Be Careful With Fake Zoom Client Downloads
Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an update to the Zoom client.
https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014
Python tarfile Vulnerability
Recently, the Python tarfile module introduced a filter option to help mitigate some of the insecure behavior common to software unpacking archives. This filter is, however, not working quite as well as it should.
https://mail.python.org/archives/list/[email protected]/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/
Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability
HP fixed, among other vulnerabilities, a critical remote code execution vulnerability in Insight Remote Support (IRS)
https://www.zerodayinitiative.com/advisories/ZDI-25-325/

Phishing e-mail that hides malicious links from Outlook users
Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses Outlook interprets to render or not render specific parts of the email s HTML code. Jan suggests that the phishing email is intented to not expose users of
https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010
Amazon changing default logging from blocking to non-blocking
Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs.
https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/
Cisco Removes Backdoor
Cisco fixed a Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
Infoblox Vulnerability Details disclosed
Details regarding several vulnerabilities recently patched in Infoblox s NetMRI have been made public. In particular an unauthenticated remote code execution issue should be considered critical.
https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

vBulletin Exploits CVE-2025-48827, CVE-2025-48828
We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulltin is run on PHP 8.1, and was patched over a year ago. However, vBulltin never disclosed the type of vulnerability that was patched.
https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006
Google Chrome 0-Day Patched
Google released a security update for Google Chrome patching three flaws. One of these is already being exploited.
https://chromereleases.googleblog.com/
Roundcube Update
Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code.
https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
HP Vulnerabilities in StoreOnce
HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Simple SSH Backdoor
Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host.
https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000
Google Chrome to Distrust CAs
Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire.
https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html
Microsoft Emergency Update to Fix Crashes Caused by May Patch
Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys
Qualcomm Adreno Graphics Processing Unit Patch (Exploited!)
Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices.
https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

A PNG Image With an Embedded Gift
Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit.
https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code.
https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/
Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE
A change in PHP 8.1 can expose methods previously expected to be safe . vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published.
https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

Alternate Data Streams: Adversary Defense Evasion and Detection
Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse.
https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990
Connectwise Breach Affects ScreenConnect Customers
Connectwise s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions.
https://www.connectwise.com/company/trust/advisories
Mark Your Calendar: APT41 Innovative Tactics
Google detected attacks leveraging Google s calendar solution as a command and control channel.
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender
Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and sophisticated attackers poses a significant security challenge.
https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/

Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack
Jennifer Wilson took a weird string found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Exploring%20a%20Use%20Case%20of%20Artificial%20Intelligence%20Assistance%20with%20Understanding%20an%20Attack/31980
Ransomware Deployed via SimpleHelp Vulnerabilities
Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victim s networks via MSPs. The exploited vulnerabilities were patched in January.
https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
OS Command Injection in Everetz Equipment
Broadcast equipment manufactured by Everetz is susceptible to an OS command injection vulnerability. Everetz has not responded to researchers reporting the vulnerability so far and there is no patch available.
https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009

SSH authorized_keys File
One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems.
https://isc.sans.edu/diary/Securing%20Your%20SSH%20authorized_keys%20File/31986
REMOTE COMMAND EXECUTION ON SMARTBEDDED METEOBRIDGE (CVE-2025-4008)
Weatherstation software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability
https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008
https://forum.meteohub.de/viewtopic.php?t=18687
Manageengine ADAuditPlus SQL Injection
Zoho patched two SQL Injection vulnerabilities in its ManageEngine ADAuditPlus product
https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html
https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html
Dero Miner Infects Containers through Docker API
Kaspersky found yet another botnet infecting docker containers to spread crypto coin miners. The initial access happens via exposed docker APIs.
https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

SVG Steganography
Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG.
https://isc.sans.edu/diary/SVG%20Steganography/31978
Fortinet Vulnerability Details CVE-2025-32756
Horizon3.ai shows how it was able to find the vulnerability in Fortinet s products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th
https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/
Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets or to inject malicious code into an application.
https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Resilient Secure Backup Connectivity for SMB/Home Users
Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse.
https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to.
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949
The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user
https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass