Patches
An advisory from CISA highlights a local privilege escalation in Rockwell Automation’s FactoryTalk ViewPoint, fixed in version 15.00. Abuse of MSI repair handling can hijack the cscript.exe console running as SYSTEM to spawn an elevated command prompt. The issue is not remotely exploitable but carries high impact if triggered; recommended actions include updating where possible and reducing exposure of control networks. In parallel, CISA relayed Rockwell’s notice on Micro800 controllers that combines Azure RTOS flaws and an input‑validation defect. Exploitation could enable remote code execution, privilege escalation, or place devices into a fault state; Rockwell advises migrating or updating affected firmware branches to current releases and following its security best practices.
Two additional Rockwell issues affect FLEX 5000 I/O modules and FactoryTalk Linx. According to CISA, improper input validation of CIP Class 32 requests can remotely force certain FLEX 5000 modules into a persistent fault that requires a power cycle to clear; firmware V2.012 addresses the defects. Separately, CISA reports that FactoryTalk Linx Network Browser prior to version 6.50 can have FTSP token validation disabled if NODE_ENV is set to “development,” enabling local, unauthenticated driver management changes with high integrity and availability impact; Rockwell recommends upgrading to 6.50 and hardening system configurations.
Siemens advisories also focus on local abuse risks and physical-access protections. CISA details a deserialization flaw in engineering and automation platforms where a Windows Named Pipe accessible to local users can lead to type confusion and code execution within the affected application. Mitigations include restricting host access, running applications on single‑user systems where feasible, and following Siemens operational guidance. In addition, CISA notes an authentication bypass in RUGGEDCOM ROX II that permits a root shell via Built‑In‑Self‑Test mode when an attacker has physical access to the serial interface; Siemens advises configuring a secure boot password and operating devices in protected environments. Across these advisories, there are no reports to CISA of public exploitation at the time of publication, but operators are urged to perform impact analysis before applying changes and to keep operational networks isolated and monitored.
Research
A report from Talos describes a large malvertising campaign delivering a modular framework the team calls PS1Bot. The operation favors in‑memory execution using PowerShell and C# modules to reduce disk artifacts while enabling credential theft, keylogging, screenshots, and targeted collection of browser‑stored passwords and cryptocurrency wallets. Talos shares detections (Snort SIDs and ClamAV) and urges cautious handling of ad‑sourced downloads, keeping security tools current, and preferring dedicated password managers. The briefing also references conference research ranging from AI guardrail bypass techniques to firmware and API issues in ControlVault3 that could enable login bypass or persistence if left unpatched.
On AI‑enabled offense, Check Point summarizes Carnegie Mellon findings on whether large language models can autonomously plan and execute multi‑host intrusions. Raw models often fail at tool choice and parameter handling; the proposed scaffolding layer, Incalmo, constrains operations and validates inputs to markedly improve task completion and cross‑host coordination in testing. While not a claim of immediate, widespread autonomy, the work illustrates how structured orchestration could lower attacker effort and, importantly, where defenders can harden interfaces, validate parameters, and monitor provenance to blunt abuse.
Platforms
Palo Alto detailed a package of quantum‑security capabilities spanning software, hardware, and operational tooling. PAN‑OS 12.1 Orion adds a Cryptographic Inventory to classify deployed crypto as secure, weak, or vulnerable and supports NIST‑standard algorithms alongside pre‑standard post‑quantum candidates, enabling quantum‑safe VPNs and TLS with hybrid options. New PA‑5500 Series NGFWs emphasize high‑throughput encrypted traffic handling with hardware acceleration, while platform features include ETSI 014 protocol support for QKD and a cipher translation proxy to bridge legacy systems during migration. The aim is to help organizations address “harvest‑now, decrypt‑later” concerns and manage staged adoption without disrupting operations.
AWS announced its Spring 2025 renewal of PCI 3DS, adding Amazon Verified Permissions, AWS B2B Data Interchange, and AWS Resource Explorer to scope, along with new covered Regions in Thailand, Malaysia, and Mexico. Customers can access the Attestation of Compliance and responsibility summaries via AWS Artifact to streamline evidence collection and clarify shared‑responsibility boundaries for regulated workloads. Separately, CrowdStrike introduced Falcon Next‑Gen Identity Security, unifying real‑time initial‑access prevention, modern privileged access, identity threat detection and response, and SaaS identity security across human, non‑human, and AI agent identities through a single platform and lightweight sensor.
Incidents
CrowdStrike outlines SCATTERED SPIDER’s evolution into identity‑centric social engineering and rapid, paired exfiltration‑plus‑ransomware operations. The post details tactics such as help‑desk impersonation, MFA fatigue, and unauthorized identity federation, and provides practical detection content using Falcon Next‑Gen SIEM. Examples include rules for bursty failed push notifications followed by success, monitoring of identity provider modifications and privileged role events, and patterns indicating cloud or SaaS data exfiltration—underscoring the need to correlate identity, endpoint, cloud, and SaaS telemetry to disrupt the end‑to‑end intrusion chain.
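As an added illustration (not code from the CrowdStrike post, which expresses this logic as Falcon Next‑Gen SIEM rules), the following Python sketch implements the "bursty failed push notifications followed by success" detection over constructed MFA log lines; the log format, result values, and the failure count and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (assumed format, not a real product log).
# alice: four denied/timed-out pushes in a few minutes, then an approval (fatigue pattern).
# bob:   a single denial then approval (normal mistap, should not alert).
# carol: three failures spread over an hour; only one falls inside the window.
SAMPLE_EVENTS = [
    "2025-05-01T09:00:05Z user=alice result=DENIED ip=203.0.113.10",
    "2025-05-01T09:00:40Z user=alice result=TIMEOUT ip=203.0.113.10",
    "2025-05-01T09:01:15Z user=alice result=DENIED ip=203.0.113.10",
    "2025-05-01T09:02:00Z user=alice result=TIMEOUT ip=203.0.113.10",
    "2025-05-01T09:03:30Z user=alice result=APPROVED ip=203.0.113.10",
    "2025-05-01T09:10:00Z user=bob result=DENIED ip=198.51.100.7",
    "2025-05-01T09:10:20Z user=bob result=APPROVED ip=198.51.100.7",
    "2025-05-01T08:00:00Z user=carol result=DENIED ip=192.0.2.55",
    "2025-05-01T08:20:00Z user=carol result=DENIED ip=192.0.2.55",
    "2025-05-01T08:40:00Z user=carol result=TIMEOUT ip=192.0.2.55",
    "2025-05-01T08:45:00Z user=carol result=APPROVED ip=192.0.2.55",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$")
FAILURE_RESULTS = {"DENIED", "TIMEOUT"}

def parse_events(lines):
    """Parse log lines into (timestamp, user, result, ip) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"]))
    return sorted(events)

def detect_push_fatigue(lines, min_failures=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_failures failed pushes within `window`."""
    per_user = defaultdict(list)
    for ev in parse_events(lines):
        per_user[ev[1]].append(ev)
    alerts = []
    for user, evs in per_user.items():
        failures = []  # timestamps of failed pushes since the last approval
        for ts, _, result, ip in evs:
            if result in FAILURE_RESULTS:
                failures.append(ts)
            elif result == "APPROVED":
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= min_failures:
                    alerts.append({"user": user, "failed_pushes": len(recent),
                                   "approved_at": ts.isoformat(), "ip": ip})
                failures = []  # an approval closes the burst either way
    return alerts
```

In a real deployment the alert would be enriched with the identity-provider and endpoint context the post recommends correlating, rather than acted on from the push log alone.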