Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
Critical runc Container Escape Vulnerabilities Threaten Docker and Kubernetes
Three critical vulnerabilities in runc, the container runtime powering Docker and Kubernetes, could allow attackers to escape container isolation and gain root access to host systems. CVE-2025-31133 (CVSS 7.3), CVE-2025-52565 (CVSS 8.4), and CVE-2025-52881 (CVSS 7.3) exploit race conditions and mount operations to break container boundaries.
The vulnerabilities leverage different attack vectors to achieve container escape. CVE-2025-31133 exploits the maskedPaths feature by replacing /dev/null with a symlink during container creation, tricking runc into mounting arbitrary host paths and writing to critical system files like /proc/sys/kernel/core_pattern. CVE-2025-52565 targets the /dev/console mount operation during initialization, where insufficient validation allows attackers to redirect mounts and gain write access to protected procfs files before security protections are applied.
CVE-2025-52881 enables bypassing Linux Security Module protections through race conditions with shared mounts, allowing attackers to redirect writes to fake procfs files and manipulate dangerous system files such as /proc/sysrq-trigger. All three vulnerabilities require the ability to start containers with custom mount configurations, making malicious container images and Dockerfiles the primary attack vectors. CVE-2025-31133 and CVE-2025-52881 impact all known runc versions, while CVE-2025-52565 affects versions 1.0.0-rc3 and later.
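All three runc escapes end in a write to a protected procfs file from inside a container, so one host-side detection is to watch for write-mode opens of the files the alert names by processes in container cgroups. The following is an added example (not CyberProof's or the runc project's code) over constructed, simplified audit-style lines; the cgroup prefixes and the CVE-to-path mapping are assumptions drawn from the text above.

```python
import re

# Procfs files the advisory names as write targets of the runc escapes.
SENSITIVE_PROCFS = {
    "/proc/sys/kernel/core_pattern": "CVE-2025-31133",
    "/proc/sysrq-trigger": "CVE-2025-52881",
}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}

# Constructed, simplified audit-style records (one key=value line per open()).
# Real auditd splits SYSCALL/PATH records and does not log cgroups by default.
SAMPLE_LOG = """\
type=OPEN pid=4120 comm="sh" name="/proc/sys/kernel/core_pattern" flags=O_WRONLY|O_TRUNC cgroup="/docker/3f1c9a"
type=OPEN pid=4122 comm="cat" name="/proc/sys/kernel/core_pattern" flags=O_RDONLY cgroup="/docker/3f1c9a"
type=OPEN pid=981 comm="sysctl" name="/proc/sys/kernel/core_pattern" flags=O_WRONLY cgroup="/system.slice/sysctl.service"
type=OPEN pid=4130 comm="sh" name="/proc/sysrq-trigger" flags=O_RDWR cgroup="/kubepods/pod7b2/ctr1"
type=OPEN pid=4131 comm="sh" name="/tmp/notes.txt" flags=O_WRONLY|O_CREAT cgroup="/docker/3f1c9a"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CONTAINER_CGROUP_RE = re.compile(r"^/(docker|kubepods)")  # assumed container cgroup roots


def parse_record(line):
    """Turn one key=value audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_container_cgroup(cgroup):
    """Heuristic: Docker and the kubelet place container processes under these roots."""
    return bool(CONTAINER_CGROUP_RE.match(cgroup))


def find_procfs_writes(log_text):
    """Alert on write-mode opens of sensitive procfs files by processes in container cgroups."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        path = rec.get("name", "")
        if path not in SENSITIVE_PROCFS:
            continue
        if not set(rec.get("flags", "").split("|")) & WRITE_FLAGS:
            continue  # read-only access (cat, sysctl -n) is normal
        if not is_container_cgroup(rec.get("cgroup", "")):
            continue  # host-side writes such as sysctl.service are expected
        alerts.append({"pid": int(rec["pid"]), "comm": rec.get("comm"), "path": path,
                       "cgroup": rec["cgroup"], "related": SENSITIVE_PROCFS[path]})
    return alerts
```

A write performed by runc itself during container setup may not yet sit in the container's cgroup, so treat the cgroup filter as a tunable starting point rather than a hard requirement.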
Ransomware and State-Backed Operations Escalate Across Europe
Europe’s cyber threat landscape is rapidly intensifying, marked by a surge in both criminal and state-aligned operations. Ransomware groups have accelerated attack timelines by 48%, often completing intrusions within 24 hours, while Europe now accounts for 22% of global leak site victims. Since early 2024, big-game-hunting ransomware has struck over 2,100 European organizations, supported by initial access brokers selling network entry to more than 1,400 entities through stolen credentials, software exploits, and social engineering. At the same time, state-backed groups from Russia, China, Iran, and North Korea are expanding targeting across defense, government, energy, and academic sectors—each pursuing distinct objectives ranging from intelligence gathering to credential theft. This convergence of financially motivated crime and geopolitical espionage underscores a new phase of rapid, industrialized threat activity across the region.
Google Chrome Addresses Critical Memory Corruption Flaws
Google has released a security update addressing two high-severity vulnerabilities in Chrome, CVE-2025-11756 (a use-after-free in Safe Browsing) and CVE-2025-12036 (an out-of-bounds memory access in V8), impacting versions 141.0.7390.122 and earlier. Both flaws could allow remote attackers to execute arbitrary code or compromise browser stability through crafted web content.
CVE-2025-11756 (CVSS 8.8) originates from improper memory management in the Safe Browsing component, which could enable a remote attacker who has already compromised the renderer process to perform out-of-bounds memory access using a crafted HTML page, potentially leading to arbitrary code execution or crashes. Meanwhile, CVE-2025-12036 (CVSS 8.8) affects the V8 JavaScript engine, where an out-of-bounds memory access flaw can be triggered through specially crafted web content, allowing attackers to execute code within the browser context and compromise user data.
Upcoming Microsoft Teams “Chat with Anyone” Feature Raises Phishing Concerns
A new Microsoft Teams feature set to roll out soon — “Chat with Anyone” — is raising significant security concerns as it could open a new vector for phishing, impersonation, and malware delivery. By allowing users to message any external or personal email address directly through Teams, the feature effectively bypasses corporate email security controls and established domain restrictions. Threat actors could exploit this capability to impersonate trusted contacts, send malicious links or files, and initiate credential theft campaigns within legitimate Teams environments. Organizations are advised to review Teams configuration settings in advance and prepare access control policies to limit or monitor external communications once the feature becomes available.
Critical Account Takeover Vulnerability in Post SMTP WordPress Plugin
A critical vulnerability has been identified in the Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, affecting all versions up to 3.6.0. The flaw allows attackers to perform full administrative actions such as uploading backdoored plugins or redirecting site content, effectively compromising both the site and its users.
Tracked as CVE-2025-11833 (CVSS 9.8, Critical), the vulnerability stems from a missing authorization check in the plugin’s email log functionality. This allows unauthenticated attackers to access sensitive email logs, including password reset messages, which can then be exploited to reset administrator credentials and gain complete control of affected websites.
Cephalus Ransomware Exploits RDP Credentials for Network Infiltration
Cephalus is a financially motivated ransomware group that gains access to organizations by compromising Remote Desktop Protocol (RDP) accounts that lack multi-factor authentication. The operators conduct targeted intrusions to exfiltrate data and then encrypt victims’ files, openly declaring their presence in ransom notes and publishing proof of breaches via file-sharing repositories to pressure victims into paying. Named after the mythological figure famed for an “unfailing” spear, Cephalus demonstrates high confidence in its operations and focuses on maximizing impact and leverage against chosen targets.
Technically, the ransomware is written in Go and includes multiple anti-analysis and hardening measures. It generates a fake AES key to disrupt dynamic analysis, disables Windows Defender real-time protection, removes VSS backups, and terminates backup and database services (for example, Veeam and MSSQL) to hinder recovery. File encryption uses a single AES-CTR key derived by hashing a random 32-byte value with SHA-256 repeated 10,000 times; that AES key is protected in memory via a SecureMemory construct (VirtualLock to prevent paging and XOR masking) and is ultimately encrypted with an embedded RSA public key so that only the attackers can restore it. After encryption, the malware drops a recover.txt ransom note in affected directories, a design that makes recovery extremely difficult without the attackers' cooperation.
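The pre-encryption steps described above (Defender real-time protection disabled, VSS backups removed, Veeam and MSSQL services stopped) are individually noisy but collectively distinctive, so a simple correlation is to alert when one host shows two or more of them. This is an added example, not CyberProof's or any vendor's detection content; the process-creation events, host names and service names are constructed for the sample.

```python
import re
from collections import defaultdict

# Behaviours the write-up attributes to Cephalus, each matched on the command line.
BEHAVIOURS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "vss_removal": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "backup_or_db_service_stop": re.compile(r"(?:net|sc)(?:\.exe)?\s+stop\s+\S*(?:veeam|mssql)\S*", re.I),
}
ALERT_THRESHOLD = 2  # distinct behaviours seen on one host before alerting

# Constructed process-creation events: (host, pid, command line).
SAMPLE_EVENTS = [
    ("WS-17", 3012, 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("WS-17", 3020, "vssadmin.exe delete shadows /all /quiet"),
    ("WS-17", 3025, "net stop VeeamBackupSvc /y"),
    ("WS-17", 3026, "net stop MSSQLSERVER /y"),
    ("SRV-DB", 511, "net stop MSSQLSERVER"),   # routine maintenance: one behaviour only
    ("WS-02", 880, "vssadmin list shadows"),   # read-only, matches nothing
]


def classify(cmdline):
    """Return the set of Cephalus-style behaviour names a command line matches."""
    return {name for name, rx in BEHAVIOURS.items() if rx.search(cmdline)}


def hosts_to_alert(events, threshold=ALERT_THRESHOLD):
    """Correlate per host; return {host: sorted behaviours} where the count meets the threshold."""
    seen = defaultdict(set)
    for host, _pid, cmd in events:
        seen[host] |= classify(cmd)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}


if __name__ == "__main__":
    for host, behaviours in hosts_to_alert(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(behaviours)}")
```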