Zero-day vulnerabilities continue to pose increasing risks, enabling attackers to weaponize undisclosed weaknesses ahead of defensive fixes. Following a disclosure of a critical zero-day in Gladinet’s Triofox (CVE-2025-12480), a new zero-day vulnerability is already being exploited in the wild, underscoring the narrow window defenders have to act. Apple has confirmed that a newly discovered WebKit zero-day vulnerability, known as CVE-2025-14174, alongside CVE-2025-43529, has been actively exploited in highly targeted attacks. CVE-2025-14174 and CVE-2025-43529 affect all Apple devices capable of rendering web content, including Safari and every browser on iOS and iPadOS, leaving any unpatched system exposed to compromise.

WebKit, the cross-platform browser engine behind Safari and numerous applications on macOS, iOS, Linux, and Windows, continues to be a high-value target for attackers, particularly because it is mandatory for all browsers on iOS and iPadOS. For instance, in the early spring of 2025, a zero-day flaw tracked as CVE-2025-24201 was discovered in WebKit weaponized via maliciously crafted web content to break out of the Web Content sandbox. 

With the latest fixes, Apple has now addressed nine zero-day vulnerabilities exploited in the wild in 2025. This reflects a clear trend that attackers are heavily investing in browser engines and rendering pipelines to bypass sandboxing and silently compromise critical targets. 

Register for SOC Prime’s AI-Native Detection Intelligence Platform for SOC teams backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.

Explore Detections

Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2025-14174 Analysis

On December 12, Apple issued out-of-band security patches across its ecosystem after confirming that two WebKit zero-day vulnerabilities are under active exploitation in the wild. The weaponized security issues are CVE-2025-43529, a use-after-free vulnerability in WebKit that could allow attackers to achieve arbitrary code execution, and CVE-2025-14174 (with a CVSS of 8.8), a WebKit zero-day that may result in memory corruption when handling maliciously crafted web pages. Both flaws can be exploited through specially crafted web content, requiring no app installation or user interaction beyond visiting a malicious page

Apple confirmed it is aware that the flaws may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions prior to iOS 26.

Notably, CVE-2025-14174 is the same vulnerability Google patched in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access issue in ANGLE, its open-source graphics library, specifically within the Metal renderer. Because ANGLE is shared across platforms, this points to cross-browser exploitation rather than an isolated bug.

Both vulnerabilities were identified through collaboration between Apple Security Engineering and Architecture and Google Threat Analysis Group. The fact that both flaws affect WebKit strongly suggests they were weaponized for highly targeted surveillance campaigns. Any device capable of rendering WebKit content, including iPhone 11 and later, supported iPads, Apple Watch Series 6+, Apple TV, and Vision Pro, was within scope. 

Apple released fixes across almost its entire ecosystem, including iOS and iPadOS (26.2 and 18.7.3), macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2 for macOS Sonoma and Sequoia.

As potential CVE-2025-43529 and CVE-2025-14174 mitigation measures, Organizations should enforce immediate OS and browser updates across all Apple devices, verify MDM compliance to prevent patch deferral, and treat any delay in applying updates as a real security exposure. Defenders should assume modern web-based exploits can bypass app-level controls, actively monitor for anomalous browser or network behavior following patch deployment, and, for high-risk users, recognize that patch latency directly expands the attack surface.

WebKit zero-days underscore a critical reality: today’s most dangerous attacks often begin in the browser. The combination of stealthy exploitation, zero user interaction, and the potential for complete device takeover makes these vulnerabilities especially dangerous and demands rapid, decisive action from defenders. Rely on SOC Prime Platform to reach ​​the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and always stay ahead of emerging threats. 

The post CVE-2025-14174 Vulnerability: A New Memory Corruption Zero-Day Vulnerability in Apple WebKit Exploited in Targeted Attacks appeared first on SOC Prime.

A newly disclosed maximum-severity vulnerability in React Server Components (RSC), known as React2Shell (CVE-2025-55182), has rapidly escalated into a serious threat. Multiple China-aligned state-backed groups have been observed exploiting the flaw in the wild to achieve RCE against vulnerable React deployments. In response to the exploitation of CVE-2025-55182, the React team also released additional fixes for newly identified RSC issues that could lead to denial-of-service (DoS) attacks or source code disclosure, tracked as CVE-2025-55183 and CVE-2025-55184, as well as CVE-2025-67779, which addresses an incomplete fix for CVE-2025-55184 with the same security impact.

The React2Shell exploitation has acquired a fast pace, with in-the-wild attacks going beyond stopping at opportunistic scans. For instance, shortly after the disclosure of CVE-2025-55182, researchers identified EtherRAT, an advanced implant deployed through React2Shell. Its capabilities mirror DPRK’s “Contagious Interview” operations, suggesting either a tactical pivot by North Korea-linked actors or the sharing of sophisticated tools among state-sponsored groups. Explore more about the attack details along with mitigation and response guidance, and get relevant detections, simulations, and full threat intel using SOC Prime’s Active Threats. 

With the React2Shell attacks unfolding, defenders stumbled upon a set of new RSC vulnerabilities mentioned above, which require ultra-responsiveness from security teams to minimize the risks of exploitation attempts. Sign up for SOC Prime’s vendor-agnostic platform for real-time defense to get access to ​​the world’s largest detection intelligence dataset, adopt a full pipeline from detection to simulation to accelerate security workflows, and take advantage of AI and top cybersecurity expertise to take your SOC to the next level. Press Explore Detections to drill down to the full collection of SOC content addressing current and existing vulnerabilities, filtered by the relevant “CVE” tag.

Explore Detections

Detection content from this collection can be instantly converted into multiple  SIEM, EDR, and Data Lake formats and is aligned with the latest MITRE ATT&CK® v18.1. Explore AI-native detection intelligence and comprehensive threat context to reduce analyst fatigue and boost operational effectiveness.

For security teams looking for ways to accelerate detection engineering workflows, SOC Prime curates Uncoder AI. Seamlessly convert IOCs into custom performance-optimized queries ready to run in your SIEM or EDR environment, craft detection logic directly from threat reports in an automated fashion, visualize Attack Flows, validate and fine-tune detection logic for accuracy and precision, and translate rules across diverse language formats in a matter of seconds. 

CVE-2025-55183 and CVE-2025-55184 Analysis

Following the weaponization of React2Shell, researchers uncovered additional vulnerabilities while analyzing the effectiveness of the initial patches. These newly identified issues do not enable RCE, and the existing fixes successfully block that attack vector, according to the React team. However, they introduce new risks: two denial-of-service flaws (CVE-2025-55184 and CVE-2025-67779, with the CVSS score of 7.5) and a source code disclosure issue tracked as CVE-2025-55183, with a CVSS score of 5.3.

CVE-2025-55184 stems from unsafe deserialization in Server Function request handling, which can trigger an infinite loop and effectively hang the server, while CVE-2025-55183 allows specially crafted requests to leak Server Function source code under specific conditions. 

All issues affect the same RSC packages and versions as CVE-2025-55182, with fixes available in versions 19.0.3, 19.1.4, and 19.2.3. The React team notes that follow-on disclosures are a common outcome after major vulnerabilities, reflecting deeper scrutiny of adjacent code paths rather than failed remediation. As highly recommended CVE-2025-55183 and CVE-2025-55184 mitigation measures, the vendor strongly advises users to update promptly, given ongoing exploitation activity.

The escalating exploitation of React2Shell, followed closely by newly uncovered RSC vulnerabilities, underscores the need for defenders to remain highly vigilant and continuously strengthen their security posture to reduce exposure to similar threats. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform, organizations can enhance real-time defense at scale while increasing their engineering team productivity, accelerating workflows by adopting the full lifecycle from detection to simulation, and operationalizing threat intel faster across tools, teams, and environments.

The post CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks appeared first on SOC Prime.

Hot on the heels of CVE-2025-66516, the maximum-severity Apache Tika XXE vulnerability, a couple of other security flaws have emerged in Windows products. In its December 2025 security update, Microsoft addressed 57 vulnerabilities, including two zero-days, CVE-2025-62221 and CVE-2025-54100.

Microsoft’s technologies underpin a vast share of the global digital infrastructure, making the security of its ecosystem especially critical. The 2025 BeyondTrust Microsoft Vulnerabilities Report notes that 2024 set a new record with 1,360 disclosed Microsoft vulnerabilities—an 11% jump from the previous year—with Elevation of Privilege (EoP) and RCE issues standing out as the most severe. That trend continued into 2025, with Tenable noting that Microsoft delivered patches for 1,129 CVEs in 2025—the second consecutive year the company exceeded the thousand-vulnerability threshold. In the December 2025 Patch Tuesday rollout, EoP flaws made up half of all addressed vulnerabilities, with RCE vulnerabilities following at roughly one-third (33.9%). The above-mentioned zero-days addressed in the December 2025 Patch Tuesday also fit into these threat categories. 

Register for SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.

Explore Detections

All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Explore AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and more threat context each rule is enriched with.

Security teams can also significantly reduce detection engineering overhead with Uncoder AI by instantly converting detection logic across multiple language formats for enhanced translation accuracy, crafting detections from raw threat reports, visualizing Attack Flows, accelerating enrichment and fine-tuning while streamlining validation workflows. 

CVE-2025-62221and CVE-2025-54100 Analysis

Microsoft is wrapping up the year by releasing patches for 57 security vulnerabilities in Windows products covered in its December 2025 security update release, including two zero-days with a CVSS score of 7.8, CVE-2025-62221 and CVE-2025-54100.

The actively exploited flaw, CVE-2025-62221, is a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authenticated local attacker to escalate privileges to SYSTEM. By exploiting this flaw, adversaries can gain full control of affected Windows systems without user interaction, though local access is required.

The vendor has confirmed 2025-62221 active exploitation in the wild; however, specific attack methods remain undisclosed. The vulnerability impacts systems with the Cloud Files minifilter, which is present even if apps like OneDrive, Google Drive, or iCloud aren’t installed. 

Due to the increasing exploitation risks, CISA has recently added CVE-2025-62221 to its KEV catalog, requiring Federal Civilian Executive Branch agencies to apply the update by December 30, 2025. 

Another zero-day, CVE-2025-54100, is an RCE flaw in Windows PowerShell that allows unauthenticated attackers to run arbitrary code if they can get a user to execute a crafted PowerShell command, for instance, via Invoke-WebRequest.

The risk becomes more pronounced when paired with common social-engineering tactics: adversaries could trick a user or administrator into running a PowerShell snippet that retrieves malicious content from a remote server, triggering a parsing bug and enabling code execution or implant delivery. Although the issue is publicly known, Microsoft reports no active exploitation and currently rates the likelihood of exploitation as low. The flaw requires no privileges but does rely on user interaction, making social engineering the most probable attack path.

As potential  2025-62221 and CVE-2025-54100 mitigation measures, organizations that rely on the corresponding Windows products are urged to apply the patches immediately. With SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and up-to-date repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.

The post CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched appeared first on SOC Prime.

Another maximum-severity vulnerability with the highest CVSS score of 10.0 has surfaced shortly after the recent React2Shell disclosure. Labeled CVE-2025-66516, the critical flaw affecting Apache Tika could expose systems to XML External Entity (XXE) attacks.

In 2025, Apache products were repeatedly targeted due to newly discovered vulnerabilities. Early in the year, CVE-2025-24813 demonstrated how quickly a critical Apache Tomcat flaw could be weaponized, with attackers exploiting unsafe deserialization for RCE on unpatched servers within just 30 hours of disclosure. Months later, two more vulnerabilities in Apache Tomcat, CVE-2025-55752 and CVE-2025-55754, surfaced, again leaving systems exposed to potential RCE attacks. At the end of 2025, another Apache critical flaw affecting a set of Tika components requires ultra-responsiveness from defenders to reduce the risks of exploitation. 

Sign up for SOC Prime Platform, the vendor-agnostic product suite for real-time defendense, to explore an extensive collection of high-quality detection content and AI-native intelligence, backed by top industry expertise, to help SOC teams navigate the ever-evolving cyber threat landscape. Click Explore Detections to drill down to the comprehensive rule stack for vulnerability exploit detection conveniently filtered by the custom “CVE” tag. 

Explore Detections

Detection content can be converted to dozens of SIEM, EDR, and Data Lake solutions in an automated fashion and is mapped with MITRE ATT&CK®. Each content item is enriched with AI-native threat intelligence, such as CTI references, attack timelines, audit configurations, triage recommendations, and more metadata for streamlined threat research.

Moreover, Uncoder AI assists security teams in their daily detection engineering operations. Use the solution to instantly convert IOCs into performance-optimized hunting queries, craft detection code from raw threat reports, visualize Attack Flows, perform cross-platform translation, seamlessly validate syntax and detection logic, etc. 

CVE-2025-66516 Analysis

A newly disclosed maximum-severity XXE vulnerability tracked as CVE-2025-66516 affects multiple Apache Tika components, including tika-core (1.13–3.2.1), tika-pdf-module (2.0.0–3.2.1), and tika-parsers (1.13–1.28.5), according to the corresponding vendor’s advisory. The flaw allows attackers to trigger XML External Entity injection by embedding a malicious XFA file inside a PDF. 

XXE injection is a type of security flaw in which adversaries manipulate how an application handles XML input. By doing so, threat actors may gain unauthorized access to files on the server and, in certain scenarios, even execute code remotely.

CVE-2025-66516 represents the same underlying weakness as CVE-2025-54988 but significantly broadens the scope of impacted packages. Although the earlier CVE identified the entry point in the tika-parser-pdf-module, the root cause and fix reside in tika-core, meaning users who updated only the PDF parser without upgrading tika-core to version 3.2.2 or later remain exposed. Additionally, the original advisory did not account for the 1.x release line, where PDFParser resides in the “org.apache.tika:tika-parsers” module.

Given the severity of this flaw and its expanded impact across the Tika ecosystem, users should update all affected modules as urgent CVE-2025-66516 mitigation measures. SOC Prime curates its AI-Native Detection Intelligence Platform to help global organizations outscale cyber threats of any sophistication, including emerging CVEs and high-profile attacks. Leveraging SOC Prime’s product suite, defenders can integrate the full pipeline from detection to simulation directly into their security operations, take advantage of the world’s largest detection intelligence dataset to stay ahead of the latest threats, and explore the benefits of the innovative Shif-Left Detection approach to maximize resource effectiveness.

The post CVE-2025-66516: Maximum-Severity Vulnerability in Apache Tika Could Lead to XML External Entity Injection Attack appeared first on SOC Prime.

A new maximum-severity flaw (with a CVSS score of 10.0) in React Server Components (RSC), dubbed React2shell, causes a stir in the cyber threat landscape, hot on the heels of the recent exploitation of two high-severity Android Framework vulnerabilities (CVE-2025-48633 and CVE-2025-48572). Defenders have observed that multiple Chinese nation-backed groups exploit the React2Shell vulnerability, which enables RCE, putting vulnerable deployments at significant risk. 

For years, China has conducted offensive cyber operations targeting U.S. and international organizations across various sectors, often leveraging nation-state-linked APT groups such as Mustang Panda or APT41 to collect intelligence and sensitive data. 

For a half-decade, China’s nation-backed cyber operations have increasingly emphasized stealth and operational security, creating a more complex and challenging threat landscape for organizations across industries, including the public sector, as well as for the global cybersecurity community. China-linked APT groups remain the fastest and most active state-sponsored actors, often weaponizing new exploits almost immediately after disclosure. The CrowdStrike 2025 Global Threat Report indicates that China-linked threat actors increased state-sponsored cyber operations by 150%.

Register for the SOC Prime Platform, the AI-Native Detection Intelligence Platform for SOC teams to help your organization preempt emerging threats of any sophistication, advanced APT attacks, and evolving vulnerability exploitation campaigns. Click Explore Detections to access a comprehensive collection of SOC content for vulnerability exploitation, smartly filtered by a custom “CVE” tag.

Explore Detections

All detections can be applied across diverse SIEM, EDR, and Data Lake systems and are mapped to the MITRE ATT&CK® framework. They are also enriched with AI-native detection intelligence and actionable metadata, including CTI references, attack timelines, audit configuration, triage recommendations for a streamlined threat research and CTI analysis, helping teams boost operational efficiency.

Security teams can also rely on Uncoder AI to accelerate detection engineering workflows end-to-end and take advantage of automated IOC conversion into custom hunting queries, automated detection logic generation directly from threat reports, Attack Flow visualization, ATT&CK tags prediction, and AI-assisted content across multiple language formats—all within a single solution. 

React2Shell Vulnerability Analysis

Defenders recently uncovered a novel maximum-severity vulnerability in React Server Components tracked as CVE-2025-55182, aka React2Shell, which affects React 19.x and Next.js 15.x/16.x with App Router. This pre-authentication RCE flaw was responsibly reported to Meta by Lachlan Davidson, with React and Vercel jointly issuing patches on December 3, 2025. Public PoC exploits surfaced roughly 30 hours after disclosure, followed shortly by the researcher’s own PoCs. 

React2Shell arises from unsafe deserialization of payloads sent via HTTP requests to Server Function endpoints. This logical deserialization flaw in processing RSC payloads allows an unauthenticated attacker to send a crafted HTTP request to any Server Function endpoint, which React then deserializes, enabling execution of arbitrary JavaScript code on the server.

Amazon threat intel teams report that China-linked state-sponsored collectives, both established and previously unknown clusters, including Earth Lamia and Jackpot Panda, are already attempting to weaponize the flaw, which enables unauthenticated RCE through unsafe handling of RSC payloads. 

Adversaries are leveraging both automated scanners and manually executed PoCs, with some tools using evasion tactics like randomized user agents. Their activity extends well beyond CVE‑2025‑55182, with Amazon’s monitoring showing the same Chinese clusters exploiting other recent vulnerabilities, such as CVE‑2025‑1338. This underscores a systematic model, in which adversaries track new disclosures, immediately fold public exploits into their tooling, and launch broad campaigns across multiple CVEs at once to maximize target reach.

Notably, many adversaries rely on publicly posted PoCs that do not function in real deployments. The GitHub community has flagged numerous examples that misinterpret the vulnerability, including demos that improperly register dangerous modules or remain exploitable even after patching. Yet attackers continue to use them, highlighting clear behavioral trends, like rapid adoption over validation, high‑volume scanning, low barriers to entry due to public exploit availability, and log noise that can obscure more targeted attacks.

AWS MadPot telemetry confirms that adversaries are persistently iterating on their exploitation attempts. The unattributed cluster (IP 183[.]6.80.214) spent nearly an hour on December 4 repeatedly testing payloads, issuing 100+ requests over 52 minutes, running Linux commands, attempting file writes to /tmp/pwned.txt, and trying to read /etc/passwd. This demonstrates that attackers are not simply firing off automated scans but are actively debugging and refining techniques against live systems.

Notably, the threat also impacts Next.js applications using App Router. Originally assigned CVE‑2025‑66478 with a CVSS score of 10.0, it has since been marked by the NIST NVD as a duplicate of the React2Shell vulnerability.

Wiz reported that 39% of cloud environments have systems susceptible to CVE‑2025‑55182 and CVE‑2025‑66478. Although AWS services are not impacted, given the critical nature of both vulnerabilities, users are strongly urged to apply patches immediately to ensure maximum protection.

Organizations running React or Next.js on EC2, in containers, or in other self-managed environments should apply updates without delay. To minimize risks from React2Shell exploitation, immediately update affected React and Next.js applications following the AWS Security Bulletin for patched versions. As an interim measure, defenders are recommended to deploy the custom AWS WAF rule provided in the bulletin to block exploit attempts. 

Meanwhile, Cloudflare announced that it has implemented a new protection in its cloud-based WAF as a potential React2Shell mitigation step. According to the company, all customers, both free and paid, are safeguarded, provided their React application traffic is routed through Cloudflare’s proxy.

As the number of vulnerabilities actively exploited continues to rise, forward-looking organizations are prioritizing proactive cyber defenses to ensure strong and resilient security postures. SOC Prime’s AI-Native Detection Intelligence Platform helps organizations elevate their cyber defenses at scale by empowering AI technologies and top cybersecurity expertise while maximizing resource effectiveness.

The post React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups  appeared first on SOC Prime.

Following the early-November disclosure of CVE-2025-48593, a critical zero-click flaw in the Android System component, a couple of other vulnerabilities in the Android framework have come to the spotlight due to their active exploitation, posing emerging risks to global organizations potentially affected by the threat. 

The two newly uncovered flaws within the Android Framework include high-severity vulnerabilities tracked as CVE-2025-48633 and CVE-2025-48572. Google has instantly responded to the threat by addressing these vulnerabilities in its monthly security updates. However, the vendor has not yet provided further insight into how these vulnerabilities are being leveraged in the wild, whether adversaries are chaining them or exploiting them independently, or the overall scope of the malicious activity.

As of November 30, the number of reported CVEs has surpassed 42,000, marking a 16.9% increase compared to 2024. The pace remains high, with an average of 128 newly disclosed vulnerabilities each day. These patterns underscore the continued urgency for proactive defense and the growing need for real-time delivery of threat detection content, enabling defenders to spot and mitigate new risks before they gain traction.

Register today for the SOC Prime Platform, the industry’s leading vendor-agnostic suite designed for real-time defense. It offers the full pipeline from detection to simulation and features the world’s largest detection intelligence dataset, with emerging threats updated daily to help organizations stay ahead of the curve. Use the Explore Detections button to view context-enriched SOC content for vulnerability exploitation, conveniently filtered by a dedicated “CVE” tag.

Explore Detections

Detection logic is compatible with dozens of leading SIEM, EDR, and Data Lake technologies and is aligned with the MITRE ATT&CK® framework for consistent threat mapping. Each detection algorithm is enhanced with AI-native detection intelligence and comprehensive metadata, including CTI references, attack timelines, audit configuration, triage recommendations, and more actionable threat context.

Security teams can further leverage Uncoder AI to streamline detection engineering by converting IOCs into custom hunting queries, generating detection logic directly from threat reports, visualizing Attack Flow diagrams, predicting ATT&CK tags, translating content across multiple formats, and automating a wide range of daily workflows end-to-end. 

CVE-2025-48633 and CVE-2025-48572 Analysis

Google has recently issued its December 2025 Android Security Bulletin, resolving 100+ vulnerabilities across multiple components, including the Framework, System, Kernel, and third-party hardware drivers. The vendor confirmed that two of these flaws, CVE-2025-48633,  an information disclosure issue, and CVE-2025-48572, a privilege escalation flaw, have been exploited in real-world attacks and may be subject to limited, targeted abuse. The December bulletin includes two patch levels to help device manufacturers deploy shared fixes more rapidly. 

On December 2, 2025, CISA added CVE-2025-48633 and CVE-2025-48572 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies patch them by December 23, 2025, due to the significant risk they pose.

Security enhancements in modern Android versions significantly reduce the likelihood of successful exploitation. As feasible CVE-2025-48633 and CVE-2025-48572 mitigation steps, users should update their devices to the latest Android release and promptly apply security patches. In addition, Google Play Protect, enabled by default, helps detect and block harmful apps, particularly critical for those customers who install software from outside Google Play.

With the constantly increasing volumes of vulnerabilities exploited in the wild, proactive cyber defense measures are becoming a top priority for progressive organizations concerned about maintaining robust cyber resilience. By leveraging SOC Prime’s AI-native detection intelligence platform built for real-time defense, security teams can take their enterprise security protection to the next level and strengthen the organization’s cybersecurity posture.

The post CVE-2025-48633 and CVE-2025-48572: Android Framework Information Disclosure and Privilege Escalation Vulnerabilities Exploited in the Wild appeared first on SOC Prime.

Following the early November reveal of CVE-2025-48593, a critical RCE issue in the Android System component, another maximum-severity vulnerability is causing a stir in the cyber threat landscape. The newly identified Grafana flaw, tracked as CVE-2025-41115, could enable privilege escalation or user impersonation in specific configurations. 

Grafana, as a popular open-source analytics platform, has been abused for offensive purposes throughout the last half-decade, posing a threat to its global users. For instance, in mid-June 2025, researchers uncovered an XSS vulnerability in Grafana, CVE-2025-4123, enabling adversaries to execute malicious plugins and compromise user accounts without requiring elevated permissions. 

Such vulnerabilities underscore the growing volume of security issues impacting open-source ecosystems. The 2025 Open Source Security and Risk Analysis (OSSRA) report revealed that 86% of reviewed applications contained vulnerable open-source components, and 81% included flaws rated high or critical. These trends reinforce the ongoing need for proactive vigilance and real-time threat detection content, ensuring defenders can identify and mitigate emerging risks before they escalate.

Register now for the SOC Prime Platform, the industry-leading vendor-agnostic product suite built for real-time defenders, to discover a broad collection of curated detection content and AI-native threat intelligence, helping security teams stay ahead of attackers. Click Explore Detections to get access to context-enriched SOC content for vulnerability exploit detection filtered by the corresponding custom “CVE” tag.

Explore Detections

Detection algorithms can be applied across dozens of widely adopted SIEM, EDR, and Data Lake solutions and are aligned with the MITRE ATT&CK® framework. Additionally, each rule is enriched with AI-native threat intel, including CTI links, attack timelines, audit configurations, triage recommendations, and other in-depth metadata.

Security teams can also take advantage of Uncoder AI to instantly convert IOCs into custom hunting queries, generate detection code from raw threat reports, visualize Attack Flow diagrams, enable ATT&CK tags prediction, translate detection content across multiple formats, and perform other daily detection engineering tasks end-to-end. 

CVE-2025-41115 Analysis

Grafana has recently rolled out updated builds of Grafana Enterprise 12.3, along with refreshed versions 12.2.1, 12.1.3, and 12.0.6, each addressing a newly discovered maximum-severity vulnerability (CVE-2025-41115). The issue was discovered during an internal audit on November 4, 2025. The flaw has the highest possible CVSS score of 10.0 and affects the SCIM (System for Cross-domain Identity Management) feature, introduced in mid-spring 2025 and currently in public preview.

The issue appears in Grafana 12.x when SCIM provisioning is both enabled and configured. A malicious or compromised SCIM client can provision a user with a numeric externalId, potentially overriding internal user IDs and enabling impersonation, even of an admin account, or escalating privileges.

Exploitation requires both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] configuration block to be enabled.

The vulnerability impacts Grafana Enterprise versions 12.0.0 through 12.2.1. Due to the fact that Grafana directly maps the SCIM externalId to its internal user.uid, numeric values can be misinterpreted as existing user IDs. In specific cases, this could cause a newly created user to be treated as an internal account with elevated privileges.Grafana instantly released patches as urgent CVE-2025-41115 mitigation measures. Due to the vulnerability severity, organizations are strongly encouraged to update immediately to reduce the risk of attacks. Rely on SOC Prime Platform that curates the world’s largest detection intelligence dataset and constantly updated detection content against emerging threats to reinforce your organization’s cybersecurity posture and preempt cyber attacks that matter most.

The post CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component  appeared first on SOC Prime.

AI-based threats are expected to grow exponentially. The main weakness on the defender side is no longer coming up with good detection ideas, but turning those ideas into production rules quickly enough and at a sufficient scale.

AI-Native Malware Will Outpace Traditional SIEMs Without Automated Rule Deployment

Future malware families are likely to embed small LLMs or similar models directly into their code. This enables behavior that is very hard for traditional defenses to handle:

• Self-modifying code that keeps changing to avoid signatures.
• Context-aware evasion, where the malware “looks” at local logs, running processes, and security tools and adapts its tactics on the fly.
• Autonomous “AI ransomware agents” that call external platforms for instructions, fetch new payloads, negotiate ransom, and then redeploy in a different form.
  
  

Malware starts to behave less like a static binary and more like a flexible service that learns and iterates inside each victim environment.

Most SIEM setups are not designed for this world. Even leading platforms usually support a few hundred rules at maх. That is not enough to cover the volume and variety of AI-driven techniques across large, complex estates. In practice, serious coverage means thousands of active rules mapped to specific log sources, assets, and use cases.

Here, the hard limit is SOC capacity. Every rule has a cost: tuning, false positive handling, documentation, and long-term maintenance. And to keep the workload under control, teams disable or, more often, never onboard a significant part of the potential detection content.

Switching off a rule that is already in monitoring means explicitly taking responsibility for removing a layer of defense, so with limited capacity, it often feels safer to block new rules than to retire existing ones.

For years, the main concern has been alert fatigue – when there are too many alerts for too few analysts. In an AI-native threat landscape, another problem becomes more important: coverage gaps. The most dangerous attack is the one that never triggers an alert because the required rule was never written, never approved, or never deployed.

This shifts the role of SOC leadership. The focus moves from micromanaging individual rules to managing the overall detection portfolio:

• Which behaviors and assets are covered?
• Which blind spots are accepted, and why?
• How fast can the rule set change when a new technique, exploit, or campaign appears?
  
  

Traditional processes make this even harder. Manual QA, slow change control, and ticket-driven deployments can stretch the time from “we know how to detect this” to “this rule is live in production” into days or weeks. AI-driven campaigns can adapt within hours.

To close this gap, SOC operations will need to become AI-assisted themselves:

• AI-supported rule generation and conversion from threat reports, hunting queries, and research into ready-to-deploy rules across multiple query languages.
• Automated coverage mapping against frameworks like MITRE ATT&CK and against real telemetry (streams, topics, indices, log sources) to see what is actually monitored.
• Intelligent prioritization of which rules to enable, silence, or tune based on risk, business criticality, and observed impact.
• Tight integration with real-time event streaming platforms, so new rules can be tested, rolled out, and rolled back safely across very large volumes of data.
  
  

Without this level of automation and streaming-first design, SIEM becomes a bottleneck. AI-native threats will not wait for weekly change windows; detection intelligence and rule deployment must operate at streaming speed.

AI-Native Detection Intelligence Will Become the New Standard

By 2026, cybersecurity vendors will be judged on how deeply AI is embedded into their detection lifecycle, not on whether they simply “use AI” as a marketing label. Enterprise buyers, especially at Fortune 100 scale, will treat AI-native detection intelligence as a requirement.

Concretely, large customers will demand:

• Self-managed, private LLMs that do not leak proprietary telemetry or logic to public clouds.
• GPU-efficient models optimized specifically for detection intelligence workloads, not generic chat or content tasks.
• Clear guarantees that data stays within well-defined trust boundaries.
  
  

On the product side, AI will touch every part of the detection stack:

• AI-generated detection rules aligned with frameworks like MITRE ATT&CK (already in place at SOC Prime).
• At SOC Prime alone, the volume of AI-generated detection rules has been growing at roughly 2x month over month, increasing from about 60 rules in June 2025 to nearly 1,000 in October 2025. This growth is driven both by faster deployment of new rules and by emerging AI-powered malware that require AI to fight AI.
• AI-driven enrichment, tuning, and log-source adaptation so that rules stay relevant as telemetry changes.
• AI-assisted retrospective investigations that can automatically replay new logic over historical data.
• AI-based prioritization of threat content based on customer stack, geography, sector, and risk profile.

In other words, AI becomes part of the detection “factory”: how rules are produced, maintained, and retired across many environments. By 2026, AI-supported detection intelligence will no longer be a value-add feature; it will be the baseline expectation for serious security platforms.

Foundation Model Providers Will Own a New Security Layer – and Need LLM Firewalls

As large language models become part of the core infrastructure for software development, operations, and support, foundation model providers inevitably join the cybersecurity responsibility chain. When their models are used to generate phishing campaigns, malware, or exploit code at scale, pushing all responsibility to end-user organizations is no longer realistic.

Foundation model providers will be expected to detect and limit clearly malicious use cases and to control how their APIs are used, while still allowing legitimate security testing and research. This includes:

• Screening prompts for obvious signs of malicious intent, such as step-by-step instructions for gaining initial access, escalating privileges, moving laterally, or exfiltrating data.
• Watching for suspicious usage patterns across tenants such as automated loops, infrastructure-like behavior, or repeated generation of offensive security content.
• Applying graduated responses: rate limiting, extra verification, human review, or hard blocking when abuse is obvious.
  
  

Generic “don’t help with hacking” filters are not enough. A dedicated security layer for LLM traffic is needed – an LLM firewall.

An LLM firewall sits between applications and the model and focuses on cyber risk:

• It performs semantic inspection of prompts and outputs for indicators of attack planning and execution.
• It enforces policy: what is allowed, what must be masked or transformed, and what must be blocked entirely.
• It produces security telemetry that can be fed into SIEM, SOAR, and streaming analytics for investigation and correlation with other signals.
  
  

Products like AI DR Bastion are designed with this role in mind: a protective layer around LLM usage that specializes in detecting and stopping offensive cyber use.

This type of control can help:

• Enterprises that consume LLMs, by reducing the risk that internal users or applications can easily weaponize models.
• Model and platform providers, by giving them a concrete mechanism to show that they are actively controlling abuse of their APIs.
  
  

As LLMs are embedded into CI/CD pipelines, developer assistants, customer support flows, incident response tools, and even malware itself, the boundary between “AI security” and “application security” disappears. Model providers, platform teams, and security organizations will share responsibility for how these systems are used.

In this architecture, LLM firewalls become a standard layer, similar to how WAFs and API gateways are standard today – working alongside SIEM and real-time streaming analytics to ensure that the same AI capabilities that accelerate business outcomes do not become a force multiplier for attackers.

The “Shift-Left Detection” Era Will Begin

By 2026, many enterprise security programs will recognize that pushing all telemetry into a SIEM first, and only then running detection, is both financially unsustainable and operationally too slow.

The next-generation stack will move detection logic closer to where data is produced and transported:

• Directly in event brokers, ETL pipelines, and streaming platforms such as Confluent Kafka.
• As part of the data fabric, not only at the end of the pipeline.
  
  

The result is a “shift-left detection” model:

• More than half of large enterprises are expected to start evaluating or piloting architectures where real-time detection runs in the streaming layer.
• The SIEM evolves toward a compliance, investigation, and retention layer, while first-line detection logic executes on the data in motion.
• Vendor-neutral, high-performance detection rules that can run at streaming scale become a key differentiator.
  
  

In this model, threat detection content is no longer tied to a single SIEM engine. Rules and analytics need to be:

• Expressed in formats that can execute on streaming platforms and in multiple backends.
• Managed as a shared catalog that can be pushed “before the SIEM” and still traced, audited, and tuned over time.
  
  

SOC Prime’s product direction for 2026 is aligned with this shift: building a line-speed pipeline that runs before the SIEM and integrates directly with streaming platforms. This makes it possible to combine:

• AI-native detection intelligence at scale,
• Real-time execution on event streams, and
• Downstream correlation, retention, and compliance in SIEM and data platforms.
  
  

Taken together, AI-native malware, LLM abuse, AI-driven detection intelligence, and shift-left detection architectures define the next wave of cyber threats – and the shape of the defenses needed to meet them.

The post AI Malware and LLM Abuse: The Next Wave of Cyber Threats appeared first on SOC Prime.

Hot on the heels of the disclosure of the critical unauthenticated RCE vulnerability in Microsoft WSUS (CVE-2025-59287), Microsoft has addressed another severe flaw under active exploitation. During its November 2025 Patch Tuesday release, the software giant released fixes for more than 60 vulnerabilities, including a critical zero-day, tracked as CVE-2025-62215. This Windows Kernel privilege escalation flaw poses a significant risk as it enables attackers to gain elevated system privileges, potentially compromising the integrity of affected devices.

Microsoft technologies support millions of organizations worldwide, making them a cornerstone of today’s digital ecosystem. According to the 2025 BeyondTrust Microsoft Vulnerabilities Report, 2024 saw a record 1,360 security vulnerabilities across Microsoft products, an 11% increase from the previous year. Among these, Remote Code Execution (RCE) and Elevation of Privilege (EoP) vulnerabilities remain the most critical. Alarmingly, EoP flaws alone represented 40% of all reported issues, highlighting the serious risk posed by vulnerabilities that allow attackers to escalate privileges and gain control over systems.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-62215 Analysis

On November 11, 2025, Microsoft’s latest Patch Tuesday update addressed 63 vulnerabilities, including a zero-day that is already being exploited in the wild. CVE-2025-62215, with a CVSS score of 7.0, is a privilege escalation vulnerability in the Windows Kernel caused by a race condition that allows attackers to manipulate system memory and potentially take control of the affected device.

Security engineers say the exploit is straightforward in concept: an attacker who already has low‑privileged local access can run a specially crafted program that repeatedly tries to provoke the timing error. Specifically, the attack forces multiple threads to touch the same kernel resource without proper synchronization, confusing the kernel’s memory handling so it frees the same block twice. That “double free” corrupts the kernel heap and gives the attacker a path to overwrite memory and seize control of execution flow.

Although the full scope of real-world exploitation isn’t yet clear, experts believe CVE-2025-62215 is primarily being used after an initial compromise (via phishing, RCE, or sandbox escape) to elevate privileges, harvest credentials, and move laterally. Chained with other bugs, this flaw can turn a minor foothold into a full system takeover, so prompt patching and layered defenses remain critical. Users are urged to patch their instances instantly following the dedicated Microsoft advisory.

Ivanti experts point out that the CVE-2025-62215 affects all currently supported Windows OS editions, as well as Windows 10 Extended Security Updates (ESU). This underscores that running Windows 10 past its end-of-life without ESU coverage carries a real risk. 

Microsoft has also released an out-of-band update for consumer devices not enrolled in the ESU program. This update resolves an issue that could prevent the ESU enrollment wizard from completing successfully, ensuring users can maintain security coverage even on older Windows 10 systems.

The rising frequency and impact of vulnerability exploitation emphasize the need for proactive security measures and adherence to best cybersecurity practices to enhance an organization’s defenses. SOC Prime’s complete product suite, backed by AI, automated capabilities, and real-time CTI, serves as the future-proof solution to help organizations outscale cyber threats they anticipate most.

The post CVE-2025-62215: Microsoft Patches Windows Kernel Zero-Day Vulnerability Under Active Exploitation appeared first on SOC Prime.

Following the disclosure of CVE-2024-1086, a Linux kernel privilege escalation flaw actively exploited in ransomware campaigns, another critical vulnerability has emerged, allowing attackers to bypass authentication and conduct further malicious operations. 

In 2025, Gladinet came under the crosshairs of threat actors, flagged for critical vulnerabilities in its products actively exploited in the wild. A zero-day in Gladinet CentreStack and Triofox (CVE-2025-30406) allowed remote code execution via flawed cryptographic key management. Later, CVE-2025-11371 was observed on patched instances, letting attackers retrieve machine keys from Web.config and forge ViewState payloads that bypass integrity checks, triggering unsafe server-side deserialization and remote code execution via the earlier flaw. 

Most recently, Google’s Mandiant researchers spotted a third critical Triofox vulnerability (CVE-2025-12480), which lets attackers bypass authentication to create admin accounts and deploy remote access tools using the platform’s antivirus feature.

Detect CVE-2025-12480 Exploitation Attempts

Cybercriminals are increasingly exploiting vulnerabilities as a primary gateway into systems. ENISA’s Threat Landscape 2025 report shows that exploitation accounted for over one-fifth (21.3%) of initial access vectors, with 68% of these incidents followed by malware deployment. Combined with over 42,000 new vulnerabilities recorded by NIST this year, the trends illustrate a relentless pressure on cybersecurity teams. Every unpatched system is a potential entry point, making early detection essential to prevent large-scale compromise.

The recently identified CVE-2025-12480 vulnerability in Gladinet’s Triofox highlights this growing threat, underscoring the importance of proactive defenses to stay ahead of modern attacks. 

Register now for the SOC Prime Platform to access an extensive collection of curated detection content and AI-native threat intelligence, helping your team outscale offensive campaigns exploiting CVE-2025-12480. Press the Explore Detections button below to dive directly into a relevant detection stack.

Explore Detections

Also, you can use the “UNC6485” tag to search for more content addressing adversary TTPs related to the threat cluster activity behind these attacks. For a broader range of SOC content for vulnerability exploit detection, security engineers can also apply the “CVE” tag.

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, cyber defenders can generate the Attack Flow diagram based on Google Mandiant’s latest research in seconds.

CVE-2025-12480 Analysis

On November 10, 2025, Google’s Mandiant Threat Defense published an in-depth analysis of CVE-2025-12480 (CVSS score 9.1), a zero-day vulnerability in Gladinet’s Triofox file-sharing and remote access platform. The vulnerability was actively weaponized by the hacking group tracked as UNC6485 as far back as August 24, 2025, allowing attackers to bypass authentication and execute malicious code with system-level privileges.

Mandiant researchers reported that UNC6485 exploited the CVE-2025-12480 vulnerability in Triofox to reach protected configuration pages. Using these pages, attackers created a native admin account named Cluster Admin through the setup process. This new account was then leveraged to upload and execute malicious files via the platform’s antivirus feature.

The antivirus feature allows users to specify an arbitrary path for the selected antivirus. Since this configured process runs under the SYSTEM account, attackers could execute arbitrary scripts with full system privileges. In this case, adversaries used the batch script centre_report.bat, which downloaded a Zoho Unified Endpoint Management System (UEMS) installer from 84.200.80[.]252 and deployed remote access tools like Zoho Assist and AnyDesk.

The attack began with a clever manipulation of HTTP host headers. By changing the host header to “localhost“, attackers abused the CanRunCriticalPage() function, which improperly trusted the HTTP host without verifying the request origin. This allowed remote access to pages that should have been restricted and spoofing the attackers’ source IP address. Once access was gained, attackers used the Cluster Admin account to execute malicious scripts via the antivirus configuration path. 

To evade detection, UNC6485 downloaded tools such as Plink and PuTTY to establish an encrypted SSH tunnel to a command-and-control (C2) server over port 433, ultimately enabling inbound RDP traffic for persistent remote access.

The vulnerability affected Triofox v16.4.10317.56372 and has been fixed in v16.7.10368.56560. Users are strongly urged to upgrade to the patched version immediately. Mitigation steps for CVE-2025-12480 also include auditing all administrator accounts for unauthorized entries, reviewing and verifying antivirus configurations, and monitoring for unusual outbound SSH traffic to detect any ongoing compromises. Also, to stay ahead of attackers and proactively detect potential vulnerability exploitation attempts, security teams can rely on SOC Prime’s complete product suite backed by AI, automation capabilities, and real-time threat intel, while strengthening the organization’s defenses at scale.

The post CVE-2025-12480 Detection: Hackers Exploit the Now-Patched Unauthenticated Access Control Vulnerability in Gladinet’s Triofox  appeared first on SOC Prime.

As the effects of CVE-2024-1086 continue to unfold, a new vulnerability has emerged, posing a menace to cyber defenders. Google has flagged a critical zero-click flaw in the Android System component responsible for managing essential device functions. CVE-2025-48593  allows attackers to execute malicious code remotely without any user interaction, potentially giving them full control over affected devices. If exploited, it could lead to data theft, ransomware deployment, or even the use of compromised smartphones as nodes in larger botnet attacks, making it one of the most urgent security risks for mobile users today.

Mobile devices have become indispensable in both personal and professional life. According to Verizon’s 2024 report, 80% of companies consider mobile devices critical to their operations, which makes them especially attractive targets for enterprise-grade cyber attackers in 2025. Many apps still contain security weaknesses, and threats such as zero-click exploits and advanced malware are on the rise, highlighting the urgent need for proactive security measures.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press Explore Detections to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-48593 Analysis

On November 3, 2025, Google released its November Android Security Bulletin, highlighting several major vulnerabilities in the Android System component. Among them, CVE-2025-48593 stands out as critical. This flaw allows attackers to execute malicious code remotely without requiring any user interaction or additional privileges, making it extremely dangerous for mobile users. 

According to Google, the vulnerability stems from insufficient validation of user input and affects Android versions 13 through 16. The flaw’s critical rating underscores its ease of exploitation and the potential for adversaries to gain unauthorized access to sensitive data, personal communications, and device resources.

Alongside this critical RCE vulnerability, Google also disclosed CVE-2025-48581, a high-severity elevation-of-privilege flaw that impacts Android 16 exclusively, allowing attackers to escalate privileges on affected devices.

These disclosures are part of Google’s coordinated vulnerability disclosure process, which notifies Android partners and device manufacturers at least one month before the public bulletin release. This timeline ensures manufacturers have sufficient time to develop, test, and distribute patches before vulnerabilities become widely known. Devices with a security patch level of 2025-11-01 or later include fixes for all vulnerabilities addressed in this bulletin. Source code patches are set to appear in the Android Open Source Project (AOSP) within 48 hours of the bulletin’s publication to ensure swift patch rollout.

As potential CVE-2025-48593 mitigation measures, users should check their device’s current security patch level through settings and install any available updates immediately. The fusion of zero-click exploitability and system-level control underscores the urgency of applying patches to safeguard sensitive data and preserve device security. 

The increasing volumes of RCE vulnerabilities uncovered in popular software products require ultra-resilience from defenders. By leveraging SOC Prime’s AI-Native Detection Intelligence Platform, organizations can anticipate, detect, validate, and respond to cyber threats faster and more effectively, while maximizing team productivity.

The post CVE-2025-48593: Critical Zero-Click Vulnerability in Android Enables Remote Code Execution appeared first on SOC Prime.

AI-driven cyber-attacks are rapidly reshaping the threat landscape for businesses, introducing a new level of sophistication and risk. Cybercriminals are increasingly using artificial intelligence to power financially motivated attacks, with cyber threats like FunLocker ransomware and Koske malware as the most recent examples. 

In a recent discovery, Microsoft’s Detection and Response Team (DART) identified a highly advanced backdoor that leverages the OpenAI Assistants API in a completely novel way—as a command-and-control (C2) communication channel. This method allows attackers to discreetly manage and coordinate malicious operations within infected systems, avoiding traditional security defenses. The discovery highlights how AI is being used in cybercrime, underscoring the need for businesses to remain vigilant and adapt their security strategies.

Detect SesameOp Backdoor Attacks

Organizations are entering a new era of cyber risk as attackers increasingly harness artificial intelligence to target critical business systems. Generative AI is not only creating new vulnerabilities but also enabling more sophisticated and adaptive attack methods. The Splunk State of Security 2025 Report finds that security leaders anticipate threat actors will use generative AI to make attacks more effective (32%), increase their frequency (28%), invent entirely new attack techniques (23%), and conduct detailed reconnaissance (17%). These trends underscore the urgent need for organizations to rethink cybersecurity strategies and adopt more intelligent, proactive defenses against AI-powered threats.

Register for the SOC Prime Platform to benefit from the defensive capabilities of AI and detect SesameOp backdoor attacks at the earliest stages of development. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for real-time cyber defense. Click Explore Detections below to access detection rules specifically addressing SesameOp malware activity, or use the “SesameOp” tag in the Threat Detection Marketplace.

Explore Detections

All detections are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, security professionals can use Microsoft’s DART research details to generate an Attack Flow diagram in several clicks.

SesameOp Malware Attacks Analysis

Microsoft researchers have recently identified a novel backdoor dubbed SesameOp, distinguished by its innovative use of the OpenAI Assistants API for C2 operations. Unlike conventional methods, adversaries leveraged the OpenAI API as a covert communication channel to issue and manage commands within compromised environments. A component of the malware used the API as a relay mechanism to retrieve instructions and execute them on infected systems. The OpenAI Assistants API, used by the backdoor for C2 operations, lets developers embed AI-powered agents into applications and workflows. 

Discovered in July 2025 during Microsoft’s investigation of a long-term intrusion, SesameOp was found within a network where attackers had maintained persistence for several months. The analysis revealed a tricky structure of internal web shells linked to persistent malicious processes embedded in compromised Microsoft Visual Studio utilities via .NET AppDomainManager injection, a known defense evasion tactic.

Further hunting for similarly altered Visual Studio utilities uncovered additional components designed to support communication with the internal web shell network. One such component was identified as the new SesameOp malware. SesameOp is a custom backdoor built for long-term persistence, allowing attackers to stealthily control compromised systems, suggesting the operation’s main objective was prolonged espionage.

The infection chain includes a loader (Netapi64.dll) and a .NET backdoor (OpenAIAgent.Netapi64) that uses the OpenAI Assistants API as its C2 channel. The DLL, heavily obfuscated with Eazfuscator.NET, is built for stealth, persistence, and encrypted communication. At runtime, Netapi64.dll is injected into the host process via .NET AppDomainManager injection, triggered by a specially crafted a .config file bundled with the host executable.

OpenAIAgent.Netapi64 houses the backdoor’s core functionality. Despite its name, it does not use OpenAI SDKs or run models locally; rather, it polls the OpenAI Assistants API to retrieve compressed, encrypted commands, decrypts and executes them on the host, and then returns the results as API messages. Compression and encryption are used to keep both incoming payloads and outgoing responses under the radar.

Malicious messages use three description types: SLEEP (pause the thread), Payload (extract instructions from the message and run them in a separate thread), and Result (return execution output to OpenAI with the description set to “Result”). Although the identities of the adversaries linked to the offensive campaign remain unknown, the case highlights the continued abuse of legitimate services to hide malicious activity. To raise awareness, Microsoft shared its findings with OpenAI, which disabled the suspected API key and account. OpenAI plans to deprecate this API in August 2026, replacing it with the new Responses API.

As potential mitigation steps to preempt SesameOp backdoor attacks, the vendor recommends regularly auditing firewalls and web server logs, securing all Internet-facing systems, and using endpoint and network protections to block C2 communications. It’s essential to ensure that tamper protection and real-time protection are enabled in Microsoft Defender, run endpoint detection in block mode, and configure automated investigation and remediation to quickly address the potential threat. Additionally, teams should enable cloud-delivered protection and block potentially unwanted applications to reduce the risk posed by evolving attacks.The growing use of cyber-attacks employing innovative methods and AI technology demands heightened vigilance from defenders to stay ahead of adversaries.

The emergence of SesameOp, a backdoor that uniquely exploits the OpenAI API as a C2 channel to covertly coordinate malicious activity, reflects the trend of increasingly sophisticated tactics employed by threat actors. By relying on AI-Native Detection Intelligence Platform for SOC teams, which provides real-time, cross-platform detection intelligence to anticipate, detect, validate, and respond to cyber threats faster and more effectively, global organizations can build a resilient cybersecurity ecosystem and preempt attacks that matter most. 

The post SesameOp Backdoor Detection: Microsoft Discovers New Malware Abusing OpenAI Assistants API in Cyber-Attacks appeared first on SOC Prime.

Immediately after reports of CVE-2025-59287, a critical RCE flaw in WSUS systems, being exploited in the wild, another high-severity Linux kernel flaw has been observed being actively weaponized in ransomware attacks. CISA confirmed its exploitation and warned that abusing  CVE-2024-1086 in offensive campaigns allows attackers with local access to gain root privileges on affected systems.

For the third year running, exploited vulnerabilities remain the most common technical root cause of ransomware attacks, involved in 32% of incidents, according to The State of Ransomware 2025 report by Sophos. Ransomware groups are increasingly leveraging software flaws as a primary entry point into enterprise systems, while social engineering and stolen credentials continue to play a major role in attacks. With over 40,000 new vulnerabilities logged by NIST this year, organizations face a growing challenge, as proactively identifying and fixing these flaws is essential to reducing the attack surface and defending against increasingly sophisticated ransomware threats.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Additionally, cyber defenders might bullet proof their defenses with a curated detection stack addressing ransomware attacks. Just search for relevant detection content in Threat Detection Marketplace using “Ransomware” tag.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2024-1086 Analysis

CISA has recently released an urgent warning about a critical Linux kernel flaw, identified as CVE-2024-1086. This critical use-after-free bug (with a CVSS score of 7.8), hidden within the netfilter: nf_tables component, allows adversaries with local access to gain root privileges on affected systems and potentially deploy ransomware, which could severely disrupt enterprise systems worldwide or possibly cause arbitrary code execution.

The flaw was disclosed and patched in January 2024, though it originated from code introduced back in 2014. It was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, and in late October 2025, CISA issued a notification confirming that the vulnerability is known to be actively used in ransomware campaigns. Notably, the proof-of-concept (PoC) exploit for the flaw is available since March 2024, when a researcher using the alias “Notselwyn” published a CVE-2024-1086 PoC on GitHub, demonstrating local privilege escalation on Linux kernels from 5.14 through 6.6.

Exploiting this vulnerability, attackers can bypass security controls, gain administrative access, and move laterally across networks. Once root privileges are obtained, ransomware operators can disable endpoint protections, encrypt critical files, exfiltrate sensitive data, and establish persistent access.

The netfilter subsystem, responsible for packet filtering and network address translation, makes this vulnerability particularly valuable for attackers seeking to manipulate network traffic or weaken security mechanisms. Typically, CVE-2024-1086 is exploited after adversaries gain an initial foothold through phishing, stolen credentials, or internet-facing vulnerabilities, turning limited user access into full administrative control.

CISA’s classification of CVE-2024-1086 as a vulnerability “known to be used in ransomware campaigns” underscores its severity and the urgent need for organizations to verify patch deployment and implement mitigating controls across Linux environments.

As a potential CVE-2024-1086 mitigation measure, the vendor advises disabling namespace creation for unprivileged users. To turn it off temporarily, running sudo sysctl -w kernel.unprivileged_userns_clone=0 is recommended, while executing echo kernel.unprivileged_userns_clone=0 | \ sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf serves asa persistent change after reboot. 

Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, global organizations can future-proof cyber defense and strengthen their cybersecurity posture. 

The post CVE-2024-1086 Vulnerability: Critical Privilege Escalation Flaw in Linux Kernel Exploited in the Ransomware Attacks appeared first on SOC Prime.

Since a full-fledged war in Ukraine, russia-backed hacking collectives have intensified their malicious activity against Ukraine and its allies in the cyber front line to conduct espionage operations and cripple the critical systems. For instance, a nefarious Sandworm APT group (aka UAC-0082, UAC-0145, APT44) has been attacking Ukrainian organizations for over a decade, primarily targeting government agencies and the critical infrastructure sector.

The Symantec and Carbon Black researchers have recently uncovered a two-month-long campaign targeting a major business services company in Ukraine and a separate week-long attack against a local state body. Notably, attackers primarily relied on Living-off-the-Land (LotL) techniques and dual-use tools to achieve persistent access. 

Detect Latest Attacks Against Ukraine by russian Hackers

Cyber defenders are facing growing pressure as russian threat actors evolve their tactics and sharpen their stealth capabilities. Since the beginning of the war in Ukraine, these state-backed APT groups have intensified operations, exploiting the conflict to experiment with and refine cutting-edge cyberattack strategies. And this activity has a global impact as russia-linked actors now rank second worldwide among APT attack sources, according to ESET APT Activity Report for Q4 2024–Q1 2025.

Register for the SOC Prime Platform to detect potential russian APT attacks at the earliest stage possible. Click the Explore Detections button below to access a curated stack of detection rules designed to identify and respond to the most recent campaign leveraging LotL tactics, dual-use tools, and a custom Sandworm-linked webshell to target Ukrainian organizations.

Explore Detections

Alternatively, cyber defenders might search for relevant detection content right in the Threat Detection Marketplace by using “Sandworm” or “Seashell Blizzard” tags. 

All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Additionally, security experts might streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, security professionals can use Symantec and Carbon Black most recent report to generate an Attack Flow diagram in several clicks.

Ukraine Attacked by russian Hackers: The Latest Campaign Analysis

The russia-linked threat actors have been launching intensive attacks on Ukrainian organizations since the onset of russia’s full-scale invasion. The Symantec and Carbon Black Threat Hunting team has recently identified a persistent two-month-long campaign compromising a major business services company and a week-long intrusion into a local state entity. Both campaigns apparently intended to collect sensitive data and maintain persistent network access. Instead of deploying large-scale malware, the adversaries primarily used LotL techniques and dual-use tools to operate stealthily within the environments. 

Adversaries infiltrated the business services company by installing webshells on publicly accessible servers, likely by exploiting unpatched vulnerabilities. Among the tools used was Localolive, a custom webshell previously linked by Microsoft to a Sandworm subgroup (also known as Seashell Blizzard) and observed in an earlier long-running Sandworm intrusion campaign codenamed BadPilot to establish initial access. 

Sandworm APT associated with Russia’s GRU military intelligence is notorious for espionage and destructive operations. The group has been linked to malicious operations targeting Ukraine’s power grid, the VPNFilter attacks against routers, and the AcidRain wiper campaign against Viasat satellite modems, and is also known for targeting IoT devices. In February 2025, the group was behind another long-term campaign active since 2023, in which adversaries employed trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates to compromise Ukrainian systems.

Malicious activity at the targeted organization began in late June 2025, when attackers attempted to install a webshell from a remote IP address. After gaining access, they executed a series of reconnaissance commands (whoami, systeminfo, tasklist, net group) to map the environment. They then disabled Windows Defender scans for the Downloads folder, suggesting admin-level privileges, and created a scheduled task to perform periodic memory dumps, likely to extract credentials. 

Two days later, a second webshell was deployed, followed by additional network reconnaissance. Activity later spread to other systems. On the second computer, adversaries searched for Symantec software, listed files, and checked for KeePass processes, indicating an attempt to access stored passwords. Subsequent actions included more memory dumps (using rdrleakdiag), reconfiguration of Windows Defender, and the execution of suspicious binaries, such as service.exe and cloud.exe, whose names resembled webshells used elsewhere in the intrusion. Another notable aspect of the intrusion was the use of a legitimate MikroTik router management tool (winbox64.exe), which the attackers placed in the Downloads folder of the affected systems. Notably, CERT-UA also reported the use of winbox64.exe in April 2024, linking it to a Sandworm campaign aimed to disrupt the information and communication technology (ICT) systems of the energy, water, and heat supply sector across 20 organizations in Ukraine. 

While defenders found no direct evidence linking the recent intrusions to Sandworm, they assumed that the operations appeared to originate from russia. The investigation further revealed the use of multiple PowerShell backdoors and suspicious executables likely representing malware, though none of these samples have yet been recovered for analysis.

Adversaries displayed deep expertise with native Windows tools, proving how a skilled operator can escalate activity and exfiltrate sensitive information, including credentials, while remaining on the network with almost no visible traces. As potential mitigation measures to reduce the risks of russian-backed attacks, defenders recommend applying the Symantec Protection Bulletin.

With the increasing attempts of russia-backed hacking collectives to compromise Ukraine and its allies, organizations should be ready to thwart such stealthy threats before they escalate into attacks. By relying on SOC Prime’s complete product suite backed by AI, automation, and real-time threat intelligence, security teams can preempt cyber-attacks of any sophistication and fortify the organization’s defenses. Exclusively for MDE customers, SOC Prime also curates a Bear Fence pack to enable automated threat hunting for APT28 and 48 more russia’s state-sponsored actors, letting teams automatically hunt for Fancy Bear and its siblings through an exclusive Attack Detective scenario using 242 hand-picked behavior rules, over 1 million IOCs, and a dynamic AI-driven TTP feed.

The post Detect russian Attacks Targeting Ukraine: Hackers Apply the Custom Sandworm-Linked Webshell and Living-off-the-Land Tactics for Persistence appeared first on SOC Prime.

Following the recent Tomcat RCE vulnerability disclosures (CVE-2025-55752 and CVE-2025-55754), researchers have identified another critical RCE flaw in Microsoft Windows Server Update Services (WSUS) systems. The vulnerability tracked as CVE-2025-59287 permits remote adversaries to execute code on affected systems and is currently leveraged in in-the-wild attacks, with a PoC exploit publicly available. 

Detect CVE-2025-59287 Exploitation Attempts

With more than 1.4 billion devices powered by Windows and millions of organizations relying on Azure and Microsoft 365, Microsoft technologies form the backbone of today’s digital world. According to the 2025 BeyondTrust Microsoft Vulnerabilities Report, a record 1,360 security vulnerabilities were reported across Microsoft products in 2024, an 11% rise compared to the previous high. This surge highlights how rapidly the attack surface continues to expand and reinforces the need for organizations to stay proactive as cyber threats evolve.

The recently identified CVE-2025-59287 vulnerability in Microsoft WSUS is a clear example of this growing trend, reminding security teams that proactive defense is essential in staying ahead of modern threats.

Register now for the SOC Prime Platform to reach an extensive collection of curated detection content and AI-native threat intelligence, helping your team outscale offensive campaigns exploiting CVE-2025-59287. Press the Explore Detections button below to immediately drill down to a relevant detection stack.

Explore Detections

For a broader range of SOC content for vulnerability exploit detection, security engineers can also apply the “CVE” tag.

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms. For instance, cyber defenders can generate the Attack Flow diagram based on Bitdefender’s latest research in seconds.

CVE-2025-59287 Analysis

Defenders have recently uncovered a novel campaign targeting vulnerable Windows Server Update Services (WSUS). Microsoft has released an out-of-band security update to address the new flaw behind RCE attacks that is being actively exploited in the wild, with a public PoC exploit already available.

The flaw, tracked as CVE-2025-59287 with a CVSS score of 9.8, is a critical RCE vulnerability. Although initially patched during last week’s Patch Tuesday, the vendor issued an additional update following evidence of real-world exploitation.

The flaw results from improper deserialization of untrusted data within WSUS. If exploited successfully, this vulnerability enables unauthenticated, remote adversaries to run arbitrary code with the same privileges as the compromised WSUS process. Such access can be used to establish persistence, commonly by deploying a webshell, which in turn grants the attacker full interactive remote control over the affected system. 

The vulnerability lies in the WSUS component responsible for managing client authorization and reporting, specifically within the ClientWebService web service. When the server processes a specially crafted SOAP request, typically directed to an endpoint such as SyncUpdates, it attempts to decrypt and deserialize an attacker-supplied AuthorizationCookie object using the insecure .NET BinaryFormatter.

Attackers exploit CVE-2025-59287 by embedding a malicious object chain within the serialized payload. This chain leverages legitimate constructor calls that, during deserialization, trigger the execution of arbitrary code, such as spawning a command shell or downloading additional payloads. The only prerequisite for a successful attack is network access to the vulnerable WSUS instance, which is most often reachable over ports 8530 (HTTP) or 8531 (HTTPS), though configurations using 80 or 443 are also possible.

Threat actors have been observed exploiting the vulnerability to execute commands via w3wp.exe and wsusservice.exe processes, download multi-stage payloads, conduct reconnaissance, and establish persistent C2 channels. These intrusions appear to be part of pre-ransomware campaigns, where attackers automate initial access before transitioning to manual, human-operated attacks.

Notably, several incidents have been observed using the webhook[.]site as a makeshift C2 channel. Although the service is intended for developers to capture and inspect HTTP payloads, adversaries exploit its ease of use and disposable URLs to exfiltrate command output and confirm exploitation. The traffic generated this way often appears benign due to the domain’s widespread, trusted reputation, making it useful for stealthy post-exploitation signaling.

According to Bitdefender’s technical advisory, there can be four potential attack scenarios:

• In the first one, adversaries leverage the compromised process to download two files via PowerShell for a primary payload delivery, an executable dcrsproxy.exe and a companion file (rcpkg.db). The chain shows w3wp.exe spawning cmd.exe, which runs the PowerShell download-and-execute commands. 
• In the next scenario, adversaries run whoami through the worker process and pipe the output to curl, sending the result to a webhook[.]site URL to confirm the exploit and assess privileges for follow-on actions, such as privilege escalation or lateral movement. 
• The third use case involves in-memory exfiltration, where an encoded PowerShell command is executed from the service process to run an in-memory exfiltration routine that gathers network details and posts them to a disposable webhook, thereby evading command-line detections. 
• Finally, another attack scenario involves the use of DNS beaconing. Threat actors apply the IIS process to issue DNS lookups and to download and install a malicious MSI via msiexec, then gather system or network details to establish long-term C2 persistence.

As the WSUS Server Role is not enabled by default on Windows servers, the systems without it are not vulnerable; however, enabling the role on an unpatched server introduces risk. In cases when immediately installing the October 23, 2025 out-of-band update is not possible, Microsoft recommends temporary CVE mitigations such as disabling the WSUS Server Role—though clients will stop receiving updates—or blocking inbound traffic to ports 8530 and 8531 at the host firewall to render WSUS inoperative, while stressing that applying the patch as soon as possible remains the safest course of action. 

The rising frequency and impact of vulnerability exploitation emphasize the need for proactive security measures and adherence to best cybersecurity practices to enhance an organization’s defenses. SOC Prime’s complete product suite, backed by AI, automated capabilities, and real-time CTI, serves as the future-proof solution to help organizations outscale cyber threats they anticipate most.

The post CVE-2025-59287 Detection: A Critical Unauthenticated RCE Vulnerability in Microsoft WSUS Under Active Exploitation appeared first on SOC Prime.

In March 2025, CVE-2025-24813 served as a stark reminder of how quickly a critical Apache Tomcat vulnerability can turn into an active threat. Less than 30 hours after its disclosure, attackers were already exploiting unsafe deserialization to execute code remotely, taking control of unpatched servers. Now, just months later, a duo of new vulnerabilities (CVE-2025-55752, CVE-2025-55754) has been brought to the spotlight, once again opening the door to RCE attacks.

Apache Tomcat is a free open-source Java servlet container that hosts Java-based web apps and implements Java Servlet and JavaServer Pages (JSP) specifications. It powers hundreds of thousands of websites and enterprise systems worldwide, including government agencies, large corporations, and critical infrastructure. Yet, such widespread use of open-source software brings a serious layer of concern. According to the 2025 Open Source Security and Risk Analysis (OSSRA) Report, 86% of commercial codebases evaluated contained open-source software vulnerabilities, and 81% of those contained high- or critical-risk vulnerabilities.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats, like flaws in open-source software. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Additionally, security experts might streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.

CVE-2025-55752 and CVE-2025-55754 Analysis

On October 27, 2025, the Apache Software Foundation confirmed two novel vulnerabilities affecting Apache Tomcat versions 9, 10, and 11. 

Of the two newly reported flaws, CVE-2025-55752 is considered the more severe, earning an “Important” rating. This vulnerability emerged from a regression during the resolution of a previous bug (bug 60013) and allows attackers to exploit directory traversal through rewritten URLs. By crafting request URIs that are normalized before decoding, malicious actors can potentially bypass Tomcat’s built-in protections for critical directories, including /WEB-INF/ and /META-INF/. The risk escalates if HTTP PUT requests are enabled, as attackers could upload malicious files, potentially leading to remote code execution on the server. However, in most production setups, PUT requests are restricted to trusted users, which limits the likelihood of immediate exploitation.

The second flaw,  CVE-2025-55754, carries a “Low” severity rating but remains noteworthy. It stems from Tomcat’s inadequate handling of ANSI escape sequences in console logs. When running in a console environment (particularly on Windows systems) attackers can send specially crafted URLs that inject escape sequences into log output. These sequences can manipulate the console display or clipboard contents, creating opportunities to trick administrators into executing unintended actions. While primarily observed on Windows, similar attack vectors could exist on other platforms, broadening the potential impact of this vulnerability.

CVE-2025-55752 and CVE-2025-55754 Mitigation

The vulnerabilities impact Apache Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0-M11 through 9.0.108, plus some EOL versions like 8.5.60 to 8.5.100.​

To address these issues, administrators should upgrade to the patched releases—Tomcat 11.0.11, 10.1.45, and 9.0.109—and verify all deployed instances to ensure no affected versions remain in use. 

Additional mitigation measures include disabling or restricting HTTP PUT requests unless strictly necessary, reviewing console and logging configurations (especially on Windows systems), and actively monitoring for unusual activity, such as unexpected file uploads or suspicious log entries. By taking these steps, organizations can significantly reduce the risk of exploitation and maintain the security and stability of their web applications and critical infrastructure.

Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, and built on zero-trust milestones, global organizations can future-proof defenses at scale and strengthen their cybersecurity posture. 

The post CVE-2025-55752 and CVE-2025-55754: Apache Tomcat Vulnerabilities Expose Servers to RCE Attacks appeared first on SOC Prime.

In the wake of confirmed exploits targeting two Microsoft Edge zero-days, CVE-2025-59230 and CVE-2025-24990, yet another critical vulnerability has come into the spotlight, now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Identified as CVE-2025-61932, the newly discovered critical vulnerability impacts Motex LANSCOPE Endpoint Manager and is being weaponized in real-world attacks.

With over 40,000 new CVEs already logged by NIST this year, cybersecurity teams face mounting pressure to stay ahead. Vulnerability exploitation remains the leading attack vector, and as cyber threats grow more sophisticated, proactive detection is essential to reducing the attack surface and mitigating risk.

Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.

Explore Detections

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-61932 Analysis

A new critical vulnerability, tracked as CVE-2025-61932 with a CVSS v4 score of 9.3, affects on-premises instances of Motex LANSCOPE Endpoint Manager,  particularly the Client Program and Detection Agent components. 

The flaw has been recently added to CISA’s KEV catalog, following the reports of its active exploitation in in-the-wild attacks. The authoring agency has stated that Motex LANSCOPE Endpoint Manager suffers from insufficient verification of communication channel sources, which could give adversaries the green light to remotely execute arbitrary code by sending specially crafted network packets.

The vulnerability affects Lanscope Endpoint Manager versions 9.4.7.1 and earlier and has been patched in the 9.3.2.7, 9.3.3.9, and 9.4.0.5–9.4.7.3 releases. It remains unclear how the flaw is being exploited in real-world scenarios, who is responsible, or the extent of the attacks. However, a Japan Vulnerability Notes (JVN) advisory issued earlier this week revealed that Motex confirmed at least one customer had received a malicious packet suspected of targeting this vulnerability.

Additionally, Japan’s JPCERT/CC reported evidence of active exploitation, noting that unauthorized packets were observed targeting specific ports in domestic customer environments starting after April 2025. Based on available information, the vulnerability is likely being leveraged to deploy an unidentified backdoor on affected systems.

As potential CVE-2025-61932 mitigation measures, given its ongoing exploitation, FCEB agencies have been urged to patch the flaw by November 12, 2025, to protect their networks from potential compromise. Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, and built on zero-trust milestones, global organizations can future-proof defenses at scale and strengthen their cybersecurity posture. 

The post CVE-2025-61932 Exploitation: A New Critical Motex LANSCOPE Endpoint Manager Vulnerability Used in Real-World Attacks appeared first on SOC Prime.