Vulnerabilities News

A critical security vulnerability has recently been discovered in certain versions of Zoom Clients for Windows that could expose users to cybersecurity risks, including privilege escalation via network access. The flaw, identified as /CVE-2025-49457, has been classified with a CVSS score of 9.6, signaling its high severity. The vulnerability could allow unauthenticated attackers to exploit a weak search path issue within the Zoom application, enabling them to escalate privileges without requiring user interaction.  This issue affects Zoom Workplace for Windows, Zoom Rooms, Zoom Rooms Controller, and Zoom Meeting SDK for Windows, all versions before 6.3.10. However, users of versions 6.1.16 and 6.2.12 are not impacted, despite being part of the broader vulnerable product set. The flaw was first reported by Zoom Offensive Security and has now been acknowledged by the company, with updates already made available. How does the CVE-2025-49457 Vulnerability work?  The core of the CVE-2025-49457 vulnerability lies in an untrusted search path within certain Zoom products. An untrusted search path is a security issue where an application looks for critical files or libraries in locations that may be vulnerable to manipulation. If exploited, this flaw could allow attackers to manipulate the search path in a way that triggers privilege escalation, providing them with unauthorized access to higher system permissions. The risk is threatening because it does not require authentication, making it especially dangerous in networked environments. The vulnerability is categorized as critical because it could lead to cybersecurity breaches. Zoom Clients running on Windows systems before version 6.3.10 are at immediate risk, and Zoom has urged users to upgrade to the latest versions of the software to mitigate potential threats. Affected Versions and Recommended Action  The following versions of Zoom Clients for Windows are vulnerable to CVE-2025-49457:  Zoom Workplace for Windows before version 6.3.10  Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)  Zoom Rooms for Windows before version 6.3.10  Zoom Rooms Controller for Windows before version 6.3.10  Zoom Meeting SDK for Windows before version 6.3.10  Users who are running any of the affected versions are strongly advised to immediately update to the latest version available. Zoom’s latest release, version 6.3.10, addresses this vulnerability and is available for download on the company’s website.  The Broader Context of Zoom Vulnerabilities  This latest issue is part of a broader trend of Zoom vulnerabilities being uncovered in recent years. Zoom has faced increasing scrutiny due to its rapid growth during the global shift to remote work. As the software gained millions of new users, security flaws became more apparent. Other known vulnerabilities in Zoom have included cross-site scripting (XSS) flaws, authentication bypass vulnerabilities, and buffer overflow issues.   Conclusion   Timely patching is crucial for protecting systems against vulnerabilities like CVE-2025-49457. Unpatched software, especially in enterprise environments where Zoom is widely used, presents a cybersecurity risk for attackers.   This latest flaw highlights the need for organizations and users to prioritize regular updates to prevent exploitation. Without timely patches, even trusted applications like Zoom can be compromised. Staying up to date with security fixes is the best defense against Zoom vulnerabilities, ensuring a secure digital environment.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-risk vulnerabilities in N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations of active exploitation in the wild.   Identified as CVE-2025-8875, a deserialization vulnerability, and CVE-2025-8876, a command injection vulnerability, both issues pose cybersecurity risks to system integrity and are prompting immediate security action across enterprises.  Decoding N-able N-central Vulnerabilities: CVE-2025-8875 and CVE-2025-8876  According to the release notes from N-able, these vulnerabilities were addressed in the 2025.3.1 version of N-central, which began rolling out on August 14, 2025, following final updates on August 13, 2025. While both vulnerabilities require authentication to exploit, they remain a substantial risk to unpatched environments. If successfully leveraged, these flaws could allow attackers to execute arbitrary code or commands, potentially leading to full system compromise.  CVE-2025-8875 refers specifically to an insecure deserialization vulnerability, a common issue in software that mishandles untrusted data during object deserialization. When exploited, this flaw can allow remote attackers to gain unauthorized control over system functions. Meanwhile, CVE-2025-8876, the command injection vulnerability, could permit authenticated attackers to inject and execute arbitrary commands on the underlying server, leading to potential data breaches or service disruptions.  Immediate Mitigation Steps  N-able is urging all users, especially those managing on-premises deployments, to upgrade to version 2025.3.1 without delay. The company emphasized that details of both CVEs will remain restricted for three weeks post-release in line with its responsible disclosure policies.  “There is a potential risk to the security of your N-central environment if unpatched,” the release notes warned. “You must upgrade your on-premises N-central to 2025.3.1.”  Additionally, Multi-Factor Authentication (MFA) must be enabled and enforced across all N-able products, particularly for administrative accounts. The company reiterated that MFA is not just a recommendation but a critical safeguard in mitigating risks from these vulnerabilities.  What’s New in the 2025.3.1 Release  Aside from security fixes, the latest N-central release brings several new features and enhancements focused on usability, performance, and visibility:  Expanded Audit Logging: New user-initiated events, including SSH login/logout and scheduled task changes, are now captured and exportable to Syslog for better traceability.  Device Management API Updates: Admins can now automatically add devices via the /api/device endpoint, streamlining deployments. Additionally, application names are more clearly visible through updated asset calls.  Asset Tagging Capabilities (Preview): New features allow the categorization of devices using customizable asset tags across organizational levels, Partner, SO, Customer, and Site.  These enhancements are designed to help partners manage large, distributed environments with greater control and efficiency.  Continued Focus on Compliance  N-able also confirmed ongoing development toward a CMMC Level 2-compliant version of N-central. This compliance is crucial for partners working with the U.S. Department of Defense (DoD) or managing sensitive federal contracts. The new version is being tailored for on-premises deployments to meet stringent federal cybersecurity standards.  Bug Fixes Address System Stability  A series of bug fixes was also included in the 2025.3.1 update, targeting issues such as failed PSA exports due to long passwords, broken remote support configurations, outdated asset mappings, and system errors caused by identifier overflows.  Among notable fixes:  Take Control setup failures have been resolved for smoother remote support sessions.  Scheduled tasks stuck due to network shares have been corrected.  Malformed HP drive mappings and redundant asset name prefixes have also been addressed.  Conclusion  The inclusion of CVE-2025-8875 and CVE-2025-8876 in CISA’s Known Exploited Vulnerabilities catalog highlights the critical nature of these actively exploited flaws in N-able N-central. The presence of both a deserialization vulnerability and a command injection vulnerability creates a direct risk, particularly in systems lacking robust access controls or up-to-date security practices.  Organizations are strongly urged to upgrade to N-central version 2025.3.1, enforce multi-factor authentication (MFA), monitor for suspicious activity, and leverage the enhanced audit log features to strengthen their security posture. With threat actors already exploiting these vulnerabilities, timely action is not just recommended; it is imperative. 

Fortinet has urgently notified users of a critical OS command injection vulnerability in its FortiSIEM platform, identified as CVE-2025-25256, which is now being actively exploited in the wild. According to Fortinet’s security advisory, the flaw received a CVSS score of 9.8, indicating its extreme severity. What’s at Risk and Which Versions Are Affected? This vulnerability stems from improper sanitization of special elements used within operating system commands (classified under CWE-78). As a result, unauthenticated threat actors can remotely execute arbitrary code or commands through crafted CLI requests—without any user interaction. The affected FortiSIEM versions include: 6.1 through 6.6 6.7.0 to 6.7.9 (upgrade to 6.7.10+) 7.0.0 to 7.0.3 (upgrade to 7.0.4+) 7.1.0 to 7.1.7 (upgrade to 7.1.8+) 7.2.0 to 7.2.5 (upgrade to 7.2.6+) 7.3.0 to 7.3.1 (upgrade to 7.3.2+) 7.4 is not affected What Fortinet Recommends for FortiSIEM Bug Fortinet urges immediate action — either patch to a fixed version or restrict access to the phMonitor port (TCP 7900), which is commonly used for internal discovery and synchronization. Limiting access to this port to trusted internal hosts or IPs may mitigate risk temporarily. Fortinet also confirmed that working exploit code is circulating in the wild. Unfortunately, these exploits do not generate distinctive indicators of compromise (IoCs), making detection challenging. Brute-Force Attacks on Fortinet SSL VPNs This advisory comes on the heels of GreyNoise’s discovery of a sudden surge in brute-force attempts targeting Fortinet SSL VPN devices. On August 3, 2025, more than 780 unique IP addresses—from countries including the US, Canada, Russia, and the Netherlands—attempted unauthorized access to VPN endpoints on numerous continents. GreyNoise further observed that this brute-force tooling shifted focus around August 5, transitioning from FortiOS-targeted attacks to hitting FortiManager (FGFM) systems instead—suggesting attackers may be adapting their strategy mid-operation. This pattern is consistent with GreyNoise’s broader research showing that spikes in brute-force activity often precede new CVE disclosures targeting the same vendor, typically within a six-week period. CVE-2025-25256 Vulnerability Summary Issue Details Vulnerability CVE-2025-25256 – critical OS command injection in FortiSIEM (CVSS 9.8) Exploit Status Actively exploited; lacks clear IoCs Affected Versions FortiSIEM 6.1–7.3.1 (except 7.4) Recommended Action Patch to latest fixed version; restrict access to phMonitor port (7900) Related Attack Trends Large-scale brute-force attacks on SSL VPN and shifts toward FortiManager Strategic Insight Brute-force spikes are often a precursor to new vulnerability disclosures Organizations running FortiSIEM must prioritize immediate patching. If updates cannot be applied right away, tightening access to critical internal ports like 7900 (phMonitor) can serve as a temporary buffer. Meanwhile, the recent wave of brute-force attacks against Fortinet devices—especially the shift toward FortiManager—signals a broader, coordinated effort that intensifies the urgency. Also read: Fortinet FortiSIEM Vulnerabilities Expose Systems to Remote Code Execution

Microsoft has disclosed a serious vulnerability in its collaboration platform, Microsoft Teams, that could open the door to Remote Code Execution (RCE) attacks. The flaw, tracked as CVE-2025-53783, carries a CVSS score of 7.5 and is categorized as “Important.”  The issue arises from a heap-based buffer overflow, a well-known software weakness classified under CWE-122. In this type of vulnerability, an application writes more data to a buffer located in the heap than it was allocated to hold. This can result in adjacent memory corruption, giving attackers a pathway to inject and execute arbitrary code.  In the context of Microsoft Teams, this means a successful exploit could allow malicious actors to read private communications, alter message content, or delete messages altogether.  Although the flaw does not require administrative privileges, it does depend on user interaction. For instance, the victim might need to click on a specially crafted link or open a malicious file within the Teams environment. This requirement slightly mitigates the threat, but does not eliminate it, particularly in corporate settings where social engineering remains an effective tactic.  Exploitability and Risk Assessment for CVE-2025-53783 Vulnerability  Microsoft has assessed CVE-2025-53783 as “Exploitation Less Likely” under its exploitability index. The complexity of crafting a working exploit and the specific conditions needed for it to succeed reduce the likelihood of immediate widespread attacks.   That said, the vulnerability still uses a network-based attack vector, meaning attackers can launch attacks remotely without needing physical access to devices.  No known in-the-wild exploits or public exploit code have surfaced as of the disclosure date.   Patch Available, Immediate Action Recommended  Microsoft has released a patch addressing CVE-2025-53783, and all organizations using Microsoft Teams are urged to apply it without delay. The patch is part of Microsoft’s August 2025 Patch Tuesday release, which covers a total of 110 vulnerabilities, including several with higher severity ratings. Administrators should also reinforce best practices such as user education on phishing, regular software updates, and network activity monitoring. Given the widespread use of Teams in enterprise environments, the consequences of a successful attack could include exposure of sensitive business data and disruption of internal communications. Additionally, IT teams should evaluate their incident response plans and ensure that they have better data backup and recovery procedures in place, especially if data integrity is compromised in the wake of an exploit. Other Vulnerabilities in the August 2025 Update  While CVE-2025-53783 is notable for its potential to enable Remote Code Execution in a widely used platform, it is not the only issue addressed this month. Microsoft’s August update includes fixes for several high-risk vulnerabilities, including:  CVE-2025-53767: A 10.0-severity Azure OpenAI Elevation of Privilege vulnerability, now mitigated.  CVE-2025-53792: A 9.1-severity Azure Portal Elevation of Privilege issue.  CVE-2025-50171, CVE-2025-50165, and CVE-2025-53766: All rated 9.0 or higher; these flaws span components such as Remote Desktop and Windows Graphics.  The update also addressed 13 vulnerabilities rated 8.8, affecting components like SQL Server, SharePoint, and Windows Media. One NTLM flaw, rated 8.8, was specifically highlighted as high-risk.  Among the ten vulnerabilities considered most likely to be exploited:  CVE-2025-53786: An 8.0-severity vulnerability affecting Exchange Server Hybrid Deployments. Shadowserver reported that 28,000 Exchange instances remain unpatched.  Other notable flaws include CVE-2025-53778 (Windows NTLM), CVE-2025-50177 (MSMQ), and CVE-2025-53132 (Win32k). 

Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite.  The Adobe security update rollout includes advisories APSB25-71 through APSB25-84 (excluding APSB25-82), reflecting Adobe’s ongoing efforts to resolve a growing array of security threats, many of which could lead to arbitrary code execution, denial-of-service (DoS), memory leaks, and unauthorized privilege escalation.  Decoding the Latest Adobe Security Update  The most pressing fixes in this Adobe security update come under APSB25-71, which addresses multiple critical vulnerabilities in Adobe Commerce, Magento Open Source, and Commerce B2B. Six distinct CVEs were highlighted in this category, affecting versions 2.4.8‑p1 and earlier. These include:  CVE‑2025‑49554: Improper input validation (DoS)  CVE‑2025‑49555: CSRF vulnerability (privilege escalation)  CVE‑2025‑49556: Authentication bypass (arbitrary file system read)  CVE‑2025‑49557: Stored XSS (privilege escalation)  CVE‑2025‑49558 & CVE‑2025‑49559: TOCTOU and path traversal vulnerabilities (security feature bypass)  Adobe assigned these issues a priority rating of 2, urging users to update immediately to mitigate the risk of exploitation. The patched versions now extend to 2.4.8‑p2 and 2.4.7‑p7 for Commerce, and up to 1.5.2‑p2 for Commerce B2B.  Substance 3D Products Hit Hard  A notable chunk of the Adobe vulnerabilities was discovered in the Substance 3D product line, including Viewer, Modeler, Painter, Sampler, and Stager, across bulletins APSB25-72, 76, 77, 78, and 81. These include critical code execution bugs caused by heap-based buffer overflows and out-of-bounds writes.  Key CVEs in this category:  CVE‑2025‑49560 and CVE‑2025‑49569 (Substance 3D Viewer)  CVE‑2025‑49571 to CVE‑2025‑49573 and CVE‑2025‑54186 to 54235 (Substance 3D Modeler)  CVE‑2025‑54187 to CVE‑2025‑54195 (Substance 3D Painter)  CVE‑2025‑54205 (Substance 3D Sampler)  CVE‑2025‑54222 and CVE‑2025‑54237 (Substance 3D Stager)  These vulnerabilities are largely related to unsafe memory operations, posing risks of crashes, data corruption, and remote code execution. The priority rating across these products is marked as 3, indicating that important but less urgent action is required; however, updates are still strongly advised. Popular Creative Tools Also Affected  Adobe Illustrator (APSB25‑74)  Multiple high-impact bugs were found in Illustrator 2024 and 2025, including:  CVE‑2025‑49563: Out-of-bounds write  CVE‑2025‑49564: Stack-based buffer overflow  CVE‑2025‑49567: NULL pointer dereference (DoS)  CVE‑2025‑49568: Use-after-free (code execution)  Users are urged to upgrade to Illustrator 2025 version 29.7 or later and Illustrator 2024 version 28.7.9 or later.  Adobe Photoshop (APSB25‑75)  A critical out-of-bounds write bug (CVE‑2025‑49570) in Photoshop 2025 and 2024 could allow arbitrary code execution. Updated versions are available as 26.9 and 25.12.4, respectively.  Adobe Animate (APSB25‑73)  Two vulnerabilities, including a use-after-free flaw (CVE‑2025‑49561) and a memory leak (CVE‑2025‑49562), were patched in Animate versions 23.0.13 and 24.0.10.  Adobe InDesign, InCopy, and FrameMaker Also Patched  Adobe InDesign (APSB25‑79) and InCopy (APSB25‑80) received several critical patches covering heap overflows, use-after-free errors, and out-of-bounds writes.  InCopy Fixes:  CVE-2025-54215 to CVE-2025-54223: All critical vulnerabilities allow arbitrary code execution  Affected versions: InCopy 20.4 and 19.5.4, and earlier  Updated versions: 20.5 and 19.5.5  InDesign Fixes:  CVE-2025-54206 to CVE-2025-54228: Critical memory-related issues  Updates are available through Creative Cloud or manual update channels  FrameMaker (APSB25‑83) was also updated to fix critical use-after-free bugs (CVE‑2025‑54229 to 54232) and a memory leak (CVE‑2025‑54233). The updates apply to the 2020 and 2022 releases.  Adobe Dimension Receives Low-Key But Necessary Fix  APSB25‑84 addresses a single, important memory leak vulnerability in Adobe Dimension (CVE‑2025‑54238). Though no exploits are known to exist in the wild, the vulnerability still warrants action. Users should move to version 4.1.4 across both Windows and macOS.  No Known Exploits But Risks Remain  The organization emphasized that it is not aware of any active exploits for the vulnerabilities disclosed in this Adobe security update. Nonetheless, the company strongly recommends updating to patched versions immediately.   Exploitable vulnerabilities such as buffer overflows, improper input validation, and use-after-free issues remain a serious concern even if not yet weaponized in the wild.  Research Contributions  Multiple independent researchers and security professionals contributed to the discovery and responsible disclosure of these Adobe vulnerabilities. Contributors included:  Francis Provencher (prl)  Jony (jony_juice)  yjdfy  voidexploit  kaiksi, blaklis, akashhamal0x01, wohlie, and others  Their efforts were acknowledged in Adobe’s official bulletins.  Conclusion  With over 60 vulnerabilities addressed, the August Adobe security update is among the more extensive security update cycles in recent months. While none of the flaws have been publicly exploited as of this writing, the nature of many, especially those that enable code execution, means organizations and individuals should not delay applying the necessary patches.  Administrators managing enterprise deployments are advised to use the Adobe Admin Console or Creative Cloud Packager to implement updates across systems. For individual users, the Creative Cloud Desktop App provides access to the latest secure versions. 

The Dutch National Cyber Security Centre (NCSC) has confirmed that a serious vulnerability in Citrix NetScaler systems, identified as CVE-2025-6543, has been exploited in targeted attacks against multiple critical organizations in the Netherlands. The exploitation began months before the vulnerability was publicly disclosed, and investigations indicate that attackers used advanced methods to evade detection.  Background and Timeline  According to the NCSC, exploitation of CVE-2025-6543 began as early as May 2025, rendering it a zero-day vulnerability at the time. On June 25, Citrix officially disclosed the vulnerability and released a patch; however, signs of compromise were already present in several systems prior to this date.  On July 16, the NCSC identified active exploitation of the vulnerability and launched a wider investigation. Findings have since confirmed that multiple Dutch organizations were affected.  Scope and Technical Details of CVE-2025-6543  The attacks targeted Citrix NetScaler ADC and NetScaler Gateway products. These are widely used to manage secure access to applications and internal networks, including remote work environments. The vulnerability allowed attackers to place malicious web shells on exposed systems, giving them remote control and persistent access even after the vulnerability was patched.  Three vulnerabilities are under investigation:  CVE-2025-6543 (confirmed exploited)  CVE-2025-5349  CVE-2025-5777  The latter two have not been confirmed as exploited in all environments but remain under scrutiny. Patching affected systems does not guarantee removal of the attacker, as access may have already been established.  Attack Methods  The actors behind the attacks used techniques to erase forensic traces from compromised systems. This has made post-incident investigations difficult. In many cases, there is uncertainty about whether the threat actor is still active or what data may have been accessed or exfiltrated.  Indicators of Compromise (IOCs) have been found, but the NCSC notes that each case requires deeper investigation to determine the extent of compromise. Organizations are expected to conduct their forensic analysis if suspicious activity is detected.  Risk and Response  The NCSC states that updating Citrix devices is not enough to remove the threat if a system has already been compromised. The attacker can retain access even after a patch is applied. As such, organizations should not assume that patching closes the incident.  Recommended actions include:  Conducting full forensic investigations if a compromise is suspected.  Implementing defense-in-depth security strategies.  Monitoring for new IOCs related to the Citrix vulnerability.  Reaching out to cert@ncsc.nl for technical assistance if compromise is confirmed.  Organizations that have not already done so should apply the security updates provided by Citrix and inspect their systems for signs of exploitation, including unauthorized access or web shells.  Conclusion   The exploitation of CVE-2025-6543 in Citrix NetScaler devices remains an active threat, with investigations continuing in collaboration with affected organizations, security firms, and response teams.   The full scope and impact are still unknown, as is the identity of those responsible, and it is likely that additional systems may have been compromised without detection.   Given the stealth and persistence demonstrated in these attacks, organizations should not assume that patching alone is sufficient and must take further steps to verify the security and integrity of their systems. 

A new zero-day vulnerability in WinRAR (CVE-2025-8088) is being exploited in the wild by the Russia-aligned hacking group RomCom, according to newly published research from ESET. The flaw, silently targeting global enterprises, shows the group’s increasing sophistication and its growing use of supply-chain-style exploits in spear-phishing campaigns. What’s the Vulnerability? First reported by ESET researchers on July 18, the vulnerability is a path traversal exploit leveraging Windows alternate data streams (ADSes) to conceal malicious files inside a seemingly benign RAR archive. When users extract what appears to be a harmless job application or document, the malicious payload is silently deployed—without raising suspicion unless closely inspected. Within days, WinRAR patched the vulnerability—first issuing a beta fix and rolling out a full update by July 30. RomCom’s Exploitation Playbook The affected years-long APT group RomCom (also tracked as Storm-0978, UNC2596, or Tropical Scorpius) has now exploited a third major zero-day in recent years, adding to its previous abuses of CVE-2023-36884 (via Microsoft Word) and the Firefox–Windows zero-click chain (CVE-2024-9680 and CVE-2024-49039). This campaign targeted financial, manufacturing, defense, and logistics firms across Europe and Canada—industries consistent with RomCom’s known intelligence and geopolitical objectives. Security teams should note that the malicious archive contained ADS entries with nested paths to drop a DLL into %TEMP% and a .LNK file into the Windows Startup folder—achieving persistence via a COM hijack. Why it Matters WinRAR is ubiquitous. Its prevalence makes this exploit especially dangerous—malicious archives can spread far and wide and be executed by unsuspecting users. Attack efficiency: Targeted spear-phishing with plausible resumes increases click-through rates—especially when the lure aligns with hiring or recruitment. Stealth delivery: ADS utilization skirts casual detection; deceptions in UI (WinRAR hides deep file paths unless scrolled) amplify the risk. Resourceful OPSEC: Rapid patching by WinRAR and quick discovery by ESET signal high technical capability on both sides. Together, these factors make RomCom’s campaign notably potent. Immediate Takeaways and Mitigations Update WinRAR Immediately: All users of WinRAR, its UnRAR.dll, command-line tools, and source code should upgrade to versions ≥ 7.13. Monitor Archive Extraction Behavior: Deploy behavioral controls or sandboxing around archive extraction processes. Scrutinize Job-Related Attachments: HR and hiring processes are increasingly weaponized. Implement attachment scanning and out-of-band validation for unsolicited applicant documents. Share Intelligence: RomCom’s prominence and zero-day use should be a shared red flag in the CISO and threat-intel communities. RomCom’s Escalating Zero-Day Strategy This campaign confirms that RomCom has made zero-days a core part of its operational archetype—bridging cybercrime and espionage tactics with precision. Their ability to weaponize WinRAR’s ADS feature for stealthy deployment elevates the threat level considerably. For defenders, the key isn’t merely patching—but also detecting phishing-at-scale, scanning compressed content dynamically, and educating users about hidden payload risks. RomCom’s latest move demonstrates that even everyday utilities can become stealthy vectors for nation-linked espionage. The race to catch invisible exploits—and the groups behind them—is escalating fast.

Xerox Corporation has issued urgent security updates addressing two high-impact vulnerabilities in its FreeFlow Core software. The flaws, now tracked as CVE-2025-8355 and CVE-2025-8356, have the potential to expose enterprise environments to server-side request forgery (SSRF) and remote code execution (RCE) attacks if left unpatched.  Disclosed in Security Bulletin XRX25-013, published on August 8, 2025, the vulnerabilities specifically impact FreeFlow Core version 8.0.4. Xerox has categorized both vulnerabilities as “IMPORTANT” in severity and urges users to upgrade to version 8.0.5, which contains the necessary security fixes.  Details of the Xerox Vulnerabilities: CVE-2025-8355 and CVE-2025-8356  The first issue, CVE-2025-8355, arises from an XML External Entity (XXE) processing flaw. In affected systems, improperly sanitized XML input can allow attackers to manipulate entity declarations, enabling SSRF attacks. This allows an adversary to craft XML payloads that force the server to initiate unintended requests to internal services or external targets. Such requests can be used to probe internal infrastructure, exfiltrate data, or bypass access controls.  The second vulnerability, CVE-2025-8356, is a path traversal flaw that may lead to remote code execution. By exploiting poorly validated file path inputs, an attacker could access directories outside the intended scope of the application. If leveraged correctly, this vulnerability could allow malicious actors to execute arbitrary code on the host system, resulting in a complete system compromise.  Both flaws are rated under the Common Vulnerability Scoring System (CVSS) 3.1 with a base score of 7.5, classified as “HIGH” by Xerox. The associated vector string is: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. However, it’s worth noting that the National Vulnerability Database (NVD) has not yet published its own CVSS assessment at the time of the bulletin’s release. Discovery and Responsible Disclosure  These vulnerabilities in Xerox systems were discovered by Jimi Sebree, a security researcher with Horizon3.ai. Sebree collaborated directly with Xerox’s internal security team to ensure a coordinated disclosure and timely patch release.  Xerox acknowledged the researcher’s role in the bulletin, stating:  “Thank you to Jimi Sebree with Horizon3.ai for working with the Xerox Team to identify and mitigate these vulnerabilities.”  This responsible disclosure process enabled Xerox to develop and test patches before the flaws became widely known, reducing the potential for exploitation in the wild.  Risks to Organizations  The presence of both CVE-2025-8355 and CVE-2025-8356 in FreeFlow Core 8.0.4 elevates the cyber threats for organizations relying on the platform for document workflow automation. Exploiting these vulnerabilities could lead to:  Unauthorized access to internal services via SSRF  Exposure or theft of sensitive information  Execution of malicious code on Xerox servers  Full system compromise  Broader network reconnaissance and lateral movement  Given the critical role that FreeFlow Core plays in document processing infrastructures, these issues could severely disrupt business operations and compromise sensitive data if not addressed.  Conclusion  To address the critical Xerox vulnerabilities identified as CVE-2025-8355 and CVE-2025-8356, organizations are strongly advised to upgrade to FreeFlow Core version 8.0.5 immediately, as it contains essential patches to prevent SSRF and remote code execution attacks.   The update is available through Xerox’s official support channels. In addition to applying the patch, system administrators should audit current deployments, enforce proper network segmentation, implement strict input validation for XML processing, and monitor logs for unusual activity.  

A new class of USB-based attacks has come to light. These attacks are not just targeting removable devices, but existing, trusted peripherals already connected to systems: Linux webcams. Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system. This threat, now referred to as “BadCam”, builds upon the original concept of BadUSB attacks, first introduced by Karsten Nohl and Jakob Lell at Black Hat 2014. At the core of the issue lies a fundamental flaw in the USB specification, which lacks mandatory enforcement of firmware signature validation. This oversight allows USB devices, like flash drives, keyboards, and now webcams, to be reprogrammed to impersonate trusted Human Interface Devices (HIDs), silently executing commands once plugged into a host. What sets BadCam apart is its method of exploitation. Unlike traditional BadUSB attacks that rely on unsuspecting users inserting malicious USB sticks, BadCam enables attackers to remotely hijack Linux-powered webcams already attached to a system, making them stealthy and persistent attack vectors without any need for physical access. This BadCam threat was revealed by cybersecurity researchers Jesse Michael and Mickey Shkatov from Eclypsium. The BadCam Targets: Lenovo Webcams with Linux Firmware  The research focused on two specific models:  Lenovo 510 FHD Webcam (GXC1D66063, FRU: 5C21E09202)  Lenovo Performance FHD Webcam (4XC1D66055, FRU: 5C21D66059)  Both cameras are built on SigmaStar SSC9351D SoCs, dual-core ARM Cortex-A7 processors running embedded Linux with USB Gadget support. This hardware configuration enables these webcams to masquerade as other USB peripherals, such as keyboards or network adapters. Eclypsium discovered that the firmware on these devices lacks signature validation. As a result, attackers who gain remote access to a system can reflash the webcam’s firmware to install malicious code. Once compromised, the webcam can simulate keyboard input (i.e., emulate a Rubber Ducky or Bash Bunny) and launch stealthy attacks. Attack Vectors: Physical and Remote  Two primary attack scenarios were outlined:  Supply Chain or Physical Access: An attacker can deliver a compromised webcam (or physically access a machine) and plug in the weaponized device.  Remote Firmware Injection: More critically, an attacker with remote access to a computer can identify an attached Linux webcam and push a malicious firmware update to it, converting it into a BadUSB attack platform without user interaction.  In both cases, the weaponized webcam retains its camera functionality, making detection extremely difficult. Moreover, because the malware resides in the peripheral’s firmware and not the host OS, even reformatting the computer won’t remove the threat. The infected camera can re-infect the host repeatedly.  The Implications for USB Security  While this research highlights two Lenovo webcams, the implications extend far beyond them. Many USB peripherals running Linux, from cameras to IoT devices, may lack proper firmware validation. Any device that supports the Linux USB Gadget subsystem could theoretically be exploited in similar ways. As Eclypsium warns, this is not just about webcams, but a growing class of embedded USB devices that now represent viable targets for BadUSB attacks. The Linux USB Gadget framework allows devices to present themselves as any USB class (mass storage, HID, serial, etc.). This capability, combined with insufficient firmware protections, creates a potent cocktail for attackers aiming to create stealthy, persistent, and modular BadUSB devices.  Proof-of-Concept  The researchers demonstrated how a malicious firmware update could be delivered using simple commands over USB. A short sequence, such as probing the SPI flash, erasing memory, and writing a new binary, completely replaces the original firmware. They cited the specific build:  objectivec  CopyEdit  FW VERSION: CMK-HD510-OT1917-FW-4.6.2 Linux 4.9.84 armv7l GNU/Linux This update process essentially enables full control over the camera, turning it into a hidden attacker tool.  Real-World Risks and Persistent Threats  What sets this attack apart is the level of persistence it offers. Once compromised, the webcam becomes a persistent backdoor. Even a wiped and rebuilt host system remains vulnerable if the compromised webcam is plugged back in.  The stealthy nature of these attacks means that traditional endpoint detection tools are ineffective. Since the malicious logic operates at the firmware level, it’s invisible to antivirus software or OS-level monitoring tools.  Timeline and Vendor Response  The vulnerability was responsibly disclosed by Eclypsium to Lenovo starting in March 2025. A series of communications and fixes followed:  July 29, 2025: Lenovo confirms a firmware fix and schedules advisory publication.  August 8, 2025: Findings presented, and Lenovo publishes firmware update tools.  Lenovo has since released updated firmware tools addressing the signature validation issues in the affected webcam models. Users can visit Lenovo’s support site to download version 4.8.0 of the firmware.  Conclusion  The weaponization of Linux webcams represents a profound shift in USB attack surfaces. These devices, once thought of as passive input peripherals, are now proven capable of being transformed into active attack components through remote firmware compromise. Organizations must urgently adopt stricter device verification, enforce firmware signature validation, and rethink trust assumptions around USB peripherals, especially those powered by Linux. 

Google has released its latest Android Security Bulletin for August 2025, addressing multiple vulnerabilities across the Android ecosystem. Among the most notable vulnerabilities, CVE-2025-21479 and CVE-2025-27038 were reportedly exploited in the wild before this month’s security release. These are joined by CVE-2025-21480, another serious Qualcomm flaw disclosed in June 2025.  The two primary vulnerabilities, CVE-2025-21479 and CVE-2025-27038, have received CVSS scores of 8.6 and 7.5, respectively, indicating high to critical severity. A third, CVE-2025-21480, also scored 8.6 and is being closely monitored. All three were first publicly disclosed by Qualcomm in June, and while precise methods of exploitation have not been publicly revealed, there is credible intelligence suggesting they have been actively used in targeted attacks.  According to Qualcomm’s disclosure, CVE-2025-21479 involves an incorrect authorization issue in the Graphics component, which can allow unauthorized command execution within GPU microcode, leading to potential memory corruption. CVE-2025-27038 is categorized as a use-after-free vulnerability, also within the Graphics component, and could result in memory corruption when rendering graphics through Adreno GPU drivers, particularly in Chrome environments.  The Google Threat Analysis Group has indicated that these vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, are subject to “limited, targeted exploitation.” However, no further technical details about the attack vectors or threat actors involved have been disclosed.  Android Security Bulletin: Security Patch Level and Coverage  Devices patched to the 2025-08-05 level will be protected against all vulnerabilities listed in this month’s Android Security Bulletin, including the Qualcomm-related ones. Users can verify their device’s patch level through the Settings menu. Google emphasizes that Android partners were alerted to these vulnerabilities at least a month in advance, in line with their coordinated disclosure process. The bulletin also states that all relevant patches will be pushed to the Android Open-Source Project (AOSP) within 48 hours of the bulletin’s release. As of August 4, 2025, this process is already underway.  Critical System Vulnerability Also Addressed  Aside from the Qualcomm vulnerabilities, the bulletin highlights another critical flaw in the Android System component: CVE-2025-48530, a remote code execution (RCE) vulnerability. This issue could allow attackers to execute arbitrary code remotely without requiring user interaction or elevated privileges. Devices running Android 16 are particularly at risk, though mitigations are in place for earlier versions. Google has assessed this vulnerability as critical due to the potential damage an exploit could cause, particularly if existing security measures are bypassed. Additional Vulnerabilities in Framework and System Components  The August 2025 bulletin also lists multiple other vulnerabilities, grouped according to their affected components. In the Framework component, CVE-2025-22441 and CVE-2025-48533 were marked as high-severity elevation of privilege (EoP) vulnerabilities. These flaws affect devices running Android versions 13 through 16.  The System component was also home to vulnerabilities like CVE-2025-48530, which, as mentioned, could enable remote code execution. Each of these issues has been patched accordingly in the respective Android version lines.  Conclusion  To mitigate the risk associated with these vulnerabilities, including CVE-2025-21479 and CVE-2025-21480, Google continues to rely on a layered security approach. Central to this is Google Play Protect, which comes pre-enabled on devices with Google Mobile Services and scans for potentially harmful apps, particularly vital for users who install apps outside the Play Store.   Additionally, newer Android versions incorporate better defenses such as improved memory protections, sandboxing, and runtime checks to make exploitation more challenging. Notably, the August 2025 Android Security Bulletin confirms there are no new fixes delivered through Project Mainline this month, with all updates consolidated in the August 1 and August 5 security patch levels. Devices must be updated to one of these patch levels to be fully protected, with 2025-08-05 covering all known vulnerabilities to date. The bulletin also clarifies common vulnerability classifications, including Remote Code Execution (RCE), Elevation of Privilege (EoP), and Denial of Service (DoS), providing transparency for both users and developers.