Customer portal
Articles Tagged with

SOS Intelligence

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 02 February 2026

by Amir Hadzipasic
February 2, 2026

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2025-8088

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

 

 

3. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

 

 

4. CVE-2025-54100

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

 

 

5. CVE-2025-14847

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

 

 

6. CVE-2025-21204

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-21204

 

 

7. CVE-2025-24118

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

 

 

8. CVE-2024-38063

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

 

 

9. CVE-2025-68613

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

 

 

10. CVE-2024-34102

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

 

"SOS
SOS Intelligence Webinar

SOS Intelligence platform updates and roadmap for 2026 webinar

by Amir Hadzipasic
January 29, 2026

Can you believe a month has already past this year?! Join us on February 12th at 1.30pm to learn about the updates that we have made for the SOS Intelligence platform plus a peek into what is planned in the coming months.

Sign up now

What we will discuss:

  • AI Analyst
  • CVE Intelligence
  • Telegram Research

Hosted by Jon Moss with SOS Intelligence Founder and CEO, Amir Hadzipasic and Threat Intelligence Analyst Daniel Collyer.

Sign up to the webinar to receive a recording via email if you cannot attend on the day. By signing up you will also receive our newsletter for future events. You can always unsubscribe with one click.

Looking forward to seeing you!

Stay safe,

Amir

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 26 January 2026

by Amir Hadzipasic
January 26, 2026

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2025-31133

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

 

 

3. CVE-2025-41253

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

 

 

4. CVE-2025-52472

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

 

 

5. CVE-2025-52565

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

 

 

6. CVE-2025-52881

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-52881

 

 

7. CVE-2025-55449

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-55449

 

 

8. CVE-2025-61757

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-61757

 

 

9. CVE-2025-62712

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-62712

 

 

10. CVE-2025-64446

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

https://nvd.nist.gov/vuln/detail/CVE-2025-64446

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 19 January 2026

by Amir Hadzipasic
January 19, 2026

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2024-49113

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

 

 

3. CVE-2025-14847

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

 

 

4. CVE-2025-8088

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček
from ESET.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

 

 

5. CVE-2024-38063

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

 

 

6. CVE-2025-24118

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

 

 

7. CVE-2025-31133

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

 

 

8. CVE-2025-41253

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

 

 

9. CVE-2025-52472

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

 

 

10. CVE-2025-52565

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

 

""/
Investigation, Opinion

Key Cyber Threat Intelligence Trends to Watch in 2026

by Daniel Collyer
January 15, 2026

Why 2026 Matters for CTI

As organisations enter 2026, cyber threat intelligence finds itself at a critical inflexion point. The threat landscape continues to expand in volume and complexity, but the pressures shaping it are no longer purely technical. Geopolitical instability, regional conflict, and sustained economic uncertainty are increasingly influencing who is targeted, why, and to what end. For businesses, this means cyber risk is now inseparable from broader strategic and operational risk.

At the same time, the pace of technological change continues to accelerate. Artificial intelligence is now firmly embedded on both sides of the threat equation. Adversaries are using AI to scale social engineering, automate reconnaissance, and rapidly adapt tooling, while defenders are racing to apply the same technologies to detection, analysis, and response. This arms race is generating more data, more alerts, and more intelligence than ever before.

Yet quantity is no longer the problem. Many organisations are experiencing intelligence overload, where feeds, reports, and indicators accumulate faster than they can be meaningfully consumed. Decision makers are not asking for more information, but for clearer insight. They want to understand which threats matter, how they are likely to manifest, and what actions should be prioritised in response.

As a result, 2026 represents a decisive shift for cyber threat intelligence. The focus is moving away from collecting more data and towards understanding it better. Success is increasingly defined by context, relevance, and the ability to translate technical detail into actionable judgment. This is less a year of entirely new threats and more a year defined by how existing threats are used, scaled, and adapted to specific targets and circumstances.

In this article, we explore the key trends shaping cyber threat intelligence in 2026, and what they mean for organisations seeking to make informed, risk-based decisions in an increasingly uncertain environment.

AI-Native Threat Actors Become the Norm

By 2026, the use of artificial intelligence by threat actors can no longer be described as experimental or emerging. For many adversaries, AI-enabled tooling is now embedded into everyday operations, shaping how attacks are planned, executed, and refined. Rather than creating entirely new categories of threats, AI is amplifying existing ones by increasing their speed, scale, and apparent sophistication.

One of the most visible impacts is in phishing, pretexting, and broader social engineering activity. AI-generated content allows attackers to produce convincing messages tailored to specific organisations, roles, or even individuals with minimal effort. Language quality is no longer a reliable signal of legitimacy, and pretexts can be rapidly adapted based on open source information, previous engagement, or real-time feedback. This has significantly reduced the cost and skill barrier traditionally associated with effective social engineering.

Malware development has also been accelerated. AI-assisted coding and analysis tools enable faster iteration, allowing threat actors to modify payloads, obfuscation techniques, and delivery mechanisms in near real time. Polymorphism and frequent recompilation mean that identical samples may exist only briefly, limiting the usefulness of traditional signature-based detection and static file indicators. The result is a faster-moving malware ecosystem that is harder to catalogue and track using conventional methods.

Reconnaissance and target profiling are increasingly automated. Threat actors can now use AI to process large volumes of leaked data, scraped content, and technical metadata to identify high-value targets and likely points of weakness. This automation enables more precise targeting while reducing the need for manual research, allowing even smaller or less experienced groups to operate with a level of efficiency previously associated with more capable actors.

Taken together, these developments are blurring traditional distinctions between high-skill and low-skill adversaries. Tools that once required significant expertise to develop or operate are becoming accessible through automation and commoditised services. As a result, lower capability actors can conduct campaigns that appear more polished, more targeted, and more persistent than their underlying skill level would suggest.

For cyber threat intelligence teams, this shift has important implications. Static indicators such as file hashes, domains, and IP addresses are ageing even faster than before, often becoming obsolete within hours or days. While such indicators still have operational value, they can no longer be the primary lens through which AI-enabled activity is understood.

Instead, there is a growing need to focus on behavioural patterns and campaign-level analysis. Understanding how attacks are structured, how lures evolve over time, and how infrastructure is deployed and rotated provides more durable insight than individual technical artefacts. Equally important is tracking the evolution of tradecraft. The key intelligence question is no longer which tool was used, but how it was applied, adapted, and combined with other techniques to achieve an objective.

In 2026, effective threat intelligence depends less on cataloguing tools and more on recognising patterns of behaviour. As AI continues to level the playing field for adversaries, the ability to identify and contextualise these patterns will be central to maintaining meaningful visibility into the threat landscape.

AI-Enabled Tradecraft in Practice

During 2024 and 2025, security researchers documented the use of generative AI tools such as WormGPT and FraudGPT in live phishing and business email compromise campaigns, enabling fluent, highly targeted lures at scale. Microsoft and Google both reported attackers using AI-assisted reconnaissance to tailor phishing based on user roles, organisations, and cloud environments. In parallel, Mandiant and Microsoft observed identity-focused intrusions where domains, payloads, and malware variants rotated faster than traditional indicators could be operationalised. While static indicators decayed rapidly, behavioural patterns such as role-based targeting, cloud-hosted delivery, MFA abuse, and living-off-the-land activity remained consistent.

Content and Format Abuse Outpaces Traditional Detection

As technical controls continue to improve, threat actors are increasingly shifting their focus away from exploiting software vulnerabilities and towards abusing trust in common content formats. By 2026, malicious activity is frequently concealed within files and data types that organisations are structurally inclined to allow, inspect lightly, or prioritise for usability over security.

Content-type smuggling and polyglot files are becoming more prevalent as attackers exploit discrepancies between how systems interpret file formats. A single file may present itself as benign to one control while being parsed differently by another, allowing embedded scripts or payloads to execute downstream. These techniques are not new, but they are now being applied more systematically and at greater scale, particularly in environments that rely on automated content handling.

Common formats such as PDFs, images, emojis, markdown, and compressed archives are increasingly abused as delivery vehicles. PDFs can carry embedded scripts or external references, images can contain hidden data or exploit parsing behaviour, and text-based formats can be manipulated to trigger unexpected interpretation by browsers, email clients, or automated analysis tools. Even elements designed for expression and accessibility, such as emojis, can be repurposed to carry hidden instructions or evade simple content inspection.

Delivery mechanisms are also evolving. Rather than relying solely on direct email attachments or malicious links, attackers are increasingly using trusted SaaS platforms and collaboration tools to distribute payloads. File sharing services, document collaboration platforms, and messaging tools provide a level of implicit trust and are often deeply integrated into business workflows. This makes it harder for both users and security controls to distinguish malicious activity from legitimate use.

These techniques are particularly effective at evading gateway and sandbox-based detection. Many security controls are optimised to analyse standalone files or clearly defined executables, not content that only becomes malicious when rendered in a specific context or combined with user interaction. Sandboxes may fail to replicate the precise conditions required to trigger malicious behaviour, while gateways may prioritise performance over deep inspection of complex or nested formats.

For cyber threat intelligence teams, this trend reinforces the importance of tracking delivery mechanisms as a primary tactic, technique, and procedure. Understanding how malicious content is introduced into an environment often provides more durable insight than focusing solely on the final payload. The same malware family may be delivered through multiple formats and channels, each tailored to exploit specific organisational habits or control gaps.

This also highlights the intelligence value of analysing how malware arrives, not just what it is. Patterns in file types, hosting platforms, and user interaction requirements can reveal actor preferences and campaign objectives that are not visible through static analysis alone. Such insights are particularly valuable for informing detection engineering and user awareness efforts.

Finally, this trend underscores the need for stronger collaboration between cyber threat intelligence teams and email and web security functions. Intelligence on emerging delivery techniques must be translated into practical guidance for those configuring and tuning controls. In 2026, effective defence against content and format abuse depends not only on identifying malicious artefacts, but on understanding and disrupting the pathways through which they are delivered.

Abuse of Trusted Formats and Platforms

During 2023–2025, multiple security vendors reported widespread abuse of PDFs and archive files to deliver malware while bypassing email and web gateways, including campaigns where malicious content was only revealed after user interaction. Microsoft and Google both documented attackers hosting payloads on legitimate SaaS platforms such as OneDrive, Google Drive, and Dropbox, exploiting implicit trust and integration with enterprise environments. Researchers also observed the use of HTML smuggling and polyglot files to evade content inspection by disguising executable behaviour within allowed formats. In many cases, sandbox detonation failed to trigger malicious activity due to environmental checks or delayed execution. These campaigns demonstrated that the most reliable intelligence signal was not the final payload, but the consistent delivery techniques and abuse of trusted platforms, reinforcing the value of tracking delivery mechanisms as a primary tactic.

The Continued Rise of Identity-Centric Attacks

The Continued Rise of Identity-Centric Attacks

As organisations continue to adopt cloud services and remote working models, identity has become the primary control plane for access to systems and data. In 2026, attackers are increasingly targeting identity directly, recognising that compromising credentials or sessions often provides broader and more durable access than exploiting a single technical vulnerability.

One of the most common techniques remains multi-factor authentication fatigue, often referred to as push bombing. By repeatedly triggering authentication prompts, attackers aim to exploit user frustration or inattention, eventually inducing approval of a fraudulent request. While awareness of this technique has grown, it remains effective in environments where controls are permissive or user training is inconsistent.

Token theft and session hijacking are also becoming more prevalent. Rather than capturing usernames and passwords, attackers increasingly seek to obtain valid session tokens, cookies, or authentication artefacts that allow them to bypass interactive login processes altogether. These techniques are particularly effective against cloud services and single sign-on environments, where a compromised token can provide access to multiple applications without further challenge.

The abuse of OAuth applications and cloud identities represents another significant area of risk. Malicious or compromised OAuth apps can be granted persistent access to user data and resources, often with limited visibility once approved. Attackers may also create or manipulate cloud-native identities, such as service principals or managed identities, to establish long-term access that blends into normal administrative activity.

Once access is obtained, many adversaries favour living-off-the-land techniques within cloud environments. By using legitimate tools, built-in administrative functions, and native APIs, attackers can move laterally, escalate privileges, and exfiltrate data while minimising the use of overtly malicious tooling. This approach reduces the likelihood of triggering traditional malware-focused detection and allows activity to appear operationally routine.

For cyber threat intelligence teams, these developments necessitate a shift in focus. Traditional indicators such as IP addresses and domains remain relevant, but they provide limited insight into identity-centric attacks that leverage legitimate infrastructure and services. Greater value lies in understanding patterns of authentication abuse, anomalous access behaviour, and misuse of identity features.

Tracking actor playbooks against identity and access management controls is becoming increasingly important. Intelligence that maps how specific adversaries exploit MFA configurations, token lifetimes, OAuth consent processes, or role assignment models can directly inform defensive priorities. This enables organisations to move beyond generic hardening guidance and focus on the controls most likely to be targeted.

In 2026, effective threat intelligence plays a critical role in shaping identity defence. By translating observed attack patterns into concrete recommendations, CTI teams can help organisations prioritise identity hardening efforts and reduce exposure at what has become the most frequently attacked layer of the modern enterprise.

Identity as the Primary Attack Surface

Between 2023 and 2025, Microsoft, Mandiant, and Okta documented a sustained rise in identity-centric intrusions involving MFA fatigue attacks, token theft, and session hijacking, particularly against cloud-first organisations. Campaigns attributed to financially motivated groups showed repeated push bombing attempts followed by abuse of valid sessions rather than credential reuse. Researchers also reported widespread misuse of OAuth applications, where attackers gained persistent access by tricking users into granting permissions to malicious or compromised apps. Once inside, adversaries frequently relied on living-off-the-land techniques, using native cloud tooling and APIs to blend into normal administrative activity. These cases highlighted the limited value of traditional IP- or domain-based indicators and reinforced the importance of tracking identity behaviour and attacker playbooks against IAM controls.

Ransomware Becomes a Business Model, Not a Malware Type

Ransomware Becomes a Business Model, Not a Malware Type

By 2026, ransomware will be best understood not as a single category of malware, but as a service-driven business model. The technical payload used to encrypt systems is often interchangeable, while the real differentiation lies in how operations are organised, monetised, and sustained. This shift continues to reshape both the threat landscape and the way organisations should approach ransomware risk.

Ransomware-as-a-service ecosystems continue to evolve and mature. Core developers provide tooling, infrastructure, and branding, while affiliates conduct intrusions and deploy payloads in exchange for a share of the proceeds. This model allows rapid scaling, frequent rebranding, and the replacement of disrupted components with minimal impact to overall activity. It also creates a steady flow of new and short-lived variants that complicate traditional tracking.

At the same time, ransomware operations are increasingly decoupled from encryption itself. Data theft and extortion-only models remain prevalent, particularly where reliable backups or operational resilience reduce the impact of encryption. Many campaigns now combine multiple pressure points, including data leaks, regulatory exposure, and direct contact with customers or partners. These hybrid approaches are designed to maximise leverage while reducing technical complexity.

Rebranding and fragmentation further obscure attribution. Groups regularly change names, infrastructure, and public-facing personas in response to law enforcement action or reputational damage. In some cases, operators deliberately adopt the branding or tactics of other groups to mislead victims and researchers. False-flag activity adds further noise, making it difficult to draw conclusions based solely on malware samples or ransom notes.

Targeting is also shifting. While large enterprises remain attractive, mid-sized organisations are increasingly in focus due to perceived gaps in security maturity and incident response capability. Supply chains continue to present valuable opportunities, allowing attackers to leverage trusted relationships to increase reach and impact. These campaigns often prioritise speed and disruption over long-term persistence.

For cyber threat intelligence teams, these trends present both challenges and opportunities. Actor clustering becomes more difficult as tooling and branding fragment, but it also becomes more valuable. Understanding how campaigns relate to one another through shared behaviours, infrastructure management, and operational patterns provides insight that individual malware labels cannot.

This reinforces the need to focus on who is behind an operation rather than which strain is used. Tracking negotiation behaviour, communication style, leak site activity, and pressure tactics can reveal consistent operator fingerprints even as technical components change. Such intelligence is particularly valuable for incident response planning, negotiation strategy, and executive decision-making.

In 2026, effective ransomware intelligence depends on moving beyond file-based analysis and towards a deeper understanding of adversary operations as businesses in their own right. Those who can identify and anticipate how these businesses operate are better positioned to disrupt them and reduce their impact.

Ransomware as an Operational Business

From 2023 to 2025, ransomware groups such as LockBit, ALPHV, and Cl0p were repeatedly observed operating as service-based ecosystems, with affiliates conducting intrusions while core teams managed tooling, infrastructure, and leak sites. High-profile campaigns, including the MOVEit and GoAnywhere mass exploitation events, demonstrated how data theft and extortion could be conducted at scale without relying solely on encryption. Researchers also documented frequent rebranding and fragmentation following law enforcement pressure, complicating attribution based on malware families alone. Across these campaigns, consistent behaviours such as negotiation style, leak site structure, and pressure tactics persisted even as payloads and infrastructure changed. These patterns underscore the value of actor-centric intelligence focused on who is operating, rather than which ransomware strain is deployed.

Geopolitics Drives Threat Actor Priorities

Geopolitics Drives Threat Actor Priorities

In 2026, the influence of geopolitics on the cyber threat landscape is more pronounced than ever. Nation-state and state-aligned actors are not only increasing in activity but are also shaping the broader ecosystem in which financially motivated and ideologically driven groups operate. Cyber operations are now a routine extension of geopolitical competition, conflict, and signalling.

One key trend is the spillover of geopolitical tensions into cyberspace. Regional conflicts, diplomatic disputes, and economic sanctions frequently coincide with surges in cyber activity, ranging from espionage and influence operations to disruptive attacks. These campaigns may not always be directly attributable to a single state, but they often align closely with national interests or strategic objectives.

Critical infrastructure and logistics networks are increasingly attractive targets. Energy, transport, telecommunications, and supply chain management systems offer opportunities for intelligence collection, disruption, and strategic pressure. Even limited or short-lived interference can have outsized economic and political effects, making these sectors a persistent focus for capable adversaries.

Hacktivism continues to play a prominent role, often blurring the boundary between grassroots activism and state-aligned activity. In some cases, hacktivist groups act as proxies or amplifiers, conducting operations that provide plausible deniability while supporting broader strategic aims. In others, state actors deliberately mimic hacktivist tactics to obscure attribution and complicate response decisions.

These dynamics contribute to increasingly blurred lines between cybercrime, espionage, and disruption. Financially motivated groups may be tolerated or tacitly supported when their activity aligns with national interests, while espionage operations may incorporate criminal techniques or infrastructure. This convergence makes simple categorisation of threats less meaningful and increases the risk of misinterpretation.

For cyber threat intelligence teams, this environment elevates the importance of strategic intelligence alongside tactical reporting. Understanding the geopolitical context in which activity occurs is often essential to interpreting intent, likely targets, and potential escalation. Mapping geopolitical events to observed cyber activity can help organisations anticipate periods of heightened risk and adjust their posture accordingly.

Equally important is the ability to communicate uncertainty and intent to leadership. Strategic intelligence rarely offers definitive answers, but it can provide informed assessments and plausible scenarios. In 2026, effective CTI is measured not only by technical accuracy but by its ability to support informed decision-making in a world where cyber activity is increasingly intertwined with global politics.

Geopolitics Shaping Cyber Operations

Between 2022 and 2025, geopolitical events including the war in Ukraine and heightened tensions in the Middle East coincided with spikes in cyber activity targeting government, energy, logistics, and telecommunications sectors. Security firms and government agencies reported coordinated campaigns involving espionage, disruption, and influence operations aligned with national interests. Hacktivist groups emerged rapidly around these conflicts, often amplifying or obscuring state-aligned activity through defacements, data leaks, and denial-of-service attacks. In several cases, financially motivated and politically aligned operations used overlapping infrastructure and techniques, blurring traditional threat categories. These trends highlighted the growing importance of strategic intelligence that links geopolitical developments to cyber activity and communicates intent and uncertainty to decision-makers.

Intelligence Consumers Demand Clarity, Not Just Alerts

Intelligence Consumers Demand Clarity, Not Just Alerts

As cyber threat intelligence becomes more widely consumed across organisations, expectations around how intelligence is delivered are evolving. In 2026, the challenge is no longer access to threat data, but ensuring that alerts and intelligence are timely, relevant, and actionable for their intended audience.

Security teams and decision makers are exposed to a growing volume of alerts, notifications, and intelligence updates. While this flow of information is essential for maintaining situational awareness, it can become difficult to distinguish between background noise and issues that require immediate attention. This has led to increasing demand for clarity alongside coverage.

Rather than simply asking what has been observed, intelligence consumers are asking more targeted questions. They want to understand why an alert matters, how it relates to their environment, and what actions should be considered next. Alerts that are enriched with context, confidence, and clear analytical judgment are far more likely to drive effective response than raw signals alone.

This has reinforced the importance of tying intelligence to risk and impact. When alerts are mapped to threat actors, campaigns, targeting patterns, or likely objectives, they become easier to prioritise and act upon. Intelligence that highlights relevance, such as sector targeting, geographic focus, or alignment with known tradecraft, enables organisations to make faster and more informed decisions.

Narrative also plays an increasingly important role. Even within alert-driven systems, structured explanations and concise assessments help consumers interpret activity and avoid misreading its significance. The ability to combine timely alerting with clear analytical framing is becoming a key differentiator in intelligence delivery.

For CTI providers, this reflects a broader maturity shift from delivering data alone to delivering understanding at scale. Alerts remain a critical mechanism for awareness and response, but their value is maximised when they are supported by consistent analysis and clear articulation of what the intelligence means. In 2026, the most effective intelligence services are those that help customers move confidently from notification to decision.

CTI Tooling Consolidation, Integration, and Automation

The CTI tooling landscape continues to evolve as organisations seek to simplify workflows and extract greater value from the intelligence they consume. By 2026, many teams are consolidating platforms and prioritising solutions that integrate cleanly into existing security operations rather than operating in isolation.

Overlapping tools and fragmented intelligence sources can make it difficult to maintain a coherent view of the threat landscape. As a result, there is growing emphasis on platforms and services that centralise intelligence, reduce duplication, and present information in a consistent and usable format. Integration with SIEM, SOAR, EDR, and email security tooling is increasingly expected rather than optional.

Automation plays a central role in enabling this consolidation. Automated enrichment, correlation, and triage allow large volumes of intelligence to be processed and surfaced rapidly. This is particularly important for alert-driven intelligence delivery, where speed and scale are critical. Automation ensures that alerts arrive with the context needed to support immediate action.

At the same time, expectations around automation are becoming more realistic. While machines excel at processing data and identifying patterns, analytical judgement remains essential for interpreting intent, assessing confidence, and identifying meaningful shifts in adversary behaviour. The most effective intelligence platforms combine automated processing with human-led analysis.

This balance also shapes discussions around return on investment. Customers increasingly expect intelligence tooling to demonstrate clear operational benefit, such as improved detection, faster response, or better prioritisation. Intelligence that is delivered in a form that integrates naturally into security workflows is more likely to achieve this impact.

For CTI teams and providers alike, a key consideration is deciding what should be automated and what should remain analyst-driven. Repeatable processes and large-scale data handling benefit from automation, while assessments of intent, relevance, and strategic significance continue to rely on human expertise.

In 2026, the enduring value of experienced analysts is not diminished by automation but amplified by it. By pairing scalable delivery mechanisms with consistent analytical oversight, CTI providers can deliver intelligence that is both timely and trusted. This combination is central to meeting rising customer expectations in an increasingly complex threat environment.

What This Means for CTI Teams in 2026

Taken together, these trends point to a clear evolution in how cyber threat intelligence teams must operate in 2026. The challenge is not a lack of data or tooling, but ensuring that intelligence capability is aligned with real organisational needs and outcomes. Teams that adapt their focus and ways of working will be best placed to deliver sustained value.

First, there is a renewed need to invest in analytical skills alongside technology. Tooling and automated alerting provide essential scale and coverage, but they do not replace the ability to assess relevance, weigh confidence, and draw meaningful conclusions. Developing analysts who can interpret complex activity, recognise patterns over time, and communicate insight clearly remains one of the most effective ways to improve intelligence outcomes.

Second, collection should be increasingly guided by clearly defined priority intelligence requirements. Rather than attempting to monitor everything equally, effective CTI teams focus on the threats, actors, and techniques most relevant to their organisation or customers. Well-defined PIRs help shape what data is collected, how it is analysed, and how it is delivered, ensuring that intelligence production remains purposeful rather than reactive.

Strong relationships across the security and business landscape are also essential. CTI does not operate in isolation, and its value is maximised when it is closely connected to security operations, incident response, identity and access management, and senior leadership. Regular engagement with these stakeholders helps ensure that intelligence outputs align with detection needs, response priorities, and strategic concerns.

Finally, success in 2026 is increasingly measured by influence rather than output. The most effective CTI teams are those that can demonstrate how intelligence has informed decisions, shaped defensive priorities, or enabled faster and more confident responses. Reports and alerts remain important delivery mechanisms, but their true value lies in the decisions they support.

For CTI teams navigating an increasingly complex threat environment, these principles provide a practical foundation. By combining strong analytical capability, focused collection, collaborative working, and outcome-driven measurement, intelligence teams can remain relevant and impactful in the year ahead.

Conclusion: The Evolution of CTI

Cyber threat intelligence in 2026 is evolving rapidly. What was once largely a support function is increasingly a strategic enabler, providing insight that shapes decisions across security operations and organisational leadership. Threats are faster, more complex, and noisier than ever, driven by automation, AI, and shifting geopolitical pressures.

In this environment, the differentiators for effective intelligence are context, clarity, and credibility. Understanding not just what is happening, but why it matters and how it affects the organisation, is what turns data into actionable insight. Teams that can provide this perspective, supported by robust analytical capability and integrated tooling, will be best placed to help organisations anticipate, prioritise, and respond to evolving threats.

2026 will not be defined by new types of threats alone, but by the ability of intelligence teams to interpret them, communicate their significance, and drive meaningful action. In this way, cyber threat intelligence will continue to move from reactive observation to proactive influence, ensuring its central role in organisational resilience and security strategy.

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 12 January 2026

by Amir Hadzipasic
January 12, 2026

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

 

 

3. CVE-2025-14847

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

 

 

4. CVE-2024-38063

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

 

 

5. CVE-2025-24118

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

 

 

6. CVE-2025-54100

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

 

 

7. CVE-2025-8088

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

 

 

8. CVE-2025-68613

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

 

 

9. CVE-2022-21227

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-21227

 

 

10. CVE-2016-10033

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 05 January 2026

by Amir Hadzipasic
January 5, 2026

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2025-14847

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-14847

 

 

3. CVE-2025-68613

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

 

 

4. CVE-2024-38063

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2024-38063

 

 

5. CVE-2025-8088

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

 

 

6. CVE-2025-24118

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-24118

 

 

7. CVE-2025-54100

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-54100

 

 

8. CVE-2024-49113

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2024-49113

 

 

9. CVE-2025-50708

Improper link resolution before file access (‘link following’) in Windows Update Stack allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-50708

 

 

10. CVE-2016-10033

Improper link resolution before file access (‘link following’) in Windows Update Stack allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 29 December 2025

by Amir Hadzipasic
December 29, 2025

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-59287

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

2. CVE-2025-68613

n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.

https://nvd.nist.gov/vuln/detail/CVE-2025-68613

 

 

3. CVE-2025-8088

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

 

 

4. CVE-2022-21227

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2022-21227

 

 

5. CVE-2016-10033

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

 

 

6. CVE-2017-8759

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2017-8759

 

 

7. CVE-2021-40539

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2021-40539

 

 

8. CVE-2024-10687

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2024-10687

 

 

9. CVE-2024-21762

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

 

 

10. CVE-2024-34102

The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3. An app may be able to cause unexpected system termination or write kernel memory.

https://nvd.nist.gov/vuln/detail/CVE-2024-34102

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 22 December 2025

by Amir Hadzipasic
December 22, 2025

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-31133

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

 

 

2. CVE-2025-41253

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

 

 

3. CVE-2025-52472

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

 

 

4. CVE-2025-52565

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

 

 

5. CVE-2025-52881

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-52881

 

 

6. CVE-2025-55449

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-55449

 

 

7. CVE-2025-59287

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

8. CVE-2025-61757

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-61757

 

 

9. CVE-2025-62712

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-62712

 

 

10. CVE-2025-64446

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

https://nvd.nist.gov/vuln/detail/CVE-2025-64446

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 15 December 2025

by Amir Hadzipasic
December 15, 2025

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2025-61757

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-61757

 

 

2. CVE-2025-64446

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-64446

 

 

3. CVE-2025-31133

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-31133

 

 

4. CVE-2025-41253

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-41253

 

 

5. CVE-2025-52472

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52472

 

 

6. CVE-2025-52565

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52565

 

 

7. CVE-2025-52881

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-52881

 

 

8. CVE-2025-55449

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-55449

 

 

9. CVE-2025-59287

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-59287

 

 

10. CVE-2025-62712

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

https://nvd.nist.gov/vuln/detail/CVE-2025-62712

 

1 2 3 30 31
Recent Posts
Recent Comments
    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from - Youtube
    Vimeo
    Consent to display content from - Vimeo
    Google Maps
    Consent to display content from - Google
    Spotify
    Consent to display content from - Spotify
    Sound Cloud
    Consent to display content from - Sound
    Save