Weekly Threat Landscape Digest – Week 2

This week’s threat landscape highlights the evolving sophistication of threat actors, who are increasingly targeting newly disclosed and unpatched vulnerabilities. From zero-day attacks to advanced phishing campaigns, their techniques continue to grow in complexity. To mitigate these risks, organizations must adopt a proactive, layered security approach. This includes timely patch management, continuous monitoring, and robust detection capabilities. Equally important is fostering a strong cybersecurity culture—one that is supported by real-time threat intelligence, ongoing awareness initiatives, and a well-defined incident response plan to minimize potential damage from emerging threats.

  1. Critical Remote Code Execution Vulnerability in n8n (CVE-2025-68668)

A critical vulnerability in n8n, an open-source workflow automation platform, could allow an authenticated user with workflow creation or modification privileges to execute arbitrary operating system commands on the underlying host. The issue arises due to insufficient sandbox enforcement within the Python Code Node, potentially resulting in full system compromise.

Technical Details

  • CVE: CVE-2025-68668
  • Severity: Critical (CVSS v3.1: 9.9)
  • Vulnerability Type: Protection Mechanism Failure / Sandbox Bypass
  • Affected Component: Python Code Node (Pyodide-based execution)
  • Attack Prerequisite:
    • Authenticated access
    • Permission to create or modify workflows
  • Potential Impact:
    • Arbitrary operating system command execution
    • Compromise of server confidentiality and integrity
    • Privilege escalation equivalent to the n8n service process
    • Lateral movement to connected systems

Affected Versions

  • n8n: Versions 1.0.0 up to (but not including) 2.0.0

Fixed Versions

  • n8n: 2.0.0 or later

Recommendations

  • Upgrade immediately to n8n version 2.0.0 or later
  • Restrict workflow creation and modification privileges to trusted administrators only
  • Audit existing workflows for suspicious or unauthorized Python code execution
  • Monitor host and application logs for abnormal command execution behavior
  • Run n8n using least-privileged service accounts and isolate it from critical systems

  2. Critical Remote Code Execution (RCE) Vulnerabilities in Veeam Backup & Replication

Multiple security vulnerabilities have been identified in Veeam Backup & Replication, including critical and high-severity Remote Code Execution (RCE) flaws. These issues could allow users with privileged backup roles (Backup Administrator, Backup Operator, Tape Operator) to execute arbitrary code or write files on the underlying system, potentially leading to full system compromise.

Technical Details

  • Affected Product: Veeam Backup & Replication
  • Attack Prerequisite:
    • Authenticated access
    • Privileged backup roles (Backup Administrator / Backup Operator / Tape Operator)
  • Potential Impact:
    • Remote code execution as root or postgres
    • Arbitrary file write on the host system
    • Complete compromise of backup infrastructure
    • Abuse of backup systems for lateral movement

Vulnerability Breakdown

  • CVE-2025-59470:
    • Allows Backup or Tape Operator to perform RCE as postgres via malicious interval or order parameters
    • CVSS v3.1: 9.0 (Critical)
  • CVE-2025-55125:
    • Allows Backup or Tape Operator to perform RCE as root using a malicious backup configuration file
    • CVSS v3.1: 7.2 (High)
  • CVE-2025-59468:
    • Allows Backup Administrator to perform RCE as postgres via malicious password parameter
    • CVSS v3.1: 6.7 (Medium)
  • CVE-2025-59469:
    • Allows Backup or Tape Operator to write arbitrary files as root
    • CVSS v3.1: 7.2 (High)

Affected Versions

  • Veeam Backup & Replication: Version 13.0.1.180 and all earlier v13 builds

Not Affected

  • Versions 12.x and earlier

Fixed Versions

  • Veeam Backup & Replication: 13.0.1.1071

Recommendations

  • Upgrade immediately to Veeam Backup & Replication version 13.0.1.1071
  • Restrict Backup Administrator, Backup Operator, and Tape Operator roles to trusted personnel only
  • Review backup job configurations for unauthorized or suspicious modifications
  • Monitor backup servers for abnormal process execution and file write activity
  • Isolate backup infrastructure from production environments where possible

  3. High-Severity Vulnerability in Google Chrome (CVE-2026-0628)

Google has released security updates to address a high-severity vulnerability in the Google Chrome browser. The issue stems from insufficient enforcement of security policies within Chrome WebView, which could allow attackers to bypass security restrictions under specific conditions.

Technical Details

  • CVE: CVE-2026-0628
  • Severity: High
  • Vulnerability Type: Insufficient Policy Enforcement
  • Affected Component: Chrome WebView
  • Attack Scenario:
    • Exploitation may allow bypassing of security controls
    • Could weaken application sandboxing and security boundaries

Affected Versions

  • Chrome versions prior to the patched 143.x releases

Fixed Versions

  • Stable Channel (Desktop):
    • Chrome 143.0.7499.192 / 143.0.7499.193 (Windows & macOS)
    • Chrome 143.0.7499.192 (Linux)
  • Android:
    • Chrome 143.0.7499.192
  • Extended Stable (Desktop):
    • Chrome 142.0.7444.265 (Windows & macOS)

Potential Impact

  • Bypass of browser-enforced security policies
  • Reduced effectiveness of WebView security controls
  • Increased risk of exploitation through malicious web content

Recommendations

  • Update Google Chrome to the latest available version immediately
  • Ensure automatic browser updates are enabled across endpoints
  • Monitor endpoints for outdated Chrome installations
  • Restrict installation of untrusted browser extensions

  4. Samsung Android Security Patch Update – January 2026

Samsung Mobile has released its January 2026 Security Maintenance Release (SMR-JAN-2026) as part of its monthly Android security update program. The update addresses multiple High and Critical severity vulnerabilities across Android, Samsung Semiconductor components, and Samsung-specific software, with potential risks including local privilege escalation, memory corruption, carrier lock bypass, and arbitrary code execution.

Technical Details

  • Update Name: SMR-JAN-2026
  • Covered Components:
    • Google Android Security Bulletin patches
    • Samsung Semiconductor (chipset/driver) patches
    • Samsung Vulnerabilities and Exposures (SVE)
  • Primary Risk Areas:
    • Local privilege escalation
    • Use-after-free and out-of-bounds memory access
    • Kernel and driver-level vulnerabilities
    • Potential arbitrary code execution

Google Android Security Bulletin – January 2026

  • Critical:
    • CVE-2024-43859
  • High Severity:
    • CVE-2024-43766
    • CVE-2025-32348
    • CVE-2025-48609, CVE-2025-48635
    • CVE-2025-54957
    • CVE-2026-0007, CVE-2026-0008, CVE-2026-0010, CVE-2026-0011
    • CVE-2025-20760 through CVE-2025-20795
    • CVE-2025-47339, CVE-2025-47348, CVE-2025-47388, CVE-2025-47394, CVE-2025-47396
  • Not Applicable to Samsung Devices:
    • CVE-2025-47346
    • CVE-2025-47395

Samsung Semiconductor Patches

  • High Severity CVEs:
    • CVE-2025-27807
    • CVE-2025-49495
    • CVE-2025-52519
    • CVE-2025-53966
  • Risk Note: Chipset and driver-level vulnerabilities increase impact due to proximity to kernel and hardware execution layers

Samsung Vulnerabilities and Exposures (SVE)

  • High Severity SVEs:
    • SVE-2025-1716 (CVE-2026-20969) – Android 13, 14, 15, 16 (selected devices)
    • SVE-2025-2103 (CVE-2026-20971) – Android 13, 14, 15, 16
    • SVE-2025-2316 (CVE-2026-20973) – Android 13, 14, 15, 16
    • SVE-2025-2394 (CVE-2026-20974) – Android 13, 14, 15, 16 (selected devices)
  • Moderate Severity SVEs:
    • SVE-2025-1183 (CVE-2026-20968) – Android 13, 14, 15, 16
    • SVE-2025-1990 (CVE-2026-20970) – Android 15, 16
    • SVE-2025-2255 (CVE-2026-20972) – Android 13, 14, 15, 16

Affected Devices

  • Selected Samsung devices running Android 13, 14, 15, and 16

Recommendations

  • Deploy SMR-JAN-2026 updates immediately across all eligible Samsung devices
  • Enforce device compliance checks to prevent access from unpatched endpoints
  • Prioritize patching for devices with elevated privileges or corporate access
  • Monitor mobile endpoints for signs of privilege escalation or exploitation

  5. Cisco Patches ISE and Snort 3 Vulnerabilities Following Public PoC Release

Cisco has released security updates to address multiple medium-severity vulnerabilities affecting Cisco Identity Services Engine (ISE), ISE Passive Identity Connector (ISE-PIC), and Snort 3 Detection Engine. One of the vulnerabilities in Cisco ISE includes a publicly available proof-of-concept (PoC) exploit and could allow authenticated attackers to access sensitive system files, while additional flaws in Snort 3 could lead to information disclosure or service disruption.

Technical Details

  • Attack Scenarios:
    • Authenticated attacker with administrative privileges exploiting Cisco ISE licensing functionality
    • Unauthenticated remote attacker exploiting DCE/RPC handling in Snort 3
  • Potential Impact:
    • Unauthorized access to sensitive system files
    • Information disclosure from security inspection engines
    • Denial of service and reduced availability of security controls

Cisco ISE / ISE-PIC Vulnerability

  • CVE: CVE-2026-20029
  • Severity: Medium (CVSS v3.1: 4.9)
  • Vulnerability Type: Improper XML Parsing / Arbitrary File Read
  • Affected Component: Web-based management interface (licensing feature)
  • Exploit Status: Public PoC available; no confirmed exploitation in the wild
  • Affected Versions:
    • Cisco ISE / ISE-PIC releases earlier than 3.2
    • Cisco ISE / ISE-PIC 3.2 (fixed in Patch 8)
    • Cisco ISE / ISE-PIC 3.3 (fixed in Patch 8)
    • Cisco ISE / ISE-PIC 3.4 (fixed in Patch 4)
  • Not Affected:
    • Cisco ISE / ISE-PIC 3.5
  • Workarounds: None available

Snort 3 DCE/RPC Vulnerabilities

  • CVE-2026-20026:
    • Severity: Medium (CVSS: 5.8)
    • Impact: Denial of service via Snort 3 engine restart
  • CVE-2026-20027:
    • Severity: Medium (CVSS: 5.3)
    • Impact: Information disclosure via DCE/RPC request processing
  • Affected Products:
    • Cisco Secure Firewall Threat Defense (FTD) Software (when Snort 3 is enabled)
    • Cisco IOS XE Software
    • Cisco Meraki software

Recommendations

  • Upgrade Cisco ISE and ISE-PIC to the latest fixed patch versions immediately
  • Apply updates for affected Snort 3–based Cisco products without delay
  • Restrict administrative access to Cisco ISE management interfaces
  • Monitor systems for suspicious file access attempts and Snort engine restarts
  • Track Cisco advisories closely due to frequent targeting of Cisco products

  6. Multiple Critical Remote Code Execution Vulnerabilities in n8n

Two critical Remote Code Execution (RCE) vulnerabilities have been identified in n8n that could allow unauthenticated attackers or low-privileged authenticated users to fully compromise affected instances. Successful exploitation could result in complete takeover of automated workflows, stored credentials, API keys, OAuth tokens, and connected enterprise systems.

Threat Overview

n8n is currently affected by two maximum-severity RCE vulnerabilities, one requiring no authentication and another exploitable by low-privileged users. When combined, these flaws present a systemic security risk, particularly for internet-exposed or weakly controlled n8n deployments.

Vulnerability Breakdown

  • CVE-2026-21858 – Unauthenticated RCE via Content-Type Confusion
    • Severity: Critical
    • CVSS: 10.0
    • Authentication Required: No
    • Impact: Arbitrary file read, authentication bypass, full remote code execution
    • Affected Versions: All versions ≤ 1.65.0
    • Fixed In: 1.121.0
  • CVE-2026-21877 – Authenticated RCE via Arbitrary File Write
    • Severity: Critical
    • CVSS v3.1: 10.0
    • Authentication Required: Yes (low privilege)
    • Impact: Arbitrary file write and execution leading to full RCE
    • Affected Versions: ≥ 0.123.0 and < 1.121.3
    • Fixed In: 1.121.3

Potential Impact

  • Complete compromise of n8n instances
  • Exposure of API keys, OAuth tokens, database credentials, and cloud secrets
  • Unauthorized modification or takeover of automation workflows
  • Rapid escalation to enterprise-wide compromise via connected systems

Related Recent n8n Critical Vulnerabilities

  • CVE-2025-68613 (CVSS 9.9): Authenticated RCE via dynamic code resource misuse
  • CVE-2025-68668 (CVSS 9.9): Sandbox escape leading to arbitrary command execution

Recommendations

  • Upgrade n8n immediately to version 1.121.3 or later
  • Restrict external access to n8n management interfaces
  • Enforce strict access controls and least-privilege permissions
  • Rotate all stored secrets, API keys, and credentials following patching
  • Monitor logs for suspicious file access, workflow modification, or execution behavior

  7. Security Updates for GitLab Community Edition (CE) and Enterprise Edition (EE)

GitLab has released security updates to address multiple security vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE). The issues include high-severity cross-site scripting (XSS), missing authorization controls, denial of service, and information disclosure, which could be exploited to compromise user sessions, bypass access controls, or disrupt GitLab services.

Technical Details

  • Affected Products: GitLab Community Edition (CE), GitLab Enterprise Edition (EE)
  • Vulnerability Types:
    • Cross-site scripting (XSS)
    • Missing or insufficient authorization
    • Denial of service
    • Information disclosure
  • Potential Impact:
    • Execution of malicious scripts in user sessions
    • Bypass of authorization controls
    • Unauthorized configuration changes
    • Service disruption and data exposure

Vulnerability Breakdown

  • CVE-2025-9222: Stored XSS in GitLab Flavored Markdown placeholders (CVSS 8.7)
  • CVE-2025-13761: XSS vulnerability in Web IDE (CVSS 8.0)
  • CVE-2025-13772: Missing authorization in Duo Workflows API (EE) (CVSS 7.1)
  • CVE-2025-13781: Missing authorization in AI GraphQL mutation (EE) (CVSS 6.5)
  • CVE-2025-10569: Denial of service in import functionality (CVSS 6.5)
  • CVE-2025-11246: Insufficient access control in GraphQL runnerUpdate mutation (CVSS 5.4)
  • CVE-2025-3950: Information disclosure in Mermaid diagram rendering (CVSS 3.5)
  • Third-Party Library Update:
    • libpng upgraded to v1.6.51, addressing CVE-2025-65018 and CVE-2025-64720

Affected Versions

  • GitLab CE and EE versions prior to the patched releases

Fixed Versions

  • GitLab CE / EE: 18.7.1, 18.6.3, 18.5.5

Recommendations

  • Upgrade GitLab CE and EE to the latest fixed versions immediately
  • Restrict access to Web IDE, GraphQL APIs, and workflow automation features
  • Review user roles and permissions for over-privileged access
  • Monitor GitLab logs for suspicious script execution or unauthorized API activity
  • Ensure third-party dependencies are kept up to date

  8. Security Updates for Chrome OS

Google has released security updates for Chrome OS under the Long Term Support (LTS) channel to address multiple medium- to high-severity vulnerabilities. The updates remediate memory safety issues and implementation flaws that could be exploited to cause system instability or, under certain conditions, arbitrary code execution.

Technical Details

  • Update Channel: Chrome OS Long Term Support (LTS)
  • Vulnerability Types:
    • Use-after-free
    • Out-of-bounds read
    • Type confusion / bad casting
    • Inappropriate implementation flaws
  • Potential Impact:
    • Memory corruption
    • Application or system crashes
    • Potential arbitrary code execution

Vulnerability Breakdown

  • CVE-2025-38349 (High): Use-after-free vulnerability affecting the epoll system call interface
  • CVE-2025-12443 (Medium): Out-of-bounds read vulnerability in WebXR
  • CVE-2025-13720 (Medium): Bad cast issue in the Loader component
  • CVE-2025-13632 (Medium): Inappropriate implementation in DevTools

Affected Versions

  • Chrome OS versions prior to the patched LTS release

Fixed Versions

  • Chrome OS LTS: 138.0.7204.300 (Platform Version 16295.85.0)

Recommendations

  • Apply the latest Chrome OS LTS security updates immediately
  • Ensure managed Chrome OS devices are enrolled and compliant with update policies
  • Monitor endpoints for abnormal crashes or instability following exploitation attempts
  • Restrict administrative access on Chrome OS devices where possible

  9. High-Severity Vulnerability in Apache Kyuubi (CVE-2025-66518)

A high-severity vulnerability has been identified in Apache Kyuubi, a distributed gateway providing secure, serverless SQL access to large-scale data lakes. The flaw could allow unauthorized users to access the server’s local file system, weakening data security and multi-tenant isolation mechanisms.

Technical Details

  • CVE: CVE-2025-66518
  • Severity: High (CVSS v3.1: 8.8)
  • Vulnerability Type: Improper Input Validation / Path Traversal
  • Affected Component: Kyuubi Server (org.apache.kyuubi:kyuubi-server)
  • Root Cause: Missing path normalization when validating file paths against the kyuubi.session.local.dir.allow.list configuration
  • Attack Prerequisite:
    • Network access to Apache Kyuubi Server via supported frontend protocols

Potential Impact

  • Unauthorized access to local directories
  • Reading of sensitive configuration or system files
  • Bypass of administrative access controls
  • Compromise of multi-tenant isolation guarantees

Affected Versions

  • Apache Kyuubi versions 1.6.0 through 1.10.2

Fixed Versions

  • Apache Kyuubi 1.10.3 or later

Recommendations

  • Upgrade Apache Kyuubi to version 1.10.3 or later immediately
  • Restrict access to Kyuubi frontend protocols to trusted users and networks
  • Review and harden local directory allow-list configurations
  • Monitor Kyuubi logs for suspicious file access or path traversal attempts
  • Apply least-privilege principles for services interacting with Kyuubi

  10. Authenticated Remote Code Execution Vulnerability in Craft CMS (CVE-2025-68455)

A high-severity authenticated Remote Code Execution (RCE) vulnerability has been identified in Craft CMS, affecting both the 4.x and 5.x branches. The flaw allows an authenticated administrator to execute arbitrary commands on the underlying server by abusing Yii’s behavior attachment mechanism in combination with wildcard event listeners.

Technical Details

  • CVE: CVE-2025-68455
  • Severity: High (CVSS v3.1: 8.8)
  • Vulnerability Type: Authenticated Remote Code Execution (RCE)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High (Administrator access to Craft CMS Control Panel)
  • User Interaction Required: None
  • Affected Component: Yii behavior handling via AttributeTypecastBehavior
  • Root Cause: Abuse of legitimate Yii Behavior class enabling code execution through PHP Reflection and magic methods, bypassing prior mitigations (including CVE-2024-4990)

Potential Impact

  • Arbitrary command execution on the hosting server
  • Full compromise of the Craft CMS instance
  • Exposure or manipulation of application data and configuration
  • Potential lateral movement within the hosting environment

Affected Versions

  • Craft CMS 5.x: ≥ 5.0.0-RC1 and ≤ 5.8.20
  • Craft CMS 4.x: ≥ 4.0.0-RC1 and ≤ 4.16.16

Fixed Versions

  • Craft CMS 5.x: 5.8.21
  • Craft CMS 4.x: 4.16.17

Recommendations

  • Upgrade Craft CMS to the latest patched versions immediately
  • Restrict administrative access to the Craft CMS Control Panel
  • Monitor application and server logs for suspicious command execution activity
  • Apply least-privilege principles for CMS administrators
  • Review custom plugins or integrations relying on Yii behaviors

  11. High-Severity Vulnerability in Forcepoint One Data Loss Prevention (DLP) Client (CVE-2025-14026)

A high-severity vulnerability has been identified in the Forcepoint One Data Loss Prevention (DLP) Client that could allow attackers to bypass sandbox restrictions and execute arbitrary code on protected endpoints. Successful exploitation may weaken DLP enforcement and significantly reduce endpoint security.

Technical Details

  • CVE: CVE-2025-14026
  • Severity: High (CVSS v3.1: 7.8)
  • Vulnerability Type: Sandbox Bypass / Arbitrary Code Execution
  • Affected Component: Forcepoint One DLP Client (bundled Python runtime)
  • Root Cause:
    • The client ships with a legacy Python 2.5.4 runtime intended for internal use
    • The ctypes library was removed to restrict system-level access
    • An attacker can restore the missing ctypes module and apply a version-header patch, re-enabling system-level function access
  • Attack Prerequisite:
    • Local access to the endpoint or ability to interact with the DLP client environment

Potential Impact

  • Arbitrary code execution within the DLP client process
  • Bypass of DLP enforcement and policy controls
  • Evasion of endpoint security monitoring
  • Alteration of DLP client behavior on protected systems

Affected Versions

  • Forcepoint One DLP Client: Version 23.04.5642 and potentially earlier releases containing the bundled Python runtime

Fixed Versions

  • Forcepoint One Endpoint: v23.11 and later (Forcepoint DLP v10.2+)

Recommendations

  • Upgrade Forcepoint One DLP Client to v23.11 or later immediately
  • Restrict local administrative access on endpoints running the DLP client
  • Monitor endpoints for abnormal DLP client behavior or unauthorized module loading
  • Review DLP policy enforcement logs for signs of bypass or tampering
  • Apply defense-in-depth controls alongside endpoint DLP solutions

  12. Critical Remote Root Compromise in H3C Wireless Infrastructure (CVE-2025-60262)

A critical security misconfiguration has been identified in select H3C wireless products that could allow unauthenticated remote attackers to obtain root-level access to affected devices. The issue stems from an unsafe vsftpd configuration, enabling full device takeover without authentication.

Technical Details

  • CVE: CVE-2025-60262
  • Severity: Critical
  • CVSS v3.x: 9.8
  • Vulnerability Type: Security Misconfiguration / Improper Access Control
  • Root Cause:
    • Anonymous FTP uploads are incorrectly assigned root ownership
    • Unsafe vsftpd configuration allowing privilege escalation
  • Attack Prerequisite:
    • Network access to affected devices
    • No authentication required

Potential Impact

  • Unauthenticated remote root access
  • Full compromise of wireless controllers and access points
  • Ability to modify firmware, configuration, or network traffic
  • Disruption of wireless services and lateral movement within the network

Affected Products

  • H3C M102G Wireless Controller
    • Firmware: HM1A0V200R010
  • H3C BA1500L Wireless Access Point
    • Firmware: SWBA1A0V100R006

Recommendations

  • Immediately identify and inventory all H3C wireless controllers and access points
  • Verify firmware versions against the affected builds
  • Apply vendor-released firmware updates as soon as available
  • Disable anonymous FTP access if not explicitly required
  • Block FTP access at the network perimeter where possible
  • Monitor devices for unauthorized file uploads or configuration changes
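
The advisory describes the H3C issue as anonymous FTP uploads ending up root-owned under an unsafe vsftpd configuration. The auditor below is an added example, not H3C or vsftpd code; it assumes the root-ownership condition corresponds to vsftpd's chown_uploads / chown_username directives (the advisory does not name them) and uses constructed vsftpd.conf fragments, one weak and one hardened, so the check can be run offline against any exported configuration.

```python
# Constructed vsftpd.conf fragments for this example; they are not H3C firmware
# configuration and the directive values are illustrative.
WEAK_CONF = """\
# constructed sample: anonymous write access with root-owned uploads
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=root
"""

HARDENED_CONF = """\
# constructed sample: anonymous access off, local users chrooted
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are
    skipped and keys are lower-cased, matching how vsftpd reads its file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def _enabled(conf, key, default):
    """vsftpd booleans are YES/NO; 'default' is the compiled-in default used
    when the directive is absent from the file."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf):
    """Return findings for the anonymous-upload and root-ownership pattern.
    Defaults follow vsftpd.conf(5): anonymous_enable=YES, write_enable=NO,
    anon_upload_enable=NO, chown_uploads=NO, chown_username=root."""
    findings = []
    anon = _enabled(conf, "anonymous_enable", "YES")
    if anon:
        findings.append("anonymous_enable=YES: unauthenticated logins accepted")
    if anon and _enabled(conf, "write_enable", "NO") and \
            _enabled(conf, "anon_upload_enable", "NO"):
        findings.append("anonymous uploads enabled: write_enable and "
                        "anon_upload_enable are both YES")
    if _enabled(conf, "chown_uploads", "NO") and \
            conf.get("chown_username", "root").lower() == "root":
        findings.append("chown_uploads=YES with chown_username=root: "
                        "anonymously uploaded files become root-owned")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_vsftpd(parse_vsftpd_conf(text)) or ["no findings"]:
            print("  -", finding)
```

Because anonymous_enable and chown_username both default to their unsafe values when omitted, a file containing only chown_uploads=YES is still flagged.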

  13. High-Severity Vulnerabilities in AzeoTech DAQFactory

Multiple high-severity memory corruption vulnerabilities have been identified in AzeoTech DAQFactory that could be exploited through maliciously crafted .ctl files. Successful exploitation may result in information disclosure, application crashes, or arbitrary code execution within the context of the running process.

Technical Details

  • Vulnerability Class: Memory corruption during .ctl file parsing
  • Attack Prerequisite:
    • Ability to load a specially crafted .ctl file into DAQFactory
  • Trigger Condition: Parsing of malicious .ctl control files

Vulnerability Breakdown

  • CVE-2025-66590 (CWE-787): Out-of-bounds write leading to memory corruption, system crash, or arbitrary code execution
  • CVE-2025-66589 (CWE-125): Out-of-bounds read resulting in information disclosure or application crash
  • CVE-2025-66588 (CWE-824): Access of uninitialized pointer potentially enabling arbitrary code execution
  • CVE-2025-66586 (CWE-843): Type confusion causing memory corruption and code execution
  • CVE-2025-66585 (CWE-416): Use-after-free allowing execution of attacker-controlled code

Potential Impact

  • Arbitrary code execution in the DAQFactory process
  • Exposure of sensitive process or system information
  • Application instability or denial of service
  • Increased risk in industrial and operational environments

Affected Versions

  • AzeoTech DAQFactory: ≤ 20.7 (Build 2555)

Fixed Versions

  • AzeoTech DAQFactory: 21.1 or later

Recommendations

  • Apply the vendor-recommended mitigation or workaround immediately
  • Upgrade to DAQFactory 21.1 or later where possible
  • Restrict loading of .ctl files to trusted sources only
  • Monitor systems for unexpected application crashes or abnormal behavior
  • Isolate DAQFactory deployments within segmented industrial networks

  14. High-Severity Race Condition Vulnerability in Linux Kernel (CVE-2025-68260)

A high-severity race condition vulnerability has been identified in the Linux kernel’s Rust Binder module that could lead to kernel crashes, memory corruption, and system instability. Successful exploitation may result in denial-of-service (DoS) conditions through kernel panics and unexpected system reboots.

Technical Details

  • CVE: CVE-2025-68260
  • Severity: High (CVSS: 7.1)
  • Vulnerability Type: Race Condition / Improper Synchronization
  • Affected Component: Rust Binder module (drivers/android/binder/node.rs)
  • Root Cause:
    • Unsafe manipulation of linked list pointers in the Node::release function
    • List entries are moved to a temporary stack-based list and iterated after releasing a lock
    • Concurrent access to prev and next pointers creates a race window leading to memory corruption
  • Attack Prerequisite:
    • Local access to trigger concurrent binder operations

Potential Impact

  • Kernel panics and system crashes
  • Memory corruption and page faults
  • Kernel oops messages
  • Service disruption and denial of service

Affected Versions

  • Linux Kernel: 6.18

Fixed Versions

  • Linux Kernel: 6.18.1 or later
  • Linux Kernel: 6.19-rc1 or later

Recommendations

  • Update affected systems to a fixed Linux kernel version immediately
  • Monitor systems for kernel crashes or instability until patching is complete
  • Maintain regular kernel updates to reduce exposure to race condition vulnerabilities
  • Review systems using Android Binder functionality for elevated risk

  15. Critical Vulnerability in jsPDF (CVE-2025-68428)

A critical security vulnerability has been identified in jsPDF, a widely used JavaScript library for PDF document generation. The flaw allows unauthenticated remote attackers to read arbitrary files from the server file system when jsPDF is used in Node.js environments, resulting in severe confidentiality impact.

Technical Details

  • CVE: CVE-2025-68428
  • Severity: Critical
  • CVSS v4.0: 9.2 / 10
  • Vulnerability Type:
    • Local File Inclusion (LFI)
    • Path Traversal
  • Associated Weaknesses:
    • CWE-35: Path Traversal
    • CWE-73: External Control of File Name or Path
  • Affected Component: jsPDF (Node.js builds only)
  • Root Cause: Improper validation of file paths passed to multiple jsPDF methods

Potential Impact

  • Unauthorized reading of sensitive local files
  • Exposure of configuration secrets, credentials, and application data
  • Exfiltration of sensitive files embedded into generated PDF documents
  • High risk of data leakage in server-side PDF generation workflows

Affected Versions

  • jsPDF: Versions ≤ 3.0.4

Fixed Versions

  • jsPDF: 4.0.0 or later

Workarounds

  • Enable the Node.js --permission flag to restrict file system access
    • Available from Node.js v20.0.0
    • Stable for production in v22.13.0, v23.5.0, and v24.0.0

Recommendations

  • Upgrade jsPDF to version 4.0.0 or later immediately
  • Treat this issue as priority one for Node.js-based deployments
  • Apply compensating controls if immediate upgrade is not possible
  • Review applications generating PDFs for untrusted input paths
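
Both the Apache Kyuubi finding above (an allow-list checked without path normalization) and the jsPDF finding (file paths passed to library methods without validation) reduce to the same defensive check: normalize a path before testing it against an allowed directory. The block below is an added example, not Kyuubi, jsPDF or any vendor's code; the allow-list and sample paths are constructed, and the check is purely lexical so it runs without touching the file system.

```python
import posixpath

# Constructed allow-list for this example; not a real Kyuubi or jsPDF setting.
ALLOW_LIST = ["/data/session", "/opt/kyuubi/work"]


def naive_is_allowed(path, allow_list=ALLOW_LIST):
    """The weak pattern: a raw string-prefix test with no normalization.
    '/data/session/../../etc/passwd' and '/data/session_evil/x' both pass
    because they merely start with an allowed directory string."""
    return any(path.startswith(base) for base in allow_list)


def normalize(path):
    """Lexically collapse '.', '..' and repeated separators, and fold a
    POSIX-preserved leading '//' down to '/' so the prefix test is uniform."""
    norm = posixpath.normpath(path)
    while norm.startswith("//"):
        norm = norm[1:]
    return norm


def is_allowed(path, allow_list=ALLOW_LIST):
    """Hardened check: reject NUL bytes and relative paths, normalize, then
    require the path to equal an allowed directory or to sit beneath it as a
    whole path component (a trailing '/' is appended so '/data/session_evil'
    is not accepted as a child of '/data/session'). On a live host, resolve
    symlinks with os.path.realpath as well; that step is omitted here so the
    example stays file-system independent."""
    if "\x00" in path or not posixpath.isabs(path):
        return False
    norm = normalize(path)
    for base in allow_list:
        base_norm = normalize(base)
        if norm == base_norm or norm.startswith(base_norm.rstrip("/") + "/"):
            return True
    return False


def audit(paths, allow_list=ALLOW_LIST):
    """Return the paths the naive check would accept but the hardened check
    rejects: the set a traversal finding of this kind exposes."""
    return [p for p in paths
            if naive_is_allowed(p, allow_list) and not is_allowed(p, allow_list)]


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate paths, three traversal attempts.
    SAMPLE = [
        "/data/session/job-42/output.csv",
        "/opt/kyuubi/work/./staging/part-0",
        "/data/session/../../etc/passwd",
        "/data/session_evil/secrets.txt",
        "/data/session/x\x00.png",
    ]
    for p in SAMPLE:
        print(f"{p!r:45} naive={naive_is_allowed(p)} hardened={is_allowed(p)}")
    print("escaped the naive check:", audit(SAMPLE))
```

If the path arrives URL-encoded (as in an HTTP parameter), decode it exactly once before calling is_allowed, otherwise '%2e%2e' survives normalization.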

  16. Multiple Vulnerabilities in Eaton UPS Companion (EUC) Software

Multiple vulnerabilities have been identified in Eaton UPS Companion (EUC) software that could be exploited to achieve arbitrary code execution on the host system. Successful exploitation may compromise systems used to monitor and manage critical power infrastructure, leading to operational disruption.

Technical Details

  • Affected Product: Eaton UPS Companion (EUC)
  • Attack Prerequisite:
    • Local file system access to the host or installer directory
  • Potential Impact:
    • Arbitrary code execution
    • Host system compromise
    • Disruption of power monitoring and management operations

Vulnerability Breakdown

  • CVE-2025-59887 – Insecure Library Loading (DLL Hijacking):
    • Severity: High (CVSS: 8.6)
    • Description: The EUC installer is vulnerable to insecure library loading, allowing a malicious library placed in the installation directory to be loaded instead of a legitimate system library, resulting in code execution with the privileges of the installing user
  • CVE-2025-59888 – Unquoted Search Path Vulnerability:
    • Severity: Medium (CVSS: 6.7)
    • Description: Improper quotation of executable search paths may allow an attacker with file system access to execute arbitrary code on the host

Affected Versions

  • Eaton UPS Companion (EUC): Versions prior to 3.0

Fixed Versions

  • Eaton UPS Companion (EUC): 3.0 or later

Recommendations

  • Upgrade Eaton UPS Companion to version 3.0 or later immediately
  • Restrict local access to systems hosting EUC software
  • Monitor installation directories for unauthorized or suspicious files
  • Apply vendor-provided mitigations or workarounds where upgrades are delayed
  • Harden endpoints managing power infrastructure with additional security controls

  17. Critical Hardcoded Credential Vulnerability in RustFS (CVE-2025-68926)

A critical security vulnerability has been identified in RustFS, a distributed object storage system implemented in Rust. The flaw arises from the use of a hardcoded static authentication token within the gRPC communication layer, allowing any attacker with network access to the exposed gRPC port to fully authenticate as an internal cluster node.

Technical Details

  • CVE: CVE-2025-68926
  • Severity: Critical
  • CVSS v3.1: 9.8
  • Vulnerability Type: Hardcoded Credentials / Authentication Bypass
  • Affected Component: gRPC authentication mechanism
  • Root Cause:
    • Static authentication token embedded in the gRPC layer
    • Token grants implicit trust equivalent to an internal cluster node
  • Attack Prerequisite:
    • Network access to the RustFS gRPC service

Potential Impact

  • Complete authentication bypass
  • Unauthorized access as a trusted cluster node
  • Full compromise of RustFS storage operations
  • Unauthorized data access, modification, or deletion
  • Potential lateral movement within storage infrastructure

Affected Versions

  • RustFS: Versions ≤ alpha.77

Fixed Versions

  • RustFS: alpha.78 or later

Recommendations

  • Upgrade RustFS to alpha.78 or later immediately
  • Restrict network access to RustFS gRPC ports using firewall rules
  • Rotate all cluster credentials and secrets following upgrade
  • Audit cluster activity logs for unauthorized access attempts
  • Avoid exposing internal storage services directly to untrusted networks
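
As an added illustration for this advisory (not RustFS code; the project's real token value and gRPC interceptor are not on this page), the following Python contrasts the vulnerable pattern described above, a compiled-in constant accepted from any peer, with a per-node token bound to a node identity and expiry and signed with a rotatable cluster secret, which is what makes the "rotate all cluster credentials after upgrade" step effective. The gRPC metadata is modelled as a plain dict and the static token is a placeholder.

```python
import hmac
import hashlib
from typing import Optional

# Constructed placeholder for the kind of compiled-in constant the advisory describes;
# the real RustFS value is not on the page and is not reproduced here.
STATIC_TOKEN = "PLACEHOLDER-STATIC-TOKEN"


def authenticate_vulnerable(metadata: dict) -> bool:
    """Vulnerable pattern: every peer that presents the build-time constant is
    treated as an internal cluster node, so the secret is the binary itself."""
    return metadata.get("authorization") == STATIC_TOKEN


def issue_node_token(cluster_secret: bytes, node_id: str, expires_at: int) -> str:
    """Hardened pattern: a token bound to one node identity and an expiry time,
    signed with a rotatable cluster secret. Format: node_id.expires_at.hexmac"""
    mac = hmac.new(cluster_secret, f"{node_id}.{expires_at}".encode(), hashlib.sha256)
    return f"{node_id}.{expires_at}.{mac.hexdigest()}"


def authenticate_hardened(metadata: dict, cluster_secret: bytes,
                          known_nodes: set, now: int) -> Optional[str]:
    """Return the authenticated node_id, or None. Verifies that the node is a known
    member, the token has not expired, and the MAC matches (constant-time compare).
    Rotating cluster_secret invalidates every outstanding token at once."""
    parts = metadata.get("authorization", "").split(".")
    if len(parts) != 3:
        return None
    node_id, exp_str, mac = parts
    if node_id not in known_nodes or not exp_str.isdigit():
        return None
    if int(exp_str) <= now:
        return None
    expected = hmac.new(cluster_secret, f"{node_id}.{exp_str}".encode(),
                        hashlib.sha256).hexdigest()
    return node_id if hmac.compare_digest(mac.encode(), expected.encode()) else None
```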

  1. Multiple Vulnerabilities in QNAP QTS and QuTS hero Operating Systems

Multiple security vulnerabilities have been identified in QNAP QTS and QuTS hero operating systems that could allow authenticated attackers to cause denial-of-service (DoS), access sensitive data, manipulate memory, or crash system processes. The issues span multiple weakness categories, including NULL pointer dereference, buffer overflow, format string injection, path traversal, out-of-bounds read, and uncontrolled resource allocation.

Technical Details

  • Affected Platforms: QNAP QTS, QNAP QuTS hero
  • Attack Prerequisite:
    • Authenticated access (user or administrator, depending on vulnerability)
  • Potential Impact:
    • Denial-of-service (DoS)
    • Memory corruption and process crashes
    • Unauthorized access to sensitive system or application data
    • Resource exhaustion affecting system availability

First Vulnerability Set

  • NULL Pointer Dereference (DoS):
    • CVE-2025-44013, CVE-2025-52426, CVE-2025-52430, CVE-2025-52431, CVE-2025-53405, CVE-2025-53414, CVE-2025-53589, CVE-2025-53590, CVE-2025-53592, CVE-2025-53596
    • Impact: Administrator-level attackers can trigger denial-of-service
  • Buffer Overflow:
    • CVE-2025-52863, CVE-2025-52864, CVE-2025-52872, CVE-2025-53593
    • Impact: Memory modification or process crashes by authenticated users
  • Format String Injection:
    • CVE-2025-53591
    • Impact: Exposure of sensitive data or memory manipulation by administrators
  • Out-of-Bounds Read:
    • CVE-2025-54164, CVE-2025-54165, CVE-2025-54166
    • Impact: Unauthorized disclosure of sensitive system data
  • Uncontrolled Resource Allocation:
    • CVE-2025-47208, CVE-2025-57705
    • Impact: Resource exhaustion leading to service disruption

Fixed Versions (First Set)

  • QTS 5.2.x: 5.2.7.3256 build 20250913 or later
  • QuTS hero h5.2.x: h5.2.7.3256 build 20250913 or later
  • QuTS hero h5.3.x: h5.3.1.3250 build 20250912 or later

Second Vulnerability Set

  • Exposure of Sensitive Information:
    • CVE-2025-9110
    • Impact: Unauthorized access to application or system data
  • Buffer Overflow:
    • CVE-2025-48721, CVE-2025-62852
    • Impact: Memory corruption or process crashes by administrators
  • Path Traversal:
    • CVE-2025-59380, CVE-2025-59381
    • Impact: Reading of unexpected files or sensitive system data

Fixed Versions (Second Set)

  • QTS 5.2.x: 5.2.8.3332 build 20251128 or later
  • QuTS hero h5.2.x: h5.2.8.3321 build 20251117 or later
  • QuTS hero h5.3.x: h5.3.1.3250 build 20250912 or later

Recommendations

  • Upgrade QNAP systems to the latest patched versions immediately
  • Restrict administrative access to QTS and QuTS hero management interfaces
  • Monitor NAS devices for abnormal crashes, memory errors, or unauthorized data access
  • Apply least-privilege principles for user and administrator accounts
  • Review QNAP security advisories regularly due to recurring vulnerability disclosures

  1. Multiple Vulnerabilities in Apache NuttX RTOS Filesystem

The Apache Software Foundation has released security updates addressing multiple vulnerabilities in Apache NuttX RTOS affecting the virtual filesystem (VFS) layer. These issues could allow attackers to trigger memory corruption, unexpected filesystem behavior, or denial-of-service conditions, particularly in deployments where filesystem services are exposed over the network (e.g., FTP).

Technical Details

  • Affected Component: Virtual Filesystem (VFS) layer
  • Attack Surface: Network-exposed filesystem services (e.g., FTP)
  • Potential Impact:
    • Heap memory corruption
    • Root filesystem instability
    • System crashes and denial of service

Vulnerability Breakdown

  • CVE-2025-48769:
    • Severity: Moderate
    • Type: Use After Free
    • Impact: Heap corruption leading to system instability or crashes
  • CVE-2025-48768:
    • Severity: Low
    • Type: Logic flaw
    • Impact: Removal of root filesystem inode causing denial of service

Affected Versions

  • Apache NuttX RTOS versions prior to the fixed releases

Fixed Versions

  • For CVE-2025-48769: Upgrade to Apache NuttX RTOS 12.11.0 or later
  • For CVE-2025-48768: Upgrade to Apache NuttX RTOS 12.10.0 or later

Recommendations

  • Upgrade Apache NuttX RTOS to the latest fixed version immediately
  • Avoid exposing filesystem services over untrusted networks
  • Apply network segmentation and access controls for embedded and IoT devices
  • Monitor devices for filesystem errors or unexpected crashes

  1. GlassWorm Malware Campaign Expands to macOS with Hardware Wallet Trojan Capability

A new wave of the GlassWorm malware campaign has been identified targeting macOS systems, marking a significant evolution in capability and tradecraft. Originally focused on Windows-based VS Code extensions, the threat actor has now pivoted to macOS-exclusive payloads, encrypted JavaScript delivery, blockchain-based command-and-control (C2), and hardware wallet trojanization targeting cryptocurrency users.

Threat Overview

GlassWorm is an adaptive malware campaign delivered via malicious VS Code extensions hosted on Open VSX. The latest wave leverages AES-256-CBC encrypted JavaScript payloads with delayed execution to evade sandbox detection, retrieves C2 infrastructure via the Solana blockchain, and targets developer and cryptocurrency environments on macOS.

Key Technical Changes (Wave 4)

  • Platform Shift: Windows → macOS exclusive
  • Execution: AppleScript-based execution replacing PowerShell
  • Persistence: LaunchAgents replacing Registry/Scheduled Tasks
  • Payload Delivery: Encrypted JavaScript (AES-256-CBC) embedded in compiled extensions
  • Evasion: 15-minute execution delay to bypass sandbox timeouts
  • C2 Mechanism: Solana blockchain transactions containing base64-encoded C2 URLs

New Capabilities

  • Hardware Wallet Trojanization:
    • Targets Ledger Live and Trezor Suite applications
    • Replaces legitimate wallet software with trojanized versions
    • Enables transaction manipulation, fake addresses, seed phrase capture, and interception of device communication
    • Capability present but payloads not fully active at time of analysis

Data Theft Scope

  • Cryptocurrency Assets:
    • 50+ browser wallets (MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, etc.)
    • Desktop wallets (Electrum, Exodus, Atomic, Monero, Bitcoin Core)
  • Developer Credentials:
    • GitHub tokens, NPM tokens, SSH keys, Git credentials
  • System Credentials:
    • macOS Keychain passwords and database
    • Browser cookies and local storage (Chrome, Firefox, Brave, Edge)
  • Exfiltration:
    • Data staged in /tmp/ijewf/, compressed, and exfiltrated over HTTP

Infrastructure Indicators

  • C2 Servers:
    • 45.32.151.157 (primary C2, reused from earlier waves)
    • 217.69.11.60 (earlier C2)
  • Exfiltration Server:
    • 45.32.150.251
  • Blockchain C2:
    • Solana wallet: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC

Malicious Extensions (Open VSX)

  • studio-velte-distributor.pro-svelte-extension
  • cudra-production.vsce-prettier-pro
  • Puccin-development.full-access-catppuccin-pro-extension

Impact

  • Full compromise of developer workstations
  • Credential theft across development, cloud, and crypto environments
  • Potential complete loss of cryptocurrency assets
  • High risk to organizations with macOS-based developer fleets

Recommendations

  • Immediately audit and remove the listed malicious VS Code extensions
  • Rotate all developer credentials, API keys, and crypto-related secrets
  • Reinstall wallet applications from trusted sources and validate integrity
  • Restrict extension installation via policy and enforce allow-listing
  • Monitor endpoints for delayed execution behavior and LaunchAgent persistence
  • Treat macOS developer environments as high-value targets
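
To support the extension-audit and LaunchAgent-monitoring recommendations above, here is an added Python checker (written for this digest, not part of the original research or any vendor tool) that matches installed VS Code extension folders against the three listed Open VSX identifiers, inspects per-user LaunchAgents for the staging path and osascript usage, and checks whether the /tmp/ijewf staging directory exists. The default ~/.vscode/extensions and ~/Library/LaunchAgents paths and the sample plist are assumptions for illustration.

```python
import plistlib
import re
from pathlib import Path

# Malicious Open VSX extension identifiers (publisher.name) named in the advisory,
# lower-cased because VS Code lower-cases the publisher in installed folder names.
MALICIOUS_EXTENSIONS = {
    "studio-velte-distributor.pro-svelte-extension",
    "cudra-production.vsce-prettier-pro",
    "puccin-development.full-access-catppuccin-pro-extension",
}
STAGING_DIR = "/tmp/ijewf"  # exfiltration staging path reported in the advisory
_VERSION_SUFFIX = re.compile(r"^(.*?)-\d+\.\d+\.\d+")

# Constructed sample LaunchAgent for the self-test; not a real GlassWorm artifact.
SAMPLE_AGENT_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/bin/osascript</string>
<string>/tmp/ijewf/run.scpt</string></array><key>RunAtLoad</key><true/>
</dict></plist>"""

def extension_id(dir_name: str) -> str:
    """Map an installed folder name (publisher.name-1.2.3[-platform]) to publisher.name."""
    m = _VERSION_SUFFIX.match(dir_name)
    return (m.group(1) if m else dir_name).lower()

def find_malicious_extensions(dir_names) -> list:
    """Return advisory-listed identifiers present among installed extension folders."""
    return sorted({extension_id(d) for d in dir_names} & MALICIOUS_EXTENSIONS)

def launch_agent_findings(plist_bytes: bytes) -> list:
    """Flag LaunchAgent traits matching the described persistence: arguments that
    reference the staging directory or invoke osascript, plus RunAtLoad."""
    agent = plistlib.loads(plist_bytes)
    args = [str(a) for a in agent.get("ProgramArguments", [])]
    findings = []
    if any(STAGING_DIR in a for a in args):
        findings.append(f"references staging directory {STAGING_DIR}")
    if any(Path(a).name == "osascript" for a in args):
        findings.append("executes AppleScript via osascript")
    if findings and agent.get("RunAtLoad"):
        findings.append("RunAtLoad persistence enabled")
    return findings

def audit_host(extensions_dir=None, agents_dir=None) -> dict:
    """Run both checks on the live filesystem; defaults are the assumed per-user
    VS Code extensions folder and LaunchAgents directory on macOS."""
    home = Path.home()
    extensions_dir = Path(extensions_dir or home / ".vscode/extensions")
    agents_dir = Path(agents_dir or home / "Library/LaunchAgents")
    report = {"extensions": [], "launch_agents": {}, "staging_dir_present": Path(STAGING_DIR).exists()}
    if extensions_dir.is_dir():
        report["extensions"] = find_malicious_extensions(p.name for p in extensions_dir.iterdir())
    if agents_dir.is_dir():
        for plist in agents_dir.glob("*.plist"):
            if hits := launch_agent_findings(plist.read_bytes()):
                report["launch_agents"][plist.name] = hits
    return report
```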

  1. VVS Discord Stealer Leveraging PyArmor for Obfuscation and Detection Evasion

A malware campaign known as VVS Stealer (also styled VVS $tealer) has been analyzed; it targets Discord users and employs advanced PyArmor-based obfuscation to evade static analysis, signature-based detection, and reverse engineering. The stealer is written in Python, packaged with PyInstaller, and has been actively marketed on Telegram since at least April 2025.

Threat Overview

VVS Stealer is a Python-based infostealer designed to compromise Discord accounts and extract browser data. The malware employs PyArmor Pro (v9.1.4) with BCC mode, AES-128-CTR encryption, delayed execution logic, and obfuscated JavaScript payloads to hinder detection and analysis. It supports credential theft, session hijacking, persistence, and stealth techniques such as fake error prompts.

Key Technical Characteristics

  • Language: Python 3.11
  • Packaging: PyInstaller
  • Obfuscation: PyArmor Pro with BCC mode
  • Encryption: AES-128-CTR for bytecode and string constants
  • Evasion: Heavy anti-analysis and encrypted payload staging
  • Expiration Logic: Malware self-terminates after 2026-10-31

Primary Capabilities

  • Discord Data Theft:
    • Extraction and decryption of Discord tokens
    • Collection of user profile data, Nitro status, MFA, billing details, guilds, and friends
  • Discord Injection:
    • JavaScript injection into Discord’s Electron-based ASAR archives
    • Intercepts password changes, payment actions, and backup code access
    • Hijacks active Discord sessions
  • Browser Data Theft:
    • Targets Chromium and Firefox-based browsers
    • Steals cookies, passwords, autofill data, and browsing history
  • Persistence:
    • Copies itself to Windows Startup directory
  • Stealth Techniques:
    • Displays fake fatal error pop-ups to mislead victims

Exfiltration Mechanism

  • Data compressed into ZIP archives and exfiltrated via Discord webhook URLs
  • Uses fixed User-Agent impersonating Chrome on Windows

Impact

  • Full compromise of Discord accounts
  • Credential theft across browsers and developer environments
  • Persistent reinfection capability
  • High risk of account takeover, financial fraud, and identity abuse

Recommendations

  • Immediately investigate endpoints with Discord injection behavior
  • Rotate all Discord tokens, browser credentials, and stored passwords
  • Block known malicious webhook URLs and monitor outbound webhook traffic
  • Enhance endpoint monitoring for PyInstaller and PyArmor artifacts
  • Educate users against installing untrusted software advertised via Telegram
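
For the webhook-monitoring recommendation, here is an added Python detector (constructed for this digest, not from the original analysis) that scans proxy log lines for outbound POSTs to Discord webhook endpoints and escalates multipart or large uploads, the shape of the ZIP exfiltration described above. The log format, webhook IDs, tokens and size threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Matches Discord webhook endpoints: /api[/vN]/webhooks/<id>/<token> on discord(app).com.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)")

# Constructed proxy log lines (ts|src|method|url|user_agent|bytes_out|content_type);
# the webhook IDs and tokens are invented for this example.
SAMPLE_LOG = """\
2025-05-02T10:00:01Z|10.0.4.12|GET|https://discord.com/api/v9/users/@me|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0|0|-
2025-05-02T10:00:09Z|10.0.4.12|POST|https://discord.com/api/webhooks/1234567890/CONSTRUCTED_token_abc|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0|2621440|multipart/form-data
2025-05-02T10:01:00Z|10.0.4.33|POST|https://discord.com/api/webhooks/99887766/CONSTRUCTED_token_xyz|python-requests/2.31|310|application/json
2025-05-02T10:02:00Z|10.0.4.40|GET|https://example.com/index.html|Mozilla/5.0|0|-
"""


@dataclass
class Alert:
    src: str
    webhook_id: str
    severity: str
    reason: str


def parse_line(line: str) -> dict:
    ts, src, method, url, ua, bytes_out, ctype = line.split("|")
    return {"ts": ts, "src": src, "method": method, "url": url,
            "ua": ua, "bytes_out": int(bytes_out), "ctype": ctype}


def detect_webhook_exfil(lines, size_threshold: int = 1_000_000) -> list:
    """Flag outbound POSTs to Discord webhooks. A plain POST is medium severity;
    a multipart/archive upload or a body over size_threshold bytes is high, which is
    the shape of the ZIP exfiltration the advisory describes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        m = WEBHOOK_RE.search(rec["url"])
        if not m or rec["method"] != "POST":
            continue
        reasons = []
        if "multipart" in rec["ctype"] or "zip" in rec["ctype"]:
            reasons.append(f"upload content-type {rec['ctype']}")
        if rec["bytes_out"] >= size_threshold:
            reasons.append(f"{rec['bytes_out']} bytes sent")
        severity = "high" if reasons else "medium"
        alerts.append(Alert(rec["src"], m.group(1), severity, "; ".join(reasons) or "webhook POST"))
    return alerts


def block_list(alerts) -> list:
    """Webhook URL prefixes to block at the proxy: the numeric ID is unique per webhook,
    so the secret token need not be stored or shared."""
    return sorted({f"https://discord.com/api/webhooks/{a.webhook_id}/" for a in alerts})
```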

  1. Kimwolf Android Botnet Abusing Residential Proxy Networks (AISURU Variant)

The Kimwolf Android botnet is reported to have infected more than 2 million Android devices, tunneling traffic through residential proxy networks and effectively converting compromised devices into proxy nodes that can be abused for large-scale malicious activity. Researchers identify Kimwolf as a strain of the AISURU botnet family, active since at least August 2025, with capabilities ranging from DDoS to reverse shell and file operations.

Threat Overview

Kimwolf operates as a multi-purpose Android botnet with proxy-forwarding as a core feature, enabling attackers to route traffic through victim residential IP addresses. This increases attacker anonymity and can help bypass geo/IP-based filtering while supporting large-scale attack infrastructure.

Key Capabilities

  • Residential proxy tunneling / proxy forwarding (device becomes a traffic relay node)
  • DDoS attack execution (multiple DDoS techniques reported)
  • Reverse shell (remote interactive access)
  • File management (basic remote file operations)

Attribution / Activity

  • Reported as part of the AISURU botnet family
  • Observed in the threat landscape since at least August 2025
  • Reported infections: >2 million Android devices

Impact

  • Large-scale abuse of consumer Android devices for proxy infrastructure and botnet operations
  • Increased risk of downstream attacks originating from legitimate residential IP addresses
  • Potential service disruption via DDoS and operational compromise via remote access tooling

Defensive Coverage (Broadcom / Symantec)

Broadcom notes protections across multiple security layers, including Carbon Black policy-based blocking, file-based detections (e.g., Linux.Mirai, Trojan.Gen.NPE, WS.Malware.1/2), mobile reputation and risk detections (e.g., Android.Reputation.2, AppRisk:Generisk), and web controls via WebPulse category coverage. 

Recommendations

  • Inventory and isolate high-risk Android/IoT-style devices (especially unmanaged or rarely patched endpoints)
  • Apply OS/firmware updates and remove unknown/sideloaded apps where applicable
  • Enforce network segmentation for IoT/Android devices and restrict outbound traffic where possible
  • Monitor for unusual outbound proxy-like traffic patterns (high-volume, long-lived connections, diverse destinations)
  • Ensure endpoint protections and reputation services are enabled and tuned for mobile/Android coverage
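
The proxy-like traffic recommendation can be turned into a concrete check; this added Python example (not Broadcom or vendor code) profiles per-device flow records for the three traits named above, diverse destinations, long-lived connections and high volume, and flags devices showing at least two. The flow records and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict


def constructed_flows() -> list:
    """Constructed flow records (not real telemetry): one Android set-top box relaying
    traffic to many unrelated /24s for hours, and one phone with ordinary browsing."""
    flows = []
    for i in range(40):  # relay node: 40 distinct destination networks, ~2.5 MiB each
        flows.append({"device": "android-tv-lobby", "dst": f"198.18.{i}.10",
                      "dst_port": 443 if i % 2 else 8080, "duration_s": 900, "bytes": 2_600_000})
    flows.append({"device": "android-tv-lobby", "dst": "198.18.200.5",
                  "dst_port": 8443, "duration_s": 21_600, "bytes": 15_000_000})
    for i in range(5):   # ordinary phone: a handful of destinations, short sessions
        flows.append({"device": "phone-alice", "dst": f"203.0.113.{i}",
                      "dst_port": 443, "duration_s": 60, "bytes": 500_000})
    return flows


def profile_devices(flows) -> dict:
    """Aggregate per device: distinct destination /24s, longest connection, bytes out."""
    per = defaultdict(lambda: {"nets": set(), "max_duration": 0, "bytes": 0})
    for f in flows:
        p = per[f["device"]]
        p["nets"].add(ipaddress.ip_network(f"{f['dst']}/24", strict=False))
        p["max_duration"] = max(p["max_duration"], f["duration_s"])
        p["bytes"] += f["bytes"]
    return per


def proxy_like_devices(flows, min_nets=25, min_duration=3600, min_bytes=50 * 2**20) -> dict:
    """Apply the three traits the advisory lists for residential-proxy relays: diverse
    destinations, long-lived connections, high volume. A device is reported when at
    least two traits are present; thresholds are tuning assumptions, not vendor values."""
    flagged = {}
    for device, p in profile_devices(flows).items():
        reasons = []
        if len(p["nets"]) >= min_nets:
            reasons.append(f"{len(p['nets'])} distinct destination /24s")
        if p["max_duration"] >= min_duration:
            reasons.append(f"connection lasting {p['max_duration']} s")
        if p["bytes"] >= min_bytes:
            reasons.append(f"{p['bytes']} bytes sent")
        if len(reasons) >= 2:
            flagged[device] = reasons
    return flagged
```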

  1. DarkSpectre Browser Extension Threat Campaign

A large-scale, highly sophisticated browser extension–based threat campaign, attributed to a threat actor dubbed DarkSpectre, has been identified impacting major web browsers. The operation has been active for over seven years and has compromised more than 8.8 million users worldwide through multiple malware waves, abusing the browser extension trust model to enable long-term, stealthy compromise.

DarkSpectre operates through seemingly legitimate browser extensions that remain benign for extended periods, accumulate trust, ratings, and verified status, and later activate malicious functionality through time-delayed logic, remote configuration, and external payload delivery. Over 300 browser extensions have been impacted during the campaign’s lifetime.

Affected Platforms

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Opera Browser

Key Techniques and Abuse Mechanisms

  • Supply Chain Abuse: Exploitation of browser marketplace trust and post-approval execution gaps
  • Delayed Activation: Malicious logic triggered 48–72 hours after installation with probabilistic execution to evade sandbox detection
  • Remote Payload Delivery: Encoded JavaScript payloads downloaded post-installation without extension updates
  • Steganography: Payloads disguised as image files (PNG) and decoded at runtime
  • Obfuscated Execution: Use of eval-based logic to execute attacker-controlled scripts

Zoom Stealer Campaign (Corporate Espionage Focus)

A notable sub-campaign, Zoom Stealer, marks a shift from monetization-driven crime to systematic corporate intelligence collection. The extensions abused excessive permissions to monitor video conferencing platforms in real time.

  • Targeted Data:
    • Meeting URLs and embedded passwords
    • Meeting IDs, schedules, and registration status
    • Participant lists, speaker profiles, titles, and affiliations
    • Corporate branding assets
  • Exfiltration:
    • Persistent WebSocket connections
    • Real-time data streaming
    • Backend aggregation via Firebase and cloud services

Impact

  • Unauthorized access to confidential corporate meetings
  • Credential harvesting and session hijacking
  • Corporate espionage enabling spear-phishing, impersonation, and strategic intelligence theft
  • Long-term undetected persistence due to delayed activation and trusted extension status

Dormant “Sleeper” Extensions

  • 85+ extensions currently benign
  • Years of positive reputation and user trust
  • Designed to be weaponized later via updates or remote configuration

Recommendations

  • Conduct a full audit of installed browser extensions across the organization
  • Remove extensions with excessive or unrelated permissions
  • Restrict extension installation to approved publishers via policy
  • Rotate compromised meeting links, credentials, and access tokens
  • Monitor for delayed extension behavior and outbound WebSocket connections
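
Here is an added Python manifest auditor (not from the original research) that scores a browser extension's manifest for the traits the campaign abused: broad host access, session-level permissions, an eval-permitting CSP, manifest v2 remote code, and permissions unrelated to a declared theme. The weights, thresholds and sample manifest are this example's own assumptions.

```python
import json

# Permissions that give an extension broad reach into browsing sessions. Weights are
# this example's own scoring assumptions, not a vendor scale.
SENSITIVE_PERMISSIONS = {
    "webRequest": 3, "webRequestBlocking": 3, "declarativeNetRequest": 2, "cookies": 3,
    "scripting": 2, "tabs": 1, "history": 2, "clipboardRead": 2, "nativeMessaging": 3,
    "debugger": 4, "proxy": 3, "webNavigation": 1, "management": 2,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifest of a "theme" extension (not one of the campaign's extensions)
# that requests far more than a theme needs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Dark Mode Theme", "version": "4.2.0",
    "theme": {"colors": {"frame": "#000000"}},
    "permissions": ["webRequest", "webRequestBlocking", "cookies", "tabs", "<all_urls>"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})


def audit_manifest(manifest_json: str) -> dict:
    """Score an extension manifest for the traits the campaign abused: broad host
    access, session-level permissions, eval-permitting CSP, and permissions unrelated
    to the extension's declared purpose. Returns score and human-readable findings."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings, score = [], 0
    for p in sorted(perms & SENSITIVE_PERMISSIONS.keys()):
        findings.append(f"sensitive permission: {p}")
        score += SENSITIVE_PERMISSIONS[p]
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
        score += 4
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 places the policy under extension_pages
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP permits unsafe-eval (runtime execution of fetched code)")
        score += 3
    if m.get("manifest_version", 3) < 3:
        findings.append("manifest v2: remotely hosted code is not restricted")
        score += 1
    if "theme" in m and perms:
        findings.append("theme extension requests runtime permissions (unrelated to purpose)")
        score += 3
    return {"name": m.get("name"), "score": score, "findings": findings,
            "verdict": "remove" if score >= 8 else "review" if score >= 4 else "ok"}
```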

© 2026 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.