
June 15, 2025 |

Weekly threat roundup: M365 Copilot, ConnectWise, SAP, & more


Critical vulnerability in M365 Copilot

Researchers are reporting on a critical vulnerability in Microsoft 365 Copilot, tracked as CVE-2025-32711. The flaw has been assigned a CVSS score of 9.3, and Microsoft applied server-side fixes to it in May. There is no evidence of real-world exploitation, and customers do not need to take any action.

Researchers who disclosed the attack method, dubbed EchoLeak, assigned it to a new class of vulnerabilities called 'LLM Scope Violation'. Such flaws cause a large language model (LLM) to leak privileged internal data without user intent or interaction. Threat actors could abuse the issue to extract sensitive data, such as chat histories, documents, or SharePoint content.


Although reported as the “first known zero-click AI vulnerability,” the underlying exploitation technique described in the report comes down to a prompt injection or command injection in AI systems.

Similar attacks have been demonstrated in research and in smaller-scale AI deployments before EchoLeak. However, those earlier demonstrations required explicit user engagement or were limited in scope and impact. EchoLeak is unique in that it removes the need for almost any user action and targets a high-profile, enterprise-grade AI product.

ConnectWise urgently rotates certificate

ConnectWise is updating its digital signing certificates used in ConnectWise ScreenConnect, Automate, and RMM due to security concerns over how ScreenConnect handled certain configuration data in earlier versions.

The company stated that its current advisory is unrelated to the earlier news that a nation-state actor had compromised ScreenConnect cloud instances of some ConnectWise customers.

ConnectWise customers using on-premises versions of ScreenConnect or Automate are urged to ensure the update has been deployed by June 13 at 8:00 p.m. Updates for ScreenConnect, Automate, and RMM cloud instances will be deployed automatically, and customers need to validate that their agents are running the latest version before the June 13 deadline.

Failure to update may result in disruptions or degraded experience, and leave systems vulnerable to the noted security risks.

ICS Security Patch Day includes max-severity flaw

On June 10, a number of industrial control system (ICS) vendors, including Siemens and Schneider Electric, released security updates for their products.

Siemens’ advisory included a report on multiple vulnerabilities in Palo Alto Networks PAN-OS affecting its RUGGEDCOM APE1808 devices. The issue is rated with a maximum CVSS score of 10 out of 10.

Other critical vulnerabilities, with CVSS scores ranging from 9.8 to 10, affect:

  • RUGGEDCOM APE1808 devices
  • Energy services using Elspec G5DFR
  • RUGGEDCOM ROX II
  • Certain versions of SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP

Schneider Electric addressed medium- to high-severity vulnerabilities in Modicon controllers and the EVLink WallBox electric vehicle charging station. The third-party real-time operating system powering the Insight Home and Insight Facility products has reached end of life, but mitigations are available to reduce the risk of exploitation.

Given the current geopolitical context, ICS systems are an attractive target for hacktivists and nation-state threat actors. We recommend applying the latest updates to these products as soon as possible.

Microsoft Patch Tuesday updates include an exploited flaw

Microsoft’s June Patch Tuesday updates addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.

Researchers drew attention to an issue in Web Distributed Authoring and Versioning (WebDAV), tracked as CVE-2025-33053, that has been abused by an advanced persistent threat (APT) group known as Stealth Falcon, linked to the UAE. This flaw could allow remote execution of malicious code on the affected system.

The publicly disclosed flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client. It could enable elevation of privilege in the Windows SMB client, allowing threat actors to gain SYSTEM privileges on vulnerable devices. The flaw can be mitigated by enforcing server-side SMB signing via Group Policy.

Both flaws were rated as ‘Important’ with a CVSS score of 8.8/10.

Both flaws require user interaction to exploit and, for most organizations, will likely be handled as part of the regular patching cycle. The recommended mitigation for CVE-2025-33073 can be applied before patching.
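The roundup names Group Policy as the way to enforce server-side SMB signing. As an added example (not from the roundup or from Microsoft), the PowerShell script below audits the same setting on a host and, with the -Enforce switch, applies it via the SmbShare cmdlets; the Get-SmbSigningState function and the -Enforce switch are names chosen here, and the script assumes an elevated session on Windows 8/Server 2012 or later.

```powershell
# Added example: audit and optionally enforce server-side SMB signing,
# the mitigation named for CVE-2025-33073. The GPO "Microsoft network
# server: Digitally sign communications (always)" sets the same registry
# value that is read here. Run from an elevated PowerShell session.
param(
    [switch]$Enforce   # without this switch the script only reports
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningState {
    # Hypothetical helper name; combines the live SMB server config with
    # the registry value that Group Policy would write.
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path $regPath -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        EnableSecuritySignature  = $cfg.EnableSecuritySignature
        RegistryValue            = if ($reg) { $reg.RequireSecuritySignature } else { $null }
        Compliant                = [bool]$cfg.RequireSecuritySignature
    }
}

$before = Get-SmbSigningState
Write-Host "Current SMB signing state:"
$before | Format-List

if ($before.Compliant) {
    Write-Host "SMB server signing is already required on $($before.Computer)."
}
elseif ($Enforce) {
    # Requiring signing rejects clients that cannot sign, so pilot this
    # on a test group before rolling it out fleet-wide.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Write-Host "SMB server signing is now required. New state:"
    Get-SmbSigningState | Format-List
}
else {
    Write-Warning "SMB server signing is NOT required on $($before.Computer). Re-run with -Enforce or apply the GPO."
    exit 1
}
```

Non-zero exit on a non-compliant host makes the script usable as a quick fleet check from a remoting loop or a monitoring job.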

June SAP Security Patch Day

SAP Security Patch Day addressed 14 new security issues, including a critical vulnerability, five high-severity flaws, six medium-severity bugs, and two low-severity issues.

The critical issue is tracked as CVE-2025-42989, and affects SAP NetWeaver Application Server for ABAP. It allows a bypass of authorization checks and elevation of privileges. It's been rated with a CVSS score of 9.6.

Researchers noted that organizations applying SAP’s note may need to assign additional S_RFC permissions to some users.

SAP NetWeaver Application Server appears to be an attractive target for threat actors and was observed being exploited earlier this year. We recommend applying the latest updates to this product as soon as possible.

Mirai botnet variants exploit multiple flaws

Two different Mirai botnet variants are exploiting a critical vulnerability (CVSS score of 9.9 out of 10) in the Wazuh Server. The flaw, tracked as CVE-2025-24016, allows for remote code execution on Wazuh servers and affects all versions of the server software from 4.4.0 onward prior to the fix. It was addressed in February 2025 with the release of version 4.9.1, with proof-of-concept (POC) exploit code publicly disclosed around the same time.

If you are running a Wazuh Server version prior to 4.9.1, patch immediately.

Researchers are also reporting that one of the Mirai variants is exploiting vulnerable digital video recorder (DVR) devices from TBK Vision. Threat actors are reportedly taking advantage of a proof-of-concept exploit published in 2024 for a medium-severity flaw (CVSS: 6.3), tracked as CVE-2024-3721. It is unknown whether TBK Vision has patched the flaw.

TBK DVR devices can be managed remotely and may allow remote execution of malicious commands. The devices are rebranded by many manufacturers and may appear under different brand names. As there are no public details on a patch, it would be prudent to contact your DVR provider and confirm that your systems are secured.

Exploits published for Windows Kernel flaws

Researchers published POC exploits for two flaws in the Windows Kernel Transaction Manager driver tm.sys.

The flaws, tracked as CVE-2024-43570 and CVE-2024-43535, allow for elevation of privileges on an already compromised machine, and are rated with medium severity. Such flaws could be leveraged in an exploit chain to obtain access to sensitive internal data, which could result in changes to system settings or installation of malware.

The POC was demonstrated on a Windows 11 Pro 23H2 226321.4169 (September Patch Tuesday update) virtual machine during the OffensiveCon25 conference earlier this year.

If you have the latest Windows updates installed, no action is required. For those running outdated Windows installations, review the list of impacted systems for CVE-2024-43570 and CVE-2024-43535, and apply the latest updates.