nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Mobile Security

Windows Under Attack: May 2025 Patch Tuesday Unveils 5 Active Zero-Days

Microsoft’s May 2025 Patch Tuesday unveiled a concerning landscape for Windows administrators, addressing 78 vulnerabilities, including five zero-day exploits actively leveraged in the wild. These vulnerabilities span critical components of the Windows operating system, emphasizing the necessity for immediate action and robust security measures.

The Zero-Day Threat Landscape
The five zero-day vulnerabilities patched this month are:

  • CVE-2025-30397: A memory corruption vulnerability in the Microsoft Scripting Engine, potentially allowing remote code execution if a user visits a malicious website.
  • CVE-2025-30400: An elevation of privilege flaw in the Windows Desktop Window Manager (DWM) Core Library, which could allow attackers to execute code with elevated privileges.
  • CVE-2025-32701 and CVE-2025-32706: Elevation of privilege vulnerabilities in the Windows Common Log File System (CLFS) driver, which have been a recurring target for attackers due to improper input validation.
  • CVE-2025-32709: An elevation of privilege issue in the Windows Ancillary Function Driver for WinSock, affecting multiple Windows Server versions.

These vulnerabilities have been actively exploited, with some linked to targeted espionage and financially motivated attacks, including ransomware deployments.

Strategic Response and Mitigation
Given the active exploitation of these zero-days, organizations should prioritize the following actions:

  1. Immediate Patch Deployment: Ensure all systems are updated with the latest security patches released in May 2025.
  2. Vulnerability Assessment: Conduct comprehensive assessments to identify and remediate vulnerabilities within your environment.
  3. Security Monitoring: Implement continuous monitoring to detect and respond to potential exploitation attempts promptly.
  4. Employee Awareness: Educate staff about the risks associated with these vulnerabilities and promote best practices to prevent exploitation.

Integrating these measures into your security strategy is crucial to defend against the evolving threat landscape.

Looking Ahead
The recurrence of zero-day vulnerabilities in critical Windows components underscores the importance of a proactive and layered security approach. Organizations must remain vigilant, ensuring timely updates, continuous monitoring, and comprehensive security assessments to safeguard against emerging threats.

Microsoft’s Recall Saga: Continuous Coverage and Latest News

Microsoft’s Recall General Release and New Security Considerations

May 7th, 2025

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in September, Microsoft has officially rolled out its Recall feature to the general public following nearly a year of scrutiny, revisions, and limited testing. As part of the new Copilot+ PC experience, Recall remains one of the most debated features Microsoft has released in recent memory. Designed to take continuous screenshots and build a searchable record of user activity, Recall’s functionality promises convenience but continues to raise significant privacy and security concerns.

This latest development includes updates to Recall’s security architecture, usage policies, and system requirements. For organizations considering the deployment of Copilot+ devices, understanding the risks and implementing proactive controls is essential.

Recall Now Live on Copilot+ PCs

Recall is now publicly available on all Copilot+ PCs, excluding those in the European Economic Area where the rollout will occur later this year. It remains exclusive to devices with high-powered Neural Processing Units (NPUs) capable of 40 trillion operations per second or more. This processing enables on-device AI capabilities, reducing the need to send data to Microsoft servers and reinforcing Microsoft’s promise that all Recall data remains local.

Recall must be enabled manually by users and requires a second opt-in step during setup. The feature can also be paused from the system tray icon or uninstalled entirely through the Windows Features control panel. These changes reflect Microsoft’s effort to improve user control following significant backlash during Recall’s initial announcement.

Security Enhancements and Remaining Gaps

Microsoft has introduced several new protections with the release:

  • Encrypted Storage and Isolation: All screenshots and extracted data are now encrypted and isolated using Virtualization Based Security and the Trusted Platform Module. Data is stored outside the primary Windows environment to reduce the impact of malware infection.
  • Biometric Access and PIN Use: Enabling Recall requires facial or fingerprint authentication using Windows Hello. After setup, access is controlled using the same Windows Hello PIN used to unlock the device. Critics argue this fallback method could still expose data if a PIN is guessed or shared.
  • Application Filtering: Microsoft has added automatic filters to prevent screenshots of sensitive content such as credit card fields, banking sites, and password managers. However, researchers continue to find instances where sensitive information is captured, including encrypted messages and financial data. Visual indicators are present when Recall is running, but users must manually review captured data to confirm exclusions are working correctly.
  • Screenshot Management: Users can configure how long Recall stores data and can delete individual screenshots, data from specific applications, or entire time periods such as the past hour or day.

While these improvements represent a significant upgrade over Recall’s earlier iterations, privacy risks persist. Any active window can be silently recorded if Recall is enabled, potentially capturing sensitive conversations, passwords, or proprietary business data. Furthermore, anyone with physical access and the correct PIN may still access stored content.

AI Feature Expansion and Privacy Implications

Alongside Recall, Microsoft has publicly launched two additional Copilot+ AI tools:

  • Natural Language Windows Search: This enhancement allows users to search across apps, settings, and documents using conversational language.
  • Click to Do: A context-sensitive interface that enables quick actions like summarizing text, copying content, or erasing parts of images.

These features contribute to a growing reliance on embedded AI in the Windows ecosystem. As with Recall, these tools operate at the system level and interact closely with user data, increasing the attack surface and making centralized visibility and control more important than ever.

Mitigating Enterprise Risk:

As Recall and other AI-powered features roll out across enterprise devices, organizations must take proactive steps to mitigate privacy and data leakage risks. nGuard offers several services that can help:

  • Group Policy Configuration Review: Ensure that Recall and associated features are disabled organization-wide using Group Policy Objects (GPOs). nGuard’s configuration review services can verify that security policies are correctly implemented and enforced.
  • AI Risk Assessments: Evaluate the broader impact of adopting AI-powered features like Copilot in your environment. nGuard provides strategic guidance and technical assessments aligned with the NIST AI Risk Management Framework.
  • Security Awareness Training: Educate staff on the risks associated with Recall, AI, and similar tools.

Wrap

Microsoft has made Recall more secure than its original form, but not without compromise. Organizations must remain on top of their risk management practices, especially as AI features become more embedded in everyday operating systems. With the general availability of Recall, now is the time for enterprises to review internal policies, implement technical controls, and conduct regular assessments to ensure these features do not become a blind spot in their security strategy.

New Recall Updates and Changes – September 2024

September 11th, 2024

This article serves as the latest update to our ongoing coverage of Microsoft’s controversial Windows Recall feature. Since our previous discussions in June, significant developments have unfolded, particularly surrounding the security concerns and the broader implications of Recall’s reintroduction. Microsoft has made a series of changes in response to user feedback and security concerns, and in this article, we will explore the latest updates and how they fit into the wider Recall saga.

The Comeback of Windows Recall: October Rollout for Windows Insiders

After pausing the rollout of Windows Recall in June 2024, Microsoft has now confirmed that the feature will be returning in October. However, this return will be limited to Windows Insiders who are using Copilot+ PCs. These devices, equipped with powerful Neural Processing Units (NPUs), are the only ones capable of running Recall’s AI-powered screenshot functionality effectively.

Despite privacy concerns that led to Recall’s initial suspension, Microsoft is moving ahead with plans to test the feature among Insiders. The company hopes to leverage user feedback from this program before making Recall more widely available. Microsoft has made several key adjustments, including stronger encryption for the Recall database and requiring biometric authentication through Windows Hello. These security improvements aim to address the vulnerabilities that were previously identified, but questions remain about the long-term privacy risks of the feature.

Key Updates and Adjustments to Windows Recall

1. Security Enhancements: Encryption and Authentication

The most notable security update is the encryption of the SQLite database that Recall uses to store screenshots. This database will remain encrypted until a user authenticates through Windows Hello, adding a critical layer of security to protect the data collected by Recall. Moreover, the feature now requires biometric verification, ensuring that unauthorized users cannot access this sensitive information. These measures are welcomed, given the concerns raised by security researchers that the unencrypted database could be exploited by malware or other malicious actors.

These updates, while addressing some of the initial concerns, highlight the need for comprehensive security solutions for businesses and organizations that may adopt this feature. Companies can turn to services provided by nGuard for security assessments and managed SIEM, which can help ensure that sensitive data, such as that captured by Recall, is protected from exploitation.

2. Clarification on Uninstallation Options

Recently, confusion arose when users discovered an option to uninstall Recall in the Windows Features menu following the release of Windows 11’s 24H2 update (KB5041865). Microsoft has since clarified that this was a bug and that Recall cannot be fully uninstalled – only disabled. This has disappointed users hoping to remove the feature entirely due to its security risks. While Recall can be disabled, Microsoft’s decision not to allow full removal may lead to concerns in specific environments, particularly in corporate or governmental sectors, where stringent data privacy policies are in place.

The Return of Recall with More Screenshots Features

As Microsoft prepares to release Recall for testing within the Windows Insider community, more detailed information about the system requirements has emerged. To run Recall, a device must meet the following specifications:

  • Processor: Snapdragon X Plus or X Elite processors, System on a Chip (SoC), or another compatible processor.
  • RAM: At least 16GB DDR5/LPDDR5.
  • Storage: Minimum of 256GB SSD or UFS storage.

These hardware requirements ensure that Recall functions smoothly and securely, as it heavily relies on the computational power of NPUs to analyze and manage the continuous stream of screenshots.

Microsoft’s reintroduction of Recall also includes the Copilot Screenray feature, which offers real-time analysis of the user’s desktop, further expanding the functionality of Recall. For instance, this feature could translate text from an email in real-time or provide AI-powered insights on various tasks. However, this addition brings even greater concerns about privacy, as the continuous monitoring of user screens could expose confidential or sensitive information. Ensuring that this data is adequately protected will be critical.

The Evolving Privacy Debate and Microsoft’s Response

The return of Recall has not been without criticism, especially from privacy advocates who argue that the feature remains a potential vulnerability. By continuously taking and storing screenshots, Recall creates a log of user activity that could be exploited if a device is compromised.

Security researchers, including Michael Bargury, have highlighted how Microsoft’s Copilot AI system, which Recall is a part of, could be weaponized for cyberattacks through prompt injections and data exfiltration. These techniques could allow attackers to manipulate the system, extract sensitive data, and even alter key information such as financial details.

While Microsoft has worked to improve Recall’s security, organizations need to stay informed on updates, changes, and vulnerabilities discovered in Recall. The risks associated with AI-powered tools like Recall can be mitigated by regularly conducting security audits against something like the NIST AI RMF Playbook, and employing advanced logging and monitoring solutions to detect suspicious activities early.

Wrap: Balancing Innovation and Security

The Microsoft Recall saga outlines another example of the challenges involved in integrating innovative AI features with user privacy concerns. While Microsoft’s adjustments to Recall, including its enhanced encryption, are steps in the right direction, the privacy debate is not over, yet.

For those looking to bolster their security as AI features like Recall become more prevalent, regular security assessments, logging, and monitoring can help organizations stay ahead of emerging threats and ensure compliance with privacy regulations.

Update: Microsoft Recall Recalled

June 12th, 2024

This article provides an update to our original discussion on the Microsoft Recall feature, updating you on the significant developments since our last coverage on June 6th. The Recall feature has faced extensive criticism concerning privacy and security, leading Microsoft to make crucial adjustments. Here, we dive into the latest updates and recent changes Microsoft has implemented to alleviate these concerns.

Microsoft Recall Under Scrutiny
Microsoft announced significant changes to the Recall feature following widespread criticism. Originally set to be enabled by default, Recall will now be an opt-in feature for users. This change is part of Microsoft’s response to the heavy criticism regarding privacy and data security.

Key Updates to Microsoft Recall

1. Recall to Be Opt-In
Microsoft’s decision to make Recall an opt-in feature marks a significant shift. Users will now have to actively enable the feature, which Microsoft believes will enhance user trust and security.

2. Enhanced Security Measures
To address privacy concerns, Microsoft has introduced several security enhancements for Recall:

  • Biometric Authentication: Users will need to use Windows Hello biometric security to enable Recall.
  • Presence Detection: Recall will require user presence verification to view data.
  • Additional Encryption: Microsoft has implemented further encryption measures to protect stored data.

3. Recall Feature Pulled from Developer Channel
In response to ongoing criticism, Microsoft has temporarily pulled the latest Windows 11 24H2 preview build, the only version that included Recall, from the Windows Insider Program. This move aims to give the company time to refine the feature and address the concerns raised by users and privacy advocates.

Privacy Concerns and Microsoft’s Response
Recall was initially designed to capture periodic screenshots of user activity, stored and analyzed locally on the device. Despite these assurances, privacy experts raised alarms about the potential for misuse, especially if others gained physical access to the device. Microsoft has acknowledged these concerns and emphasized its commitment to user privacy and security.

Public and Expert Reactions
The initial release of Recall received backlash from security researchers, users, and the press. Critics highlighted the potential risks of storing detailed activity logs on devices, which could be exploited by attackers or advertisers. Microsoft’s decision to make Recall an opt-in feature and enhance its security protocols has been seen as a positive step, though skepticism remains.

Future of Recall and Windows 11 24H2
While the Recall feature will be included in the Copilot Plus PCs set to launch on June 18, its broader rollout remains uncertain. Microsoft has paused the release of the 24H2 update but plans to resume it soon, ensuring the feature is thoroughly tested and secure before a wider release.

The Importance of Regular Security Audits
As Microsoft works to improve Recall’s security, it’s crucial for users and organizations to regularly perform security audits of new technologies like Recall. Regular security audits can identify potential vulnerabilities and ensure compliance with industry standards. nGuard offers comprehensive security assessments that help businesses protect their data and systems effectively.

Proper Logging and Monitoring Practices
In addition to regular security audits, implementing proper logging and monitoring is essential for maintaining security. Proper logging helps in tracking user activities and identifying potential security incidents early. Services like nGuard’s Managed Event Collection provide comprehensive  solutions for logging and monitoring, ensuring continuous oversight and quick response to any suspicious activities.

Microsoft’s Commitment to AI Integration
Despite the controversy, Microsoft continues to push forward with its AI integration plans. The Recall feature is part of the larger Copilot Plus initiative, which includes AI-driven capabilities such as advanced photo editing and live transcription. Microsoft’s partnership with OpenAI and its focus on AI innovation remain central to its strategy, even as it navigates the challenges posed by new technologies.

The Microsoft Recall Saga highlights the complexities of integrating advanced AI features into widely used software. By making Recall an opt-in feature and implementing much needed security measures, Microsoft aims to balance innovation with user privacy and trust. As the situation evolves, nGuard will continue updating to see how Microsoft addresses the remaining concerns and rolls out its AI-powered features.

Microsoft’s Windows 11 Recall: Revolution or Privacy Nightmare?

June 6th, 2024

Overview
Microsoft’s latest Windows 11 feature, Recall, has generated substantial controversy in the tech community. This AI-driven tool aims to enhance user productivity by capturing screenshots of active windows every few seconds, allowing users to easily retrieve past information. However, this seemingly innovative feature has raised significant privacy and security concerns among users and experts alike.

Privacy advocates and security experts have voiced concerns over the potential for Recall to inadvertently capture sensitive information, such as passwords, confidential documents, and personal data. Critics argue that the constant screenshot capturing could lead to unintended data exposure and increased risk if a device is compromised. The debate has highlighted the need for stronger privacy controls and transparent data handling practices from Microsoft to address these widespread apprehensions.

Technical Methodologies
Recall operates by taking periodic screenshots of a user’s active window, storing this data on the device for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and an AI model, indexing the data semantically. Users can search their Recall history through natural language queries, making it easy to locate specific information.

The data collected by Recall is encrypted with BitLocker and tied to the user’s Windows account. Microsoft emphasizes that the data remains local and private, not shared with Microsoft or other users on the same device.

Impact Assessment
While Microsoft asserts that Recall is designed with user privacy in mind, critics highlight several vulnerabilities:

  1. Data Exposure: Continuous screenshot capturing can inadvertently include sensitive information such as passwords, confidential documents, and personal photos. For example, if a user is working on a confidential business proposal, screenshots of this document could be captured and stored.  This data, stored locally, is accessible to anyone with device access.
  2. Security Risks: If a device is compromised by malware, the attacker could potentially access the entire Recall database, extracting sensitive information stored in these snapshots.
  3. User Trust: Historical data usage by large corporations has eroded user trust. Despite Microsoft’s assurances of local data storage and encryption, users remain skeptical, particularly in light of past incidents where tech companies have mishandled user data.

Strategic Responses
To mitigate these risks, users and organizations should consider the following strategies:

  1. Disable Recall: Users can manage Recall settings to limit its functionality or disable it entirely. Companies can use group policies to disable Recall across all devices. For detailed instructions, refer to Microsoft’s official Recall settings guide.
  2. Regular Audits: Conduct regular security audits to ensure no sensitive information is inadvertently captured and stored by Recall.
  3. User Training: Educate users on the potential risks of using Recall and best practices for managing their privacy settings.

Forward-Looking Strategies
Looking ahead, Microsoft and users can adopt several strategies to address these concerns:

  1. Enhanced Controls: Microsoft should provide more granular controls for users to manage what information Recall captures and stores.
  2. Transparency: Continuous transparency from Microsoft about how Recall data is handled, stored, and protected is crucial to building user trust.
  3. Integration with Security Solutions: Users should leverage advanced security solutions, such as those offered by nGuard, to monitor and protect data stored by Recall. nGuard’s security assessments and managed event collection services can add an extra layer of security, ensuring that sensitive data remains safe even if captured by Recall. These services help identify vulnerabilities and monitor for suspicious activities, providing comprehensive protection against potential breaches.

Conclusion
While Microsoft’s Recall feature in Windows 11 promises enhanced productivity, it brings significant privacy and security risks. Users and organizations must adopt strategic measures to safeguard their information, ensuring that this innovative tool does not become a gateway for data breaches.

This Week in Cybersecurity (TWiC): Exploit Surge – Palo Alto, Fortinet, SonicWall, and CISA

Cybersecurity headlines this week revealed several high-risk developments affecting VPN infrastructure, DNS systems, firewall appliances, and widely exploited CVEs. Attackers continue to blend opportunistic scanning with advanced persistence techniques, targeting both outdated software and overlooked configurations. Here’s what your team needs to know.

Palo Alto GlobalProtect VPNs Targeted in Ongoing Exploitation Campaigns
A critical command injection vulnerability (CVE-2024-3400) in Palo Alto’s PAN-OS is being actively exploited, with attackers leveraging the flaw to deploy reverse shells and establish persistent backdoors. The vulnerability—pre-authentication and requiring no user interaction—has been observed in targeted attacks by APTs and opportunistic threat actors alike. Despite an initial mitigation release, exploitation surged until the full patch became available in PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3.

Risks Identified:

  • Remote command execution via unauthenticated access
  • Lateral movement following initial access to GlobalProtect
  • Deployment of persistent payloads and shell access

Security Recommendations:

Fast Flux DNS Techniques Resurface in Botnet C2 Operations
CISA issued a new alert on the re-emergence of fast flux DNS techniques—a method of frequently rotating IP addresses tied to a domain—to evade detection and bolster botnet infrastructure. Attackers use this method to obscure command and control (C2) servers and malware delivery operations. The tactic enables high availability, redundancy, and extended attacker dwell time.

Risks Identified:

  • DNS obfuscation of malicious infrastructure
  • Delayed threat detection due to dynamic IP rotation
  • Misidentification of threat actors due to overlapping IP pools

Security Recommendations:

  • Network Traffic Analysis & Threat Intelligence Integration: Detect suspicious behaviors to low-reputation or frequently changing domains. By analyzing firewall, proxy, and EDR logs, a managed SIEM can spot devices attempting outbound communication with suspicious, frequently changing IPs or flagged domains. A SIEM can also correlate DNS and outbound traffic patterns to detect signs of beaconing to a botnet C2.
  • DNS Traffic Monitoring: Implement anomaly-based detection for fast-changing A and NS records.

Fortinet Zero-Day Leads to Persistent Implants in SSL-VPN Devices
Although CVE-2022-42475 was patched in late 2022, Fortinet confirmed new cases of attackers leveraging it to install stealthy rootkits in unpatched FortiOS devices well into 2025. These implants survive reboots and evade most endpoint detection tools, indicating a highly advanced level of persistence used by state-aligned threat actors.

Risks Identified:

  • Long-term undetected access to SSL-VPN appliances
  • Use of custom malware for command execution and data exfiltration
  • Re-infection following patching due to rootkit persistence

Security Recommendations:

Fortinet Zero-Days Enable Persistent Access Through Symlink Backdoors

Newly disclosed Fortinet vulnerabilities (including CVE-2024-26005) enable attackers to plant persistent backdoors using symlink abuse and improperly secured config file paths. Once exploited, attackers can bypass hardening settings and gain long-term access even after patches are applied. These zero-days have been seen in sophisticated intrusion campaigns targeting government and enterprise networks.

Risks Identified:

  • Implanting backdoors that survive reboots and firmware updates
  • Bypassing hardening configs through symlink manipulation
  • Access to firewall management planes and downstream devices

Security Recommendations:

CISA Expands KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) list with several critical vulnerabilities affecting Microsoft Exchange, Cisco IOS XE, and Ivanti systems. These CVEs are confirmed to be exploited in the wild and are being used by ransomware groups and initial access brokers to gain footholds in enterprise environments.

Risks Identified:

  • Rapid weaponization of newly disclosed or older unpatched vulnerabilities
  • Exploitation paths leading to lateral movement and data encryption
  • Incomplete patching due to shadow IT or configuration drift

Security Recommendations:

  • Remediation Prioritization: Focus first on CISA KEV-listed vulnerabilities to reduce exposure.
  • Managed Vulnerability Scanning: Identify outdated or unpatched software across your environment.
  • Configuration Audits: Validate hardened settings and proper segmentation on high-value assets.

From VPN appliances to DNS abuse and persistent firewall implants, this edition’s threats highlight how adversaries blend stealth, automation, and zero-day chaining to evade defenses. Organizations must stay ahead by combining continuous monitoring with proactive services like penetration testing and configuration auditing, while prioritizing remediations. It’s not just about patching—it’s about verifying and validating that your defenses actually work.

MAJOR Cloud Provider Breach

Background and Timeline

In today’s cloud-driven world, trust and transparency are fundamental pillars of cybersecurity. Organizations entrust cloud providers with critical infrastructure and sensitive data, expecting rigorous security controls and open communication when incidents occur. However, recent developments surrounding Oracle’s cloud environment tell a vastly different story.

March 21, 2025: A threat actor known as rose87168 claims to have breached Oracle services under the domain *.oraclecloud.com. The initial report emerges on Bleeping Computer, with Oracle immediately denying any alleged breach, stating that the leaked credentials were not associated with Oracle Cloud and that no customer data was compromised.

Late March 2025: Despite Oracle’s denial, the threat actor releases evidence, including an archive.org link that seemingly confirms unauthorized access to a system using Oracle Access Manager. The hacker also leaks a two-hour-long internal Oracle meeting recording, revealing discussions on internal password vaults and customer-facing systems.

March 28, 2025: Further investigation by cybersecurity researchers and media outlets confirms that Oracle customers’ data—including staff email addresses—has been leaked. Oracle maintains there was no breach, using nuanced language to shift attention toward ‘legacy’ systems instead of core infrastructure.

March 31, 2025: A lawsuit is filed against Oracle Health, accusing the company of attempting to conceal a separate breach and failing to notify affected customers. The suit highlights potential violations of data breach notification laws, underscoring concerns around cloud provider accountability and security transparency.

Early April 2025: The threat actor escalates by leaking additional configuration files and system details, further confirming the security lapse. Meanwhile, Oracle Health, a SaaS subsidiary of Oracle, experiences a separate breach compromising U.S. healthcare organizations and exposing patient data.

April 2-4, 2025: Oracle privately notifies select customers that attackers accessed old client credentials last used in 2017. However, contradicting this statement, leaked data samples include records from late 2024 and early 2025, proving recent exposure. Reports confirm that attackers exploited a 2020 Java vulnerability to gain access and deploy malware, leading to exfiltration of usernames, emails, and hashed passwords from Oracle Identity Manager (IDM) databases.

Implications

If the allegations about this breach hold true, they raise fundamental questions about Oracle’s security measures, incident response, and transparency with customers. While Oracle downplays the situation, attackers remain active, putting affected users at risk of fraud, regulatory consequences, and theft including intellectual property.

Recommended Mitigation

In light of incidents in the cloud, organizations must rethink their approach to protecting their overall infrastructure. Below are critical defenses every cloud-reliant business should implement—along with how nGuard delivers each in our specialized services:

  1. Cloud Security Posture Management (CSPM): Our Cloud Security Assessments include automated tools and expert analysis to identify compliance gaps, misconfigurations, and policy violations in real time.
  2. Strategic Gap Assessments: We evaluate your current cloud security strategy against Zero Trust frameworks and standards to help you close critical gaps to align with regulatory and operational benchmarks.
  3. Incident Response & Digital Forensics: When breaches do occur, nGuard experts deliver rapid containment, root cause analysis, and post-incident reporting to support recovery and regulatory response.
  4. Routine Penetration Testing & Vulnerability Scanning: nGuard’s thorough Penetration Testing and automated Vulnerability Scanning identify misconfigurations and exploitable weaknesses before attackers can act.
  5. Multi-Factor Authentication (MFA): Our team validates the proper use of MFA implementation across platforms to reduce the risk of account compromise—even when credentials are exposed.
  6. Continuous Security Monitoring & Threat Intelligence: Through our Managed Event Collection (MECC) service, nGuard offers real-time monitoring, alerting, and analysis of unusual or malicious activity within your cloud environment.

Conclusion

The Oracle breach serves as a warning that even industry giants are vulnerable to cyber threats. Safeguards and controls must be independently verified, continuously evaluated, and tailored to your unique risk profile.

Cloud security isn’t just a technical concern—it’s a business-critical priority. Harden your cloud infrastructure today with nGuard’s expert guidance and cutting-edge security solutions.

This Week in Cybersecurity (TWiC): Exploit Edition – Veeam, Fortinet, ChatGPT, and WhatsApp

This week saw a sharp uptick in active exploitation, with major vulnerabilities surfacing across backup systems, firewalls, AI platforms, and messaging apps. From remote code execution flaws in Veeam and Fortinet to an SSRF bug in ChatGPT and a WhatsApp zero-day abused by spyware, attackers are leveraging both old and new tactics to gain footholds. Here’s what you need to know.

Veeam Backup Flaw Enables Domain-Wide Remote Code Execution
A critical remote code execution vulnerability (CVE-2025-23120) in Veeam Backup & Replication has been patched, but domain-joined environments remain at serious risk. This deserialization flaw allows any domain user to execute code on vulnerable servers. The vulnerability can allow attackers to bypass existing blacklist-based protections to gain full control of backup infrastructure. All are encouraged to upgrade to Veeam version 12.3.1 immediately.

Risks Identified:

  • Remote execution of arbitrary code by low-privilege domain users
  • Compromised backup servers enabling data exfiltration and deletion
  • Potential full-network compromise via lateral movement

Security Recommendations:

Fortinet Firewalls Under Active Exploitation by Ransomware Groups
CISA has added CVE-2025-24472 and CVE-2024-55591, two authentication bypass flaws in Fortinet’s FortiOS and FortiProxy, to its Known Exploited Vulnerabilities catalog. These bugs allow unauthenticated attackers to gain super-admin access via exposed management interfaces. Ransomware actor Mora_001 has been seen exploiting these vulnerabilities to deploy malware, create persistent access, and conduct full attack chains including data theft and encryption.

Risks Identified:

  • Exploitation of Internet-exposed FortiGate consoles
  • Privilege escalation using crafted proxy requests and WebSocket attacks
  • Deployment of custom ransomware (“SuperBlack”)

Security Recommendations:

  • Immediately apply Fortinet’s patches and restrict access to management interfaces
  • Firewall & Network Device Audits: Uncover vulnerabilities in edge infrastructure and enforce segmentation and access controls. Monitor for suspicious admin account creation and unauthorized script scheduling.
  • Log Management & SIEM Solutions: Allow for real-time detection of post-exploitation activity like unauthorized account creation or lateral movement.

ChatGPT SSRF Bug Under Active Attack by Threat Actors
A newly discovered server-side request forgery (SSRF) vulnerability (CVE-2024-27564) in ChatGPT has become a popular exploit path for attackers. The bug allows malicious actors to inject URLs into ChatGPT inputs, tricking the application into making unauthorized requests. Though rated as medium severity, it has already been weaponized in over 10,000 attack attempts, with financial services and government organizations most heavily targeted.

Risks Identified:

  • Injection of malicious URLs into ChatGPT requests
  • Access to internal services or sensitive resources via SSRF
  • Misconfigured IPS, WAF, and firewalls increase exposure

Security Recommendations:

  • Validate IPS and WAF rules to detect and block SSRF behavior
  • Monitor traffic from known malicious IP addresses
  • Web Application Security Assessments: Simulate attacks like SSRF and reveal weaknesses in your application defenses.
  • Configuration Assessments: Help ensure your WAF, firewall, and intrusion prevention systems are properly tuned to defend against modern web-based threats.

Paragon Spyware Leveraged WhatsApp Zero-Day
Citizen Lab and Meta have confirmed that the Graphite spyware from surveillance firm Paragon exploited a WhatsApp zero-day to carry out zero-click attacks against mobile users in over two dozen countries. Despite Paragon’s claims of ethical use, the spyware has targeted journalists, activists, and government critics, suggesting potential misuse of its capabilities.

Risks Identified:

  • Exploits required no user interaction (zero-click)
  • Attacks affected both Android and iOS users

Security Recommendations:

  • Encourage regular updates for all messaging and mobile apps
  • Limit sensitive communications over third-party messaging platforms
  • Social Engineering Testing: Phishing campaigns that emulate realistic adversary tactics, helping you train staff to avoid common pitfalls.

Wrap
This week’s advisory highlights the continued pressure placed on backup platforms, firewalls, AI systems, and messaging apps. As attackers evolve their strategies from exploiting overlooked bugs to chaining zero-days into spyware campaigns organizations must strengthen their defenses with timely patching, rigorous access control, and continuous monitoring. Stay ahead of the threats by combining proactive assessments, intelligent detection, and user-focused training.

This Little-Known Microsoft Feature Could Be Your Biggest Security Risk!

In a previous This week in Cyber Security advisory, we highlighted how threat actors are successfully exploiting organization’s Microsoft 365 infrastructure using device code phishing attacks. In this advisory, we’ll take a deeper look at how device code authentication works and why it’s targeted, as well as mitigations for device code phishing and other attack vectors that target Microsoft Entra ID tokens.

How Device Code Authentication Works
Instead of signing in directly, users navigate to https://microsoft.com/devicelogin which will redirect them to the login portal seen in the screenshot below, prompting the user to enter a code that will allow a device or app to access their Microsoft Entra ID account.

Just as streaming services like Netflix use device code authentication to simplify logins on remote controls, Entra ID leverages device codes for similar scenarios. This method is particularly useful for Internet of Things (IoT) devices—such as smart appliances and industrial sensors—and command-line interface (CLI) tools, which developers use to interact with software via text commands. These environments often lack traditional authentication options, making device codes an effective solution.
On the back-end, device code authentication uses OAuth 2.0 to authenticate the device or app to the user’s account. Once a user completes the authentication process (including MFA if prompted), an access token and a refresh token are issued to that device or app session. There are other types of tokens within Entra ID but we’ll be focusing on access and refresh tokens here.

  • Access Tokens: This token is used to authenticate or access an Entra ID resource. The default lifetime is a random value between 60 and 90 minutes.
  • Refresh Tokens: Used to refresh or generate new access tokens. This can be continually used with a 90-day timeframe to generate new access tokens.

This is especially useful for attackers for several reasons:

  • By abusing legitimate functionality of a trusted resource, an attacker increases the likelihood of a successful attack.
  • Tokens offer the same level of access and/or privileges as the user’s credentials (e.g., access to Outlook, SharePoint, Teams, etc.).
  • Attackers can maintain access to the account even if a user’s password is updatedTokens need to be manually revoked using PowerShell.
  • MFA is not required to access resources after the device is authenticated to the user’s account.
  • After gaining this initial access via device code phishing, attackers can potentially move laterally, escalate privileges, steal sensitive data, and maintain persistence within the environment through unauthorized access to Microsoft 365 services (Outlook, Teams, SharePoint, etc.) or other Entra ID–protected resources.

Broader Initial Access Threats
In addition to device code phishing, there are other attack vectors that attackers use to try and gain access to Entra ID tokens. Awareness of these types of attacks can help organizations prioritize their defense and mitigation strategies.

Mitigation Guidance
nGuard recommends implementing layered countermeasures to prevent or contain threats to Entra ID. The table below contains Entra ID defense recommendations focusing on removing or restricting initial access (IA) attack vectors first, then focuses on eliminating privilege escalation (PE) vectors.

The table also notes which attack vectors are mitigated by each control. If your organization does not rely on device authentication, disabling it outright can eliminate that attack vector.

Once technical controls are in place, security assessments should be performed regularly to validate that implemented protections are working effectively and ensure misconfigurations or new vulnerabilities haven’t been introduced between assessments.

Recommended DefenseHow It HelpsAttack Vectors Mitigated
Disable or Restrict Device Authentication Flow (if not needed, or limit access via Conditional Access Policies) Removes or locks down device code phishing attack vectors Device Code Phishing
Phishing-Resistant MFA
(e.g., FIDO2 tokens, certificate based, number matching)		 Neutralizes credential attacks such as brute force
Stops easy approvals for MFA fatigue
Increases difficulty of device code phishing attacks		 AiTM Phishing
Credential Attacks
Device Code Phishing
MFA Fatigue
Restrict OAuth App Consents
(admin workflows, governance)		 Blocks malicious apps from tricking users into illicit consent
Prevents unauthorized device code usage if combined with restricted app permission		 Device Code Phishing
Illicit OAuth Consent
Disable Legacy/Basic Authentication (if not needed) Enforces modern authentication / MFA usage
Prevents credential attacks via old protocols that skip MFA		 Credential Attacks
Strong Password Management
(banned password lists, lockout policies)		 Reduces effectiveness of credential attacks
Improves overall credential hygiene		 Credential Attacks
Monitor & Alert on Anomalous SignIns
(Entra ID Protection, SIEM)		 Identifies device code anomalies or suspicious reverse proxy sign-ins
Flags repeated MFA prompts
Spots unusual IP and geolocation usage to detect token theft		 Device Code Phishing
AiTM Phishing
MFA Fatigue
Post Compromise Attacks
Shorter Token Lifetimes & Continuous Access Evaluation (CAE) Limits timeframe tokens validity
Forces frequent reauthentication
Real time risk-based token revocation
Limits the utility of stolen or replayed tokens
Reduces long-lived sessions that man-in-the-middle phishing attackers can exploit		 AiTM Phishing
Post Compromise Attacks
 
Harden Endpoints & Browsers
(EDR, patching, limiting extensions)		 Detects malware that steals tokens or session cookies
Encourages least privilege to contain endpoint compromise		 Post Compromise Attacks

Summary
In addition to implementing technical controls, organizations can enhance security by educating users on recognizing suspicious device code prompts and illicit consent phishing attempts. Regular security awareness training and social engineering exercises help reinforce this knowledge, ensuring users remain vigilant and identifying those who may need additional guidance. By adopting a layered security approach, organizations can increase the difficulty of attacks and provide additional protection in case of unauthorized access. Focusing on high-impact defenses and environment-specific mitigations enables efficient protection against device code phishing and other threats targeting Entra ID.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later