A critical security vulnerability discovered in ESPHome’s web server component has exposed thousands of smart home devices to unauthorized access, effectively nullifying basic authentication protections on ESP-IDF platform implementations.

The flaw, designated CVE-2025-57808 with a CVSS score of 8.1, affects ESPHome version 2025.8.0 and allows attackers to bypass authentication mechanisms without any knowledge of legitimate credentials.

The vulnerability stems from a fundamental logic error in the HTTP basic authentication check within ESPHome’s web_server_idf component.

When processing authentication requests, the system’s AsyncWebServerRequest::authenticate function only compares bytes up to the length of the client-supplied authorization value, rather than validating the complete credential string.

This implementation flaw creates two distinct attack vectors that completely compromise device security.

The most severe aspect of this vulnerability involves empty authorization headers, where attackers can gain full access by simply sending a request with Authorization: Basic followed by an empty string.

GitHub analysts identified that this attack vector requires no prior knowledge of usernames or passwords, making it particularly dangerous for network-adjacent attackers.

Additionally, the flaw accepts partial password matches, meaning an attacker who discovers even a substring of the correct password can successfully authenticate.

Attack Mechanism and Technical Exploitation

The vulnerability’s technical foundation lies in the improper string comparison logic that processes base64-encoded credentials.

When a legitimate device is configured with credentials like user:somereallylongpass (encoded as dXNlcjpzb21lcmVhbGx5bG9uZ3Bhc3M=), the flawed authentication check accepts shorter strings such as dXNlcjpz (representing user:s) as valid credentials.

Practical exploitation requires minimal technical sophistication. Attackers can utilize simple curl commands to demonstrate the vulnerability:-

curl -D- -H 'Authorization: Basic ' http://target.local/

This command bypasses authentication entirely, returning HTTP 200 responses instead of the expected 401 Unauthorized status.

The vulnerability becomes particularly concerning when Over-The-Air (OTA) update functionality is enabled, as attackers gain complete control over device firmware and configuration settings.

ESPHome addressed this critical flaw in version 2025.8.1, implementing proper credential validation that compares complete authorization strings rather than partial matches.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post ESPHome Web Server Authentication Bypass Vulnerability Exposes Smart Devices appeared first on Cyber Security News.

Google has officially debunked widespread reports claiming the company issued a major security warning to Gmail users, clarifying that such claims are entirely false.

The technology giant addressed the misinformation directly on September 1, 2025, emphasizing that no broad security alert was ever issued to its user base.

These inaccurate reports had circulated across various platforms, causing unnecessary concern among Gmail’s billions of users worldwide.

The false claims emerged amid ongoing cybersecurity discussions, with various sources incorrectly attributing security warnings to Google that the company never made.

Google’s response came as part of their commitment to maintaining transparent communication about actual security threats while combating the spread of misinformation that could undermine user confidence in their email platform.

Google analysts identified the source of confusion as misinterpreted security communications and emphasized their robust defense mechanisms.

The company’s security infrastructure continues to demonstrate exceptional effectiveness, blocking more than 99.9% of phishing and malware attempts before they reach users’ inboxes.

This statistic underscores the sophisticated nature of Gmail’s multi-layered security architecture, which employs machine learning algorithms, behavioral analysis, and real-time threat detection systems.

Advanced Threat Detection and Mitigation Systems

Gmail’s security framework operates through a complex ecosystem of interconnected protection layers that continuously evolve to address emerging threats.

The platform utilizes advanced machine learning models that analyze email patterns, sender reputation, and content characteristics to identify potential malicious communications.

These systems process millions of emails daily, automatically quarantining suspicious messages while allowing legitimate communications to flow seamlessly to users’ inboxes.

Google recommends users adopt additional security measures, including implementing passkeys as secure password alternatives and following established best practices for identifying and reporting phishing attempts to maintain optimal account protection.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Google Confirms That Claims of Major Gmail Security Warning are False appeared first on Cyber Security News.

A sophisticated spear-phishing campaign has emerged targeting senior executives and C-suite personnel across multiple industries, leveraging Microsoft OneDrive as the primary attack vector.

The campaign utilizes carefully crafted emails masquerading as internal HR communications about salary amendments to trick high-profile targets into surrendering their corporate credentials.

This latest threat represents a concerning escalation in social engineering tactics, combining personalized content with advanced evasion techniques to bypass traditional security measures.

The attackers employ a methodical approach, beginning with “warming up” recipient inboxes by sending benign preliminary emails days before launching the actual phishing attempt.

The malicious emails feature subject lines containing “Salary amendment” or “FIN_SALARY” references and appear as legitimate OneDrive document-sharing notifications.

Each message is meticulously customized with the recipient’s name and company details, significantly enhancing the campaign’s credibility and likelihood of success.

Stripe OLT analysts identified this campaign while monitoring threat landscape activities, discovering that attackers are utilizing Amazon Simple Email Service (SES) infrastructure for delivery while rotating through approximately 80 different domains and subdomains to evade detection.

The phishing infrastructure spans multiple service providers, including Cloudflare for DNS services, Akamai Cloud for hosting, and primarily Mat Bao Corporation for domain registration, demonstrating the campaign’s sophisticated operational security approach.

Advanced Evasion Techniques

The campaign employs particularly clever anti-detection mechanisms that exploit email client display differences. When viewed in standard light mode, email buttons appear as innocuous “Open” and “Share” labels.

However, switching to dark mode reveals concealed padding containing randomized alphanumeric strings such as “twPOpenHuxv” and “gQShareojxYl” that fragment high-value trigger words, effectively circumventing string-based detection rules employed by secure email gateways.

The credential harvesting page presents a convincing Microsoft Office/OneDrive login interface that requests authentication details under the pretense of accessing a secure salary document.

These phishing URLs are designed for single-use access, automatically self-destructing after being visited to eliminate forensic evidence and complicate incident response efforts.

Security teams can implement targeted hunting queries to identify potential compromise attempts.

The following KQL query can detect emails matching observed subject patterns:-

EmailEvents
| where Subject contains "FIN_SALARY"
| where EmailDirection == "Inbound"
| project Timestamp, RecipientEmailAddress, SenderMailFromDomain, Subject

Organizations should immediately block identified malicious domains including letzdoc.com, hr-fildoc.com, and docutransit.com while implementing enhanced awareness training specifically targeting executives and their administrative staff who remain primary targets for these sophisticated attacks.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Phishing Attack Via OneDrive Attacking C-level Employees for Corporate Credentials appeared first on Cyber Security News.

Commercial surveillance vendors have evolved from niche technology suppliers into a sophisticated multi-billion-dollar ecosystem that poses unprecedented threats to journalists, activists, and civil society members worldwide.

A comprehensive new report by Sekoia.io’s Threat Detection & Research team reveals how these private companies have industrialized spyware deployment, transforming targeted surveillance from isolated technical components into fully integrated solutions that rival state-sponsored cyber capabilities.

The commercial spyware industry emerged prominently during the Arab Spring protests between 2010-2013, when authoritarian governments desperately sought rapid surveillance tools to monitor dissidents and suppress popular movements.

Early vendors like Gamma Group’s FinFisher and Hacking Team’s Remote Control System capitalized on this demand, selling their products to regimes across the Middle East and North Africa.

This period marked the beginning of a lucrative market that would eventually generate millions of euros per deployment.

Between 2016 and 2021, the industry underwent significant industrialization, with Israeli companies like NSO Group, Candiru, and Intellexa leading technological advancement.

These firms, often founded by former members of Israel’s Unit 8200 cyber warfare division, introduced zero-click exploitation techniques that eliminated the need for victim interaction.

Sekoia analysts identified that this sophistication breakthrough fundamentally changed the threat landscape, enabling remote device compromise through vulnerabilities in messaging applications without requiring users to click malicious links.

Infection Mechanisms

The infection mechanisms employed by commercial spyware demonstrate remarkable technical sophistication across multiple attack vectors.

Zero-click exploits represent the most advanced category, automatically compromising devices upon message receipt without user interaction.

Recent analysis of Paragon’s Graphite spyware revealed exploitation of WhatsApp’s automatic content preview feature, where malicious PDFs trigger zero-day vulnerabilities during preview generation.

The attack sequence begins when the target’s phone number is silently added to a WhatsApp group, followed by transmission of a specially crafted PDF file.

Attack Flow:
1. Target enumeration and phone number acquisition
2. Silent addition to attacker-controlled WhatsApp group
3. Malicious PDF transmission with embedded exploit
4. Automatic content preview triggers vulnerability
5. Payload execution and persistent implant installation

One-click exploits employ sophisticated social engineering, leveraging current events and trusted relationships to lure targets.

The technique often involves impersonating known contacts or organizations relevant to the victim’s work or activism.

For instance, following a civil rights activist’s arrest, adversaries might impersonate another prominent activist and send malicious content referencing the incident, exploiting the urgency and emotional context to increase engagement probability.

The command-and-control infrastructure supporting these operations has become increasingly complex, utilizing multi-tier architectures to obscure attribution.

Predator spyware operations now employ five distinct infrastructure layers, with the newest layer involving Czech company FoxItech s.r.o., whose owner has connections to Intellexa consortium payment recipients.

This architectural evolution demonstrates how commercial spyware vendors continuously adapt to evade detection and regulatory oversight.

Physical access vectors remain significant, particularly at border crossings where authorities can install spyware during device inspections.

Serbian authorities reportedly used Cellebrite’s Universal Forensic Extraction Device to unlock devices before installing NoviPsy spyware for ongoing surveillance of activists and journalists.

This hybrid approach combining legitimate forensic tools with commercial spyware exemplifies the blurred boundaries between lawful investigation and unauthorized surveillance that characterizes the current threat landscape.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Report on Commercial Spyware Vendors Detailing Their Targets and Infection Chains appeared first on Cyber Security News.