Supplychain

Cybersecurity News

CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.

Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.

“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.

Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list

The primary reason after evaluation by threat researcher’s were –

FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.

  • The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
  • Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
  • For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands

Why CISA added FileZen CVE-2026-25108 to its KEV

  • The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
  • What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
  • Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
  • This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)

JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.

Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.

The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:

  • Run unauthorized commands on the server
  • Manipulate files or processes
  • Establish persistence
  • Access sensitive transferred data
  • Use the compromised FileZen environment as a pivot point into internal systems

Technical Analysis of CVE-2026-25108

OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.

Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform

Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.

As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.

CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.




Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen

Blogs

Threat Landscape Expands in Supply Chain Due to Ransomware Attacks

How Ransomware Supply Chain Attacks Works

Continue Reading
Blogs

Jaguar Land Rover Data Hack reveal Significance of Security & Privacy by Design

Jaguar Land Rover announced suffering they hit by a cyberattack in August that severely disrupted its production and retail activities. Cyber criminals stole data, held by the carmaker, it has said, as its factories in the UK and abroad face prolonged closure. This massive data hack reveal that every stakeholder in the supply chain must be embed and lazed with security and privacy by design.

Principle of security by design

So the ever evolving automotive industry and modern vehicles are more of software, which means more coding which goes upto 100 million codes and this is growing in numbers and run more applications then ever before.

So the more coding and software, the more lucrative it is for attackers to target systems and codes and if security flaws exist then its a heaven for cyber criminal as it is now easy target for data privacy leaks etc.

Best practices for Securing by Design principles and software development are enough to address the emerging risk to automotive systems and other systems within the vehicle.

According to the BBC, three plants were affected: the ones in Solihull, Halewood and Wolverhampton. Also the cyberattack forced the company to disconnect some systems, which led to factories in China, Slovakia and India getting shut down and workers being instructed to stay at home. 

As per the company suppliers and retailers for JLR are also affected, some operating without computer systems and databases normally used for sourcing spare parts for garages or registering vehicles.

Scattered Spider group behind the cyber attack

As per reports the notorious Scattered Spider  the hackers group is credited for the attack on JLR. The threat actor was also linked to recent attacks against major UK retailers, as well as several other industries worldwide. 

This is the second cyberattack that hit JLR this year. In March, the Hellcat ransomware group claimed to data theft which were in hundreds of gigabytes of data from the carmaker.

July we witnessed how Scattered spider group targeted the aviation and retail sector

https://intruceptlabs.com/2025/07/scattered-spider-group-target-aviation-sector-third-party-providers-to-vendors-are-at-risk-solutions-that-will-improve-security-posture/

Addressing cyber security challenges in Automotive security

Organization addressing such cyber incident in near future will require dedication that will extend to all levels. This includes data layer, connection layer, authentication layer and more.

If organizations are proactive enough in establishing comprehensive protective measures and ensuring reliable systems that wont fail and in place, ultimately will create safe environment for entire ecosystem more resilient against cyber disruptions.

Cybersecurity challenges in automotive innovation

The integration of advanced technology has brought the automotive industry face-to-face with complex cybersecurity challenges. Vehicle technology, now deeply intertwined with software, exposes both consumers and manufacturers to varied threats.

The challenge for manufacturers is finding the right balance between advancing connected features and securing those very connections against evolving threats.

Transformation in Automotive industry while navigating cautiously in the midst of cyber attack

The year 2025 is transformative for automotive industry as the industry witnessing many groundbreaking technological advancements that is lazed with challenges in cybersecurity and supply chain resilience.

Navigate cyber challenges

For automotive industry as a whole, opportunities are huge for the industry as a whole but will take concrete shape when fitted with with robust architecture, zero-trust security frameworks and being transparent. There is a need to have more collaborative mindset and approaches among manufacturers, suppliers and leaders in technology of which cyber security is now important part.

Intercept offers Mirage Cloak

Mirage Cloak the Deception Technology, offers various deception methods to detect and stop threats before they cause damage.

These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.

Sources: https://www.theguardian.com/business/2025/sep/10/jaguar-land-rover-says-cyber-attack-has-affected-some-data

Security Advisory

High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043) 

Security Advisory

A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.

The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.

Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.

Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.

OEM Microsoft 
Severity HIGH 
CVSS 7.5  
CVEs CVE-2025-24043 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2025-24043  Microsoft Windows   High 

Technical Summary 

The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.

This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24043  WinDbg and associated .NET diagnostic packages   Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded.  Arbitrary code execution  

Remediation

  • Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions. 
  •  Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available. 
  • Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages. 
  • Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe. 
  • Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components. 

The table below outlines the affected and patched versions of the relevant packages: 

Package Name Affected Version Patched Version 
dotnet-sos < 9.0.607501 9.0.607501 
dotnet-dump < 9.0.557512 9.0.607501 
dotnet-debugger-extensions 9.0.557512 9.0.607601 

Conclusion: 

CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments. 

The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.

Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.

References: 

  • https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/ 

Blogs

New Regulations & Directives to Boost Cyber Defense; DORA & NIS2

DORA & NIS2
EU Regulations to Strengthen Cyber defense

Continue Reading
Cybersecurity News

Blue Yonder SaaS giant breached by Termite Ransomware Gang

The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack. 

Continue Reading
Security Advisory

Advisory on MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

MUT-8694: Threat Actors Exploiting Developer Trust in Open-Source Libraries

Overview

In November 2024, a supply chain attack designated as MUT-8694 was identified, targeting developers relying on npm and PyPI package repositories. This campaign exploits trust in open-source ecosystems, utilizing typosquatting to distribute malicious packages. The malware predominantly affects Windows users, delivering advanced infostealer payloads.

MUT-8694 Campaign Details

The threat actors behind MUT-8694 use malicious packages that mimic legitimate libraries to infiltrate developer environments. The campaign employs techniques such as:

  • Typosquatting: Using package names that closely resemble popular or legitimate libraries.
  • Payload Delivery: Embedded scripts download malware such as Blank Grabber and Skuld Stealer hosted on GitHub and repl.it.
  • Targeted Ecosystems: npm and PyPI, critical platforms for developers.

             Source: Datadog

Key Findings

One identified package, larpexodus (version 0.1), executed a PowerShell command to download and run a Windows PE32 binary from github[.]com/holdthaw/main/CBLines.exe. Analysis revealed the binary was an infostealer malware, Blank Grabber, compiled from an open-source project hosted on GitHub. Further inspection of the repository exposed another stealer, Skuld Stealer, indicating the involvement of multiple commodity malware samples.

Capabilities of Malware

The deployed malware variants include advanced features that allow:

  • Credential Harvesting: Exfiltrating usernames, passwords, and sensitive data.
  • Cryptocurrency Wallet Theft: Targeting and compromising crypto assets.
  • Application Data Exfiltration: Stealing configuration files from popular applications

Affected Packages

Some known malicious packages include:

  • larpexodus (PyPI): Executes a PowerShell script to download malware.
  • Impersonations of npm libraries: Host binaries leading to infostealer deployment.

Remediation:

To mitigate the risks associated with this attack, users should:

  • Audit Installed Packages: Use tools like npm audit or pip audit to identify vulnerabilities.
  • Validate Package Sources: Verify package publishers and cross-check names carefully before installation.
  • Monitor Network Activity: Look for unusual connections to GitHub or repl.it domains.
  • Use Security Tools: Implement solutions that detect malicious dependencies.

General Recommendations:

  • Avoid downloading software from unofficial or unverified sources.
  • Regularly update packages and dependencies to the latest versions.
  • Conduct periodic security awareness training for developers and IT teams.

References:

Scroll to top