope they won’t be targeted by malicious threat actors.

GDPR itself recommends encryption as an effective tool for data protection as do data protection standards such as the CIS Controls which advocate a data security strategy based on a combination of encryption, integrity protection and data loss prevention techniques.

At the end Encryption ensures that, whether these devices are lost, stolen or forgotten, the data on them is useless to anyone who tries to access it without a decryption key.

(Source: https://www.bleepingcomputer.com/news/security/finwise-data-breach-shows-why-encryption-is-your-last-defense/)

Sources: https://www.csoonline.com/

Security Advisory

Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0 

Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.

OEM Amazon 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12779 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.

Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.

The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Improper Authentication Token Handling in Amazon WorkSpaces Client  CVE-2025-12779 Amazon WorkSpaces client for Linux   High 2025.0 

Technical Summary 

The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.

The update improves session isolation and secures token handling, protecting against lateral token theft.

Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12779 Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. Unauthorized access to another user’s workspace 

Recommendations 

  • Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later. 

Conclusion: 
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.

Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions. 

References

Security Advisory

Chrome Latest Update Fixes Multiple High-Severity Security Flaws 

Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems exposing users to possible unauthorized access or data leaks. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Out-of-Bounds Write in WebGPU  CVE-2025-12725 Chrome   High 142.0.7444.134/135 
Inappropriate Implementation in Views (UI Rendering)  CVE-2025-12726 Chrome  High 142.0.7444.134/135 
Inappropriate Memory Handling in V8 JavaScript Engine CVE-2025-12727 Chrome  High 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12728 Chrome  Medium 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12729 Chrome  Medium 142.0.7444.134/135 

Technical Summary 

The bugs included memory corruption issues such as out-of-bound writings and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).

The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.

Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12725 Google Chrome (WebGPU) Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits.  Remote Code Execution / Browser Crash 
 CVE-2025-12726 Google Chrome (Views UI) Inappropriate implementation in the Views component causing memory corruption. UI rendering 
CVE-2025-12727 Google Chrome (V8 Engine) Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. Remote Code Execution  
CVE-2025-12728 Google Chrome (Omnibox) Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. UI Spoofing  
CVE-2025-12729 Google Chrome (Omnibox) Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. UI Spoofing / Security Bypass 

Recommendations 

Update Chrome immediately to the following versions: 

  • For windows 142.0.7444.134/.135  
  • For MacOS 142.0.7444.135 
  • For Linux 142.0.7444.134 

You can update by Open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately. 

Along with update you can follow the recommendations below as well 

  • Enforce Chrome auto-updates across managed endpoints using enterprise policy controls. 
  • Actively monitor browser crash reports or any suspicious logs potentially linked to exploit attempts. 
  • Use vulnerability & patch management tools to ensure all endpoints are running the latest version of all applications.  

Conclusion: 
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk and google already patched those issues. Keeping any application to the latest version which is the best defense against cyber threats aiming at browsers. 

References

Blogs

AI Surge in CyberSecurity Redefining Threat & Defense; Reshaping Software Development & Security

Currently enterprise Cyber Security strategy with AI has become a game changer, reshaping is critical for both threat and defense. Embracing Gen AI for a robust defensive system empowers organizations to analyze vast amount of data is key requirement for enterprise security where software development is key to enterprise security , embracing ‘security by design’.

In 2024-2025, we have witnessed how mainstream enterprise deployment of AI has changed the strategic cyber security requirement. Thereby creating a strong defense mechanism around enterprise security, redefining the threat landscape and shaping software development.

AI is changing the way we look at products being a risk multiplier. How organization balancing innovation with protection?

AI can track and break commonly used passwords within minutes. So this is scary as more powers are in the hands of hackers, on the other side AI can improve password security again a boon. The Dark Web is already selling Fraud GPT and Worm GPT.

For Organizational cyber security strategy AI is being used now to tackle threats and cyber defense. Again AI has the capability to accelerate the speed of cyber attacks.

So what are leaders deciding when chasing AI based products. The way leaders are looking at products is products that give practical and actionable outlook and being embedded in delivery workflows.

Strategically, this means evolving away from rigid, checkbox-based compliance toward dynamic, adaptive security models that reflect how modern teams really build software—especially in AI-accelerated environments.

As per statistics 2025 witnessed the following AI based cyber attacks.16% of all breaches in 2025 involved attackers using AI. (IBM),and other AI attacks included 37% used phishing attacks and 35% used deepfake attacks. (IBM). 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM).

OpenText has released their survey and the report entails, AI is rapidly changing the threat landscape for organizations . Organizations are navigating a high-stake balancing act to enable innovation while managing risk.

Here are the key findings

Top AI-related concerns among respondents include data leakage (29%), AI-enabled attacks (27%), and deepfakes (16%).

95% of respondents are confident in their ability to recover from a ransomware attack, but only 15% of those attacked fully recovered their data.

88% allow employees to use GenAI tools, yet less than half (48%) have a formal AI use policy.

Enterprises lead AI governance (52%) compared to SMBs (43%) by having a formal AI policy in place.

52% report increased phishing or ransomware due to AI; 44% have seen deepfake-style impersonation attempts.

Surge in AI Threats via sophisticated attacks

One of the reasons cited by threat researchers is organizations are embracing GenAI, allowing employees to use generative AI tools and few less then 50% have a formal AI-use or data privacy policy in place, the report noted.

This is added with hackers innovative way in tricking using AI, bypassing any defense mechanism which is traditional. 

AI tools are now being used to create such convincing phishing emails, fake websites and even deepfake videos to injecting malicious code giving leverage to cyber criminals

In the last few months we witnessed how Ransomware attacks round the world surged and quite complex in nature as third-party service providers or software supply chains were prime targets. The Qantas airline breach and M&S data beach that hit UK’s top retail brand.

While Qantas did not to Information Age whether AI voice deepfakes were used in the breach, the cybercrime group experts believe may be linked to the hack — dubbed ‘Scattered Spider’ — has a track record of using voice-based phishing (or ‘vishing’) in its attacks. This is clear AI being used and surge is quite high in AI based cyber attacks.

AI for Cyber Defense for Organizational Cyber Security Strategy

It is not hackers who are benefiting but for Organizations it is a game changer as AI being used to detect attack at faster pace meaning mean time.

Findings of this survey reinforces that protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations’, partners, and technology providers collaborate to close security gaps before they are exploited.

Key pointer for building pragmatic and strategic choices and this approach starts with embracing security by design approach in developmental life cycle.

  • Continuously Embedding security in developer workflows keeping automating, scanning, policy enforcement and anomaly detection in tools used by developers.
  • Cybersecurity AI tools are better at identifying patterns and anomalies in large datasets including vulnerabilities. teams have to highly prioritize and contextualize them in term of developing products.
  • Supposedly there is an attack and the security tools not able to detect. So continuous testing is mandatory.
  • Developers can favor simple solutions that favors pragmatic security patterns and transparency in architecture. In this way trust is developed with clients.

Few important developers keep in focus is to sponsor bug bounties, publish advisories using standards like the Common Security Advisory Framework (CSAF) and provide context on severity and exploitability.

Threat researcher suggest organizations who are building in products accept all vulnerability reports, investigate them, and fix the issues. Any critically important advisory to be used for root cause analysis to improve tools, training and various threat models. Developers are suggested to give feedback for external tools if they help them evolve. Understanding no software can ever be perfect.

Offerings from IntruceptLabs are exactly what you need to develop organizational cyber defense capabilities

Intru360

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

(Sources: https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today)

Sources: https://investors.opentext.com/press-releases/press-releases-details/2025/OpenText-Cybersecurity-2025-Global-Ransomware-Survey-Rising-Confidence-Meets-a-Growing-AI-Threat/default.aspx)

Blogs

Critical React Native CLI Vulnerability Enables OS Command Injection  

Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

Severity  Critical 
CVSS Score  9.8 
CVEs  CVE-2025-11953 
POC Available  Yes 
Actively Exploited  No 
Advisory Version  1.0 

Overview 

A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
 OS Command Injection  CVE-2025-11953  @react-native-community/cli @react-native-community/cli-server-api  Critical  @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 

Technical Summary 

The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.

On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers. 

CVE ID  Component Affected  Vulnerability Details  Impact 
CVE-2025-11953  Development Server’s /open-url Endpoint  The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows.  Remote OS Command Injection 

Recommendations 

  • Update to @react-native-community/cli-server-api version 20.0.0 or later immediately. 

If upgrading is not possible, 

  • Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server. 
  • Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early. 

How these kind of security flaw can cause damage?

This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.

The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.

The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.

The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.

What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.

Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner

  • GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
  • Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
  • Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
  • GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
  • Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.

References

 

 

Blogs

ESMA Prioritize Cyber Risk, & Cyber Resilience to Secure Financial Sector

ESMA Focuses on Cyber Risk, Digital Resilience & Cyber Resilience for Financial Sector ensuring DORA requirements are followed. This also marks how Digital resilience and ESG compliance are strategic imperatives for EU financial institutions.

The financial sector faces a growing range of multi-vector threats, ranging from ransomware and phishing to IoT exposures and many more cyber threat. Being uniquely exposed the financial sector is prone to cyber risk. Financial firms have huge sensitive data and transactions they handle are targets of cyber criminal activity round the world.

Keeping this in focus the European Securities and Markets Authority (ESMA), announced updates that reinforces EU’s commitment to digital operational resilience and ESG.

Cyber risk and digital resilience will remain central to its Union Strategic Supervisory Priorities (USSPs) for 2026 and further the European Commission’s plan to expand the authority of ESMA over cryptocurrency and capital markets but critics have other view on this.

Now that EU’s Digital Operational Resilience Act (Dora) is in force and this mandates financial institutions they must ensure robust ICT risk management and align with supervisory expectations. ESMA urges continued collaboration between NCAs to strengthen cyber resilience across the EU.

According to ESMA, this alignment allows European supervisors to better coordinate efforts to reinforce information and communications technology (ICT) risk management while improving the overall digital resilience of securities markets across the EU.

ESMA and national regulators have shown what the authority described as strong commitment to overseeing financial entities’ compliance with DORA through proactive monitoring and capacity building.

Strategic Importance ESMA aligning with Cyber Resilience & ESG

From above alignment it is clear that ESG disclosures remain a top priority, with 2026 efforts targeting high-risk areas.

  • Cyber Resilience Front and Center: ESMA confirmed that cyber risk and digital resilience will remain top priorities in its 2026 Union Strategic Supervisory Priorities (USSPs), extending the focus introduced under DORA in 2025.
  • Supervisory Coordination Deepens: National competent authorities (NCAs) are being urged to continue proactive supervision and strengthen coordination across the EU to ensure consistent application of DORA requirements.
  • Digital Risk as Systemic Risk: The renewed emphasis reflects a shift in EU financial regulation, treating technology and cyber resilience as critical to overall market stability.
  • ESG Oversight Continues: ESG disclosures will remain a key supervisory theme, with regulators targeting high-risk areas and consolidating progress made since the initiative began in 2022.
  • New Priorities: ESMA plans to assess additional supervisory topics in 2026 that may require heightened EU-wide oversight in the coming years.

With ESMA setting in renewed focus underscores a broader shift within European financial regulation, and digital resilience is fundamental part of systemic stability. Added focus for 2026, it will assess potential new topics in other areas that may require intensified supervisory work across the EU in future years.

What does this mean for Financial organizations across EU

For financial firms, this means supervisors are likely to dig deeper into how technology risks are identified, managed, and tested, from cloud dependencies to incident response. ESMA said it may introduce new areas of supervisory attention in 2026 and beyond as it refines its Union-wide agenda

(Sources: ESMA urges stronger cyber risk oversight across the EU)

Security Advisory

Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities 

Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.

OEM Apple 
Severity High 
CVEs CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes. 

                Vulnerability Name CVE ID Product Affected Fixed Version 
WebKit Use-After-Free (Safari Crash/RCE) CVE-2025-43438 iOS, iPadOS iOS/iPadOS 26.1 
WebKit Buffer Overflow (RCE Risk)  CVE-2025-43429 iOS, iPadOS iOS/iPadOS 26.1 
App Installed Detection via Accessibility  CVE-2025-43442 iOS, iPadOS iOS/iPadOS 26.1 
Sensitive Screenshot in Embedded Views CVE-2025-43455 iOS, iPadOS iOS/iPadOS 26.1 
Kernel Memory Corruption / DoS  CVE-2025-43398 iOS, iPadOS iOS/iPadOS 26.1 

Technical Summary: 

The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-43438 WebKit Use-after-free in Safari triggers crash or code execution via malicious web content  Remote Code Execution, System Compromise 
 CVE-2025-43429 WebKit Buffer overflow in content processing allows arbitrary code execution Remote Code Execution, Service Compromise 
CVE-2025-43442 Accessibility Permissions flaw allows apps to detect installed apps (fingerprinting) Privacy Violation, User Tracking 
CVE-2025-43455 Apple Account Malicious apps can screenshot sensitive embedded UI (login views) Credential, PII Exposure 
CVE-2025-43398 Kernel Memory mishandling leads to system termination or kernel corruption Denial of Service, Potential Privilege Escalation 

Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table 

Vulnerability Name CVE ID Affected Component 
Sandbox Escape via Assets CVE-2025-43407 Assets 
Sandbox Escape via CloudKit Symlink CVE-2025-43448 CloudKit 
Stolen Device Protection Bypass CVE-2025-43422 Stolen Device Protection 
Cross-Origin Data Exfiltration CVE-2025-43480 WebKit 
Keystroke Monitoring via WebKit CVE-2025-43495 WebKit 
Apple Neural Engine Kernel Corruption CVE-2025-43447, CVE-2025-43462 Apple Neural Engine 
Canvas Cross-Origin Image Theft CVE-2025-43392 WebKit Canvas 
Contacts Data Leak in Logs CVE-2025-43426 Contacts 
Lock Screen Content Leak CVE-2025-43350 Control Center 
Address Bar Spoofing CVE-2025-43493 Safari 
UI Spoofing in Safari CVE-2025-43503 Safari 

Recommendations: 

Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website

Patches are available and should be applied immediately.  

For environments where immediate patching is not immediately feasible, you can also follow the recommendations below. 

  • Enable Stolen Device Protection and Lockdown Mode (where applicable) 
  • Restrict app installations to trusted sources. 
  • Avoid visiting untrusted websites from browser 
  • Use VPN and enable Advanced Data Protection for iCloud 
  • Monitor for anomalous app behavior or battery drain  

Conclusion: 
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.

Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems. 

References

Blogs

Regulations for Start-Ups & SME’s Helps address Cyber Risk & Business Strategy

This decade has witnessed huge technological, digital and cyber security uprise and challenges which shaped the way of doing business and business strategy. Now every company is powered by software and technology and cybersecurity a top priority for organizations everywhere. Regulations are of high importance for business strategy and cyber risks. Startups under the Startup India initiative can self-certify their compliance with labor and environmental laws, reducing the risk of inspections and penalties.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges. Compliance brings in additional challenge but integrating compliance brings in transparency and subsequent valued positioning for clients who value transparency.

That’s putting a lot of pressure on cybersecurity leaders to level up their governance, risk, and compliance programs. India’s push towards digitization has transformed how businesses interact with regulators and the government has rolled out a range of tax incentives to bolster the growth of startups and SMEs. Further the government has been recognizing the role of innovation in the startup ecosystem and to further this strengthened IP protections.

Sector specific regulations

The government has also taken a proactive approach to sector-specific regulations and this has been for most important sectors from fintech to ecommerce, healthcare etc. Regulatory sandboxes by RBI and SEBI allow fintech startups to test new products in a controlled environment. New draft e-commerce rules aim to ensure transparency, fair competition, and consumer protection.

For emerging vibrant business it is important that business leaders stay abreast to staying abreast new regulatory changes that will help leverage the full potential of upcoming India’s vibrant business landscape.

Prioritizing Cyber security for Business Continuity with Regulations

Recently Akshay Joshi, head of World Economic Forum’s Centre for Cybersecurity highlighted that significant challenges lies in prioritizing cybersecurity and addressing these requires a combination of strong incentives and regulatory support,.

“There needs to be incentives that are brought into the mix for appropriate investments into cybersecurity,” Joshi said, emphasizing that regulation plays a crucial role.

As per WEF’s annual Global Cybersecurity Outlook Report, which found that roughly 70% of respondents agree that regulations are “really effective in terms of ensuring a baseline of cybersecurity.”

(Source: Startups and SMEs need incentives and regulations to prioritise cybersecurity: WEF official | Company Business News)

As startups and SME’s navigate through business challenges and every day there is a fresh rules emerging across industries, understanding their impact on business for CEO’S is crucial for staying ahead. By understanding the different types of regulations, startups can better navigate the landscape for your business.

For every start up owners placing their business for long term success is ultimate goal and positioning the business requires set of regulations that can bring both opportunities and challenges.

Without regulations in place innovation will be stalled and so the fair set up within the ecosystem. In the beginning embracing regulations may be daunting task but regulations play important role for startups specifically cyber security based start ups who are constantly battling warfare’s that is equivalent to cripple critical infrastructure and damage organizations affecting economies at a scale that is equivalent to any physical attack.

For Cyber security Startups any regulatory updates often focus on data privacy, financial practices and data security. For instance, recent data protection laws require companies to enhance their data security measures to safeguard customer data and information, This is done so to foster trust and loyalty among users and increase brand value.

There are Compliance that are driven by regulations and can pose challenges for start ups as this increases operational costs. These changes may demand additional investments in legal counsel or technology to ensure adherence.

If any Startup is handling customer data and if they invest in data protection solutions which is essential to bring in confidence for their customers. With GDPR and CCPA regulations, organizations might face fines for non-compliance and loose trust from investors that may restrict further funding.

Startups that proactively integrate compliance into their core strategy can position themselves as industry leaders, appealing to customers who value transparency.

Conclusion:

Cyber security is every where and is crucial from point of network and cloud security to AI, privacy, governance, forensics, and risk management, each domain plays a crucial role in keeping organizations resilient. For customers it means that their data is in safe hands.

Having a discipline structure and frameworks in place increases brand value.  However, cybercriminals are increasingly focused on targets that have weaker defenses and start ups are prime in their targets.

Any organization who implement regulations, audits certification and follow compliance enhances their defenses.
They might be handling sensitive data, but staying compliant with regulations like GDPR and HIPAA is essential. Regular security audits and employee training can significantly reliability and confidence among investors.

For business to thrive and grow regulations are step ahead towards creativity, innovation and growth,. This helps business to stay ahead of competitors and establish a reputation for innovation, also for avoiding penalties, legal consequences and reputational damage.

Scroll to top