Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability
VMware ESXi VMware vulnerabilities
Continue ReadingVPN
Data Breach at SoundCloud Involves Unauthorized Access to Users Data
SoundCloud Data Breach
Continue Reading
Urgent OpenVPN Security Patch to Stop Remote Denial of Service Attacks
OpenVPN vulnerabilities
Continue Reading
Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities
Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.
| OEM | Apple |
| Severity | High |
| CVEs | CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes.
| Vulnerability Name | CVE ID | Product Affected | Fixed Version |
| WebKit Use-After-Free (Safari Crash/RCE) | CVE-2025-43438 | iOS, iPadOS | iOS/iPadOS 26.1 |
| WebKit Buffer Overflow (RCE Risk) | CVE-2025-43429 | iOS, iPadOS | iOS/iPadOS 26.1 |
| App Installed Detection via Accessibility | CVE-2025-43442 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Sensitive Screenshot in Embedded Views | CVE-2025-43455 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Kernel Memory Corruption / DoS | CVE-2025-43398 | iOS, iPadOS | iOS/iPadOS 26.1 |
Technical Summary:
The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-43438 | WebKit | Use-after-free in Safari triggers crash or code execution via malicious web content | Remote Code Execution, System Compromise |
| CVE-2025-43429 | WebKit | Buffer overflow in content processing allows arbitrary code execution | Remote Code Execution, Service Compromise |
| CVE-2025-43442 | Accessibility | Permissions flaw allows apps to detect installed apps (fingerprinting) | Privacy Violation, User Tracking |
| CVE-2025-43455 | Apple Account | Malicious apps can screenshot sensitive embedded UI (login views) | Credential, PII Exposure |
| CVE-2025-43398 | Kernel | Memory mishandling leads to system termination or kernel corruption | Denial of Service, Potential Privilege Escalation |
Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table
| Vulnerability Name | CVE ID | Affected Component |
| Sandbox Escape via Assets | CVE-2025-43407 | Assets |
| Sandbox Escape via CloudKit Symlink | CVE-2025-43448 | CloudKit |
| Stolen Device Protection Bypass | CVE-2025-43422 | Stolen Device Protection |
| Cross-Origin Data Exfiltration | CVE-2025-43480 | WebKit |
| Keystroke Monitoring via WebKit | CVE-2025-43495 | WebKit |
| Apple Neural Engine Kernel Corruption | CVE-2025-43447, CVE-2025-43462 | Apple Neural Engine |
| Canvas Cross-Origin Image Theft | CVE-2025-43392 | WebKit Canvas |
| Contacts Data Leak in Logs | CVE-2025-43426 | Contacts |
| Lock Screen Content Leak | CVE-2025-43350 | Control Center |
| Address Bar Spoofing | CVE-2025-43493 | Safari |
| UI Spoofing in Safari | CVE-2025-43503 | Safari |
Recommendations:
Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website.
Patches are available and should be applied immediately.
For environments where immediate patching is not immediately feasible, you can also follow the recommendations below.
- Enable Stolen Device Protection and Lockdown Mode (where applicable)
- Restrict app installations to trusted sources.
- Avoid visiting untrusted websites from browser
- Use VPN and enable Advanced Data Protection for iCloud
- Monitor for anomalous app behavior or battery drain
Conclusion:
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.
Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems.
References:
Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location
Summary
At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.
This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries.
The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.
Vulnerability Details
The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.
The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation.
Key characteristics:
The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows:
- Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.
- Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.
- Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.
- Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.
- Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.
- Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks.
Attack Flow
| Step | Description |
| 1. Craft Malicious Input | Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw. |
| 2. Deliver Payload | The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards. |
| 3. Bypass Security Measures | The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system. |
| 4. Gain Persistent Control | Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly. |
| 5. Exploit Device Capabilities | Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly. |
| 6. Maintain Stealth & Avoid Detection | The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications. |
| 7. Exploit and Monetize | The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized. |
Proof-of-Concept
The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.
The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.
This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.
Source: https://x.com/thezdi/status/1981316237897396298
Why It’s Effective
- Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes.
- Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling.
- Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms.
- Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user.
- Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections.
- High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access.
Remediation:
- Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043.
- Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly.
- Enable automatic security updates on Samsung devices for timely future patching without delay.
- For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints.
- Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise.
- Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing.
- Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise.
- Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching.
This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits.
Conclusion:
This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.
In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks.
References:
WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances
Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.
| OEM | WatchGuard |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-9242 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Out-of-Bounds Write Vulnerability in IKEv2 Process | CVE-2025-9242 | WatchGuard Firebox Appliances with Fireware OS | Critical | v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) |
Technical Summary
Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.
Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.
This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 9242 | WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 | Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution | Arbitrary Code Execution, System Compromise, Data Exfiltration, Ransomware Deployment, Pivoting to Internal Networks |
Recommendations:
You can update to the latest versions from the below table
| Vulnerable Version | Resolved Version |
| 2025.1 | 2025.1.1 |
| 12.x | 12.11.4 |
| 12.5.x (T15 & T35 models) | 12.5.13 |
| 12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811) |
| 11.x | End of Life |
Here are some recommendations below –
- Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only.
- Monitor logs for anomalous traffic.
- Implement network segmentation to limit lateral movement and regularly audit VPN setups.
Conclusion:
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.
Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security.
References:
Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware
Summary
A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access.
Detailed Observation
The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.
This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.
Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.
These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.
The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.
The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack.
Remediation:
Until an official SonicWall patch is released, organizations should take the following immediate actions:
- Disable SonicWall SSL VPN if possible, especially for external access.
- Enforce network segmentation to limit the radius of any potential breach.
- Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges).
- Block known malicious IPs and ASNs used in previous attacks.
- Rotate all VPN credentials, especially for admin or privileged users.
- Harden MFA configuration (though current evidence shows bypasses are possible).
- Enable IP reputation and botnet protection features in SonicWall firewalls.
- Audit all VPN user accounts, removing any inactive or unnecessary ones.
IOCs
| Attacker IP | Threat Actors used tools | ASN/CIDR hosting adversary infrastructure | User & Password created |
| 42.252.99[.]59 | w.exe | AS24863 – LINK-NET – 45.242.96.0/22 | backupSQL (U) |
| 45.86.208[.]240 | win.exe | AS62240 – Clouvider – 45.86.208.0/22 | lockadmin (U) |
| 77.247.126[.]239 | C:\ProgramData\winrar.exe | AS62240 – Clouvider – 77.247.126.0/24 | Password123$ (P) |
| 104.238.205[.]105 | C:\ProgramData\OpenSSHa.msi | AS23470 – ReliableSite LLC – 104.238.204.0/22 | Msnc?42da (P) |
| 104.238.220[.]216 | C:\Program Files\OpenSSH\sshd.exe | AS23470 – ReliableSite LLC – 104.238.220.0/22 | VRT83g$%ce (P) |
| 181.215.182[.]64 | C:\programdata\ssh\cloudflared.exe | AS174 – COGENT-174 – 181.215.182.0/24 | |
| 193.163.194[.]7 | C:\Program Files\FileZilla FTP Client\fzsftp.exe | AS62240 – Clouvider – 193.163.194.0/24 | |
| 193.239.236[.]149 | C:\ProgramData\1.bat | AS62240 – Clouvider – 193.239.236.0/23 | |
| 194.33.45[.]155 | C:\ProgramData\2.bat | AS62240 – Clouvider – 194.33.45.0/24 |
- Source: huntress.com
Conclusion:
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.
The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.
Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory
References:
Zero Trust 2.0” Strategy by White House to Streamline Compliance; A Shift in Threat landscape
Zero trust isn’t just for security teams, but a strategy where organizations meet compliance standards, vendors behavior, govt policies. Overall zero trust is a shift in how an entire enterprise thinks how to access risk and more than a checklist.
The White House is developing a “Zero Trust 2.0” strategy to focus on targeted, high-impact cybersecurity initiatives and improve the efficiency of federal cyber investments.
Trump admin Officials aim to streamline compliance regimes and tailor software security requirements, especially differentiating critical from low-risk software.
The administration is also preparing new guidance on drone procurement and use, restricting purchases from certain foreign entities, and finalizing instructions for agencies to adopt post-quantum cryptography following recent NIST standards.
The zero-trust security architecture was introduced by Forrester Research in 2010. Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, said OMB is looking toward the next iteration of the federal zero trust strategy.
“We’re still coalescing around the exact strategy here, but it likely will be focused on specific initiatives we can undertake for the entire government,” Polk said a July 16 online meeting of the Information Security and Privacy Advisory Board.
AI & Zero Trust
AI tools help build a Zero Trust foundation for enterprises fixing different layers of security and focus on elevating security strategies . Now with the advent of AI-driven advancements, the path forward offers some intriguing prospects for AI and zero trust synergies.
AI and Zero Trust intersecting will unlock key opportunities for holistic cyber security maturity, further AI generates an informed narrative for granting or denying resource access. The security approach seamlessly aligns with a core tenet on principle of Zero Trust and least privilege.
Key Security Updates
Nick Polk also explained some of the key changes in President Donald Trump’s June cybersecurity executive order. Trump maintained many Biden-era initiatives, but canceled a plan to require federal software vendors to submit “artifacts” that demonstrate the security of their product.
“That was really a key instance of compliance over security, requiring an excessive amount of different artifacts from each software vendor, changing requirements midstream, when software providers were already working on getting the security software development form and agencies were already working on collecting it,” Polk said, pointing to a continued requirement for agencies to collect secure software attestation forms from contractors.
How Zero trust help organizations security posture
Organizations who place Zero Trust architecture will have access control policies and definitely use micro segmentation . Required to minimize the damage from ransomware attack can cause.
Attackers not only find it more difficult to breach the system in the first place, they’re limited in their ability to expand made possible by Zero trust when put in place.
Ransomware attack, typically involves an initial infection, lateral movement and data exfiltration with or without encryption. Zero Trust implementation bring organization to address each step as it happens or before it happens. Ransomware will attack a business, consumer, or device e
According to Gartner, at least 70% of new remote access deployments will be served mainly by ZTNA instead of VPN services by 2025 — up from less than 10% at the end of 2021.
Zero trust is based on the principle of least-privilege access, meaning it has to be assumed that no user or application should be inherently trusted. Zero Trust Network Access (ZTNA) takes a completely different approach than VPNs to securing access for remote workers.
Implementing zero trust will connect users to network and no risk is involved with network. Users are connected directly to only the applications and data they need, preventing the lateral movement of malicious users with overly permissive access to sensitive data and resources.
Behavioral Analytics and Anomaly Detection with AI its much easier to detect and entity actions
Automating Threat Response and Remediation is faster with AI as, AI takes the lead in automating response measures by swift device isolation.
AI involves real time risk assessments and determines when to give access resource.
In few years from now many organization will attain the optimal posture for Zero Trust as AI and zero trust emerge as strong significant partner for a better security maturity and posture.
(Source: https://www.computer.org/csdl/magazine/co/2022/02/09714079/1AZLiSNNvIk)
Source: https://www.govcon.community/c/news-summary/trump-admin-focuses-on-zero-trust-2-0-cybersecurity-efficiencies
Identity Based Attacks, the Growing Risk; How do Orgs’ Navigate
In 2025 identity based attacks have surged up and research reveals how identity based attacks have affected identities, endpoints and cloud assets over 4 million past year as reported by threat detection report 2025 by Red Canary.
As organizations grow and continue to harness technology, identity based attacks grow to and risk associated with them. And this brings us to understand he urgent need for strong identity protection as adversaries explore new techniques.
The Threat landscape is vast and have variety to support the attack includes evolving ransomware tactics, supply chain weaponization and attacks on non-human identities.
In this blog we take a look at what rate identity based attacks are growing and what is required to strengthen organizational strategies for resilience.
Of late the type of attacks that are taking center stage are Social engineering based attacks that has gained popularity as per CrowdStrike report.
Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details.
Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access.
Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.
The weakest link in Identity threats
With the usage of cloud most of the enterprises are shifting workload to cloud or hybrid cloud environment and now cloud infrastructure remains one of the points where frequency of attack has increased to achieve initial access.
This also includes increases in macOS threats, info stealers and business email compromise. VPN based abuse is hard to detect so a easy gateway for criminals to launch ransomware based attacks and these products are actually leveraging identity based attacks including insider threats.
Threat researchers from Sygnia have noticed misconfigured Identity and Access Management (IAM) policies are one of the biggest culprits in creating openings for lateral movement and privilege escalation by attackers.
Popular social media websites and apps are breeding grounds for identity based attack that started from social engineering tactics being deployed by state sponsored threat groups to deliver their harmful intentions.
Example: Hackers gained access to Microsoft 365 tenant and authenticated against Entra ID using captured session tokens. This technique not only bypassed multi-factor authentication (MFA), but also circumvented other security controls that were in place.
AWS access keys were discovered on the compromised devices as well, giving the attackers two ways into the AWS environment—through direct API access and the web console via compromised Entra ID users.
Now business are looking to move beyond passwords and weak MFA. Passkeys, Biometric authentication, Risk-based access, and Continuous identity verification will become non-negotiable.
Bolstering organizations identity governance, adopting zero trust principles and participating in identity-focused red team assessments will be the need of the hour.
What can security leaders do to Stay Ahead of Identity-Based Attacks in 2025?
Passwords aren’t enough these day nor are MFA as attackers are advanced in techniques and wont wait to break authentication when they can bypass, manipulate, or socially engineer their way in.
- Go passwordless: FIDO2, Passkeys, Biometrics are not required or eliminate them
- Enforce phishing-resistant authentication: No SMS, no email-based resets, no security questions.
- Implement real-time identity monitoring: Spot privilege escalations before attackers use them.
- Require device trust: If a device isn’t secure you are not secured.
Organizations can stay ahead of this growing threat by leveraging GaarudNode which seamlessly integrate to detect and mitigate exposed credentials in real time.
GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
GaarudNode Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.
Do connect or DM for queries
Source: https://www.crowdstrike.com/en-us/blog/how-to-navigate-2025-identity-threat-landscape/
Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities
SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.
The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.
Key Details:
- The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
- It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
- Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.
Summary
| OEM | SonicWall |
| Severity | High |
| CVSS | 8.2 |
| CVEs | CVE-2024-53704 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Improper Authentication | CVE-2024-53704 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 8.0.0-8035 |
| A privilege escalation vulnerability | CVE-2024-53706 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 |
| A weakness in the SSLVPN authentication token generator | CVE-2024-40762 | SonicWall | High | 7.1.x (7.1.1-7058 and older), 7.1.2-7019 |
| A server-side request forgery (SSRF) vulnerability | CVE-2024-53705 | SonicWall | Medium | 6.5.4.15-117n and older 7.0.x (7.0.1-5161 and older) |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-53704 | Gen7 Firewalls, Gen7 NSv, TZ80 | An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. | Bypass authentication |
| CVE-2024-53706 | Gen7 Cloud Platform NSv | A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. | Allow attackers to gain root privileges and potentially execute code. |
| CVE-2024-40762 | Gen7 Firewalls, Gen7 NSv, TZ80 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. | Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN. |
| CVE-2024-53705 | Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv | A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. | Allow attackers to establish TCP connections to arbitrary IP addresses and ports |
Remediation:
- Update: Impacted users are recommended to upgrade to the following versions to address the security risk:
| Firewalls Versions | Fixes and Releases |
| Gen 6 / 6.5 hardware firewalls | SonicOS 6.5.5.1-6n or newer |
| Gen 6 / 6.5 NSv firewalls | SonicOS 6.5.4.v-21s-RC2457 or newer |
| Gen 7 firewalls | SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher |
| TZ80: SonicOS | SonicOS 8.0.0-8037 or newer |
Recommendations:
- Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory.
- Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access.
- Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts.
- Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities.
References:
Recent Comments