Security advisory

Security Advisory

Critical Remote Code Execution in Nokia WaveSuite NOC 

Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM Nokia 
Severity Critical 
CVSS Score 9.0 
CVEs CVE-2025-24936, CVE-2025-24938   
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Command Injection Vulnerability  CVE-2025-24936 Nokia WS-NOC  Critical  v24.6 FP3 & later 
​ Command Injection Vulnerability  CVE-2025-24938 Nokia WS-NOC  High  v24.6 FP3 & later 

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 24936 WS-NOC 23.6, 23.12, 24.6 Unfiltered URL input enables command injection by low-privileged users. Remote code execution 
CVE-2025- 24938 WS-NOC 23.6, 23.12, 24.6 Insufficient input validation during account creation enables command injection. Privilege escalation, Remote code execution 

Remediation

  • Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

  • Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 
  • Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Security Advisory

Critical Zero-Day Vulnerabilities in VMware Exploited at Pwn2Own 2025 – Patch Immediately  

Summary : VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion and VMware Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025.

OEM Broadcom 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 
These vulnerabilities, now tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, could allow attackers with local administrative privileges on a virtual machine to execute arbitrary code on the host system or leak sensitive memory content.

VMware has released critical patches for affected products, including ESXi 7/8, Workstation Pro 17.x, Fusion 13.x and VMware Tools. 

                   Vulnerability Name CVE ID Product Affected Severity Fixed Version 
VMXNET3 Integer Overflow CVE-2025-41236 ESXi, Workstation, Fusion Critical (CVSS 9.3) ESXi80U3f-24784735, ESXi70U3w-24784741, ESXi80U2e24789317, 
Workstation 17.6.4, Fusion 13.6.4 
VMCI Integer UnderfloCVE-2025-41237 ESXi, Workstation, Fusion Critical (CVSS 9.3) Same as above 
PVSCSI Heap Overflow CVE-2025-41238 ESXi, Workstation, Fusion Critical (CVSS 9.3) Same as above 
vSockets Info Disclosure CVE-2025-41239 ESXi, Workstation, Fusion,  VMware Tools High (CVSS 7.1) VMware Tools 13.0.1.0, same ESXi/Workstation/Fusion versions 

Technical Summary 

These vulnerabilities impact key virtualization components, potentially enabling virtual machine breakout or data leakage from the host system.

The exploitation requires local admin privileges on the guest VM and varies in impact depending on the platform (ESXi, Workstation, or Fusion). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41236 ESXi 7/8, Workstation 17.x, Fusion 13.x Integer overflow in VMXNET3 adapter allows arbitrary code execution on the host via specially crafted network packets from a guest VM. Host code execution from guest VM 
CVE-2025-41237 Same as above Integer underflow in VMCI component can lead to out-of-bounds write and code execution in the VMX process on the host. VM breakout; Host compromise (Workstation/Fusion) 
CVE-2025-41238 Same as above Heap overflow in the PVSCSI controller allows out-of-bounds write more severe on Workstation/Fusion than ESXi due to sandbox restrictions. Host compromise (desktop platforms); limited on ESXi 
CVE-2025-41239 ESXi 7/8, Workstation 17.x, Fusion 13.x,  VMware Tools Use of uninitialized memory in vSockets allows information disclosure to attackers with local VM admin rights. Memory leak from host to guest 

Remediation

Users and administrators are strongly advised to immediately apply the following patches to mitigate the vulnerabilities: 

  • VMware ESXi users must update to ESXi80U3f-24784735, ESXi80U2e-24789317 for 8.x and ESXi70U3w-24784741 for 7.x versions. 
  • VMware Workstation Pro users should update to version 17.6.4 or later. 
  • VMware Fusion users to version 13.6.4 or later. 
  • For VMware Tools, apply the 13.0.1.0 or later, especially for Windows guests where the vSockets vulnerability (CVE-2025-41239) is relevant. 

Conclusion: 


These vulnerabilities pose a serious threat to virtualization security, especially in environments using VMware Workstation and Fusion. A successful exploit could enable attackers to escape the virtual machine and compromise the host system.

Administrators should prioritize patching to avoid exposure and reduce the risk of virtual infrastructure compromise. Regular audits of virtual networking components and least-privilege access controls within guest VMs are also recommended. 

References

Security Advisory

CVE-2025-34067: Critical RCE in HikCentral Puts Global Surveillance at Risk, PoC Available 

Summary:  A critical RCE vulnerability has been found in the Hikvision HikCentral security management system, mainly in the apply CT component.

OEM Hikvision 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-34067 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

It helps attackers to take full control of servers that manage security cameras and building systems without user interaction and authentication. The issue comes from a weakness in an old part of the software – Fastjson, a Java library.

Hackers can use this flaw to run harmful code remotely over the network. A PoC to exploit this vulnerability has been published already. 

Vulnerability Name CVE ID Product Affected Severity 
​ Remote Code Execution Vulnerability CVE-2025-34067 HikCentral (applyCT) Critical 

Technical Summary 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-34067 HikCentral  The /bic/ssoService/v1/applyCT endpoint is vulnerable due to the use of an outdated Fastjson library with unsafe auto-type deserialization enabled. Attackers can send malicious JSON payloads containing LDAP references to attacker-controlled Java classes. Remote code execution  

A security flaw exists in the “/bic/ssoService/v1/applyCT” endpoint, which accepts JSON input. This allows attackers to send specially designed data that tricks the system into loading malicious code from an attacker-controlled server.

Since the system processes this data before checking if the user is logged in, even someone without any login credentials can exploit it. If successful, the attacker can run harmful code under the HikCentral service’s permissions. This helped them move through the network, access or control camera feeds, DVRs/NVRs, and other connected systems across the enterprise.Proof of Concept (PoC): 

(Source: PeiQi0 )

Remediation

  • Apply Patches: Users should contact HIKVISION support for immediate remediation guidance and apply any security updates or hotfixes provided by the vendor. 
  • Update Fastjson Library: Ensure the Fastjson library is updated to a secure patched version. 

Recommendations: 

  • Configuration Check: If patching isn’t possible, block or redirect all traffic to the “/bic/ssoService/” endpoints – especially on systems that are accessible from the internet. 
  • Network Segmentation: Isolate surveillance and physical security networks from business-critical systems. 
  • Monitoring: Check logs for outbound LDAP traffic, suspicious Java class loads, or unexpected command execution from the HikCentral host. 

Conclusion: 
This vulnerability helps attackers to take full control of the system, Publicly available code makes it easy for attackers to exploit this flaw. Because of the critical risk, it has received the maximum severity score (CVSS 10.0).  

If not fixed, attackers could turn off security cameras, change alarm settings, delete important evidence, and even watch staff movements live. To protect against this threat, it’s urgent to install the latest patch, isolate the system from the internet and closely monitor for suspicious activity. 

References

Security Advisory

SEO Poisoning Campaign Targets IT Admins with Weaponized PuTTY & WinSCP 

SEO poisoning & malvertising campaign Summary 

A sophisticated SEO poisoning and malvertising campaign has been active since early June 2025, targeting IT administrators with Trojanized installers of commonly used tools like PuTTY and WinSCP. 

Attackers are manipulating search engine results and sponsored ads to lead users to fake websites, which deliver backdoored versions of these tools. Arctic Wolf security researchers have uncovered thia malvertising campaign that has been targeting IT professionals since early June 2025.

The malicious campaign leverages search engine manipulation to promote fake download sites that closely mimic legitimate software repositories. 

Technical Summary 

A threat campaign has been leveraging SEO poisoning and malicious advertisements to trick IT professionals into downloading Trojanized versions of PuTTY and WinSCP from fake websites. Once installed, a malware known as Oyster (aka Broomstick) creates persistent access within the victim’s environment, posing a severe risk to enterprise infrastructure. 

This malware establishes persistence by creating a scheduled task that triggers every three minutes, invoking rundll32.exe to execute a malicious DLL named twain_96.dll using the DllRegisterServer export function, a technique commonly used to bypass traditional detection.  

The attackers specifically target IT administrators and system operators due to their elevated privileges, which allows rapid lateral movement, access to sensitive systems such as domain controllers and the potential deployment of additional payloads like ransomware.

The campaign’s effectiveness stems from its exploitation of everyday workflows, especially IT admins’ reliance on search engines to download tools making it both highly targeted and socially engineered for success. 

Element Detail 
Initial Access SEO poisoning and fake sponsored ads redirect users to malicious download sites. 
Malicious Tools Trojanized installers of PuTTY and WinSCP. 
Payload Backdoor malware is known as Oyster/Broomstick. 
Persistence Scheduled Task every 3 minutes executing twain_96.dll using rundll32.exe via DllRegisterServer. 
Target IT admins with elevated privileges (Domain Admins, Server Admins). 
Objective Network penetration, domain controller access, data exfiltration, possible ransomware deployment. 

Malicious Sponsored PuTTY Ad on Bing.       Source: Arcticwolf 

Observed Malicious Domains 

Organizations are urged to block the following domains immediately: 

  • updaterputty[.]com 
  • zephyrhype[.]com 
  • putty[.]run 
  • putty[.]bet 
  • puttyy[.]org 

These domains host fake versions of PuTTY and WinSCP and are actively used in the ongoing campaign. 

Remediation

1. Enforce Trusted Software Acquisition Policies 

  • Mandate the use of verified internal software repositories or direct access to official vendor websites. 
  • Where feasible, implement ad-blocking or web filtering to restrict access to software download categories known to be targeted by malvertising. 

2. Strengthen Network and Endpoint Security Controls 

  • Block known malicious domains at firewall and DNS levels. 
  • Continuously monitor endpoints for suspicious behavior, including: 
  • The creation of unauthorized or high frequency scheduled tasks. 
  • DLL execution via rundll32.exe, especially involving non-standard DLLs such as twain_96.dll. 
  • Deploy or enhance EDR/XDR solutions to detect backdoor persistence methods. 

3. User Awareness 

  • Educate IT staff on SEO poisoning and the risks of downloading tools via search results. 

Conclusion: 
By focusing on widely used administrative tools like PuTTY and WinSCP, threat actors are exploiting the trust and habits of IT professionals through convincing social engineering and poisoned search results.

This approach turns essential tools into delivery mechanisms for backdoors and persistent threats, compromising high-privilege users at the core of enterprise infrastructure.  

Organizations must respond decisively by reinforcing endpoint monitoring, tightening software acquisition policies and implementing robust network-level defenses to mitigate the risks posed by this rapidly evolving threat landscape. 

References

Security Advisory

Critical Flaws Expose Schneider DCE to Remote Exploits – Patch Now 

Summary : Schneider Electric has found critical security flaws in its EcoStruxure IT Data Center Expert software (version 8.3 and earlier) which allow attackers to run harmful codes, steal data or disrupt data center operations. The EcoStruxure IT Data Center is a scalable monitoring solution for data center equipment. Through the web interface the flaw allows unauthenticated remote code execution when HTTP is enabled, though it is disabled by default.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-50121, CVE-2025-50122, CVE-2025-50123, CVE-2025-50125 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe flaw lets attackers execute commands remotely without logging in and other risks include weak password generation and privilege misuse.

Schneider urges users to upgrade to version 9.0. as a priority, if users are unable to update right now, users should secure their systems by limiting access, disabling unused services, using VPNs and security best practices. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
OS Command Injection  CVE-2025-50121 EcoStruxure IT Data Center Expert (DCE)  Critical  v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50122 EcoStruxure IT Data Center Expert (DCE)  High  v 9.0 
Insufficient Entropy (Weak Root Password Generation) CVE-2025-50123 EcoStruxure IT Data Center Expert (DCE) High v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50125 EcoStruxure IT Data Center Expert (DCE) High v 9.0 

Technical Summary 

The vulnerabilities have been identified in the system that exposes it to remote takeover, unauthorized access and internal data exposure.

At the core of the risk is a command injection flaw in the web interface, where unsanitized input allows attackers to execute system-level commands without authentication.

Compounding the issue is a weak password generation mechanism that uses low-entropy values, making root credentials easier to predict if installation or update packages are obtained.

Privileged users can also exploit unsafe input handling, specifically in fields like the hostname to inject and execute arbitrary code.

Furthermore, improper validation of internal HTTP requests allows attackers to perform server-side request forgery (SSRF), potentially accessing internal services and sensitive resources without credentials. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-50121 10.0 Web interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Unauthenticated RCE, full system compromise. 
CVE-2025-50122 8.3 Password generation system Allows unauthenticated attackers to run system commands via malicious folder in web interface. Root access by reverse-engineering password generation, leading to full control. 
CVE-2025-50123 7.2 Server console interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Arbitrary command execution by privileged users, risking internal misuse or escalation  
CVE-2025-50125 7.2 HTTP request handler Attackers manipulate hidden URLs to access internal services or run code without login. Unauthorized access to internal services, RCE and data exposure. 

In addition to the Critical and High Severity vulnerabilities, Two other medium severity issues were addressed. 

CVE-2025-50124 – Improper Privilege Management (CVSS 6.9) 
This issue allows privilege escalation through a setup script by a user already holding elevated access via the console. 

CVE-2025-6438 – XML External Entity (XXE) Injection (CVSS 6.8) 

 Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access. 

Remediation

  • Immediately upgrade to EcoStruxure DCE version 9.0 or the latest one to fix critical security flaws. 

Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.

Attackers could gain full access, run harmful commands, or steal data. It is strongly advised to update to version 9.0 or apply strict security measures to reduce the risks immediately.

IoT and Evolving Threat landscape

Industrial IoT security threats have evolved from theoretical concerns to active, persistent dangers that target manufacturing operations worldwide.

The convergence of traditional operational technology with modern information technology has created attack vectors that cybercriminals, nation-state actors, and industrial espionage operations actively exploit.

The financial impact of industrial cybersecurity incidents continues to escalate, with the average cost of a manufacturing sector data breach reaching $4.97 million in 2024, not including potential regulatory fines, business interruption losses, and long-term reputation damage. 

The security flaws in Schneider’s EcoStruxure IT Data Center Expert software exposes the dynamic threat landscape that may exist in Industrial IoT .


These vulnerabilities in Schneider Electric’s EcoStruxure DCE can seriously affect system security and data center operations. 

References

Security Advisory

Microsoft Plug 140 Vulnerabilities in July Patch Tuesday; SQL Server Zero-Day Disclosed 

Summary : July Patch Tuesday

The July 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-49719 in Microsoft SQL Server.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-07-08 
No. of Patches  140 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 140 vulnerabilities as part of July 2025 Patch Tuesday, including one publicly disclosed zero-day vulnerability affecting Microsoft SQL Server. Fourteen(14) of the vulnerabilities are classified as Critical, with ten(10) enabling Remote Code Execution (RCE).

Microsoft products impacted span across Windows, SQL Server, Microsoft Office, SharePoint, Hyper-V, Visual Studio and Azure services 

  • 130 Microsoft CVEs addressed 
  • 10 non-Microsoft CVEs addressed 

Breakdown of July 2025 Vulnerabilities 

  • 41 Remote Code Execution (RCE) 
  • 18 Information Disclosure 
  • 53 Elevation of Privilege (EoP) 
  • 5 Denial of Service (DoS)  
  • 8 Security Feature Bypass 
  • 4 Spoofing 
  • 1 Data Tampering 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SQL Server Information Disclosure CVE-2025-49719 Microsoft SQL Server High 7.5 

Technical Summary 

The information disclosure flaw arises from improper input validation, enabling a remote unauthenticated attacker to access data from uninitialized memory.

Microsoft also resolved a significant number of critical RCE vulnerabilities, particularly in Microsoft Office, SharePoint and Windows core components like Hyper-V and KDC Proxy. Several vulnerabilities can be triggered through minimal user interaction, such as viewing a document in the preview pane or interacting with network services. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-49719 Microsoft SQL Server Publicly disclosed information disclosure via improper input validation; attackers may access uninitialized memory Unauthorized data disclosure 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE-2025-49701 and CVE-2025-49704: Microsoft SharePoint, RCE over the Internet via authenticated access (CVSS 8.8) 
  • CVE-2025-49735: Windows KDC Proxy Service, Use-after-free vulnerability allowing unauthenticated RCE (CVSS 8.1) 
  • CVE-2025-47981: SPNEGO Extended Negotiation, Heap buffer overflow enabling RCE through crafted messages (CVSS 9.8) 
  • CVE-2025-48822: Hyper-V Discrete Device Assignment (DDA), RCE via PCI passthrough flaw in virtual environments (CVSS 8.6) 
  • CVE-2025-49717: Microsoft SQL Server, Heap-based buffer overflow enabling authenticated RCE (CVSS 8.5) 
  • CVE-2025-49695 to CVE-2025-49703: Microsoft Office/Word, Multiple RCEs via heap overflow, out-of-bounds read, type confusion (CVSS 8.4 & 7.8) 
  • CVE-2025-36357: AMD L1 Data Queue, Side-channel transient execution attack. 
  • CVE-2025-36350: AMD Store Queue, Speculative execution side-channel leak. 

Key Affected Products and Services 

The vulnerabilities addressed in July 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Components: 
    Windows Kernel, BitLocker, SSDP Service, Hyper-V, KDC Proxy and Routing and Remote Access Service (RRAS). 
  • Microsoft Office Suite: 
    Excel, Word, PowerPoint, and SharePoint with several vulnerabilities enabling Remote Code Execution (RCE) or Elevation of Privilege (EoP). 
  • Cloud and Enterprise Services: 
    Azure Monitor Agent, Microsoft Intune and Microsoft SQL Server. 
  • Development Tools: 
    Visual Studio and the Python extension for Visual Studio Code. 
  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the July 2025 security updates immediately to mitigate risks. 

Conclusion: 

The July 2025 Patch Tuesday reflects a large-scale update effort from Microsoft, addressing both known and undisclosed security risks. The zero-day (CVE-2025-49719) highlights ongoing concerns with SQL Server, while critical vulnerabilities in Office, SharePoint and core Windows services demand urgent patching.

Organizations should prioritize deployment of these patches and remain vigilant for any post-patch exploitation attempts, especially in externally facing applications. 

References

Security Advisory

CitrixBleed 2: Critical CVE-2025-5777 Vulnerability Under Active Exploitation with Public PoC Available

Summary ; A critical vulnerability identified as CVE-2025-5777 has been discovered in Citrix NetScaler ADC and NetScaler Gateway products configured as Gateway or AAA virtual servers.

The Citrix NetScaler is a networking gadget that delivers application access across distributed enterprise environments.

Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.

OEM Citrix 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-5777 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This out-of-bounds read flaw enables unauthenticated attackers to leak sensitive memory content, such as session tokens, by sending crafted HTTP POST requests. 

The vulnerability is actively exploited in the wild, with public PoC exploits and scanning tools available. Citrix has released patches, and urgent remediation is strongly recommended. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Out-of-bounds read vulnerability  CVE-2025-5777 NetScaler ADC & Gateway  Critical  14.1-43.56,   13.1-58.32, 13.1-FIPS/NDcPP 13.1 37.235, 12.1-FIPS 12.1-55.328 

Technical Summary 

CVE-2025-5777 arises from improper input validation during login requests on affected NetScaler devices. An attacker can exploit the flaw by submitting a malformed authentication request (eg. missing an equal sign in a POST login parameter). This leads the system to read uninitialized memory and leak up to 127 bytes of sensitive data. 

Attackers can extract session tokens and bypass multi-factor authentication (MFA) to hijack legitimate user sessions. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-5777 NetScaler ADC & Gateway 14.1 < 14.1-43.56 13.1 < 13.1-58.32 13.1-FIPS/NDcPP < 13.1-37.235 12.1-FIPS < 12.1-55.328 EOL: 12.1, 13.0. Insufficient input validation allows attackers to trigger a memory leak via malformed authentication requests. Session hijacking, MFA bypass, unauthorized access 

Proof of Concept (PoC): 

  • Execution Flow 

Attacker submits a malformed HTTP POST to: 

POST /p/u/doAuthentication.do HTTP/1.0 

Host: <NetScaler-IP> 

Content-Length: 5 

Connection: keep-alive 

login  

(Note: the ‘login’ parameter is included without an ‘=’ or value.) * 

  • Memory Leak Trigger 

Due to insufficient input validation, the backend neither initializes nor validates the ‘login’ field. This causes up to 127 bytes of uninitialized stack memory to be included in the XML response ‘<InitialValue>’ tag potentially containing session tokens or sensitive internal data.  

    Source: horizon3 

Remediation

  • Immediate Action: Upgrade to the latest fixed versions:  – NetScaler ADC & Gateway 14.1-43.56 or later 
    – NetScaler ADC & Gateway 13.1-58.32 or later 
    – NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235 or later 
     – NetScaler ADC 12.1-FIPS 12.1-55.328 or later 
     – EOL versions (12.1, 13.0) must be upgraded to supported releases. 

Recommendations: 

  • Session Invalidation: After patching, terminate all active ICA and PCoIP sessions using: 
      kill icaconnection -all 
      kill pcoipConnection -all. 
  • Audit: Review authentication and session logs for suspicious activity, including repeated POST requests and session reuse across unexpected IPs. 
  • Upgrade Legacy Systems: Migrate EOL devices to supported versions as they will not receive security fixes. 

Conclusion: 
CVE-2025-5777 (CitrixBleed 2) represents a critical memory leak vulnerability that is being actively exploited, with working public exploits widely circulated.

Attackers can extract session tokens and take over sessions even with MFA in place. Shodan scans reveal over 50,000 exposed NetScaler instances, with more than 1,200 unpatched as of late June 2025 

Given its severity, public exploitation, and impact, organizations must act immediately to patch vulnerable systems, revoke active sessions, and migrate away from unsupported versions.

This vulnerability echoes the risks of the original CitrixBleed, emphasizing the importance of proactive defense in depth. 

References

Hashtags 

#Infosec #CyberSecurity #Critix #NetScaler #SecurityAdvisory #Vulnerabilitymanagement # Patch Management #CISO #CXO #Intrucept  

Security Advisory

Grafana Rolls out Updates on Critical Chromium Vulnerabilities; CVE-2025-6554 a Zero day Vulnerability

Summary : Grafana has issued urgent patches to address multiple high-severity vulnerabilities stemming from underlying flaws in the Chromium V8 JavaScript engine.

OEM Google 
Severity High 
CVSS Score 8.1 
CVEs CVE-2025-6554, CVE-2025-5959, CVE-2025-6191 CVE-2025-6192 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The most critical of these, CVE-2025-6554, is a zero-day vulnerability that was actively exploited in the wild. Several of these bugs, if unpatched, could allow attackers to execute arbitrary code, perform memory corruption or bypass sandbox protections via malicious HTML content.

Grafana users running affected versions of Image Renderer and Synthetic Monitoring Agent are strongly advised to update immediately. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion in V8 Engine vulnerability  CVE-2025-6554 Google Chrome  High  138.0.7204.96/.97 (Windows)  
138.0.7204.92/.93 (Mac)  
138.0.7204.96 (Linux) 
Type Confusion in V8 Engine vulnerability CVE-2025-5959 Google Chrome High 137.0.7151.103/.104 (Windows & Mac) 137.0.7151.103 (Linux) 
Integer overflow in V8 Engine vulnerability CVE-2025-6191 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 
Use-after-free in Metrics (Profiler) in Google Chrome CVE-2025-6192 Google- Chrome High 137.0.7151.119/.120 (Windows & Mac) 137.0.7151.119 (Linux) 

Technical Summary 

Grafana has patched four high-severity Chromium V8 vulnerabilities in its Image Renderer and Synthetic Monitoring Agent. The most critical, CVE-2025-6554 is a zero-day type confusion bug that was actively exploited. Other flaws include CVE-2025-5959 (remote code execution), CVE-2025-6191 (integer overflow) and CVE-2025-6192 (use-after-free).

Affected versions are Image Renderer < 3.12.9 and Synthetic Monitoring Agent < 0.38.3. Users should update immediately to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6554 Chrome on Windows, macOS, Linux Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution  Remote code execution.  Potential system compromise.  
CVE-2025-5959 Chrome on Windows, macOS, Linux Type Confusion in V8 in Google Chrome prior to allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Remote code execution.  Potential system compromise. 
CVE-2025-6191 Chrome on Windows, macOS, Linux Integer overflows in V8 in Google Chrome prior to allowing a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Arbitrary code execution. Memory Corruption. 
CVE-2025-6192 Chrome on Windows, macOS, Linux Use after free in Metrics in Google Chrome prior to allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page. Arbitrary code execution.  

Remediation

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows: 138.0.7204.96/.97, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • macOS: 138.0.7204.92/.93, 137.0.7151.103/.104, 137.0.7151.119/.120 
  • Linux: 138.0.7204.96, 137.0.7151.103, 137.0.7151.119 

Other Chromium-based browsers (Edge, Brave, Opera etc.) should also be updated as patches become available from their respective vendors. 

Conclusion: 
The criticality of CVE-2025-6554, CVE-2025-5959, CVE-2025-6191, CVE-2025-6192 in the wild highlights the urgency of applying the latest Chrome security update.

Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks. 

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Scroll to top