VulnerabilityManagement

Security Advisory

Critical Apache Tomcat Vulnerabilities Enable RCE 

Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.

OEM Oracle 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-55754, CVE-2025-55752 
POC Available No 
Actively Exploited No 
Advisory Version 1.0 

Overview  One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.

Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability CVE-2025-55754 Apache Tomcat Critical 11.0.0-M1 through 11.0.10,  10.1.0-M1 through 10.1.44,  9.0.0.40 through 9.0.108. 
Path Traversal Vulnerability  CVE-2025-55752 Apache Tomcat  High 11.0.0-M1 through 11.0.10, 
10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108. 

Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.

These weaknesses increase the risk of unauthorized code execution and compromise of application environments. 

CVE ID Component Affected Vulnerability Details Impact 
CVE-2025-55752 URL Rewrite Handler (Apache Tomcat Core) A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code. Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled. 
CVE-2025-55754 Logging/Console Output Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering. Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks. 

Recommendations 

Update Apache Tomcat to the following versions immediately: 

  • For 11.x version updated to v11.0.11 or latest 
  • For 10.x version updated to v10.1.45 or latest 
  • For 9.x version updated to v9.0.109 or latest 

If you not updating immediately you can follow some recommendations below 

  • Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads. 
  • Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories. 
  • Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts. 

Conclusion: 
The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.

Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity. 

References

Blogs Security Advisory

Copilot Studio SupplyChain Attack Steals OAuth Tokens via CoPhishing

Summary 

The CoPhish attack is a sophisticated phishing technique exploiting Microsoft Copilot Studio to steal OAuth tokens by tricking users into granting attackers unauthorized access to their Microsoft Entra ID accounts.

By Copilot Studio’s customizable AI agents, attackers create chatbots hosted on legitimate Microsoft domains that wrap traditional OAuth consent attacks in an authentic-looking interface, increasing the likelihood of successful deception. 

Technical Details 

The attackers often use a trial license or compromised tenant to create the agent, backdooring the authentication workflow so that, post-consent, OAuth tokens are exfiltrated via HTTP to attacker infrastructure.

Few Demo links like copilotstudio.microsoft.com add credibility, closely mimicking official Microsoft Copilot services, and victims see familiar branding and login flows.

While Microsoft has implemented consent policy updates including blocking risky permissions by default for most users significant gaps remain: unprivileged users can still approve internal apps and privileged admins retain broad consent authority.

Tokens exfiltrated by CoPhish can be used for impersonation, data theft or sending further phishing emails, often going undetected as the traffic is routed through Microsoft infrastructure. 

malicious CopilotStudio page                                                                                                                         Source: securitylabs.datadoghq.com 

Attack Flow 

Step Description 
1. Build Malicious Copilot Agent Attackers create a customized Copilot Studio chatbot, usually on a trial license within their own or a compromised Microsoft tenant, configuring it to appear as a legitimate assistant. 
2. Backdoor Authentication Workflow The agent’s “Login” topic is modified to include an HTTP request that will exfiltrate any OAuth tokens granted by users during authentication. 
3. Share Demo Link Attackers generate and distribute demo website URL (like, copilotstudio.microsoft.com) pointing to the malicious chatbot, mimicking official Copilot Studio services and passing basic domain trust checks. 
4. Victim and Trigger Consent Victims access the link, interact with the familiar interface, and are prompted to login, beginning an OAuth consent flow that requests broad Microsoft Graph permissions. 
5. Token Exfiltration After the victim consents, the agent collects the issued OAuth token and sends it via HTTP to an attacker-controlled server, often relaying through Microsoft IP addresses to avoid detection in standard traffic logs. 
6. Abuse Granted Permissions Attackers use the stolen token to impersonate the victim, accessing emails, calendars, and files or conducting further malicious actions such as sending phishing emails or stealing sensitive data. 
7. Persist and Retarget Due to policy gaps, attackers can repeat the process targeting both internal and privileged users, tailoring requested app permissions and adapting to Microsoft’s evolving security measures. 

                             Source: securitylabs.datadoghq.com 

Why It’s Effective 

  • Leverages trusted Microsoft domains and branding with realistic AI chatbot flows, bypassing phishing detection and user suspicion. 
  • Bypasses multi-factor authentication by stealing fully privileged OAuth tokens that persist until revoked. 
  • Targets both regular users and privileged admins by adapting requested permissions, making it scalable and versatile. 

Recommendations 

Here are some recommendations below 

  • Enforce strict Microsoft Entra ID consent policies to limit user approval of app permissions, especially high-risk scopes. 
  • Restrict or disable user creation and publishing of Copilot Studio agents unless explicitly authorized by admins. 
  • Monitor Entra ID audit logs and Microsoft Purview for suspicious app consent, agent creation or modifications in Copilot workflows. 
  • Apply Azure AD Conditional Access requiring MFA and device compliance for accessing Copilot Studio and related AI services. 
  • Implement tenant-level Data Loss Prevention (DLP) and sensitivity labeling 
  • Educate users on phishing risks and regularly reviewing/revoking app permissions and tokens. 

Conclusion: 
CoPhish highlights how AI-powered low-code platforms like Microsoft Copilot Studio can be exploited for advanced phishing attacks targeting identity systems.

Despite Microsoft’s improvements to consent policies, significant risks remain, requiring organizations to enforce strict consent controls, limit app creation, and monitor Entra ID logs vigilantly. As AI-driven tools grow, proactive security measures are essential to defend against these evolving hybrid threats leveraging trusted cloud services. 

References

Hashtags 

#Infosec #CyberSecurity #Microsoft #Copilot #Vulnerabilitymanagement # Patch Management #ThreatIntel CISO #CXO #Intrucept  

Blogs Security Advisory

Samsung Galaxy S25 Zero-Day Exploit Exposes Camera & Location 

Summary 

At Pwn2Own Ireland 2025, researchers Ben R. and Georgi G. from Interrupt Labs successfully exploited a zero-day vulnerability in the Samsung Galaxy S25. The flaw allowed them to gain remote control of the device, activate the camera, and track the user’s real-time location without interaction.

This achievement, earning them $50,000 and 5 Master of Pwn points, highlighted ongoing security weaknesses even in flagship smartphones with extensive testing. The exploit’s discovery underlined broader concerns about the pace of Android feature development outstripping security hardening efforts across system and multimedia libraries. 

The Galaxy S25 zero-day exploit underscores the persistent threat of critical security flaws even in top-tier consumer devices. Although discovered in a controlled, ethical hacking event, such vulnerabilities pose substantial risks if leveraged by malicious actors.

Vulnerability Details 

The vulnerability originated from an improper input validation issue within the Galaxy S25’s software stack. Through carefully crafted malicious inputs, the researchers bypassed Samsung’s built-in security safeguards and executed arbitrary code remotely.

The exploit provided persistent access, enabling control over cameras, GPS, and potentially other sensitive device components, effectively transforming the smartphone into a covert surveillance tool. Because the issue existed at a deep system level, it required no user interaction, making it particularly severe. The vulnerability had not been previously disclosed, meaning Samsung and the public were both unaware until the competition’s revelation. 

Key characteristics: 

The key characteristics of the Samsung Galaxy S25 zero-day vulnerability are as follows: 

  • Type of Vulnerability: Improper input validation bug within the device’s software stack, allowing remote code execution without user interaction.​ 
  • Impact: Enables attackers to take full control of the device, activate the camera, and track real-time GPS location, effectively turning the device into a surveillance tool.​ 
  • Discovery and Exploit: Uncovered during Pwn2Own Ireland 2025 by researchers Ben R. and Georgi G., showcasing a sophisticated exploit chain that bypassed Samsung’s security measures.​ 
  • Persistence: Vulnerability allows persistent access, which can be exploited silently without user awareness or interaction.​ 
  • Disclosure and Remediation: The flaw was previously undisclosed, with responsible disclosure leading to Samsung preparing a security patch. No official statement has been issued yet, but a fix is anticipated.​ 
  • Severity and Potential Damage: The exploit can compromise sensitive personal data, private communications, and location, highlighting significant privacy and security risks. 

Attack Flow 

Step Description 
1. Craft Malicious Input  Attackers develop specially crafted malicious inputs targeting the vulnerable components within the Samsung Galaxy S25’s software stack, particularly exploiting the improper input validation flaw. 
2. Deliver Payload The malicious payload is delivered via crafted multimedia or system input, such as manipulated images or software commands, that bypass Samsung’s existing safeguards. 
3. Bypass Security Measures The input validation flaw allows the malicious data to bypass security checks, executing remote code without requiring user interaction or consent, gaining initial access to the device’s system. 
4. Gain Persistent Control Once the malicious code executes, attackers establish persistent control over the device, enabling continuous access to core functionalities like camera activation and GPS tracking silently and covertly. 
5. Exploit Device Capabilities Attackers leverage control to activate the device’s camera and GPS in real-time, turning the device into a surveillance tool capable of capturing photos, videos, and tracking location discreetly. 
6. Maintain Stealth & Avoid Detection The exploit chain is designed to evade detection by Samsung’s defenses during the attack window, allowing attackers to operate covertly without triggering security alerts or user notifications. 
7. Exploit and Monetize The compromised device becomes a tool for espionage, data theft, or targeted surveillance, which can be exploited for malicious purposes or sold on criminal markets if attacker exploits are monetized. 

Proof-of-Concept 

The proof-of-concept for the Samsung Galaxy S25 zero-day vulnerability (CVE-2025-21043) demonstrates how specially crafted malicious images can exploit an out-of-bounds write flaw in Samsung’s closed-source image parsing library libimagecodec.quram.so. This flaw allows remote code execution with elevated privileges without requiring user interaction.

The exploit involves delivering a malicious payload embedded in an image file that, when processed by the vulnerable library, triggers memory corruption leading to arbitrary code execution and persistent control over the device.

This has been confirmed in cybersecurity forums and independent analyses, with active exploitation observed in the wild primarily via social engineering through messaging platforms like WhatsApp. The PoC confirms that attackers can bypass conventional security mechanisms and gain deep system control, enabling surveillance actions such as camera activation and location tracking. This underscores the critical need for applying the latest security patches released by Samsung.  

Source: https://x.com/thezdi/status/1981316237897396298 

Why It’s Effective 

  • Code Execution via Input Validation Flaw: Exploits improper input validation within the Galaxy S25’s software stack, allowing malicious payloads to bypass safeguards and execute remote code seamlessly alongside legitimate system processes. 
  • Zero-Click Capability: Operates without requiring any user interaction, enabling silent compromise through automated payloads that trigger upon data processing or system-level input handling. 
  • Persistent Access: Establishes continuous control after initial compromise, granting long-term ability to activate hardware components like camera and GPS without detection by standard security mechanisms. 
  • Stealth Operations: Exploit chain hides within multimedia and system library processes, avoiding visible alerts or performance anomalies that might indicate compromise to the user. 
  • Advanced Evasion: Utilizes legitimate system libraries and resource calls, reducing the likelihood of being flagged by mobile antivirus or Samsung Knox runtime protections. 
  • High Impact Vector: Enables complete device surveillance, capturing photos, videos, and location data covertly, illustrating real-world severity when attackers weaponize such system-level access. 

Remediation

  • Update Samsung Galaxy devices immediately with the latest September 2025 Security Maintenance Release (SMR) patch that fixes CVE-2025-21043. 
  • Manually check for software updates via Settings > Software Update > Download and Install to ensure the fix is applied promptly. 
  • Enable automatic security updates on Samsung devices for timely future patching without delay. 
  • For enterprises, enforce patch deployment policies through Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) tools to cover all mobile endpoints. 
  • Restrict app permissions, especially camera and location access, to minimize exposure in case of compromise. 
  • Avoid opening images from untrusted sources or suspicious messaging apps, as the vulnerability exploits image parsing. 
  • Implement continuous mobile threat detection to identify abnormal device behavior indicative of compromise. 
  • Educate users and IT teams about the critical nature of this vulnerability and the importance of timely patching. 

This ensures comprehensive mitigation of vulnerability while reducing risk and exposure to active exploits. 

Conclusion: 


This incident reinforces the value of responsible disclosure mechanisms like Pwn2Own, where manufacturers receive detailed technical reports to develop patches before public release. Samsung has yet to issue a formal statement but is expected to roll out a security update imminently.

In the meantime, users are advised to enable automatic updates, remain cautious with app permissions and untrusted networks, and monitor official channels for patches to mitigate potential exploitation risks. 

References

Blogs

Vulnerability Tracked in Oracle is being Exploited; CISA

CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack

 Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.

Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.

These are

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators

• Look for weird patterns in Oracle EBS requests – could be a SSRF issue

• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy

• Browser logs are the place to look for JavaScriptCore crashes or just weird execution

Oracle released critical patch for a wide range of products and this include

The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Security Advisory

TP-Link Security Update, Omada Gateway Exploits Fixed in October Release 

Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.

OEM TP-Link 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 
Date of Announcement 2025-10-21 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
OS Command Injection Vulnerability CVE-2025-6542 TP-Link Omada Gateways Critical 9.3 
Command Injection Vulnerability CVE-2025-7850 TP-Link Omada Gateways Critical 9.3 

Technical Summary: 

TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6542 TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) Unauthenticated remote attackers can execute arbitrary OS commands on the device Remote Code Execution,  System Compromise, Malware Deployment 
CVE-2025-7850 TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) Command injection exploitable after admin authentication on the web portal System Compromise,  Root-Level Control 

Additional Vulnerabilities: 

The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways – 

Vulnerability Name CVE ID Affected Component Severity 
Authenticated Arbitrary OS Command Execution in Omada Gateways CVE-2025-6541 TP-Link Omada Gateways High 
Root Shell Access Under Restricted Conditions in Omada Gateways CVE-2025-7851 TP-Link Omada Gateways High 

Remediation: 

Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models. 

Model Affected Versions Fixed Version 
ER8411 < 1.3.3 Build 20251013 Rel.44647 >= 1.3.3 Build 20251013 Rel.44647 
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594 >= 1.1.0 Build 20251015 Rel.63594 
ER707-M2 < 1.3.1 Build 20251009 Rel.67687 >= 1.3.1 Build 20251009 Rel.67687 
ER7206 < 2.2.2 Build 20250724 Rel.11109 >= 2.2.2 Build 20250724 Rel.11109 
ER605 < 2.3.1 Build 20251015 Rel.78291 >= 2.3.1 Build 20251015 Rel.78291 
ER706W < 1.2.1 Build 20250821 Rel.80909 >= 1.2.1 Build 20250821 Rel.80909 
ER706W-4G < 1.2.1 Build 20250821 Rel.82492 >= 1.2.1 Build 20250821 Rel.82492 
ER7212PC < 2.1.3 Build 20251016 Rel.82571 >= 2.1.3 Build 20251016 Rel.82571 
G36 < 1.1.4 Build 20251015 Rel.84206 >= 1.1.4 Build 20251015 Rel.84206 
G611 < 1.2.2 Build 20251017 Rel.45512 >= 1.2.2 Build 20251017 Rel.45512 
FR365 < 1.1.10 Build 20250626 Rel.81746 >= 1.1.10 Build 20250626 Rel.81746 
FR205 < 1.0.3 Build 20251016 Rel.61376 >= 1.0.3 Build 20251016 Rel.61376 
FR307-M2 < 1.2.5 Build 20251015 Rel.76743 >= 1.2.5 Build 20251015 Rel.76743 

Here are some recommendations below 

  • Restrict network access to the management interface and enable trusted networks only. 
  • Apply least privilege principles and regular security audits for network devices. 
  • Disable remote management if not required and segment networks to limit lateral movement. 

Conclusion: 

There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure. 

References

 

Blogs

Unpatched Systems, Software’s Exposes Business to Cyber Threats

Remember when Qantas, Australia’s flagship airline confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The data was upto 6 million, which is staggering in number. This means any kind of exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.

Unpatched Systems, Software’s exposes Business to Cyber Threats

The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records we all knew. This was a clear case how unpatched software’s but Qantas denied any of its service platform was vulnerable and there was no sign the platform was compromised.

Similarly 1.5 billion records across 760 global companies record exposed to data breach when Salesforce was hit and the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. And as recent Salesloft Drift cyberattack may have also compromised some Google Workspace accounts.

The above case are all about software vulnerabilities when left unpatched. Latest data from cybersecurity and privacy company Kaspersky revealed that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
  • CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky reports to secure your unpatched systems

  • Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
  • Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
  • End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
  • High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day

Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What Businesses can do to remain Secure from Cyber threats when systems are unpatched?

For legacy systems and applications there is a lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and patch virtualization and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves as being in legacy catagory they are prone to any kind of cyber threats and intrusion.

Follow more below recommendations

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

  • Utilize solutions for vulnerability assessment, patch management
  • Prioritize defense strategies & threat detection like phishing emails and web threats
  • Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
  • Implement a robust patch management process

Security Advisory

Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities

Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.

The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.

One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.

OEM Fortinet 
Severity High 
CVSS Score 7.8 
CVEs CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Weak Authentication Mechanism CVE-2025-49201 FortiPAM, FortiSwitch Manager  High FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later 
CLI Command Functionality Bypass  CVE-2025-58325 FortiOS High FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ 
Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) CVE-2025-57741 FortiProxy High FortiProxy 7.2.5+, 7.0.5+ 
Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. Medium FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ 

Technical Summary 

Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.

Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.

Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-49201 FortiPAM, FortiSwitch Manager This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces.  Authentication Bypass / Remote Code Execution 
 CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. Remote Code Execution / System Compromise 
CVE-2025-58325 FortiOS A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. Privilege Escalation / Remote Code Execution 
CVE-2025-57741 FortiProxy This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. Remote Code Execution / Service Compromise 

Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential. 

Vulnerability Name CVE ID Affected Component Severity 
 FGFM protocol allows unauthenticated reset of the connection CVE-2025-26008 FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. Medium 
Heap Overflow in fgfmsd CVE-2025-50571 FortiAnalyzer/Cloud, FortiManager/Cloud. Medium 
Heap buffer overflow in websocket CVE-2025-22258 FortiOS,FortiPAM, FortiProxy, FortiSRA Medium 
Improper autorization over static files CVE-2025-54822 FortiOS, FortiProxy Medium 
Insufficient Session Expiration in SSLVPN using SAML authentication CVE-2025-25252 FortiOS Medium 
Missing authentication check in OFTP service CVE-2025-53845 FortiAnalyzer Medium 
Race condion in FortiCloud SSO SAML authentication CVE-2025-54973 FortiAnalyzer Medium 
Stack-based buffer overflow on fortitoken import feature CVE-2025-46718 FortiOS, FortiProxy Medium 

Recommendations 

Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website 

  • FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version 
  • FortiSwitch Manager: Upgrade to version 7.2.5 or higher 
  • FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series 
  • FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version 
  • FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version 

Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations : 

  • Enable multi-factor authentication (MFA) to reduce unauthorized access risk 
  • Restrict network access to management interfaces to trusted personnel only 
  • Monitor logs for unusual brute-force attempts or anomalous login activity 
  • Apply the principle of least privilege to limit access to VPN and management services 
  • Use firewalls with strict whitelisting to block external attack vectors to vulnerable services 

Conclusion: 
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.

The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.

Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure. 

References

Hashtags 

#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept  

Security Advisory

Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits 

Summary:  Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.  

Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.

The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-10-14 
No. of Patches 175 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 175 Microsoft CVEs addressed 
  • 21 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 80 Elevation of Privilege (EoP) 
  • 31 Remote Code Execution (RCE) 
  • 28 Information Disclosure 
  • 11 Denial of Service (DoS) 
  • 11 Security Feature Bypass 
  • 12 Spoofing  
  • 2 Tampering 

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Agere Modem Driver Elevation of Privilege Vulnerability CVE-2025-24990 Windows 10, 11, Server 2016-2022 High 7.8 
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability CVE-2025-59230 Windows 10, 11, Server 2016-2022 High 7.8 
Secure Boot Bypass Vulnerability in IGEL OS CVE-2025-47827 IGEL OS Medium 4.6 
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability CVE-2025-59287 Windows Server Critical 9.8 
Microsoft Office Remote Code Execution Vulnerability CVE-2025-59234 Microsoft Office High 7.8 
Microsoft Excel Remote Code Execution Vulnerability CVE-2025-59236 Microsoft Excel (2016-2021) High 8.4 

Technical Summary 

October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.

3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.  

Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-24990 Windows Agere Modem Driver Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware Privilege Escalation 
CVE-2025-59230 Windows Remote Access Connection Manager Improper access control allows local attackers to gain SYSTEM privileges Privilege Escalation 
CVE-2025-47827 IGEL OS < v11 Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem Security Feature Bypass 
CVE-2025-59287 Windows Server Update Service Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks Remote Code Execution 
CVE-2025-59234 Microsoft Office (2016-2021) Use-after-free in Office allows RCE via malicious files, no authentication required Remote Code Execution 
CVE-2025-59236 Microsoft Excel (2016-2021) Use-after-free in Excel enables RCE via malicious files, potentially leading to system control Remote Code Execution 

Source: Microsoft 

In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed 

  • CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical) 
  • CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE202549708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation.  (Critical) 
  • CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical) 
  • CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical) 
  • CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical) 

Key Affected Products and Services 

  • Windows Core and Security Components 

Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher. 

  • Microsoft Office Suite 

Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution. 

  • Azure and Cloud Services 

Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances. 

  • Virtualization and Hyper-V 

Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks. 

  • Developer and Management Tools 

Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation. 

  • Communication & File Services 

Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs. 

Remediation: 

  • Install the October 2025 security updates immediately to mitigate risks. 

Here are some recommendations below  

  • Use EDR tools to monitor any indicators like Office crashes or logs. 
  • Disable unused services to prevent any remote access or other exploitation. 
  • Apply least privilege access in Office and Azure environments. 
  • Segment networks to reduce any lateral movement. 

Conclusion: 
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure. 

References

Security Advisory

Ivanti Endpoint Manager Vulnerabilities Expose Systems to RCE, SQL & Privilege Escalation Risks 

Summary : Security Advisory: Ivanti has publicly disclosed 13 vulnerabilities affecting its Endpoint Manager (EPM) 2024 and earlier releases. It includes 2 high-severity issues, 1 enabling remote code execution (RCE) and the other supporting privilege escalation alongside 11 medium-severity SQL injection flaws. Successful exploitation could lead to privilege escalation or remote code execution. 

OEM Ivanti 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-11622, CVE-2025-9713 & CVEs for SQL 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities are considered critical for enterprise environments, as they could permit attackers to gain unauthorized access, execute arbitrary code, or extract sensitive database information from vulnerable endpoints.

Administrators are urged to update to the latest version to mitigate the attack and prevent potential exploitation. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Insecure Deserialization  CVE-2025-11622 Ivanti Endpoint Manager 2024 SU3 SR1 and prior  High 2024 SU4   
Path Traversal – Remote Code Execution  CVE-2025-9713 Ivanti Endpoint Manager 2024 SU3 SR1 and prior High 

Technical Summary 

2 severe vulnerabilities in Ivanti Endpoint Manager significantly increase the risk to affected systems. One of the issues involves insecure deserialization, which may allow a local authenticated attacker to elevate their privileges and gain unauthorized access to sensitive functions or data.

Another notable vulnerability is a path traversal flaw that can lead to remote code execution when triggered by a remote unauthenticated attacker, provided certain user interaction occurs. In addition to these, multiple instances of SQL injection have been identified across various components of the application. These flaws could be exploited by remote authenticated users to retrieve unauthorized information from the backend database, potentially exposing sensitive data. 

These vulnerabilities underscores the importance of implementing secure coding practices, validating user input, and applying timely security patches to minimize risk and protect system assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-11622 Ivanti Endpoint Manager  This flaw allows a local authenticated attacker to escalate privileges on the EPM Core server by exploiting deserialization routines.  Privilege Escalation / Remote Code Execution 
 CVE-2025-9713 Ivanti Endpoint Manager  This enables remote unauthenticated attackers to achieve remote code execution, with user interaction required to trigger malicious file import or configuration actions. Remote Code Execution / System Compromise 

In addition, releasing eleven CVEs for SQL injection vulnerabilities that permit remote authenticated attackers to access and read arbitrary data from the database.  

Vulnerability Name CVE ID Affected Component Severity 
SQL Injection Flaws CVE-2025-1162 
CVE-2025-62383 
CVE-2025-62384 
CVE-2025-62385 
CVE-2025-62386 
CVE-2025-62387 
CVE-2025-62388 
CVE-2025-62389 
CVE-2025-62390 
CVE-2025-62391 
CVE-2025-62392 		Ivanti Endpoint Manager  Medium 

Recommendations 

Update Ivanti Endpoint Manager to the following versions when available: 

  • 2024 SU4 for high-severity vulnerabilities (targeted release November 12, 2025) 
  • 2024 SU5 for SQL injection vulnerabilities (scheduled Q1 2026) 

Patches are currently under development, here are some mitigations below to protect the environment  

  • Use Ivanti EPM 2024 SU3 SR1 to reduce the risk associated with the insecure deserialization vulnerability.  
  • Limit access to the EPM Core server to local administrators only. 
  • Use a firewall with a strict whitelisting configuration to block remote access. 
  • Avoid importing untrusted configuration files into the EPM Core server. 
  • Remove the reporting database user from the EPM configuration to mitigate the SQL injection vulnerabilities. But this action will disable reporting functionality, as the reporting database user is required to run reports. 

Conclusion: 
These vulnerabilities pose a significant threat to organizations relying on Ivanti Endpoint Manager for enterprise device management, potentially enabling privilege escalation, remote code execution, and unauthorized data access. Enterprises are strongly urged to implement Ivanti’s recommended mitigations without delay to reduce immediate risk. Additionally, organizations should prepare for the timely deployment of the upcoming security updates as they become available. Proactive action is essential to maintaining the security and integrity of endpoint management infrastructure. 

References

Scroll to top