Cybersecurity

Blogs

Azure AD configuration file for ASP.NET Core apps credentials leaked by Cybercriminals

A critical flaw in AzureD supported cyber criminals to get access to the digital keys in Azure cloud environment and discovered by Resecurity researchers .

The action enabled unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.

A small critical cloud misconfiguration can give access to cyber attackers to infiltrate and this happened to Azure D when their Cloud native application configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD).

Cloud application are not merely hosted in the cloud instead they are built to thrive in a cloud environment, providing unprecedented scalability, resilience and flexibility making them game changer.

Recently the publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD). This potentially led attackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.

This issue cannot be overlooked by enterprise as the discovery by Resecurity’s HUNTER team exposed Azure AD credentials  ClientId and ClientSecret — exposed in an Application Settings (appsettings.json) file on the public Internet.

Once the credentials lands up in hackers domain any malicious activates can be conducted and compromise an organization’s Azure-based cloud deployment simultaneously retrieve sensitive data from SharePoint or Exchange Online etc. Further abuse of Graph API for privilege escalation or persistence; and the deployment of malicious applications under the organization’s tenant.

Exploiting AzureD Flaw The attack flow

To exploit the flaw, an attacker can first use the leaked ClientId and ClientSecret to authenticate against Azure AD using the Client Credentials from OAuth2 flow to acquire an access token.

Once this is acquired, the attacker then can send a GET request to the Microsoft Graph API to enumerate users within the tenant.

This allows them to collect usernames and emails; build a list for password spraying or phishing; and/or identify naming conventions and internal accounts, according to the post.

Cyber attacker also can query the Microsoft Graph API to copy OAuth2 to take permission grants within the tenant, revealing which applications have been authorized for further permissions, they hold.

Once acquired token allows an attacker to use group information to identify privilege clusters and business-critical teams.

Protecting Enterprise from getting Azure secrets exposed.

Enterprise failing to practice regular scanning, penetration tests, or code reviews, exposed cloud files can remain unnoticed until attackers discover them and exploit them, according to the post.

Further for better security posture enterprise can restricting file access; removing secrets from code and configuration files; rotating exposed credentials immediately; enforcing least privilege principles and setting up monitoring and alerts on credential use, according to the post.

Importance of automation in cloud native application

Implement continuous integration and continuous deployment (CI/CD) pipelines to automate building, deploying, and testing cloud native applications. Manage and provision cloud infrastructure using code, allowing for version control and repeatability. 

Several benefits of following best practices when developing cloud native apps, like increased scalability, fewer occurrences of critical failures, and high efficiency

Enterprises having product based focus will go for cloud-first approach and ask questions on how to go about cloud computing etc.

What could have happened or will happen if not looked into Azure Active Directory (Azure AD) flaw?

Azure Active Directory (Azure AD) termed as high impact in terms of vulnerability.

Once authenticated, attackers can:

  • Retrieve sensitive SharePoint, OneDrive, or Exchange Online data via Graph API calls.
  • Enumerate users, groups, and roles, mapping out the tenant’s privilege model.
  • Abuse permission grants to escalate privileges or install malicious service principals.
  • Deploy rogue applications under the compromised tenant, creating persistence and backdoors.

Enterprises must perform compliance checks to ensure that application designed meets industry standards and regulatory requirements. Once robust auditing and reporting mechanisms is on track that changes any access to sensitive data. 

Source: JSON Config File Leaks Azure AD Credentials

Critical Flaw in Azure AD Lets Attackers Steal Credentials and Install Malicious Apps

Security Advisory

Threat Actors Exploiting Microsoft Teams to Gain Remote Access & Transfer Malware 

Security Advisory:

A new wave of social engineering attacks is exploiting Microsoft Teams, one of the most trusted enterprise collaboration platforms as a malware delivery channel.

Threat actors are impersonating IT support staff to trick employees into installing remote access tools and running malicious PowerShell scripts, enabling full compromise of victim environments. 

This campaign represents an evolution beyond traditional phishing, weaponizing corporate communication channels that employees inherently trust. Once access is established, attackers deploy multifunctional malware loaders such as DarkGate and Matanbuchus, with capabilities for credential theft, persistence, lateral movement and ransomware deployment. 

Technical Summary 

Security researchers have observed financially motivated threat groups abusing Microsoft Teams chats and calls to impersonate IT administrators. Attackers create malicious or compromised Teams accounts often using convincing display names like “IT SUPPORT ” or “Help Desk Specialist” as looking like legitimate and verified account to initiate direct conversations with employees. The social engineering process typically follows this chain 

Attack Process                                                                             Source: permiso.io 

It included the malware features 

  • Credential theft via GUI-based Windows prompts. 
  • Persistence using Scheduled Tasks (e.g. Google LLC Updater) or Registry Run keys. 
  • Encrypted C2 communications with hardcoded AES keys & IVs. 
  • Process protection via RtlSetProcessIsCritical, making malware harder to remove. 
  • Harvesting system info for reconnaissance and follow-on payloads. 

The campaigns have been linked to threat actor groups such as Water Gamayun (aka EncryptHub), known for blending social engineering, custom malware and ransomware operations. 

Element Detail 
Initial Access Direct messages/calls via Microsoft Teams impersonating IT staff 
Social Engineering Fake IT accounts with display names like “IT SUPPORT ✅” and onmicrosoft.com domains 
Malicious Tools QuickAssist, AnyDesk, PowerShell-based loaders (DarkGate, Matanbuchus) 
Persistence Scheduled Tasks (Google LLC Updater), Registry autoruns 
Payload Features Credential theft, system profiling, encrypted C2, remote execution 
Target Enterprise employees, IT professionals, developers 
Objective Credential theft, long-term access, ransomware deployment 

IOCs 

Organizations are urged to block the following indicators immediately: 

Indicator Type 
https://audiorealteak[.]com/payload/build.ps1 URL 
https://cjhsbam[.]com/payload/runner.ps1 URL 
104.21.40[.]219 IPv4 
193.5.65[.]199 IPv4 
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6 UA 
&9*zS7LY%ZN1thfI Initialization Vector 
123456789012345678901234r0hollah Encryption Key 
62088a7b-ae9f-2333-77a-6e9c921cb48e Mutex 
Help Desk Specialist  User Display Name 
IT SUPPORT User Display Name 
Marco DaSilva IT Support  User Display Name 
IT SUPPORT  User Display Name 
Help Desk User Display Name 
@cybersecurityadm.onmicrosoft.com User Principal Name 
@updateteamis.onmicrosoft.com User Principal Name 
@supportbotit.onmicrosoft.com User Principal Name 
@replysupport.onmicrosoft.com User Principal Name 
@administratoritdep.onmicrosoft.com User Principal Name 
@luxadmln.onmicrosoft.com User Principal Name 
@firewalloverview.onmicrosoft.com User Principal Name 

Remediation

  1. Strengthen Microsoft Teams Security 
  • Restrict external tenants and enforce strict access control on Teams. 
  • Implement anomaly detection for suspicious Teams account activity. 
  • Block installation of unauthorized remote access tools (QuickAssist, AnyDesk). 

2. Enhance Endpoint & Network Defenses 

  • Monitor PowerShell execution with EDR/XDR solutions. 
  • Detect persistence artifacts (scheduled tasks, autorun keys, rundll32 activity). 
  • Block known IoCs at DNS/firewall levels. 

 3. Employee Awareness & MFA Security 

  • Train employees to verify IT support requests through independent channels. 
  • Warn staff against installing software via unsolicited Teams messages. 
  • Enforce multi-factor authentication (MFA) for all accounts. 

Conclusion: 
By shifting malware delivery into Microsoft Teams, attackers are exploiting a platform that enterprises inherently trust. The blending of social engineering with technical abuse of PowerShell and remote access tools makes this campaign particularly dangerous, enabling attackers to infiltrate organizations without relying on traditional email phishing. 

Organizations must treat collaboration platforms as high-value attack surfaces not just communication tools. Strengthening monitoring, restricting external interactions and training employees to validate IT requests are critical to defending against this evolving threat.  

References

Security Advisory

Critical Chrome Use-After-Free Vulnerability in ANGLE Graphics Library 

Security Advisory: A critical use-after-free vulnerability has been identified in the ANGLE graphics library used by Google Chrome which enables applications designed for OpenGL ES (OpenGL used on mobile and embedded devices) or WebGL (a web-based 3D graphics API) to run on platforms that primarily use other graphics APIs, such as DirectX on Windows or Vulkan on Android.

OEM Google Chrome 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-9478 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This vulnerability could allow attackers to take control of your device simply by visiting a harmful website using HTML or WebGL which is just opening the wrong page could let hackers run their own code on our system. 

Google has already fixed this problem in the latest Chrome update (version 139.0.7258.154/.155 for Windows & macOS and 139.0.7258.154 for Linux). Users and administrators are strongly advised to apply the latest updates immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Use-After-Free Vulnerability in ANGLE  CVE-2025- 9478 Google Chrome  High  v139.0.7258.154/.155 (Win/Mac), v139.0.7258.154 (Linux) 

Technical Summary 

This security issue happens when Chrome accidentally reuses computer memory that should no longer be in use. This is exploited by the attacker, if we visit a harmful website designed by cybercriminals, it can secretly run special graphics commands (through WebGL or Canvas). This could corrupt our system’s memory, crash our browser, or allow hackers to run their own code on our device remotely. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025- 9478 Chrome < 139.0.7258.154 A Vulnerability in Chrome’s graphics engine lets attackers reuse cleared memory through specially designed HTML/WebGL input. Remote code execution,  
Data theft  
 

Remediation

  • Update to Chrome latest versions 139.0.7258.154/.155 on Windows/macOS or 139.0.7258.154 on Linux or the later one. 

Here are some recommendations below 

  • Keep monitoring the logs for suspicious activities unusual WebGL or graphics API call. 
  • Conduct user awareness training to educate users about the risks of malicious websites, avoiding unknown links. 

Conclusion: 
This is a high-severity Chrome vulnerability that could allow remote code execution via malicious WebGL content. Although not yet exploited in the wild but immediate patching is essential. Users should update Chrome, monitor unusual graphics activity and stay informed about malicious website risks to ensure strong browser security. 

References

Cybersecurity News

ENISA to operate the EU Cybersecurity Reserve with EUR 36 million

ENISA to operate the EU Cybersecurity Reserve with EUR 36 million

Continue Reading
Security Advisory

Multiple Critical Vulnerabilities in Citrix NetScaler ADC/Gateway 

Security Advisory: Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway One Actively Exploited in Wild .

Citrix credited Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and Francois Hammerli for discovering and reporting the vulnerabilities.

Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 
A critical zero-day vulnerability, tracked as CVE-2025-7775, puts over 28,200 Citrix instances at risk worldwide.

This flaw allows attackers to run malicious code on affected systems without authentication. The issue is actively being exploited in the wild and immediate action is needed to secure systems.  Another two flaws were fixed in the latest updates.  

Vulnerability Name CVE ID Product Affected Severity 
Memory overflow vulnerability leading to RCE CVE-2025-7775 NetScaler ADC & Gateway 9.2 
Memory overflow vulnerability leading to unpredictable behavior CVE-2025-7776 NetScaler ADC & Gateway 8.8 
Improper access control on the NetScaler Management Interface CVE-2025-8424 NetScaler ADC & Gateway 8.7 

Technical Summary 

The NetScaler ADC and NetScaler Gateway appliances are affected by multiple critical vulnerabilities that pose significant risks ranging from Remote Code Execution (RCE) and Denial of Service (DoS) to improper access control.

These include memory overflow flaws in configurations such as VPN virtual servers, load balancing virtual servers using IPv6 or DBS IPv6 services, and misconfigurations involving PCoIP profiles. Additionally, the management interface is exposed due to weak access control mechanisms, which could allow unauthorized administrative access if attackers reach key management IP addresses like NSIP or SNIP. CISA has added one vulnerability (CVE-2025-7775) to its Known Exploited Vulnerabilities (KEV) Catalog and strongly urges organizations to apply patches immediately to prevent active exploitation. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-7775  NetScaler ADC & Gateway  A critical memory overflow vulnerability in NetScaler ADC and Gateway that can lead to Remote Code Execution or DoS when configured as a Gateway (e.g., VPN, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, or LB virtual server using IPv6 or DBS IPv6 services including CR virtual servers of type HDX. Remote Code Execution or DoS  
CVE-2025-7776  NetScaler ADC & Gateway A memory overflow vulnerability under analysis, currently known to cause unpredictable system behavior and potential DoS when a PCoIP Profile is bound to a Gateway-configured NetScaler instance (VPN, ICA Proxy, CVPN, RDP Proxy), Erroneous behavior and DoS 
CVE-2025-8424 NetScaler ADC & Gateway An improper access control vulnerability on the NetScaler Management Interface, allowing unauthorized access when attackers can reach management IPs (NSIP, Cluster Management IP, local GSLB Site IP, or SNIP with Management Access), affecting NetScaler ADC and Gateway appliances. Unauthorized access 

Recommendations 

NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.  

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases 
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1 
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP 
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP 

Here are some other recommendations below 

  • Monitor systems for unusual activity or unauthorized changes. 
  • Limit access to Citrix instances from untrusted networks. 
  • Use firewalls to block suspicious traffic targeting Citrix instances. 

Conclusion: 

Combined with additional high-severity vulnerabilities the overall threat landscape demands immediate attention. Organizations are strongly urged to apply the latest patches, restrict access to management interfaces and closely monitor for signs of compromise. Delayed action could result in significant operational and security impacts. 

The active exploitation of CVE-2025-7775 highlights a critical security threat affecting multiple NetScaler ADC and Gateway instances globally. This zero-day confirmed exploitation in the wild poses a severe risk of Remote Code Execution and service disruption.

References

  

'Lightweight cryptography' standard to protect small devices finalized
Blogs

NIST Wrapped Up ‘Lightweight Cryptography’ Algorithm to protect small devices, as IoT & Embedded Devices being prime Target of cybercriminals

The National Institute of Standards and Technology (NIST) has finalized four lightweight cryptographic algorithms designed to safeguard data generated and transmitted by the Internet of Things (IoT) and other small-scale technologies.

The four lightweight cryptographic algorithms that NIST has finalized the standard after a multiyear public review process followed by extensive interaction with the design community.

In the wake of  IoT and embedded devices increasingly targeted by cybercriminals, the lightweight cryptography standard ensures strong security without overburdening limited hardware, paving the way for safer adoption in critical sectors like healthcare, transportation, and smart infrastructure.

There are many connected device such as smart home systems, fitness tracker and other IoT applications that lack the processing power and memory to run conventional encryption methods.

NIST’s new lightweight cryptography standard addresses this challenge by offering algorithms that require significantly less computing power and time, while still providing strong protection against cyberattacks.

The new framework, Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST SP 800-232), provides tools for authenticated encryption and hashing while minimizing energy, time, and memory usage.

Selected in 2023 after a global review, the Ascon algorithm family forms the core of the standard. Originally developed in 2014 by researchers at Graz University of Technology, Infineon Technologies, and Radboud University, Ascon has already proven its resilience through the CAESAR competition, where it was recognized as a leading lightweight encryption solution.

Key Features of the Standard

The standard is the result of a multiyear public review and extensive collaboration with the cryptographic design community. Its adoption will help ensure that even resource-constrained devices can securely protect sensitive information.

As NIST emphasizes, “it’s the little things that matter most.” With this new standard in place, even the smallest of networked electronics now have robust defenses against cyber threats.

Four related algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics.

Many networked devices do not possess the electronic resources that larger computers do, but they still need protection from cyberattacks. NIST’s lightweight cryptography standard will help. 

The four algorithms in the standard require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices such as those making up the Internet of Things. 

In the standard are four variants from the Ascon family that give designers different options for different use cases. The variants focus on two of the main tasks of lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing. 

ASCON-128 AEAD – Enables secure data encryption and integrity checks while resisting side-channel attacks.

ASCON-Hash 256 – Provides lightweight integrity verification for firmware updates, passwords, and digital signatures.

ASCON-XOF 128 / ASCON-CXOF 128 – Flexible hash functions with customizable lengths for efficiency and collision resistance.

The CXOF variant also adds the ability to attach a customized “label” a few characters long to the hash. If many small devices perform the same encryption operation, there is a small but significant chance that two of them could output the same hash, which would offer attackers a clue about how to defeat the encryption. Adding customized labels would allow users to sidestep this potential problem.

McKay said the NIST team intends the standard not only to be of immediate use, but also to be expandable to meet future needs.

NIST researchers emphasize the standard’s immediate applicability across industries, from smart appliances to healthcare. Future updates may expand functionalities, including a dedicated message authentication code.

In India, regulatory bodies have issued frameworks such as TEC’s Code of Practice for Securing Consumer IoT Devices and the IoT System Certification Scheme to enforce baseline security.

These measures focus on secure boot, encrypted communications, and safe software updates for connected devices.

Sources: ‘Lightweight cryptography’ standard to protect small devices finalized

Security Advisory

Docker Desktop Vulnerability Allows Full Host Compromise via Exposed API 

A critical vulnerability has been discovered in Docker Desktop for Windows, macOS and Linux distributions.

The vulnerability allows malicious containers to gain full access to the host system by misusing an exposed Docker Engine API endpoint.

Docker Desktop

Docker a must to have in modern enterprise infrastructure, as a strong foundation pillar that powers cloud-native applications including CI/CD pipelines and microservices at massive scale. Any vulnerabilities in Docker images and runtimes are particularly dangerous as they can open the door to severe supply-chain attacks, container escapes, data leaks, and even full host compromise. 

OEM Docker 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9074 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

The vulnerability, considered as CVE-2025-9074, which affects Docker Desktop versions prior to 4.44.3. This exploitation requires no special configuration and can be triggered with minimal interaction. Docker has addressed this issue in version 4.44.3, administrator or user are suggested to upgrade to the latest version. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Docker Engine API Exposure / Container Escape  CVE-2025-9074 Docker Desktop 
(Windows, macOS, Linux) 		 Critical  v4.44.3 

Technical Summary 

The vulnerability comes from Docker Desktop’s internal API endpoint (http://192.168.65.7:2375) being accessible from any container running locally. The endpoint with lack of authentication allows privileged API commands such as creating new containers, mounting host directories, and controlling images. 

On Windows with WSL, this becomes riskier because attackers could mount your C: drive with the same rights, giving them full access to the machine. With the safety settings like Enhanced Container Isolation (ECI) or disabling TCP exposure, don’t fully block this problem. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9074  v4.25 before v4.44.3  An internal HTTP API is automatically open to containers on the default network. This could allow us to run powerful commands – creating containers, managing images or accessing the host system  Full host compromise, including file system and resource access 

Remediation

  • Upgrade to Docker Desktop version 4.44.3 or later across all supported platforms. 

Recommendations: 

Here are some recommendations below  

  • Don’t depend only on container isolation, treat development tools as part of the security perimeter. 
  • Use network segmentation and zero-trust controls to protect container workloads. 
  • Monitor container traffic for unauthorized API access attempts. 
  • Apply strict IAM rules and give users only the permissions they really need on Docker hosts. 

Conclusion: 
CVE-2025-9074 is a critical container escape vulnerability exposing host systems to complete compromise. While no active exploitation has been reported, the weakness is easy to exploit. Immediate patching and environment hardening are strongly recommended for all Docker Desktop users. 

References: 

Security Advisory

Apple Patches Zero-Day Vulnerability Exploited in Targeted Attacks (CVE-2025-43300) 

Security Advisory : Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.

To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-43300 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview  The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.

The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
An out-of-bounds write issue   CVE-2025-43300 iPhone, iPad, macOS  High iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS 13.7.8, macOS 14.7.8, macOS 15.6.1 

Technical Summary 

The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.

It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.

This makes it a critical security flaw, particularly because the attack vector image files are common and often considered low risk. Apple has mitigated vulnerability by improving bounds by checking in the affected code.

The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-43300 iPhones, iPads, Macs. Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches.  Remote code execution via malicious image zero-click attack surface 

Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms. 

  • CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content. 
  • CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges. 
  • CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app. 
  • CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files. 
  • CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges. 
  • CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation. 
  • CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution. 

Remediation

Update your Apple devices immediately to the latest patched versions: 

  • iPhone – iOS 18.6.2 
  • iPad – iPadOS 18.6.2/17.7.10 
  • macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1. 

Conclusion: 
Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.

Users are strongly advised to update their devices immediately to stay protected against these serious threats. 

In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.

While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats. 

References

Security Advisory

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Microsoft Patch Tuesday : Key points:

119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-08-12 
No. of Patches  119 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint. 

  • 111 Microsoft CVEs addressed 
  • 8 non-Microsoft CVEs addressed 

Breakdown of August 2025 Vulnerabilities 

  • 44 Elevation of Privilege Vulnerabilities 
  • 35 Remote Code Execution Vulnerabilities 
  • 18 Information Disclosure Vulnerabilities 
  • 9 Spoofing Vulnerabilities 
  • 4 Denial of Service Vulnerabilities 
  • 1 Tampering vulnerabilities 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kerberos Elevation of Privilege Vulnerability CVE-2025-53779 Windows Server 2025 High 7.2 

Technical Summary 

The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.

This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.

Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-53779 Microsoft Windows Server 2025 Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. Privilege escalation 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE202550165 and CVE202553766: Graphics-related RCEs, particularly vulnerable due to their ability to execute code without user interaction and potential wormable behavior. 
  • CVE202553792: Azure Portal, privilege escalation vulnerability, critical impact on cloud administration surface. 
  • CVE202550171: Remote Desktop Server, allows remote code execution over RDP. 
  • CVE202553778: Windows NTLM, elevation of privilege exploitation includes lateral movement across enterprise networks. 
  • CVE202553786: Microsoft Exchange Server, hybrid environment vulnerability with potential for cloud environment hijacking. 

Key Affected Products and Services 

The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Core and Authentication Systems 

Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more. 

  • Microsoft Office Suite and Productivity Tools 

Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams. 

  • Cloud and Azure Ecosystem 

Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal. 

  • Virtualization and Hypervisor Technologies 

Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization. 

  • Development Tools 

Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments. 

  • Messaging and Queuing Services 

Includes a critical RCE in Microsoft Message Queuing (MSMQ). 

  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the August 2025 security updates immediately to mitigate risks. 

Conclusion: 

Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.

References

Blogs

Automotive Security under fire as Firmware Flipper Zero of Dark Web break Rolling Code security of Latest Vehicles

Security researchers discovered Firmware for device related to Flipper Zero and showcased by YouTube channel Talking Sasquatch.

A cyber threat that can bring in significant escalation in automotive cybersecurity that demands a single intercepted signal to compromise a vehicle’s entire key automotive functionality. Rolling code security systems basically protects millions of modern vehicles.

Automative vehicles may use encryption to avoid eavesdropping (i.e., capture and decoding of signals) or tampering attacks (i.e., “flipping” lock signals to unlocks). However, replaying signals, even if they are encrypted, is straightforward.

Rolling code security

That is where rolling code come in action and have been introduced wherein a particular code2 (e.g., an “unlock” code) is considered disposable, i.e., it is only used once. In a nutshell, every button click on the key fob triggers a counter in the key fob and in the vehicle upon reception to roll, making it valid for subsequent use in the future. (https://dl.acm.org/doi/full/10.1145/3627827)

Single capture attack method: For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob’s functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to the Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes.

Challenges in Automotive landscape

The automotive landscape has transformed into a convergence of software and mechanics, introducing exciting possibilities for vehicle performance and convenience. New concerns on vulnerabilities raises eyes about how malicious actors can exploit codes.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

Secure coding

It is advised that regular code reviews is published that uses latest static analysis tools help detect vulnerabilities early in the development process.

Keep a secured update mechanisms enable swift responses to emerging threats that can address security vulnerabilites

Let’s understand the importance of of security and feel responsible for it and that requires best practices, cyber security culture and implementing early testing.

What can manufactures do to avoid cyber security lapses

For manufactures its advisable DevSecOps and automotive fuzzing tools that offer great solutions to prevent crashes further they improve efficiency and accuracy of their testing efforts and minimize costs.

GaarudNode from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Sources: https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasses-rolling-code-security/)

Scroll to top