All news with #privilege escalation tag

Microsoft Patches 56 Flaws Including Active Zero-Days

🛡️ Microsoft released December 2025 patches addressing 56 Windows vulnerabilities, three rated Critical and 53 Important. The update fixes 29 privilege-escalation flaws, 18 remote code execution bugs and other defects, and includes two zero-days and one actively exploited use-after-free (CVE-2025-62221) in the Cloud Files Mini Filter Driver. Administrators are urged to prioritize the KEV-listed fix and follow vendor guidance for mitigation and monitoring.

BYOVD Loader Used to Disable EDR in DeadLock Ransomware

🔐 Cisco Talos reported a novel Bring Your Own Vulnerable Driver (BYOVD) loader used to disable endpoint security and deliver DeadLock ransomware. The attacker exploited a Baidu Antivirus driver vulnerability (CVE-2024-51324) via a loader named EDRGay.exe and driver DriverGay.sys to terminate EDR processes at kernel level. A PowerShell payload bypassed UAC, disabled Windows Defender, stopped backup and database services, and removed all volume shadow copies. DeadLock uses a custom timing-based stream cipher and extensive kill and exclusion lists to encrypt files while avoiding system corruption.

December 2025 Patch Tuesday: One Zero-Day, 57 CVEs Addressed

🔔 Microsoft’s December 2025 Patch Tuesday addresses 57 CVEs, including one actively exploited Important zero‑day in the Windows Cloud Files Mini Filter Driver and two publicly disclosed Important zero‑days impacting GitHub Copilot for JetBrains and PowerShell. Two Critical RCE flaws in Microsoft Office increase urgency for enterprise patching and remediation. Organizations should prioritize applying Microsoft fixes, adopt layered mitigations where patches are delayed, and use CrowdStrike Falcon dashboards to track affected assets and remediation progress.

Critical King Addons WordPress Plugin Flaw Exploited

⚠️ A critical privilege-escalation vulnerability in the King Addons plugin for Elementor (CVE-2025-8489, CVSS 9.8) is being actively exploited to create administrative accounts. The flaw stems from an insecure handle_register_ajax() implementation that permits unauthenticated users to specify the administrator role during registration via the "/wp-admin/admin-ajax.php" endpoint. A patch is available in version 51.1.35 (released September 25, 2025); administrators should update immediately and audit for unauthorized admin users.

Mirion Medical EC2 NMIS BioDose: High-Risk Vulnerabilities

⚠️ Mirion Medical's EC2 Software NMIS BioDose versions prior to 23.0 contain multiple high-severity vulnerabilities (CVSS v4: 8.7) that are remotely exploitable and can enable code execution, data disclosure, and unauthorized access. The issues include incorrect permission assignment, client-side authentication, and hard-coded credentials affecting installed executables, the embedded SQL Server, and database accounts. Mirion recommends updating to v23.0 or later; CISA advises isolating control networks, minimizing exposure, and using secure remote access while performing impact analysis.

Google Issues December Patch for 107 Android Flaws

🔒 Google released its December 2025 Android security update addressing 107 vulnerabilities across Framework, System, Kernel and components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. Two high-severity Framework defects — CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege elevation) — are reported as exploited in the wild. A separate critical Framework issue, CVE-2025-48631, could enable remote DoS without added privileges. Google published two patch levels, 2025-12-01 and 2025-12-05, and users should update promptly when vendors release device-specific builds.

Talos Discloses Multiple Dell, Lasso, GL.iNet Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across Dell ControlVault, the Entr'ouvert Lasso SAML library, and the GL.iNet Slate AX travel router. Issues range from a hard-coded password and privilege escalation in ControlVault to memory corruption and buffer overflows that can enable arbitrary code execution, a type confusion bug and DoS in Lasso, and an OTA firmware downgrade in GL.iNet. Vendors have issued patches under Cisco’s disclosure policy and Snort rule updates are available to detect exploitation. Administrators should apply vendor updates, verify OTA integrity mechanisms, and deploy IDS signatures promptly.

JackFix uses fake Windows update pop-ups to deliver stealers

⚠️ Cybersecurity researchers report a JackFix campaign that uses fake Windows Update pop-ups on cloned adult sites to trick users into running mshta.exe and PowerShell commands. According to Acronis and Huntress, the attack chain leverages obfuscation, privilege escalation and can deploy multiple stealers including Rhadamanthys, RedLine and Vidar. Organizations are advised to train users and consider disabling the Windows Run box via Group Policy or Registry changes to reduce risk.

Grafana warns of critical admin-spoofing flaw in Enterprise

⚠️ Grafana Labs has disclosed a maximum-severity vulnerability (CVE-2025-41115) in Grafana Enterprise that can allow new SCIM-provisioned users to be treated as administrators or used for privilege escalation. The flaw is only exploitable when SCIM provisioning is enabled and both the 'enableSCIM' feature flag and 'user_sync_enabled' option are true, because numeric SCIM externalId values were mapped directly to internal user.uid values. Affected self-managed Enterprise releases include 12.0.0 through 12.2.1; administrators should upgrade to a patched release (12.3.0, 12.2.1, 12.1.3, or 12.0.6) or disable SCIM. Grafana Cloud and managed services have already received patches.

Grafana fixes critical SCIM flaw enabling user impersonation

🔒 Grafana has released security updates to address a maximum-severity flaw (CVE-2025-41115) in its SCIM provisioning component that can enable user impersonation or privilege escalation under specific configurations. The issue allows a malicious or compromised SCIM client to provision a user with a numeric externalId that may be mapped to an internal user ID. It affects Grafana Enterprise 12.0.0–12.2.1 and was fixed in 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0. Grafana discovered the bug during an audit on November 4, 2025 and urges immediate patching.

ServiceNow Now Assist agents vulnerable by default settings

🔒 AppOmni disclosed a second-order prompt injection that abuses ServiceNow's Now Assist agent discovery and agent-to-agent collaboration to perform unauthorized actions. A benign agent parsing attacker-crafted prompts can recruit other agents to read or modify records, exfiltrate data, or escalate privileges — all enabled by default configuration choices. AppOmni recommends supervised execution, disabling autonomous overrides, agent segmentation, and active monitoring to reduce risk.

Schneider Electric PowerChute Serial Shutdown Fixes

🔒 Schneider Electric has released updates for PowerChute Serial Shutdown to address multiple vulnerabilities that may be exploited locally on the network. The issues include path traversal (CWE-22, CVE-2025-11565), excessive authentication attempts (CWE-307, CVE-2025-11566), and incorrect default permissions (CWE-276, CVE-2025-11567) with CVSS scores up to 7.8. Schneider Electric published version 1.4 with fixes for Windows and Linux; administrators should upgrade and apply recommended permissions and network isolation measures.

Dragon Breath Deploys RONINGLOADER to Deliver Gh0st RAT

🔒 Elastic Security Labs and Unit 42 describe a China‑focused campaign in which the actor Dragon Breath uses a multi‑stage loader named RONINGLOADER to deliver a modified Gh0st RAT. The attack leverages trojanized NSIS installers that drop two embedded packages—one benign and one stealthy—to load a DLL and an encrypted tp.png file containing shellcode. The loader employs signed drivers, WDAC tampering, and Protected Process Light abuse to neutralise endpoint protections popular in the Chinese market before injecting a persistent high‑privilege backdoor.

Siemens Spectrum Power 4 Vulnerabilities and Patches

🔒 Siemens disclosed multiple vulnerabilities in Spectrum Power 4 that allow privilege escalation and remote command execution in affected versions prior to V4.70 SP12 Update 2. Several issues carry high severity ratings (CVSS v4 up to 8.7) and include weaknesses such as incorrect privilege and permission assignments (CWE-266, CWE-732), incorrect use of privileged APIs (CWE-648), and inclusion of untrusted control-sphere functionality (CWE-829). Siemens recommends updating to V4.70 SP12 Update 2 and limiting network exposure; CISA reiterates defensive best practices.

Siemens Altair Grid Engine Vulnerabilities Advisory Notice

⚠️ Siemens Altair Grid Engine contains multiple local vulnerabilities that can enable privilege escalation and arbitrary code execution with superuser rights. One issue discloses password hashes in error messages (CWE-209, CVE-2025-40760, CVSS 5.5) and another allows library path hijacking via uncontrolled environment variables (CWE-427, CVE-2025-40763, CVSS 7.8). Siemens and CISA recommend updating to V2026.0.0 and applying mitigations such as removing setuid bits from affected binaries where appropriate.

Active Directory Under Siege: Risks in Hybrid Environments

🔐 Active Directory remains the critical authentication backbone for most enterprises, and its growing complexity across on‑premises and cloud hybrids has expanded attackers' opportunities. The article highlights common AD techniques — Golden Ticket, DCSync, and Kerberoasting — and frequent vulnerabilities such as weak and reused passwords, lingering service accounts, and poor visibility. It recommends layered defenses: strong password hygiene, privileged access management, zero‑trust conditional access, continuous monitoring, and rapid patching. The piece stresses that AD security is continuous and highlights solutions that block compromised credentials in real time.

Microsoft Patches 63 Flaws Including Kernel Zero‑Day

🔒 Microsoft released patches for 63 vulnerabilities, four rated Critical and 59 Important, including a Windows Kernel zero-day (CVE-2025-62215) that Microsoft says is being exploited in the wild. The flaws span privilege escalation, remote code execution, information disclosure and DoS, with notable heap-overflow issues in Graphics Component and WSL GUI. Administrators are urged to prioritize updates where exploits are known or where vulnerabilities permit privilege escalation or remote code execution.

Microsoft Fixes Windows Kernel Zero Day in November

🔒 Microsoft released its November Patch Tuesday updates addressing over 60 CVEs, including an actively exploited Windows kernel zero-day (CVE-2025-62215). The flaw is a race-condition and double-free that can let low-privileged local attackers corrupt kernel memory and escalate to system privileges, though exploitation requires precise timing and local code execution. Administrators should also prioritise a critical GDI+ RCE (CVE-2025-60724, CVSS 9.8) that can be triggered by parsing specially crafted metafiles. Microsoft additionally issued an out-of-band update (KB5071959) to resolve Windows 10 Consumer ESU enrollment failures.

Microsoft November 2025 Patch Tuesday: 63 Vulnerabilities

🔒 Microsoft released its November 2025 Patch Tuesday addressing 63 vulnerabilities across Windows, Office, Visual Studio and other components, including five labeled Critical. One important kernel elevation flaw, CVE-2025-62215, has been observed exploited in the wild. Critical issues include RCE in GDI+, Office, and Visual Studio, plus a DirectX elevation-of-privilege; Microsoft rates several as less likely to be exploited. Cisco Talos published Snort and Snort 3 rules and advises customers to apply updates and rule packs promptly.

CPU Spike Reveals RansomHub Intrusion Before Ransomware

🔍 Varonis responded after a server CPU spike exposed an active intrusion later attributed to RansomHub affiliates. The attacker gained initial access via a SocGholish JavaScript masquerading as a browser update, then deployed a persistent Python-based SOCKS proxy and automated reconnaissance to hunt credentials and enumerate Active Directory. Within hours the actor obtained Domain Admin privileges and initiated broad discovery and exfiltration; Varonis developed an unpacker, identified IOCs, and coordinated containment and remediation that prevented ransomware with zero downtime.