Quotidien Shaarli

An ongoing phishing campaign abuses a little‑known feature in Microsoft 365 called "Direct Send" to evade detection by email security and steal credentials.

Direct Send is a Microsoft 365 feature that allows on‑premises devices, applications, or cloud services to send emails through a tenant's smart host as if they originated from the organization's domain. It’s designed for use by printers, scanners, and other devices that need to send messages on behalf of the company.

However, the feature is a known security risk, as it doesn't require any authentication, allowing remote users to send internal‑looking emails from the company's domain.

Microsoft recommends that only advanced customers utilize the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down..

"We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins," explains Microsoft.

"You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication."

The company has shared ways to disable the feature, which are explained later in the article, and says they are working on a way to deprecate the feature.

CISA says a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software, which enables attackers to hijack and brick servers, is currently under active exploitation.
CISA has confirmed that a maximum severity vulnerability in AMI's MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks.

The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it's used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service providers and data centers.

This authentication bypass security flaw (tracked as CVE-2024-54085) can be exploited by remote unauthenticated attackers in low-complexity attacks that don't require user interaction to hijack and potentially brick unpatched servers.

L'antenne secrète, Airbus et la Chine (1/2) – Les services de renseignement français suspectent qu'une petite société de télécommunications chinoise ait déployé une station d'écoute à proximité de sites d'Airbus. Si une enquête judiciaire est ouverte, l'affaire mobilise fortement les espions hexagonaux. Révélations.

C'est une rue étroite qui coupe la "plus belle avenue du monde". À une centaine de mètres des Champs-Élysées, à Paris, entre une immense boutique du géant français du prêt-à-porter Lacoste et un ancien restaurant irakien, apparaît le 17 rue du Colisée. Ce centre d'affaires sans charme héberge un cabinet d'avocats, un groupe spécialisé dans les semi-conducteurs et une entreprise de production musicale. Depuis le 1er janvier 2025, l'immeuble compte un nouvel occupant : la société chinoise SATHD Europe, spécialisée dans les télécommunications par satellite. Alors que ses statuts juridiques l'attestent, l'entreprise ne figure pas sur la plaque mentionnant les locataires. Ces derniers affirment par ailleurs n'avoir constaté aucun signe de présence de cette mystérieuse entité entre les murs.

SATHD Europe existe pourtant bel et bien. La société est même soupçonnée par les services de renseignement hexagonaux d'être à l'origine de l'une des plus grandes opérations d'espionnage ayant visé la France ces dernières années. Après plusieurs mois d'enquête, Intelligence Online est en mesure de révéler une affaire de longue haleine, dans laquelle les regards convergent vers la Chine.

Village idéalement situé dans le cône de réception satellitaire
Début 2022. Les officiers de la Direction du renseignement et de la sécurité de la défense (DRSD), service de contre-ingérence du ministère des armées, repèrent une antenne suspecte qui dépasse du balcon d'un immeuble de Boulogne-sur-Gesse, petite commune rurale de Haute-Garonne. Celle-ci ressemble à peu de chose près à une parabole permettant de recevoir la télévision par satellite. Les contre-espions français sont toutefois sur leurs gardes. Ce village se situe à environ 71 kilomètres en ligne droite du téléport d'Issus Aussaguel. Ce centre de télécommunications, au sud de Toulouse, pilote les satellites d'observation de la Terre du Centre national d'études spatiales (CNES), notamment les Pléiades fabriqués par Airbus Group et les SWOT conçus par le français Thales Alenia Space (TAS) et l'américain Jet Propulsion Laboratory.

Developing a rigorous scoring system for Agentic AI Top 10 vulnerabilities, leading to a comprehensive AIVSS framework for all AI systems.

Key Deliverables

• Agentic AI Top 10 Vulnerability Scoring System:
  • A precise and quantifiable scoring methodology tailored to the unique risks identified in the OWASP Agentic AI Top 10.
  • Clear rubrics and guidelines for assessing the severity and exploitability of these specific vulnerabilities.
• Comprehensive AIVSS Framework Package:
  • Standardized AIVSS Framework: A scalable framework validated across a diverse range of AI applications, including and extending beyond Agentic AI.
  • AIVSS Framework Guide: Detailed documentation explaining the metrics, scoring methodology, and application of the framework.
  • AIVSS Scoring Calculator: An open-source tool to automate and standardize the vulnerability scoring process.
  • AIVSS Assessment Report Templates: Standardized templates for documenting AI vulnerability assessments.

Le procès de seize personnes impliquées dans le siphonnage des données bancaires et personnelles de 76 000 intérimaires Adecco débute ce lundi à Lyon. Le préjudice estimé atteint 1,6 million d’euros.

• Le procès de seize personnes débute à Lyon pour le siphonnage de données de 76 000 intérimaires Adecco, causant un préjudice de 1,6 million d'euros.
• Un alternant d'Adecco a permis l'accès aux données via le darkweb, entraînant des prélèvements frauduleux orchestrés par une société écran.
• Les victimes, exposées à des risques d'usurpation d'identité, s'inquiètent des conséquences à long terme de cette fraude.

En 2022, des intérimaires d’Adecco découvrent sur leur relevé bancaire un débit de 49,85 euros. Le nom affiché ne leur dit rien. Rapidement, l’affaire fait tache d'huile. Comme on vous l'avait raconté sur Clubic à cette époque, plusieurs milliers de personnes se rendent compte du problème en même temps. Les prélèvements se répètent, toujours pour le même montant. Les victimes échangent sur un groupe Facebook. Le point commun se confirme. Elles réalisent qu'elles ont toutes travaillé pour le leader du travail temporaire en France. Adecco lance un audit interne. Très vite, le lien se fait avec ses propres fichiers. Le géant suisse, pays pourtant considéré comme sanctuaire des données personnelles, comprend qu’un vaste piratage vient de toucher ses bases de données.

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.

For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Details

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.

Details about the vulnerabilities are as follows:

CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwo99449
CVE ID: CVE-2025-20281
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.

This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Bug ID(s): CSCwp02821
CVE ID: CVE-2025-20282
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Workarounds

There are no workarounds that address these vulnerabilities.

If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.

Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain.  

This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States’ fragmented, risk-averse acquisition model with China’s outsourced and funnel-like approach.  

Key findings: 

• Zero-day exploitation is becoming more difficult, opaque, and expensive, leading to “feast-or-famine” contract cycles. 
• Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes (FVEYs) market, while eroding trust between buyers and sellers.  
• China’s domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia. 
• The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse – focused on defense rather than offense.  
• The US acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements. 
• China’s acquisition processes use decentralized contracting methods. The Chinese Communist Party (CCP) outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and “n-day” usage.    
• US cybersecurity goals, coupled with “Big Tech” market dominance, are strategic counterweights to the US offensive capability program, demonstrating a strategic trade-off between economic prosperity and national security. 
• China’s offensive cyber industry is already heavily integrated with artificial intelligence (AI) institutions, and China’s private sector has been proactively using AI for cyber operations. 
• Given the opaque international market for zero-day exploits, preference among government customers for full exploit chains leveraging multiple exploit primitives, and the increase in bug collisions, governments can almost never be sure they truly have a “unique capability.”