privilege escalation | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts. "These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3 access," Aqua researchers Yakir Kadkoda and Ofek Itach said in an analysis. "These default roles silently introduce attack paths that allow privilege escalation, cross-service access, and even potential account compromise." The cloud security firm said it identified security issues in default IAM roles created by AWS services like SageMaker, Glue, EMR, and Lightsail. A similar flaw has also been unearthed in a popular open-source framework called Ray, which automatically creates a default IAM role (ray-autoscaler-v1) with the AmazonS3FullAccess policy. What's concer...

Microsoft on Tuesday shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild. Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity. Twenty-eight of these vulnerabilities lead to remote code execution, 21 of them are privilege escalation bugs, and 16 others are classified as information disclosure flaws. The updates are in addition to eight more security defects patched by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The five vulnerabilities that have come under active exploitation in the wild are listed below - CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability CVE-2025-3270...

A second security flaw impacting the OttoKit (formerly SureTriggers ) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  "This is due to the create_wp_connection() function missing a capability check and insufficiently verifying a user's authentication credentials," Wordfence said . "This makes it possible for unauthenticated attackers to establish a connection, which ultimately can make privilege escalation possible." That said, the vulnerability is exploitable only in two possible scenarios - When a site has never enabled or used an application password, and OttoKit has never been connected to the website using an application password before When an attacker has authenticated access to a site and can generate a valid application password Wordfence revealed that it obs...

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed," Google said in a Monday advisory. "User interaction is not needed for exploitation." It's worth noting that CVE-2025-27363 is rooted in the FreeType open-source font rendering library. It was first disclosed by Facebook in March 2025 as having been exploited in the wild. The shortcoming has been described as an out-of-bounds write flaw that could result in code execution when parsing TrueType GX and variable fo...

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry," Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News. The shortcoming has been codenamed ConfusedComposer by the cybersecurity company, describing it as a variant of ConfusedFunction , a privilege escalation vulnerability impacting GCP's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. The disclosure comes weeks after Tenable detailed another pr...

Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. The issues have been uncovered in a binary named " schtasks.exe ," which enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. "A [User Account Control] bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval," Cymulate security researcher Ruben Enkaoua said in a report shared with The Hacker News. "By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators' rights, leading to unauthorized access, data theft, or further system c...

Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures. Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected due to siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each seems unrelated when viewed in isolation, but in a connected timeline of events, it's a dangerous breach. Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a ...

Cybersecurity researchers have detailed a case of an incomplete patch for a previously addressed security flaw impacting the NVIDIA Container Toolkit that, if successfully exploited, could put sensitive data at risk. The original vulnerability CVE-2024-0132 (CVSS score: 9.0) is a Time-of-Check Time-of-Use (TOCTOU) vulnerability that could lead to a container escape attack and allow for unauthorized access to the underlying host. While this flaw was resolved by NVIDIA in September 2024, a new analysis by Trend Micro has revealed the fix to be incomplete and that there also exists a related performance flaw affecting Docker on Linux that could result in a denial-of-service (DoS) condition. "These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions," Trend Micro researcher Abdelrahman Esmail said in a new report published today. The fact that the TOCTOU vulnerability persists means that a ...

Microsoft has released security fixes to address a massive set of 125 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild. Of the 125 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code execution, 16 as information disclosure, and 14 as denial-of-service (DoS) bugs. The updates are aside from the 22 flaws the company patched in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been flagged as under active attack is an elevation of privilege (EoP) flaw impacting the Windows Common Log File System (CLFS) Driver ( CVE-2025-29824 , CVSS score: 7.8) that stems from a use-after-free scenario, allowing an authorized attacker to elevate privileges locally. CVE-2025-29824 is the sixth EoP vulnerability to be di...

Cybersecurity researchers have disclosed details of a now-patched security flaw in the Amazon EC2 Simple Systems Manager (SSM) Agent that, if successfully exploited, could permit an attacker to achieve privilege escalation and code execution. The vulnerability could permit an attacker to create directories in unintended locations on the filesystem, execute arbitrary scripts with root privileges, and likely escalate privileges or perform malicious activities by writing files to sensitive areas of the system, Cymulate said in a report shared with The Hacker News. Amazon SSM Agent is a component of Amazon Web Services (AWS) that enables administrators to remotely manage, configure, and execute commands on EC2 instances and on-premises servers.  The software processes commands and tasks defined in SSM Documents , which can include one or more plugins, each of which is responsible for carrying out specific tasks, such as running shell scripts or automating deployment or configura...

Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild. The two high-severity vulnerabilities are listed below - CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel "The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed," Google said in its monthly security bulletin for April 2025. "User interaction is not needed for exploitation." The tech giant also acknowledged that both the shortcomings may have come under "limited, targeted exploitation." It's worth noting that CVE-2024-53197 is rooted in the Linux kernel and was patched last year, alongside CVE-2024-53104 and CVE-2024-50302...

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code. "The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account," Tenable security researcher Liv Matan said in a report shared with The Hacker News. The security shortcoming has been codenamed ImageRunner by the cybersecurity company. Following responsible disclosure, Google addressed the problem as of January 28, 2025. Google Cloud Run is a fully managed service for executing containerized applications in a scalable, serverless environment. When the technology is used to run a service, container images are retrieved from the Artifact Registry (or Docker Hub) for subsequent depl...

A critical security flaw has been disclosed in NetApp SnapCenter that, if successfully exploited, could allow privilege escalation. SnapCenter is an enterprise-focused software that's used to manage data protection across applications, databases, virtual machines, and file systems, offering the ability to backup, restore, and clone data resources. The vulnerability, tracked as CVE-2025-26512 , carries a CVSS score of 9.9 out of a maximum of 10.0. "SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed," the data infrastructure company said in an advisory published this week. CVE-2025-26512 has been addressed in SnapCenter versions 6.0.1P1 and 6.1P1. There are currently no workarounds that address the issue.  While there is no evidence that the shortcoming has been exploited in the wild, it'...

Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions. The vulnerability, tracked as CVE-2024-12284 , has been given a CVSS v4 score of 8.8 out of a maximum of 10.0. It has been described as a case of improper privilege management that could result in authenticated privilege escalation if the NetScaler Console Agent is deployed and allows an attacker to execute post-compromise actions. "The issue arises due to inadequate privilege management and could be exploited by an authenticated malicious actor to execute commands without additional authorization," Netscaler noted . "However, only authenticated users with existing access to the NetScaler Console can exploit this vulnerability, thereby limiting the threat surface to only authenticated users." The shortcoming affects the below versions - NetScaler Cons...