Cybersecurity

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited

Summary :

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

OEM	Fortinet
Severity	Critical
CVSS Score	9.8
CVEs	CVE-2025-32756
POC Available	Yes
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices.

Vulnerability Name	CVE ID	Product Affected	Severity
Remote Code Execution Vulnerability	CVE-2025-32756	Fortinet Products	Critical

Technical Summary

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication.

The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-32756	FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera	Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate.	Remote Code Execution, Full device takeover, persistence, data theft, log erasure.

Remediation:

Update Immediately: Apply the latest security patches provided by Fortinet.

FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+

FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+

FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+

FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+

FortiCamera: 2.1.4+

Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround

Indicator of Compromise

For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:

IP Addresses	FileHash-MD5
156.236.76.90	2c8834a52faee8d87cff7cd09c4fb946
198.105.127.124	4410352e110f82eabc0bf160bec41d21
218.187.69.244	489821c38f429a21e1ea821f8460e590
218.187.69.59	ebce43017d2cb316ea45e08374de7315
43.228.217.173	364929c45703a84347064e2d5de45bcd
43.228.217.82

Conclusion:
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.

Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss.

These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.

Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

References:

https://fortiguard.fortinet.com/psirt/FG-IR-25-254

https://github.com/kn0x0x/CVE-2025-32756-POC

https://otx.alienvault.com/pulse/6824a0fede556d118cac2b22

https://cybersecuritynews.com/poc-exploit-fortinet-0-day-vulnerability/

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI

Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.

OEM	AWS
Severity	Critical
CVSS Score	9.5
CVEs	CVE-2025-4318
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.

Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.

It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Unsafe Expression Evaluation in Codegen-UI	CVE-2025-4318	@aws-amplify/codegen-ui	Critical	2.20.3

Technical Summary

The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (eg: label, placeholder).

In affected versions, these expressions were directly evaluated using eval() without any filtering or validation, assuming they were safe.

This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible.

A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-4318	AWS Amplify Studio (<=2.20.2)	Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.	RCE, exposure of secrets, CI/CD compromise, unauthorized system control

Remediation:

Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist.

Conclusion:
CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.

A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation.

The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety.

AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.

The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.

References:

https://securityonline.info/cve-2025-4318-cvss-9-5-aws-amplify-rce-flaw-exposed-with-poc-ci-cd-pipelines-at-risk/

https://blog.securelayer7.net/cve-2025-4318-aws-amplify-rce/#Developing-a-Proof-of-Concept-Exploit

https://github.com/aws-amplify/amplify-codegen-ui/releases/tag/v2.20.3

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments

Summary

OEM	Cisco
Severity	Critical
CVSS Score	9.9
CVEs	CVE-2025-20286
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions.

Vulnerability Name	CVE ID	Product Affected	Severity
Cisco ISE Shared Credential Vulnerability	CVE-2025-20286	Cisco ISE	Critical

Technical Summary

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available.

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20286	Cisco ISE 3.1 – 3.4	Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform	Access sensitive data

Remediation:

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4.

Cisco ISE Release	Hot Fix	First Fixed Release
3.0 and earlier	Not applicable.	Not affected.
3.1	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	Migrate to a fixed release.
	This hot fix applies to Releases 3.1 through 3.4.
3.2	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	Migrate to a fixed release.
	This hot fix applies to Releases 3.1 through 3.4.
3.3	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	3.3P8 (November 2025)
	This hot fix applies to Releases 3.1 through 3.4.
3.4	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	3.4P3 (October 2025)
	This hot fix applies to Releases 3.1 through 3.4.
3.5	Not applicable.	Planned release (Aug 2025)

Conclusion:
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation.

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

https://cybersecuritynews.com/cisco-ise-credential-vulnerability/

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform

Summary

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM	Cisco
Severity	MEDIUM
CVSS Score	4.3
CVEs	CVE-2025-20297
CWEs	CWE-79
Exploited in Wild	No
Advisory Version	1.0

Overview

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users.

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Reflected Cross Site Scripting	CVE-2025-20297	Splunk Enterprise & Cloud	Medium	Check the remediation section.

Technical Summary

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20297	Splunk Enterprise & Cloud multiple versions	Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser.	Code Execution/Reflected xss.

Remediation:

Splunk has released updates, that addressed the vulnerability:

Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest.

Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest.

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components.

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations.

Conclusion:
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads.

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking.

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References:

https://advisory.splunk.com/advisories/SVD-2025-0601

https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents

High Risk DoS Vulnerability in ModSecurity WAF

Summary

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

OEM	ModSecurity
Severity	HIGH
CVSS Score	7.5
CVEs	CVE-2025-48866
CWEs	CWE-1050
Exploited in Wild	No
Advisory Version	1.0

Overview

A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10.

There is no user interaction required to trigger, exploiting it can lead to significant resource consumption, resulting in service disruption.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Denial of Service (DoS) vulnerability	CVE-2025-48866	Modsecurity WAF	High	v2.9.10

Technical Summary

The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*).

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-48866	ModSecurity (mod_security2.x) prior to v2.9.10	When a rule uses the sanitiseArg action, it processes each argument that matches the specified name (e.g – password). If a large number of matching arguments (e.g.- 500 or more) are passed, ModSecurity repeatedly adds them to memory, which can lead to excessive memory consumption and potentially crash the system.	System crashes due to resource exhaustion (DoS)

Remediation:

Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one.

Avoid using the “sanitizeArg” or “sanitizeArg” actions in your rules. If these actions are not used, the engine will not be affected by the vulnerability.

Conclusion:
This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection.

Although the vulnerability is rated as high, it requires a specific set of conditions to be exploited. But to ensure the continued stability and security of web applications, the fix needs to be applied as soon as possible.

References:

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w

https://cybersecuritynews.com/modsecurity-waf-vulnerability-crash-system/

https://nvd.nist.gov/vuln/detail/CVE-2025-48866

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM	IBM
Severity	Critical
CVSS Score	9.6
CVEs	CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues.

Vulnerability Name	CVE ID	Product Affected	CVSS Score	Severity
Information Disclosure Vulnerability	CVE-2025-25022	IBM Cloud Pak, QRadar Suite	9.6	Critical
Code Execution Vulnerability	CVE-2025-25021	IBM QRadar SIEM	7.2	High
Denial of Service Vulnerability	CVE-2025-25020	IBM QRadar SIEM	6.5	Medium
Session Hijacking Vulnerability	CVE-2025-25019	IBM QRadar SIEM	4.8	Medium
Web Cache Disclosure Vulnerability	CVE-2025-1334	IBM QRadar Suite	4.0	Medium

Technical Summary

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25022	QRadar SIEM	Unauthenticated access to sensitive config files due to poor protections.	Information disclosure, RCE
CVE-2025-25021	QRadar SIEM	Privileged code execution due to improper script code generation in case management.	Remote Code Execution
CVE-2025-25020	QRadar SIEM	API input validation flaw allowing service crash via malformed data	Denial of Service
CVE-2025-25019	QRadar SIEM	Sessions not invalidated upon logout, enabling impersonation by attackers.	Session Hijacking
CVE-2025-1334	QRadar Suite	Cached web content readable by other users, compromising multi-user data confidentiality.	Local Info Disclosure

Remediation:

Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later.

Refer to IBM’s official installation and upgrade documentation for detailed steps.

Conclusion:
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities.

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References:

https://www.ibm.com/support/pages/node/7235432

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=installing

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=upgrading

Google Chrome Patches Actively Exploited Zero-Day Vulnerability

Summary : Security Advisory

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.

OEM	Google
Severity	HIGH
CVSS Score	8.8
CVEs	CVE-2025-5419
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention.

In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.

While less critical, such flaws can still result in memory corruption and possible code execution.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Out-of-bounds memory access vulnerability	CVE-2025-5419	Google Chrome	High	137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux)

Technical Summary

This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.

This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-5419	Chrome (all platforms)	Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML	Arbitrary code execution, memory compromise, remote attack

Remediation:

Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities.

General Recommendation:

Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise.

Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released.

Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats.

Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments.

Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions.

Conclusion:
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.

Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability.

While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.

References:

https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

https://cybersecuritynews.com/chrome-0-day-vulnerability-exploited-in-the-wild/

AI seen as potential for improved threat detection & cost optimization; Wipro Report

As sophisticated cyber threat grows so is the cost and leaders are now preferring to leverage AI for improved threat detection, incident response and cost optimization.

Wipro report on ‘State of Cybersecurity Report 2025’ say 35% cybersecurity leaders which is nearly 33%, globally are opting for AI-driven automation at the forefront of their strategic priorities.

The report surveyed over 100 global cybersecurity leaders and consultants and found that AI-driven automation and cost optimization were among the main cybersecurity priorities for organizations.

Key findings:

30% of respondents state that investing in AI automation to bolster cybersecurity operations and reduce costs is a top priority.

Other strategies used by CISOs to optimize costs include tools rationalization (26%), security and risk management process optimization (23%) and operating model simplification (20%).
The report also highlights the growing role of AI in managing cyber threats and how investing in advanced AI-driven security solutions, continuously monitoring AI developments.

Fostering a culture of innovation and adaptation within cybersecurity teams can play a significant role in risk management.

Many CISOs are leveraging AI to improve threat detection and response times (31 %) and to build enhanced incident response capabilities (24%).

“Cybersecurity budgets are struggling to keep pace with the growing sophistication of cyber threats,” said Tony Buffomante, SVP & Global Head — Cybersecurity & Risk Services, Wipro Limited. “AI offers a solution by helping organizations strengthen defenses while optimizing costs. This allows CISOs to adopt a more outcome-driven focus by prioritizing risk-adjusted returns on investments.

However, even with AI’s growing significance, the implementation of Zero Trust security frameworks remains the predominant investment focus for nearly all surveyed leaders.

AI The crime enabler

In the beginning of 2025, reports came from various sources attackers are weaponizing AI and what cyber security leaders will do about it.

We all know how AI AI has been a good force in helping organizations detect anomalies, automate security responses and to some extent strengthen defense measures. But cost is high and requires lot of investments which many organizations are unbale to do.

At the same time cybercriminals have started to leverage the same technology to supercharge their attacks. The dark web we all know has long been a marketplace for malware and stolen credentials, but in 2025, we’re seeing a surge in AI-powered Cybercrime-as-a-Service (CaaS). Even low-skilled hackers can now rent AI-driven attack tools, making sophisticated threats accessible to a wider pool of cybercriminals.

But what is concerning the type of attacks that selects high-value targets, customizes ransom demands and known as Automated ransomware.

Also malicious actors deploying AI Bots scan for vulnerabilities and analyze defenses, to launch cyber attacks with precisions.

Lot of voice and video spoofing kits have arrived in the market embedded with AI tools that generate convincing deepfake audio or video for fraud and impersonation scams.

Wake up call for Business & Organization

The rise of AI-powered cyber threats is a wake-up call for businesses, governments, and individuals alike and the ‘State of Cybersecurity Report 2025‘ exactly pin-points the necessity to have AI automation to bolster cybersecurity operations and reduce costs.

The next wave of cyber crime is going to be more tactful embedded with AI. AI can analyze vast amounts of publicly available data to create detailed psychological profiles of potential victims.

This enables cyber criminals and prepares them for highly targeted and persuasive social engineering attacks. Having automation driven by AI allows attacks to unfold much more rapidly, leaving defenders with less time to react.

Conclusion: AI-Powered Security Solutions: Just as attackers are leveraging AI, so too must defenders. Implementing AI-powered security tools will act as first line defense and will be able to adapt to new threats in real-time.

Sources: CISOs Increasingly Rely on AI to Navigate Cost Pressures and Enhance Resilience: Wipro Report

BadSuccessor Vulnerability in Windows Server 2025 Enables Domain Admin Privilege Escalation

Summary : A critical privilege escalation vulnerability, BadSuccessor, affects Windows Server 2025 through its Delegated Managed Service Account (dMSA) feature.

Akamai researchers have discovered a serious design vulnerability in Windows Server 2025 related to the use of delegated managed service accounts (dMSAs). This flaw allows an attacker with least privilege to escalate to domain administrator privileges without directly interacting with privileged accounts or modifying group memberships.

OEM	Microsoft
Severity	Medium
CVSS Score	6.5
CVEs	N/A
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

First discovered by Yuval Gordon, a researcher at Akamai, the flaw allows attackers with minimal Active Directory (AD) permissions – specifically CreateChild rights on an Organizational Unit (OU) to escalate privileges to Domain Administrator.

The attack has been weaponized in a publicly available proof-of-concept tool called SharpSuccessor, developed by Logan Goins, with contributions from researchers Jim Sykora and Garrett Foster.

Microsoft has acknowledged vulnerability but classified it as moderate severity, and no patch is currently available.

Vulnerability Name	CVE ID	Product Affected	Severity	Impact
BadSuccessor vulnerability	N/A	Windows Server 2025	Medium	Privilege escalation

Technical Summary

BadSuccessor exploits the design of Delegated Managed Service Accounts (dMSA), a feature introduced in Windows Server 2025 to facilitate the migration from legacy service accounts and mitigate Kerberoasting risks.

The flaw occurs during the dMSA migration process, where the attacker manipulates two AD attributes msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState to simulate the replacement of a privileged account.

Active Directory’s Key Distribution Center (KDC), when processing Kerberos Ticket Granting Tickets (TGTs), embeds both the attacker’s dMSA and the original account’s Security Identifiers (SIDs) into the Privilege Attribute Certificate (PAC).

This causes the attacker’s dMSA to inherit the permissions of the target user, effectively granting Domain Admin privileges without any need to compromise the original account.

Key Points:

Requires only CreateChild permissions on an Organizational Unit (OU) a common delegation in AD environments.

Exploitable even if dMSAs are not actively in use, as long as a Windows Server 2025 domain controller is present.

91% of environments analyzed by Akamai had non-admin users with enough permissions to launch the attack.

Example Exploitation Chain:

Create a malicious dMSA:

Picture 2, Picture SharpSuccessor.exe add /impersonate:Administrator /path:”ou=test,dc=lab,dc=lan” /account:jdoe /name:attacker_dMSA

Obtain a TGT using Rubeus:

Rubeus.exe tgtdeleg /nowrap

Request a service ticket impersonating the high-privilege user:

Picture 5, Picture Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/[DC_FQDN] /opsec /dmsa /nowrap /ptt /ticket:[Base64_TGT]

A computer screen with white text

AI-generated content may be incorrect., Picture This grants the attacker full access to Domain Controllers, allowing for lateral movement and credential harvesting using legitimate Kerberos workflows.

Recommendations:

Restrict dMSA Creation: Limit CreateChild permissions on Organizational Units (OUs) to trusted administrators only.

Audit Permissions: Use Akamai’s PowerShell script to identify and revoke risky dMSA creation rights: Get-BadSuccessorOUPermissions.ps1

Harden High-Privilege Accounts: Apply Authentication Policy Silos to isolate sensitive accounts.

Monitor for Abuse: Watch for unusual Kerberos activity involving dMSA accounts.

Apply Patch When Available: Microsoft is working on a fix apply it as soon as it’s released.

Conclusion:
BadSuccessor represents a serious flaw in the dMSA architecture of Windows Server 2025, enabling attackers to gain domain wide privileges using only commonly granted permissions.

While Microsoft’s classification of the issue as “moderate” is based on its technical complexity, the broad exposure and ease of exploitation via SharpSuccessor demand urgent action. Organizations must review Active Directory permissions and implement hardened access control policies immediately.

References:

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

https://github.com/logangoins/SharpSuccessor?tab=readme-ov-file

https://cybersecuritynews.com/sharpsuccessor-poc-badsuccessor/

NIST & CISA Proposed Metric for Vulnerability Exploitation Probability

The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.

The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.

This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.

NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.

However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.

Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.

The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.

Importance of Metric for Vulnerability Exploitation Probability

Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.

Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.

It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.

That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.

In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.

The researchers outline four key ways LEV could be used:

1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.

Introducing the LEV Metric

Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.

LEV probabilities are designed to:

Estimate how many and which vulnerabilities are likely to have been exploited
Assess the completeness of the KEV catalog
Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
Improve EPSS-based prioritization by correcting underestimations

Key Findings

The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.

For example:

CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.

The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.

NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.

Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI

High Risk DoS Vulnerability in ModSecurity WAF

Google Chrome Patches Actively Exploited Zero-Day Vulnerability

AI seen as potential for improved threat detection & cost optimization; Wipro Report

BadSuccessor Vulnerability in Windows Server 2025 Enables Domain Admin Privilege Escalation

NIST & CISA Proposed Metric for Vulnerability Exploitation Probability

Introducing the LEV Metric

Key Findings

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives