• Cybersecurity company Zscaler has confirmed it fell victim to a widespread supply-chain attack that exposed customer contact information through compromised Salesforce credentials linked to marketing platform Salesloft Drift.

    The breach, disclosed on August 31, 2025, stems from a larger campaign targeting Salesloft Drift’s OAuth tokens that has impacted over 700 organizations worldwide.

    Zscaler emphasized that the incident was confined to its Salesforce environment and did not affect any of its core security products, services, or underlying infrastructure.

    The security incident originated from a sophisticated supply-chain attack orchestrated by threat actor UNC6395, which Google Threat Intelligence Group and Mandiant researchers have been tracking since early August 2025.

    Between August 8-18, 2025, attackers systematically compromised OAuth tokens associated with Salesloft Drift, an AI-powered chat agent integrated with Salesforce databases for sales workflow automation.

    UNC6395 demonstrated advanced operational capabilities by using these stolen tokens to authenticate directly into Salesforce customer instances, bypassing multi-factor authentication entirely. The threat actors employed Python tools to automate the data theft process across hundreds of targeted organizations.

    Information Compromised at Zscaler

    According to Zscaler’s official statement, the compromised data was limited to commonly available business contact details and Salesforce-specific content, including:

    • Names and business email addresses
    • Job titles and phone numbers
    • Regional and location details
    • Zscaler product licensing and commercial information
    • Plain text content from certain support cases (excluding attachments, files, and images)

    “After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information,” the company stated. However, the breach highlights the vulnerability of third-party integrations in modern SaaS environments.

    The Zscaler incident represents just one piece of what security researchers are calling the largest SaaS breach campaign of 2025. Google’s Threat Intelligence Group estimates that over 700 organizations have been impacted by this supply-chain attack.

    Initially believed to target only Salesforce integrations, the campaign’s scope expanded significantly when Google confirmed on August 28 that OAuth tokens for Drift Email were also compromised, providing attackers with limited access to Google Workspace accounts. Most victims are technology and software companies, creating potential cascading supply-chain risks.

    Zscaler acted swiftly to contain the incident by revoking Salesloft Drift’s access to its Salesforce data and rotating API access tokens as a precautionary measure. The company launched a comprehensive investigation in collaboration with Salesforce and implemented additional safeguards to prevent similar incidents.

    On August 20, 2025, Salesloft and Salesforce collaborated to revoke all active access and refresh tokens associated with the Drift application. Salesforce also removed the Drift application from its AppExchange marketplace pending further investigation.

    This incident underscores critical vulnerabilities in SaaS-to-SaaS integrations that often bypass traditional security controls. OAuth tokens, once compromised, provide persistent access without triggering authentication alerts or requiring passwords.

    While no evidence of data misuse has been found, Zscaler urges customers to maintain heightened vigilance against potential phishing attacks or social engineering attempts that could leverage the exposed contact details. The company emphasizes that official Zscaler support will never request authentication details through unsolicited communications.

    Organizations using third-party SaaS integrations are advised to review all connected applications, revoke overly broad permissions, and implement continuous monitoring for unusual query activity or large-scale data exports.

    Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

      The post Zscaler Confirms Data Breach – Hackers Compromised Salesforce Instance and Stole Customer Data appeared first on Cyber Security News.


    1. Cybersecurity researchers are calling attention to a new shift in the Android malware landscape in which dropper apps, which are typically used to deliver banking trojans, are now also being used to distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report


    2. The Wireshark team has rolled out version 4.4.9, a maintenance release for the world’s most popular network protocol analyzer.

      This update focuses on stability and reliability, delivering a series of important bug fixes and enhancing support for several existing protocols.

      The new version is now available for all supported platforms, including Windows, macOS, and Linux.

      Wireshark, an indispensable tool for network administrators, security professionals, and developers, allows for in-depth analysis of network traffic. It is used extensively for troubleshooting network issues, examining security problems, and for educational purposes.

      The project is hosted by the non-profit Wireshark Foundation, which relies on community contributions and sponsorships to continue its work in promoting protocol analysis education.

      This latest release addresses several vulnerabilities and operational bugs. A significant fix resolves a crash in the SSH dissector (wnpa-sec-2025-03), a critical issue for anyone analyzing secure shell traffic. Other notable corrections include:

      • An incorrect dissection of the RDM Product Detail List ID.
      • Failures in SCCP LUDT segmentation decoding.
      • An issue preventing Ciscodump from initiating captures on Cisco IOS devices.
      • A problem with the display of the closing context tag in BACnet WritePropertyMultiple.
      • A bug in the LZ77 decoder that caused it to read a 16-bit length instead of the correct 32-bit length.

      While version 4.4.9 does not introduce support for any new protocols, it does bring updates to several existing ones. Users will find improved support for BACapp, LIN, MySQL, RDM, SABP, SCCP, sFlow, and SSH.

      These enhancements ensure that Wireshark can more accurately parse and display data for these protocols, reflecting the latest standards and vendor-specific implementations.

      The update does not include any new or updated capture file support or changes to file format decoding. The development team’s focus for this release has been squarely on refining the existing feature set and ensuring the tool remains stable and secure for its large user base.

      Network professionals are encouraged to upgrade to version 4.4.9 to benefit from the recent fixes and protocol updates, ensuring a more secure and efficient network analysis experience.

      The Wireshark Foundation has officially launched the Wireshark Certified Analyst (WCA-101) certification, marking a significant milestone in professional network analysis education. 


      The post Wireshark 4.4.9 Released With Fix For Critical Bugs and Updated Protocol Support appeared first on Cyber Security News.


    3. A group claiming to be a coalition of hackers has reportedly issued an ultimatum to Google, threatening to release the company’s databases unless two of its employees are terminated.

      The demand, which appeared in a Telegram post, specifically named Austin Larsen and Charles Carmakal, both members of Google’s Threat Intelligence Group.

      According to a post seen by Newsweek, the self-proclaimed hacking collective, calling itself “Scattered LapSus Hunters,” also insisted that Google suspend all investigations by its Threat Intelligence Group into the network’s activities.

      The group’s name is an apparent reference to its composition, which it claims includes members from established hacking communities such as Scattered Spider, LapSus, and ShinyHunters.

      Currently, the group has not provided any evidence to substantiate its claim of accessing Google’s databases. Furthermore, there have been no recent confirmed breaches of Google’s internal information systems.

      This threat emerges in the wake of a separate incident disclosed by Google in August. The company confirmed that ShinyHunters, one of the groups allegedly part of the new coalition, had successfully obtained data from Salesforce.

      Salesforce is a third-party vendor that provides various services to Google, and the breach occurred within the vendor’s systems, not Google’s own infrastructure.

      The formation of a supergroup like “Scattered LapSus Hunters” would represent a significant escalation in the cyber threat landscape. Scattered Spider is known for its sophisticated social engineering tactics, while LapSus gained notoriety for its aggressive and high-profile attacks on major tech companies.

      ShinyHunters has a long history of large-scale data breaches and selling stolen information on the dark web. The potential collaboration of these entities could pose a formidable challenge to even the most well-defended corporations.

      Newsweek has reportedly reached out to Google for a statement regarding the alleged threats, but a response was not immediately received as the request was made outside of standard business hours.

      The situation remains under observation as the tech community awaits Google’s official response and further developments.


      The post Hackers Reportedly Demand Google Fire Two Employees, Threaten Data Leak appeared first on Cyber Security News.


    4. The telecommunications landscape is facing an unprecedented crisis as SIM swapping attacks surge to alarming levels, with the United Kingdom alone reporting a staggering 1,055% increase in incidents during 2024, jumping from just 289 cases in 2023 to nearly 3,000 cases.

      This explosive growth in telecommunications fraud has prompted urgent calls for enhanced security measures, with embedded SIM (eSIM) technology emerging as a promising solution to combat this escalating threat.

      As cybercriminals increasingly target the vulnerabilities inherent in traditional SIM card systems, eSIM technology offers advanced security features that could significantly reduce the success rate of these sophisticated attacks.

      Understanding SIM Swapping Attacks

      SIM swapping, also known as SIM hijacking, represents a sophisticated form of identity theft where attackers manipulate mobile carriers into transferring a victim’s phone number to a SIM card under their control.

      The attack methodology follows a predictable pattern: cybercriminals first gather personal information about their targets through data breaches, social media reconnaissance, or phishing campaigns.

      Armed with details such as names, addresses, birthdates, and account security questions, attackers then contact the victim’s mobile carrier, impersonating the legitimate customer and requesting a SIM transfer due to a “lost” or “damaged” device.

      The attack’s effectiveness stems from its exploitation of SMS-based two-factor authentication (2FA) systems that many organizations still rely upon for security verification.

      Once attackers control the victim’s phone number, they can intercept verification codes sent via SMS, enabling them to reset passwords and gain unauthorized access to banking accounts, cryptocurrency wallets, email services, and social media platforms.

      A Princeton University study found that 80% of first attempts at SIM swap fraud were successful across major U.S. wireless carriers, highlighting the widespread vulnerabilities in current authentication processes.

      Explosive Growth of SIM Swapping Threats

      The scale of SIM swapping attacks has reached crisis levels globally, with multiple indicators pointing to an accelerating trend. The FBI investigated 1,075 SIM swap attacks in 2023, resulting in losses approaching $50 million.

      In 2024, IDCARE reported a 240% surge in SIM swap cases, with 90% of incidents occurring without any victim interaction. The financial impact extends beyond individual losses, as demonstrated by T-Mobile’s $33 million settlement for a cryptocurrency-related SIM swap attack that occurred in 2020.

      Several factors contribute to this dramatic increase in SIM swapping fraud. The widespread reliance on SMS-based 2FA creates enormous criminal ROI, as a single successful port grants access to an entire digital financial life.

      Record data breaches have provided attackers with over 7 billion compromised credentials on dark web markets during 2024, supplying the personal information necessary to bypass carrier identity verification. The cryptocurrency bull market of 2025 has created attractive high-value targets, with individual attacks potentially netting multimillion-dollar scores.

      [Image: SIM swapping attacks on the rise]

      Additionally, cost-cutting measures by telecommunications companies have introduced new vulnerabilities. Global carriers have increasingly outsourced customer support operations, where agents facing time-to-answer pressure are statistically more prone to “verification bypass fatigue”.

      AI-powered social engineering tools now enable attackers to create convincing voice-cloning impersonations and GPT-scripted call dialogues that defeat legacy knowledge-based verification systems.

      eSIM Technology: A Technical Overview

      Embedded SIM (eSIM) technology represents a fundamental shift in mobile connectivity architecture, moving from removable physical cards to integrated digital solutions.

      An eSIM is a small chip (typically measuring 6mm × 5mm) that is soldered directly onto a device’s motherboard during manufacturing, utilizing the same electrical interface as traditional SIM cards as defined by ISO/IEC 7816 standards.

      The technology operates through an embedded Universal Integrated Circuit Card (eUICC) that can be remotely programmed with carrier profiles.

      [Image: eSIM architecture]

      The eSIM ecosystem relies on remote SIM provisioning (RSP) protocols developed by the GSMA, enabling secure over-the-air profile management.

      When activating an eSIM, the Local Profile Assistant (LPA) software contacts a Subscription Manager (SM) service via HTTPS, using X.509 certificates validated by the GSMA certificate authority.

      The system employs challenge-response authentication to establish secure channels between the eUICC and SM, ensuring that network authentication keys remain protected through end-to-end encryption.

      Each eSIM contains a permanent eUICC ID (EID) programmed during manufacturing, which serves as the foundation for secure provisioning services.

      The technology supports multiple carrier profiles on a single device, allowing users to switch between networks digitally without physical SIM card replacement.

      This digital-first approach eliminates many vulnerabilities associated with physical SIM management while introducing new layers of cryptographic protection.

      How eSIM Technology Strengthens Security Against SIM Swapping

      eSIM technology addresses the fundamental vulnerabilities that enable traditional SIM swapping attacks by introducing several critical security enhancements. The most significant protection comes from eliminating physical access risks.

      Unlike removable SIM cards that can be extracted and transferred between devices, eSIMs are permanently embedded in device hardware, making physical theft virtually impossible without sophisticated engineering tools. This embedded nature immediately eliminates the easiest method of SIM hijacking.

      The digital activation process for eSIM profiles requires multi-layered authentication that is significantly more robust than traditional carrier verification procedures.

      eSIM activation typically involves scanning QR codes or using secure in-app processes that must be confirmed directly on the target device.

      This digital provisioning process, governed by GSMA security standards, adds multiple verification layers that make unauthorized transfers exceptionally difficult compared to the social engineering tactics used against call center representatives.

      [Image: SIM card vs eSIM]

      Advanced encryption protocols form another critical defense mechanism in eSIM technology. eSIMs employ end-to-end encryption for all data storage and transmission, making interception and manipulation significantly more challenging than traditional SIM cards. The cryptographic keys injected during manufacturing create secure authentication chains that cannot be easily replicated or compromised. Additionally, eSIM profiles cannot be cloned or duplicated, eliminating a major attack vector that affects physical SIM cards.

      Remote management capabilities provide enhanced security control for both users and carriers. If a device is lost or stolen, eSIM profiles can be immediately deactivated remotely, severing the device’s connection to the network and preventing unauthorized usage. This rapid response capability is crucial for minimizing damage in security incidents and provides users with direct control over their mobile identity.

      The biometric and device-based authentication requirements for eSIM management create additional security layers. Many eSIM implementations require biometric verification, device PINs, or other security measures that are tied directly to the physical device, making it much harder for remote attackers to manipulate carrier representatives into transferring services. This shifts authentication from knowledge-based systems vulnerable to social engineering to possession-based factors that require physical device access.

      Regulatory Response and Industry Initiatives

      The telecommunications industry and regulatory bodies have recognized the critical need to address SIM swapping vulnerabilities through comprehensive policy measures.

      The Federal Communications Commission (FCC) approved new rules in October 2023 designed to establish uniform frameworks for protecting customers against SIM swap and port-out fraud.

      These regulations require wireless providers to adopt secure customer authentication methods before redirecting phone numbers to new devices or providers, maintain detailed records of SIM change requests, and implement employee training programs for handling fraud attempts.

      [Image: protection layers]

      The FCC’s rules also establish safeguards preventing employees from accessing customer personal information until proper authentication is completed.

      While the implementation timeline has faced industry pushback, with compliance deadlines extended pending Office of Management and Budget (OMB) review, the regulatory framework represents a significant step toward standardizing anti-fraud protections across carriers.

      The FCC has indicated that OMB approval would likely come in late November 2024, with providers encouraged to use this timeline for system implementation and testing.

      Industry initiatives complement regulatory efforts through technological solutions and best practices. The GSMA’s comprehensive eSIM security framework includes rigorous certification programs such as the eUICC Security Assurance (eSA) Scheme and Security Accreditation Scheme (SAS), which establish stringent security requirements for eSIM implementations.

      These certification processes ensure that eSIM entities meet high security standards and reduce risks of data breaches and attacks through verified security controls.

      Limitations and Considerations

      Despite its significant security advantages, eSIM technology faces several limitations that must be acknowledged in comprehensive security strategies. Social engineering vulnerabilities remain a persistent threat, as eSIM activation can still be manipulated through sophisticated impersonation attacks targeting carrier customer service systems.

      While eSIM activation processes are more secure than traditional SIM swaps, determined attackers with sufficient personal information about victims may still succeed in convincing carriers to provision new eSIM profiles.

      Software-based vulnerabilities introduce new attack vectors that don’t exist with physical SIM cards. eSIMs rely heavily on software systems and cloud infrastructure, creating potential targets for sophisticated cyberattacks.

      If carrier account credentials or email accounts are compromised, attackers might be able to activate eSIM profiles on devices they control. Additionally, eSIMs are vulnerable to specialized attacks such as memory exhaustion, locking profile attacks, and inflated profile attacks that exploit the digital nature of the technology.

      Compatibility and adoption challenges also limit eSIM’s immediate impact on SIM swapping prevention. Many older devices and certain geographic regions have limited eSIM support, forcing continued reliance on physical SIM cards.

      The transition period creates mixed security environments where some users benefit from enhanced eSIM protection while others remain vulnerable to traditional attacks. Furthermore, the complexity of eSIM management may create usability barriers for some consumers, potentially leading to security misconfigurations.

      The dramatic surge in SIM swapping attacks, with incident rates increasing by over 1,000% in some regions, represents a critical threat to mobile communications security that demands immediate technological and regulatory intervention.

      eSIM technology offers a promising solution through its embedded architecture, advanced encryption protocols, multi-layered authentication requirements, and remote management capabilities that directly address the vulnerabilities exploited in traditional SIM swapping attacks.

      The combination of physical security improvements, cryptographic protections, and enhanced verification processes makes eSIM significantly more resistant to the social engineering tactics that have proven devastatingly effective against conventional SIM card systems.

      However, the transition to eSIM technology must be accompanied by comprehensive security frameworks, regulatory oversight, and continued vigilance against evolving attack methodologies. While eSIMs represent a substantial improvement in mobile security architecture, they cannot eliminate all risks associated with telecommunications fraud.

      The most effective defense strategy will combine eSIM adoption with multi-factor authentication systems that don’t rely solely on SMS verification, robust user education programs, and continued industry cooperation to identify and mitigate emerging threats.

      As the telecommunications industry works to implement FCC regulations and advance eSIM adoption, the focus must remain on creating layered security approaches that protect users across all technology platforms while maintaining the accessibility and usability that modern mobile communications require.


      The post SIM Swapping Attacks on the Rise – How eSIM can Make SIM Swapping Harder appeared first on Cyber Security News.


    5. Criminal IP, the AI-powered threat intelligence and attack surface management (ASM) platform developed by AI SPERA, announced its official entry into the European market through a strategic partnership with DotForce, a premier cybersecurity distributor based in Italy. The collaboration will extend Criminal IP’s advanced capabilities to enterprises and public institutions across Southern Europe, including Spain […]

      The post Criminal IP Expands into European Cybersecurity Market through Partnership with DotForce appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


    6. Microsoft is issuing a direct call to its hardware partners, urging original equipment manufacturers (OEMs) to address configuration issues that prevent crucial USB-C troubleshooting notifications from functioning correctly in Windows 11.

      These built-in alerts are designed to enhance user experience by identifying and helping to resolve common problems such as slow charging, faulty connections, and the use of unsupported accessories.

      While Windows 11 includes a robust system for notifying users of USB-C port issues, the feature’s effectiveness is entirely dependent on how manufacturers configure their hardware.

      According to a recent technical update, if users aren’t seeing these helpful alerts, the problem likely stems from incorrect platform settings implemented by the OEM, not a flaw within the Windows operating system itself.

      The core of the issue lies in the Advanced Configuration and Power Interface (ACPI) specification, the firmware interface through which the operating system discovers, communicates with, and manages hardware components.

      Microsoft has identified several common errors in how OEMs are implementing this. These include missing or incorrect ACPI descriptors that fail to properly identify USB-C ports, mislabeling port types (such as identifying a standard USB-A port as Type-C), and confusing internal ports with externally accessible ones, which can suppress necessary notifications.

      To resolve these inconsistencies, Microsoft has laid out a clear set of validation and testing protocols for manufacturers. OEMs are being directed to use the Windows Hardware Lab Kit (HLK) to validate their USB port descriptors and ensure that specific ACPI methods, namely _UPC (USB Port Capabilities) and _PLD (Physical Location of Device), are implemented correctly.

      The company is also advising partners to conduct rigorous testing with a variety of charging scenarios, including underpowered chargers and hubs, to confirm that notifications appear as expected for the end-user.

      Microsoft also addressed security considerations, acknowledging that some OEMs may disable data transfer over USB-C in certain environments.

      In such cases, the company recommends that the policy should only apply to externally accessible ports and that manufacturers should consider providing users with a toggle to enable or disable data transfer themselves.

      The message to manufacturers is clear: audit all USB port configurations, validate notification behaviors across all supported devices, and coordinate with the Microsoft Windows Hardware Compatibility Program (WHCP) to ensure new platforms meet the required standards.

      By taking these steps, OEMs can ensure their customers receive the seamless and reliable device experience that Windows 11 aims to provide.


      The post Microsoft Urges OEM Manufacturers to Fix Windows 11 USB-C Notification issues appeared first on Cyber Security News.


    7. In a significant security move, Microsoft announced on August 26, 2025, that it will require mandatory multifactor authentication (MFA) for all accounts signing in to the Azure portal and related administrative centers.

      The policy, first introduced in 2024, aims to dramatically reduce account compromise by enforcing an additional layer of identity verification across Azure and Microsoft 365 admin portals.

      Starting October 2024, sign-ins to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center will require MFA for any create, read, update, or delete operation. Full enforcement across CLI, PowerShell, mobile, and IaC tools follows on October 1, 2025, significantly strengthening administrative security.

      Microsoft research shows that enabling MFA blocks over 99.2 percent of account compromise attacks, making it one of the most effective defenses against unauthorized access.

      Having offered optional MFA for years, Microsoft will now enforce it by default for critical administrative access points. The announcement underscores the company’s commitment to safeguarding cloud resources for its customers.

      Scope of Enforcement

      Enforcement is rolling out in two phases:

      Phase 1 (October 2024 – February 2025)

      • Azure portal sign-in for all CRUD operations.
      • Microsoft Entra admin center sign-in for all CRUD operations.
      • Microsoft Intune admin center sign-in for all CRUD operations.
      • Microsoft 365 admin center sign-in requirements begin in February 2025.

      Phase 1 does not yet cover Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure as Code (IaC) tools, or REST API endpoints.

      Phase 2 (October 1, 2025)

      • Azure CLI and Azure PowerShell for create, update, and delete operations.
      • Azure mobile app for create, update, and delete operations.
      • IaC tools and REST API endpoints for create, update, and delete operations.
      • Read-only operations remain exempt.

      Administrators relying on user accounts for scripted automation should transition to workload identities, such as managed identities or service principals, to avoid disruption when Phase 2 enforcement begins, Microsoft said.

      Affected Applications and Timelines

      Application Name                Enforcement Start
      ------------------------------  ---------------------
      Azure portal                    Second half of 2024
      Microsoft Entra admin center    Second half of 2024
      Microsoft Intune admin center   Second half of 2024
      Microsoft 365 admin center      February 2025
      Azure CLI & PowerShell          October 1, 2025
      Azure mobile app                October 1, 2025
      IaC tools & REST API            October 1, 2025

      All user accounts accessing the applications listed above must complete MFA upon enforcement. Break-glass and emergency-access accounts also require MFA; organizations are encouraged to configure passkeys (FIDO2) or certificate-based authentication for these critical accounts. Workload identities remain unaffected, but any user-based service accounts must comply.

      The OAuth 2.0 Resource Owner Password Credentials (ROPC) flow is incompatible with MFA. Applications using MSAL’s ROPC APIs must migrate to interactive or certificate-based flows.

      Developers should update any code that relies on AcquireTokenByUsernamePassword or UsernamePasswordCredential in Azure Identity, following Microsoft’s migration guides for .NET, Go, Java, Node.js, and Python.
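A pre-deadline inventory helper for the migration described above, added here as an example and not code from the article or from Microsoft: it scans source text for the ROPC identifiers the article names (plus their casing variants in MSAL for Node and Python and in Azure Identity for Go) and for hand-rolled password-grant token requests, so code that will fail once Phase 2 MFA enforcement begins can be found before October 1, 2025. The sample files, the pattern ids and the migration hints are constructed for this example.

```javascript
// Added example (not Microsoft's code and not from the article): flag source
// code that still signs in with the ROPC (username + password) flow, which
// cannot complete an MFA challenge once Phase 2 enforcement begins.
const ROPC_PATTERNS = [
  {
    id: "msal-ropc",
    // AcquireTokenByUsernamePassword (.NET), acquireTokenByUsernamePassword (Node),
    // acquire_token_by_username_password (Python)
    re: /\bacquire_?token_?by_?username_?password\b/i,
    hint: "MSAL ROPC call: move to a confidential client with a certificate, or to a managed identity",
  },
  {
    id: "azure-identity-ropc",
    // UsernamePasswordCredential (.NET/Java/Node/Python), NewUsernamePasswordCredential (Go)
    re: /\b(?:New)?UsernamePasswordCredential\b/,
    hint: "Azure Identity ROPC credential: replace with ManagedIdentityCredential or ClientCertificateCredential",
  },
  {
    id: "raw-password-grant",
    // Hand-rolled token request using the OAuth 2.0 password grant
    re: /grant_type\s*[=:]\s*["']?password\b/i,
    hint: "raw OAuth 2.0 password grant against the token endpoint",
  },
];

// Scan one file's text; returns one finding per matching (non-comment) line.
function scanSource(fileName, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const trimmed = line.trim();
    // Skip comment-only lines so explanatory comments in migrated code are not re-flagged.
    if (/^(\/\/|#|\*|\/\*)/.test(trimmed)) return;
    for (const p of ROPC_PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, pattern: p.id, hint: p.hint, text: trimmed });
      }
    }
  });
  return findings;
}

// Scan a map of { fileName: contents }; returns findings grouped per file plus a total.
function scanProject(files) {
  const report = { total: 0, byFile: {} };
  for (const [name, text] of Object.entries(files)) {
    const found = scanSource(name, text);
    if (found.length > 0) {
      report.byFile[name] = found;
      report.total += found.length;
    }
  }
  return report;
}

// Constructed sample sources (not real project files) covering the cases above.
const SAMPLE_FILES = {
  "Program.cs": [
    "var app = PublicClientApplicationBuilder.Create(clientId).Build();",
    "var result = await app.AcquireTokenByUsernamePassword(scopes, user, password).ExecuteAsync();",
  ].join("\n"),
  "auth.py": [
    "from azure.identity import UsernamePasswordCredential",
    "cred = UsernamePasswordCredential(client_id, username, password)",
  ].join("\n"),
  "token.sh": [
    "# legacy helper",
    "curl -d 'grant_type=password&username=...' \"$TOKEN_ENDPOINT\"",
  ].join("\n"),
  "ok.go": [
    "// already migrated to a managed identity",
    "cred, err := azidentity.NewManagedIdentityCredential(nil)",
  ].join("\n"),
};

// Print a short report for the constructed samples.
for (const [file, findings] of Object.entries(scanProject(SAMPLE_FILES).byFile)) {
  for (const f of findings) {
    console.log(`${file}:${f.line} [${f.pattern}] ${f.hint}`);
  }
}
```

To run it over a real tree, build the `files` map from disk (for example with `fs.readFileSync` over the paths you want checked) and pass it to `scanProject`.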

      Organizations can prepare by:

      • Verifying MFA configuration via the Microsoft Entra ID portal.
      • Applying or updating Conditional Access policies (requires Entra ID P1/P2).
      • Enabling security defaults if Conditional Access is unavailable.
      • Migrating user-based service accounts to workload identities.

      Tenants needing more time may postpone Phase 1 enforcement until September 30, 2025, by having a Global Administrator select a new start date at https://aka.ms/managemfaforazure. Similarly, Phase 2 can be deferred until July 1, 2026, via https://aka.ms/postponePhase2MFA.

      After enforcement, Azure portal banners will notify administrators of required MFA, and sign-in logs will identify MFA challenges. Microsoft strongly recommends immediate MFA adoption to secure high-value administrative accounts and mitigate the growing threat of credential-based attacks.


      The post Microsoft To Mandate MFA for Accounts Signing In to the Azure Portal appeared first on Cyber Security News.


    8. A newly discovered critical security vulnerability in the Next.js framework, designated CVE-2025-29927, poses a significant threat to web applications by allowing malicious actors to completely bypass authorization mechanisms. 

      This vulnerability arises from improper handling of the x-middleware-subrequest header within Next.js middleware execution, potentially exposing sensitive administrative areas and protected resources to unauthorized access.

      The vulnerability affects multiple versions of the popular React-based web framework, with different exploitation techniques depending on the specific version in use. 

      Key Takeaways
      1. CVE-2025-29927 exploits x-middleware-subrequest to bypass Next.js authorization.
      2. Attackers set the header to middleware names to skip checks.
      3. Grants unauthorized access, so implement layered security.

      Security researchers have demonstrated that attackers can manipulate HTTP headers to circumvent authentication and authorization controls, gaining access to restricted areas without proper credentials.

      Next.js Framework Vulnerability

      NullSecurityX reports that the core of this vulnerability lies in Next.js’s middleware processing logic, specifically how it handles the x-middleware-subrequest header. 

      This header was originally designed to prevent infinite middleware loops by identifying internal subrequests. However, a flawed implementation allows external requests to abuse this mechanism.

      The vulnerable code pattern follows this structure:

      [Image: Critical Next.js Framework Vulnerability]

      When an attacker includes the appropriate x-middleware-subrequest header value in their HTTP request, the middleware incorrectly identifies it as an internal subrequest and skips authorization checks entirely. The exploitation varies across Next.js versions:

      Version 12.2 and Earlier: Attackers use x-middleware-subrequest: pages/_middleware to bypass middleware located in the pages directory.

      Version 12.2 and Later: The header value changes to x-middleware-subrequest: middleware for middleware files named middleware.ts.

      Version 13.2.0 and Later: Despite recursion depth protections, the fundamental vulnerability persists through repeated middleware names in the header.

      Practical exploitation scenarios demonstrate the severity of this vulnerability. Attackers can craft simple HTTP requests to access protected administrative panels.

      This request bypasses middleware protection and grants unauthorized access to admin functionality. 

      The vulnerability becomes particularly dangerous when combined with JSON Web Token (JWT) or cookie-based authentication systems, where the header manipulation allows complete circumvention of token validation.

      Automated exploitation tools can systematically test multiple protected routes simultaneously. 

      Risk Factors            Details
      Affected Products       Next.js versions ≤ 12.2 (pages/_middleware);
                              Next.js versions ≥ 12.2 and < 13.2.0 (middleware.ts);
                              Next.js versions ≥ 13.2.0
      Impact                  Complete authorization bypass via middleware skip
      Exploit Prerequisites   Ability to craft HTTP requests with custom x-middleware-subrequest header
      CVSS 3.1 Score          9.8 (Critical)

      Security researchers have developed proof-of-concept scripts that iterate through common administrative endpoints (/admin, /dashboard, /settings) while injecting the malicious header, quickly identifying vulnerable access points across entire applications.

      The vulnerability’s impact extends beyond simple authorization bypass. In applications that rely solely on Next.js middleware for security controls, attackers can potentially access sensitive user data, modify application configurations, or execute administrative functions without proper authentication. 

      Organizations running Next.js applications should immediately assess their middleware implementations and apply available security patches.

      This discovery highlights the critical importance of defense-in-depth security strategies, where authorization controls exist at multiple application layers rather than relying solely on middleware-based protection mechanisms.
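      The following JavaScript is an added illustration of that defense-in-depth point; it is not Next.js source or the researchers' code. It models the middleware skip the article describes with a toy dispatcher, then shows the two controls that hold even when the skip happens: stripping the internal header at the edge and re-checking authorization inside the route handler. The request objects, session store and middleware name are constructed.

```javascript
// Added example (not Next.js code): toy model of the middleware skip plus two defences.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Simplified model of the flawed dispatch: if the header names this deployment's
// middleware (e.g. "middleware" or "pages/_middleware"), middleware is not run.
function dispatch(req, { middlewareName, middleware, handler }) {
  const marker = req.headers[INTERNAL_HEADER] ?? "";
  const skipMiddleware = marker.split(":").includes(middlewareName);
  if (!skipMiddleware) {
    const verdict = middleware(req);
    if (verdict) return verdict; // middleware rejected the request
  }
  return handler(req);
}

// Defence 1: at the reverse proxy or edge, external requests never carry the internal header.
function stripInternalHeaders(req) {
  const { [INTERNAL_HEADER]: removed, ...headers } = req.headers;
  return { req: { ...req, headers }, flagged: removed !== undefined };
}

// Defence 2: the route handler re-checks authorization itself instead of trusting middleware.
const SESSIONS = new Map([["s3ss10n-admin", { user: "ops", role: "admin" }]]); // constructed
function requireRole(role) {
  return (req) => {
    const session = SESSIONS.get(req.cookies?.session);
    return session && session.role === role ? null : { status: 401 };
  };
}
const authMiddleware = (req) =>
  req.path.startsWith("/admin") ? requireRole("admin")(req) : null;
const adminHandler = (req) => requireRole("admin")(req) ?? { status: 200, body: "admin panel" };
const weakAdminHandler = () => ({ status: 200, body: "admin panel" }); // relies on middleware only

const app = { middlewareName: "middleware", middleware: authMiddleware };

// Constructed scenario: an unauthenticated request that carries the internal header.
const hostile = { path: "/admin", headers: { [INTERNAL_HEADER]: "middleware" }, cookies: {} };
```

With weakAdminHandler the toy dispatcher returns 200 for the hostile request; with adminHandler, or after stripInternalHeaders at the edge, it returns 401.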


      The post Critical Next.js Framework Vulnerability Let Attackers Bypass Authorization appeared first on Cyber Security News.


    9. A novel phishing campaign emerged in late August 2025 that specifically targeted hoteliers and vacation rental managers through malicious search engine advertisements.

      Rather than relying on mass email blasts or social media lures, attackers purchased sponsored ads on platforms such as Google Search, typosquatting legitimate service providers’ names to redirect unsuspecting users.

      By mimicking brands like SiteMinder and RoomRaccoon, the adversaries ensured that their malicious domains appeared above authentic listings, dramatically increasing the likelihood of victim engagement.

      Example of malvertising showing two fake websites promoted above a legitimate domain (Source – okta Security)

      Once a victim clicked on a sponsored link, they were presented with highly convincing fake login portals.

      These pages replicated the exact look and feel of established property management and guest messaging platforms, complete with corporate logos, form fields for usernames, passwords, and even multi-factor authentication prompts.

      The attackers went so far as to implement social engineering techniques that coaxed users into divulging one-time passwords sent via SMS or email.

      By harvesting not only static credentials but dynamic OTP codes, the campaign was engineered for maximal account takeover potential.

      okta Security analysts identified this campaign after observing a sudden spike in outbound traffic from a large Russian datacenter proxy provider to multiple hospitality domains.

      Analysis of phishing page source code revealed Russian-language comments and error messages such as “Ошибка запроса” (“Request error”), indicating possible ties to Russian-speaking threat actors.

      Moreover, the phishing sites employed JavaScript beaconing scripts to track visitor interactions in real time, collecting geolocation data, session duration, and bot-detection metrics.

      Beyond the initial credential harvesting phase, the attackers demonstrated sophisticated persistence tactics. By integrating beaconing functions, they were able to monitor whether victims entered correct credentials and OTPs. A simplified version of their JavaScript beaconing mechanism appears below:

      function sendRequest() {
          // Beacon to the attacker's endpoint; on failure log the Russian error string left in the source
          fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса"));
      }
      // Fire the request every 10 seconds
      setInterval(sendRequest, 10000);
      Phishing pages (Source – okta Security)

      This looped request every ten seconds, ensuring continuous data exfiltration whenever victims interacted with the phishing pages.
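      A fixed ten-second cadence is itself a detectable signal. The JavaScript below is an added example, not okta Security's code: it groups constructed web proxy log lines by client, host and path and flags any tuple whose inter-request gaps are nearly constant, which is how the beacon above would appear in egress logs. The log format ("timestamp client host path") is an assumption for the example.

```javascript
// Added example (not okta Security's code): detect fixed-interval beaconing in proxy logs.
// Constructed log lines in the assumed format "ISO-timestamp client host path".
const SAMPLE_PROXY_LOG = [
  "2025-08-28T09:00:00Z 10.0.0.12 siteminder.live /mksd95jld43",
  "2025-08-28T09:00:10Z 10.0.0.12 siteminder.live /mksd95jld43",
  "2025-08-28T09:00:20Z 10.0.0.12 siteminder.live /mksd95jld43",
  "2025-08-28T09:00:30Z 10.0.0.12 siteminder.live /mksd95jld43",
  "2025-08-28T09:00:40Z 10.0.0.12 siteminder.live /mksd95jld43",
  "2025-08-28T09:00:03Z 10.0.0.12 cdn.example /app.js",
  "2025-08-28T09:00:17Z 10.0.0.12 cdn.example /app.js",
  "2025-08-28T09:01:02Z 10.0.0.12 cdn.example /app.js",
  "2025-08-28T09:00:05Z 10.0.0.33 mail.example /inbox",
];

function parseLine(line) {
  const [ts, client, host, path] = line.trim().split(/\s+/);
  return { t: Date.parse(ts) / 1000, client, host, path };
}

// Flag a (client, host, path) tuple when at least minHits requests arrive at a near-constant
// interval, measured as the coefficient of variation of the gaps between requests.
function findBeacons(lines, { minHits = 4, maxCv = 0.1 } = {}) {
  const groups = new Map();
  for (const rec of lines.map(parseLine)) {
    const key = `${rec.client} ${rec.host} ${rec.path}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec.t);
  }
  const hits = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = mean === 0 ? Infinity : Math.sqrt(variance) / mean;
    if (cv <= maxCv) hits.push({ key, hits: times.length, intervalSeconds: mean, cv });
  }
  return hits;
}
```

Real beacons often add jitter, so maxCv is the knob to tune against your own baseline.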

      Infection Mechanism

      Delving deeper into the infection mechanism, the campaign’s reliance on malvertising sets it apart from traditional phishing operations.

      Rather than exploiting browser vulnerabilities directly, the attackers weaponized search engine advertising to poison the user’s journey from the outset.

      By bidding on high-value keywords—often the exact names of hospitality platforms—the malicious ads appeared alongside or above genuine results.

      Victims searching for “SiteMinder login” or “RoomRaccoon channel manager” would instead encounter URLs like siteminder.live and rocmracooon.cfd, both of which were visually indistinguishable from legitimate domains.

      Example of malvertising directing users to another phishing site (Source – okta Security)

      Upon landing, the phishing pages initiated the JavaScript beacon to confirm victim presence and to capture responses to form fields.

      The code forced periodic outbound connections to command-and-control endpoints, ensuring that credentials and OTPs were relayed immediately.

      In addition, the attackers engineered the login forms to accept multiple MFA methods—SMS, email, and authenticator apps—thereby maximizing their chances of bypassing any single factor of defense.

      Detection of this infection mechanism requires vigilant monitoring of ad campaigns and domain registrations.

      Organizations should implement adaptive risk assessments to flag sudden requests from unfamiliar networks and promptly investigate any deviations from normal user activity.

      By combining threat intelligence with real-time monitoring of ad ecosystems, defenders can disrupt this sophisticated malvertising-driven phishing strategy before it compromises critical hotel management infrastructure.
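      One way to monitor new registrations against the brands this campaign imitated, as an added example that is not okta Security's code: the JavaScript below classifies a domain as a TLD swap (same label, different suffix, like siteminder.live) or a near-miss lookalike by edit distance (like rocmracooon.cfd). The brand list and the thresholds are constructed for the example.

```javascript
// Added example (not okta Security's code): flag lookalike domains for a set of protected brands.
// Brand records are constructed for the example.
const BRANDS = [{ label: "siteminder", tld: "com" }, { label: "roomraccoon", tld: "com" }];

// Standard Levenshtein edit distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Compare the registrable label and suffix of a domain against each protected brand.
function classifyDomain(domain, brands = BRANDS, maxDistance = 2) {
  const parts = domain.toLowerCase().split(".");
  const tld = parts.pop();
  const label = parts.pop() ?? "";
  for (const b of brands) {
    if (label === b.label && tld === b.tld) return { domain, brand: b.label, verdict: "legitimate" };
    if (label === b.label) return { domain, brand: b.label, verdict: "tld-swap" };
    const distance = levenshtein(label, b.label);
    if (distance <= maxDistance) return { domain, brand: b.label, verdict: "lookalike", distance };
  }
  return { domain, brand: null, verdict: "unrelated" };
}

// Run a batch of newly registered domains (constructed) and keep only the suspicious ones.
function triageRegistrations(domains) {
  return domains.map((d) => classifyDomain(d)).filter((r) => r.verdict !== "legitimate" && r.verdict !== "unrelated");
}
```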


      The post New Large-Scale Phishing Attacks Targets Hotelier Via Ads to Gain Access to Property Management Tools appeared first on Cyber Security News.
