October 2025 – My information Resource (blog.mir.net)

Vulnerability in Oracle E-Business SuiteCould Allow for Remote Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Oracle E-Business Suite, which could allow for remote code execution. Oracle E-Business Suite (EBS) is a comprehensive suite of integrated business applications that runs core enterprise functions. Successful exploitation of this vulnerability could allow a threat actor to execute code in the context of the affected component. A threat actor could then install programs; view, change, or delete data; or create new accounts with full user rights.

Threat Intelligence

Oracle is aware that CVE-2025-61882 has been exploited in the wild.

Systems Affected

Oracle E-Business Suite, versions 12.2.3-12.2.14

Risk

Government:
– Large and medium government entities: High
– Small government entities: Medium

Businesses:
– Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Oracle or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Reference

Oracle:
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Ransomware Groups Continue to Push It to the Limit

Ransomware remains a persistent and ever-evolving threat to businesses of all sizes and sectors. While the tactics, techniques, and procedures (TTPs) may vary, the end goal is often the same – a substantial payday.

After months of silence, LockBit recently reemerged with an announcement of its “LockBit 5.0 Affiliate Program,” which grants its affiliates the ability to target critical infrastructure usually off-limits under standard ransomware-as-a-service (RaaS) rules. Shortly after LockBit reentered the ransomware scene, three well-known groups—Qilin, LockBit, and DragonForce—announced they were forming an alliance. Their goal is to collaborate and share techniques, infrastructure, and resources.

Another cybercrime group known for deploying ransomware, Storm-1175, has been exploiting a vulnerability in GoAnywhere MFT. During their multi-stage attack, they exploited CVE-2025-10035, which enabled remote code execution. After gaining access, they installed remote device management tools, such as SimpleHelp and MeshAgent, to allow them to drop web shells and move laterally across networks using Windows utilities. In one attack, they were able to drop RClone and Medusa ransomware.

Ransomware attacks are typically opportunistic, and a wide range of businesses have become victims. Asahi Group Holdings, a Japanese brewery and food giant, recently experienced an attack on its manufacturing operations, with Qilin RaaS claiming responsibility for the incident. While Asahi immediately shut down operations and isolated affected systems, it is still working to fully restore its systems and get everything back online.

Salt Typhoon APT: A Strategic Threat Assessment

Salt Typhoon continues to target US critical infrastructure through sustained and coordinated cyber operations. The group, an advanced persistent threat (APT) linked to the People’s Republic of China (PRC), focuses much of its activity in communications, government, and defense. These intrusions enable the theft of sensitive national security information while advancing China’s efforts to expand its disruptive cyber capabilities. This access could be leveraged to impede the US military’s ability to respond effectively during a crisis or conflict.

The NJCCIC has assessed that Salt Typhoon poses a high-risk threat to public and private infrastructure in the United States, including organizations in New Jersey. Our latest threat analysis report provides an in-depth Threat Actor Profile (TAP) that includes:

An overview of ongoing threat activity, targeting patterns, objectives, and key incidents. A risk assessment evaluating the likelihood and potential impact of attacks. An outline of the tactics, techniques, and procedures (TTPs) employed. Examples of real-world cyber intrusions and campaigns. Defensive guidance and resources for network administrators and critical infrastructure operators.

NYMJCSC 2025 – October 30th

The 2025 NY Metro Joint Cyber Security Conference is in the planning stage, celebrating our 12^th year featuring keynotes, panels and sessions aimed at educating everyone on the various aspects of information security and technology. Workshops featuring in-depth extended classroom-style educational courses to expand your knowledge and foster security discussions will take place virtually post-conference.

We are pleased to announce our opening keynote Richard Greenberg, CISSP, a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and ISSA Hall of Fame, Distinguished Fellow & Honor Roll.

Conference attendees are invited to our after-party graciously sponsored by The Cyber Breakfast Club.

New York Metro Joint Cyber Security Conference –

Vulnerabilities in F5 Devices

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices to direct Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5.

A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software. This poses an imminent threat to federal networks using F5 devices and software.

Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.

Although ED 26-01 and the associated guidance are directed to federal agencies, all public and private sector organizations are urged to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities.

Key Actions Required:

Inventory: Identify all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF. Harden Public-Facing Hardware and Software Appliances: Identify if physical or virtual BIG-IP devices exposed to the public internet provide public access to the networked management interface. Update Instances of BIG-IP Hardware and Software Applications: Apply the latest vendor updates by October 22, for the following products: F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF— validate the F5 published MD5 checksums for its software image files and other F5 downloaded software. For other devices, update with the latest software release by October 31, and apply the latest F5-provided asset hardening guidance. Disconnect End of Support Devices: Disconnect all public-facing F5 devices that have reached their end-of-support date. Report mission-critical exceptions to CISA. Mitigate Against Cookie Leakage: If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions. Report: Submit a complete inventory of F5 products and actions taken to CISA by 11:59 p.m. EDT, October 29.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.
Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Firefox versions prior to 144
Firefox ESR versions prior to 115.29
Firefox ESR versions prior to 140.4
Thunderbird versions prior to 144
Thunderbird versions prior to 140.4
Thunderbird ESR versions prior to 140.4

RISK:
Government:

Large and medium government entities: HIGH
Small government: MEDIUM

Businesses:

Large and medium business entities: HIGH
Small business entities: MEDIUM

Home Users: LOW

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189)

Use-after-free in MediaTrackGraphImpl. (CVE-2025-11708)
Out of bounds read/write in a privileged process triggered by WebGL textures. (CVE-2025-11709)
Cross-process information leaked due to malicious IPC messages. (CVE-2025-11710)
Some non-writable Object properties could be modified. (CVE-2025-11711)
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144. (CVE-2025-11714)
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144. (CVE-2025-11715)
Memory safety bug fixed in Firefox 144 and Thunderbird 144. (CVE-2025-11721)

Additional lower severity vulnerabilities include:

Sandboxed iframes allowed links to open in external apps (Android only). (CVE-2025-11716)
The password edit screen was not hidden in Android card view. (CVE-2025-11717)
An OBJECT tag type attribute overrode browser behavior on web resources without a content-type. (CVE-2025-11712)
Address bar could be spoofed on Android using visibilitychange. (CVE-2025-11718)
Potential user-assisted code execution in “Copy as cURL” command. (CVE-2025-11713)
Use-after-free caused by the native messaging web extension API on Windows. (CVE-2025-11719)
Spoofing risk in Android custom tabs. (CVE-2025-11720)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051:Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026:Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050:Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021:Restrict Web-Based Content)
- Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040:Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017:User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system.

Ivanti Endpoint Manager is a client-based unified endpoint management software.
Ivanti Endpoint Manager Mobile (Ivanti EPMM) is a mobile management software engine that enables mobile device, application, and content management.
Ivanti Neurons for Mobile Device Management (MDM) is a platform designed to streamline the management and security of mobile devices across various operating systems.

Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Ivanti Endpoint Manager 2024 SU3 SR1 and prior
Ivanti Endpoint Manager 2022 SU8 SR2 and prior
Ivanti Endpoint Manager Mobile (EPMM) 12.6.0.1 and prior
Ivanti Endpoint Manager Mobile (EPMM) 12.5.0.2 and prior
Ivanti Endpoint Manager Mobile (EPMM) 12.4.0.3 and prior
Ivanti Neurons for MDM R118 and prior

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

Path traversal in Ivanti Endpoint Manager allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. (CVE-2025-9713)

Details of lower severity vulnerabilities:

OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (CVE-2025-10242, CVE-2025-10243, CVE-2025-10985)
Missing authorization in Ivanti Neurons for MDM before R118 allows a remote authenticated attacker with admin privileges to unenroll arbitrary devices, causing the targeted device to disappear from the Unified Endpoint Manager UI. (CWE-862)
An MFA bypass in the authentication process of Ivanti Neurons for MDM before R119 allows a remote authenticated attacker to bypass two-factor authentication. (CWE-308)
Missing Authentication in Ivanti Neurons for MDM before R119 allows a remote unauthenticated attacker to access sensitive user information via an API endpoint. (CWE-306)
Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk. 4.7. (CVE-2025-10986, CVSS: CVSS)
Insecure deserialization in Ivanti Endpoint Manager allows a local authenticated attacker to escalate their privileges. (CVE-2025-11622)
SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. (CVE-2025-11623, CVE-2025-62392, CVE-2025-62390, CVE-2025-62389, CVE-2025-62388, CVE-2025-62387, CVE-2025-62385, CVE-2025-62391, CVE-2025-62383, CVE-2025-62386, CVE-2025-62384)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
- Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Critical Patches Issued for Microsoft Products, October 14, 2025 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Agere Windows Modem Driver
Microsoft PowerShell
Windows Failover Cluster
Azure Connected Machine Agent
Microsoft Brokering File System
Virtual Secure Mode
Microsoft Graphics Component
Windows Kernel
Windows Device Association Broker service
Windows Digital Media
Windows Hello
Windows Virtualization-Based Security (VBS) Enclave
Xbox
Microsoft Exchange Server
Visual Studio
.NET
.NET, .NET Framework, Visual Studio
ASP.NET Core
Microsoft Configuration Manager
Azure Monitor
Windows Storage Management Provider
Connected Devices Platform Service (Cdpsvc)
Windows Hyper-V
Windows BitLocker
Windows PrintWorkflowUserSvc
Windows NTFS
Windows Cloud Files Mini Filter Driver
Windows NDIS
Windows Remote Desktop Protocol
Windows USB Video Driver
Windows DirectX
Windows DWM
Windows Resilient File System (ReFS)
Windows Error Reporting
Windows WLAN Auto Config Service
NtQueryInformation Token function (ntifs.h)
Azure Local
Windows Routing and Remote Access Service (RRAS)
Microsoft Windows
Windows Ancillary Function Driver for WinSock
Microsoft Windows Speech
Remote Desktop Client
Windows Cryptographic Services
Windows COM
Windows SMB Server
Windows Connected Devices Platform Service
Windows Bluetooth Service
Windows Local Session Manager (LSM)
Inbox COM Objects
Windows Remote Desktop
Windows File Explorer
Windows High Availability Services
Windows Core Shell
Microsoft Windows Search Component
Storport.sys Driver
Windows Management Services
Windows SSDP Service
Windows ETL Channel
Software Protection Platform (SPP)
Data Sharing Service Client
Network Connection Status Indicator (NCSI)
Windows Remote Desktop Services
Windows StateRepository API
Windows Resilient File System (ReFS) Deduplication Service
Windows MapUrlToZone
Windows Push Notification Core
Azure Entra ID
Microsoft Office Word
Microsoft Office Excel
Microsoft Office Visio
Microsoft Office
Microsoft Office SharePoint
Windows Remote Access Connection Manager
Microsoft Office PowerPoint
Windows Health and Optimized Experiences Service
Azure PlayFab
JDBC Driver for SQL Server
Copilot
Windows DWM Core Library
Active Directory Federation Services
Microsoft Failover Cluster Virtual Driver
Redis Enterprise
Windows Authentication Methods
Windows SMB Client
XBox Gaming Services
Windows NTLM
Azure Monitor Agent
Windows Server Update Service
GitHub
Confidential Azure Container Instances
Windows Taskbar Live
Internet Explorer
Microsoft Defender for Linux
Windows Remote Procedure Call

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the Reference section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
- Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/en-us
https://msrc.microsoft.com/update-guide/releaseNote/2025-Oct

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe Connect is a software suite for online collaboration.
Adobe Commerce is an enterprise-grade eCommerce platform that provides tools for creating and managing online stores for both B2B and B2C businesses.
Magento Open Source is a free, downloadable eCommerce platform from Adobe that provides the core tools to create and manage an online store.
Adobe Creative Cloud is a subscription service that provides access to Adobe’s suite of creative software applications.
Adobe Bridge is a digital asset management and file browser for Creative Cloud applications.
Adobe Animate is a multimedia creation tool used for designing interactive animations.
Adobe Experience Manager (AEM) is a comprehensive content management and digital asset management system.
Adobe Substance 3D Viewer is a free, standalone desktop application (currently in beta) designed to help designers and artists visualize and work with 3D models, textures, and materials.
Adobe Substance 3D Modeler is a sculpting and 3D modeling application within Adobe’s Substance 3D suite that combines virtual reality (VR) and desktop experiences for natural, gestural creation of 3D models.
Adobe FrameMaker is an authoring and publishing application primarily used for creating and managing long, complex technical and structured documents.
Adobe Illustrator is used for creating vector-based graphics like logos, icons, and illustrations that can be scaled to any size without losing quality.
Adobe Dimension is a 3D design application for creating photorealistic product mockups, brand visualizations, and other 3D graphics.
Adobe Substance 3D Stager is a professional software for creating and rendering 3D scenes to produce photorealistic images.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Adobe Connect 12.9 and earlier versions
Adobe Commerce 2.4.9-alpha2 and earlier versions
Adobe Commerce B2B 1.5.3-alpha2 and earlier versions
Magento Open Source 2.4.9-alpha2 and earlier versions
Adobe Creative Cloud Desktop Application 6.7.0.278 and earlier versions
Adobe Bridge 14.1.8 (LTS) and earlier versions
Adobe Bridge 15.1.1 and earlier versions
Adobe Animate 2023 23.0.13 and earlier versions
Adobe Animate 2024 24.0.10 and earlier versions
Adobe Experience Manager (AEM) Screens 6.5.22 Screens FP11.6
Adobe Substance 3D Viewer 0.25.2 and earlier versions
Adobe Substance 3D Modeler 1.22.3 and earlier versions
Adobe FrameMaker 2020 Release Update 9 and earlier versions
Adobe FrameMaker 2022 Release Update 7 and earlier versions
Adobe Illustrator 2025 29.7 and earlier versions
Adobe Illustrator 2024 28.7.9 and earlier versions
Adobe Dimension 4.1.4 and earlier versions
Adobe Substance 3D Stager 3.1.4 and earlier versions

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):

Adobe Connect:

Cross-site Scripting (DOM-based XSS) (CVE-2025-49552, CVE-2025-49553)
URL Redirection to Untrusted Site (‘Open Redirect’) (CVE-2025-54196, CVE-2025-49552)

Adobe Commerce:

Improper Access Control (CVE-2025-54263)
Cross-site Scripting (Stored XSS) (CVE-2025-54264, CVE-2025-54266)
Incorrect Authorization (CVE-2025-54265, CVE-2025-54267)

Adobe Creative Cloud Desktop Application:

Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2025-54271)

Adobe Bridge:

Heap-based Buffer Overflow (CVE-2025-54268, CVE-2025-54278)

Adobe Animate:

Use After Free (CVE-2025-54279)
Heap-based Buffer Overflow (CVE-2025-61804)
Out-of-bounds Read (CVE-2025-54269)
NULL Pointer Dereference (CVE-2025-54270)

Adobe Experience Manager Screens:

Cross-site Scripting (Reflected XSS) (CVE-2025-54272)
Cross-site Scripting (Stored XSS) (CVE-2025-54296, CVE-2025-54297)

Substance 3D Viewer:

Out-of-bounds Write (CVE-2025-54273, CVE-2025-54280, CVE-2025-54275)
Stack-based Buffer Overflow (CVE-2025-54274)

Substance 3D Modeler:

Out-of-bounds Read (CVE-2025-54276)

Adobe FrameMaker:

Use After Free (CVE-2025-54281)
Heap-based Buffer Overflow (CVE-2025-54282)

Adobe Illustrator:

Out-of-bounds Write (CVE-2025-54283, CVE-2025-54284)

Adobe Dimension:

Out-of-bounds Read (CVE-2025-61798, CVE-2025-61799)
Integer Overflow or Wraparound (CVE-2025-61800)
Use After Free (CVE-2025-61801)

Substance 3D Stager:

Use After Free (CVE-2025-61802)
Integer Overflow or Wraparound (CVE-2025-61803, CVE-2025-61807)
Out-of-bounds Read (CVE-2025-61805, CVE-2025-61806)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Credential Theft Phishing Campaign Employs Tactics to Evade Detection

The NJCCIC identified a phishing campaign that uses tactics to make detection more difficult, leading to increased account compromises.

Users receive an initial encrypted email with an encrypted link to “Read the message,” which leads to a legitimate Microsoft 365 login page with the URL beginning with “hxxps://outlook.office365[.]com/Encryption/retrieve.ashx…”

Once login credentials are submitted, the user is directed to a webpage titled “Secure Document Access” with a URL ending in “mysharepoint[.]html.” This webpage requests the user to verify their identity to continue, beginning with their full name.

They are then redirected to a fraudulent Microsoft 365 login page to submit their credentials again. This time, if the credentials are submitted, they are stolen by the threat actor behind the scheme and used to compromise the user’s account and target their contacts to perpetuate the phishing campaign. The webpage URLs used in this campaign are personalized to include the recipient’s email address in order to convey legitimacy.