In early May 2025, Unit 42 researchers observed that AdaptixC2 was used to infect several systems. While many C2 frameworks garner public attention, AdaptixC2 has remained largely under the radar—until Unit 42 documented its deployment by real-world threat actors. This article examines AdaptixC2’s capabilities, recent infection scenarios, and guidance for defenders to anticipate and block […]
Critical vulnerabilities were identified in Chaos Mesh, a popular Cloud Native Computing Foundation chaos engineering platform used for fault injection testing in Kubernetes environments.
The security flaws, collectively dubbed “Chaotic Deputy,” comprise four CVEs that enable complete cluster compromise through relatively simple exploitation techniques.
Key Takeaways
1. "Chaotic Deputy" in Chaos Mesh <2.7.3 allows unauthenticated GraphQL access and OS command injection.
2. Attackers exploit port 10082 and Chaos Daemon to hijack pods and steal service account tokens.
3. Upgrade to 2.7.3 or disable the control server.
The vulnerability set includes CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361, with three of these carrying critical CVSS 9.8 severity ratings.
These vulnerabilities affect Chaos Mesh versions prior to 2.7.3 and can be exploited by attackers with initial network access to the Kubernetes cluster, even when running within unprivileged pods.
Chaos Mesh Vulnerabilities
JFrog reports that the primary attack vector involves exploiting an unauthenticated GraphQL server exposed by the Chaos Controller Manager component.
CVE-2025-59358 represents a missing authentication flaw that allows unauthorized access to the /query endpoint on port 10082.
This GraphQL interface, intended as a debugging tool, operates without proper authentication controls in default configurations.
The remaining three CVEs involve OS command injection vulnerabilities within GraphQL mutations including cleanTcs, killProcesses, and cleanIptables.
These mutations directly concatenate user input into command execution functions, allowing attackers to inject arbitrary shell commands through parameters like device names, process IDs, and iptables chains.
Attackers can exploit these command injection flaws to execute the tc qdisc del dev [DEVICE] root, kill [PIDS], and iptables -F [CHAIN] commands with malicious payloads.
The vulnerable code paths sink directly into the ExecBypass method, which executes commands on target pods without proper input sanitization.
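The bug class described above is untrusted GraphQL arguments being concatenated into a shell command. The following Go program is an added example written for this page; it is not Chaos Mesh's code and does not reproduce its mutations. It contrasts the unsafe string-building pattern with a hardened version that allowlists each argument (device name, PID, iptables chain) and hands an argv slice to exec.Command so no shell ever parses the input. The character limits in the regular expressions and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// Unsafe pattern (illustration of the bug class, not Chaos Mesh's code): the
// device name from the request is spliced into one shell string, so a value
// such as "eth0; echo injected" becomes two commands once passed to "sh -c".
func unsafeCleanTcShell(device string) string {
	return "tc qdisc del dev " + device + " root"
}

// Allowlists for the three argument kinds named in the advisory. The limits are
// assumptions for this example: 15 is the Linux interface-name maximum
// (IFNAMSIZ-1); 28 is a conservative cap for iptables chain names.
var (
	deviceRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,15}$`)
	chainRe  = regexp.MustCompile(`^[A-Za-z0-9_-]{1,28}$`)
)

var errBadArgument = errors.New("argument rejected by allowlist")

// cleanTcArgs builds argv for "tc qdisc del dev <device> root".
func cleanTcArgs(device string) ([]string, error) {
	if !deviceRe.MatchString(device) {
		return nil, fmt.Errorf("%w: device %q", errBadArgument, device)
	}
	return []string{"tc", "qdisc", "del", "dev", device, "root"}, nil
}

// killArgs builds argv for "kill <pid>...". Every PID must parse as a positive
// integer and is re-encoded from the parsed value, so only digits survive.
func killArgs(pids []string) ([]string, error) {
	if len(pids) == 0 {
		return nil, fmt.Errorf("%w: no PIDs given", errBadArgument)
	}
	argv := []string{"kill"}
	for _, p := range pids {
		n, err := strconv.Atoi(p)
		if err != nil || n <= 0 {
			return nil, fmt.Errorf("%w: pid %q", errBadArgument, p)
		}
		argv = append(argv, strconv.Itoa(n))
	}
	return argv, nil
}

// cleanIptablesArgs builds argv for "iptables -F <chain>".
func cleanIptablesArgs(chain string) ([]string, error) {
	if !chainRe.MatchString(chain) {
		return nil, fmt.Errorf("%w: chain %q", errBadArgument, chain)
	}
	return []string{"iptables", "-F", chain}, nil
}

// commandFor turns validated argv into an exec.Cmd. No shell is involved, so
// metacharacters in an argument would reach tc/kill/iptables as literal bytes
// even if an allowlist above were missing. The command is built, not run.
func commandFor(argv []string) *exec.Cmd {
	return exec.Command(argv[0], argv[1:]...)
}

func main() {
	fmt.Println("unsafe shell string:", unsafeCleanTcShell("eth0; echo injected"))
	for _, dev := range []string{"eth0", "eth0; echo injected"} {
		argv, err := cleanTcArgs(dev)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("would run:", commandFor(argv).Args)
	}
}
```

The allowlist is the first line of defence, but the argv form is the structural fix: even a value that slipped past the regular expression would be a single argument to the binary rather than shell syntax.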
The Chaos Daemon component runs with privileged permissions in DaemonSet mode, providing attackers with extensive cluster access once initial exploitation succeeds.
Through the /proc/<PID>/root filesystem mounting mechanism and the nsexec binary, attackers can execute arbitrary commands on any pod within the cluster.
Total cluster takeover
The attack progression involves mapping pod names to process IDs through exposed APIs, then leveraging the proc filesystem to access service account tokens located at /proc/<PID>/root/var/run/secrets/kubernetes.io/serviceaccount/token.
This technique enables privilege escalation by stealing tokens from high-privilege service accounts.
| CVE | Title | Impact | CVSS 3.1 Score | Severity |
|---|---|---|---|---|
| CVE-2025-59358 | Missing authentication (DoS) | Unauthorized access to GraphQL server, causing cluster-wide DoS | 7.5 | High |
| CVE-2025-59359 | OS command injection in cleanTcs | Arbitrary shell command execution on pods | 9.8 | Critical |
| CVE-2025-59360 | OS command injection in killProcesses | Arbitrary shell command execution on pods | 9.8 | Critical |
| CVE-2025-59361 | OS command injection in cleanIptables | Arbitrary shell command execution on pods | 9.8 | Critical |
Organizations using Chaos Mesh should immediately upgrade to version 2.7.3 or apply the temporary workaround of disabling the control server: helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false.
Detection can be performed using kubectl commands to identify vulnerable deployments and confirm the presence of the exposed GraphQL endpoint on port 10082.
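The check above can be scripted against the JSON that kubectl already produces. The Go program below is an added example for this page, not a Chaos Mesh or JFrog tool: it reads the output of `kubectl get deployments -n chaos-mesh -o json`, extracts each container's image tag, flags tags that parse as a version below 2.7.3 (and tags such as "latest" that cannot be parsed), and reports whether the container declares port 10082. The embedded sample JSON is constructed for the example; the deployment, container and image names in it are assumptions, and the port and version threshold come from the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal view of `kubectl get deployments -o json`; only the fields needed
// for the check are declared.
type deploymentList struct {
	Items []struct {
		Metadata struct {
			Name string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			Template struct {
				Spec struct {
					Containers []struct {
						Name  string `json:"name"`
						Image string `json:"image"`
						Ports []struct {
							ContainerPort int `json:"containerPort"`
						} `json:"ports"`
					} `json:"containers"`
				} `json:"spec"`
			} `json:"template"`
		} `json:"spec"`
	} `json:"items"`
}

type finding struct {
	Deployment     string
	Image          string
	OldVersion     bool // image tag parses as a version below 2.7.3
	UnknownVersion bool // tag is not x.y.z (e.g. "latest"): verify by hand
	GraphQLPort    bool // containerPort 10082 is declared
}

const graphQLPort = 10082

var fixedVersion = [3]int{2, 7, 3}

// imageTag returns the tag of an image reference, ignoring a trailing digest
// and a registry host that carries its own ":port".
func imageTag(image string) string {
	if i := strings.LastIndex(image, "@"); i >= 0 {
		image = image[:i]
	}
	last := image[strings.LastIndex(image, "/")+1:]
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:]
	}
	return ""
}

// parseVersion accepts "v2.6.3" or "2.6.3". A pre-release suffix is dropped,
// so "2.7.3-rc1" compares equal to 2.7.3; treat such tags with care.
func parseVersion(tag string) ([3]int, bool) {
	tag = strings.TrimPrefix(tag, "v")
	if i := strings.IndexAny(tag, "-+"); i >= 0 {
		tag = tag[:i]
	}
	parts := strings.Split(tag, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var v [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false
		}
		v[i] = n
	}
	return v, true
}

func olderThanFixed(v [3]int) bool {
	for i := range v {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i]
		}
	}
	return false
}

// assess produces one finding per container in the kubectl JSON.
func assess(kubectlJSON []byte) ([]finding, error) {
	var list deploymentList
	if err := json.Unmarshal(kubectlJSON, &list); err != nil {
		return nil, err
	}
	var out []finding
	for _, d := range list.Items {
		for _, c := range d.Spec.Template.Spec.Containers {
			f := finding{Deployment: d.Metadata.Name, Image: c.Image}
			if v, ok := parseVersion(imageTag(c.Image)); ok {
				f.OldVersion = olderThanFixed(v)
			} else {
				f.UnknownVersion = true
			}
			for _, p := range c.Ports {
				if p.ContainerPort == graphQLPort {
					f.GraphQLPort = true
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

// Constructed sample standing in for real kubectl output.
const sampleKubectlOutput = `{"items": [
 {"metadata": {"name": "chaos-controller-manager"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.6.3",
    "ports": [{"containerPort": 10080}, {"containerPort": 10082}]}]}}}},
 {"metadata": {"name": "chaos-dashboard"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "chaos-dashboard", "image": "ghcr.io/chaos-mesh/chaos-dashboard:v2.7.3",
    "ports": [{"containerPort": 2333}]}]}}}}]}`

func main() {
	findings, err := assess([]byte(sampleKubectlOutput))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s %-48s old=%v unknown=%v port10082=%v\n",
			f.Deployment, f.Image, f.OldVersion, f.UnknownVersion, f.GraphQLPort)
	}
}
```

In a real run, pipe kubectl's output into the program instead of the constant; a container that is both below 2.7.3 and declaring port 10082 is the controller manager that needs the upgrade or the enableCtrlServer=false redeploy.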
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
A medium-severity vulnerability has been discovered in the official Kubernetes C# client, which could allow an attacker to intercept and manipulate sensitive communications.
The flaw, rated 6.8 on the CVSS scale, stems from improper certificate validation logic.
This weakness exposes applications using the client to Man-in-the-Middle (MiTM) attacks, potentially leading to the compromise of credentials, tokens, and other confidential data transmitted to the Kubernetes API server.
Flawed Certificate Validation
The core of the vulnerability lies in how the Kubernetes C# client handles TLS/HTTPS connections that use custom Certificate Authorities (CAs) specified in a kubeconfig file.
The client’s validation process correctly checks if a presented certificate is well-formed, but fails to verify the trust chain against the specified CA properly.
This means it will accept a certificate signed by any valid authority, rather than exclusively trusting the custom CA defined by the user.
An attacker positioned on the same network as the client can exploit this by presenting a forged but validly signed certificate.
This allows them to impersonate the Kubernetes API server, establishing a MiTM position where they can decrypt, read, and alter all traffic between the client and the server.
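The difference between the flawed and the correct behaviour is which certificates count as trust anchors. The Go program below is an added example for this page, not the Kubernetes C# client's code: it mints two throwaway CAs in memory (one standing in for the kubeconfig certificate-authority, one for an unrelated but well-formed authority), issues a server certificate from each, and shows that a trust set containing "any valid authority" accepts the unrelated certificate while a pool pinned to the kubeconfig CA rejects it and still accepts the genuine one. The hostname, CA names and validity windows are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostname the client expects on the API server certificate (constructed).
const apiServerName = "kubernetes.default.svc"

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA mints a throwaway self-signed CA so the example runs offline.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueServerCert signs a well-formed leaf certificate for the API server name.
func (c *ca) issueServerCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: apiServerName},
		DNSNames:     []string{apiServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst validates the server certificate's chain and hostname against
// exactly the given anchors and nothing else.
func verifyAgainst(server *x509.Certificate, anchors ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: apiServerName})
	return err
}

// pinnedTLSConfig is the client configuration a fixed client should derive
// from the kubeconfig certificate-authority field: that CA is the only root.
func pinnedTLSConfig(kubeconfigCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(kubeconfigCA)
	return &tls.Config{RootCAs: pool, ServerName: apiServerName, MinVersion: tls.VersionTLS12}
}

type outcome struct {
	FlawedAcceptsRogue   bool // trust set = kubeconfig CA plus every other CA
	PinnedAcceptsRogue   bool // trust set = kubeconfig CA only
	PinnedAcceptsGenuine bool
}

func scenario() (outcome, error) {
	kubeconfigCA, err := newCA("cluster-ca (from kubeconfig)")
	if err != nil {
		return outcome{}, err
	}
	otherCA, err := newCA("unrelated-but-valid-ca")
	if err != nil {
		return outcome{}, err
	}
	genuine, err := kubeconfigCA.issueServerCert()
	if err != nil {
		return outcome{}, err
	}
	rogue, err := otherCA.issueServerCert()
	if err != nil {
		return outcome{}, err
	}
	return outcome{
		FlawedAcceptsRogue:   verifyAgainst(rogue, kubeconfigCA.cert, otherCA.cert) == nil,
		PinnedAcceptsRogue:   verifyAgainst(rogue, kubeconfigCA.cert) == nil,
		PinnedAcceptsGenuine: verifyAgainst(genuine, kubeconfigCA.cert) == nil,
	}, nil
}

func main() {
	o, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("broad trust accepts rogue cert:  %v\n", o.FlawedAcceptsRogue)
	fmt.Printf("pinned trust accepts rogue cert: %v\n", o.PinnedAcceptsRogue)
	fmt.Printf("pinned trust accepts genuine:    %v\n", o.PinnedAcceptsGenuine)
}
```

The same reasoning explains why the advisory's workaround of importing the custom CA into the system store is a trade-off: it widens what every process on the host trusts instead of narrowing what the client trusts.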
This vulnerability affects all versions of the Kubernetes C# client up to and including 17.0.13. Environments are considered vulnerable if they utilize the C# client to connect to a Kubernetes API server over an untrusted network while specifying a custom CA via the certificate-authority field in the kubeconfig file.
The primary and most effective mitigation is to upgrade to the patched version, 17.0.14 or newer, which correctly enforces trust chain validation.
According to the advisory, organizations unable to patch immediately can work around the issue by moving the custom CA certificate from the kubeconfig file into the system's main trust store.
However, this action carries its own risks, as it causes all processes on the machine to begin trusting certificates signed by that CA.
Mitigations
To determine if their applications are affected, administrators should first identify all instances of the Kubernetes C# client in their environment.
A thorough review of kubeconfig files is necessary to check for the use of the certificate-authority field within cluster configurations.
System administrators should also inspect client-side application logs for any unexpected certificate warnings or connection errors, which could indicate an attempted or successful exploit.
Given the potential for data interception and API command manipulation, security teams are strongly advised to prioritize the deployment of the fixed client version.
Proactive auditing and prompt patching are crucial to securing Kubernetes environments against this impersonation threat.
A global ad fraud and click fraud operation, dubbed SlopAds, comprising 224 Android apps that collectively amassed more than 38 million downloads across 228 countries and territories. Under the guise of AI-themed utilities, these apps employ advanced obfuscation techniques—such as steganography and hidden WebViews—to deliver a fraud payload that generates billions of ad impressions and […]
Conor Brian Fitzpatrick, the 22-year-old founder of BreachForums, has been resentenced to three years in federal prison for operating one of the world’s largest cybercriminal marketplaces.
The New York resident was sentenced on September 16, 2025, for creating and administering a platform that facilitated the sale of stolen data and harbored child sexual abuse material (CSAM).
Key Takeaways
1. Conor Fitzpatrick received three years for running BreachForums.
2. The forum amassed 330K users and 14B stolen records.
3. He forfeited domains, devices, and crypto amid the DOJ crackdown.
The resentencing follows a U.S. Court of Appeals for the Fourth Circuit decision on January 21, 2025, which vacated Fitzpatrick’s original lenient sentence of 17 days served and ordered a new sentencing hearing.
Fitzpatrick pleaded guilty to access device conspiracy (18 U.S.C. § 1029), access device solicitation, and possession of CSAM under federal statutes.
BreachForums: The Global Hub for Stolen Data
BreachForums emerged in March 2022 as the successor to RaidForums, which law enforcement seized in February 2022.
The platform rapidly expanded to over 330,000 registered users, establishing itself as the premier English-language hacking forum globally.
The Department of Justice stated that the forum maintained access to 888 datasets containing over 14 billion individual records of stolen information.
Notable breaches included a database with contact information for approximately 200 million users of a major U.S. social networking platform and sensitive details of 87,760 InfraGard members—a critical infrastructure protection partnership between the FBI and private sector entities.
The platform also trafficked credentials from telecommunications providers, healthcare services, and internet service providers.
As part of his plea agreement, Fitzpatrick forfeited over 100 domain names associated with BreachForums’ infrastructure, more than a dozen electronic devices used in the criminal enterprise, and cryptocurrency proceeds generated from the illegal marketplace.
The Computer Crime and Intellectual Property Section (CCIPS) led the prosecution, which has secured convictions of over 180 cybercriminals since 2020 and facilitated the return of over $350 million to victims.
Acting Assistant Attorney General Matthew R. Galeotti emphasized the Justice Department’s commitment to dismantling cybercriminal infrastructure, stating that operators of similar forums should expect relentless investigation and prosecution.
The FBI’s Washington Field Office conducted the investigation under its Cyber Division’s ongoing efforts to combat dark web marketplaces that enable data theft, fraud, and other cybercrimes targeting critical infrastructure and private citizens.
Two cybersecurity industry leaders have made significant announcements regarding their participation in the upcoming MITRE ATT&CK Evaluations, marking a notable shift in how major security vendors approach independent testing validation. [Figure: diagram illustrating core features of Palo Alto Networks' Cortex XDR cybersecurity platform, including threat intelligence, endpoint protection, and automation] Palo Alto Networks Steps Back After […]
Microsoft’s Digital Crimes Unit (DCU) has seized control of 338 websites facilitating RaccoonO365, the rapidly expanding phishing-as-a-service platform that enables anyone to harvest Microsoft 365 credentials. Acting under a court order from the Southern District of New York, the DCU disrupted the operation’s technical infrastructure, denying cybercriminals access to victims and cutting off their revenue […]
Conor Brian Fitzpatrick, the founder and operator of BreachForums, has been resentenced to three more years in prison after a federal appeals court vacated his earlier light sentence. Authorities say Fitzpatrick created and ran one of the world’s largest English-language hacker forums, where criminals bought and sold stolen data. The Justice Department and FBI emphasized […]
Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going “dark.”
Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains
Malicious advertising campaigns have surged in sophistication, with cybercriminals exploiting and even operating adtech firms to deliver malware, credential stealers and phishing schemes directly through mainstream ad networks. A cluster of interconnected companies—run through shell corporations, hosted on compromised infrastructure, and registered en masse via a notorious registrar—has enabled a prolific threat actor, dubbed “Vane […]