Patch management

Security Advisory

SonicWall SSLVPN Vulnerability Allows Remote Attackers to Crash Firewalls  

Summary : A security flaw was discovered in SonicWall’s SonicOS SSLVPN component, affecting both hardware and virtual firewall appliances across Gen7 and Gen8 product lines.

OEM SonicWall 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-40601 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The SonicWall vulnerability allows remote attackers, without any authentication, to crash into affected firewalls by sending specially crafted traffic to the SSLVPN service. There are no public exploitation in the wild but it is strongly advised customers to apply the available patches immediately to minimize risk. 

In simple terms, the component fails to validate the size or structure of certain data before copying it to a stack‐allocated buffer. Under malicious input, the overflow can overwrite the stack, leading the firewall device to crash.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Stack-based buffer overflow in SonicOS SSLVPN service  CVE-2025-40601 SonicWall SonicOS Firewalls (Gen7 and Gen8 Hardware and Virtual)  High 7.3.1-7013 (Gen7), 8.0.3-8011 (Gen8) and latest one 

Technical Summary 

The vulnerability occurs due to a stack-based buffer overflow affecting the SSLVPN service of SonicOS. Devices with the SSLVPN interface enabled are vulnerable.

This flaw permits remote unauthenticated attackers to trigger a denial-of-service condition, leading to a full firewall crash and service outage.

The problem impacts a wide range of SonicWall firewall models including Gen7 (TZ270, NSa 2700 series etc) and Gen8 (TZ280, NSa 2800 series etc). Administrators are urged to upgrade to the latest versions and restrict SSLVPN access to trusted IPs or disable external-facing SSLVPN portals until remediation is complete. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-40601 SonicWall SonicOS SSLVPN service Stack-based buffer overflow allows remote unauthenticated attackers to send crafted requests causing a denial-of-service crash of the firewall. Only devices with SSLVPN enabled are vulnerable.  Remote denial-of-service 

Recommendations 

Update SonicWall immediately to the following fixed versions: 

  • Gen7 Hardware Firewalls: 7.3.1-7013 and higher versions 
  • Gen7 Virtual Firewalls : 7.3.1-7013 and higher versions 
  • Gen8 Firewalls: 8.0.3-8011 and higher. 

You can follow some below workaround here 

  • Temporarily disable the SSLVPN service if possible or restrict SSLVPN access only to trusted source IP addresses.  
  • Avoid exposing the SSLVPN service to untrusted internet sources until patched. 
  • Continuously monitor firewall and network logs for unusual SSLVPN activity or connection attempts that might indicate probing or exploitation attempts. 

Conclusion: 
There has no evidence of active exploitation for this vulnerability, but the issue makes unpatched firewalls highly attractive targets for threat actors capable of causing major network outages.

Organizations relying on SonicWall should prioritize applying the latest patches and review their SSLVPN exposure as part of broader incident prevention. For those unable to patch immediately, restricting or disabling external SSLVPN access is strongly recommended until fixes can be deployed. 

References

Security Advisory

Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild 

Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-13223, CVE-2025-13224 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13223 Google Chrome High v142.0.7444.175 / v142.0.7444.176 
Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13224 Google Chrome High v142.0.7444.175 / v142.0.7444.176 

Technical Summary 

Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.

Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.

These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13223 Google Chrome (V8 Engine) Type confusion due to improper type handling in V8 allowing memory corruption.  Remote Code Execution, Sandbox Escape 
CVE-2025-13224 Google Chrome (V8 Engine) Type confusion triggered during script execution, discovered via fuzzing Remote Code Execution, Browser Crash 

Remediation

  • Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions: 
  • Windows: 142.0.7444.175 / 142.0.7444.176 
  • MacOS: 142.0.7444.176 
  • Linux: 142.0.7444.175 

Here are some recommendations below 

  • Enforce Chrome auto-updates on all endpoints via enterprise policies. 
  • Monitor browser crash logs and unusual behaviors tied to JavaScript execution. 
  • Run updated vulnerability & patch management tools to ensure full endpoint compliance. 
  • Educate users to avoid suspicious links and unknown websites during active exploitation events 

Conclusion: 
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world. 

References

Security Advisory

Zoho Analytics On-Premise Critical SQL Injection Vulnerability Allows Attackers to Takeover  Data   

Zoho Analytics on-premise installations were recently found to have a SQL Injection vulnerability- CVE-2025-8324  that exposes enterprise environments to risk. The flaw is prevalent in all Zohocorp ManageEngine products, built prior to the most recent patch and enables attackers to exploit weaknesses in the application’s input validation logic.

The flaw enables attackers to execute queries without authentication mainly arbitrary SQL injection, without prior authentication, leading to unauthorized data exposure and account takeovers.

OEM Zoho 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-8324 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview  Malicious actors can launch attacks remotely and takeover user accounts, sensitive analytics data and any connected business intelligence workflows. Administrators are urged to update to the latest version to mitigate this risk. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Unauthenticated SQL Injection  CVE-2025-8324 Zoho Analytics On-Premise  Critical 6171 and later 

Technical Summary 

At the root of this flaw is improper input validation for user-supplied parameters within specific URLs of the Zoho Analytics Plus backend.

This allows arbitrary SQL queries to be executed by anyone with network access to the service, even if they have no login credentials. Zoho has enforced input checks and removing vulnerable backend components altogether.  

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-8324 Zoho Analytics Plus On-Premise An unauthenticated SQL injection vulnerability caused by improper input validation allowing attackers to inject arbitrary SQL queries remotely without authentication.  Account takeover, user data leak 

Recommendations 

  • Organizations must update Zoho Analytics Plus On-Premises immediately to the Build 6171 version or later. 

Here are some recommendations you can follow   

  • Enforce patch deployment across all managed analytics instances to ensure consistency and security. 
  • Continuously monitor logs for unusual SQL query activities or access attempts that could indicate exploitation attempts. 

Conclusion: 
The Zoho Analytics On-Premise deployments, could enable full data and account compromise through unauthenticated SQL injection. CVE-2025-8324 represents a critical security risk, classified at the highest severity level due to its potential impact and ease of exploitation.

Although no active exploitation has been detected to date, the severity of the flaw demands immediate attention. Immediate patching is essential to secure environments and prevent any chance of data compromise or unauthorized access. 

References

Security Advisory

Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now

Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-11-11 
No. of Patches 63 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview : Key Updates on Patch Tuesday

The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe. 

This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 63 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 29 Elevation of Privilege (EoP) 
  • 16 Remote Code Execution (RCE) 
  • 11 Information Disclosure 
  • 3 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 2 Spoofing  

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) CVE-2025-62215 Windows 10, 11, Server 2016–2022 Critical 9.0 
Microsoft Office Use-After-Free Remote Code Execution Vulnerability CVE-2025- 62199 Microsoft Office (Word/Excel/Office Suite) Critical 9.8 
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability CVE-2025-30398 Nuance PowerScribe 360 Critical 9.1 
Windows DirectX Graphics Kernel Use-After-Free Vulnerability CVE-2025-60716 Windows DirectX Graphics Kernel Critical 8.8 
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability CVE-2025-60724 Microsoft Graphics Component (GDI+) Critical 8.7 
Visual Studio Command Injection Remote Code Execution Vulnerability CVE-2025-62214 Microsoft Visual Studio / Visual Studio Code Critical 8.1 

Technical Summary 

The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.  

Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62215 Windows Kernel Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) Elevation of Privilege 
CVE-2025-62199 Microsoft Office Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns Remote Code Execution 
CVE-2025-30398 Nuance PowerScribe 360 Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network Information Disclosure 
CVE-2025-60716 Windows DirectX Graphics Kernel Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system Elevation of Privilege 
CVE-2025-60724 Microsoft GDI+ Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files Remote Code Execution 
CVE-2025-62214 Visual Studio Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments Remote Code Execution 

Source: Microsoft 

In addition to several other Important severity vulnerabilities were addressed below –  

  • CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation. 
  • CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation. 
  • CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access. 
  • CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution. 
  • CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE. 
  • CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE. 
  • CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability. 
  • CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs. 
  • CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing. 
  • CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities. 

Source: Microsoft, bleepingcompute, cybersecuritynews 

Key Affected Products and Services 

The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core Components 

Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems. 

  • Microsoft Office Suite 

Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities. 

  • Azure & Cloud Services 

Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors. 

  • Graphics Components 

Patches for GDI+, DirectX, WSL GUI. 

  • Developer Tools 

Updates for Visual Studio, Visual Studio Code, and GitHub Copilot. 

  • Third-Party Applications 

Patches for Nuance PowerScribe (Medical domain). 

  • Mobile Platform Technologies 

Updates for Microsoft OneDrive for Android. 

Remediation: 

  • Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems. 

Here are some recommendations below  

  • Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes. 
  • Ensure Windows 10 ESU enrollment for extended support systems. 
  • Restrict local admin privileges and enforce least-privilege access. 
  • Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity. 
  • Segment critical systems and disable unused network services (RRAS, SMB). 

Conclusion: 
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio. 

Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world. 

References

Security Advisory

Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0 

Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.

OEM Amazon 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12779 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.

Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.

The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Improper Authentication Token Handling in Amazon WorkSpaces Client  CVE-2025-12779 Amazon WorkSpaces client for Linux   High 2025.0 

Technical Summary 

The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.

The update improves session isolation and secures token handling, protecting against lateral token theft.

Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12779 Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. Unauthorized access to another user’s workspace 

Recommendations 

  • Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later. 

Conclusion: 
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.

Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions. 

References

Blogs

Critical React Native CLI Vulnerability Enables OS Command Injection  

Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

Severity  Critical 
CVSS Score  9.8 
CVEs  CVE-2025-11953 
POC Available  Yes 
Actively Exploited  No 
Advisory Version  1.0 

Overview 

A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
 OS Command Injection  CVE-2025-11953  @react-native-community/cli @react-native-community/cli-server-api  Critical  @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 

Technical Summary 

The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.

On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers. 

CVE ID  Component Affected  Vulnerability Details  Impact 
CVE-2025-11953  Development Server’s /open-url Endpoint  The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows.  Remote OS Command Injection 

Recommendations 

  • Update to @react-native-community/cli-server-api version 20.0.0 or later immediately. 

If upgrading is not possible, 

  • Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server. 
  • Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early. 

How these kind of security flaw can cause damage?

This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.

The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.

The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.

The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.

What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.

Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner

  • GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
  • Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
  • Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
  • GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
  • Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.

References

 

 

Blogs Security Advisory

Critical Brash Vulnerability: Blink Engine Flaw Breaks Chromium Browsers 

Overview : Brash Vulnerability works on Google Chrome and all web browsers that run on Chromium.

A newly disclosed vulnerability, Brash, exposed a critical architectural flaw in Chromium’s Blink rendering engine. Blink is Chromium’s open-source rendering engine responsible for parsing HTML, CSS, and JavaScript, building the DOM and render trees, and executing script-driven updates to the browser interface.

It underpins the user experience of all Chromium-based browsers and is a core component of their performance and stability.

The issue allows a malicious web page to crash Chromium-based browsers within seconds, including Chrome, Microsoft Edge, Brave, Opera etc. The attack works by overloading Blink’s main UI thread using a flood of unthrottled DOM operations. A public proof-of-concept (PoC) exploit is available and can be tested on machines, that escalating the urgency for patching across all Chromium-based platforms.  

Technical Details  

Blink lacks any rate limiting or coalescing on rapid document. title updates, allowing an attacker to flood the browser with millions of DOM mutations per second.  

This saturates the browser’s main UI thread, causing extreme CPU usage and blocking event processing, which leads to the browser tab freezing or crashing within 15 to 60 seconds. The exploit can also be use to trigger after a delay or at a precise scheduled time, turning it into a highly controllable logic bomb.  

The exploit requires no special permissions beyond navigating to a malicious page, presenting a severe and immediate operational risk until patches are deployed. 

Attack Flow 

Recommendations 

You can follow the recommendations below 

  • Avoid clicking on suspicious or untrusted links, especially those prompting unexpected redirects or downloads. 
  • Keep all Chromium-based browsers (Chrome, Edge, Brave etc.) updated with the latest security patches as vendors release fixes. 
  • Enforce automatic browser updates within organizations to ensure all users receive critical patches promptly. 
  • Monitor computer endpoints for unusual CPU spikes related to browser processes, which can indicate ongoing exploitation attempts. 
  • Educate users and employees about the risk of drive-by attacks through malicious websites and the importance of security awareness. 

Conclusion: 
The Brash vulnerability reveals how a simple architectural oversight. It lets attackers crash browsers by flooding them with too many title updates too fast, causing the browser to freeze or crash. This attack can be scheduled to happen later, making it harder to detect.

Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.

The best defense is to keep browsers updated, avoid suspicious links and stay alert for unusual computer slowdowns.  

References

Security Advisory

High-severity path traversal vulnerability was identified in Docker Compose

Docker Compose Path Traversal Vulnerability Enables Arbitrary File Write and System Compromise  

Summary: 

OEM Docker  
Severity High 
CVSS Score 8.9 
CVEs CVE-2025-62725 
Date of Announcement 2025-10-28 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.

This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.

This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Path Traversal in OCI Artifacts Allowing Arbitrary File Write CVE-2025-62725 Docker Compose CLI High 8.9 

Technical Summary 

Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.

The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.

Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-62725   Docker Compose (Linux, Windows, macOS) Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory. 
 		Arbitrary file write, potential system compromise, privilege escalation. 

Remediation 

Apply security patches immediately to mitigate risks from privilege escalation and container escape. 

  • Update Docker-compose to v2.40.2 or the latest one. 

Conclusion 

Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.

Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat. 

References 

Blogs Security Advisory

Copilot Studio SupplyChain Attack Steals OAuth Tokens via CoPhishing

Summary 

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception. 

Technical Details 

The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure. 

malicious CopilotStudio page                                                                                                                         Source: securitylabs.datadoghq.com 

Attack Flow 

Step Description 
1. Build Malicious Copilot Agent Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant. 
2. Backdoor Authentication Workflow The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication. 
3. Share Demo Link Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks. 
4. Victim and Trigger Consent Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions. 
5. Token Exfiltration After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs. 
6. Abuse Granted Permissions Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data. 
7. Persist and Retarget Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures. 

                             Source: securitylabs.datadoghq.com 

Why It’s Effective 

  • Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion. 
  • Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked. 
  • Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile. 

Recommendations 

Here are some recommendations below 

  • Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes. 
  • Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins. 
  • Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows. 
  • Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services. 
  • Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling 
  • Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens. 

Conclusion: 
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services. 

References

Hashtags 

#Infosec #CyberSecurity #Microsoft #Copilot #Vulnerabilitymanagement # Patch Management #ThreatIntel CISO #CXO #Intrucept  

Security Advisory

TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation 

Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library. 

Severity High 
CVSS Score 7.8 
CVEs CVE-2025-62518 
POC Available Yes, public PoC and patches available (edera-dev GitHub) 
Actively Exploited Not confirmed widespread exploitation public PoC raises opportunistic risks 
Exploited in Wild No confirmed mass exploitation at time of writing 
Advisory Version 1.0 

Overview 


Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Tar path traversal / symlink bypass (async-tar RCE vector) CVE-2025-62518 GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools High Patches released by maintainers; reference fixes in Edera patch repository  and vendor advisories 

Technical Summary 

Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.

A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).

Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62518 Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. 

Remediation

  • Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable). 
  • Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems. 
  • Use least privilege for extraction processes — avoid root / Administrator contexts. 
  • Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses. 
  • Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement). 
  • Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries. 

Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits. 

SIEM / EDR indicators: 

  • File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes. 
  • Creation of symlinks or reparse-points by tar-related processes. 
  • Processes invoking tar or Python extraction libraries writing outside expected extraction directories. 

Conclusion: 
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.

This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise. 

References:  

Scroll to top