Intrucept

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required

Summary: SAP has released critical security updates in its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default; however, it is enabled in many systems because it was a core component used by business process specialists to develop business application components without writing code.

OEM: SAP
Severity: Critical
Date of Announcement: 2025-05-13
No. of Vulnerabilities Patched: 16
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE).

This issue was originally addressed in an SAP security note issued on April 24, 2025; that fix has since been supplemented by one for a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers.

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Unauthenticated File Upload (RCE) | CVE-2025-31324 | SAP NetWeaver | Critical | 10.0 |
| Insecure Deserialization (RCE) | CVE-2025-42999 | SAP NetWeaver | Critical | 9.1 |

Technical Summary

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver Visual Composer | Unauthenticated file upload vulnerability in the development server. | Remote Code Execution (RCE) without privileges |
| CVE-2025-42999 | SAP NetWeaver Visual Composer | Insecure deserialization in a user-accessible Visual Composer function. | Remote Code Execution (RCE) without privileges |

Source: SAP

In addition to the actively exploited vulnerabilities, several other high-severity vulnerabilities were also addressed:

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6)
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3)
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9)
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7)
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7)

Remediation:

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products.

General Recommendations:

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk.
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads.
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to these vulnerabilities.

Conclusion:

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised.
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated that federal agencies remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments.


FBI Warns: End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities.

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with newer, actively supported models or, at a minimum, disabling remote management features immediately.

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet.
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access.
  • Malware Capabilities:
    • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes.
    • Opens ports to act as proxy relays.
    • Enables the sale of infected routers as "proxy-as-a-service" infrastructure.

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200
  • E2500
  • E1000
  • E4200
  • E1500
  • E300
  • E3200
  • WRT320N
  • E1550
  • WRT610N
  • E100
  • M10
  • WRT310N

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware's router exploitation campaign:

| Name | Hash (MD5) |
|---|---|
| 0_forumdisplay-php_sh_gn-37-sh | 661880986a026eb74397c334596a2762 |
| 1_banana.gif_to_elf_t | 62204e3d5de02e40e9f2c51eb991f4e8 |
| 2_multiquote_off.gif_to_elf_gn-p_forward-hw-data-to-exploit-server | 9f0f0632b8c37746e739fe61f373f795 |
| 3_collapse_tcat_gif_sh_s3-sh | 22f1f4c46ac53366582e8c023dab4771 |
| 4_message_gif_to_elf_k | cffe06b0adcc58e730e74ddf7d0b4bb8 |
| 5_viewpost_gif_to_elf_s | 084802b4b893c482c94d20b55bfea47d |
| 6_vk_gif_to_elf_b | e9eba0b62506645ebfd64becdd4f16fc |
| 7_slack_gif_DATA | 41e8ece38086156959804becaaee8985 |
| 8_share_gif_DATA | 1f7b16992651632750e7e04edd00a45e |
| banana.gif-upx | 2667a50869c816fa61d432781c731ed2 |
| message.gif-upx | 0bc534365fa55ac055365d3c31843de7 |

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates.
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet.
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though it does not permanently remove it.
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks.
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior.
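Two defender-side checks that follow from the IOC table and the C2 check-in behaviour described above, written here as an added example (not code from the FBI bulletin or from this advisory): match_iocs() compares file hashes from a device filesystem dump against the table's MD5 values, and find_beacons() scans exported connection records for the near-constant 60-second-to-5-minute check-in rhythm. The flow records, file contents and IP addresses below are constructed; only the hashes come from the table.

```python
"""Hash matching against the advisory's IOC table and beacon detection for
the periodic C2 check-ins. Sample data is constructed for illustration."""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# MD5 hashes copied from the IOC table in this advisory.
IOC_MD5 = {
    "661880986a026eb74397c334596a2762",
    "62204e3d5de02e40e9f2c51eb991f4e8",
    "9f0f0632b8c37746e739fe61f373f795",
    "22f1f4c46ac53366582e8c023dab4771",
    "cffe06b0adcc58e730e74ddf7d0b4bb8",
    "084802b4b893c482c94d20b55bfea47d",
    "e9eba0b62506645ebfd64becdd4f16fc",
    "41e8ece38086156959804becaaee8985",
    "1f7b16992651632750e7e04edd00a45e",
    "2667a50869c816fa61d432781c731ed2",
    "0bc534365fa55ac055365d3c31843de7",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_iocs(files, iocs=IOC_MD5):
    """Return the names of files (mapping name -> bytes) whose MD5 is in the IOC set."""
    return [name for name, data in files.items() if md5_hex(data) in iocs]


def find_beacons(flows, min_interval=60, max_interval=300, min_count=5, jitter=0.2):
    """Return (src, dst, mean_gap_seconds) for every source/destination pair whose
    connections recur at a near-constant interval inside [min_interval, max_interval].
    `flows` is an iterable of (timestamp_seconds, src_ip, dst_ip) records, e.g. from
    a firewall or NetFlow export. `jitter` bounds the allowed spread of the gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if min_interval <= avg <= max_interval and pstdev(gaps) <= jitter * avg:
            hits.append((src, dst, round(avg)))
    return hits


# Constructed flow log: the router at 192.168.1.1 checks in every 120 s with an
# outside host; a laptop on the LAN makes a handful of irregular connections.
SAMPLE_FLOWS = [(t, "192.168.1.1", "203.0.113.5") for t in range(0, 1200, 120)]
SAMPLE_FLOWS += [(t, "192.168.1.20", "198.51.100.7") for t in (5, 900, 910, 2400, 2500)]

if __name__ == "__main__":
    print("beaconing pairs:", find_beacons(SAMPLE_FLOWS))
    print("IOC hits:", match_iocs({"firmware/tmp/banana.gif": b"constructed, not malware"}))
```

The beacon check is the part an end user can actually run, since the advisory notes that antivirus tools cannot scan the router itself: periodic outbound connections from the router's own address to a single external host are visible from a firewall or span port even when the device cannot be inspected.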

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”


OpenCTI Web-Hook Flaw Enables Full System Compromise

Summary

OEM: Filigran
Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2025-24977
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview

A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Webhook Remote Code Execution vulnerability | CVE-2025-24977 | OpenCTI | Critical | 6.4.11 |

Technical Summary

The vulnerability resides in OpenCTI's webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into webhook templates.

Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.

Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (e.g., credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-24977 | OpenCTI (≤ v6.4.10) | The webhook feature allows JavaScript-based message customization. Users with the manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container. | Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure. |

Remediation:

  • Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
  • Restrict user permissions: In particular, limit the manage customizations capability to trusted personnel only.
  • Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
  • Implement container hardening practices: Reduce risk of secret exposure by:
    • Avoiding storage of secrets in environment variables when possible.
    • Using dedicated secret management tools.
    • Running containers with least privilege and limiting runtime capabilities.
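Two of the remediation steps above, reviewing existing webhook configurations and keeping secrets out of environment variables, can be scripted. The following is an added example and not OpenCTI project code: audit_templates() flags template bodies that reach beyond plain message formatting (module loading, the Node process object, dynamic code, prototype walking), and secrets_in_env() lists container environment variables whose names suggest credentials so they can be moved to a secret store. The pattern list is an assumption about what a reviewer would consider suspicious in a JavaScript template, and the sample templates and environment are constructed.

```python
"""Webhook template audit and environment-secret inventory for an OpenCTI-style
deployment. Patterns and sample data are constructed for illustration."""
import re

# Constructs that a message-formatting template has no legitimate reason to use.
RISKY_PATTERNS = {
    "module_loading": re.compile(r"\b(require|import)\s*\("),
    "process_object": re.compile(r"\bprocess\s*\.\s*(env|binding|mainModule)\b"),
    "dynamic_code": re.compile(r"\b(eval|Function)\s*\("),
    "prototype_walk": re.compile(r"\.\s*constructor\s*\.\s*constructor\b"),
    "child_process": re.compile(r"\bchild_process\b"),
}


def audit_template(name: str, template: str) -> list:
    """Return one finding per risky construct, with the 1-based line it sits on."""
    findings = []
    for label, pattern in RISKY_PATTERNS.items():
        for m in pattern.finditer(template):
            line = template.count("\n", 0, m.start()) + 1
            findings.append({"template": name, "finding": label, "line": line, "match": m.group(0)})
    return findings


def audit_templates(templates: dict) -> list:
    """Audit a mapping of template name -> template body (e.g. exported from the UI)."""
    out = []
    for name, body in templates.items():
        out.extend(audit_template(name, body))
    return out


SECRET_KEY_HINT = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def secrets_in_env(env: dict) -> list:
    """Return env var names that look like inline credentials. Variables following
    the file-reference convention (name ending in _FILE, value under /run/secrets/)
    are treated as already moved to a secret store and are not flagged."""
    flagged = []
    for key, value in env.items():
        if key.endswith("_FILE") and value.startswith("/run/secrets/"):
            continue
        if SECRET_KEY_HINT.search(key):
            flagged.append(key)
    return sorted(flagged)


# Constructed samples: one plain formatting template and one that loads a module.
SAMPLE_TEMPLATES = {
    "report-created": "New report: ${data.name} (by ${data.creator})",
    "host-banner": "Alert from ${require('os').hostname()}: ${data.name}",
}
# Constructed container environment; names are illustrative, not OpenCTI's.
SAMPLE_ENV = {
    "DB_PASSWORD": "hunter2",
    "API_TOKEN": "abc123",
    "SMTP_PASSWORD_FILE": "/run/secrets/smtp_password",
    "LOG_LEVEL": "info",
}

if __name__ == "__main__":
    for f in audit_templates(SAMPLE_TEMPLATES):
        print(f"{f['template']}:{f['line']} {f['finding']} ({f['match']})")
    print("inline secrets:", secrets_in_env(SAMPLE_ENV))
```

A finding from audit_templates() is a prompt for review, not proof of compromise, but a message template has no reason to load modules or touch the process object, so every hit should be explained or removed; a non-empty secrets_in_env() result is the list of values an attacker with in-container code execution would read first.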

The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.

Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.

The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.

Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema

Summary of Security Advisory:

A high-severity remote code execution (RCE) vulnerability has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2.

OEM: Apache
Severity: High
CVSS Score: Not Available
CVEs: CVE-2025-46762
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Remote Code Execution vulnerability | CVE-2025-46762 | Apache Parquet Java | High | 1.15.2 |

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the "specific" or "reflect" Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer "generic" Avro model.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-46762 | Apache Parquet Java ≤ 1.15.1 | Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the "specific" or "reflect" data models, and relies on the presence of pre-approved trusted packages like java.util. | Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. |

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files.
  • The Avro "specific" or "reflect" deserialization models are used (not "generic").
  • Attacker-supplied or untrusted Parquet files are processed by the system.

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization.
  • For users unable to upgrade immediately: set the following JVM system property to disable trusted-package deserialization:

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=""
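For pipelines that ingest untrusted Parquet files under the conditions listed above, a pre-ingest check on the embedded Avro schema makes the trusted-package decision explicit before the library ever instantiates a class. The following is an added example, not Apache Parquet project code: it walks an Avro schema (the JSON that parquet-avro stores in file metadata) and reports every Java class hint that falls outside an allowlist of packages, the same kind of decision the SERIALIZABLE_PACKAGES property drives inside the library. Assumptions: the property names "java-class", "java-key-class" and "java-element-class" are the class hints defined by Avro's SpecificData for the specific/reflect models; the allowlist here is constructed and deliberately narrower than the library's default (it does not include java.util), and the sample schemas are constructed.

```python
"""Scan an Avro schema for Java class hints outside an allowlist of packages.
Property names follow Avro's SpecificData conventions; allowlist and samples
are constructed for illustration."""
import json

CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")
ALLOWED_PACKAGES = ("java.lang.", "java.math.")   # constructed allowlist, tune per deployment


def collect_class_refs(schema, path="", out=None):
    """Walk a parsed Avro schema and return (path, property, class_name) triples
    for every class hint it carries, including hints nested in fields, unions,
    arrays and maps."""
    if out is None:
        out = []
    if isinstance(schema, list):                       # union: check every branch
        for branch in schema:
            collect_class_refs(branch, path, out)
    elif isinstance(schema, dict):
        here = path or schema.get("name", "<root>")
        for prop in CLASS_PROPS:
            if prop in schema:
                out.append((here, prop, schema[prop]))
        for field in schema.get("fields", []):         # record fields carry a name
            collect_class_refs(field, f"{here}.{field['name']}", out)
        for key in ("type", "items", "values"):        # nested schemas
            if isinstance(schema.get(key), (dict, list)):
                collect_class_refs(schema[key], here, out)
    return out


def disallowed_class_refs(schema_json: str, allowed=ALLOWED_PACKAGES):
    """Class hints whose fully qualified name is not under an allowed package."""
    refs = collect_class_refs(json.loads(schema_json))
    return [ref for ref in refs if not ref[2].startswith(allowed)]


def is_safe_to_read(schema_json: str, allowed=ALLOWED_PACKAGES) -> bool:
    return not disallowed_class_refs(schema_json, allowed)


# Constructed schemas: one that only names an allowed class, one that names
# classes outside the allowlist at two different nesting levels.
SAFE_SCHEMA = json.dumps({
    "type": "record", "name": "Order",
    "fields": [
        {"name": "id", "type": "string"},
        {"name": "amount", "type": {"type": "string", "java-class": "java.math.BigDecimal"}},
    ],
})
SUSPICIOUS_SCHEMA = json.dumps({
    "type": "record", "name": "Order",
    "fields": [
        {"name": "id", "type": "string"},
        {"name": "note", "type": "string", "java-class": "com.example.untrusted.Gadget"},
        {"name": "tags", "type": {"type": "array", "items": "string",
                                   "java-element-class": "java.util.HashSet"}},
    ],
})

if __name__ == "__main__":
    for ref in disallowed_class_refs(SUSPICIOUS_SCHEMA):
        print("disallowed class hint at %s (%s): %s" % ref)
```

Rejecting a file at this stage costs one JSON parse and avoids relying on the reader's own package check; it also gives the pipeline a clear audit record of which files were turned away and why.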

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit

Summary of Security Advisory

A high-severity vulnerability (CVE-2025-2082) in the Tesla Model 3's Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS).

OEM: Tesla
Severity: High
CVSS Score: 7.5
CVEs: CVE-2025-2082
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

Successful exploitation can give access to critical vehicle controls; Tesla has addressed the issue in firmware version 2024.14.

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Remote Code Execution vulnerability | CVE-2025-2082 | Tesla Model 3 | High | 7.5 |

Technical Summary 

The vulnerability lies in the VCSEC module, responsible for security functions like immobilization, door locking, and TPMS monitoring.

An integer overflow occurs when the VCSEC processes malformed certificate responses transmitted via the TPMS subsystem. Exploiting this flaw enables memory corruption, leading to remote code execution.

The attack does not require user interaction or authentication and can be carried out over adjacent wireless interfaces such as Bluetooth Low Energy (BLE) or Ultra-Wideband (UWB).

Once compromised, attackers may issue unauthorized commands to the Controller Area Network (CAN) bus, which governs safety-critical systems including braking, steering, and acceleration.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-2082 | Tesla Model 3 (pre-2024.14) | Integer overflow in the VCSEC module's certificate handling logic, triggered by malformed TPMS messages. | Remote code execution, unauthorized CAN bus access, potential control over critical systems |
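The flaw class named above, an integer overflow while handling the length of a certificate response, comes down to a bounds check whose arithmetic can wrap. The following is an added example and not Tesla's VCSEC or TPMS code: the wire format is constructed (a 1-byte type and a 4-byte declared length), naive_accepts() reproduces a C-style uint32 check that wraps and accepts a malformed message, and parse_certificate_response() shows the check a firmware reviewer would want instead, comparing the declared length against the bytes actually present and an explicit ceiling so that no addition can overflow.

```python
"""Naive versus hardened length handling for a length-prefixed message.
The message layout and the size ceiling are constructed for illustration."""
import struct

HEADER = struct.Struct(">BI")   # constructed: 1-byte message type, 4-byte declared body length
MASK32 = 0xFFFFFFFF
MAX_CERT_LEN = 4096             # constructed upper bound for a certificate blob


def naive_accepts(buf: bytes) -> bool:
    """Mirrors a C-style `if (hdr_len + declared <= total)` evaluated in uint32
    arithmetic: when `declared` is close to 2**32 the sum wraps to a small value
    and the malformed message passes the check."""
    if len(buf) < HEADER.size:
        return False
    _, declared = HEADER.unpack_from(buf)
    end = (HEADER.size + declared) & MASK32   # wraps on overflow
    return end <= len(buf)


def parse_certificate_response(buf: bytes):
    """Hardened parser: checks the declared length against an explicit ceiling and
    against the bytes actually available (a subtraction that cannot overflow), and
    only then slices the body."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, declared = HEADER.unpack_from(buf)
    available = len(buf) - HEADER.size
    if declared > MAX_CERT_LEN:
        raise ValueError(f"declared length {declared} exceeds ceiling {MAX_CERT_LEN}")
    if declared > available:
        raise ValueError(f"declared length {declared} exceeds {available} available bytes")
    return msg_type, buf[HEADER.size:HEADER.size + declared]


def rejects(buf: bytes) -> bool:
    """True when the hardened parser refuses the message."""
    try:
        parse_certificate_response(buf)
    except ValueError:
        return True
    return False


# Constructed messages: a well-formed 5-byte body and a body whose declared
# length is large enough to wrap a 32-bit sum.
GOOD = HEADER.pack(1, 5) + b"\x30\x82\x01\x02\x03"
MALFORMED = HEADER.pack(1, 0xFFFFFFFE) + b"\x00" * 4

if __name__ == "__main__":
    print("naive check accepts malformed message:", naive_accepts(MALFORMED))
    print("hardened parser rejects it:", rejects(MALFORMED))
```

The same pattern applies to any fixed-width length field in a radio or bus protocol: compare against what is left in the buffer rather than adding the declared length to an offset, and cap the field at the largest value the protocol legitimately needs.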

Remediation

  • Update Tesla Firmware: Owners should update to firmware version 2024.14 via the vehicle's touchscreen or over-the-air (OTA) updates.
  • Avoid Wireless Threats: Refrain from connecting to unknown BLE/UWB devices and from using unauthorized TPMS accessories.

Conclusion: 
This vulnerability demonstrates how auxiliary vehicle systems like TPMS can serve as entry points for serious security breaches. While Tesla's prompt patch release reflects good incident response, this case underscores the urgency of ongoing scrutiny of wireless automotive components. Owners must apply the firmware update and maintain secure update practices to reduce the risk of exploitation.

Frequency & Sophistication of DDoS Attacks Rise 198% in Q1 2025

Protecting enterprise assets and infrastructure is not only a CISO's responsibility but also a concern for CXOs and CTOs, as a powerful DDoS attack can wreak havoc on revenues, productivity and reputation.

Mitigating a DDoS attack requires services from secure and trusted partners who can offer expertise and scale whenever required.

This also matters from a cost perspective: large enterprises bear the burden, and constantly monitoring and scrubbing the traffic routed to the customer network requires expertise.

It is important that organizations find service-oriented partners with skilled networking capacity and processing power, so that in the face of an attack they can automatically detect, respond to and mitigate it.

According to MazeBolt research, even the best DDoS protections leave enterprises highly exposed. Typically, large-scale, global organizations are only 60% protected – leaving the door wide open for cybercriminals to exploit the gaps.

Statistics from past DDoS attacks show that they have taken down large services such as Spotify, GitHub, and Microsoft services like Outlook and OneDrive.

According to new data released by Netscout, distributed denial of service (DDoS) attacks are on the rise. There were 17 million such attacks in 2024, up from 13 million the year before. It is an astonishing rise that has big implications for your business.

Defining DDoS attack

A DDoS attack occurs when a cybercriminal or malicious actor floods a service with more requests than it can handle, making its resources unavailable and eventually bringing it down.

In effect, a DDoS attack forces a website, network, or computer offline by overloading it with requests. Compare the Black Friday sales advertised on giant displays: these drive a lot of internet traffic towards one brand or destination at once.

A DDoS attack works when several different IP addresses target the same platform at the same time, which can overwhelm the server in question and bring it down.

Often, the attack is carried out by botnets: collections of devices that, once infected with malware, can be controlled remotely by cybercriminals. A DDoS attack is thus executed by many different sources at the same time.

Increase in DDoS Attack in 2025

DDoS attacks increased by 198% compared to the last quarter of 2024 and by 358% compared to the same quarter last year.

On April 3, an attack targeted an unnamed online betting organization. It lasted around 90 minutes, starting at 11:15 with a surge of 67 Gbps, escalating sharply to 217 Gbps by 11:23, and peaking just short of 1 Tbps at 965 Gbps by 11:36.

Research shows that a total of 20.5 million DDoS attacks were stopped during the period, of which 6.6 million were directly targeted at Cloudflare's infrastructure. Gaming servers were the most popular target for DDoS attacks. Similar attack patterns were spotted during the 2024 UEFA European Football Championship, held in Germany, where spikes in DDoS activity also targeted online betting sites.

In geopolitics, DDoS has emerged as a tool that is frequently abused for politically motivated attacks.

According to research by NETSCOUT, the second half of 2024 saw almost 9 million DDoS attacks, a 12.75% increase from the first six months. Israel in particular saw a 2,844% increase in attacks, reaching a high of 519 in one day.

The Russian hacking group NoName057(16) focused primarily on government services in the UK, Belgium, and Spain. Georgia also saw a 1,489% increase in attacks in the lead-up to the "Russia Bill", highlighting the use of DDoS as a political weapon.

Network-layer DDoS attacks were the primary driver of the overall surge. In Q1 2025, 16.8 million of these attacks were blocked, representing a 509% year-over-year rise and a 397% increase from the prior quarter.

Hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or one billion packets per second (Bpps), have become increasingly common. Cloudflare reported approximately 700 such attacks during the quarter, averaging about eight per day.

Major targets of DDoS attack

Globally, there have been notable changes in the most-targeted locations. Germany moved up four spots to become the most attacked country in Q1 2025.

Turkey made an 11-place jump to secure second position, while China dropped to third. Hong Kong, India, and Brazil also appeared among the top most-attacked countries, with movements seen across several regions in the rankings. Australia, for its part, remained outside the global top ten.

Industries facing the most pressure have shifted this quarter as well. The Gambling & Casinos sector moved to the top position as the most targeted industry, after climbing four places.

Telecommunications dropped to second, and Information Technology & Services followed in third.

Other industries experiencing notable increases in attacks included Cyber Security, which jumped 37 places, and Airlines, Aviation & Aerospace. In Australia, the industries facing the most attacks were Telecommunications, Information Technology and Services, Human Resources, and Consumer Services.

The report detailed attack vectors and trends, showing that the most common technique at the network layer remains SYN flood attacks, followed by DNS flood and Mirai-launched attacks.

Among HTTP DDoS attacks, more than 60% were identified and blocked as known botnets, with others attributed to suspicious attributes, browser impersonation, and cache busting techniques.

Cloudflare observed significant surges in two emerging attack methods. CLDAP reflection/amplification attacks grew by 3,488% quarter-over-quarter, exploiting the connectionless nature of the protocol to overwhelm victims with reflected traffic.

Similarly, ESP reflection/amplification attacks rose 2,301%, underscoring vulnerabilities in systems using the Encapsulating Security Payload protocol.

Despite the increase in the volume and size of attacks, the report noted that 99% of network-layer DDoS attacks in Q1 2025 were below 1 Gbps and one million packets per second.

Likewise, 94% of HTTP attacks fell below one million requests per second. Most attacks were short-lived, with 89% of network-layer and 75% of HTTP attacks ending within 10 minutes, but the impact can persist much longer due to the resulting service disruptions.

Addressing the Rise of DDoS Attacks and Mitigation Solutions

A DDoS attack intends to disrupt some or all of its target's services, and there is a variety of DDoS attacks, each different. There are three common types:

  • Volumetric (Gbps)
  • Protocol (pps)
  • Application layer (rps) attacks.
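A small triage helper makes the three categories above concrete, and applies the report's definition of a hyper-volumetric attack (at or above 1 Tbps or 1 billion packets per second) and its observation that most network-layer attacks stay under 1 Gbps and 1 million packets per second and end within 10 minutes. This is an added example, not code from the Cloudflare or NETSCOUT reports this article cites. The samples are constructed telemetry records; the rule separating protocol floods from volumetric floods by average packet size is a heuristic assumption, not a definition from the report.

```python
"""Classify DDoS telemetry as volumetric (Gbps), protocol (pps) or
application-layer (rps), and flag hyper-volumetric and small/short events.
Thresholds follow the figures quoted in the article; samples are constructed."""
from dataclasses import dataclass

HYPER_GBPS = 1000.0               # 1 Tbps
HYPER_PPS = 1_000_000_000         # 1 billion packets per second
SMALL_GBPS, SMALL_PPS = 1.0, 1_000_000
SHORT_SECONDS = 600               # "within 10 minutes"
SMALL_PACKET_BYTES = 200          # assumption: packet-rate floods use small packets


@dataclass(frozen=True)
class AttackSample:
    name: str
    layer: str            # "network" or "http"
    duration_s: int
    peak_gbps: float = 0.0
    peak_pps: float = 0.0
    peak_rps: float = 0.0


def classify(a: AttackSample) -> dict:
    """Label one sample and evaluate the report's size and duration bands."""
    if a.layer == "http":
        kind = "application"
    else:
        # Average packet size separates packet-rate (protocol) floods such as SYN
        # floods from bandwidth (volumetric) floods; heuristic, not a definition.
        avg_bytes = (a.peak_gbps * 1e9 / 8) / a.peak_pps if a.peak_pps else float("inf")
        kind = "protocol" if avg_bytes < SMALL_PACKET_BYTES else "volumetric"
    return {
        "name": a.name,
        "kind": kind,
        "hyper_volumetric": a.peak_gbps >= HYPER_GBPS or a.peak_pps >= HYPER_PPS,
        "small_band": a.layer == "network" and a.peak_gbps < SMALL_GBPS and a.peak_pps < SMALL_PPS,
        "short_lived": a.duration_s <= SHORT_SECONDS,
    }


def triage(samples) -> list:
    return [classify(s) for s in samples]


def summarize(samples) -> dict:
    """Counts a SOC dashboard would show for a batch of events."""
    rows = triage(samples)
    return {
        "by_kind": {k: sum(r["kind"] == k for r in rows) for k in ("volumetric", "protocol", "application")},
        "hyper_volumetric": sum(r["hyper_volumetric"] for r in rows),
        "small_and_short": sum(r["small_band"] and r["short_lived"] for r in rows),
    }


# Constructed samples. The first mirrors the April 3 timeline quoted above
# (965 Gbps peak over about 90 minutes); the packet rates are invented.
SAMPLES = [
    AttackSample("betting-site-apr-3", "network", 90 * 60, peak_gbps=965, peak_pps=80e6),
    AttackSample("syn-flood", "network", 300, peak_gbps=0.5, peak_pps=800_000),
    AttackSample("http-flood", "http", 420, peak_rps=2e6),
    AttackSample("hyper-udp", "network", 120, peak_gbps=1200, peak_pps=100e6),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
    print(summarize(SAMPLES))
```

The distinction matters for mitigation: a volumetric flood has to be absorbed upstream by a scrubbing provider with the capacity the article describes, a protocol flood is usually handled by SYN cookies and rate limits at the edge, and an application-layer flood needs the behavioural and bot-detection controls discussed in the next section.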

Effective DDoS attacks are often launched from cheap IoT devices such as toys, small appliances, thermostats, security cameras and Wi-Fi routers that are easily discovered on nearby networks. These devices make it easy to launch an attack that can have massive impact.

Threat Mitigation of DDoS Attacks

Application-layer attacks can be detected early with solutions that monitor visitor behavior, block known bad bots and test constantly.

To do this more effectively, Intrucept recently launched its Cyber Analytics platform.

The Cyber Analytics platform seamlessly brings together the pillars of modern cyber security into one unified ecosystem, i.e. best-in-class security products:

✅ XDR (Extended Detection & Response)
✅ Next-Gen SIEM (Security Information & Event Management)
✅ SOAR (Security Orchestration, Automation & Response)
✅ Threat Intelligence
✅ AI-Powered Security Analytics

Cyber Analytics delivers:
  • Real-time threat detection across endpoints, cloud, networks, and apps
  • Automated incident response to reduce MTTR and human fatigue
  • AI-driven insights to power proactive, risk-based decision-making

Built for agility, scalability and actionable intelligence, our platform gives security teams the edge required to move from playing catch-up to staying ahead.

Cyber Analytics represents a step forward in achieving better security outcomes.

Sources: Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare's 2025 Q1 DDoS Threat Report

DDoS attacks have skyrocketed 358% year-over-year, report says

Deepfakes Pose a Challenge as Cyber Risk Increases

The digital world is witnessing a constant increase in threats from deepfakes, a challenge for cyber leaders as cybersecurity-related risk increases and digital trust comes under strain.

Deepfakes, being AI-generated, are much used by cybercriminals intending to bypass authentication security protocols; they appear realistic but are fake, and are often hard to detect precisely because they are generated by AI. There are three types of deepfakes: voice or audio fakes, video deepfakes, and shallow fakes made with editing software like Photoshop.

Growing Cyber Risk Due to Deepfakes

Because deepfakes are now easier and more realistic to create, trust has deteriorated and misinformation can propagate widely, with the potential to cause damage or enable malicious exploitation across industry verticals.

The cybersecurity industry has consistently explained the potential risks posed by deepfakes and the possible routes to mitigate them, emphasizing the importance of interdisciplinary collaboration between industries. This brings proactive measures that ensure digital authenticity and trust in the face of evolving cyber fraud.

Failing to recognize a deepfake, whether audio or video, has negative consequences for both individuals and organizations. These range from loss of trust to disinformation, from negative media coverage to potential lawsuits and other legal ramifications, and cybersecurity threats such as phishing attacks cannot be underestimated.

There are cases where deepfakes have been used ethically, but their number is small compared with malicious use by cybercriminals. Synthetic media, also termed deepfakes, are created using deep learning algorithms, particularly generative adversarial networks (GANs).

These technologies can seamlessly swap faces in videos or alter audio, creating hyper-realistic but fabricated content. In creative industries, deepfakes offer capabilities such as virtual acting and voice synthesis.

Generative Adversarial Networks (GANs) consist of two neural networks: a generator and a discriminator.

  • Generator: creates synthetic data, such as images or videos, from random noise input, aiming to mimic real data.
  • Discriminator: evaluates the generated content against real data.

Deepfakes use deep learning algorithms to analyze and synthesize visual and audio content that is painfully hard to distinguish from the real thing, posing significant ethical and security challenges.

Beyond these threats, deepfakes also provide another gateway for cyberattacks, specifically phishing. Tricking victims by impersonating an individual or an entity may open the door to disclosure of sensitive information and threaten data security.
Audio created with deepfake tools could be used to bypass voice recognition systems, giving attackers access to secure systems and invading personal privacy.

Use cases of deepfakes, to understand their reach and impact:

Scammers and fraudsters benefit from deepfake audio replication, using it for malicious ends such as asking individuals for financial help or cloning the voice of an important person to demand or extort money.

Identity theft is often overlooked; it mostly impacts financial institutions, where scammers can bypass voice authentication by cloning voices. Scammers may also develop convincing replicas of government ID documents to gain access to business information or misuse them as a customer.

Criminals and hackers increasingly fuse images of high-profile public figures with offensive images using deepfake technology, without the subjects' knowledge. Such acts can lead to cybercriminals demanding money under threat of defamation.

Conspiracies against governments or national leaders fake their image or create hoaxes in which the image or voice is used by cybercriminals, often hired by opposing parties, to disturb peace and harmony as well as sound business operations.

Email is the key entry point for cyberattacks, and we now see deepfake technology being used by cybercriminals to create realistic phishing emails. These emails bypass conventional security filters, an area we cannot afford to neglect.

How will you detect deepfakes?

Some technical artifacts may not be recognizable, but there are a few minute, hairsplitting details.

In video fakes, one often sees no eye movement or unnatural facial expressions. The skin colour may be slightly off and body positioning inconsistent, including mismatched lip-syncing and body or face structure unlike what we are accustomed to seeing.

Being a grave concern from a cybersecurity perspective, it is important to remain alert to newly evolving deepfake technologies and understand their use, so as to defend on all fronts at both the individual and organizational level.

As deepfakes are AI-driven, rising phishing attacks that incorporate deepfakes pose a challenge, with social media profiles the most common vehicle. Readily available AI-enabled computers allow cybercriminals to use chatbots that nobody can detect as fake.

Mitigating the Digital Threat

  • Organizations and individuals require robust security measures, AI-based security solutions and improved knowledge of phishing methods to tackle the digital threat.
  • Remaining proactive at all levels of cybersecurity is important for navigating the complex challenge of deepfakes; while deepfakes definitely pose a strong technical challenge, proactive cybersecurity practices can stop cybercriminals from luring victims into their trap.
  • Government bodies and tech-savvy institutions and organizations should collaborate more to recognize deepfakes and deal with the challenges effectively.
  • Various regulations, most recently DORA (the Digital Operational Resilience Act), will help navigate these challenges as countries and organizations increase investment in open-source security.
  • Major investments in AI-driven detection tools are being sought at the enterprise level; stronger authentication mechanisms and improved digital literacy are critical to mitigating these emerging threats.
  • Investing in an email security service that offers automated protection will help block most phishing attempts.

    As per the KPMG report, deepfakes may be growing in sophistication and appear to be a daunting threat. However, by integrating deepfakes into the company's cybersecurity and risk management, CISOs, in association with the CEO and the Chief Risk Officer (CRO), can help their companies stay one step ahead of malicious actors.

    This calls for a broad understanding across the organization of the risks of deepfakes, and the need for an appropriate budget to combat this threat.

    If Deepfakes can be utilized to infiltrate an organization, the same technology can also protect it. Collaborating with deepfake cybersecurity specialists helps spread knowledge and continually test and improve controls and defenses, to avoid fraud, data loss and reputational damage.

    BISO Analytics:

    We at Intruceptlabs have a mission, and that is to protect your organization from any cyber threat while keeping confidentiality and integrity intact.

    We offer BISO Analytics as a service to ensure that business continues while you remain secure. A BISO translates concepts and connects the dots between cybersecurity and business operations, keeping business functions in sync with the cyber teams.

    Sources: https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

    AI-Driven Phishing And Deep Fakes: The Future Of Digital Fraud

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released

The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to the millions of users and organizations relying on Windows.

| OEM | Windows |
|---|---|
| Severity | HIGH |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-21204 |
| PoC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |

Overview 

A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM by abusing a trusted path through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.

A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523.

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Windows Update Stack Privilege Escalation | CVE-2025-21204 | Windows | HIGH | 7.8 |

Technical Summary 

The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.

A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features; no external binaries or code injection are required.

This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.

| CVE ID | System Affected | Vulnerability Details | Exploit Prerequisites | Impact |
|---|---|---|---|---|
| CVE-2025-21204 | Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Windows Server | Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code. | Attackers must have local access and limited user privileges; no user interaction required | Local privilege escalation, code execution |

Source: Cyberdom 

Recommendations

  • Apply the April 2025 cumulative update (KB5055523) immediately.
  • Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack.
  • Use AppLocker or WDAC to block symbolic link creation in sensitive directories.
  • Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence.
  • Detect attempts to create NTFS junctions targeting update directories.

Conclusion:
CVE-2025-21204 is an example of a low-level but impactful threat that relies on trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers exploit trust assumptions built into the operating system's own native components.

The only defenses available are to patch immediately and to harden directory access controls, stopping this low-level and minimally visible local privilege escalation.


Windows 11 DLL Flaws Open Doors to Privilege Escalation!

Summary 

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows, CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications locate and load DLLs.

| OEM | Windows |
|---|---|
| Severity | HIGH |
| CVSS Score | 7.3 |
| CVEs | CVE-2025-24994, CVE-2025-24076 |
| No. of Vulnerabilities Patched | 02 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |

Overview 

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24076 | Windows | HIGH | 7.3 |
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24994 | Windows | HIGH | 7.3 |

Technical Summary 

The vulnerability arises because Windows 11's "Mobile devices" functionality loads a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy DLL that is then executed with elevated privileges.

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-24076 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Exploits a race condition in the "Mobile devices" feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when it is replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window. | Allows SYSTEM-level privilege escalation |
| CVE-2025-24994 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user's context. This vector is less severe but still exploitable. | Allows user-to-user privilege escalation |

Remediation

  • Apply security updates: install the current security patches made available by Microsoft, specifically the March 2025 updates, on all affected systems.
  • Turn off the Cross Device Service if it is not needed: disable the "Mobile Devices" feature in Windows 11 to avoid exploitation of these vulnerabilities.
  • Look for suspicious activity: constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes.
  • Restrict user permissions: prevent non-administrative users from changing system files or running processes with elevated privileges.
  • Enforce DLL signature verification: make all programs verify DLL signatures so that no application can load unsigned or altered DLL files.
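The following PowerShell script is an added example and is not code from Cyberdom, Compass Security, Microsoft or Intrucept. It turns the detection and hardening recommendations of this advisory and of the CVE-2025-21204 advisory above into a point-in-time assessment: it checks whether C:\ProgramData\Microsoft\UpdateStack\Tasks has been turned into a junction or symbolic link, whether KB5055523 is installed, whether standard users hold write-class rights on the parent directory and on %PROGRAMDATA%\CrossDevice\, and whether the DLLs in that directory carry a valid signature. Assumed (not stated on the page): the list of principals treated as "standard user", that a genuine CrossDevice DLL is validly signed by Microsoft, and PowerShell 5.1 or later for the LinkType and Target properties on Get-Item output.

```powershell
# Added example (not from the advisories' sources): point-in-time checks for the two
# local privilege escalation conditions described on this page.
# Run in an elevated PowerShell 5.1+ session.

# Assumption: principals every interactive non-admin user belongs to. An allow ACE granting
# one of them a write-class right on the directory is what lets a standard user perform the
# "replace the Tasks directory" or "replace the DLL" step described in the advisories.
$StandardUserPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                            'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-StandardUserWriteAces {
    # Returns the allow ACEs on $Path that give a standard-user principal any write-class right.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $StandardUserPrincipals -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0
    }
}

function Test-UpdateStackTasksRedirect {
    # CVE-2025-21204: the advisory describes the Tasks directory being deleted and replaced
    # by a junction/symlink. A reparse point at this path is never expected.
    $tasks = 'C:\ProgramData\Microsoft\UpdateStack\Tasks'   # path named in the advisory
    $result = [ordered]@{
        Path                          = $tasks
        Exists                        = (Test-Path -LiteralPath $tasks)
        IsReparsePoint                = $false
        LinkType                      = $null
        Target                        = $null
        ParentWritableByStandardUsers = (@(Get-StandardUserWriteAces -Path (Split-Path $tasks -Parent)).Count -gt 0)
        KB5055523Installed            = [bool](Get-HotFix -Id 'KB5055523' -ErrorAction SilentlyContinue)
    }
    if ($result.Exists) {
        $item = Get-Item -LiteralPath $tasks -Force
        if (([int]$item.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -ne 0) {
            $result.IsReparsePoint = $true
            $result.LinkType       = $item.LinkType          # 'Junction' or 'SymbolicLink'
            $result.Target         = ($item.Target -join ';')
        }
    }
    [pscustomobject]$result
}

function Test-CrossDeviceDlls {
    # CVE-2025-24076 / CVE-2025-24994: the advisory names %PROGRAMDATA%\CrossDevice\ as the
    # user-writable directory from which CrossDevice.Streaming.Source.dll is loaded.
    $dir = Join-Path $env:ProgramData 'CrossDevice'
    $dirWritable = (@(Get-StandardUserWriteAces -Path $dir).Count -gt 0)
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Dll                        = $_.Name
            SignatureStatus            = $sig.Status          # 'Valid' is expected for a vendor DLL
            Signer                     = $sig.SignerCertificate.Subject
            # Assumption: a genuine copy carries a valid Microsoft signature; anything else in a
            # directory standard users can write to is the hijack condition the advisory describes.
            Suspicious                 = ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*')
            DirWritableByStandardUsers = $dirWritable
            LastWriteTime              = $_.LastWriteTime
        }
    }
}

Test-UpdateStackTasksRedirect | Format-List
Test-CrossDeviceDlls | Format-Table -AutoSize
```

A reparse point reported for the Tasks directory, or a DLL flagged Suspicious, should be treated as an incident indicator rather than a configuration finding. The ACL results are a snapshot: they tell you whether the precondition exists on this host now, while the ongoing monitoring the recommendations call for (junction creation under UpdateStack, DLL loads into the Cross Device process) belongs in EDR or file-system auditing rules.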

Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11's "Mobile devices" feature demonstrate how legacy attack techniques remain potent when they are integrated into new OS functionality.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.

While CVE-2025-24076 enables SYSTEM-level access, CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.
