Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).

A team of cybersecurity researchers at Sysdig, a firm specialising in protecting cloud and container-based apps, has found a new malware called EtherRAT being deployed to exploit the severe CVE-2025-55182 React2Shell vulnerability.

The discovery was made on December 5, 2025, just two days after the vulnerability was publicly revealed.

****A Maximum Severity Vulnerability****

This flaw was first disclosed on December 3, 2025, by researcher Lachlan Davidson and affects React Server Components (RSCs), including frameworks like Next.js. It is a maximum-severity issue that allows an unauthenticated attacker to perform Remote Code Execution (RCE) on a server via an unsafe deserialization flaw. CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalogue on December 5, 2025, confirming it was actively being used in attacks.

****From Basic Theft to Advanced EtherRAT****

The latest research from Sysdig TRT reveals that the danger of the React2Shell vulnerability is rapidly expanding. While early exploitation was dominated by payloads from opportunistic cryptominers and sophisticated China-nexus groups deploying credential harvesters and backdoors, Sysdig’s investigation revealed that EtherRAT represents an escalation in this activity.

EtherRAT is a persistent access implant that combines methods from at least three known campaigns into a single, previously unreported attack chain. The malware itself is unique because it uses Ethereum smart contracts for command-and-control (C2) resolution, installs five separate Linux defences to ensure it remains active, and downloads its own Node.js software directly from nodejs.org. According to researchers, this specific blend of features has never been seen before in an exploit of the React2Shell vulnerability.

****EtherRAT’s Command Centre and Attribution****

The most prominent feature of EtherRAT is its Command-and-Control (C2) centre. Instead of relying on a standard website address that could be blocked, it uses Ethereum smart contracts (code stored on a decentralised ledger). This shows its extreme resilience because the program checks nine different public connection points for the Ethereum network, using the address that the majority of them agree on. This consensus mechanism is a way to protect against a single authority shutting it down.

To guarantee a permanent backdoor, the program is designed for long-term stealth, establishing five different ways to ensure it restarts on a system. TRT also believe that the software is linked to North Korean hacking groups because of a “significant overlap with North Korea-linked ‘Contagious Interview‘ (DPRK) tooling.”

Specifically, the way EtherRAT encrypts its files closely matches the BeaverTail malware, a known North Korean tool. The researchers provided a comparison image showing that the file encryption method closely matches the North Korean-linked campaign tooling.

Image credit: Sysdig

Sysdig TRT concluded in the blog post shared with Hackread.com that the advanced design of EtherRAT “represents a significant evolution in React2Shell exploitation.”

Casey Ellis, Founder at Bugcrowd, weighed in on the significance of the EtherRAT discovery, sharing their comments with Hackread.com, stating, _“_From an attacker’s perspective, react2shell is the kind of vulnerability that affords massive opportunity for crime, but that also has a relatively narrow window for exploitation… All of this rolls out to some very speedy and coordinated campaigns, just like the one being described here._“_

Mike McGuire, Senior Security Solutions Manager at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, also commented on the issue, explaining, “The EtherRAT findings show once again that the gap between public disclosure and nation-state exploitation is basically zero. What stands out is the move away from quick hits like cryptomining toward persistent, stealthy access meant for long-term operations.”

“React2Shell is especially concerning because it hits the JavaScript ecosystem at the framework level, which gives attackers a broad reach. By combining a new RCE with things like blockchain-based command and control and a bundled Node.js runtime, the attackers make it much harder for defenders to spot or block them using traditional signals. In simple terms, it lets them blend in and stay hidden for longer,” McGuire added.

“The broader takeaway is that attackers will continue to pivot quickly to weaknesses deep in the web application stack. Organisations need to assume these vulnerabilities will be targeted immediately and make sure their patching processes, SBOM-driven visibility, and monitoring can keep up,” he advised.

North Korean Hackers Deploy EtherRAT Malware in React2Shell Exploits

The update patches three zero-days and introduces a new PowerShell warning meant to help you avoid accidentally running unsafe code from the web.

These updates from Microsoft fix serious security issues, including three that attackers are already exploiting to take control of Windows systems.

In total, the security update resolves 57 Microsoft security vulnerabilities. Microsoft isn’t releasing new features for Windows 10 anymore, so Windows 10 users will only see security updates and fixes for bugs introduced by previous security updates.

**What’s been fixed**

Microsoft releases important security updates on the second Tuesday of every month—known as “Patch Tuesday.” This month’s patches fix critical flaws in Windows 10, Windows 11, Windows Server, Office, and related services.

There are three zero‑days: CVE‑2025‑62221 is an actively exploited privilege‑escalation bug in the Windows Cloud Files Mini Filter Driver. Two are publicly disclosed flaws: CVE-2025-64671, which is a GitHub Copilot for JetBrains remote code execution (RCE) vulnerability, and CVE‑2025‑54100, an RCE issue in Windows PowerShell.

PowerShell received some extra attention, as from now on users will be warned whenever the Invoke‑WebRequest command fetches web pages without safe parameters.​

The warning is to prevent accidental script execution from web content. It highlights the risk that script code embedded in a downloaded page might run during parsing, and recommends using the -UseBasicParsing switch to avoid running any page scripts.

There is no explicit statement from Microsoft tying the new Invoke‑WebRequest warning directly to ClickFix, but it clearly addresses the abuse pattern that ClickFix and similar campaigns rely on: tricking users into running web‑fetched PowerShell code without understanding what it does.

**How to apply fixes and check you’re protected**

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1\. Open **Settings**

*   Click the **Start** button (the Windows logo at the bottom left of your screen).
*   Click on **Settings** (it looks like a little gear).

2\. Go to **Windows Update**

*   In the Settings window, select **Windows Update** (usually at the bottom of the menu on the left).

3. **Check for updates**

*   Click the button that says **Check for updates**.
*   Windows will search for the latest Patch Tuesday updates.
*   If you have selected automatic updates earlier, you may see this under **Update history**:

*   Or you may see a **Restart required** message, which means all you have to do is restart your system and you’re done updating.
*   If not, continue with the steps below.

4. **Download and Install**

*   If updates are found, they’ll start downloading right away. Once complete, you’ll see a button that says **Install** or **Restart now**.
*   Click **Install** if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click **Restart now**.

**5\. Double-check you’re up to date**

*   After restarting, go back to **Windows Update** and check again. If it says **You’re up to date**, you’re all set!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 December Patch Tuesday fixes three zero-days, including one that hijacks Windows devices 

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mq8m-42gh-wq7r: Gogs vulnerable to a bypass of CVE-2024-55947

New records about the infamous sex offender are released seemingly every week. Here’s a quick rundown of who’s releasing the Epstein documents, what they contain—and what they’re releasing next.

For the past few months, the House Oversight and Government Reform Committee has engaged in a sprawling and extremely public investigation of disgraced financier and convicted sex offender Jeffrey Epstein. Keeping track of it all can be hard, even for the sharpest observers.

While initial public interest in what Epstein-related documents the federal government possesses has focused on investigative files held by the Department of Justice, the Oversight Committee’s inquiry expands far past that. In addition to subpoenaing the DOJ, the committee has sent letters or issued subpoenas to several other entities, including the US Treasury Department, the Attorney General of the US Virgin Islands, the Estate of Jeffrey Epstein, and multiple banks.

In some cases, those entities were instructed to send separate copies of the same documents to both Democrats and Republicans on the committee. Those lawmakers have released their own selections of documents to the public, sometimes on the same day and sometimes consisting of overlapping sets of pages.

These releases have varied in format, from screenshots of multiple emails stitched together into a single PDF file, to a Google Drive link containing a 30,000-page dump still in an e-discovery format.

In short, it’s kind of confusing to know what’s been released, what hasn’t, and what’s still expected to come. WIRED reviewed letters and subpoenas sent by the House Oversight Committee, as well as what’s been released so far to the public, to make clear what the many Epstein document releases entail and where the public can access them. And the Oversight Committee isn’t the only part of the government working to release additional documents—the DOJ was recently granted motions to unseal grand jury materials by three different federal judges, and is expected to release an additional dump of documents later this month to comply with the Epstein Files Transparency Act.

Meanwhile, the Oversight Committee appears to be zeroing in on Epstein’s financial records–in public statements, it has said that both the banks and the Treasury are complying with its requests, but it has yet to release documents from them. WIRED identified three gaps in the committee’s releases from Epstein’s estate, which a committee aide confirmed and said included information about Epstein’s bank accounts and cash ledgers.

**US Department of Justice**

In early August, the committee subpoenaed Pam Bondi in her capacity as attorney general, requesting documents and communications related to the DOJ’s lawsuits against Jeffrey Epstein and Ghislaine Maxwell, the 2007 Florida investigation into Epstein, and Epstein’s death, among other things.

An initial 33,295 pages of “Epstein-related records” were produced to the committee and later released in September. At the time, committee Democrats claimed that “97 percent of the pages included information previously released” by various law enforcement agencies. The documents include surveillance footage the night Epstein was found dead in his jail cell, public court filings from the investigations mentioned in the subpoena’s requests for production, and a memo from Bondi to FBI director Kash Patel about releasing the Epstein files. (In other words, documents and communications related to the lawsuits.)

A press release from late November reiterated that the DOJ had produced “roughly 33,000 pages of records to date,” and the Oversight Committee had not released additional documents from the DOJ as of early December. Congress has since passed the Epstein Files Transparency Act, which will require the DOJ to publish all unclassified records related to the investigation and prosecution of Epstein “in a searchable and downloadable format” (much to the relief of those who plan on poring over what’s released.)

**The US Treasury**

In late August, US representative James Comer sent a letter to Treasury secretary Scott Bessent requesting Suspicious Activity Reports (SARs) and “accompanying material” related to Epstein and Maxwell. SARs in particular are closely guarded, and unauthorized disclosure of them is a violation of federal law.

The letter requested documents no later than September 15, 2025. An Oversight Committee press release from late November said that “the Department of Treasury is fully cooperating with the committee’s request,” but so far no documents have been released to the public.

Others in Congress have been frustrated by how the Treasury has handled past requests related to Epstein. According to a September letter sent by Senator Ron Wyden to Bessent, staffers on the Senate Finance Committee were allowed to do what’s called an “in camera review” of thousands of Treasury records related to Epstein’s financial activities in February of last year, when President Joe Biden was still in office. While the staffers were given a limited time to view these records in person, the Treasury didn’t hand over actual copies. Wyden wrote that not having the records was impeding his office’s investigation into Epstein’s finances, which has been ongoing since 2022.

Wyden recently introduced a bill called Produce Epstein Treasury Records Act that, if passed, would compel the Treasury to produce copies of certain documents to the Senate Finance Committee, including SARs related to Epstein and his associates.

**The Estate of Jeffrey Epstein**

In late August, the Oversight Committee subpoenaed the Estate of Jeffrey Epstein, naming co-executors Darren Indyke and Richard Kahn, and requesting 16 categories of documents with an initial deadline of September 8 for them to respond.

On the day of the initial deadline, the committee released documents related to four of the requests: the 2007 non-prosecution agreement between Epstein and the US Attorney’s Office for the Southern District of Florida, Epstein’s will, and entries included in Epstein’s equally infamous “Black Book” and “Birthday Book.” The committee later followed up with additional Black Book pages and unredacted versions of two pages previously included in the first release.

From there, things have ramped up, and the committee has started publishing releases in the style of legal e-discovery productions, often including both image and text versions of the same pages. Some of the releases include a load file that, in normal circumstances, contains information about which pages are supposed to be part of what document, along with other metadata that makes it easier to search through the pages using document review software. Other releases do not.

In October, the committee released thousands of additional pages of documents. Then in November, it released an additional tranche of around 20,000 pages. Many of these documents include emails from a Gmail inbox owned by Epstein, text messages, and documents related to court filings.

Notably, because all the pages released so far include what are called “Bates Numbers” in the bottom-right corner, it’s possible to deduce that there are at least three gaps in what the committee has received so far from the Epstein estate and what it has released to the public. A committee aide confirmed to WIRED that these gaps include nondisclosure agreements and settlement documents, information about Epstein’s bank accounts, and cash ledgers.

**J.P. Morgan and Deutsche Bank**

In November, the Oversight Committee issued subpoenas to J.P. Morgan and Deutsche Bank. The committee only published the cover letters for the subpoenas, so it’s unclear what specific document requests were made. However, the cover letters both note that the committee was aware that Epstein held accounts at each of the banks.

On December 3, Oversight Committee Democrats noted in a press release that the committee had received records from both entities and intended to release files to the public after review.

**The US Virgin Islands Attorney General**

Also in November, the Oversight Committee sent a letter to the US Virgin Islands attorney general, Gordon Rhea, requesting all documents the AG’s office has related to any investigations into Epstein and Maxwell. The letter named two matters related to the Epstein Estate, and one case against J.P Morgan Chase.

While the committee Democrats recently released video and images of Epstein’s compound, the committee has not yet released any other documents produced by the AG’s office.

**Upcoming Releases**

More document releases are expected this month. The Epstein Files Transparency Act requires the DOJ to release “all unclassified records, documents, communications, and investigative materials” related to the investigation and prosecution of Epstein by December 19. Those documents are supposed to be released in a searchable format.

Democrats on the Oversight Committee also promised to release records they received from J.P. Morgan and Deutsche Bank, but didn’t give a specific date to expect them.

Following the passage of the Epstein Files Transparency Act, the DOJ filed several motions to unseal grand jury transcripts and exhibits related to matters involving Epstein and Maxwell. As of December 9, federal judges—one in Florida and two in New York—granted three of the government’s motions, but those documents have not yet been released.

A Complete Guide to the Jeffrey Epstein Document Dumps

GhostFrame uses dynamic subdomains and hidden iframes to help attackers slip past basic security tools.

GhostFrame is a new phishing-as-a-service (PhaaS) kit, tracked since September 2025, that has already powered more than a million phishing attacks.

Threat analysts spotted a series of phishing attacks featuring tools and techniques they hadn’t seen before. A few months later, they had linked over a million attempts to this same kit, which they named GhostFrame for its stealthy use of iframes. The kit hides its malicious activity inside iframes loaded from constantly changing subdomains.

An iframe is a small browser window embedded inside a web page, allowing content to load from another site without sending you away–like an embedded YouTube video or a Google Map. That embedded bit is usually an iframe and is normally harmless.

GhostFrame abuses it in several ways. It dynamically generates a unique subdomain for each victim and can rotate subdomains even during an active session, undermining domain‑based detection and blocking. It also includes several anti‑analysis tricks: disabling right‑click, blocking common keyboard shortcuts, and interfering with browser developer tools, which makes it harder for analysts or cautious users to inspect what is going on behind the scenes.

As a PhaaS kit, GhostFrame is able to spoof legitimate services by adjusting page titles and favicons to match the brand being impersonated. This and its detection-evasion techniques show how PhaaS developers are innovating around web architecture (iframes, subdomains, streaming features) and not just improving email templates.

Hiding sign-in forms inside non‑obvious features (like image streaming or large‑file handlers) is another attempt to get around static content scanners. Think of it as attackers hiding a fake login box inside a “video player” instead of putting the login box directly on the page, so many security tools don’t realize it’s a login box at all. Those tools are often tuned to look for normal HTML forms and password fields in the page code, and here the sensitive bits are tucked away in a feature that is supposed to handle big image or file data streams.

Normally, an image‑streaming or large‑file function is just a way to deliver big images or other “binary large objects” (BLOBs) efficiently to the browser. Instead of putting the login form directly on the page, GhostFrame turns it into what looks like image data. To the user, it looks just like a real Microsoft 365 login screen, but to a basic scanner reading the HTML, it looks like regular, harmless image handling.

Generally speaking, the rise of GhostFrame illuminates a trend that PhaaS is arming less-skilled cybercriminals while raising the bar for defenders. We recently covered Sneaky 2FA and Lighthouse as examples of PhaaS kits that are extremely popular among attackers.

**So, what can we do?**

Pairing a password manager with multi-factor authentication (MFA) offers the best protection.

But as always, you’re the first line of defense. Don’t click on links in unsolicited messages of any type before verifying and confirming they were sent by someone you trust. Staying informed is important as well, because you know what to expect and what to look for.

And remember: it’s not just about trusting what you see on the screen. Layered security stops attackers before they can get anywhere.

Another effective security layer to defend against phishing attacks is Malwarebytes’ free browser extension, Browser Guard, which detects and blocks phishing attacks heuristically.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 GhostFrame phishing kit fuels widespread attacks against millions 

Ukrainian national Victoria Dubranova is in U.S. custody, accused of supporting Russian hacker group NoName057 in cyberattacks on critical infrastructure. She has pleaded not guilty.

The US Justice Department has indicted Ukrainian national Victoria Eduardovna Dubranova, 33, also known as “Vika,” a.k.a. “Tory,” a.k.a. “SovaSonya,” for her alleged role in a series of cyberattacks aimed at disrupting critical infrastructure around the world.

According to court documents, her work supported two well-known Russian-aligned hacking groups, NoName057(16) and CyberArmyofRussia\_Reborn (CARR), also known as Z-Pentest, both believed to have backing from Russian state entities.

Dubranova was extradited to the United States earlier this year and now faces charges in two separate cases. One involves her alleged involvement with CARR, while the second ties her to NoName, another politically motivated group targeting Western countries. She pleaded not guilty to both indictments and is set to face trial in 2026.

In July 2025, police dismantled over 100 servers linked to NoName057(16) and arrested two individuals in coordinated operations across France and Spain. While those arrests targeted the same group Dubranova is accused of supporting, her extradition details remain undisclosed, and there is no public confirmation connecting her to those arrests.

Victoria Eduardovna Dubranova (Image credit: US Department of Justice – Via Courthouse News)

The Justice Department says these weren’t random cyberattacks or financially motivated ransomware campaigns. These were focused efforts designed to disrupt water systems, food supply chains, and public services.

CARR, for example, took responsibility for hacking drinking water systems in multiple U.S. states, causing major spills and system failures. The group also claimed attacks on a meat processing facility in Los Angeles, spoiling thousands of pounds of food and triggering an ammonia leak.

NoName, on the other hand, leaned heavily on its custom DDoS tool called “DDoSia” to knock government websites offline. The group recruited volunteers globally to launch these attacks, offering cryptocurrency rewards and leaderboard rankings to incentivise participation. It ran through an infrastructure built by a Russian state-sponsored IT group known as CISM, which had been operating under a 2018 order from the Russian president.

According to the DoJ’s press release, both groups received guidance and support from Russian government bodies. The CARR indictment references a GRU (Glavnoye Razvedyvatelnoye Upravleniye, Russia’s primary military intelligence agency) officer who provided direction on attack targets and paid for access to cybercriminal services. US authorities say that at times, CARR had over 100 members, including minors, and an online following in the tens of thousands.

****Reward Offered for Leads on Cyber Group CARR****

The US State Department is offering up to $2 million for information leading to the identification or location of individuals associated with the Cyber Army of Russia Reborn (CARR).

Authorities are particularly interested in three individuals, including Yuliya Pankratova, Denis Degtyarenko and “Cyber\_1ce\_Killer,” an individual linked to a GRU officer.

Poster credit: Reward for Justice

As for Dubranova, her charges carry significant penalties. In the CARR case, she faces a maximum sentence of 27 years for conspiracy, damaging protected systems, fraud, and identity theft. In the NoName case, the maximum is five years for a separate conspiracy charge.

****Governments in Conflict While Cybercriminals Move in Quiet Accord****

The arrest shows how cybercriminal networks exploit geopolitical conflict. While Russian and Ukrainian forces clash on traditional battlefields, hackers affiliated with adversarial states continue to work across borders.

This is not an isolated incident. In July 2025, the suspected administrator of XSS.IS, a major Russian-language cybercrime forum long believed by the cybersecurity community and law enforcement to have ties to Russian intelligence, was arrested in Ukraine during a joint operation involving French police and Europol.

Earlier, in 2024, Ukrainian authorities detained a cryptor-developer suspected of aiding notorious ransomware groups Conti and LockBit by building tools that helped their malware evade antivirus detection.

Ukrainian Woman in US Custody for Aiding Russian NoName057 Hacker Group

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-14082

**Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions**

Low severity GitHub Reviewed Published Dec 10, 2025 to the GitHub Advisory Database • Updated Dec 10, 2025

**Package**

maven org.keycloak:keycloak-services (Maven)

**Affected versions**

<= 26.4.7

**Description**

Published to the GitHub Advisory Database

Dec 10, 2025

Last updated

Dec 10, 2025

**EPSS score**

GHSA-6q37-7866-h27j: Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.
Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.

Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.

In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable's Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It's the third time it has done so since Patch Tuesday's inception.

The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).

The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.

"File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target," Adam Barnett, lead software engineer at Rapid7, said in a statement. "Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage."

"The Cloud Files minifilter is used by OneDrive, Google Drive, iCloud, and others, although as a core Windows component, it would still be present on a system where none of those apps were installed."

It's currently not known how the vulnerability is being abused in the wild and in what context, but successful exploitation requires an attacker to obtain access to a susceptible system through some other means. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw.

According to Mike Walters, president and co-founder of Action1, a threat actor could gain low-privileged access through methods like phishing, web browser exploits, or another known remote code execution flaw, and then chain it with CVE-2025-62221 to seize control of the host.

Armed with this access, the attacker could deploy kernel components or abuse signed drivers to evade defenses and maintain persistence, and can be weaponized to achieve a domain-wide compromise when coupled with credential theft scenarios.

The exploitation of CVE-2025-62221 has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025.

The remaining two zero-days are listed below -

*   CVE-2025-54100 (CVSS score: 7.8) - A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally
*   CVE-2025-64671 (CVSS score: 8.4) - A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally

"This is a command injection flaw in how Windows PowerShell processes web content," Action1's Alex Vovk said about CVE-2025-54100. "It lets an unauthenticated attacker execute arbitrary code in the security context of a user who runs a crafted PowerShell command, such as Invoke-WebRequest."

"The threat becomes significant when this vulnerability is combined with common attack patterns. For example, an attacker can use social engineering to persuade a user or admin to run a PowerShell snippet using Invoke-WebRequest, allowing a remote server to return crafted content that triggers the parsing flaw and leads to code execution and implant deployment."

It's worth noting that CVE-2025-64671 comes in the wake of a broader set of security vulnerabilities collectively named IDEsaster that was recently disclosed by security researcher Ari Marzouk. The issues arise as a result of adding agentic capabilities to an integrated development environment (IDE), exposing new security risks in the process.

These attacks leverage prompt injections against the artificial intelligence (AI) agents embedded into IDEs and combine them with the base IDE layer to result in information disclosure or command execution.

"This uses an 'old' attack chain of using a vulnerable tool, so not exactly part of the IDEsaster novel attack chain," Marzouk, who is credited with discovering and reporting the flaw, told The Hacker News. "Specifically, a vulnerable 'execute command' tool where you can bypass the user-configured allow list."

Marzouk also said multiple IDEs were found vulnerable to the same attack, including Kiro.dev, Cursor (CVE-2025-54131), JetBrains Junie (CVE-2025-59458), Gemini CLI, Windsurf, and Roo Code (CVE-2025-54377, CVE-2025-57771, and CVE-2025-65946). Furthermore, GitHub Copilot for Visual Studio Code has been found to be susceptible to the vulnerability, although, in this case, Microsoft assigned it a "Medium" severity rating with no CVE.

"The vulnerability states that it's possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user's 'auto-approve' settings," Kev Breen, senior director of cyber threat research at Immersive, said.

"This can be achieved through 'Cross Prompt Injection,' which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   AMD
*   Arm
*   ASUS
*   Atlassian
*   Bosch
*   Broadcom (including VMware)
*   Canon
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Devolutions
*   Drupal
*   F5
*   Fortinet
*   Fortra
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Pixel Watch
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networking and Juniper Networks)
*   IBM
*   Imagination Technologies
*   Intel
*   Ivanti
*   Lenovo
*   Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Moxa
*   Mozilla Firefox and Firefox ESR
*   NVIDIA
*   OPPO
*   Progress Software
*   Qualcomm
*   React
*   Rockwell Automation
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   Splunk
*   Synology
*   TP-Link
*   WatchGuard
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

Portugal updates its cybercrime law (Decree Law 125/2025) to grant ethical hackers a 'safe harbour' from prosecution. Learn the strict rules researchers must follow, including immediate disclosure to the CNCS, and how other nations are following this trend.

Portugal has recently taken a significant step forward for online safety by updating its cybercrime law. This change, which was made public in the official Portuguese Journal (Diário da República) on December 4th under Decree Law No. 125/2025, basically gives cybersecurity researchers and ethical hackers (experts who use their skills for good) a ‘safe harbour’ from prosecution.

The change was first spotted and publicised by security expert Daniel Cuthbert, the Global Head of Cyber Security Research for the Santander Group and co-chair of the UK Government’s Cyber Security Advisory Board.

> Portugal: not just a country of amazing Pasteis de Nata's but now solid cyber laws too. They've amended their Cybercrime Law by adding Article 8-A to Law 109/2009.https://t.co/7CNpTe70vx
> 
> E daí?
> 
> — Daniel Cuthbert (@dcuthbert) December 5, 2025

****What the New Law Means****

This new rule is enshrined in Article 8.º-A and titled “Acts not punishable due to public interest in cybersecurity,” which makes an exception for actions that previously could have been considered illegal, like unauthorised access to a computer system or data interception. The purpose is to allow experts to find security holes/vulnerabilities and help make our computer systems safer.

However, this protection comes with strict rules to prevent misuse; the researcher must be acting solely to identify flaws and contribute to better cybersecurity, with no intention of making money beyond their normal professional pay. Also, they are strictly forbidden from causing harm, such as disrupting a service or stealing personal information.

Furthermore, they must not use aggressive or deceptive methods like Denial-of-Service (DoS) attacks (overwhelming a system to shut it down), phishing, password theft, or malware deployment.

The law also requires researchers to quickly report their findings to the system’s owner, the data protection regulator, and Portugal’s National Cybersecurity Centre (CNCS). Any data they collect during their work must be kept secret and deleted within 10 days after the security hole is fixed.

****A Growing International Trend****

Portugal is not alone in recognising the value of these ethical hackers. Other countries are looking to follow suit to avoid shutting out people who are vital to our digital resilience. In the UK, for example, Security Minister Dan Jarvis said on December 3rd that the government intends to update the country’s Computer Misuse Act.

He explained that the current law makes security experts feel limited in their work and that they should be welcomed, not constrained. The UK is exploring adding a “statutory defence” to shield researchers from legal trouble, provided they follow certain rules.

As we know it, our digital world relies on finding and fixing vulnerabilities before criminals exploit them. These legal changes reflect a growing understanding that ethical hacking is a public-interest activity that is key to defending everyone’s online security.

New Portuguese Law Shields Ethical Hackers from Prosecution

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.
The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.

The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as **CVE-2025-59718** and **CVE-2025-59719** (CVSS scores: 9.8).

"An Improper Verification of Cryptographic Signature vulnerability \[CWE-347\] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device," Fortinet said in an advisory.

The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle "Allow administrative login using FortiCloud SSO" in the registration page.

To temporarily protect their systems against attacks exploiting these vulnerabilities, organizations are advised to disable the FortiCloud login feature (if enabled) until it can be updated. This can be done in two ways -

*   Go to System -> Settings -> Switch "Allow administrative login using FortiCloud SSO" to Off
*   Run the below command in the CLI -

    config system global
    set admin-forticloud-sso-login disable
    end

**Ivanti Releases Fix for Critical EPM Flaw**

Ivanti has also shipped updates to address four security flaws in Endpoint Manager (EPM), one of which is a critical severity bug in the EPM core and remote consoles. The vulnerability, assigned the CVE identifier **CVE-2025-10573**, carries a CVSS score of 9.6.

"Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session," Ivanti said.

Rapid7 security researcher Ryan Emmons, who discovered and reported the shortcoming on August 15, 2025, said it allows an attacker with unauthenticated access to the primary EPM web service to join fake managed endpoints to the EPM server so as to poison the administrator web dashboard with malicious JavaScript.

"When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator's session," Emmons said.

The company noted that user interaction is required to exploit the flaw and that it's not aware of any attacks in the wild. It has been patched in EPM version 2024 SU4 SR1.

Also patched in the same version are three other high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662) that could allow a remote, unauthenticated attacker to achieve arbitrary code execution. CVE-2025-13662, like in the case of CVE-2025-59718 and CVE-2025-59719, stems from improper verification of cryptographic signatures in the patch management component.

**SAP Fixes Three Critical Flaws**

Lastly, SAP has pushed December security updates to address 14 vulnerabilities across multiple products, including three critical-severity flaws. They are listed below -

*   **CVE-2025-42880** (CVSS score: 9.9) - A code injection vulnerability in SAP Solution Manager
*   **CVE-2025-55754** (CVSS score: 9.6) - Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
*   **CVE-2025-42928** (CVSS score: 9.1) - A deserialization vulnerability in SAP jConnect SDK for Sybase Adaptive Server Enterprise (ASE)

Boston-based SAP security platform Onapsis has been credited with reporting CVE-2025-42880 and CVE-2025-42928. The company said it identified a remote-enabled function module in SAP Solution Manager that enables an authenticated attacker to inject arbitrary code.

"Given the central role of SAP Solution Manager in the SAP system landscape, we strongly recommend a timely patch," Onapsis security researcher Thomas Fritsch said.

CVE-2025-42928, on the other hand, allows for remote code execution by providing specially crafted input to the SAP jConnect SDK component. However, a successful exploitation requires elevated privileges.

With security vulnerabilities in Fortinet, Ivanti, and SAP's software frequently exploited by bad actors, it's essential that users move quickly to apply the fixes.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Tag

#auth