Intrucept

Blogs Security Advisory

Cyber-Security News at a Glance: June1st -June15th, 2025

The current cybersecurity landscape continues to evolve, marked by persistent challenges and digital technologies transforming the cyber world. Across industries such as healthcare and financial services, in the month of June,2025, organizations navigated advanced threats, cyber attacks on retail sector including Security advisory’s etc.

Let’s explore the key trends and incidents from June1st -June15th, 2025

Microsoft June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI 

 A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.  AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.  

Splunk Enterprise & Cloud platform found that  (XSS) vulnerability existed & affects their multiple versions

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

(DoS) Vulnerability has been identified in ModSecurity, an open-source web application

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

High Risk DoS Vulnerability in ModSecurity WAF 

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild. Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Ways to combat Cyber Threats; Strengthen your SOC’s readiness involves 3 key strategies

Cyber threats are no longer limited to human attackers, with AI-driven “bad bot” attacks now accounting for 1/3 as per research. These attacks can be automated, allowing attackers to launch more extensive and efficient campaigns

Organizations are now exposed new risks, providing cybercriminals with more entry points and potential “surface areas” to exploit as they go digital and adopt to innovations and wider use of digital technologies.

Some of the types of bad bots are DDoS bots, which disrupt a website or online service by overwhelming it with traffic from multiple sources.

IntruceptLabs now offers Mirage Cloak and to summarise Mirage Cloak offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints.

 This is executed by setting up lures with intentionally misconfigured or vulnerable services or applications.

The flexible framework also lets customers add new deception methods as needed.

Conclusion: Organizations can better protect their digital assets and ensure business continuity by understanding the key components and best practices for building a successful SOC.

At the end  we must accept that to defend against any sort of AI attack, SOC teams must evolve with right collaborations and effective communication between partners seamlessly to evaluate information to stay ahead of attackers.

Blogs

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

In recent times we witnessed many organizations who are facing numerous cyber attacks hold confidential customer, employee and supplier personal data. Such data is attractive to attackers, as they can steal it and demand ransom payments to stop them revealing it out in public. There is a constant fear against threat actors looming and that actually demands organizations to be cyber resilient.

What is the way out to create a cyber resilience culture that are meaningful both for employees and leaders ?

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

The principles are based on many factors on what leads to weak or misaligned cultures leading to poor security outcomes so that organizations understand how outcomes have deeper cultural issues and require urgent attention.

Cyber attack on Retail sector

This was followed by multiple cyber-attacks on the retail sector have gathered media attention over the first half of 2025. This included breaches on Co-op, Harrods, Adidas, The North Face, and Cartier.

Notably, a long-term disruption for UK brand Marks and Spencer, whose online sales are still paused seven weeks after the initial attack, was caused by phishing on a third-party supplier.

Over the Easter weekend, customers in M&S stores were unable to make contactless payments, click and collect services were unavailable. M&S has been quick to respond to cyber attacks faced and been applauded for its response to the attack, particularly its handling of external communications. 

The newly released Operational Resilience Report 2025 has found organizations are taking a more integrated approach to resilience. Recognizing that people are vital to cybersecurity,

Cyber security culture The 6 principles laid by  National Cyber Security Centre (NCSC) to build a cyber security culture within an organization.

  • Frame cybersecurity as an enabler, supporting the organization to achieve its goals
  • Build the safety, trust, and processes to encourage openness around security
  • Embrace change to manage new threats and use new opportunities to improve resilience
  • The organization’s social norms promote secure behaviours
  • Leaders take responsibility for the impact they have on security culture
  • Provide well-maintained cybersecurity rules and guidelines, which are accessible and easy to understand.

The first principle identifies that cybersecurity exists to protect the technology and information that keep an organization running.

But when it operates in isolation, its role as an enabler of every other function is often overlooked. This disconnect creates tension. Security may be seen as a blocker, its policies misunderstood or ignored, and controls bypassed, opening the door to further risk.

A shared purpose across the organization changes this dynamic. When everyone understands and works toward common goals, decisions reflect what supports the whole rather than just individual departments. Cybersecurity becomes part of how work gets done, not an obstacle in the way.

An effective culture recognises that secure behaviour is essential to meeting shared goals. Staff understand the value of cybersecurity in protecting systems and information. Controls are designed with an awareness of how people work, and security teams engage directly to reduce friction.

Clarity around purpose, consistent internal messaging, and strong leadership support all help integrate cybersecurity into the wider mission.

When people no longer see security as a separate concern, but as part of their contribution to organizational success, stronger and more resilient practices follow.

No amount of training can replace the value of open dialogue, especially when facing unfamiliar or fast-moving threats. When people are comfortable reporting mistakes, raising concerns, or suggesting improvements, the organization becomes more adaptive and resilient.

The second principle  depends on a culture where people feel safe to speak up.

Without psychological safety, self-protection takes over. People stay silent, avoid reporting errors or tolerate behaviour that undermines security. Fear of blame or punishment blocks the flow of vital information and ideas.

To counter this, organizations need trusted, accessible channels for communication. Whether through help desks, portals, or local experts, these paths must be easy to use and free from friction. When people do reach out, their efforts should be acknowledged and, where possible, acted upon.

Security incidents should be investigated to understand what happened and how to improve, not to assign fault. Fair treatment and transparent processes build trust and make it more likely that people will engage in the future. Psychological safety is not a soft extra. It is a core condition for real-time responsiveness and continuous learning in security. When people trust the system and those behind it, they help protect it.

The third principle On cyber resilient organizations treat change as a constant and improvement as a shared responsibility. In cybersecurity, this mindset is critical.

As threats evolve and technologies shift, staying still is not neutral, it increases exposure and limits growth. Rather than viewing incidents or disruptions as setbacks, forward-looking organizations treat them as signals for refinement. Ignoring these moments in favour of maintaining the status quo leads to blind spots and missed opportunities.

Change must be coordinated across the organization. If one area races ahead or stalls without alignment, the imbalance can cause harm. Cybersecurity teams have a key role in guiding this process. They help ensure that risks are managed by those equipped to handle them, instead of being pushed onto teams lacking the resources or context to respond effectively.

Strong cultures embrace change as a path to better outcomes. They are measured in how and when they implement changes, mindful of fatigue and disruption. People feel supported during transitions and trust that new risks are handled responsibly. To sustain this, organizations need systems in place to identify emerging challenges and bring the right voices into decision-making. Clear roles, timely choices, and shared accountability allow security and resilience to move forward together.

The fourth principle identifies that workplace behaviour is shaped not just by formal rules but by unwritten ones picked up through observation.

These social norms often influence how people approach cybersecurity. When aligned with security goals, they help reinforce good habits and guide new staff toward secure practices.

But not all norms work in favour of security. Some, like cutting corners to be helpful or following senior examples, can quietly encourage risky behaviour. These norms are hard to change if they help people get their work done more easily than formal processes allow. Addressing this requires understanding the values behind these norms. Without doing so, even well-designed policies will be ignored, increasing risk and weakening trust in security measures.

A strong security culture identifies both helpful and harmful social norms and finds ways to align them with formal policies.

This may involve redesigning controls to support productivity or shifting behaviors through influence, incentives, and role models.

The fifth principle recognizes that cybersecurity culture depends on leadership that leads by example.

When leaders align with a shared purpose, model secure behaviors, and foster trust, they help embed security into daily work. Their influence shapes norms and drives change.

Leaders who engage openly and share lessons from past challenges build confidence and inspire action. Those who ignore this responsibility risk undermining progress, as teams often follow their lead. Strong leadership means linking security to business goals, promoting learning, and removing incentives for risky behaviour.

Supporting leaders with the right knowledge and encouraging honest dialogue strengthens a culture where security becomes a collective effort.

The sixth principle calls for creating a cyber-secure workplace that depends on finding the right balance between clear expectations and practical flexibility.

Rules must support people in solving problems locally while setting consistent standards across the organization. When done well, this balance builds trust between staff and leadership.

Overly rigid rules risk becoming outdated and burdensome, while vague guidance leaves teams confused and vulnerable. Both extremes can lead to frustration and disengagement from cybersecurity efforts. A better approach involves understanding where different teams struggle, inviting their input, and refining the rules based on real-world use and ongoing feedback.

Security rules should be integrated into daily workflows and onboarding. They must be easy to find, clearly written, and regularly updated, with changes communicated. Where gaps exist or the rules do not apply, teams must have quick access to experts who can help manage risk at the moment.

In practice, effective cybersecurity guidance is inclusive, tested for usability, and aligned with organizational goals. People should know what is mandatory and what is advisory. Feedback is actively used to improve the rules, and outdated material is removed to prevent confusion.

IntruceptLabs products are influencing cyber culture by promoting proactive security measures, automation, and a focus on user behavior and training.

IntruceptLabs enable organizations to improve their security posture by providing tools for patching vulnerabilities, managing access, and responding to threats, ultimately contributing to a more secure and resilient cyber environment. 

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The platform offers:

  • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
  • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
  • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
  • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Conclusion:

The importance of cyber resilience helps set businesses who have a solid response plan and test it regularly so that the organization is prepared for any cyber incidents.

The cyber-security incident plan should be part of a wider business continuity plan, considering the impact of a cyber incident on the business and defining steps to recover and respond.

NCSC emphasized that creating the culture takes time and is not a one-off exercise, but needs a focused and sustained effort from cyber security professionals, innovators and culture specialists, and organisations’ leaders.

Sources: https://www.thebci.org/news/retail-under-attack-the-growing-movement-towards-operational-resilience.html

Security Advisory

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

Summary :

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

OEM Fortinet 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-32756 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution Vulnerability  CVE-2025-32756 Fortinet Products  Critical 

Technical Summary 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication. 

The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-32756  FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate.   Remote Code Execution, Full device takeover, persistence, data theft, log erasure. 

Remediation

  • Update Immediately: Apply the latest security patches provided by Fortinet. 
  • FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+ 
  • FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+ 
  • FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+ 
  • FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+ 
  • FortiCamera: 2.1.4+ 
  • Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround 

Indicator of Compromise 

For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:  

IP Addresses FileHash-MD5 
156.236.76.90 2c8834a52faee8d87cff7cd09c4fb946 
198.105.127.124 4410352e110f82eabc0bf160bec41d21 
218.187.69.244 489821c38f429a21e1ea821f8460e590 
218.187.69.59 ebce43017d2cb316ea45e08374de7315 
43.228.217.173 364929c45703a84347064e2d5de45bcd 
43.228.217.82   

Conclusion: 
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.

Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss. 

These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.

Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

References

Security Advisory

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI  

Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.

OEM AWS 
Severity Critical 
CVSS Score 9.5 
CVEs CVE-2025-4318 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.

Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.

It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Unsafe Expression Evaluation in Codegen-UI  CVE-2025-4318 @aws-amplify/codegen-ui  Critical  2.20.3 

Technical Summary 

The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (eg: label, placeholder).

In affected versions, these expressions were directly evaluated using eval() without any filtering or validation, assuming they were safe.

This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible. 

A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-4318  AWS Amplify Studio (<=2.20.2) Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.    RCE, exposure of secrets, CI/CD compromise, unauthorized system control 

Remediation

Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist. 

Conclusion: 
CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.

A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation. 

The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety. 

AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.

The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.

References

Security Advisory

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments 

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-20286 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions. 

Vulnerability Name CVE ID Product Affected Severity 
​Cisco ISE Shared Credential Vulnerability  CVE-2025-20286 Cisco ISE   Critical 

Technical Summary 

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available. 

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-20286  Cisco ISE 3.1 – 3.4 Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform   Access sensitive data 

Remediation

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4. 

Cisco ISE Release Hot Fix First Fixed Release 
3.0 and earlier Not applicable. Not affected. 
3.1 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.2 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz Migrate to a fixed release. 
This hot fix applies to Releases 3.1 through 3.4. 
3.3 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.3P8 (November 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.4 ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz 3.4P3 (October 2025) 
This hot fix applies to Releases 3.1 through 3.4. 
3.5 Not applicable. Planned release (Aug 2025) 

Conclusion: 
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation. 

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative. 

References

Security Advisory

High Risk DoS Vulnerability in ModSecurity WAF 

Summary 

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.

OEM ModSecurity 
Severity HIGH 
CVSS Score 7.5 
CVEs CVE-2025-48866 
CWEs CWE-1050 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A Denial of Service (DoS) vulnerability has been identified in ModSecurity, an open-source web application firewall (WAF) used with Apache, Nginx and IIS.

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

There is no user interaction required to trigger, exploiting it can lead to significant resource consumption, resulting in service disruption. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Denial of Service (DoS) vulnerability  CVE-2025-48866 Modsecurity WAF  High  v2.9.10 

Technical Summary 

The vulnerability arises from the behavior of the “sanitiseArg” (also referred to as “sanitizeArg”) action in ModSecurity. This action sanitizes a specific argument passed to a rule (e.g.- password), masking it in the logs by replacing its value with asterisks (*). 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48866  ModSecurity (mod_security2.x) prior to v2.9.10 When a rule uses the sanitiseArg action, it processes each argument that matches the specified name (e.g – password).  If a large number of matching arguments (e.g.- 500 or more) are passed, ModSecurity repeatedly adds them to memory, which can lead to excessive memory consumption and potentially crash the system. System crashes due to resource exhaustion (DoS)   

Remediation

Apply Patches Promptly: Upgrade to ModSecurity version 2.9.10 or the latest one. 

Avoid using the “sanitizeArg” or “sanitizeArg” actions in your rules. If these actions are not used, the engine will not be affected by the vulnerability.  

Conclusion: 
This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

Although the vulnerability is rated as high, it requires a specific set of conditions to be exploited. But to ensure the continued stability and security of web applications, the fix needs to be applied as soon as possible. 

References

Security Advisory

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM IBM 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Information Disclosure Vulnerability  CVE-2025-25022 IBM Cloud Pak, QRadar Suite  9.6  Critical 
Code Execution Vulnerability  CVE-2025-25021 IBM QRadar SIEM  7.2  High 
Denial of Service Vulnerability  CVE-2025-25020 IBM QRadar SIEM  6.5  Medium 
Session Hijacking Vulnerability  CVE-2025-25019 IBM QRadar SIEM  4.8  Medium 
Web Cache Disclosure Vulnerability  CVE-2025-1334 IBM QRadar Suite  4.0  Medium 

Technical Summary 

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25022   QRadar SIEM Unauthenticated access to sensitive config files due to poor protections.   Information disclosure, RCE 
   CVE-2025-25021    QRadar SIEM Privileged code execution due to improper script code generation in case management.   Remote Code Execution 
  CVE-2025-25020   QRadar SIEM API input validation flaw allowing service crash via malformed data   Denial of Service 
   CVE-2025-25019    QRadar SIEM Sessions not invalidated upon logout, enabling impersonation by attackers. Session Hijacking 
  CVE-2025-1334   QRadar Suite Cached web content readable by other users, compromising multi-user data confidentiality. Local Info Disclosure 

Remediation

  • Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later. 

Refer to IBM’s official installation and upgrade documentation for detailed steps.  

Conclusion: 
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities. 

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Security Advisory

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Summary : Security Advisory

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.

OEM Google 
Severity HIGH 
CVSS Score 8.8 
CVEs CVE-2025-5419 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.

While less critical, such flaws can still result in memory corruption and possible code execution. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-bounds memory access vulnerability  CVE-2025-5419 Google Chrome  High  137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux) 

Technical Summary 

This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.

This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-5419  Chrome (all platforms) Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML   Arbitrary code execution, memory compromise, remote attack 

Remediation

Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities. 

General Recommendation: 

  • Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise. 
  • Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released. 
  • Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats. 
  • Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments. 
  • Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions. 

Conclusion: 
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.

Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability. 

While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.

References

Blogs

Ways to combat Cyber Threats; Strengthen your SOC’s readiness involves 3 key strategies

Cyber threats are no longer limited to human attackers, with AI-driven “bad bot” attacks now accounting for 1/3 as per research. These attacks can be automated, allowing attackers to launch more extensive and efficient campaigns

Organizations are now exposed new risks, providing cybercriminals with more entry points and potential “surface areas” to exploit as they go digital and adopt to innovations and wider use of digital technologies.

Some of the types of bad bots are DDoS bots, which disrupt a website or online service by overwhelming it with traffic from multiple sources.

Cybercriminals are using Gen-AI tools to improve the efficiency and yield of their campaigns – with Check Point Research’s recent AI Security Report 2025 flagging the use of the technology for malicious activities like AI-enhanced impersonation and social engineering.

Account takeover bots, which use stolen credentials to access users’ online accounts; web content scraping bots, which copy and reuse website content without permission; and social media bots, which spread fake news and propaganda on social media platforms.

The purpose of Bad Bot is expose critical flaws and vulnerabilities within the security frameworks that IT leaders have established in their architectures and operations.

Unfortunately, traditional security operations centers (SOCs) are built to detect threats based on predefined rules and human-driven logic or characteristics.

 AI-powered bots use automation and adaptive methods to execute more sophisticated and dynamic attacks that can bypass these existing defences.

Vulnerabilities are evolving so SOC team have more responsibilities then before as BOTs are AI powered.

Here we outlined three strategies to strengthen your SOC readiness

1.SOC team an essential or important component of business are in Fatigue Zone:

SOCs continuously monitor your organization’s network, systems, and applications to identify potential vulnerabilities and detect any signs of malicious activity.

SOC team quickly takes action to contain the threat and minimize damage, ultimately reducing the overall impact on your business.

Ponemon institute research say SOC teams are fatigued and one research pointed that 65% has fatigue and burn out issues.

That means Cyber security need to support the SOC teams and research found highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout.

Threat hunting teams have a difficult time identifying threats because they have too many IOCs to track, too much internal traffic to compare against IOCs.

Sometimes organizations have lack internal resources and expertise and too many false positives. 

Bringing out SOC team from fatigue issue is as important as investing on training, upskilling on cyber skills and development to keep your team’s spirit high.

Establish Key Performance Indicators (KPIs) to measure the effectiveness of your SOC. Monitor these KPIs closely and use them to identify areas for improvement.

2. How do Organization harness Nex-gen technology to combat cyber Threats

Staying abreast of industry trends and best practices to ensure your SOC teams remains at the forefront of cyber security or ahead of the curve with Nex-gen technologies.

So that SOC teams can detect and respond to threats more quickly and efficiently, get holistic view of organizations security posture, AI and ML can augment the SOC team by automating routine task.

Many organizations are adopting hybrid cloud infrastructure and SaaS applications for productivity and cost efficiency reasons. But organizations face difficulty of managing and securing the data on those platforms, which is again leading to higher breach costs.

Darktrace report says 78% of the more than 1,500 security executives responding to a recent survey said that AI-powered threats are having a significant impact on their organizations – with many admitting they lack the knowledge, skills, and personnel to successfully defend against those threats.

Many organizations are already leveraging AI as a cyber-security tool.

Now more IT leaders say they are integrating AI into their cloud strategies for use in advanced security and threat detection.

Organizations can encounter several challenges when integrating AI into their cloud strategies.

Along with SOC team who seamlessly integrate across the organization, same is for AI. Seamless integrations of AI will make it easier for AI-assisted threat detection, notification, enrichment and remediation.

The purpose is AI should focus on tuning models that is organization specific environment. Once done AI will integrate threat intelligence and filtering will be done based on specific context.  This will help reinforcing trust with customers and stakeholders.

3. Investing in Predictive Threat Modelling priority  for Nex-gen SOC Teams

In this era where AI is being leveraged by organisation to derive accuracy, SOC teams who are evolving will prefer investing in intelligence predictive threat models that are proactive in nature to anticipate risks and refine their response strategies.

When organizations have a Threat Intelligence-Driven SOC  it is easier to transform security operations from reactive to proactive defence. Most of the organization builds and operates its own SOC. That is done by employing a dedicated team of cyber security professionals who offers to take complete control over security operations but can be resource-intensive.

AI makes the process easier, as having AI-driven analytics will assist detect anomalous behaviours and zero-day threats.

Further with implementing predictive threat modelling to anticipate emerging attack patterns and leveraging the right frameworks, tools and best practices will help organizations build an intelligence-driven SOC. And with an intelligence-driven SOC team, anticipating any cyber threats can be dealt with efficiency.

IntruceptLabs now offers Mirage Cloak and to summarise Mirage Cloak offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints.

 This is executed by setting up lures with intentionally misconfigured or vulnerable services or applications.

The flexible framework also lets customers add new deception methods as needed.

Conclusion: Organizations can better protect their digital assets and ensure business continuity by understanding the key components and best practices for building a successful SOC.

At the end  we must accept that to defend against any sort of AI attack, SOC teams must evolve with right collaborations and effective communication between partners seamlessly to evaluate information to stay ahead of attackers.

Sources: What is SOC (Security Operations Center)?

Scroll to top