Seclog - #151
"In cyber war, even the strongest passwords can fall, but a mind prepared for battle is unbreakable." - The Art of Cyber War
This cybersecurity roundup highlights the significant and growing attack surface of AI/LLM technologies, detailing vulnerabilities such as a Remote Code Execution (RCE) in Ollama via malicious models, a GitHub Copilot Chat plugin flaw (CVE-2025-53773) allowing unauthorized actions, and the "Whisper Leak" side-channel attack capable of inferring topics from encrypted LLM traffic. Alongside these AI-centric risks, the collection details several critical infrastructure vulnerabilities, including a 9.8 CVSS RCE in the React Native CLI (CVE-2025-11953), a 9.1 CVSS SQL Injection in the Django framework (CVE-2025-64459), and a 9.9 CVSS HTTP Request Smuggling flaw in ASP.NET Kestrel (CVE-2025-55315). The summary also covers real-world attack analyses, such as a sophisticated hotel phishing campaign using stolen credentials and a deep dive into Clop ransomware operations, while rounding out with updates on security tools, the KubeVirt platform's critical file access vulnerability, and industry shifts like the 2025 OWASP Top 10 update.
📚 SecMisc #
Optimize Your Brain for Learning
Recognize that cognitive capacity for deep learning is a finite resource, similar to physical endurance.
Over-exertion on tasks requiring intense focus diminishes subsequent ability to absorb complex information or sustain effort.
The SANS Internet Storm Center DShield API provides programmatic access to threat intelligence data.
Security professionals can leverage this API for integrating DShield's insights into automated threat analysis or SIEM systems.
Check Server Post-Quantum Readiness
Quantum computers pose a future threat to current encryption standards, necessitating the adoption of Post-Quantum Cryptography (PQC).
QCReady offers a utility to assess server readiness for PQC, identifying whether TLS implementations support next-generation secure protocols.
📰 SecLinks #
Brief Backup Exposure Leads to Breach
Even transient exposure of database backup files, measured in seconds or minutes, creates sufficient opportunity for attackers to exfiltrate critical data.
This emphasizes the extreme sensitivity of backup files and the need for immediate, secure storage and tight access controls upon creation.
Unauthenticated RCE in UniFi OS
A critical vulnerability (CVE-2025-52665) in UniFi OS allows unauthenticated Remote Code Execution, compromising UDM series routers.
The exploit chain leveraged insecure design patterns across unauthenticated APIs, specifically tracing the "backup/export" functionality.
This highlights the risk of exposed internal API routes and how seemingly innocuous functions can be chained for full system compromise without credentials.
Ollama RCE via Malicious Models
Ollama versions prior to 0.7.0 are vulnerable to Remote Code Execution when an attacker with API access loads a malicious model.
The vulnerability is critical as it leverages the client-server architecture and the model runner process, allowing arbitrary code execution.
This highlights the supply chain risks associated with AI models, where malicious payloads can be embedded within seemingly functional artifacts.
Hugging Face Enhances AI Security
Hugging Face is collaborating with VirusTotal to improve the security of its vast repository of 2.2 million AI model artifacts.
AI models are complex digital assets that can contain hidden risks within binary files, serialized data, and dependencies.
This partnership aims to mitigate supply chain risks in the AI ecosystem by scanning shared assets for malicious components.
Chrome Deprecates XSLT for Security
Google Chrome is deprecating XSLT support to enhance browser security.
This removal addresses potential attack surfaces and simplifies the browser's codebase, reducing the risk of future vulnerabilities.
Evolving AI Red Teaming Techniques
AI red teaming requires advanced techniques, including strategic combinations of policy manipulation, role-playing, and encoding methods, as basic malicious prompts are now rejected by sophisticated AI.
Syntactic Anti-Classifiers and prompt boundaries remain effective tools for performing AI jailbreaks against current safeguards.
This indicates a continuous cat-and-mouse game where attack sophistication must match increasing AI defensive capabilities.
"Cyberslop": AI Threat Exaggeration for Profit
The term "cyberslop" critiques the practice of leveraging perceived expertise to make exaggerated or baseless claims about generative AI cyber threats for financial gain.
This highlights a growing concern within the security community regarding the responsible communication of AI-related risks and the potential for fear-mongering.
AI-Annotated Codebase Understanding with Codemaps
Cognition AI introduces "Windsurf Codemaps," AI-annotated structured maps of code, powered by advanced LLMs like SWE-1.5 and Claude Sonnet 4.5.
Codemaps aim to provide hyper-contextualized codebase understanding and precise code navigation, potentially assisting security auditors in comprehending complex systems.
Critical RCE in React Native CLI
CVE-2025-11953 is a critical (CVSS 9.8) RCE vulnerability in the @react-native-community/cli NPM package, affecting millions of weekly downloads.
This flaw allows remote, unauthenticated attackers to execute arbitrary OS commands on developer machines running the React Native development server.
The vulnerability is exacerbated by a separate security issue in React Native's core that exposes the development server to external network attacks, transforming a local exploit into a critical remote one.
KubeVirt Security Audit Methodology
Quarkslab conducted a security audit of KubeVirt, employing a comprehensive methodology including threat modeling, static analysis, dynamic testing, and fuzzing campaigns.
This structured approach aims to identify vulnerabilities and strengthen the security posture of critical open-source projects.
The audit highlights the importance of independent security assessments for projects like KubeVirt, which manage virtual machines within Kubernetes.
Inside the Great Firewall Infrastructure
An in-depth analysis based on a 500GB GFW data dump reveals the intricate technical infrastructure, operational logic, and strategic design of China's censorship and surveillance ecosystem.
The research provides an unprecedented reconstruction of the digital control apparatus, including internal network diagrams and control logs.
This offers critical insights into state-sponsored internet censorship mechanisms and their underlying technologies.
Critical SQLi in Django Framework
A critical SQL Injection vulnerability (CVE-2025-64459, CVSS 9.1) affects Django, enabling unauthorized data access, authentication bypass, or privilege escalation.
Attackers can exploit this by injecting internal query parameters (_connector, _negated) into user-controlled input passed to filter(), exclude(), or get() methods.
The high impact, low attack complexity, and unauthenticated exploitability necessitate immediate upgrade to Django versions 5.2.8, 5.1.14, or 4.2.26.
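The pattern the advisory describes is user-controlled keyword arguments reaching filter(), exclude() or get() unfiltered. Upgrading to the fixed Django releases is the remedy; as an added defence-in-depth illustration (not code from the advisory or from the Django project), the helper below allow-lists the field names and lookup suffixes a view is willing to accept before anything is unpacked into the ORM. The field names, lookup set and the Book model in the usage comment are hypothetical.

```python
# Added example (not from the Django advisory or the Django project): an
# allow-list applied to user-supplied ORM lookup kwargs before they reach
# filter()/exclude()/get(). Internal query parameters such as _connector and
# _negated, relation traversals and unexpected lookups are all rejected.
import re

class UnsafeLookupError(ValueError):
    """A user-supplied lookup key was not on the allow-list."""

# Hypothetical model fields a view is willing to filter on.
ALLOWED_FIELDS = {"title", "author", "published_at"}
# Django lookup suffixes the view is willing to expose.
ALLOWED_LOOKUPS = {"exact", "iexact", "contains", "icontains", "gt", "lt"}

_FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*$")

def sanitize_filter_kwargs(user_kwargs: dict) -> dict:
    """Return a copy of user_kwargs containing only allow-listed lookups.

    Raises UnsafeLookupError on the first key that is not acceptable, so a
    request carrying even one smuggled parameter is refused outright.
    """
    clean = {}
    for key, value in user_kwargs.items():
        if not isinstance(key, str):
            raise UnsafeLookupError(f"non-string key {key!r}")
        if key.startswith("_"):
            # _connector, _negated and friends are never legitimate user input.
            raise UnsafeLookupError(f"internal parameter {key!r} rejected")
        parts = key.split("__")
        if len(parts) > 2:
            # No relation traversal (author__profile__email) from user input.
            raise UnsafeLookupError(f"nested lookup {key!r} rejected")
        field = parts[0]
        lookup = parts[1] if len(parts) == 2 else None
        if not _FIELD_RE.match(field) or field not in ALLOWED_FIELDS:
            raise UnsafeLookupError(f"field {field!r} not allow-listed")
        if lookup is not None and lookup not in ALLOWED_LOOKUPS:
            raise UnsafeLookupError(f"lookup {lookup!r} not allow-listed")
        clean[key] = value
    return clean

def is_safe_filter(user_kwargs: dict) -> bool:
    """Convenience predicate: True if every key passes the allow-list."""
    try:
        sanitize_filter_kwargs(user_kwargs)
        return True
    except UnsafeLookupError:
        return False

# Intended use inside a view (Book is a hypothetical model):
#   Book.objects.filter(**sanitize_filter_kwargs(request.GET.dict()))
```

The check deliberately fails closed: an unknown field, an extra `__` segment or a leading underscore rejects the whole request rather than silently dropping the offending key, which keeps the refusal visible in logs.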
Copilot Chat Plugin Vulnerability
The GitHub Copilot Chat plugin for VS Code, which enables LLM agents to interact with the workspace via tool calls, introduced vulnerabilities like CVE-2025-53773.
Attackers can instruct the agent to modify a user's settings.json file, enabling autonomous tool execution and bypassing explicit approval mechanisms.
This highlights the security risks of AI agents interacting with host system configurations, potentially leading to unauthorized operations.
Hotel Credential Theft Phishing Campaign
A sophisticated phishing campaign targets hospitality customers, leveraging stolen credentials from hotels to send highly credible fraudulent communications via email or WhatsApp.
The initial compromise likely involved infostealing malware deployed on hotel establishments, leading to the theft of access to booking platforms like Booking.com and Expedia.
This demonstrates a multi-stage attack where initial credential theft is leveraged to facilitate more convincing and effective customer-targeted banking fraud.
Dissecting Clop Ransomware Operations
Clop (Cl0p), a prominent Russian-linked ransomware group operating since 2019, has extorted over $500M and is known for targeting corporate and private networks.
The group has utilized 0-day exploits, such as an Oracle E-Business Suite vulnerability (CVE-2025-61882), to gain initial access.
This analysis provides insights into the operational tactics, origins, and technical indicators of a major ransomware threat actor.
The OWASP Top 10 for 2025 introduces two new categories and one consolidation, aiming to focus more on root causes of vulnerabilities rather than just symptoms.
This update reflects the evolving landscape of web application security risks and provides an updated framework for developers and security professionals.
PHP Cryptomining Campaign Activity
A significant ramp-up in cryptomining exploitation attempts against PHP and PHP-based frameworks was observed from August to November 2025, showing seven distinct attack patterns.
A large portion of attacking IPs originate from major cloud providers (Cloudflare, DigitalOcean, Google), indicating compromised VMs, misconfigured services, or rented infrastructure used for large-scale mining operations.
This highlights the ongoing threat of cryptomining via web exploits and the abuse of cloud resources for illicit activities.
Mercari Adopts Passkeys for Phishing Resistance
Mercari, a comprehensive consumer service ecosystem, is enhancing account security by implementing passkeys for phishing resistance.
This adoption of advanced authentication methods improves protection for users across its integrated services, including marketplace, payment, and crypto exchange.
Whisper Leak: LLM Side-Channel Attack
Microsoft discovered "Whisper Leak," a novel side-channel attack capable of inferring remote language model conversation topics.
This attack is effective even when traffic is end-to-end encrypted with TLS, by observing network traffic patterns.
It highlights new vectors for data leakage in LLM deployments, requiring attention to network telemetry beyond just content encryption.
Critical Request Smuggling in ASP.NET Kestrel
A critical HTTP request smuggling vulnerability (CVE-2025-55315, CVSS 9.9) was discovered in ASP.NET Core's Kestrel server.
The exploit leverages malformed chunked transfer encoding extensions, specifically the acceptance of control characters like \n or \r within chunk extension names, which violates RFC 9112.
This vulnerability represents a significant risk for ASP.NET Core deployments, enabling attackers to bypass security controls and access sensitive information.
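Request smuggling of this kind works because two parsers disagree about where a chunk line ends. As an added example (not Kestrel's code and not from the advisory), the decoder below applies the RFC 9112 grammar strictly: a chunk-size line must contain no bare CR, LF or other control byte, chunk-ext-name must be a token, and chunk-data must be followed by exactly CRLF. The sample bodies are constructed for the demonstration.

```python
# Added example (not Kestrel's implementation): a strict chunked-body decoder
# that rejects control characters inside chunk extensions, the defect class
# described for CVE-2025-55315. Grammar follows RFC 9112 section 7.1:
#   chunk      = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   chunk-ext  = *( BWS ";" BWS chunk-ext-name [ BWS "=" chunk-ext-val ] )
import re

class ChunkParseError(ValueError):
    """The body is not well-formed chunked encoding; reject the request."""

_HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# token = 1*tchar (RFC 9110)
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# quoted-string, returned with its quotes intact
_QUOTED_RE = re.compile(r'"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"')

def _reject_control_bytes(line: bytes, what: str) -> None:
    # A lenient parser that tolerates a bare \n or \r here lets a front-end
    # and back-end see different chunk boundaries; refuse all of them.
    for b in line:
        if (b < 0x20 and b != 0x09) or b >= 0x7F:
            raise ChunkParseError(f"control byte 0x{b:02x} in {what}")

def parse_chunk_line(line: bytes):
    """Parse 'chunk-size [chunk-ext]' (CRLF already stripped by the caller)."""
    _reject_control_bytes(line, "chunk line")
    text = line.decode("ascii")
    m = _HEX_RE.match(text)
    if not m:
        raise ChunkParseError("missing hexadecimal chunk-size")
    size = int(m.group(0), 16)
    rest = text[m.end():]
    exts = []
    while True:
        rest = rest.lstrip(" \t")            # BWS before ';'
        if not rest:
            break
        if rest[0] != ";":
            raise ChunkParseError(f"unexpected {rest[0]!r} after chunk-size")
        rest = rest[1:].lstrip(" \t")        # BWS after ';'
        m = _TOKEN_RE.match(rest)
        if not m:
            raise ChunkParseError("chunk-ext-name must be a token")
        name, rest = m.group(0), rest[m.end():]
        value = None
        after = rest.lstrip(" \t")           # BWS before '='
        if after.startswith("="):
            rest = after[1:].lstrip(" \t")   # BWS after '='
            m = _QUOTED_RE.match(rest) or _TOKEN_RE.match(rest)
            if not m:
                raise ChunkParseError("chunk-ext-val must be token or quoted-string")
            value, rest = m.group(0), rest[m.end():]
        exts.append((name, value))
    return size, exts

def decode_chunked(data: bytes):
    """Return (body, bytes_consumed); trailing bytes are not silently ignored."""
    out, pos = bytearray(), 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkParseError("chunk line not CRLF-terminated")
        size, _exts = parse_chunk_line(data[pos:end])
        pos = end + 2
        if size == 0:
            while True:                      # trailer section, ends at empty line
                end = data.find(b"\r\n", pos)
                if end < 0:
                    raise ChunkParseError("unterminated trailer section")
                if end == pos:
                    return bytes(out), end + 2
                _reject_control_bytes(data[pos:end], "trailer field")
                pos = end + 2
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkParseError("truncated chunk-data")
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkParseError("chunk-data not followed by CRLF")
        pos += 2
        out += chunk

def is_rejected(data: bytes) -> bool:
    """True if the strict decoder refuses the body."""
    try:
        decode_chunked(data)
        return False
    except ChunkParseError:
        return True

# Constructed samples: a well-formed body and one with a bare LF in an extension name.
GOOD_BODY = b"4;name=value\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BAD_EXT_BODY = b"4;na\nme\r\nWiki\r\n0\r\n\r\n"
```

Returning the number of bytes consumed matters for detection: a body that decodes cleanly but leaves unconsumed bytes is the signature of a second request being smuggled behind the first, and a proxy can log or drop it rather than forward the remainder.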
🐦 SecX #
Web Security vs. Binary Exploitation
This X thread likely discusses the contrasting approaches, skill sets, and typical challenges involved in web security versus binary exploitation.
It provides a high-level comparison for security professionals to understand the different domains of vulnerability research and defense.
🎥 SecVideo #
Pegasus Spyware: Tracking Continues
This video likely discusses the ongoing prevalence and impact of Pegasus spyware despite legal actions against its developer.
It highlights the persistent threat of state-sponsored surveillance and the challenges in protecting individuals from sophisticated mobile compromises.
💻 SecGit #
KubeVirt Arbitrary Host File Access
KubeVirt is susceptible to vulnerabilities allowing arbitrary host file read and write operations.
This is a critical privilege escalation issue, enabling guest VMs to manipulate the underlying host filesystem.
Burp TLS Fingerprint Bypass Extension
This Burp Suite extension mutates TLS ciphers to circumvent bot detection systems that rely on TLS fingerprinting.
Security testers can use this tool to bypass WAFs or other protective measures that detect automated tools based on TLS client characteristics.
The cdn-proxy tool facilitates bypassing CDN and WAF restrictions through CDN re-fronting techniques.
This resource is valuable for red teamers and penetration testers seeking to circumvent network perimeter controls.
FFmpeg Assembly Language Lessons
This GitHub repository provides educational lessons on assembly language specifically tailored for FFmpeg development.
It's a valuable resource for reverse engineers and low-level security researchers analyzing multimedia processing.
Enjoyed this post? Subscribe to Seclog for more in-depth security analysis and updates.