Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the standards agency as part of the ongoing DOGE purge, sources tell WIRED.

Sweeping layoffs architected by the Trump administration and the so-called Department of Government Efficiency may be coming as soon as this week at the National Institute of Standards and Technology (NIST), a non-regulatory agency responsible for establishing benchmarks that ensure everything from beauty products to quantum computers are safe and reliable.

According to several current and former employees at NIST, the agency has been bracing for cuts since President Donald Trump took office last month and ordered billionaire Elon Musk and DOGE to slash spending across the federal government. The fears were heightened last week when some NIST workers witnessed a handful of people they believed to be associated with DOGE inside Building 225, which houses the NIST Information Technology Laboratory at the agency’s Gaithersburg, Maryland campus, according to multiple people briefed on the sightings. The DOGE staff were seeking access to NIST’s IT systems, one of the people said.

Soon after the purported visit, NIST leadership told employees that DOGE staffers were not currently on campus, but that office space and technology were being provisioned for them, according to the same people.

On Wednesday, Axios and Bloomberg reported that NIST had begun informing some employees that they could soon be laid off. About 500 recent hires who are still in probationary status and can be let go more easily were among those expected to be affected, according to the reports. Three sources tell WIRED that the cuts likely impact lauded technical experts in leadership positions, including three lab directors who were promoted within the last year. One person familiar with the agency tells WIRED that the official layoff notices may come Friday.

The White House and a spokesperson for NIST, which is part of the Department of Commerce, did not yet return requests for comment.

One NIST team that has been fearing cuts because of its number of probationary employees is the US AI Safety Institute (AISI), which was created after former President Joe Biden’s sweeping executive order on AI issued in October 2023. Trump rescinded the order shortly after taking office last month, describing it as a “barrier to American leadership in artificial intelligence.”

The AI Safety Institute and its roughly two dozen staffers has been working closely with AI companies, including rivals to Musk’s startup xAI like OpenAI and Anthropic, to understand and test the capabilities of their most powerful models. Musk was an early investor in OpenAI and is currently suing the startup over its decision to transition from a non-profit to a for-profit corporation.

AISI’s inaugural director, Elizabeth Kelly, announced she was leaving her role earlier this month. Several other high-profile NIST leaders working on AI have also departed in recent weeks, including Reva Schwartz, who led NIST’s Assessing Risks and Impacts of AI program, and Elham Tabassi, NIST’s chief AI advisor. Kelly and Schwartz declined to comment. Tabassi did not respond to a request for comment.

US Vice President JD Vance recently signaled the new administration’s intent to deprioritize AI safety at the AI Action Summit, a major international meeting held in Paris last week that AISI and other government staffers were not invited to attend, according to three familiar with the matter. “I'm not here this morning to talk about AI safety,” Vance said in his first major speech as VP. “I'm here to talk about AI opportunity.”

Though they receive bipartisan support, the AI Safety Institute and other parts of NIST had been preparing for the Trump administration to set new priorities for their work. In anticipation, some NIST teams began moving to deprioritize efforts such as fighting misinformation and racial bias in AI systems, according to two people familiar with the projects. Two other people say that putting even more public emphasis on national security was welcomed among some staffers, since the institute has already engaged in related research efforts.

Overall, the AI Safety Institute has been pressing ahead with working groups and other efforts focused on developing guidelines for studying AI systems. Last week, the startup Scale AI announced it had been selected by the institute as its “first approved third-party evaluator authorized to conduct AI model assessments.” Michael Kratsios, Trump’s pick to direct the White House Office of Science and Technology Policy, was until recently Scale’s managing director.

The feared layoffs at NIST have drawn strong rebuke from civil society groups, such as the Center for AI Policy, and congressional Democrats. NIST’s 2024 budget was about $1.5 billion, approximately .02 percent of federal spending overall, making it perhaps an unlikely target for Musk’s DOGE project. DOGE staffers have dropped into several government agencies this month, gaining access to sensitive systems, promoting the use of AI to boost productivity, and seeding a trail of resignations among long-time government workers. DOGE’s specific goals at NIST couldn’t be immediately learned.

US Representative Jake Auchincloss, a Democrat who serves on the House energy and commerce committee, says any efforts by DOGE to trim NIST rather than focusing instead on parts of government that account for far more spending, such as Department of Defense contracts, amounts to “scrounging for pennies in front of a bank vault.” He called NIST an agency with high returns on investment and warned that hobbling it would be self-defeating for the US. “Imparing NIST’s function is going to harm business productivity and increase costs,” Auchincloss says.

Staff for Democrats on the US House of Representatives Committee on Science, Space, and Technology say they are concerned about the potential for significant economic harm from any cuts to NIST. The agency’s timekeeping is used by stock markets and its research on buildings and pipelines help keep infrastructure intact. DOGE “might throw out things that are crucial to the functioning of the economy,” says one of the Democratic staffers, who all spoke on the condition of anonymity.

Budget cuts at other agencies could also have ripple effects at NIST because they help fund some of its projects, including studies on the accuracy of facial recognition systems and a database of cybersecurity vulnerabilities. “We’re worried about staffing, funding at every research agency in the federal government,” says the science committee staffer.

Earlier this month, California representative Zoe Lofgren, the top Democrat on the Republican-controlled House science committee, and her colleagues sent letters to the heads of several agencies including NIST and National Aeronautics and Space Administration demanding transparency about DOGE activities.

“While NIST does not conduct classified research, its cutting edge work in topics such as AI, quantum sensors and clocks, and semiconductors are world-class, and improper exfiltration to non-secure servers would be a boon for our adversaries,” stated the letter last week to NIST Acting Director Craig Burkhardt. It demanded a response from him by February 18; as of February 19, there had been none, according to Lofgren’s office.

The letter also raised concern about Musk’s potential conflicts of interest at NIST, given the intimate dealings between the AI Safety Institute and his competitors. Representative Auchincloss, who has studied NIST’s biology projects, expressed concern about Musk potentially gaining an unfair advantage and compromising safety by influencing standards that affect his Neuralink brain implant venture.

NIST was originally created in 1901 to help the US science and engineering industries establish scientific norms in areas like measurement. In coordination with the US Naval Observatory, the agency is also responsible for building and maintaining the country’s most accurate atomic clocks. Overall, NIST currently employs about 3,400 scientists, engineers, and technicians, according to its website.

Project 2025, an informal plan for the Trump administration crafted by the Heritage Foundation, an influential right-leaning think tank, called for consolidating the research work currently spread across NIST and other agencies and ensuring that it “serves the national interest in a concrete way in line with conservative principles.”

_Additional reporting by Andrew Couts, Kate Knibbs, and Louise Matsakis._

The National Institute of Standards and Technology Braces for Mass Firings

Breeze Liu has been a prominent advocate for victims. But even she struggled to scrub nonconsensual intimate images and videos of herself from the web.

Breeze Liu’s online nightmare started with a phone call. In April 2020, a college classmate rang Liu, then 24 years old, to tell her an explicit video of her was on PornHub under the title “Korean teen.” Liu alleges it had been filmed without her permission when she was 17 and uploaded without her consent.

Over time, the video mushroomed and multiplied: it was saved, posted on other porn websites and, Liu claims, used to create intimate deepfake videos that spread across the web. The impact on Liu was profound. “I honestly had to struggle with suicidal thoughts, and I almost killed myself,” she says.

Wiping around 400 nonconsensual images and videos from the web would require a multiyear, intercontinental effort. During this time, Liu went from working as a venture capitalist to starting her own company to help fight digital abuse. But when dealing with her own content, the entrepreneur faced a wall of silence and continual delays from one of the internet’s biggest gatekeepers: Microsoft.

As images and videos are published on websites like PornHub, they’re often hosted on cloud infrastructure. A series of emails related to Liu’s case reviewed by WIRED, plus interviews with a French victims’ aid organization and other advocates working with her, show how Microsoft, despite repeated pleas, did not remove about 150 explicit images of Liu stored on its Azure cloud services. While other companies took down hundreds of images, Liu and a colleague say Microsoft only took action after the two confronted a senior member of the tech giant’s safety team at a content moderation conference.

The drawn-out process, which prolonged the emotional toll on Liu, provides a detailed illustration of the difficulties victims and survivors of intimate image abuse experience in trying to erase the content from the web. Liu’s ordeal also highlights the void some victims fall into when their age in the imagery is disputed or hard to discern, an overlooked problem that may become more pressing as nudify apps spread in high schools.

“It’s almost impossible for ordinary people to navigate the complex system and do damage control,” Liu says. While she has shared parts of her struggle before, many of the details in this story and the resolution of Microsoft’s prolonged failure to remove the intimate images have not been previously reported. “We’re facing an extremely broken system, and this is a global issue,” Liu says. “This is a huge problem.”

Courtney Gregoire, Microsoft’s chief digital safety officer, says the company has learned from miscommunications in Liu’s case and doesn’t want anyone to go through the agonizing experience she did. “This content is a priority area where we endeavor to be actioning within 12 hours,” Gregoire says. For Liu, the grueling process took eight months.

After being alerted to the first nonconsensual video of her online in April 2020, Liu says, it took her a whole day to calm down. On May 14 of that year, she contacted the Berkeley Police Department, where she lived in California at the time.

The state considers it a misdemeanor crime to share real or spoofed intimate images of someone without their consent while knowing it would cause them distress. Detectives obtained search warrants for some websites but couldn’t identify the people responsible for uploading the content “based on the limited information retained by the internet sites and the overseas nature of the accounts involved,” department spokesperson Byron White says. Liu says she had a suspicion of who was responsible for the uploads, but the detectives weren’t sure how to prove it.

Liu contacted the Cyber Civil Rights Initiative, a US-based nonprofit that helps to tackle abusive content. While the organization found another webpage with violative content of her, the entrepreneur says it couldn’t aid her with takedown requests because she appeared potentially under the age of 18 in the images. The Cyber Civil Rights Initiative declined to comment about Liu but confirmed that it is legally barred from reviewing sexual imagery of minors.

By this point, it had been months since Liu first learned of the images and videos, and she needed a break. The original video hadn’t been quickly removed, and Liu suspected it had already spread far and wide. She felt powerless. She decided to let the case go, citing the stress of the pandemic, her frantic work schedule in venture capital, and the toll on her health. Embarrassed and terrified, the only confidant she told her story to was her cat.

“I always had this gut feeling that there’s more, but I was not mentally stable enough to handle any more brutal truths,” Liu says, adding that she did not feel comfortable searching for them herself. “You don’t want to see that of yourself.” That changed after Liu left her VC job in 2022 and decided to fully pursue her own startup, Alecto AI, which aims to develop face-recognition tools to help people find and remove nonconsensual images that have been shared on digital platforms.

It took about three years before Liu was ready to revisit efforts to get the explicit content of her taken down. Toward the end of 2023, she enlisted the help of her Alecto AI cofounder, Andrea Powell, a longtime trafficking and abuse victims’ advocate. That October, they sought out the help of a researcher at a victim helpline funded by the UK government. The researcher’s manual and automated image searching discovered 832 links appearing to show Liu in intimate states. “I couldn’t even look at the file, because that was just too much,” Liu says. She dialed up her therapist while a friend downloaded the spreadsheet of URLs for her. “She wasn’t even clicking into the content; she was just looking at the name of the URLs and she started crying,” Liu says.

Powell says the links contained “violent Asian-centric” language. But the UK-funded helpline can’t help victims abroad with takedowns, leaving Liu stranded with the spreadsheet. She thought about using StopNCII, a popular tool that uses matching algorithms to find abusive images, but felt it wasn’t a good fit. She feared it might not be able to spot potential deepfakes.

Liu then contacted the FBI, which preserved some of the links as evidence but in her view did not demonstrate further progress toward arresting the original uploader. The agency declined WIRED’s request for comment.

At one point, Liu turned to the National Center for Missing & Exploited Children, or NCMEC, a nonprofit established by the US Congress to work with child sexual abuse imagery, to see if it could help. But the nonprofit could not engage, Liu says. Even though Liu looked young in the content, she could not prove she was under 18 at the time, a prerequisite for NCMEC to pursue takedowns.

Lauren Coffren, NCMEC’s executive director, says it relies on partner law enforcement agencies to assess the age of victims. Age-borderline cases are rare, Coffren says, but “that stinks for a survivor” who should qualify for the organization’s help. “It speaks to just how difficult it is for survivors to be able to navigate this.”

Liu felt stuck between groups that seemingly couldn’t pursue takedowns for her. And she was tired of being judged. “What difference would it make if I was 17 or just two days over 18?” she says. “The damage for me is the same. It’s beyond frustrating.”

That’s when Powell, at the Paris Peace Forum, pleaded to a French victims’ aid organization, Point de Contact, which assists people in reporting illegal content. “I was sort of threatening that I just fly Breeze to France and make the case she’s French,” Powell says. Ultimately, on November 13, 2023, Point de Contact agreed to step up where other organizations had not. In the following days, emails show, the hotline analyzed the URLs and by the middle of December had started to send legal takedown demands to hosting providers. Liu was overcome—progress at last. “I'm literally shaking as I'm typing this,” Liu wrote in an email as the work began.

Etienne Dirani, operations manager at Point de Contact, says it found 395 nonconsensual images in the links Liu provided. The majority of the remaining 437 had already been deleted or made inaccessible. Others did not clearly identify Liu, or did not depict her intimately. Dirani says “tens” of unique images were published across multiple websites and that Point de Contact’s investigation at the time didn’t find any content “likely” generated by AI.

Some companies and hosting providers moved quickly; by the first week of January 2024, 155 URLs were dead. Microsoft, according to emails from Point de Contact to Liu, requested additional identifying information, such as her full name and social media handles, so the company could verify the content was associated with her. Liu provided these details, including a copy of her passport, but nothing happened.

More than a month later, a few dozen additional pieces of content had been removed. Of the 202 that remained online, 142 were hosted on Microsoft’s Azure services. A Point de Contact investigator emailed Liu and alleged, “Microsoft's abuse team did not answer our notification emails” and said the team was trying some of its individual contacts at the company. Around that time, a frustrated Liu mentioned Microsoft’s slow response in an interview with The Street. An unnamed Microsoft spokesperson told the news outlet that the company was investigating and noted that any potential violations of its acceptable use policy are taken seriously. Yet again, no action followed.

“The main issue we had was the lack of response from Microsoft,” Dirani says. He alleges that Microsoft’s abuse team believed that it needed more information, but he says the company never communicated what that information was. Even a higher-up contact wouldn’t give a straight answer on what additional details could trigger a takedown. Point de Contact tried to “push” Microsoft more, including opening a new case, according to Dirani. “We were sending reminders of all the URLs that were still online,” he says. “But unfortunately, even the new reports we sent were not responded to.”

As months went by, Liu could do little but wonder how many people each day were encountering the violative imagery of her. She was terrified about her career being derailed and was generally disheartened. Powell says she was in touch with Microsoft’s director of public policy for digital safety, Liz Thomas, at the time, but she was told it was difficult to verify the content showed Liu.

However, in late July last year, Powell and Liu concocted a plan to speak with Thomas at a San Francisco hotel hosting TrustCon, a conference for people working on online trust and safety issues. They hadn’t registered for the event, but Powell located Thomas at the hotel’s public bar with a group of colleagues. Once the colleagues left, Powell approached Thomas and urged for action, pointing toward Liu as she made her case. Seeing Liu in the same room made an impact.

Within days of the event, a Microsoft staffer emailed Powell that the case had been escalated, and the 142 URLs with Liu’s image started disappearing. “I don't ideally want to be chasing trust and safety people up and down the halls at TrustCon to deal with a case,” Powell says. “But it was what had to be done.”

At the start of last August, Point de Contact told WIRED that only two images on four different Microsoft servers remained. “We deeply regret that this issue took almost 10 months of communication between the victim, Microsoft and us as an NGO to be resolved,” the NGO said in an email at the time.

Microsoft digital safety chief Gregoire says Liu’s situation has spurred her team to try to improve reporting processes and relationships with victim aid groups. Point de Contact initially flagged links over which the company didn’t have control, according to Gregoire. She declined to elaborate on the circumstances. Dirani says this explanation was never communicated to him, and it remains unclear why the links were not “actionable.”

Only after Powell cornered Thomas over Liu’s case did Microsoft obtain the URLs upon which it could act. “We’re thankful, to be perfectly honest, to the spontaneous connection at TrustCon,” Gregoire says. But it shouldn’t be needed again: Point de Contact now has a more direct way to stay in touch, she says.

Other victim aid groups say their relationships with tech giants remain challenging. Last year, a WIRED investigation revealed that executives at Google rejected numerous ideas raised by staff and outside advocates that aimed to proactively counter access to problematic imagery in search results. Some survivors have found that the fastest way to get content removed is by filing copyright claims, a tactic those working in the online safety industry say is inadequate.

The lack of consistency in policies and processes among tech companies contributes to delays in securing takedowns, according to Emma Pickering, the head of technology facilitated abuse at Refuge, the UK’s largest domestic abuse organization. “They all just respond however they choose to—and the response usually is incredibly poor,” she says. (Google introduced new policies in July 2024 to accelerate removals.)

Pickering claims Microsoft, in particular, has been difficult. “I’ve recently been told if I want to engage with them, we need to provide evidence that we use their platform and we promote them,” she says, adding Refuge is trying to engage with as many tech platforms as possible.

Microsoft’s Gregoire says she will look into these concerns and is open to dialogue. The company hopes to stem the need for takedowns, in part, by scaring off perpetrators. This past December, Microsoft sued a group of 10 unknown individuals who allegedly circumvented safeguards on Azure and used an AI tool to generate offensive images, including some Gregoire described as sexually harmful. “We don't want our services to be abused to cause harm,” she says.

For Liu, the challenges haven’t ended. Videos and images depicting her naked remain available on at least one self-styled “free porn” website, according to links reviewed by WIRED. She also has had to pour her savings into developing Alecto AI because investor support has been lackluster. Some investors allegedly told her not to use her own experience in her pitch. Liu says that when she pitched one male-female pair who were considering investing, they burst into laughter at the idea of building a business around the use of AI to detect online image abuse. Even responding that she had almost killed herself after being victimized did little to sway them, Liu says.

In December 2024, more than four and a half years since her nightmare began, Liu found a glimmer of hope. A proposal she has advocated for in the US Congress to require websites to remove unwanted explicit images within 48 hours nearly ended up on then-President Joe Biden’s desk. It was ultimately shelved, but real progress had never felt so close. Liu and a bipartisan group of over 20 lawmakers haven’t given up; in January, they reintroduced the proposal, which threatens potential penalties of up to $50,000 per violation. Despite objections from rights groups worried about over-censorship, the bill passed the Senate last week. Even Microsoft has gotten behind it.

_If you or someone you know needs help, call 1-800-273-8255_ _for free, 24-hour support from the National Suicide Prevention Lifeline. You can also text HOME to 741-741 for the Crisis Text Line. Outside the US, visit the International Association for Suicide Prevention_ _for crisis centers around the world._

How One AI Startup Founder Cornered Microsoft Into Finally Taking Down Explicit Videos of Her

These sorts of attacks reveal growing adversary interest in secure messaging apps used by high-value targets for communication, Google says.

Source: aily\_creativity via Shutterstock

Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application of individuals likely to exchange sensitive military and government communications related to the country's war with Ukraine.

For now, the activity appears limited to persons of interest to Russia's intelligence services, according to researchers at Google's Threat Intelligence Group (GTIG), who spotted it recently. But the tactics the threat actors are using in the campaign could well serve as a blueprint for other groups to follow in broader attacks on Signal, WhatsApp, Telegram, and other popular messaging apps, GTIG warned in a blog post this week.

**Likely to Become More Prevalent**

"We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war," Google threat analyst Dan Black wrote in the post.

Two of the Russian cyber-espionage groups that Google observed targeting Signal are UNC5792 — a threat actor that Ukraine's CERT tracks as UAC-0195 — and UNC4221 (aka UAC-0185). The goal of the attackers in both cases is to trick targeted victims into unknowingly linking their Signal account to an attacker-controlled device so any incoming messages are simultaneously available on the linked device.  

The attacks are taking advantage of "linked devices," a feature of the Signal app that allows users to securely connect and synchronize their account across multiple devices. However, the tactics that each threat group uses to get targets to unwittingly link their accounts have been slightly different.

UNC5782's ploy has been to send invitations asking targeted individuals to join a Signal group by sharing a malicious QR code with them. While the invitations look identical to Signal's group invite, the threat actors have modified them so that anyone social-engineered into scanning the QR code ends up linking their account to a UNC592-controlled device instead.

The other threat group, UNC4221, is using a customized phishing kit that impersonates parts of Kropyva, an application that Ukraine's military uses for artillery guidance, to try and social-engineer Signal Messenger users of interest. The threat actor has established Kropyva-themed phishing sites with the QR code directly embedded on them. It has also set up phishing sites pretending to contain legitimate Signal instructions for device linking to encourage scam victims into scanning their malicious QR code.

**Broad Threat Actor Interest**

Google identified UNC4221 and UNC5782 as two of several Russian and Belarusian groups that are targeting Signal Messenger to spy on persons of interest. Not all attacks by UNC4221 and UNC578 have involved device linking. Russia's infamous Sandworm cyber-sabotage group (which Google tracks as APT44) has been stealing Signal messages from a target's Signal database or local storage files, using a combination of malware tools. Similarly, Turla, a threat actor that the US government has tied to Russia's Federal Security Service (FSB), is doing the same using a lightweight PowerShell script that it deploys after gaining access to a target environment. Another threat actor from the region targeting Signal Messenger, according to Google, is Belarus-linked UNC1151, which uses the Robocopy Windows file-copying tool to copy and store Signal messages and attachments for future theft.

The flurry of activity targeting Signal is a sign of broader attacker interest in secure messaging apps used by those in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The apps' security features, which include end-to-end encryption of text, voice, and video with minimal data collection practices, have made it a popular tool for at-risk individuals and communities. It has also made the app "a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements," Google's Black wrote.

Signal is not the only target. Russian groups have also targeted Telegram and WhatsApp users in the same way, Black said. He pointed to a recent Microsoft report on attacks by Russian group Star Blizzard (aka Coldriver, Blue Charlie, Callisto, and UNC4057) that targeted WhatsApp accounts belonging to current and former government officials and diplomats.

Significantly, attacks targeting WhatsApp can affect businesses as well. Although WhatsApp — like Signal, Telegram and other messenger apps — is primarily consumer-focused, numerous businesses worldwide use the app. WhatsApp even has a business version that it has positioned as a tool that businesses can use to engage with customers, accelerate sales, and deliver customer support.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Groups Target Signal Messenger in Spy Campaign

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn…

Is your Signal, WhatsApp, or Telegram account safe? Google warns of increasing attacks by Russian state-backed groups. Learn how they’re stealing messages and what you can do to defend yourself.

Russian state-backed actors are increasingly targeting secure messaging applications like Signal to intercept sensitive communications, reveals a recent report by Google’s Threat Intelligence Group. These groups, often aligned with Russian intelligence services, are focusing on compromising accounts used by individuals of interest, including military personnel, politicians, journalists, and activists. While the initial focus appears to be related to the conflict in Ukraine, researchers believe that these tactics will spread to other regions and threat actors.  

A primary method employed by these actors in this campaign involves exploiting the “linked devices” feature of Signal. By using phishing techniques, they trick users into scanning malicious QR codes, which then secretly link the victim’s account to a device controlled by the attacker. This allows the attacker to receive all messages in real-time, effectively eavesdropping on conversations without needing to compromise the entire device.

These malicious QR codes are often disguised as legitimate Signal resources, such as group invites, security alerts, or even device pairing instructions. In some cases, they are incorporated into phishing pages designed to mimic specialized applications, such as those used by the Ukrainian military.

The screenshot shows a Signal app phishing site and one of the malicious QR codes used in the attack (via Google).

In some cases, malicious QR codes are used in close-access scenarios, such as when Russian military forces capture devices on the battlefield.  This method lacks centralized monitoring and can go unnoticed for extended periods, which makes it hard to detect.

One group, identified as UNC5792 (also known as UAC-0195), has been observed modifying legitimate Signal group invite links. These altered links redirect victims to fake pages that initiate the unauthorized linking of their devices to the attacker’s control. The phishing pages are designed to closely resemble official Signal invites, making detection challenging. 

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes within phishing sites that mimic artillery guidance applications. They have also used fake Signal security alerts to deceive victims. 

Beyond phishing, APT44 (Sandworm) utilizes malware and scripts to extract Signal messages from compromised Windows and Android devices. Their WAVESIGN script retrieves recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.  

Other groups, like Turla and UNC1151, target the desktop application, using scripts and tools to copy and exfiltrate stored messages. UNC4221 has also used a JavaScript payload called PINPOINT to gather user information and geolocation data.

The popularity of secure messaging apps makes them prime targets for adversaries and other platforms, such as WhatsApp and Telegram, are also facing similar threats.

“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term,” researchers warned.

Therefore, users are advised to stay cautious. It is important to use strong screen locks with complex passwords, keep operating systems and apps updated, and ensure Google Play Protect is enabled. Regularly auditing linked devices, exercising caution with QR codes and links, and enabling two-factor authentication are also recommended. iPhone users at high risk should consider enabling Lockdown Mode.

Hackers Tricking Users Into Linking Devices to Steal Signal Messages

The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.

Source: Chiew via Shutterstock

Attackers are actively exploiting an authentication bypass flaw found in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of that interface and invoke certain PHP scripts.

Both the Cybersecurity Infrastructure and Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1 , v10.2, and v10.1 and has been patched for all affected versions.

Patch info is available in Palo Alto's security advisory on CVE-2025-0108, which is rated as 8.8 and therefore of high severity on the CVSS. The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

**Active Exploitation of Palo Alto Firewalls**

Threat actors apparently got the memo on the potential for exploit, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs are actively exploiting CVE-2025-0108, up from merely two the day after its discovery was made public, according to researchers at GreyNoise. The top three countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled the CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

**Why CVE-2025-0108 in PAN-OS Exists**

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber Assenote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when the authentication by the requester is set at the Nginx level and based on HTTP headers, the request is then reprocessed again in Apache, which may process the path or headers differently to Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.

The risk of exploitation is greatest if a network configuration enables access to the management interface from the Internet (or any untrusted network) either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

**Eliminate Risk by Patching Auth Bypass Now**

Palo Alto's network devices are widely used and flaws within them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation completely is to apply Palo Alto's updates to affected devices, according to the CISA and researchers.

Affected organizations also can reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations whitelist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CISA Warns of Palo Alto Flaw Exploited in the Wild

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

For more than a decade now, Russian cyberwarfare has used Ukraine as a test lab for its latest hacking techniques, methods that often target Ukrainians first before they're deployed more broadly. Now Google is warning of a Russian espionage trick that's been used to obtain Ukrainians' messages on the encrypted platform Signal—and one that both Ukrainians and other Signal users worldwide should protect themselves against with a new update to the app.

Google's threat intelligence team on Wednesday released a report revealing how multiple hacker groups that serve Russian state interests are targeting Signal, the end-to-end encrypted messaging tool that has become widely accepted as a standard for private communications and is now often used by Ukrainians, including in the Ukrainian military's battlefield communications. Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide javascript commands that link the victim's phone to a new device—in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.

“It looks exactly like a group invite, and everything would function exactly like that, except when you scan it, it links the device out,” says Dan Black, a Google cyberespionage researcher and former NATO analyst. “It instantly pairs your device with theirs. And all your messages are now, in real time, being delivered over to the threat actor while you're receiving them.”

Two months ago, Google began warning the Signal Foundation that maintains the private communications platform about Russia's use of the QR code phishing technique, and Signal last week finished rolling out an update for iOS and Android designed to counter the trick. The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires a form of authentication such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device.

In fact, Signal had already been working to update those forms of phishing protections aimed specifically at exploitation of its linked device feature prior to Google's warning, says Signal's senior technologist, Josh Lund. But Google's report about Russia's spying in Ukraine provided an “acute” example of the problem that pushed them to move quickly to protect users, he says.

“We're really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Lund, using the cybersecurity term for tricks that deceive victims into giving hackers sensitive information or access to their systems.

Both Google and Signal emphasized that the phishing technique Google has seen in use in Ukraine doesn't suggest that Signal's encryption is broken or that the app's messages can otherwise be eavesdropped in transit. Instead, the trick essentially combines two legitimate features—QR-code group invites and QR-code device linking that pairs a smartphone with a laptop—invisibly swapping one with the other to deceive users. “Phishing is a big problem on the internet, and it's never nice to hear that someone has fallen victim to one of these attacks,” Lund says. “But we're trying to do our best to keep users safe, and we think these recent improvements will really help.”

Google notes that it's seen Russia use similar techniques to target other communications platforms like WhatsApp and Telegram, too. But the hackers tied to Russia's military have focused on Signal because of its widespread tactical use in the Ukrainian military. One of the two hacker groups that has exploited the QR code phishing technique, for instance, has disguised the codes as invites to groups associated with an artillery guidance app used by the Ukrainian military called Kropyva. In other instances, the spoofed QR codes have impersonated invites to other groups from a trusted contact, or security alerts from Signal itself.

Russia's hackers have targeted Signal as part of the country's war efforts in Ukraine since as early as 2023, a year into its full-scale invasion, says Google's Black. That's when the Russian hacker group known as Sandworm, a notorious unit of Russia's GRU military intelligence agency, began pivoting from disruptive cyberattacks to tactical espionage that included penetrating tablet computers used by the Ukrainian military. In some cases, Sandworm's hackers have also aided front-line Russian troops in off-loading Signal messages from captured devices, including by using the linked-device feature to pair compromised phones with their own PCs. Google says that Turla, a hacker group linked to Russia's FSB security agency, has also targeted Signal messages on PCs that it's infected with malware.

Google's Black says that the company's analysts nonetheless waited to highlight Russia's use of the QR-code phishing technique to target Signal until the Signal Foundation could push out new protections, in part to prevent other hackers from copying the technique. Black warns, in fact, that Russia's targeting of Signal in Ukraine shouldn't be seen as a problem limited to Ukraine nor to military conflicts in general. The trick is just as likely to be used for targeting dissidents and activists who use Signal worldwide, or even a broader set of targets. In December, for instance, US officials recommended Americans use end-to-end encrypted apps in response to the Chinese hacker group Salt Typhoon's widespread penetrations of US telecom networks.

“The use case for these techniques is just so wide," says Black. “We've seen history tell us a very particular story in terms of tradecraft, that the things that happen in Ukraine don't seem to stay confined there.”

A Signal Update Fends Off a Phishing Technique Used in Russian Espionage

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally.…

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally. They face 20 years in prison and forfeit $400M in assets.

The US Department of Justice (DoJ) has confirmed that two Estonian nationals have admitted guilt in a large-scale cryptocurrency fraud case that impacted numerous victims worldwide. The perpetrators, identified as Sergei Potapenko and Ivan Turõgin, both 40 years old, were originally arrested in November 2022 and extradited to the US in May 2024. 

They, reportedly, ran a cryptocurrency fraud scheme that amassed over $577 million between 2015 and 2019. This substantial sum was obtained by misleading investors about the capabilities of their purported cryptocurrency mining service, HashFlare.io.

HashFlare’s homepage (Screenshot credit: Hackread.com)

According to the DoJ’s press release, Potapenko and Turõgin operated a complex Ponzi scheme (a scam where insanely high returns are offered with minimal effort) involving cryptocurrency mining services. They marketed contracts to investors, promising a portion of the cryptocurrency generated by HashFlare. 

Over the four-year period, this operation amassed a substantial sum of money, exceeding half a billion dollars. The scheme victimized hundreds of thousands of individuals across the globe, including those in the United States.

The perpetrators employed sophisticated methods to deceive investors. The fraudulent activity involved a discrepancy between the promised mining capacity and the actual resources available. HashFlare lacked the necessary computing power to conduct extensive mining for clients. Operators, therefore, fabricated data on a web platform to show investors their supposed profits, misappropriating funds for their own benefit. 

This means, they not only misrepresented their mining capacity but also created a false impression of profitability through fabricated data. They used the illicitly gained funds to acquire luxury items, including real estate and high-end vehicles and also invested in cryptocurrency and other assets.  

While the figure of $577 million represents the total sales generated by the fraudulent scheme, it is important to note that the defendants agreed to forfeit assets worth over $400 million as part of their plea deal. This indicates the scale of the financial gains they acquired through the scheme. These recovered funds will be used to reimburse those who were harmed by the fraudulent scheme, and the process will be revealed by the DoJ at a later date.

Potapenko and Turõgin have pleaded guilty to conspiracy to commit wire fraud, which involves a maximum sentence of 20 years. They will be sentenced on May 8 and their sentencing depends on various factors, including federal guidelines and other relevant legal considerations. 

The DoJ commended Estonia’s Cybercrime Bureau, the Estonian Prosecutor General, and the Ministry of Justice and Digital Affairs for their assistance in the investigation and extradition process. The FBI is actively urging victims of the HashFlare fraud to come forward.

Featured Image via: PixaBay/Sergei Tokmakov

HashFlare Fraud: Two Estonians Admit to Running $577M Crypto Scam

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.

“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.

“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” Gundert says.

Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.

When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.

Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.

That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.

“That's the disappointing part about this,” says Gundert. “Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's “most significant cyber-espionage campaign in history.” The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.

In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.

Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.

“They've only gotten more bold,” says Jon Condra, another Recorded Future analyst. “I strongly suspect it's much larger than what we’ve seen.”

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

In a landscape where cyber threats evolve daily, the Defense Information Systems Agency’s (DISA) Enterprise Patch Management System (EPMS) plays a critical role in maintaining the cybersecurity of the Department of Defense (DoD). EPMS is not just a tool—it's a strategy, bridging software, efficiency and innovation to enhance the security posture of  critical systems.The Importance of EPMSEPMS addresses a core cybersecurity challenge: verifying that all systems are consistently patched against known vulnerabilities. With cyber adversaries growing more sophisticated, leaving any endpoint exp

In a landscape where cyber threats evolve daily, the **Defense Information Systems Agency****’s (DISA) Enterprise Patch Management System (EPMS)** plays a critical role in maintaining the cybersecurity of the Department of Defense (DoD). EPMS is not just a tool—it's a strategy, bridging software, efficiency and innovation to enhance the security posture of  critical systems.

**The Importance of EPMS**

EPMS addresses a core cybersecurity challenge: verifying that all systems are consistently patched against known vulnerabilities. With cyber adversaries growing more sophisticated, leaving any endpoint exposed is a risk the DoD cannot afford. EPMS helps to drive more rapid patch delivery with greater security assurance across classified (SIPR) and unclassified (NIPR) networks, keeping the defense infrastructure resilient.

**Red Hat and EPMS: a powerful alliance**

One of EPMS's core components is its integration with **Red Hat Satellite**, a platform purpose-built for managing Red Hat Enterprise Linux (RHEL) systems. This collaboration delivers several IT security advantages:

*   **Trusted supply chain:** All Red Hat content distributed through EPMS is cryptographically signed and verified, which helps verify the integrity and authenticity of patches
*   **Compliance enforcement:** Built-in tools for OpenSCAP scanning and Security Technical Implementation Guide (STIG) compliance make it easier to improve systems security
*   **Automation for scalability:** Red Hat Ansible Automation Platform provides automation within Satellite that simplifies the application of security baselines across large fleets of systems

**Overcoming the sneakernet bottleneck**

Traditionally, patching disconnected networks like SIPR involved a cumbersome process—downloading updates to unclassified systems, burning them to physical media and manually transferring them to classified networks. EPMS replaces this inefficient process, utilizing **Global Content Distribution Services (GCDS)**, enabling faster downloads. This innovation significantly reduces risk and accelerates the patching cycle.

**Key features and benefits of EPMS**

1.  **Enhanced efficiency:** By automating patch distribution and lifecycle management, EPMS reduces administrative workload and minimizes downtime
2.  **Broad compatibility:** Supporting all major RHEL versions and additional Red Hat solutions like RHEL for SAP and real-time computing
3.  **Scalability:** Hundreds of Red Hat Satellite servers across NIPR and SIPR power security-hardened content delivery at scale
4.  **Secure software supply chain:** The integration of checksums, GPG signature verification and certificate-based authentication provides verification of patch integrity

**The role of automation in security**

Automation is the backbone of EPMS, transforming security operations from reactive to proactive:

*   **Faster updates:** Patches can be deployed 78% faster, reducing exposure to threats
*   **Unified management:** Systems can be grouped for efficient updates to drive consistency across environments
*   **Policy compliance:** Ansible roles enforce security policies across all systems, helping to maintain a stronger security posture

**Why EPMS matters for the future**

As the DoD moves toward increasingly interconnected operations, EPMS remains a cornerstone of its cybersecurity strategy. It represents a shift from fragmented patch management practices to a unified, automated system that offers greater scalability and efficiency, along with an enhanced security footprint. By confirming that critical systems remain updated and compliant, EPMS helps to safeguard not just data but also the integrity of national defense.

In the face of growing cyber threats, EPMS demonstrates how innovation in technology can help protect against vulnerabilities, maintain mission readiness and provide for the security of the nation’s defense infrastructure.

To learn more, contact _EPMS-DoD@Redhat.com_

product trial

**Red Hat Advanced Cluster Security Cloud Service | product trial**

Red Hat Advanced Cluster Security Cloud Service | product trial

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

**Keep exploring**

**Browse by channel**

**Automation**

The latest on IT automation for tech, teams, and environments

**Security**

The latest on how we reduce risks across environments and technologies

**Edge computing**

Updates on the platforms that simplify operations at the edge

**Infrastructure**

The latest on the world’s leading enterprise Linux platform

**Applications**

Inside our solutions to the toughest application challenges

**Original shows**

Entertaining stories from the makers and leaders in enterprise tech

EPMS: the cornerstone of cybersecurity in defense operations

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to…

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to protect against these threats.

Microsoft’s February 2025 Patch Tuesday update addresses 63 security vulnerabilities across its product range, including two zero-day exploits actively being used by attackers. Four of these vulnerabilities are classified as critical.

The update covers a variety of vulnerability types, including remote code execution, elevation of privilege, denial of service, spoofing, security feature bypass, information disclosure, and tampering.

Screenshot via SOCRadar

Two zero-day vulnerabilities are of particular concern due to their active exploitation.  

CVE-2025-21391, an elevation of privilege flaw in Windows Storage, could allow attackers to delete critical system files, potentially causing data loss and service disruptions.  While Microsoft states this vulnerability doesn’t expose confidential data, the ability to disrupt services is, nevertheless, a serious concern.  

The second actively exploited zero-day, CVE-2025-21418, affects the Ancillary Function Driver for Windows Sockets.  This vulnerability enables privilege escalation, potentially granting attackers SYSTEM-level access.  Details about the exploitation methods for these vulnerabilities remain undisclosed.

Microsoft is also addressing two publicly disclosed zero-day vulnerabilities. CVE-2025-21194, a hypervisor flaw, could compromise the secure kernel in UEFI-based virtual machines. This vulnerability is speculated to be related to the PixieFail vulnerabilities. Another flaw, CVE-2025-21377, could allow attackers to steal NTLM hashes through minimal user interaction with a malicious file.

Some critical vulnerabilities patched by Microsoft include: CVE-2025-21376, an RCE vulnerability in Windows Lightweight Directory Access Protocol allowing arbitrary code execution. CVE-2025-21177, a Server-Side Request Forgery vulnerability in Dynamics 365 that may lead to privilege escalation. CVE-2025-21379 in the DHCP Client Service and CVE-2025-21381 in Microsoft Excel, both allow remote code execution.  

Another severe flaw addressed was in Microsoft’s High-Performance Compute Pack. Tracked as CVE-2025-21198, it is a remote code execution (RCE) vulnerability that allows attackers to perform RCE on other clusters or nodes connected to the targeted head node by sending a specially crafted HTTPS request

Microsoft also addressed some high-risk flaws in this update including vulnerabilities in Microsoft Office SharePoint, Windows Disk Cleanup Tool, Windows CoreMessaging, Windows Win32 Kernel Subsystem, Windows Setup Files Cleanup, Windows DWM Core Library, and others. These vulnerabilities are considered high-risk due to their potential for exploitation and the lack of existing workarounds.  

Beyond Microsoft’s updates, other vendors, including Adobe, SAP, and Ivanti, have also released security patches.  SAP’s updates address vulnerabilities in BusinessObjects, Supplier Relationship Management, and Approuter, including a critical authorization flaw.  Ivanti’s patch fixes a critical OS command injection vulnerability in its Cloud Services Application.  

These updates highlight the ongoing need for timely security patching. With actively exploited zero-days and a range of critical vulnerabilities, organizations must prioritize applying these updates to mitigate risks. The sheer volume of vulnerabilities tracked by security platforms is staggering, as illustrated by SOCRadar’s Vulnerability Intelligence dashboard.

Screenshot via SOCRadar

Mr. Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, told Hackread.com that CVE-2025-21391, though appearing as a file deletion bug, is actively exploited and far more dangerous when combined with code execution. While it doesn’t threaten confidentiality, it severely impacts integrity and availability, potentially crippling servers. Attackers can exploit it to delete critical system files, replacing them with weakly secured versions, and ultimately gaining SYSTEM-level access. Abbasi warns this is no minor flaw; it’s a stealthy path to full system control.

Tag

#sap