Enterprise Flaw ‘GeminiJack’ ZeroClick in Gemini Fixed by Google: Case of Prompt Injection Attack
Google Fixes Gemini Enterprise Flaw
Continue ReadingVulnerability
Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability
Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.
| OEM | Gladinet |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12480 |
| POC Available | YES |
| Actively Exploited | YES |
| Exploited in Wild | YES |
| Advisory Version | 1.0 |
Overview
Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain | CVE-2025-12480 | Triofox | Critical | v16.7.10368.56560 or later |
Technical Summary
The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access.
Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 12480 | Triofox < 16.7.10368.56560 | Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM | Authentication Bypass, Admin Account Creation, Remote Code Execution, Full System Compromise, Persistent Access, Data Exfiltration, Lateral Movement |
Indicators of Compromise (IOCs)
Host-Based Artifacts
| Artifact | Description | SHA-256 Hash |
| C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe | Installer containing Zoho UEMS Agent | 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f |
| C:\Windows\temp\sihosts.exe | Plink | 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 |
| C:\Windows\temp\silcon.exe | PuTTy | 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad |
| C:\Windows\temp\file.exe | AnyDesk | ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f |
| C:\triofox\centre_report.bat | Attacker batch script filename | N/A |
Network-Based Artifacts
| IP Address | ASN | Description |
| 85.239.63[.]37 | AS62240 – Clouvider Limited | IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance |
| 65.109.204[.]197 | AS24950 – Hetzner Online GmbH | After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities |
| 84.200.80[.]252 | AS214036 – Ultahost, Inc. | IP address hosting the installer for the Zoho UEMSAgent remote access tool |
| 216.107.136[.]46 | AS396356 – LATITUDE-SH | Plink C2 |
Source: cloud.google.com
Recommendations:
Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal.
Conclusion:
This vulnerability represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.
Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools.
References:
Critical React Native CLI Vulnerability Enables OS Command Injection
Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-11953 |
| POC Available | Yes |
| Actively Exploited | No |
| Advisory Version | 1.0 |
Overview
A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| OS Command Injection | CVE-2025-11953 | @react-native-community/cli @react-native-community/cli-server-api | Critical | @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 |
Technical Summary
The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.
On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11953 | Development Server’s /open-url Endpoint | The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows. | Remote OS Command Injection |
Recommendations
- Update to @react-native-community/cli-server-api version 20.0.0 or later immediately.
If upgrading is not possible,
- Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server.
- Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early.
How these kind of security flaw can cause damage?
This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.
The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.
The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.
The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.
What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.
Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner
- GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
- Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
- Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
- GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
- Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.
References:
Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits
Summary: Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.
Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.
The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-10-14 |
| No. of Patches | 175 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 175 Microsoft CVEs addressed
- 21 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 80 Elevation of Privilege (EoP)
- 31 Remote Code Execution (RCE)
- 28 Information Disclosure
- 11 Denial of Service (DoS)
- 11 Security Feature Bypass
- 12 Spoofing
- 2 Tampering
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Agere Modem Driver Elevation of Privilege Vulnerability | CVE-2025-24990 | Windows 10, 11, Server 2016-2022 | High | 7.8 |
| Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2025-59230 | Windows 10, 11, Server 2016-2022 | High | 7.8 |
| Secure Boot Bypass Vulnerability in IGEL OS | CVE-2025-47827 | IGEL OS | Medium | 4.6 |
| Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | CVE-2025-59287 | Windows Server | Critical | 9.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2025-59234 | Microsoft Office | High | 7.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2025-59236 | Microsoft Excel (2016-2021) | High | 8.4 |
Technical Summary
October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.
3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.
Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24990 | Windows Agere Modem Driver | Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware | Privilege Escalation |
| CVE-2025-59230 | Windows Remote Access Connection Manager | Improper access control allows local attackers to gain SYSTEM privileges | Privilege Escalation |
| CVE-2025-47827 | IGEL OS < v11 | Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem | Security Feature Bypass |
| CVE-2025-59287 | Windows Server Update Service | Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks | Remote Code Execution |
| CVE-2025-59234 | Microsoft Office (2016-2021) | Use-after-free in Office allows RCE via malicious files, no authentication required | Remote Code Execution |
| CVE-2025-59236 | Microsoft Excel (2016-2021) | Use-after-free in Excel enables RCE via malicious files, potentially leading to system control | Remote Code Execution |
Source: Microsoft
In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed
- CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical)
- CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High)
- CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium)
- CVE‑2025‑49708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation. (Critical)
- CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical)
- CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical)
- CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical)
Key Affected Products and Services
- Windows Core and Security Components
Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher.
- Microsoft Office Suite
Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution.
- Azure and Cloud Services
Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances.
- Virtualization and Hyper-V
Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks.
- Developer and Management Tools
Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation.
- Communication & File Services
Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks.
- Browsers and Web Technologies
Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs.
Remediation:
- Install the October 2025 security updates immediately to mitigate risks.
Here are some recommendations below
- Use EDR tools to monitor any indicators like Office crashes or logs.
- Disable unused services to prevent any remote access or other exploitation.
- Apply least privilege access in Office and Azure environments.
- Segment networks to reduce any lateral movement.
Conclusion:
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure.
References:
Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues
Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.
| Severity | High |
| CVSS Score | 7.7 |
| CVEs | CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high & medium security flaws.
The high severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly even without needing to log in.
Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| HTTP/2 Denial of Service in bundled Jetty | CVE-2025-5115 | Jenkins (bundled Jetty) | High | Weekly 2.524+, LTS 2.516.3+ |
| Missing permission check – agent names | CVE-2025-59474 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Missing permission check – user profile menu | CVE-2025-59475 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Log Message Injection Vulnerability | CVE-2025-59476 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
Technical Summary
Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.
There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All the issues are fixed in Jenkins latest version.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5115 | Jenkins instances with embedded Jetty server with HTTP/2 enabled | It causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service. | Denial of service |
| CVE-2025-59474 | Jenkins automation server | Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executor’s widget | Information Disclosure |
| CVE-2025-59475 | Jenkins automation server | Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. | Information Disclosure |
| CVE-2025-59476 | Jenkins automation server | An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. | Misleading administrators |
Remediation:
- Users should immediately install the latest, patched version of Jenkins on all servers:
- Weekly Release: Update to Jenkins v2.528 or later.
- Long-Term Support (LTS): Update to Jenkins v2.516.3 or later
Here are some recommendations below.
- If immediate upgrade is not possible, users should disable HTTP/2 to mitigate the Denial-of-Service vulnerability.
- Always keep Jenkins core and plugins up to date with the latest security patches.
- Regularly audit and monitor access logs and system activity
Conclusion:
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.
Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines.
References:
Fake ChatGPT Desktop App used to deliver PipeMagic Malware
Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability
The PipeMagic campaign a malware to technical threat exploiting trust globally
As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.
PipeMagic’s evolution from malware to technical threat exploiting trust globally
The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.
Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.
PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.
The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.
Pipemagic’s technique of attack
PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.
By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.
Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.
Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.
PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.
The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.
The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.
The malware self-updates by storing these modules in memory using a series of doubly linked lists.
These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.
By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).
Firmware Vulnerabilities affecting Dell Laptops Could allow attackers to achieve persistent access
A set of vulnerabilities affecting millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerability known as “ReVault,” mainly target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware.
This subsequently create opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.
How does the vulnerability work
Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.
The lists includes:
- Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
- An arbitrary free (CVE-2025-25215) flaw
- A stack-overflow bug (CVE-2025-24922)
- An unsafe-deserialization flaw (CVE-2025-24919)
According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:
- Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
- Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.
“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” as per researchers.
Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.
These are 5 critical vulnerabilities of ReVault found by Cisco Talos researcher
ReVault Attack – Five Critical Vulnerabilities
ControlVault3 and ControlVault3+ systems:
- CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
- CVE-2025-25050: An out-of-bounds write flaw allowing code execution
- CVE-2025-25215: An arbitrary memory free vulnerability
- CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
- CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs
Importance of device security posture/Endpoint security
The incident highlight how device posture check is designed to evaluate threat that a device poses to an organization and its systems.
The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level.
Here traditional antivirus solutions cannot detect or remove it. Now sophistication of cyber threats means that organizations need to become more proactive in terms of defense.
The identification and mitigation of a threat early on, via an effective and clearly defined security posture, reduces costs, lessens downtime, and minimizes reputational damage.
Periodic security audits are essential to have a complete check on all the security features of the organization. Such audits identify vulnerabilities in the current security controls and allow for ensuring things align properly with industry standards.
Importance of Endpoint security
End point security detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.
Conclusion:
Protecting against endpoint attacks is challenging for organisation because endpoints exist where humans and machines intersect. With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.
(Source: https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/)
Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released
Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.
| Severity | High |
| CVSS Score | 7.0 |
| CVEs | CVE-2025-6019 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where:
- udisksd is installed and running (e.g., Fedora, SUSE)
- Users in the allow active group are trusted to execute disk-related actions
- libblockdev fails to validate privileged backend operations under unprivileged contexts
This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Local Privilege Escalation Vulnerability | CVE-2025-6019 | udisksd / libblockdev | High |
Technical Summary
This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions.
An attacker can exploit this by
- Crafting a malicious disk image (like XFS with a SUID-root shell).
- Using “udisksctl mount -b /dev/loop0” to mount it as root.
- Escalating privileges and compromising the system.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6019 | Fedora, SUSE, and other Linux distros using udisks2/libblockdev | Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations. | Local privilege escalation to root |
Remediation:
Here are the recommendations below
- Update “udisks2” and “libblockdev” to the latest versions provided by your distribution.
- Audit and restrict membership of the “allow_active” group.
- Disable unsafe or legacy D-Bus actions in system services where possible.
Conclusion:
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.
The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments.
Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface.
References:
Citrix NetScaler ADC/Gateway Vulnerability Exploited in the Wild (CVE-2025-6543)
Summary : Security Advisory;
Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.
The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.
| OEM | Citrix |
| Severity | Critical |
| CVSS Score | 9.2 |
| CVEs | CVE-2025-6543 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
A critical memory overflow vulnerability, CVE-2025-6543, has been discovered in NetScaler ADC and NetScaler Gateway products, potentially leading to denial-of-service and unintended control flow. The issue affects deployments configured as Gateway services. Active exploitation in the wild has been reported.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Memory overflow vulnerability | CVE-2025-6543 | NetScaler ADC and NetScaler Gateway | Critical | 14.1-47.46 / 13.1-59.19 / 13.1-37.236 |
Technical Summary
CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway products that can result in denial-of-service (DoS) or arbitrary control flow, particularly when the system is configured as a Gateway or AAA virtual server.
The flaw stems from improper restriction of operations within memory buffer bounds (CWE-119). This vulnerability has been exploited in real-world attacks.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6543 | NetScaler ADC & Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP | Memory overflow due to improper memory boundary restrictions when configured as Gateway or AAA virtual servers | Denial-of-Service and Unintended control flow |
Remediation:
- Immediate Action: Affected customers are strongly advised to upgrade to the fixed versions:
| Product Version | Recommended Fixed Build |
| NetScaler ADC / Gateway 14.1 | 14.1-47.46 or later |
| NetScaler ADC / Gateway 13.1 | 13.1-59.19 or later |
| NetScaler ADC 13.1-FIPS / NDcPP | 13.1-37.236 or later |
Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable. These should be replaced with supported, patched builds.
Customers using FIPS or NDcPP variants should contact Citrix Support directly for access to the fixed builds.
Conclusion:
CVE-2025-6543 represents a highly critical risk to organizations utilizing NetScaler Gateway or ADC for secure access and application delivery.
Organizations still using outdated or end-of-life (EOL) versions are especially vulnerable and should prioritize upgrading to supported builds.
This flaw follows a pattern of severe vulnerabilities affecting NetScaler products, including the recently disclosed CVE-2025-5777 (CVSS score: 9.3), which also posed a significant threat to enterprise infrastructure.
Together these issues highlight the urgent need for timely patching, continuous monitoring, and defense-in-depth strategies to safeguard critical network assets.
With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.
Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.
References:
Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited
Summary :
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-32756 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-32756 | Fortinet Products | Critical |
Technical Summary
CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.
This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication.
The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-32756 | FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera | Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate. | Remote Code Execution, Full device takeover, persistence, data theft, log erasure. |
Remediation:
- Update Immediately: Apply the latest security patches provided by Fortinet.
- FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+
- FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+
- FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+
- FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+
- FortiCamera: 2.1.4+
- Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround
Indicator of Compromise
For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:
| IP Addresses | FileHash-MD5 |
| 156.236.76.90 | 2c8834a52faee8d87cff7cd09c4fb946 |
| 198.105.127.124 | 4410352e110f82eabc0bf160bec41d21 |
| 218.187.69.244 | 489821c38f429a21e1ea821f8460e590 |
| 218.187.69.59 | ebce43017d2cb316ea45e08374de7315 |
| 43.228.217.173 | 364929c45703a84347064e2d5de45bcd |
| 43.228.217.82 |
Conclusion:
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.
Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss.
These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.
Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.
References: