Vulnerability Report Archives | Page 2 of 8 | SECaaS Platform AIONCLOUD

[2026.01 Vulnerability Report] Fortra GoAnywhere MFT Auth Bypass & Insecure Deserialization

This is an authentication bypass and insecure deserialization vulnerability in Fortra GoAnywhere MFT. An attacker first obtains a valid authentication token through the bypass and then submits a malicious serialized object to a specific endpoint, where it is deserialized and its payload executed. A patch for this vulnerability was released in September 2025, and AIWAF products will […]

[2025.12 Vulnerability Report] React2Shell (CVE-2025-55182)

This vulnerability stems from a structural design flaw in the React Server Components (RSC) and Next.js Server Function request-processing flow: server-side logic applies Flight deserialization to client-supplied input without adequate validation, so attacker-controlled data is interpreted as JavaScript objects. An attacker can reach the vulnerable code path with a crafted, unauthenticated HTTP request, leading to remote […]

[2025.12 Vulnerability Report] Grafana SCIM Privilege Escalation Vulnerability (CVE-2025-41115)

Grafana Enterprise is a critical asset that handles core enterprise monitoring data. CVE-2025-41115 is a critical vulnerability in its SCIM user-provisioning feature that allows an attacker to obtain administrator privileges with a single HTTP request to the SCIM provisioning endpoint. With detailed analysis and proof-of-concept (PoC) techniques already circulating, exploitation attempts are expected to surge. Therefore, customers using the platform […]

[2025.11 Vulnerability Report] Oracle E-Business Suite RCE Chain

This is a remote code execution vulnerability in Oracle E-Business Suite. An attacker can chain multiple vulnerabilities in the service to execute arbitrary commands. A patch for this vulnerability was released in October 2025, and AIWAF products will address this vulnerability through the “Oracle E-Business RCE Chain” pattern, which will be added in the […]

[2025.11 Vulnerability Report] Intermesh BV GroupOffice Remote Code Execution (CVE-2025-63406)

GroupOffice is a groupware platform offered to businesses, and CVE-2025-63406 in this service is a critical vulnerability that could allow remote code execution without authentication. Given the detailed public analysis of the vulnerability and the high potential for remote exploitation, active exploitation attempts are expected. Therefore, customers using this platform should patch to […]

[2025.11 Vulnerability Report] EDR-Freeze Based Neutralization Techniques Targeting Protected Processes (PP/PPL)

We analyze a technique that abuses the dump functionality of Windows Error Reporting (WerFaultSecure) to temporarily freeze EDR/antivirus processes and manipulate their execution state. An attacker supplies the target process’s PID to WerFaultSecure; while it collects a dump of the protected process (PPL, Protected Process Light), WerFaultSecure suspends the target process. The research […]

[2025.10 Vulnerability Report] CVE-2025-24054: NTLM Hash Exfiltration via .library-ms in Windows Explorer

Microsoft released a security update in March 2025 that fixes a vulnerability in Windows File Explorer where NTLM authentication data could be leaked to an attacker-controlled server when Explorer processes files inside archive files (e.g., ZIP/RAR). The issue was initially assigned CVE-2025-24071 and was later re-identified as CVE-2025-24054. NTLM (New Technology LAN Manager) is an authentication protocol used in […]

[2025.10 Vulnerability Report] PluXml CMS — Theme Editor Authenticated Admin Remote Code Execution (CVE-2025-57567)

PluXml CMS is a content management system (CMS) widely used for personal and small websites. The recently discovered CVE-2025-57567 resides in the theme editor feature of the admin panel and allows an authenticated administrator to inject arbitrary PHP code, leading to remote code execution (RCE). This vulnerability is extremely dangerous, as a […]

[2025.10 Vulnerability Report] Sitecore Experience Platform Insecure Deserialization

This is an insecure deserialization vulnerability in the Sitecore Experience Platform. An attacker can reach classes that perform deserialization under the /-/xaml/Sitecore.Shell path and supply a malicious serialized object that executes code when deserialized. A patch for this vulnerability was released in July 2025, and AIWAF products will address this vulnerability through the “Sitecore Experience Platform Insecure Deserialization Remote Code […]

[2025.09 Vulnerability Report] CVE-2025-8088 in the Wild: LNK Dropper to COM Hijacking Attack Chain

CVE-2025-8088 is a vulnerability in WinRAR for Windows that arises from incomplete path normalization/validation during extraction. Under certain conditions an archive entry (for example, one carrying NTFS Alternate Data Stream, ADS, metadata) can be crafted to bypass the intended extraction path and create files outside the target directory, including auto-start locations such as the Startup folder. An adversary can leverage this to plant files that execute at logon, gaining code execution and persistence.

1. Overview
Disclosed in August 2025, CVE-2025-8088 is a path traversal vulnerability in WinRAR for Windows. Because path normalization/validation during extraction is incomplete, an attacker-supplied archive can cause files to be created outside the intended extraction directory (including parent directories). An attacker can exploit this behavior to place files in autorun locations (e.g., the Startup folder), causing automatic execution at the next user logon and thus code execution on the victim's machine.

2. Affected Versions
Affected product: WinRAR for Windows, versions up to and including 7.12.
Trigger conditions: a user extracts an attacker-crafted RAR archive with a vulnerable WinRAR. The out-of-directory write happens during extraction itself; the planted file then runs when the user next logs on, or sooner if the user manually executes extracted content.
Impact: the attacker can place batch files, LNK shortcuts, executables, or scripts into locations such as %APPDATA%\…\Startup. Files placed in a startup location execute automatically after a reboot or at the next logon.

3. Root Cause
Analysis of the file stream data created by a PoC shows the following structure (summary): the archive contains multiple blocks. Block[1] holds the packed file data. The vulnerability arises from Block[2], which carries NTFS-related metadata: filename/path metadata, timestamps, and the stream information required to restore NTFS alternate data streams. The flaw lies in how WinRAR interprets the path/stream information in Block[2].

Background (ADS and NTFS): NTFS supports multiple data streams per file. An Alternate Data Stream (ADS) is a named $DATA attribute and is referenced as filename:streamname; for example, example.pdf:hidden.bin denotes a hidden data stream attached to example.pdf. Windows relies on ADS for some security mechanisms, notably the Mark of the Web (MoTW): files downloaded from the Internet receive a stream such as filename:Zone.Identifier:$DATA (e.g., test.exe:Zone.Identifier) that carries a ZoneId (ZoneId=3 for the Internet zone), which drives Protected View and SmartScreen behavior.

How the vulnerability is triggered: the attacker crafts NTFS metadata inside the RAR (Block[2]) that contains a filename:streamname style entry in which the stream portion is replaced by path traversal elements such as ..\..\..\. WinRAR joins this string to the extraction directory without validating it and passes the result directly to the Windows file creation API (CreateFileW) as its first parameter. Windows treats the colon (:) as the ADS delimiter, and the ..\ components in the stream portion then take part in path normalization, so the file is created outside the extraction folder. Debugging a PoC confirms this: the decoy.txt:streamname entry is manipulated so that the stream name becomes a chain of ..\ components (e.g., ..\..\..\…), and that exact string reaches CreateFileW unchanged.

4. Real-world Attack Example
The threat actor group RomCom (also tracked as Storm-0978, Tropical Scorpius and UNC2596, and linked to Russia) discovered and began exploiting CVE-2025-8088 in the wild as a zero-day.
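The validation that section 3 describes as missing from WinRAR's extraction path handling, written out as an added example. This is illustrative Python, not WinRAR's code; the extraction directory, the entry names and the "trusting extractor" helper are constructed for the example, and ntpath.normpath stands in for Win32 path normalization so it runs offline on any platform. It also rejects the other classic escapes (absolute, drive-qualified and UNC names, `..` path components, reserved device names), so it is more general than the single ADS case in the text.

```python
"""Extraction-path validation that closes the gap behind CVE-2025-8088.

An extractor that trusts the name in the archive header and hands
"<dest>\\<name>" straight to CreateFileW lets a crafted ADS name such as
"decoy.txt:..\\..\\x" escape the extraction directory. The functions below
reject such names before any file is created.
"""
import ntpath
import re

# Extraction directory and entry names constructed for this example.
DEST = r"C:\Users\victim\Downloads\invoice"
CONSTRUCTED_ENTRIES = {
    "plain": r"docs\readme.txt",
    "motw": r"readme.txt:Zone.Identifier",
    "motw_typed": r"readme.txt:Zone.Identifier:$DATA",
    # Stream name replaced by traversal components, the CVE-2025-8088 shape.
    "traversal_in_stream": r"decoy.txt:..\..\..\..\AppData\Roaming\Microsoft"
                           r"\Windows\Start Menu\Programs\Startup\Update.lnk",
    "traversal_in_path": r"..\..\evil.bat",
    "drive_absolute": r"C:\Windows\evil.dll",
    "unc": r"\\server\share\evil.dll",
}

_BAD_CHARS = re.compile(r'[<>"|?*\x00-\x1f]')
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def raw_target(dest, entry):
    """What a trusting extractor does: join and pass on, no checks."""
    return dest.rstrip("\\") + "\\" + entry.replace("/", "\\")


def where_windows_would_write(dest, entry):
    """ntpath.normpath collapses '..' the way Win32 does before the file is
    created; it is an offline approximation, not the real API."""
    return ntpath.normpath(raw_target(dest, entry))


def escapes_destination(dest, entry):
    """True if the normalized target lies outside dest (case-insensitive)."""
    base = ntpath.normpath(dest).lower() + "\\"
    return not where_windows_would_write(dest, entry).lower().startswith(base)


def validate_entry(entry):
    """Return (ok, reason) for one archive entry name, ADS form included."""
    name = entry.replace("/", "\\")
    if re.match(r"^[A-Za-z]:", name) or name.startswith("\\"):
        return False, "absolute, drive-qualified or UNC path"
    parts = name.split(":")                    # path[:stream[:type]]
    if len(parts) > 3:
        return False, "too many ':' separators"
    path = parts[0]
    stream = parts[1] if len(parts) > 1 else None
    stype = parts[2] if len(parts) > 2 else None
    for comp in path.split("\\"):
        if comp in ("", ".", ".."):
            return False, f"illegal path component {comp!r}"
        if _BAD_CHARS.search(comp) or comp != comp.rstrip(". "):
            return False, f"illegal characters in {comp!r}"
        if comp.split(".")[0].upper() in _RESERVED:
            return False, f"reserved device name {comp!r}"
    if stream is not None:
        # An ADS name is a single attribute name: never a separator, never
        # a traversal token. This is the check missing in WinRAR <= 7.12.
        if stream in ("", ".", "..") or "\\" in stream or _BAD_CHARS.search(stream):
            return False, f"illegal stream name {stream!r}"
    if stype is not None and stype != "$DATA":
        return False, f"unsupported stream type {stype!r}"
    return True, "ok"


def hardened_target(dest, entry):
    """Validate, then double-check containment after normalization."""
    ok, reason = validate_entry(entry)
    if not ok:
        raise ValueError(f"refusing {entry!r}: {reason}")
    if escapes_destination(dest, entry):
        raise ValueError(f"refusing {entry!r}: resolves outside {dest}")
    return raw_target(dest, entry)


if __name__ == "__main__":
    for label, entry in CONSTRUCTED_ENTRIES.items():
        ok, reason = validate_entry(entry)
        print(f"{label:20} {'OK    ' if ok else 'REJECT'} {reason}")
        if not ok and escapes_destination(DEST, entry):
            print(f"{'':20} naive target would land at "
                  f"{where_windows_would_write(DEST, entry)}")
```

Note that the naive prefix test raw_target(DEST, entry).startswith(DEST) is true for the traversal entry, which is exactly why a check on the un-normalized string is not enough: validate every path component and the stream name separately, then confirm containment after normalization.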
A representative attack flow observed by ESET (source: https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/):

When the malicious RAR is extracted, the archive drops Update.lnk and msedge.dll into attacker-chosen target locations (for example, %TEMP% or the Startup folder). When Update.lnk is executed, it writes a registry value that performs COM hijacking:

HKCU\Software\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 = “%temp%\msedge.dll”

That CLSID is mapped to the PSFactoryBuffer object of npmproxy.dll (the Network List Manager proxy/stub DLL). Per-user registrations under HKCU\Software\Classes take precedence over the machine-wide ones under HKLM when a CLSID is resolved, so once the attacker has registered msedge.dll for that CLSID, the COM runtime loads the attacker-provided msedge.dll instead of the expected npmproxy.dll the next time a process instantiates that class, and the attacker's DLL runs inside that process. (Elevated processes ignore per-user COM registrations, so the hijack runs at the user's integrity level, which is sufficient for persistence.) The flow diagram in the ESET report illustrates this chain.

5. Mitigation
Immediate action: update WinRAR to 7.13 or later as soon as possible.
Operational controls: inspect and remediate endpoints and servers where suspicious RAR files may have been extracted. Useful indicators are unexpected files in per-user or all-users Startup folders and HKCU\Software\Classes\CLSID\…\InprocServer32 values that point into user-writable directories such as %TEMP%.
Mail and gateway controls: for mail and cross-network transfer paths, quarantine or pre-scan RAR attachments (sandboxing / AV / detonation) before users can extract or execute archived content.

6. Conclusion
CVE-2025-8088 is a WinRAR directory traversal vulnerability, abusing ADS stream names, that enables extraction to arbitrary paths (including autorun/startup locations). Attackers exploit it to drop files that run automatically, gaining persistence and code execution. The vulnerability has been used in real-world campaigns and is listed in CISA's KEV catalog, so rapid remediation is recommended.
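Detection logic for the two observable steps of the chain above (an archiver writing into a Startup folder, then a per-user CLSID InprocServer32 value pointing into a user-writable directory), as an added example that is not part of the original report. The events are constructed Sysmon-style JSON lines: the field names follow Sysmon (Event ID 11 FileCreate, Event ID 13 registry value set), but the users, paths and timestamps are invented, and nothing here is taken from the ESET samples. The rules are independent of the specific CLSID so that the same logic catches other DLLs planted the same way.

```python
"""Detection for the two observable steps of the RomCom chain: an archiver
writing into a Startup folder, then a per-user CLSID InprocServer32 value
pointing into a user-writable directory."""
import json
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events. EventID 11 = FileCreate, 13 = RegistryEvent
# (value set). Field names follow Sysmon; every value is invented.
CONSTRUCTED_EVENTS = r"""
{"t":"2025-08-01T09:00:00","EventID":11,"User":"CORP\\alice","Image":"C:\\Program Files\\WinRAR\\WinRAR.exe","TargetFilename":"C:\\Users\\alice\\Downloads\\invoice\\decoy.txt"}
{"t":"2025-08-01T09:00:01","EventID":11,"User":"CORP\\alice","Image":"C:\\Program Files\\WinRAR\\WinRAR.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk"}
{"t":"2025-08-01T09:00:01","EventID":11,"User":"CORP\\alice","Image":"C:\\Program Files\\WinRAR\\WinRAR.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.dll"}
{"t":"2025-08-01T09:12:30","EventID":13,"User":"CORP\\alice","Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1-2-3-1001_Classes\\CLSID\\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\\InprocServer32\\(Default)","Details":"C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.dll"}
{"t":"2025-08-01T10:00:00","EventID":13,"User":"CORP\\bob","Image":"C:\\Windows\\System32\\msiexec.exe","TargetObject":"HKLM\\SOFTWARE\\Classes\\CLSID\\{0002DF01-0000-0000-C000-000000000046}\\InprocServer32\\(Default)","Details":"C:\\Program Files\\Vendor\\app.dll"}
"""

ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Per-user CLSID registration as Sysmon logs it (HKCU or the HKU\<SID> view).
USER_CLSID_RE = re.compile(
    r"^(?:HKCU\\Software\\Classes|HKU\\S-1-5-21-[0-9-]+(?:_Classes|\\Software\\Classes))"
    r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32\\\(Default\)$", re.I)
USER_WRITABLE_RE = re.compile(
    r"(?:%temp%|\\Temp|\\Downloads|\\Users\\Public|\\ProgramData)\\", re.I)


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def rule_archiver_write_to_startup(ev):
    """Sysmon 11: an archive tool creating a file under a Startup folder."""
    if ev.get("EventID") != 11:
        return None
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in ARCHIVERS and STARTUP_RE.search(ev.get("TargetFilename", "")):
        return {"rule": "archiver_write_to_startup", "severity": "high",
                "user": ev["User"], "t": ev["t"], "evidence": ev["TargetFilename"]}
    return None


def rule_user_com_hijack(ev):
    """Sysmon 13: per-user InprocServer32 pointing into a user-writable dir."""
    if ev.get("EventID") != 13:
        return None
    if (USER_CLSID_RE.match(ev.get("TargetObject", ""))
            and USER_WRITABLE_RE.search(ev.get("Details", ""))):
        return {"rule": "user_com_hijack", "severity": "high",
                "user": ev["User"], "t": ev["t"],
                "evidence": ev["TargetObject"] + " -> " + ev["Details"]}
    return None


RULES = (rule_archiver_write_to_startup, rule_user_com_hijack)


def detect(text, window_minutes=30):
    """Run every rule, then chain a Startup write and a COM hijack by the
    same user within window_minutes into one critical-severity finding."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in parse_events(text):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    chains = []
    for s in (f for f in findings if f["rule"] == "archiver_write_to_startup"):
        for h in (f for f in findings if f["rule"] == "user_com_hijack"):
            same_user = s["user"].lower() == h["user"].lower()
            delta = abs(datetime.fromisoformat(h["t"]) - datetime.fromisoformat(s["t"]))
            if same_user and delta <= window:
                chains.append({"user": s["user"], "severity": "critical",
                               "steps": [s["evidence"], h["evidence"]]})
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    print(json.dumps(detect(CONSTRUCTED_EVENTS), indent=2))
```

Sysmon only records Event ID 13 for registry paths that its configuration includes, so the second rule needs a rule covering CLSID\*\InprocServer32 in the Sysmon config; the HKLM write by msiexec.exe in the sample is deliberately left unflagged, since machine-wide registrations by an installer are the normal case.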
7. References
https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
https://www.seqrite.com/ko/blog/winrar-directory-traversal-ntfs-ads-vulnerabilities-cve-2025-6218-cve-2025-8088/
https://github.com/onlytoxi/CVE-2025-8088-Winrar-Tool
