Threatintellegence

Security Advisory

Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms

Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.

The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.

OEM Mozilla 
Severity High 
Date of Announcement 2025-11-11 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Vulnerability Name CVE ID Product Affected Severity 
Graphics Race Condition Enabling Remote Code Execution CVE-2025-13012 Firefox High 
WebAssembly Boundary Error RCE CVE-2025-13016 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13021 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13022 Firefox High 
WebGPU Sandbox Escape via Boundary Flaw CVE-2025-13023 Firefox High 
JavaScript Engine JIT Miscompilation RCE CVE-2025-13024 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13025 Firefox High 
WebGPU Sandbox Escape and Code Execution CVE-2025-13026 Firefox High 
Memory Safety Bugs Allowing Arbitrary Code Execution CVE-2025-13027 Firefox, Thunderbird High 

Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.

The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity. 

Technical Summary 

Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.

Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.

Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13012 Graphics Subsystem Race condition vulnerability leads to system crash or remote execution. Remote Code Execution 
CVE-2025-13016 JavaScript: WebAssembly Incorrect memory boundary validation allows code execution through crafted scripts. Remote Code Execution 
CVE-2025-13021 Graphics: WebGPU Boundary condition errors may cause memory corruption and remote code execution.  
Remote Code Execution  
CVE-2025-13022 Graphics: WebGPU Boundary error in WebGPU rendering pipeline allowing memory corruption Remote Code Execution 
CVE-2025-13023 Graphics: WebGPU Sandbox escape via boundary flaw enabling code execution outside browser process. Sandbox Escape, RCE 
CVE-2025-13024 JavaScript Engine: JIT JIT miscompilation allows stealthy remote code execution within browser context. Remote Code Execution 
CVE-2025-13025 Graphics: WebGPU Improper memory boundary control in WebGPU leads to RCE. Remote Code Execution 
CVE-2025-13026 Graphics: WebGPU Sandbox escape enabling remote code execution beyond browser sandbox. Sandbox Escape, RCE 
CVE-2025-13027 Firefox / Thunderbird Memory safety errors across multiple components allow arbitrary code execution. Remote Code Execution 

Source: Microsoft, Cybersecurity News 

In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems – 

  • CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium) 
  • CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium) 
  • CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium) 
  • CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)  
  • CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low) 

Recommendations: 

  • Update all Firefox to version 145 immediately to mitigate the vulnerabilities.  

Here are some recommendations below  

  • Enable automatic browser updates across all systems. 
  • Perform vulnerability scans to ensure no outdated browser versions remain. 
  • Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential. 
  • Educate employees about risks from phishing, drive-by downloads and malicious extensions. 

Conclusion: 
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.

Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws. 

Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.

References

Blogs

AI Surge in CyberSecurity Redefining Threat & Defense; Reshaping Software Development & Security

Currently enterprise Cyber Security strategy with AI has become a game changer, reshaping is critical for both threat and defense. Embracing Gen AI for a robust defensive system empowers organizations to analyze vast amount of data is key requirement for enterprise security where software development is key to enterprise security , embracing ‘security by design’.

In 2024-2025, we have witnessed how mainstream enterprise deployment of AI has changed the strategic cyber security requirement. Thereby creating a strong defense mechanism around enterprise security, redefining the threat landscape and shaping software development.

AI is changing the way we look at products being a risk multiplier. How organization balancing innovation with protection?

AI can track and break commonly used passwords within minutes. So this is scary as more powers are in the hands of hackers, on the other side AI can improve password security again a boon. The Dark Web is already selling Fraud GPT and Worm GPT.

For Organizational cyber security strategy AI is being used now to tackle threats and cyber defense. Again AI has the capability to accelerate the speed of cyber attacks.

So what are leaders deciding when chasing AI based products. The way leaders are looking at products is products that give practical and actionable outlook and being embedded in delivery workflows.

Strategically, this means evolving away from rigid, checkbox-based compliance toward dynamic, adaptive security models that reflect how modern teams really build software—especially in AI-accelerated environments.

As per statistics 2025 witnessed the following AI based cyber attacks.16% of all breaches in 2025 involved attackers using AI. (IBM),and other AI attacks included 37% used phishing attacks and 35% used deepfake attacks. (IBM). 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM).

OpenText has released their survey and the report entails, AI is rapidly changing the threat landscape for organizations . Organizations are navigating a high-stake balancing act to enable innovation while managing risk.

Here are the key findings

Top AI-related concerns among respondents include data leakage (29%), AI-enabled attacks (27%), and deepfakes (16%).

95% of respondents are confident in their ability to recover from a ransomware attack, but only 15% of those attacked fully recovered their data.

88% allow employees to use GenAI tools, yet less than half (48%) have a formal AI use policy.

Enterprises lead AI governance (52%) compared to SMBs (43%) by having a formal AI policy in place.

52% report increased phishing or ransomware due to AI; 44% have seen deepfake-style impersonation attempts.

Surge in AI Threats via sophisticated attacks

One of the reasons cited by threat researchers is organizations are embracing GenAI, allowing employees to use generative AI tools and few less then 50% have a formal AI-use or data privacy policy in place, the report noted.

This is added with hackers innovative way in tricking using AI, bypassing any defense mechanism which is traditional. 

AI tools are now being used to create such convincing phishing emails, fake websites and even deepfake videos to injecting malicious code giving leverage to cyber criminals

In the last few months we witnessed how Ransomware attacks round the world surged and quite complex in nature as third-party service providers or software supply chains were prime targets. The Qantas airline breach and M&S data beach that hit UK’s top retail brand.

While Qantas did not to Information Age whether AI voice deepfakes were used in the breach, the cybercrime group experts believe may be linked to the hack — dubbed ‘Scattered Spider’ — has a track record of using voice-based phishing (or ‘vishing’) in its attacks. This is clear AI being used and surge is quite high in AI based cyber attacks.

AI for Cyber Defense for Organizational Cyber Security Strategy

It is not hackers who are benefiting but for Organizations it is a game changer as AI being used to detect attack at faster pace meaning mean time.

Findings of this survey reinforces that protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations’, partners, and technology providers collaborate to close security gaps before they are exploited.

Key pointer for building pragmatic and strategic choices and this approach starts with embracing security by design approach in developmental life cycle.

  • Continuously Embedding security in developer workflows keeping automating, scanning, policy enforcement and anomaly detection in tools used by developers.
  • Cybersecurity AI tools are better at identifying patterns and anomalies in large datasets including vulnerabilities. teams have to highly prioritize and contextualize them in term of developing products.
  • Supposedly there is an attack and the security tools not able to detect. So continuous testing is mandatory.
  • Developers can favor simple solutions that favors pragmatic security patterns and transparency in architecture. In this way trust is developed with clients.

Few important developers keep in focus is to sponsor bug bounties, publish advisories using standards like the Common Security Advisory Framework (CSAF) and provide context on severity and exploitability.

Threat researcher suggest organizations who are building in products accept all vulnerability reports, investigate them, and fix the issues. Any critically important advisory to be used for root cause analysis to improve tools, training and various threat models. Developers are suggested to give feedback for external tools if they help them evolve. Understanding no software can ever be perfect.

Offerings from IntruceptLabs are exactly what you need to develop organizational cyber defense capabilities

Intru360

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

(Sources: https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today)

Sources: https://investors.opentext.com/press-releases/press-releases-details/2025/OpenText-Cybersecurity-2025-Global-Ransomware-Survey-Rising-Confidence-Meets-a-Growing-AI-Threat/default.aspx)

Blogs Security Advisory

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location 

Summary 

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries. 

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details 

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation. 

Key characteristics: 

The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows: 

  • Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.​ 
  • Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.​ 
  • Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.​ 
  • Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.​ 
  • Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.​ 
  • Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks. 

Attack Flow 

Step Description 
1. Craft Malicious Input  Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw. 
2. Deliver Payload The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards. 
3. Bypass Security Measures The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system. 
4. Gain Persistent Control Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly. 
5. Exploit Device Capabilities Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly. 
6. Maintain Stealth & Avoid Detection The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications. 
7. Exploit and Monetize The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized. 

Proof-of-Concept 

The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.

The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.

This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.  

Source: https://x.com/thezdi/status/1981316237897396298 

Why It’s Effective 

  • Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes. 
  • Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling. 
  • Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms. 
  • Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user. 
  • Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections. 
  • High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access. 

Remediation

  • Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043. 
  • Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly. 
  • Enable automatic security updates on Samsung devices for timely future patching without delay. 
  • For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints. 
  • Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise. 
  • Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing. 
  • Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise. 
  • Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching. 

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits. 

Conclusion: 


This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks. 

References

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Security Advisory

Google Chrome Zero-Day CVE-2025-2783 Exploited in APT Group TaxOff Campaigns 

Summary 

A newly-patched zero-day vulnerability in Google Chrome CVE-2025-2783 which was exploited in the wild by a threat actor TaxOff, leading to the deployment of Trinper which an advanced backdoor.

The CVE-2025-2783 exploited a sandbox escape vulnerability within Google Chrome’s Mojo IPC (Inter-Process Communication) framework, which allowed attackers to bypass the browser’s security sandbox and lead to RCE. 

TaxOff Threat Actor 

TaxOff is a highly sophisticated Advanced Persistent Threat (APT) group primarily targeting government organizations which is known for its use of advanced social engineering tactics, often involving phishing campaigns that exploit themed around financial reporting and regulatory compliance. 

The CVE-2025-2783 vulnerability was first detected in March 2025 after Kaspersky reported real-world exploitation.

TaxOff used a phishing-based delivery method, which involved embedding a malicious link in emails masquerading as invitations to legitimate events like the Primakov Readings forum.

Once the link was clicked, the CVE-2025-2783 exploit was triggered, leading to the deployment of the Trinper backdoor. It was a one-click compromise that delivered a highly tailored payload with surgical precision. 

Trinper Backdoor 

This is a multi-threaded C++ backdoor that collected host data, logged keystrokes, exfiltrated targeted documents like document, excel or pdf files and maintained remote access.

But this wasn’t just a “plug-and-play” backdoor. Trinper’s loader employed five layers of encryption, utilizing ChaCha20, modified BLAKE2b hashes, and even machine-specific environmental checks. It was decrypted only on intended systems, using unique hardware identifiers like firmware UUIDs and PEB structures. 

Source: global.ptsecurity.com 

Interestingly, researchers found that Team46, a different APT group shares many similarities with TaxOff in terms of TTPs. This overlap raises the possibility that TaxOff and Team46 are the same group operating under different aliases.

Both groups have used PowerShell-based loaders and Cobalt Strike as their primary exploitation vectors. 

This flaw allows threat actors to:

  • Execute arbitrary code
  • Bypass Chrome’s built-in security sandbox
  • Potentially gain remote control over the system

Recommendation 

The rapid exploitation of CVE-2025-2783 highlights the critical importance of timely patch management. Google released a fix for this vulnerability in March 2025, and all users are strongly advised to update their Chrome browsers to the latest version immediately. 

In addition to patching, organizations should implement the following defensive measures 

  • Enhance email filtering systems and provide regular phishing awareness training for employees. 
  • Continuously monitor systems for unusual or suspicious behavior related to script execution or network anomalies. 
  • Restrict the execution of unsigned or obfuscated scripts and macros, particularly in email attachments or downloaded files, using tools like AppLocker or Microsoft Defender ASR. 

References

Security Advisory

Palo Alto Firewall Vulnerabilities Under Active Exploitation 

An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.

Summary 

OEM Palo Alto 
Severity High 
Date of Announcement 2025-02-19 
CVEs CVE-2025-0108 
CVSS Score 8.8 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.

This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
 Authentication Bypass Vulnerability  CVE-2025-0108  Pan OS         High PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 

Technical Summary 

This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations. 

Vulnerability Name Details Severity Impact 
 Authentication Bypass Vulnerability  This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111.         High Root access of the affected system, unauthorized file exfiltration. 

Recommendations 

  • Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately. 

Here are the details of the required upgrades: 

Version Updated Version 
PAN-OS 11.2 Upgrade to 11.2.4-h4 or later 
PAN-OS 11.1 Upgrade to 11.1.6-h1 or later 
PAN-OS 10.2 Upgrade to 10.2.13-h3 or later 
PAN-OS 10.1 Upgrade to 10.1.14-h9 or later 

General Recommendations 

  • Restrict access to PAN-OS management interfaces to trusted IPs only. 
  • Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions. 
  • Follow best practices for firewall security, including network segmentation and regular vulnerability assessments. 
  • Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity. 

Conclusion 

The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat. 

The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.

References

  • https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/ 
  • https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise   

Security Advisory

Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413) 

A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.

CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.

OEM Microsoft 
Severity Critical 
CVSS 9.8 
CVEs CVE-2024-21413 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2024-21413  Microsoft  Critical 

Technical Summary 

The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files. 

By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-21413 Microsoft Office LTSC 2021, Microsoft 365 Apps, 
Microsoft Outlook 2016, Microsoft Office 2019   		Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks.  NTLM credential theft, remote code execution, potential full system compromise  

Remediation

  1. Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches. 
  1. Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft. 

General Remediation: 

  1. Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers. 
  1. User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments. 
  1. Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection. 
  1. Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities. 
  1. Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution. 

Conclusion: 

The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action. 

References: 

Scroll to top