Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-14 04:06:18 | thehackernews | MALWARE | Ivanti Fixes Critical Vulnerabilities in Endpoint Manager Software | Ivanti has issued updates for two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) software that enable remote code execution. These vulnerabilities were linked to two open-source libraries used in EPMM, though the specific libraries weren't disclosed. A very limited number of customers have reportedly been affected by these exploits, according to Ivanti. The vulnerabilities affect only the on-premises version of EPMM and not other Ivanti products like Ivanti Neurons for MDM or Ivanti Sentry. Ivanti notes that the risk can be significantly mitigated by filtering access to the API via built-in Portal ACLs or an external web application firewall. Additionally, Ivanti released patches for an unrelated authentication bypass issue in on-premises Neurons for ITSM, which also poses severe risks but has not been exploited. Users are encouraged to update their Ivanti software instances promptly to prevent potential exploitation by threat actors. | Details |
| 2025-05-14 00:47:21 | theregister | MISCELLANEOUS | Global Tech Giants Release Patches for Multiple Security Flaws | Microsoft disclosed five actively exploited vulnerabilities, emphasizing the need for immediate patching across Windows platforms and servers. Significantly, Microsoft’s Azure platform also demanded attention with three notable vulnerabilities addressed, including a critical authentication bypass in its DevOps platform. Adobe released patches targeting critical flaws in multiple applications, such as Photoshop and Illustrator, capable of arbitrary code execution. Apple's patch round included a fix for an exploited flaw in its watchOS and a broad series of updates across various platforms including iOS, macOS, and Safari, targeting both security improvements and bug fixes. SAP revealed 18 new fixes, including re-releases for critical vulnerabilities affecting its NetWeaver platform. Ivanti introduced patches for critical and high-severity vulnerabilities in its products, emphasizing security enhancements for ITSM and Cloud Services Application. The collective updates underscore a widespread and proactive effort by tech firms to mitigate vulnerabilities amid rising security threats. | Details |
| 2025-05-13 21:23:59 | theregister | MALWARE | New Exploit Circumvents Intel’s Spectre Defenses, Risks Data Leakage | Researchers from ETH Zurich have identified a new class of vulnerabilities, named Branch Predictor Race Conditions (BPRC), that circumvent Intel's defenses against Spectre vulnerabilities. The new exploit, called Branch Privilege Injection (BPI), enables unprivileged code to mimic kernel-level branch predictions, effectively bypassing Intel’s Indirect Branch Restricted Speculation and Indirect Branch Predictor Barrier. This vulnerability affects all Intel x86 processors since the 9th generation and has implications for both individual computers and cloud services by potentially allowing malicious programs to access sensitive data across different security domains. Intel has released a microcode update to mitigate the newly discovered vulnerabilities and has seen a performance impact of up to 2.7% during mitigation tests. Despite these patches, the fundamental issue related to speculative execution remains a challenge, and vulnerabilities like Spectre are likely to persist as long as this method is used in CPU design. AMD and ARM chips are reportedly not affected by this specific vulnerability. Intel encourages users to contact their system manufacturers for the appropriate updates and continues to enhance its hardware mitigations against such speculative execution vulnerabilities. | Details |
| 2025-05-13 20:49:34 | bleepingcomputer | CYBERCRIME | SAP Addresses New Zero-Day Flaw Amid Continued Cyber Attacks | SAP released patches for a newly exploited zero-day vulnerability in its NetWeaver servers. The patch addresses vulnerabilities discovered during investigations of prior attacks leveraging a different zero-day flaw fixed in April. Cybersecurity firms linked attacks exploiting these vulnerabilities to a Chinese threat actor and observed significant compromises in Fortune 500 companies. Attackers used a combination of unauthorized file uploads and insecure deserialization to execute commands remotely on affected systems. SAP has urged customers to update their systems promptly and monitor for any suspicious server activity. The United States Cybersecurity and Infrastructure Security Agency (CISA) has included the previous flaw in its Known Exploited Vulnerabilities Catalog, requiring federal agencies to secure their systems swiftly. Over 2000 SAP NetWeaver servers remain exposed online, posing risks of further attacks. | Details |
| 2025-05-13 20:41:25 | theregister | MISCELLANEOUS | Trump's $400M Qatari Jet Gift Raises Security and Ethical Issues | The Trump administration is poised to accept a $400 million luxury Boeing 747-8 from the royal family of Qatar, intended as a temporary Air Force One. Retrofitting the aircraft to meet U.S. presidential security standards could take years and be extremely costly, potentially interfering with the ongoing program to replace the current VC-25A aircraft. Security experts question the practicality of adapting a foreign-owned jet, citing massive expenses and the need for advanced security measures such as in-flight refueling capabilities and a fortified hull and windows. The aircraft is set to be transferred to Trump’s presidential library foundation after his term, raising legal and ethical issues regarding the acceptance of such a valuable gift from a foreign power. Retrofitting would include intensive inspections and replacements in communications, engines, and security systems to guard against electronic and physical threats. There are concerns about potential espionage risks, as foreign actors could embed surveillance devices; extensive countermeasures would be required to ensure complete security. If accepted, the aircraft might not be operational until after Trump’s term in office, making the arrangement impractical despite its initial no-cost appeal. | Details |
| 2025-05-13 20:21:00 | bleepingcomputer | NATION STATE ACTIVITY | North Korea's Cyberspying Efforts Intensify Against Ukraine | North Korea's threat group Konni (Opal Sleet, TA406) specifically targeted Ukrainian government sectors to collect intelligence concerning the ongoing conflict. The operation was intended to inform North Korean leadership about the risks to its troops in Ukraine and evaluate additional support requirements for Russia. Phishing emails impersonating think tanks were used to bait recipients into clicking malicious links, leading to malware installation for espionage activities. The emails contained attachments that, when opened, deployed PowerShell scripts designed to capture data from the infected systems and maintain persistence on the compromised network. Proofpoint researchers noted that this strategic intelligence gathering might affect the durability of the conflict and North Korea’s future involvement. Various tactics were used, including fake security alerts from Microsoft to capture credentials, enhancing the ability to hijack accounts. The complexity of the cybersecurity landscape in Ukraine is deepened by this detected activity, adding to the extensive cybersecurity threats posed by Russian state-sponsored operations. | Details |
| 2025-05-13 19:21:11 | bleepingcomputer | DATA BREACH | Twilio Responds to Claims of Leaked Steam 2FA Codes | Twilio has denied allegations of a security breach after a hacker claimed to possess over 89 million Steam user records, including 2FA codes. The leaked data set comprises 3,000 records with one-time passcodes and phone numbers purportedly tied to Steam user accounts. An independent games journalist suggests the incident may involve a supply-chain issue at Twilio, possibly due to compromised admin accounts or API key misuse. Twilio has initiated an investigation and confirmed it is taking the claims seriously, but insists there is no evidence supporting a breach of its systems. There is speculation that the leak could stem from another SMS intermediary involved in the 2FA process between Twilio and Steam. Steam, operated by Valve Corporation and with over 120 million monthly users, has not commented on the breach claims. Steam users are advised to activate the Steam Guard Mobile Authenticator and monitor their accounts for any unauthorized access. | Details |
| 2025-05-13 18:32:37 | bleepingcomputer | MALWARE | Ivanti Patches Critical Vulnerabilities in Endpoint Manager Mobile | Ivanti has issued updates for its Endpoint Manager Mobile (EPMM) to address two zero-day vulnerabilities that could allow remote code execution. The vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, involve an authentication bypass and a remote code execution flaw, respectively. Attackers could chain these vulnerabilities to execute arbitrary code without authentication. While exploitation has been limited to a few incidents, Ivanti urges customers to install the relevant patches for their on-prem EPMM products immediately. The identified vulnerabilities are linked to two unnamed open-source libraries used by EPMM. Ivanti has advised customers to contact its support team for further guidance and has confirmed that other products like Ivanti Neurons for MDM are not affected. The advisory also notes that hundreds of Ivanti EPMM instances remain exposed online, especially in Germany and the United States. | Details |
| 2025-05-13 17:39:39 | theregister | CYBERCRIME | Commvault Resolves Critical CVE Flaw After Alert | Commvault patched a critical vulnerability, CVE-2025-34028, in its Command Center software, which was under active exploitation and carries a CVSS severity score of 10. The critical issue, a path traversal bug, allowed attackers to execute remote code by sending specially crafted ZIP files containing malicious .jsp files. Although updates were issued to address this vulnerability, they were initially not effective for users of the free trial version of the software. Security researcher Will Dormann discovered that the supposedly fixed versions still permitted exploitation of the vulnerability and required additional, hard-to-find updates. After Dormann's communication with Commvault, the company revised its advisory to specify that additional updates were needed and made these updates more accessible. Initially, free trial users had to wait for a month to receive updates; however, following Dormann’s intervention, Commvault changed its policy to allow instant access to patches for all users. Commvault has since adjusted its patching policy, ensuring both licensed and unlicensed users can access and deploy patches immediately upon availability. | Details |
| 2025-05-13 17:22:10 | bleepingcomputer | MISCELLANEOUS | Google Enhances Android 16 Security with Advanced Protection Features | Google announced improvements to the Advanced Protection feature in Android 16, targeting device-level security against sophisticated spyware. The enhancements include verified boot, runtime integrity checks, strong sandboxing, USB port lockdown, and app isolation. Advanced Protection prevents the disabling of security settings and enforces hardened security across all Google and third-party apps. New features include privacy-preserving intrusion logging, which stores data securely in the cloud, and a block on auto-reconnection to weak Wi-Fi networks. Additional updates in Android 16 focus on data security and privacy, such as in-call scam protections and the Key Verifier mechanism for verifying contacts' identities to combat text-based fraud. Android 16 will integrate improved AI-based Scam Detection in the Messages and Phone apps, and expand device loss protection features with the new Find Hub. | Details |
| 2025-05-13 16:49:52 | bleepingcomputer | CYBERCRIME | Fortinet Patches Zero-Day Exploited in FortiVoice System Attacks | Fortinet issued security updates for a critical vulnerability in FortiVoice systems, tagged CVE-2025-32756. The vulnerability, a stack-based buffer overflow, was exploited in targeted attacks using crafted HTTP requests to achieve remote code execution. CVE-2025-32756 also affects other Fortinet products, including FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Attackers used tactics such as deleting system crash logs and enabling 'fcgi debugging' to obscure their activities and log sensitive data. Six IP addresses have been identified from which the attacks were conducted, with related malware deployment and credential harvesting activities observed. Fortinet provided mitigation advice for those unable to immediately apply the security updates, recommending that the HTTP/HTTPS administrative interfaces be disabled on impacted devices. These attacks are part of a larger trend noted by Fortinet and others, including a recent FortiSwitch vulnerability and a symlink backdoor affecting thousands of devices. | Details |
| 2025-05-13 15:56:25 | bleepingcomputer | CYBERCRIME | Ivanti Patches Critical Authentication and Privilege Escalation Flaws | Ivanti has released updates addressing a critical auth bypass vulnerability in its Neurons for ITSM product, tracked as CVE-2025-22462. The vulnerability allows unauthenticated attackers to gain administrative access and impacts on-premises systems running specified earlier versions. Proper configuration, such as securing the IIS website or implementing DMZs, reduces the risk of exploitation. Ivanti also warned of another vulnerability (CVE-2025-22460) in its Cloud Services Appliance that could allow local privilege escalation. The company advised that the fix for the CSA flaw is not automatically applied during upgrades and requires specific reinstall or mitigation steps. No active exploitation of these vulnerabilities has been discovered, though the company continues to monitor for any potential misuse. Previous vulnerabilities in Ivanti products have been exploited by nation-state actors, highlighting the importance of timely patch management. Ivanti's ongoing patches follow the exploitation of other security flaws in its products, reflecting a pattern of targeted cyberattacks. | Details |
| 2025-05-13 15:17:26 | thehackernews | NATION STATE ACTIVITY | Chinese APTs Exploit New SAP Flaw, Breach Global Critical Infrastructure | China-nexus nation-state actors have exploited a critical SAP NetWeaver vulnerability (CVE-2025-31324) to target and compromise critical infrastructure worldwide. The exploitation activity has primarily impacted networks in sectors such as natural gas distribution, water management utilities, medical device manufacturing, and oil and gas exploration, particularly in the UK, USA, and Saudi Arabia. Dutch cybersecurity firm EclecticIQ has attributed the attacks to several Chinese threat groups (UNC5221, UNC5174, and CL-STA-0048), which use the vulnerability to deploy web shells for persistent access and remote command execution. The server associated with the attacks contained multiple files that helped map out both current breaches and planned targets. Three different Chinese hacking groups are actively using this SAP flaw to conduct extensive reconnaissance and maintain remote control over affected systems. Alongside this, another critical vulnerability in NetWeaver's Visual Composer Metadata Uploader (CVE-2025-42999) was reported, and affected users are urged to update their systems as quickly as possible given the risk of active exploitation. Continued targeting of widely used platforms like SAP NetWeaver by sophisticated threat actors emphasizes the strategic importance of these systems, posing significant risks for enterprises globally. | Details |
| 2025-05-13 15:04:12 | bleepingcomputer | MALWARE | New Intel CPU Vulnerability Leaks Sensitive Kernel Data | A newly identified flaw in modern Intel CPUs named 'branch privilege injection' allows attackers to leak sensitive data from privileged memory areas. This vulnerability affects all Intel processors from the 9th generation onwards and could lead to the leakage of passwords, cryptographic keys, and other sensitive information. The flaw was discovered by ETH Zurich researchers, who demonstrated that Spectre v2 mitigations could be bypassed using a novel branch predictor race condition exploit. The exploit involves misleading the CPU's branch predictor, causing speculative execution to proceed with attacker-controlled operations that expose sensitive data. Demonstrated on Ubuntu 24.04, the attack achieved data leak rates of up to 5.6 KB/sec with 99.8% accuracy. While ARM and AMD processors were tested for similar vulnerabilities, none exhibited the flawed behavior affecting Intel CPUs. Intel has released microcode updates to mitigate the vulnerability, which introduce a performance overhead of between 1.6% and 8.3%. Researchers urge users to apply the latest BIOS/UEFI and OS updates to protect against the exploit, which will be detailed further in their upcoming technical paper at USENIX Security 2025. | Details |
| 2025-05-13 14:56:31 | thehackernews | MALWARE | Malicious PyPI Package Mimics Solana Tool, Steals Code | A malicious package named "solana-token" was found on the Python Package Index (PyPI), designed to steal source code and developer secrets. The package, impersonating a Solana blockchain application tool, was downloaded 761 times before being removed. First published in early April 2024, the package exfiltrates data to a predetermined IP address under the guise of a blockchain function. Targeting developers intending to create their own blockchains, the malicious package could covertly exfiltrate sensitive crypto-related secrets. The exact distribution method of this malware is unknown, but it was likely promoted in developer communities. The incident highlights the ongoing risk of supply chain attacks, particularly within the cryptocurrency sector. Security expert Karlo Zanki emphasizes the need for development teams to robustly monitor and vet third-party software to fend off such malicious intrusions. | Details |