Cyber Security Weekly Briefing, 4-8 August

August 8, 2025

Critical vulnerabilities affect more than 100 Dell laptop models

Talos has identified five critical vulnerabilities in Dell's ControlVault3 firmware and its Windows APIs, dubbed “ReVault,” affecting more than 100 laptop models. According to Talos they comprise two out-of-bounds flaws (CVE-2025-24311, CVSSv3 8.4; CVE-2025-25050, CVSSv3 8.8), an arbitrary free (CVE-2025-25215, CVSSv3 8.8), a stack overflow (CVE-2025-24922, CVSSv3 8.8), and an unsafe deserialization (CVE-2025-24919, CVSSv3 8.1).

These flaws allow post-compromise persistence that survives a Windows reinstall, and an attacker with physical access can manipulate the USH board to bypass login or have false fingerprints accepted. To mitigate the risks, it is recommended to update the firmware, disable unused services, and strengthen authentication. Detection can be supported by BIOS intrusion-detection functions, Windows service monitoring, and advanced security solutions.

More info

Linux backdoor discovered after going undetected for a year

Researchers at Nextron Systems have discovered a Linux backdoor called Plague, designed as a malicious Pluggable Authentication Module (PAM) that allows attackers to bypass system authentication and gain persistent access via SSH. Because PAM modules are embedded in privileged authentication processes, Plague can operate covertly and undetected by conventional security tools.

The research reveals that there have been active samples of this malware since July 2024, without any antivirus engine having identified it as malicious. Its capabilities include the use of static credentials, anti-debugging techniques, string obfuscation and environment manipulation to avoid forensic logging.

For example, it deletes environment variables such as SSH_CONNECTION and redirects the command history (HISTFILE) to /dev/null. The implant survives system updates and has a high level of stealth, making it difficult to detect and analyse.
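Two defender-side checks that follow from the behaviours described above, written as an added example (not code from Nextron's research): an audit of a pam.d-style configuration against a known-good module baseline, and a check of a shell session's environment for the SSH_CONNECTION and HISTFILE tampering mentioned. The standard module directories, the baseline and the sample config are assumptions; the module name in the sample is a placeholder, not a real indicator.

```javascript
// Directories where distribution-packaged PAM modules normally live (assumed list).
const STANDARD_PAM_DIRS = ["/lib/security", "/lib64/security",
  "/lib/x86_64-linux-gnu/security", "/usr/lib/security"];

// Parse "type control module-path [args]" lines, dropping comments and blanks.
function parsePamLines(configText) {
  const entries = [];
  for (const raw of configText.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const parts = line.split(/\s+/);
    if (parts.length < 3) continue;
    entries.push({ type: parts[0], control: parts[1], module: parts[2] });
  }
  return entries;
}

// Flag modules that are not in the baseline, or that are loaded by absolute
// path from outside the standard module directories.
function auditPamConfig(configText, baseline) {
  const findings = [];
  for (const e of parsePamLines(configText)) {
    const name = e.module.split("/").pop();
    const dir = e.module.includes("/") ? e.module.slice(0, e.module.lastIndexOf("/")) : null;
    if (!baseline.has(name)) findings.push(`unknown module: ${e.module} (${e.type})`);
    if (dir && !STANDARD_PAM_DIRS.includes(dir)) findings.push(`module outside standard dir: ${e.module}`);
  }
  return findings;
}

// An SSH session normally carries SSH_CONNECTION; HISTFILE=/dev/null disables history logging.
function checkSessionEnv(env, isSshSession) {
  const findings = [];
  if (isSshSession && !("SSH_CONNECTION" in env)) findings.push("SSH_CONNECTION missing in SSH session");
  if (env.HISTFILE === "/dev/null") findings.push("HISTFILE redirected to /dev/null");
  return findings;
}

// Constructed sample config; pam_example_unknown.so is a placeholder name.
const SAMPLE_SSHD_PAM = `
#%PAM-1.0
auth      required  pam_env.so
auth      required  pam_unix.so nullok
auth      optional  /tmp/.cache/pam_example_unknown.so
account   required  pam_nologin.so
session   required  pam_limits.so
`;
const BASELINE = new Set(["pam_env.so", "pam_unix.so", "pam_nologin.so", "pam_limits.so"]);
```

In practice the baseline would be generated from the package manager's file lists, and the environment check run from a login hook rather than against a literal object.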

More info

Critical vulnerability in NestJS allows remote code execution in development environments

A critical vulnerability (CVE-2025-54782, CVSSv4 10.0, according to GitHub) was identified in the @nestjs/devtools-integration package of NestJS that allows remote code execution (RCE) on developer machines. The flaw arises when enabling the package in development mode, exposing a local HTTP server with the endpoint /inspector/graph/interact, which executes JavaScript code in an insecure sandbox based on vm.runInNewContext.

This implementation, similar to the abandoned safe-eval, allows for easy escape from the sandbox. In addition, the lack of proper origin and content type validation allows malicious sites to send POST requests with text/plain, bypassing CORS checks.

By simply visiting a malicious page, an attacker can execute arbitrary commands on the affected system. The vulnerability, investigated by JLLeitschuh (Socket), has been fixed by replacing the sandbox with @nyariv/sandboxjs and adding header validation and authentication. It is recommended to update to the patched version immediately.
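The two request-handling weaknesses described above (no origin validation, and acceptance of text/plain bodies, which browsers send cross-site without a CORS preflight) can be contrasted with a hardened request gate. This is an added example, not NestJS code or the actual fix; the allowed origins, the token and the sample requests are assumptions.

```javascript
// Assumed origin of the legitimate local dev UI, and a placeholder shared secret
// (in real use, load it from configuration, never hard-code it).
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);
const EXPECTED_TOKEN = "dev-token-placeholder";

// Gate resembling the vulnerable behaviour: any POST to the endpoint is accepted,
// so a cross-site page can reach it with a "simple" text/plain request.
function weakGate(req) {
  return req.method === "POST";
}

// Hardened gate: origin allowlist, strict JSON content type, and a bearer token
// that a cross-site page cannot attach.
function hardenedGate(req) {
  const h = Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (req.method !== "POST") return { ok: false, reason: "method" };
  // A browser always sends Origin on cross-site POSTs; reject anything not allowlisted.
  if ("origin" in h && !ALLOWED_ORIGINS.has(h.origin)) return { ok: false, reason: "origin" };
  // application/json is not a CORS-safelisted type, so cross-site callers would need a preflight.
  const ct = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return { ok: false, reason: "content-type" };
  // Shared secret covers non-browser callers that omit Origin entirely.
  if (h.authorization !== `Bearer ${EXPECTED_TOKEN}`) return { ok: false, reason: "auth" };
  return { ok: true, reason: null };
}

// Constructed sample requests: one from a cross-site page, one from the dev UI.
const CROSS_SITE_REQ = {
  method: "POST",
  headers: { Origin: "https://cross-site.example", "Content-Type": "text/plain" },
  body: "...",
};
const DEV_UI_REQ = {
  method: "POST",
  headers: { Origin: "http://localhost:3000", "Content-Type": "application/json",
             Authorization: "Bearer dev-token-placeholder" },
  body: "{}",
};
```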

More info

Storm-2603 deploys Warlock and LockBit ransomware using AK47 C2 framework

The Storm-2603 group, allegedly linked to China, has been tied to attacks exploiting recent Microsoft SharePoint Server vulnerabilities (CVE-2025-49706 and CVE-2025-49704, CVSSv3 6.5 and 8.8 respectively, according to the vendor). The actor employs a custom command-and-control framework called AK47 C2, which operates over HTTP (AK47HTTP) and DNS (AK47DNS) channels. According to Check Point, it has been active since at least March 2025 and has targeted organisations in Latin America and Asia-Pacific.

Its tools include legitimate utilities such as PsExec, masscan and WinPcap, as well as a custom backdoor that communicates with fake domains. It uses DLL sideloading and BYOVD (bring your own vulnerable driver) techniques with an Antiy Labs driver to disable antivirus. It has also distributed payloads such as Warlock and LockBit Black via malicious MSI installers. While it is unclear whether its motivations are financial or espionage-driven, Check Point warns that the group combines APT and cybercrime methods in its operations.

More info

Vietnamese group steals data of thousands of victims in 62 countries

Researchers from SentinelLABS and Beazley Security have uncovered a global operation led by a Vietnamese-speaking group responsible for compromising more than 4,000 victims in at least 62 countries, including South Korea, the U.S., the Netherlands, Hungary and Austria. The attackers use an infostealer called PaxStealer, which steals passwords, cookies, credit card data and other sensitive information. The malware has evolved this year to evade antivirus products and fool security analysts. It is estimated that more than 200,000 passwords and 4 million cookies have been stolen, mainly for financial purposes.

The stolen data is traded through Telegram via an automated subscription system that allows other cybercriminals to conduct cryptocurrency fraud or infiltrate other people's systems.

PaxStealer was initially identified in 2023 by Cisco Talos, and while its exact link to the CoralRaider group is not confirmed, there are overlaps in the use of the Vietnamese language in its code. The target of the attacks appears to be broad and opportunistic, affecting both corporate and home users.

More info