Cyber Threat

Critical Session Management Vulnerability in Apache Roller

Summary Security Advisory

Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.

OEM	Apache
Severity	Critical
CVSS Score	10.0
CVEs	CVE-2025-24859
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue.

Vulnerability Name	CVE ID	Product Affected	Severity
Insufficient Session Expiration on Password Change	CVE-2025-24859	Apache Roller	Critical

Technical Summary

The vulnerability centers on insufficient session expiration.

When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.

As a result, any session tokens before the password change remain valid.

This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.

This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24859	Apache Roller 1.0.0 – 6.1.4	Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.	Unauthorized Access / Session Hijacking

Remediation:

Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation.

Conclusion:

CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.

Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem.

This is a critical step in maintaining the security of blog sites and protecting user data.

CVE-2025-24859 highlights the importance of robust session management in web applications.

References:

https://securityonline.info/cve-2025-24859-cvssv4-10-apache-roller-flaw-exposes-blogs-to-unauthorized-access/

https://nvd.nist.gov/vuln/detail/CVE-2025-24859

https://www.openwall.com/lists/oss-security/2025/04/11/1

https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23

Android Malware Crocodilus; Threat for cryptocurrency wallet Users

Crocodilus is a new banking malware that evades detection from Google’s play protect.

The Android malware has been specifically targeting to steal sensitive cryptocurrency wallet credentials through social engineering. Its convincing overlay screen warns users to back up their wallet key within 12 hours or risk losing access says security researchers.

Why threat researchers call this trojan ?

Crocodilus includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and “hidden” remote control capabilities. Also the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections as per researchers of Threat fabric.

Unlike any banking trojan which takes over devices, Crocodilus is similar in pattern and uses tactics to load a fake overlay on top of the real app to intercept the victim’s account credentials. These are targeted mostly for banking or cryptocurrency app users.

Another data theft feature of Crocodilus is a keylogger and the malware monitors all Accessibility events and captures all the elements displayed on the screen, i.e. it is an accessibility Logger.

Intricacies of Crocodilus Malware

The modus operandi of the malware makes it easier to preform task to gains access to accessibility service, to unlock access to screen content, perform navigation gestures, monitor for app launches.

The malware also offers remote access Trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe actions.

The malware is fitted with dedicated RAT command to take a screenshot of the Google Authenticator application and capture one-time password codes used for two-factor authentication account protection.

Android users are advised to avoid downloading APKs from outside Google Play and to ensure that Play Protect is always active on their devices.

Researchers discovered source code of malware revealing debug messages left by the developer(s), reveal Turkish speaking.

The Expanding Threat landscape with evolving Modern Malware’s

The Crocodilus malware designed to go after high valued assets that targets cryptocurrency wallets and Banks. These malware can make the defense line up of banking system weak and researchers advise to adopt a layered security approach that includes thorough device and behavior-based risk analysis on their customers’ devices.

Modern malware has the capability to break the security defenses of organization even if they are protected by cutting edge solutions to defend. As the threat landscape expand so are sophisticated attacks rising.

Modern malware can bypass most security solutions, including email filtering, anti-virus applications, sandboxing, and even IPS/IDS and sometime few file-less malware leaves no footprint on your computer and is executed exclusively in run-time memory.

In this sophisticated war against threat criminals enterprise security requires is taking services for active threat hunting and be diligent in scanning files meant for downloads.

To improve enterprise security the important aspects needs to be covered increase usage of multi-layer defenses. Protecting against modern malware is an ongoing effort, and rarely it is “set and forget.” Utilize multiple layers of security, including anti-virus software, network layer protection, secure web gateways, and other tools for best results.

Keep improving your security posture against modern malware is an ongoing effort and includes multiple layers of security. With anti-virus software, advanced network layer protection, secure web gateways, and other tools the security posture at enterprise level increases.

Remember your best defenses can be in trouble, so continue monitoring, adapt and train employees, while using comprehensive multi-layer approach to security.

Source: https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices

Phishing Crusade Targeted approx 12,000 GitHub Repositories; Victims directed to “gitsecurityapp”

A large-scale phishing campaign has targeted nearly 12,000 GitHub repositories with phony security alerts, reported BleepingComputers.

The alerts, opened as issues on the repositories, inform users of unauthorized login attempts and provide links to change their passwords, review active sessions, or set up MFA.

If a user clicks any of these links, they’ll be taken to a GitHub authorization page for an OAuth app that will grant the attacker control of the account.

The campaign is ongoing, though GitHub appears to be responding to the attacks.

Users were directed to all links within the message to a GitHub authorization page for a malicious OAuth application called “gitsecurityapp.” If authorized, the app grants attackers full control over the user’s account and repositories, including the ability to delete repositories, modify workflows, and read or write organization data.

This consistent messaging across all affected repositories aims to create a sense of urgency and panic, prompting developers to take immediate action.

The fraudulent alert directs users to update their passwords, review active sessions, and enable two-factor authentication. However, these links lead to a GitHub authorization page for a malicious OAuth app named “gitsecurityapp.”

Upon authorization, an access token is generated and sent to various web pages hosted on onrender.com, granting the attacker full control.

(Image courtesy: Bleeping Computers)

The attack, which was first detected on March 16, remains active, though GitHub appears to be removing affected repositories.

Pointers Developers to take key inputs from this incident.

Last week, a supply chain attack on the tj-actions/changed-files GitHub Action caused malicious code to write CI/CD secrets to the workflow logs for 23,000 repositories.

If those logs had been public, then the attacker would have been able to steal the secrets.

The tj-actions developers cannot pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform malicious code changes as per threat researchers.

Key pointers for User saftey:

For users who have mistakenly authorized the malicious OAuth app revoking access to suspicious OAuth apps through GitHub’s settings.
Affected users should review their repository workflows, check for unauthorized private gists, and rotate their credentials to prevent further damage.
This attack highlights the increasing threat of phishing campaigns targeting GitHub users.
As GitHub continues to investigate and respond, developers must remain vigilant and verify any security alerts before taking action.
Rotate your credentials and authorization tokens.

Wiz suggests that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories.

If double-encoded base64 payloads are found in workflow logs, this should be taken as a confirmation their secrets were leaked.

Developers should immediately remove all references to affected actions across branches, delete workflow logs, and rotate any potentially exposed secrets.

(Sourece: Bleeping computers)

CTI & SOC Team’s Compliment Holistic Threat Hunting

SOC & CTI Compliment each other in threat Hunting

7Zip Mark-Of-The-Web Vulnerability

A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.

OEM	7Zip
Severity	High
CVSS	7.0
CVEs	CVE-2025-0411
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.

This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.

7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.

Vulnerability Name	CVE ID	Product Affected	Severity
MOTW Bypass vulnerability	CVE-2025-0411	7zip	High

Technical Summary

This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.

An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.

This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-0411	7Zip Prior to v24.09	This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections.	Arbitrary remote code injection, potential system compromise

Remediation:

Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.

Generic Recommendations

Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.

Conclusion

The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.

References:

#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

DORA & NIS2
EU Regulations to Strengthen Cyber defense

Banshee Stealer: A Growing Threat to macOS Users

Overview

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.

Key Threat Details:

Malware Capabilities:

Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.

User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.

Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.

C&C decryption Source: Cybersecurity News

Evasion Tactics:

Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.

Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.

Distribution Mechanisms:

Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.

Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.

Repository releases source: Cybersecurity News

Recent Developments:

Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.

Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.

Impact:

Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.

Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.

Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.

Indicators of Compromise (IOCs):

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .

IP Address and Domain	File Hash
41.216.183[.]49	00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93
Alden[.]io	1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416
api7[.]cfd	3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab
Authorisev[.]site	b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114

Recommendations:

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:

Avoid Untrusted Downloads:

Refrain from downloading software from unverified sources, particularly free or “cracked” versions.

Verify the authenticity of GitHub repositories before downloading any files.

Strengthening System Defenses:

Regularly update macOS and all installed applications to patch known vulnerabilities.

Deploy advanced security solutions with real-time threat detection and proactive intelligence.

Enhance Awareness and Training:

Educate users on identifying phishing websites and suspicious downloads.

Encourage caution when responding to system prompts or entering credentials.

Enable Two-Factor Authentication (2FA):

Secure accounts with 2FA to minimize the impact of stolen credentials.

Monitor System Activity:

Regularly review system logs for unauthorized changes or suspicious activity.

Use tools to monitor unexpected outgoing data transmissions.

Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.

Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.

Conclusion:

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.

References:

https://blog.checkpoint.com/research/cracking-the-code-how-banshee-stealer-targets-macos-users/

https://cybersecuritynews.com/banshee-malware-targets-macos/#google_vignette

https://otx.alienvault.com/pulse/677fe682d3832164346deca1

Cybersecurity Trends for 2025; Responsible AI to gain Importance

Cyber security trends as per research and data available shows that responsible AI will gain importance with more public scrutiny of risks growing along with remediation practices. Organizations will now require to balance taking risks with AI and having rapid remediation strategies available.

As per experts the areas that will get attention will be cloud security and data location. In 2025, new laws may require that sensitive data stay within national borders, affecting how companies manage and store data across regions. As businesses and critical services become increasingly dependent on cloud services, some countries may prioritize cloud availability in national emergency plans, recognizing that stable cloud access is mandatory for crisis management. This shift could lead towards the establishment of a new program like Cloud Service Priority (CSP), treating cloud infrastructure as important as utilities like electricity and telecoms.

How organization need to prepare themselves as big and small businesses and brands will see dramatically increased risks, as bad actors using AI will launch convincing impersonation attacks. This will make it easier with higher accuracy than ever to fool customers and clients.

Key Cyber Security Trends of 2025

As organization navigate through 2025 we will witness that threat actors will increasingly use AI for sophisticated phishing, vishing, and social engineering attacks.

Gen-AI

Generative AI is driving an unprecedented surge in cyber fraud, with nearly 47% of organisations identifying adversarial AI-powered attacks as their primary concern, according to the World Economic Forum’s Global Cybersecurity Outlook 2025.

Due to technological advancements the Cyberspace is growing more complex due to technological advancements as they are interconnected to supply chains. Collaboration between public and private sectors is essential to secure the benefits of digitalization at all levels.

Digitalization

76% of cybersecurity leaders report difficulties navigating a patchwork of global policies and 66% of organizations expect AI to transform cybersecurity, only 37% have implemented safeguards to secure these tools before deployment.

IoT Devices Vulnerable

Hackers will grow attacks on IoT devices as per research by Analytics insights report 2025 as over 30 billion devices across the globe will be connected through the Internet of Things. IoT enhance productivity offering convenience but due to their low-security backgrounds hackers may utilize opportunity to obtain sensitive information, or form massive botnets to execute Distributed Denial-of-Service (DDoS) attacks. (Analytics insight)

Ransomware

Attackers have resorted to different methods of extortion, involving ransom demands along with DDoS attacks. Encryption and fileless ransomware are being developed in an attempt to evade detection. RaaS makes it increasingly easy for non-technical users to carry out advanced attacks and the trend is growing. Experts predict that, by 2025, ransomware attacks will occur globally every two seconds prime targets remain in the healthcare, education, and government sectors.

AI /ML

To survive in highly competitive environment hackers will continue using AI so as organization will continue with previous theme of 2024 application of artificial intelligence and this will expand along with machine learning (ML) as these tools are the game changer in in a cybersecurity strategy.

Quantum Computing

The year 2025 will witness the rise and development of Quantum Computing and computers.An exciting technological development; however, it also generates grave challenges for cybersecurity. Quantum computers solve complex problems much faster than classical computers, making traditional cryptography algorithms vulnerable to quantum attacks is equally necessary to be proactive, with an immediate focus on quantum-safe encryption that would last to provide safety to the digital security systems in the years to follow. McKinsey poll says, 72% of tech executives, investors and quantum computing academics believe that “a fully fault-tolerant quantum computer” will be here by 2035, while 28% think this won’t happen until at least 2040. With Quantum computing business can protect their data and stay ahead of quantum threats with the right tools and strategies in place.

Regulations

Regulatory changes and compliance will evolve in 2025 as government across the European countries are gearing up with regulation being prepared to protect against surge of ransomware attacks, introducing stringent measures to combat the growing menace of cyber extortion. The EU emerged as a frontrunner in cybersecurity regulation, with the Network and Information Security (NIS2) Directive coming into full force.

BISO Analytics: In 2025 we will witness rise of virtual CISO (vCISO) or CSO consultant roles over full-time in-house roles. Also Shifting CISO responsibilities have brought about an increasing role for BISOs. The cybersecurity team has a lot to handle as companies face more cyber threats, compliance requirements, growing remote workforces, and rapid adoption of new cloud-based technologies. With such a large scope of duty, the CISO is often over stretched and in this complex cybersecurity environment having a BISO will bring in support to entire cyber security strategy.
BISO ‘s may also be called upon to interact with marketing and corporate communications, bringing their research into potential attack vectors, typical points of vulnerability, and unique understanding of the hackers mindset and guide organizations that are increasingly battening cybersecurity strategy to deal with various attack vectors.

Intrucept offers BISO Analytics as a services. BISOs are crucial for strategies requiring technical cybersecurity and strategic business input.

Organizations need bespoke solutions to defend against attacks across email, social, and other channels as we witness evolving nature of attacks demands continuous weekly innovation to stay ahead. The use of Multifactor authentication reduces the danger in identity and access management EDR solutions with feeds of threat intelligence will gain prominence. Intrucept is dedicated in helping organizations to run fast and be secure. We will always find that being easy and slowing down is a tendency but we as organization try to enable our customers to maintain speed (and even accelerate).

References:

McKinsey Lock Down! Top Cybersecurity Threats We May Witness in 2025 Healthcare Trends Shaping 2025 And Insights For Industry Leaders Lock Down! Top Cybersecurity Threats We May Witness in 2025
Healthcare Trends Shaping 2025 And Insights For Industry Leaders
https://www.cisecurity.org/insights/blog/12-cis-experts-cybersecurity-predictions-2025

Ivanti Connect Secure VPN Actively Being Exploited in the Wild

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary

OEM	Ivanti
Severity	Critical
CVSS	9.0
CVEs	CVE-2025-0282, CVE-2025-0283
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Stack-Based Buffer Overflow Vulnerability	CVE-2025-0282	Ivanti	Critical	22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3
Stack-Based Buffer Overflow Vulnerability	CVE-2025-0283	Ivanti	High	22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-0282	Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways	A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.	RCE, System compromise, Data theft, Network breaches, and Service disruptions.
CVE-2025-0283	Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways	A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges	Allow Local Authenticated Attackers to Escalate Privileges.

Remediation:

Ensure that the appropriate patches or updates are applied to the relevant Ivanti
Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below:

Affected Version(s)	Fixes and Releases
22.7R2 through 22.7R2.4	22.7R2.5
22.7R2.4 and prior,  9.1R18.9 and prior	22.7R2.5
22.7R2 through 22.7R2.3	22.7R2.5, Patch planned availability Jan. 21
22.7R2.3 and prior	22.7R2.5, Patch planned availability Jan. 21
22.7R1 through 22.7R1.2	Patch planned availability Jan. 21
22.7R1.2 and prior	Patch planned availability Jan. 21

Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.

Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.

Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.

Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.

General Recommendation

Regularly update software and systems to address known vulnerabilities.

Implement continuous monitoring to identify any unauthorized access or suspicious activities.

Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.

Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.

References:

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2025-0283

https://nvd.nist.gov/vuln/detail/CVE-2025-0282

https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM	Microsoft
Severity	Critical
Date of Announcement	2024-12-12
CVE	Not yet assigned
Exploited in Wild	No
Patch/Remediation Available	Yes (No official patch)
Advisory Version	1.0
Vulnerability Name	NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name	CVE ID	Product Affected	Severity
NTLM zero-day	Not Yet Assigned	Microsoft Windows	Critical

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
Not Yet Assigned	Windows 7 to 11 (24H2), Server 2008 R2 to 2022	A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.	Enables attackers to steal NTLM credentials and gain unauthorized access of the affected systems.

Remediations

Apply the 0patch Micropatch:
- Register for a free account at 0patch Central.
- Install the 0patch agent to automatically receive the micropatch.
Disable NTLM Authentication:
- Navigate to Security Settings > Local Policies > Security Options in Group Policy.
- Configure “Network security: Restrict NTLM” policies to limit NTLM usage.

General Recommendations

Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
Monitor systems for suspicious NTLM-related activity.

Critical Session Management Vulnerability in Apache Roller

Android Malware Crocodilus; Threat for cryptocurrency wallet Users

Phishing Crusade Targeted approx 12,000 GitHub Repositories; Victims directed to “gitsecurityapp”

CTI & SOC Team’s Compliment Holistic Threat Hunting

7Zip Mark-Of-The-Web Vulnerability

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

Banshee Stealer: A Growing Threat to macOS Users

Cybersecurity Trends for 2025; Responsible AI to gain Importance

Ivanti Connect Secure VPN Actively Being Exploited in the Wild

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

Overview

Technical Summary

Remediations

General Recommendations

References

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives