Apple iOS & iPadOS Patch 0-Days Vulnerabilities, Exploited in Targeted Attacks
Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks
Continue ReadingPoC
TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation
Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library.
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-62518 |
| POC Available | Yes, public PoC and patches available (edera-dev GitHub) |
| Actively Exploited | Not confirmed widespread exploitation public PoC raises opportunistic risks |
| Exploited in Wild | No confirmed mass exploitation at time of writing |
| Advisory Version | 1.0 |
Overview
Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Tar path traversal / symlink bypass (async-tar RCE vector) | CVE-2025-62518 | GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools | High | Patches released by maintainers; reference fixes in Edera patch repository and vendor advisories |
Technical Summary
Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.
A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).
Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62518 | Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. | Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). | Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. |
Remediation:
- Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable).
- Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems.
- Use least privilege for extraction processes — avoid root / Administrator contexts.
- Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses.
- Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement).
- Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries.
Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits.
SIEM / EDR indicators:
- File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes.
- Creation of symlinks or reparse-points by tar-related processes.
- Processes invoking tar or Python extraction libraries writing outside expected extraction directories.
Conclusion:
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.
This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise.
References:
Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration
Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration
A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.
This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.
Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.
Vulnerability Details
The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.
Source: blog.randorisec.fr, cybersecuritynews
Attack Flow
| Step | Description |
| Craft | Attackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations. |
| Access | The ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation. |
| Extract | The encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”). |
| Decrypt | The DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz. |
| Exploit | Decrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API |
Why It’s Effective
- Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
- Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
- Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.
Recommendations:
- Monitor Processes – Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
- Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
- Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
- Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
- User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation
Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.
References:
7-Zip Security Flaw Allows Malicious File Writes and Potential Exploits
Summary Security Advisory: 7-Zip Security Flaw
A vulnerability in 7-Zip (versions before 25.01) allows attackers to abuse symbolic links in archive files to write files outside the intended extraction directory.
| Severity | Low |
| CVSS Score | 3.6 |
| CVEs | CVE-2025-55188 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation. The flaw is primarily exploitable on Linux systems due to common file permission models but can also impact Windows under specific conditions. Affected archive formats include ZIP, TAR, 7Z and RAR.
The security flaw was reported and discoverd by security researcher lunbun, who identified that 7-Zip fails to properly validate symbolic links when extracting certain archive formats.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| 7-Zip Arbitrary File Write via Symbolic Link Flaw | CVE-2025-55188 | 7-Zip | Low | 25.01 and later. |
Technical Summary
Cause: Improper validation of symbolic links during archive extraction.
Attack Vector: Malicious archives can contain symlinks pointing outside the extraction directory.
Impact: Overwrites arbitrary files on the system. On Linux, this can replace startup scripts, configuration files, or binaries to gain elevated privileges. On Windows, exploitation requires write access to target paths.
Affected Formats: ZIP, TAR, 7Z, RAR.
| CVE ID | CVSS Score | System Affected | Vulnerability Details | Impact |
| CVE-2025-55188 | 3.6 | Linux, Windows 7-Zip versions | 7-Zip mishandles symbolic links in archives, letting attackers write files anywhere on the system during extraction. | Code execution, Privilege escalation |
Recommendations:
Here are some recommendations below
- Update 7-Zip to version 25.01 or latest one.
- Avoid extracting archives from untrusted sources.
- Always consider using sandboxed environments for unknown files extraction.
Conclusion:
While CVE-2025-55188 carries a low CVSS score, the real-world impact can be severe in certain environments, especially on Linux systems with high-privilege extraction processes.
Immediate patching to 7-Zip 25.01 or later is strongly advised to mitigate the risk of arbitrary file overwrite attacks.
The researcher has submitted a request for reevaluation of the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who require additional verification.
References:
New Cyberattack Methodology ‘Man in Prompt’, User’s at Risk, Target-AI Tools
AI tools like ChatGPT, Google Gemini and others being afflicted by malicious actors via injecting harmful instructions into leading GenAI tools. These were overlooked previously and attack methodology targets the browser extensions installed by various organizations.
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers.
As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it and cover their tracks.
The exploit has been tested on all top commercial LLMs, with proof-of-concept demos provided for ChatGPT and Google Gemini.
The question is how do they impact Users & organizations at large & how does the AI tools function within web browsers?
For organizations the implications can be high then expected as AI tools are most sought after and slowly organization across verticals are relying on AI tools.
The LLMs used and tested on many organizations are mostly trained ones. They carry huge data set of information which are mostly confidential and possibility of being vulnerable to such attack rises .
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers. As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks.
The attack methodology named as ‘Man in Prompt’, exercise its attack with new class exploit targeting the AI tools as per LayerX’s researchers. As per the research any browser extension, even without any special permissions, can access the prompts of both commercial and internal LLMs and inject them with prompts to steal data, exfiltrate it, and cover their tracks.
LayerX researcher termed this type of attack as ‘hacking copilots’ that are equipped to steal organizational information.
The prompts given are a part of the web page structure where input fields are known as the Document Object Model, or DOM. So virtually any browser extension with basic scripting access to the DOM can read or alter what users type into AI prompts, even without requiring special permissions.
Bad actors can use compromised extensions to carry out activities including manipulating a user’s input to the AI.
- Perform prompt injection attacks, altering the user’s input or inserting hidden instructions.
- Extract data directly from the prompt, response, or session.
- Compromise model integrity, tricking the LLM into revealing sensitive information or performing unintended actions
Understanding the attack scenario
Proof-of-concept attacks against major platforms
For ChatGPT, an extension with minimal declared permissions could inject a prompt, extract the AI’s response and remove chat history from the user’s view to reduce detection.
LayerX implemented an exploit that can steal internal data from corporate environments using Google Gemini via its integration into Google Workspace.
Over the last few months, Google has rolled out new integrations of its Gemini AI into Google Workspace. Currently, this feature is available to organizations using Workspace and paying users.
Gemini integration is implemented directly within the page as added code on top of the existing page. It modifies and directly writes to the web application’s Document Object Model (DOM), giving it control and access to all functionality within the application
These platforms are vulnerable to any exploit which Layer X researchers showcased that without any special permissions shows how practically any user is vulnerable to such an attack.
Threat mitigation
These kind of attacks creates a blind spot for traditional security tools like endpoint Data Loss Prevention (DLP) systems or Secure Web Gateways, as they lack visibility into these DOM-level interactions. Blocking AI tools by URL alone also won’t protect internal AI deployments.
LayerX advises organisations to adjust their security strategies towards inspecting in-browser behaviour.
Key recommendations include monitoring DOM interactions within AI tools to detect suspicious activity, blocking risky extensions based on their behavior rather than just their listed permissions, and actively preventing prompt tampering and data exfiltration in real-time at the browser layer.
(Source: https://layerxsecurity.com/blog/man-in-the-prompt-top-ai-tools-vulnerable-to-injection/)
Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available
Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).
The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.
| OEM | Notepad++ |
| Severity | High |
| CVSS Score | 7.3 |
| CVEs | CVE-2025-49144 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation Vulnerability | CVE-2025-49144 | Notepad++ | High | v8.8.2 |
Technical Summary
The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.
This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine.
In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-49144 | Notepad++ v8.8.1 and prior. | The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges. | SYSTEM privilege escalation and full machine control |
Proof of Concept (PoC):
- Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer.
- Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges.
- Evidence:
- Process Monitor logs confirm that the installer is searching for executables in the local directory.
- A video demonstration confirms successful SYSTEM-level access via reverse shell.
- Public PoC materials are hosted and shared, confirming reproducibility
Remediation:
- Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32.
Recommendations:
- Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories.
- Best Practice: Adopt Microsoft’s secure library and binary loading practices.
- Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories.
Conclusion:
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.
Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging.
This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.
References:
POC Released for Critical RCE Vulnerability in AWS Amplify Codegen-UI
Summary: A critical security vulnerability has been disclosed in AWS Amplify Studio’s UI generation framework, with researchers releasing a proof-of-concept exploit demonstrating remote code execution capabilities.
| OEM | AWS |
| Severity | Critical |
| CVSS Score | 9.5 |
| CVEs | CVE-2025-4318 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A critical vulnerability has been discovered in AWS Amplify Studio’s UI generation tool, @aws-amplify/codegen-ui, which allows Remote Code Execution (RCE) during build or render time.
Tracked as CVE-2025-4318, this flaw originates from unsafe evaluation of user-defined JavaScript expressions without proper input validation or sandboxing.
It has been assigned a CVSS score of 9.5. Exploitation could lead to unauthorized command execution, leakage of AWS secrets, or full compromise of CI/CD environments. AWS addressed the issue in version 2.20.3, replacing the unsafe eval() with a sandboxed expression evaluator.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unsafe Expression Evaluation in Codegen-UI | CVE-2025-4318 | @aws-amplify/codegen-ui | Critical | 2.20.3 |
Technical Summary
The vulnerability stems from how AWS Amplify Studio processed dynamic expressions defined in component fields (eg: label, placeholder).
In affected versions, these expressions were directly evaluated using eval() without any filtering or validation, assuming they were safe.
This behavior enabled attackers to inject malicious code into UI schemas that would execute during the build or runtime process particularly dangerous in CI/CD pipelines where secrets and environment variables are accessible.
A working Proof-of-Concept (PoC) has been developed and shared by researchers, which simulates the exploit using a crafted JSON component, a Node.js script and a Python server. The PoC demonstrates successful RCE via malicious input evaluated by the vulnerable tool.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4318 | AWS Amplify Studio (<=2.20.2) | Vulnerable versions used eval() to interpret stringified JavaScript expressions in UI components. This allowed injection of malicious expressions such as shell commands, due to the absence of validation or blacklisting. | RCE, exposure of secrets, CI/CD compromise, unauthorized system control |
Remediation:
Upgrade Immediately: Update @aws-amplify/codegen-ui to version 2.20.3 or later, which replaces unsafe evaluation logic with a sandboxed function (safeEval) and a keyword blacklist.
Conclusion:
CVE-2025-4318 is a severe RCE vulnerability in AWS Amplify Studio caused by unsafe evaluation of JavaScript expressions during UI component rendering or generation.
A fully functional PoC exploit has been published, which clearly demonstrates the risk of using eval() in dynamic application code without input validation.
The fixed version mitigates this risk by introducing a sandboxed evaluation mechanism and filtering dangerous keywords. Organizations using Amplify Studio should upgrade immediately and audit all inputs and build processes for safety.
AWS security teams have advised developers to immediately upgrade to version 2.20.3 or later and audit all existing component schemas for potentially unsafe expressions.
The incident highlights the critical importance of implementing secure coding practices in low-code development platforms where user input directly influences code generation and execution processes.
References:
Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments
Summary
| OEM | Cisco |
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-20286 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.
Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Cisco ISE Shared Credential Vulnerability | CVE-2025-20286 | Cisco ISE | Critical |
Technical Summary
The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available.
This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20286 | Cisco ISE 3.1 – 3.4 | Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform | Access sensitive data |
Remediation:
Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4.
| Cisco ISE Release | Hot Fix | First Fixed Release |
| 3.0 and earlier | Not applicable. | Not affected. |
| 3.1 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz | Migrate to a fixed release. |
| This hot fix applies to Releases 3.1 through 3.4. | ||
| 3.2 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz | Migrate to a fixed release. |
| This hot fix applies to Releases 3.1 through 3.4. | ||
| 3.3 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz | 3.3P8 (November 2025) |
| This hot fix applies to Releases 3.1 through 3.4. | ||
| 3.4 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz | 3.4P3 (October 2025) |
| This hot fix applies to Releases 3.1 through 3.4. | ||
| 3.5 | Not applicable. | Planned release (Aug 2025) |
Conclusion:
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.
Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation.
Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative.
References:
High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks
Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw.
| OEM | Linux |
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-21756 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Use-After-Free vulnerability | CVE-2025-21756 | Linux kernel | High | 7.8 |
Technical Summary
The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21756 | Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1) | Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers. | Local privilege escalation to root and potential full system compromise. |
CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.
Affected systems are particularly exposed in virtualized environments where vsock is actively used.
Remediation:
- Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
- Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
- Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
- Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.
Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.
Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.
References:
Multiple High-Severity Vulnerabilities Patched in Zoom
Summary
Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.
The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).
All rated high severity with CVSS scores ranging from 7.1 to 8.5.
| OEM | Zoom |
| Severity | High |
| CVSS | 8.5 |
| CVEs | CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, CVE-2025-0150, CVE-2025-0149 |
| Publicly POC Available | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Heap-Based Buffer Overflow Vulnerability | CVE-2025-27440 | ZOOM | High | 8.5 |
| Buffer Underflow Vulnerability | CVE-2025-27439 | ZOOM | High | 8.5 |
| Use-After-Free Vulnerability | CVE-2025-0151 | ZOOM | High | 8.5 |
| Incorrect Behavior Order Vulnerability | CVE-2025-0150 | ZOOM | High | 7.1 |
| Insufficient Data Verification Vulnerability | CVE-2025-0149 | ZOOM | Medium | 6.5 |
Technical Summary
These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-27440 | Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.) | Heap-based buffer overflow, allowing attackers to inject malicious code | Privilege Escalation |
| CVE-2025-27439 | Zoom Workplace Apps | Buffer underflow, leading to unexpected crashes or data leakage | Denial of Service, Data Exposure |
| CVE-2025-0151 | Zoom Workplace Apps | Use-after-free issue leading to memory corruption and arbitrary code execution | Privilege Escalation |
| CVE-2025-0150 | Zoom Workplace Apps (iOS) | Incorrect behavior order allowing unauthorized access to authentication tokens | Information Disclosure |
| CVE-2025-0149 | Zoom Workplace Apps | Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks | Denial of Service |
Remediation:
- Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.
Conclusion:
The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.
Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data.
Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.
References: