Infosec

Google Chrome Zero-Day CVE-2025-2783 Exploited in APT Group TaxOff Campaigns

Summary

A newly-patched zero-day vulnerability in Google Chrome CVE-2025-2783 which was exploited in the wild by a threat actor TaxOff, leading to the deployment of Trinper which an advanced backdoor.

The CVE-2025-2783 exploited a sandbox escape vulnerability within Google Chrome’s Mojo IPC (Inter-Process Communication) framework, which allowed attackers to bypass the browser’s security sandbox and lead to RCE.

TaxOff Threat Actor

TaxOff is a highly sophisticated Advanced Persistent Threat (APT) group primarily targeting government organizations which is known for its use of advanced social engineering tactics, often involving phishing campaigns that exploit themed around financial reporting and regulatory compliance.

The CVE-2025-2783 vulnerability was first detected in March 2025 after Kaspersky reported real-world exploitation.

TaxOff used a phishing-based delivery method, which involved embedding a malicious link in emails masquerading as invitations to legitimate events like the Primakov Readings forum.

Once the link was clicked, the CVE-2025-2783 exploit was triggered, leading to the deployment of the Trinper backdoor. It was a one-click compromise that delivered a highly tailored payload with surgical precision.

Trinper Backdoor

This is a multi-threaded C++ backdoor that collected host data, logged keystrokes, exfiltrated targeted documents like document, excel or pdf files and maintained remote access.

But this wasn’t just a “plug-and-play” backdoor. Trinper’s loader employed five layers of encryption, utilizing ChaCha20, modified BLAKE2b hashes, and even machine-specific environmental checks. It was decrypted only on intended systems, using unique hardware identifiers like firmware UUIDs and PEB structures.

Source: global.ptsecurity.com

Interestingly, researchers found that Team46, a different APT group shares many similarities with TaxOff in terms of TTPs. This overlap raises the possibility that TaxOff and Team46 are the same group operating under different aliases.

Both groups have used PowerShell-based loaders and Cobalt Strike as their primary exploitation vectors.

This flaw allows threat actors to:

Execute arbitrary code
Bypass Chrome’s built-in security sandbox
Potentially gain remote control over the system

Recommendation

The rapid exploitation of CVE-2025-2783 highlights the critical importance of timely patch management. Google released a fix for this vulnerability in March 2025, and all users are strongly advised to update their Chrome browsers to the latest version immediately.

In addition to patching, organizations should implement the following defensive measures

Enhance email filtering systems and provide regular phishing awareness training for employees.

Continuously monitor systems for unusual or suspicious behavior related to script execution or network anomalies.

Restrict the execution of unsigned or obfuscated scripts and macros, particularly in email attachments or downloaded files, using tools like AppLocker or Microsoft Defender ASR.

References:

https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin

https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html

https://intruceptlabs.com/2025/03/critical-chrome-vulnerability-cve-2025-2783-exploited-in-cyber-espionage-campaign/

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

In recent times we witnessed many organizations who are facing numerous cyber attacks hold confidential customer, employee and supplier personal data. Such data is attractive to attackers, as they can steal it and demand ransom payments to stop them revealing it out in public. There is a constant fear against threat actors looming and that actually demands organizations to be cyber resilient.

What is the way out to create a cyber resilience culture that are meaningful both for employees and leaders ?

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

The principles are based on many factors on what leads to weak or misaligned cultures leading to poor security outcomes so that organizations understand how outcomes have deeper cultural issues and require urgent attention.

Cyber attack on Retail sector

This was followed by multiple cyber-attacks on the retail sector have gathered media attention over the first half of 2025. This included breaches on Co-op, Harrods, Adidas, The North Face, and Cartier.

Notably, a long-term disruption for UK brand Marks and Spencer, whose online sales are still paused seven weeks after the initial attack, was caused by phishing on a third-party supplier.

Over the Easter weekend, customers in M&S stores were unable to make contactless payments, click and collect services were unavailable. M&S has been quick to respond to cyber attacks faced and been applauded for its response to the attack, particularly its handling of external communications.

The newly released Operational Resilience Report 2025 has found organizations are taking a more integrated approach to resilience. Recognizing that people are vital to cybersecurity,

Cyber security culture The 6 principles laid by National Cyber Security Centre (NCSC) to build a cyber security culture within an organization.

Frame cybersecurity as an enabler, supporting the organization to achieve its goals
Build the safety, trust, and processes to encourage openness around security
Embrace change to manage new threats and use new opportunities to improve resilience
The organization’s social norms promote secure behaviours
Leaders take responsibility for the impact they have on security culture
Provide well-maintained cybersecurity rules and guidelines, which are accessible and easy to understand.

The first principle identifies that cybersecurity exists to protect the technology and information that keep an organization running.

But when it operates in isolation, its role as an enabler of every other function is often overlooked. This disconnect creates tension. Security may be seen as a blocker, its policies misunderstood or ignored, and controls bypassed, opening the door to further risk.

A shared purpose across the organization changes this dynamic. When everyone understands and works toward common goals, decisions reflect what supports the whole rather than just individual departments. Cybersecurity becomes part of how work gets done, not an obstacle in the way.

An effective culture recognises that secure behaviour is essential to meeting shared goals. Staff understand the value of cybersecurity in protecting systems and information. Controls are designed with an awareness of how people work, and security teams engage directly to reduce friction.

Clarity around purpose, consistent internal messaging, and strong leadership support all help integrate cybersecurity into the wider mission.

When people no longer see security as a separate concern, but as part of their contribution to organizational success, stronger and more resilient practices follow.

No amount of training can replace the value of open dialogue, especially when facing unfamiliar or fast-moving threats. When people are comfortable reporting mistakes, raising concerns, or suggesting improvements, the organization becomes more adaptive and resilient.

The second principle depends on a culture where people feel safe to speak up.

Without psychological safety, self-protection takes over. People stay silent, avoid reporting errors or tolerate behaviour that undermines security. Fear of blame or punishment blocks the flow of vital information and ideas.

To counter this, organizations need trusted, accessible channels for communication. Whether through help desks, portals, or local experts, these paths must be easy to use and free from friction. When people do reach out, their efforts should be acknowledged and, where possible, acted upon.

Security incidents should be investigated to understand what happened and how to improve, not to assign fault. Fair treatment and transparent processes build trust and make it more likely that people will engage in the future. Psychological safety is not a soft extra. It is a core condition for real-time responsiveness and continuous learning in security. When people trust the system and those behind it, they help protect it.

The third principle On cyber resilient organizations treat change as a constant and improvement as a shared responsibility. In cybersecurity, this mindset is critical.

As threats evolve and technologies shift, staying still is not neutral, it increases exposure and limits growth. Rather than viewing incidents or disruptions as setbacks, forward-looking organizations treat them as signals for refinement. Ignoring these moments in favour of maintaining the status quo leads to blind spots and missed opportunities.

Change must be coordinated across the organization. If one area races ahead or stalls without alignment, the imbalance can cause harm. Cybersecurity teams have a key role in guiding this process. They help ensure that risks are managed by those equipped to handle them, instead of being pushed onto teams lacking the resources or context to respond effectively.

Strong cultures embrace change as a path to better outcomes. They are measured in how and when they implement changes, mindful of fatigue and disruption. People feel supported during transitions and trust that new risks are handled responsibly. To sustain this, organizations need systems in place to identify emerging challenges and bring the right voices into decision-making. Clear roles, timely choices, and shared accountability allow security and resilience to move forward together.

The fourth principle identifies that workplace behaviour is shaped not just by formal rules but by unwritten ones picked up through observation.

These social norms often influence how people approach cybersecurity. When aligned with security goals, they help reinforce good habits and guide new staff toward secure practices.

But not all norms work in favour of security. Some, like cutting corners to be helpful or following senior examples, can quietly encourage risky behaviour. These norms are hard to change if they help people get their work done more easily than formal processes allow. Addressing this requires understanding the values behind these norms. Without doing so, even well-designed policies will be ignored, increasing risk and weakening trust in security measures.

A strong security culture identifies both helpful and harmful social norms and finds ways to align them with formal policies.

This may involve redesigning controls to support productivity or shifting behaviors through influence, incentives, and role models.

The fifth principle recognizes that cybersecurity culture depends on leadership that leads by example.

When leaders align with a shared purpose, model secure behaviors, and foster trust, they help embed security into daily work. Their influence shapes norms and drives change.

Leaders who engage openly and share lessons from past challenges build confidence and inspire action. Those who ignore this responsibility risk undermining progress, as teams often follow their lead. Strong leadership means linking security to business goals, promoting learning, and removing incentives for risky behaviour.

Supporting leaders with the right knowledge and encouraging honest dialogue strengthens a culture where security becomes a collective effort.

The sixth principle calls for creating a cyber-secure workplace that depends on finding the right balance between clear expectations and practical flexibility.

Rules must support people in solving problems locally while setting consistent standards across the organization. When done well, this balance builds trust between staff and leadership.

Overly rigid rules risk becoming outdated and burdensome, while vague guidance leaves teams confused and vulnerable. Both extremes can lead to frustration and disengagement from cybersecurity efforts. A better approach involves understanding where different teams struggle, inviting their input, and refining the rules based on real-world use and ongoing feedback.

Security rules should be integrated into daily workflows and onboarding. They must be easy to find, clearly written, and regularly updated, with changes communicated. Where gaps exist or the rules do not apply, teams must have quick access to experts who can help manage risk at the moment.

In practice, effective cybersecurity guidance is inclusive, tested for usability, and aligned with organizational goals. People should know what is mandatory and what is advisory. Feedback is actively used to improve the rules, and outdated material is removed to prevent confusion.

IntruceptLabs products are influencing cyber culture by promoting proactive security measures, automation, and a focus on user behavior and training.

IntruceptLabs enable organizations to improve their security posture by providing tools for patching vulnerabilities, managing access, and responding to threats, ultimately contributing to a more secure and resilient cyber environment.

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The platform offers:

Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Conclusion:

The importance of cyber resilience helps set businesses who have a solid response plan and test it regularly so that the organization is prepared for any cyber incidents.

The cyber-security incident plan should be part of a wider business continuity plan, considering the impact of a cyber incident on the business and defining steps to recover and respond.

NCSC emphasized that creating the culture takes time and is not a one-off exercise, but needs a focused and sustained effort from cyber security professionals, innovators and culture specialists, and organisations’ leaders.

Sources: https://www.thebci.org/news/retail-under-attack-the-growing-movement-towards-operational-resilience.html

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform

Summary

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM	Cisco
Severity	MEDIUM
CVSS Score	4.3
CVEs	CVE-2025-20297
CWEs	CWE-79
Exploited in Wild	No
Advisory Version	1.0

Overview

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users.

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Reflected Cross Site Scripting	CVE-2025-20297	Splunk Enterprise & Cloud	Medium	Check the remediation section.

Technical Summary

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20297	Splunk Enterprise & Cloud multiple versions	Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser.	Code Execution/Reflected xss.

Remediation:

Splunk has released updates, that addressed the vulnerability:

Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest.

Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest.

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components.

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations.

Conclusion:
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads.

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking.

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References:

https://advisory.splunk.com/advisories/SVD-2025-0601

https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents

High Risk DoS Vulnerability in ModSecurity WAF

Summary

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

OEM	ModSecurity
Severity	HIGH
CVSS Score	7.5
CVEs	CVE-2025-48866
CWEs	CWE-1050
Exploited in Wild	No
Advisory Version	1.0

Overview

A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10.

There is no user interaction required to trigger, exploiting it can lead to significant resource consumption, resulting in service disruption.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Denial of Service (DoS) vulnerability	CVE-2025-48866	Modsecurity WAF	High	v2.9.10

Technical Summary

The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*).

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-48866	ModSecurity (mod_security2.x) prior to v2.9.10	When a rule uses the sanitiseArg action, it processes each argument that matches the specified name (e.g – password). If a large number of matching arguments (e.g.- 500 or more) are passed, ModSecurity repeatedly adds them to memory, which can lead to excessive memory consumption and potentially crash the system.	System crashes due to resource exhaustion (DoS)

Remediation:

Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one.

Avoid using the “sanitizeArg” or “sanitizeArg” actions in your rules. If these actions are not used, the engine will not be affected by the vulnerability.

Conclusion:
This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection.

Although the vulnerability is rated as high, it requires a specific set of conditions to be exploited. But to ensure the continued stability and security of web applications, the fix needs to be applied as soon as possible.

References:

https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-f82j-8pp7-cw2w

https://cybersecuritynews.com/modsecurity-waf-vulnerability-crash-system/

https://nvd.nist.gov/vuln/detail/CVE-2025-48866

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM	IBM
Severity	Critical
CVSS Score	9.6
CVEs	CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues.

Vulnerability Name	CVE ID	Product Affected	CVSS Score	Severity
Information Disclosure Vulnerability	CVE-2025-25022	IBM Cloud Pak, QRadar Suite	9.6	Critical
Code Execution Vulnerability	CVE-2025-25021	IBM QRadar SIEM	7.2	High
Denial of Service Vulnerability	CVE-2025-25020	IBM QRadar SIEM	6.5	Medium
Session Hijacking Vulnerability	CVE-2025-25019	IBM QRadar SIEM	4.8	Medium
Web Cache Disclosure Vulnerability	CVE-2025-1334	IBM QRadar Suite	4.0	Medium

Technical Summary

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25022	QRadar SIEM	Unauthenticated access to sensitive config files due to poor protections.	Information disclosure, RCE
CVE-2025-25021	QRadar SIEM	Privileged code execution due to improper script code generation in case management.	Remote Code Execution
CVE-2025-25020	QRadar SIEM	API input validation flaw allowing service crash via malformed data	Denial of Service
CVE-2025-25019	QRadar SIEM	Sessions not invalidated upon logout, enabling impersonation by attackers.	Session Hijacking
CVE-2025-1334	QRadar Suite	Cached web content readable by other users, compromising multi-user data confidentiality.	Local Info Disclosure

Remediation:

Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later.

Refer to IBM’s official installation and upgrade documentation for detailed steps.

Conclusion:
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities.

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References:

https://www.ibm.com/support/pages/node/7235432

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=installing

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=upgrading

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited

Summary

OEM	Qualcomm
Severity	HIGH
CVSS Score	8.6
CVEs	CVE-2025-21479, CVE-2025-21480, CVE-2025-27038
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.

Vulnerability Name	CVE ID	Product Affected	CVSS Score	Severity
Incorrect Authorization Vulnerability	CVE-2025-21479	Qualcomm Adreno GPU Driver	8.6	High
Incorrect Authorization Vulnerability	CVE-2025-21480	Qualcomm Adreno GPU Driver	8.6	High
Use-After-Free Vulnerability	CVE-2025-27038	Qualcomm Adreno GPU Driver	7.5	High

Technical Summary

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21479	Android (Adreno GPU)	Unauthorized command execution during specific GPU microcode sequences causes memory corruption.	Privilege escalation, system compromise.
CVE-2025-21480	Android (Adreno GPU)	Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.	Memory corruption, remote code execution.
CVE-2025-27038	Android (Chrome/Adreno)	Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.	Arbitrary code execution.

Recommendations:

Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.

Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.

Apply Security Updates: Users should ensure their Android devices receive the latest security updates.

Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.

Conclusion:
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide.

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.

References:

https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

https://securityonline.info/actively-exploited-qualcomm-gpu-zero-days-added-to-cisas-kev-catalog/

BadSuccessor Vulnerability in Windows Server 2025 Enables Domain Admin Privilege Escalation

Summary : A critical privilege escalation vulnerability, BadSuccessor, affects Windows Server 2025 through its Delegated Managed Service Account (dMSA) feature.

Akamai researchers have discovered a serious design vulnerability in Windows Server 2025 related to the use of delegated managed service accounts (dMSAs). This flaw allows an attacker with least privilege to escalate to domain administrator privileges without directly interacting with privileged accounts or modifying group memberships.

OEM	Microsoft
Severity	Medium
CVSS Score	6.5
CVEs	N/A
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

First discovered by Yuval Gordon, a researcher at Akamai, the flaw allows attackers with minimal Active Directory (AD) permissions – specifically CreateChild rights on an Organizational Unit (OU) to escalate privileges to Domain Administrator.

The attack has been weaponized in a publicly available proof-of-concept tool called SharpSuccessor, developed by Logan Goins, with contributions from researchers Jim Sykora and Garrett Foster.

Microsoft has acknowledged vulnerability but classified it as moderate severity, and no patch is currently available.

Vulnerability Name	CVE ID	Product Affected	Severity	Impact
BadSuccessor vulnerability	N/A	Windows Server 2025	Medium	Privilege escalation

Technical Summary

BadSuccessor exploits the design of Delegated Managed Service Accounts (dMSA), a feature introduced in Windows Server 2025 to facilitate the migration from legacy service accounts and mitigate Kerberoasting risks.

The flaw occurs during the dMSA migration process, where the attacker manipulates two AD attributes msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState to simulate the replacement of a privileged account.

Active Directory’s Key Distribution Center (KDC), when processing Kerberos Ticket Granting Tickets (TGTs), embeds both the attacker’s dMSA and the original account’s Security Identifiers (SIDs) into the Privilege Attribute Certificate (PAC).

This causes the attacker’s dMSA to inherit the permissions of the target user, effectively granting Domain Admin privileges without any need to compromise the original account.

Key Points:

Requires only CreateChild permissions on an Organizational Unit (OU) a common delegation in AD environments.

Exploitable even if dMSAs are not actively in use, as long as a Windows Server 2025 domain controller is present.

91% of environments analyzed by Akamai had non-admin users with enough permissions to launch the attack.

Example Exploitation Chain:

Create a malicious dMSA:

Picture 2, Picture SharpSuccessor.exe add /impersonate:Administrator /path:”ou=test,dc=lab,dc=lan” /account:jdoe /name:attacker_dMSA

Obtain a TGT using Rubeus:

Rubeus.exe tgtdeleg /nowrap

Request a service ticket impersonating the high-privilege user:

Picture 5, Picture Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/[DC_FQDN] /opsec /dmsa /nowrap /ptt /ticket:[Base64_TGT]

A computer screen with white text

AI-generated content may be incorrect., Picture This grants the attacker full access to Domain Controllers, allowing for lateral movement and credential harvesting using legitimate Kerberos workflows.

Recommendations:

Restrict dMSA Creation: Limit CreateChild permissions on Organizational Units (OUs) to trusted administrators only.

Audit Permissions: Use Akamai’s PowerShell script to identify and revoke risky dMSA creation rights: Get-BadSuccessorOUPermissions.ps1

Harden High-Privilege Accounts: Apply Authentication Policy Silos to isolate sensitive accounts.

Monitor for Abuse: Watch for unusual Kerberos activity involving dMSA accounts.

Apply Patch When Available: Microsoft is working on a fix apply it as soon as it’s released.

Conclusion:
BadSuccessor represents a serious flaw in the dMSA architecture of Windows Server 2025, enabling attackers to gain domain wide privileges using only commonly granted permissions.

While Microsoft’s classification of the issue as “moderate” is based on its technical complexity, the broad exposure and ease of exploitation via SharpSuccessor demand urgent action. Organizations must review Active Directory permissions and implement hardened access control policies immediately.

References:

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

https://github.com/logangoins/SharpSuccessor?tab=readme-ov-file

https://cybersecuritynews.com/sharpsuccessor-poc-badsuccessor/

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEM	D-link
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2025-46176
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Hardcoded Telnet Credentials vulnerability	CVE-2025-46176	D-Link Router	Medium	No official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-46176	D-Link DIR-605L v2.13B01, DIR-816L v2.06B01	Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.	RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

Disable Telnet access via the router’s web interface.
Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

Restrict WAN access to management interfaces.
Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users.

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEM	Linux
Severity	High
CVSS Score	N/A
CVEs	CVE-2025-37899
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability Name	CVE ID	Product Affected	Severity
ksmbd use-after-free vulnerability	CVE-2025-37899	Linux kernel	High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-37899	Linux kernel (ksmbd)	A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.	Kernel memory corruption, privilege escalation, remote code execution

Remediation:

Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

Monitor your distribution’s security advisories and apply patches as soon as they are available.
Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
Use firewall rules to restrict access to SMB services to trusted networks.
Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEM	CISCO
Severity	HIGH
CVSS Score	8.6
CVEs	CVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
RADIUS DoS Vulnerability	CVE-2025-20152	Cisco Identity Services Engine	High	ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability	CVE-2025-20113	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability	CVE-2025-20114	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20152	CISCO ISE 3.4	Improper handling of malformed RADIUS authentication requests can cause a system reload.	Denial of Service (DoS), Network Disruption
CVE-2025-20113	Unified Intelligence Center 12.5, 12.6	Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.	Privilege Escalation, Unauthorized Data Access
CVE-2025-20114	Unified Intelligence Center 12.5, 12.6	Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.	Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

UIC 12.5(1)SU ES04 or later.
- UIC 12.6(2)ES04 or later.
- Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Google Chrome Zero-Day CVE-2025-2783 Exploited in APT Group TaxOff Campaigns

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

High Risk DoS Vulnerability in ModSecurity WAF

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited

BadSuccessor Vulnerability in Windows Server 2025 Enables Domain Admin Privilege Escalation

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives