VulnerabilityManagement

Security Advisory

Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms

Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.

The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.

OEM Mozilla 
Severity High 
Date of Announcement 2025-11-11 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Vulnerability Name CVE ID Product Affected Severity 
Graphics Race Condition Enabling Remote Code Execution CVE-2025-13012 Firefox High 
WebAssembly Boundary Error RCE CVE-2025-13016 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13021 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13022 Firefox High 
WebGPU Sandbox Escape via Boundary Flaw CVE-2025-13023 Firefox High 
JavaScript Engine JIT Miscompilation RCE CVE-2025-13024 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13025 Firefox High 
WebGPU Sandbox Escape and Code Execution CVE-2025-13026 Firefox High 
Memory Safety Bugs Allowing Arbitrary Code Execution CVE-2025-13027 Firefox, Thunderbird High 

Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.

The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity. 

Technical Summary 

Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.

Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.

Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13012 Graphics Subsystem Race condition vulnerability leads to system crash or remote execution. Remote Code Execution 
CVE-2025-13016 JavaScript: WebAssembly Incorrect memory boundary validation allows code execution through crafted scripts. Remote Code Execution 
CVE-2025-13021 Graphics: WebGPU Boundary condition errors may cause memory corruption and remote code execution.  
Remote Code Execution  
CVE-2025-13022 Graphics: WebGPU Boundary error in WebGPU rendering pipeline allowing memory corruption Remote Code Execution 
CVE-2025-13023 Graphics: WebGPU Sandbox escape via boundary flaw enabling code execution outside browser process. Sandbox Escape, RCE 
CVE-2025-13024 JavaScript Engine: JIT JIT miscompilation allows stealthy remote code execution within browser context. Remote Code Execution 
CVE-2025-13025 Graphics: WebGPU Improper memory boundary control in WebGPU leads to RCE. Remote Code Execution 
CVE-2025-13026 Graphics: WebGPU Sandbox escape enabling remote code execution beyond browser sandbox. Sandbox Escape, RCE 
CVE-2025-13027 Firefox / Thunderbird Memory safety errors across multiple components allow arbitrary code execution. Remote Code Execution 

Source: Microsoft, Cybersecurity News 

In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems – 

  • CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium) 
  • CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium) 
  • CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium) 
  • CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)  
  • CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low) 

Recommendations: 

  • Update all Firefox to version 145 immediately to mitigate the vulnerabilities.  

Here are some recommendations below  

  • Enable automatic browser updates across all systems. 
  • Perform vulnerability scans to ensure no outdated browser versions remain. 
  • Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential. 
  • Educate employees about risks from phishing, drive-by downloads and malicious extensions. 

Conclusion: 
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.

Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws. 

Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.

References

Security Advisory

Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now

Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-11-11 
No. of Patches 63 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview : Key Updates on Patch Tuesday

The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe. 

This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 63 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 29 Elevation of Privilege (EoP) 
  • 16 Remote Code Execution (RCE) 
  • 11 Information Disclosure 
  • 3 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 2 Spoofing  

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) CVE-2025-62215 Windows 10, 11, Server 2016–2022 Critical 9.0 
Microsoft Office Use-After-Free Remote Code Execution Vulnerability CVE-2025- 62199 Microsoft Office (Word/Excel/Office Suite) Critical 9.8 
Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability CVE-2025-30398 Nuance PowerScribe 360 Critical 9.1 
Windows DirectX Graphics Kernel Use-After-Free Vulnerability CVE-2025-60716 Windows DirectX Graphics Kernel Critical 8.8 
Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability CVE-2025-60724 Microsoft Graphics Component (GDI+) Critical 8.7 
Visual Studio Command Injection Remote Code Execution Vulnerability CVE-2025-62214 Microsoft Visual Studio / Visual Studio Code Critical 8.1 

Technical Summary 

The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.  

Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62215 Windows Kernel Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) Elevation of Privilege 
CVE-2025-62199 Microsoft Office Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns Remote Code Execution 
CVE-2025-30398 Nuance PowerScribe 360 Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network Information Disclosure 
CVE-2025-60716 Windows DirectX Graphics Kernel Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system Elevation of Privilege 
CVE-2025-60724 Microsoft GDI+ Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files Remote Code Execution 
CVE-2025-62214 Visual Studio Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments Remote Code Execution 

Source: Microsoft 

In addition to several other Important severity vulnerabilities were addressed below –  

  • CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation. 
  • CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation. 
  • CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access. 
  • CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution. 
  • CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE. 
  • CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE. 
  • CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability. 
  • CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs. 
  • CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing. 
  • CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities. 

Source: Microsoft, bleepingcompute, cybersecuritynews 

Key Affected Products and Services 

The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core Components 

Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems. 

  • Microsoft Office Suite 

Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities. 

  • Azure & Cloud Services 

Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors. 

  • Graphics Components 

Patches for GDI+, DirectX, WSL GUI. 

  • Developer Tools 

Updates for Visual Studio, Visual Studio Code, and GitHub Copilot. 

  • Third-Party Applications 

Patches for Nuance PowerScribe (Medical domain). 

  • Mobile Platform Technologies 

Updates for Microsoft OneDrive for Android. 

Remediation: 

  • Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems. 

Here are some recommendations below  

  • Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes. 
  • Ensure Windows 10 ESU enrollment for extended support systems. 
  • Restrict local admin privileges and enforce least-privilege access. 
  • Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity. 
  • Segment critical systems and disable unused network services (RRAS, SMB). 

Conclusion: 
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio. 

Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world. 

References

Security Advisory

Chrome Latest Update Fixes Multiple High-Severity Security Flaws 

Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems exposing users to possible unauthorized access or data leaks. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Out-of-Bounds Write in WebGPU  CVE-2025-12725 Chrome   High 142.0.7444.134/135 
Inappropriate Implementation in Views (UI Rendering)  CVE-2025-12726 Chrome  High 142.0.7444.134/135 
Inappropriate Memory Handling in V8 JavaScript Engine CVE-2025-12727 Chrome  High 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12728 Chrome  Medium 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12729 Chrome  Medium 142.0.7444.134/135 

Technical Summary 

The bugs included memory corruption issues such as out-of-bound writings and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).

The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.

Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12725 Google Chrome (WebGPU) Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits.  Remote Code Execution / Browser Crash 
 CVE-2025-12726 Google Chrome (Views UI) Inappropriate implementation in the Views component causing memory corruption. UI rendering 
CVE-2025-12727 Google Chrome (V8 Engine) Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. Remote Code Execution  
CVE-2025-12728 Google Chrome (Omnibox) Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. UI Spoofing  
CVE-2025-12729 Google Chrome (Omnibox) Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. UI Spoofing / Security Bypass 

Recommendations 

Update Chrome immediately to the following versions: 

  • For windows 142.0.7444.134/.135  
  • For MacOS 142.0.7444.135 
  • For Linux 142.0.7444.134 

You can update by Open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately. 

Along with update you can follow the recommendations below as well 

  • Enforce Chrome auto-updates across managed endpoints using enterprise policy controls. 
  • Actively monitor browser crash reports or any suspicious logs potentially linked to exploit attempts. 
  • Use vulnerability & patch management tools to ensure all endpoints are running the latest version of all applications.  

Conclusion: 
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk and google already patched those issues. Keeping any application to the latest version which is the best defense against cyber threats aiming at browsers. 

References

Security Advisory

Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities 

Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.

OEM Apple 
Severity High 
CVEs CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes. 

                Vulnerability Name CVE ID Product Affected Fixed Version 
WebKit Use-After-Free (Safari Crash/RCE) CVE-2025-43438 iOS, iPadOS iOS/iPadOS 26.1 
WebKit Buffer Overflow (RCE Risk)  CVE-2025-43429 iOS, iPadOS iOS/iPadOS 26.1 
App Installed Detection via Accessibility  CVE-2025-43442 iOS, iPadOS iOS/iPadOS 26.1 
Sensitive Screenshot in Embedded Views CVE-2025-43455 iOS, iPadOS iOS/iPadOS 26.1 
Kernel Memory Corruption / DoS  CVE-2025-43398 iOS, iPadOS iOS/iPadOS 26.1 

Technical Summary: 

The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-43438 WebKit Use-after-free in Safari triggers crash or code execution via malicious web content  Remote Code Execution, System Compromise 
 CVE-2025-43429 WebKit Buffer overflow in content processing allows arbitrary code execution Remote Code Execution, Service Compromise 
CVE-2025-43442 Accessibility Permissions flaw allows apps to detect installed apps (fingerprinting) Privacy Violation, User Tracking 
CVE-2025-43455 Apple Account Malicious apps can screenshot sensitive embedded UI (login views) Credential, PII Exposure 
CVE-2025-43398 Kernel Memory mishandling leads to system termination or kernel corruption Denial of Service, Potential Privilege Escalation 

Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table 

Vulnerability Name CVE ID Affected Component 
Sandbox Escape via Assets CVE-2025-43407 Assets 
Sandbox Escape via CloudKit Symlink CVE-2025-43448 CloudKit 
Stolen Device Protection Bypass CVE-2025-43422 Stolen Device Protection 
Cross-Origin Data Exfiltration CVE-2025-43480 WebKit 
Keystroke Monitoring via WebKit CVE-2025-43495 WebKit 
Apple Neural Engine Kernel Corruption CVE-2025-43447, CVE-2025-43462 Apple Neural Engine 
Canvas Cross-Origin Image Theft CVE-2025-43392 WebKit Canvas 
Contacts Data Leak in Logs CVE-2025-43426 Contacts 
Lock Screen Content Leak CVE-2025-43350 Control Center 
Address Bar Spoofing CVE-2025-43493 Safari 
UI Spoofing in Safari CVE-2025-43503 Safari 

Recommendations: 

Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website

Patches are available and should be applied immediately.  

For environments where immediate patching is not immediately feasible, you can also follow the recommendations below. 

  • Enable Stolen Device Protection and Lockdown Mode (where applicable) 
  • Restrict app installations to trusted sources. 
  • Avoid visiting untrusted websites from browser 
  • Use VPN and enable Advanced Data Protection for iCloud 
  • Monitor for anomalous app behavior or battery drain  

Conclusion: 
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.

Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems. 

References

Security Advisory

Critical Apache Tomcat Vulnerabilities Enable RCE 

Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.

OEM Oracle 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-55754, CVE-2025-55752 
POC Available No 
Actively Exploited No 
Advisory Version 1.0 

Overview  One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.

Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability CVE-2025-55754 Apache Tomcat Critical 11.0.0-M1 through 11.0.10,  10.1.0-M1 through 10.1.44,  9.0.0.40 through 9.0.108. 
Path Traversal Vulnerability  CVE-2025-55752 Apache Tomcat  High 11.0.0-M1 through 11.0.10, 
10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108. 

Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.

These weaknesses increase the risk of unauthorized code execution and compromise of application environments. 

CVE ID Component Affected Vulnerability Details Impact 
CVE-2025-55752 URL Rewrite Handler (Apache Tomcat Core) A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code. Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled. 
CVE-2025-55754 Logging/Console Output Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering. Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks. 

Recommendations 

Update Apache Tomcat to the following versions immediately: 

  • For 11.x version updated to v11.0.11 or latest 
  • For 10.x version updated to v10.1.45 or latest 
  • For 9.x version updated to v9.0.109 or latest 

If you not updating immediately you can follow some recommendations below 

  • Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads. 
  • Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories. 
  • Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts. 

Conclusion: 
The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.

Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity. 

References

Blogs Security Advisory

Copilot Studio SupplyChain Attack Steals OAuth Tokens via CoPhishing

Summary 

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception. 

Technical Details 

The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure. 

malicious CopilotStudio page                                                                                                                         Source: securitylabs.datadoghq.com 

Attack Flow 

Step Description 
1. Build Malicious Copilot Agent Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant. 
2. Backdoor Authentication Workflow The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication. 
3. Share Demo Link Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks. 
4. Victim and Trigger Consent Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions. 
5. Token Exfiltration After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs. 
6. Abuse Granted Permissions Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data. 
7. Persist and Retarget Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures. 

                             Source: securitylabs.datadoghq.com 

Why It’s Effective 

  • Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion. 
  • Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked. 
  • Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile. 

Recommendations 

Here are some recommendations below 

  • Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes. 
  • Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins. 
  • Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows. 
  • Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services. 
  • Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling 
  • Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens. 

Conclusion: 
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services. 

References

Hashtags 

#Infosec #CyberSecurity #Microsoft #Copilot #Vulnerabilitymanagement # Patch Management #ThreatIntel CISO #CXO #Intrucept  

Blogs Security Advisory

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location 

Summary 

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries. 

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details 

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation. 

Key characteristics: 

The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows: 

  • Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.​ 
  • Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.​ 
  • Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.​ 
  • Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.​ 
  • Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.​ 
  • Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks. 

Attack Flow 

Step Description 
1. Craft Malicious Input  Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw. 
2. Deliver Payload The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards. 
3. Bypass Security Measures The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system. 
4. Gain Persistent Control Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly. 
5. Exploit Device Capabilities Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly. 
6. Maintain Stealth & Avoid Detection The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications. 
7. Exploit and Monetize The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized. 

Proof-of-Concept 

The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.

The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.

This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.  

Source: https://x.com/thezdi/status/1981316237897396298 

Why It’s Effective 

  • Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes. 
  • Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling. 
  • Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms. 
  • Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user. 
  • Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections. 
  • High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access. 

Remediation

  • Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043. 
  • Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly. 
  • Enable automatic security updates on Samsung devices for timely future patching without delay. 
  • For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints. 
  • Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise. 
  • Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing. 
  • Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise. 
  • Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching. 

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits. 

Conclusion: 


This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks. 

References

Blogs

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

 Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Security Advisory

TP-Link Security Update, Omada Gateway Exploits Fixed in October Release 

Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.

OEM TP-Link 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 
Date of Announcement 2025-10-21 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
OS Command Injection Vulnerability CVE-2025-6542 TP-Link Omada Gateways Critical 9.3 
Command Injection Vulnerability CVE-2025-7850 TP-Link Omada Gateways Critical 9.3 

Technical Summary: 

TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6542 TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) Unauthenticated remote attackers can execute arbitrary OS commands on the device Remote Code Execution,  System Compromise, Malware Deployment 
CVE-2025-7850 TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) Command injection exploitable after admin authentication on the web portal System Compromise,  Root-Level Control 

Additional Vulnerabilities: 

The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways – 

Vulnerability Name CVE ID Affected Component Severity 
Authenticated Arbitrary OS Command Execution in Omada Gateways CVE-2025-6541 TP-Link Omada Gateways High 
Root Shell Access Under Restricted Conditions in Omada Gateways CVE-2025-7851 TP-Link Omada Gateways High 

Remediation: 

Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models. 

Model Affected Versions Fixed Version 
ER8411 < 1.3.3 Build 20251013 Rel.44647 >= 1.3.3 Build 20251013 Rel.44647 
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594 >= 1.1.0 Build 20251015 Rel.63594 
ER707-M2 < 1.3.1 Build 20251009 Rel.67687 >= 1.3.1 Build 20251009 Rel.67687 
ER7206 < 2.2.2 Build 20250724 Rel.11109 >= 2.2.2 Build 20250724 Rel.11109 
ER605 < 2.3.1 Build 20251015 Rel.78291 >= 2.3.1 Build 20251015 Rel.78291 
ER706W < 1.2.1 Build 20250821 Rel.80909 >= 1.2.1 Build 20250821 Rel.80909 
ER706W-4G < 1.2.1 Build 20250821 Rel.82492 >= 1.2.1 Build 20250821 Rel.82492 
ER7212PC < 2.1.3 Build 20251016 Rel.82571 >= 2.1.3 Build 20251016 Rel.82571 
G36 < 1.1.4 Build 20251015 Rel.84206 >= 1.1.4 Build 20251015 Rel.84206 
G611 < 1.2.2 Build 20251017 Rel.45512 >= 1.2.2 Build 20251017 Rel.45512 
FR365 < 1.1.10 Build 20250626 Rel.81746 >= 1.1.10 Build 20250626 Rel.81746 
FR205 < 1.0.3 Build 20251016 Rel.61376 >= 1.0.3 Build 20251016 Rel.61376 
FR307-M2 < 1.2.5 Build 20251015 Rel.76743 >= 1.2.5 Build 20251015 Rel.76743 

Here are some recommendations below 

  • Restrict network access to the management interface and enable trusted networks only. 
  • Apply least privilege principles and regular security audits for network devices. 
  • Disable remote management if not required and segment networks to limit lateral movement. 

Conclusion: 

There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure. 

References

 

Scroll to top