Advisory ID: ngCERT-2025-100010
SUMMARY
ngCERT writes to alert on the exploitation of vulnerabilities in F5 Devices and Networks by threat actors. Notably, the threat actors compromised F5’s systems and exfiltrated files, including a portion of its BIG-IP source code and vulnerability information, enabling targeted exploits for credential access and network infiltration. The attack has implications for data exfiltration, financial losses and reputational damage. Reportedly, these vulnerabilities pose an imminent threat to government networks and organisations using F5 products, with no specific CVEs disclosed. It is worth noting that F5 rotated signing certificates and keys in October 2025 to address risks from the breach. Thus, ngCERT urges all government agencies and organizations using F5 products to act promptly to prevent compromise of their systems and networks.
Damage: Critical
Probability: High
Platform(s): F5’s BIG-IP development and engineering platforms
DESCRIPTION
The breach, exploited through vulnerable internet-exposed software due to non-compliance with F5's own security guidelines, allowed long-term access to development and engineering platforms. Exfiltrated data includes BIG-IP source code and vulnerability information, facilitating static/dynamic analysis for flaws, exploit development, and access to embedded credentials/API keys. No specific CVEs have been disclosed yet, but the incident is related to F5's October 2025 Quarterly Security Notification and certificate/key rotation. Affected products include F5 BIG-IP hardware devices, F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IQ software, and BNK/CNF, with risks amplified for end-of-support devices. Exploitation requires no user interaction and can be remote if devices are internet-exposed. No public PoC exists, but the actor's knowledge increases the exploitation likelihood.
CONSEQUENCES
Successful exploitation of F5 vulnerabilities could result in:
- Credential access and network infiltration through targeted exploits developed from the stolen source code and vulnerability information.
- Data exfiltration.
- Financial losses.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Inventory and Assessment: Identify all F5 products (hardware, software, virtualised); conduct compromise assessments on internet-exposed management interfaces.
- Apply Updates and Patches: Install the latest F5 security updates from the October 2025 Quarterly Notification, validating MD5 checksums; prioritise key products by October 22, 2025, and the remaining products by October 31, 2025.
- Certificate and Key Rotation: Rotate F5-associated digital certificates and keys per guidance; update BIG-IP image verification processes to recognise new signing keys.
- Harden Systems: Restrict management access, follow F5 hardening best practices such as K53108777, and disconnect or replace end-of-support devices.
- Monitoring and Reporting: Perform continuous threat hunting and report suspected compromises to ngCERT.
HYPERLINK
- https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
- https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network
- Chinese Hackers Blamed for Severe Breach at US Cyber Firm F5 - Bloomberg
- Confirmed compromise of F5 network - NCSC.GOV.UK
- F5 signing certificate and key rotation, October 2025
TLP:CLEAR-[ngCERT SECURITY ADVISORY EXPLOITATION OF NEW ZERO-DAY VULNERABILITIES IN WINDOWS SYSTEMS]
Advisory ID: ngCERT-2025-100009
SUMMARY
ngCERT cautions on active exploitation of zero-day vulnerabilities in the Windows Remote Access Connection Manager (RasMan) and Windows Agere Modem Driver services, tracked as CVE-2025-59230 and CVE-2025-24990. Both flaws are elevation of privilege (EoP) vulnerabilities stemming from improper access control, allowing local attackers to escalate to SYSTEM-level privileges. Notably, two further privilege escalation vulnerabilities, CVE-2025-49708 and CVE-2025-55315, have been identified with CVSS scores of 9.9. Although these vulnerabilities were addressed in Microsoft's October 2025 Patch Tuesday updates, Windows users remain at high risk of compromise and attack. The ongoing exploitation of these vulnerabilities underscores the critical need for organizations to deploy security patches without delay.
Damage: Critical (CVSS Score: 7.8)
Probability: High
Platform(s): Windows System (Remote Access Connection Manager and Windows Agere Modem Driver)
DESCRIPTION
The attack chain for CVE-2025-59230 begins when attackers obtain low-privilege local access, often through phishing, malware, or social engineering. The attacker then sends specially crafted requests to the RasMan service, which manages remote network connections. Because of improper access controls, these requests bypass restrictions, allowing arbitrary code execution and escalation to SYSTEM privileges. This grants full system control, including data manipulation and persistence; functional exploit code has been observed in the wild.

For CVE-2025-24990, exploitation likewise begins with low-privilege local access on a system where the driver is present (it ships by default in supported Windows versions, even without the corresponding hardware). The attacker interacts with the driver, triggering an untrusted pointer dereference that manipulates kernel memory. This leads to arbitrary code execution in kernel mode, escalating privileges to administrator or SYSTEM level. The chain can be combined with other flaws, such as CVE-2025-24052, for broader attacks like ransomware deployment, and also affects legacy fax modem setups.
CONSEQUENCES
Successful exploitation of the aforementioned flaws can result in:
- Full system compromise.
- Data breaches.
- Malware infiltration.
- Data deletion and exfiltration.
- Ransomware deployment and attack.
- Financial losses.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Immediately apply Microsoft's October 2025 security updates, followed by a system restart.
- For CVE-2025-59230, disable the RasMan service if not needed for remote access or VPN.
- Monitor logs for suspicious privilege escalations using tools like Sysmon or EDR.
- For CVE-2025-24990, audit and remove dependencies on Agere Modem hardware.
- Disable fax modem functionality through Group Policy if patching is delayed.
- Restrict local logons to trusted accounts and implement least-privilege principles with AppLocker or Device Guard.
- Conduct vulnerability scans to identify exposed systems.
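As an added illustration of the log-monitoring item above (this is not code from ngCERT or Microsoft), the following Python script parses the text rendering of Windows Security event 4688 (process creation), which records both the creator account and the account of the new process, and flags events in which an ordinary user's process created one running as NT AUTHORITY\SYSTEM, the pattern a local EoP exploit leaves in the log. The event text, account names, and file paths are constructed samples, and the allow-list of creators is an assumption to be tuned per environment.

```python
"""Flag user-to-SYSTEM process creations in Windows Security event 4688 text.

Added example; not ngCERT's or Microsoft's code. Event 4688 ("A new process has
been created") names both the creator account ("Subject") and the account of the
new process ("Target Subject"). All sample events, account names and paths below
are constructed, not real telemetry.
"""
from typing import Dict, List, Tuple

Field = Tuple[str, str]  # (section, field name), e.g. ("Subject", "Account Name")
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Estate-specific creators allowed to start SYSTEM processes (lower-case full paths).
# Assumption: empty until reviewed exceptions are added, e.g. a vendor agent helper.
ALLOWED_CREATORS: set = set()


def parse_4688(text: str) -> Dict[Field, str]:
    """Flatten the 'Section:' / indented 'Field: value' layout into a dict."""
    fields: Dict[Field, str] = {}
    section = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        # Section headers are unindented and end with a colon, e.g. "Target Subject:".
        if not raw[0].isspace() and stripped.endswith(":"):
            section = stripped[:-1]
            continue
        key, sep, value = stripped.partition(":")
        if sep:  # "New Process Name: C:\..." splits at the first colon only
            fields[(section, key.strip())] = value.strip()
    return fields


def account(fields: Dict[Field, str], section: str) -> str:
    """Return DOMAIN\\name for a subject section, upper-cased for comparison."""
    domain = fields.get((section, "Account Domain"), "")
    name = fields.get((section, "Account Name"), "")
    return f"{domain}\\{name}".upper()


def is_user_to_system(fields: Dict[Field, str]) -> bool:
    """True when a non-SYSTEM creator produced a process that runs as SYSTEM."""
    if account(fields, "Target Subject") != SYSTEM or account(fields, "Subject") == SYSTEM:
        return False
    creator = fields.get(("Process Information", "Creator Process Name"), "").lower()
    return creator not in ALLOWED_CREATORS


def find_escalations(events: List[str]) -> List[str]:
    """Return one alert line per suspicious 4688 event."""
    alerts = []
    for text in events:
        f = parse_4688(text)
        if is_user_to_system(f):
            creator = f.get(("Process Information", "Creator Process Name"), "?")
            child = f.get(("Process Information", "New Process Name"), "?")
            alerts.append(f"{account(f, 'Subject')} via {creator} created SYSTEM process {child}")
    return alerts


# Constructed samples in the layout Event Viewer shows for 4688.
SERVICE_START = r"""A new process has been created.
Subject:
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
Target Subject:
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
Process Information:
    New Process Name:       C:\Windows\System32\svchost.exe
    Creator Process Name:   C:\Windows\System32\services.exe
"""

USER_PROGRAM = r"""A new process has been created.
Subject:
    Account Name:       alice
    Account Domain:     CORP
Target Subject:
    Account Name:       alice
    Account Domain:     CORP
Process Information:
    New Process Name:       C:\Windows\System32\notepad.exe
    Creator Process Name:   C:\Windows\explorer.exe
"""

USER_TO_SYSTEM = r"""A new process has been created.
Subject:
    Account Name:       alice
    Account Domain:     CORP
Target Subject:
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
Process Information:
    New Process Name:       C:\Windows\System32\cmd.exe
    Creator Process Name:   C:\Users\alice\Downloads\update_helper.exe
"""

SAMPLE_EVENTS = [SERVICE_START, USER_PROGRAM, USER_TO_SYSTEM]

if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_EVENTS):
        print(alert)
```

Run it over 4688 events exported as text from the Security log or a SIEM; Sysmon Event ID 1 carries the same creator and child user fields in recent versions and can be substituted. The check is a heuristic for the class of local privilege escalation the advisory describes, not a signature for the two CVEs, so review any entry before adding it to `ALLOWED_CREATORS`.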
HYPERLINK
Advisory ID: ngCERT-2025-100008
SUMMARY
ngCERT has observed a growing dependence on SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, which are essential for securing data transmission across digital networks, particularly the internet. While SSL, introduced in the 1990s, has been deprecated due to significant security flaws, TLS, currently at version 1.3, serves as the modern, robust standard. TLS secures communication by encrypting data, authenticating parties through digital certificates, and ensuring data integrity via a secure handshake process that negotiates cryptographic parameters and exchanges keys. Beyond its role in securing websites (HTTPS), TLS also protects email, VoIP, messaging applications, and VPNs. Proper implementation is critical to defending sensitive information such as login credentials, financial data, and personal records from threats like man-in-the-middle attacks, data interception, and protocol downgrades. ngCERT advises organisations to disable outdated protocols (SSL, TLS 1.0/1.1), enforce strong cipher suites, maintain up-to-date systems, and use valid, trusted digital certificates to reduce risk and ensure secure communications.
Damage: Critical
Probability: High
Platform(s): Web
DESCRIPTION
SSL/TLS (Secure Sockets Layer/Transport Layer Security) are cryptographic protocols fundamental to securing data transmission over digital networks by providing confidentiality, authentication, and data integrity. SSL, developed in the 1990s, was widely used but is now obsolete due to inherent vulnerabilities. It has been replaced by TLS, which is the current industry standard. TLS protects data by encrypting information transmitted between clients and servers, verifying identities using digital certificates issued by trusted Certificate Authorities (CAs), and ensuring that data is not modified during transit. The process begins with a TLS handshake in which both parties agree on supported cryptographic algorithms (cipher suites), exchange keys securely, and establish a session key for encrypted communication. TLS 1.3, the latest version, improves security by removing insecure algorithms, reducing handshake latency, and simplifying protocol operations. TLS underpins the security of a wide range of services including HTTPS websites, secure email (SMTP, IMAP, POP3), VPNs, VoIP, and messaging apps. As online services increasingly handle sensitive information, TLS plays a vital role in defending against cyber threats such as man-in-the-middle attacks, certificate spoofing, protocol downgrade attacks, and data interception. It is a cornerstone of modern digital security and privacy in today's interconnected world.
CONSEQUENCES
- Data Exposure: Unencrypted or improperly secured transmissions may allow attackers to intercept passwords, personal data, and financial details.
- Man-in-the-Middle (MitM) Attacks: Attackers can intercept or manipulate data by impersonating legitimate communication endpoints.
- Protocol Downgrade Attacks: Attackers may force connections to use outdated and vulnerable SSL/TLS versions.
- Certificate Issues: Use of expired, misissued, or untrusted certificates can cause service disruptions and trigger browser warnings.
- Loss of User Trust: Security incidents can damage brand reputation and reduce customer confidence in digital services.
- Regulatory Non-Compliance: Inadequate data protection may violate laws such as GDPR, HIPAA, or PCI-DSS, leading to penalties.
- Financial Loss: Breaches and compliance failures can result in legal costs, fines, and lost revenue.
- Compromised Integrity: Data may be altered in transit without detection, causing misinformation or injecting malicious payloads.
- Service Disruption: Exploited vulnerabilities in SSL/TLS implementations can result in denial-of-service or related attacks.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Use Latest TLS Versions: Disable SSL, TLS 1.0, and TLS 1.1; enforce TLS 1.2 or TLS 1.3 for all encrypted communications.
- Implement Strong Cipher Suites: Use modern, secure encryption algorithms; avoid outdated or weak ciphers such as RC4, DES, or MD5.
- Obtain Certificates from Trusted CAs: Ensure all digital certificates are issued by reputable Certificate Authorities.
- Regularly Renew and Manage Certificates: Track certificate expiration dates and renew or revoke them as needed to avoid security lapses.
- Enable Certificate Validation: Ensure clients validate server certificates to detect spoofed or forged certificates.
- Use Certificate Pinning (Where Applicable): Bind clients to specific, trusted certificates to prevent impersonation attacks.
- Keep Software Up to Date: Regularly patch TLS libraries (e.g., OpenSSL), web servers, and dependent applications.
- Perform Regular Security Audits: Conduct vulnerability assessments and penetration tests focused on TLS configurations.
- Enforce HTTP Strict Transport Security (HSTS): Mandate HTTPS-only connections to prevent downgrade attacks and mixed-content issues.
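The following Python auditor is an added example (not ngCERT's code or any product's) that turns the first, second and last items of this checklist into a check over nginx-style TLS directives: it flags `ssl_protocols` values that still enable SSL or TLS 1.0/1.1, `ssl_ciphers` tokens that admit RC4, DES/3DES, MD5, NULL, export or anonymous suites, and the absence of a `Strict-Transport-Security` header. The directive names are nginx's real ones; the two server blocks, including the host name and certificate paths, are constructed for illustration.

```python
"""Audit nginx-style TLS directives against the advisory's hardening checklist.

Added example, not ngCERT's code or nginx's. It checks that `ssl_protocols`
no longer enables SSL or TLS 1.0/1.1, that `ssl_ciphers` admits no RC4, DES/3DES,
MD5, NULL, export or anonymous suites, and that an HSTS header is sent. Both
server blocks below (host name, certificate paths) are constructed examples.
"""
import re
from typing import List

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Name fragments that, when a cipher-list token *adds* them, enable weak suites.
WEAK_CIPHER_PARTS = {"RC4", "DES", "3DES", "MD5", "NULL", "ANULL", "ENULL",
                     "EXP", "EXPORT", "ADH", "AECDH"}


def directive_values(config: str, name: str) -> List[str]:
    """Return the argument string of every `name ...;` directive, comments removed."""
    values = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"^{re.escape(name)}\s+(.+?)\s*;$", line)
        if m:
            values.append(m.group(1))
    return values


def weak_cipher_tokens(cipher_string: str) -> List[str]:
    """Return the OpenSSL cipher-list tokens that enable a weak algorithm.

    Tokens are ':'-separated; a leading '!' excludes permanently, '-' removes and
    '+' only reorders, so only unprefixed tokens can add ciphers.
    """
    weak = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+":
            continue
        parts = set(re.split(r"[-_+]", token.upper()))
        if parts & WEAK_CIPHER_PARTS:
            weak.append(token)
    return weak


def audit_tls_config(config: str) -> List[str]:
    """Return findings for one server block; an empty list means it passes."""
    findings = []
    protocols = directive_values(config, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: relying on compiled-in defaults")
    for value in protocols:
        bad = sorted(set(value.split()) & DEPRECATED_PROTOCOLS)
        if bad:
            findings.append(f"deprecated protocols enabled: {' '.join(bad)}")
    for value in directive_values(config, "ssl_ciphers"):
        weak = weak_cipher_tokens(value)
        if weak:
            findings.append(f"weak ciphers admitted: {':'.join(weak)}")
    headers = directive_values(config, "add_header")
    if not any(h.startswith("Strict-Transport-Security") for h in headers):
        findings.append("HSTS header missing: clients can be downgraded to plain HTTP")
    return findings


# Constructed "before" block: still offers TLS 1.0/1.1 and legacy ciphers, no HSTS.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name app.example.internal;   # constructed host name
    ssl_certificate     /etc/ssl/certs/app.pem;
    ssl_certificate_key /etc/ssl/private/app.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""

# Constructed "after" block following the checklist.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name app.example.internal;
    ssl_certificate     /etc/ssl/certs/app.pem;
    ssl_certificate_key /etc/ssl/private/app.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or ["no findings"])
```

The cipher check works on the cipher string the server is configured with rather than on a live handshake, so it can run in a CI pipeline before a configuration is deployed; a scan of the running endpoint remains necessary to confirm what the library actually negotiates.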
HYPERLINK
- www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
- www.freecodecamp.org/news/attacks-on-ssl-tls-and-how-to-protect-your-system/
- certera.com/blog/common-ssl-tls-challenges-issues-attacks-to-exploits/
- akimbocore.com/article/hardening-ssl-tls-common-ssl-security-issues-vulnerabilities/
Advisory ID: ngCERT-2025-100006
SUMMARY
ngCERT warns of a new Pixnapping attack that allows malicious Android apps to covertly steal sensitive on-screen data, such as two-factor authentication (2FA) codes, messages, and emails, within seconds. These malicious apps initially gain access through phishing attempts and exploit Android APIs and a hardware side channel that affects nearly all modern Android devices, running versions 13-16. The attackers target banking, cryptocurrency, and social media accounts for data exfiltration, account takeover, financial and privacy losses. Organisations and individuals using Android devices for sensitive communications or SMS-based two-factor authentication (2FA) are at a high risk. Immediate actions, including app updates and vetting, permission restrictions, and adoption of non-SMS 2FA, are critical to mitigate these threats.
Damage: Critical
Probability: High
Platform(s): Android Mobile Devices (Google Pixel and Samsung Galaxy S25), Applications Using SMS-Based 2FA, Messaging Apps
DESCRIPTION
Pixnapping is a cyberattack that lets attackers steal sensitive information, such as two-factor authentication (2FA) codes and private messages, from Android phones by analysing what is displayed on the screen. A malicious app, disguised as a legitimate one and installed on the target phone through phishing, tricks apps such as Google Authenticator or messaging apps into displaying data. The malware then uses special techniques to "read" the screen pixel by pixel without requesting any permissions, which makes it hard to spot. By measuring how long certain parts of the screen take to render, the app infers what is being shown, such as text or numbers, and can harvest data such as 2FA codes within seconds. The attack spreads through fake apps downloaded from untrustworthy sources and poses a serious threat because it bypasses normal security controls. The side-channel information disclosure vulnerability in Android exploited in the attack, CVE-2025-48561, has been partially fixed; a complete patch is expected in December 2025.
INDICATOR OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. CVE Exploitation: Presence of the CVE-2025-48561 vulnerability on unpatched Android 13-16 devices.
2. Suspicious Apps: Apps with no declared permissions but exhibiting overlay or blur behaviours.
3. Behavioural Anomalies: Unusual rendering delays, semi-transparent overlays, or repeated app invocations.
4. Network/Activity Patterns: Anomalous Intent usage or VSync timing measurements in app processes.
5. App Enumeration: Unauthorised detection of installed apps like Authenticator or messaging tools.
6. Device-Specific Signs: Performance issues on Pixel/Samsung devices during sensitive app usage.
CONSEQUENCES
Successful Pixnapping exploitation can result in:
- Sensitive Data Theft: Extraction of 2FA codes, private messages, emails, and location data, leading to account takeovers.
- Financial and Privacy Losses: Unauthorised access to banking or payment apps (e.g., Venmo), enabling fraud or blackmail.
- User Profiling: Detection of installed apps without permissions, aiding targeted attacks or surveillance.
- Delayed Detection: Stealthy operation hides from users; partial patches can be bypassed, prolonging exposure until full fixes.
- Broader Impacts: Compromise of corporate or personal security, with 2FA codes recovered in 14-25 seconds on average on Pixel devices.
SOLUTION/MITIGATION
ngCERT recommends the following to defend against Pixnapping:
- Patch Management: Apply Android security updates immediately; install the September 2025 patch for partial mitigation and await the complete fix in December.
- App Installation Practices: Download apps only from Google Play; avoid side-loading or third-party sources.
- 2FA Enhancements: Switch to app-based or hardware 2FA (e.g., Authy, YubiKey) over SMS or visible codes.
- Device Hardening: Enable Google Play Protect, restrict app permissions, and use an antivirus with behavioural analysis.
- Monitoring: Review app logs for unusual Intent invocations or overlays; employ mobile threat detection tools.
- Developer Guidance: Limit visible sensitive data; no app-level fixes available yet; monitor Google advisories.
- Awareness: Educate users on phishing risks leading to malicious app installs.
HYPERLINK
Advisory ID: NCC-CSIRT-2025-020
Summary:
CISA has added five newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks against major software products, including Oracle EBS and Microsoft Windows. The new entries include:
- A server-side request forgery (SSRF) issue (CVE-2025-61884) in Oracle EBS that can be triggered without authentication.
- A previously disclosed Oracle EBS remote code execution vulnerability (CVE-2025-61882) that is already being exploited.
- A Microsoft Windows SMB Client privilege escalation flaw (CVE-2025-33073).
- Authentication bypass vulnerabilities in Kentico Xperience CMS (CVE-2025-2746 & CVE-2025-2747) enabling administrative control.
- An Apple JavaScriptCore arbitrary code execution flaw (CVE-2022-48503) affecting web content processing.
CISA has set a remediation deadline of November 10, 2025, for federal agencies.
Damage/Probability: Critical/High
Product(s):
- Oracle E-Business Suite (EBS) – Runtime component/Configurator
- Microsoft Windows SMB Client
- Kentico Xperience CMS
- Apple JavaScriptCore
Version(s):
- Oracle EBS: vulnerabilities CVE-2025-61884 (SSRF) and CVE-2025-61882 (RCE)
- Microsoft Windows SMB Client: CVE-2025-33073 (improper access control)
- Kentico Xperience CMS: CVE-2025-2746 & CVE-2025-2747 (authentication bypass)
- Apple JavaScriptCore: CVE-2022-48503 (array-index validation)
Platform(s):
Enterprise ERP systems, Windows client environments, CMS web platforms, Apple/macOS devices using WebKit/JavaScriptCore.
Description:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks targeting major enterprise and consumer technologies from Oracle, Microsoft, Kentico, and Apple.
Two of the vulnerabilities affect Oracle E-Business Suite (EBS), a Server-Side Request Forgery (SSRF) flaw (CVE-2025-61884) and a Remote Code Execution (RCE) flaw (CVE-2025-61882). These issues reside in the Oracle Configurator runtime component and allow unauthenticated attackers to send crafted HTTP requests that can reach internal services, databases, or cloud resources. Exploitation of these vulnerabilities has been observed in the wild, with some threat actors using them for data exfiltration and lateral movement within enterprise networks.
The third flaw, CVE-2025-33073, impacts the Microsoft Windows SMB Client, where improper access control allows local attackers to escalate privileges. This vulnerability is particularly concerning in enterprise environments that use legacy SMB configurations or lack strict SMB signing and network segmentation, as attackers could exploit it to gain elevated rights and persistence.
Two additional vulnerabilities, CVE-2025-2746 and CVE-2025-2747, affect Kentico Xperience CMS. They stem from improper handling of authentication requests in the staging synchronization component, allowing unauthenticated users to bypass login controls and gain administrative access to web servers. Once exploited, attackers can modify website content, deploy web shells, or redirect users to malicious domains.
Lastly, CVE-2022-48503, a vulnerability in Apple’s JavaScriptCore (used in WebKit-based browsers), results from improper validation of array indices. This flaw allows attackers to execute arbitrary code on macOS and iOS devices when victims visit malicious or compromised websites. Although initially disclosed in 2022, it remains under active exploitation, highlighting how older vulnerabilities continue to be leveraged against unpatched systems.
CISA’s analysis confirms that these vulnerabilities are being actively exploited in the wild, and federal agencies have been mandated to patch affected systems by 10 November 2025. Organizations are strongly advised to prioritize remediation, implement network segmentation where patching cannot be done immediately, and monitor for signs of compromise, particularly unusual HTTP requests, unauthorized administrative access, or suspicious privilege escalation activities.
Impacts:
- Unauthorized access to enterprise resources via Oracle EBS SSRF or RCE leading to data exfiltration or lateral movement.
- Compromise of Windows clients via SMB Client privilege escalation, enabling attackers to gain elevated rights and persist.
- Administrative takeover of web content and infrastructure via Kentico CMS authentication bypass, enabling further malware deployment or defacement.
- Exploitation of macOS/iOS devices via Apple JavaScriptCore flaw, enabling arbitrary code execution through web content, risking endpoint compromise in enterprise “bring your own device” (BYOD) contexts.
- High risk for organizations that delayed or skipped patching, as attackers often move quickly once CVEs are public and listed in CISA's KEV Catalogue.
Solutions:
- Prioritise Patching: Immediately apply vendor patches for the listed CVEs: Oracle EBS, Microsoft Windows (SMB Client), Kentico CMS, Apple devices.
- Confirm Asset Inventory: Ensure you know whether you run affected versions of Oracle EBS, Windows SMB Client endpoints, Kentico CMS installations, or macOS/iOS devices vulnerable to JavaScriptCore exploits.
- Isolate & Segment: Until patched, segregate vulnerable systems, especially Oracle EBS and CMS platforms, with stricter network segmentation and restricted access.
- Harden Configurations: For Windows SMB, enforce SMB signing, disable SMBv1/SMBv2 legacy, and monitor unusual local privilege escalations. For CMS, disable staging sync server access if unused and review user authentication flows.
- Monitor Logs & Network: Look for abnormal HTTP requests from Oracle servers to internal services (SSRF), sudden administrative logins in CMS, privilege escalation events in Windows, or unusual web content processing on Apple devices.
- Validate Remediation: After patching, run vulnerability scans and penetration tests focusing on these CVEs; verify no persistence or backdoor remains.
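As an added example of the SSRF hunting item under Monitor Logs & Network (not code from NCC-CSIRT, CISA or Oracle), the Python script below reads key=value firewall log lines, keeps connections from the monitored application server to its expected internal backends, and flags every other connection to RFC 1918, loopback, link-local or cloud-metadata addresses. The server address, backend list and log lines are constructed; only 169.254.169.254, the metadata address used by the major cloud providers, is a real well-known endpoint.

```python
"""Hunt for SSRF-shaped egress from an application server in key=value firewall logs.

Added example for this advisory; not code from CISA, Oracle or NCC-CSIRT. An
application tier has a short list of internal dependencies; an SSRF primitive
lets attackers make it reach anything else. The detector keeps connections from
the monitored server to its expected backends and flags every other connection
to RFC 1918, loopback, link-local or cloud-metadata addresses. All addresses and
log lines here are constructed except 169.254.169.254, the well-known IMDS address.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

MONITORED_SERVER = ipaddress.ip_address("10.10.1.20")  # constructed: the app tier
EXPECTED_BACKENDS: Set[Tuple[str, int]] = {
    ("10.10.2.30", 1521),  # constructed: database listener
    ("10.10.2.40", 389),   # constructed: directory service
}
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse '<timestamp> key=value key=value ...' into a dict; timestamp under 'ts'."""
    tokens = line.split()
    record = {"ts": tokens[0]} if tokens else {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            record[key] = value
    return record


def is_internal(addr) -> bool:
    """True for RFC 1918, loopback and link-local destinations."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(record: Dict[str, str]) -> str:
    """Return '' for expected traffic, otherwise a short finding label."""
    try:
        src = ipaddress.ip_address(record["src"])
        dst = ipaddress.ip_address(record["dst"])
        dport = int(record["dport"])
    except (KeyError, ValueError):
        return "unparseable record"
    if src != MONITORED_SERVER:
        return ""  # other hosts are out of scope for this detector
    if dst == METADATA_ENDPOINT:
        return "cloud metadata endpoint reached: instance credentials at risk"
    if (str(dst), dport) in EXPECTED_BACKENDS:
        return ""
    if is_internal(dst):
        return f"unexpected internal destination {dst}:{dport}"
    return ""  # public egress belongs to the outbound proxy policy, not this check


def find_ssrf_candidates(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs for every suspicious line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        label = classify(rec)
        if label:
            hits.append((rec.get("ts", "?"), label))
    return hits


# Constructed log lines; 203.0.113.10 is from the documentation range (RFC 5737).
SAMPLE_LOG = [
    "2025-10-16T10:01:02Z src=10.10.1.20 dst=10.10.2.30 dport=1521 proto=tcp action=allow",
    "2025-10-16T10:01:05Z src=10.10.1.20 dst=10.10.2.40 dport=389 proto=tcp action=allow",
    "2025-10-16T10:02:17Z src=10.10.1.20 dst=10.10.5.12 dport=8080 proto=tcp action=allow",
    "2025-10-16T10:02:18Z src=10.10.1.20 dst=169.254.169.254 dport=80 proto=tcp action=allow",
    "2025-10-16T10:03:40Z src=10.10.9.7 dst=10.10.5.12 dport=8080 proto=tcp action=allow",
    "2025-10-16T10:04:01Z src=10.10.1.20 dst=203.0.113.10 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for ts, finding in find_ssrf_candidates(SAMPLE_LOG):
        print(ts, finding)
```

The allow-list approach is deliberate: an application server's legitimate internal destinations are few and stable, so modelling them is cheaper and more reliable than trying to recognise malicious request shapes, and the same rule carries over to the segmentation advice above, where the allow-list becomes the firewall policy itself.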
References:
- ngCERT SECURITY ADVISORY ON CRITICAL VULNERABILITY AFFECTING ORACLE E-BUSINESS SUITE
- ngCERT SECURITY ADVISORY ON RESURGENCE OF SOGU AKA PLUGX MALWARE INFILTRATIONS
- ngCERT SECURITY ADVISORY ON LOCKGOGA MEGACORTEX AND NEFILIM HYBRID RANSOMWARE VARIANTS
- ngCERT SECURITY ADVISORY ON MULTIPLE MEDIUM – LOW VULNERABILITIES IN MICROSOFT WINDOWS COMPONENTS AND DELL FIRMWARE