Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD).
The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.
Although Microsoft states they plan to fix this issue in the future, a patch is not currently available. Therefore, organizations need to take other proactive measures to reduce their exposure to this attack. Microsoft has reviewed our findings and approved the publication of this information.
In this blog post, we provide full details of the attack, as well as detection and mitigation strategies.
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.
Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity.
Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.
An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.
The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket
The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a CMS used to manage and remotely control digital signage displays.
As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files.
This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication.
Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
#Deprecated #L2TP #Microsoft #PPTP #Server #VPN #Windows
Progress Report Server Unauthenticated Remote Code Execution Chain
BMC&C Eclypsium Research has discovered and reported 3 vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers…
