Security advisory

Security Advisory

Critical Fluent Bit Vulnerabilities Allow RCE & Cloud Infrastructure at Risk 

Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.

Severity Critical 
CVSS Score 9.1  
CVEs CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities are CVE-2025-12977  CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.

Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering. 

                      Vulnerability Name CVE ID Product Affected Severity CVSS Score Fixed Version 
​Fluent Bit Tag_Key Input Validation Bypass CVE-2025-12977 Fluent Bit Critical 9.1 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Docker Input Stack Buffer Overflow CVE-2025-12970 Fluent Bit High 8.8 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Forward Input Authentication Bypass CVE-2025-12969 Fluent Bit Medium 6.5 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Tag Spoofing via Partial Tag_Key Match CVE-2025-12978 Fluent Bit Medium 5.4 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit File Output Path Traversal CVE-2025-12972 Fluent Bit Medium 5.3 v4.0.12+ , v4.1.1+ , v4.2.0+ 

Technical Summary 

Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.

These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.

Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines. 

Source: Oligo.security 

CVE ID Vulnerability Details Impact 
CVE-2025-12977 Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values. Log corruption and output injection. 
CVE-2025-12970 Stack buffer overflow on container name copy due to lack of length check. Crash or RCE. 
CVE-2025-12969 Authentication bypass disables user-based auth, allowing unauthenticated log injection. Unauthorized log injection. 
CVE-2025-12978 Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char. Manipulation of log routing and filtering. 
CVE-2025-12972 Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution. Arbitrary file write and RCE. 

Remediation

  • Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12  or latest version. 

Here are some recommendations below  

  • Avoid using dynamic or untrusted tags in configuration for routing or file naming. 
  • Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal. 
  • Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement. 
  • Limit network access to Fluent Bit instances to trusted sources only. 
  • Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions. 
  • Monitor logs and telemetry for abnormal tag values or unexpected log routing changes. 

Conclusion: 
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.

This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.

Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise. 

References

Security Advisory

SonicWall SSLVPN Vulnerability Allows Remote Attackers to Crash Firewalls  

Summary : A security flaw was discovered in SonicWall’s SonicOS SSLVPN component, affecting both hardware and virtual firewall appliances across Gen7 and Gen8 product lines.

OEM SonicWall 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-40601 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The SonicWall vulnerability allows remote attackers, without any authentication, to crash into affected firewalls by sending specially crafted traffic to the SSLVPN service. There are no public exploitation in the wild but it is strongly advised customers to apply the available patches immediately to minimize risk. 

In simple terms, the component fails to validate the size or structure of certain data before copying it to a stack‐allocated buffer. Under malicious input, the overflow can overwrite the stack, leading the firewall device to crash.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Stack-based buffer overflow in SonicOS SSLVPN service  CVE-2025-40601 SonicWall SonicOS Firewalls (Gen7 and Gen8 Hardware and Virtual)  High 7.3.1-7013 (Gen7), 8.0.3-8011 (Gen8) and latest one 

Technical Summary 

The vulnerability occurs due to a stack-based buffer overflow affecting the SSLVPN service of SonicOS. Devices with the SSLVPN interface enabled are vulnerable.

This flaw permits remote unauthenticated attackers to trigger a denial-of-service condition, leading to a full firewall crash and service outage.

The problem impacts a wide range of SonicWall firewall models including Gen7 (TZ270, NSa 2700 series etc) and Gen8 (TZ280, NSa 2800 series etc). Administrators are urged to upgrade to the latest versions and restrict SSLVPN access to trusted IPs or disable external-facing SSLVPN portals until remediation is complete. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-40601 SonicWall SonicOS SSLVPN service Stack-based buffer overflow allows remote unauthenticated attackers to send crafted requests causing a denial-of-service crash of the firewall. Only devices with SSLVPN enabled are vulnerable.  Remote denial-of-service 

Recommendations 

Update SonicWall immediately to the following fixed versions: 

  • Gen7 Hardware Firewalls: 7.3.1-7013 and higher versions 
  • Gen7 Virtual Firewalls : 7.3.1-7013 and higher versions 
  • Gen8 Firewalls: 8.0.3-8011 and higher. 

You can follow some below workaround here 

  • Temporarily disable the SSLVPN service if possible or restrict SSLVPN access only to trusted source IP addresses.  
  • Avoid exposing the SSLVPN service to untrusted internet sources until patched. 
  • Continuously monitor firewall and network logs for unusual SSLVPN activity or connection attempts that might indicate probing or exploitation attempts. 

Conclusion: 
There has no evidence of active exploitation for this vulnerability, but the issue makes unpatched firewalls highly attractive targets for threat actors capable of causing major network outages.

Organizations relying on SonicWall should prioritize applying the latest patches and review their SSLVPN exposure as part of broader incident prevention. For those unable to patch immediately, restricting or disabling external SSLVPN access is strongly recommended until fixes can be deployed. 

References

Security Advisory

Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild 

Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-13223, CVE-2025-13224 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13223 Google Chrome High v142.0.7444.175 / v142.0.7444.176 
Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13224 Google Chrome High v142.0.7444.175 / v142.0.7444.176 

Technical Summary 

Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.

Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.

These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13223 Google Chrome (V8 Engine) Type confusion due to improper type handling in V8 allowing memory corruption.  Remote Code Execution, Sandbox Escape 
CVE-2025-13224 Google Chrome (V8 Engine) Type confusion triggered during script execution, discovered via fuzzing Remote Code Execution, Browser Crash 

Remediation

  • Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions: 
  • Windows: 142.0.7444.175 / 142.0.7444.176 
  • MacOS: 142.0.7444.176 
  • Linux: 142.0.7444.175 

Here are some recommendations below 

  • Enforce Chrome auto-updates on all endpoints via enterprise policies. 
  • Monitor browser crash logs and unusual behaviors tied to JavaScript execution. 
  • Run updated vulnerability & patch management tools to ensure full endpoint compliance. 
  • Educate users to avoid suspicious links and unknown websites during active exploitation events 

Conclusion: 
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world. 

References

Security Advisory

Zoho Analytics On-Premise Critical SQL Injection Vulnerability Allows Attackers to Takeover  Data   

Zoho Analytics on-premise installations were recently found to have a SQL Injection vulnerability- CVE-2025-8324  that exposes enterprise environments to risk. The flaw is prevalent in all Zohocorp ManageEngine products, built prior to the most recent patch and enables attackers to exploit weaknesses in the application’s input validation logic.

The flaw enables attackers to execute queries without authentication mainly arbitrary SQL injection, without prior authentication, leading to unauthorized data exposure and account takeovers.

OEM Zoho 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-8324 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview  Malicious actors can launch attacks remotely and takeover user accounts, sensitive analytics data and any connected business intelligence workflows. Administrators are urged to update to the latest version to mitigate this risk. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Unauthenticated SQL Injection  CVE-2025-8324 Zoho Analytics On-Premise  Critical 6171 and later 

Technical Summary 

At the root of this flaw is improper input validation for user-supplied parameters within specific URLs of the Zoho Analytics Plus backend.

This allows arbitrary SQL queries to be executed by anyone with network access to the service, even if they have no login credentials. Zoho has enforced input checks and removing vulnerable backend components altogether.  

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-8324 Zoho Analytics Plus On-Premise An unauthenticated SQL injection vulnerability caused by improper input validation allowing attackers to inject arbitrary SQL queries remotely without authentication.  Account takeover, user data leak 

Recommendations 

  • Organizations must update Zoho Analytics Plus On-Premises immediately to the Build 6171 version or later. 

Here are some recommendations you can follow   

  • Enforce patch deployment across all managed analytics instances to ensure consistency and security. 
  • Continuously monitor logs for unusual SQL query activities or access attempts that could indicate exploitation attempts. 

Conclusion: 
The Zoho Analytics On-Premise deployments, could enable full data and account compromise through unauthenticated SQL injection. CVE-2025-8324 represents a critical security risk, classified at the highest severity level due to its potential impact and ease of exploitation.

Although no active exploitation has been detected to date, the severity of the flaw demands immediate attention. Immediate patching is essential to secure environments and prevent any chance of data compromise or unauthorized access. 

References

Security Advisory

Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms

Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.

The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.

OEM Mozilla 
Severity High 
Date of Announcement 2025-11-11 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Vulnerability Name CVE ID Product Affected Severity 
Graphics Race Condition Enabling Remote Code Execution CVE-2025-13012 Firefox High 
WebAssembly Boundary Error RCE CVE-2025-13016 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13021 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13022 Firefox High 
WebGPU Sandbox Escape via Boundary Flaw CVE-2025-13023 Firefox High 
JavaScript Engine JIT Miscompilation RCE CVE-2025-13024 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13025 Firefox High 
WebGPU Sandbox Escape and Code Execution CVE-2025-13026 Firefox High 
Memory Safety Bugs Allowing Arbitrary Code Execution CVE-2025-13027 Firefox, Thunderbird High 

Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.

The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity. 

Technical Summary 

Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.

Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.

Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13012 Graphics Subsystem Race condition vulnerability leads to system crash or remote execution. Remote Code Execution 
CVE-2025-13016 JavaScript: WebAssembly Incorrect memory boundary validation allows code execution through crafted scripts. Remote Code Execution 
CVE-2025-13021 Graphics: WebGPU Boundary condition errors may cause memory corruption and remote code execution.  
Remote Code Execution  
CVE-2025-13022 Graphics: WebGPU Boundary error in WebGPU rendering pipeline allowing memory corruption Remote Code Execution 
CVE-2025-13023 Graphics: WebGPU Sandbox escape via boundary flaw enabling code execution outside browser process. Sandbox Escape, RCE 
CVE-2025-13024 JavaScript Engine: JIT JIT miscompilation allows stealthy remote code execution within browser context. Remote Code Execution 
CVE-2025-13025 Graphics: WebGPU Improper memory boundary control in WebGPU leads to RCE. Remote Code Execution 
CVE-2025-13026 Graphics: WebGPU Sandbox escape enabling remote code execution beyond browser sandbox. Sandbox Escape, RCE 
CVE-2025-13027 Firefox / Thunderbird Memory safety errors across multiple components allow arbitrary code execution. Remote Code Execution 

Source: Microsoft, Cybersecurity News 

In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems – 

  • CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium) 
  • CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium) 
  • CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium) 
  • CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)  
  • CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low) 

Recommendations: 

  • Update all Firefox to version 145 immediately to mitigate the vulnerabilities.  

Here are some recommendations below  

  • Enable automatic browser updates across all systems. 
  • Perform vulnerability scans to ensure no outdated browser versions remain. 
  • Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential. 
  • Educate employees about risks from phishing, drive-by downloads and malicious extensions. 

Conclusion: 
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.

Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws. 

Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.

References

Security Advisory

Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now

Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-11-11 
No. of Patches 63 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview : Key Updates on Patch Tuesday

The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe. 

This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 63 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 29 Elevation of Privilege (EoP) 
  • 16 Remote Code Execution (RCE) 
  • 11 Information Disclosure 
  • 3 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 2 Spoofing  

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) CVE-2025-62215 Windows 10, 11, Server 2016–2022 Critical 9.0 
Microsoft Office Use-After-Free Remote Code Execution Vulnerability CVE-2025- 62199 Microsoft Office (Word/Excel/Office Suite) Critical 9.8 
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability CVE-2025-30398 Nuance PowerScribe 360 Critical 9.1 
Windows DirectX Graphics Kernel Use-After-Free Vulnerability CVE-2025-60716 Windows DirectX Graphics Kernel Critical 8.8 
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability CVE-2025-60724 Microsoft Graphics Component (GDI+) Critical 8.7 
Visual Studio Command Injection Remote Code Execution Vulnerability CVE-2025-62214 Microsoft Visual Studio / Visual Studio Code Critical 8.1 

Technical Summary 

The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.  

Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62215 Windows Kernel Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) Elevation of Privilege 
CVE-2025-62199 Microsoft Office Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns Remote Code Execution 
CVE-2025-30398 Nuance PowerScribe 360 Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network Information Disclosure 
CVE-2025-60716 Windows DirectX Graphics Kernel Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system Elevation of Privilege 
CVE-2025-60724 Microsoft GDI+ Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files Remote Code Execution 
CVE-2025-62214 Visual Studio Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments Remote Code Execution 

Source: Microsoft 

In addition to several other Important severity vulnerabilities were addressed below –  

  • CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation. 
  • CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation. 
  • CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access. 
  • CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution. 
  • CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE. 
  • CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE. 
  • CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability. 
  • CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs. 
  • CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing. 
  • CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities. 

Source: Microsoft, bleepingcompute, cybersecuritynews 

Key Affected Products and Services 

The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core Components 

Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems. 

  • Microsoft Office Suite 

Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities. 

  • Azure & Cloud Services 

Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors. 

  • Graphics Components 

Patches for GDI+, DirectX, WSL GUI. 

  • Developer Tools 

Updates for Visual Studio, Visual Studio Code, and GitHub Copilot. 

  • Third-Party Applications 

Patches for Nuance PowerScribe (Medical domain). 

  • Mobile Platform Technologies 

Updates for Microsoft OneDrive for Android. 

Remediation: 

  • Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems. 

Here are some recommendations below  

  • Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes. 
  • Ensure Windows 10 ESU enrollment for extended support systems. 
  • Restrict local admin privileges and enforce least-privilege access. 
  • Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity. 
  • Segment critical systems and disable unused network services (RRAS, SMB). 

Conclusion: 
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio. 

Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world. 

References

Security Advisory

Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability 

Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.

OEM Gladinet 
Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-12480 
POC Available YES 
Actively Exploited YES 
Exploited in Wild YES 
Advisory Version 1.0 

Overview 

Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain  CVE-2025-12480 Triofox Critical v16.7.10368.56560 or later 

Technical Summary 

The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access. 

Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 12480 Triofox < 16.7.10368.56560 Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM Authentication Bypass, Admin Account Creation,  Remote Code Execution,  Full System Compromise,  Persistent Access, Data Exfiltration, Lateral Movement 

Indicators of Compromise (IOCs) 

Host-Based Artifacts 

Artifact Description SHA-256 Hash 
C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe Installer containing  Zoho UEMS Agent 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f 
C:\Windows\temp\sihosts.exe Plink 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 
C:\Windows\temp\silcon.exe PuTTy 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad 
C:\Windows\temp\file.exe AnyDesk ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f 
C:\triofox\centre_report.bat Attacker batch script filename N/A 

Network-Based Artifacts 

IP Address ASN Description 
85.239.63[.]37 AS62240 – Clouvider Limited IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance 
65.109.204[.]197 AS24950 – Hetzner Online GmbH After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities 
84.200.80[.]252 AS214036 – Ultahost, Inc. IP address hosting the installer for the Zoho UEMSAgent remote access tool 
216.107.136[.]46 AS396356 – LATITUDE-SH Plink C2 

Source: cloud.google.com 

Recommendations: 

Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal. 

Conclusion: 
This vulnerability  represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.

Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools. 

References

Security Advisory

Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0 

Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.

OEM Amazon 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12779 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.

Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.

The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Improper Authentication Token Handling in Amazon WorkSpaces Client  CVE-2025-12779 Amazon WorkSpaces client for Linux   High 2025.0 

Technical Summary 

The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.

The update improves session isolation and secures token handling, protecting against lateral token theft.

Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12779 Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. Unauthorized access to another user’s workspace 

Recommendations 

  • Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later. 

Conclusion: 
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.

Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions. 

References

Security Advisory

Chrome Latest Update Fixes Multiple High-Severity Security Flaws 

Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems exposing users to possible unauthorized access or data leaks. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Out-of-Bounds Write in WebGPU  CVE-2025-12725 Chrome   High 142.0.7444.134/135 
Inappropriate Implementation in Views (UI Rendering)  CVE-2025-12726 Chrome  High 142.0.7444.134/135 
Inappropriate Memory Handling in V8 JavaScript Engine CVE-2025-12727 Chrome  High 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12728 Chrome  Medium 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12729 Chrome  Medium 142.0.7444.134/135 

Technical Summary 

The bugs included memory corruption issues such as out-of-bound writings and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).

The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.

Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12725 Google Chrome (WebGPU) Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits.  Remote Code Execution / Browser Crash 
 CVE-2025-12726 Google Chrome (Views UI) Inappropriate implementation in the Views component causing memory corruption. UI rendering 
CVE-2025-12727 Google Chrome (V8 Engine) Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. Remote Code Execution  
CVE-2025-12728 Google Chrome (Omnibox) Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. UI Spoofing  
CVE-2025-12729 Google Chrome (Omnibox) Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. UI Spoofing / Security Bypass 

Recommendations 

Update Chrome immediately to the following versions: 

  • For windows 142.0.7444.134/.135  
  • For MacOS 142.0.7444.135 
  • For Linux 142.0.7444.134 

You can update by Open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately. 

Along with update you can follow the recommendations below as well 

  • Enforce Chrome auto-updates across managed endpoints using enterprise policy controls. 
  • Actively monitor browser crash reports or any suspicious logs potentially linked to exploit attempts. 
  • Use vulnerability & patch management tools to ensure all endpoints are running the latest version of all applications.  

Conclusion: 
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk and google already patched those issues. Keeping any application to the latest version which is the best defense against cyber threats aiming at browsers. 

References

Blogs

Critical React Native CLI Vulnerability Enables OS Command Injection  

Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

Severity  Critical 
CVSS Score  9.8 
CVEs  CVE-2025-11953 
POC Available  Yes 
Actively Exploited  No 
Advisory Version  1.0 

Overview 

A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.

The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
 OS Command Injection  CVE-2025-11953  @react-native-community/cli @react-native-community/cli-server-api  Critical  @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 

Technical Summary 

The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.

On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers. 

CVE ID  Component Affected  Vulnerability Details  Impact 
CVE-2025-11953  Development Server’s /open-url Endpoint  The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows.  Remote OS Command Injection 

Recommendations 

  • Update to @react-native-community/cli-server-api version 20.0.0 or later immediately. 

If upgrading is not possible, 

  • Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server. 
  • Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early. 

How these kind of security flaw can cause damage?

This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.

The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.

The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.

The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.

What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.

Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner

  • GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
  • Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
  • Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
  • GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
  • Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.

References

 

 

Scroll to top