Tag: Cyber Threats

  • Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code

    Aug 13, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild.

    The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory.

    The following versions are impacted by the flaw:

    • FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
    • FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
    • FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
    • FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
    • FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
    • FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)
    • FortiSIEM 7.4 (Not affected)

    Fortinet acknowledged in its advisory that a “practical exploit code for this vulnerability was found in the wild,” but did not share any additional specifics about the nature of the exploit and where it was found. It also noted that the exploitation code does not appear to produce distinctive indicators of compromise (IoCs).

    As workarounds, the network security company is recommending that organizations limit access to the phMonitor port (7900).

    The disclosure comes a day after GreyNoise warned of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices, with dozens of IP addresses from the United States, Canada, Russia, and the Netherlands probing devices located across the world.


    Source: thehackernews.com…

  • Webinar: What the Next Wave of AI Cyberattacks Will Look Like — And How to Survive

    Aug 13, 2025 | The Hacker News | Artificial Intelligence / Identity Security

    The AI revolution isn’t coming. It’s already here. From copilots that write our emails to autonomous agents that can take action without us lifting a finger, AI is transforming how we work.

    But here’s the uncomfortable truth: Attackers are evolving just as fast.

    Every leap forward in AI gives bad actors new tools — deepfake scams so real they trick your CFO, bots that can bypass human review, and synthetic identities that slip quietly into your systems. The fight is no longer at your network’s edge. It’s at your login screen.

    And that’s why identity has become the last line of defense.

    Why This Matters Now

    Legacy security can’t keep up. Traditional models were built for slower threats and predictable patterns. AI doesn’t play by those rules.

    Today’s attackers:

    • Scale at machine speed.
    • Use deepfakes to impersonate trusted people.
    • Exploit APIs through autonomous agents.
    • Create fake “non-human” identities that look perfectly legitimate.

    The only security control that can adapt and scale as fast as AI? Identity. If you can’t verify who — or what — is accessing your systems, you’ve already lost.

    The Webinar That Connects the Dots

    In AI’s New Attack Surface: Why Identity Is the Last Line of Defense, Okta’s Karl Henrik Smith will show you:

    • Where AI is creating hidden vulnerabilities — and how to find them before attackers do.
    • How “synthetic identities” work (and why they’re scarier than you think).
    • The blueprint for an “identity security fabric” that protects humans and non-human actors.
    • How to build secure-by-design AI apps without slowing innovation.

    Whether you’re a developer, security architect, or tech leader, you’ll leave with a clear, practical plan for staying ahead of AI-powered threats.

    The next wave of cyberattacks won’t be about if someone can get past your defenses — it’ll be about how fast they can.

    Put identity where it belongs: at the center of your security strategy.


    Source: thehackernews.com…

  • Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws

    Microsoft on Tuesday rolled out fixes for a massive set of 111 security flaws across its software portfolio, including one flaw that has been disclosed as publicly known at the time of the release.

    Of the 111 vulnerabilities, 16 are rated Critical, 92 are rated Important, two are rated Moderate, and one is rated Low in severity. Forty-four of the vulnerabilities relate to privilege escalation, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4) defects.

    This is in addition to 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android.

    Included among the vulnerabilities is a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.

    The publicly disclosed zero-day is CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

    It’s worth mentioning here that the issue was publicly detailed back in May 2025 by the web infrastructure and security company, giving it the codename BadSuccessor. The novel technique essentially allows a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing delegated Managed Service Account (dMSA) objects.

    “The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act,” Adam Barnett, lead software engineer at Rapid7, told The Hacker News.

    “However, abuse of CVE-2025-53779 is certainly plausible as the final link of a multi-exploit chain which stretches from no access to total pwnage.”

    Action1’s Mike Walters noted that the path traversal flaw can be abused by an attacker to create improper delegation relationships, enabling them to impersonate privileged accounts, escalate to a domain administrator, and potentially gain full control of the Active Directory domain.

    “An attacker who already has a compromised privileged account can use it to move from limited administrative rights to full domain control,” Walters added. “It can also be paired with methods such as Kerberoasting or Silver Ticket attacks to maintain persistence.”

    “With domain administrator privileges, attackers can disable security monitoring, modify Group Policy, and tamper with audit logs to hide their activity. In multi-forest environments or organizations with partner connections, this flaw could even be leveraged to move from one compromised domain to others in a supply chain attack.”

    Satnam Narang, senior staff research engineer at Tenable, said the immediate impact of BadSuccessor is limited, as only 0.7% of Active Directory domains had met the prerequisite at the time of disclosure. “To exploit BadSuccessor, an attacker must have at least one domain controller in a domain running Windows Server 2025 in order to achieve domain compromise,” Narang pointed out.
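    The two dMSA attributes named above are what a defender should be able to enumerate. The following PowerShell audit is an added example, not code from the article, Rapid7, Akamai or Microsoft: it lists every dMSA in the domain, shows which accounts it is recorded as succeeding (msds-ManagedAccountPrecededByLink) and which principals may retrieve its password (msds-groupMSAMembership), and flags rows for review. It assumes the RSAT ActiveDirectory module and that the dMSA object class is named `msDS-DelegatedManagedServiceAccount` (the Windows Server 2025 schema); the function name `Get-DmsaExposureReport` is this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article, Rapid7, Akamai or Microsoft: inventory
# delegated Managed Service Accounts (dMSAs) and report the two attributes whose
# control is the stated prerequisite for abusing CVE-2025-53779.
# Assumption: the dMSA object class is named 'msDS-DelegatedManagedServiceAccount'
# (Windows Server 2025 schema); adjust $DmsaObjectClass if your schema differs.

function Get-DmsaExposureReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$DmsaObjectClass = 'msDS-DelegatedManagedServiceAccount'   # assumption, see above
    )

    $attrs = @('msDS-ManagedAccountPrecededByLink', 'msDS-GroupMSAMembership', 'whenChanged')

    Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$DmsaObjectClass)" -Properties $attrs |
        ForEach-Object {
            $dmsa = $_

            # Accounts this dMSA is recorded as superseding. The technique works by
            # pointing this link at a privileged account, so any non-empty value
            # outside a planned migration deserves a look.
            $precededBy = @($dmsa.'msDS-ManagedAccountPrecededByLink')

            # Security descriptor naming who may retrieve the managed password.
            # The AD module normally hands back ActiveDirectorySecurity; cope with
            # the raw byte[] form too.
            $sd = $dmsa.'msDS-GroupMSAMembership'
            if ($sd -is [byte[]]) {
                $raw = $sd
                $sd  = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $sd.SetSecurityDescriptorBinaryForm($raw)
            }
            $allowed = @()
            if ($sd) {
                $allowed = @($sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                    Where-Object { $_.AccessControlType -eq 'Allow' } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique)
            }

            [pscustomobject]@{
                DMSA                  = $dmsa.DistinguishedName
                PrecededBy            = $precededBy
                PasswordRetrievableBy = $allowed
                LastChanged           = $dmsa.whenChanged
                NeedsReview           = ($precededBy.Count -gt 0)
            }
        }
}

# Usage: run with an account that can read these attributes, then review every
# row where NeedsReview is True and confirm each principal listed under
# PasswordRetrievableBy is one you expect to hold that right.
Get-DmsaExposureReport | Sort-Object NeedsReview -Descending | Format-List
```

    A dMSA whose PrecededBy link points at a Domain Admin or other tier-0 account, with no migration ticket to explain it, is the state the technique produces; the PasswordRetrievableBy column tells you who could already use that account. Pair the output with change auditing on these two attributes, since the quoted prerequisite is write control over them.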

    Some of the notable Critical-rated vulnerabilities patched by Redmond this month are listed below:

    • CVE-2025-53767 (CVSS score: 10.0) – Azure OpenAI Elevation of Privilege Vulnerability
    • CVE-2025-53766 (CVSS score: 9.8) – GDI+ Remote Code Execution Vulnerability
    • CVE-2025-50165 (CVSS score: 9.8) – Windows Graphics Component Remote Code Execution Vulnerability
    • CVE-2025-53792 (CVSS score: 9.1) – Azure Portal Elevation of Privilege Vulnerability
    • CVE-2025-53787 (CVSS score: 8.2) – Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
    • CVE-2025-50177 (CVSS score: 8.1) – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
    • CVE-2025-50176 (CVSS score: 7.8) – DirectX Graphics Kernel Remote Code Execution Vulnerability

    Microsoft noted that the three cloud service CVEs impacting Azure OpenAI, Azure Portal, and Microsoft 365 Copilot BizChat have already been remediated, and that they require no customer action.

    Check Point, which disclosed CVE-2025-53766 alongside CVE-2025-30388, said the vulnerabilities allow attackers to execute arbitrary code on the affected system, leading to a full system compromise.

    “The attack vector involves interacting with a specially crafted file. When a user opens or processes this file, the vulnerability is triggered, allowing the attacker to take control,” the cybersecurity company said.

    The Israeli firm revealed that it also uncovered a vulnerability in a Rust-based component of the Windows kernel that can result in a system crash that, in turn, triggers a hard reboot.

    “For organizations with large or remote workforces, the risk is significant: attackers could exploit this flaw to simultaneously crash numerous computers across an enterprise, resulting in widespread disruption and costly downtime,” Check Point said. “This discovery highlights that even with advanced security technologies like Rust, continuous vigilance and proactive patching are essential to maintaining system integrity in a complex software environment.”

    Another vulnerability of importance is CVE-2025-50154 (CVSS score: 6.5), an NTLM hash disclosure spoofing vulnerability that’s actually a bypass for a similar bug (CVE-2025-24054, CVSS score: 6.5) that was plugged by Microsoft in March 2025.

    “The original vulnerability demonstrated how specially crafted requests could trigger NTLM authentication and expose sensitive credentials,” Cymulate researcher Ruben Enkaoua said. “This new vulnerability […] allows an attacker to extract NTLM hashes without any user interaction, even on fully patched systems. By exploiting a subtle gap left in the mitigation, an attacker can trigger NTLM authentication requests automatically, enabling offline cracking or relay attacks to gain unauthorized access.”


    Source: thehackernews.com…

  • Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics

    Aug 13, 2025 | Ravie Lakshmanan | Endpoint Security / Cybercrime

    Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry.

    The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.

    The DLL side-loading techniques resemble those previously documented in attacks by a China-linked hacking group called Earth Baxia. The cybersecurity company had flagged that group as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR after exploiting a now-patched security flaw in OSGeo GeoServer GeoTools.

    “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.

    Like other ransomware binaries, Charon is capable of disruptive actions that terminate security-related services and running processes, as well as delete shadow copies and backups, thereby minimizing the chances of recovery. It also employs multithreading and partial encryption techniques to make the file-locking routine faster and more efficient.

    Another notable aspect of the ransomware is the use of a driver compiled from the open-source Dark-Kill project to disable EDR solutions by means of what’s called a bring your own vulnerable driver (BYOVD) attack. However, this functionality is never triggered during the execution, suggesting that the feature is likely under development.

    There is evidence to suggest that the campaign was targeted rather than opportunistic. This stems from the use of a customized ransom note that specifically calls out the victim organization by name, a tactic not observed in traditional ransomware attacks. It’s currently not known how the initial access was obtained.

    Despite the technical overlaps with Earth Baxia, Trend Micro has emphasized that the evidence could mean one of three things:

    • Direct involvement of Earth Baxia
    • A false flag operation designed to deliberately imitate Earth Baxia’s tradecraft, or
    • A new threat actor that has independently developed similar tactics

    “Without corroborating evidence such as shared infrastructure or consistent targeting patterns, we assess this attack demonstrates limited but notable technical convergence with known Earth Baxia operations,” Trend Micro pointed out.

    Regardless of the attribution, the findings exemplify the ongoing trend of ransomware operators increasingly adopting sophisticated methods for malware deployment and defense evasion, further blurring the lines between cybercrime and nation-state activity.

    “This convergence of APT tactics with ransomware operations poses an elevated risk to organizations, combining sophisticated evasion techniques with the immediate business impact of ransomware encryption,” the researchers concluded.

    The disclosure comes as eSentire detailed an Interlock ransomware campaign that leveraged ClickFix lures to drop a PHP-based backdoor that, in turn, deploys NodeSnake (aka Interlock RAT) for credential theft and a C-based implant that supports attacker-supplied commands for further reconnaissance and ransomware deployment.

    “Interlock Group employs a complex multi-stage process involving PowerShell scripts, PHP/NodeJS/C backdoors, highlighting the importance of monitoring suspicious process activity, LOLBins, and other TTPs,” the Canadian company said.

    The findings show that ransomware continues to be an evolving threat, even as victims continue to pay ransoms to quickly recover access to systems. Cybercriminals, on the other hand, have begun resorting to physical threats and DDoS attacks as a way of putting pressure on victims.

    Statistics shared by Barracuda show that 57% of organizations experienced a successful ransomware attack in the last 12 months, of which 71% that had experienced an email breach were also hit with ransomware. What’s more, 32% paid a ransom, but only 41% of the victims got all their data back.


    Source: thehackernews.com…

  • Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks

    Aug 12, 2025 | Ravie Lakshmanan | Malware / Container Security

    New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident.

    More troubling is the fact that other images have been built on top of these infected base images, effectively propagating the infection further in a transitive manner, Binarly REsearch said in a report shared with The Hacker News.

    The firmware security company said it discovered a total of 35 images that ship with the backdoor. The incident once again highlights the risks faced by the software supply chain.

    The XZ Utils supply chain event (CVE-2024-3094, CVSS score: 10.0) came to light in late March 2024, when Andres Freund sounded the alarm on a backdoor embedded within XZ Utils versions 5.6.0 and 5.6.1.

    Further analysis of the malicious code and the broader compromise led to several startling discoveries, the first and foremost being that the backdoor could lead to unauthorized remote access and enable the execution of arbitrary payloads through SSH.

    Specifically, the backdoor — placed in the liblzma.so library and used by the OpenSSH server — was designed such that it triggered when a client interacts with the infected SSH server.

    “By hijacking the RSA_public_decrypt function using the glibc’s IFUNC mechanism, the malicious code allowed an attacker possessing a specific private key to bypass authentication and execute root commands remotely,” Binarly explained.

    The second finding was that the changes were pushed by a developer named “Jia Tan” (JiaT75), who spent almost two years contributing to the open-source project to build trust until they were given maintainer responsibilities, signaling the meticulous nature of the attack.

    “This is clearly a very complex state-sponsored operation with impressive sophistication and multi-year planning,” Binarly noted at the time. “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation.”

    The latest research from the company shows that the impact of the incident continues to send aftershocks through the open-source ecosystem even after all these months.

    This includes the discovery of 12 Debian Docker images that contain the XZ Utils backdoor, and another set of second-order images that are built on top of the compromised Debian images.

    Binarly said it reported the base images to the Debian maintainers, who said they have “made an intentional choice to leave these artifacts available as a historical curiosity, especially given the following extremely unlikely (in containers/container image use cases) factors required for exploitation.”

    However, the company pointed out that leaving publicly available Docker images that contain a potential network-reachable backdoor carries a significant security risk, despite the criteria required for successful exploitation – the need for network access to the infected device with the SSH service running.

    “The xz-utils backdoor incident demonstrates that even short-lived malicious code can remain unnoticed in official container images for a long time, and that can propagate in the Docker ecosystem,” it added.

    “The delay underscores how these artifacts may silently persist and propagate through CI pipelines and container ecosystems, reinforcing the critical need for continuous binary-level monitoring beyond simple version tracking.”
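    The practical question for anyone running Debian-based images is which of them still carry liblzma 5.6.0 or 5.6.1. The PowerShell scanner below is an added example, not code from the article or from Binarly: it asks dpkg inside each local image for the liblzma5 package version and flags the two upstream releases named above. It assumes the docker CLI is on PATH and that the images use dpkg; the function names `Test-BackdooredXzVersion` and `Get-ImageXzStatus` are this example's own. As the article itself notes, a version match is a first-pass signal, not a substitute for binary-level inspection.

```powershell
# Added example, not from the article or from Binarly: report the liblzma5
# package version in each Debian/Ubuntu-based image and flag the two upstream
# releases named in the advisory, 5.6.0 and 5.6.1. Assumptions: docker CLI on
# PATH, images that use dpkg. Version tracking alone is weaker than a
# binary-level check, so treat a hit as "go look", not as the final word.

$BackdooredUpstreamVersions = @('5.6.0', '5.6.1')

function Test-BackdooredXzVersion {
    param([Parameter(Mandatory)][string]$DebianVersion)
    # Debian version strings look like "5.6.1-1" or "1:5.6.0-0.2":
    # strip the epoch prefix and the Debian revision suffix to get the upstream version
    $upstream = ($DebianVersion -replace '^\d+:', '') -replace '-.*$', ''
    return ($BackdooredUpstreamVersions -contains $upstream)
}

function Get-ImageXzStatus {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Image)
    process {
        # Single-quoted so ${Version} reaches the container's sh untouched
        $cmd = 'dpkg-query -W -f=''${Version}'' liblzma5 2>/dev/null'
        $version = (& docker run --rm --entrypoint sh $Image -c $cmd 2>$null | Select-Object -First 1)
        if (-not $version) { $version = $null }   # no dpkg, no liblzma5, or docker failed

        [pscustomobject]@{
            Image      = $Image
            Liblzma5   = $version
            Backdoored = if ($version) { Test-BackdooredXzVersion $version } else { $null }
        }
    }
}

# Usage: scan every image present locally; in CI, pipe in the image list your
# pipeline actually builds from instead.
docker image ls --format '{{.Repository}}:{{.Tag}}' |
    Where-Object { $_ -notmatch '<none>' } |
    Get-ImageXzStatus |
    Format-Table -AutoSize
```

    A `$null` in the Backdoored column means the image could not be queried (no dpkg, or no liblzma5 package), which is worth a manual check rather than silence. Because second-order images inherit the library from their base, running this over the full set of images a pipeline builds, not just the base images, is what catches the transitive propagation the article describes.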


    Source: thehackernews.com…

  • Fortinet SSL VPNs Hit by Global Brute-Force Wave Before Attackers Shift to FortiManager

    Aug 12, 2025 | Ravie Lakshmanan | Threat Intelligence / Enterprise Security

    Cybersecurity researchers are warning of a “significant spike” in brute-force traffic aimed at Fortinet SSL VPN devices.

    The coordinated activity, per threat intelligence firm GreyNoise, was observed on August 3, 2025, with over 780 unique IP addresses participating in the effort.

    As many as 56 unique IP addresses have been detected over the past 24 hours. All the IP addresses have been classified as malicious, with the IPs originating from the United States, Canada, Russia, and the Netherlands. Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain, and Japan.

    “Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” GreyNoise said. “This was not opportunistic — it was focused activity.”

    The company also pointed out that it identified two distinct assault waves, before and after August 5: the first, a long-running brute-force activity tied to a single TCP signature that remained relatively steady over time; the second, a sudden and concentrated burst of traffic with a different TCP signature.

    “While the August 3 traffic has targeted the FortiOS profile, traffic fingerprinted with TCP and client signatures – a meta signature – from August 5 onward was not hitting FortiOS,” the company noted. “Instead, it was consistently targeting our FortiManager.”

    “This indicated a shift in attacker behavior – potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service.”

    On top of that, a deeper examination of the historical data associated with the post-August 5 TCP fingerprint has uncovered an earlier spike in June featuring a unique client signature that resolved to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc.

    This has raised the possibility that the brute-force tooling was either initially tested or launched from a home network. An alternative hypothesis is the use of a residential proxy.

    The development comes against the backdrop of findings that spikes in malicious activity are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

    “These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors,” the company noted in its Early Warning Signals report published late last month.

    The Hacker News has reached out to Fortinet for further comment, and we will update if we hear back.


    Source: thehackernews.com…

  • Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses

    Aug 12, 2025 | Ravie Lakshmanan | Cybercrime / Financial Security

    An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.

    “This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database exploitation,” ReliaQuest said in a report shared with The Hacker News.

    These include the adoption of tactics that mirror those of Scattered Spider, such as highly targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing calls, and VPN obfuscation for data exfiltration.

    ShinyHunters, which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major corporations and monetizing them on cybercrime forums like RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms both as a contributor and administrator.

    “The ShinyHunters persona partnered with Baphomet to relaunch the second instance of BreachForums (v2) in June 2023 and later launched the June 2025 instance (v4) alone,” Sophos noted in a recent report. “The interim version (v3) abruptly disappeared in April 2025, and the cause is unclear.”

    While the relaunch of the forum was short-lived and the bulletin board went offline around June 9, the threat actor has since been linked to attacks targeting Salesforce instances globally, a cluster of extortion-related activity that Google is tracking under the moniker UNC6240.

    Coinciding with these developments was the arrest of four individuals suspected of running BreachForums, including ShinyHunters, by French law enforcement authorities. However, the threat actor told DataBreaches.Net that “France rushed to make FALSE, INACCURATE arrests,” raising the possibility that an “associate” member may have been caught.

    And that’s not all. On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called “scattered lapsu$ hunters” emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel disappeared.

    Both Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a notorious network of experienced English-speaking cybercriminals that’s known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.

    ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that were likely created for similar Salesforce-targeting campaigns aimed at high-profile companies across various industry verticals.

    These domains, the company said, were registered using infrastructure typically associated with phishing kits commonly used to host single sign-on (SSO) login pages — a hallmark of Scattered Spider’s attacks impersonating Okta sign-in pages.

    Furthermore, an analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while targeting of technology firms has decreased by 5%, suggesting that banks, insurance companies and financial services could be next in line.

    The tactical overlaps aside, that the two groups may be collaborating is borne out by the fact that they have targeted the same sectors (i.e., retail, insurance, and aviation) around the same time.

    “Supporting this theory is evidence such as the appearance of a BreachForums’ user with the alias ‘Sp1d3rHunters,’ who was linked to a past ShinyHunters breach, as well as overlapping domain registration patterns,” researchers Kimberley Bromley and Ivan Righi said, adding the account was created in May 2024.

    “If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year. The synchronized timing and similar targeting of these previous attacks strongly support the likelihood of coordinated efforts between the two groups.”


    Source: thehackernews.com…

  • New ‘Curly COMrades’ APT Using NGEN COM Hijacking in Georgia, Moldova Attacks

    Aug 12, 2025 | Ravie Lakshmanan | Cyber Espionage / Windows Security

    A previously undocumented threat actor dubbed Curly COMrades has been observed targeting entities in Georgia and Moldova as part of a cyber espionage campaign designed to facilitate long-term access to target networks.

    “They repeatedly tried to extract the NTDS database from domain controllers — the primary repository for user password hashes and authentication data in a Windows network,” Bitdefender said in a report shared with The Hacker News. “Additionally, they attempted to dump LSASS memory from specific systems to recover active user credentials, potentially plain-text passwords, from machines where users were logged on.”

    The activity, tracked by the Romanian cybersecurity company since mid-2024, has singled out judicial and government bodies in Georgia, as well as an energy distribution company in Moldova.

    Curly COMrades is assessed to be operating with goals aligned with Russia’s geopolitical strategy. It gets its name from its heavy reliance on the curl utility for command-and-control (C2) and data transfer, and from its hijacking of Component Object Model (COM) objects.

    The end goal of the attacks is to enable long-term access to carry out reconnaissance and credential theft, and leverage that information to burrow deeper into the network, collect data using custom tools, and exfiltrate to attacker-controlled infrastructure.

    “The overall behavior indicates a methodical approach in which the attackers combined standard attack techniques with tailored implementations to blend into legitimate system activity,” the company pointed out. “Their operations were characterized by repeated trial-and-error, use of redundant methods, and incremental setup steps – all aimed at maintaining a resilient and low-noise foothold across multiple systems.”

    A notable aspect of the attacks is the use of legitimate tools like Resocks, SSH, and Stunnel to create multiple conduits into internal networks and remotely execute commands using the stolen credentials. Another proxy tool deployed besides Resocks is SOCKS5. The exact initial access vector employed by the threat actor is currently not known.

    Persistent access to the infected endpoints is accomplished by means of a bespoke backdoor called MucorAgent, which hijacks class identifiers (CLSIDs) – globally unique identifiers that identify a COM class object – to target Native Image Generator (Ngen), an ahead-of-time compilation service that’s part of the .NET Framework.

    “Ngen, a default Windows .NET Framework component that pre-compiles assemblies, provides a mechanism for persistence via a disabled scheduled task,” Bitdefender noted. “This task appears inactive, yet the operating system occasionally enables and executes it at unpredictable intervals (such as during system idle times or new application deployments), making it a great mechanism for restoring access covertly.”

    Abusing the CLSID linked to Ngen underscores the adversary’s technical prowess, while granting them the ability to execute malicious commands under the highly privileged SYSTEM account. It’s suspected that there likely exists a more reliable mechanism for executing the specific task given the overall unpredictability associated with Ngen.

    A modular .NET implant, MucorAgent is launched via a three-stage process and is capable of executing an encrypted PowerShell script and uploading the output to a designated server. Bitdefender said it did not recover any other PowerShell payloads.

    “The design of the MucorAgent suggests that it was likely intended to function as a backdoor capable of executing payloads on a periodic basis,” the company explained. “Each encrypted payload is deleted after being loaded into memory, and no additional mechanism for regularly delivering new payloads was identified.”
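    The persistence described above rests on a scheduled task whose action is a COM handler, so a defender can audit that surface directly: enumerate COM-handler tasks, resolve each CLSID to its InprocServer32 DLL, and flag anything that does not look like a stock registration. The script below is an added example, not code from the article or from Bitdefender. It assumes Windows with the ScheduledTasks module, that COM-handler actions are CIM instances of `MSFT_TaskComHandlerAction` exposing the CLSID in `.ClassId`, and that the SYSTEM account's per-user hive is readable at `HKEY_USERS\S-1-5-18` (run elevated); the function names `Get-ComHandlerTaskAudit` and `Read-InprocServer` are this example's own.

```powershell
# Added example, not from the article or from Bitdefender: audit every scheduled
# task whose action is a COM handler (the .NET Framework Ngen tasks are among
# them), resolve the CLSID, and flag the usual hijack indicators.
# Assumptions: Windows with the ScheduledTasks module; COM-handler actions are
# MSFT_TaskComHandlerAction CIM instances with a .ClassId; SYSTEM's user hive
# is readable at HKEY_USERS\S-1-5-18 when run elevated.

function Get-ComHandlerTaskAudit {
    [CmdletBinding()]
    param()

    # Handler DLLs are expected under these roots; anything else is worth a look.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    function Read-InprocServer([string]$KeyPath) {
        # The default value of InprocServer32 is the DLL path; $null if the key is absent
        (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'(default)'
    }

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskComHandlerAction') { continue }
            $clsid = $action.ClassId

            $machineDll = Read-InprocServer "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            # Per-user registrations shadow HKLM when the class is resolved through HKCR.
            # Check the interactive user's hive and the SYSTEM hive, since Ngen tasks run as SYSTEM.
            $userDll   = Read-InprocServer "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
            $systemDll = Read-InprocServer "Registry::HKEY_USERS\S-1-5-18\Software\Classes\CLSID\$clsid\InprocServer32"

            $resolved = @($systemDll, $userDll, $machineDll) | Where-Object { $_ } | Select-Object -First 1
            $expanded = if ($resolved) { [Environment]::ExpandEnvironmentVariables($resolved) } else { $null }

            $inTrustedRoot = $false
            if ($expanded) {
                $lower = $expanded.Trim('"').ToLowerInvariant()
                $inTrustedRoot = [bool]($trustedRoots | Where-Object { $lower.StartsWith($_) })
            }

            $overridden = [bool]$userDll -or [bool]$systemDll
            [pscustomobject]@{
                Task           = $task.TaskPath + $task.TaskName
                State          = $task.State      # a Disabled task can still be enabled later by the OS, as the article notes
                ClassId        = $clsid
                HandlerDll     = $expanded
                UserOverride   = $overridden
                OutsideTrusted = [bool]($expanded -and -not $inTrustedRoot)
                Suspicious     = $overridden -or (-not $expanded) -or (-not $inTrustedRoot)
            }
        }
    }
}

# Usage: run elevated. Every COM-handler task is returned; the Suspicious rows
# (user-hive override, unresolvable CLSID, or handler DLL outside the Windows
# and Program Files trees) are the ones to investigate.
Get-ComHandlerTaskAudit | Where-Object Suspicious | Format-Table -AutoSize
```

    The audit deliberately does not filter on task state: the article's point is that a disabled Ngen task still gets enabled and run by the OS at unpredictable times, so a hijacked handler on a disabled task is exactly the case you want surfaced. Baseline the output once on a known-good build and alert on any new CLSID, new handler path, or new per-user override.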

    Also weaponized by Curly COMrades are legitimate-but-compromised websites, used as relays during C2 communications and data exfiltration in a bid to fly under the radar by blending malicious traffic with normal network activity. Some of the other tools observed in the attacks are listed below:

    • CurlCat, which is used to facilitate bidirectional data transfer between standard input and output streams (STDIN and STDOUT) and a C2 server over HTTPS by routing the traffic through a compromised site
    • RuRat, a legitimate Remote Monitoring and Management (RMM) program for persistent access
    • Mimikatz, which is used to extract credentials from memory
    • Various built-in commands like netstat, tasklist, systeminfo, ipconfig, and ping to conduct discovery
    • PowerShell scripts that use curl to exfiltrate stolen data (e.g., credentials, domain information, and internal application data)

    “The campaign analyzed revealed a highly persistent and adaptable threat actor employing a wide range of known and customized techniques to establish and maintain long-term access within targeted environments,” Bitdefender said.

    “The attackers relied heavily on publicly available tools, open-source projects, and LOLBins, showing a preference for stealth, flexibility, and minimal detection rather than exploiting novel vulnerabilities.”


    Source: thehackernews.com…

  • The Ultimate Battle: Enterprise Browsers vs. Secure Browser Extensions

    The Ultimate Battle: Enterprise Browsers vs. Secure Browser Extensions

    Aug 12, 2025 | The Hacker News | Browser Security / Zero Trust

    Enterprise Browsers vs. Secure Browser Extensions

    Most security tools can’t see what happens inside the browser, but that’s where the majority of work, and risk, now lives. Security leaders deciding how to close that gap often face a choice: deploy a dedicated Enterprise Browser or add an enterprise-grade control layer to the browsers employees already use and trust.

    The Ultimate Battle: Enterprise Browsers vs. Enterprise Browser Extensions examines this choice across nine “rounds”: adoption, data protection, BYOD, productivity, management overhead, remote access, Zero Trust alignment, supply-chain security, and future-readiness, to show where each approach excels, and where trade-offs emerge.

    Each round uses practical, enterprise scenarios to compare the two models, making it easier to see not just what they can do, but how they perform at scale.

    The Browser Is Now the Workspace

    The browser has become the primary workspace for enterprise users. It is where sensitive data is created, accessed, and moved through copy/paste actions, form submissions, uploads, downloads, and increasingly through GenAI prompts.

    Default-browser habits are deeply ingrained. Forcing a switch can slow adoption, especially in hybrid environments where unmanaged devices and contractors play a role.

    Extension ecosystems are both valuable and risky. They expand functionality but also widen the potential attack surface. The guide makes clear that neither Enterprise Browsers nor Enterprise Browser Extensions replace the rest of the security stack; instead, each addresses the in-session gap in a different way. One of the clearest examples of that gap is how GenAI usage plays out in the browser.

    GenAI: The Use Case That Tests Both Models

    Enterprise adoption of GenAI tools has introduced high-impact, in-session risks for browser security:

    • Proprietary code, business plans, and sensitive records can be pasted into prompts with no audit trail.
    • Identity context matters: controls must distinguish work from personal accounts in real time.
    • Coverage must extend to unmanaged devices, third parties, and temporary access users.
    • Extension governance must balance productivity with the ability to detect and restrict risky behavior.

    The guide uses scenarios like these to stress-test both approaches in multiple rounds, revealing where coverage, control depth, and operational overhead diverge.

    Enterprise Browser vs. Secure Browser Extension: Side-by-Side Comparison in Nine Rounds

    The Ultimate Battle organizes the comparison into nine operationally relevant rounds. Rather than listing features, it tests how each model responds to real conditions, from enabling BYOD access without weakening data-in-use controls to managing risky extensions without disrupting workflows.

    Where the differences show most clearly:

    Coverage

    • Enterprise Browser: Strong control inside its own environment, but adoption depends on users switching defaults and keeping sensitive activity within the EB.
    • Secure Browser Extension: Runs in mainstream browsers (Chrome/Edge) to cover managed, unmanaged, and contractor devices without changing the user’s primary workflow.

    Control & Enforcement

    • Enterprise Browser: Deep guardrails within the EB, including session isolation and strict separation of work and personal contexts.
    • Enterprise Browser Extension: DOM-level visibility to apply warnings, redactions, or blocks on copy/paste, form fills, uploads, downloads, and GenAI prompts; policies can be identity-bound to differentiate corporate and personal activity.

    Integration & Operations

    • Enterprise Browser: Integrates cleanly while usage stays inside the EB, but requires parallel browser management and related support.
    • Enterprise Browser Extension: Streams browser-layer telemetry to SIEM/XDR, influences IAM/ZTNA decisions, and updates centrally without retraining users on a new browser.

    Making the Enterprise Browser vs. Secure Browser Extension Decision

    The guide is designed to help security teams turn abstract pros and cons into a decision that fits their environment and risk profile. The choice between an Enterprise Browser and an Enterprise Browser Extension is not purely technical; it is about balancing depth of control with breadth of coverage, while factoring in adoption patterns and long-term manageability.

    The comparison document presents these trade-offs in a structured, scenario-driven format, enabling teams to map them to their own environments and make an informed call. Download the full comparison to see how each approach performs where it matters most for your organization.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors

    Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors

    Aug 12, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

    The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country.

    The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact.

    CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

    The vulnerability was first disclosed in late June 2025, with patches released in the following versions –

    • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
    • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
    • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

    As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also placed on the list last month.

    NCSC-NL described the activity as likely the work of a sophisticated threat actor, adding the vulnerability has been exploited as a zero-day since early May 2025 – almost two months before it was publicly disclosed – and the attackers took steps to erase traces in an effort to conceal the compromise. The exploitation was discovered on July 16, 2025.

    “During the investigation, malicious web shells were found on Citrix devices,” the agency said. “A web shell is a piece of rogue code that gives an attacker remote access to the system. The attacker can place a web shell by abusing a vulnerability.”

    To mitigate the risk arising from CVE-2025-6543, organizations are advised to apply the latest updates, and terminate permanent and active sessions by running the following commands –

    • kill icaconnection -all
    • kill pcoipConnection -all
    • kill aaa session -all
    • kill rdp connection -all
    • clear lb persistentSessions

    Organizations can also run a shell script made available by NCSC-NL to hunt for indicators of compromise associated with the exploitation of CVE-2025-6543.

    “Files with a different .php extension in Citrix NetScaler system folders may be an indication of abuse,” NCSC-NL said. “Check for newly created accounts on the NetScaler, and specifically for accounts with increased rights.”
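    The two checks NCSC-NL describes, unexpected .php files in NetScaler folders and newly privileged accounts, can be scripted. The following is an added example, not the NCSC-NL script and not from the article: it compares .php files under a root against a known-good baseline and lists users that ns.conf binds to the built-in superuser command policy but that are not on an allowlist. The directory tree, baseline, account names and ns.conf below are constructed for the demo; on an appliance the root would be / and the config /nsconfig/ns.conf.

```shell
#!/bin/sh
# Added example, not NCSC-NL's script. Hunts for the two indicators the agency
# names: .php files outside a known-good baseline, and system users bound to
# the built-in "superuser" command policy that are not on an allowlist.

# Print .php files under ROOT (as paths relative to ROOT) that are absent from
# BASELINE, a file listing one expected relative path per line.
find_unexpected_php() {
    root=$1 baseline=$2
    find "$root" -type f -name '*.php' 2>/dev/null | sort | while read -r f; do
        rel=${f#"$root"}
        grep -qxF "$rel" "$baseline" || printf '%s\n' "$rel"
    done
}

# Print user names bound to the superuser policy in an ns.conf
# (lines of the form: bind system user <name> superuser <priority>).
find_superusers() {
    awk '$1=="bind" && $2=="system" && $3=="user" && $5=="superuser" {print $4}' "$1"
}

# Print superuser-bound names that are not in ALLOWED (space-separated list).
flag_new_superusers() {
    conf=$1 allowed=" $2 "
    find_superusers "$conf" | while read -r u; do
        case "$allowed" in *" $u "*) ;; *) printf '%s\n' "$u" ;; esac
    done
}

# --- constructed demo data; on an appliance use / and /nsconfig/ns.conf ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/root/var/netscaler/logon/LogonPoint/uiareas"
: > "$DEMO/root/var/netscaler/logon/LogonPoint/index.php"         # in baseline
: > "$DEMO/root/var/netscaler/logon/LogonPoint/uiareas/shell.php" # planted for demo
printf '%s\n' /var/netscaler/logon/LogonPoint/index.php > "$DEMO/baseline.txt"
cat > "$DEMO/ns.conf" <<'EOF'
add system user nsroot -encrypted PLACEHOLDER
bind system user nsroot superuser 100
add system user helpdesk -encrypted PLACEHOLDER
bind system user helpdesk read-only 100
add system user supportuser -encrypted PLACEHOLDER
bind system user supportuser superuser 100
EOF

echo "Unexpected .php files:"; find_unexpected_php "$DEMO/root" "$DEMO/baseline.txt"
echo "Unexpected superusers:";  flag_new_superusers "$DEMO/ns.conf" "nsroot"
```

    The baseline should come from a clean appliance of the same build, and anything flagged is a lead for forensic review rather than proof of compromise.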


    Source: thehackernews.com…