Researchers Find Critical Zero-Day Vulnerabilities in Foxit and Apryse PDF Platforms  PDF files are often seen as simple digital documents, but recent research shows they have evolved into complex software environments that can expose corporate systems to cyber risks. Modern PDF tools now function more like application platforms than basic viewers, potentially giving attackers pathways into private networks.  A study by Novee Security examined two widely used platforms, Foxit and Apryse. Released on February 18, 2026, the report identified 13 categories of vulnerabilities and 16 potential attack paths that could allow systems to be compromised.  Researchers say these issues are more than minor bugs. Some zero-day flaws could allow attackers to run commands on backend servers or take over user accounts without needing to compromise a browser or operating system. To find the vulnerabilities, analysts first identified common patterns that signal security weaknesses. These patterns were then used to train an AI system that scanned large volumes of code much faster than manual review alone.  By combining human insight with automated analysis, the system detected several high-impact issues that conventional scanning tools might miss. One major flaw appeared in Foxit’s digital signature server, which verifies electronically signed documents. Some of the most serious findings involve one-click exploits where simply opening a document or loading a link can trigger malicious activity. Vulnerabilities CVE-2025-70402 and CVE-2025-70400 affect Apryse WebViewer by allowing the software to trust remote configuration files without proper validation, enabling attackers to run malicious scripts.  Another flaw, CVE-2025-70401, showed that malicious code could be hidden in the “Author” field of a PDF comment and executed when a user interacts with it. Researchers also identified CVE-2025-66500, which affects Foxit browser plugins. In this case, manipulated messages could trick the plugin into running harmful scripts within the application. Testing further showed that certain weaknesses could allow attackers to send a simple request that triggers command execution on a server, granting unauthorized access to parts of the system.  These vulnerabilities highlight how small interactions or overlooked behaviors can lead to significant security risks. Experts say the core problem lies in how modern PDF platforms are built. Many now rely on web technologies such as iframes and server-side processing, yet organizations still treat PDF files as harmless static documents. This mismatch can create “trust boundary” failures where software accepts external data without sufficient validation.  Both vendors were notified before the research was published, and the vulnerabilities were assigned official CVE identifiers to support patching efforts. The findings highlight how document-processing systems—often overlooked in security planning—can become complex attack surfaces if not properly secured.

Researchers Find Critical Zero-Day Vulnerabilities in Foxit and Apryse PDF Platforms #criticalvulnerabilities #CyberAttackers #CyberHijack

Critical FreePBX Vulnerabilities Expose Authentication Bypass and Remote Code Execution Risks  Researchers at Horizon3.ai have uncovered several security vulnerabilities within FreePBX, an open-source private branch exchange platform. Among them, one severity flaw could be exploited to bypass authentication if very specific configurations are enabled. The issues were disclosed privately to FreePBX maintainers in mid-September 2025, and the researchers have raised concerns about the exposure of internet-facing PBX deployments.   According to Horizon3.ai's analysis, the disclosed vulnerabilities affect several FreePBX core components and can be exploited by an attacker to achieve unauthorized access, manipulate databases, upload malicious files, and ultimately execute arbitrary commands. One of the most critical finding involves an authentication bypass weakness that could grant attackers access to the FreePBX Administrator Control Panel without needing valid credentials, given specific conditions. This vulnerability manifests itself in situations where the system's authorization mechanism is configured to trust the web server rather than FreePBX's own user management.  Although the authentication bypass is not active in the default FreePBX configuration, it becomes exploitable with the addition of multiple advanced settings enabled. Once these are in place, an attacker can create HTTP requests that contain forged authorization headers as a way to provide administrative access. Researchers pointed out that such access can be used to add malicious users to internal database tables effectively to maintain control of the device. The behavior greatly resembles another FreePBX vulnerability disclosed in the past and that was being actively exploited during the first months of 2025.   Besides the authentication bypass, Horizon3.ai found various SQL injection bugs that impact different endpoints within the platform. These bugs allow authenticated attackers to read from and write to the underlying database by modifying request parameters. Such access can leak call records, credentials, and system configuration data. The researchers also discovered an arbitrary file upload bug that can be exploited as part of having a valid session identifier, thus allowing attacks to upload a PHP-based web shell and use command execution against the underlying server.  This can be used for extracting sensitive system files or establishing deeper persistence. Horizon3.ai noted that the vulnerabilities are fairly low-complexity to exploit and may enable remote code execution by both authenticated and unauthenticated attackers, depending on which endpoint is exposed and how the system is configured. It added that the PBX systems are an attractive target because such boxes are very exposed to the internet and also often integrated deeply into critical communications infrastructure. The FreePBX project has made patches available to address the issues across supported versions, beginning the rollout in incremental fashion between October and December 2025. In light of the findings, the project also disabled the ability to configure authentication providers through the web interface and required administrators to configure this setting through command-line tools. Temporary mitigation guidance issued by those impacted encouraged users to transition to the user manager authentication method, limit overrides to advanced settings, and reboot impacted systems to kill potentially unauthorized sessions. Researchers and FreePBX maintainers have called on administrators to check their environments for compromise-especially in cases where the vulnerable authentication configuration was enabled.  While several vulnerable code paths remain, they require security through additional authentication layers. Security experts underscored that, whenever possible, legacy authentication mechanisms should be avoided because they offer weaker protection against exploitation. The incident serves as a reminder of the importance of secure configuration practices, especially for systems that play a critical role in organizational communications.

Critical FreePBX Vulnerabilities Expose Authentication Bypass and Remote Code Execution Risks #Criticalsecurityflaw #criticalvulnerabilities #CyberSecurity

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse  A newly discovered exploit has revealed a critical vulnerability in SentinelOne’s endpoint detection and response (EDR) system, allowing cybercriminals to bypass its tamper protection and deploy the Babuk ransomware. The method, identified as a “Bring Your Own Installer” technique, was uncovered by John Ailes and Tim Mashni from Aon’s Stroz Friedberg Incident Response team during a real-world ransomware case investigation.  The core issue lies in how the SentinelOne agent handles updates. When an agent is upgraded, the existing version is momentarily stopped to make way for the new one. Threat actors have figured out how to exploit this transition window by launching a legitimate SentinelOne installer and then terminating it mid-process. This action disables the EDR protection temporarily, leaving the system vulnerable long enough to install ransomware or execute malicious operations without being detected.   Unlike traditional bypasses that rely on third-party drivers or hacking tools, this method takes advantage of SentinelOne’s own software. Once the process is interrupted, the system loses its protection, allowing the attackers to act with impunity. Ailes stressed that the bypass can be triggered using both older and newer agent versions, putting even up-to-date deployments at risk if specific configuration settings are not enabled. During their investigation, the team observed how the targeted device disappeared from the SentinelOne management console shortly after the exploit was executed, signaling that the endpoint had become unmonitored.  The attack was effective across multiple versions of the software, indicating that the exploit isn’t tied to a particular release. To mitigate this risk, SentinelOne recommends activating a feature called “Online Authorization” (also referred to as Local Upgrade Authorization). This setting ensures that any attempt to upgrade, downgrade, or uninstall the agent must first be approved via the SentinelOne management console.  Although this option exists, it is not enabled by default for existing customers, largely to maintain compatibility with deployment tools like Microsoft’s System Center Configuration Manager. Since the vulnerability was disclosed, SentinelOne has taken steps to notify customers and is now enabling the protective setting by default for new installations.  The company also confirmed sharing the findings with other major EDR providers, recognizing that similar techniques could potentially impact their platforms as well. While the current exploit does not affect SentinelOne when configured correctly, the case serves as a stark reminder of the importance of security hardening, particularly in the tools meant to defend against sophisticated threats.

SentinelOne EDR Exploit Allows Babuk Ransomware Deployment Through Installer Abuse #Babuk #BabukRansomware #criticalvulnerabilities

SAP Patches Critical Vulnerabilities in NetWeaver SAP has released 14 security notes on January 2025 Patch Day, including two addressing critical vulnerabilities in NetWeaver.

SAP Patches Critical Vulnerabilities in NetWeaver
www.securityweek.com/sap-patches-...

#Infosec #Security #Cybersecurity #CeptBiro #SAP #CriticalVulnerabilities #NetWeaver

The Top 5 Kubernetes CVEs of 2024: Have You Patched Them Yet? Staying up-to-date on the latest vulnerabilities impacting the Kubernetes ecosystem can be difficult, in part because of the diverse K8s attack surface.

Keeping up to date with high and #criticalvulnerabilities related to #Kubernetes can be challenging for a variety of reasons. Learn about the top 5 #k8s #vulnerabilities of 2024 and how a managed Kubernetes-as-a-Service provider minimizes risk:
www.fairwinds.com/blog/the-top...

Critical vulnerabilities persist in high-risk sectors - Help Net Security The finance and insurance industry (FSI) had the highest number of critical vulnerabilities across all site complexities.

Critical vulnerabilities persist in high-risk sectors
www.helpnetsecurity.com/2024/11/15/f...
#Infosec #Security #Cybersecurity #CeptBiro #CriticalVulnerabilities #HighRiskSectors

CVE-2024-0132 (CVSS 9.0): Critical Vulnerabilities Found in NVIDIA Container Toolkit
securityonline.info/cve-2024-013...
#Infosec #Security #Potatosecurity #CeptBiro #CriticalVulnerabilities #NVIDIAContainerToolkit

CVE-2024-0132 (CVSS 9.0): Critical Vulnerabilities Found in NVIDIA Container Toolkit Protect your organization from cyber threats with the latest NVIDIA Container Toolkit security patch. Learn about CVE-2024-0132 and how to prevent unauthorized access.

CVE-2024-0132 (CVSS 9.0): Critical Vulnerabilities Found in NVIDIA Container Toolkit
securityonline.info/cve-2024-013...
#Infosec #Security #Cybersecurity #CeptBiro #CriticalVulnerabilities #NVIDIAContainerToolkit

Binarly Transparency Platform 2.5 identifies critical vulnerabilities before they can be exploited - Help Net Security The Binarly Transparency Platform 2.5 empowers organizations with the tools to proactively mitigate firmware and software security issues.

Binarly Transparency Platform 2.5 identifies critical vulnerabilities before they can be exploited
www.helpnetsecurity.com/2024/09/05/b...
#Infosec #Security #Cybersecurity #CeptBiro #BinarlyTransparencyPlatform2.5 #CriticalVulnerabilities