• Microsoft has released its September 2025 Patch Tuesday updates, addressing a total of 81 security vulnerabilities across its product suite. The security patches cover a wide range of software, including Windows, Microsoft Office, Azure, and SQL Server.

    Among the fixes are 22 Remote Code Execution (RCE) vulnerabilities, making this a significant update for system administrators. Of the 81 flaws, 8 are rated as Critical, with the remaining 73 classified as Important in severity.

    | Impact | Count |
    |---|---|
    | Elevation of Privilege (EoP) | 38 |
    | Remote Code Execution (RCE) | 22 |
    | Information Disclosure | 14 |
    | Denial of Service (DoS) | 4 |
    | Security Feature Bypass | 2 |
    | Spoofing | 1 |
    | Total | 81 |

    The vulnerabilities cover various categories, with Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure being the most frequently addressed types in this month’s release.

    Critical Remote Code Execution Flaws

    This month’s update resolves several critical RCE vulnerabilities that could allow attackers to execute arbitrary code on affected systems. Among the most severe are multiple race condition flaws in the Graphics Kernel (CVE-2025-55226, CVE-2025-55236) and the Windows Graphics Component (CVE-2025-55228), which an authorized attacker could exploit to execute code locally.

    Microsoft Office also received a critical patch for a heap-based buffer overflow vulnerability (CVE-2025-54910) that enables local code execution.

    Additionally, a critical RCE vulnerability in Windows Hyper-V (CVE-2025-55224) was fixed. This flaw, stemming from a race condition, could allow a local attacker to execute arbitrary code. These types of vulnerabilities are particularly dangerous as they can often be exploited to gain initial access or move laterally within a network.

    Widespread Elevation of Privilege and Other Flaws

    A significant portion of the September update is dedicated to fixing Elevation of Privilege vulnerabilities across the Windows ecosystem. A critical EoP flaw in Windows NTLM (CVE-2025-54918) could allow an authorized attacker to elevate their privileges over the network.

    Other important EoP vulnerabilities were patched in PowerShell Direct (CVE-2025-49734), Windows Ancillary Function Driver for WinSock (CVE-2025-54099), and the Windows Kernel (CVE-2025-54110).

    The update also addresses numerous information disclosure vulnerabilities, particularly in the Windows Routing and Remote Access Service (RRAS), with six distinct CVEs (CVE-2025-53797, CVE-2025-53798, CVE-2025-54095, CVE-2025-54096, CVE-2025-54097, CVE-2025-55225) related to buffer over-read and out-of-bounds read issues.

    While not as severe as RCEs, these flaws can leak sensitive memory information that aids attackers in crafting more complex exploits.

    Patches for SharePoint, Azure, and Excel

    Beyond the core operating system, Microsoft has patched critical and important flaws in its enterprise and productivity software.

    A significant RCE vulnerability in Microsoft SharePoint (CVE-2025-54897) was addressed, which could be exploited by an authorized attacker over the network through the deserialization of untrusted data.

    Microsoft Excel received a barrage of fixes for seven different RCE vulnerabilities (CVE-2025-54896, CVE-2025-54898, CVE-2025-54899, CVE-2025-54900, CVE-2025-54902, CVE-2025-54903, CVE-2025-54904).

    These flaws, mostly related to use-after-free and out-of-bounds read issues, allow an attacker to execute code locally if a user opens a specially crafted file.

    Several Elevation of Privilege vulnerabilities were also patched in Azure services, including Azure Arc (CVE-2025-55316) and the Azure Connected Machine Agent (CVE-2025-49692).

    Microsoft urges all customers to apply the September 2025 security updates promptly to protect their systems from potential exploitation. Administrators should prioritize patching the critical RCE and Elevation of Privilege vulnerabilities to mitigate the most severe risks.

    Of the 81 vulnerabilities addressed in Microsoft’s September 2025 Patch Tuesday, none were reported as publicly disclosed or actively exploited. The release includes patches for 8 Critical and 73 Important severity flaws.

    Below is a comprehensive table of all vulnerabilities fixed in this update:

    Critical Vulnerabilities

    | CVE | Vulnerability Details | Actively Exploited | Type | Severity |
    |---|---|---|---|---|
    | CVE-2025-54918 | Improper authentication in Windows NTLM allows for network-based privilege elevation. | No | Elevation of Privilege | Critical |
    | CVE-2025-55226 | A race condition in the Graphics Kernel can be exploited for local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55228 | A race condition in the Windows Graphics Component allows local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55236 | A race condition in the Graphics Kernel could lead to local code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-53799 | Use of an uninitialized resource in the Windows Imaging Component leads to information disclosure. | No | Information Disclosure | Critical |
    | CVE-2025-53800 | A flaw in the Microsoft Graphics Component can be used for local privilege elevation. | No | Elevation of Privilege | Critical |
    | CVE-2025-54910 | A heap-based buffer overflow in Microsoft Office allows for local remote code execution. | No | Remote Code Execution | Critical |
    | CVE-2025-55224 | A race condition in Windows Hyper-V can be used for local code execution. | No | Remote Code Execution | Critical |

    Important Vulnerabilities

    | CVE | Vulnerability Details | Actively Exploited | Type | Severity |
    |---|---|---|---|---|
    | CVE-2024-21907 | A flaw in Newtonsoft.Json used by SQL Server can lead to a denial-of-service condition. | No | Denial of Service | Important |
    | CVE-2025-49734 | A flaw in PowerShell Direct allows for local privilege escalation. | No | Elevation of Privilege | Important |
    | CVE-2025-53797 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53798 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-54095 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54096 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54097 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54099 | A stack-based buffer overflow in the Ancillary Function Driver for WinSock allows privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54101 | A use-after-free flaw in the Windows SMBv3 Client allows for remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54102 | A use-after-free flaw in the Connected Devices Platform Service can be used for privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54106 | An integer overflow in RRAS could allow an attacker to execute code over the network. | No | Remote Code Execution | Important |
    | CVE-2025-54110 | An integer overflow in the Windows Kernel can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54111 | A use-after-free flaw in Windows UI XAML allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54894 | A vulnerability in the Local Security Authority Subsystem Service leads to privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54895 | An integer overflow in SPNEGO NEGOEX allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54896 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54897 | Deserialization of untrusted data in SharePoint can lead to remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54898 | An out-of-bounds read in Microsoft Excel can be used for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54899 | Freeing memory not on the heap in Microsoft Excel can lead to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54902 | An out-of-bounds read in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54903 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54904 | A use-after-free vulnerability in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54905 | An untrusted pointer dereference in Microsoft Word can lead to information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54906 | Freeing memory not on the heap in Microsoft Office can lead to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54907 | A heap-based buffer overflow in Microsoft Visio allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54908 | A use-after-free vulnerability in Microsoft PowerPoint allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54913 | A race condition in Windows UI XAML Maps can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54916 | A stack-based buffer overflow in Windows NTFS allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54919 | A race condition in the Windows Graphics Component leads to local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-55223 | A race condition in the DirectX Graphics Kernel allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55225 | An out-of-bounds read in RRAS allows for network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-55232 | Deserialization of untrusted data in HPC Pack can lead to remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-55245 | Improper link resolution in Xbox Gaming Services can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55243 | Exposure of sensitive information in Microsoft OfficePlus can lead to spoofing. | No | Spoofing | Important |
    | CVE-2025-55316 | External control of a file name or path in Azure Arc allows for privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55317 | Improper link resolution in Microsoft AutoUpdate can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-49692 | Improper access control in the Azure Connected Machine Agent allows local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-47997 | A race condition in SQL Server can lead to network-based information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-53796 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53801 | An untrusted pointer dereference in the DWM Core Library can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53802 | A use-after-free flaw in the Windows Bluetooth Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53803 | An error message in the Windows Kernel could disclose sensitive information locally. | No | Information Disclosure | Important |
    | CVE-2025-53804 | Exposure of sensitive information in a Windows Kernel-Mode Driver can lead to local information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-53805 | An out-of-bounds read in HTTP.sys can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-53806 | A buffer over-read in RRAS allows for information disclosure over a network. | No | Information Disclosure | Important |
    | CVE-2025-53807 | A race condition in the Microsoft Graphics Component allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53808 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-53809 | Improper input validation in LSASS can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-53810 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54091 | An integer overflow in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54092 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54093 | A race condition in the Windows TCP/IP Driver allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54094 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54098 | Improper access control in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54103 | A use-after-free flaw in Windows Management Service can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54104 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54105 | A race condition in the Brokering File System can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54107 | Improper path resolution in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
    | CVE-2025-54108 | A race condition in the Capability Access Management Service allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54109 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54112 | A use-after-free flaw in Microsoft Virtual Hard Disk can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54113 | A heap-based buffer overflow in RRAS allows for remote code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54114 | A race condition in the Connected Devices Platform Service can lead to a denial of service. | No | Denial of Service | Important |
    | CVE-2025-54115 | A race condition in Windows Hyper-V can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54116 | Improper access control in Windows MultiPoint Services allows for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54900 | A heap-based buffer overflow in Microsoft Excel allows for local code execution. | No | Remote Code Execution | Important |
    | CVE-2025-54901 | A buffer over-read in Microsoft Excel can lead to local information disclosure. | No | Information Disclosure | Important |
    | CVE-2025-54911 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54912 | A use-after-free flaw in Windows BitLocker can be used for local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54915 | A type confusion flaw in the Windows Defender Firewall Service can lead to local privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-54917 | A protection mechanism failure in MapUrlToZone can lead to a security feature bypass. | No | Security Feature Bypass | Important |
    | CVE-2025-55227 | A command injection vulnerability in SQL Server allows for network-based privilege elevation. | No | Elevation of Privilege | Important |
    | CVE-2025-55234 | A flaw in Windows SMB could allow an attacker to perform relay attacks, leading to privilege elevation. | No | Elevation of Privilege | Important |

    Administrators should also confirm that the latest servicing stack updates, as detailed in advisory ADV990001, are installed so that this month's patches apply successfully.

    Other Patch Tuesday Updates


    The post Microsoft September 2025 Patch Tuesday – 81 Vulnerabilities Fixed Including 22 RCE appeared first on Cyber Security News.


  • The U.S. needs a "whole-of-nation approach" to deterring and warding off cyber attacks backed by foreign states, President Donald Trump’s newly confirmed national cyber director said Tuesday. 

    Such attacks will continue until officials impose more severe consequences on bad actors, Sean Cairncross said in his first public address since his confirmation last month to lead the Office of the National Cyber Director. 

    The nation “must send a message this behavior is unacceptable” and will come at a cost, Cairncross said at the Billington Cyber Summit, specifically mentioning China, which has backed campaigns that target telecommunications networks and other critical infrastructure across the country.

    “Engagement and increased involvement with the private sector is necessary for our success,” he said. “I’m committed to marshalling a unified, whole-of-nation approach on this, working in lockstep with our allies who share our commitment to democratic values, privacy and liberty… Together, we’ll explore concepts of operation to enable our extremely capable private sector, from exposing malign actions to shifting adversaries’ risk calculus and bolstering resilience.”

    During a subsequent appearance at a Tuesday event hosted by Politico, Cairncross said, “I think it is important that we really start to shape adversary behavior” and that “we can’t be ambiguous” when it comes to deterring threat actors.

    The U.S. already conducts clandestine intrusions into adversaries’ networks under legal authorities granted to the National Security Agency, U.S. Cyber Command and others. But lawmakers on both sides of the political aisle have argued the nation hasn’t been assertive enough in its tactics, especially in the wake of the major Chinese hacks.

    Sen. Angus King, I-Maine, also said at Politico’s event that as long as cyberthreat actors “feel that there’s going to be no response, there’s no cost, they’re going to continue to do it.”

    King noted that he sponsored an amendment to the 2026 National Defense Authorization Act with Sen. Tom Cotton, R-Ark., that “charges the Secretary of Defense with developing a deterrent strategy over the next year and a half that will try to remedy this gap in our overall cyber defense.”

    “It doesn’t necessarily have to be cyber for cyber,” he said about countering digital attacks with a more offensive approach. “It can be some other kind of response, but it has to hurt.”

    Trump administration officials and industry partners have also discussed whether privateering contracts, once used to deputize pirate ships, could offer inspiration for authorizing private sector hacking operations against China, Nextgov/FCW reported in May.

    The new ONCD leader also wants to continue efforts to boost the U.S. cybersecurity workforce, a goal that was a focal point for the office during the Biden administration under then-Director Harry Coker. In his first term, Trump signed an executive order focused on the cyber workforce.

    “We need a pipeline that develops and shares talent,” Cairncross said. “It should be pragmatic and accessible, reconciling and taking advantage of existing avenues within academia, vocational schools, corporations and venture capital opportunities to not only educate and train our existing cyber workforce, but to also recruit new talent, preparing the next generation to design and deploy exquisite emerging technologies.”

    Cairncross’s responsibilities include coordinating cybersecurity efforts between various government agencies, developing and implementing national cybersecurity policies and advising the president on critical cyber issues. 

    He also said that ONCD is working to get government systems’ security in order: “We’re working on policies to harden our networks, update our technologies and ensure that we’re prepared for a post-quantum future.”


  • Fortinet has disclosed a significant OS command injection vulnerability in its FortiDDoS-F appliances that could allow privileged attackers to execute unauthorized code or commands through the command-line interface (CLI). The security flaw, identified as CVE-2024-45325, affects multiple versions of the FortiDDoS-F product line and carries a CVSS 3.1 score of 6.5, indicating medium severity. Vulnerability Details […]

    The post FortiDDoS Vulnerability Lets Hackers Execute Unauthorized OS Commands appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Breaking: Israel’s military carried out an attack inside Qatar’s capital city on Tuesday, which is more than 1,000 miles away, including “a precise [air] strike targeting the senior leadership of the Hamas terrorist organization,” the Israeli Defense Forces announced on social media. 

    Targets inside Doha included Khalil al-Hayya, the top negotiator for Hamas, according to Reuters, citing Israeli media. The IDF says those it sought to kill “are directly responsible for the brutal October 7 massacre, and have been orchestrating and managing the war against the State of Israel.” Unnamed sources told Reuters separately that the negotiating team survived the Tuesday strikes in Doha; the claim has not been verified at press time.  

    Bibi: “Today's action against the top terrorist chieftains of Hamas was a wholly independent Israeli operation,” Israeli Prime Minister Benjamin Netanyahu wrote on social media. “Israel initiated it, Israel conducted it, and Israel takes full responsibility,” he added. According to Axios, “The assassination attempt in the Qatari capital comes amid a renewed U.S. effort to reach a Gaza hostage and ceasefire deal between Israel and Hamas.”

    Notable: Israel’s Channel 12 reported U.S. President Donald Trump authorized the Israeli strikes, according to an Israeli official. 

    Qatar’s top diplomat condemned the “cowardly Israeli attack,” which he said struck “residential buildings housing several members of the Political Bureau of Hamas.” 

    Jordan’s top diplomat also condemned “the cowardly Israeli aggression against the sisterly State of Qatar as a flagrant violation of international law,” Foreign Minister Ayman Safadi wrote on social media. 

    Safadi added that he expects more attacks from Israel outside its own borders, warning, “Israel will continue to escalate its aggression, its brutal wars, and its violations of international law, and its threats to regional and international security and peace, unless the international community, particularly the Security Council, takes the necessary steps to deter it and curb its aggression.” His Kuwaiti counterpart expressed similar disdain for the attack on social media Tuesday as well. 

    Israel also attacked at least three targets in Syria on Monday, Charles Lister of the Middle East Institute flagged on social media. Saudi Arabia’s foreign ministry condemned those attacks on social media on Tuesday, describing them as a “flagrant violation of international law and the 1974 Disengagement Agreement between Syria and Israel.” 

    ICYMI: The Israeli military destroyed Syria’s Ministry of Defense in a series of airstrikes in July. MEI’s Lister has a bit more on that situation, here.

    New: Israel used leaflets to warn the estimated million or so people still living in Gaza City to evacuate ahead of an upcoming attack by ground forces, the Associated Press reported Tuesday from the Gaza Strip. “Previously, the military has warned specific sections of Gaza City to evacuate ahead of concentrated operations or strikes,” but never the full city until now. 

    However, “many families can’t evacuate even if they want to, because displacement sites are overcrowded and because it can cost more than $1,000 in transportation and other costs to move to southern Gaza, a prohibitive amount for many,” AP reports, citing United Nations officials. 

    Notable: “Hamas' armed wing, the al-Qassam Brigades, on Tuesday claimed responsibility for a shooting that killed six people on the outskirts of Jerusalem” on Monday, Reuters reports.

    By the way: Israel’s military has destroyed at least 50 high-rise buildings in Gaza over just the past two days, which Bibi described as “only the beginning of the main intensive operation, the ground incursion of our forces.” 

    Big picture: “We are in an intense war against terrorism on several fronts: in Gaza, in Judea and Samaria, in Lebanon, and in Iran that backs them all,” Netanyahu announced Monday. 

    Panning out: “Israel has been accused of genocide, including this month by the world's biggest group of genocide scholars, over its nearly two-year campaign in the Palestinian enclave that has killed more than 64,000 people according to local authorities,” Reuters adds. 


    Welcome to this Tuesday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. On this day in 1948, Soviet army Capt. Kim Il Sung was appointed the first-ever premier of North Korea, which had just been founded with the help of the Soviet military.

    Caribbean ops

    The U.S. naval presence in the Caribbean is up sixfold, counting not by number of hulls but their total displacement, write CSIS’s Mark Cancian and Chris Park, who use that lens and several others in their new report, “Going to War with the Cartels: The Military Implications.” 

    The effort extends from Trump’s campaign vow to “demolish the foreign drug cartels.” But now, Cancian and Park ask, “With Secretary of Defense Pete Hegseth warning that military action ‘won’t stop’” with the Sept. 3 attack on a speedboat, “what does a war on cartels mean in military terms?” Read their analysis, here.

    FWIW: “Members of the U.S. Congress have asked for the legal rationale for the deadly strike, noting that the administration has yet to say how it knew who was in the boat or what it was carrying,” Reuters reports. In response, White House officials “had agreed to provide a classified briefing for congressional staff on Friday, but the meeting was abruptly rescheduled for Tuesday.” Read more, here.

    Commentary: “A killing at sea marks America’s descent into lawless power.” Jon Duffy, a retired Navy captain who held command at sea as well as policy positions in the Pentagon, on Capitol Hill, and on the National Security Council, writes that the U.S. “has crossed a dangerous line” with the speedboat strike. “This was not a counterdrug operation. It was not law enforcement. It was killing without process. And it was, to all appearances, against the letter and the spirit of the law.”

    Duffy adds, “This strike is not only about 11 lives lost at sea. It is about the precedent set when the military is unmoored from law, and when silence from senior leaders normalizes the abuse….The oath is clear: unlawful orders—foreign or domestic—must be disobeyed. To stand silent as the military is misused is not restraint. It is betrayal.” Read that, here.

    Related: “Republicans in Congress are eager for Trump to expand his use of the military on US soil,” AP reported Monday.

    Around the Defense Department

    Marines press ahead with JLTV purchase after Army quits program. The Marine Corps will keep buying the Humvee-replacing Joint Light Tactical Vehicle, though it may end up with fewer than planned if the Army’s sudden exit drives up the cost per vehicle. Defense One’s Meghann Myers has a bit more, here.

    Anduril and Palantir-backed startup Rivet are officially competing to make the Army’s futuristic wearable gear with virtual displays, Defense One’s Myers reported separately Monday. 

    The $350 million competition is a follow-on project to the Integrated Visual Augmentation System, which was just a headset. This new program—called Soldier Borne Mission Command—includes complementary computers and wearables like watches. In the end, Anduril founder Palmer Luckey told reporters on Monday, there will probably be “dozens” of different headsets under the program, rather than one contractor picked to make one product. 

    For what it’s worth, Luckey has dubbed himself “the world’s best head-mounted display designer,” going back to his creation of the Oculus Rift, an early, commercially-available VR headset. “There's nobody better than me, and I know what I'm doing, and I'm going to make sure that we do it the right way,” he said Monday. Continue reading, here.

    New: Space Development Agency Director Derek Tournear is leaving soon to take a job at Auburn University, Breaking Defense reported Monday. 

    Tournear’s been in the post since October 2019, which is long enough to leave with a few accomplishments under his belt, he said in an interview. Those include “proving that Link 16 could be used by satellites to transmit targeting data to weapons platforms in the air, on land and at sea,” and “proving that satellites based in low Earth orbit (LEO) could successfully detect and track missiles.” Continue reading, here.

    Related: Need a “Golden Dome” primer? Shera Frankel of the New York Times turned in this explainer Monday (gift link). 

    Additional reading: 


  • Salat Stealer has emerged as a pervasive threat targeting Windows endpoints with a focus on harvesting browser-stored credentials and cryptocurrency wallet data.

    First detected in August 2025, this Go-based infostealer leverages a range of evasion tactics, including UPX packing and process masquerading, to slip past conventional defenses.

    Its operators advertise the malware through social engineering campaigns on mainstream platforms, promoting fake software cracks and game cheats that deliver the initial payload.

    Upon execution, Salat Stealer silently injects itself into trusted directories under names like Lightshot.exe and Procmon.exe, blending with legitimate processes to avoid suspicion.

    Cyfirma researchers identified the malware’s multi-layered approach within days of its initial sightings.

    The threat employs both registry run keys and scheduled tasks to maintain persistence, creating entries under names such as RuntimeBroker and Lightshot that execute at logon and repeat every three minutes for an extended period.

    Packed with UPX 4.1.0, the binary’s high entropy value of 7.999 disguises its true behavior until runtime.

    Dynamic analysis revealed that child processes spawn under familiar file paths—C:\Program Files (x86)\Windows NT\Lightshot.exe, for example—making detection by endpoint agents more challenging.

    Cyfirma analysts noted that Salat Stealer’s communication with its command-and-control (C2) infrastructure is both resilient and covert.

    Initial contact uses lightweight UDP packets of approximately 45 bytes sent to IP 104.21.80.1, likely serving as keep-alive beacons.

    In parallel, the stealer establishes an encrypted HTTPS channel to salat.cn/salat, with DNS resolutions pointing to 172.67.194.254 and 104.21.60.88.

    When this primary domain is unreachable, a built-in JavaScript routine fetches a list of fallback domains—‘webrat.in’, ‘webrat.top’, and others—from sniff_domain_list.txt, iterating through each via calls to /alive.php until it locates an active panel for redirection.

    The impact of Salat Stealer extends beyond simple credential theft, as it also targets browser extensions for cryptocurrency wallets such as MetaMask, Trust Wallet, and Phantom.

    Targeting Browser Credentials (Source – Cyfirma)

    By scanning the Chrome extension settings directory, the malware extracts seed phrases and private keys, putting users at risk of irreversible financial loss.

    A similar approach applied to desktop wallet applications—including Electrum, Exodus, and Coinomi—allows the stealer to harvest wallet databases and configuration files.

    All exfiltrated data is temporarily stored in the Temp folder under randomized filenames before transmission to the C2 panel.

    Infection and Persistence Mechanisms

    Salat Stealer’s infection chain begins with a social engineering lure that convinces the victim to execute a malicious archive.

    Upon launch, the executable unpacks itself using UPX and immediately spawns child processes that masquerade as legitimate utilities.

    Command and Control Communication (Source – Cyfirma)

    Persistence is achieved through dual mechanisms: registry run keys and scheduled tasks.

    The following code snippet, part of the “Defender Excluder” script module available in the C2 panel, exemplifies how the malware hardens its foothold:-

    if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
      $ProgramFilesX86 = [System.Environment]::GetFolderPath("ProgramFilesX86")
      Add-MpPreference -ExclusionPath $ProgramFilesX86
      $AppData = [System.Environment]::GetFolderPath("ApplicationData")
      Add-MpPreference -ExclusionPath $AppData
      $LocalAppData = [System.Environment]::GetFolderPath("LocalApplicationData")
      Add-MpPreference -ExclusionPath $LocalAppData
    }

    This script quietly adds critical directories to Windows Defender’s exclusion list, ensuring that neither the main payload nor its auxiliary tools are scanned.
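    As an added defender-side example (not Cyfirma's code and not the malware's), the following parses PowerShell script-block text for Add-MpPreference exclusions of the kind shown above and flags those that cover broad, user-writable roots; the special-folder expansions, the user name "victim" and the baseline of "broad" roots are assumptions made for the example.

```python
"""Audit PowerShell script-block text (Event ID 4104 style) for Windows Defender exclusions that
cover broad, user-writable roots, as the Defender Excluder module does. Added example, not Cyfirma code."""
import re

# How the script's [System.Environment]::GetFolderPath(...) calls expand on a host; the user
# name "victim" is a constructed assumption used only to render the paths.
SPECIAL_FOLDERS = {
    "ProgramFilesX86": r"C:\Program Files (x86)",
    "ApplicationData": r"C:\Users\victim\AppData\Roaming",
    "LocalApplicationData": r"C:\Users\victim\AppData\Local",
}
# Roots that should never be excluded wholesale (assumed detection baseline, not from the article).
BROAD_ROOT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^[a-z]:\\program files( \(x86\))?\\?$",                   # every installed program
    r"^[a-z]:\\users\\[^\\]+\\appdata(\\(roaming|local))?\\?$",  # a whole profile data tree
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\?$",        # the Temp staging area
)]
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*\[System\.Environment\]::GetFolderPath\("(\w+)"\)', re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+(\$\w+|\"[^\"]+\"|'[^']+'|\S+)", re.I)

def exclusions_from_script(script):
    """Return the paths the script adds to the exclusion list, resolving $var and GetFolderPath()."""
    variables = {name.lower(): SPECIAL_FOLDERS.get(folder, f"<{folder}>")
                 for name, folder in ASSIGN_RE.findall(script)}
    return [variables.get(arg[1:].lower(), arg) if arg.startswith("$") else arg.strip("\"'")
            for arg in EXCL_RE.findall(script)]

def is_broad_exclusion(path):
    """True when the path hides an entire software or profile tree from scanning."""
    return any(p.match(path) for p in BROAD_ROOT_PATTERNS)

def audit_script(script):
    """Return the broad exclusion paths a script would add; an empty list means nothing to flag."""
    return [p for p in exclusions_from_script(script) if is_broad_exclusion(p)]

# Constructed script-block text mirroring the Defender Excluder snippet plus one narrow, benign entry.
SAMPLE_SCRIPT = r'''
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
  $ProgramFilesX86 = [System.Environment]::GetFolderPath("ProgramFilesX86")
  Add-MpPreference -ExclusionPath $ProgramFilesX86
  $AppData = [System.Environment]::GetFolderPath("ApplicationData")
  Add-MpPreference -ExclusionPath $AppData
  Add-MpPreference -ExclusionPath "C:\Tools\approved-scanner"
}
'''

if __name__ == "__main__":
    for path in audit_script(SAMPLE_SCRIPT):
        print("broad Defender exclusion added:", path)
```

    The same check can be run over the output of Get-MpPreference on a live host by feeding each ExclusionPath entry to is_broad_exclusion.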

    Persistence Mechanism through Registry Run Keys (Source – Cyfirma)

    Simultaneously, scheduled task entries named Lightshot and RuntimeBroker are configured to trigger at every logon and at fixed intervals.

    By combining registry and task scheduler techniques, Salat Stealer sustains long-term access and evasion, demonstrating the growing sophistication of modern MaaS operations.

    The post Salat Stealer Exfiltrates Browser Credentials Via Sophisticated C2 Infrastructure appeared first on Cyber Security News.

  • Fortinet has disclosed a medium-severity vulnerability in its FortiDDoS-F product line that could allow a privileged attacker to execute unauthorized commands. Tracked as CVE-2024-45325, the flaw is an OS command injection vulnerability residing within the product’s command-line interface (CLI).

    The vulnerability, identified as CWE-78, stems from an improper neutralization of special elements used in an OS command. An attacker with high privileges and local access to the system could exploit this weakness by sending specially crafted requests to the CLI.

    A successful exploit would allow the attacker to execute arbitrary code or commands with the permissions of the application, potentially leading to a full system compromise.

    The vulnerability has been assigned a CVSSv3 score of 6.5, categorizing it as medium severity.

    The CVSS vector, AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicates that an attacker requires local access and high-level privileges, and no user interaction is needed.

    Despite the high privilege requirement, the potential impact on confidentiality, integrity, and availability is high. The issue was internally discovered and reported by Théo Leleu of Fortinet’s Product Security team.

    Affected Versions and Mitigation

    Fortinet has confirmed that multiple versions of FortiDDoS-F are affected by this vulnerability. The advisory, FG-IR-24-344, published on September 9, 2025, outlines the specific versions and the recommended actions for administrators.

    | Version         | Affected Range      | Solution                   |
    |-----------------|---------------------|----------------------------|
    | FortiDDoS-F 7.2 | Not affected        | Not Applicable             |
    | FortiDDoS-F 7.0 | 7.0.0 through 7.0.2 | Upgrade to 7.0.3 or above  |
    | FortiDDoS-F 6.6 | All versions        | Migrate to a fixed release |
    | FortiDDoS-F 6.5 | All versions        | Migrate to a fixed release |
    | FortiDDoS-F 6.4 | All versions        | Migrate to a fixed release |
    | FortiDDoS-F 6.3 | All versions        | Migrate to a fixed release |
    | FortiDDoS-F 6.2 | All versions        | Migrate to a fixed release |
    | FortiDDoS-F 6.1 | All versions        | Migrate to a fixed release |

    Administrators running vulnerable versions are strongly urged to apply the recommended updates or migrate to a patched release to prevent potential exploitation.

    Organizations using FortiDDoS-F 7.0 should upgrade to version 7.0.3 immediately, while those on older branches (6.1 through 6.6) must plan a migration to a secure version.

    The post FortiDDoS OS Command Injection Vulnerability Let Attackers Execute Unauthorized Commands appeared first on Cyber Security News.

  • Ivanti on September 9 released a security advisory detailing six medium and five high severity vulnerabilities impacting Ivanti Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access. No evidence of customer exploitation has surfaced so far. Patches and fixes are available immediately to address issues ranging from missing authorization checks and cross-site request forgery (CSRF) flaws to […]

    The post Multiple Vulnerabilities Discovered in Ivanti Connect Secure, Policy Secure, and ZTA Gateways appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • A new wave of phishing attacks purporting to originate from South Korea’s National Tax Service has emerged, leveraging familiar electronic document notifications to trick recipients into divulging their Naver credentials.

    Distributed on August 25, 2025, the email mimics the official format used by Naver’s secure document service, displaying the sender as “National Tax Service” and warning that failure to view the “September Tax Return Payment Due Notice” by August 31 will result in alternative delivery methods.

    The message conveys urgency and legitimacy through a plausible subject line and formatting, but subtle anomalies reveal its malicious intent.

    Upon closer inspection of the email header, forensic analysis shows that the message was dispatched from Mail.ru infrastructure rather than an official NTS server.

    The return-path is schimmel2025@list.ru, and the sender IP 95.163.59.13 corresponds to send174.i.mail.ru. Despite passing SPF, DKIM, and DMARC checks, the email's ARC chain shows only the first Authenticated Received Chain step, without organizational endorsement.

    Kimsuky’s National Tax Service phishing email (Source – Wezard4u Tistory)

    Wezard4u Tistory analysts noted that the absence of official NTS domain records in DNS lookups is a clear red flag for defenders, and alerted users to these inconsistencies.

    Embedded within the body of the email is a link to hxxp://n-info.bill-nts.server-on.net/users2/?m=3Duggcf%3N…&wreply=recipient@naver.com, where the “m” parameter conceals a percent-encoded and ROT13/Base64-mixed URL.

    Decoding reveals a redirection to nid.naver.com, a fabricated login portal designed to harvest credentials.

    The malicious site replicates Naver’s login interface with precise styling, prompting users to enter their username and password under the guise of viewing an official document.

    Phishing email header (Source – Wezard4u Tistory)

    JavaScript injected into the page captures input fields and posts them to a remote server controlled by Kimsuky.

    Detection Evasion Techniques

    Kimsuky’s payload employs multiple evasion tactics to bypass automated filters and human scrutiny.

    By fragmenting the redirect URL across percent-encoding, Base64, and ROT13 layers, the attackers obfuscate the true destination of the link, complicating URL pattern matching by security gateways.

    A simplified Python snippet illustrates the decoding process discovered in the link analysis:-

    import urllib.parse, codecs, base64, binascii

    # Value of the "m" parameter as published (defanged with "(.)" by the analysts)
    raw_param = "uggcf%253N%252S%252Sznvy(.)anire(.)pbz"
    decoded = urllib.parse.unquote(raw_param)        # outer percent-encoding: %25 -> %
    rot13 = codecs.decode(decoded, "rot_13")         # ROT13 layer: uggcf -> https, %3N -> %3A
    payload = urllib.parse.unquote(rot13)            # inner percent-encoding: %3A%2F%2F -> ://
    try:                                             # a Base64 layer, when one is present
        payload = base64.b64decode(payload, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        pass                                         # this sample carries no Base64 layer
    print(payload)

    This routine transforms the encoded string into nid.naver.com, confirming the phishing destination.

    Additionally, the email travels over Mail.ru’s legitimate TLSv1.3 transport, so the message is encrypted in transit from the sending server to Naver’s mail gateway, which further reduces suspicion.

    By combining header forgery, layered URL obfuscation, and realistic UI replication, Kimsuky achieves a high success rate in credential theft campaigns.

    Cybersecurity teams should monitor for Mail.ru–origin traffic masquerading with official domain names and implement decoding routines to flag mixed-encoding URLs.
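    As an added example (not the analysts' code), the following generalises the decoding routine above to any order of percent-encoding, ROT13 and Base64 layers and applies the recommendation just made: a lure link is flagged when a query parameter hides a URL behind two or more distinct encodings, or when the link host is not under the brand's domain. The sample link is constructed in the shape of the one quoted above, and "naver.com" as the expected brand domain is an assumption.

```python
"""Peel percent/ROT13/Base64 layers hiding a redirect target and flag mixed-encoding lure links
(added example, not the analysts' code)."""
import base64, binascii, codecs, re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
ENCODED_URL_RE = re.compile(r"^https?(://|%3A)", re.IGNORECASE)   # plain or percent-encoded scheme
DEFANG_RE = re.compile(r"\((?:\.|dot)\)", re.IGNORECASE)           # "znvy(.)anire" -> "znvy.anire"

def peel(value, max_layers=6):
    """Undo encoding layers until a plain URL appears; return (url or None, layers applied)."""
    current, layers = DEFANG_RE.sub(".", value), []
    for _ in range(max_layers):
        if URL_RE.match(current):
            return current, layers
        if not current:
            break
        if unquote(current) != current:                  # a percent-encoded layer
            current, layers = unquote(current), layers + ["percent"]
            continue
        rot = codecs.decode(current, "rot_13")
        if ENCODED_URL_RE.match(rot):                    # ROT13 hid the scheme (uggcf -> https)
            current, layers = rot, layers + ["rot13"]
            continue
        try:                                             # last resort: a Base64 layer
            current = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers = layers + ["base64"]
    return (current if URL_RE.match(current) else None), layers

def analyze_link(link, expected_domain):
    """Report the lure host and every query parameter that hides a URL behind mixed encodings."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    on_brand = host == expected_domain or host.endswith("." + expected_domain)
    report = {"host": host, "host_matches_brand": on_brand, "hidden_targets": {}}
    for kv in parts.query.split("&"):                    # raw values, so every layer is counted
        name, _, raw = kv.partition("=")
        url, layers = peel(raw)
        if url and len(set(layers)) >= 2:                # two distinct encodings is the tell
            report["hidden_targets"][name] = (urlsplit(url).hostname, layers)
    return report

# Constructed lure link in the shape of the analysed e-mail (defanged sample, not a live URL).
SAMPLE_LINK = ("hxxp://n-info.bill-nts.server-on.net/users2/"
               "?m=uggcf%253N%252S%252Sznvy(.)anire(.)pbz&wreply=recipient@naver.com")

if __name__ == "__main__":
    print(analyze_link(SAMPLE_LINK, "naver.com"))
```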

    The post Beware of Phishing Email from Kimsuky Hackers With Subject September Tax Return Due Date Notice appeared first on Cyber Security News.

  • Ivanti released a security advisory for Endpoint Manager versions 2024 SU3 and 2022 SU8, detailing two high-severity flaws (CVE-2025-9712 and CVE-2025-9872). Both issues stem from insufficient filename validation and require only minimal user interaction, potentially granting full control over affected systems. Vulnerability Overview The two vulnerabilities share identical characteristics and impact: CVE Number Description CVSS Score […]

    The post Ivanti Endpoint Manager Vulnerabilities Allow Remote Code Execution by Attackers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Zoom has released an urgent security update for its Windows client and Workplace platform to address multiple flaws, including a critical vulnerability that could allow attackers to hijack or manipulate the application. Users are strongly encouraged to apply the patch immediately to protect their systems. Update Details The new release covers ten security bulletins targeting […]

    The post Zoom Security Update Fixes Vulnerabilities in Windows Client and Workplace Platform appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.