With the release of Kali Linux 2025.3, a major update introduces an innovative tool that combines artificial intelligence and cybersecurity: the Gemini Command-Line Interface (CLI).
This new open-source package integrates Google’s powerful Gemini AI directly into the terminal, offering penetration testers and security professionals an intelligent assistant designed to streamline and automate complex security workflows.
The introduction of the Gemini CLI marks a pivotal moment in the evolution of penetration testing.
For years, security operations have involved manually chaining together various tools for reconnaissance, enumeration, and exploitation.
Gemini CLI Automates Work Flows
This AI-powered agent promises to transform these workflows by automating repetitive tasks and dynamically adapting reconnaissance strategies.
By offloading the tedious work, the Gemini CLI frees up valuable time for security analysts, allowing them to focus on deeper analysis, vulnerability remediation, and the strategic aspects of application security that still require human expertise.
This shift allows for a more efficient and effective security posture, where human judgment is augmented, not replaced, by machine intelligence. For security professionals, the practical applications are extensive.
The Gemini CLI can assist in testing for common vulnerabilities, including the OWASP Top 10, by providing AI-guided suggestions for both identification and remediation.
Instead of manually scripting connections between different tools, an analyst can now use natural language prompts to direct the AI to perform a sequence of actions.
For example, a tester could instruct Gemini to conduct a port scan, identify services, and then launch a series of vulnerability checks against any discovered web servers.
This capability significantly accelerates the initial phases of a penetration test without sacrificing the rigor and precision that skilled analysts provide. The tool is designed to complement the analyst’s skills, acting as a force multiplier.
The goal is not to replace the critical thinking and intuition of a seasoned expert but to handle the laborious processes that can consume a significant portion of an assessment.
With features like an interactive mode and even a “YOLO” (You Only Live Once) mode to automatically accept all suggested actions, it provides flexibility for different use cases, from careful, supervised testing to rapid, automated scans.
The integration keeps the human operator firmly in control, ensuring that the AI serves as a powerful assistant rather than an autonomous agent.
Getting started with the new tool is straightforward for any Kali user. The gemini-cli package is a lightweight addition, with an installed size of just 12.04 MB.
It can be installed with a simple command: sudo apt install gemini-cli. As the cybersecurity landscape continues to evolve, the integration of AI tools like the Gemini CLI into standard platforms like Kali Linux signifies a clear direction for the industry.
Professionals who embrace these advancements, learning to leverage AI to enhance their natural abilities, will be best positioned to tackle the next generation of security challenges.
A publicly available proof-of-concept (PoC) exploit has been released for CVE-2025-32463, a local privilege escalation (LPE) flaw in the Sudo utility that can grant root access under specific configurations.
Security researcher Rich Mirch is credited with identifying the weakness, while a functional PoC and usage guide have been published in an open GitHub repository, accelerating the urgency for patching across Linux environments that rely on Sudo’s chroot functionality.
According to the project documentation, versions 1.9.14 through 1.9.17 are vulnerable, with fixes available in 1.9.17p1 and later. Systems running legacy builds prior to 1.9.14 are not impacted because the chroot feature did not exist in those releases.
Local Privilege Escalation Flaw (CVE-2025-32463)
The vulnerability resides in how Sudo handles chroot-related invocation paths and environment when executing commands with elevated privileges.
Under certain conditions, a low-privileged user can exploit the chroot feature to pivot out of the constrained environment and execute commands as root.
This turns a standard LPE scenario into full system compromise when Sudo policies permit chroot usage.
The PoC demonstrates a straightforward exploitation flow: verify the target Sudo version, run the exploit script, and observe the effective UID/GID change to root.
PoC Exploit code
In testing screenshots, the user transitions from uid=1001 to uid=0 after executing the script, confirming successful escalation.
The project explicitly categorizes the issue as “Local Privilege Escalation to Root via Sudo chroot in Linux,” emphasizing that weaponization hinges on local account access and specific Sudo configurations that enable chroot execution.
Risk Factors
Details
Affected Products
Sudo versions 1.9.14 through 1.9.17
Impact
Local privilege escalation
Exploit Prerequisites
Local user access with ability to invoke sudo under misconfigured chroot settings
CVSS 3.1 Score
Not yet assigned
Mitigations
Immediate remediation is to upgrade Sudo to 1.9.17p1 or newer across affected hosts. Where upgrades must be staged, administrators should harden Sudoers policies to deny or tightly restrict use of chroot, and enforce least privilege.
Mandatory access control frameworks such as AppArmor or SELinux can further constrain Sudo behavior and contain abuse paths during change windows.
From a detection perspective, defenders should monitor for anomalous Sudo invocations referencing chroot or unusual working directories, correlate privilege transitions (uid changes to 0) from non-standard shells or paths, and alert on rapid “id → exploit → id” sequences commonly seen during exploitation tests.
A critical use-after-free vulnerability, identified as CVE-2025-49844, has been discovered in Redis servers, enabling authenticated attackers to achieve remote code execution.
This high-severity flaw affects all versions of Redis that utilize the Lua scripting engine, presenting a significant threat to a wide range of deployments that rely on the popular in-memory data store.
The core of the issue lies in how Redis handles memory management within its Lua scripting component. An authenticated user with permissions to run Lua scripts can craft a malicious script to manipulate the server’s garbage collector.
This manipulation triggers a use-after-free condition, a memory corruption flaw where the application attempts to access memory after it has already been freed.
Vulnerability Details
A skilled attacker can exploit this condition to hijack the application’s execution flow, ultimately leading to the execution of arbitrary code on the server. This provides the attacker with control over the Redis instance and the underlying system.
The potential for remote code execution makes this a critical vulnerability. A successful exploit could allow an attacker to compromise the confidentiality, integrity, and availability of the data stored within the Redis database.
Attackers could steal sensitive information, modify or delete records, or cause a denial-of-service condition. Furthermore, a compromised Redis server can serve as a foothold for attackers to move laterally across a network, escalating their privileges and targeting other internal systems.
The flaw’s impact is widespread, as it affects all Redis versions that support Lua scripting, a feature that has been integral to the platform for many years.
CVE ID
Affected Product(s)
Impact
Exploit Prerequisites
CVSS 3.1 Score
CVE-2025-49844
All Redis versions with Lua scripting
Remote Code Execution
Authenticated access with permissions to execute Lua scripts
To be determined
Mitigations
While organizations await a formal security patch, a robust workaround is available to mitigate the risk. Administrators are strongly advised to prevent users from executing Lua scripts, which is the primary attack vector.
This can be implemented by modifying Redis Access Control Lists (ACLs) to restrict the EVAL and EVALSHA commands. By blocking these commands, any attempt to run a malicious script will be denied, effectively neutralizing the threat.
This workaround provides an immediate defense without needing to update the redis-server executable and should be prioritized for all production environments.
The issue was responsibly disclosed by researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik of Wiz, who collaborated with Trend Micro’s Zero Day Initiative.
Modern ransomware operations have evolved far beyond simple opportunistic attacks into sophisticated, multi-stage campaigns that exploit legitimate Remote Access Tools (RATs) to maintain stealth and persistence while systematically dismantling organizational defenses. Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on […]
A sophisticated technique uncovered where threat actors abuse Amazon Web Services‘ X-Ray distributed tracing service to establish covert command and control (C2) communications, demonstrating how legitimate cloud infrastructure can be weaponized for malicious purposes.
AWS X-Ray, designed to help developers analyze application performance through distributed tracing, has been repurposed by red team researchers into a steganographic communication channel called XRayC2.
This technique leverages X-Ray’s annotation system, which allows arbitrary key-value data storage, to transmit commands and exfiltrate data through legitimate AWS API calls to xray.[region].amazonaws.com endpoints.
Weaponizing AWS X-Ray for Covert Command and Control
According to Dhiraj, the attack methodology exploits X-Ray’s trace segments functionality, where malicious payloads are embedded within seemingly benign monitoring data.
Attackers utilize the service’s PutTraceSegments, GetTraceSummaries, and BatchGetTraces API endpoints to establish bidirectional communication channels that blend seamlessly with legitimate cloud traffic.
The implant establishes presence through beacon markers containing system information encoded in trace annotations, including service type identifiers like “health_check” and unique instance identifiers.
Command Delivery (Controller → Implant)
Command delivery occurs through base64-encoded payloads stored in configuration annotations, while result exfiltration leverages execution_result fields within trace data structures.
This technique demonstrates sophisticated evasion capabilities by implementing custom AWS Signature Version 4 (SigV4) authentication, creating legitimate AWS API traffic that integrates naturally with standard network logs.
The malicious communication employs randomized beacon intervals between 30 and 60 seconds and utilizes HMAC-SHA256 signing with access keys, following Amazon’s canonical request format.
Result Exfiltration (Implant → Controller)
The XRayC2 toolkit requires minimal AWS permissions, utilizing the AWSXRayDaemonWriteAccess policy alongside custom permissions for trace manipulation.
This approach significantly reduces the attack surface compared to traditional C2 infrastructure while maintaining persistent access through cloud-native services.
Detection of this technique presents challenges for security teams, as the malicious traffic appears as standard application performance monitoring activities.
Organizations should implement enhanced monitoring of X-Ray API usage patterns, establish baseline metrics for trace annotation data volumes, and scrutinize unusual service interactions within their AWS environments to identify potential abuse of legitimate cloud services for covert communications.
QNAP has released a security advisory detailing a vulnerability in its NetBak Replicator utility that could allow local attackers to execute unauthorized code.
The flaw, identified as CVE-2025-57714, has been rated as “Important” and affects specific versions of the backup and restore software. The company has already issued a patch and is urging users to update their systems to prevent potential exploitation.
This vulnerability stems from an unquoted search path or element within the NetBak Replicator software. This type of flaw occurs when the path to an executable file is not properly enclosed in quotation marks.
If a local attacker has already gained access to a user account on the system, they can place a malicious executable in a parent directory of the legitimate program’s path.
The operating system may then inadvertently execute the malicious file instead of the intended one, leading to unauthorized code execution with the permissions of the running application.
Affected Products
The vulnerability specifically impacts NetBak Replicator versions 4.5.x. According to the advisory released on October 4, 2025, a successful exploit requires an attacker to have prior access to a local user account.
From there, they can leverage the unquoted search path to execute arbitrary commands or code. This could allow the attacker to escalate privileges, install persistent malware, or manipulate data on the compromised system.
While the attack requires local access, it represents a significant risk in multi-user environments or as a post-exploitation technique for privilege escalation.
CVE ID
Affected Product(s)
Impact
Prerequisites
CVSS 3.1 Score
CVE-2025-57714
NetBak Replicator 4.5.x
Unauthorized code execution
Local attacker with user account access
Not Publicly Disclosed
Mitigations
QNAP has addressed the security flaw in NetBak Replicator version 4.5.15.0807 and all subsequent releases.
The company strongly recommends that all users of the affected software versions update to the latest patched version immediately to protect their devices from potential attacks.
Users can find the latest software updates by visiting the official QNAP Utilities webpage. Regularly updating software is a critical security practice that ensures systems are protected against newly discovered vulnerabilities and threats. The discovery of this vulnerability was credited to Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc.
A critical security vulnerability has been discovered in Redis Server that could allow authenticated attackers to achieve remote code execution through a use-after-free flaw in the Lua scripting engine. The vulnerability, tracked as CVE-2025-49844, affects all versions of Redis that support Lua scripting functionality. Critical Memory Corruption Flaw Discovered Security researchers from Wiz, including Benny […]
PsExec represents one of the most contradictory tools in the cybersecurity landscape, a legitimate system administration utility that has become a cornerstone of malicious lateral movement campaigns.
Recent threat intelligence reports indicate that PsExec remains among the top five tools used in cyberattacks as of 2025, with ransomware groups like Medusa, LockBit, and Kasseika actively leveraging it for network propagation.
This persistent abuse underscores the critical need for security professionals to understand both the technical mechanics of PsExec and the sophisticated ways threat actors exploit its capabilities.
PsExec operates through a sophisticated multi-stage process that leverages core Windows protocols and services.
When executed legitimately, PsExec creates a temporary service on the target machine called PSEXESVC, which acts as a conduit for remote command execution.
The tool begins by authenticating to the target system via the SMB (Server Message Block) protocol, then connects to the ADMIN$ administrative share, which maps directly to the C:\Windows directory.
The authentication process utilizes either current logon credentials or explicitly provided username and password combinations.
Upon successful authentication, PsExec establishes a DCE/RPC (Distributed Computing Environment/Remote Procedure Call) connection to the target’s Service Control Manager (SCM) through the svcctl named pipe.
This connection enables PsExec to create and manage services remotely, providing the foundation for its remote execution capabilities.
The service creation process involves uploading the PSEXESVC.exe binary to the target’s ADMIN$ share, then registering it as a Windows service through the SCM interface.
Once installed, the service creates named pipes for communication, typically psexecsvc for standard input/output, with additional pipes for stdin, stdout, and stderr.
These pipes facilitate full-duplex communication between the local and remote systems, enabling interactive command execution.
Attack Vectors And Malicious Exploitation
Threat actors have weaponized PsExec’s legitimate functionality to achieve multiple malicious objectives within compromised networks.
The 2025 CyberProof Mid-Year Threat Landscape Report identifies PsExec as one of the top five tools used in attacks, highlighting its continued relevance in modern threat campaigns.
Attackers primarily exploit PsExec for lateral movement after obtaining valid administrative credentials through various means, including credential dumping, password spraying, or exploiting stored credentials.
The lateral movement process typically follows a predictable pattern. Attackers first compromise an initial system and harvest credentials with local administrator privileges on target machines.
They then use PsExec to execute commands remotely, often deploying additional malware, creating backdoors, or establishing persistence mechanisms.
The tool’s ability to run commands with SYSTEM-level privileges makes it particularly attractive for disabling security controls and deploying ransomware payloads.
Recent ransomware campaigns demonstrate sophisticated PsExec abuse patterns. The Medusa ransomware group uses PsExec with the -c flag to copy batch scripts to remote machines and execute them with SYSTEM privileges.
These scripts often disable Windows Defender, create firewall rules to allow remote desktop connections, and modify registry settings to facilitate persistent access.
Similarly, LockBit affiliates have been observed using PsExec to remotely edit boot configuration data registry entries related to hypervisors, specifically targeting VMware ESXi environments.
Detection Artifacts And Forensic Analysis
PsExec execution generates numerous forensic artifacts that security teams can monitor to detect malicious activity. The most reliable indicator is Windows Event ID 7045, which records service installation events in the System log.
When PsExec creates the PSEXESVC service, this event captures the service name, executable path, and account context, providing clear evidence of remote execution attempts.
PsExec Detection Artifacts and Their Forensic Value for Security Teams
Network-based detection opportunities center on SMB traffic analysis and named pipe monitoring. Security Event ID 5145 logs network share access, including connections to the ADMIN$ share that PsExec requires for file uploads.
The creation of named pipes with patterns like “-stdin,” “-stdout,” and “*-stderr” provides additional detection signals, particularly when these pipes appear without corresponding legitimate PSEXESVC service entries.
Advanced detection approaches focus on behavioral analysis rather than signature-based methods.
The combination of SMB authentication (Event ID 4624), service creation (Event ID 7045), and named pipe activity within short time windows creates high-confidence indicators of PsExec usage.
Organizations with robust logging can correlate these events with process creation monitoring (Sysmon Event ID 1) to build comprehensive attack timelines.
Evasion Techniques And Variants
Sophisticated threat actors employ various techniques to evade detection while maintaining PsExec’s functionality. Service name customization represents the most common evasion method, using the -r parameter to specify alternative service names instead of the default PSEXESVC.
This simple modification can bypass detection rules that rely solely on service name matching, requiring defenders to implement more sophisticated behavioral detection logic.
Custom PsExec implementations further complicate detection efforts. Tools like Impacket provide PsExec-style functionality with configurable service names, pipe names, and communication protocols.
These alternatives follow similar operational patterns but use different artifacts, requiring detection rules that focus on behavioral indicators rather than specific tool signatures.
Registry manipulation presents another evasion avenue. Attackers can delete the EulaAccepted registry key that PsExec creates upon first use, eliminating forensic evidence on source systems.
Some groups employ custom-compiled versions that bypass the EULA acceptance requirement entirely, further reducing their forensic footprint.
Real-World Attack Campaigns
Contemporary threat groups demonstrate sophisticated PsExec integration within broader attack chains.
The Kasseika ransomware group combines PsExec with Bring Your Own Vulnerable Driver (BYOVD) attacks, using PsExec to deploy malicious batch files that load vulnerable drivers for antivirus evasion.
This multi-stage approach showcases how modern attackers layer multiple techniques to achieve their objectives while evading detection.
BlackSuit ransomware operators utilize PsExec alongside PowerShell, Cobalt Strike, and Mimikatz to establish comprehensive network control.
Their campaigns demonstrate PsExec’s role in rapid network enumeration and payload deployment, with attackers using the tool to execute reconnaissance scripts and deploy encryption payloads across multiple systems simultaneously.
Intelligence reports indicate that PsExec abuse continues evolving, with threat actors adapting their techniques to bypass emerging detection capabilities.
The tool’s legitimate status and widespread deployment in enterprise environments ensure its continued relevance in attack scenarios.
Mitigation Strategies
Effective PsExec abuse prevention requires layered security controls addressing both technical and procedural aspects. Network segmentation represents the foundational defense, limiting lateral movement opportunities even when attackers obtain valid credentials.
Organizations should implement strict firewall rules controlling SMB traffic between network segments and monitoring administrative share access.
Credential hygiene practices significantly reduce PsExec abuse potential. Implementing least-privilege principles, regular password rotations, and privileged access management (PAM) solutions limits the administrative credentials available to attackers.
Organizations should particularly focus on protecting service accounts and shared administrative credentials that often provide widespread network access.
Detection engineering requires comprehensive logging and monitoring capabilities. Security teams should implement alerts for Event ID 7045 service installations, particularly those with unusual service names or executable paths.
Named pipe monitoring through Event ID 5145 provides additional detection opportunities, especially when combined with SMB connection analysis.
Advanced defensive measures include application whitelisting, endpoint detection and response (EDR) deployment, and behavioral analysis platforms. These technologies can identify PsExec abuse through pattern recognition and anomaly detection, even when attackers employ evasion techniques.
Regular threat hunting exercises focusing on lateral movement indicators help organizations identify sophisticated attacks that bypass automated detection systems.
The persistent abuse of PsExec in modern attack campaigns demonstrates the ongoing challenge of securing legitimate administrative tools.
As threat actors continue refining their techniques, security teams must maintain vigilance through comprehensive monitoring, robust detection capabilities, and proactive threat hunting practices.
Understanding PsExec’s technical mechanics and attack patterns enables defenders to implement effective countermeasures while preserving the tool’s legitimate administrative value.
SpyCloud Labs analysts have successfully reverse-engineered Asgard Protector, a sophisticated crypter tool prominently used to hide malicious payloads from antivirus detection systems. This crypter has gained particular notoriety for being the preferred choice among sellers of LummaC2, currently the most prevalent commodity infostealer in the cyberthreat landscape. The analysis reveals intricate evasion techniques that demonstrate the evolving […]
QNAP Systems has disclosed a critical security vulnerability in its NetBak Replicator software that could enable local attackers to execute malicious code on affected systems. The vulnerability, tracked as CVE-2025-57714, stems from an unquoted search path element flaw that poses significant security risks to organizations using the backup solution. Vulnerability Details and Impact Assessment The […]
