Pentagon rules sharply limit US Marines and National Guard activity in Los Angeles, prohibiting arrests, surveillance, and other customary police work.

For the first time in decades, active-duty US Marines are rolling into Los Angeles—not for disaster relief or training drills, but to guard federal buildings during a protest crackdown that legal experts say threatens long-standing limits on military power at home.

The deployment, announced by President Donald Trump on Monday, involves more than 700 Marines from the 2nd Battalion, 7th Regiment of the 1st Marine Division, based at Camp Pendleton and Twentynine Palms. Mobilized under Title 10 orders, the Marines have been commanded to protect federal property and personnel from mounting protests over aggressive immigration raids and neighborhood sweeps. It is a rare and forceful use of federal military power on US soil.

The mobilization follows Trump’s June 7 order that federalized as many as 4,000 California national guardsmen, overriding the objections of state officials and igniting a high-stakes legal fight.

A US district judge on Thursday ordered Trump to return control of the guardsmen to the state of California, saying the takeover was unlawful, only likely to inflame tensions in the city, and had deprived the state of resources necessary “to fight fires, combat the fentanyl trade, and perform other critical functions.” The injunction was quickly stayed, however, by a federal appeals court, pending a hearing next week.

Protests began Friday in Westlake, an immigrant-heavy neighborhood near downtown LA, where residents rallied in response to sweeping ICE raids that targeted day laborers outside local businesses. Demonstrators marched, held signs, and chanted for several hours before tensions escalated after police declared an unlawful assembly and advanced on the crowd. LAPD officers and federal agents deployed a range of crowd control weapons, including batons, tear gas, pepper spray, and flash-bang grenades. Reports from journalists and observers describe nonviolent protesters—and members of the press—being struck by rubber bullets and stun devices during the crackdown.

Widespread protests are expected in LA and at some 2,000 other locations around the US this weekend.

While the president holds broad emergency powers, legal scholars say that without invoking the Insurrection Act—a statute that permits domestic troop deployments only in cases of a rebellion or civil rights violations—federal law sharply limits what active-duty forces can do. Marines may not act as a _posse comitatus_, or function as law enforcement. They're barred from conducting surveillance and, in general, crowd control, as well as _officially_ arresting people, and may otherwise only support police in narrowly defined ways, according to Defense Department rules.

Pentagon directives governing “civil disturbance operations” reinforce these limits. Federal troops are prohibited from arresting civilians, searching property, and collecting evidence. They may not conduct surveillance of US persons. That includes not just individuals but vehicles, locations, and “transactions.” They may not serve as undercover agents, informants, or interrogators. Unless a crime is committed by a service member or on military property, Title 10 forces are likewise banned from engaging in any kind of forensics for the benefit of civilian police—unless they are willing to put in writing that such evidence was obtained by consent.

US Northern Command, which oversees military support to nonmilitary authorities in the contiguous 48 states, said Friday that Marines would not conduct “arrests” but are authorized to "temporarily hold" people in "specific circumstances" until police arrive to make a _formal_ arrest. The clarification follows the emergence of a video showing Marines in LA detaining a civilian with plastic handcuffs before awaiting police—the first known instance of such an action during the current deployment.

There are numerous other scenarios in which the military can provide assistance to police, including by giving them “information” obtained “in the normal course” of their duties, unless applicable privacy laws prohibit it. Military members can also provide police with a wide variety of assistance so long as it’s in a “private capacity” and they’re off duty. Additionally, they can provide “expert advice,” so long as it doesn’t count as serving a function core to civilian police work.

The Department of Defense did not immediately respond to a request for comment; however, a staff member in the Office of the Under Secretary of Defense for Policy confirmed for WIRED by phone the current set of policies under which deployed federal troops must operate.

There is one major caveat to the military’s restrictions. During an “extraordinary emergency,” military commanders may take limited, immediate action to prevent massive destruction or to restore critical public services, but only so long as presidential approval is “impossible” to obtain in advance. And while military personnel are naturally expected to maintain order and discipline at all times, under no circumstances are they required to stand down when their lives, or the lives of others, are in immediate danger.

Still, enforcement of these rules in the field is far from guaranteed. Legal experts warn that adherence often varies in chaotic environments. Trump administration officials have also demonstrated a willingness to skirt the law. Last week, homeland security secretary Kristi Noem asked the Pentagon to authorize military assistance in conducting arrests and to deploy drone surveillance, according to a letter obtained by The San Francisco Chronicle—a move experts say directly contradicts standing legal prohibitions.

At a press conference on Thursday, Noem stated the federal government was on a mission to “liberate” Los Angeles from “socialists” and the “leadership” of California governor Gavin Newsom and LA mayor Karen Bass. US Senator Alex Padilla, who represents the citizens of California, was forcibly removed from the press conference after attempting to question Noem. Outside the press conference room, federal agents forced the senator to the ground, where he was temporarily placed in handcuffs.

Unlike the National Guard, which is well trained for domestic crowd control, active-duty Marines generally receive relatively little instruction in handling civil unrest. Those who do typically belong to military police or specialized security units. Nonetheless, the Marine Corps has published footage online showing various task forces training with riot-control tactics and “nonlethal” weapons. Constitutional concerns do not arise, however, when Marines face off against foreign mobs—such as in civilian zones during the Afghanistan war or on the rare occasion protesters breach the perimeter of a US embassy. And wartime rules of engagement are far more lenient than the rules of force by which Marines must adhere domestically.

In a statement on Wednesday, Northern Command confirmed the Marines had undergone training in all “mission essential tasks,” including “de-escalation” and “crowd control.” They will reportedly be accompanied by legal and law enforcement experts.

Constitutional experts warn that deploying military forces against civilian demonstrators blurs the line between law enforcement and military power, potentially setting a dangerous precedent for unchecked presidential authority. The risk deepens, they say, if federal troops overstep their legal bounds.

If lines are crossed, it could open a door that may not close easily—clearing the way for future crackdowns that erode Americans’ hard-won civil liberties.

_Updated 7:40 pm ET, June 13, 2025: This story has been updated to include details about the first known arrest in 2025 of a protester by US Marines._

Here’s What Marines and the National Guard Can (and Can’t) Do at LA Protests

In this week's edition, Bill explores the importance of self-awareness and building repeatable processes to better secure your environment.

Thursday, June 12, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

This week, I'm coming to you from Cisco Live in San Diego where I've just talked to a room that some of you may have been in, so writing this feels a bit surreal. It's really hard to try and write a cogent newsletter with all that's happening in the world, some directly outside my door. To purposefully butcher Charles Dickens, "It was the worst of times, it was the even worse times." Nevertheless, I'm persisting.  

I've had great conversations with so many smart people this week, but I was reminded once again that the most important tool you can leverage in protecting and securing your environment is knowing your environment and knowing yourself.  

Knowing your environment can and should be tooled and processed so that it can be repeatable. Continuing to know your environment requires constant vigilance and effort. Knowing yourself requires a level of introspection that is hard — and honestly, sometimes I just lift the rug and sweep my issues under it when I can't tackle that negativity.  

I'll give you an excellent example: every single thing I write would get flagged as AI. Everything. Why? I use an em dash (“—”) for roughly every four words I write — sometimes more, if I let it fly. It's clear that I could never go back to school successfully, despite the comedy gold that it would produce. For those of you old enough to remember “Back to School” with Rodney Dangerfield, I think you can imagine. I don't even want to talk about my kludgy code. Sure, it runs, but at what cost? 

So my advice? Do as I say, not as I do. Learn everything about your environment in a repeatable way, with a clear and documented process. Then analyze your own weaknesses in your work — let's not try to make miracles happen — and identify chances for you to learn, fill the gaps in your skill set and then do it all over again. The bad guys are really good at learning your environment; make it as hard for them as you can. 

**The one big thing **

Cisco Talos recently disclosed several vulnerabilities across various software, including catdoc, Parallel, NVIDIA and High-Logic FontCreator. While most vulnerabilities were patched by their respective vendors, catdoc posed an exception as the vendor was unreachable, prompting Talos to provide patches directly.

**Why do I care? **

These vulnerabilities highlight risks in widely used software, potentially exposing systems to attacks such as privilege escalation, memory corruption and data leaks. Understanding these risks is crucial to protect your systems. 

**So now what? **

If you use these programs, update them immediately with the latest patches to protect yourself.  If you're on a security team, grab the latest Snort rules to detect possible exploits and keep an eye out for suspicious activity.  And if you're a developer, take notes from these vulnerabilities to strengthen your own code and avoid similar pitfalls in your projects. Security is everyone’s job!

**Top security headlines of the week **

**NHS in England calls for blood donors after ransomware attack**  
The UK’s National Health Service (NHS) is calling for one million donors after a Qilin ransomware attack last summer caused a severe shortage of O-negative blood. (Cybernews) 

**Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack**  
North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders. (The Register) 

**Google fixes bug that could reveal users’ private phone numbers**   
A security researcher has discovered a bug that could be exploited to reveal the private recovery phone number of almost any Google account without alerting its owner, potentially exposing users to privacy and security risks. (TechCrunch) 

**SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords**   
Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. (The Hacker News)

**Can’t get enough Talos? **

**Microsoft Patch Tuesday for June 2025**   
Microsoft has released its monthly security update, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” Read the blog here.

**PathWiper targeting Ukrainian critical infrastructure**   
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “PathWiper.” Learn more.

**Upcoming events where you can find Talos **

*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515   
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
Typical Filename: IMG001.exe   
Claimed Product: N/A   
Detection Name: Win.Dropper.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection   

**SHA256 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F**   
MD5: 44d88612fea8a8f36de82e1278abb02f   
VirusTotal: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection  
Typical Filename: eicar.com-42987   
Detection Name: eicarTestFile

Know thyself, know thy environment

Waymo driverless taxis capture troves of video footage in order to operate, but the company reveals very little about how much data is stored—and for how long.

Thousands of people across the United States poured into the streets this week to protest the Trump administration’s immigration policies, joining a nationwide wave of resistance that began in Los Angeles. One of the most widely shared images from the city, where federal authorities have sent almost 5,000 active-duty Marines and National Guard members, is of five Waymo robotaxis that were vandalized and set on fire. The incident has become one of the most recognizable symbols of the demonstrations so far, and prompted Waymo to temporarily shut off service in several parts of the city as well as parts of San Francisco on Monday.

The charred Waymo cars have also raised fresh questions about what kinds of technology authorities can use to surveil protesters and potentially collect evidence to make arrests. According to Waymo’s website, its latest driverless cars have 29 external cameras, providing “a simultaneous 360° view around the vehicle,” as well as an unknown number of internal ones.

Over the past several years, Waymo has repeatedly shared video footage with police after receiving formal legal requests. But it’s not clear how often the self-driving company, which is owned by Google’s parent organization Alphabet, complies with these demands. Unlike Google, Waymo doesn’t disclose the number of legal requests it receives nor how it responds to them. When police do obtain footage, they could also combine it with other technology—like face recognition or nonbiometric tools for finding and tracking people in videoclips—to identify possible criminal suspects.

Waymo spokesperson Sandy Karp tells WIRED that the company's general policy is to challenge data requests that are overly broad or lack sound legal basis, but it doesn’t disclose or comment on specific cases. Karp pointed to Waymo’s privacy policy, which acknowledges that the company may share user data to comply with laws and governmental requests. A separate support page for Waymo One, the dedicated app for its robotaxi service, notes that the company “may share certain data with law enforcement as needed to comply with legal requirements, enforce agreements, and protect the safety of you and others.”

It’s not clear how much, if any, of the video footage potentially captured by the burned Waymos in Los Angeles may have been destroyed along with the cars. Waymo doesn’t specify whether the data collected by its robotaxis is stored locally in the vehicle itself or externally in the cloud. The company previously told The Washington Post that “interior camera data” isn’t stored alongside the data from external cameras.

If any footage does still exist from the destroyed vehicles, Waymo doesn’t disclose how long it may remain available. Waymo’s website and privacy policy do not specify how long the company retains camera footage captured inside or outside its vehicles. For years, self-driving companies like Waymo retained large amounts of information collected by their cars for training purposes and to optimize the underlying technology. The company has generally been trending more recently toward deleting data sooner, WIRED previously reported, though it’s unclear whether some types may be stored longer than others.

Waymo declined to answer questions from WIRED about how many cameras are inside its vehicles, exactly how long footage is retained, and whether the company has ever turned over footage to US federal law enforcement or a branch of the military. Karp did note, however, that the company’s engineering team sometimes uses information from sensors, including video footage and other data, to run simulations aimed at improving its technology. She says Waymo also puts limits on both who can access data and how long it’s retained.

Waymo’s robotaxi service is currently available in the Phoenix metro area and parts of San Francisco, Los Angeles, and Austin, Texas. In the company’s relatively short time operating in US cities, it has shown a willingness to comply with requests for footage from law enforcement.

Officers working for the Mesa Police Department and the Chandler Police Department in Arizona have been requesting and using footage from Waymos for criminal investigations since 2016, or about as long as the vehicles have been in their towns, according to reporting from Phoenix’s ABC 15. Police told the news outlet in 2022 that they have used the footage for several cases, including an alleged road rage incident. (The individual pleaded guilty after being charged with disorderly conduct.)

In May 2022, two months after Waymo began limited robotaxi operations in San Francisco, Vice reported that a training document for San Francisco police explicitly told officers that “autonomous vehicles” have footage that could sometimes “help with investigative leads.”

As of 2023, Waymo had been issued at least nine search warrants in San Francisco and Arizona’s Maricopa County, its primary markets at the time, according to reporting from Bloomberg. One of the cases involved the murder of an Uber driver in 2021. While San Francisco police said they couldn’t identify a specific Waymo vehicle that was near the crime scene, an officer argued that there was “probable cause” that Waymo vehicles were “driving around the area” and had footage of the victim, possible suspects, and the crime scene, according to a search warrant viewed by Bloomberg. Waymo complied and provided footage, but it ultimately did not lead to the arrest of the suspect, who was convicted of the murder in 2023.

Last year, WIRED reported that Waymo had sued two individuals for allegedly vandalizing its vehicles in San Francisco and had camera footage from the cars of the alleged incidents. (One of the cases is ongoing; the other was dismissed last month.)

Waymo’s video-recording and data-collection practices aren’t unique. All vehicles with self-driving capabilities rely on a combination of lidar, radar, and video data in order to operate. Cruise, the now defunct self-driving-car venture run by General Motors, also reportedly gave camera footage to law enforcement upon request.

Private owners of camera-equipped vehicles can also voluntarily turn over camera footage to law enforcement. For example, police in Berkeley, California, have received at least two sets of footage from the owner of a Tesla Cybertruck who said their car was vandalized twice this year, according to documents obtained by WIRED via public record request.

_Additional reporting by Paresh Dave._

How Waymo Handles Footage From Events Like the LA Immigration Protests

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

Wednesday, June 11, 2025 09:47

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except in the case of the catdoc zero-day vulnerabilities, which were patched by our researcher (patches found in this repository). This is an unusual case, because the vendor could not be reached to fix these high-risk bugs; our policy does not include fixing third-party vulnerabilities. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**catdoc zero-day vulnerabilities **

_Discovered by Ali Rizvi-Santiago of Cisco Talos._    

The catdoc program pulls plain text content from Microsoft Word, Excel, PowerPoint and Rich Text Format files. The vendor was unreachable, Debian will be merging our patches into their distribution. https://github.com/Cisco-Talos/catdoc-talos-fixes/releases/tag/talos-fixes.2025-05

TALOS-2024-2128 (CVE-2024-48877) is a memory corruption vulnerability in the Shared String Table Record Parser implementation in xls2csv utility version 0.95. A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 

TALOS-2024-2131 (CVE-2024-52035) is an integer overflow vulnerability which exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95., and TALOS-2024-2132 (CVE-2024-54028) is an integer underflow vulnerability in the OLE Document DIFAT Parser functionality. A specially crafted malformed file can lead to heap-based memory corruption for either vulnerability, and an attacker can provide a malicious file as a trigger. 

**Parallel integer overflow vulnerability  **

_Discovered by KPC of Cisco Talos._    

Parallels is a desktop emulator for Mac computers that enables virtual Windows applications.

TALOS-2025-2160 (CVE-2025-31359) is a directory traversal vulnerability exists in the PVMP package unpacking functionality of Parallels Desktop for Mac version 20.2.2 (55879). This vulnerability can be exploited by an attacker to write to arbitrary files, potentially leading to privilege escalation.

There are three privilege escalation vulnerabilities in the virtual machine archive restoration functionality of Parallels Desktop for Mac version 20.1.1 (55740).

*   TALOS-2024-2126 (CVE-2024-36486): When an archived virtual machine is restored, the prl\_vmarchiver tool decompresses the file and writes the content back to its original location using root privileges. An attacker can exploit this process by using a hard link to write to an arbitrary file, potentially resulting in privilege escalation.
*   TALOS-2024-2124 (CVE-2024-54189): When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.
*   TALOS-2024-2123 (CVE-2024-52561): When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.

**NVIDIA integer overflow vulnerability  **

_Discovered by Dimitrios Tatsis of Cisco Talos._    

NVIDIA cuobjdump is a command-line utility included in the NVIDIA CUDA Toolkit. Similar to the standard \`objdump\` utility, it parses CUDA executable files and displays information like PTX disassembly, section headers, relocations etc. 

TALOS-2025-2151 (CVE-2025-23247) is an integer overflow in the ELF Section Parsing functionality of NVIDIA cuobjdump 12.8.55. A specially crafted fatbin file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. 

**High-Logic out-of-bounds read vulnerability  **

_Discovered by KPC of Cisco Talos._    

High-Logic FontCreator is a font editor for Windows & macOS. The program allows you to create, edit and export OpenType, TrueType and responsive variable fonts. 

An out-of-bounds read vulnerability, TALOS-2025-2157 (CVE-2025-20001), exists in High-Logic FontCreator 15.0.0.3015. A specially crafted font file can trigger this vulnerability which can lead to disclosure of sensitive information. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”

Tuesday, June 10, 2025 17:45

Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.” 

In this month's release, none of the included vulnerabilities have been observed by Microsoft being actively exploited in the wild. Out of eleven "critical" entries, nine are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Windows Remote Desktop Service, Windows Schannel (Secure Channel), KDC Proxy service, Microsoft Office, Word and SharePoint server. There are two elevation of privilege vulnerabilities affecting Windows NetLogon and Power Automate. 

CVE-2025-32710 is the RCE vulnerability in Windows Remote Desktop Services and is given CVSS 3.1 score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker could successfully exploit this vulnerability by attempting to connect to a system with the Remote Desktop Gateway role, triggering the race condition to a use-after-free scenario, and then leveraging this to execute arbitrary code. Microsoft has assessed that the attack complexity is “high,” and exploitation is "less likely." 

CVE-2025-29828 is an RCE vulnerability in Windows Schannel (Secure Channel), a security support provider (SSP) in the Windows operating system that implements Secure Sockets layer (SSL) and Transport Layer Security (TLS) Protocols. It is part of the Security Support Provider Interface (SSPI) and is used to secure network communications. Microsoft noted that a missing release of memory by Windows Cryptographic Services could trigger this vulnerability, allowing an unauthorized attacker to execute code over a network. An attacker can exploit this vulnerability through the malicious use of fragmented ClientHello messages to a target server that accepts TLS connections. Microsoft has assessed that the attack complexity is “high”, and exploitation is "less likely".  

CVE-2025-33071 is the RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and Domain controllers are not affected. Microsoft has assessed that the attack complexity is “high”, and exploitation is "more likely".  

CVE-2025-47172 is the RCE vulnerability in Microsoft SharePoint server given CVSS 3.1 score of 8.8. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper neutralization of special elements used in a SQL command which would allow an authorized attacker to execute code over a network. To exploit this vulnerability an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely." 

CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities in Microsoft Office. The vulnerabilities CVE-2025-47164 and CVE-2025-47953 are "use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-47162 is a heap-based buffer overflow in Microsoft Office and the CVE-2025-47167 is a "type confusion" vulnerability which is triggered when Microsoft Office interprets a block of memory as the wrong data type. An unauthorized attacker exploits these vulnerabilities and executes arbitrary code on the victim's machine. Microsoft has assessed that for CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, the attack complexity is "low," and exploitation is "more likely." For CVE-2025-47953, the attack complexity is "low," and exploitation is "less likely."  

Microsoft listed two critical elevations of privilege vulnerabilities. 

CVE-2025-33070 is an elevation of privilege critical vulnerability in Windows Netlogon. An attacker could exploit the vulnerability by leveraging an authentication bypass in the Windows Netlogon service using uninitialized resources. An attacker, by successfully exploiting this vulnerability, could gain domain administrator privileges. Microsoft has assessed that the attack complexity is “high,” and exploitation is “more likely."  

Microsoft noted that the CVE-2025-47966 is a critical elevation of privilege vulnerability in Power Automate in the Windows OS. Power Automate is a Microsoft tool for automating repetitive tasks and business processes across different applications and services. This vulnerability in Power Automate exposed sensitive information to an unauthorized actor, allowing privilege escalation over a network. Microsoft has reported that this vulnerability with CVSS 3.1 base score of 9.8 has been fully mitigated and no further action is required by the users.  

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that exploitation is "more likely:" 

*   CVE-2025-32713 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. 
*   CVE-2025-32714 - Windows Installer Elevation of Privilege Vulnerability. 
*   CVE-2025-47962 - Windows SDK Elevation of Privilege Vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 55802, 56290, 65030-65043. There are also these Snort 3 rules: 301220, 301250-301255.

Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities

President Trump’s deployment of more than 700 Marines to Los Angeles—following ICE raids and mass protests—has ignited a fierce national debate over state sovereignty and civil-military boundaries.

As hundreds of United States Marines deploy in Los Angeles under presidential orders to protect federal property amid growing protests over immigration enforcement, constitutional scholars and civil rights attorneys warn of long-term implications for American democracy and civil-military relations.

President Donald Trump revealed Monday that he had ordered the deployment of more than 700 activity-duty Marines out of Camp Pendleton—an extraordinary use of military force in response to civil unrest. The move, widely condemned by his critics, follows Trump’s federalization of the National Guard. Some 3,800 guardsmen have since been deployed in California against the objections of its government, spurring debate among legal observers over the limits of the president’s power to send troops into American streets.

Trump ordered the deployments in response to thousands of Angelenos who took to the streets on Friday in protests. LA residents responded after Immigration and Customs Enforcement (ICE) agents carried out sweeping raids of local businesses, arresting, among others, dozens of day laborers who were vying for work outside a local Home Depot. Larger demonstrations soon formed and remained largely peaceful until residents were engaged by police with riot shields and crowd control weapons. Over the weekend, the clashes between police and protesters escalated across many neighborhoods with large immigrant populations. Numerous buildings were vandalized with anti-ICE messages, and several Waymo autonomous vehicles were set ablaze.

Videos captured by protest attendees show police firing upon demonstrators with rubber bullets and other crowd control agents, including waves of asphyxiating CS gas. Members of the press shared images online showing injuries they incurred from the police assault. In widely shared footage, a law enforcement officer appears to intentionally target an Australian reporter, Lauren Tomasi, shooting her from feet away with a rubber bullet as she delivers a monologue into a camera. On Monday, CNN correspondent Jason Carroll was arrested live on air.

California governor Gavin Newsom condemned Trump’s troop deployment in posts on social media, calling the president’s actions an “unmistakable step toward authoritarianism.” His attorney general, Rob Bonta, has filed a lawsuit in federal court claiming the order violated the state’s sovereignty, infringing on Newsom’s authority as the California National Guard’s commander in chief.

In response to a request for comment, the Department of Defense referred WIRED to a US Northern Command press release detailing the deployment of Marines and National Guardsmen.

Federal troops in the United States are ordinarily barred from participating in civilian law enforcement activities. This rule, known as “posse comitatus,” may be suspended, however, by a sitting president in cases of civil unrest or outright rebellion. This exception—permitted under the Insurrection Act—allows the president to deploy troops when circumstances make it “impracticable” for state authorities to enforce federal law by “ordinary” means.

While these powers are most often invoked at the request of a state government, the president may also invoke the act when a state chooses to ignore the constitutional rights of its inhabitants—as happened multiple times in the mid-20th century, when southern states refused to desegregate schools after the Supreme Court’s landmark _Brown v. Board of Education_ decision.

President Trump, however, has so far not invoked the Insurrection Act, relying instead on a theory of “inherent authority” advanced by the US Justice Department in 1971 during the height of the anti–Vietnam War protests. This interpretation of presidential power finds that troops may be deployed in an effort to “protect federal property and functions.” Notably—unlike the Insurrection Act—this does not permit troops to engage in activities that are generally the purview of civilian law enforcement agencies.

Trump also invoked statutory power granted to him by Congress under Title 10 of the US Code, which enabled him to federalize elements of California’s National Guard. These activations typically occur when guardsmen are needed to support overseas military operations, as happened routinely this century during the wars in Iraq and Afghanistan. Domestically, however, guardsmen are not usually federalized without the agreement of a state’s governor—unless the Insurrection Act has been invoked.

Legal experts interviewed by WIRED offered a range of opinions on the president’s authority to deploy active-duty military troops or federalize the National Guard. While most believe it is likely within Trump’s power to ignore Newsom’s express objections, doing so without an invocation of the Insurrection Act, they say, is a decision fraught with legal complexities that carries serious implications, from altering—perhaps permanently—the fundamental relationship between Americans, states, and the federal government, to disturbing the delicate balance between civilian governance and military power.

Liza Goitein, senior director of the Brennan Center's Liberty and National Security Program, underscores the “unprecedented” nature of Trump’s approach. “He’s trying to basically exercise the powers of the Insurrection Act without invoking it,” she says. A key issue for Goitein is that the memorandum signed by Trump last week federalizing the National Guard makes no mention of Los Angeles or California. Rather, it states that the guardsmen are being mobilized to address protests that are both “occurring” and “likely to occur.”

In essence, the memo “authorizes the deployment of federal troops anywhere in the country,” Goitein says, “including places where there are no protests yet. We’re talking about preemptive deployment.”

Goitein argues that the administration’s justifications could undermine both judicial accountability and civil‑military boundaries. Under the Insurrection Act, federal troops can take on the responsibilities of local and state police. But without it, their authority should be quite limited. Neither the guardsmen nor the Marines, for instance, should engage with protesters acting peacefully, according to Goitein. “He says they’re there to protect federal property,” she says. “But it looks a lot like quelling civil unrest.”

Anthony Kuhn, a 28-year US Army veteran and managing partner at Tully Rinckey, believes, meanwhile, that there is really “no question” that Trump would be justified in declaring a “violent rebellion” underway in California, empowering him to ignore Newsom’s objections. The images and video of protesters hurling rocks and other items at police and lighting cars on fire all serve as evidence toward that conclusion.

“I know people in California, the governor, the mayor, are trying to frame it as a protest. But at this point,” says Kuhn, “it’s a violent rebellion. You can draw your own conclusions from the pictures and videos floating around.” Kuhn argues that the intentions of the protesters, the politics fueling the demonstrations, don’t matter. “They’re attacking federal facilities. They’re destroying federal property. So in an attempt to restore the peace, the president has the authority under Title 10 to deploy troops. It’s pretty straightforward.”

In contrast, Rutgers University professor Bruce Afran says deploying military forces against Americans is “completely unconstitutional” in the absence of a true state of domestic insurrection. “There was an attack on ICE’s offices, the doorways, there was some graffiti, there were images of protesters breaking into a guardhouse, which was empty,” he says. “But even if it went to the point of setting a car on fire, that's not a domestic insurrection. That's a protest that is engaged in some illegality. And we have civil means to punish it without the armed forces.”

Afran argues that meddling with the expectations of civilians, who naturally anticipate interacting with police but not armed soldiers, can fundamentally alter the relationship between citizens and their government, even blurring the line between democracy and authoritarianism. “The long-term danger is that we come to accept the role of the army in regulating civilian protest instead of allowing local law enforcement to do the job,” he says. “And once we accept that new paradigm—to use a kind of BS word—the relationship between the citizen and the government is altered forever.”

“Violent rioters in Los Angeles, enabled by Democrat governor Gavin Newsom, have attacked American law enforcement, set cars on fire, and fueled lawless chaos," Abigail Jackson, a White House spokesperson, tells WIRED. "President Trump rightfully stepped in to protect federal law enforcement officers. When Democrat leaders refuse to protect American citizens, President Trump will always step in.”

As the orders to mobilize federal troops have come down, some users on social media have urged service members to consider the orders unlawful and refuse to obey—a move that legal experts say would be very difficult to pull off.

David Coombs, a lecturer in criminal procedure and military law at the University of Buffalo and a veteran of the US Army’s Judge Advocate General's Corps, says it’s hypothetically possible that troops could question whether Trump has the authority to mobilize state guardsmen over the objection of a state governor. “I think ultimately the answer to that will be yes,” he says. “But it is a gray area. When you look at the chain of command, it envisions the governor controlling all of these individuals.”

Separately, says Coombs, when troops are ordered to mobilize, they could—again, hypothetically—refuse to engage in activities that are beyond the scope of the president’s orders, such as carrying out immigration raids or making arrests. “All they can do in this case, under Title 10 status, is protect the safety of federal personnel and property. If you go beyond that, then it violates the Posse Comitatus Act.” Federal troops, for instance, would need civilian police to step in at the point that local authorities want peaceful protesters to disperse.

The San Francisco Chronicle reports that, in a letter on Sunday, Homeland Security Secretary Kristi Noem requested that military troops be directed to detain alleged “lawbreakers” during protests “or arrest them,” which legal experts almost universally agree would be illegal under ordinary circumstances. The letter was addressed to Defense Secretary Pete Hegseth and accused the anti-ICE protesters of being “violent, insurrectionist mobs” aiming to “protect invaders and military aged males belonging to identified foreign terrorist organizations.”

Khun, who warns there’s a big difference between philosophizing over what constitutes an unlawful order and disobeying commands, dismisses the idea that troops, in the heat of the moment, will have an option. “It’s not going to be litigated in the middle of an actual deployment,” he says. “There’s no immediate relief, no immediate way to prove that an order is unlawful.”

Khun says that were he deployed into a similar situation, “me and my junior soldiers would not respond to a nonviolent or peaceful protest.” Asked what protesters should expect, should they engage with federal troops trained for combat overseas, Kuhn says the Marines will hold their ground more firmly than police, who are often forced to retreat as mobs approach. In addition to being armed with the same crowd control weapons, Marines are extensively trained in close-quarters combat.

“I would expect a defensive response,” he says, “but not lethal force.”

_Additional reporting by Alexa O’Brien._

_Updated at 1:40 pm ET, June 10, 2025: Added clarifying language around the less-lethal shooting of Lauren Tomasi and fixed a typo in the California attorney general's name._

The ‘Long-Term Danger’ of Trump Sending Troops to the LA Protests

Cisco Talos discovers PathWiper, a destructive new malware targeting critical infrastructure in Ukraine, highlighting ongoing cyber threats amidst the Russia-Ukraine conflict.

A newly identified malware named PathWiper was recently used in a cyberattack targeting essential services in Ukraine. Cybersecurity experts at Cisco Talos reported the incident this week and shared details with Hackread.com.

For your information, wipers are a type of malware designed to erase or corrupt data on computer systems, making them unusable. In this attack, the cybercriminals managed to get into a legitimate system that manages computer networks. They likely had inside knowledge of this system, which allowed them to send harmful commands and spread PathWiper to connected devices, researchers noted.

“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” the company wrote in its blog post.

The malware works by replacing important parts of a computer’s file system with random information. It finds all connected storage devices, including hard drives and network drives, and then overwrites their contents. The attackers tried to make their actions look like normal operations of the network management tool to avoid detection.

Cisco Talos believes that a Russian-backed Advanced Persistent Threat (APT) actor is behind this disruptive attack. Their confidence comes from observing similar attack methods and the capabilities of this wiper malware, which match previously seen attacks on Ukrainian targets.

****Similarities and Differences to Other Attacks****

PathWiper shares some features with another wiper malware called HermeticWiper, which also targeted Ukrainian entities in 2022. Both PathWiper and HermeticWiper aim to damage key parts of a computer’s storage, like the Master Boot Record (MBR) and files related to the New Technology File System (NTFS).

However, there’s a key difference in how they corrupt drives. PathWiper is more advanced; it carefully identifies all connected drives, even those that are temporarily disconnected, and verifies them before wiping. In contrast, HermeticWiper uses a simpler method of just trying to corrupt a range of physical drives.

The attack shows the continuing danger to Ukraine’s critical infrastructure as the conflict with Russia carries on. It is recommended to use security products for endpoint protection, email security, firewalls, network analysis, and malware analysis. These tools help organizations detect and prevent malicious activity, block harmful emails and websites, and provide multi-factor authentication to allow access only to authorized users.

New PathWiper Malware Strikes Ukraine’s Critical Infrastructure

A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos.
"The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across

New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

Cisco Talos researchers observed the new wiper malware in a destructive attack against an unnamed critical infrastructure organization.

'PathWiper' Attack Hits Critical Infrastructure In Ukraine

The vulnerability, with a 9.9 CVSS score on a 10-point scale, results in different Cisco ISE deployments all sharing the same credentials as long as the software release and cloud platform remain the same.

Tag

#cisco