Threat actors continue to use Scheduled Tasks and other built-in Windows features to create persistence in the ever-changing world of cybersecurity threats, frequently avoiding the need of external tools or complex zero-day exploits. As of 2025, despite advancements in attack techniques such as rootkits and dead-drop command-and-control (C2) mechanisms, traditional methods remain prevalent due to […]
Microsoft has acknowledged that the August 2025 security update—KB5063878—can cause significant performance degradation on both Windows 11, version 24H2, and supported Windows 10 releases. The company’s Windows release health dashboard confirms reports of severe stuttering, lag, and choppy audio/video playback when using Network Device Interface (NDI) streaming in applications such as OBS (Open Broadcaster Software) […]
A critical security flaw in Tableau Server could enable attackers to upload and execute malicious files, potentially leading to complete system compromise.
The vulnerability, tracked as CVE-2025-26496 with a CVSS score of 9.6, affects multiple versions of both Tableau Server and Tableau Desktop across Windows and Linux platforms.
Key Takeaways
1. Tableau Server allows malicious file uploads and code execution through type confusion attacks.
2. Five vulnerabilities enable file upload bypass and path traversal attacks.
3. Upgrade all Tableau Server versions
Tableau Server File Upload Vulnerabilities
Salesforce Security identified five distinct vulnerabilities during a proactive security assessment, with fixes included in the July 22, 2025 Maintenance Release.
The most severe vulnerability, CVE-2025-26496, involves Access of Resource Using Incompatible Type (‘Type Confusion’) in the File Upload modules, allowing Local Code Inclusion attacks.
The vulnerability affects Tableau Server versions before 2025.1.4, before 2024.2.13, and before 2023.3.20.
This type confusion flaw occurs when the application incorrectly handles data types during file processing, potentially allowing attackers to bypass security controls and execute arbitrary code on the target system.
Additional high-severity vulnerabilities include CVE-2025-26497 (CVSS 7.7) and CVE-2025-26498 (CVSS 7.7), both involving Unrestricted Upload of File with Dangerous Type, affecting the Flow Editor and establish-connection-no-undo modules respectively.
These flaws enable Absolute Path Traversal attacks, allowing attackers to write files to arbitrary locations on the server filesystem.
Path Traversal Vulnerabilities
Two path traversal vulnerabilities, CVE-2025-52450 and CVE-2025-52451, both scoring 8.5 on CVSS, affect the tabdoc API’s create-data-source-from-file-upload modules.
CVE-2025-52450 represents an Improper Limitation of a Pathname to a Restricted Directory vulnerability, while CVE-2025-52451 involves Improper Input Validation.
These vulnerabilities allow attackers to perform directory traversal attacks using malicious payloads to access sensitive system files outside the intended upload directory.
The improper input validation enables attackers to bypass path sanitization mechanisms through techniques like double encoding (%252e%252e%252f) or Unicode normalization attacks.
The affected modules process user-supplied file paths without adequate validation, potentially allowing attackers to overwrite critical system files, access configuration data, or plant webshells for persistent access.
In enterprise environments, these vulnerabilities could facilitate lateral movement and privilege escalation attacks.
| CVE ID | Vulnerability Type | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-26496 | Access of Resource Using Incompatible Type (‘Type Confusion’) | 9.6 | Critical |
| CVE-2025-26497 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-26498 | Unrestricted Upload of File with Dangerous Type | 7.7 | High |
| CVE-2025-52450 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 8.5 | High |
| CVE-2025-52451 | Improper Input Validation | 8.5 | High |
Immediate Patching Required
Organizations running affected Tableau Server versions must immediately upgrade to the latest supported maintenance release.
The vulnerability disclosure follows responsible disclosure practices, with Salesforce providing patches before public disclosure.
System administrators should prioritize patching due to the critical CVSS scores and the potential for remote code execution.
The combination of file upload and path traversal vulnerabilities creates a dangerous attack vector that could lead to complete server compromise, data exfiltration, and deployment of ransomware or other malicious payloads.
Security teams should also review access logs for suspicious file upload activities, implement Web Application Firewall (WAF) rules to detect path traversal attempts, and conduct post-patch security assessments to ensure no compromise occurred prior to remediation.
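The following is an added example, not Tableau or Salesforce code, written in Python to make the two defensive points in this article concrete: why a single-pass decode plus substring check is bypassed by double encoding (%252e%252e%252f) and Unicode look-alike separators, how a canonicalize-then-contain check against the upload root closes that gap, and how the same canonicalization can be run over access-log lines to surface traversal attempts during the log review step. The upload root, function names, request paths and log lines are constructed for illustration; it needs Python 3.

```python
"""Added example (not Tableau code): hardened upload-path validation and a
detection pass over access-log lines. The upload root, function names,
request paths and log lines are constructed for illustration."""
import posixpath
import re
import unicodedata
from urllib.parse import parse_qsl, unquote, urlsplit

UPLOAD_ROOT = "/srv/app/uploads"   # assumed upload directory (constructed)


def fully_decode(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing.
    One pass turns %252e into %2e, which still contains no literal dot, so
    a single-pass filter looking for '..' lets it through; repeated
    decoding exposes the dot before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonicalize(value: str) -> str:
    """Bring every spelling of a path to one form before validating it:
    full percent-decoding, NFKC (folds FULLWIDTH SOLIDUS U+FF0F to '/' and
    TWO DOT LEADER U+2025 to '..'), and backslash-to-slash so Windows-style
    separators cannot hide a '..' segment."""
    return unicodedata.normalize("NFKC", fully_decode(value)).replace("\\", "/")


def naive_is_safe(user_path: str) -> bool:
    """The weak check: one decode pass and a substring test. Double-encoded
    and fullwidth inputs pass it."""
    return ".." not in unquote(user_path) and not user_path.startswith("/")


def resolve_upload_path(user_path: str) -> str:
    """Hardened check: canonicalize, reject NUL and empty names, join to the
    root and confirm the normalized result is still under UPLOAD_ROOT."""
    clean = canonicalize(user_path)
    if not clean or "\x00" in clean:
        raise ValueError("empty name or NUL byte in filename")
    joined = posixpath.normpath(posixpath.join(UPLOAD_ROOT, clean))
    # posixpath.join discards UPLOAD_ROOT when clean is absolute, and normpath
    # collapses '..' segments; commonpath then shows whether we left the root.
    if posixpath.commonpath([UPLOAD_ROOT, joined]) != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return joined


def is_rejected(user_path: str) -> bool:
    """True when the hardened check refuses the name."""
    try:
        resolve_upload_path(user_path)
    except ValueError:
        return True
    return False


# Constructed access-log lines in combined-log style (not real Tableau logs).
LOG_LINES = [
    '10.0.0.5 - - [21/Aug/2025:10:01:02 +0000] "POST /api/upload?name=report.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Aug/2025:10:01:07 +0000] "POST /api/upload?name=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 88',
    '10.0.0.9 - - [21/Aug/2025:10:01:09 +0000] "POST /api/upload?name=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 400 0',
    '10.0.0.7 - - [21/Aug/2025:10:02:00 +0000] "GET /api/status HTTP/1.1" 200 64',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')
DOTDOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def find_traversal_attempts(lines):
    """Return (line_number, canonical_value) for each request whose path or
    any query value, once canonicalized, contains a '..' segment or NUL."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for raw in candidates:
            value = canonicalize(raw)
            if DOTDOT_SEGMENT.search(value) or "\x00" in value:
                hits.append((number, value))
                break
    return hits


if __name__ == "__main__":
    for sample in ["report.csv", "%252e%252e%252f%252e%252e%252fetc%252fpasswd", "\u2025\uff0fetc\uff0fpasswd"]:
        print(f"{sample!r}: naive check says safe={naive_is_safe(sample)}, hardened rejects={is_rejected(sample)}")
    for number, value in find_traversal_attempts(LOG_LINES):
        print(f"line {number}: traversal attempt {value!r}")
```

The order matters: normalize first, then check, then use exactly the normalized value; a validator that checks the raw string while the file layer later decodes or normalizes it reintroduces the bypass. The log pass deliberately decodes as many times as needed, so it catches both the single-encoded and the double-encoded spellings of the same traversal.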
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
A federal court has handed down a four-year prison term to a former software developer who sabotaged his employer’s global network with a custom “kill switch,” crippling operations and inflicting hundreds of thousands in losses. Davis Lu, 55, a Chinese national legally residing and working in Houston, was sentenced on August 21 by U.S. District […]
As part of the ongoing analysis of the KorPlug malware family, this second installment focuses on the complex second-stage payload, expanding on earlier discoveries of DLL side-loading methods that use legitimate programs to execute code initially. The payload, a malicious DLL with SHA-256 hash b6b239fe0974cf09fe8ee9bc5d0502174836a79c53adccdbb1adeb1f15c6845c, measures 638,976 bytes (624 KB) and is structured as an […]
Threat actors are increasingly abusing native evaluation and execution functions to conceal and execute malicious payloads within innocent-looking packages on PyPI. Security researchers warn that while static analysis libraries such as hexora can detect many obfuscation techniques, attackers continue innovating ways to slip harmful code past simple scanners. Supply chain attacks targeting Python packages have surged, with […]
The National Institute of Standards and Technology (NIST) has officially released NIST Special Publication 800-232, establishing the Ascon family of algorithms as the new standard for lightweight cryptography designed specifically for resource-constrained devices.
Published in August 2025, this groundbreaking standard addresses critical security gaps in Internet of Things (IoT) devices, embedded systems, and low-power sensors where traditional cryptographic solutions like AES-GCM may prove too resource-intensive.
Key Takeaways
1. NIST SP 800-232 standardizes the Ascon family, using 320-bit states and the Ascon-p[12] and Ascon-p[8] permutations.
2. Ascon-AEAD128 delivers 128-bit security.
3. Ascon-Hash256, XOF128, and CXOF128 use a sponge with a 64-bit rate (Ascon-p[12]) to produce 256-bit or variable-length outputs.
Ascon Algorithm Family Multi-Layered Protection
The newly standardized Ascon family comprises four distinct cryptographic primitives, each serving specific security functions.
Ascon-AEAD128 serves as the primary authenticated encryption scheme, offering 128-bit security strength in single-key environments with nonce-based operation.
The standard also includes Ascon-Hash256, a cryptographic hash function producing 256-bit digests with 128-bit security strength.
Two eXtendable Output Functions (XOFs) complete the suite: Ascon-XOF128 and Ascon-CXOF128.
The latter introduces customization string capabilities, enabling domain separation for applications requiring distinct outputs from identical inputs.
All algorithms utilize the same underlying Ascon-p permutation with varying round counts: in Ascon-AEAD128, Ascon-p[12] for initialization/finalization and Ascon-p[8] for the data processing phases, while the hash and XOF functions use Ascon-p[12] throughout.
The Ascon standard implements a Substitution-Permutation Network (SPN) structure operating on a 320-bit internal state divided into five 64-bit words.
The permutation function consists of three layers: constant-addition, substitution, and linear diffusion, providing robust cryptographic security while maintaining computational efficiency.
Key technical specifications include a 128-bit rate and 192-bit capacity for Ascon-AEAD128, while hash functions operate with a 64-bit rate and 256-bit capacity.
The standard mandates specific initial values: 0x00001000808c0001 for Ascon-AEAD128, 0x0000080100cc0002 for Ascon-Hash256, and distinct IVs for XOF variants to ensure algorithm separation.
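To make the three-layer structure concrete, here is an added example (not NIST's or the Ascon designers' code) implementing the Ascon-p permutation in Python on a 320-bit state held as five 64-bit words, with each layer as its own function. The round constants, bitsliced S-box and rotation offsets are the published Ascon values, which SP 800-232 kept unchanged; the function names and the constructed demo input (the Ascon-AEAD128 IV from the text in x0 with the key and nonce words zeroed) are my own choices. The block also cross-checks the bitsliced S-box against the 5-bit lookup table, which is a useful sanity test for any hand-written implementation.

```python
"""Added example (not NIST's or the Ascon team's code): the Ascon-p
permutation as the three layers SP 800-232 describes, on a 320-bit state
stored as five 64-bit words. Helper names are my own."""

MASK64 = (1 << 64) - 1

# Round constants for p[12]; p[8] uses the last eight and p[6] the last six,
# so every variant shares the same final rounds.
ROUND_CONSTANTS = [0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5,
                   0x96, 0x87, 0x78, 0x69, 0x5a, 0x4b]

# The 5-bit Ascon S-box as a lookup table (x0 is the most significant bit),
# used only to cross-check the bitsliced implementation below.
SBOX_TABLE = [0x4, 0xb, 0x1f, 0x14, 0x1a, 0x15, 0x9, 0x2,
              0x1b, 0x5, 0x8, 0x12, 0x1d, 0x3, 0x6, 0x1c,
              0x1e, 0x13, 0x7, 0xe, 0x0, 0xd, 0x11, 0x18,
              0x10, 0xc, 0x1, 0x19, 0x16, 0xa, 0xf, 0x17]


def rotr(x, n):
    """Rotate a 64-bit word right by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def add_constant(s, round_index, rounds):
    """Layer 1 (constant addition): XOR the round constant into word x2."""
    s[2] ^= ROUND_CONSTANTS[12 - rounds + round_index]
    return s


def substitution(s):
    """Layer 2 (substitution): the 5-bit S-box applied bitsliced, so bit i
    of x0..x4 together forms one S-box input and all 64 run in parallel."""
    x0, x1, x2, x3, x4 = s
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = (~x0 & MASK64) & x1
    t1 = (~x1 & MASK64) & x2
    t2 = (~x2 & MASK64) & x3
    t3 = (~x3 & MASK64) & x4
    t4 = (~x4 & MASK64) & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2
    x2 = ~x2 & MASK64
    return [x0, x1, x2, x3, x4]


def linear_diffusion(s):
    """Layer 3 (linear diffusion): each word XORed with two rotated copies."""
    x0, x1, x2, x3, x4 = s
    return [
        x0 ^ rotr(x0, 19) ^ rotr(x0, 28),
        x1 ^ rotr(x1, 61) ^ rotr(x1, 39),
        x2 ^ rotr(x2, 1) ^ rotr(x2, 6),
        x3 ^ rotr(x3, 10) ^ rotr(x3, 17),
        x4 ^ rotr(x4, 7) ^ rotr(x4, 41),
    ]


def ascon_p(state, rounds):
    """Ascon-p[rounds]: the SPN over five 64-bit words, rounds in {6, 8, 12}."""
    assert rounds in (6, 8, 12)
    s = [w & MASK64 for w in state]
    for r in range(rounds):
        s = linear_diffusion(substitution(add_constant(s, r, rounds)))
    return s


def sbox_via_bitslice(value):
    """Push one 5-bit value through the bitsliced S-box by setting each word
    to all-ones or all-zeros, then read the five result bits back."""
    words = [MASK64 if (value >> (4 - i)) & 1 else 0 for i in range(5)]
    out = substitution(words)
    return sum((w & 1) << (4 - i) for i, w in enumerate(out))


def sbox_matches_table():
    """True when the bitsliced S-box agrees with the lookup table on all 32 inputs."""
    return all(sbox_via_bitslice(v) == SBOX_TABLE[v] for v in range(32))


if __name__ == "__main__":
    print("bitsliced S-box matches table:", sbox_matches_table())
    # Constructed demo input: the Ascon-AEAD128 IV in x0, key/nonce words zero.
    state = ascon_p([0x00001000808c0001, 0, 0, 0, 0], 12)
    print("p[12] output words:", [f"{w:016x}" for w in state])
```

Ascon-p[8], used for the data-processing phases of Ascon-AEAD128, is the same function run for only the last eight rounds, which is why the round-constant index is offset by `12 - rounds`; the hash and XOF functions call p[12] for every permutation. The bitsliced form is what constant-time software and hardware implementations use, since it needs no table lookups that could leak through cache timing.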
Enhanced Security Features
NIST’s standard incorporates advanced security measures, including nonce-masking implementation options and truncation capabilities for authentication tags.
The specification requires a minimum of 32-bit truncated tags, with careful risk analysis mandated for tags shorter than 64 bits.
Data processing limits are established at 2⁵⁴ bytes per key to maintain security margins. For enhanced protection, the nonce-masking option maintains full 128-bit security regardless of key count.
This comprehensive approach ensures robust protection against forgery attempts while supporting practical deployment constraints in resource-limited environments.
A novel macOS infostealer malware, designated as Mac.c, has emerged as a formidable contender in the underground malware-as-a-service (MaaS) ecosystem. Developed openly by a threat actor operating under the pseudonym “mentalpositive,” Mac.c represents a streamlined derivative of the notorious Atomic MacOS Stealer (AMOS), optimized for rapid data exfiltration with minimal footprint. This malware leverages native […]
Shortly after the May 2025 rollout of 107 Copilot Agents in Microsoft 365 tenants, security specialists discovered that the “Data Access” restriction meant to block agent availability is being ignored.
Key Takeaways
1. The “NoUsersCanAccessAgent” policy is bypassed, leaving some Copilot Agents installable.
2. Manual per-agent PowerShell revocations add overhead and risk.
3. Mitigate by auditing inventories, enforcing Conditional Access, and monitoring.
Despite administrators configuring the Copilot Agent Access Policy to disable user access, certain Microsoft-published and third-party agents remain readily installable, potentially exposing sensitive corporate data and workflows to unauthorized use.
When administrators set:
The expectation is that all Copilot Agents are hidden from end-user installation across Teams, Outlook, and other Microsoft 365 services.
However, testing by cybersecurity researcher Steven Lim shows that agents such as “ExpenseTrackerBot” and “HRQueryAgent” continue to appear in the Copilot panel despite the global policy restriction.
In many organizations, manual intervention is now required:
This workaround must be run per-agent and per-tenant, introducing operational overhead and risk of oversight in large deployments. For external publisher agents, similar manual revocation is necessary, further complicating lifecycle management.
Copilot Policy Flaw
Unauthorized access to AI-driven agents can lead to:
Data exfiltration via “ExportDataAgent” or “SearchFileAgent” that query SharePoint or OneDrive content beyond intended scope.
Execution of custom RPA workflows through agents like “AutoInvoiceProcessor” without formal change control or audit logging.
Compliance violations if unapproved AI models process sensitive PII or regulated data.
Mitigations
To mitigate these risks, M365 administrators should:
Run a weekly discovery script to detect any agents bypassing the global policy:
Integrate Azure AD Conditional Access to require MFA or device compliance for installing any Copilot Agent, and feed agent invocation logs into monitoring.
Further, report policy enforcement failures via the Service Health Dashboard and track the resolution of identified bugs.
As AI agents become integral to productivity, it is critical that access policies designed to govern them actually function as intended.
Administrators must proactively audit, monitor, and enforce controls to prevent inadvertent exposure of enterprise data and preserve compliance.
The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities.
“Initial access is achieved through spear-phishing emails,” CYFIRMA said. “Linux BOSS environments are targeted via weaponized .desktop