Intrucept

Security Advisory

Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Type Confusion in V8 Engine  CVE-2025-10585 Chrome (Windows, Mac, Linux)  High  140.0.7339.185/.186 

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type of confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues, a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-10585 Google Chrome (Windows, Mac, Linux) Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape Remote Code Execution / Sandbox Escape 

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name CVE ID Affected Component Severity 
​Use-after-free in Dawn CVE-2025-10500 Chrome GPU Renderer Component (Dawn)  High 
Use-after-free in WebRTC CVE-2025-10501 Chrome WebRTC Audio/Video Communication Module High 
Heap Buffer Overflow in ANGLE CVE-2025-10502 Chrome Graphics Translation Engine (ANGLE) High 

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 

Here are some Recommendations below 

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: Keep monitoring logs for any signs of exploitation 

Conclusion: 
There are high vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Blogs Security Advisory

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including those packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. 

The JavaScript ecosystem is under a massive threat following a major supply chain attack. Hence, millions of crypto users and developers are now at risk. With more than a billion of these packages downloaded already, thousands of blockchain wallets and applications could be suffer varying exploits.

  • Malicious NPM updates spread malware that steals and replaces crypto addresses.
  • Developers encouraged developer to cease on-chain operation and inspect HD wallets thoroughly.

The attackers injected malicious scripts that

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others. 

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Here are some popular packages with affected versions 

Package Version 
@ctrl/ngx-codemirror 7.0.1, 7.0.2 
@ctrl/tinycolor 4.1.1, 4.1.2 
@crowdstrike/foundry-js 0.19.1, 0.19.2 
@crowdstrike/logscale-dashboard 1.205.1, 1.205.2 
@nativescript-community/sqlite 3.5.2 – 3.5.5 
@nativescript-community/text 1.6.9 – 1.6.13 
@nstudio/nativescript-checkbox 2.0.6 – 2.0.9 
@nstudio/angular 20.0.4 – 20.0.6 
eslint-config-crowdstrike 11.0.2, 11.0.3 
remark-preset-lint-crowdstrike 4.0.1, 4.0.2 

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 Hash Notes 
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 Large batch, Sept 15–16 
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 CrowdStrike-related packages burst (Sept 16) 
de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 First observed compromise (Sept 14) 
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 Sept 14 small burst 
83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e ~25 packages, Sept 14 
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db Burst of ~17 packages, Sept 14–15 
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c Multiple reuse across Sept 15–16 

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
    Pin dependencies to known-safe versions until patched releases are confirmed. 
  1. Rotate credentials 
    Immediately revoke and reissue: 
  • npm access tokens 
  • GitHub personal access tokens / org tokens 
  • Cloud credentials (AWS, GCP, Azure) 
  1. Audit systems 
  • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
  • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
  • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  1. Monitor and log 
  • Search event logs for unusual npm publish activity. 
  • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  1. Harden pipelines 
  • Pin package versions and use integrity checks (e.g.- lockfiles, checksums). 
  • Limit exposure of sensitive tokens in build environments. 
  • Rotate all build-related secrets regularly. 

 
Conclusion 
This incident is significant compromises in the npm ecosystem, impacting hundreds of widely used packages across various namespaces.

The attackers’ tactics such as credential theft, manipulation of GitHub workflows, and widespread package propagation, highlighting the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

References

Security Advisory

Spring Security & Framework Authorization Bypass Vulnerabilities Patched 

Security advisory: Two new security vulnerabilities have been discovered in the Spring Framework and Spring Security components identified as CVE-2025-41248 and CVE-2025-41249.

Severity Medium 
CVSS Score 4.4 
CVEs CVE-2025-41248, CVE-2025-41249 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These issues affect applications that use method-level security annotations like @PreAuthorize to control access to certain methods or features. Under specific conditions when generics are used in parent classes or interfaces, these annotations may not be properly detected, which could allow unauthorized users to access restricted functionality. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Security Authorization Bypass Vulnerability  CVE-2025-41248 Spring Security  Medium 6.5.4 (Open Source) 6.4.10 (Open Source)  
Spring Framework Annotation Detection Vulnerability CVE-2025-41249 Spring Framework Medium 6.2.11 (Open Source) 6.1.23 (Commercial Support) 5.3.45 (Commercial Support)  

Technical Summary 

The vulnerability arises when Spring applications use inheritance (where a class inherits methods from another class) and generics (a way to define methods or classes that can handle different types of data) together. If a secured method, like one marked with the @PreAuthorize annotation (used to enforce security checks), is declared in a generic superclass or interface without clear type definitions, Spring might fail to recognize the security annotation at runtime. This means unauthorized users could potentially access these methods. This issue affects Spring Security versions 6.4.0 to 6.5.3 and Spring Framework versions 5.3.0 to 6.2.10. The Spring team has since released updates to better handle security annotations in such cases, ensuring proper authorization checks. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41248 Spring Security 6.4.0 – 6.4.9 6.5.0 – 6.5.3 Spring Security may fail to detect method-level security annotations applied to generic superclasses or interfaces, resulting in unauthorized access. Unauthorized access  
CVE-2025-41249 Spring Framework 6.2.0 – 6.2.10 6.1.0 – 6.1.22 5.3.0 – 5.3.44 Older, unsupported versions are also affected.  Spring Framework does not consistently recognize security annotations on methods declared in generic superclasses or interfaces, which can lead to authorization bypass. Authorization bypass. 

Remediation

Users should immediately update to the latest patched versions of Spring Security and Spring Framework: 

Spring Security 
Affected Version Fix Version 
6.5.x 6.5.4 
6.4.x 6.4.10 
Spring Framework 
Affected Version Fix Version 
6.2.x 6.2.11 
6.1.x 6.1.23 
6.0.x N/A (OOS) 
5.3.x 5.3.45 

Conclusion: 
These vulnerabilities cause Spring Security and Spring Framework to sometimes miss detecting method-level security annotations in generic type hierarchies. This can allow unauthorized users to bypass authorization checks, exposing protected functionality. While the severity is medium, it is important to update to the fixed versions promptly and review security annotation usage on generics to maintain proper access control. 

References

 

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Blogs

FBI Issues Alarm as Hackers Group target Salesforce Data Paltform; Releases IOC

FBI issued fresh alert major Hackers group mainly associated with cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks on Salesforce stealing data. FBI released indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” as per FBI’s advisory.

Federal Bureau of Investigation has issued a urgent alert detailing the activities of two sophisticated cybercriminal groups, UNC6040 and UNC6395, which have been aggressively targeting Salesforce platforms.

These actors, linked to data theft and extortion schemes, exploit vulnerabilities in OAuth tokens and employ social engineering tactics like vishing to breach high-value targets.

Data Exfiltration or Data extraction/Theft

Data exfiltration occurs in two ways, through outsider attacks and via insider threats. Both are major risks, and organizations must ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data and potentially user credentials. This typically is a result of a cyber criminal injecting malware onto a device, such as a computer or smartphone, that is connected to a corporate network. 

Some strands of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data in an attempt to exfiltrate information. Many malware will lay dormant on a network to avoid detection by organizations’ security systems until data is exfiltrated subversively or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that sees corporate data fall into the hands of bad actors.

Threat monitoring through Intrusion Detection System

Intrusion Detection system often network and searches for known threats and suspicious or malicious traffic. When it detects a possible threat, the IDS sends an alert to the organization’s IT and security teams. IDS applications can be either software, which runs on hardware or network security solutions, or cloud-based, which protects data and resources in cloud environments.

Vishing Attack Lashed by Cyber Criminal

Vishing attacks, where perpetrators impersonate trusted IT support personnel to trick employees into granting access or revealing credentials. Once inside, they manipulate connected third-party applications, such as Salesloft’s Drift AI chatbot, to siphon sensitive data.

This method has proven alarmingly effective, as evidenced by the compromise of Google’s corporate Salesforce instance earlier this year, which exposed contact data for small and medium-sized businesses

UNC6040 & UNC6395 attack methodology

UNC6040, often associated with the notorious ShinyHunters collective, has refined a supply-chain attack vector that leverages OAuth token abuse. By compromising tokens from integrated apps, attackers gain persistent access without triggering immediate alarms.

As per FBI UNC6040, threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls.

On the other hand UNC6395, has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. They target third party application.

In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

Salesloft has taken has separated the Drift infrastructure and kept in isolation, also taken the artificial intelligence (AI) chatbot application offline. 

Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.250912.pdf

Cyber Experts reflect UNC6040’s operations extend beyond Salesforce, potentially linking to broader campaigns involving SaaS-to-SaaS connections.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack

Read more on cyber attacks: https://intruceptlabs.com/2025/09/tenable-more-cyber-vendors-impacted-by-third-party-salesforce-breach/

Posts on X from cybersecurity accounts, including shares from The Cyber Security Hub, underscore the real-time buzz around these threats, with users warning of the rapid spread of similar tactics across cloud ecosystems as of September 13, 2025.

IOC released from FBI include extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395.

This will assist network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise. Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

(Sources: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/)

Security Advisory

Angular SSR Vulnerability Allows Cross-Request Data Exposure (CVE-2025-59052) 

Security Advisory: A high security flaw was discovered in Angular’s server-side rendering (SSR) functionality that could lead to cross-request data leakage due to a global race condition. This is identified as CVE-2025-59052, affects multiple versions of Angular’s @angular/platform-server, @angular/ssr and @nguniversal/common packages.

With data breaches at highest, Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.

Severity High 
CVSS Score 7.1 
CVEs CVE-2025-59052 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Angular is a popular open-source web application framework developed by Google, used to build dynamic, single-page applications (SPAs) and server-rendered apps using HTML, TypeScript and JavaScript.

When multiple SSR requests are processed concurrently, sensitive state information may be inadvertently shared, potentially exposing user tokens or private data across unrelated sessions. The Angular has released patches across all active branches and urges developers to update immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Race condition vulnerability  CVE-2025-59052 Angular platform-server, ssr  High  v18.2.14, v19.2.15/16, v20.3.0, v21.0.0-next.3 

Technical Summary 

Angular uses a dependency injection (DI) container called the platform injector during SSR to hold request-specific data. This container was implemented as a global module-scoped variable, introducing a race condition when multiple requests were processed simultaneously.

This flaw could cause data meant for one user to be sent in the response to another, potentially leaking authentication tokens, headers, or private content.

Affected APIs include bootstrapApplicationgetPlatform, destroyPlatform. These changes introduce SSR-only breaking changes, with automatic migration schematics available through the Angular CLI update process. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-59052 Angular SSR v16 to v21 Race condition in global DI container during SSR could leak user data across requests Cross-Request Data Leakage 

Recommendations

Upgrade Angular packages to the latest patched versions: 

Package Affected Versions Fixed Versions 
@angular/platform-server >=16.0.0-next.0 <18.2.14 
>=19.0.0-next.0 <19.2.15 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.14 
19.2.15 
20.3.0 
21.0.0-next.3 
@angular/ssr >=17.0.0-next.0 <18.2.21 
>=19.0.0-next.0 <19.2.16 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.21 
19.2.16 
20.3.0 
21.0.0-next.3 

If Immediate Upgrade is Not Possible, you can follow the recommendations below 

  • Disable SSR via server routes or build configurations 
  • Remove asynchronous behavior from custom bootstrap functions 
  • Eliminate use of getPlatform() in server-side code 
  • Ensure ngJitMode is set to false in production builds 

Conclusion: 
The Angular SSR vulnerability CVE-2025-59052 is the high severity issue with global state management during concurrent request processing, resulting in potential cross-request data exposure.

Though not yet exploited in the wild, the risk is significant for SSR-enabled Angular apps. Developers are urged to apply updates promptly or follow the provided mitigation steps to secure their applications. 

As per reports this vulnerability requires no special privileges or user interaction, making it both easy to exploit and dangerous in high-traffic applications.

References

Hashtags 

#Infosec #CyberSecurity #Angular #SecurityAdvisory #WebSecurity #Vulnerabilitymanagement #DevSecOps #PatchManagement #CISO #CXO #Intrucept 

Blogs

Jaguar Land Rover Data Hack reveal Significance of Security & Privacy by Design

Jaguar Land Rover announced suffering they hit by a cyberattack in August that severely disrupted its production and retail activities. Cyber criminals stole data, held by the carmaker, it has said, as its factories in the UK and abroad face prolonged closure. This massive data hack reveal that every stakeholder in the supply chain must be embed and lazed with security and privacy by design.

Principle of security by design

So the ever evolving automotive industry and modern vehicles are more of software, which means more coding which goes upto 100 million codes and this is growing in numbers and run more applications then ever before.

So the more coding and software, the more lucrative it is for attackers to target systems and codes and if security flaws exist then its a heaven for cyber criminal as it is now easy target for data privacy leaks etc.

Best practices for Securing by Design principles and software development are enough to address the emerging risk to automotive systems and other systems within the vehicle.

According to the BBC, three plants were affected: the ones in Solihull, Halewood and Wolverhampton. Also the cyberattack forced the company to disconnect some systems, which led to factories in China, Slovakia and India getting shut down and workers being instructed to stay at home. 

As per the company suppliers and retailers for JLR are also affected, some operating without computer systems and databases normally used for sourcing spare parts for garages or registering vehicles.

Scattered Spider group behind the cyber attack

As per reports the notorious Scattered Spider  the hackers group is credited for the attack on JLR. The threat actor was also linked to recent attacks against major UK retailers, as well as several other industries worldwide. 

This is the second cyberattack that hit JLR this year. In March, the Hellcat ransomware group claimed to data theft which were in hundreds of gigabytes of data from the carmaker.

July we witnessed how Scattered spider group targeted the aviation and retail sector

https://intruceptlabs.com/2025/07/scattered-spider-group-target-aviation-sector-third-party-providers-to-vendors-are-at-risk-solutions-that-will-improve-security-posture/

Addressing cyber security challenges in Automotive security

Organization addressing such cyber incident in near future will require dedication that will extend to all levels. This includes data layer, connection layer, authentication layer and more.

If organizations are proactive enough in establishing comprehensive protective measures and ensuring reliable systems that wont fail and in place, ultimately will create safe environment for entire ecosystem more resilient against cyber disruptions.

Cybersecurity challenges in automotive innovation

The integration of advanced technology has brought the automotive industry face-to-face with complex cybersecurity challenges. Vehicle technology, now deeply intertwined with software, exposes both consumers and manufacturers to varied threats.

The challenge for manufacturers is finding the right balance between advancing connected features and securing those very connections against evolving threats.

Transformation in Automotive industry while navigating cautiously in the midst of cyber attack

The year 2025 is transformative for automotive industry as the industry witnessing many groundbreaking technological advancements that is lazed with challenges in cybersecurity and supply chain resilience.

Navigate cyber challenges

For automotive industry as a whole, opportunities are huge for the industry as a whole but will take concrete shape when fitted with with robust architecture, zero-trust security frameworks and being transparent. There is a need to have more collaborative mindset and approaches among manufacturers, suppliers and leaders in technology of which cyber security is now important part.

Intercept offers Mirage Cloak

Mirage Cloak the Deception Technology, offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

Sources: https://www.theguardian.com/business/2025/sep/10/jaguar-land-rover-says-cyber-attack-has-affected-some-data

Security Advisory

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.

This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.

Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-09-09 
No. of Patches 86 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Here are the CVE addressed for Microsoft & non-Microsoft 

  • 81 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed 

Breakdown of September 2025 Vulnerabilities 

  • 41 Elevation of Privilege (EoP) 
  • 22 Remote Code Execution (RCE) 
  • 16 Information Disclosure 
  • 4 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 1 Spoofing  
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows SMB Elevation of Privilege Vulnerability  CVE-2025-55234 Windows Server, Windows 10, 11  High 8.8 
Improper Handling of Exceptional Conditions in Newtonsoft.Json CVE-2024-21907 Microsoft SQL Server High 7.5 

Technical Summary 

September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.

One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.

Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-55234 Microsoft SMB Server Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. Privilege Escalation 
CVE-2024-21907 Newtonsoft.Json < 13.0.1 Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. Denial of Service 

Source: Microsoft and NVD 

In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed 

  • CVE202555232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface. 
  • CVE202554918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems. 
  • CVE202554110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations. 
  • CVE202554098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments. 
  • CVE202554916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges. 

Key Affected Products and Services 

The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core and Security Components 

Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher. 

  • Microsoft Office Suite 

Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors. 

  • Azure and Cloud Services 

Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC). 

  • Virtualization and Hyper-V 

Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks. 

  • Developer and Management Tools 

Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation. 

  • Communication & File Services 

Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats. 

Remediation: 

Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks. 

Conclusion: 
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.

Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.

References

Blogs

Tenable & More Cyber Vendor’s Impacted by Third Party Salesforce Breach

Proofpoint, Tenable, CyberArk are other Third-Party vendors impacted by Salesforce Breach.

In an advisory released Tenable disclosed that it “was among the many organizations impacted” in the Salesloft Drift attacks, during which “an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance.”

Impacted data includes “subject lines and initial descriptions provided by our customers when opening a Tenable support case” as well as standard contact information such as name, business email address, phone number and location reference.

Tenable products and data stored in the vendor’s products, were not affected, the company said. CRN has reached out to Tenable for further comment.

Tenable stated that standard business contact information, such as customer names, email addresses, phone numbers and location details, was also accessed. At this point, the company stated there is no evidence that this information has been misused.

The information accessed by the unauthorized party was limited to data within Tenable’s Salesforce environment. This included:

  • Commonly available business contact information, such as customer names, business email addresses, and phone numbers.
  • Regional and location references associated with customer accounts.
  • Subject lines and initial descriptions that customers provided when opening a support case.

Third party vendor’s prime target of cyber attack increase Enterprise Cyber Risk

Targeting vendors indicate how critical it is to maintain third-party risk and be cautious while managing security risks associated with these external partners, focal point of target and critical for any organization’s data security.

The Tenable and other vendors being targeted increase the responsibility of enterprise based Third-party cyber risk associated as vendors can be targets for cyberattacks.

If their security measures are weak, your company’s data could be compromised. Ensuring vendors have strong cybersecurity protocols is essential to protecting sensitive information.

Enterprise security posture indicate how third-party security is a set of practices that can identify these risks and protect your organization from security threats associated with any third-party entity.

Risks arising from third-party vendors, contractors and business partners who have access to your data and systems is more then critical.

Three more well-known cybersecurity vendors have joined the lengthy list of companies impacted in the recent breach of a third-party Salesforce application, with Proofpoint, Tenable and CyberArk disclosing they were affected in the widespread Salesloft Drift attacks.

CyberArk, a publicly traded identity security vendor that Palo Alto Networks has a deal to acquire for $25 billion.

In similar pattern an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance,” the company said.

Attack module

The attacks involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems. It’s unclear how threat actors obtained the tokens.

As per researchers, breach at Tenable was not an isolated attack but is linked to a wider, sophisticated campaign that security experts have been tracking. This campaign specifically exploits a vulnerability in the integration between Salesforce and Salesloft Drift, a popular sales engagement platform.

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Scroll to top