In Eclipse GlassFish version 7.0.15, it is possible to perform Stored Cross-Site Scripting attacks through the Administration Console.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-62g9-99m7-w8wv: Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console

In Eclipse GlassFish version 7.0.16 or earlier, it is possible to perform login brute force attacks as there is no limitation on the number of failed login attempts.

GHSA-99f7-hp6j-v6q4: Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts

GHSA-mqxx-c43h-jj9v: Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console

The AI gold rush is on. But without identity-first security, every deployment becomes an open door. Most organizations secure native AI like a web app, but it behaves more like a junior employee with root access and no manager.
From Hype to High Stakes
Generative AI has moved beyond the hype cycle. Enterprises are:

Deploying LLM copilots to accelerate software development
Automating customer

AI Agents Act Like Employees With Root Access—Here's How to Regain Control

Amazon has emailed 200 million customers to warn them about a rather convincing phishing campaign.

Amazon has sent out an alert to its 200 million customers, warning them that scammers are impersonating Amazon in a Prime membership scam.

In the email, sent earlier this month, Amazon said it had noticed an increase in reports about fake Amazon emails:

> **What’s happening:**
> 
> Scammers are sending fake emails claiming your Amazon Prime subscription will automatically renew at an unexpected price.
> 
> The scammers might include personal information in the emails, obtained from other sources, in an attempt to appear legitimate.
> 
> These emails may also include a “cancel subscription” button leading to a fake Amazon login page.

Once someone clicks on the “Cancel’ button, they are taken to a fake Amazon login screen. Once they login there, the scammer then has their details that they can use to login to the actual Amazon site and purchase things, as well as login to any other online account that uses the same credentials.

The fake site might also request payment information and other personal details which, when entered, will go straight to the scammer who will be quick to use or sell them on.

Amazon’s customer base is so large that they are a target all year long. Amazon said its staff had handled cases including fake messages about Prime membership renewals, bogus refund offers, and calls claiming Amazon accounts have been hacked. At Malwarebytes, we’ve seen emails pretending to be from Amazon that tried to drive customers to fake websites like amazons.digital, a site we block for phishing.

**How to avoid falling for an Amazon scam**

*   If you receive an email like this, don’t click on any links.
*   Not sure if a message is from Amazon or not? You can check by going to the **Message Centre** under **Your Account**. Legitimate messages from Amazon will appear there.
*   Report the scam to Amazon itself, whether you’ve fallen for it or not.
*   Set up two-step verification for your Amazon account. This puts an extra barrier between you and the scammers if they do manage to get hold of your login details.
*   Like in this particular scam that Amazon is warning about, scammers sometimes include personal details about you which they have got from other sources (such as social media, the dark web, etc.). Check what information is already out there about you using our free Digital Footprint Scanner and then remove or change as much of it as you can.
*   Install web protection that can warn you of phishing sites, card skimmers, and other nasties that could lead to your data being taken.
*   Lastly, if you’ve fallen for this or a similar scam, change your Amazon password and anywhere else you use that password. Also, make sure to monitor your card statements for any unfamiliar charges, and contact your bank immediately if you see anything suspicious.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Amazon warns 200 million Prime customers that scammers are after their login info 

The decision between immediate action and delayed response made the difference between ransomware prevention and complete encryption in these two real-world Talos IR engagements.

Talos IR ransomware engagements and the significance of timeliness in incident response

Google on Tuesday rolled out fixes for six security issues in its Chrome web browser, including one that it said has been exploited in the wild.
The high-severity vulnerability in question is CVE-2025-6558 (CVSS score: 8.8), which has been described as an incorrect validation of untrusted input in the browser's ANGLE and GPU components.
"Insufficient validation of untrusted input in ANGLE and

Urgent: Google Releases Critical Chrome Update for CVE-2025-6558 Exploit Active in the Wild

Social engineering attacks have entered a new era—and they’re coming fast, smart, and deeply personalized.
It’s no longer just suspicious emails in your spam folder. Today’s attackers use generative AI, stolen branding assets, and deepfake tools to mimic your executives, hijack your social channels, and create convincing fakes of your website, emails, and even voice. They don’t just spoof—they

Deepfakes. Fake Recruiters. Cloned CFOs — Learn How to Stop AI-Driven Attacks in Real Time

Fake Telegram apps are being spread through 607 malicious domains to deliver Android malware, using blog-style pages and phishing tactics to trick users.

A new threat campaign is tricking Android users into downloading fake Telegram apps from hundreds of malicious domains, according to new research from BforeAI’s PreCrime Labs. The operation, active in recent weeks, uses lookalike websites, QR code redirections, and a modified APK laced with dangerous permissions and remote execution features.

The threat intelligence team identified 607 domains linked to the campaign. All pose as official Telegram download pages, most registered through the Gname registrar and hosted in China. Some sites use domain names like teleqram, telegramapp, and telegramdl to mimic the brand, targeting users who may not notice slight spelling changes.

****Fake App, Real Damage****

According to BforeAI’s blog post shared with Hackread.com ahead of publishing on Tuesday, victims are prompted to download what appears to be the Telegram Messenger app via links or QR codes.

Researchers also observed two versions of the APK, with 60MB and 70MB in size. Once installed, the app behaves like the real thing on the surface but quietly grants broad permissions and enables remote command execution.

What’s noticeable is that the phishing sites used in this campaign look like personal blogs or unofficial fan pages. A typical example redirects users to zifeiji(.)asia, a site styled with Telegram’s favicon, download buttons, and colors. Page titles are loaded with SEO phrases in Chinese like “Paper Plane Official Website Download” in what appears to be an attempt to improve visibility in search results while distracting users from the app’s real intent.

****Janus Vulnerability Resurfaces****

The malicious APK is signed with an older v1 signature scheme, making it vulnerable to the Janus vulnerability, which affects Android versions 5.0 through 8.0. Janus allows threat actors to insert harmful code into a legitimate APK without changing its signature. In this case, the malware retains a valid signature, helping it bypass standard detection methods.

Once on a device, the app leverages cleartext protocols (HTTP, FTP) and accesses external storage broadly. It also includes code that interacts with MediaPlayer and uses sockets to receive and act on remote commands. This level of control could be used to monitor activity, steal files, or launch further attacks.

For your information, the Janus vulnerability (CVE-2017-13156) is a serious security flaw in Android devices that allowed attackers to modify legitimate APK or DEX files without changing their cryptographic signature, making malicious apps appear trusted and unaltered.

**Firebase Exploitation Risks Persist**

One key finding relates to a now-deactivated Firebase database at tmessages2(.)firebaseio(.)com, previously used by the attackers. While the original database has gone offline, researchers warn that it could easily be reactivated by any attacker who registers a new Firebase project under the same name.

Older versions of the malware hardcoded to that endpoint would then connect to the new attacker-controlled database automatically. This tactic extends the campaign’s viability, even if the original operators move on.

The page distributing the malicious Telegram APK mimics a blog layout and prompts users to install the app, which requests a set of permissions categorised by severity due to their potential misuse. (Image via BforeAI)

**Embedded Tracking Scripts**

The malicious infrastructure also uses tracking JavaScript, such as ajs.js hosted on telegramt(.)net. The script collects device and browser details, sends the data to a remote server, and contains commented-out code to display a floating download banner targeting Android users. This setup is designed to increase installation rates by automatically detecting devices and tailoring the user experience.

**Domain Breakdown**

Out of the 607 domains, the top-level domain usage was as follows:

*   .com: 316
*   .top: 87
*   .xyz: 59
*   .online: 31
*   .site: 24

The high number of .com registrations suggest a deliberate effort to add credibility, while the use of low-cost domains supports wide distribution.

**Preventive Steps for Organisations**

To reduce the risk of exposure, BforeAI suggests that organisations take a few key precautions. First, set up automated domain monitoring to catch suspicious or lookalike site registrations before they become active. It’s also important to scan APK files, URLs, and related hash values using multiple threat intelligence sources to confirm whether they’re safe.

Where possible, block the delivery of APK or SVG attachments, especially if those file types aren’t needed for business use. Lastly, make sure users are trained to avoid downloading apps from unofficial sites, even if the page looks legitimate or mimics a well-known brand.

Phishing techniques have become sophisticated, and this campaign shows how old exploits like Janus can still be used against unsuspecting users. The use of QR codes, typosquatting, and repurposed cloud services adds a level of sophistication that makes simple filtering no longer enough.

Fake Telegram Apps Spread via 607 Domains in New Android Malware Attack

Metadata from the “raw” Epstein prison video shows approximately 2 minutes and 53 seconds were removed from one of two stitched-together clips. The cut starts right at the “missing minute.”

Newly uncovered metadata reveals that nearly three minutes of footage were cut from what the US Department of Justice and Federal Bureau of Investigation described as “full raw” surveillance video from the only functioning camera near Jeffrey Epstein’s prison cell the night before he was found dead. The video was released last week as part of the Trump administration’s commitment to fully investigate Epstein’s 2019 death but instead has raised new questions about how the footage was edited and assembled.

WIRED previously reported that the video had been stitched together in Adobe Premiere Pro from two video files, contradicting the Justice Department’s claim that it was “raw” footage. Now, further analysis shows that one of the source clips was approximately 2 minutes and 53 seconds longer than the segment included in the final video, indicating that footage appears to have been trimmed before release. It’s unclear what, if anything, the minutes cut from the first clip showed.

The nearly three-minute discrepancy may be related to the widely reported one-minute gap—between 11:58:58 pm and 12:00:00 am—that attorney general Pam Bondi has attributed to a nightly system reset. The metadata confirms that the first video file, which showed footage from August 9, 2019, continued for several minutes beyond what appears in the final version of the video and was trimmed to the 11:58:58 pm mark, right before the jump to midnight. The cut to the first clip doesn’t necessarily mean that there is additional time unaccounted for—the second clip picks up at midnight, which suggests the two would overlap—nor does it prove that the missing minute was cut from the video.

The footage was released at a moment of political tension. Trump allies had spent months speculating about the disclosure of explosive new evidence about Epstein’s death. But last week, the DOJ and FBI issued a memo stating that no “incriminating ‘client list’” exists and reaffirmed the government’s long-standing conclusion that Epstein—whom the US government accused of committing conspiracy to sex traffic minors and sex trafficking minors—died by suicide. That announcement triggered immediate backlash from pro-Trump influencers and media figures, who essentially accused the administration of a cover-up.

In response to detailed questions about how the video was assembled, WIRED sent a request for comment to the Department of Justice at 7:40 am on Tuesday morning. Just two minutes later, Natalie Baldassarre, a public affairs officer for the DOJ, replied tersely: “Refer you to the FBI.” The FBI declined WIRED’s request for comment.

On Friday, WIRED published an analysis of metadata embedded in the video, confirmed by independent video forensics experts, which indicates that the file was assembled from at least two source clips, saved multiple times, exported, and then uploaded to the DOJ’s website, where it was presented as “raw” footage.

WIRED’s initial analysis found that those saves took place over a 23-minute span; however, further analysis of additional metadata shows the file was actually edited and saved several times over a period of more than three and a half hours on May 23, 2025. Specifically, the file was created at 4:48 pm and last modified at 8:16 pm ET that day. The metadata also references “MJCOLE~1,” which is likely a shortened version of a longer username. While it likely begins with “MJCOLE,” the full name cannot be determined from the metadata alone.

Both analyses found that the two clips, labeled “2025-05-22 16-35-21.mp4” and “2025-05-22 21-12-48.mp4,” were stitched together. The first clip is 4 hours, 19 minutes, and 16 seconds long, but only the first 4 hours, 16 minutes, and 23.368 seconds appears in the published version, meaning nearly 2 minutes and 53 seconds were cut from the end. According to the metadata, the cut occurs just at 11:58:58 pm. The cut is milliseconds before the one-minute recording gap that Bondi said was caused by a quirk of the surveillance system. The second clip, “2025-05-22 21-12-48.mp4,” picks up immediately afterward, continuing the footage from 12:00:00 am until 6:40:00 am.

The analysis was first provided to WIRED by a researcher who requested anonymity for privacy reasons. WIRED reviewed its findings with two independent video forensics experts, each with over 15 years of experience in Premiere and video production, who confirmed that the edit occurred just before the missing minute mark and that approximately three minutes of footage were cut from the original clip.

The FBI released both “raw” and enhanced versions of the video. Both versions include internal comment markers, annotations typically used in editing software to flag moments of interest. The enhanced version, which the FBI referred to as Video 2, contains 15 such markers that apparently correspond to visible movement near “46 door” at New York’s Metropolitan Correctional Center (MCC). This door is near the cell block where Epstein was being held while awaiting trial on sex trafficking charges. These markers appear to have been left by analysts during their review, but they do not include the original comment text.

According to a 2023 report by the DOJ’s Office of the Inspector General (OIG), only two cameras in the vicinity of the Special Housing Unit (SHU), the area of the MCC where Epstein was held, were filming and recording at the time of his death. According to the report, the camera that recorded the footage the DOJ released July 7 captured video of a large portion of the SHU common area and parts of the stairways leading to various “tiers,” one of which housed Epstein’s cell.

The OIG report notes that the MCC’s surveillance system was outdated at the time of Epstein’s death, “had not been properly maintained,” and that the DVR hard drives that stored the video files “frequently malfunctioned and needed to be replaced.”

Both the 2023 OIG report and the DOJ-FBI memo published last week state that anyone entering or attempting to access the tier containing Epstein’s cell from the SHU common area on August 9 or 10, 2019, would have been visible on that camera. However, Epstein’s cell door itself was not within the camera’s field of view. The stairway leading to the tier where he was held was also partially obstructed and difficult to see clearly on the video. (A second camera, which covered the “ninth-floor fire exit and two of the floor’s four elevators,” was also filming at the time, according to the OIG report.)

Amid backlash from supporters and critics alike, President Donald Trump defended Bondi on Saturday, saying she was doing a “fantastic job.”

“What’s going on with my ‘boys’ and, in some cases, ‘gals?’ They’re all going after Attorney General Pam Bondi, who is doing a FANTASTIC JOB!” Trump wrote in a post on Truth Social. “We’re on one Team, MAGA, and I don’t like what’s happening. We have a PERFECT Administration, THE TALK OF THE WORLD, and ‘selfish people’ are trying to hurt it, all over a guy who never dies, Jeffrey Epstein.”

Tag

#web