Infosec

Security Advisory

Google Chrome Patched High-Severity Memory Vulnerabilities  

Summary : Security Advisory: Google recently rolled out an update for Chrome to address two high & and one medium severity vulnerabilities.

OEM Google 
Severity High 
CVSS Score 8.0 
CVEs CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.

Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Heap Buffer Overflow in Sync  CVE-2025-11458 Chrome (Windows, Mac, Linux)  High 141.0.7390.65/66 
Use-After-Free in Storage  CVE-2025-11460 Chrome (Windows, Mac, Linux) High 141.0.7390.65/66 
Out-of-Bounds Read in WebCodecs CVE-2025-11211 Chrome (Windows, Mac, Linux) Medium 141.0.7390.65/66 

Technical Summary 

Google released an update for the Chrome Stable channel, addresses three significant security vulnerabilities related to memory safety. The update addresses multiple critical memory-related vulnerabilities within Chrome’s core components.

These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.

Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-11458 Chrome Sync component Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data.  Remote Code Execution / Data Leakage 
 CVE-2025-11460 Chrome Storage component Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. Remote Code Execution / Browser Instability 
CVE-2025-11211 Chrome WebCodecs API Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. Memory Disclosure / Browser Crash 

Recommendations 

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome v141.0.7390.65/66 
  • Linux: Chrome v141.0.7390.65 

Here are bellow recommended actions 

  • Manual Update Check: Navigate to Settings → Help → About Google Chrome to force update. 
  • Enterprise Patch Management: Enforce Chrome auto-updates across managed systems. 
  • Threat Monitoring: Actively monitor browser crash reports, endpoint security alerts, and system/network logs for suspicious behavior. 

Conclusion: 
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.

Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats. 

References

Blogs

DoW Announced Implementation of CSRMC to Deliver Real Time Cyber Defense, Address Legacy Shortcomming’s

Managing cyber risk across the cyber security set up of an enterprise is harder than ever and keeping architectures and systems secure also compliant can be challenging and over whelming.

DoW (Deprtament of war) recently announced implementing of a groundbreaking Cybersecurity Risk Management Construct (CSRMC).

This is a transformative framework to deliver real-time cyber defense at operational speed and its five-phase construct that ensures a hardened, verifiable, continuously monitored and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving cyber threats.

In comparison the previous Risk management framework dependent on static checklists and manual processes . The framework failed to account for operational needs and cyber survivability requirements. 

How (CSRMC) is going to address legacy infrastructure shortcoming?

CSRMC addresses these gaps by shifting from “snapshot in time” assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.

The construct is composed of a five-phase lifecycle and ten foundational tenets.

The Five-Phase Lifecycle

The new construct organizes cybersecurity into five phases aligned to system development and operations:

  1. Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
  2. Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
  3. Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
  4. Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
  5. Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.

Ten Foundational Tenets

The CSRMC has 10 core principal

  • Automation – driving efficiency and scale
  • Critical Controls – identifying and tracking the controls that matter most to cybersecurity
  • Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
  • DevSecOps – supporting secure, agile development and deployment
  • Cyber Survivability – enabling operations in contested environments
  • Training – upskilling personnel to meet evolving challenges
  • Enterprise Services & Inheritance – reducing duplication and compliance burdens
  • Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
  • Reciprocity – reuse assessments across systems
  • Cybersecurity Assessments – integrating threat-informed testing to validate security

“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Kattie Arrington, performing the duties of the DoW CIO. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”

With the above tenants DoW is ensuring cyber survivability and mission assurance in every domain,air, land, sea, space, and cyberspace.

Addressing Cyber security risk management

Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

BISO Analytics stands out as the pioneering security analytics platform designed to assist enterprises in effectively handling their first-party, third-party, and emerging risks, all within a single platform. This comprehensive solution facilitates a quicker and safer progression for your business.

By adopting a groundbreaking approach, BISO Analytics integrates open, data-centric cyber risk management practices, offering organizations a consolidated view of their cyber risk landscape across the entire attack surface.

BISO Analytics empowers CXO, mid-management, and operational teams with real-time, reliable, and defensible data that not only complies with regulatory standards but also aligns with the expectations of the board regarding safeguarding shareholder value and fortifying the business.

Why it is important to implement cybersecurity risk management at organisational level

Having an effective cybersecurity risk management program can only be implemented in an organization through a structured process. This requires careful planning, resource allocation and commitment to improving security framework.

Registering documents that assess risk related activities include high asset inventories like all systems and data. When risk are registered it contain records of determined risk, data theft or results of assessment and planned treatments.

Organizations that possess all documentation involving controls and their implementation level. In this scenario organizations actually understands what exactly is risk assessment and identifying what can go wrong in an organization’s system either anything that is via threats, vulnerabilities and their possible impact.

As the saying goes we can’t protect what you don’t understand and one can’t manage what they don’t assess.

Visit our website for more informed details on our products.

(Source: www.miragenews.com/war-dept-unveils-new-cybersecurity-risk-1540279/)

Blogs

Discord Security Incident Reveal Support Ticket Stolen in Third-Party Breach 

Summary 

In today’s interconnected digital world, trust often reaches beyond the main platforms to include the network of partners that support them. Recently, Discord disclosed an incident tied not to its own systems, but to a third-party customer service provider whose systems were compromised, exposing limited user information.

The company emphasized that its core infrastructure remained secure, with the issue confined to the external vendor’s network. The cyber attack appears to be financially motivated, as hackers demanded a ransom from Discord in exchange not to reveal any information that they ceased.

Breach Breakdown 

Discord confirmed that an unauthorized party gained access to the vendor’s systems by exploiting that firm’s ticketing platform. Through that entry point, attackers were able to view limited user information exchanged during support requests like names, Discord handles, emails and some contact details.

For a small number of affected users, the exposure extended to scanned government-issued IDs, such as passports or driver’s licenses, typically used to verify age or ownership. 

Discord as well clarified that its core infrastructure like chat servers, authentication databases, and private messaging systems were not breached. This wasn’t a platform intrusion, but rather a supply chain compromise through one of the company’s external service tools. 

Upon discovering the breach, Discord revoked the vendor’s access immediately, launched an internal investigation. Law enforcement agencies have also joined the effort to identify the perpetrators and prevent further misuse of stolen data. 

Discord already notified data protection authorities, contacted affected users directly via noreply@discord.com, and reviewed all vendor relationships to ensure compliance with data protection standards. The company also pledged to strengthen third-party systems and increase security oversight for partners with data access.

Additionally, Discord advised users to watch for phishing attempts and reiterated that it will never contact them by phone regarding the incident. 

Recommendations

Here are some recommendations below 

  • Always verify the sender before clicking links in security emails. 
  • Enable multifactor authentication to protect your account even if credentials leak. 
  • Stay alert for phishing emails, especially those that sound urgent or official. 
  • Keep your data footprint minimal by sharing only what’s necessary. 
  • Regularly assess vendor security and treat third-party reviews as a key defense measure. 

Conclusion 
This incident underscores that even well-secured platforms like Discord remain vulnerable through their third-party partners. It highlights the growing importance of robust vendor risk management, transparent communication, and continuous security auditing.

For users, it’s a reminder to stay cautious, enable strong authentication measures, and practice vigilance against phishing or social engineering attempts following any major data disclosure. 

Discord was created as a communication platform for gamers, who represent more than 90% of the userbase, but expanded to various other communities, allowing text messages, voice chats and video calls.

References

Security Advisory

Radware Uncovers Server Side Attack Targeting ChatGPT Known as Shadowleak

Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, termed as ShadowLeak. The experts discovered the zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing. 

In this attack type ‘Service-side’ pose greater risk as enterprise defenses cannot detect exfiltration because it runs from the provider’s infrastructure.

ShadowLeak a Server side attack

For any normal user there would be no visible signs of data loss as the AI agent acts as a trusted proxy, sending sensitive data to attacker-controlled endpoints. These server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.

Shadowleak is an uncovered security flaw affecting ChatGPT’s Deep Research Agent. Which can connect to services like Gmail to help users analyze their emails.

Attackers could hide invisible instructions in a regular looking email. When the user asked ChatGPT to review their mailbox contents selecting deep research.

Vulnerability Details 

ChatGPT’s Deep Research Agent was vulnerable because it could be tricked into following hidden instructions that were inside a seemingly ordinary email. When users ask the agent to analyze their inbox, any attacker can craft the message with invisible commands and cause AI to leak private data without warning.

These hidden instructions used tricks to fool the AI and get around its built-in safety checks. Some of those tricks included: 

  • Pretending to Have Permission: The prompt told the agent that it had “full authorization” to access outside websites, even though it didn’t. 
  • Hiding the Real Purpose: It disguised the hacker’s website as something safe sounding, like a “compliance validation system.” 
  • Telling the Agent to Keep Trying: If the AI couldn’t reach the attacker’s website the first time, the prompt told it to try again helping it sneak past any temporary protections. 
  • Creating Urgency: The prompt warned the agent that if it didn’t follow the instructions, it might not complete the report properly pushing it to obey. 
  • Hiding the Stolen Info: The agent was told to encode the personal data using Base64, which made the data harder to spot and helped hide the theft. 

After reading the fake email, the agent would go look through the user’s real emails (like HR messages) and find personal info such as full names and addresses.

Without alerting the user, the AI would send that information to the attacker’s server, happening silently in the background, with no warning or visible signs. 

This attack is not limited only to Gmail, also applies to any data sources Deep Research accesses, including Google Drive, Dropbox, Outlook, Teams and more. Any connected service that feeds text into the agent can pose a risk to hidden prompts, making sensitive business data vulnerable to exfiltration. 

Source: radware.com 

Attack Flow 

Step Description 
Malicious Email Crafting Attackers create a legitimate email embedded with hidden, invisible prompt instructions to extract sensitive data. Use social engineering and obfuscation. 
Email Delivery and Receipt The victim receives the email in Gmail without needing to open it; hidden commands are present in the email’s HTML body. 
User Invokes Deep Research The victim asks ChatGPT’s Deep Research Agent to analyze their inbox or specific emails, triggering the agent’s activity. 
Parsing Hidden Instructions The agent reads and interprets the hidden malicious prompt embedded within the attacker’s email. 
Extraction of Sensitive Data Following the instructions, the agent locates and extracts personal information like names and addresses from real emails. 
Data Exfiltration to Attacker The agent uses internal tools to send the extracted, often Base64-encoded data to an attacker-controlled external server. 
Victim Remains Unaware The entire process happens silently on OpenAI’s servers with no visible alerts or client-side traces for the user or admins. 

Why It’s Effective 

This “zero-click” attack happened entirely on OpenAI’s servers, where traditional security tools couldn’t detect or stop it, and victims never saw any warning. OpenAI was informed by radware security team in June 2025 and OpenAI fully patched the issue by September. 

The attack runs silently in a trusted cloud environment, invisible to users and traditional security tools.

It tricks the AI into repeatedly sending encoded sensitive data, bypassing safety checks and ensuring successful data theft. This stealthy, zero-click nature means no user interaction is required, making detection extremely difficult and allowing the attacker to exfiltrate data unnoticed over extended periods. 

Recommendations

Here are some recommendations below 

  • Email Sanitization: Normalize and strip hidden or suspicious HTML/CSS elements from emails before they are processed by AI agents. This reduces the risk of hidden prompt injections. 
  • Strict Agent Permissions: Limit AI agent access only to the data and tools necessary for its tasks, minimizing exposure to sensitive information. 
  • Behavior Monitoring: Continuously monitor AI agent actions and behavior in real time to detect anomalies or actions deviating from user intent. 
  • Regular Patch Management: Keep AI tools, connectors and integrated systems up to date with the latest security fixes and improvements. 
  • Awareness and Training: Educate users and administrators about the types of attacks AI agents are vulnerable to, fostering vigilance and quick incident response. 

Conclusion 


The ShadowLeak vulnerability underscores the critical risks posed when powerful AI tools operate without sufficient safeguards. By hiding secret commands inside emails, attackers were able to steal personal information without the user knowing.

This case highlights the need for strong safety measures, including limiting AI access to sensitive information, sanitizing inputs to prevent hidden commands, and continuously monitoring agent behavior to detect anomalies.

As more AI tools are used, it’s important to keep strong security controls and oversight to use these technologies safely and protect sensitive data from new threats. 

References

Security Advisory

Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues  

Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.

Severity High 
CVSS Score 7.7 
CVEs CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high & medium security flaws.

The high severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly even without needing to log in.

Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
HTTP/2 Denial of Service in bundled Jetty  CVE-2025-5115 Jenkins (bundled Jetty)  High Weekly 2.524+, LTS 2.516.3+ 
Missing permission check – agent names CVE-2025-59474 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Missing permission check – user profile menu CVE-2025-59475 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Log Message Injection Vulnerability CVE-2025-59476 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 

Technical Summary 

Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.

There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All the issues are fixed in Jenkins latest version. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-5115 Jenkins instances with embedded Jetty server with HTTP/2 enabled It causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service.  Denial of service 
CVE-2025-59474 Jenkins automation server Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executor’s widget Information Disclosure 
CVE-2025-59475 Jenkins automation server Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. Information Disclosure 
CVE-2025-59476 Jenkins automation server An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. Misleading administrators 

Remediation

  • Users should immediately install the latest, patched version of Jenkins on all servers: 
  • Weekly Release: Update to Jenkins v2.528 or later. 
  • Long-Term Support (LTS): Update to Jenkins v2.516.3 or later 

Here are some recommendations below. 

  • If immediate upgrade is not possible, users should disable HTTP/2 to mitigate the Denial-of-Service vulnerability. 
  • Always keep Jenkins core and plugins up to date with the latest security patches. 
  • Regularly audit and monitor access logs and system activity 
     

Conclusion: 
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.

Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines. 

References

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Security Advisory

Angular SSR Vulnerability Allows Cross-Request Data Exposure (CVE-2025-59052) 

Security Advisory: A high security flaw was discovered in Angular’s server-side rendering (SSR) functionality that could lead to cross-request data leakage due to a global race condition. This is identified as CVE-2025-59052, affects multiple versions of Angular’s @angular/platform-server, @angular/ssr and @nguniversal/common packages.

With data breaches at highest, Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.

Severity High 
CVSS Score 7.1 
CVEs CVE-2025-59052 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Angular is a popular open-source web application framework developed by Google, used to build dynamic, single-page applications (SPAs) and server-rendered apps using HTML, TypeScript and JavaScript.

When multiple SSR requests are processed concurrently, sensitive state information may be inadvertently shared, potentially exposing user tokens or private data across unrelated sessions. The Angular has released patches across all active branches and urges developers to update immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Race condition vulnerability  CVE-2025-59052 Angular platform-server, ssr  High  v18.2.14, v19.2.15/16, v20.3.0, v21.0.0-next.3 

Technical Summary 

Angular uses a dependency injection (DI) container called the platform injector during SSR to hold request-specific data. This container was implemented as a global module-scoped variable, introducing a race condition when multiple requests were processed simultaneously.

This flaw could cause data meant for one user to be sent in the response to another, potentially leaking authentication tokens, headers, or private content.

Affected APIs include bootstrapApplicationgetPlatform, destroyPlatform. These changes introduce SSR-only breaking changes, with automatic migration schematics available through the Angular CLI update process. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-59052 Angular SSR v16 to v21 Race condition in global DI container during SSR could leak user data across requests Cross-Request Data Leakage 

Recommendations

Upgrade Angular packages to the latest patched versions: 

Package Affected Versions Fixed Versions 
@angular/platform-server >=16.0.0-next.0 <18.2.14 
>=19.0.0-next.0 <19.2.15 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.14 
19.2.15 
20.3.0 
21.0.0-next.3 
@angular/ssr >=17.0.0-next.0 <18.2.21 
>=19.0.0-next.0 <19.2.16 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.21 
19.2.16 
20.3.0 
21.0.0-next.3 

If Immediate Upgrade is Not Possible, you can follow the recommendations below 

  • Disable SSR via server routes or build configurations 
  • Remove asynchronous behavior from custom bootstrap functions 
  • Eliminate use of getPlatform() in server-side code 
  • Ensure ngJitMode is set to false in production builds 

Conclusion: 
The Angular SSR vulnerability CVE-2025-59052 is the high severity issue with global state management during concurrent request processing, resulting in potential cross-request data exposure.

Though not yet exploited in the wild, the risk is significant for SSR-enabled Angular apps. Developers are urged to apply updates promptly or follow the provided mitigation steps to secure their applications. 

As per reports this vulnerability requires no special privileges or user interaction, making it both easy to exploit and dangerous in high-traffic applications.

References

Hashtags 

#Infosec #CyberSecurity #Angular #SecurityAdvisory #WebSecurity #Vulnerabilitymanagement #DevSecOps #PatchManagement #CISO #CXO #Intrucept 

Blogs

Jaguar Land Rover Data Hack reveal Significance of Security & Privacy by Design

Jaguar Land Rover announced suffering they hit by a cyberattack in August that severely disrupted its production and retail activities. Cyber criminals stole data, held by the carmaker, it has said, as its factories in the UK and abroad face prolonged closure. This massive data hack reveal that every stakeholder in the supply chain must be embed and lazed with security and privacy by design.

Principle of security by design

So the ever evolving automotive industry and modern vehicles are more of software, which means more coding which goes upto 100 million codes and this is growing in numbers and run more applications then ever before.

So the more coding and software, the more lucrative it is for attackers to target systems and codes and if security flaws exist then its a heaven for cyber criminal as it is now easy target for data privacy leaks etc.

Best practices for Securing by Design principles and software development are enough to address the emerging risk to automotive systems and other systems within the vehicle.

According to the BBC, three plants were affected: the ones in Solihull, Halewood and Wolverhampton. Also the cyberattack forced the company to disconnect some systems, which led to factories in China, Slovakia and India getting shut down and workers being instructed to stay at home. 

As per the company suppliers and retailers for JLR are also affected, some operating without computer systems and databases normally used for sourcing spare parts for garages or registering vehicles.

Scattered Spider group behind the cyber attack

As per reports the notorious Scattered Spider  the hackers group is credited for the attack on JLR. The threat actor was also linked to recent attacks against major UK retailers, as well as several other industries worldwide. 

This is the second cyberattack that hit JLR this year. In March, the Hellcat ransomware group claimed to data theft which were in hundreds of gigabytes of data from the carmaker.

July we witnessed how Scattered spider group targeted the aviation and retail sector

https://intruceptlabs.com/2025/07/scattered-spider-group-target-aviation-sector-third-party-providers-to-vendors-are-at-risk-solutions-that-will-improve-security-posture/

Addressing cyber security challenges in Automotive security

Organization addressing such cyber incident in near future will require dedication that will extend to all levels. This includes data layer, connection layer, authentication layer and more.

If organizations are proactive enough in establishing comprehensive protective measures and ensuring reliable systems that wont fail and in place, ultimately will create safe environment for entire ecosystem more resilient against cyber disruptions.

Cybersecurity challenges in automotive innovation

The integration of advanced technology has brought the automotive industry face-to-face with complex cybersecurity challenges. Vehicle technology, now deeply intertwined with software, exposes both consumers and manufacturers to varied threats.

The challenge for manufacturers is finding the right balance between advancing connected features and securing those very connections against evolving threats.

Transformation in Automotive industry while navigating cautiously in the midst of cyber attack

The year 2025 is transformative for automotive industry as the industry witnessing many groundbreaking technological advancements that is lazed with challenges in cybersecurity and supply chain resilience.

Navigate cyber challenges

For automotive industry as a whole, opportunities are huge for the industry as a whole but will take concrete shape when fitted with with robust architecture, zero-trust security frameworks and being transparent. There is a need to have more collaborative mindset and approaches among manufacturers, suppliers and leaders in technology of which cyber security is now important part.

Intercept offers Mirage Cloak

Mirage Cloak the Deception Technology, offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

Sources: https://www.theguardian.com/business/2025/sep/10/jaguar-land-rover-says-cyber-attack-has-affected-some-data

Security Advisory

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.

This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.

Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-09-09 
No. of Patches 86 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Here are the CVE addressed for Microsoft & non-Microsoft 

  • 81 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed 

Breakdown of September 2025 Vulnerabilities 

  • 41 Elevation of Privilege (EoP) 
  • 22 Remote Code Execution (RCE) 
  • 16 Information Disclosure 
  • 4 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 1 Spoofing  
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows SMB Elevation of Privilege Vulnerability  CVE-2025-55234 Windows Server, Windows 10, 11  High 8.8 
Improper Handling of Exceptional Conditions in Newtonsoft.Json CVE-2024-21907 Microsoft SQL Server High 7.5 

Technical Summary 

September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.

One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.

Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-55234 Microsoft SMB Server Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. Privilege Escalation 
CVE-2024-21907 Newtonsoft.Json < 13.0.1 Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. Denial of Service 

Source: Microsoft and NVD 

In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed 

  • CVE202555232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface. 
  • CVE202554918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems. 
  • CVE202554110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations. 
  • CVE202554098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments. 
  • CVE202554916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges. 

Key Affected Products and Services 

The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core and Security Components 

Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher. 

  • Microsoft Office Suite 

Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors. 

  • Azure and Cloud Services 

Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC). 

  • Virtualization and Hyper-V 

Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks. 

  • Developer and Management Tools 

Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation. 

  • Communication & File Services 

Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats. 

Remediation: 

Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks. 

Conclusion: 
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.

Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.

References

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Scroll to top