Intrucept

Blogs

Iran & Israel war shaping cyber warfare; Hacktivism a tool used widely for Proxy Warfare

Iran & Israel war shaping cyber warfare; Hacktivism a tool used widely for Proxy Warfare

The latest in geo -politics is Israeli air strikes on Iran that triggered Hacktivist to attack and they chose social media platform to announce their activities ‘The Telegram platform’. Now cyber war fare is taking a different path and has no borders and enemy is not visible. One shot of attack is enough to bring down and cripple and entire system starting from banking systems to power grids.

Hacktivist group often uses Telegram as first approach to share about their cyber-attacks and victims list. The hacktivist group DieNet claimed that they will attack Israeli radio stations and   announced it in Telegram.

Israeli cyber officials expect more spear-phishing, malware and similar patterns of attack attempts in the days ahead. Iran is currently engaged in a cyber-conflict with Israel and uses major two hacktivist groups that helps conduct destructive cyber-attacks, linked to Iran’s Ministry of Intelligence and Security (MOIS).

According to NSFOCUS Fuying Lab, hacker groups targeting Israel and Iran have been active since 2025. Up to now, there are about 170 hacker groups attacking Israel, with about 1,345 cyber attacks on Israel, including about 447 cyber attacks launched against Israel after the conflict broke out. (The Hacktivist Cyber Attacks in the Iran-Israel Conflict – Security Boulevard)

In the past Russia has used “hacktivism” as a tool for proxy warfare for various forms of cyber activities to create fear and uncertainty on their opponent.

The Iranian Cyber Units or forces are mostly linked to MOIS and IRGC the hackers group who use fake identities or front groups to hide their state connections.

Surge in Disruptive Cyber Operations

According to Radware, a global cybersecurity provider, Israel has faced an average of 30 DDoS attacks per day since the conflict’s onset. These attacks primarily target government and public institutions (27%), manufacturing (20%), telecommunications (12%), and media platforms (9%).

DDoS operations overload online services, rendering them inaccessible and often accompany website defacements and data leaks to maximise disruption during crises.

The pro-Iranian hacker group’s attacks on Israel peaked on June 16, the day after the Israeli military’s “massive strike” against multiple Iranian weapons production sites, including surface-to-surface missile production sites, detection radar bases and surface-to-air missile launchers in Tehran.

The targets of attack were mainly concentrated on Israeli government and public sector, national defense, aerospace, education and other industries.

The War in disguise-fought with malicious coding

Now along with tanks and war machineries, another kind of war is being simultaneous wagged i.e. cyber warfare. Here it is unconventional warfare no border no clear enemy. Everything is in disguise to create more sensation and install fear. This is being conducted by either by various state sponsored espionage or individual groups who are posing challenge for nation security.

And sometimes this kind of cyber-attack is fatal as malicious code on any application software can damage the system. Imagine doctors not able to open the required files in their system to check patient history on time, due to swarm of malicious code being pushed in their system and is life threatening for the patient as there is a delay to start treatment.

Again malicious code threats are hidden in software and mask their presence to evade detection by traditional security technologies.

Once any encrypted coding being pushed by threat actors inside organizations network, they can enter network and mail, overload with email messages, steal data like passwords and even reformat hard drives.

Hacktivist are now more empowered and Cyber warfare is now fought in disguise to exert influence and destabilize adversaries. Many methods used by Iran in destructive cyber attacks mirror those used by large ransomware groups, such as abusing vulnerabilities in VPN applications to gain entrance. 

Emergence of New Axis in Cyber warfare

Those countries who lack in having a resilient cyber security infrastructure or organizations particularly fragile are soft targets becomes unintended battlegrounds in the global cyber war.

They make the easy victims either via hacking; data theft, cyber extortion and sometimes major cyber-attack that can sabotage their government systems.

If your capability suffers and able to provide effective defense then remaining vulnerable is an option slowly loosing creditability.

Either as a organization or country this growing disparity in cyber defense capacity has emerged as a new axis of global inequality and thriving grounds for threat actors.

The wave of cyber activity in this present state of Iran and Israel war, highlights how modern conflicts extend beyond physical battlegrounds. Attacks on infrastructure highlights the strategic importance of digital resilience.

Iranian state-sponsored hackers, particularly the APT35 group (also known as Charming Kitten), reportedly used AI to enhance their cyberattacks.

According to Check Point, these operations targeted Israeli cybersecurity experts, computer scientists, and tech executives with sophisticated phishing attempts. The attackers used fake messages and emails designed to trick people into sharing sensitive information, along with realistic decoys and fake login pages mimicking Google’s. 

Here are recommendations to secure your networks against cyber-attacks, happening in disguise. How to improve organizational resilience.

  • First have clear visibility across your network as traffic flows, without visibility it is not possible to stop attack. You can’t defend if your enemy is not visible. Once you have visibility, you can see across the threat landscape in your network and gather intelligence.
  • Now with insights one gathers it’s time to turn insights into action and understand the tactics employed by threat actors. These insights are keys to set up proactive defense.
  • Bring Intrucept as a part of your Security team. We are here to assist you as you need a deeper understanding of evolving threats and ways to mitigate them. Our next gen SIEM is a comprehensive solution for Security Information. It gathers information and then interprets, centralizing all security data for organizations.

For visibility Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack.

  • Simply your workflows with Intru360, which automatically handles alerts, allow faster detection of both known and unknown threats.
  • When it is question of cyber security and threats most organizations face, one need’s to have confidence in the threat intelligence one uses
  • Once you are able to identify latest threats and you will not have to purchase, implement and oversee several solutions and even manage a team security analyst, it is easier. You get to save time and reduce complexity while researching for threats.

At the end we can say its not only responsibility for Government to respond or remain alert to cyber attacks and hackers foul play.

The present decade will witness more cyber war that is parallel along side when two nations go at war with each other deploying different AI-driven tools in their attacks. It is high time to stay alert and practice safe cyber security measures at individual level and enterprise level.

Sources: Reflections of the Israel-Iran Conflict on the Cyber World – SOCRadar® Cyber Intelligence Inc.

https://8am.media/eng/the-role-of-cyber-warfare-in-shaping-global-power-dynamics/#
Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Citrix NetScaler ADC/Gateway Vulnerability Exploited in the Wild (CVE-2025-6543) 

Summary : Security Advisory;

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

OEM Citrix 
Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-6543 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

A critical memory overflow vulnerability, CVE-2025-6543, has been discovered in NetScaler ADC and NetScaler Gateway products, potentially leading to denial-of-service and unintended control flow. The issue affects deployments configured as Gateway services. Active exploitation in the wild has been reported. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Memory overflow vulnerability  CVE-2025-6543 NetScaler ADC and NetScaler Gateway  Critical  14.1-47.46 / 13.1-59.19 / 13.1-37.236 

Technical Summary 

CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway products that can result in denial-of-service (DoS) or arbitrary control flow, particularly when the system is configured as a Gateway or AAA virtual server.

The flaw stems from improper restriction of operations within memory buffer bounds (CWE-119). This vulnerability has been exploited in real-world attacks. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-6543 NetScaler ADC & Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP Memory overflow due to improper memory boundary restrictions when configured as Gateway or AAA virtual servers  Denial-of-Service and Unintended control flow 

Remediation

  • Immediate Action: Affected customers are strongly advised to upgrade to the fixed versions: 
Product Version Recommended Fixed Build 
NetScaler ADC / Gateway 14.1 14.1-47.46 or later 
NetScaler ADC / Gateway 13.1 13.1-59.19 or later 
NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236 or later 

Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable. These should be replaced with supported, patched builds. 

Customers using FIPS or NDcPP variants should contact Citrix Support directly for access to the fixed builds. 

Conclusion: 
CVE-2025-6543 represents a highly critical risk to organizations utilizing NetScaler Gateway or ADC for secure access and application delivery.

Organizations still using outdated or end-of-life (EOL) versions are especially vulnerable and should prioritize upgrading to supported builds. 

This flaw follows a pattern of severe vulnerabilities affecting NetScaler products, including the recently disclosed CVE-2025-5777 (CVSS score: 9.3), which also posed a significant threat to enterprise infrastructure.

Together these issues highlight the urgent need for timely patching, continuous monitoring, and defense-in-depth strategies to safeguard critical network assets. 

With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.

Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Blogs

16 Billion Passwords Leaked in Largest Data Breach; Impact of Infostealer Malware

Data Breach with 30 exposed Datasets & contained approx 10 to 3.5 billion records making it one of the largest data breach.

According to a report security researchers from Cybernews found about a Data breach that leaked important data or passwords that was mostly generated by various cybercriminals using info stealing malware. They exposed data was made to look like a breach but these login credentials were gathered from social media, corporate platforms, VPNs etc via infostealer.

Now cybercriminals have unprecedented access to personal credentials and these credentials be used for account takeover, identity theft and targeted phishing activities.

The concern is the structure and recency of these datasets as they are not old breaches being recycled. This is fresh, weaponizable intelligence at scale”, added researchers.

The data sets contains a mix of details from stealer malware, credential stuffing sets and repackaged leaks. There is no way to compare these datasets, but likely to contain at least some duplicated information. This makes it hard to determine how many people were affected by the data breach.

What are Data sets & how deadly can be Infostealer as a malware?

Datasets are basically structure collection of data collected over the years or so and organized as case specific models

In 2024 datasets containing billions of passwords have previously found their way on the internet. Last year, researchers came across what they called the Mother of All Breaches, which contained more than 26 billion records.

The data breach that happened had data in sets, following a particular pattern, containing an URL followed by a username and password. To those unaware, this is exactly how infostealing malware collects information and sends it to threat actors.

The exposed data came from platforms widely used round the world starting from Google, Apple, Github, Telegram & Facebook. So data was first collected over a period of time, further made into data sets and grouped together.

Info stealers are malware programs that are designed to silently steal usernames and passwords Basically designed to swipe of credentials from people’s devices and send them to threat actors for further them for sale on dark web forums.

An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide. No device is spare from infostealer’s impact including Windows and Macs, and when executed, will gather all the credentials it can find stored on a device and save them in what is called a “log.”

If a organization or individual is infected with an infostealer and have hundreds of credentials saved in their browser, the infostealer will steal them all and store them in the log. These logs are then uploaded to the threat actor, where the credentials can be used for further attacks or sold on cybercrime marketplaces.

An infostealer log is generally an archive containing numerous text files and other stolen data.

Fig1:

(Image courtesy: Bleeping computers)

A devastating data breach is a nightmare for customers and affected organizations, but breaches can have a positive side also. Each incident is a learning opportunity. It’s easier to defend critical data when we understand the mistakes made by others and the tactics used by attackers.

How to be secure & keep your Data safe

If users are in midst of data breach or may find that their data is not safe as an infostealer might be there in your systems or devices then scan your device with an antivirus program. Once done then change password or your newly entered credentials could be stolen again. The system is clean so password hygiene can be maintained time to time.

At times even unique passwords won’t help you stay protected if you are hacked, fall for a phishing attack, or install malware. Its better not to change all credentials in one go instead having a cyber security hygiene in routine is better as an option.

Intru360

For organizations to stop and detect any intrusion by attackers prefer to have Intru360 in your list of cyber security go to products from Intruceptlabs.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Globally every year cyberattacks are growing and mutating each month. Organizations have their Intelligent intrusion network detection systems in place analyze and detect anomalous traffic to face these threats.

Do visit our website for more information.

Source: https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/amp/

Uncategorized

Privilege Escalation Vulnerability in AI Engine WordPress Plugin, Allows Subscriber-Level Account Takeover 

Summary :Security Advisory: A critical privilege escalation vulnerability (CVE-2025-5071) was discovered in the AI Engine WordPress plugin, allowing subscriber-level users to gain administrator privileges when the MCP (Model Context Protocol) module is enabled.

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-5071 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘Meow_MWAI_Labs_MCP::can_access_mcp’ function in versions 2.8.0 to 2.8.3.

This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like ‘wp_create_user’, ‘wp_update_user’ and ‘wp_update_option’, which can be used for privilege escalation, and ‘wp_update_post’, ‘wp_delete_post’, ‘wp_update_comment’ and ‘wp_delete_comment’, which can be used to edit and delete posts and comments.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-5071 AI Engine WordPress Plugin  High  2.8.4 

Technical Summary 

AI Engine is a WordPress plugin that recently introduced support for MCP (Model Context Protocol), which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.

The vulnerability stems from insufficient authorization checks in the can_access_mcp () function within the plugin, enabling any authenticated (logged-in) user to bypass Bearer Token validation and access MCP endpoints.

This access can be exploited to escalate user privileges by executing commands such as wp_update_user, ultimately leading to full site compromise. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-5071  WordPress with AI Engine Plugin 2.8.0–2.8.3 The can_access_mcp() function incorrectly grants MCP endpoint access to all logged-in users. Even when Bearer Token authentication is enabled, lack of empty value checks in the token validation logic allows privilege escalation.  Complete site compromise 

Remediation

  • Immediate Action: Update the AI Engine plugin to version 2.8.4 or later. 
  • Configuration Check: Ensure that MCP and Dev Tools modules remain disabled unless it’s necessary. 

Conclusion: 
The CVE-2025-5071 vulnerability in the AI Engine WordPress plugin highlights the potential risks when advanced modules like MCP are misconfigured.

Even though the feature is disabled by default, sites that have enabled it become susceptible to complete takeover by authenticated users.

Website administrators are urged to update to version 2.8.4 immediately and verify that security best practices are enforced to prevent such escalations. With over 100,000 active installations, this flaw presents a significant risk to the WordPress ecosystem if left unpatched. 

References

t  

Security Advisory

Veeam Backup Patched Critical Vulnerabilities Enabling RCE & Privilege Escalation 

Summary ; Security Advisory

Veeam disclosed three critical vulnerabilities affecting its widely deployed backup software. Veeam Backup & Replication is an enterprise-grade data protection solution used to back up, recover and replicate virtual machines, cloud workloads including physical servers.

OEM Veeam 
Severity Critical 
CVSS Score 9.9 
CVEs CVE-2025-23121, CVE-2025-24286, CVE-2025-24287 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Multiple high-impact vulnerabilities have been disclosed in Veeam Backup & Replication and Veeam Agent for Microsoft Windows, impacting versions prior to 12.3.2 and 6.3.2 respectively.

The most critical issue (CVE-2025-23121) may allow a remote code execution (RCE) on the backup server by an authenticated domain user, effectively granting complete control over backup infrastructure. 

The vulnerabilities also include risks of unauthorized modification of backup jobs (CVE-2025-24286) and privilege escalation via local directory manipulation (CVE-2025-24287). These flaws could enable attackers to execute arbitrary code or gain elevated permissions. 

These flaws pose significant risks to organizations relying on Veeam for data integrity and disaster recovery. The data protection system of an organization may get affected if compromised and threaten domain-joined backup servers.

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution via Authenticated Domain User  CVE-2025-23121 Veeam Backup & Replication  Critical (9.9) 
Arbitrary Code Execution via Backup Operator Role Abuse  CVE-2025-24286 Veeam Backup & Replication  High (7.2) 
Privilege Escalation via Directory Manipulation  CVE-2025-24287 Veeam Agent for Microsoft Windows  Medium (6.1) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-23121  Veeam Backup & Replication 12.3.1.1139 and all earlier v12 builds A remote code execution vulnerability affecting domain-joined Veeam backup servers. An authenticated domain user may execute arbitrary commands with elevated privileges.   Remote Code Execution 
  CVE-2025-24286 Veeam Backup & Replication 12.3.1.1139 and earlier  Authenticated users with the Backup Operator role can modify backup job configurations to inject and execute code.   Arbitrary Code Execution 
  CVE-2025-24287  Veeam Agent for Microsoft Windows 6.3.1.1074 and earlier  Local users can manipulate directory contents leading to code execution with elevated privileges.  Local Privilege Escalation  

Remediation

Users are strongly advised to apply the following updates to mitigate the risks: 

  • Upgrade Veeam Backup & Replication to 12.3.2 (build 12.3.2.3617) or later 
  • Upgrade Veeam Agent for Microsoft Windows to 6.3.2 (build 6.3.2.1205) or later 

Here are some recommendations below 

  • Limit backup server access to trusted users only to reduce the risk of unauthorized control. 
  • Apply least privilege principles for backup roles so users have only the permissions they need. 
  • Regularly monitor backup job changes and system logs to detect suspicious activity early. 
  • Provide security awareness training to staff focusing on backup and recovery best practices. 

Conclusion:  For Security Best practices

Veeam has released patches to address all three vulnerabilities and urged organizations to update Veeam Backup & Replication 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205) as soon as possible.

For security best practices maintaining up-to-date backup systems, prompt patching and adherence to security best practices are essential to prevent potential exploitation and data compromise.

The critical nature of vulnerabilities demands backup and disaster recovery along with strict access controls and ongoing monitoring as essential tips to safeguard infrastructure that have been backed up from potential attacks. 

References

Security Advisory

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass  

Security Advisory; Summary

Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.

Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.

OEM Apache 
Severity High 
CVSS Score 8.4 
CVEs CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading. 

Timely patching is essential to prevent potential service disruptions and unauthorized access. 

Vulnerability Name CVE ID Product Affected Severity 
​Memory Exhaustion via Multipart Header Exploitation  CVE-2025-48976 Apache Tomcat  High 
Multipart Upload Resource Exhaustion  CVE-2025-48988 Apache Tomcat  High 
Security Constraint Bypass (Pre/PostResources)  CVE-2025-49125 Apache Tomcat  High 
Windows Installer Side-Loading Risk  CVE-2025-49124 Apache Tomcat  High 

Technical Summary 

The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48976 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS.  Denial-of-service attack. 
  CVE-2025-48988 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts.  Denial-of-service attack. 
  CVE-2025-49125  Tomcat with Pre/Post Resources enabled Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls. Authentication and Authorization Bypass. 
  CVE-2025-49124  Tomcat Windows Installers Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. Privilege Escalation. 

Remediation

Update Immediately: Users of the affected versions should apply one of the following mitigations. 

  • Upgrade to Apache Tomcat 11.0.8 or later 
  • Upgrade to Apache Tomcat 10.1.42 or later   
  • Upgrade to Apache Tomcat 9.0.106 or later 

Conclusion: 

Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls. 

The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.

Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.

References

  • https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db 

Blogs Security Advisory

Cyber-Security News at a Glance: June1st -June15th, 2025

The current cybersecurity landscape continues to evolve, marked by persistent challenges and digital technologies transforming the cyber world. Across industries such as healthcare and financial services, in the month of June,2025, organizations navigated advanced threats, cyber attacks on retail sector including Security advisory’s etc.

Let’s explore the key trends and incidents from June1st -June15th, 2025

Microsoft June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI 

 A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.  AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator. 

Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting.  

Splunk Enterprise & Cloud platform found that  (XSS) vulnerability existed & affects their multiple versions

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

(DoS) Vulnerability has been identified in ModSecurity, an open-source web application

The issue affects versions prior to 2.9.10 and related to the “sanitiseArg” action, which can be exploited by adding an excessive number of arguments, ultimately causing the system to fail or crash. The vulnerability has been fixed in version 2.9.10. 

This vulnerability is similar to this CVE-2025-47947 issue, presents a significant risk, especially for organizations relying on ModSecurity 2.x versions for web application protection. 

High Risk DoS Vulnerability in ModSecurity WAF 

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues. 

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security 

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild. Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Ways to combat Cyber Threats; Strengthen your SOC’s readiness involves 3 key strategies

Cyber threats are no longer limited to human attackers, with AI-driven “bad bot” attacks now accounting for 1/3 as per research. These attacks can be automated, allowing attackers to launch more extensive and efficient campaigns

Organizations are now exposed new risks, providing cybercriminals with more entry points and potential “surface areas” to exploit as they go digital and adopt to innovations and wider use of digital technologies.

Some of the types of bad bots are DDoS bots, which disrupt a website or online service by overwhelming it with traffic from multiple sources.

IntruceptLabs now offers Mirage Cloak and to summarise Mirage Cloak offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints.

 This is executed by setting up lures with intentionally misconfigured or vulnerable services or applications.

The flexible framework also lets customers add new deception methods as needed.

Conclusion: Organizations can better protect their digital assets and ensure business continuity by understanding the key components and best practices for building a successful SOC.

At the end  we must accept that to defend against any sort of AI attack, SOC teams must evolve with right collaborations and effective communication between partners seamlessly to evaluate information to stay ahead of attackers.

Blogs

NCSC UK, released set of 6 principles to build Cyber Security culture & Boost Resilience for Orgs

In recent times we witnessed many organizations who are facing numerous cyber attacks hold confidential customer, employee and supplier personal data. Such data is attractive to attackers, as they can steal it and demand ransom payments to stop them revealing it out in public. There is a constant fear against threat actors looming and that actually demands organizations to be cyber resilient.

What is the way out to create a cyber resilience culture that are meaningful both for employees and leaders ?

The U.K. National Cyber Security Centre on Wednesday published six cybersecurity culture principles developed through extensive research with industry and government partners.

The principles define the cultural foundations essential for building a cyber-resilient organization and offer guidance on how to cultivate that environment.

The principles are based on many factors on what leads to weak or misaligned cultures leading to poor security outcomes so that organizations understand how outcomes have deeper cultural issues and require urgent attention.

Cyber attack on Retail sector

This was followed by multiple cyber-attacks on the retail sector have gathered media attention over the first half of 2025. This included breaches on Co-op, Harrods, Adidas, The North Face, and Cartier.

Notably, a long-term disruption for UK brand Marks and Spencer, whose online sales are still paused seven weeks after the initial attack, was caused by phishing on a third-party supplier.

Over the Easter weekend, customers in M&S stores were unable to make contactless payments, click and collect services were unavailable. M&S has been quick to respond to cyber attacks faced and been applauded for its response to the attack, particularly its handling of external communications. 

The newly released Operational Resilience Report 2025 has found organizations are taking a more integrated approach to resilience. Recognizing that people are vital to cybersecurity,

Cyber security culture The 6 principles laid by  National Cyber Security Centre (NCSC) to build a cyber security culture within an organization.

  • Frame cybersecurity as an enabler, supporting the organization to achieve its goals
  • Build the safety, trust, and processes to encourage openness around security
  • Embrace change to manage new threats and use new opportunities to improve resilience
  • The organization’s social norms promote secure behaviours
  • Leaders take responsibility for the impact they have on security culture
  • Provide well-maintained cybersecurity rules and guidelines, which are accessible and easy to understand.

The first principle identifies that cybersecurity exists to protect the technology and information that keep an organization running.

But when it operates in isolation, its role as an enabler of every other function is often overlooked. This disconnect creates tension. Security may be seen as a blocker, its policies misunderstood or ignored, and controls bypassed, opening the door to further risk.

A shared purpose across the organization changes this dynamic. When everyone understands and works toward common goals, decisions reflect what supports the whole rather than just individual departments. Cybersecurity becomes part of how work gets done, not an obstacle in the way.

An effective culture recognises that secure behaviour is essential to meeting shared goals. Staff understand the value of cybersecurity in protecting systems and information. Controls are designed with an awareness of how people work, and security teams engage directly to reduce friction.

Clarity around purpose, consistent internal messaging, and strong leadership support all help integrate cybersecurity into the wider mission.

When people no longer see security as a separate concern, but as part of their contribution to organizational success, stronger and more resilient practices follow.

No amount of training can replace the value of open dialogue, especially when facing unfamiliar or fast-moving threats. When people are comfortable reporting mistakes, raising concerns, or suggesting improvements, the organization becomes more adaptive and resilient.

The second principle  depends on a culture where people feel safe to speak up.

Without psychological safety, self-protection takes over. People stay silent, avoid reporting errors or tolerate behaviour that undermines security. Fear of blame or punishment blocks the flow of vital information and ideas.

To counter this, organizations need trusted, accessible channels for communication. Whether through help desks, portals, or local experts, these paths must be easy to use and free from friction. When people do reach out, their efforts should be acknowledged and, where possible, acted upon.

Security incidents should be investigated to understand what happened and how to improve, not to assign fault. Fair treatment and transparent processes build trust and make it more likely that people will engage in the future. Psychological safety is not a soft extra. It is a core condition for real-time responsiveness and continuous learning in security. When people trust the system and those behind it, they help protect it.

The third principle On cyber resilient organizations treat change as a constant and improvement as a shared responsibility. In cybersecurity, this mindset is critical.

As threats evolve and technologies shift, staying still is not neutral, it increases exposure and limits growth. Rather than viewing incidents or disruptions as setbacks, forward-looking organizations treat them as signals for refinement. Ignoring these moments in favour of maintaining the status quo leads to blind spots and missed opportunities.

Change must be coordinated across the organization. If one area races ahead or stalls without alignment, the imbalance can cause harm. Cybersecurity teams have a key role in guiding this process. They help ensure that risks are managed by those equipped to handle them, instead of being pushed onto teams lacking the resources or context to respond effectively.

Strong cultures embrace change as a path to better outcomes. They are measured in how and when they implement changes, mindful of fatigue and disruption. People feel supported during transitions and trust that new risks are handled responsibly. To sustain this, organizations need systems in place to identify emerging challenges and bring the right voices into decision-making. Clear roles, timely choices, and shared accountability allow security and resilience to move forward together.

The fourth principle identifies that workplace behaviour is shaped not just by formal rules but by unwritten ones picked up through observation.

These social norms often influence how people approach cybersecurity. When aligned with security goals, they help reinforce good habits and guide new staff toward secure practices.

But not all norms work in favour of security. Some, like cutting corners to be helpful or following senior examples, can quietly encourage risky behaviour. These norms are hard to change if they help people get their work done more easily than formal processes allow. Addressing this requires understanding the values behind these norms. Without doing so, even well-designed policies will be ignored, increasing risk and weakening trust in security measures.

A strong security culture identifies both helpful and harmful social norms and finds ways to align them with formal policies.

This may involve redesigning controls to support productivity or shifting behaviors through influence, incentives, and role models.

The fifth principle recognizes that cybersecurity culture depends on leadership that leads by example.

When leaders align with a shared purpose, model secure behaviors, and foster trust, they help embed security into daily work. Their influence shapes norms and drives change.

Leaders who engage openly and share lessons from past challenges build confidence and inspire action. Those who ignore this responsibility risk undermining progress, as teams often follow their lead. Strong leadership means linking security to business goals, promoting learning, and removing incentives for risky behaviour.

Supporting leaders with the right knowledge and encouraging honest dialogue strengthens a culture where security becomes a collective effort.

The sixth principle calls for creating a cyber-secure workplace that depends on finding the right balance between clear expectations and practical flexibility.

Rules must support people in solving problems locally while setting consistent standards across the organization. When done well, this balance builds trust between staff and leadership.

Overly rigid rules risk becoming outdated and burdensome, while vague guidance leaves teams confused and vulnerable. Both extremes can lead to frustration and disengagement from cybersecurity efforts. A better approach involves understanding where different teams struggle, inviting their input, and refining the rules based on real-world use and ongoing feedback.

Security rules should be integrated into daily workflows and onboarding. They must be easy to find, clearly written, and regularly updated, with changes communicated. Where gaps exist or the rules do not apply, teams must have quick access to experts who can help manage risk at the moment.

In practice, effective cybersecurity guidance is inclusive, tested for usability, and aligned with organizational goals. People should know what is mandatory and what is advisory. Feedback is actively used to improve the rules, and outdated material is removed to prevent confusion.

IntruceptLabs products are influencing cyber culture by promoting proactive security measures, automation, and a focus on user behavior and training.

IntruceptLabs enable organizations to improve their security posture by providing tools for patching vulnerabilities, managing access, and responding to threats, ultimately contributing to a more secure and resilient cyber environment. 

GaarudNode is an all-in-one  solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.

The platform offers:

  • Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
  • Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
  • Detects vulnerabilities in third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
  • Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.

Conclusion:

The importance of cyber resilience helps set businesses who have a solid response plan and test it regularly so that the organization is prepared for any cyber incidents.

The cyber-security incident plan should be part of a wider business continuity plan, considering the impact of a cyber incident on the business and defining steps to recover and respond.

NCSC emphasized that creating the culture takes time and is not a one-off exercise, but needs a focused and sustained effort from cyber security professionals, innovators and culture specialists, and organisations’ leaders.

Sources: https://www.thebci.org/news/retail-under-attack-the-growing-movement-towards-operational-resilience.html

Scroll to top