All news with #privilege escalation tag

Google ships September Android patches for 120 flaws

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

Schneider Electric Saitel RTU Privilege Escalation Advisory

⚠ Schneider Electric disclosed an improper privilege management vulnerability (CVE-2025-8453, CVSS 6.7) affecting Saitel DR and Saitel DP Remote Terminal Units that could allow an authenticated privileged engineer with console access to escalate privileges and potentially execute arbitrary code. Schneider released HUe firmware 11.06.30 for Saitel DR to remediate the issue; a remediation plan for Saitel DP is pending. CISA notes the vulnerability is not remotely exploitable and recommends limiting physical and console access, enforcing root ownership and restrictive permissions on configuration files, and following ICS defensive guidance.

Storm-0501 Deletes Azure Data and Backups After Exfiltration

🔒 Microsoft Threat Intelligence details a campaign by Storm-0501 that exfiltrated data from a large enterprise’s Azure environment, then deleted backups and encrypted remaining resources to block recovery. The actor abused Entra Connect synchronization, elevated to Global Administrator, and used Azure Owner privileges to steal storage keys and transfer blobs via AzCopy. Microsoft recommends enabling blob backups, least privilege, logging, and Azure Backup to mitigate these cloud-native ransomware tactics.

Storm-0501 Exploits Entra ID to Exfiltrate Azure Data

🔐 Microsoft Threat Intelligence reports that the financially motivated actor Storm-0501 has refined cloud-native techniques to rapidly exfiltrate and delete data in hybrid Azure environments. The group leveraged on-premises footholds—using tools such as Evil-WinRM and a DCSync attack—to compromise an Entra Connect server and identify a non-human synced Global Admin account without MFA. With that account the attackers registered a threat actor-owned federated tenant as a backdoor, escalated Azure privileges, and proceeded to mass-extract data and remove resources and backups before extorting victims through compromised Microsoft Teams accounts. Microsoft has updated Entra ID behavior, released Entra Connect 2.5.3.0 to support Modern Authentication, and recommended enabling TPM, enforcing MFA, and other hardening controls.

BadCam: Reflashed Webcams Enable BadUSB-Style Attacks

🔒 Researchers demonstrated BadCam, a BadUSB-style attack presented at BlackHat that reflashes a webcam's firmware so a standard camera can act as a programmable HID device. The proof-of-concept targeted Lenovo 510 FHD and Lenovo Performance FHD models using a SigmaStar SoC, exploiting lack of cryptographic firmware verification and Linux USB Gadget support to present keyboard/network interfaces. Standard scans and OS reinstalls won't remove such implants, so organizations should apply firmware patches, USB control policies, and HID monitoring to mitigate the risk.

Storm-0501 Debuts Brutal Hybrid Ransomware Chain Attack

🚨 Microsoft Threat Intelligence says financially motivated group Storm-0501 has refined a brutal hybrid ransomware chain that leverages hijacked privileged accounts to pivot from on‑prem Active Directory into Azure, exploiting visibility gaps to exfiltrate, encrypt, and mass‑delete cloud resources and backups. The actor used Evil‑WinRM for lateral movement and DCSync to harvest credentials, abused a non‑MFA synced global admin to reset passwords, and created a malicious federated domain for broad persistence. After exfiltration they deleted backups where possible, encrypted remaining cloud data, and initiated extortion via a compromised Microsoft Teams account. CISOs are urged to enforce least privilege, audit on‑prem assets, close cloud visibility gaps, and rehearse ransomware playbooks.

Docker fixes critical container escape CVE-2025-9074

🚨Docker has released an urgent patch for CVE-2025-9074, a critical container escape flaw in Docker Desktop for Windows and macOS that carries a CVSS score of 9.3. A malicious container could reach the Docker Engine API at 192.168.65.7:2375 without authentication, create and start new containers that bind the host C:\ drive and thereby access or modify host files. The issue is fixed in version 4.44.3; Enhanced Container Isolation (ECI) does not mitigate the vulnerability. Linux desktop installations are not affected because they use a host named pipe instead of a TCP socket.

Chinese Developer Jailed for Deploying Malicious Code

⚖️ A software developer was sentenced to four years in prison after deploying malicious code inside his US employer's network, the Department of Justice said. The defendant, identified as Davis Lu, introduced infinite-loop logic, deleted coworker profile files and implemented a credential-dependent kill-switch that locked out thousands of users in September 2019. The sabotage followed a corporate realignment that reduced his access; investigators found deleted encrypted data and internet searches showing intent to escalate privileges and rapidly delete files while obstructing remediation.

CISA Adds Three New Vulnerabilities to KEV Catalog

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025: CVE-2024-8069 and CVE-2024-8068 affecting Citrix Session Recording, and CVE-2025-48384, a Git link following vulnerability. CISA states these defects are supported by evidence of active exploitation and represent frequent attack vectors that pose significant risk to the federal enterprise. While BOD 22-01 binds Federal Civilian Executive Branch agencies to remediate listed CVEs by the required due dates, CISA urges all organizations to prioritize timely remediation and incorporate these entries into vulnerability management workflows.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

FUJIFILM Synapse Mobility Privilege Escalation Advisory

🔒 FUJIFILM Healthcare Americas Corporation has released fixes for a privilege-escalation vulnerability (CVE-2025-54551) affecting Synapse Mobility. The issue is an external control of an assumed-immutable web parameter that can be abused remotely with low attack complexity; CVSS v4 score is 5.3. FUJIFILM recommends upgrading to 8.2 or applying patches for 8.0–8.1.1. Immediate mitigations include disabling the configurator search function or unchecking "Allow plain text accession number," and CISA advises minimizing network exposure and using secure remote access.

Rockwell FactoryTalk Linx Access Control Flaw Risk

⚠️ Rockwell Automation's FactoryTalk Linx contains an improper access control vulnerability in the Network Browser that can be triggered by changing process.env.NODE_ENV to 'development', which disables FTSP token validation. An attacker with local access could create, modify, or delete Linx drivers on affected systems running versions prior to 6.50. The issue is tracked as CVE-2025-7972 (CVSS v4: 8.4) and Rockwell advises updating to 6.50 or applying recommended mitigations and network isolation.

Rockwell Viewpoint Privilege Escalation Security Advisory

🛡️ Rockwell Automation's FactoryTalk Viewpoint (version 14.00 and earlier) contains a privilege-escalation vulnerability tracked as CVE-2025-7973 that arises from improper handling of MSI repair operations. An attacker who can trigger a repair can hijack the SYSTEM-run cscript.exe console to spawn an elevated command prompt, enabling full privilege escalation; CVSS v4 is 8.5 (low attack complexity). Update to 15.00 or apply vendor-recommended mitigations; the issue is not remotely exploitable and no public exploitation has been reported.

Microsoft Patch Tuesday: August 2025 Security Fixes

🔒 Microsoft released fixes for more than 100 vulnerabilities in August 2025, including at least 13 rated Critical. Notable flaws include CVE-2025-53786, which lets attackers pivot from compromised on‑premises Exchange Server instances into cloud tenant services, and CVE-2025-53779 (BadSuccessor), a Kerberos dMSA weakness that can yield domain admin rights. Other high‑risk bugs affect GDI+, Word preview and NTLM; several fixes require configuration steps beyond patch installation.

ReVault: Deep Analysis of Dell ControlVault3 Firmware

🔒 This deep-dive by Philippe Laulheret (Talos) dissects Dell's ControlVault3 ecosystem, exposing firmware decryption, memory-corruption flaws, and exploit chains that cross the device/host boundary. The researchers recovered hardcoded keys, reverse-engineered the SCD/SMAU update mechanism, and achieved arbitrary code execution in firmware, enabling persistence and a demonstrated Windows Hello bypass. Practical attacks include forging SCD blobs, backdooring firmware to escalate to SYSTEM, and physically extracting the USH board over USB for rapid compromise.

CISA Issues Emergency Directive for Microsoft Exchange

⚠️ CISA issued Emergency Directive 25-02 directing federal civilian agencies to immediately update and secure hybrid Microsoft Exchange environments to address a post-authentication privilege escalation vulnerability. The flaw, tracked as CVE-2025-53786, could allow an actor with administrative access on an Exchange server to escalate privileges and affect identities and administrative access in connected cloud services. CISA says it is not aware of active exploitation but mandates agencies implement vendor mitigation guidance and will monitor and support compliance. All organizations using hybrid Exchange configurations are urged to adopt the recommended mitigations.

Talos Discloses Multiple WWBN, MedDream, ThreadX Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across WWBN AVideo, MedDream PACS Premium, and the Eclipse ThreadX FileX component. The issues include several reflected and stored XSS flaws, a race condition and incomplete blacklist handling in AVideo that can be chained to achieve arbitrary code execution, privilege escalation and credential exposure in MedDream, and a RAM-disk buffer overflow in FileX that can lead to remote code execution on embedded devices. All affected vendors issued patches per Cisco’s disclosure policy, and Talos advises deploying vendor fixes and using Snort rule updates and Talos advisories for detection and mitigation guidance.

Microsoft .NET Bounty Program Raises Awards to $40,000

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.