• The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it’s become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive. Hackers don’t always break systems anymore — they use them. They hide inside trusted apps, copy real websites, and trick people into giving up control


  • Samba has disclosed a severe remote code execution (RCE) flaw that could allow attackers to hijack Active Directory domain controllers.

    Tracked as CVE-2025-10230, the vulnerability stems from improper validation in the Windows Internet Name Service (WINS) hook mechanism, earning a perfect CVSS 3.1 score of 10.0 for its ease of exploitation and devastating potential impact.

    Samba, the open-source implementation of the SMB/CIFS networking protocol widely used in Linux and Unix environments to mimic Windows file sharing and authentication, has long been a cornerstone for cross-platform enterprise networks.

    However, this flaw exposes organizations relying on it as an Active Directory Domain Controller (AD DC) to unauthenticated attacks.

    Discovered by security researcher Igor Morgenstern of Aisle Research, the issue affects all Samba versions since 4.0 when specific configurations are enabled, namely, WINS support and a custom ‘wins hook’ script in the smb.conf file.

    Samba RCE Vulnerability

    WINS, a deprecated Microsoft protocol from the pre-DNS era, resolves NetBIOS names in legacy Windows networks.

    By default, WINS support is disabled in Samba, but when activated on an AD DC alongside the ‘wins hook’ parameter, which triggers an external script on name changes, the system becomes a sitting duck.

    Attackers can send crafted WINS name registration requests containing shell metacharacters within the 15-character NetBIOS limit.

    These inject arbitrary commands into the hook script, executed via a shell without any authentication or user interaction required.

    The vulnerability’s scope is narrow but perilous: it only impacts Samba in AD DC mode (roles like ‘domain controller’ or ‘active directory domain controller’).

    Standalone or member servers, which use a different WINS implementation, remain unaffected. In practice, this could let remote threat actors on the network pivot to full system compromise, exfiltrating sensitive data, deploying ransomware, or escalating privileges in hybrid Windows-Linux setups common in enterprises.

    Mitigations

    Samba maintainers acted swiftly, releasing patches to their security portal and issuing updated versions: 4.23.2, 4.22.5, and 4.21.9.

    Administrators should prioritize upgrades, especially in environments with legacy WINS dependencies.

    As a workaround, disable the ‘wins hook’ parameter entirely or set ‘wins support = no’ in smb.conf. Samba’s default configuration already avoids this risky combination, making most setups safe out of the box.

    Experts urge a broader review: WINS is obsolete, and its use on modern domain controllers is rare and inadvisable. Even post-patch, admins might disable hooks altogether, as future Samba releases could drop support.
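    A small audit script for the condition the advisory describes (AD DC role plus ‘wins support = yes’ plus a ‘wins hook’), written as an added example for this page rather than Samba’s own tooling; the smb.conf excerpts are constructed, and the parser handles only the [global] section.

```python
"""Check an smb.conf for the WINS-hook combination described in the Samba
advisory: AD DC server role + 'wins support = yes' + a 'wins hook' script.
Added example for this page, not Samba's own code; sample configs are constructed."""
import re

# Constructed smb.conf excerpt showing the risky combination.
RISKY_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    wins support = yes
    wins hook = /usr/local/sbin/wins-update.sh
"""

# The same file with the advisory's workaround applied (wins support off, no hook).
SAFE_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    wins support = no
"""

# Role names the advisory lists as affected (standalone/member servers are not).
AD_DC_ROLES = {"domain controller", "active directory domain controller"}


def parse_global(conf: str) -> dict:
    """Return key/value pairs from the [global] section, keys lower-cased."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def is_risky(conf: str) -> bool:
    """True only when all three conditions from the advisory hold together."""
    g = parse_global(conf)
    role = g.get("server role", "").lower()
    wins_on = g.get("wins support", "no").lower() in {"yes", "true", "1"}
    return role in AD_DC_ROLES and wins_on and bool(g.get("wins hook"))
```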

    With attack surfaces expanding in hybrid clouds, this incident underscores the need to audit and phase out antiquated protocols before they become entry points for nation-state actors or cybercriminals.


    The post Critical Samba RCE Vulnerability Enables Arbitrary Code Execution appeared first on Cyber Security News.


  • PhantomVAI Loader, a newly renamed multi-stage .NET loader tracked by Unit 42, is being used in widespread phishing campaigns to deliver a variety of information-stealing malware families. Initially identified as Katz Stealer Loader for its role in deploying the Katz Stealer infostealer, this loader now supports AsyncRAT, XWorm, FormBook and DCRat payloads through an evasive […]

    The post PhantomVAI Loader Launches Global Campaign to Distribute AsyncRAT, XWorm, FormBook, and DCRat appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a severe code execution vulnerability in Adobe Experience Manager Forms, urging organizations to patch immediately.

    Tracked as CVE-2025-54253, this flaw affects the Java Enterprise Edition (JEE) version of the software and enables attackers to execute arbitrary code on vulnerable systems.

    First disclosed by Adobe in early October 2025, the vulnerability has already been exploited in the wild, according to CISA’s Known Exploited Vulnerabilities Catalog.

    Adobe Experience Manager Forms is a popular platform for creating and managing digital forms in enterprise environments, often used by businesses for customer interactions and document processing.

    The vulnerability, whose exact nature Adobe has not specified, is rated 9.8 out of 10 on the CVSS scale and is particularly dangerous because it requires no user interaction or authentication to trigger.

    Attackers can leverage it to gain full control over affected servers, potentially leading to data theft, ransomware deployment, or further network compromise.

    Exploitation and Real-World Impact

    Reports indicate that threat actors have begun weaponizing CVE-2025-54253 in targeted attacks, though it’s unclear if ransomware groups are involved at this stage.

    Security researchers from firms like Mandiant have observed exploitation attempts against unpatched instances hosted in cloud environments, where misconfigurations amplify the risk.

    One notable incident involved a mid-sized financial services firm in Europe, where attackers used the flaw to deploy malware, resulting in a temporary service outage and data exfiltration.

    CISA added the CVE to its catalog on October 15, 2025, emphasizing that federal agencies must apply mitigations by November 14 or discontinue use of the product.

    This aligns with Binding Operational Directive 22-01, which mandates rapid response to actively exploited flaws in federal systems. Private sector organizations are also at high risk, especially those relying on Adobe’s suite for web content management.

    Adobe has released patches for affected versions, including AEM Forms 6.5.13 and earlier. Users should apply updates promptly, enable multi-factor authentication, and segment networks to limit lateral movement.

    For cloud deployments, following BOD 22-01 guidance is essential, including regular vulnerability scanning. This incident underscores the ongoing challenges in supply chain security, as Adobe products are integral to many digital ecosystems.

    With exploitation confirmed, experts warn of potential escalation if patches lag. Organizations should prioritize auditing their AEM deployments to stay ahead of evolving threats.


    The post CISA Warns Of Adobe Experience Manager Forms 0-Day Vulnerability Exploited In Attacks appeared first on Cyber Security News.


  • Cybersecurity researchers at Zscaler have uncovered a sophisticated malware campaign that exploits search engine optimization (SEO) poisoning to distribute a trojanized version of the Ivanti Pulse Secure VPN client, targeting unsuspecting users seeking legitimate software downloads. The Zscaler Threat Hunting team recently detected a surge in malicious activity leveraging SEO manipulation, primarily targeting Bing search […]

    The post Malicious Ivanti VPN Client Sites in Google Search Deliver Malware — Users Warned appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers at Trend Micro have discovered an active attack campaign dubbed “Operation Zero Disco” that exploits a critical vulnerability in Cisco’s Simple Network Management Protocol (SNMP) implementation. The vulnerability, tracked as CVE-2025-20352, allows threat actors to execute remote code and deploy sophisticated Linux rootkits on vulnerable network devices. The campaign primarily targets older Cisco […]

    The post Cisco SNMP Vulnerability Actively Exploited to Install Linux Rootkits appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Elastic Security Labs has officially released nightMARE version 0.16, a comprehensive Python library designed to streamline malware analysis and reverse engineering workflows. The open-source tool consolidates multiple analysis capabilities into a single framework, enabling security researchers to extract configuration data and intelligence indicators from widespread malware families more efficiently. The development of nightMARE addresses a […]

    The post NightMARE: A Python Library for Advanced Malware Analysis and Threat Intelligence Extraction appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Microsoft has disclosed two critical vulnerabilities in its Windows BitLocker encryption feature, allowing attackers with physical access to bypass security protections and access encrypted data.

    Released on October 14, 2025, as part of the latest Patch Tuesday updates, these flaws, tracked as CVE-2025-55338 and CVE-2025-55333, pose a significant risk to users relying on BitLocker for full-disk encryption on Windows devices.

    Both vulnerabilities carry an “Important” severity rating and a CVSS v3.1 base score of 6.1, highlighting the potential for high-impact data breaches in scenarios involving device theft or tampering.

    BitLocker, a built-in Windows tool designed to encrypt entire drives and protect sensitive information, has long been a cornerstone of enterprise and personal security.

    However, these new issues stem from flaws in how the system handles ROM code patching and data comparisons, enabling unauthorized access without needing passwords or recovery keys.

    For CVE-2025-55338, the problem lies in the missing ability to patch ROM code, which leaves a gap for physical attacks. Similarly, CVE-2025-55333 involves an incomplete comparison mechanism that fails to account for key factors, as defined under CWE-1023.

    In both cases, an attacker could exploit the weaknesses to decrypt the system storage device, exposing confidential files, user credentials, and potentially corporate secrets.

    Understanding The Attack Vector

    These vulnerabilities require physical proximity to the target device, making them particularly relevant for scenarios like laptop theft or insider threats.

    According to Microsoft’s analysis, exploitation involves low complexity with no user interaction or privileges needed, but the unchanged scope limits broader network propagation.

    The vector string for both is CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, emphasizing high confidentiality and integrity impacts while availability remains unaffected.

    Microsoft assesses exploitation as “less likely” since the flaws were not publicly disclosed prior to patching, and no active exploits have been observed.

    Still, the official fix available through Windows Update urges immediate application, especially for mobile workers or those in high-risk environments.

    CVE ID          | Description                                | CVSS Base Score | Attack Vector | Severity  | Weakness
    ----------------|--------------------------------------------|-----------------|---------------|-----------|---------
    CVE-2025-55338  | Missing ROM code patching                  | 6.1             | Physical      | Important | N/A
    CVE-2025-55333  | Incomplete comparison with missing factors | 6.1             | Physical      | Important | CWE-1023

    Mitigations

    The discovery of these issues by Alon Leviev from Microsoft’s Security Threat Operations and Response Management (STORM) team highlights ongoing efforts to fortify core OS components.

    While not as devastating as remote code execution bugs, they remind users that physical security remains vital; no encryption is foolproof without safeguards like TPM modules and strong access controls.

    Organizations should prioritize patching affected Windows 10 and 11 systems, conduct device audits, and consider multi-factor authentication for recovery options.

    As cyber threats evolve, these vulnerabilities serve as a wake-up call to integrate BitLocker with layered defenses, ensuring data stays protected even in the hands of adversaries.

    Microsoft recommends enabling automatic updates and monitoring for unusual physical access attempts to mitigate risks effectively.


    The post Windows BitLocker Vulnerabilities Let Attackers Bypass Security Feature appeared first on Cyber Security News.


  • Microsoft has confirmed a critical issue affecting Windows Server 2025 systems following the installation of October 2025 security updates. The problem disrupts Active Directory directory synchronization, specifically impacting organizations managing large security groups with more than 10,000 members. Directory Sync Failures Impact Large Organizations The synchronization failure affects applications that rely on the Active Directory […]

    The post Microsoft’s October 2025 Patches Disrupt Active Directory Sync on Server 2025 Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated banking Trojan named Maverick has emerged in Brazil, leveraging WhatsApp as its primary distribution channel to compromise thousands of users.

    The malware campaign was detected in mid-October 2025, with cybersecurity solutions blocking over 62,000 infection attempts in just the first ten days of the month.

    The threat specifically targets Brazilian users through Portuguese-language messages containing malicious ZIP archives that bypass WhatsApp’s security filters.

    The infection mechanism begins when victims receive a seemingly legitimate message on WhatsApp, often disguised as bank notifications or important documents.

    These messages contain compressed ZIP files housing a weaponized .LNK file that initiates the attack chain. Once opened, the malware executes a complex series of commands through cmd[.]exe and PowerShell, contacting command-and-control servers with carefully validated authentication protocols to download additional payloads.

    The entire infection process operates in a fully fileless manner, meaning all malicious components load directly into memory without writing files to disk, significantly complicating detection efforts.

    Securelist researchers identified the malware as sharing substantial code similarities with Coyote, another Brazilian banking Trojan documented in 2024, though Maverick represents a distinct and more advanced threat.

    The researchers noted that the malware employs artificial intelligence in its code-writing process, particularly for certificate decryption mechanisms and general development workflows.

    This represents a concerning evolution in malware development techniques, where threat actors leverage AI tools to enhance their capabilities and evade traditional security measures.

    Infection chain (Source – Securelist)

    The banking Trojan implements geographic targeting by verifying the victim’s timezone, system language, region settings, and date formats to confirm Brazilian location before activating.

    If these checks fail, the malware terminates execution, preventing analysis by researchers in other countries.

    Once confirmed, Maverick deploys comprehensive surveillance capabilities including screenshot capture, browser monitoring, keylogging, mouse control, and overlay phishing pages designed to steal banking credentials from 26 Brazilian financial institutions, six cryptocurrency exchanges, and one payment platform.

    Propagation Through Compromised WhatsApp Accounts

    Perhaps the most alarming aspect of Maverick is its self-propagation mechanism that transforms infected devices into distribution nodes.

    The malware utilizes WPPConnect, an open-source WhatsApp Web automation project, to hijack compromised accounts and automatically send malicious messages to the victim’s contact list.

    This worm-like behavior creates exponential spread potential through one of the world’s most popular messaging platforms.

    The command-and-control infrastructure demonstrates advanced operational security through multiple validation layers.

    The C2 server authenticates each request using HMAC-256 signatures with the key “MaverickZapBot2025SecretKey12345” and validates User-Agent headers to ensure connections originate from the malware itself rather than security tools.

    The API endpoints utilize encrypted shellcodes wrapped with Donut loaders, employing XOR encryption where decryption keys are stored in the final bytes of downloaded binaries.

    The decryption algorithm extracts the last four bytes indicating key size, walks backward through the file to locate the encryption key, and applies XOR operations across the entire payload.

    This sophisticated encryption scheme, combined with heavy code obfuscation using Control Flow Flattening techniques, significantly hampers reverse engineering efforts.

    # Decryption Process (key material sits at the tail of the downloaded binary)
    $binary = [System.IO.File]::ReadAllBytes($path)             # assumed: $path points at the downloaded file
    $keySize = [BitConverter]::ToInt32($binary[-4..-1], 0)      # last four bytes: key length (little-endian)
    $keyStart = $binary.Length - 4 - $keySize                   # walk backward to where the key begins
    $xorKey = $binary[$keyStart..($keyStart + $keySize - 1)]    # the XOR key itself
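    The payload layout described above, worked through in Python as an added example for this page (not Securelist’s or the malware’s code): the blob is constructed here, the key size is read little-endian like the PowerShell `ToInt32` call, and cycling the key over the payload is an assumption about how the XOR is applied.

```python
"""Unwrap the tail-keyed XOR layout the article describes:
[encrypted payload][XOR key][4-byte little-endian key size].
Added example for this page; the sample blob is constructed, and repeating
the key across the payload is an assumption."""
import struct


def build_blob(plaintext: bytes, key: bytes) -> bytes:
    """Construct a blob in the described layout (for the demo only)."""
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))
    return enc + key + struct.pack("<i", len(key))


def extract_key(blob: bytes) -> bytes:
    """Read the key size from the last four bytes, then walk back to the key."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key size field")
    key_size = struct.unpack("<i", blob[-4:])[0]
    key_start = len(blob) - 4 - key_size
    # Reject sizes that are negative, zero, or larger than the file allows.
    if key_size <= 0 or key_start < 0:
        raise ValueError(f"implausible key size {key_size}")
    return blob[key_start:key_start + key_size]


def decrypt(blob: bytes) -> bytes:
    """XOR the payload (everything before the key) with the cycling key."""
    key = extract_key(blob)
    payload = blob[: len(blob) - 4 - len(key)]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


# Constructed sample: plaintext and key are test values, not real indicators.
SAMPLE = build_blob(b"constructed sample payload", b"k3y!")
```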

    Kaspersky security products detect the threat with verdicts HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen, providing protection from the initial LNK file through all subsequent infection stages.


    The post New Banking Malware Abusing WhatsApp to Gain Complete Remote Access to Your Computer appeared first on Cyber Security News.
