Cybercriminals continue to evolve their email phishing arsenals, reviving legacy tactics while layering on advanced evasions to slip past automated filters and human scrutiny. In 2025, attackers are pairing tried-and-true approaches, like password-protected attachments and calendar invites, with new twists such as QR codes, multi-stage verification chains, and live API integrations. These refinements not only prolong the […]
GitLab has urgently released patch versions 18.5.1, 18.4.3, and 18.3.5 for its Community Edition (CE) and Enterprise Edition (EE) to address multiple critical security flaws, including several high-severity denial-of-service (DoS) vulnerabilities.
These updates fix issues allowing specially crafted payloads to overwhelm systems, alongside access control and authorization bugs affecting authenticated users.
The company emphasizes immediate upgrades for all self-managed installations, noting that GitLab[.]com is already protected, and Dedicated customers require no action.
Among the most pressing fixes are three DoS vulnerabilities rated high or medium severity, enabling remote attackers to crash GitLab instances without authentication.
The first, CVE-2025-10497, targets event collection, where unauthenticated users send crafted payloads to trigger resource exhaustion and service denial.
Impacting CE/EE versions from 17.10 prior to the patches, it carries a CVSS score of 7.5, highlighting low complexity and high availability impact.
Similarly, CVE-2025-11447 exploits JSON validation in GraphQL requests, allowing unauthenticated actors to flood the system with malicious payloads starting from version 11.0.
This flaw also scores 7.5 on CVSS, affecting a broad range of installations and potentially halting API responses. A medium-severity DoS issue, CVE-2025-11974, arises during file uploads to specific API endpoints, where large files from unauthenticated sources consume excessive resources.
Versions from 11.7 are vulnerable, with a CVSS of 6.5, though it requires low-privilege access in some scenarios.
These vulnerabilities were reported via GitLab’s HackerOne program or discovered internally, underscoring the platform’s exposure to event processing, data validation, and upload mechanisms.
| CVE ID | Description | Severity | CVSS Score | Impacted Versions (CE/EE unless noted) |
| --- | --- | --- | --- | --- |
| CVE-2025-10497 | DoS in event collection | High | 7.5 | 17.10 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1 |
| CVE-2025-11447 | DoS in JSON validation | High | 7.5 | 11.0 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1 |
| CVE-2025-11974 | DoS in upload | Medium | 6.5 | 11.7 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1 |
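As an added illustration, not part of GitLab's advisory, the Python helper below turns the affected-version ranges in the table above into a triage check for a self-managed instance. It assumes versions follow GitLab's major.minor.patch scheme and that the fixed release for any affected branch older than 18.4 is 18.3.5, as the table states.

```python
# Added example (not GitLab's code): triage a self-managed GitLab version
# against the affected ranges published for the three DoS CVEs.

def parse_version(v: str) -> tuple:
    """'18.4.2' -> (18, 4, 2); missing components default to 0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

# Patched release per stable branch, as published in the advisory:
# 18.5.x -> 18.5.1, 18.4.x -> 18.4.3, every older affected branch -> 18.3.5.
FIXED_BY_BRANCH = {(18, 5): (18, 5, 1), (18, 4): (18, 4, 3)}
OLDEST_FIXED = (18, 3, 5)

# Earliest affected version for each DoS CVE, taken from the table.
FIRST_AFFECTED = {
    "CVE-2025-10497": (17, 10, 0),
    "CVE-2025-11447": (11, 0, 0),
    "CVE-2025-11974": (11, 7, 0),
}

def fixed_version_for(ver: tuple) -> tuple:
    """Return the patched release a given version must reach."""
    return FIXED_BY_BRANCH.get(ver[:2], OLDEST_FIXED)

def exposed_cves(version: str) -> list:
    """List the DoS CVEs an instance running `version` is still exposed to.

    A version at or above its branch's fixed release is clean; otherwise
    every CVE whose first affected version is <= the running version applies.
    """
    ver = parse_version(version)
    if ver >= fixed_version_for(ver):
        return []
    return [cve for cve, first in FIRST_AFFECTED.items() if ver >= first]

if __name__ == "__main__":
    for v in ("18.4.2", "18.4.3", "17.9.0", "18.3.4", "18.5.1", "18.6.0"):
        print(v, "->", exposed_cves(v) or "patched / not affected")
```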
Beyond DoS threats, the patches remediate higher-impact issues like CVE-2025-11702, a high-severity improper access control in the runner API for EE, allowing authenticated users to hijack runners across projects with a CVSS of 8.5.
CVE-2025-11971 fixes incorrect authorization in CE pipeline builds, enabling unauthorized executions via commit manipulation (CVSS 6.5).
Lower-severity flaws include business logic errors in EE group memberships (CVE-2025-6601, CVSS 3.8) and missing authorizations in quick actions (CVE-2025-11989, CVSS 3.7), which could lead to unintended access or command execution.
These fixes align with GitLab’s biannual patch schedule, with full details public 30 days post-release on their issue tracker. Bug fixes in the updates address Redis gem downgrades, connection pool errors, and Geo routing leaks across versions.
Mitigations
GitLab strongly urges upgrading all affected self-managed instances immediately to mitigate these risks, applicable to Omnibus, source, and Helm deployments.
Following best practices like regular patching enhances security hygiene, as outlined in their handbook. With no reported exploits yet, proactive updates prevent potential disruptions in development workflows.
When users authenticate to Microsoft cloud services, their activities generate authentication events recorded across multiple logging systems.
Microsoft Entra sign-in logs and Microsoft 365 audit logs capture identical authentication events but represent this critical security data using different formats.
Security analysts investigating incidents frequently encounter the UserAuthenticationMethod field in Microsoft 365 sign-in events, which displays cryptic numeric values such as 16, 272, or 33554432 without official documentation from Microsoft explaining their meaning.
This undocumented field has posed challenges for security teams attempting to analyze authentication patterns, identify suspicious login activities, or assess phishing-resistant authentication adoption.
The lack of documentation meant incident responders working in environments where only Microsoft 365 audit logs were available struggled to understand what authentication methods users employed during sign-in events.
Through systematic correlation analysis between Microsoft Entra sign-in logs and Microsoft 365 audit logs, Sekoia analysts discovered that the UserAuthenticationMethod field operates as a bitfield where each bit position represents a distinct authentication method.
This breakthrough enables security professionals to decode these numeric values into human-readable authentication method descriptions.
The research team mapped each bit position to specific authentication methods by leveraging shared correlation identifiers between the logging systems.
Microsoft 365 audit logs contain an InterSystemsId field while Entra ID logs include a correlationId field, both referencing identical authentication events.
By matching events across sources, researchers correlated numeric UserAuthenticationMethod values with detailed authentication method descriptions found in Entra ID’s authenticationMethodDetail fields.
Decoding the Bitfield Mapping Technique
The bitfield structure allows multiple authentication methods to appear simultaneously in one numeric value.
For instance, value 272 converts to binary as 100010000, activating bit 4 representing Password Hash Sync (decimal value 16) and bit 8 representing via Staged Rollout (decimal value 256), indicating “Password Hash Sync via Staged Rollout” as the authentication mechanism.
The mapping encompasses 28 documented bit positions, including Password in the cloud at bit 0 (decimal 1), Temporary Access Pass at bit 1, Seamless SSO at bit 2, Windows Hello for Business at bit 18 (decimal 262144), and Passkey at bit 25 (decimal 33554432).
However, several bits remain unmapped including positions 5, 7, 9-17, 22, and 26.
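An added example, not Sekoia's own tooling, that decodes the UserAuthenticationMethod bitfield using only the bit positions named above; unmapped bits are reported as unknown rather than guessed. The sample audit events are constructed, and treating Windows Hello for Business and Passkey as the phishing-resistant methods among those mapped is an assumption of the example.

```python
# Added example (not Sekoia's code): decode the Microsoft 365
# UserAuthenticationMethod bitfield. Only bits the research names are mapped.
KNOWN_BITS = {
    0: "Password in the cloud",
    1: "Temporary Access Pass",
    2: "Seamless SSO",
    4: "Password Hash Sync",
    8: "via Staged Rollout",
    18: "Windows Hello for Business",
    25: "Passkey",
}
# Assumption of this example: which mapped methods count as phishing-resistant.
PHISHING_RESISTANT = {18, 25}

def set_bits(value: int) -> list:
    """Return the positions of all set bits, lowest first."""
    return [pos for pos in range(value.bit_length()) if value >> pos & 1]

def decode(value: int) -> list:
    """Translate a UserAuthenticationMethod value into method labels."""
    if value < 0:
        raise ValueError("bitfield value must be non-negative")
    return [KNOWN_BITS.get(pos, f"unknown bit {pos}") for pos in set_bits(value)]

def describe(value: int) -> str:
    """Join labels the way the research phrases them, e.g. 272 ->
    'Password Hash Sync via Staged Rollout'."""
    return " ".join(decode(value)) if value else "(none)"

def is_phishing_resistant(value: int) -> bool:
    """True if any set bit is one of the assumed phishing-resistant methods."""
    return any(pos in PHISHING_RESISTANT for pos in set_bits(value))

def summarise(events: list) -> dict:
    """Count decoded method labels across audit events (adoption overview)."""
    counts: dict = {}
    for ev in events:
        for label in decode(int(ev["UserAuthenticationMethod"])):
            counts[label] = counts.get(label, 0) + 1
    return counts

SAMPLE_EVENTS = [  # constructed for this example, not real log data
    {"UserId": "alice@example.com", "UserAuthenticationMethod": "16"},
    {"UserId": "bob@example.com", "UserAuthenticationMethod": "272"},
    {"UserId": "carol@example.com", "UserAuthenticationMethod": "33554432"},
]
```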
CyberProof researchers detected a significant surge in Remcos (Remote Control & Surveillance Software) campaigns throughout September and October 2025, exploiting sophisticated fileless techniques to evade endpoint detection and response (EDR) solutions. By leveraging highly obfuscated PowerShell scripts and process hollowing into Microsoft’s RMClient.exe, attackers are gaining stealthy persistence and targeting browser credentials. Although Remcos is […]
China-based threat actors have exploited the critical ToolShell vulnerability in Microsoft SharePoint servers to infiltrate networks across multiple continents, targeting government agencies and critical infrastructure in a suspected espionage campaign.
This vulnerability, identified as CVE-2025-53770, enables unauthenticated remote code execution and has been actively used since its disclosure in July 2025, despite Microsoft’s rapid patching efforts.
Security researchers from Symantec report that the attacks began shortly after patches were released, affecting organizations in the Middle East, Africa, South America, and beyond.
ToolShell stems from a deserialization of untrusted data issue in on-premises SharePoint servers, allowing attackers to execute arbitrary code without authentication.
It builds on earlier flaws like CVE-2025-49704 and CVE-2025-49706, which were demonstrated at the Pwn2Own Berlin event in May 2025.
The exploit chain typically involves an authentication bypass (CVE-2025-53771), where a crafted POST request to the ToolPane.aspx endpoint tricks the server into granting access, followed by injecting malicious payloads for code execution.
Microsoft confirmed exploitation by at least three Chinese-linked groups, Budworm (Linen Typhoon), Sheathminer (Violet Typhoon), and Storm-2603, shortly after patching on July 21, 2025.
These actors have leveraged ToolShell for zero-day attacks, compromising file systems and enabling persistent access.
Targets And Attack Patterns
The campaign’s scope is broad, with confirmed breaches in a Middle Eastern telecom firm, two African government departments, South American agencies, a U.S. university, an African state technology entity, a Middle Eastern government department, and a European finance company.
Initial access in the Middle East occurred on July 21, 2025, via a webshell deployment, followed by DLL sideloading of malware using legitimate binaries from Trend Micro and BitDefender.
In South American cases, attackers exploited SQL and Apache HTTP servers with Adobe ColdFusion, using a renamed “mantec.exe” to mimic Symantec tools and sideload malicious DLLs.
Evidence points to mass scanning for vulnerable servers, with selective follow-up on high-value targets for credential theft and lateral movement.
The attackers deployed Zingdoor, a Go-based HTTP backdoor linked to the Glowworm group (aka Earth Estries or FamousSparrow), first documented in 2023 for espionage against government and tech sectors.
ShadowPad, a modular RAT associated with APT41-nexus groups like Blackfly, was also used via DLL sideloading for command execution and updates.
KrustyLoader, a Rust-written loader tied to UNC5221 (a China-nexus actor), delivered second-stage payloads like Sliver, an open-source C2 framework built for red-team emulation that is frequently abused by real attackers.
Living-off-the-land tools included Certutil for downloads, Procdump and LsassDumper for credential dumping, GoGo Scanner for reconnaissance, Revsocks for proxying, and the PetitPotam exploit (CVE-2021-36942) for privilege escalation.
IoCs
This activity highlights ToolShell’s widespread abuse beyond initial reports, underscoring the need for urgent patching of on-premises SharePoint instances.
With over 400 compromises detected and links to Salt Typhoon tactics, the operations suggest state-sponsored espionage focused on persistent, stealthy network access.
Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025.
Also targeted were government departments in an African country, government agencies in South America, a university in the U.S., and likely a state technology
Oracle has disclosed two critical vulnerabilities in its E-Business Suite’s Marketing product that could hand full control to remote attackers.
Tracked as CVE-2025-53072 and CVE-2025-62481, these flaws affect the Marketing Administration component and carry a CVSS score of 9.8, placing them among the most severe threats disclosed this year.
Organizations relying on Oracle’s suite for customer relationship management and marketing automation now face urgent patching needs to avert potential data breaches and system takeovers.
The vulnerabilities stem from weaknesses in how the Marketing Administration component handles HTTP requests. An unauthenticated attacker needs only network access; no special privileges or user interaction are required to exploit them.
Once triggered, the flaws enable full compromise of the Oracle Marketing module, with high impact on confidentiality, integrity, and availability.
This could mean stealing sensitive customer data, altering marketing campaigns, or disrupting operations entirely.
In today’s threat landscape, where ransomware groups and nation-state actors hunt for easy entry points, such exposures in widely used ERP systems like Oracle E-Business Suite amplify the danger.
Details Of The Flaws
Both CVEs target versions 12.2.3 through 12.2.14 of Oracle Marketing, with no mitigations in place beyond applying the latest security patches.
Oracle’s advisory highlights that the issues remain unchanged from initial assessments, underscoring their straightforward exploitability.
The CVSS 3.1 vector for each (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) breaks down to network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impacts across all categories.
| CVE ID | Component | Attack Vector | Requires Auth? | CVSS 3.1 Score | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact | Affected Versions |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-53072 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 |
| CVE-2025-62481 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 |
These entries reveal a pattern: identical scoring and vectors suggest related coding errors, possibly in input validation or session handling, though Oracle has not released specifics to avoid aiding attackers.
Mitigations
The disclosure arrives amid a surge in supply chain attacks targeting enterprise tools, echoing recent breaches at companies like Cisco and Microsoft.
For businesses in retail, finance, or e-commerce where Oracle E-Business Suite powers core marketing functions, these vulnerabilities could expose terabytes of customer profiles to theft or manipulation, leading to regulatory fines under GDPR or CCPA.
In the interim, experts recommend network segmentation, web application firewalls tuned for HTTP anomalies, and monitoring for unusual Marketing Administration traffic.
Cybersecurity firms like Mandiant warn that exploit code may surface soon on dark web forums, given the high incentive.
As enterprises scramble, this incident highlights the need for proactive vulnerability management in legacy systems. With no evidence of active exploitation yet, the window for defense remains open, but it is narrowing fast.
Threat actors are increasingly targeting Azure Blob Storage, Microsoft’s flagship object storage solution, to infiltrate organizational repositories and disrupt critical workloads. With its capacity to handle exabytes of unstructured data for AI, high performance computing, analytics, media streaming, enterprise backup, and IoT ingestion, Blob Storage has become an attractive vector for sophisticated campaigns aiming to […]
SharkStealer, a Golang-based information stealer, has been observed leveraging the Binance Smart Chain (BSC) Testnet as a covert dead-drop mechanism for command-and-control (C2) communications. By adopting an “EtherHiding” pattern, the malware retrieves encrypted C2 details from smart contracts through Ethereum RPC calls, decrypts the payload in memory, and initiates contact—all while blending in with legitimate […]
Cybercriminals are increasingly exploiting a legitimate Microsoft 365 feature designed for enterprise convenience, turning Exchange Online’s Direct Send into a dangerous vector for phishing campaigns and business email compromise attacks. Security researchers across the industry are sounding the alarm as malicious actors leverage this trusted pathway to bypass authentication checks and deliver convincing internal-looking messages […]