• Tor Browser 15.0.1 is now available for download, bringing essential security patches and bug fixes to users across all platforms.

    The latest release includes critical security updates from Firefox 140.5.0esr, addressing multiple vulnerabilities that could impact browser security and user privacy.

    The update upgrades the Tor Browser to Firefox 140.5.0esr and includes critical security fixes from Firefox 145.

    Users on Windows, macOS, and Linux will benefit from the upgraded Firefox engine, which resolves several security concerns identified in the Mozilla security advisories.

    Tor Browser 15.0.1 Released

    The issue with the default zoom resetting to 100% has been fixed, addressing a common annoyance for users who prefer their own zoom levels. The upgrade notification on the about:tor page now displays correctly.

    Linux users will notice improved text rendering: Noto CJK fonts have been restored in place of Jigmo, whose poor readability was most visible in the self-upgrade window.

    Android users benefit from an updated GeckoView to version 140.5.0esr and a critical fix ensuring the extension update job functions properly on mobile devices.

    Tor Browser 15.0.1 updates NoScript to version 13.4, enhancing script management and security. A new feature adds the “No AI” version of DuckDuckGo to the list of available search engines, giving privacy-conscious users another search option that respects their data.

    The development team also improved the search engine sorting mechanism, switching from alphabetical arrangement to the intended order for better usability.

    Users can download Tor Browser 15.0.1 from the official Tor Project website and distribution directory, report any bugs, or provide suggestions for future improvements through their support channels.

    This release highlights our commitment to user privacy and security in a challenging digital environment. Users are strongly recommended to update immediately to ensure they have the latest security patches and improvements.


    The post Tor Browser 15.0.1 Released With Fix for Multiple Security Vulnerabilities appeared first on Cyber Security News.


  • Authentication coercion represents a sophisticated and evolving threat targeting Windows and Active Directory environments across organizations globally.

    This attack method exploits the fundamental communication mechanisms embedded within every Windows operating system, manipulating machines into automatically transmitting sensitive credentials to attacker-controlled infrastructure.

    The emergence of this threat vector reflects a significant shift in how threat actors adapt their strategies to bypass increasingly sophisticated defense mechanisms.

    The attack’s sophistication lies in its ability to leverage legitimate Windows functionality against itself. Attackers establish malicious listeners designed to appear as trusted resources within an organization’s network.

    When a compromised or targeted machine attempts to connect to what it believes is a legitimate server, it automatically sends hashed credentials to the attacker.

    This process occurs through Remote Procedure Call (RPC) functions, which serve as the backbone for inter-process communication across Windows and Active Directory infrastructure.

    The attack requires no special permissions, making it accessible to threat actors operating with minimal technical expertise once proof-of-concept tools become available.

    Recent threat intelligence indicates this attack method poses significant risks due to its widespread exploitation capabilities.

    Palo Alto Networks security analysts identified authentication coercion techniques being weaponized through rare and lesser-known RPC protocols, allowing attackers to evade traditional detection mechanisms.

    The security researchers noted this represents a concerning trend where threat actors deliberately misuse obscure RPC functions to avoid triggering conventional monitoring alerts.

    The technical mechanics of authentication coercion center on RPC message protocols and their parameter handling.

    Simplified authentication coercion attack scenario (Source: Palo Alto Networks)

    Remote Procedure Call functions are designed for both local and remote system communication, with many accepting Universal Naming Convention (UNC) paths as parameters.

    When attackers craft malicious RPC requests containing attacker-controlled UNC paths, the targeted machine’s automatic authentication behavior becomes weaponized.

    For instance, the ElfrOpenBELW function within the MS-EVEN EventLog Remoting Protocol can be exploited in this manner, though this particular interface rarely appears in normal organizational network traffic.

    Authentication coercion mechanisms

    A detailed analysis of authentication coercion mechanisms reveals multiple exploitation vectors through different protocols.

    The MS-RPRN Print System Remote Protocol, MS-EFSR Encrypting File System Remote Protocol, MS-DFSNM Distributed File System Namespace Management Protocol, and MS-FSRVP File Server Remote VSS Protocol all present exploitable opnums that threat actors leverage.

    A summary of the attack stages seen on a customer network (Source: Palo Alto Networks)

    Well-documented tools including PrinterBug, PrintNightmare, PetitPotam, DFSCoerce, and ShadowCoerce demonstrate how readily available exploit frameworks simplify execution of these attacks.

    The impact of successful authentication coercion extends far beyond simple credential theft. Organizations face complete domain compromise scenarios where attackers steal NTLM hashes of critical infrastructure including Domain Controllers and Certificate Authority servers.

    These credentials enable lateral movement, privilege escalation through DCSync attacks, and establishment of persistent access mechanisms.

    In documented incidents, threat actors have executed NTLM relay attacks leveraging stolen machine account hashes against certificate authorities, creating pathways for long-term persistence and sensitive data exfiltration.

    Organizations must implement robust detection strategies focusing on anomalous RPC traffic patterns, including unusual source-destination combinations, suspicious UNC path parameters, and calls targeting rarely-used interfaces.

    Critical preventive measures include enforcing SMB signing across domains, disabling unused RPC services on critical assets, implementing Extended Protection for Authentication, and applying Windows RPC filters through the netsh utility.

    Modern endpoint detection and response platforms provide behavioral analysis capabilities essential for identifying these subtle attack patterns before successful credential harvesting occurs.
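    The detection strategy above (anomalous source-destination pairs, suspicious UNC path parameters, calls to rarely used interfaces) can be expressed as a small rule set over RPC call telemetry. The following Python is an added example, not code from Palo Alto Networks or the article; it consumes constructed JSON records of the kind a network sensor or RPC audit pipeline might emit. The interface names and ElfrOpenBELW come from the article; EfsRpcOpenFileRaw, RpcOpenPrinter and NetrShareEnum are function names from the published Microsoft protocol specifications used only to make the sample records realistic. The allowlist of file servers, the critical-asset map and every address are constructed assumptions.

```python
import ipaddress
import json
import re

# Interfaces the article names as carrying coercion-prone opnums.
COERCION_PRONE_INTERFACES = {"MS-RPRN", "MS-EFSR", "MS-DFSNM", "MS-FSRVP", "MS-EVEN"}

# Interfaces that, per the article, rarely appear in normal traffic; any call deserves a look.
RARE_INTERFACES = {"MS-EVEN"}

# Constructed inventory (assumption): hosts that legitimately appear in UNC paths,
# and assets whose machine-account hashes matter most if coerced.
APPROVED_UNC_HOSTS = {"fs01", "print01", "fs01.corp.example"}
CRITICAL_ASSETS = {"10.0.1.10": "DC01", "10.0.1.11": "CA01"}

# Constructed RPC telemetry (not real traffic): one JSON record per line.
SAMPLE_RPC_LOG = r"""
{"src": "10.0.2.40", "dst": "10.0.1.10", "interface": "MS-SRVSVC", "function": "NetrShareEnum", "params": ["\\\\FS01"]}
{"src": "10.0.2.40", "dst": "10.0.3.5", "interface": "MS-RPRN", "function": "RpcOpenPrinter", "params": ["\\\\PRINT01\\HP-3F"]}
{"src": "10.0.5.23", "dst": "10.0.1.10", "interface": "MS-EVEN", "function": "ElfrOpenBELW", "params": ["\\\\10.0.9.77\\share\\backup.evt"]}
{"src": "10.0.5.23", "dst": "10.0.1.11", "interface": "MS-EFSR", "function": "EfsRpcOpenFileRaw", "params": ["\\\\attacker-box\\x\\y"]}
"""

# A UNC path starts with two backslashes followed by the host component.
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)")


def unc_hosts(params):
    """Return the host component of every UNC path among a call's parameters."""
    hosts = []
    for p in params:
        if isinstance(p, str):
            m = UNC_HOST_RE.match(p)
            if m:
                hosts.append(m.group(1))
    return hosts


def is_ip_literal(host):
    """True when the UNC host is a raw IP address rather than a server name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_rpc_log(log_text):
    """Return one alert dict per suspicious call; an empty list means nothing was flagged."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        iface = rec["interface"]
        reasons = []
        if iface in RARE_INTERFACES:
            reasons.append(f"call on rarely used interface {iface}")
        if iface in COERCION_PRONE_INTERFACES:
            for host in unc_hosts(rec.get("params", [])):
                if is_ip_literal(host):
                    reasons.append(f"UNC path points at IP literal {host}")
                elif host.lower() not in APPROVED_UNC_HOSTS:
                    reasons.append(f"UNC path points at unapproved host {host}")
        if reasons:
            asset = CRITICAL_ASSETS.get(rec["dst"])
            alerts.append({
                "src": rec["src"],
                "dst": rec["dst"],
                "function": rec["function"],
                # A coerced Domain Controller or CA is the worst case the article describes.
                "severity": "high" if asset else "medium",
                "critical_asset": asset,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_rpc_log(SAMPLE_RPC_LOG):
        print(alert)
```

    Only the two calls that combine a coercion-prone interface with a UNC host outside the inventory are raised, and both are rated high because the destination is a Domain Controller or Certificate Authority; the benign printer and share-enumeration calls pass. In production the allowlist would be generated from the CMDB rather than hard-coded, and the "rare interface" set would be learned from a traffic baseline.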


    The post Authentication Coercion Attack Tricks Windows Machines into Revealing Credentials to Attack-controlled Servers appeared first on Cyber Security News.


  • A Server-Side Request Forgery (SSRF) vulnerability has been disclosed in OpenAI’s ChatGPT. The flaw, lurking in the Custom GPT “Actions” feature, allowed attackers to trick the system into accessing internal cloud metadata, potentially exposing sensitive Azure credentials.

    The bug, discovered by Open Security during casual experimentation, highlights the risks of user-controlled URL handling in AI tools.

    SSRF vulnerabilities occur when applications blindly fetch resources from user-supplied URLs, enabling attackers to coerce servers into querying unintended destinations. This can bypass firewalls, probe internal networks, or extract data from privileged services.

    As cloud adoption grows, SSRF’s dangers amplify; major providers like AWS, Azure, and Google Cloud expose metadata endpoints, such as Azure’s at http://169.254.169.254, which contain instance details and API tokens.

    The Open Web Application Security Project (OWASP) added SSRF to its Top 10 list in 2021, underscoring its prevalence in modern apps.

    The researcher, experimenting with Custom GPTs, a premium ChatGPT Plus tool for building tailored AI assistants, noticed the “Actions” section. This lets users define external APIs via OpenAPI schemas, allowing the GPT to call them for tasks like weather lookups.

    The interface includes a “Test” button to verify requests and supports authentication headers. Spotting the potential for SSRF, the researcher tested by pointing the API URL to Azure’s Instance Metadata Service (IMDS).

    Initial attempts failed because the feature enforced HTTPS URLs, while IMDS uses HTTP. Undeterred, the researcher bypassed this using a 302 redirect from an external HTTPS endpoint (via tools like ssrf.cvssadvisor.com) to the internal metadata URL. The server followed the redirect, but Azure blocked access without the “Metadata: true” header.

    Further probing revealed a workaround: the authentication settings allowed custom “API keys.” Naming one “Metadata” with value “true” injected the required header.
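    The three weaknesses the writeup walks through (trusting a user-supplied URL, following a redirect without re-checking its target, and letting a user-named "API key" become an arbitrary request header) map to three checks a server-side fetcher needs. The Python below is an added example written for this article, not OpenAI's code; it places a naive fetcher beside a hardened one and runs both against constructed DNS answers and HTTP responses so it works offline. The hostnames, the public addresses they resolve to, and the token value are all constructed; the metadata address and the Metadata header behaviour follow the article.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed DNS answers (assumption): arbitrary public addresses, not any real service's.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",
    "redirector.example.net": "93.184.216.35",
    "redirector-tls.example.net": "93.184.216.36",
    "169.254.169.254": "169.254.169.254",
}
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def fake_http(url, headers):
    """Constructed stand-in for an HTTP client: returns (status, headers, body)."""
    if url == "https://api.example.com/weather":
        return 200, {}, "sunny"
    if url == "https://redirector.example.net/go":
        return 302, {"Location": IMDS_URL}, ""
    if url == "https://redirector-tls.example.net/go":
        return 302, {"Location": "https://169.254.169.254/metadata/instance"}, ""
    if url == IMDS_URL:
        # The metadata service refuses requests that lack its marker header.
        if headers.get("Metadata", "").lower() != "true":
            return 400, {}, "Metadata header required"
        return 200, {}, '{"access_token": "CONSTRUCTED-TOKEN"}'
    return 404, {}, ""


REDIRECTS = (301, 302, 307, 308)


def naive_fetch(url, headers, max_hops=5):
    """Trusts the URL, forwards user headers verbatim, follows redirects blindly."""
    for _ in range(max_hops):
        status, resp_headers, body = fake_http(url, headers)
        if status in REDIRECTS:
            url = urljoin(url, resp_headers["Location"])
            continue
        return status, body
    raise RuntimeError("too many redirects")


class UnsafeRequest(ValueError):
    """Raised when a request would reach somewhere the fetcher must not go."""


# Header names a caller must never be allowed to set on a server-side request.
FORBIDDEN_HEADERS = {"metadata", "host", "x-forwarded-for"}


def check_url(url):
    """Reject non-HTTPS schemes and hosts that resolve to non-public addresses."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UnsafeRequest(f"scheme {parsed.scheme!r} not allowed")
    host = parsed.hostname
    if host is None:
        raise UnsafeRequest("missing host")
    ip = FAKE_DNS.get(host.lower())
    if ip is None:
        raise UnsafeRequest(f"cannot resolve {host}")
    if not ipaddress.ip_address(ip).is_global:
        raise UnsafeRequest(f"{host} resolves to non-public address {ip}")
    return parsed


def safe_fetch(url, headers, max_hops=5):
    """Same fetch, but every header and every redirect hop is validated before use."""
    for name in headers:
        if name.lower() in FORBIDDEN_HEADERS:
            raise UnsafeRequest(f"header {name!r} not allowed")
    for _ in range(max_hops):
        check_url(url)
        status, resp_headers, body = fake_http(url, headers)
        if status in REDIRECTS:
            # Re-validate the new target on the next loop iteration instead of trusting it.
            url = urljoin(url, resp_headers["Location"])
            continue
        return status, body
    raise UnsafeRequest("too many redirects")


def describe(fetch, url, headers):
    """Run a fetcher and summarise the outcome as one string (handy for logs and tests)."""
    try:
        status, body = fetch(url, headers)
        return f"{status} {body}"
    except UnsafeRequest as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(describe(naive_fetch, "https://redirector.example.net/go", {"Metadata": "true"}))
    print(describe(safe_fetch, "https://redirector.example.net/go", {"Metadata": "true"}))
```

    The naive fetcher reproduces the article's chain end to end: an HTTPS front door, a 302 to the HTTP metadata address, and a caller-supplied Metadata header that satisfies the service. The hardened fetcher stops it three separate times, which is the point: header filtering, per-hop scheme checks and per-hop address checks each block the chain on their own, so a gap in one does not reopen it. Real deployments should also pin the resolved address for the actual connection, since validating and then re-resolving leaves a DNS rebinding window.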

    Success! The GPT returned IMDS data, including an OAuth2 token for Azure’s management API (requested via /metadata/identity/oauth2/token?resource=https://management.azure.com/).

    This token granted direct access to OpenAI’s cloud environment, enabling resource enumeration or escalation.

    The impact was severe. In cloud setups, such tokens could pivot to full compromise, as seen in past Open Security pentests where SSRF led to remote code execution across hundreds of instances.

    For ChatGPT, it risked leaking production secrets, though the researcher noted it wasn’t the most catastrophic they’d found.

    Reported promptly to OpenAI’s Bugcrowd program, the vulnerability was assigned high severity and received a swift patch. OpenAI confirmed the fix, preventing further exploitation.


    The post ChatGPT Hacked Using Custom GPTs Exploiting SSRF Vulnerability to Expose Secrets appeared first on Cyber Security News.


  • Microsoft has disclosed a critical SQL injection vulnerability in SQL Server that could allow authenticated attackers to escalate their privileges over a network. Tracked as CVE-2025-59499 and assigned an Important severity rating, the vulnerability stems from improper neutralization of special elements in SQL commands, exposing enterprise databases to potential unauthorized administrative access. The vulnerability, disclosed […]

    The post Microsoft SQL Server Vulnerability Allows Privilege Escalation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has disclosed two critical security vulnerabilities affecting GitHub Copilot and Visual Studio Code that could allow attackers to bypass important security protections. Both flaws were reported on November 11, 2025, and carry “Important” severity ratings, posing immediate risks to developers using these widely adopted tools. CVE ID Affected Product Impact Type Max Severity CVSS […]

    The post GitHub Copilot and Visual Studio Flaws Let Attackers Bypass Security Protections appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google has released a new stable Chrome update that addresses a serious flaw in its V8 JavaScript engine. The update, now available as version 142.0.7444.162/.163 for Windows, 142.0.7444.162 for Mac, and 142.0.7444.162 for Linux, will roll out to users over the coming days and weeks. CVE ID Severity Affected Component Description CVE-2025-13042 High V8 JavaScript […]

    The post Chrome Security Update Fixes Improper Implementation in V8 JavaScript Engine appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Google on Tuesday unveiled a new privacy-enhancing technology called Private AI Compute to process artificial intelligence (AI) queries in a secure platform in the cloud. The company said it has built Private AI Compute to “unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else, not


  • A newly identified Android remote access trojan (RAT) dubbed KomeX has surfaced on underground hacker forums, generating widespread concern within the cybersecurity community.

    Marketed by a threat actor under the alias “Gendirector,” KomeX is built atop the infamous BTMOB RAT codebase and presents a formidable arsenal of spying and device control features.

    Recognized for its sophistication, KomeX is designed to compromise Android devices en masse, making it an enticing tool for cybercriminals seeking to monetize mobile infections.

    The malware’s distribution tactics rely heavily on malicious Android apps pushed via unofficial marketplace sources and phishing campaigns.

    Victims are typically enticed to install tampered applications or unwittingly click on convincing social engineering lures.

    What sets KomeX apart is its aggressive approach to obtaining device permissions almost immediately after installation, drastically expanding its reach and resilience once embedded in a target system.

    KrakenLabs security analysts were instrumental in identifying and dissecting KomeX after its forum debut.

    Their analysis revealed the trojan’s ability to bypass Google Play Protect, stripping Android devices of a fundamental protective barrier against malware.

    Among its notable capabilities are high-fidelity live screen streaming, stealth audio and video capture via camera and microphone, instant access to SMS interception and manipulation, live geolocation tracking, remote control of all major apps, and full filesystem access layered with a covert keylogger.

    The RAT is sold with tiered pricing: short-term access, lifetime updates, or full source code for criminal syndicates seeking custom modifications.

    Infection Mechanism

    Technically, KomeX maximizes its control by automatically requesting and securing invasive permissions through its AndroidManifest.xml configuration:

    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>

    Upon installation, KomeX abuses accessibility features to silently grant these permissions, enabling deep integration and persistent access.
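    The manifest fragment above is exactly what a pre-installation triage step can key on: the overlay, SMS and boot-persistence permissions the article quotes, the camera, microphone and location permissions implied by its feature list, and a declared accessibility service, which is the hook the article says is abused to self-grant the rest. The Python below is an added example, not KrakenLabs' tooling or anything from KomeX; it parses a constructed manifest for a fictitious app (assumption) and scores the combination. The permission and action names are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions the article quotes, plus those implied by the capabilities it lists.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake screens, click hijacking)",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboot",
    "android.permission.CAMERA": "covert video capture",
    "android.permission.RECORD_AUDIO": "covert audio capture",
    "android.permission.ACCESS_FINE_LOCATION": "live geolocation",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest for a fictitious "flashlight" app (assumption); not KomeX's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def declared_accessibility_services(root):
    """Names of services that bind as accessibility services (by permission or intent action)."""
    names = []
    for svc in root.iter("service"):
        binds = svc.get(PERM_ATTR) == ACCESSIBILITY_BIND
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            names.append(svc.get(NAME_ATTR))
    return names


def triage_manifest(xml_text):
    """Return the package name, a list of findings and a simple risk score for one manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    findings = [f"{p}: {HIGH_RISK_PERMISSIONS[p]}" for p in sorted(requested & set(HIGH_RISK_PERMISSIONS))]
    a11y = declared_accessibility_services(root)
    findings += [f"accessibility service declared: {name}" for name in a11y]
    # The article's pattern: overlay + boot persistence + an accessibility service
    # is the combination that lets a RAT grant itself everything else silently.
    core = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_BOOT_COMPLETED"}
    combo_bonus = 3 if core <= requested and a11y else 0
    return {"package": root.get("package"), "findings": findings, "score": len(findings) + combo_bonus}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

    A flashlight app that asks for SMS, overlay and boot permissions and ships an accessibility service is scored far above the plain notes app. The score is a triage heuristic for deciding what a human or a sandbox looks at first, not a verdict; legitimate accessibility tools and SMS clients will trip individual rules, which is why the combination carries the extra weight.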

    To resist removal, KomeX employs a fake uninstall module — simulating app deletion but secretly continuing operations in the background.

    Its infection lifecycle includes initial delivery, privilege escalation, secret data exfiltration, and durable anti-removal tactics, showcasing a complete, professional malware engineering approach.


    The post New KomeX Android RAT Advertised on Hacker Forums with Multiple Subscription Options appeared first on Cyber Security News.


  • A large-scale phishing campaign has emerged, exploiting Meta’s Business Suite to compromise credentials across thousands of small and medium-sized businesses worldwide.

    Check Point security researchers identified approximately 40,000 phishing emails distributed to more than 5,000 customers, primarily targeting industries including automotive, education, real estate, hospitality, and finance across the U.S., Europe, Canada, and Australia.

    The sophisticated attack leverages legitimate Meta infrastructure, making detection substantially more difficult than traditional phishing attempts.

    The campaign demonstrates a troubling evolution in threat tactics. Rather than relying on spoofed domains and fake infrastructure, attackers have weaponized Meta’s native Business invitation feature to establish credibility.

    This approach exploits user trust in established platforms and circumvents conventional email security filters that typically flag suspicious sender addresses.

    Example of a real phishing email we caught (Source: Check Point)

    By originating from the legitimate facebookmail.com domain, these messages appear authentic and indistinguishable from genuine Meta notifications.

    Check Point security analysts identified the campaign after observing repetitive patterns in email subjects and structure consistent with template-driven mass distribution.

    New Phishing Attack

    The attackers created fraudulent Facebook Business pages adorned with official Meta branding and logos, then deployed these fake pages to send Business Portfolio invitations containing embedded malicious links.

    Recipients were redirected to credential harvesting pages hosted on domains such as vercel.app, where sensitive information was extracted and intercepted.

    The infection mechanism relies on social engineering and domain trust exploitation. Emails utilized urgent language such as “Action Required,” “You’re Invited to Join the Free Advertising Credit Program,” and “Account Verification Required,” compelling users to click embedded links.

    The messages perfectly mimicked legitimate Meta notifications, including proper formatting and branding elements.

    Once victims clicked the links, they were redirected to phishing websites designed specifically to capture login credentials and other sensitive account information.
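    Because the messages really do come from facebookmail.com, sender checks alone will pass them; what distinguishes them is the mismatch between a trusted notification sender and a link that leaves the brand's domains, reinforced by the urgency phrasing the article quotes. The Python below is an added example, not Check Point's detection logic; it parses a constructed message (assumption: a fictitious recipient and a fictitious vercel.app hostname modelled on the campaign's traits, not a real sample) and applies exactly those two heuristics. The mapping of sender domain to permitted link hosts is a constructed policy.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the campaign's traits; not a real email from the campaign.
SAMPLE_EMAIL = """From: "Meta for Business" <notification@facebookmail.com>
To: owner@smallbiz.example
Subject: Action Required: You're Invited to Join the Free Advertising Credit Program
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have been invited to a Business Portfolio.</p>
<p><a href="https://biz-review-portal.vercel.app/login">Accept invitation</a></p>
<p><a href="https://www.facebook.com/policies">Terms</a></p>
</body></html>
"""

# Constructed policy (assumption): hosts a genuine notification from each sender may link to.
TRUSTED_SENDER_LINK_HOSTS = {
    "facebookmail.com": {"facebook.com", "meta.com", "instagram.com", "fb.com"},
}
# Lures the article quotes from the campaign's subject lines.
URGENCY_PHRASES = ("action required", "account verification required", "free advertising credit", "you're invited")


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def within(host, base):
    """True when host is base itself or a subdomain of it."""
    return host == base or host.endswith("." + base)


def triage_email(raw):
    """Return sender domain, off-brand link hosts, urgency hits and a verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    subject = str(msg["Subject"]).lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body_part.get_content() if body_part else "")

    allowed = TRUSTED_SENDER_LINK_HOSTS.get(sender_domain)
    off_brand = []
    if allowed is not None:
        # A trusted notification sender whose links leave the brand is the campaign's signature.
        for href in extractor.hrefs:
            host = host_of(href)
            if host and not any(within(host, base) for base in allowed):
                off_brand.append(host)

    urgency = [phrase for phrase in URGENCY_PHRASES if phrase in subject]
    if off_brand and urgency:
        verdict = "likely phishing"
    elif off_brand or urgency:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sender_domain": sender_domain, "off_brand_links": off_brand,
            "urgency_hits": urgency, "verdict": verdict}


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
```

    The constructed sample is flagged on both counts: the one link that leaves Meta's domains and three of the quoted lure phrases in the subject. Genuine invitation emails link back to facebook.com, so the off-brand rule is the one that separates this campaign from the notifications it imitates; the urgency rule alone would also catch some legitimate mail, which is why the two are combined before the strong verdict.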

    Organizations should implement multi-factor authentication to prevent unauthorized access even when credentials are compromised.

    Additionally, employees must receive training emphasizing credential verification and cautious link evaluation, regardless of sender legitimacy.

    Advanced email security solutions incorporating behavioral analysis and artificial intelligence-driven detection provide enhanced protection against this evolving threat landscape.

    Direct navigation to official Meta accounts rather than clicking email links represents another crucial defensive measure against these sophisticated credential theft attempts.


    The post New Phishing Attack Targeting Meta Business Suite Users to Steal Login Credentials appeared first on Cyber Security News.


  • Microsoft has disclosed a significant vulnerability in Windows Remote Desktop Services (RDS) that could allow authorized attackers to escalate their privileges on affected systems.

    Tracked as CVE-2025-60703, the flaw stems from an untrusted pointer dereference, a classic memory safety issue that has plagued software for years, and carries an “Important” severity rating from the company.

    The vulnerability affects the core of Windows RDS, a widely used protocol for remote access to Windows machines. According to Microsoft’s advisory, an authorized local attacker could exploit this weakness to gain elevated privileges, potentially reaching SYSTEM-level access.

    This means a user with standard credentials on a compromised machine could bypass security controls and execute arbitrary code with administrative rights.

    While the issue requires local authentication, it poses a serious risk in multi-user environments, such as enterprise networks or shared servers, where insider threats or initial footholds (like through phishing) are common.

    Technically, CVE-2025-60703 falls under CWE-822: Untrusted Pointer Dereference, where the software fails to validate a pointer before dereferencing it, leading to potential memory corruption.

    Microsoft classifies the exploitability as “Unlikely” at this stage, with no public disclosure or evidence of active exploitation. The CVSS score, sourced directly from Microsoft, underscores its importance without escalating to Critical status, likely due to the local attack vector.

    Affected versions span multiple Windows releases, including Windows 10, Windows 11, and Server editions with RDS components enabled, which are integral to remote-work setups post-pandemic.

    Product                | Affected Versions                         | Patched By (KB/Update)
    Windows Server 2012 R2 | All versions before November 2025 ESU     | KB5068905 (November 2025 security update)
    Windows Server 2008    | All versions before November 2025 ESU     | November 2025 ESU security update
    Windows Server 2008 R2 | All ESU-eligible versions before update   | November 2025 ESU cumulative update
    Windows 7 ESU          | All ESU-eligible versions before update   | November 2025 ESU cumulative update
    Windows 8.1 ESU        | All ESU-eligible versions before update   | November 2025 ESU cumulative update

    Microsoft urges immediate patching, with updates rolled out via Windows Update. Organizations relying on RDS for virtual desktop infrastructure (VDI) or remote administration should prioritize deployment.

    As an added precaution, experts recommend enforcing least-privilege principles, monitoring for unusual privilege escalations, and segmenting networks to limit lateral movement.

    This disclosure comes amid a surge in Windows-targeted threats, including recent zero-day vulnerabilities in other Microsoft products. While not yet weaponized, CVE-2025-60703 serves as a reminder of the enduring challenges in securing remote access protocols.

    Security teams are advised to review Microsoft’s full advisory and test patches in staging environments to avoid disruptions.


    The post Windows Remote Desktop Services Vulnerability Let Attackers Escalate Privileges appeared first on Cyber Security News.
