Intrucept

Blogs

Hackers Weaponizing AI Extension to steal Crypto Assets Through Malicious Packages

The amount of crypto  malware has doubled in the first quarter of 2025 as per research.

Kaspersky GReAT (Global Research and Analysis Team) experts have discovered open-source packages that download the Quasar backdoor and a stealer designed to exfiltrate cryptocurrency. The malicious packages are intended for the Cursor AI development environment, which is based on Visual Studio Code — a tool used for AI-assisted coding.

The fake extension, published under the name “Solidity Language,” had accumulated 54,000 downloads before being detected and removed.

What makes this attack particularly insidious is its exploitation of search ranking algorithms to position the malicious extension above legitimate alternatives.

How the Threat actors deceive the developers

During an incident response, a blockchain developer from Russia reached out to Kaspersky after installing one of these fake extensions on his computer, which allowed attackers to steal approximately $500,000 worth of crypto assets.

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package’s downloads count to 54,000.

After the malicious extension downloaded by the developer was discovered and removed from the repository, the threat actor republished it and artificially inflated its installation count to a higher number – 2 million, compared to 61,000 for the legitimate package.

The extension was removed from the platform following a request from Kaspersky.

The attackers leveraged the Open VSX registry’s relevance-based ranking system, which considers factors including recency of updates, download counts, and ratings. The attack infrastructure reveals a well-organized operation extending beyond this single incident.

In 2025, threat actors are actively publishing clones of legitimate software packages that, once installed, execute harmful payloads ranging from cryptocurrency theft to full codebase deletion.

The discovery leads us to think how cyber criminals take advantage of the trust inherent in open-source environments by embedding harmful code. All third-party code should be treated as untrusted until proven.

The threat actor behind these packages managed to deceive the developer by making the malicious package rank higher than the legitimate one. The attacker achieved this by artificially inflating the malicious package’s downloads count to 54,000.

After installation, the victim gained no actual functionality from the extension. Instead, malicious ScreenConnect software was installed on the computer, granting threat actors remote access to the infected device.

Using this access, they deployed the open-source Quasar backdoor along with a stealer that collects data from browsers, email clients, and crypto wallets. With these tools, the threat actors were able to obtain the developer’s wallet seed phrases and subsequently steal cryptocurrency from the accounts.

Mitigation Strategies from Intruceptlabs

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

Source: https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targeting-cursor-developers

Security Advisory

Critical Flaws Expose Schneider DCE to Remote Exploits – Patch Now 

Summary : Schneider Electric has found critical security flaws in its EcoStruxure IT Data Center Expert software (version 8.3 and earlier) which allow attackers to run harmful codes, steal data or disrupt data center operations. The EcoStruxure IT Data Center is a scalable monitoring solution for data center equipment. Through the web interface the flaw allows unauthenticated remote code execution when HTTP is enabled, though it is disabled by default.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-50121, CVE-2025-50122, CVE-2025-50123, CVE-2025-50125 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe flaw lets attackers execute commands remotely without logging in and other risks include weak password generation and privilege misuse.

Schneider urges users to upgrade to version 9.0. as a priority, if users are unable to update right now, users should secure their systems by limiting access, disabling unused services, using VPNs and security best practices. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
OS Command Injection  CVE-2025-50121 EcoStruxure IT Data Center Expert (DCE)  Critical  v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50122 EcoStruxure IT Data Center Expert (DCE)  High  v 9.0 
Insufficient Entropy (Weak Root Password Generation) CVE-2025-50123 EcoStruxure IT Data Center Expert (DCE) High v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50125 EcoStruxure IT Data Center Expert (DCE) High v 9.0 

Technical Summary 

The vulnerabilities have been identified in the system that exposes it to remote takeover, unauthorized access and internal data exposure.

At the core of the risk is a command injection flaw in the web interface, where unsanitized input allows attackers to execute system-level commands without authentication.

Compounding the issue is a weak password generation mechanism that uses low-entropy values, making root credentials easier to predict if installation or update packages are obtained.

Privileged users can also exploit unsafe input handling, specifically in fields like the hostname to inject and execute arbitrary code.

Furthermore, improper validation of internal HTTP requests allows attackers to perform server-side request forgery (SSRF), potentially accessing internal services and sensitive resources without credentials. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-50121 10.0 Web interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Unauthenticated RCE, full system compromise. 
CVE-2025-50122 8.3 Password generation system Allows unauthenticated attackers to run system commands via malicious folder in web interface. Root access by reverse-engineering password generation, leading to full control. 
CVE-2025-50123 7.2 Server console interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Arbitrary command execution by privileged users, risking internal misuse or escalation  
CVE-2025-50125 7.2 HTTP request handler Attackers manipulate hidden URLs to access internal services or run code without login. Unauthorized access to internal services, RCE and data exposure. 

In addition to the Critical and High Severity vulnerabilities, Two other medium severity issues were addressed. 

CVE-2025-50124 – Improper Privilege Management (CVSS 6.9) 
This issue allows privilege escalation through a setup script by a user already holding elevated access via the console. 

CVE-2025-6438 – XML External Entity (XXE) Injection (CVSS 6.8) 

 Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access. 

Remediation

  • Immediately upgrade to EcoStruxure DCE version 9.0 or the latest one to fix critical security flaws. 

Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.

Attackers could gain full access, run harmful commands, or steal data. It is strongly advised to update to version 9.0 or apply strict security measures to reduce the risks immediately.

IoT and Evolving Threat landscape

Industrial IoT security threats have evolved from theoretical concerns to active, persistent dangers that target manufacturing operations worldwide.

The convergence of traditional operational technology with modern information technology has created attack vectors that cybercriminals, nation-state actors, and industrial espionage operations actively exploit.

The financial impact of industrial cybersecurity incidents continues to escalate, with the average cost of a manufacturing sector data breach reaching $4.97 million in 2024, not including potential regulatory fines, business interruption losses, and long-term reputation damage. 

The security flaws in Schneider’s EcoStruxure IT Data Center Expert software exposes the dynamic threat landscape that may exist in Industrial IoT .


These vulnerabilities in Schneider Electric’s EcoStruxure DCE can seriously affect system security and data center operations. 

References

Security Advisory

Microsoft Plug 140 Vulnerabilities in July Patch Tuesday; SQL Server Zero-Day Disclosed 

Summary : July Patch Tuesday

The July 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-49719 in Microsoft SQL Server.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-07-08 
No. of Patches  140 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 140 vulnerabilities as part of July 2025 Patch Tuesday, including one publicly disclosed zero-day vulnerability affecting Microsoft SQL Server. Fourteen(14) of the vulnerabilities are classified as Critical, with ten(10) enabling Remote Code Execution (RCE).

Microsoft products impacted span across Windows, SQL Server, Microsoft Office, SharePoint, Hyper-V, Visual Studio and Azure services 

  • 130 Microsoft CVEs addressed 
  • 10 non-Microsoft CVEs addressed 

Breakdown of July 2025 Vulnerabilities 

  • 41 Remote Code Execution (RCE) 
  • 18 Information Disclosure 
  • 53 Elevation of Privilege (EoP) 
  • 5 Denial of Service (DoS)  
  • 8 Security Feature Bypass 
  • 4 Spoofing 
  • 1 Data Tampering 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SQL Server Information Disclosure CVE-2025-49719 Microsoft SQL Server High 7.5 

Technical Summary 

The information disclosure flaw arises from improper input validation, enabling a remote unauthenticated attacker to access data from uninitialized memory.

Microsoft also resolved a significant number of critical RCE vulnerabilities, particularly in Microsoft Office, SharePoint and Windows core components like Hyper-V and KDC Proxy. Several vulnerabilities can be triggered through minimal user interaction, such as viewing a document in the preview pane or interacting with network services. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-49719 Microsoft SQL Server Publicly disclosed information disclosure via improper input validation; attackers may access uninitialized memory Unauthorized data disclosure 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE-2025-49701 and CVE-2025-49704: Microsoft SharePoint, RCE over the Internet via authenticated access (CVSS 8.8) 
  • CVE-2025-49735: Windows KDC Proxy Service, Use-after-free vulnerability allowing unauthenticated RCE (CVSS 8.1) 
  • CVE-2025-47981: SPNEGO Extended Negotiation, Heap buffer overflow enabling RCE through crafted messages (CVSS 9.8) 
  • CVE-2025-48822: Hyper-V Discrete Device Assignment (DDA), RCE via PCI passthrough flaw in virtual environments (CVSS 8.6) 
  • CVE-2025-49717: Microsoft SQL Server, Heap-based buffer overflow enabling authenticated RCE (CVSS 8.5) 
  • CVE-2025-49695 to CVE-2025-49703: Microsoft Office/Word, Multiple RCEs via heap overflow, out-of-bounds read, type confusion (CVSS 8.4 & 7.8) 
  • CVE-2025-36357: AMD L1 Data Queue, Side-channel transient execution attack. 
  • CVE-2025-36350: AMD Store Queue, Speculative execution side-channel leak. 

Key Affected Products and Services 

The vulnerabilities addressed in July 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Components: 
    Windows Kernel, BitLocker, SSDP Service, Hyper-V, KDC Proxy and Routing and Remote Access Service (RRAS). 
  • Microsoft Office Suite: 
    Excel, Word, PowerPoint, and SharePoint with several vulnerabilities enabling Remote Code Execution (RCE) or Elevation of Privilege (EoP). 
  • Cloud and Enterprise Services: 
    Azure Monitor Agent, Microsoft Intune and Microsoft SQL Server. 
  • Development Tools: 
    Visual Studio and the Python extension for Visual Studio Code. 
  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the July 2025 security updates immediately to mitigate risks. 

Conclusion: 

The July 2025 Patch Tuesday reflects a large-scale update effort from Microsoft, addressing both known and undisclosed security risks. The zero-day (CVE-2025-49719) highlights ongoing concerns with SQL Server, while critical vulnerabilities in Office, SharePoint and core Windows services demand urgent patching.

Organizations should prioritize deployment of these patches and remain vigilant for any post-patch exploitation attempts, especially in externally facing applications. 

References

Security Advisory

CitrixBleed 2: Critical CVE-2025-5777 Vulnerability Under Active Exploitation with Public PoC Available

Summary ; A critical vulnerability identified as CVE-2025-5777 has been discovered in Citrix NetScaler ADC and NetScaler Gateway products configured as Gateway or AAA virtual servers.

The Citrix NetScaler is a networking gadget that delivers application access across distributed enterprise environments.

Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.

OEM Citrix 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-5777 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This out-of-bounds read flaw enables unauthenticated attackers to leak sensitive memory content, such as session tokens, by sending crafted HTTP POST requests. 

The vulnerability is actively exploited in the wild, with public PoC exploits and scanning tools available. Citrix has released patches, and urgent remediation is strongly recommended. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Out-of-bounds read vulnerability  CVE-2025-5777 NetScaler ADC & Gateway  Critical  14.1-43.56,   13.1-58.32, 13.1-FIPS/NDcPP 13.1 37.235, 12.1-FIPS 12.1-55.328 

Technical Summary 

CVE-2025-5777 arises from improper input validation during login requests on affected NetScaler devices. An attacker can exploit the flaw by submitting a malformed authentication request (eg. missing an equal sign in a POST login parameter). This leads the system to read uninitialized memory and leak up to 127 bytes of sensitive data. 

Attackers can extract session tokens and bypass multi-factor authentication (MFA) to hijack legitimate user sessions. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-5777 NetScaler ADC & Gateway 14.1 < 14.1-43.56 13.1 < 13.1-58.32 13.1-FIPS/NDcPP < 13.1-37.235 12.1-FIPS < 12.1-55.328 EOL: 12.1, 13.0. Insufficient input validation allows attackers to trigger a memory leak via malformed authentication requests. Session hijacking, MFA bypass, unauthorized access 

Proof of Concept (PoC): 

  • Execution Flow 

Attacker submits a malformed HTTP POST to: 

POST /p/u/doAuthentication.do HTTP/1.0 

Host: <NetScaler-IP> 

Content-Length: 5 

Connection: keep-alive 

login  

(Note: the ‘login’ parameter is included without an ‘=’ or value.) * 

  • Memory Leak Trigger 

Due to insufficient input validation, the backend neither initializes nor validates the ‘login’ field. This causes up to 127 bytes of uninitialized stack memory to be included in the XML response ‘<InitialValue>’ tag potentially containing session tokens or sensitive internal data.  

    Source: horizon3 

Remediation

  • Immediate Action: Upgrade to the latest fixed versions:  – NetScaler ADC & Gateway 14.1-43.56 or later 
    – NetScaler ADC & Gateway 13.1-58.32 or later 
    – NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235 or later 
     – NetScaler ADC 12.1-FIPS 12.1-55.328 or later 
     – EOL versions (12.1, 13.0) must be upgraded to supported releases. 

Recommendations: 

  • Session Invalidation: After patching, terminate all active ICA and PCoIP sessions using: 
      kill icaconnection -all 
      kill pcoipConnection -all. 
  • Audit: Review authentication and session logs for suspicious activity, including repeated POST requests and session reuse across unexpected IPs. 
  • Upgrade Legacy Systems: Migrate EOL devices to supported versions as they will not receive security fixes. 

Conclusion: 
CVE-2025-5777 (CitrixBleed 2) represents a critical memory leak vulnerability that is being actively exploited, with working public exploits widely circulated.

Attackers can extract session tokens and take over sessions even with MFA in place. Shodan scans reveal over 50,000 exposed NetScaler instances, with more than 1,200 unpatched as of late June 2025 

Given its severity, public exploitation, and impact, organizations must act immediately to patch vulnerable systems, revoke active sessions, and migrate away from unsupported versions.

This vulnerability echoes the risks of the original CitrixBleed, emphasizing the importance of proactive defense in depth. 

References

Hashtags 

#Infosec #CyberSecurity #Critix #NetScaler #SecurityAdvisory #Vulnerabilitymanagement # Patch Management #CISO #CXO #Intrucept  

Security Advisory

Grafana Rolls out Updates on Critical Chromium Vulnerabilities; CVE-2025-6554 a Zero day Vulnerability

Summary : Grafana has issued urgent patches to address multiple high-severity vulnerabilities stemming from underlying flaws in the Chromium V8 JavaScript engine.

OEM Google 
Severity High 
CVSS Score 8.1 
CVEs CVE-2025-6554, CVE-2025-5959, CVE-2025-6191 CVE-2025-6192 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The most critical of these, CVE-2025-6554, is a zero-day vulnerability that was actively exploited in the wild. Several of these bugs, if unpatched, could allow attackers to execute arbitrary code, perform memory corruption or bypass sandbox protections via malicious HTML content.

Grafana users running affected versions of Image Renderer and Synthetic Monitoring Agent are strongly advised to update immediately. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 
Type Confusion in V8 Engine vulnerability CVE-2025-5959 Google Chrome High 137.0.7151.103/.104 (Windows & Mac) 137.0.7151.103 (Linux) 
Integer overflow in V8 Engine vulnerability CVE-2025-6191 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 
Use-after-free in Metrics (Profiler) in Google Chrome CVE-2025-6192 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 

Technical Summary 

Grafana has patched four high-severity Chromium V8 vulnerabilities in its Image Renderer and Synthetic Monitoring Agent. The most critical, CVE-2025-6554 is a zero-day type confusion bug that was actively exploited. Other flaws include CVE-2025-5959 (remote code execution), CVE-2025-6191 (integer overflow) and CVE-2025-6192 (use-after-free).

Affected versions are Image Renderer < 3.12.9 and Synthetic Monitoring Agent < 0.38.3. Users should update immediately to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  
CVE-2025-5959 Chrome on Windows, macOS, Linux Type Confusion in V8 in Google Chrome prior to allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Remote code execution.  Potential system compromise. 
CVE-2025-6191 Chrome on Windows, macOS, Linux Integer overflows in V8 in Google Chrome prior to allowing a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Arbitrary code execution. Memory Corruption. 
CVE-2025-6192 Chrome on Windows, macOS, Linux Use after free in Metrics in Google Chrome prior to allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page. Arbitrary code execution.  

Remediation

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • macOS: 138.0.7204.92/.93, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • Linux: 138.0.7204.96, 137.0.7151.103, 137.0.7151.119 

Other Chromium-based browsers (Edge, Brave, Opera etc.) should also be updated as patches become available from their respective vendors. 

Conclusion: 
The criticality of CVE-2025-6554, CVE-2025-5959, CVE-2025-6191, CVE-2025-6192 in the wild highlights the urgency of applying the latest Chrome security update.

Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

References

Security Advisory

Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released 

Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.

Severity High 
CVSS Score 7.0 
CVEs CVE-2025-6019 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where: 

  • udisksd is installed and running (e.g., Fedora, SUSE) 
  • Users in the allow active group are trusted to execute disk-related actions 
  • libblockdev fails to validate privileged backend operations under unprivileged contexts 

This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication. 

Vulnerability Name CVE ID Product Affected Severity 
​Local Privilege Escalation Vulnerability  CVE-2025-6019 udisksd / libblockdev  High 

Technical Summary 

This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions. 

An attacker can exploit this by  

  • Crafting a malicious disk image (like XFS with a SUID-root shell). 
  • Using “udisksctl mount -b /dev/loop0” to mount it as root. 
  • Escalating privileges and compromising the system. 
CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6019 Fedora, SUSE, and other Linux distros using udisks2/libblockdev Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations.  Local privilege escalation to root 

Remediation

Here are the recommendations below 

  • Update “udisks2” and “libblockdev” to the latest versions provided by your distribution. 
  • Audit and restrict membership of the “allow_active” group. 
  • Disable unsafe or legacy D-Bus actions in system services where possible. 

Conclusion: 
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.

The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments. 

Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface. 

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Blogs

Cyber-Breach on Qantas Airliner re-echo’s Cyber Risk associated with Third Party

Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly  six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.

Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.

KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years. 

Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.

We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.

In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.

Last week, FBI said Scattered Spider group  was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:

Key pointer of the Qantas Breach

The Cyber hacker broke into a database containing the personal information of millions of customer.

The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.

The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).

If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.

Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.

The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). 

How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large

First ensure your third party vendor’s meet the required robust security posture

Vendor risk assessment must be done holistically by streamlining due diligence

Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.

As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.

Managing Third party risk with Intru360

A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.

KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.

With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.

Prebuilt playbooks and automated response capabilities.

Over 400 third-party and cloud integrations.

More than 1,100 preconfigured correlation rules.

Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.

Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

https://kpmg.com/us/en/articles/2022/ten-key-regulatory-challenges-2023-risk-governance.html
https://www.sbs.com.au/news/article/qantas-data-breach-everything-we-know-so-far-about-stolen-customer-details/49iggxre0

Blogs

Scattered Spider Group Target Aviation Sector; Third Party Providers to Vendors at Risk. Solutions to Improve Security Posture

Recently the Scattered Spider Hacker group or cybercriminals are targeting the airline industry at large and keen interest on aviation sector.

The Scattered Spider group relies mostly on social engineering techniques that can impersonate employees or contractors to deceive IT help desks into granting access” and frequently involves methods to bypass multifactor authentication (MFA), as per observation by FBI.

Earlier the group breached at least two major US airlines in June, bypassed security protocols by exploiting remote access tools and manipulating support staff as reported by CNN .

There is a growing cyber risk on aviation sector and how the air traffic control is managed during attack which makes subsequent aviation systems vulnerable to cyberattacks due to outdated technology in many cases.

And cyber criminals are resorting to advanced techniques by which they can halt operations via cyberattacks that have the ability to take over or invade technology systems which in turn disrupt information flow from the aircraft to pilots to the airlines’ operations center resulting in chaos and delay in flight operations.

Every operation and service delivered by airlines is supported by technology and once that is not responding ,subsequent operations are halted i.e. flight management software, air traffic control communications, baggage handling systems and in-flight entertainment platforms will fail inevitability.
Recently the Scattered Spider group was behind a big data breach potentially exposing Social Security numbers, insurance claims and health information of tens of millions of customers.

Repercussions of Data Breaches Impacting Third parties

Cybercriminals often take advantage of fragile cyber security posture linked to smaller third parties that provide services to larger, well-established enterprises or industry. In-fact many vendors dont have cybersecurity protection and proper cybersecurity awareness in place to mitigate against attacks.

Cyber attacks have evolved to become increasingly complex, making vendor risk management critical. With rise in digital transformation, cloud services and AI technology has given cyber criminals greater potential to penetrate unsecured networks and systems more then ever.

Address the Threat Landscape with Best Practices

Data breaches that originate from third-party vendors cause big fines and legal consequences are huge and affect primary organization. Along with these challenges, organizations often rely on third parties for critical services and cyber criminals take advantage of these vulnerability.

Organizations can still take steps to mitigate and defend against these attacks even as they onboard new vendors or service providers.

Let us see the emerging threats across third-party vendors:

  • Supply chain attacks by cybercriminals often target companies that supply services to many different companies (e.g. MSPs, IT) they cause great impact as IoT and other hardware devices manufactured by third parties can be infected malicious firmware .These malware can steal sensitive data. 
  • Ransomware-as-a-Service (RaaS)The dark web often sells kits (RaaS) and now it is combined with generative AI making attractive for cyber criminals to launch attacks. RaaS can disrupt critical services of organizations.
  • Threat from third parties Unintentional human error occur where providers misconfigure not so accurate data or data deletion happens or poor cybersecurity practices of easy passwords circulating among users. There could also be vendors with financial motives who don’t go through the same security process known as insider threat and don’t pass security test laid for regular employees.
  • Software supply chain attacks As we witnessed outsourcing third-party SaaS services and cloud technology makes it easy to target vulnerabilities in software code. This impacting hundreds of well-established organizations using the same software and same chain of malware flows.
  • Cloud vulnerabilities The provider or cloud service is responsible for securing the cloud infrastructure while the customer or vendor is responsible for securing their data and applications. A lack of proper security measures by the customer or third party can result in data breaches, data loss or supply chain attacks. Since cloud service or data center is all outsources so security lapse may happen
  • Advanced Persistent Threats (APTs) is linked to State-sponsored attacks who generally target third parties to penetrate into systems over an extended period of time. For example, they might compromise a third-party network to gain lateral access to the main organization’s IT infrastructure, making it difficult to detect in time.   
  • Deepfake and social engineering attacks. Emerging AI-technology can manipulate employee or C-level executives to trick users into divulging information to execute identity fraud, phishing attacks, sign fraudulent contracts, or gain unauthorized access to restricted systems and networks. 
  • Zero-day exploits exploited by cyber criminals before they are identified by developers and third-party providers and patched. At times if patch is slow process attackers launch attacks during this delay.   

Solutions that will improve Security Posture with Intru360 from Intruceptlabs

The new business environment demands IT support for a wider range of monitoring, security and compliance requirements. This creates significant burdens on network performance and network security as more appliances need access to incoming data.

Intrucept platform (Intru360) cover overall risk, detection, prevention, correlation, investigation, and response across endpoints, users, networks, and SaaS applications, offering end-to-end visibility.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Sources: https://www.darkreading.com/cyberattacks-data-breaches/scattered-spider-hacking-spree-airline-sector

Uncategorized

Google Chrome Zero-Day Vulnerability (CVE-2025-6554) Actively Exploited – Patch Now 

Summary : Security Advisory: Google has issued an urgent security update for Chrome browser users worldwide, addressing a high-severity zero-day vulnerability in the Chrome browser CVE-2025-6554 actively being exploited by cybercriminals.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-6554 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This is a type confusion flaw in Chrome’s V8 JavaScript engine allows arbitrary code execution and it’s actively being exploited in the wild. 

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025, and a temporary mitigation was pushed on June 26, 2025. This internal discovery highlights the ongoing security monitoring efforts within Google’s infrastructure.

The mitigation measure passed through a configuration change pushed to all stable channel users across all platforms.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 

Technical Summary 

CVE-2025-6554 is a type confusion vulnerability in Chrome’s V8 JavaScript engine. It allows threat actors to exploit memory misinterpretation and execute arbitrary code, potentially compromising the browser or the underlying system. Google has confirmed active exploitation of this flaw. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  

Remediation

A full fix is available in the latest stable channel update. Users are strongly advised to update immediately to ensure full protection. 

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97 
  • macOS: 138.0.7204.92/.93 
  • Linux: 138.0.7204.96 

Conclusion: 

The exploitation of CVE-2025-6554 in the wild highlights the urgency of applying the latest Chrome security update. Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

Organizations using Chrome in enterprise environments should prioritize this update across their networks.

The combination of confirmed active exploitation and the high-severity rating makes this patch deployment critical for maintaining organizational cybersecurity posture.

Refer to Intruceptlabs products & solution for better cyber security posture with Intru360, Gaarud Node

References

Scroll to top