Spring Break vacationers could open themselves up to online scams and cyberthreats this year, according to new research from Malwarebytes.

This year, Spring Break vacationers are packing more than their flip-flops, bucket hats, and sunglasses—they’re also packing a few cybersecurity anxieties for the trip.

According to new research from Malwarebytes, 52% of people said they “worry about being scammed while traveling,” while another 40% admitted that they “worry about my kids or family sharing trip details online.” While most people said they will act on these concerns—63% will make sure their security software is up to date, 53% will back up their data—roughly 10% of people said they will take no precautions whatsoever into protecting their security or privacy while on vacation.

The findings reveal that the public approaches cybersecurity as a patchwork quilt, implementing some best practices while forgoing others, and engaging in a few behaviors that carry significant risk online.

For this research, Malwarebytes conducted a pulse survey of its customers in March via the Alchemer Survey Platform.

Broadly, Malwarebytes found that:

*   52% of people “agreed” or “strongly agreed” that they “worry about being scammed while traveling.”
*   20% of people “agreed” or “strongly agreed” that they “don’t really think about protecting my data while traveling.”
*   38% of people said they will book their next travel opportunity through a “general search,” which could leave them vulnerable to malvertising.
*   Apps are a way of life, as 66% of people said they use between one and six apps specifically for travel (such as hotel apps, airline apps, and translation apps). A particularly plugged-in 8% of people said they manage more than seven apps for the same purposes.
*   To stay cybersecure and private on vacation, the majority of people will backup their data (53%), ensure their security software is up to date (63%), and set up credit card transaction alerts (56%), but 10% will take none of these—or other—steps.
*   53% of people refuse to take a single laptop with them on vacation, whereas just 1% leave even their smartphone behind—talk about a holiday.

****Risky business break****

The cybersecurity risks around personal vacations are unlike those around the holidays for major organizations and businesses, in which cybercriminals know that low staffing will leave companies more vulnerable to an attack or breach.

Instead, far-flung Spring Breakers can engage in a series of behaviors both before and during their holidays that leave them open to online scams and theft.

Take, for example, the 38% of people who told Malwarebytes that they would conduct a “general search online” in booking their next vacation. While Google searches are probably one of the most common tasks for any vacation planning, the results that people see can be manipulated through a type of cybercrime called malvertising, short for “malicious advertising.” 

In malvertising, cybercriminals will create a fake website that looks like a popular service, like Facebook, Slack, or eBay. Cybercriminals will also pay a small sum so that these fake websites show up near the top of Google’s sponsored results for relevant searches. Once users click on the websites, which appear legitimate, they’re tricked into downloading malware or handing over sensitive information to scammers.

A safer option for vacationers is to book travel directly with an airline or hotel chain. Many participants wrote this approach into the Malwarebytes survey when selecting the “Other” option (14%). Interestingly, the 29% of respondents who said they use a travel agent for booking likely also receive some extra safeguards, simply because another, experienced, person is involved in the process.

But in the same way that cybercriminals have begun abusing Google search results to send victims to dangerous websites, they’ve also done the same to trick users into downloading fake versions of popular apps.

Android “phishing” apps are a serious threat to users today—Malwarebytes detected 22,800 of them last year alone—and, as we wrote before, they represent the next step in camouflaged cyber-scamming:

> “By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals.”

The threat here endures long after the app is installed. If enough victims unwittingly send their passwords, cyber thieves could bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

This wouldn’t be too much a problem if modern traveling didn’t involve so many apps.

According to our survey, 44% of people manage between two to four apps specifically for travel purposes, and 9% manage between five and six apps. And while 20% of people use zero apps for travel and 14% use just one app, there are 8% of people who rely on more than seven apps strictly for travel purposes.

That could include airlines apps, hotel apps, translation apps, and more. But as more apps help with traveling needs, more opportunities arise for those apps to be falsely emulated and maliciously advertised online.

As for what people do while physically on vacation, many engaged in online behaviors that could prove risky, but they can hardly be criticized for it.

For example, 25% of people said they scan QR codes while on vacation. These codes could lead people to malicious websites, but QR codes have become normalized at restaurants that no longer have physical menus. And 33% of people “log into financial institution sites or apps to manage \[their\] budget, check purchases, etc.” This type of activity was susceptible to online eavesdropping many years ago, but everyday internet connections have become far more secure in the past decade. That said, it’s inspiring to see that 41% of people “download or install a VPN” to provide an extra level of security when browsing on public Wi-Fi.

****Safe travels****

Cybersecurity is probably the last thing people want to “pack” before going away on a break, but, thankfully, it’s something that a majority of people said they do.

For instance, 63% said they “check that \[their\] security software is up to date,” while 53% said they “backup \[their\] data.” Similarly, 56% said they “set up credit card transaction alerts.” And while it isn’t quite a majority, 47% said they turn on “Find my Device” features which can help in case of a lost or stolen device. Interestingly, people do not commit to the same precautions for their bags—just 21% of survey participants said they “put a tracker in \[their\] luggage.”

Still, there’s progress to be made.

Not only did 10% of survey participants share that they take zero cybersecurity or data privacy precautions before traveling, but 20% also agreed or strongly agreed with the statement “I don’t really think about protecting my data while traveling.”

For safety abroad, here are a few tips travelers can take before and during their next vacation:

*   **Backup your data before you head out**. Losing a device or having it stolen while on vacation won’t just ruin the trip itself—it will return the return journey, too. Backing up your data will help ensure that any lost device doesn’t lead to lost files.
*   **Turn on “Find My” features**. To respond to a lost or stolen device, turn on the “Find My” features on iPhones and Androids before your vacation so you can track a device’s location in real time.
*   **Protect your devices with antivirus and cybersecurity tools**. Modern cybersecurity tools don’t just stop viruses from landing on your devices, they also warn you about dangerous websites and links that could steal your info.
*   **Update your software**. Ensure that your devices are running on the latest versions of their operating systems. This helps prevent any known weaknesses from being exploited by cybercriminals.
*   **Use a password manager and 2FA**. Your most sensitive accounts shouldn’t just have a unique password. They should also be protected by two-factor authentication, which requires more than a password for anyone to login.
*   **Consider a VPN**. If you are doing something sensitive online, it never hurts to use a VPN. Bonus: If you’re travelling to another country where your favourite streaming shows aren’t available, a VPN can help here too.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 1 in 10 people do nothing to stay secure and private on vacation 

A list of topics we covered in the week of March 10 to March 16 of 2025

March 14, 2025 - A shocking amount of iOS apps in Apple's App Store contained hard-coded secrets. Secrets that could lead criminals to user data.

March 13, 2025 - To parents worried about their children's presence on Roblox, the CEO said don't let your kids be on Roblox.

March 12, 2025 - Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks.

March 12, 2025 - Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

March 12, 2025 - Google spies on Android device users, starting from even before they have logged in to their Google account.

 A week in security (March 10 &#8211; March 16) 

Plus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.

Knifings, firebombings, shootings, and murder-for-hire plots—all linked to a splinter group of the 764 crime network called “No Lives Matter.” According to its own manifesto, the group seeks to “purify mankind through endless attacks” and has released at least two “kill guides” tied to violent plots in the US and Europe. Intelligence documents reviewed by WIRED reveal growing concern among analysts, but experts remain unsure how to stop the group’s spread.

On Monday, X experienced intermittent outages after a botnet flooded the social network with junk traffic in an attempt to take down its system. Elon Musk stated that the distributed denial-of-service attack originated from Ukrainian IP addresses, implying that the country—already under siege by a Russian invasion and frequently mocked by the centibillionaire—may have been responsible. Security experts tell WIRED that this is not how DDoS attacks work.

Meanwhile, inside the Cybersecurity and Infrastructure Security Agency, mass layoffs are hurting US cyberdefense, weakening protections against foreign adversaries. Vital staff cuts have left employees overworked and strained international partnerships, according to interviews with staff at the agency that helps safeguard cities, businesses, and nonprofits from cyberattacks. “A lot of people are scared,” says one employee. “We’re waiting for that other shoe to drop. We don't know what's coming.” As WIRED takes you inside the agencies at the center of the uncertainty and chaos of the second Trump administration, we've updated our quick and easy guide to using Signal to help you get the most out of the messaging app’s end-to-end encryption.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Those “green bubbles,” the cross-platform text messages that annoy iPhone owners and keep Android users relegated to a group-chat underclass, aren’t just a cultural disconnect. They’re also a security issue: Text messages sent between Android and iOS devices—unlike blue-bubble iMessage texts or Android-to-Android messages—aren’t end-to-end encrypted, leaving them open to surveillance or interception. Now, that may finally be changing.

The GSM Association, responsible for many widely used telecom standards, this week announced that its Rich Communication Services (or RCS) protocol will now support end-to-end encryption for cross-platform texting, and Apple revealed that it will now integrate that feature of RCS into its iOS devices. Until now, Apple and Google had both supported RCS’s other features in texts sent between iOS and Android, but not end-to-end encryption, which ensures that only the devices sending and receiving messages can decrypt them and not any server or snoop that sees them in transit.

Neither Apple nor the GSMA has said exactly when the new privacy features are launching. Until then, anyone sending cross-platform messages would be wise to stick with apps like WhatsApp or Signal that have long provided end-to-end encryption—and have also helped Android and iPhone users avoid personal disputes over bubble colors.

**Sean Plankey Nominated as Head of CISA, America’s Top Cybersecurity Agency**

The White House has tapped Sean Plankey to run CISA, the agency within the Department of Homeland Security primarily responsible for American digital defense. Plankey, long considered the leading contender for the role, served in multiple cybersecurity positions in the first Trump administration and previously held senior roles in US Cyber Command. In that DOD agency focused on cyber offense, he served as a weapons and tactics branch chief and earned a Bronze Star for hacking operations in Afghanistan. CISA, like many federal agencies, has faced hundreds of personnel cuts in recent weeks, and its previous director, Chris Krebs, came under harsh criticism under the previous Trump administration for the agency’s work to counter disinformation and secure elections. Krebs was fired in a Trump tweet near the end of his term after CISA described the 2020 election, whose results Trump baselessly contested, as the “most secure in American history.”

**Elon Musk Visits the National Security Agency**

Not even the National Security Agency has been spared from Elon Musk’s scorched-earth campaign to gut the federal government. On Wednesday, The Wall Street Journal reported that Musk had visited the intelligence agency in Fort Meade, meeting with leadership to discuss staff reductions and operational changes, according to current and former US officials who spoke to the Journal.

Despite being one of the most insulated branches of US intelligence, the NSA has still found itself pulled into Musk’s orbit. The visit to Fort Meade is another sign of the sweeping nature of his influence and the extraordinary access the world’s richest man has been granted over even the most secretive federal operations.

Last month, staff at the intelligence agency received emails offering deferred resignations, signaling impending changes. Then, a week ahead of his visit, Musk publicly called for an overhaul of the intelligence and cybersecurity agency. Posting to his social media site X, Musk wrote, “The NSA needs an overhaul,” alongside an apparent agency recruitment graphic featuring a group of college-aged people of color and a list of universities where the NSA was conducting outreach—seemingly mocking the agency’s recruitment efforts.

**A Buzzy Crypto Cracking Firm Had a Hidden CoFounder Accused of Sexual Assault**

The cryptocurrency recovery firm Unciphered has made headlines with its feats of whitehat wallet cracking on behalf of customers who have lost access to their cryptocurrency fortunes. In the fall of 2023, for instance, the company cracked a model of encrypted IronKey USB drive believed to hold 7,000-plus bitcoins now worth well over half a billion dollars. Now, The Washington Post reports that one of the cofounders of that company was Morgan Marquis-Boire, a once-lauded hacker and security researcher for Google and Citizen Lab who was later accused of sexually assaulting multiple women. The reported involvement of Marquis-Boire, who has largely disappeared from the cybersecurity world after facing the sex crime accusations in 2017, was kept secret from even many of the startup’s staff, and the revelations of his role have left the company in “disarray,” according to the Post.

**A Reporter Behind an Indian Hacker-for-Hire Story Is Fighting to Regain His Citizenship**

In November of 2023, Raphael Satter was one of a team of Reuters reporters who published an in-depth feature on Appin Technology, a startup that allegedly hacked numerous celebrity and civil society targets on behalf of clients. A group with a similar name responded by suing, and obtained a court ruling that for a time successfully censored Reuters’ story—a remarkable case of an Indian judge restricting free speech internationally. Satter is now fighting a different battle following publication of that story. In late 2023, his Overseas Citizen of India (OCI) card—a kind of international citizenship extended to foreign citizens of Indian origin and those married to Indians—was revoked around the same time as the judge filed the injunction. A letter sent to Satter in December of that year accused him of “maliciously creating adverse and biased opinion against Indian institutions in the international arena.” Satter is now petitioning a Delhi court to reverse that revocation, which has prevented him from entering India to visit family there.

End-to-End Encrypted Texts Between Android and iPhone Are Coming

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “**ClickFix**,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes **Microsoft Windows** to download password-stealing malware.

ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity.

Executing this series of keypresses prompts Windows to download password-stealing malware.

Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.

Step 3 — pressing the “Enter” key — causes Windows to download and launch malicious code through “**mshta.exe**,” a Windows program designed to run Microsoft HTML application files.

“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” **Microsoft** wrote in a blog post on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”

According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating **Booking.com**. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities — all in a bid to convince people to step through one of these ClickFix attacks.

In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people who’d just booked travel through the company’s app.

Earlier this month, the security firm **Arctic Wolf** warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.

An alert (PDF) released in October 2024 by the **U.S. Department of Health and Human Services** warned that the ClickFix attack can take many forms, including fake **Google Chrome** error pages and popups that spoof **Facebook**.

ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.

The ClickFix attack — and its reliance on mshta.exe — is reminiscent of phishing techniques employed for years that hid exploits inside **Microsoft Office** **macros**. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.

Alas, the email security vendor **Proofpoint** has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of Microsoft Word document with a pop-up error message directing users to click the “Solution” or “How to Fix” button.

HTML files containing ClickFix instructions. Examples for attachments named “Report\_” (on the left) and “scan\_doc\_” (on the right). Image: Proofpoint.

Organizations that wish to do so can take advantage of Microsoft Group Policy restrictions to prevent Windows from executing the “run” command when users hit the Windows key and the “R” key simultaneously.

ClickFix: How to Infect Your PC in Three Easy Steps

The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.

Over the past decade, encrypted communication has become the norm for billions of people. Every day, Signal, iMessage, and WhatsApp keep billions of messages, photos, videos, and calls private by using end-to-end encryption by default—while Zoom, Discord, and various other services all have options to enable the protection. But despite the technology’s mainstream rise, long-standing threats to weaken encryption keep piling up.

Over the past few months, there has been a surge in government and law enforcement efforts that would effectively undermine encryption, privacy advocates and experts say, with some of the emerging threats being the most “blunt” and aggressive of those in recent memory. Officials in the UK, France, and Sweden have all made moves since the start of 2025 that could undermine or eliminate the protections of end-to-end encryption, adding to a multiyear European Union plan to scan private chats and Indian efforts that could damage encryption.

These latest assaults on encryption come as intelligence agencies and law enforcement officials in the United States have recently backtracked on years of anti-encryption attitudes and now recommend that people use encrypted communication platforms whenever they can. The drastic shift in attitude followed the China-backed Salt Typhoon hacker group’s widespread breach of major US telecoms, and it comes as the second Trump administration ramps up potential surveillance of millions of undocumented migrants living in the US. Simultaneously, the administration has been straining longtime, crucial international intelligence-sharing agreements and partnerships.

“The trend is bleak,” says Carmela Troncoso, a longtime privacy and cryptography researcher and the scientific director at the Max-Planck Institute for Security and Privacy in Germany. “We see these new policies coming up as mushrooms trying to undermine encryption.”

End-to-end encryption is designed so only the sender and receiver of messages have access to their contents—governments, tech companies, and telecom providers can’t snoop on what people are saying. Those privacy and security guarantees have made encryption a target for law enforcement and governments for decades, because officials claim that the protection makes it prohibitively difficult to investigate urgent threats such as child sexual abuse material and terrorism.

As a result, governments around the world have frequently proposed technical mechanisms to bypass encryption and allow access to messages for investigations. Cryptographers and technologists have repeatedly and definitively warned, though, that any backdoor created to access end-to-end encrypted communications could be exploited by hackers or authoritarian governments, compromising everyone’s safety. Additionally, it is likely that criminals would find ways to continue to use self-made encryption tools to conceal their messages, meaning that backdoors in mainstream products would succeed at undermining protections for the public without eliminating its use by bad actors.

Broadly, the recent threats to encryption have come in three forms, says Namrata Maheshwari, the encryption policy lead at international nonprofit Access Now. First, there are those where governments or law enforcement agencies are asking for backdoors to be built into encrypted platforms to gain “lawful access” to content. At the end of February, for example, Apple pulled its encrypted iCloud backup system, called Advanced Data Protection, from use in the UK after the country’s lawmakers reportedly hit the Cupertino company with a secret order demanding Apple provide access to encrypted files. To do so, Apple would have had to create a backdoor. The order, which has been criticized by the Trump administration, is set to be challenged in a secret court hearing on March 14.

Meanwhile, lawmakers in Sweden are also considering legislation that would require encrypted messaging companies, such as Signal and WhatsApp, to keep copies of messages that people send on their platforms so they could allow law enforcement to access suspects’ histories. Signal has said it would pull out of Sweden if the potential law goes ahead. While in France earlier this year, a proposed amendment to a drug trafficking law outlined plans to require encrypted messaging services to hand over decrypted chat messages within 72 hours of a request or face fines of up to 2 percent of annual global revenue. This week, the proposal was reportedly scrapped, while some politicians said they supported the idea.

“We’re seeing some democracies revert back to very crude approaches to circumventing encryption that we maybe thought were something of the past,” Callum Voge, the director of governmental affairs and advocacy at nonprofit Internet Society, says of efforts that could require a backdoor to be created.

In January, the head of EU law enforcement agency Europol told the Financial Times that tech companies have a “social responsibility” to provide access to encrypted messages. “Anonymity is not a fundamental right,” Catherine De Bolle told the publication. The comments expanded upon a previous statement from European police chiefs saying “we do not accept that there need be a binary choice between cybersecurity or privacy on the one hand and public safety on the other.”

The second threat, Maheshwari says, relates to an increase in proposals related to a technology known as “client-side scanning.” The process, which is sometimes called “on-device scanning,” involves scanning messages locally on a person’s device before they are encrypted, and comparing them against a database of prohibited content that is held elsewhere. Client-side scanning is an effort to contort encryption backdoors into something more palatable to privacy proponents by keeping people’s personal data on their own devices.

Ultimately, though, cryptographers and digital rights advocates have repeatedly warned that client-side scanning does not sidestep the fundamental dangers posed by creating a way for a third party to access encrypted data. The Internet Society’s Voge describes such efforts as a more “sophisticated” way that democracies have been trying to circumvent encryption in recent years.

For instance, politicians in the EU have been fiercely debating plans to scan billions of messages for potential child sexual abuse material using client-side scanning for more than three years. The unresolved debates have proved highly controversial, with multiple countries pushing to weaken encryption. “Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types,” Apple officials said in a letter first reported by WIRED in August 2023, after the company ditched its own, separate plans to introduce a form of client-side scanning on iPhones.

“It’s very divided in Europe, \[there are\] countries strongly in favor of scanning and countries strongly against it as well,” Voge says of the EU’s long-running chat monitoring plans. In May 2023, WIRED obtained leaked documents that stated many European countries’ positions on encryption. At the time, Spanish officials said they would like to prevent end-to-end encryption entirely in the EU, while many others were in favor of scanning people’s messages. Other countries, such as Germany, were against weakening encryption. Dutch political documentation says the country’s intelligence agency, AIVD, considers client-side scanning to be “too great a security risk for the digital resilience of the Netherlands.”

Finally, Maheshwari says, there is always the looming threat of potential bans or blocks for encrypted services. Toward the end of 2024, Russian officials blocked access to Signal amid the country’s ongoing full-scale war against Ukraine and widescale efforts to censor and control information environments. India has an ongoing lawsuit against WhatsApp, which could threaten its ability to operate in the country or necessitate that the platform retreat from end-to-end encryption in that market. Maheshwari also points out that while all virtual private networks do not specifically use end-to-end encryption, India has already banned multiple VPN services.

While each potential proposal that could undermine encryption is slightly different, the Internet Society’s Voge says that they’ve been met with some “stronger” pro-encryption voices coming from government or law enforcement services around the world, particularly when it comes to protecting national security.

In December, two officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, encouraged more people to use encrypted communications systems after China’s Salt Typhoon hackers gained deep access to US telecoms providers, exposing unencrypted calls and texts. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” one of the officials said.

Voge points out that as well as CISA and the FBI’s calls to use encrypted messaging, the Swedish armed forces has specifically cleared Signal for use with unclassified material, saying it can stop messages and calls from being intercepted by third parties.

Ahead of the UK’s March 14 legal hearing about the backdoor order reportedly made to Apple, US senators and privacy groups urged there to be more transparency about the demands and the risks to global encryption it presents. A bipartisan group of five members of Congress said the “cloak of secrecy” should be removed.

UK civil liberties groups Privacy International and Liberty also filed legal challenges over the secrecy of the proceedings. “While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others,” Privacy International said in a statement.

Ultimately, Access Now’s Maheshwari says, efforts to defend encryption will almost certainly continue, as they have for decades, to protect people’s human rights.

“Encryption right now is exceptionally important because it's a crucial enabler of the full spectrum of human rights,” Maheshwari says. “It’s not just privacy. It is what enables you to speak freely, to exercise your freedom of expression, to organize, to assemble, to associate.”

A New Era of Attacks on Encryption Is Starting to Heat Up

## Summary
An unauthorized attacker can leverage the whitelisted route `/api/v1/attachments` to upload arbitrary files when the `storageType` is set to **local** (default).

## Details
When a new request arrives, the system first checks if the URL starts with `/api/v1/`. If it does, the system then verifies whether the URL is included in the whitelist (*whitelistURLs*). If the URL is whitelisted, the request proceeds; otherwise, the system enforces authentication.

@ */packages/server/src/index.ts*
```typescript
           this.app.use(async (req, res, next) => {
                // Step 1: Check if the req path contains /api/v1 regardless of case
                if (URL_CASE_INSENSITIVE_REGEX.test(req.path)) {
                    // Step 2: Check if the req path is case sensitive
                    if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
                        // Step 3: Check if the req path is in the whitelist
                        const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
                        if (isWhitelisted) {
                            next()
                        } else if (req.headers['x-request-from'] === 'internal') {
                            basicAuthMiddleware(req, res, next)
                        } else {
                            const isKeyValidated = await validateAPIKey(req)
                            if (!isKeyValidated) {
                                return res.status(401).json({ error: 'Unauthorized Access' })
                            }
                            next()
                        }
                    } else {
                        return res.status(401).json({ error: 'Unauthorized Access' })
                    }
                } else {
                    // If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas
                    next()
                }
            }
```

**The whitelist is defined as follows**

```typescript
export const WHITELIST_URLS = [
    '/api/v1/verify/apikey/',
    '/api/v1/chatflows/apikey/',
    '/api/v1/public-chatflows',
    '/api/v1/public-chatbotConfig',
    '/api/v1/prediction/',
    '/api/v1/vector/upsert/',
    '/api/v1/node-icon/',
    '/api/v1/components-credentials-icon/',
    '/api/v1/chatflows-streaming',
    '/api/v1/chatflows-uploads',
    '/api/v1/openai-assistants-file/download',
    '/api/v1/feedback',
    '/api/v1/leads',
    '/api/v1/get-upload-file',
    '/api/v1/ip',
    '/api/v1/ping',
    '/api/v1/version',
    '/api/v1/attachments',
    '/api/v1/metrics'
]
```
This means that every route in the whitelist does not require authentication. Now, let's examine the `/api/v1/attachments` route.

@ */packages/server/src/routes/attachments/index.ts*
```typescript
const router = express.Router()
// CREATE
router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)
export default router
```
After several calls, the request reaches the `createFileAttachment` function @ (*packages/server/src/utils/createAttachment.ts*)
Initially, the function retrieves *chatflowid* and *chatId* from the request without any additional validation. The only check performed is whether these parameters exist in the request.

```typescript
    const chatflowid = req.params.chatflowId
    if (!chatflowid) {
        throw new Error(
            'Params chatflowId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }

    const chatId = req.params.chatId
    if (!chatId) {
        throw new Error(
            'Params chatId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }
```

Next, the function retrieves the uploaded files and attempts to add them to the storage by calling the `addArrayFilesToStorage` function.

```typescript
const files = (req.files as Express.Multer.File[]) || []
    const fileAttachments = []
    if (files.length) {
        // ...
        for (const file of files) {
            const fileBuffer = await getFileFromUpload(file.path ?? file.key)  // get the uploaded file
            const fileNames: string[] = []
            file.originalname = Buffer.from(file.originalname, 'latin1').toString('utf8')
            // add it to the storage
            const storagePath = await addArrayFilesToStorage(file.mimetype, 
                                                             fileBuffer,
                                                             file.originalname,
                                                             fileNames,
                                                             chatflowid, chatId) // add it to the storage

            // ...

            await removeSpecificFileFromUpload(file.path ?? file.key) // delete from tmp
           //  ...

                fileAttachments.push({
                    name: file.originalname,
                    mimeType: file.mimetype,
                    size: file.size,
                    content
                })
            } catch (error) {
                throw new Error(`Failed operation: createFileAttachment - ${getErrorMessage(error)}`)
            }
        }
    }

    return fileAttachments
```

Now lets take a look at `addArrayFilesToStorage` function @ (*/packages/components/src/storageUtils.ts*)

```typescript
export const addArrayFilesToStorage = async (mime: string, bf: Buffer, fileName: string, fileNames: string[], ...paths: string[]) => {
    const storageType = getStorageType()

    const sanitizedFilename = _sanitizeFilename(fileName)
    if (storageType === 's3') {
      // ...
    } else {
        const dir = path.join(getStoragePath(), ...paths) // PATH TRAVERSAL.
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }
        const filePath = path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}
```

As noted in the comment, to construct the directory, the function joins the output of the `getStoragePath` function with `...paths`, which are essentially the `chatflowid` and `chatId` extracted earlier from the request.
However, as mentioned previously, these values are not validated to ensure they are UUIDs or numbers. As a result, an attacker could manipulate these variables to set the **dir** variable to any value.
Combined with the fact that the filename is also provided by the user, this leads to **unauthenticated arbitrary file upload**.

## POC
This is the a HTTP request. As observed, we are not authenticated, and by manipulating the `chatId` parameter, we can perform a path traversal. In this example, we overwrite the `api.json` file, which contains the API keys for the system.

![File Uplaod Vulnerability.](https://lh3.googleusercontent.com/d/1zcr-MSJUnRbGRmnoD_meo5uh8Hf8FaEK)

> in this example, the **dir** variable will be
```typescript
var dir = '/root/.flowise/storage/test/../../../../../../../../root/.flowise/'
```
> and the file name is `api.json`

And the API Keys in the UI

![File Uplaod Vulnerability.](https://lh3.googleusercontent.com/d/1Y0jl8uQuzpp0EFyUzCItifiG5UW35hhV)

### Impact
This vulnerability could potentially lead to
* Remote Code Execution
* Server Takeover
* Data Theft
And more

**Summary**

An unauthorized attacker can leverage the whitelisted route /api/v1/attachments to upload arbitrary files when the storageType is set to **local** (default).

**Details**

When a new request arrives, the system first checks if the URL starts with /api/v1/. If it does, the system then verifies whether the URL is included in the whitelist (_whitelistURLs_). If the URL is whitelisted, the request proceeds; otherwise, the system enforces authentication.

@ _/packages/server/src/index.ts_

           this.app.use(async (req, res, next) \=> {
                // Step 1: Check if the req path contains /api/v1 regardless of case
                if (URL\_CASE\_INSENSITIVE\_REGEX.test(req.path)) {
                    // Step 2: Check if the req path is case sensitive
                    if (URL\_CASE\_SENSITIVE\_REGEX.test(req.path)) {
                        // Step 3: Check if the req path is in the whitelist
                        const isWhitelisted \= whitelistURLs.some((url) \=> req.path.startsWith(url))
                        if (isWhitelisted) {
                            next()
                        } else if (req.headers\['x-request-from'\] \=== 'internal') {
                            basicAuthMiddleware(req, res, next)
                        } else {
                            const isKeyValidated \= await validateAPIKey(req)
                            if (!isKeyValidated) {
                                return res.status(401).json({ error: 'Unauthorized Access' })
                            }
                            next()
                        }
                    } else {
                        return res.status(401).json({ error: 'Unauthorized Access' })
                    }
                } else {
                    // If the req path does not contain /api/v1, then allow the request to pass through, example: /assets, /canvas
                    next()
                }
            }

**The whitelist is defined as follows**

export const WHITELIST\_URLS \= \[
    '/api/v1/verify/apikey/',
    '/api/v1/chatflows/apikey/',
    '/api/v1/public-chatflows',
    '/api/v1/public-chatbotConfig',
    '/api/v1/prediction/',
    '/api/v1/vector/upsert/',
    '/api/v1/node-icon/',
    '/api/v1/components-credentials-icon/',
    '/api/v1/chatflows-streaming',
    '/api/v1/chatflows-uploads',
    '/api/v1/openai-assistants-file/download',
    '/api/v1/feedback',
    '/api/v1/leads',
    '/api/v1/get-upload-file',
    '/api/v1/ip',
    '/api/v1/ping',
    '/api/v1/version',
    '/api/v1/attachments',
    '/api/v1/metrics'
\]

This means that every route in the whitelist does not require authentication. Now, let's examine the /api/v1/attachments route.

@ _/packages/server/src/routes/attachments/index.ts_

const router \= express.Router()
// CREATE
router.post('/:chatflowId/:chatId', getMulterStorage().array('files'), attachmentsController.createAttachment)
export default router

After several calls, the request reaches the createFileAttachment function @ (_packages/server/src/utils/createAttachment.ts_)  
Initially, the function retrieves _chatflowid_ and _chatId_ from the request without any additional validation. The only check performed is whether these parameters exist in the request.

    const chatflowid \= req.params.chatflowId
    if (!chatflowid) {
        throw new Error(
            'Params chatflowId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }

    const chatId \= req.params.chatId
    if (!chatId) {
        throw new Error(
            'Params chatId is required! Please provide chatflowId and chatId in the URL: /api/v1/attachments/:chatflowId/:chatId'
        )
    }

Next, the function retrieves the uploaded files and attempts to add them to the storage by calling the addArrayFilesToStorage function.

const files \= (req.files as Express.Multer.File\[\]) || \[\]
    const fileAttachments \= \[\]
    if (files.length) {
        // ...
        for (const file of files) {
            const fileBuffer \= await getFileFromUpload(file.path ?? file.key)  // get the uploaded file
            const fileNames: string\[\] \= \[\]
            file.originalname \= Buffer.from(file.originalname, 'latin1').toString('utf8')
            // add it to the storage
            const storagePath \= await addArrayFilesToStorage(file.mimetype, 
                                                             fileBuffer,
                                                             file.originalname,
                                                             fileNames,
                                                             chatflowid, chatId) // add it to the storage

            // ...

            await removeSpecificFileFromUpload(file.path ?? file.key) // delete from tmp
           //  ...

                fileAttachments.push({
                    name: file.originalname,
                    mimeType: file.mimetype,
                    size: file.size,
                    content
                })
            } catch (error) {
                throw new Error(\`Failed operation: createFileAttachment - ${getErrorMessage(error)}\`)
            }
        }
    }

    return fileAttachments

Now lets take a look at addArrayFilesToStorage function @ (_/packages/components/src/storageUtils.ts_)

export const addArrayFilesToStorage \= async (mime: string, bf: Buffer, fileName: string, fileNames: string\[\], ...paths: string\[\]) \=> {
    const storageType \= getStorageType()

    const sanitizedFilename \= \_sanitizeFilename(fileName)
    if (storageType \=== 's3') {
      // ...
    } else {
        const dir \= path.join(getStoragePath(), ...paths) // PATH TRAVERSAL.
        if (!fs.existsSync(dir)) {
            fs.mkdirSync(dir, { recursive: true })
        }
        const filePath \= path.join(dir, sanitizedFilename)
        fs.writeFileSync(filePath, bf)
        fileNames.push(sanitizedFilename)
        return 'FILE-STORAGE::' + JSON.stringify(fileNames)
    }
}

As noted in the comment, to construct the directory, the function joins the output of the getStoragePath function with ...paths, which are essentially the chatflowid and chatId extracted earlier from the request.  
However, as mentioned previously, these values are not validated to ensure they are UUIDs or numbers. As a result, an attacker could manipulate these variables to set the **dir** variable to any value.  
Combined with the fact that the filename is also provided by the user, this leads to **unauthenticated arbitrary file upload**.

**POC**

This is the a HTTP request. As observed, we are not authenticated, and by manipulating the chatId parameter, we can perform a path traversal. In this example, we overwrite the api.json file, which contains the API keys for the system.

> in this example, the **dir** variable will be

var dir \= '/root/.flowise/storage/test/../../../../../../../../root/.flowise/'

> and the file name is api.json

And the API Keys in the UI

**Impact**

This vulnerability could potentially lead to

*   Remote Code Execution
*   Server Takeover
*   Data Theft  
    And more

**References**

*   GHSA-h42x-xx2q-6v6g
*   FlowiseAI/Flowise@c2b830f

GHSA-h42x-xx2q-6v6g: Flowise Pre-auth Arbitrary File Upload

UNC3886 hackers target Juniper routers with custom backdoor malware, exploiting outdated systems for stealthy access and espionage. Learn how to stay protected.

Cybersecurity researchers at Google’s Mandiant have exposed a series of attacks which took place in mid-2024 targeting Juniper routers running the Junos OS operating system. These attacks, linked to a Chinese hacking group known as UNC3886, involved planting custom-built malware designed to secretly control the devices while evading detection.

****What Happened?****

Mandiant’s investigation revealed that UNC3886 deployed backdoors disguised as legitimate system processes on Juniper MX routers running outdated hardware and software. These routers, using end-of-life (EOL) configurations, were easier targets due to vulnerabilities in their security systems. The malware leveraged Junos OS’s Veriexec, a file integrity monitor, to avoid detection. Instead of disabling Veriexec, the attackers injected malicious code into legitimate processes

According to the company’s blog post shared with Hackread.com ahead of publishing on Wednesday, these backdoors were built on the foundation of a publicly available hacking tool called TINYSHELL.

What makes these attacks particularly alarming is how the hackers customized their malware to integrate into the Juniper environment. The malicious programs were disguised as legitimate system processes, mimicking names like “appid” (a play on a real Juniper process) to avoid raising suspicion. Beyond stealth, the malware included features to disable logging on the routers, effectively erasing traces of the attackers’ activities and making it harder for security teams to spot the intrusion.

To carry out their attacks, the hackers exploited the inner workings of Junos OS, the operating system powering Juniper’s routers and other networking gear. Junos OS is built on a modified version of FreeBSD, a Unix-like system, and offers two ways to interact with it: a command-line interface (CLI) for standard operations and a shell mode that provides deeper access to the underlying system. The attackers used this shell mode to execute their malicious commands.

****How Did the Hackers Make This Happen?****

The attackers gained access by using stolen credentials to infiltrate router management interfaces. Once inside, they injected malware into legitimate processes, such as the cat command, leveraging named pipes and memory manipulation to **evade detection**.

To cover their tracks, some backdoors disabled logging functions, effectively erasing evidence of their presence. For instance, the lmpad backdoor altered system logs and disabled SNMP alerts, making it significantly harder for defenders to spot unauthorized access.

****The Malware Toolkit****

UNC3886 deployed six customized backdoors, all derived from the open-source TINYSHELL framework but specifically adapted for Junos OS. Each variant had unique functionalities:

*   **appid** and **to**: These were active backdoors with hardcoded command-and-control (C2) servers, allowing attackers to upload/download files, execute shell commands, and route traffic through proxies.

*   **irad**: A passive backdoor that remained dormant until triggered by specific “magic strings” in network traffic. Once activated, it could launch remote shells or relay connections.

*   **lmpad**: This hybrid backdoor acted as both a backdoor and a stealth tool. It disabled logging, modified system files, and patched memory to prevent audit logs from recording malicious activity.

*   **jdosd** and **oemd**: These passive backdoors used encrypted **UDP/TCP channels** for covert file transfers and remote command execution, making detection even more challenging.

****About UNC3886****

UNC3886 is a well-known hacking group with a track record of targeting network devices and virtualization technologies, often using previously unknown vulnerabilities (known as **zero-day exploits**). The group’s main focus is on espionage against industries like defence, technology, and telecommunications, particularly in the US and Asia.

While other Chinese hacking campaigns, such as those attributed to groups like **Volt Typhoon** or **Salt Typhoon**, have made headlines, Mandiant found no direct technical connections between UNC3886’s activities and those operations. This suggests that UNC3886 is a distinct threat, operating with its own tools and strategies.

****Why Does This Matter?****

Routers and other network devices are the backbone of modern IT infrastructure, directing traffic and connecting systems across organizations. But unlike laptops or servers, these devices often lack proper security monitoring tools, making them attractive targets for attackers. Once compromised, a router can provide a gateway to an entire network, allowing hackers to spy on communications, steal data, or launch further attacks.

The fact that UNC3886 targeted older, unsupported Juniper devices highlights another issue such as how many organizations continue to rely on outdated equipment, either due to budget restrictions or oversight. These systems are **sitting ducks** for skilled attackers, as they no longer receive patches for newly discovered vulnerabilities.

****What Should Organizations Do?****

Mandiant and Juniper Networks have worked together to address the issue, and they’ve outlined steps organizations can take to protect themselves:

*   **Upgrade Devices**: Replace end-of-life Juniper hardware and software with supported versions. Juniper has released updated software images that include fixes and improved detection capabilities.

*   **Run Security Scans**: Use Juniper’s Malware Removal Tool (JMRT) to perform a Quick Scan and Integrity Check on your devices after upgrading. This can help identify and remove any malicious programs.

*   **Monitor and Harden Networks**: Strengthen security around network devices by limiting access, using strong authentication, and regularly reviewing logs for unusual activity, even though attackers may try to disable logging.

*   **Stay Informed**: Keep up with security advisories from vendors like Juniper and reports from cybersecurity firms like Mandiant to stay ahead of emerging threats.

Chinese Cyber Espionage Group UNC3886 Backdoored Juniper Routers

Tel Aviv, Israel, 12th March 2025, CyberNewsWire

**Tel Aviv, Israel, March 12th, 2025, CyberNewsWire**

CYREBRO, the AI-native Managed Detection and Response (MDR) solution, announced today that it won Silver in the category of Security Operations Center (SOC) solutions at the annual 2025 Globee Awards. The program aims to raise awareness about cybersecurity issues and honor those who have made significant contributions in protecting organizations and individuals from cyber threats.

This award comes on the heels of significant advancements for CYREBRO, solidifying its position as a future-proof cybersecurity leader. The company has recently launched its proprietary security data lake, enabling unparalleled threat analysis and faster, more precise detection. This innovation, coupled with a strategic partnership with Google Cloud, enhances CYREBRO’s ability to scale and deliver cutting-edge security solutions across diverse environments.

CYREBRO’s commitment to global expansion is evident in its rapidly growing customer base across new markets, demonstrating the universal need for proactive threat detection and response across companies of all sizes.

CYREBRO remains steadfast in its 100% channel-based strategy, empowering its partners to deliver exceptional MDR services to their clients. This approach ensures seamless integration and personalized service, maximizing the value of CYREBRO’s MDR capabilities.

> “We are honored to receive this prestigious award,” said Ori Arbel, CYREBRO CTO. “This recognition validates our relentless pursuit of innovation and our dedication to empowering businesses with robust cybersecurity defenses. We’re particularly proud of the strides we’ve made in enhancing our platform, directly translating to superior security outcomes for our partners and customers.”

**About CYREBRO**

CYREBRO is an AI-native, end-to-end Managed Detection and Response (MDR) solution, designed for hands-off or hands-on control through its future-proof SOC platform.

With its advanced Security Data Lake revolutionizing SIEM and SOAR capabilities, CYREBRO includes 24/7 SOC monitoring and threat intelligence, augmented with exceptionally swift incident response and forensic investigations. CYREBRO delivers precision-guided threat detection and response across any tech stack, providing clear, actionable insights to ensure world-class security and compliance.

With comprehensive visibility and expert guidance, CYREBRO empowers over 900 businesses of all sizes to manage threats proactively, enhancing their security posture and delivering full and complete protection.

**Contact**

**CMO**  
**Gil Harel**  
**CYREBRO**  
**\[email protected\]**

CYREBRO’s AI-Native MDR Platform Earns Silver at the 2025 Globee Cybersecurity Awards

San Jose, United States / California, 12th March 2025, CyberNewsWire

**San Jose, United States / California, March 12th, 2025, CyberNewsWire**

Aptori’s AI-Driven AppSec Platform Proactively Eliminates Vulnerabilities to Minimize Risk and Ensure Compliance.

**Aptori**, a leader in AI-driven application security, today announced the launch of its **AI-driven AppSec Platform** on **Google Cloud Marketplace** as part of graduating from Google Cloud’s **ISV Startup Springboard program**. This new agentic AI solution leverages semantic reasoning to analyze application code and logic in real time, delivering deterministic vulnerability detection, contextual risk prioritization, and automated remediation.

Aptori’s AI-driven approach goes beyond traditional static analysis. Unlike conventional tools, its proprietary semantic reasoning technology understands application logic and behavior in real-time, allowing it to detect complex security flaws—including business logic vulnerabilities, API misconfigurations, and runtime threats—that other solutions often miss. The result is deeper coverage and more precise security insights.

Acting as a proactive teammate, Aptori’s **AI Security Engineer** works alongside developers and security teams to identify security weaknesses, assess risk, and implement fixes in real-time. As a core component of the AI-Driven AppSec Platform, the AI Security Engineer provides deep semantic understanding of code and applications, accelerating secure development while ensuring compliance and reducing the risk of breaches.

Aptori’s participation in the **Google for Startups Accelerator: AI-First** program has further advanced its capabilities. By integrating **Gemini models** with its semantic reasoning technology, the AI Security Engineer now delivers exceptionally precise code fixes, accelerating remediation with unparalleled speed and accuracy.

>  “Bringing Aptori’s AI Security Engineer to Google Cloud Marketplace will help customers quickly deploy, manage, and grow the solution on Google Cloud’s trusted global infrastructure,” said **Dai Vu, Managing Director, Marketplace & ISV GTM Programs at Google Cloud.** “Aptori can now securely scale and support customers on their digital transformation journeys.”

> “We’re thrilled to work with Google Cloud to empower global enterprises with seamless solutions to tackle evolving security and compliance challenges,” said **Sumeet Singh, CEO & Founder of Aptori**. “CISOs are under immense pressure to protect sensitive data, ensure compliance, and mitigate risks—while security teams struggle to keep up with the pace of development. Now, with AI-driven semantic analysis detecting vulnerabilities and delivering precise fixes in real time, we’re empowering security teams to stay ahead of threats, enforce compliance, and make proactive security a competitive advantage.”

**Key Benefits of the Aptori AI-Driven AppSec Platform**

*   **Automated Vulnerability Detection –** Leverages semantic reasoning to identify security weaknesses in code, containers, applications, APIs, and cloud infrastructure, detecting risks beyond traditional static analysis.
*   **Automated Risk Remediation** – Aptori’s AI Agents integrate seamlessly into your SDLC to continuously detect, triage, and remediate vulnerabilities with AI-driven code fixes—accelerating secure development and minimizing the risk of breaches and data leaks.
*   **Continuous Compliance –** Seamlessly integrates into CI/CD pipelines, automating compliance with standards such as SOC 2, PCI DSS, HIPAA, HITRUST, NIS2, and ISO security frameworks, ensuring ePHI and sensitive data remain protected.

Aptori’s selection for the **Google Cloud** **ISV Startup Springboard** program marks a new era in AI-driven security, revolutionizing how organizations protect their applications at scale. Watch the **video** to learn more about Aptori’s transformative approach to security.

Users can explore how Aptori’s AI-powered application security solutions integrate with Google Cloud to enhance compliance, accelerate secure development, and mitigate risk. Explore the details at the **Aptori AI Security Center**.

**About Aptori**

Founded in 2021 and based in San Jose, California, **Aptori** is a leading innovator in AI-driven application security and vulnerability management. By harnessing advanced AI technology and Google Cloud’s Gemini, Aptori accurately identifies security vulnerabilities in code, applications, APIs, and infrastructure, enabling proactive threat detection, automated remediation, and ongoing compliance. Seamlessly integrated into CI/CD pipelines, Aptori continuously detects and remediates vulnerabilities while ensuring compliance with standards such as SOC 2, PCI DSS, HIPAA, HITRUST, NIS2, and ISO security frameworks.

Trusted by leading global enterprises, Aptori dramatically reduces vulnerability remediation time and accelerates secure software releases—empowering development and security teams to stay ahead of evolving cyber threats. 

Users can discover how Aptori empowers security teams with proactive protection, AI-driven vulnerability management, and streamlined compliance. Users can learn more at https://aptori.com.

LinkedIn: https://www.linkedin.com/company/aptori/

**Contact**

**Harinder Singh**  
**Aptori**  
**\[email protected\]**

Aptori Now on Google Cloud Marketplace for AI-Powered Security and Automated Risk Remediation

Microsoft's March 2025 Patch Tuesday fixes six actively exploited zero-day vulnerabilities, including critical RCE and privilege escalation flaws. Learn how these vulnerabilities impact Windows systems and why immediate patching is essential.

Microsoft has released its March 2025 security updates, addressing a total of 57 vulnerabilities, including six that were actively being exploited before the patch was available as part of the company’s Patch Tuesday. Additionally, one vulnerability was publicly disclosed before a fix was released, bringing the total number of zero-day flaws to seven.

For your information, Patch Tuesday is the second Tuesday of each month when Microsoft releases security updates, bug fixes, and software patches for Windows, Office, and other Microsoft products. It is a scheduled update cycle aimed at improving security and stability.

The March 2025 Patch Tuesday update addresses several security issues, including 23 elevations of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerability, and 3 spoofing vulnerabilities. These counts do not include vulnerabilities patched in Mariner or Microsoft Edge earlier in the month.

Six of the zero-day vulnerabilities were being actively exploited. One, tracked as CVE-2025-24983, enables local attackers to gain system-level privileges by exploiting a race condition in the Windows Win32 Kernel Subsystem where multiple processes simultaneously access or modify shared resources. This flaw affects various Windows versions.

CVE-2025-24991 and CVE-2025-24984 are information disclosure vulnerabilities found in Windows NTFS that allow an attacker with physical access to a Windows device to read sensitive information from the system’s memory, and access portions of “heap memory,” a dynamic allocation region, by inserting a malicious USB drive, potentially stealing sensitive data or credentials. The publicly disclosed zero-day vulnerability, CVE-2025-26630, is a remote code execution (RCE) flaw in Microsoft Access caused by a use-after-free memory bug.

Other zero-day vulnerabilities include CVE-2025-24985, another RCE flaw in the Windows Fast FAT File System Driver caused by an integer overflow. CVE-2025-24993 is a remote code execution vulnerability in Windows NTFS caused by a heap-based buffer overflow. These vulnerabilities can be exploited by tricking users into mounting a crafted VHD file, allowing attackers to execute their code.

Finally, CVE-2025-26633, a security feature bypass in the Microsoft Management Console. The attacker must convince a user to interact with a malicious link or file, such as a specially crafted MMC (.msc) file. If successful, the attacker can circumvent security measures and gain unauthorized access to administrative tools and system settings,

The six critical vulnerabilities, all RCE flaws with CVSS scores ranging between 7.8 through 8.8, affect various Microsoft products. Two of these impact Windows Remote Desktop Services (CVE-2025-24045 and CVE-2025-24035), while the others relate to Microsoft Office, Windows Domain Name Service (CVE-2025-24064), Remote Desktop Client, and Windows Subsystem for Linux Kernel (CVE-2025-24084).

The NTFS and FAT RCE flaws are highlighted as particularly concerning, as they are part of an exploit chain that includes the NTFS information disclosure vulnerabilities. These vulnerabilities are related to mounting virtual hard disk (VHD) files, which could be used to deliver malware payloads.

In addition to Microsoft, other vendors have also released security updates or advisories in March 2025. These include Broadcom, Cisco, Edimax, Google, Ivanti, Fortinet, Paragon, and SAP.

Experts emphasize the importance of applying these patches promptly, particularly those addressing zero-day vulnerabilities. CVE-2025-24057 and CVE-2025-26630 require Office updates and users of Office 2016 need to install two specific patches.

> Security updates for March 2025 are now available. Details are available here: https://t.co/ItXjYLFR2w #PatchTuesday #SecurityUpdateGuide pic.twitter.com/Wx1JOTwTZ2
> 
> — Security Response (@msftsecresponse) March 11, 2025

****Expert Insights on Key Vulnerabilities****

Cybersecurity experts at Immersive have highlighted several vulnerabilities that warrant immediate attention:

*   **Windows NTFS / FAT Remote Code Execution (CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993)**
    
    These four actively exploited flaws relate to **remote code execution via Virtual Hard Disk (VHD) files**. While not remotely exploitable over a network, attackers can trick users into mounting malicious VHDs, potentially delivering malware. Organizations should monitor for VHD files in emails or downloads and apply security restrictions where possible. _Kev Breen, Senior Director of Threat Research, Immersive_.
    

*   **Microsoft Management Console Security Bypass (CVE-2025-26633)**
    
    Attackers are exploiting this flaw to **bypass security restrictions via social engineering**. Users may receive malicious .msc files through phishing emails or compromised websites. Security teams should monitor for .msc executions from untrusted sources to detect potential exploitation. _Kev Breen, Senior Director of Threat Research, Immersive_.
    

*   **Windows Remote Desktop Services RCE (CVE-2025-24035)**
    
    This critical vulnerability enables **remote attackers to execute arbitrary code** on systems with Remote Desktop Gateway enabled. Successful exploitation could lead to malware deployment, lateral movement, and security tool evasion. _Ben Hopkins, Cybersecurity Engineer, Immersive_.
    

*   **Mark of the Web (MoTW) Bypass (CVE-2025-24061)**
    
    Attackers can exploit this flaw to **bypass Windows’ security warnings** on downloaded files. Malicious .url files or web-based lures can trick users into executing harmful content. As similar vulnerabilities have been actively exploited in the past, this remains a high-risk issue. _Ben Hopkins, Cybersecurity Engineer, Immersive_.
    

*   **Win32 Kernel Subsystem Privilege Escalation (CVE-2025-24983)**
    
    A race condition vulnerability allows attackers to escalate privileges to the SYSTEM level, gaining full control over affected systems. This can enable security evasion and credential theft using tools like Mimikatz. Microsoft has confirmed in-the-wild exploitation, reinforcing the need for immediate patching. _Natalie Silva, Lead Cybersecurity Engineer, Immersive_.
    

Security experts emphasize that organizations should prioritize patching these vulnerabilities, especially those actively exploited, to reduce the risk of compromise.

Tag

#google