Cybersecurity

Uncategorized

Google Chrome Zero-Day Vulnerability (CVE-2025-6554) Actively Exploited – Patch Now 

Summary : Security Advisory: Google has issued an urgent security update for Chrome browser users worldwide, addressing a high-severity zero-day vulnerability in the Chrome browser CVE-2025-6554 actively being exploited by cybercriminals.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-6554 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This is a type confusion flaw in Chrome’s V8 JavaScript engine allows arbitrary code execution and it’s actively being exploited in the wild. 

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025, and a temporary mitigation was pushed on June 26, 2025. This internal discovery highlights the ongoing security monitoring efforts within Google’s infrastructure.

The mitigation measure passed through a configuration change pushed to all stable channel users across all platforms.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 

Technical Summary 

CVE-2025-6554 is a type confusion vulnerability in Chrome’s V8 JavaScript engine. It allows threat actors to exploit memory misinterpretation and execute arbitrary code, potentially compromising the browser or the underlying system. Google has confirmed active exploitation of this flaw. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  

Remediation

A full fix is available in the latest stable channel update. Users are strongly advised to update immediately to ensure full protection. 

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97 
  • macOS: 138.0.7204.92/.93 
  • Linux: 138.0.7204.96 

Conclusion: 

The exploitation of CVE-2025-6554 in the wild highlights the urgency of applying the latest Chrome security update. Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

Organizations using Chrome in enterprise environments should prioritize this update across their networks.

The combination of confirmed active exploitation and the high-severity rating makes this patch deployment critical for maintaining organizational cybersecurity posture.

Refer to Intruceptlabs products & solution for better cyber security posture with Intru360, Gaarud Node

References

Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Citrix NetScaler ADC/Gateway Vulnerability Exploited in the Wild (CVE-2025-6543) 

Summary : Security Advisory;

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

OEM Citrix 
Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-6543 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

A critical memory overflow vulnerability, CVE-2025-6543, has been discovered in NetScaler ADC and NetScaler Gateway products, potentially leading to denial-of-service and unintended control flow. The issue affects deployments configured as Gateway services. Active exploitation in the wild has been reported. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Memory overflow vulnerability  CVE-2025-6543 NetScaler ADC and NetScaler Gateway  Critical  14.1-47.46 / 13.1-59.19 / 13.1-37.236 

Technical Summary 

CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway products that can result in denial-of-service (DoS) or arbitrary control flow, particularly when the system is configured as a Gateway or AAA virtual server.

The flaw stems from improper restriction of operations within memory buffer bounds (CWE-119). This vulnerability has been exploited in real-world attacks. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-6543 NetScaler ADC & Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP Memory overflow due to improper memory boundary restrictions when configured as Gateway or AAA virtual servers  Denial-of-Service and Unintended control flow 

Remediation

  • Immediate Action: Affected customers are strongly advised to upgrade to the fixed versions: 
Product Version Recommended Fixed Build 
NetScaler ADC / Gateway 14.1 14.1-47.46 or later 
NetScaler ADC / Gateway 13.1 13.1-59.19 or later 
NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236 or later 

Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable. These should be replaced with supported, patched builds. 

Customers using FIPS or NDcPP variants should contact Citrix Support directly for access to the fixed builds. 

Conclusion: 
CVE-2025-6543 represents a highly critical risk to organizations utilizing NetScaler Gateway or ADC for secure access and application delivery.

Organizations still using outdated or end-of-life (EOL) versions are especially vulnerable and should prioritize upgrading to supported builds. 

This flaw follows a pattern of severe vulnerabilities affecting NetScaler products, including the recently disclosed CVE-2025-5777 (CVSS score: 9.3), which also posed a significant threat to enterprise infrastructure.

Together these issues highlight the urgent need for timely patching, continuous monitoring, and defense-in-depth strategies to safeguard critical network assets. 

With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.

Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Blogs

16 Billion Passwords Leaked in Largest Data Breach; Impact of Infostealer Malware

Data Breach with 30 exposed Datasets & contained approx 10 to 3.5 billion records making it one of the largest data breach.

According to a report security researchers from Cybernews found about a Data breach that leaked important data or passwords that was mostly generated by various cybercriminals using info stealing malware. They exposed data was made to look like a breach but these login credentials were gathered from social media, corporate platforms, VPNs etc via infostealer.

Now cybercriminals have unprecedented access to personal credentials and these credentials be used for account takeover, identity theft and targeted phishing activities.

The concern is the structure and recency of these datasets as they are not old breaches being recycled. This is fresh, weaponizable intelligence at scale”, added researchers.

The data sets contains a mix of details from stealer malware, credential stuffing sets and repackaged leaks. There is no way to compare these datasets, but likely to contain at least some duplicated information. This makes it hard to determine how many people were affected by the data breach.

What are Data sets & how deadly can be Infostealer as a malware?

Datasets are basically structure collection of data collected over the years or so and organized as case specific models

In 2024 datasets containing billions of passwords have previously found their way on the internet. Last year, researchers came across what they called the Mother of All Breaches, which contained more than 26 billion records.

The data breach that happened had data in sets, following a particular pattern, containing an URL followed by a username and password. To those unaware, this is exactly how infostealing malware collects information and sends it to threat actors.

The exposed data came from platforms widely used round the world starting from Google, Apple, Github, Telegram & Facebook. So data was first collected over a period of time, further made into data sets and grouped together.

Info stealers are malware programs that are designed to silently steal usernames and passwords Basically designed to swipe of credentials from people’s devices and send them to threat actors for further them for sale on dark web forums.

An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide. No device is spare from infostealer’s impact including Windows and Macs, and when executed, will gather all the credentials it can find stored on a device and save them in what is called a “log.”

If a organization or individual is infected with an infostealer and have hundreds of credentials saved in their browser, the infostealer will steal them all and store them in the log. These logs are then uploaded to the threat actor, where the credentials can be used for further attacks or sold on cybercrime marketplaces.

An infostealer log is generally an archive containing numerous text files and other stolen data.

Fig1:

(Image courtesy: Bleeping computers)

A devastating data breach is a nightmare for customers and affected organizations, but breaches can have a positive side also. Each incident is a learning opportunity. It’s easier to defend critical data when we understand the mistakes made by others and the tactics used by attackers.

How to be secure & keep your Data safe

If users are in midst of data breach or may find that their data is not safe as an infostealer might be there in your systems or devices then scan your device with an antivirus program. Once done then change password or your newly entered credentials could be stolen again. The system is clean so password hygiene can be maintained time to time.

At times even unique passwords won’t help you stay protected if you are hacked, fall for a phishing attack, or install malware. Its better not to change all credentials in one go instead having a cyber security hygiene in routine is better as an option.

Intru360

For organizations to stop and detect any intrusion by attackers prefer to have Intru360 in your list of cyber security go to products from Intruceptlabs.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Globally every year cyberattacks are growing and mutating each month. Organizations have their Intelligent intrusion network detection systems in place analyze and detect anomalous traffic to face these threats.

Do visit our website for more information.

Source: https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/amp/

Uncategorized

Privilege Escalation Vulnerability in AI Engine WordPress Plugin, Allows Subscriber-Level Account Takeover 

Summary :Security Advisory: A critical privilege escalation vulnerability (CVE-2025-5071) was discovered in the AI Engine WordPress plugin, allowing subscriber-level users to gain administrator privileges when the MCP (Model Context Protocol) module is enabled.

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-5071 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘Meow_MWAI_Labs_MCP::can_access_mcp’ function in versions 2.8.0 to 2.8.3.

This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like ‘wp_create_user’, ‘wp_update_user’ and ‘wp_update_option’, which can be used for privilege escalation, and ‘wp_update_post’, ‘wp_delete_post’, ‘wp_update_comment’ and ‘wp_delete_comment’, which can be used to edit and delete posts and comments.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-5071 AI Engine WordPress Plugin  High  2.8.4 

Technical Summary 

AI Engine is a WordPress plugin that recently introduced support for MCP (Model Context Protocol), which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.

The vulnerability stems from insufficient authorization checks in the can_access_mcp () function within the plugin, enabling any authenticated (logged-in) user to bypass Bearer Token validation and access MCP endpoints.

This access can be exploited to escalate user privileges by executing commands such as wp_update_user, ultimately leading to full site compromise. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-5071  WordPress with AI Engine Plugin 2.8.0–2.8.3 The can_access_mcp() function incorrectly grants MCP endpoint access to all logged-in users. Even when Bearer Token authentication is enabled, lack of empty value checks in the token validation logic allows privilege escalation.  Complete site compromise 

Remediation

  • Immediate Action: Update the AI Engine plugin to version 2.8.4 or later. 
  • Configuration Check: Ensure that MCP and Dev Tools modules remain disabled unless it’s necessary. 

Conclusion: 
The CVE-2025-5071 vulnerability in the AI Engine WordPress plugin highlights the potential risks when advanced modules like MCP are misconfigured.

Even though the feature is disabled by default, sites that have enabled it become susceptible to complete takeover by authenticated users.

Website administrators are urged to update to version 2.8.4 immediately and verify that security best practices are enforced to prevent such escalations. With over 100,000 active installations, this flaw presents a significant risk to the WordPress ecosystem if left unpatched. 

References

t  

Security Advisory

Veeam Backup Patched Critical Vulnerabilities Enabling RCE & Privilege Escalation 

Summary ; Security Advisory

Veeam disclosed three critical vulnerabilities affecting its widely deployed backup software. Veeam Backup & Replication is an enterprise-grade data protection solution used to back up, recover and replicate virtual machines, cloud workloads including physical servers.

OEM Veeam 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-23121, CVE-2025-24286, CVE-2025-24287 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Multiple high-impact vulnerabilities have been disclosed in Veeam Backup & Replication and Veeam Agent for Microsoft Windows, impacting versions prior to 12.3.2 and 6.3.2 respectively.

The most critical issue (CVE-2025-23121) may allow a remote code execution (RCE) on the backup server by an authenticated domain user, effectively granting complete control over backup infrastructure. 

The vulnerabilities also include risks of unauthorized modification of backup jobs (CVE-2025-24286) and privilege escalation via local directory manipulation (CVE-2025-24287). These flaws could enable attackers to execute arbitrary code or gain elevated permissions. 

These flaws pose significant risks to organizations relying on Veeam for data integrity and disaster recovery. The data protection system of an organization may get affected if compromised and threaten domain-joined backup servers.

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution via Authenticated Domain User  CVE-2025-23121 Veeam Backup & Replication  Critical (9.9) 
Arbitrary Code Execution via Backup Operator Role Abuse  CVE-2025-24286 Veeam Backup & Replication  High (7.2) 
Privilege Escalation via Directory Manipulation  CVE-2025-24287 Veeam Agent for Microsoft Windows  Medium (6.1) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-23121  Veeam Backup & Replication 12.3.1.1139 and all earlier v12 builds A remote code execution vulnerability affecting domain-joined Veeam backup servers. An authenticated domain user may execute arbitrary commands with elevated privileges.   Remote Code Execution 
  CVE-2025-24286 Veeam Backup & Replication 12.3.1.1139 and earlier  Authenticated users with the Backup Operator role can modify backup job configurations to inject and execute code.   Arbitrary Code Execution 
  CVE-2025-24287  Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier  Local users can manipulate directory contents leading to code execution with elevated privileges.  Local Privilege Escalation  

Remediation

Users are strongly advised to apply the following updates to mitigate the risks: 

  • Upgrade Veeam Backup & Replication to 12.3.2 (build 12.3.2.3617) or later 
  • Upgrade Veeam Agent for Microsoft Windows to 6.3.2 (build 6.3.2.1205) or later 

Here are some recommendations below 

  • Limit backup server access to trusted users only to reduce the risk of unauthorized control. 
  • Apply least privilege principles for backup roles so users have only the permissions they need. 
  • Regularly monitor backup job changes and system logs to detect suspicious activity early. 
  • Provide security awareness training to staff focusing on backup and recovery best practices. 

Conclusion:  For Security Best practices

Veeam has released patches to address all three vulnerabilities and urged organizations to update Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) as soon as possible.

For security best practices maintaining up-to-date backup systems, prompt patching and adherence to security best practices are essential to prevent potential exploitation and data compromise.

The critical nature of vulnerabilities demands backup and disaster recovery along with strict access controls and ongoing monitoring as essential tips to safeguard infrastructure that have been backed up from potential attacks. 

References

Security Advisory

Google Chrome Zero-Day CVE-2025-2783 Exploited in APT Group TaxOff Campaigns 

Summary 

A newly-patched zero-day vulnerability in Google Chrome CVE-2025-2783 which was exploited in the wild by a threat actor TaxOff, leading to the deployment of Trinper which an advanced backdoor.

The CVE-2025-2783 exploited a sandbox escape vulnerability within Google Chrome’s Mojo IPC (Inter-Process Communication) framework, which allowed attackers to bypass the browser’s security sandbox and lead to RCE. 

TaxOff Threat Actor 

TaxOff is a highly sophisticated Advanced Persistent Threat (APT) group primarily targeting government organizations which is known for its use of advanced social engineering tactics, often involving phishing campaigns that exploit themed around financial reporting and regulatory compliance. 

The CVE-2025-2783 vulnerability was first detected in March 2025 after Kaspersky reported real-world exploitation.

TaxOff used a phishing-based delivery method, which involved embedding a malicious link in emails masquerading as invitations to legitimate events like the Primakov Readings forum.

Once the link was clicked, the CVE-2025-2783 exploit was triggered, leading to the deployment of the Trinper backdoor. It was a one-click compromise that delivered a highly tailored payload with surgical precision. 

Trinper Backdoor 

This is a multi-threaded C++ backdoor that collected host data, logged keystrokes, exfiltrated targeted documents like document, excel or pdf files and maintained remote access.

But this wasn’t just a “plug-and-play” backdoor. Trinper’s loader employed five layers of encryption, utilizing ChaCha20, modified BLAKE2b hashes, and even machine-specific environmental checks. It was decrypted only on intended systems, using unique hardware identifiers like firmware UUIDs and PEB structures. 

Source: global.ptsecurity.com 

Interestingly, researchers found that Team46, a different APT group shares many similarities with TaxOff in terms of TTPs. This overlap raises the possibility that TaxOff and Team46 are the same group operating under different aliases.

Both groups have used PowerShell-based loaders and Cobalt Strike as their primary exploitation vectors. 

This flaw allows threat actors to:

  • Execute arbitrary code
  • Bypass Chrome’s built-in security sandbox
  • Potentially gain remote control over the system

Recommendation 

The rapid exploitation of CVE-2025-2783 highlights the critical importance of timely patch management. Google released a fix for this vulnerability in March 2025, and all users are strongly advised to update their Chrome browsers to the latest version immediately. 

In addition to patching, organizations should implement the following defensive measures 

  • Enhance email filtering systems and provide regular phishing awareness training for employees. 
  • Continuously monitor systems for unusual or suspicious behavior related to script execution or network anomalies. 
  • Restrict the execution of unsigned or obfuscated scripts and macros, particularly in email attachments or downloaded files, using tools like AppLocker or Microsoft Defender ASR. 

References

Security Advisory

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass  

Security Advisory; Summary

Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.

Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.

OEM Apache 
Severity High 
CVSS Score 8.4 
CVEs CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading. 

Timely patching is essential to prevent potential service disruptions and unauthorized access. 

Vulnerability Name CVE ID Product Affected Severity 
​Memory Exhaustion via Multipart Header Exploitation  CVE-2025-48976 Apache Tomcat  High 
Multipart Upload Resource Exhaustion  CVE-2025-48988 Apache Tomcat  High 
Security Constraint Bypass (Pre/PostResources)  CVE-2025-49125 Apache Tomcat  High 
Windows Installer Side-Loading Risk  CVE-2025-49124 Apache Tomcat  High 

Technical Summary 

The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48976 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS.  Denial-of-service attack. 
  CVE-2025-48988 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts.  Denial-of-service attack. 
  CVE-2025-49125  Tomcat with Pre/Post Resources enabled Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls. Authentication and Authorization Bypass. 
  CVE-2025-49124  Tomcat Windows Installers Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. Privilege Escalation. 

Remediation

Update Immediately: Users of the affected versions should apply one of the following mitigations. 

  • Upgrade to Apache Tomcat 11.0.8 or later 
  • Upgrade to Apache Tomcat 10.1.42 or later   
  • Upgrade to Apache Tomcat 9.0.106 or later 

Conclusion: 

Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls. 

The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.

Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.

References

  • https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db 

Blogs Security Advisory

Cyber-Security News at a Glance: June1st -June15th, 2025

The current cybersecurity landscape continues to evolve, marked by persistent challenges and digital technologies transforming the cyber world. Across industries such as healthcare and financial services, in the month of June,2025, organizations navigated advanced threats, cyber attacks on retail sector including Security advisory’s etc.

Let’s explore the key trends and incidents from June1st -June15th, 2025

Microsoft June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI 

 A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.  AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.  

Splunk Enterprise & Cloud platform found that  (XSS) vulnerability existed & affects their multiple versions

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

(DoS) Vulnerability has been identified in ModSecurity, an open-source web application

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

High Risk DoS Vulnerability in ModSecurity WAF 

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild. Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Ways to combat Cyber Threats; Strengthen your SOC’s readiness involves 3 key strategies

Cyber threats are no longer limited to human attackers, with AI-driven “bad bot” attacks now accounting for 1/3 as per research. These attacks can be automated, allowing attackers to launch more extensive and efficient campaigns

Organizations are now exposed new risks, providing cybercriminals with more entry points and potential “surface areas” to exploit as they go digital and adopt to innovations and wider use of digital technologies.

Some of the types of bad bots are DDoS bots, which disrupt a website or online service by overwhelming it with traffic from multiple sources.

IntruceptLabs now offers Mirage Cloak and to summarise Mirage Cloak offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints.

 This is executed by setting up lures with intentionally misconfigured or vulnerable services or applications.

The flexible framework also lets customers add new deception methods as needed.

Conclusion: Organizations can better protect their digital assets and ensure business continuity by understanding the key components and best practices for building a successful SOC.

At the end  we must accept that to defend against any sort of AI attack, SOC teams must evolve with right collaborations and effective communication between partners seamlessly to evaluate information to stay ahead of attackers.

Scroll to top