Infosec

Blogs

AI Surge in CyberSecurity Redefining Threat & Defense; Reshaping Software Development & Security

Currently enterprise Cyber Security strategy with AI has become a game changer, reshaping is critical for both threat and defense. Embracing Gen AI for a robust defensive system empowers organizations to analyze vast amount of data is key requirement for enterprise security where software development is key to enterprise security , embracing ‘security by design’.

In 2024-2025, we have witnessed how mainstream enterprise deployment of AI has changed the strategic cyber security requirement. Thereby creating a strong defense mechanism around enterprise security, redefining the threat landscape and shaping software development.

AI is changing the way we look at products being a risk multiplier. How organization balancing innovation with protection?

AI can track and break commonly used passwords within minutes. So this is scary as more powers are in the hands of hackers, on the other side AI can improve password security again a boon. The Dark Web is already selling Fraud GPT and Worm GPT.

For Organizational cyber security strategy AI is being used now to tackle threats and cyber defense. Again AI has the capability to accelerate the speed of cyber attacks.

So what are leaders deciding when chasing AI based products. The way leaders are looking at products is products that give practical and actionable outlook and being embedded in delivery workflows.

Strategically, this means evolving away from rigid, checkbox-based compliance toward dynamic, adaptive security models that reflect how modern teams really build software—especially in AI-accelerated environments.

As per statistics 2025 witnessed the following AI based cyber attacks.16% of all breaches in 2025 involved attackers using AI. (IBM),and other AI attacks included 37% used phishing attacks and 35% used deepfake attacks. (IBM). 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM).

OpenText has released their survey and the report entails, AI is rapidly changing the threat landscape for organizations . Organizations are navigating a high-stake balancing act to enable innovation while managing risk.

Here are the key findings

Top AI-related concerns among respondents include data leakage (29%), AI-enabled attacks (27%), and deepfakes (16%).

95% of respondents are confident in their ability to recover from a ransomware attack, but only 15% of those attacked fully recovered their data.

88% allow employees to use GenAI tools, yet less than half (48%) have a formal AI use policy.

Enterprises lead AI governance (52%) compared to SMBs (43%) by having a formal AI policy in place.

52% report increased phishing or ransomware due to AI; 44% have seen deepfake-style impersonation attempts.

Surge in AI Threats via sophisticated attacks

One of the reasons cited by threat researchers is organizations are embracing GenAI, allowing employees to use generative AI tools and few less then 50% have a formal AI-use or data privacy policy in place, the report noted.

This is added with hackers innovative way in tricking using AI, bypassing any defense mechanism which is traditional. 

AI tools are now being used to create such convincing phishing emails, fake websites and even deepfake videos to injecting malicious code giving leverage to cyber criminals

In the last few months we witnessed how Ransomware attacks round the world surged and quite complex in nature as third-party service providers or software supply chains were prime targets. The Qantas airline breach and M&S data beach that hit UK’s top retail brand.

While Qantas did not to Information Age whether AI voice deepfakes were used in the breach, the cybercrime group experts believe may be linked to the hack — dubbed ‘Scattered Spider’ — has a track record of using voice-based phishing (or ‘vishing’) in its attacks. This is clear AI being used and surge is quite high in AI based cyber attacks.

AI for Cyber Defense for Organizational Cyber Security Strategy

It is not hackers who are benefiting but for Organizations it is a game changer as AI being used to detect attack at faster pace meaning mean time.

Findings of this survey reinforces that protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations’, partners, and technology providers collaborate to close security gaps before they are exploited.

Key pointer for building pragmatic and strategic choices and this approach starts with embracing security by design approach in developmental life cycle.

  • Continuously Embedding security in developer workflows keeping automating, scanning, policy enforcement and anomaly detection in tools used by developers.
  • Cybersecurity AI tools are better at identifying patterns and anomalies in large datasets including vulnerabilities. teams have to highly prioritize and contextualize them in term of developing products.
  • Supposedly there is an attack and the security tools not able to detect. So continuous testing is mandatory.
  • Developers can favor simple solutions that favors pragmatic security patterns and transparency in architecture. In this way trust is developed with clients.

Few important developers keep in focus is to sponsor bug bounties, publish advisories using standards like the Common Security Advisory Framework (CSAF) and provide context on severity and exploitability.

Threat researcher suggest organizations who are building in products accept all vulnerability reports, investigate them, and fix the issues. Any critically important advisory to be used for root cause analysis to improve tools, training and various threat models. Developers are suggested to give feedback for external tools if they help them evolve. Understanding no software can ever be perfect.

Offerings from IntruceptLabs are exactly what you need to develop organizational cyber defense capabilities

Intru360

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

(Sources: https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today)

Sources: https://investors.opentext.com/press-releases/press-releases-details/2025/OpenText-Cybersecurity-2025-Global-Ransomware-Survey-Rising-Confidence-Meets-a-Growing-AI-Threat/default.aspx)

Blogs

Critical React Native CLI Vulnerability Enables OS Command Injection  

Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

Severity  Critical 
CVSS Score  9.8 
CVEs  CVE-2025-11953 
POC Available  Yes 
Actively Exploited  No 
Advisory Version  1.0 

Overview 

A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
 OS Command Injection  CVE-2025-11953  @react-native-community/cli @react-native-community/cli-server-api  Critical  @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 

Technical Summary 

The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.

On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers. 

CVE ID  Component Affected  Vulnerability Details  Impact 
CVE-2025-11953  Development Server’s /open-url Endpoint  The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows.  Remote OS Command Injection 

Recommendations 

  • Update to @react-native-community/cli-server-api version 20.0.0 or later immediately. 

If upgrading is not possible, 

  • Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server. 
  • Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early. 

How these kind of security flaw can cause damage?

This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.

The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.

The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.

The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.

What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.

Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner

  • GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
  • Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
  • Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
  • GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
  • Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.

References

 

 

Security Advisory

Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities 

Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.

OEM Apple 
Severity High 
CVEs CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes. 

                Vulnerability Name CVE ID Product Affected Fixed Version 
WebKit Use-After-Free (Safari Crash/RCE) CVE-2025-43438 iOS, iPadOS iOS/iPadOS 26.1 
WebKit Buffer Overflow (RCE Risk)  CVE-2025-43429 iOS, iPadOS iOS/iPadOS 26.1 
App Installed Detection via Accessibility  CVE-2025-43442 iOS, iPadOS iOS/iPadOS 26.1 
Sensitive Screenshot in Embedded Views CVE-2025-43455 iOS, iPadOS iOS/iPadOS 26.1 
Kernel Memory Corruption / DoS  CVE-2025-43398 iOS, iPadOS iOS/iPadOS 26.1 

Technical Summary: 

The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-43438 WebKit Use-after-free in Safari triggers crash or code execution via malicious web content  Remote Code Execution, System Compromise 
 CVE-2025-43429 WebKit Buffer overflow in content processing allows arbitrary code execution Remote Code Execution, Service Compromise 
CVE-2025-43442 Accessibility Permissions flaw allows apps to detect installed apps (fingerprinting) Privacy Violation, User Tracking 
CVE-2025-43455 Apple Account Malicious apps can screenshot sensitive embedded UI (login views) Credential, PII Exposure 
CVE-2025-43398 Kernel Memory mishandling leads to system termination or kernel corruption Denial of Service, Potential Privilege Escalation 

Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table 

Vulnerability Name CVE ID Affected Component 
Sandbox Escape via Assets CVE-2025-43407 Assets 
Sandbox Escape via CloudKit Symlink CVE-2025-43448 CloudKit 
Stolen Device Protection Bypass CVE-2025-43422 Stolen Device Protection 
Cross-Origin Data Exfiltration CVE-2025-43480 WebKit 
Keystroke Monitoring via WebKit CVE-2025-43495 WebKit 
Apple Neural Engine Kernel Corruption CVE-2025-43447, CVE-2025-43462 Apple Neural Engine 
Canvas Cross-Origin Image Theft CVE-2025-43392 WebKit Canvas 
Contacts Data Leak in Logs CVE-2025-43426 Contacts 
Lock Screen Content Leak CVE-2025-43350 Control Center 
Address Bar Spoofing CVE-2025-43493 Safari 
UI Spoofing in Safari CVE-2025-43503 Safari 

Recommendations: 

Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website

Patches are available and should be applied immediately.  

For environments where immediate patching is not immediately feasible, you can also follow the recommendations below. 

  • Enable Stolen Device Protection and Lockdown Mode (where applicable) 
  • Restrict app installations to trusted sources. 
  • Avoid visiting untrusted websites from browser 
  • Use VPN and enable Advanced Data Protection for iCloud 
  • Monitor for anomalous app behavior or battery drain  

Conclusion: 
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.

Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems. 

References

Security Advisory

Critical Apache Tomcat Vulnerabilities Enable RCE 

Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.

OEM Oracle 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-55754, CVE-2025-55752 
POC Available No 
Actively Exploited No 
Advisory Version 1.0 

Overview  One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.

Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability CVE-2025-55754 Apache Tomcat Critical 11.0.0-M1 through 11.0.10,  10.1.0-M1 through 10.1.44,  9.0.0.40 through 9.0.108. 
Path Traversal Vulnerability  CVE-2025-55752 Apache Tomcat  High 11.0.0-M1 through 11.0.10, 
10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108. 

Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.

These weaknesses increase the risk of unauthorized code execution and compromise of application environments. 

CVE ID Component Affected Vulnerability Details Impact 
CVE-2025-55752 URL Rewrite Handler (Apache Tomcat Core) A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code. Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled. 
CVE-2025-55754 Logging/Console Output Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering. Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks. 

Recommendations 

Update Apache Tomcat to the following versions immediately: 

  • For 11.x version updated to v11.0.11 or latest 
  • For 10.x version updated to v10.1.45 or latest 
  • For 9.x version updated to v9.0.109 or latest 

If you not updating immediately you can follow some recommendations below 

  • Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads. 
  • Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories. 
  • Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts. 

Conclusion: 
The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.

Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity. 

References

Security Advisory

Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration

Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration

A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.

This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.

Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.

Vulnerability Details

The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.

Source: blog.randorisec.fr, cybersecuritynews
Attack Flow

StepDescription
CraftAttackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations.
AccessThe ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation.
ExtractThe encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”).
DecryptThe DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz.
ExploitDecrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API

Why It’s Effective

  • Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
  • Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
  • Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.

Recommendations:

  • Monitor Processes Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
  • Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
  • Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
  • Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
  • User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation

Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.

References:

Blogs

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

 Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Blogs

Unpatched Systems, Software’s Exposes Business to Cyber Threats

Remember when Qantas, Australia’s flagship airline confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The data was upto 6 million, which is staggering in number. This means any kind of exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.

Unpatched Systems, Software’s exposes Business to Cyber Threats

The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records we all knew. This was a clear case how unpatched software’s but Qantas denied any of its service platform was vulnerable and there was no sign the platform was compromised.

Similarly 1.5 billion records across 760 global companies record exposed to data breach when Salesforce was hit and the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. And as recent Salesloft Drift cyberattack may have also compromised some Google Workspace accounts.

The above case are all about software vulnerabilities when left unpatched. Latest data from cybersecurity and privacy company Kaspersky revealed that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
  • CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky reports to secure your unpatched systems

  • Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
  • Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
  • End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
  • High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day

Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What Businesses can do to remain Secure from Cyber threats when systems are unpatched?

For legacy systems and applications there is a lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and patch virtualization and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves as being in legacy catagory they are prone to any kind of cyber threats and intrusion.

Follow more below recommendations

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

  • Utilize solutions for vulnerability assessment, patch management
  • Prioritize defense strategies & threat detection like phishing emails and web threats
  • Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
  • Implement a robust patch management process

Security Advisory

Advanced eBPF Rootkit LinkPro Evade Detection in Linux Systems via Magic TCP Packets

Overview: LinkPro rootkit targets GNU/Linux systems: LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The sophisticated Linux rootkit linkpro was uncovered by Synacktiv CSIRT during an investigation of a compromised AWS infrastructure and evade detection in Linux Systems.

This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. This rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging in Linux as it operates at a low level within the Linux kernel. 

Leveraging extended Berkeley Packet Filter (eBPF) technology, where linkpro backdoor evades detection by hiding its processes and network activity, activating remotely via a “magic packet.”

Source: www.synacktiv.com 

Issues Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of ebpf for advanced persistent threats (apts) in cloud environments. 

The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.

It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.

If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly. 

LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems. 

Attack Flow 

IOCs 

IOC Type Indicator Description 
  Network /api/client/file/download?Path=… URL used to download tools/payloads onto the compromised host. 
/reverse/handshake /reverse/heartbeat /reverse/operation Endpoints the implant calls in reverse mode to receive operator commands. 
18.199.101.111 Destination IP used by LinkPro in forward (active) mode. 
   File /etc/systemd/system/systemd-resolveld.service Malicious systemd service file named to look like systemd-resolved. 
/root/.tmp~data.ok Location/name of the LinkPro binary, disguised as a system file. 
/usr/lib/.system/.tmp~data.resolveld Alternate disguised location for the LinkPro binary. 
/etc/libld.so Malicious library loaded via /etc/ld.so.preload as a fallback concealment method. 
   Host Systemd-resolveld Fake service name intended to be mistaken for systemd-resolved. 
Conf_map eBPF map holding the internal port used by the Knock module. 
Knock_map eBPF map containing authorized IP addresses for the Knock module. 
Main_ebpf_progs eBPF map listing programs that the Hide module manages. 
Pids_to_hide_map eBPF map listing process IDs the rootkit hides. 
Hashes D5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b Passive linkpro backdoor 
1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964 Active linkpro backdoor 
B11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7 Ld_Preload module (libld.so) 
B8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164 Hide ebpf module 
364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3 Knock ebpf module 
0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb Vget downloader 

Recommendations

Here are some recommendations below 

  • Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access. 
  • Restrict public exposure of CI/CD tools and enforce strict network segmentation. 
  • Monitor for suspicious Docker container deployments and unexpected host filesystem mounts. 
  • Watch for unusual or unauthorized eBPF program activity using kernel auditing tools. 
  • Regularly update Linux kernels and apply available security patches. 

Conclusion: 
The LinkPro rootkit is anadvanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.

It spreads through Jenkins vulnerabilities, container escapes and remote activation,  highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.

To protect against it, companies should focus on timely patching and monitoring suspicious activities. 

References

Security Advisory

Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits 

Summary:  Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.  

Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.

The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-10-14 
No. of Patches 175 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 175 Microsoft CVEs addressed 
  • 21 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 80 Elevation of Privilege (EoP) 
  • 31 Remote Code Execution (RCE) 
  • 28 Information Disclosure 
  • 11 Denial of Service (DoS) 
  • 11 Security Feature Bypass 
  • 12 Spoofing  
  • 2 Tampering 

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Agere Modem Driver Elevation of Privilege Vulnerability CVE-2025-24990 Windows 10, 11, Server 2016-2022 High 7.8 
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability CVE-2025-59230 Windows 10, 11, Server 2016-2022 High 7.8 
Secure Boot Bypass Vulnerability in IGEL OS CVE-2025-47827 IGEL OS Medium 4.6 
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability CVE-2025-59287 Windows Server Critical 9.8 
Microsoft Office Remote Code Execution Vulnerability CVE-2025-59234 Microsoft Office High 7.8 
Microsoft Excel Remote Code Execution Vulnerability CVE-2025-59236 Microsoft Excel (2016-2021) High 8.4 

Technical Summary 

October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.

3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.  

Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-24990 Windows Agere Modem Driver Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware Privilege Escalation 
CVE-2025-59230 Windows Remote Access Connection Manager Improper access control allows local attackers to gain SYSTEM privileges Privilege Escalation 
CVE-2025-47827 IGEL OS < v11 Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem Security Feature Bypass 
CVE-2025-59287 Windows Server Update Service Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks Remote Code Execution 
CVE-2025-59234 Microsoft Office (2016-2021) Use-after-free in Office allows RCE via malicious files, no authentication required Remote Code Execution 
CVE-2025-59236 Microsoft Excel (2016-2021) Use-after-free in Excel enables RCE via malicious files, potentially leading to system control Remote Code Execution 

Source: Microsoft 

In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed 

  • CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical) 
  • CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE202549708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation.  (Critical) 
  • CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical) 
  • CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical) 
  • CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical) 

Key Affected Products and Services 

  • Windows Core and Security Components 

Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher. 

  • Microsoft Office Suite 

Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution. 

  • Azure and Cloud Services 

Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances. 

  • Virtualization and Hyper-V 

Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks. 

  • Developer and Management Tools 

Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation. 

  • Communication & File Services 

Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs. 

Remediation: 

  • Install the October 2025 security updates immediately to mitigate risks. 

Here are some recommendations below  

  • Use EDR tools to monitor any indicators like Office crashes or logs. 
  • Disable unused services to prevent any remote access or other exploitation. 
  • Apply least privilege access in Office and Azure environments. 
  • Segment networks to reduce any lateral movement. 

Conclusion: 
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure. 

References

Scroll to top