Weekly Threat Landscape Digest – Week 40

This week’s threat landscape (Week 40) highlights the continued evolution of adversaries who are combining technical exploits with social engineering and cloud-targeted tactics to secure persistence and expand their reach. Attackers are increasingly abusing identities, exploiting weak points in supply chains, and maintaining long-term stealth across hybrid infrastructures. For defenders, the priorities remain clear: shorten patching cycles, improve monitoring across cloud and on-premise assets, and enforce strict identity and access management. Resilience relies on consistently applying least privilege, mandating MFA, and strengthening automated defenses with ongoing awareness and training.
- Remote Code Execution Vulnerability in Microsoft Edge (Chromium-based)
Microsoft has disclosed a high-severity remote code execution vulnerability (CVE-2025-59251, CVSS 7.6) in its Chromium-based Edge browser. The flaw is reachable over the network and is triggered when a user clicks a crafted link; note that the advisory scores it as requiring low privileges and user interaction (PR:L, UI:R), so this is not an unauthenticated drive-by. Once triggered, the attacker can execute arbitrary code in the context of the victim's browser session, exposing sensitive data, altering stored information, or crashing browser tabs.
Vulnerability Details
- CVE ID: CVE-2025-59251
- Vector: Network – via crafted malicious links
- Severity: High (CVSS 7.6)
- Attack Complexity: Low
- Privileges Required: Low (authenticated client)
- User Interaction: Required (clicking crafted link)
- Impact:
- Confidentiality (C:H): Exposure of sensitive browsing/session data
- Integrity (I:H): Modification of stored information
- Availability (A:L): Limited DoS (tab crashes)
Mitigation Guidance
- Update to Microsoft Edge v140.0.3485.81 or later immediately.
- Advise users to exercise caution with untrusted links until patches are applied.
- Enforce centralized browser update policies in enterprise environments.
Reference
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59251
- Critical XSS Vulnerability in Drupal JSON Field Module
A critical cross-site scripting (XSS) vulnerability (CVE-2025-10926) has been identified in the JSON Field module for Drupal 8.x. The flaw arises from improperly filtered field formatters, enabling attackers to inject malicious scripts into affected sites. Successful exploitation can lead to session hijacking, credential theft, defacement, or unauthorized actions within a victim’s browser.
Vulnerability Details
- CVE ID: CVE-2025-10926
- Component: JSON Field (Drupal 8.x module)
- Severity: Critical (Drupal risk score 15/25)
- Vulnerability Type: Cross-Site Scripting (XSS)
- Attack Complexity: Basic
- Authentication Required: None
- Affected Versions: JSON Field < 8.x-1.5
- Fixed Version: JSON Field 8.x-1.5
Impact
- Session hijacking and account takeover
- Theft of user credentials and sensitive information
- Unauthorized actions within user sessions
- Website defacement and content manipulation
Mitigation Guidance
- Upgrade immediately to JSON Field 8.x-1.5.
- Review site configurations and make sure JSON values are escaped on output wherever a field formatter or theme template renders them; input filtering alone does not stop stored XSS.
- Monitor application logs for suspicious activity.
Reference
https://www.drupal.org/sa-contrib-2025-106
- Actively Exploited Critical Vulnerabilities in Cisco Products
Cisco has disclosed multiple vulnerabilities affecting Cisco Secure Firewall ASA (including the ASA 5500-X Series) and Firepower Threat Defense (FTD) software; one of them (CVE-2025-20363) also affects IOS, IOS XE and IOS XR. Two flaws have been chained in the wild against ASA devices: CVE-2025-20333, a critical remote code execution bug in the VPN web server, and CVE-2025-20362, an authentication bypass that gives an unauthenticated attacker access to restricted URL endpoints and so removes the credential requirement that CVE-2025-20333 would otherwise impose. The third, CVE-2025-20363, is a separate critical RCE in the HTTP/web services for which Cisco PSIRT reported no known exploitation at disclosure. Cisco links the observed attacks to the ArcaneDoor campaign identified in 2024, which achieved persistence on older ASA hardware by modifying ROMMON so that the implant survived reboots and software upgrades.
Key Vulnerabilities
- CVE-2025-20333 – Critical (CVSS 9.9) → RCE via the VPN web server (AnyConnect/SSL VPN, MUS); requires VPN credentials on its own, but is chained with CVE-2025-20362 in the wild.
- CVE-2025-20362 – Medium (CVSS 6.5) → Unauthenticated access to restricted URL endpoints (authentication bypass); exploited in the wild as the first stage of the chain.
- CVE-2025-20363 – Critical (CVSS 9.0 ASA/FTD, 8.5 IOS/IOS XE/IOS XR) → RCE via web services; unauthenticated on ASA/FTD, low-privileged user on IOS platforms. Not reported exploited at disclosure, but patch on the same schedule.
Impact
- Full compromise of ASA/FTD firewalls and VPN gateways.
- Unauthorized access and potential lateral movement into enterprise networks.
- High-value exploitation consistent with state-backed campaigns.
Mitigation Guidance
- Patch immediately: Apply Cisco’s released fixes for ASA, FTD, IOS, IOS XE, and IOS XR.
- Investigate environments: Review VPN/web logs, check for ROMMON compromise indicators, and inspect devices for unauthorized changes.
- Harden access: Disable unused VPN/web services, restrict VPN access to trusted IPs, enforce MFA.
- Monitor continuously: Enable Cisco Threat Detection, integrate with SIEM, and watch for brute force or lateral movement attempts.
- Incident response: Treat potentially compromised ASA devices as untrusted. Follow Cisco and CISA guidance to collect forensic evidence (core dumps, running configuration, ROMMON verification) before upgrading, because a software upgrade does not by itself remove a tampered ROMMON on models that lack Secure Boot and Trust Anchor.
Reference
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
- DLL Hijacking Vulnerability in Notepad++
A DLL hijacking vulnerability (CVE-2025-56383) was disclosed in Notepad++ v8.8.3. An attacker who can write to the application's installation or plugin directory can plant or replace a DLL that Notepad++ loads at startup, so arbitrary code runs every time the editor is launched. A public proof-of-concept demonstrates replacing a plugin DLL with one that forwards the original exports, so the application keeps working normally while the payload executes. The precondition matters: a default install under Program Files is writable only by administrators, so the realistic paths are a trojanized installer, a supply chain compromise, a user-writable (portable) install, or an insider who already holds write access.
Vulnerability Details
- CVE ID: CVE-2025-56383
- Severity: Medium (CVSS ~6.5)
- Affected Software: Notepad++ v8.8.3 (confirmed)
- Attack Vector: Local placement or replacement of DLL files (Plugins dir, install path, or trojanized installer)
- Attack Complexity: Low (requires write access or supply chain compromise)
- User Interaction: None beyond launching Notepad++; the DLL is loaded automatically at startup
Impact
- Arbitrary code execution when Notepad++ is launched.
- Persistence and post-exploitation (dropping additional malware).
- Potential privilege escalation if Notepad++ is run with elevated rights.
- Lateral movement opportunities in enterprise environments.
Mitigation Guidance
- Validate existing Notepad++ installations and scan plugin/install directories for unauthorized DLLs.
- Apply strict file-permission restrictions to prevent DLL tampering by non-admin users.
- Only download and install Notepad++ from official repositories.
- Implement application allowlisting to block unauthorized DLLs.
- Monitor EDR/AV logs for anomalous DLL load activity.
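The first and fifth mitigation steps come down to knowing which DLLs belong in the install tree. The script below is an added example, not Notepad++ project code: it records a SHA-256 baseline of every DLL under an install root (plugins\ included) and diffs a later snapshot against it, which surfaces both techniques the PoC uses (a planted DLL and a replaced one). The directory layout and file names in demo() (lexer.dll, version.dll) are constructed placeholders, not real Notepad++ binaries.

```python
"""Baseline-and-diff integrity check for DLLs under a Notepad++ install tree.
Added example, not Notepad++ project code. Run snapshot_dlls() once on a
known-good install, store the result, and diff against it later."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dlls(root: Path) -> dict:
    """Map install-relative path -> SHA-256 for every *.dll below root.
    Extension match is case-insensitive because Windows is."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every DLL as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed install tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins" / "mimeTools").mkdir(parents=True)
        (root / "notepad++.exe").write_bytes(b"MZ placeholder exe")
        (root / "plugins" / "mimeTools" / "mimeTools.dll").write_bytes(b"MZ placeholder plugin")
        (root / "lexer.dll").write_bytes(b"MZ placeholder lexer")  # hypothetical file name
        baseline = snapshot_dlls(root)

        # Simulated tampering, mirroring the PoC's two techniques:
        # 1) plant a new DLL beside a plugin (hypothetical name version.dll),
        # 2) replace an existing DLL with a forwarding/backdoored copy.
        (root / "plugins" / "mimeTools" / "version.dll").write_bytes(b"MZ planted forwarder")
        (root / "lexer.dll").write_bytes(b"MZ backdoored lexer")
        return diff_snapshots(baseline, snapshot_dlls(root))


if __name__ == "__main__":
    print(demo())
```

In production, store the baseline outside the install tree (or sign it) so an attacker with write access to the directory cannot also rewrite the reference hashes, and pair the diff with the vendor's Authenticode signatures where the DLLs are signed.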
References
- https://github.com/zer0t0/CVE-2025-56383-Proof-of-Concept
- https://github.com/notepad-plus-plus/notepad-plus-plus
- Root Access Vulnerability in TP-Link Tapo D230S1
A root access vulnerability (CVE-2025-10991) has been identified in TP-Link Tapo D230S1 smart devices. The flaw arises from an exposed UART (Universal Asynchronous Receiver-Transmitter) interface, which allows attackers with physical access to the device to gain root privileges. While this vulnerability requires local, physical access and does not enable remote exploitation, successful attacks grant full control over the device, exposing sensitive data and allowing the device to be weaponized as part of larger attack campaigns.
Vulnerability Details
- CVE ID: CVE-2025-10991
- Vulnerability Type: Root access via exposed UART interface
- Attack Vector: Physical (AV:P)
- Severity: High (CVSS v4.0 Base Score: 7.0)
- Affected Products/Versions: TP-Link Tapo D230S1 V1.20 firmware versions prior to 1.2.2 Build 20250907
- Fixed Version: 1.2.2 Build 20250907
Impact
- Confidentiality: High – attackers gain unrestricted access to stored and processed data.
- Integrity: High – device behavior and firmware can be modified or tampered with.
- Availability: High – attackers can disable, crash, or permanently brick the device.
- Broader Risk: Compromised devices may be repurposed for persistence, botnet activity, or staging attacks against other networks.
Mitigation Guidance
- Update firmware immediately to version 1.2.2 Build 20250907 or later.
- Limit physical access to devices in sensitive or critical environments.
- Implement device hardening controls to detect unauthorized tampering.
- Monitor devices for abnormal activity or signs of firmware modification.
- Train staff to recognize hardware tampering attempts in high-security areas.
References
- Security Updates – Apple (FontParser Vulnerability)
Apple has released security updates across its product ecosystem, addressing multiple issues including a vulnerability in FontParser (CVE-2025-43400). The flaw arises from an out-of-bounds write triggered by maliciously crafted font files, which could cause application crashes or memory corruption. Updates are available for iOS, iPadOS, macOS, and visionOS, and the UAE Cyber Security Council strongly recommends immediate installation.
Vulnerability Details
- CVE ID: CVE-2025-43400
- Vulnerability Type: Out-of-bounds write in FontParser
- Severity: Medium (CVSS v3 Base Score: 6.3)
- Impact: Processing a maliciously crafted font may lead to unexpected app termination or corrupt process memory
- Fix: Issue resolved with improved bounds checking
Affected Products / Fixed Versions
- iOS 26.0.1 and iPadOS 26.0.1 → iPhone 11 and later; iPad Pro 12.9″ (3rd gen+) & 11″ (1st gen+); iPad Air 3rd gen+; iPad 8th gen+; iPad mini 5th gen+
- iOS 18.7.1 and iPadOS 18.7.1 → iPhone XS and later; iPad Pro 13″, 12.9″ (3rd gen+), 11″ (1st gen+); iPad Air 3rd gen+; iPad 7th gen+; iPad mini 5th gen+
- macOS Tahoe 26.0.1 → macOS Tahoe
- macOS Sequoia 15.7.1 → macOS Sequoia
- macOS Sonoma 14.8.1 → macOS Sonoma
- visionOS 26.0.1 → Apple Vision Pro
Impact
- Application crashes and instability when processing crafted fonts
- Risk of process memory corruption, potentially exploitable in advanced attacks
- Increased exposure on devices handling untrusted content
Mitigation Guidance
- Install the latest available updates immediately for iOS, iPadOS, macOS, and visionOS.
- Encourage end-users to enable automatic updates for Apple devices.
- Monitor device and application logs for crashes related to font rendering as potential exploit indicators.
- Apply enterprise MDM policies to enforce update compliance across managed devices.
References
- Active Exploitation of VMware Aria Operations & VMware Tools Vulnerabilities
Broadcom has released security updates addressing multiple vulnerabilities in VMware Aria Operations and VMware Tools, including a zero-day (CVE-2025-41244) confirmed to be actively exploited in the wild by the UNC5174 threat group. The primary flaw is a local privilege escalation (LPE) that allows unprivileged local users to escalate privileges to root. Additional vulnerabilities (CVE-2025-41245 and CVE-2025-41246) increase the risk of credential disclosure and improper authorization across VMware environments. Exploitation activity has been observed since October 2024, with UNC5174 leveraging these vulnerabilities to achieve persistence and lateral expansion within hybrid-cloud infrastructures.
Vulnerability Details
- CVE-2025-41244 – Local Privilege Escalation (LPE)
- CVSS 3.1 Score: 7.8 (High)
- Affected Components: VMware Tools (open-vm-tools), Aria Operations SDMP
- Impact: A local, unprivileged user (including a process inside a guest VM where VMware Tools runs) can escalate to root; no credentials beyond the existing low-privileged session are needed.
- Exploitation: Confirmed active exploitation by UNC5174.
- Root Cause:
- Credential-based mode: Flaws in Aria Operations metrics-collector scripts.
- Credential-less mode: Insecure regex handling in get-versions.sh (open-vm-tools).
- CVE-2025-41245 – Information Disclosure
- CVSS 3.1 Score: 4.9 (Moderate)
- Affected Component: VMware Aria Operations
- Impact: Non-admin users may disclose credentials of other Aria Operations users.
- Exploitation: Not yet observed.
- CVE-2025-41246 – Improper Authorization
- CVSS 3.1 Score: 7.6 (High)
- Affected Component: VMware Tools (Windows only)
- Impact: Non-admin VM users authenticated via vCenter/ESX may access other guest VMs with valid credentials.
- Exploitation: Not confirmed.
- Note: Linux and macOS builds of VMware Tools are unaffected.
Impacted Products
- VMware Aria Operations (versions 8.x, 5.x, 4.x, 3.x, 2.x)
- VMware Tools (Windows & Linux) – versions 11.x, 12.x, 13.x
- VMware Cloud Foundation (including Operations)
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
Impact
- Privilege escalation leading to full root access on VMs.
- Exposure of credentials for lateral movement.
- Improper cross-VM access within vCenter-managed environments.
- Potential long-term persistence and control of hybrid-cloud infrastructures.
Mitigation Guidance
- Patch immediately by applying Broadcom’s security updates and KB guidance.
- Monitor for suspicious child processes spawned by vmtoolsd or Aria SDMP components.
- Investigate anomalous executions of get-versions.sh or custom SDMP scripts.
- Restrict guest VM access to sensitive/management networks.
- Enforce least-privilege access across VMware Aria Operations and VM accounts.
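The "insecure regex handling" root cause is worth seeing concretely, because the same mistake recurs in any discovery script that runs what it finds. The block below is an added, illustrative example (not the real get-versions.sh or SDMP code): a collector that matches running services by command line and would then execute the matched binary as root. The vulnerable matcher accepts any path ending in a known service name, so a user-planted /tmp/httpd is "discovered"; the hardened matcher anchors on system binary directories and also checks that the file is root-owned and not group/world writable. The process list and file metadata are constructed.

```python
"""Illustration of the bug class behind CVE-2025-41244 (added example; not
the real get-versions.sh or SDMP code). Service discovery matches command
lines, and the matched binary is later executed with root privileges."""
import os
import re
import stat
from types import SimpleNamespace

SERVICE_NAMES = r"(?:httpd|nginx|mysqld|postgres|java)"

# Vulnerable: "\S*/" lets ANY directory precede the service name.
VULNERABLE_RE = re.compile(r"^(\S*/" + SERVICE_NAMES + r")(?:\s|$)")

# Hardened: only /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin.
HARDENED_RE = re.compile(r"^((?:/usr(?:/local)?)?/s?bin/" + SERVICE_NAMES + r")(?:\s|$)")


def discover_vulnerable(cmdlines):
    """Binaries the vulnerable matcher would hand to the run-as-root step."""
    return [m.group(1) for c in cmdlines if (m := VULNERABLE_RE.match(c))]


def trusted_binary(path, stat_fn=os.stat):
    """Second gate: file must be root-owned and not group/world writable.
    stat_fn is injectable so the demo runs without touching the real filesystem."""
    try:
        st = stat_fn(path)
    except OSError:
        return False
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def discover_hardened(cmdlines, stat_fn=os.stat):
    return [
        m.group(1)
        for c in cmdlines
        if (m := HARDENED_RE.match(c)) and trusted_binary(m.group(1), stat_fn)
    ]


# Constructed process list, in the shape /proc/*/cmdline would present.
PROCESS_CMDLINES = [
    "/usr/sbin/httpd -k start",
    "/usr/bin/java -jar /opt/app/app.jar",
    "/tmp/httpd",                                   # planted by an unprivileged user
    "/home/alice/.local/bin/nginx -g daemon off;",  # user-controlled directory
    "/usr/local/bin/nginx -g daemon off;",          # trusted dir, but user-owned file
    "/usr/sbin/sshd -D",                            # not in the service list
]

# Constructed file metadata for the paths above (uid 0 == root).
FAKE_FS = {
    "/usr/sbin/httpd": SimpleNamespace(st_uid=0, st_mode=0o100755),
    "/usr/bin/java": SimpleNamespace(st_uid=0, st_mode=0o100755),
    "/tmp/httpd": SimpleNamespace(st_uid=1000, st_mode=0o100755),
    "/home/alice/.local/bin/nginx": SimpleNamespace(st_uid=1000, st_mode=0o100755),
    "/usr/local/bin/nginx": SimpleNamespace(st_uid=1000, st_mode=0o100755),
}


def fake_stat(path):
    if path in FAKE_FS:
        return FAKE_FS[path]
    raise FileNotFoundError(path)


def demo():
    return {
        "vulnerable": discover_vulnerable(PROCESS_CMDLINES),
        "hardened": discover_hardened(PROCESS_CMDLINES, fake_stat),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check is the part people skip: an anchored path regex is defeated the moment a trusted directory (or a file in it) is writable by a non-root user, which is exactly the /usr/local/bin/nginx case above.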
References
- Critical Vulnerability in HPE Telco Service Orchestrator
Hewlett Packard Enterprise (HPE) has released security updates addressing multiple vulnerabilities in its Telco Service Orchestrator platform, including a critical flaw (CVE-2025-54419, CVSS 10.0) that an unauthenticated remote attacker could use to fully compromise the platform. The remaining issues allow denial of service (DoS), SQL injection, and unauthenticated information disclosure. Together they pose a significant risk to telecom operators relying on HPE orchestration.
Vulnerability Details
- CVE-2025-54419 – CVSS 10.0 (Critical) – Unauthenticated remote compromise of confidentiality, integrity and availability, with scope change (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2025-58754 – CVSS 7.5 (High) – Denial of Service (DoS) condition (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVE-2025-5878 – CVSS 7.3 (High) – SQL Injection, possible data modification/disclosure (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
- CVE-2025-8916 – CVSS 5.3 (Medium) – Unauthenticated Information Disclosure (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Impacted Products
- HPE Telco Service Orchestrator versions prior to 5.3.5
Fixed Version
- HPE Telco Service Orchestrator v5.3.5 or later
Impact
- Unauthenticated remote attackers may fully compromise the orchestrator (CVE-2025-54419).
- SQL injection may enable attackers to manipulate or exfiltrate sensitive orchestration data.
- Attackers can induce Denial of Service (DoS) against orchestration nodes, causing outages.
- Unauthorized access may result in information leakage across telco environments.
Mitigation Guidance
- Upgrade immediately to HPE Telco Service Orchestrator v5.3.5 or later.
- Review system logs for indicators of compromise or unauthorized access.
- Apply network segmentation and limit external access to orchestration components.
- Enforce least privilege for all accounts interacting with orchestration services.
- Implement intrusion detection to flag unusual SQL queries and anomalous requests to orchestration endpoints.
References
- Multiple Vulnerabilities in OpenSSL
OpenSSL has released security updates addressing multiple vulnerabilities across supported versions, including flaws that may result in denial of service, remote code execution, or private key exposure. While some of the vulnerabilities require specific conditions for exploitation, organizations running affected versions are strongly advised to apply patches immediately to mitigate risk.
Vulnerability Details
- CVE-2025-9230 – Out-of-bounds Read/Write in RFC 3211 KEK Unwrap
- Severity: Moderate
- Affected Versions: OpenSSL 3.5, 3.4, 3.3, 3.2, 3.0, 1.1.1, 1.0.2
- Impact:
- Denial of Service (DoS) via application crashes
- Potential remote code execution through memory corruption
- Exploitation Likelihood: Low (password-based CMS encryption is rarely used)
- Patched Versions: 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd & 1.0.2zm (Premium support only)
- CVE-2025-9231 – Timing Side-Channel in SM2 (64-bit ARM)
- Severity: Moderate
- Affected Versions: OpenSSL 3.5, 3.4, 3.3, 3.2
- Impact:
- Possible recovery of private keys through timing analysis of SM2 signature computations
- May be remotely exploitable in specific provider contexts
- Exploitation Likelihood: Medium (requires precise timing access)
- Patched Versions: 3.5.4, 3.4.3, 3.3.5, 3.2.6
- CVE-2025-9232 – Out-of-bounds Read in HTTP client no_proxy Handling
- Severity: Low
- Affected Versions: OpenSSL 3.5.0+, 3.4.0+, 3.3.3+, 3.2.4+, 3.1.8+, 3.0.16+
- Impact:
- Denial of Service (DoS) if attacker controls the URL and a specific no_proxy configuration is present
- Exploitation Likelihood: Very low (requires complex conditions)
- Patched Versions: 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18
Impact
- Denial of Service conditions impacting OpenSSL-based applications.
- Potential memory corruption leading to remote code execution.
- Risk of private key exposure under specific cryptographic contexts.
Mitigation Guidance
- Apply the latest OpenSSL security updates immediately.
- Verify that all applications and services relying on OpenSSL are updated to patched versions.
- Restrict exposure of cryptographic operations to untrusted timing environments.
- Review application configurations for no_proxy usage where OpenSSL HTTP client functionality is deployed.
References
- Critical Privilege Escalation Vulnerability in FreeIPA
The FreeIPA Team has disclosed a critical privilege escalation vulnerability (CVE-2025-7493) affecting FreeIPA identity management environments. The flaw, with a CVSS score of 9.1, allows attackers with host-level accounts to escalate privileges and impersonate the domain administrator, leading to complete domain compromise. This vulnerability is related to a previous flaw (CVE-2025-4404) and stems from incomplete uniqueness checks in Kerberos attributes. It has been patched in FreeIPA version 4.12.5, which enforces stricter uniqueness validation in the 389-ds LDAP server and integrates enhanced Kerberos PAC validation.
Vulnerability Details
- CVE ID: CVE-2025-7493
- Severity: Critical (CVSS 9.1)
- Vulnerability Type: Privilege Escalation to Domain Administrator
- Attack Vector: Host-level account compromise enabling Kerberos principal spoofing
- Root Cause: Incomplete enforcement of Kerberos attribute uniqueness in 389-ds LDAP server and insufficient PAC validation
- Affected Product: FreeIPA versions prior to 4.12.5
- Fixed Version: FreeIPA 4.12.5 or later
Impact
- Complete domain compromise if exploited.
- Attackers can impersonate domain administrators.
- Potential unauthorized access to all systems and resources under centralized FreeIPA identity management.
- Persistence and lateral movement across enterprise environments.
Mitigation Guidance
- Immediately upgrade FreeIPA to version 4.12.5 or later.
- Enable Security Identifiers (SID) and Privilege Attribute Certificate (PAC) issuance for enhanced Kerberos validation.
- Review Kerberos principal configurations and audit for duplicate attributes.
- Monitor authentication logs for anomalies that could indicate impersonation attempts.
- Limit host-level account privileges to reduce initial compromise risks.
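The third mitigation step ("audit for duplicate attributes") can be scripted against an LDIF export. The block below is an added example, not FreeIPA code: a minimal LDIF reader plus a check that reports any Kerberos principal name (krbPrincipalName or krbCanonicalName) claimed by more than one entry, which is the kind of collision the incomplete uniqueness checks behind CVE-2025-4404/CVE-2025-7493 allowed (a non-admin entry, here a host, carrying the admin's principal). SAMPLE_LDIF, the realm EXAMPLE.TEST and the host names are constructed.

```python
"""Audit a FreeIPA LDIF export for Kerberos principal names owned by more
than one entry. Added example, not FreeIPA code. Constructed sample data."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
uid: admin
krbPrincipalName: admin@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST

dn: fqdn=web01.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
fqdn: web01.example.test
krbPrincipalName: host/web01.example.test@EXAMPLE.TEST
krbPrincipalName: admin@EXAMPLE.TEST
krbCanonicalName: host/web01.example.test@EXAMPLE.TEST

dn: fqdn=db01.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
fqdn: db01.example.test
krbPrincipalName: host/db01.example.test@EXAMPLE.TEST
krbCanonicalName: host/db01.example.test@EXAMPLE.TEST
"""

PRINCIPAL_ATTRS = ("krbprincipalname", "krbcanonicalname")


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines starting with a space (ldapsearch wraps at 76
    columns). Returns [(dn, {attr_lower: [values]})]. Base64 'attr::' values
    and comments are out of scope for this audit."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation
            continue
        if raw.strip():
            lines.append(raw)
            continue
        if not lines:
            continue
        attrs, dn = defaultdict(list), None
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
        lines = []
    return entries


def find_duplicate_principals(entries):
    """Principal name -> DNs carrying it (as principal or canonical name), for
    names owned by more than one entry. DN order follows the export order."""
    owners = defaultdict(list)
    for dn, attrs in entries:
        names = set()  # de-duplicate within one entry (canonical == principal is normal)
        for attr in PRINCIPAL_ATTRS:
            names.update(attrs.get(attr, []))
        for name in names:
            owners[name].append(dn)
    return {name: dns for name, dns in owners.items() if len(dns) > 1}


def demo():
    return find_duplicate_principals(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"DUPLICATE {name}: {', '.join(dns)}")
```

To produce the input on a real server, export the accounts subtree with something like `ldapsearch -LLL -Y GSSAPI -b cn=accounts,dc=example,dc=test '(krbPrincipalName=*)' krbPrincipalName krbCanonicalName` (base DN is your own suffix) and feed the file to parse_ldif(). Any hit where a host or service entry shares a name with a user, and especially with admin, needs investigation before and after the 4.12.5 upgrade.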
References
- Security Updates – NVIDIA License System (Delegated License Service)
NVIDIA has released security updates addressing multiple vulnerabilities in the Delegated License Service (DLS) component of the NVIDIA License System. The most severe flaw (CVE-2025-23293, CVSS 8.7 – High) could allow an unauthenticated attacker to access sensitive information and execute commands on the system, potentially leading to denial of service (DoS) and full system compromise. Additional vulnerabilities include SQL injection and unauthorized actions that could result in denial of service or information disclosure.
Vulnerability Details
- CVE-2025-23293 – Command Execution via Unauthenticated Access
- CVSS Score: 8.7 (High)
- Impact: Unauthenticated attackers may access sensitive information and execute system commands, potentially leading to denial of service and compromise.
- CVE-2025-23292 – SQL Injection
- CVSS Score: 4.6 (Medium)
- Impact: Attackers could perform unauthorized SQL actions, potentially resulting in partial denial of service.
- CVE-2025-23291 – Unauthorized Action / Information Disclosure
- CVSS Score: 2.4 (Low)
- Impact: Attackers may gain access to sensitive information.
Affected Products
- NVIDIA License System – Delegated License Service (DLS)
- Platforms: All supported platforms
- Affected Versions:
- All versions prior to v3.5.1
- All versions prior to v3.1.7
Fixed Versions
- NVIDIA DLS v3.5.1
- NVIDIA DLS v3.1.7
Impact
- Denial of service and potential full system compromise.
- SQL injection enabling unauthorized database actions.
- Information disclosure affecting confidentiality of licensing environments.
Mitigation Guidance
- Upgrade immediately to NVIDIA License System DLS v3.5.1 or v3.1.7 (depending on branch).
- Restrict network access to the DLS service from untrusted sources.
- Implement monitoring for suspicious command executions or abnormal SQL queries.
- Review system logs for signs of unauthorized access or DoS attempts.
References
- Security Updates – Splunk
Splunk has released security advisories addressing six vulnerabilities across Splunk Enterprise and Splunk Cloud Platform. The most critical issue (CVE-2025-20371) is an unauthenticated blind server-side request forgery (SSRF) vulnerability with a CVSS score of 7.5. Successful exploitation could allow attackers to perform REST API calls on behalf of high-privileged users, potentially leading to data exposure, privilege escalation, or lateral movement. Other vulnerabilities include improper access control, stored and reflected XSS, XML external entity (XXE) injection, and denial-of-service conditions via LDAP abuse.
Vulnerability Details
- CVE-2025-20366 – Improper Access Control (CVSS 6.5)
- Impact: Low-privileged users can retrieve sensitive search results by guessing job Search IDs (SIDs).
- Fix: Upgrade to patched versions.
- CVE-2025-20367 – Reflected XSS (CVSS 5.7)
- Impact: JavaScript payload injection possible via /app/search/table endpoint (dataset.command parameter).
- Fix: Apply vendor patches.
- CVE-2025-20368 – Stored XSS in Saved Searches (CVSS 5.7)
- Impact: Malicious payloads embedded in error messages or job details execute across users.
- Fix: Upgrade to patched versions.
- CVE-2025-20369 – XML External Entity (XXE) Injection (CVSS 4.6)
- Impact: Dashboard tab labels exploitable for XXE payloads; can cause denial of service.
- Fix: Upgrade to version 9.4.4 or higher.
- CVE-2025-20370 – Denial of Service via LDAP Bind Abuse (CVSS 4.9)
- Impact: Abusing the change_authentication capability may cause high CPU usage and Splunk instance crashes.
- Fix: Patch or remove risky capability from user roles.
- CVE-2025-20371 – Unauthenticated Blind SSRF (CVSS 7.5)
- Impact: Enables unauthenticated attackers to perform REST API calls on behalf of privileged users.
- Preconditions: enableSplunkWebClientNetloc must be enabled; phishing may be required.
- Fix: Patch to latest versions or disable enableSplunkWebClientNetloc.
Affected Products / Fixed Versions
- Splunk Enterprise: Fixed in versions 10.0.1, 9.4.4, 9.3.6, and 9.2.8
- Splunk Cloud Platform: Latest hotfixes deployed by Splunk
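Both this advisory and the NVIDIA DLS one above publish fixes on several maintenance branches at once (10.0.1, 9.4.4, 9.3.6, 9.2.8 here; 3.5.1 and 3.1.7 for DLS), and the common inventory mistake is to compare an installed build against the highest fixed number: 9.4.2 is "less than 10.0.1" but the relevant comparison is with 9.4.4, and a branch with no listed fix (say 9.1.x) must be treated as unpatched. The block below is an added example, not vendor code; the host inventories are constructed.

```python
"""Branch-aware 'is this build patched?' check for advisories that list one
fixed version per maintenance branch. Added example, not vendor code."""
import re

SPLUNK_ENTERPRISE_FIXED = ["10.0.1", "9.4.4", "9.3.6", "9.2.8"]
NVIDIA_DLS_FIXED = ["3.5.1", "3.1.7"]


def parse_version(s):
    """'9.4.4' -> (9, 4, 4); tolerates suffixes such as '9.4.4-build123'."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def patch_status(installed, fixed_versions, branch_depth=2):
    """Return (status, required_version). status is 'patched', 'vulnerable' or
    'unlisted-branch'. A branch is the first branch_depth components
    (major.minor for both vendors here)."""
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if fx[:branch_depth] == inst[:branch_depth]:
            return ("patched" if inst >= fx else "vulnerable", fixed)
    # No fix published for this branch: end-of-support or simply not covered.
    # Either way it needs an upgrade onto a fixed branch; point at the newest.
    return ("unlisted-branch", fixed_versions[0])


def report(installed_by_host, fixed_versions):
    """host -> status, for running over an inventory export."""
    return {h: patch_status(v, fixed_versions)[0] for h, v in installed_by_host.items()}


# Constructed inventories for the demo.
SPLUNK_HOSTS = {"sh01": "9.4.2", "sh02": "9.4.4", "idx01": "9.1.5", "sh03": "10.0.1"}
DLS_HOSTS = {"dls-a": "3.1.6", "dls-b": "3.5.1", "dls-c": "3.0.2"}

if __name__ == "__main__":
    print(report(SPLUNK_HOSTS, SPLUNK_ENTERPRISE_FIXED))
    print(report(DLS_HOSTS, NVIDIA_DLS_FIXED))
```

For Splunk Cloud the version check does not apply; confirm with Splunk that the hotfix has been applied to your stack instead.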
Impact
- Unauthorized retrieval of sensitive data.
- Privilege escalation through SSRF attacks.
- Persistent and reflected XSS leading to user session hijacking.
- Denial of service conditions via LDAP or XXE abuse.
Mitigation Guidance
- Apply vendor-provided patches immediately.
- For Splunk Cloud, ensure hotfix updates are deployed by Splunk.
- Disable risky features (e.g., enableSplunkWebClientNetloc) until patched.
- Review user roles and remove unnecessary capabilities.
- Monitor Splunk job execution and API logs for suspicious activity.
References
- Security Updates – Google Chrome
Google has released Chrome version 141.0.7390.54/55 to the stable channel for Windows, macOS, and Linux, addressing 21 security vulnerabilities. These include multiple high-severity heap buffer overflows and several medium-severity flaws across Chrome components such as WebGPU, Video, Storage, Media, Omnibox, Tabs, and V8. Two of the most critical vulnerabilities (CVE-2025-11205 and CVE-2025-11206) may allow memory corruption and potential remote code execution (RCE). Organizations and end-users are strongly urged to update immediately to mitigate exploitation risks.
Vulnerability Details
- High Severity
- CVE-2025-11205 – Heap buffer overflow in WebGPU → May lead to memory corruption and remote code execution.
- CVE-2025-11206 – Heap buffer overflow in Video → Exploitable via crafted video content, causing memory corruption and potential RCE.
- Medium Severity
- CVE-2025-11207 – Side-channel information leakage in Storage.
- CVE-2025-11208 – Inappropriate implementation in Media.
- CVE-2025-11209 – Inappropriate implementation in Omnibox.
- CVE-2025-11210 – Side-channel information leakage in Tabs.
- CVE-2025-11211 – Out-of-bounds read in Media.
- CVE-2025-11212 – Inappropriate implementation in Media.
- CVE-2025-11213 – Inappropriate implementation in Omnibox.
- CVE-2025-11215 – Off-by-one error in V8.
- Low Severity
- CVE-2025-11216 – Inappropriate implementation in Storage.
- CVE-2025-11219 – Use-after-free in V8.
Fixed Version
- Chrome 141.0.7390.54 (Linux)
- Chrome 141.0.7390.54/55 (Windows and macOS)
Impact
- Remote code execution (RCE) via memory corruption in WebGPU or Video.
- Potential exposure of sensitive information through side-channel leaks.
- Browser instability and crashes from out-of-bounds reads and use-after-free errors.
- Elevated risk for exploitation through crafted web content or malicious media files.
Mitigation Guidance
- Update immediately to Chrome 141.0.7390.54/55 or later.
- Enable automatic updates across enterprise-managed endpoints.
- Monitor browser crash logs and anomalous behavior for potential exploit attempts.
- Limit exposure to untrusted web or media content until patches are fully deployed.
References
- Remote Code Execution Vulnerability in NVIDIA Merlin Transformers4Rec
NVIDIA has released a security update for NVIDIA Merlin Transformers4Rec addressing a high-severity vulnerability (CVE-2025-23298) in a Python dependency. The flaw arises from improper control of code generation, which could allow a local attacker to execute arbitrary code, escalate privileges, disclose sensitive information, or tamper with data. All platforms and versions of Transformers4Rec that do not include GitHub commit b7eaea5 are affected.
Vulnerability Details
- CVE ID: CVE-2025-23298
- Severity: High
- CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CWE: CWE-94 (Improper Control of Code Generation – “Code Injection”)
- Affected Products: NVIDIA Merlin Transformers4Rec (all platforms)
- Affected Versions: All versions excluding commit b7eaea5
- Fixed Version: Any branch including commit b7eaea5
Impact
- Arbitrary code execution on affected systems.
- Privilege escalation leading to higher-level access.
- Unauthorized information disclosure.
- Data tampering and integrity loss.
Mitigation Guidance
- Update NVIDIA Merlin Transformers4Rec to a version that includes GitHub commit b7eaea5.
- Review system and application logs for unusual activity suggesting exploitation attempts.
- Restrict privileges for local users and developers working with Transformers4Rec to reduce exploitation risk.
- Employ application allowlisting and code-signing validation where possible.
References
- BRICKSTORM Backdoor Campaign Targeting Legal and Technology Sectors
Researchers have uncovered a sophisticated espionage campaign leveraging the BRICKSTORM backdoor, attributed to the suspected China-linked threat actor UNC5221. Since March 2025, intrusions have been observed across legal, SaaS, BPO, and technology sectors. The BRICKSTORM malware, a Go-based backdoor with SOCKS proxy functionality, is deployed on edge appliances and VMware vSphere platforms where endpoint detection is limited. The campaign demonstrates advanced persistence and stealth, with an average dwell time of 393 days.
Technical Details
- Initial Access: Exploitation of zero-day vulnerabilities on edge appliances or use of stolen credentials.
- Backdoor: BRICKSTORM (Go-based, SOCKS proxy), obfuscated using Garble.
- C2 Infrastructure: Cloudflare Workers, Heroku apps, sslip.io/nip.io – infrastructure rotated with no reuse across victims.
- Credential Theft:
- BRICKSTEAL (Servlet Filter) harvesting vCenter/AD credentials.
- VM cloning to extract NTDS.dit and credential databases.
- Targeting of Secret Server credential vaults.
- Persistence:
- Modified init/systemd scripts for automatic execution.
- Local vCenter accounts created and deleted post-deployment.
- SLAYSTYLE web shell for fallback access.
- Exfiltration:
- SOCKS tunneling via BRICKSTORM.
- Microsoft 365 mail exfiltration through abused Enterprise Applications.
Impact
- Long-term persistence and covert espionage in enterprise and cloud environments.
- Compromise of VMware vSphere and Microsoft 365 ecosystems.
- Theft of highly privileged credentials, enabling full domain compromise.
- Covert data exfiltration and staging for zero-day exploitation.
Mitigation Guidance
- Asset Inventory: Catalog all edge appliances, virtualization platforms, and devices not monitored by EDR.
- Detection & Hunting:
- Use Mandiant’s BRICKSTORM scanner and shared YARA rules to scan filesystems/backups.
- Review vCenter VPXD logs for unusual VM cloning and deletion.
- Monitor /var/log/audit/sso-events/ for suspicious vCenter account activity.
- Hunt for M365 Enterprise Application abuse with mail.read or full_access_as_app scopes in UAL logs.
- Access Control:
- Enforce MFA for vSphere, vCenter, and Microsoft 365 logins.
- Disable or strictly limit SSH access to ESXi/vCenter appliances.
- Restrict internet access on appliances to vendor-approved update domains only.
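The VPXD review in the hunting guidance above boils down to one pattern: a VM (ideally a domain controller) is cloned, the clone lives just long enough to be mounted and read, and is then deleted. The following is an added example, not code from Mandiant or from the BRICKSTORM report, that applies that logic to vCenter event records. The input shape is a constructed, reduced export modelled on the vSphere Events API (VmClonedEvent carries the new VM in "vm" and the original in "sourceVm"; VmRemovedEvent carries the deleted VM); the VM and account names are made up, and the list of DC names is something the analyst supplies.

```python
import json
from datetime import datetime

# Constructed sample, not real telemetry: a minimal export of vCenter events in
# the shape of the vSphere Events API. Real exports carry many more fields;
# only the ones used below are kept.
SAMPLE_EVENTS = json.dumps([
    {"createdTime": "2025-09-14T02:07:40Z", "eventType": "VmClonedEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": "DC01-tmp", "sourceVm": "DC01"},
    {"createdTime": "2025-09-14T03:41:02Z", "eventType": "VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": "DC01-tmp"},
    {"createdTime": "2025-09-15T10:15:00Z", "eventType": "VmClonedEvent",
     "userName": "VSPHERE.LOCAL\\jsmith", "vm": "WEB03-test", "sourceVm": "WEB03"},
    {"createdTime": "2025-09-16T01:12:09Z", "eventType": "VmClonedEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": "FS02-clone", "sourceVm": "FS02"},
    {"createdTime": "2025-09-16T02:58:30Z", "eventType": "VmRemovedEvent",
     "userName": "VSPHERE.LOCAL\\svc-backup", "vm": "FS02-clone"},
])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_clone_destroy(events_json, dc_names, window_hours=24):
    """Return suspicious clone findings, oldest first.

    A clone is reported when its source is a known domain controller, or when
    the clone is deleted again within `window_hours` of being created (a clone
    that exists only long enough to be read offline is the pattern of interest).
    """
    events = sorted(json.loads(events_json), key=lambda e: _ts(e["createdTime"]))

    # First removal time per VM name, so a later clone reusing a name is not
    # matched against an older deletion.
    removed_at = {}
    for e in events:
        if e["eventType"] == "VmRemovedEvent":
            removed_at.setdefault(e["vm"], _ts(e["createdTime"]))

    findings = []
    for e in events:
        if e["eventType"] != "VmClonedEvent":
            continue
        cloned_at, src, new = _ts(e["createdTime"]), e["sourceVm"], e["vm"]
        gone_at = removed_at.get(new)
        lifetime = (gone_at - cloned_at) if gone_at and gone_at > cloned_at else None
        short_lived = lifetime is not None and lifetime.total_seconds() <= window_hours * 3600
        is_dc = src in dc_names
        if not (is_dc or short_lived):
            continue
        findings.append({
            "clone": new,
            "source": src,
            "user": e["userName"],
            "cloned_at": e["createdTime"],
            "removed_after_min": int(lifetime.total_seconds() // 60) if short_lived else None,
            "severity": "high" if is_dc else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_clone_destroy(SAMPLE_EVENTS, {"DC01", "DC02"}):
        print(f)
```

With the constructed sample, the DC01 clone is reported as high severity (DC source, deleted after 93 minutes), the FS02 clone as medium (non-DC but short-lived), and the WEB03 test clone, which is still present, is not reported. Backup and replication tooling will generate legitimate short-lived clones, so the user field is the first thing to check before escalating.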
- Oyster Backdoor Spread via Malicious Teams Setup Installers
A recent campaign reported by Blackpoint SOC highlights attackers abusing SEO poisoning and malvertising to lure victims into downloading trojanized Microsoft Teams installers. The fake installers, hosted on spoofed websites, deliver the Oyster backdoor (also known as Broomstick). The malware drops a malicious DLL, achieves persistence via scheduled tasks, and establishes command-and-control channels while masquerading as a legitimate collaboration application.
Vulnerability / Threat Details
- Threat Type: Backdoor (Oyster / Broomstick)
- Attack Vector: Malvertising and SEO poisoning leading to spoofed Teams download sites.
- Persistence: Creation of scheduled tasks using built-in system utilities to reload the DLL at startup.
- Payload: Malicious DLL providing remote C2 communications and stealthy long-term access.
- Masquerading: Operates under the guise of Microsoft Teams to evade detection.
Impact
- Unauthorized remote access to compromised endpoints.
- Persistence across reboots via scheduled task abuse.
- Covert C2 communication enabling long-term espionage and data exfiltration.
- Potential lateral movement within enterprise environments disguised as collaboration software.
Mitigation Guidance
- Download Microsoft Teams only from official Microsoft sources; avoid third-party or sponsored links.
- Configure security controls (AV/EDR) to detect scheduled task persistence anomalies.
- Monitor system logs for unusual DLL loads and persistence mechanisms.
- Enforce policies that restrict execution of installers from untrusted websites.
- Ensure up-to-date endpoint protection policies block known indicators (Symantec, Carbon Black, WebPulse).
- Educate users about SEO poisoning and malvertising risks.
Detection Coverage (Vendor Protections)
- Symantec Adaptive-based: ACM.Ps-Rd32!g1, ACM.Ps-Schtsk!g1
- Behavior-based: SONAR.Dropper
- Carbon Black: Covered by existing policies (blocking Known, Suspect, and PUP malware, with cloud scan delay).
- File-based: Trojan Horse, Trojan.Gen.MBT, WS.Malware.1
- Machine Learning-based: Heur.AdvML.A!300/400/500, Heur.AdvML.B!100/200
- Web-based: Malicious domains and IPs covered by WebPulse categories.
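The persistence technique described above (a scheduled task that uses a built-in utility to reload a dropped DLL at startup) leaves a clean audit trail when Security event 4698, "A scheduled task was created", is enabled: the event carries the full task XML. The following is an added example, not code from Blackpoint or from the vendor signatures listed above, that triages such events. It assumes rundll32.exe or regsvr32.exe as the loader (the Symantec signature names above point to rundll32 and schtasks, but the exact command line is not given on this page), and the three event records are constructed, with made-up task and DLL names.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}      # built-in utilities that load a DLL
AUTOSTART = {"LogonTrigger", "BootTrigger"}     # triggers that fire at startup/logon
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)

# Constructed sample: three event 4698 records reduced to the fields used here.
SAMPLE_4698_EVENTS = [
    {"TaskName": r"\MSTeams Update", "SubjectUserName": "alice",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Users\alice\AppData\Roaming\MSTeams\teamsbootstrap.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""},
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o -$</Arguments>
  </Exec></Actions>
</Task>"""},
    {"TaskName": r"\Vendor\Updater", "SubjectUserName": "SYSTEM",
     "TaskContent": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Program Files\Vendor\updater.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""},
]


def triage_task_events(events):
    """Return the tasks worth a look, each with the reasons it was flagged."""
    findings = []
    for ev in events:
        root = ET.fromstring(ev["TaskContent"])
        triggers = [t.tag.split("}")[-1]
                    for trig in root.findall("t:Triggers", TASK_NS) for t in trig]
        autostart = [t for t in triggers if t in AUTOSTART]
        for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
            cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip()
            args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
            exe = ntpath.basename(cmd).lower()
            reasons = []
            # A DLL loader pointed at a user-writable directory is the Oyster shape.
            if exe in LOADERS and USER_WRITABLE.search(args):
                reasons += [f"lolbin-loader:{exe}", "user-writable-path"]
            # Any binary run at logon/boot from a user-writable directory is also suspect.
            elif USER_WRITABLE.search(cmd) and autostart:
                reasons.append("autostart-from-user-writable-path")
            if not reasons:
                continue
            reasons += [f"autostart-trigger:{t}" for t in autostart]
            findings.append({"task": ev["TaskName"], "user": ev["SubjectUserName"],
                             "command": f"{cmd} {args}".strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_task_events(SAMPLE_4698_EVENTS):
        print(f)
```

Only the fake Teams task is reported in the sample: the Defrag task runs a system binary with a calendar trigger, and the vendor updater runs from Program Files. Event 4698 is not collected by default; the "Audit Other Object Access Events" subcategory has to be enabled, and Sysmon process creation events for schtasks.exe cover the same ground on hosts where it is not.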
- Klopatra: New Android Banking Trojan Operation (Turkey-linked)
Cleafy reports a new Android RAT/banking trojan dubbed Klopatra, a novel family with no direct code lineage to known trojans, which Cleafy has tracked since late August 2025 (build artifacts date back to March 2025). Campaigns are focused on Spain and Italy, with more than 3,000 compromised devices across two main botnets. Klopatra blends Hidden VNC (for full remote control) with dynamic overlays (for credential theft), heavy use of native libraries, and Virbox commercial code protection, making detection and analysis difficult. Evidence from code artifacts, C2 responses, and operator notes indicates a Turkish-speaking threat group operating a private botnet (no public MaaS).
Threat Details
- Threat Type: Android banking trojan/RAT with Hidden VNC + overlay attacks.
- Initial Access: Dropper app posing as “Mobdro Pro IP TV + VPN” (side-loaded), uses JSON packer to deliver payload.
- Privilege Abuse: Leverages Accessibility Services to read screen, capture input, and automate actions.
- Evasion/Hardening: Virbox protector, native code, anti-debugging, runtime integrity checks, emulator detection.
- C2 & Ops: Cloudflare-fronted infrastructure; agile development with more than 40 distinct builds since March 2025.
- Capabilities: Hidden VNC (black screen), standard VNC, UI automation (clicks/gestures), overlay injections, data collection (apps list, keystrokes, clipboard), screenshotting, defense evasion (targets AV packages).
Impact
- Full device takeover (fraudulent transactions performed invisibly with Hidden VNC).
- Theft of banking credentials and OTP workflows via overlays and Accessibility abuse.
- Long-term persistence and manual, operator-driven fraud at scale, typically carried out at night when the device is idle and the victim is unlikely to notice.
- Targeted campaigns against financial institutions and customers in Spain and Italy.
Mitigation Guidance
- User hardening: Block side-loading; educate on IPTV/pirated app lures; enforce Play Protect/enterprise store only.
- Mobile EDR/MDM: Enforce policies to prevent Accessibility abuse; alert on overlay permissions; deny battery-optimization exemptions for unapproved apps.
- Banking app defenses: Strengthen device integrity checks, Accessibility/overlay detection, and in-app risk scoring; increase friction for high-risk sessions (night-time, HVNC indicators).
- Network controls: Egress filtering for managed mobile devices; monitor for connections to the published campaign IPs/domains and for anomalous Cloudflare-fronted traffic tied to the campaign.
- Incident response: If infected, rotate banking credentials, revoke device tokens, and review transactions during suspected dwell windows.
- Extortion Campaign Targeting Oracle E-Business Suite (EBS) Customers
Executives at numerous organizations have received extortion emails claiming theft of sensitive data from Oracle E-Business Suite (EBS). Google Threat Intelligence Group (GTIG) and Mandiant report the campaign began around September 29, 2025, with messages that purport affiliation with the Cl0p group and show overlaps with FIN11 infrastructure/use of compromised accounts. Attribution remains unconfirmed; investigators have not validated the data-theft claims. Oracle has since acknowledged the campaign and said attackers may be exploiting known, previously patched vulnerabilities, urging customers to update.
Threat Details
- Threat type: Email extortion campaign alleging EBS data theft; high-volume distribution to senior executives.
- Actor notes: Emails claim ties to Cl0p; overlaps with FIN11 observed (use of many compromised sender accounts; contact info matching Cl0p leak site). Attribution not yet confirmed by GTIG/Mandiant.
- Timeline: Activity observed on/around September 29, 2025; public warnings issued October 2–3, 2025.
- Access vector (under investigation): Oracle notes potential abuse of known vulnerabilities addressed in prior updates (e.g., July 2025 CPU). Details still emerging.
Impact
- Business disruption and coercion: Executive-level pressure, reputational risk, and potential ransom demands (reports cite multi-million USD).
- Potential data exposure: If any compromises are real, theft may include ERP data (finance, HR, supply chain). Not currently substantiated per GTIG/Mandiant.
- Follow-on risk: Credential reuse and lateral movement into other corporate systems if initial access was achieved via weak or unpatched EBS interfaces.
Mitigation Guidance
- Patch/upgrade immediately: Apply Oracle’s latest Critical Patch Update(s) relevant to EBS; verify July 2025 CPU fixes are in place for all internet-facing EBS components.
- Harden EBS access:
- Enforce MFA for all external/admin EBS access; restrict to trusted IPs/VPN; disable unused modules and interfaces.
- Review password reset flows and SSO integrations exposed to the internet.
- Email defenses & user comms: Block spoofed domains, tighten inbound authentication (SPF/DKIM/DMARC), and brief executives to route any extortion mail to IR rather than replying or negotiating (CyberScoop).
- Threat hunting:
- Check for unusual logins to EBS portals; review web/app server logs for exploitation patterns; look for mass data export jobs and atypical REST/SOAP calls.
- Search mail gateways for indicators from reported campaigns and sender addresses tied to Cl0p leak sites (SecurityWeek).
- Incident response readiness: Pre-stage legal/PR templates; coordinate with Oracle support and law enforcement as needed; preserve evidence.
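The threat-hunting guidance above (atypical REST/SOAP calls, mass data export) can be applied directly to the EBS web tier's access logs. The following is an added example, not code from Oracle, GTIG or Mandiant, that runs two checks over Apache/Oracle HTTP Server combined-format log lines: a burst of calls to the web service endpoints from one client within a short window, and any response large enough to look like a bulk export. The endpoint prefixes are assumed to be the standard Integrated SOA Gateway paths (/webservices/rest/ and /webservices/SOAProvider/); the service names, client addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache httpd / Oracle HTTP Server combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Integrated SOA Gateway endpoints (assumed paths; adjust to the deployment).
WS_PREFIXES = ("/webservices/rest/", "/webservices/SOAProvider/")

# Constructed sample: 25 REST calls in 48 s from one client (one returning an
# 18 MB body) plus ordinary browser and integration traffic. Names are made up.
SAMPLE_LOG = [
    f'198.51.100.23 - - [30/Sep/2025:02:14:{i:02d} +0000] '
    f'"POST /webservices/rest/ar_receipts/get/ HTTP/1.1" '
    f'200 {18234201 if i == 48 else 2048} "-" "python-requests/2.32"'
    for i in range(0, 50, 2)
] + [
    '10.0.0.5 - - [30/Sep/2025:09:02:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Sep/2025:09:02:40 +0000] "POST /OA_HTML/OA.jsp?page=HomePG HTTP/1.1" 200 88210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Sep/2025:09:10:03 +0000] "POST /webservices/SOAProvider/plsql/inv_items/ HTTP/1.1" 200 4512 "-" "Apache-HttpClient/4.5"',
]


def hunt_ebs_access(lines, burst_threshold=20, window_s=60, big_bytes=10_000_000):
    """Flag per-client bursts of web-service calls and oversized responses.

    Returns {"bursts": [(ip, peak_calls_in_window)], "large_transfers": [(ip, path, bytes)]}.
    """
    ws_times = defaultdict(list)
    large = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = int(m["bytes"]) if m["bytes"] != "-" else 0
        if path.startswith(WS_PREFIXES):
            ws_times[ip].append(ts)
        if size >= big_bytes:
            large.append((ip, path.split("?")[0], size))

    bursts = []
    for ip, times in ws_times.items():
        times.sort()
        window, peak = deque(), 0
        for t in times:  # sliding window: most calls seen within any window_s span
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= burst_threshold:
            bursts.append((ip, peak))
    return {"bursts": sorted(bursts), "large_transfers": sorted(large)}


if __name__ == "__main__":
    print(hunt_ebs_access(SAMPLE_LOG))
```

On the sample, 198.51.100.23 is reported for both a 25-call burst and an 18 MB response, while the interactive user and the single SOAP integration call are not. The thresholds are placeholders: baseline the real integration clients first, and allowlist their source addresses rather than raising the burst threshold for everyone.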
References
- SecurityWeek: https://www.securityweek.com/cybercriminals-claim-theft-of-data-from-oracle-e-business-suite-customers/
- Reuters: https://www.reuters.com/business/oracle-says-hackers-are-trying-extort-its-customers-2025-10-03/
- SecurityWeek: https://www.securityweek.com/oracle-says-known-vulnerabilities-possibly-exploited-in-recent-extortion-attacks/
- CyberScoop: https://cyberscoop.com/extortion-email-clop-oracle-customers/