Security advisory

Security Advisory

TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation 

Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library. 

Severity High 
CVSS Score 7.8 
CVEs CVE-2025-62518 
POC Available Yes, public PoC and patches available (edera-dev GitHub) 
Actively Exploited Not confirmed widespread exploitation public PoC raises opportunistic risks 
Exploited in Wild No confirmed mass exploitation at time of writing 
Advisory Version 1.0 

Overview 


Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Tar path traversal / symlink bypass (async-tar RCE vector) CVE-2025-62518 GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools High Patches released by maintainers; reference fixes in Edera patch repository  and vendor advisories 

Technical Summary 

Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.

A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).

Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62518 Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. 

Remediation

  • Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable). 
  • Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems. 
  • Use least privilege for extraction processes — avoid root / Administrator contexts. 
  • Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses. 
  • Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement). 
  • Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries. 

Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits. 

SIEM / EDR indicators: 

  • File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes. 
  • Creation of symlinks or reparse-points by tar-related processes. 
  • Processes invoking tar or Python extraction libraries writing outside expected extraction directories. 

Conclusion: 
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.

This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise. 

References:  

Security Advisory

Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration

Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration

A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.

This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.

Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.

Vulnerability Details

The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.

Source: blog.randorisec.fr, cybersecuritynews
Attack Flow

StepDescription
CraftAttackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations.
AccessThe ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation.
ExtractThe encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”).
DecryptThe DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz.
ExploitDecrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API

Why It’s Effective

  • Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
  • Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
  • Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.

Recommendations:

  • Monitor Processes Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
  • Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
  • Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
  • Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
  • User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation

Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.

References:

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Security Advisory

TP-Link Security Update, Omada Gateway Exploits Fixed in October Release 

Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.

OEM TP-Link 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 
Date of Announcement 2025-10-21 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
OS Command Injection Vulnerability CVE-2025-6542 TP-Link Omada Gateways Critical 9.3 
Command Injection Vulnerability CVE-2025-7850 TP-Link Omada Gateways Critical 9.3 

Technical Summary: 

TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6542 TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) Unauthenticated remote attackers can execute arbitrary OS commands on the device Remote Code Execution,  System Compromise, Malware Deployment 
CVE-2025-7850 TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) Command injection exploitable after admin authentication on the web portal System Compromise,  Root-Level Control 

Additional Vulnerabilities: 

The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways – 

Vulnerability Name CVE ID Affected Component Severity 
Authenticated Arbitrary OS Command Execution in Omada Gateways CVE-2025-6541 TP-Link Omada Gateways High 
Root Shell Access Under Restricted Conditions in Omada Gateways CVE-2025-7851 TP-Link Omada Gateways High 

Remediation: 

Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models. 

Model Affected Versions Fixed Version 
ER8411 < 1.3.3 Build 20251013 Rel.44647 >= 1.3.3 Build 20251013 Rel.44647 
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594 >= 1.1.0 Build 20251015 Rel.63594 
ER707-M2 < 1.3.1 Build 20251009 Rel.67687 >= 1.3.1 Build 20251009 Rel.67687 
ER7206 < 2.2.2 Build 20250724 Rel.11109 >= 2.2.2 Build 20250724 Rel.11109 
ER605 < 2.3.1 Build 20251015 Rel.78291 >= 2.3.1 Build 20251015 Rel.78291 
ER706W < 1.2.1 Build 20250821 Rel.80909 >= 1.2.1 Build 20250821 Rel.80909 
ER706W-4G < 1.2.1 Build 20250821 Rel.82492 >= 1.2.1 Build 20250821 Rel.82492 
ER7212PC < 2.1.3 Build 20251016 Rel.82571 >= 2.1.3 Build 20251016 Rel.82571 
G36 < 1.1.4 Build 20251015 Rel.84206 >= 1.1.4 Build 20251015 Rel.84206 
G611 < 1.2.2 Build 20251017 Rel.45512 >= 1.2.2 Build 20251017 Rel.45512 
FR365 < 1.1.10 Build 20250626 Rel.81746 >= 1.1.10 Build 20250626 Rel.81746 
FR205 < 1.0.3 Build 20251016 Rel.61376 >= 1.0.3 Build 20251016 Rel.61376 
FR307-M2 < 1.2.5 Build 20251015 Rel.76743 >= 1.2.5 Build 20251015 Rel.76743 

Here are some recommendations below 

  • Restrict network access to the management interface and enable trusted networks only. 
  • Apply least privilege principles and regular security audits for network devices. 
  • Disable remote management if not required and segment networks to limit lateral movement. 

Conclusion: 

There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure. 

References

 

Security Advisory

Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities

Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.

The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.

One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.

OEM Fortinet 
Severity High 
CVSS Score 7.8 
CVEs CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Weak Authentication Mechanism CVE-2025-49201 FortiPAM, FortiSwitch Manager  High FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later 
CLI Command Functionality Bypass  CVE-2025-58325 FortiOS High FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ 
Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) CVE-2025-57741 FortiProxy High FortiProxy 7.2.5+, 7.0.5+ 
Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. Medium FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ 

Technical Summary 

Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.

Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.

Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-49201 FortiPAM, FortiSwitch Manager This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces.  Authentication Bypass / Remote Code Execution 
 CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. Remote Code Execution / System Compromise 
CVE-2025-58325 FortiOS A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. Privilege Escalation / Remote Code Execution 
CVE-2025-57741 FortiProxy This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. Remote Code Execution / Service Compromise 

Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential. 

Vulnerability Name CVE ID Affected Component Severity 
 FGFM protocol allows unauthenticated reset of the connection CVE-2025-26008 FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. Medium 
Heap Overflow in fgfmsd CVE-2025-50571 FortiAnalyzer/Cloud, FortiManager/Cloud. Medium 
Heap buffer overflow in websocket CVE-2025-22258 FortiOS,FortiPAM, FortiProxy, FortiSRA Medium 
Improper autorization over static files CVE-2025-54822 FortiOS, FortiProxy Medium 
Insufficient Session Expiration in SSLVPN using SAML authentication CVE-2025-25252 FortiOS Medium 
Missing authentication check in OFTP service CVE-2025-53845 FortiAnalyzer Medium 
Race condion in FortiCloud SSO SAML authentication CVE-2025-54973 FortiAnalyzer Medium 
Stack-based buffer overflow on fortitoken import feature CVE-2025-46718 FortiOS, FortiProxy Medium 

Recommendations 

Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website 

  • FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version 
  • FortiSwitch Manager: Upgrade to version 7.2.5 or higher 
  • FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series 
  • FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version 
  • FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version 

Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations : 

  • Enable multi-factor authentication (MFA) to reduce unauthorized access risk 
  • Restrict network access to management interfaces to trusted personnel only 
  • Monitor logs for unusual brute-force attempts or anomalous login activity 
  • Apply the principle of least privilege to limit access to VPN and management services 
  • Use firewalls with strict whitelisting to block external attack vectors to vulnerable services 

Conclusion: 
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.

The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.

Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure. 

References

Hashtags 

#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept  

Security Advisory

Elastic Patched Critical Jinjava Template Injection in Elastic Cloud Enterprise(ECE) 

Summary : Security Advisory: Elastic disclosed vulnerability in Elastic Cloud Enterprise (ECE) that allows attackers with admin access to steal sensitive data or execute any commands through Jinjava template injection. This flaw impacts ECE versions from 2.5.0 up to and including 3.8.1, as well as versions 4.0.0 through 4.0.1.

OEM Elastic Cloud Enterprise (ECE) 
Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-37729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview  

The vulnerability with CVE-2025-37729, affects multiple ECE versions starting from 2.5.0 up to and including 3.8.1, and versions starting from 4.0.0 up to and including 4.0.1. Users & Administrators are strongly advised to upgrade to the latest version of ECE immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Improper Neutralization of Special Elements Vulnerability  CVE-2025-37729 Elastic Cloud Enterprise  Critical v3.8.2 &  
v4.0.2 

Technical Summary 

Improper neutralization of special elements can be used to issuing commands via a specially crafted string where Jinjava variables are evaluated.

Malicious actors are exploiting due to an improper neutralization of special characters vulnerability in the Jinjava template engine used by ECE.

Attackers with admin-level access to the ECE admin console and deployments with the Logging+Metrics feature enabled can inject malicious Jinjava expressions through specially crafted payloads. This vulnerability can allow them to exfiltrate sensitive data or execute arbitrary command on the system.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 37729 Elastic Cloud Enterprise (ECE) v2.5.0-3.8.1, v4.0.0-v4.0.1 Improper sanitization of user-supplied input in Jinjava templates allows admin users to inject malicious expressions, enabling code execution and data exfiltration Sensitive Data Leakage, Arbitrary Command Execution, Potential Full System Compromise 

Recommendations: 

Upgrade the Elastic Cloud Enterprise versions to v3.8.2 and v4.0.2 or the latest one. 

Here are some recommendations below 

  • Keep admin access restricted to trusted accounts only for the ECE admin console. 
  • You can monitor the request logs for malicious payloads using the query payload.name : int3rpr3t3r or payload.name : forPath. Implement strict access controls and regularly audit admin privileges. 

Conclusion: 
This is critical vulnerability in Elastic Cloud Enterprise that could allow attackers to data exfiltration and arbitrary command execution.

Although exploitation needs administrative access, but its high impact makes it a major security risk & needs immediate action. Upgrading to the fixed version and applying recommended actions are strongly advised by the organizations to stay secure. 

References

 

Security Advisory

Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Type Confusion in V8 Engine  CVE-2025-10585 Chrome (Windows, Mac, Linux)  High  140.0.7339.185/.186 

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type of confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues, a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-10585 Google Chrome (Windows, Mac, Linux) Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape Remote Code Execution / Sandbox Escape 

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name CVE ID Affected Component Severity 
​Use-after-free in Dawn CVE-2025-10500 Chrome GPU Renderer Component (Dawn)  High 
Use-after-free in WebRTC CVE-2025-10501 Chrome WebRTC Audio/Video Communication Module High 
Heap Buffer Overflow in ANGLE CVE-2025-10502 Chrome Graphics Translation Engine (ANGLE) High 

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 

Here are some Recommendations below 

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: Keep monitoring logs for any signs of exploitation 

Conclusion: 
There are high vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Security Advisory

Angular SSR Vulnerability Allows Cross-Request Data Exposure (CVE-2025-59052) 

Security Advisory: A high security flaw was discovered in Angular’s server-side rendering (SSR) functionality that could lead to cross-request data leakage due to a global race condition. This is identified as CVE-2025-59052, affects multiple versions of Angular’s @angular/platform-server, @angular/ssr and @nguniversal/common packages.

With data breaches at highest, Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.

Severity High 
CVSS Score 7.1 
CVEs CVE-2025-59052 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Angular is a popular open-source web application framework developed by Google, used to build dynamic, single-page applications (SPAs) and server-rendered apps using HTML, TypeScript and JavaScript.

When multiple SSR requests are processed concurrently, sensitive state information may be inadvertently shared, potentially exposing user tokens or private data across unrelated sessions. The Angular has released patches across all active branches and urges developers to update immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Race condition vulnerability  CVE-2025-59052 Angular platform-server, ssr  High  v18.2.14, v19.2.15/16, v20.3.0, v21.0.0-next.3 

Technical Summary 

Angular uses a dependency injection (DI) container called the platform injector during SSR to hold request-specific data. This container was implemented as a global module-scoped variable, introducing a race condition when multiple requests were processed simultaneously.

This flaw could cause data meant for one user to be sent in the response to another, potentially leaking authentication tokens, headers, or private content.

Affected APIs include bootstrapApplicationgetPlatform, destroyPlatform. These changes introduce SSR-only breaking changes, with automatic migration schematics available through the Angular CLI update process. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-59052 Angular SSR v16 to v21 Race condition in global DI container during SSR could leak user data across requests Cross-Request Data Leakage 

Recommendations

Upgrade Angular packages to the latest patched versions: 

Package Affected Versions Fixed Versions 
@angular/platform-server >=16.0.0-next.0 <18.2.14 
>=19.0.0-next.0 <19.2.15 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.14 
19.2.15 
20.3.0 
21.0.0-next.3 
@angular/ssr >=17.0.0-next.0 <18.2.21 
>=19.0.0-next.0 <19.2.16 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.21 
19.2.16 
20.3.0 
21.0.0-next.3 

If Immediate Upgrade is Not Possible, you can follow the recommendations below 

  • Disable SSR via server routes or build configurations 
  • Remove asynchronous behavior from custom bootstrap functions 
  • Eliminate use of getPlatform() in server-side code 
  • Ensure ngJitMode is set to false in production builds 

Conclusion: 
The Angular SSR vulnerability CVE-2025-59052 is the high severity issue with global state management during concurrent request processing, resulting in potential cross-request data exposure.

Though not yet exploited in the wild, the risk is significant for SSR-enabled Angular apps. Developers are urged to apply updates promptly or follow the provided mitigation steps to secure their applications. 

As per reports this vulnerability requires no special privileges or user interaction, making it both easy to exploit and dangerous in high-traffic applications.

References

Hashtags 

#Infosec #CyberSecurity #Angular #SecurityAdvisory #WebSecurity #Vulnerabilitymanagement #DevSecOps #PatchManagement #CISO #CXO #Intrucept 

Security Advisory

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.

This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.

Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-09-09 
No. of Patches 86 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Here are the CVE addressed for Microsoft & non-Microsoft 

  • 81 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed 

Breakdown of September 2025 Vulnerabilities 

  • 41 Elevation of Privilege (EoP) 
  • 22 Remote Code Execution (RCE) 
  • 16 Information Disclosure 
  • 4 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 1 Spoofing  
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows SMB Elevation of Privilege Vulnerability  CVE-2025-55234 Windows Server, Windows 10, 11  High 8.8 
Improper Handling of Exceptional Conditions in Newtonsoft.Json CVE-2024-21907 Microsoft SQL Server High 7.5 

Technical Summary 

September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.

One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.

Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-55234 Microsoft SMB Server Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. Privilege Escalation 
CVE-2024-21907 Newtonsoft.Json < 13.0.1 Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. Denial of Service 

Source: Microsoft and NVD 

In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed 

  • CVE202555232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface. 
  • CVE202554918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems. 
  • CVE202554110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations. 
  • CVE202554098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments. 
  • CVE202554916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges. 

Key Affected Products and Services 

The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core and Security Components 

Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher. 

  • Microsoft Office Suite 

Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors. 

  • Azure and Cloud Services 

Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC). 

  • Virtualization and Hyper-V 

Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks. 

  • Developer and Management Tools 

Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation. 

  • Communication & File Services 

Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats. 

Remediation: 

Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks. 

Conclusion: 
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.

Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.

References

Blogs

Tenable & More Cyber Vendor’s Impacted by Third Party Salesforce Breach

Proofpoint, Tenable, CyberArk are other Third-Party vendors impacted by Salesforce Breach.

In an advisory released Tenable disclosed that it “was among the many organizations impacted” in the Salesloft Drift attacks, during which “an unauthorized user had access to a portion of some of our customers’ information stored in our Salesforce instance.”

Impacted data includes “subject lines and initial descriptions provided by our customers when opening a Tenable support case” as well as standard contact information such as name, business email address, phone number and location reference.

Tenable products and data stored in the vendor’s products, were not affected, the company said. CRN has reached out to Tenable for further comment.

Tenable stated that standard business contact information, such as customer names, email addresses, phone numbers and location details, was also accessed. At this point, the company stated there is no evidence that this information has been misused.

The information accessed by the unauthorized party was limited to data within Tenable’s Salesforce environment. This included:

  • Commonly available business contact information, such as customer names, business email addresses, and phone numbers.
  • Regional and location references associated with customer accounts.
  • Subject lines and initial descriptions that customers provided when opening a support case.

Third party vendor’s prime target of cyber attack increase Enterprise Cyber Risk

Targeting vendors indicate how critical it is to maintain third-party risk and be cautious while managing security risks associated with these external partners, focal point of target and critical for any organization’s data security.

The Tenable and other vendors being targeted increase the responsibility of enterprise based Third-party cyber risk associated as vendors can be targets for cyberattacks.

If their security measures are weak, your company’s data could be compromised. Ensuring vendors have strong cybersecurity protocols is essential to protecting sensitive information.

Enterprise security posture indicate how third-party security is a set of practices that can identify these risks and protect your organization from security threats associated with any third-party entity.

Risks arising from third-party vendors, contractors and business partners who have access to your data and systems is more then critical.

Three more well-known cybersecurity vendors have joined the lengthy list of companies impacted in the recent breach of a third-party Salesforce application, with Proofpoint, Tenable and CyberArk disclosing they were affected in the widespread Salesloft Drift attacks.

CyberArk, a publicly traded identity security vendor that Palo Alto Networks has a deal to acquire for $25 billion.

In similar pattern an unauthorized actor accessed Proofpoint’s Salesforce tenant through the compromised Drift integration and viewed certain information stored in our Salesforce instance,” the company said.

Attack module

The attacks involved stolen authentication tokens for Salesloft-owned workflow automation app Drift, which threat actors have used to steal data from Salesforce CRM systems. It’s unclear how threat actors obtained the tokens.

As per researchers, breach at Tenable was not an isolated attack but is linked to a wider, sophisticated campaign that security experts have been tracking. This campaign specifically exploits a vulnerability in the integration between Salesforce and Salesloft Drift, a popular sales engagement platform.

Scroll to top