June 2025 – My information Resource (blog.mir.net)

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe InCopy is a word processor within Adobe Creative Cloud that allows copywriters and editors to write, edit, and format text in InDesign documents, while designers work on the same file in InDesign simultaneously.
Adobe Experience Manager (AEM) is a comprehensive content management system (CMS) and digital asset management (DAM) platform that helps businesses create, manage, and deliver digital experiences across multiple channels.
Adobe Commerce is a comprehensive, enterprise-grade e-commerce platform, formerly known as Magento Commerce, that allows businesses to build, personalize, and manage online stores.
Adobe InDesign is a professional-grade software used for desktop publishing and page layout design.
Adobe Substance 3D Sampler is a 3D scanning and material creation software that transforms real-life pictures into photorealistic materials, 3D objects, and HDR environments.
Adobe Acrobat Reader is a free software that serves as the industry standard for viewing, printing, and interacting with PDFs.
Adobe Substance 3D Painter is a software application primarily used for texturing 3D models.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Adobe Substance 3D Painter 11.0.1 and earlier versions
Adobe InCopy 20.2 and earlier versions
Adobe InCopy 19.5.3 and earlier versions
Adobe Experience Manager (AEM)
AEM Cloud Service (CS) 6.5.22 and earlier versions
Adobe Commerce 2.4.8
Adobe Commerce 2.4.7-p5 and earlier versions
Adobe Commerce 2.4.6-p10 and earlier versions
Adobe Commerce 2.4.5-p12 and earlier versions
Adobe Commerce 2.4.4-p13 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.4.2-p5 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.5-p10 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.4-p12 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.3-p13 and earlier versions
Magento Open Source 2.4.8
Magento Open Source 2.4.7-p5 and earlier versions
Magento Open Source 2.4.6-p10 and earlier versions
Magento Open Source 2.4.5-p12 and earlier versions
Adobe InDesign ID20.2 and earlier versions
Adobe InDesign ID19.5.3 and earlier versions
Adobe Substance 3D Sampler 5.0 and earlier versions
Acrobat DC 25.001.20521 and earlier versions
Acrobat Reader DC 25.001.20521 and earlier versions
Acrobat 2024 24.001.30235 and earlier versions
Acrobat 2020 20.005.30763 and earlier versions
Acrobat Reader 2020 20.005.30763 and earlier versions

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):

Substance 3D Painter:

Out-of-bounds Write (CVE-2025-47108)

Adobe InCopy:

Integer Overflow or Wraparound (CVE-2025-30327)
Heap-based Buffer Overflow (CVE-2025-47107)

Adobe Experience Manager:

Improper Authorization (CVE-2025-46840)
Improper Input Validation (CVE-2025-46837, CVE-2025-47096)
Cross-site Scripting (DOM-based XSS) (CVE-2025-46838, CVE-2025-46848, CVE-2025-46854, CVE-2025-46865, CVE-2025-46866, CVE-2025-46870, CVE-2025-46872, CVE-2025-46877, CVE-2025-46890, CVE-2025-46898, CVE-2025-46954, CVE-2025-46955, CVE-2025-46956, CVE-2025-46959, CVE-2025-46963, CVE-2025-46964, CVE-2025-46966, CVE-2025-46970, CVE-2025-46972, CVE-2025-46973, CVE-2025-46974, CVE-2025-46975, CVE-2025-46976, CVE-2025-46977, CVE-2025-46984, CVE-2025-46988, CVE-2025-46989, CVE-2025-47005, CVE-2025-47022, CVE-2025-47025, CVE-2025-47027, CVE-2025-47032, CVE-2025-47033, CVE-2025-47034, CVE-2025-47035, CVE-2025-47036, CVE-2025-47037, CVE-2025-47038, CVE-2025-47039, CVE-2025-47040, CVE-2025-47041, CVE-2025-47042, CVE-2025-47044, CVE-2025-47045, CVE-2025-47047, CVE-2025-47048, CVE-2025-47049, CVE-2025-47050, CVE-2025-47051, CVE-2025-47052, CVE-2025-47056, CVE-2025-47057, CVE-2025-47063, CVE-2025-47102, CVE-2025-47117)
Cross-site Scripting (Stored XSS) (CVE-2025-46841, CVE-2025-46842, CVE-2025-46843, CVE-2025-46844, CVE-2025-46846, CVE-2025-46845, CVE-2025-46847, CVE-2025-46850, CVE-2025-46851, CVE-2025-46853, CVE-2025-46855, CVE-2025-46858, CVE-2025-46859, CVE-2025-46860, CVE-2025-46861, CVE-2025-46862, CVE-2025-46863, CVE-2025-46864, CVE-2025-46871, CVE-2025-46873, CVE-2025-46876, CVE-2025-46878, CVE-2025-46879, CVE-2025-46880, CVE-2025-46881, CVE-2025-46882, CVE-2025-46883, CVE-2025-46884, CVE-2025-46885, CVE-2025-46886, CVE-2025-46887, CVE-2025-46888, CVE-2025-46891, CVE-2025-46892, CVE-2025-46893, CVE-2025-46894, CVE-2025-46895, CVE-2025-46899, CVE-2025-46900, CVE-2025-46901, CVE-2025-46902, CVE-2025-46903, CVE-2025-46904, CVE-2025-46905, CVE-2025-46906, CVE-2025-46907, CVE-2025-46908, CVE-2025-46909, CVE-2025-46910, CVE-2025-46911, CVE-2025-46912, CVE-2025-46913, CVE-2025-46914, CVE-2025-46915, CVE-2025-46916, CVE-2025-46917, CVE-2025-46918, CVE-2025-46919, CVE-2025-46920, CVE-2025-46922, CVE-2025-46923, CVE-2025-46924, CVE-2025-46926, CVE-2025-46927, CVE-2025-46929, CVE-2025-46930, CVE-2025-46931, CVE-2025-46933, CVE-2025-46934, CVE-2025-46935, CVE-2025-46939, CVE-2025-46940, CVE-2025-46941, CVE-2025-46942, CVE-2025-46943, CVE-2025-46944, CVE-2025-46945, CVE-2025-46946, CVE-2025-46947, CVE-2025-46950, CVE-2025-46953, CVE-2025-46957, CVE-2025-46958, CVE-2025-46960, CVE-2025-46965, CVE-2025-46967, CVE-2025-46968, CVE-2025-46971, CVE-2025-46978, CVE-2025-46979, CVE-2025-46981, CVE-2025-46982, CVE-2025-46983, CVE-2025-46985, CVE-2025-46986, CVE-2025-46987, CVE-2025-46990, CVE-2025-46991, CVE-2025-46992, CVE-2025-46995, CVE-2025-46997, CVE-2025-46999, CVE-2025-47000, CVE-2025-47002, CVE-2025-47003, CVE-2025-47004, CVE-2025-47006, CVE-2025-47007, CVE-2025-47008, CVE-2025-47010, CVE-2025-47011, CVE-2025-47012, CVE-2025-47013, CVE-2025-47014, CVE-2025-47015, CVE-2025-47016, CVE-2025-47017, CVE-2025-47019, CVE-2025-47020, CVE-2025-47021, CVE-2025-47026, CVE-2025-47029, CVE-2025-47030, CVE-2025-47031, CVE-2025-47055, CVE-2025-47060, CVE-2025-47062, CVE-2025-47065, CVE-2025-47066, CVE-2025-47067, CVE-2025-47068, CVE-2025-47069, CVE-2025-47070, CVE-2025-47071, CVE-2025-47072, CVE-2025-47073, CVE-2025-47074, CVE-2025-47075, CVE-2025-47076, CVE-2025-47077, CVE-2025-47078, CVE-2025-47079, CVE-2025-47080, CVE-2025-47081, CVE-2025-47082, CVE-2025-47083, CVE-2025-47084, CVE-2025-47085, CVE-2025-47086, CVE-2025-47087, CVE-2025-47088, CVE-2025-47089, CVE-2025-47090, CVE-2025-47091, CVE-2025-47092, CVE-2025-47093, CVE-2025-47100, CVE-2025-47113, CVE-2025-47114, CVE-2025-47115, CVE-2025-47116)
Cross-site Scripting (Reflected XSS) (CVE-2025-46857, CVE-2025-46874, CVE-2025-46875, CVE-2025-47094)
Improper Access Control (CVE-2025-46889)
URL Redirection to Untrusted Site (‘Open Redirect’) (CVE-2025-47095)

Adobe Commerce:

Cross-site Scripting (Reflected XSS) (CVE-2025-47110)
Improper Authorization (CVE-2025-43585)
Improper Access Control (CVE-2025-27206, CVE-2025-27207, CVE-2025-43586)

Adobe InDesign:

Heap-based Buffer Overflow (CVE-2025-30317)
Out-of-bounds Write (CVE-2025-43558, CVE-2025-43590, CVE-2025-43593)
Use After Free (CVE-2025-43589, CVE-2025-47106)
Out-of-bounds Read (CVE-2025-47104, CVE-2025-47105)
NULL Pointer Dereference (CVE-2025-30321)

Substance 3D Sampler:

Out-of-bounds Write (CVE-2025-43581, CVE-2025-43588)

Adobe Acrobat and Reader:

Use After Free (CVE-2025-43573, CVE-2025-43574, CVE-2025-43576, CVE-2025-43550, CVE-2025-43577)
Out-of-bounds Write (CVE-2025-43575)
Out-of-bounds Read (CVE-2025-43578, CVE-2025-47112)
NULL Pointer Dereference (CVE-2025-47111)
Information Exposure (CVE-2025-43579)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Critical Patches Issued for Microsoft Products, June 10, 2025 – PATCH: NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Windows Storage Management Provider
Windows Cryptographic Services
.NET and Visual Studio
Windows Remote Desktop Services
Windows Win32K – GRFX
Windows Common Log File System Driver
Windows Installer
Remote Desktop Client
Windows Media
Windows SMB
Windows Recovery Driver
Windows Storage Port Driver
Windows Local Security Authority Subsystem Service (LSASS)
Windows DHCP Server
Windows DWM Core Library
WebDAV
Microsoft Local Security Authority Server (lsasrv)
Windows Local Security Authority (LSA)
Windows Routing and Remote Access Service (RRAS)
Windows Kernel
Windows Standards-Based Storage Management Service
App Control for Business (WDAC)
Windows Netlogon
Windows KDC Proxy Service (KPSSVC)
Windows Shell
Microsoft Office
Microsoft Office SharePoint
Microsoft Office Excel
Microsoft Office Word
Microsoft Office Outlook
Microsoft Office PowerPoint
Windows Remote Access Connection Manager
Windows Security App
Visual Studio
Windows SDK
Power Automate
Microsoft AutoUpdate (MAU)
Windows Hello
Nuance Digital Engagement Platform

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jun
https://msrc.microsoft.com/update-guide

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla Firefox, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Firefox versions prior to 139.0.4

RISK:

Government:

Large and medium government entities: HIGH
Small government: MEDIUM

Businesses:

Large and medium business entities: HIGH
Small business entities: MEDIUM

Home Users: LOW

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla Firefox, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Drive-by Compromise (T1189)

Certain canvas operations could have led to memory corruption. (CVE-2025-49709)
An integer overflow was present in OrderedHashTable used by the JavaScript engine. (CVE-2025-49710)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021:Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017:User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49710

Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/

Primary Mitigations to Reduce Cyber Threats to Operational Technology

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the Department of Energy (DOE)—hereafter referred to as “the authoring organizations”—are aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States. The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet-connected OT and ICS.

The authoring organizations recommend critical infrastructure asset owners and operators implement the mitigations found in their Fact Sheet to defend against OT cyber threats. Additionally, CISA recommends critical infrastructure organizations review and implement, if possible, the listed resources to enhance their security posture.

Cybercriminals Impersonate NJ MVC in Recent SMS Text Phishing Messages

Over the last week, the NJCCIC has received several incident reports from NJ residents regarding an SMS text phishing (SMiShing) scam impersonating the Department of Motor Vehicles (DMV). These messages claim that the user has an outstanding traffic ticket and payment is due. If not paid by May 29, the user will have their vehicle registration and driving privileges suspended, receive a toll booth charge increase, and their credit score will be impacted. The URL displayed in the message includes “ezpassnj” and “.gov” in an attempt to appear legitimate. The message itself does not allow the user to click the included link directly but instead instructs them to reply to the message with “Y” and reopen the message to click the link or to copy the URL to their browser. These links lead to fraudulent websites that attempt to extract personally identifiable information, financial details, or account credentials.

This SMiShing scheme is similar to others that have circulated impersonating NJ toll services and EZ-Pass claiming the user has an outstanding toll that needs to be paid to avoid a late fee.

The NJ MVC only sends text messages to remind residents about scheduled MVC appointments. It does not send text messages regarding driver’s licenses or vehicle registration status.

New Jersey E-ZPass does not send unsolicited text messages to collect payments. If your account is in collections and being handled by Credit Collection Services, you may receive text messages from Credit Collection Services regarding your account. Their text message will list a phone number, their website www.ccspayment.com, and reference a file number.

Intuit Credential Phishing

The NJCCIC’s email security solution observed a new phishing campaign targeting Intuit login credentials. In this campaign, threat actors send an email impersonating accounting software Intuit QuickBooks. While the spoofed email address may appear to come from Intuit at first glance, the domain used in this campaign is intuit[.]net, which is not an official Intuit domain.

Users are prompted to click the link provided to fix a payment record discrepancy. The threat actors use a URL shortener provided by X (t.co) to obfuscate the link’s destination. If clicked, users are redirected to a phishing page designed to appear as the Intuit login page. If credentials are entered, the information is forwarded to threat actors. This campaign may also collect short message service (SMS) multi-factor authentication (MFA) codes.

Threat Actors Continue to Exploit and Capitalize on the Travel Industry

As the unofficial summer travel season is underway, many people will be busy with upcoming travel plans. Threat actors will also be busy performing reconnaissance, exploiting vulnerabilities, and capitalizing on travel websites and accounts. They continue to create spoofed travel website domains or attempt to exploit and compromise legitimate travel websites or accounts. Threat actors deceive potential victims using social engineering tactics, such as impersonation, phishing, pretexting, or creating urgency. Travel fraud can appear as manipulated destination photos, fake confirmation links, irresistible offers, or discounted travel.

The NJCCIC’s email security solution detected multiple spam campaigns sent to New Jersey State employees. The above campaign appears to be from a travel and expense management website that claims to find the lowest prices on flights, hotels, and car rentals. These unsolicited communications typically push unwanted advertising, collect personally identifiable information (PII), steal funds, or distribute malware.

In a separate campaign, threat actors compromised a travel savings card website and emailed potential victims to book their next getaway using their travel savings balance. The subject line specifies that their travel savings balance is available. Other subject lines in this campaign reference “summer is calling,” “beach vacations booking fast,” “deals you don’t want to miss,” and “new month, new deals!” The threat actors attempt to convince their targets to click the “Login Now” button, which directs users to a landing page that prompts them to log in using their Google account credentials. Further analysis indicates this campaign includes stealer malware to exfiltrate credentials and data.

Additionally, the proliferation of artificial intelligence (AI) threatens the travel industry. In 2024, travel was the most attacked industry by advanced bots, accounting for 27 percent of all bot attacks, up from 21 percent in 2023. Threat actors can create and deploy malicious bots, create spoofed websites, generate fake reviews and articles, craft sophisticated phishing emails, exploit vulnerabilities, hijack accounts, and exfiltrate data. They have increasingly created fraudulent websites that impersonate official government pages for passports, visas, and TSA PreChecks . Travelers are at risk of fraud, misinformation, and malicious intent when planning or managing trips and itineraries; therefore, they should remain vigilant and employ cybersecurity best practices to help protect themselves from identity theft, financial loss, and disrupted travel.

Vishing Scams: Who is Really Calling You?

The NJCCIC continues to receive reports of fraudulent phone calls in vishing scams.
Typically, threat actors acquire publicly available information found online and impersonate specific organizations or individuals. They contact the recipient to extort money or convince their targets to divulge sensitive information, grant access to their accounts or devices, or purchase fraudulent goods or services.

In one report, an educational institution received repeated suspicious phone calls from different phone numbers, including spoofed official ones, to appear legitimate.

The threat actors claimed to be “Online IT Training” and asked for the head of the information technology department. When questioned, the threat actors could not respond “off script.”

Threat actors are increasingly leveraging voice cloning and artificial intelligence (AI) technologies to carry out impersonation and extortion scams. They can find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient caller answers a call.

They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, such as family emergencies, kidnappings, robberies, or car accidents. In one reported vishing scam, the threat actors impersonated the target’s daughter, claiming to be involved in a car accident.

A male voice was also on the line, claiming to be a local law enforcement officer and reporting that the daughter supposedly admitted to using her cell phone while driving. He indicated that she was being held for charges of injuring the other driver, who was pregnant. The purported officer stated that a bail bond agent would contact them to post bail. Minutes later, a male caller posing as a bail bond agent contacted the target to indicate bail was set at $15,000 cash only and threatened not to tell anyone because it would go on the daughter’s permanent record.

After hanging up with the threat actors, the target called their daughter to confirm the call’s legitimacy before going to the bank. The daughter revealed she was not on the call or involved in a car accident.

More Ransomware Groups Adopt Tactic of Impersonating IT Support

Over the last year, cybersecurity researchers and analysts reported that ransomware groups have adopted a tactic of impersonating IT support and using email bombing to convince users to provide the threat actors with access to the targeted organization’s network.

In a recent incident reported by Sophos, the 3AM ransomware group spoofed a targeted organization’s official IT department phone number to call one of the organization’s users. Just before the call, the threat actors initiated email bombing, sending the user 24 unsolicited emails in just a few minutes. When the threat actors called the user using the spoofed number, they referenced the email bombing and convinced them to open Microsoft Quick Assist and grant remote access.

In this incident, the threat actors were able to steal over 800GB of data, though many additional actions were mainly blocked due to the company’s strict multi-factor authentication (MFA) policies and security software. However, in other incidents, once remote access is obtained, the threat actors could install malware, steal data, move laterally, elevate privileges, and encrypt data in a ransomware attack.

Multiple Vulnerabilities in Google ChromeCould Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence Google is aware that an exploit for CVE-2025-5419 exists in the wild.

Systems Affected

Chrome prior to 137.0.7151.68/.69 for Windows and Mac Chrome prior to 137.0.7151.68 for Linux

Risk
Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

Reference
Google:
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html