Tag: Cyber Security

  • Chrome Targeted by Active In-the-Wild Exploit Tied to Undisclosed High-Severity Flaw

    Dec 11, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

    Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild.

    The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID “466192044.” Unlike other disclosures, Google has opted to keep information about the CVE identifier, the affected component, and the nature of the flaw under wraps.

    However, a GitHub commit for the Chromium bug ID has revealed that the issue resides in Google’s open-source Almost Native Graphics Layer Engine (ANGLE) library, with the commit message stating “Metal: Don’t use pixelsDepthPitch to size buffers. pixelsDepthPitch is based on GL_UNPACK_IMAGE_HEIGHT, which can be smaller than the image height.”

    This indicates the problem is likely a buffer overflow vulnerability in ANGLE’s Metal renderer triggered by improper buffer sizing, which could lead to memory corruption, program crashes, or arbitrary code execution.

    “Google is aware that an exploit for 466192044 exists in the wild,” the company noted, adding that more details are “under coordination.”

    Naturally, the tech giant has also not disclosed any specifics on the identity of the threat actor behind the attacks, who may have been targeted, or the scale of such efforts.

    This is typically done so as to ensure that a majority of the users have applied the fixes and to prevent other bad actors from reverse engineering the patch and developing their own exploits.

    With the latest update, Google has addressed eight zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.

    Also addressed by Google are two other medium-severity vulnerabilities –

    • CVE-2025-14372 – Use-after-free in Password Manager
    • CVE-2025-14373 – Inappropriate implementation in Toolbar

    To safeguard against potential threats, users are advised to update their Chrome browser to versions 143.0.7499.109/.110 for Windows and Apple macOS, and 143.0.7499.109 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.

    Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.


    Source: thehackernews.com…

  • Webinar: How Attackers Exploit Cloud Misconfigurations Across AWS, AI Models, and Kubernetes

    Dec 10, 2025 | The Hacker News | Cloud Security / Threat Detection

    Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code.

    Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world.

    Next week, the Cortex Cloud team at Palo Alto Networks is hosting a technical deep dive to walk you through three recent investigations and exactly how to defend against them.

    What Experts Will Cover

    This isn’t a high-level overview. We are looking at specific, technical findings from the field. In this session, our experts will break down three distinct attack vectors that are bypassing traditional security right now:

    1. AWS Identity Misconfigurations: We will show how attackers abuse simple setup errors in AWS identities to gain initial access without stealing a single password.
    2. Hiding in AI Models: You will see how adversaries mask malicious files in production by mimicking the naming structures of your legitimate AI models.
    3. Risky Kubernetes Permissions: We will examine “overprivileged entities”—containers that have too much power—and how attackers exploit them to take over infrastructure.

    We won’t just talk about the problems; we will show you the mechanics of the attacks. Register now to see the full breakdown of these threats.

    Why This Matters for Your Team

    The core issue with these threats is the visibility gap. Often, the Cloud team builds the environment, and the SOC (Security Operations Center) monitors it, but neither side sees the full picture.

    In this webinar, we will demonstrate how Code-to-Cloud detection fixes this. We will show you how to use runtime intelligence and audit logs to spot these threats early.

    The Takeaway

    By the end of this session, you will have actionable insights on how to:

    • Audit your cloud logs for “invisible” intruders.
    • Clean up risky permissions in Kubernetes.
    • Apply AI-aware controls to protect your development pipeline.

    Don’t wait until you find these vulnerabilities in a breach report. Join us next week and get the knowledge you need to close the gaps.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

    Dec 10, 2025 | Ravie Lakshmanan | Vulnerability / Malware

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.

    “RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,” CISA said in an alert.

    The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

    “This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login,” RARLAB noted at the time.

    The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security that the vulnerability has been exploited by two different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.

    In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may have exploited CVE-2025-6218 along with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails.

    It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to facilitate persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader. The attack leverages a RAR archive (“Provision of Information for Sectoral for AJK.rar”) that contains a benign Word document and a malicious macro template.

    “The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” Foresiet said last month. “Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise.”

    The C# trojan is designed to contact an external server (“johnfashionaccess[.]com”) for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration. It’s assessed that the RAR archives are propagated via spear-phishing attacks.

    Last but not least, CVE-2025-6218 has also been exploited by a Russian hacking group known as Gamaredon in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities to infect them with a malware referred to as Pteranodon. The activity was first observed in November 2025.

    “This is not an opportunistic campaign,” a security researcher who goes by the name Robin said. “It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.”

    It’s worth noting that the adversary has also extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploying a new wiper codenamed GamaWiper.

    “This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities,” ClearSky said in a November 30, 2025, post on X.

    In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks.


    Source: thehackernews.com…

  • Three PCIe Encryption Weaknesses Expose PCIe 5.0+ Systems to Faulty Data Handling

    Dec 10, 2025 | Ravie Lakshmanan | Hardware Security / Vulnerability

    Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose systems to serious risks from a local attacker.

    The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special Interest Group (PCI-SIG).

    “This could potentially result in security exposure, including but not limited to, one or more of the following with the affected PCIe component(s), depending on the implementation: (i) information disclosure, (ii) escalation of privilege, or (iii) denial of service,” the consortium noted.

    PCIe is a widely used high-speed standard to connect hardware peripherals and components, including graphics cards, sound cards, Wi-Fi and Ethernet adapters, and storage devices, inside computers and servers. Introduced in PCIe 6.0, PCIe IDE is designed to secure data transfers through encryption and integrity protections.

    The three IDE vulnerabilities, discovered by Intel employees Arie Aharon, Makaram Raghunandan, Scott Constable, and Shalini Sharma, are listed below –

    • CVE-2025-9612 (Forbidden IDE Reordering) – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data.
    • CVE-2025-9613 (Completion Timeout Redirection) – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag.
    • CVE-2025-9614 (Delayed Posted Redirection) – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale, incorrect data packets.

    PCI-SIG said that successful exploitation of the aforementioned vulnerabilities could undermine the confidentiality, integrity, and security objectives of IDE. However, the attacks hinge on obtaining physical or low-level access to the targeted computer’s PCIe IDE interface, making them low-severity bugs (CVSS v3.1 score: 3.0/CVSS v4 score: 1.8).

    “All three vulnerabilities potentially expose systems implementing IDE and Trusted Domain Interface Security Protocol (TDISP) to an adversary that can breach isolation between trusted execution environments,” it said.

    In an advisory released Tuesday, the CERT Coordination Center (CERT/CC) urged manufacturers to follow the updated PCIe 6.0 standard and apply the Erratum #1 guidance to their IDE implementations. Intel and AMD have published their own alerts, stating the issues impact the following products –

    • Intel Xeon 6 Processors with P-cores
    • Intel Xeon 6700P-B/6500P-B series SoC with P-Cores
    • AMD EPYC 9005 Series Processors
    • AMD EPYC Embedded 9005 Series Processors

    “End users should apply firmware updates provided by their system or component suppliers, especially in environments that rely on IDE to protect sensitive data,” CERT/CC said.


    Source: thehackernews.com…

  • .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL

    Dec 10, 2025 | Ravie Lakshmanan | Enterprise Security / Web Services

    New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution.

    WatchTowr Labs, which has codenamed the “invalid cast vulnerability” SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the list of affected vendors is likely to be longer given the widespread use of .NET.

    The findings were presented today by watchTowr security researcher Piotr Bazydlo at the Black Hat Europe security conference, which is being held in London.

    SOAPwn essentially allows attackers to abuse Web Services Description Language (WSDL) imports and HTTP client proxies to execute arbitrary code in products built on the foundations of .NET due to errors in the way they handle Simple Object Access Protocol (SOAP) messages.

    “It is usually abusable through SOAP clients, especially if they are dynamically created from the attacker-controlled WSDL,” Bazydlo said.

    As a result, .NET Framework HTTP client proxies can be manipulated into using file system handlers and achieve arbitrary file write by passing as URL something like “file://<attacker-controlled input>” into a SOAP client proxy, ultimately leading to code execution. To make matters worse, it can be used to overwrite existing files since the attacker controls the full write path.

    In a hypothetical attack scenario, a threat actor could leverage this behavior to supply a Universal Naming Convention (UNC) path (e.g., “file://attacker.server/poc/poc”) and cause the SOAP request to be written to an SMB share under their control. This, in turn, can allow an attacker to capture the NTLM challenge and crack it.

    That’s not all. The research also found that a more powerful exploitation vector can be weaponized in applications that generate HTTP client proxies from WSDL files using the ServiceDescriptionImporter class by taking advantage of the fact that it does not validate the URL used by the generated HTTP client proxy.

    In this technique, an attacker can provide a URL that points to a WSDL file they control to vulnerable applications, and obtain remote code execution by dropping a fully functional ASPX web shell or additional payloads like CSHTML web shells or PowerShell scripts.

    Following responsible disclosure in March 2024 and July 2025, Microsoft has opted not to fix the vulnerability, stating the issue stems from either an application issue or behavior, and that “users should not consume untrusted input that can generate and run code.”
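
    Because the check has to live in the application, one way to gate a WSDL before it is handed to a proxy generator is shown below, as an added example that is not code from watchTowr, Microsoft, or the original article. It assumes the generated proxy takes its target URL from the WSDL 1.1 address elements; the function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# WSDL 1.1 binding namespaces whose <address location="..."> names the endpoint.
# Assumption: this is where a generated client proxy takes its URL from.
ADDRESS_NAMESPACES = {
    "http://schemas.xmlsoap.org/wsdl/soap/",
    "http://schemas.xmlsoap.org/wsdl/soap12/",
    "http://schemas.xmlsoap.org/wsdl/http/",
}


def url_problem(url):
    """Return a reason string if url is not a plain http(s) URL, else None."""
    if url.startswith("\\\\"):
        return "UNC path"
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme or '(none)'!r} is not http/https"
    if not parts.hostname:
        return "missing host"
    return None


def audit_wsdl(wsdl_bytes):
    """Return [(element, url, reason)] for every endpoint that must be rejected."""
    # Refuse DTDs outright so entity tricks never reach the XML parser.
    if b"<!DOCTYPE" in wsdl_bytes or b"<!ENTITY" in wsdl_bytes:
        return [("document", "", "DTD/entity declarations are not accepted")]
    try:
        root = ET.fromstring(wsdl_bytes)
    except ET.ParseError:
        return [("document", "", "not well-formed XML")]

    findings = []
    for elem in root.iter():
        # ElementTree tags look like "{namespace}local".
        namespace, _, local = elem.tag.rpartition("}")
        if local != "address" or namespace.lstrip("{") not in ADDRESS_NAMESPACES:
            continue
        url = elem.get("location", "")
        reason = url_problem(url)
        if reason:
            findings.append((local, url, reason))
    return findings


# Constructed sample: one normal endpoint and one using the file:// form
# quoted in the article.
SAMPLE_WSDL = b"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="Demo">
  <service name="Demo">
    <port name="Good" binding="tns:B">
      <soap:address location="https://soap.example.test/svc"/>
    </port>
    <port name="Bad" binding="tns:B">
      <soap:address location="file://attacker.server/poc/poc"/>
    </port>
  </service>
</definitions>"""

if __name__ == "__main__":
    for element, url, reason in audit_wsdl(SAMPLE_WSDL):
        print(f"REJECT <{element}> {url}: {reason}")
```

    The same allow-list belongs wherever the application sets a proxy URL at runtime, since a WSDL that passes this gate says nothing about values assigned later.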

    The findings illustrate how expected behavior in a popular framework can become a potential exploit path that leads to NTLM relaying or arbitrary file writes. The issue has since been addressed in Barracuda Service Center RMM version 2025.1.1 (CVE-2025-34392, CVSS score: 9.8) and Ivanti EPM version 2024 SU4 SR1 (CVE-2025-13659, CVSS score: 8.8).

    “It is possible to make SOAP proxies write SOAP requests into files rather than sending them over HTTP,” Bazydlo said. “In many cases, this leads to remote code execution through webshell uploads or PowerShell script uploads. The exact impact depends on the application using the proxy classes.”


    Source: thehackernews.com…

  • React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

    React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress.

    This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq.

    The cybersecurity company said it has observed attackers targeting numerous organizations via CVE-2025-55182, a critical security vulnerability in RSC that allows unauthenticated remote code execution. As of December 8, 2025, these efforts have been aimed at a wide range of sectors, but prominently the construction and entertainment industries.

    The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor.

    In two other cases, attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Some of the notable intrusions also singled out Linux hosts to drop the XMRig cryptocurrency miner, and leveraged a publicly available GitHub tool to identify vulnerable Next.js instances before commencing the attack.

    “Based on the consistent pattern observed across multiple endpoints, including identical vulnerability probes, shell code tests, and C2 infrastructure, we assess that the threat actor is likely leveraging automated exploitation tooling,” Huntress researchers said. “This is further supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems.”

    A brief description of some of the payloads downloaded in these attacks is as follows –

    • sex.sh, a bash script that retrieves XMRig 6.24.0 directly from GitHub
    • PeerBlight, a Linux backdoor that shares some code overlaps with two malware families RotaJakiro and Pink that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a “ksoftirqd” daemon process to evade detection
    • CowTunnel, a reverse proxy that initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections
    • ZinFoq, a Linux ELF binary that implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities
    • d5.sh, a dropper script responsible for deploying the Sliver C2 framework
    • fn22.sh, a “d5.sh” variant with an added self-update mechanism to fetch a new version of the malware and restart it
    • wocaosinm.sh, a variant of the Kaiji DDoS malware that incorporates remote administration, persistence, and evasion capabilities

    PeerBlight supports capabilities to establish communications with a hard-coded C2 server (“185.247.224[.]41:8443”), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. The backdoor also makes use of a domain generation algorithm (DGA) and BitTorrent Distributed Hash Table (DHT) network as fallback C2 mechanisms.

    “Upon joining the DHT network, the backdoor registers itself with a node ID beginning with the hardcoded prefix LOLlolLOL,” the researchers explained. “This 9-byte prefix serves as an identifier for the botnet, with the remaining 11 bytes of the 20-byte DHT node ID randomized.”

    “When the backdoor receives DHT responses containing node lists, it scans for other nodes whose IDs start with LOLlolLOL. When it finds a matching node, it knows this is either another infected machine or an attacker-controlled node that can provide C2 configuration.”

    Huntress said it identified over 60 unique nodes with the LOLlolLOL prefix, adding that multiple conditions have to be met in order for an infected bot to share its C2 configuration with another node: a valid client version, configuration availability on the responding bot’s side, and the correct transaction ID.

    Even when all the necessary conditions are satisfied, the bots are designed such that they only share the configuration about one-third of the time based on a random check, possibly in a bid to reduce network noise and avoid detection.
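
    One way to hunt for the node-ID marker described above in captured DHT traffic, as an added example that is not code from Huntress or from the original article: it decodes a BitTorrent DHT (BEP 5) reply and flags every 20-byte node ID that starts with the LOLlolLOL prefix. The packet bytes, addresses, and function names are constructed for illustration.

```python
import ipaddress
import struct

BOTNET_PREFIX = b"LOLlolLOL"   # 9-byte prefix reported by Huntress
NODE_ID_LEN = 20               # BEP 5 node IDs are 160 bits
COMPACT_NODE_LEN = 26          # 20-byte ID + 4-byte IPv4 + 2-byte port


def bdecode(data, pos=0):
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    lead = data[pos:pos + 1]
    if lead == b"i":                               # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if lead in (b"l", b"d"):                       # list or dict, closed by "e"
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)         # raises at end of input
            items.append(item)
        if lead == b"l":
            return items, pos + 1
        if len(items) % 2:
            raise ValueError("dict with a dangling key")
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if lead.isdigit():                             # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def flag_botnet_nodes(packet):
    """Return (node_id_hex, ip, port, where) for each ID carrying the prefix."""
    try:
        msg, _ = bdecode(packet)
    except (ValueError, TypeError, RecursionError):
        return []                                  # not a well-formed DHT message
    if not isinstance(msg, dict) or msg.get(b"y") != b"r":
        return []                                  # only replies carry node lists
    reply = msg.get(b"r")
    if not isinstance(reply, dict):
        return []

    hits = []
    sender = reply.get(b"id", b"")
    if (isinstance(sender, bytes) and len(sender) == NODE_ID_LEN
            and sender.startswith(BOTNET_PREFIX)):
        hits.append((sender.hex(), None, None, "responder"))

    nodes = reply.get(b"nodes", b"")
    if not isinstance(nodes, bytes):
        nodes = b""
    # Walk the compact node list; a trailing partial record is ignored.
    for off in range(0, len(nodes) - COMPACT_NODE_LEN + 1, COMPACT_NODE_LEN):
        node_id, ip_raw, port = struct.unpack_from("!20s4sH", nodes, off)
        if node_id.startswith(BOTNET_PREFIX):
            ip = str(ipaddress.IPv4Address(ip_raw))
            hits.append((node_id.hex(), ip, port, "nodes"))
    return hits


def _compact(node_id, ip, port):
    """Build one 26-byte compact node record (used only for the sample)."""
    return node_id + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


# Constructed sample reply: one prefixed node and one ordinary node,
# using documentation-range addresses.
SAMPLE_NODES = (
    _compact(BOTNET_PREFIX + bytes(range(11)), "192.0.2.10", 6881)
    + _compact(bytes(range(100, 120)), "198.51.100.7", 51413)
)
SAMPLE_REPLY = (
    b"d1:rd2:id20:" + bytes(range(20, 40))
    + b"5:nodes" + str(len(SAMPLE_NODES)).encode() + b":" + SAMPLE_NODES
    + b"e1:t2:aa1:y1:re"
)

if __name__ == "__main__":
    for node_id, ip, port, where in flag_botnet_nodes(SAMPLE_REPLY):
        print(f"prefixed node {node_id} at {ip}:{port} (seen in {where})")
```

    A chance match on nine bytes of a random ID is vanishingly unlikely, so a hit from an internal host's DHT traffic is worth triaging; IPv6 `nodes6` lists are not parsed here.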

    ZinFoq, in a similar manner, beacons out to its C2 server and is equipped to parse incoming instructions to run commands using “/bin/bash,” enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection.

    ZinFoq also takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services (e.g., “/sbin/audispd,” “/usr/sbin/ModemManager,” “/usr/libexec/colord,” or “/usr/sbin/cron -f”) to conceal its presence.

    Organizations relying on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack are advised to update immediately, given the “potential ease of exploitation and the severity of the vulnerability,” Huntress said.

    The development comes as the Shadowserver Foundation said it detected over 165,000 IP addresses and 644,000 domains with vulnerable code as of December 8, 2025, after “scan targeting improvements.” More than 99,200 instances are located in the U.S., followed by Germany (14,100), France (6,400), and India (4,500).


    Source: thehackernews.com…

  • Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

    Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.

    The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).

    “An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,” Fortinet said in an advisory.

    The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle “Allow administrative login using FortiCloud SSO” in the registration page.

    To temporarily protect their systems against attacks exploiting these vulnerabilities, organizations are advised to disable the FortiCloud login feature (if enabled) until it can be updated. This can be done in two ways –

    • Go to System -> Settings -> Switch “Allow administrative login using FortiCloud SSO” to Off
    • Run the below command in the CLI –
          config system global
              set admin-forticloud-sso-login disable
          end

    Ivanti Releases Fix for Critical EPM Flaw

    Ivanti has also shipped updates to address four security flaws in Endpoint Manager (EPM), one of which is a critical severity bug in the EPM core and remote consoles. The vulnerability, assigned the CVE identifier CVE-2025-10573, carries a CVSS score of 9.6.

    “Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session,” Ivanti said.

    Rapid7 security researcher Ryan Emmons, who discovered and reported the shortcoming on August 15, 2025, said it allows an attacker with unauthenticated access to the primary EPM web service to join fake managed endpoints to the EPM server so as to poison the administrator web dashboard with malicious JavaScript.

    “When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session,” Emmons said.

    Douglas McKee, director of vulnerability intelligence at Rapid7, said in a statement that CVE-2025-10573 represents a serious risk as it’s trivial to exploit, which can be done by sending a fake device report to the server using a basic file format.

    “While the attack only fully executes when an administrator views the dashboard, this is a routine and necessary task for IT staff; consequently, the likelihood of triggering the exploit during normal operations is high, ultimately allowing the attacker to take control of the administrator’s session,” McKee added.

    Ensar Seker, CISO at threat intelligence company SOCRadar, also emphasized that the user interaction requirement doesn’t reduce the vulnerability’s threat level and that it has a “significant” exploitation potential when combined with social engineering.

    “Remote code execution via JavaScript injection is no longer theoretical in supply chain attacks; it’s become operationally viable,” Seker said. “Organizations must act swiftly to patch, and more importantly, implement rigorous user interface sanitization and privilege segmentation.”

    The company noted that user interaction is required to exploit the flaw and that it’s not aware of any attacks in the wild. It has been patched in EPM version 2024 SU4 SR1.

    Also patched in the same version are three other high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662) that could allow a remote, unauthenticated attacker to achieve arbitrary code execution. CVE-2025-13662, like in the case of CVE-2025-59718 and CVE-2025-59719, stems from improper verification of cryptographic signatures in the patch management component.

    SAP Fixes Three Critical Flaws

    Lastly, SAP has pushed December security updates to address 14 vulnerabilities across multiple products, including three critical-severity flaws. They are listed below –

    • CVE-2025-42880 (CVSS score: 9.9) – A code injection vulnerability in SAP Solution Manager
    • CVE-2025-55754 (CVSS score: 9.6) – Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
    • CVE-2025-42928 (CVSS score: 9.1) – A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE)

    Boston-based SAP security platform Onapsis has been credited with reporting CVE-2025-42880 and CVE-2025-42928. The company said it identified a remote-enabled function module in SAP Solution Manager that enables an authenticated attacker to inject arbitrary code.

    “Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch,” Onapsis security researcher Thomas Fritsch said.

    CVE-2025-42928, on the other hand, allows for remote code execution by providing specially crafted input to the SAP jConnect SDK component. However, a successful exploitation requires elevated privileges.

    With security vulnerabilities in Fortinet, Ivanti, and SAP’s software frequently exploited by bad actors, it’s essential that users move quickly to apply the fixes.


    Source: thehackernews.com…

  • Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

    Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.

    Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.

    In total, Microsoft has addressed 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It’s the third time it has done so since Patch Tuesday’s inception.

    The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).

    The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.

    “File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,” Adam Barnett, lead software engineer at Rapid7, said in a statement. “Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.”

    “The Cloud Files minifilter is used by OneDrive, Google Drive, iCloud, and others, although as a core Windows component, it would still be present on a system where none of those apps were installed.”

    It’s currently not known how the vulnerability is being abused in the wild and in what context, but successful exploitation requires an attacker to obtain access to a susceptible system through some other means. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw.

    According to Mike Walters, president and co-founder of Action1, a threat actor could gain low-privileged access through methods like phishing, web browser exploits, or another known remote code execution flaw, and then chain it with CVE-2025-62221 to seize control of the host.

    Armed with this access, the attacker could deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and the access can be weaponized to achieve a domain-wide compromise when coupled with credential theft scenarios.

    The exploitation of CVE-2025-62221 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025.

    The remaining two zero-days are listed below –

    • CVE-2025-54100 (CVSS score: 7.8) – A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally
    • CVE-2025-64671 (CVSS score: 8.4) – A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally

    “This is a command injection flaw in how Windows PowerShell processes web content,” Action1’s Alex Vovk said about CVE-2025-54100. “It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest.”

    “The threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker can use social engineering to persuade a user or admin to run a PowerShell snippet using Invoke-WebRequest, allowing a remote server to return crafted content that triggers the parsing flaw and leads to code execution and implant deployment.”

    It’s worth noting that CVE-2025-64671 comes in the wake of a broader set of security vulnerabilities collectively named IDEsaster that was recently disclosed by security researcher Ari Marzouk. The issues arise as a result of adding agentic capabilities to an integrated development environment (IDE), exposing new security risks in the process.

    These attacks leverage prompt injections against the artificial intelligence (AI) agents embedded into IDEs and combine them with the base IDE layer to result in information disclosure or command execution.

    “This uses an ‘old’ attack chain of using a vulnerable tool, so not exactly part of the IDEsaster novel attack chain,” Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. “Specifically, a vulnerable ‘execute command’ tool where you can bypass the user-configured allow list.”

    Marzouk also said multiple IDEs were found vulnerable to the same attack, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, and CVE-2025-65946). Furthermore, GitHub Copilot for Visual Studio Code has been found to be susceptible to the vulnerability, although, in this case, Microsoft assigned it a “Medium” severity rating with no CVE.

    “The vulnerability states that it’s possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user’s ‘auto-approve’ settings,” Kev Breen, senior director of cyber threat research at Immersive, said.

    “This can be achieved through ‘Cross Prompt Injection,’ which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including —


    Source: thehackernews.com…

  • Google Adds Layered Defenses to Chrome to Block Indirect Prompt Injection Threats

    Google on Monday announced a set of new security features in Chrome, following the company’s addition of agentic artificial intelligence (AI) capabilities to the web browser.

    To that end, the tech giant said it has implemented layered defenses to make it harder for bad actors to exploit indirect prompt injections that arise as a result of exposure to untrusted web content and inflict harm.

    Chief among the features is a User Alignment Critic, which uses a second model to independently evaluate the agent’s actions in a manner that’s isolated from malicious prompts. This approach complements Google’s existing techniques, like spotlighting, which instruct the model to stick to user and system instructions rather than abiding by what’s embedded in a web page.

    “The User Alignment Critic runs after the planning is complete to double-check each proposed action,” Google said. “Its primary focus is task alignment: determining whether the proposed action serves the user’s stated goal. If the action is misaligned, the Alignment Critic will veto it.”

    The component is designed to view only metadata about the proposed action and is prevented from accessing any untrustworthy web content, thereby ensuring that it is not poisoned through malicious prompts that may be included in a website. With the User Alignment Critic, the idea is to provide safeguards against any malicious attempts to exfiltrate data or hijack the intended goals to carry out the attacker’s bidding.

    “When an action is rejected, the Critic provides feedback to the planning model to re-formulate its plan, and the planner can return control to the user if there are repeated failures,” Nathan Parker from the Chrome security team said.

    Google is also enforcing what’s called Agent Origin Sets to ensure that the agent only has access to data from origins that are relevant to the task at hand or data sources the user has opted to share with the agent. This aims to address site isolation bypasses where a compromised agent can interact with arbitrary sites, enabling it to exfiltrate data from logged-in sites.

    This is implemented by means of a gating function that determines which origins are related to the task and categorizes them into two sets –

    • Read-only origins, from which Google’s Gemini AI model is permitted to consume content
    • Read-writable origins, on which the agent can type or click in addition to reading from them

    “This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins,” Google explained. “This bounds the threat vector of cross-origin data leaks.”

    Similar to the User Alignment Critic, the gating function is not exposed to untrusted web content. The planner is also required to obtain the gating function’s approval before adding new origins, although it can use context from the web pages a user has explicitly shared in a session.

    Another key pillar underpinning the new security architecture relates to transparency and user control, allowing the agent to create a work log for user observability and request their explicit approval before navigating to sensitive sites, such as banking and healthcare portals, permitting sign-ins via Google Password Manager, or completing web actions like purchases, payments, or sending messages.

    Lastly, the agent also checks each page for indirect prompt injections and operates alongside Safe Browsing and on-device scam detection to block potentially suspicious content.

    “This prompt-injection classifier runs in parallel to the planning model’s inference, and will prevent actions from being taken based on content that the classifier determined has intentionally targeted the model to do something unaligned with the user’s goal,” Google said.

    To further incentivize research and poke holes in the system, the company said it will pay up to $20,000 for demonstrations that result in a breach of the security boundaries. These include indirect prompt injections that allow an attacker to –

    • Carry out rogue actions without confirmation
    • Exfiltrate sensitive data without an effective opportunity for user approval
    • Bypass a mitigation that should have ideally prevented the attack from succeeding in the first place

    “By extending some core principles like origin-isolation and layered defenses, and introducing a trusted-model architecture, we’re building a secure foundation for Gemini’s agentic experiences in Chrome,” Google said. “We remain committed to continuous innovation and collaboration with the security community to ensure Chrome users can explore this new era of the web safely.”

    The announcement follows research from Gartner that called on enterprises to block the use of agentic AI browsers until the associated risks, such as indirect prompt injections, erroneous agent actions, and data loss, can be appropriately managed.

    The research also warns of a possible scenario where employees “might be tempted to use AI browsers and automate certain tasks that are mandatory, repetitive, and less interesting.” This could cover cases where an individual dodges mandatory cybersecurity training by instructing the AI browser to complete it on their behalf.

    “Agentic browsers, or what many call AI browsers, have the potential to transform how users interact with websites and automate transactions while introducing critical cybersecurity risks,” the advisory firm said. “CISOs must block all AI browsers in the foreseeable future to minimize risk exposure.”

    The development comes as the U.S. National Cyber Security Centre (NCSC) said that large language models (LLMs) may suffer from a persistent class of vulnerability known as prompt injection and that the problem can never be resolved in its entirety.

    “Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt,” said David C, NCSC technical director for Platforms Research. “Design protections need to therefore focus more on deterministic (non-LLM) safeguards that constrain the actions of the system, rather than just attempting to prevent malicious content reaching the LLM.”


    Source: thehackernews.com…

  • How to Streamline Zero Trust Using the Shared Signals Framework

    Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t share signals reliably. 88% of organizations admit they’ve suffered significant challenges in trying to implement such approaches, according to Accenture. When products can’t communicate, real-time access decisions break down.

    The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust doesn’t currently support SSF.

    Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams an easy and intuitive way to operationalize SSF across their environment.

    In this guide, we’ll share an overview of the workflow, plus step-by-step instructions for getting it up and running.

    The problem – IAM tools don’t support SSF

    A core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools don’t support SSF for Continuous Access Evaluation Protocol (CAEP), making it hard to share or act on these signals.

    Teams often face three challenges:

    • Tools lack native SSF support
    • Signals require enrichment or correlation
    • Managing SSF endpoints and token handling adds overhead

    Without this interoperability, organizations struggle to apply consistent policies — and in cases like Kolide Device Trust, critical device events never reach systems like Okta.

    The solution – an SSF transmitter that turns Kolide issues into CAEP events

    Because SSF is built on HTTPS requests, the OpenID standard works with Tines’ HTTP Action.

    Scott developed a new workflow integrating Kolide Device Trust with Tines, enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta.

    In this way, Tines acts as the connective tissue that makes SSF work across the distributed IT environment, even if individual tools don’t natively support the standard.

    Tines can:

    • Receive signals from Kolide (and tools like it) via webhook when a device becomes non-compliant
    • Enrich and correlate those signals (e.g., map device to user)
    • Generate and sign SETs that meet the SSF specification
    • Deliver them to Okta (and other identity providers) to enforce Zero Trust
    • Host required SSF metadata endpoints using API path prefixes, giving consuming systems a standards-compliant place to fetch keys and verify token signatures

    All of which makes Zero Trust enforcement faster, more reliable, and much easier to operationalize. IT teams are empowered with continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration. And end users get the benefit of automated remediation, which helps to optimize productivity and minimize IT intervention.

    If you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation. Scott’s workflow is one of several real-world patterns inside.

    Workflow overview

    Required tools:

    • Tines – workflow orchestration and AI platform
    • Kolide – device trust and posture monitoring
    • Okta – identity platform receiving CAEP events

    Required credentials:

    • Tines API Key – `Team` Scoped with the `Editor` role
    • Kolide API Key – Read Only
    • Kolide Webhook Signing Secret

    Required resources:

    Okta domain, such as example.okta.com, example.oktapreview.com, or a branded domain.

    How it works:

    The workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (sent as SETs), based on issues generated in Kolide. There are three elements:

    1. Generate and store SET signing keys (SETs are signed JSON Web Tokens):

    • Creates an RSA key pair and converts it to JWK format.
    • Publishes the public key for SSF receivers to validate SET signatures.
    • Stores the private JWK keyset as a Tines secret.

    2. Expose SSF transmitter API

    SSF receivers (like Okta) need:

    • a .well-known/sse-configuration endpoint describing the transmitter
    • a JWK endpoint exposing the public key used to verify SET signatures

    In the workflow:

    • a webhook trigger acts as the SSF API surface
    • logic returns the .well-known config
    • logic returns the JWKs

    Once this is live, teams can register a new SSF receiver in Okta under:

    • Security → Device Integrations → Receive shared signals

    Then create a new stream using the API’s URL and the new `.well-known` endpoint.

    3. Create, sign and send SETs from Kolide events

    • Receives Kolide issue events via webhook and validates them using the signing secret.
    • Fetches device and user metadata from Kolide.
    • Builds a SET for a Device Compliance Change CAEP event.
    • Signs the SET with the stored private key using the JWT_SIGN formula.
    • Sends the signed token to Okta’s security-events endpoint.

    This delivers real-time device-compliance updates to Okta so access policies can respond immediately.

    Configuring the workflow — a step-by-step guide

    You can build and run this entire workflow using Tines Community Edition.

    1. Log into Tines or create a new account.

    2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

    3. Gather the required credentials

    • Tines API Key (team-scoped with Editor role)
    • Kolide API Key (read-only)
    • Kolide Webhook Signing Secret

    These ensure authenticated calls to Kolide and secure webhook validation.

    4. Collect your required resources

    You’ll need an Okta tenant domain, such as:

    • example.oktapreview.com
    • example.okta.com
    • or your custom Okta brand domain

    This domain is used when sending signed SETs to Okta’s security-events endpoint.

    Note: In the example provided, Scott set up the transmitter as a `push` rather than a `poll` provider because tokens are sent in response to inbound webhooks, so there’s no need to store state.

    5. Generate your SET signing keys

    • Use the Generate JWK keyset action to create RSA keys
    • Convert both public and private keys to JWK format (two event transforms)
    • Store the resulting keyset using a Tines secret

    This is required before Okta will accept and verify your SETs.

    6. Publish the SSF transmitter API

    The SSF API webhook contains two branches:

    • .well-known endpoint
      • Trigger: well-known
      • Event transform: returns the SSF configuration declaring the transmitter’s capabilities
    • JWKS endpoint
      • Trigger: JWKs
      • Event transform: returns the public JWKs so Okta can verify signatures

    Once live, Okta can register this transmitter as a shared signals sender.

    7. Connect Kolide and process device issues

    The Kolide integration flow follows these steps:

    • Webhook: Kolide webhook – receives issue opened/resolved events
    • Get device details – fetches metadata for the device involved
    • Device has a user – branching logic to confirm a user is associated
    • Get user details – look up user metadata for the CAEP payload

    Depending on whether the issue is new or resolved:

    • Build SET – construct the CAEP device_compliance_change event
    • Sign SET – use the RSA private key stored earlier to produce an SSF-compliant SET
    • Send SET – send the final signed token to Okta’s security-events endpoint

    As soon as Okta receives and verifies the SET, the associated user risk level updates.
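
    Steps 5 to 7 as an added example in Node.js, using only the built-in crypto module; this is not the Tines workflow or Scott’s code. It generates the keyset, builds and signs a device-compliance-change SET, and shows the checks a receiver performs against the published JWKS. The issue shape, issuer URL and key ID are constructed, and placing the subject inside the event is an assumption about what the receiver expects.

```javascript
const crypto = require('node:crypto');

const CAEP_DEVICE =
  'https://schemas.openid.net/secevent/caep/event-type/device-compliance-change';
const b64u = (data) => Buffer.from(data).toString('base64url');

// Step 5: create the RSA pair. The JWKS holds the public half only and is
// what the transmitter's JWKS endpoint would return.
function generateKeyset(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid, alg: 'RS256', use: 'sig' };
  return { privateKey, jwks: { keys: [jwk] } };
}

// Step 7, "Build SET": map an issue to SET claims. The `issue` fields are a
// constructed shape for this example, not Kolide's webhook schema.
function buildSet(issue, issuer, audience) {
  const resolved = issue.status === 'resolved';
  return {
    iss: issuer,
    aud: audience,
    jti: crypto.randomUUID(),
    iat: Math.floor(Date.now() / 1000),
    events: {
      [CAEP_DEVICE]: {
        subject: { user: { format: 'email', email: issue.userEmail } }, // assumed placement
        previous_status: resolved ? 'not-compliant' : 'compliant',
        current_status: resolved ? 'compliant' : 'not-compliant',
      },
    },
  };
}

// Step 7, "Sign SET": compact JWS with RS256 and typ secevent+jwt (RFC 8417).
function signSet(claims, privateKey, kid) {
  const header = { alg: 'RS256', typ: 'secevent+jwt', kid };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign('sha256', Buffer.from(input), privateKey))}`;
}

// Receiver side: pin the algorithm and type, select the key by kid, verify
// the signature, and only then trust iss/aud and the event body.
function verifySet(token, jwks, expectedIss, expectedAud) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed SET');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256' || header.typ !== 'secevent+jwt') throw new Error('unexpected header');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== expectedIss || claims.aud !== expectedAud) throw new Error('wrong iss or aud');
  return claims;
}
```

    A receiver that skips the `alg` and `kid` checks, or reads claims before verifying the signature, will accept a token whose compliance status has been edited in transit.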

    Bringing it all together

    SSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools don’t support the standard, gaps open up, and access policies lag behind real-world changes.

    Tines bridges these gaps by enabling new intelligent workflows. They ensure that even tools that don’t support SSF can send information in the same standardized way. By using Tines to generate, sign, and deliver compliance signals in real time, you get the benefits of SSF even when the source tool wasn’t built for it.

    If you’d like to try this workflow yourself, you can spin it up in minutes with a free Tines account. And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott’s you can start building on today.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…