Intrucept

Security Advisory

7Zip Mark-Of-The-Web Vulnerability

A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.

OEM7Zip
SeverityHigh
CVSS7.0
CVEsCVE-2025-0411
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.

This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.

7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.

Vulnerability NameCVE IDProduct AffectedSeverity
  MOTW Bypass vulnerability  CVE-2025-0411  7zip  High

Technical Summary

This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.

An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.

This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2025-04117Zip Prior to v24.09    This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections.Arbitrary remote code injection, potential system compromise

Remediation:

Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.

Generic Recommendations

  • Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
  • Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
  • Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.

Conclusion

The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.

References:

#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept

Security Advisory

Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413) 

A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.

CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.

OEM Microsoft 
Severity Critical 
CVSS 9.8 
CVEs CVE-2024-21413 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2024-21413  Microsoft  Critical 

Technical Summary 

The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files. 

By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-21413 Microsoft Office LTSC 2021, Microsoft 365 Apps, 
Microsoft Outlook 2016, Microsoft Office 2019   		Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks.  NTLM credential theft, remote code execution, potential full system compromise  

Remediation

  1. Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches. 
  1. Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft. 

General Remediation: 

  1. Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers. 
  1. User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments. 
  1. Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection. 
  1. Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities. 
  1. Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution. 

Conclusion: 

The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action. 

References: 

Blogs

The Baltic Sea Ship Accident & not Sabotage; Highlights Ship Downtime Issues

Recently the undersea Fibre optic cable between Latvia and Sweden was damaged and reports said it was result of external influence which prompted NATO to deploy patrol ships to the area and triggering a sabotage investigation by Swedish authorities. Also the cargo ship Vezhen was  seized as part of the probe by Sweden’s Security Service.

The incident took place on Jan. 26 and was one of several in recent months, triggered a hunt for vessels suspected of involvement.

The prosecutor said the Vezhen’s anchor severed the cable but that the incident was related to a combination of bad weather, equipment deficiencies and poor seamanship. Images shared by Swedish media showed that the ship appeared to have a damaged anchor.

The cable belongs to Latvia’s state broadcaster, LVRTC, which said in a statement there had been “disruptions in data transmission services”, but that end users would be mostly unaffected.

A second vessel, the Silver Dania, a Norwegian cargo ship with an all-Russian crew, was seized in Norway at the request of Latvian authorities but was cleared of wrongdoing and released. Baltic Sea region is on high alert after a string of power cable, telecom link, and gas pipeline outages since Russia invaded Ukraine in 2022.

We cannot deny the scope of Hybrid attack in the Baltic region that targeted critical undersea infrastructure (CUI), particularly fiber-optic cables, in the Baltic and Arctic regions since 2021. Mostly the prime suspect was Russia, but in this case the Vezhen ship was suspected to have incurred an accident and not sabotage, a Swedish prosecutor said on Monday, adding that the Maltese-flagged vessel had been released.

Ship downtime a major issue the marine industry faces

What is ship downtime and how does it affect?

Any breakdown in service during operation or runtime amounts to downtime in maritime industry.

Sometimes downtimes are unpredictable and unplanned which makes it harder as it incurs expenses to deal with. Repairs, emergency parts, and dry-docking fees can add up fast.

Importance of Data analytics:

This is where predictive maintenance and data analytics come into picture making it possible to provide an overview on what is pending task regarding maintenance of ship or other issues that needs immediate inspection. This can also be cyber security related issue or hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions.

The Baltic sea ship broke down due to combination of bad weather and and deficiencies in equipment and seamanship contributed to the cable break,” as per reports by investigators

Whether it’s an engine breakdown, a port delay, or a sudden maintenance issue, every hour of downtime costs money. And there are times when this hurts the most because you don’t see it coming and affecting profitability, delivery and supply chain disruptions.

Crew Issues – Fatigue-related mistakes or medical emergencies that delay voyages.

Mechanical Failures – Think engine breakdowns, generator issues, and propulsion failures.

Electrical Problems – A failed control system or communication outage.

Other problems falls under planned downtime

  • Routine Maintenance – Regular engine inspections, oil changes, and system checks.
  • Mandatory Surveys – Required ship inspections and certifications from regulatory authorities (like IMO).
  • Retrofits & Upgrades – Adding fuel-saving devices, ballast water treatment systems, or new tech.

Rise of Hybrid Attack on undersea cables in Baltic Sea and artic region

Since 2021 Russian hybrid attacks targeting critical undersea infrastructure (CUI), particularly fiber-optic cables, have surged in the Baltic and Arctic regions since 2021 causing disruptions threatening essential communication channels, exposing vulnerabilities of Northern Europe’s infrastructure.

More incidents were noticed in 2023 and 2024 involving Chinese vessels damaging Baltic subsea cables raise concerns over possible Russian-Chinese hybrid warfare collaboration despite no direct evidence confirming this, complicating Western deterrence efforts. (https://jamestown.org/program/hybrid-attacks-rise-on-undersea-cables-in-baltic-and-arctic-regions/)

Financial Implications

Any disruption of events that causes downtime in shipping such as piracy, bad weather and accidents blocking major shipping lanes causes major financial losses on global economy. Attacks such as cyber-attacks are growing with each passing day and quite predominant on risk landscape like the maritime industry, forcing organizations account of in its operations and work on legacy technologies replacing them with advanced technology systems to counter any attacks or sabotage or foul play.

Companies that have proven their ability to manage these risks and remain agile for recovery are more likely to secure favorable finance options.

Innovations in Maritime industry

Maritime transport is seen key player in global trade and the intricacies of networks of shipping
routes, ports, forced globalization to strengthened their operation strategies for the world economy to grow surpassing numerous challenges. Innovations is high on demand for safety systems form part of the ongoing development where digital based systems are part of ships in current scenario. E.g. the Intelligent awareness (IA) systems will be nex- gen of digital technologies to provide safety net for smooth operation of ships on transit that include utilizing sensors, high-resolution displays, and intelligent software.

Maritime chokepoints are critical points in shipping routes.as they facilitate substantial trade volumes and connect the world. Due to disruptions and very limited routes that are valid for ship passages there are negative impacts on supply chains, leading to systemic consequences, affecting food security, energy supply and whole of the global economy.

Sources: https://www.reuters.com/world/europe/baltic-undersea-cable-damaged-by-external-influence-sunday-latvian-broadcaster-2025-01-26/

www.shipuniverse.com

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Security Advisory

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.

Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates. 

OEM Apple 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-24118 
Exploited in Wild No 
Publicly POC Available Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.

Vulnerability Name CVE ID Product Affected Severity 
 Race Condition Vulnerability  CVE-2025-24118   Apple  Critical 

Technical Summary 

This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-24118  macOS Sonoma prior to 14.7.3  
macOS Sequoia prior to 15.3 
iPadOS prior to 17.7.4   		A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. Privilege escalation, memory corruption, potential kernel-level code execution  

Remediation

  • Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk. 

Conclusion: 

CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.

References: 

Blogs

Complexities Compounding in Cyber Landscape; WEF Global Cybersecurity Outlook 2025 Analysis

WEF Global Cybersecurity Outlook 2025

Continue Reading
Security Advisory

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel 

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel 

Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.

SUMMARY

OEM  Linux 
Severity  High 
CVSS  7.8 
CVEs  CVE-2024-56626, CVE-2024-56627  
Exploited in Wild   No 
Publicly POC Available  Yes 
Patch/Remediation Available  Yes 
Advisory Version  1.0 

These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
Out-of-bounds write vulnerability in ksmbd.  CVE-2024-56626  Linux  High  Linux kernel versions greater than 5.15  
Out-of-bounds read vulnerability in ksmbd.  CVE-2024-56627   Linux  High  Linux kernel versions greater than 5.15  

Technical Summary 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2024-56626     Linux Kernel  A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates.    Attackers can execute arbitrary code with kernel privileges  
CVE-2024-56627      Linux Kernel  A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates.   Attackers can read sensitive kernel memory, leading to information disclosure 

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions 

 listed below 

Version  Fixes and Releases 
 kernel version > 5.15  kernel version 6.13-rc2  

Conclusion: 

The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment. 

References: 

 

 

Security Advisory

Cisco Meeting Management to Prone to Attack Vectors; Vulnerability CVE-2025-20156 

Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances.

The vulnerability, CVE-2025-20156  was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD)

OEM Cisco 
Severity Critical 
CVSS 9.9 
CVEs CVE-2025-20156 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management could allow attackers to gain unauthorized administrative access. This issue affects versions prior to 3.9.1 and has been classified as critical. Cisco strongly recommends updating to the latest fixed version to address this risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2025-20156  Cisco  Critical 

Technical Summary 

A critical security vulnerability has been identified in Cisco Meeting Management. This flaw resides in the REST API and stems from improper enforcement of authorization protocols for REST API users. Remote, authenticated attackers with low-level privileges can exploit this issue by sending specially crafted API requests to specific endpoints. A successful exploit could allow attackers to escalate their privileges to administrator level and gain control over edge nodes managed by Cisco Meeting Management. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20156  Cisco Meeting Management  prior to version 3.9.1 Insufficient authorization checks in the REST API allow attackers to send crafted API requests to escalate privileges.  Attackers can gain full administrative control and disrupt business operations.  

Remediation

  1. Update to the Latest Version: 
  • Upgrade Cisco Meeting Management to version 3.9.1or later. 
  1. Regular Security Practices: 
  • Monitor Cisco’s security advisories. 
  • Regularly update systems to address emerging threats. 

Conclusion: 

CVE-2025-20156 poses a critical risk to Cisco Meeting Management users. Exploiting this flaw could disrupt operations by granting attacker’s administrative control. Immediate updates are crucial to mitigate the risk and protect affected systems. 

References: 

  • https://cybersecuritynews.com/cisco-meeting-management-vulnerability/ 

Blogs

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

DORA & NIS2
EU Regulations to Strengthen Cyber defense

Continue Reading
Security Advisory

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM

Microsoft

Severity

Critical

CVSS Score

7.8

CVE

CVE-2024-49138

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Publicly POC Available

Yes


Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name

CVE ID

Product Affected

Severity

CLFS Privilege Escalation

CVE-2024-49138

Microsoft Windows

High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49138

Windows 10, Windows 11, Windows Server 2008–2025

Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.

Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

  1. Update Systems: Apply Microsoft’s December 2024 patches without delay.
  2. Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
  3. Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

Scroll to top