Threat mitigation

Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security

Summary : Security Advisory

Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.

The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.

OEM	IBM
Severity	Critical
CVSS Score	9.6
CVEs	CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues.

Vulnerability Name	CVE ID	Product Affected	CVSS Score	Severity
Information Disclosure Vulnerability	CVE-2025-25022	IBM Cloud Pak, QRadar Suite	9.6	Critical
Code Execution Vulnerability	CVE-2025-25021	IBM QRadar SIEM	7.2	High
Denial of Service Vulnerability	CVE-2025-25020	IBM QRadar SIEM	6.5	Medium
Session Hijacking Vulnerability	CVE-2025-25019	IBM QRadar SIEM	4.8	Medium
Web Cache Disclosure Vulnerability	CVE-2025-1334	IBM QRadar Suite	4.0	Medium

Technical Summary

The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.

These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25022	QRadar SIEM	Unauthenticated access to sensitive config files due to poor protections.	Information disclosure, RCE
CVE-2025-25021	QRadar SIEM	Privileged code execution due to improper script code generation in case management.	Remote Code Execution
CVE-2025-25020	QRadar SIEM	API input validation flaw allowing service crash via malformed data	Denial of Service
CVE-2025-25019	QRadar SIEM	Sessions not invalidated upon logout, enabling impersonation by attackers.	Session Hijacking
CVE-2025-1334	QRadar Suite	Cached web content readable by other users, compromising multi-user data confidentiality.	Local Info Disclosure

Remediation:

Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later.

Refer to IBM’s official installation and upgrade documentation for detailed steps.

Conclusion:
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.

IBM has acknowledged these issues and released patches to address all five vulnerabilities.

Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.

References:

https://www.ibm.com/support/pages/node/7235432

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=installing

https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11.0?topic=upgrading

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited

Summary

OEM	Qualcomm
Severity	HIGH
CVSS Score	8.6
CVEs	CVE-2025-21479, CVE-2025-21480, CVE-2025-27038
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.

Vulnerability Name	CVE ID	Product Affected	CVSS Score	Severity
Incorrect Authorization Vulnerability	CVE-2025-21479	Qualcomm Adreno GPU Driver	8.6	High
Incorrect Authorization Vulnerability	CVE-2025-21480	Qualcomm Adreno GPU Driver	8.6	High
Use-After-Free Vulnerability	CVE-2025-27038	Qualcomm Adreno GPU Driver	7.5	High

Technical Summary

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21479	Android (Adreno GPU)	Unauthorized command execution during specific GPU microcode sequences causes memory corruption.	Privilege escalation, system compromise.
CVE-2025-21480	Android (Adreno GPU)	Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.	Memory corruption, remote code execution.
CVE-2025-27038	Android (Chrome/Adreno)	Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.	Arbitrary code execution.

Recommendations:

Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.

Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.

Apply Security Updates: Users should ensure their Android devices receive the latest security updates.

Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.

Conclusion:
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide.

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.

References:

https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

https://securityonline.info/actively-exploited-qualcomm-gpu-zero-days-added-to-cisas-kev-catalog/

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEM	D-link
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2025-46176
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Hardcoded Telnet Credentials vulnerability	CVE-2025-46176	D-Link Router	Medium	No official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-46176	D-Link DIR-605L v2.13B01, DIR-816L v2.06B01	Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.	RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

Disable Telnet access via the router’s web interface.
Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

Restrict WAN access to management interfaces.
Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users.

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEM	Linux
Severity	High
CVSS Score	N/A
CVEs	CVE-2025-37899
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability Name	CVE ID	Product Affected	Severity
ksmbd use-after-free vulnerability	CVE-2025-37899	Linux kernel	High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-37899	Linux kernel (ksmbd)	A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.	Kernel memory corruption, privilege escalation, remote code execution

Remediation:

Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

Monitor your distribution’s security advisories and apply patches as soon as they are available.
Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
Use firewall rules to restrict access to SMB services to trusted networks.
Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEM	CISCO
Severity	HIGH
CVSS Score	8.6
CVEs	CVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
RADIUS DoS Vulnerability	CVE-2025-20152	Cisco Identity Services Engine	High	ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability	CVE-2025-20113	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability	CVE-2025-20114	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20152	CISCO ISE 3.4	Improper handling of malformed RADIUS authentication requests can cause a system reload.	Denial of Service (DoS), Network Disruption
CVE-2025-20113	Unified Intelligence Center 12.5, 12.6	Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.	Privilege Escalation, Unauthorized Data Access
CVE-2025-20114	Unified Intelligence Center 12.5, 12.6	Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.	Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

UIC 12.5(1)SU ES04 or later.
- UIC 12.6(2)ES04 or later.
- Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Deepfake’s pose a Challenge as Cyber-risk Increase

The Digital world is witnessing constant increase in threats from Deepfakes, a challenge for cyber leaders as cybersecurity related risk increase and digital trust.

Deepfakes being AI generated is much used by cybercriminals with intentions to bypass authenticated security protocols and appears realistic but fakes, often posing challenges to detect being generated via AI. We have three types of Deepfakes i.e. voice fakes or Audio, Deep Video maker fakes and shallow fakes or editing software like photoshop.

Growing Cyber Risk due to Deep Fakes

Due to these Deep fakes , which are quiet easier and more realistic to create, there has been deterioration of trust, propagation of misinformation that can be used widely and has potential to damage or conduct malicious exploitation across various domains across the industry verticals.

The cybersecurity industry has always came forward and explained what can be potential risk posed by Deep fakes and possible route to mitigate the risks posed by deepfakes, emphasizing the importance of interdisciplinary collaborations between industries. This will bring in proactive measures to ensure digital authenticity and trust in the face of evolving cyber frauds.

Failing to recognize a deep fake pose negative consequence both for individuals and organizational risk and this can be unable to recognize audio fakes or video fakes. The consequences can be from loss of trust to disinformation. From negative media coverage to falling prey to potential lawsuits and other legal ramifications and we cannot undermine cybersecurity related threats and phishing attacks.

There are case when Deep fakes have been ethically used but the numbers are less compare to malicious usage by cyber criminals. Synthetic media also termed as Deep fakes are created using deep learning algorithms, particularly generative adversarial networks (GANs).

These technologies can seamlessly swap faces in videos or alter audio, creating hyper-realistic but fabricated content. In creative industries, deepfakes offer capabilities such as virtual acting and voice synthesis.

Generative Adversarial Networks (GANs) consists of two neural networks: a generator and a discriminator.

Generator: In this case the network creates synthetic data, such as images or videos from any random sound alert and mimic real data.

Discriminator generally evaluates the generated content against real data.

Deepfakes uses deep learning algorithms to analyze and synthesize visual and audio content which are painful task to determine the real ones, posing significant challenge to ethical security concerns.

While posing threats Deep fakes also provide another gateway for cyber attack specifically Phishing attacks. Tricking victims or impersonating an individual or an entity may open doors for revealing sensitive information and threat to data security.
The audios created via Deepfake could be used to bypass voice recognition systems giving attackers access to secure systems and invading personal privacy.

Uses cases in Deepfakes to understand the reach and impact:

Scammers and Fraudsters can benefit as Deepfakes can develop audio replication and use them for malicious intent like asking financial help from individuals they encounter or voice clone as some important person and demand or extort money.

Identity Theft is often overlooked and this impacts mostly financial institutions and scammers can easily bypass such authentication by cloning voices. Scammers also may easily develop convincing replicas of government ID proofs to gain access to business information or a misuse it as a customer.

Fusing images of high profile public figures with offensive images by employing deepfake technology without their knowledge by criminals and hackers are growing each day . This kind of act can eventually lead to demanding money by cyber criminals or face consequences leading to defaming.

Conspiracy against governments or national leaders by faking their image or creating false hoax where the image or voice is used by cyber criminals often hired by opposing systems in place to disturb peace and harmony and also sound business operations.

Email are the key entry point for cyberattacks and presently we see deepfake technology being used by cyber criminals to create realistic phishing emails. These emails bypass conventional security filters an area we cannot afford to neglect.

How will you detect Deep fakes?

Few technicalities are definitely there that may not be recognizable but there are few minute and hairsplitting details.

In Video fakes its often seen no movement in the eye or unnatural facial expression. The skin colour may be sightly different and in-consistent body positioning including the mismatch lip-syncing and body structure and face structure not similar as what we used to witness or accustomed viewing.

Being a grave concern from cyber security perspective its important to remain alert on new evolving technologies on Deep fakes and know their usage to defend on all frontiers both at individual and organizational level.

As Deep fakes are AI driven and rising phishing attacks that imbibe deep fakes pose a challenge where in mostly social media profile are used. The available AI-enabled computers allow cybercriminals to use chatbots no body can detect as fake.

Mitigating the Digital Threat

Organizations or individuals require robust security measures to implement AI-based security solutions and develop improved knowledge of phishing methods in order to tackle the digital threat.

Remaining proactive in all level of cyber security to navigate the complex challenge of Deep fakes is important, while Deep fakes defiantly poses strong technical challenge but proactive cybersecurity practices can stop cybercriminals from luring victims in their trap.

Government bodies and tech institutions or organizations that are tech savy to have more collaborative efforts to recognize deep fakes and effectively deal with challenges.
The various regulations and more recently the DORA (Digital Operational Resilience Act ), will help navigate these challenges as more investments in open sources security will rise by countries and organizations.

Major investments in AI-driven detection tools are being soughed after at enterprise level, those having stronger authentication mechanisms and improved digital literacy are critical to mitigating these emerging threats.

Investing in Email security service that offers automated protection will assist in blocking major phishing attempts
As per KPMG report, Deepfakes may be growing in sophistication and appear to be a daunting threat. However, by integrating deepfakes into the company’s cybersecurity and risk management, CISOs in assosiations with CEO, and Chief Risk Officers (CRO) – can help their companies stay one step ahead of malicious actors.

This calls for a broad understanding across the organization of the risks of deepfakes, and the need for an appropriate budget to combat this threat.

If Deepfakes can be utilized to infiltrate an organization, the same technology can also protect it. Collaborating with deepfake cybersecurity specialists helps spread knowledge and continually test and improve controls and defenses, to avoid fraud, data loss and reputational damage.

BISO Analytics:

We at Intruceptlabs have a mission and that is to protect your organization from any cyber threat keeping confidentiality and integrity intact.

We have BISO Analytics as a service to ensure business continues while you remain secured in the world of cybersecurity. BISO’s translates concepts and connects the dots between cybersecurity and business operations and functions are in synch with cyber teams.

Sources: https://kpmg.com/xx/en/our-insights/risk-and-regulation/deepfake-threats.html

AI-Driven Phishing And Deep Fakes: The Future Of Digital Fraud

Leadership role in Effective Vulnerability Management

Leadership role in Vulnerability Management

Critical Security Flaw in Kibana Requires Immediate Attention

Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards.

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

OEM	Elastic
Severity	Critical
CVSS	9.9
CVEs	CVE-2025-25012
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately.

Vulnerability Name	CVE ID	Product Affected	Severity
Arbitrary code execution Vulnerability	CVE-2025-25012	Elastic	Critical

Technical Summary

This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.

Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter).

Affected Versions and Exploitation Conditions:

Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role.

Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25012	Kibana 8.15.0 – 8.17.2	Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls.	Remote Code Execution, Unauthorized Data Access, Lateral Movement

Remediation:

Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version

Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk:

Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml.

Conclusion:

Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.

The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future.

References: