ZeroDay Field Notes - Some Assembly Required: Your Weekly Logon Script
Weekly security roundup of new malware, exploits, supply-chain tricks, and defense notes across Linux, Windows, and cloud.
Another week, another pile of fresh vulnerabilities and clever tradecraft to dig through. The blue team is busy patching, which means it’s a good time for the rest of us to be taking notes, updating our toolkits, and generally making their lives more difficult. It's UncleSp1d3r, and this week was a goldmine for anyone who appreciates the finer points of fileless execution, supply chain shenanigans, and good old-fashioned RCE.
Let’s dive into the good stuff.
New Toys for the Sandbox
It was a banner week for innovative malware and evasion techniques. My personal favorite comes from Synacktiv, which published a beautiful analysis of LinkPro, a stealthy eBPF rootkit found in a compromised AWS EKS environment. This thing is a work of art. After gaining initial access through a vulnerable Jenkins server, the actors deploy LinkPro, which uses a combination of LD_PRELOAD and two eBPF programs to hide its tracks. One eBPF program handles hiding processes and network connections, while the other acts as a "port knocker," activating the C2 only after receiving a magic TCP packet. It’s sophisticated, kernel-level implanting perfectly suited for modern cloud environments. Time to brush up on your bpftool skills if you want to find this one.
For those of you who enjoy living off the land, there's a lovely bit of tradecraft involving fileless execution on Linux. The SANS Internet Storm Center detailed a Python dropper that uses direct syscalls to execute an ELF payload entirely from memory. By calling memfd_create (syscall 319), it avoids touching disk entirely, making it invisible to file-based detection. The second stage in the analyzed sample was a simple XOR crypter, but the delivery mechanism is the real star here. It’s a clean technique for evading basic EDR and a good reminder that userland API monitoring isn't enough.
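One way to hunt for that technique from the defender's side, as an added example rather than code from the ISC write-up: a process started from a memfd has no on-disk executable, so its `/proc/<pid>/exe` link reads `/memfd:<name> (deleted)`. The helper names are hypothetical and the sample input is constructed.

```python
"""Hunt for processes executing from an anonymous memfd (added example).

Not code from the ISC write-up. An ELF started via memfd_create + execve has
/proc/<pid>/exe pointing at "/memfd:<name> (deleted)" instead of a path on
disk, so sweeping /proc finds what file-based scanners cannot. Helper names
are hypothetical; the sample input is constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# readlink("/proc/<pid>/exe") for a memfd-backed process, e.g. "/memfd:x (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>\S*)\s*\(deleted\)$")


def classify_exe_target(target: str) -> Tuple[bool, str]:
    """Return (is_memfd, memfd_name) for one /proc/<pid>/exe link target."""
    m = MEMFD_RE.match(target)
    return (True, m.group("name")) if m else (False, "")


def find_memfd_processes(exe_links: Dict[int, str]) -> List[Tuple[int, str]]:
    """Given {pid: exe link target}, return [(pid, memfd name)] sorted by pid."""
    hits = []
    for pid, target in sorted(exe_links.items()):
        is_memfd, name = classify_exe_target(target)
        if is_memfd:
            hits.append((pid, name))
    return hits


def collect_exe_links() -> Dict[int, str]:
    """Read /proc/<pid>/exe for every process we are allowed to inspect (Linux only)."""
    links = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # process exited, or belongs to another user
                pass
    return links


if __name__ == "__main__":
    # Constructed sample: pid 4242 is the in-memory ELF, the others are ordinary.
    sample = {1: "/usr/lib/systemd/systemd", 4242: "/memfd:x (deleted)", 5000: "/usr/bin/python3"}
    print("sample hits:", find_memfd_processes(sample))
    print("live hits:", find_memfd_processes(collect_exe_links()))
```

A few legitimate programs execute from a memfd too (runc clones its own binary this way), so triage hits against the known runtimes on the host before raising an alert.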
And if you're looking for creative C2 channels, VMRay found the SharkStealer infostealer using the BNB Smart Chain Testnet as a dead-drop resolver. Dubbed "EtherHiding," the Golang-based malware makes eth_call requests to a smart contract to retrieve an encrypted blob, which it then decrypts in memory to get its real C2 address. It’s a great way to decentralize your C2 infrastructure and make takedowns a massive headache.
In-the-Wild Exploits & Other Dumpster Fires
Of course, it wouldn't be a week in security without a few screaming dumpster fires. If you're looking for fresh shells, the opportunities were plentiful.
On-prem SharePoint continues to be the gift that keeps on giving. "ToolShell" (CVE-2025-53770) is an unauthenticated RCE being actively and widely exploited. Attackers are dropping web shells and pivoting with frameworks like Sliver and ShadowPad. Microsoft has the full guidance, but the short version is: if it’s unpatched, it's probably owned.
The e-commerce world is also having a bad time. "SessionReaper" (CVE-2025-54236) is a critical flaw in Adobe Commerce and Magento that allows for unauthenticated session hijacking via the REST API. Sansec and BleepingComputer report active exploitation, with attackers probing and dropping web shells. Adobe has released a hotfix advisory (APSB25-88) for those who care to patch.
And finally, if you needed more proof that perimeter devices are a top-tier target, a critical pre-auth RCE in WatchGuard's Fireware OS (CVE-2025-9242) is now under active exploitation. The bug is in the IKEv2 service, and with over 75,000 devices exposed to the internet, it’s a turkey shoot.
The Supply Chain is Still Leaking
The hits just keep on coming for developer environments. A self-propagating worm named "GlassWorm" was found spreading through the OpenVSX and VS Code marketplaces. As detailed by Truesec, this malware hides its payload in extensions using invisible Unicode characters, steals developer credentials, and uses a morbidly clever C2 architecture leveraging Solana blockchain transactions and Google Calendar as a fallback. With over 35,000 compromised installs, this has likely resulted in a treasure trove of developer tokens ripe for the picking.
Not to be outdone, the Rust ecosystem is grappling with "TARmageddon" (CVE-2025-62518), a vulnerability in the abandoned async-tar library that allows a crafted nested TAR file to overwrite arbitrary files during extraction. Edera's research shows how this can lead to RCE in CI/CD pipelines. It’s a classic example of how a single, unmaintained dependency can create a massive security hole.
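The general mitigation for that failure mode, as an added example (not Edera's code and not async-tar's): resolve where every archive member would land before writing it, and refuse anything that escapes the destination tree, including writes redirected through a link planted by an earlier member. Helper names are hypothetical and the sample archive is constructed in memory.

```python
"""Contain tar extraction to the destination directory (added example).

Not Edera's code or async-tar's. Helper names are hypothetical; the sample
archive is constructed in memory.
"""
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


def is_contained(dest_root: str, relative: str) -> bool:
    """True if dest_root/relative resolves (symlinks included) inside dest_root."""
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, relative))
    return target == root or target.startswith(root + os.sep)


def safe_extract(data: bytes, dest_root: str) -> List[str]:
    """Extract only members that stay inside dest_root; return rejected names."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            ok = is_contained(dest_root, m.name)
            if m.issym() or m.islnk():  # an escaping link would redirect later writes
                base = os.path.dirname(m.name) if m.issym() else ""
                ok = ok and is_contained(dest_root, os.path.join(base, m.linkname))
            if not ok:
                rejected.append(m.name)
                continue
            tf.extract(m, dest_root)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file, one absolute path, one '..' escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("build/ok.txt", "/etc/cron.d/evil", "../../.bashrc"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tf.addfile(info, io.BytesIO(b"sample"))
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[str]]:
    """Extract the sample into a temp dir; return (rejected names, files written)."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(build_sample_archive(), dest)
        written = sorted(os.path.relpath(os.path.join(d, f), dest)
                         for d, _, fs in os.walk(dest) for f in fs)
    return rejected, written
```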
And just to prove no good deed goes unpunished, the official Xubuntu website was compromised to serve Windows malware to users trying to download the Linux distro. Instead of a torrent file, visitors were served a "Safe Downloader" that installed a crypto-clipper.
Bug & PoC Corner
For those of you looking for some new vulns to play with:
- Zyxel firewalls running ZLD firmware have a couple of nice bugs. CVE-2025-9133 is a configuration exposure that allows a semi-authenticated user to dump the running config by chaining commands in the zysh-cgi. Even better is CVE-2025-8078, a post-auth command injection in an undocumented CLI path that gives you root RCE.
- If you're into mail server shenanigans, DepthFirst found a CRLF injection in Netty's SMTP codec (CVE-2025-59419). This allows an attacker who can control SMTP parameters to inject additional commands, effectively letting you send spoofed emails that pass SPF, DKIM, and DMARC checks.
Field Notes & Defensive Annoyances
Finally, a few items from the other side of the fence. Prelude Security has a solid technical breakdown of Pointer Authentication (PAC) on Windows ARM64. It’s a good read if you’re interested in how modern exploit mitigations are being implemented at the hardware and compiler level. Knowing your enemy, and all that.
And Microsoft is finally disabling the preview pane in File Explorer for files with the Mark of the Web. It only took them… forever. This should cut down on the number of NTLM hash leaks from malicious .lnk and other files that trigger a connection on preview. A small win for the blue side, but a win nonetheless.
That’s a wrap. It’s a dangerous world out there, which makes it a fun one for us. Stay curious, stay creative, and don’t get caught.
— UncleSp1d3r