In 2025, the stakes changed. CISOs were hauled into courtrooms. Boards confronted a wave of shareholder lawsuits. And the rise of autonomous systems introduced fresh ambiguity and risk around who’s accountable when algorithms act.
What is the Personal Data Protection Act (PDPA) of Thailand? The Personal Data Protection Act, B.E. 2562 (2019), often referred to by its acronym, PDPA, is Thailand’s comprehensive data privacy and protection law. Enacted to safeguard the personal data of individuals, it is heavily influenced by international privacy standards, most notably the European Union’s General […]
Overview On December 10, NSFOCUS CERT detected that Microsoft released the December Security Update patch, which fixed 57 security issues involving widely used products such as Windows, Microsoft Office, Microsoft Exchange Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly update this […]
Microsoft addressed over 1,100 CVEs as part of Patch Tuesday releases in 2025, including 41 zero-day vulnerabilities.
Key takeaways:
Microsoft's 2025 Patch Tuesday releases addressed 1,130 CVEs. This is the second year in a row where the CVE count was over 1,000.
Elevation of Privilege vulnerabilities accounted for 38.3% of all Patch Tuesday vulnerabilities in 2025, followed by Remote Code Execution flaws at 30.8%.
41 zero-day vulnerabilities were addressed across all Patch Tuesday releases in 2025, including 24 that were exploited in the wild.
Background
Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 22nd anniversary. The Tenable Research Special Operations Team (RSO) first covered the 20th anniversary in 2023, followed by our 2024 year in review publication, covering the trends and significant vulnerabilities from the 2024 Patch Tuesday releases.
Analysis
In 2025, Microsoft patched 1,130 CVEs throughout the year across a number of products. This was a 12% increase compared to 2024, when Microsoft patched 1,009 CVEs. With another year of Patch Tuesday releases behind us, Microsoft has yet to break its 2020 record of 1,245 CVEs patched. However, this is the second year in a row that Microsoft crossed the 1,000 CVE threshold, and the third time since Patch Tuesday's inception.
In 2025, Microsoft broke its record for the most CVEs patched in a month twice. The year started off with the largest Patch Tuesday release with 157 CVEs patched. This record was broken again in October with 167 CVEs patched.
Patch Tuesday 2025 by severity
Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.
Over the last three years, the bulk of the Patch Tuesday vulnerabilities continue to be rated as important. In 2025, 91.3% of all CVEs patched were rated important, followed by critical at 8.1%. Moderate accounted for 0.4%, while there were no CVEs rated as low in 2025.
Patch Tuesday 2025 by impact
In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.
In 2024, RCE vulnerabilities led the impact categories; in 2025, EoP vulnerabilities took the lead with 38.3% of all Patch Tuesday vulnerabilities. RCE accounted for 30.8%, followed by information disclosure flaws at 14.2% and DoS vulnerabilities at 7.7%. By coincidence, only 4 CVEs were categorized as tampering this year, exactly as in 2024; in both years, tampering flaws accounted for only 0.4%.
Patch Tuesday 2025 zero-day vulnerabilities
In 2025, Microsoft patched 41 CVEs identified as zero-day vulnerabilities, 24 of which were exploited in the wild. Not every zero-day was exploited: we classify a zero-day as any vulnerability that was publicly disclosed before the vendor's patch was available.
Looking deeper at the 24 CVEs exploited in the wild, 62.5% were EoP flaws. EoP vulnerabilities are often leveraged by advanced persistent threat (APT) actors and determined cybercriminals to elevate privileges as part of post-compromise activity. RCEs were the second most common impact among the exploited zero-days, accounting for 20.8% of them.
While only a small number of zero-days were addressed in 2025's Patch Tuesday releases, we took a deeper dive into some of the more notable ones. The entries below list each vulnerability along with details on its exploitation activity.
Microsoft Management Console Security Feature Bypass Vulnerability: exploited by Water Gamayun (aka EncryptHub, Larva-208) to deploy the MSC EvilTwin trojan loader. The same campaigns also deployed several malware families, including the EncryptHub stealer, the DarkWisp and SilentPrism backdoors, Stealc and the Rhadamanthys stealer.
Microsoft SharePoint Remote Code Execution Vulnerability: exploited by multiple APTs and nation-state actors, including Linen Typhoon (aka Emissary Panda), Violet Typhoon, Storm-2603 and the Warlock ransomware group (aka GOLD SALEM). Chained with CVE-2025-49706, the SharePoint spoofing flaw below, in the attack dubbed ToolShell.
Microsoft SharePoint Server Spoofing Vulnerability: exploited by the same actors (Linen Typhoon, Violet Typhoon, Storm-2603 and Warlock/GOLD SALEM). Chained with CVE-2025-49704, the SharePoint RCE flaw above, in the ToolShell attack.
Conclusion
With 2025's Patch Tuesday releases behind us, it's evident that the number of vulnerabilities Microsoft addresses continues to trend upward year over year. Given Microsoft's share of the operating system market, defenders need to apply Patch Tuesday updates promptly each month: attackers are opportunistic and ready to capitalize on the latest exploitable vulnerabilities. As always, the RSO team will continue its monthly cadence of Patch Tuesday blogs so readers have the information they need to act immediately and improve their organization's security posture.
Cisco Vulnerability Management (formerly Kenna) has long been a valuable partner for security teams. With its end-of-life now underway, Tenable One offers a clear path forward, delivering end-to-end unified exposure management for the future of risk management.
Key takeaways:
Tenable’s strong partnership with Cisco helps customers with a natural path forward and easy transition to exposure management.
Exposure management is the next frontier, taking organizations beyond risk-based vulnerability management (RBVM) by delivering insight across various domains.
Security teams are used to change. The way organizations think about risk is evolving, and many cybersecurity leaders and practitioners are realizing that the tools built for yesterday's vulnerability management, while still essential to their operations, aren't enough for today's exposure.
For years, risk-based vulnerability management (RBVM) tools like Cisco Vulnerability Management (formerly Kenna) have helped teams aggregate data from different security scanners into one place. But simple aggregation is now table stakes; the security requirements of most organizations have outgrown it. One-dimensional findings from those same tools just add noise. What's missing is connectivity across all risk: a view of exposures built from the sum of the parts. Modern security programs need insight into how assets, vulnerabilities, misconfigurations, and identity relationships are connected. That is the same view threat actors build by probing and connecting these pieces to create the next breach.
Moving towards exposure management can help. It meets the modern security organization’s needs, going beyond listing CVEs to focus on the real story behind your risk: how everything in your environment interacts, so you can identify your most toxic combinations based on analysis of the insights provided by your various security tools.
With Cisco entering end-of-life and end-of-sale for Cisco Vulnerability Management, Vulnerability Intelligence, and their Application Security Module, many teams are finding themselves at a decision point. Cisco announced on Dec. 9 that there is no replacement available for the Cisco Vulnerability Management, Vulnerability Intelligence, and Application Security Module (formerly known as Kenna.VM, Kenna.VI, and AppSec) at this time. The key EoL / EoS dates are as follows:
March 10, 2026: End of Sale — The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.
June 11, 2026: End of Service — The last date to extend or renew a service contract for the product.
June 30, 2028: Last date of support subscription — The last date to receive applicable subscription entitlements, service, and support for the product as entitled by active subscriptions and service contracts (as applicable) or by warranty terms and conditions. After this date, all subscription and support services for the product are unavailable, and the product becomes obsolete.
Organizations of all backgrounds and maturity have the chance to treat this moment not as a replacement project, but as an opportunity to change how they approach proactive security.
The differences are in the hidden details: The new era of exposure management
Although risk-based vulnerability management provides a solid foundation, it hits a natural limitation. At best, it aggregates the data, showing only a handful of disconnected severity scores.
While RBVM offers a new lens through which to view your environment, the core challenge remains the same: security teams are stuck sifting through findings from many tools. Sure, it's all in one place, but a true "apples to apples" comparison is impossible because the findings aren't normalized and deduplicated. Visibility alone is insufficient for effective exposure prioritization; the missing ingredient in RBVM is insight.
Tenable’s take on exposure management breaks that barrier by connecting the findings from your various security tools to create insights from your entire environment. You can see the big picture. It’s the difference between staring at isolated findings with different risk scores and truly understanding how your entire attack surface looks to an adversary at any given time.
Insight comes from connecting context, not just critical severity scores, which is where exposure management distinguishes itself.
Let's look at a simple example. There is a stark difference between:
Individual findings: these ~100 servers are running Windows OS with a critical vulnerability.
Insight: this specific server is exposed to the internet, has a medium-severity vulnerability, and is accessible by a compromised admin.
In the first example, security teams waste time deciphering which handful of the 100 Windows servers are most at risk, spending resources and effort working with IT to remediate. In reality, the biggest threat is the one server everyone saw but no one thought about. How could they? It's a single step in a multi-step attack path.
By mapping out how different flaws connect to compromise your critical assets, you can ignore the noise of consolidated tools and zero in on the specific toxic combinations that leave your organization exposed. This shifts your team from constantly reacting to seemingly critical fire drills to preemptively shutting down the most dangerous attack paths — the ones you wouldn’t be able to piece together using simple aggregation tools.
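To make the difference concrete, here is an added example (not Tenable code, and not how Tenable One computes anything) that builds a small, constructed inventory and ranks it two ways: by the worst CVSS score on each asset, as an aggregation tool would, and by whether the asset sits on a path from the internet to a crown-jewel system. The asset names, the identity record and the three reachability rules are all assumptions made for this demo.

```javascript
// Constructed inventory (not Tenable data): 100 Windows servers carrying a critical CVE but
// no exposure, one internet-facing server with a medium CVE, and one crown-jewel database.
const assets = [
  { id: "web-01", internetExposed: true, maxCvss: 5.3, crownJewel: false },
  { id: "db-01", internetExposed: false, maxCvss: 4.3, crownJewel: true },
];
for (let i = 1; i <= 100; i++) {
  assets.push({ id: `win-${String(i).padStart(3, "0")}`, internetExposed: false, maxCvss: 9.8, crownJewel: false });
}

// Constructed identity record: an admin whose credentials are already compromised, who has
// a cached session on web-01 and rights on db-01.
const identities = [
  { id: "admin-jdoe", compromised: true, sessionsOn: ["web-01"], accessTo: ["web-01", "db-01"] },
];

// The aggregation view: rank by the worst severity score on each asset.
function rankBySeverity(assets) {
  return [...assets].sort((a, b) => b.maxCvss - a.maxCvss).map((a) => a.id);
}

// Reachability graph under three assumed rules: the internet reaches exposed assets with an
// exploitable (CVSS >= 4.0) flaw; a foothold on a host yields any identity with a session there;
// an identity reaches every asset it has access to. A compromised identity is itself an entry point.
function buildGraph(assets, identities) {
  const edges = new Map();
  const link = (from, to) => {
    if (!edges.has(from)) edges.set(from, new Set());
    edges.get(from).add(to);
  };
  for (const a of assets) if (a.internetExposed && a.maxCvss >= 4.0) link("internet", a.id);
  for (const idn of identities) {
    for (const host of idn.sessionsOn) link(host, idn.id);
    for (const host of idn.accessTo) link(idn.id, host);
    if (idn.compromised) link("internet", idn.id);
  }
  return edges;
}

// Enumerate simple paths from the internet to any crown jewel (DFS; the graph is tiny).
function findAttackPaths(assets, identities) {
  const edges = buildGraph(assets, identities);
  const jewels = new Set(assets.filter((a) => a.crownJewel).map((a) => a.id));
  const paths = [];
  const walk = (node, path) => {
    if (jewels.has(node)) { paths.push([...path]); return; }
    for (const next of edges.get(node) || []) {
      if (path.includes(next)) continue;
      path.push(next);
      walk(next, path);
      path.pop();
    }
  };
  walk("internet", ["internet"]);
  return paths;
}

// The exposure view: rank non-jewel assets by how many attack paths run through them.
function rankByAttackPaths(assets, identities) {
  const counts = new Map(assets.filter((a) => !a.crownJewel).map((a) => [a.id, 0]));
  for (const path of findAttackPaths(assets, identities)) {
    for (const node of path) if (counts.has(node)) counts.set(node, counts.get(node) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([id]) => id);
}

console.log("by severity:", rankBySeverity(assets).slice(0, 3));
console.log("attack paths:", findAttackPaths(assets, identities).map((p) => p.join(" -> ")));
console.log("by attack path:", rankByAttackPaths(assets, identities).slice(0, 3));
```

The point is not the ranking itself but what the severity view cannot see: the 100 critical findings are real, yet none of them lie on a route to anything that matters, while the medium flaw on web-01 is one hop from the database because of an identity relationship no scanner reports. Under these assumed rules the cheapest fix is also visible: resetting admin-jdoe's credential removes both paths at once.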
Tenable is elevating how organizations of all sizes and maturity levels can identify their exposure.
Exposure management maturity model: A true one-size-fits-all model
One of the most compelling aspects of exposure management is that it isn’t reserved for organizations with bottomless budgets or sprawling security teams; it meets you exactly where you are. Whether your program is currently in a reactive "fire drill" phase — scrambling to patch whatever feels urgent today — or you have a robust set of tools that unfortunately don't talk to each other, exposure management offers a structured path forward.
Tenable’s maturity model highlights that every security program sits somewhere on a spectrum, from "ad hoc" teams keeping the lights on to "standardized" operations that have reached a complexity ceiling. Exposure management creates a unified fabric across these stages, allowing even smaller teams to shift from chaotic, siloed scanning to a more cohesive view of their attack surface without needing to rip-and-replace their entire stack overnight.
Top industry analyst firms name Tenable One a Leader
Simply put, Tenable isn’t catching up to exposure management — it’s leading it.
Built to work with the tools you already have
With 300+ integrations and an open, flexible architecture, Tenable One connects with the security tools you already rely on. Instead of forcing you into a new ecosystem, it strengthens the one you’ve built. Think of Tenable One as the central hub of your security program — the place where everything finally comes together in a clear, contextual view.
Moving beyond lists into real exposure management
Shifting to Tenable One isn’t just about finding a new home for your vulnerability data. It’s about stepping into the next generation of risk management.
Gain unified visibility: Bring together vulnerabilities, misconfigurations, identities, and operational technology (OT) risks from across your security tools into a single platform.
Connect the dots: Understand how risks connect across domains to identify toxic risk combinations across your environment.
See full attack paths: See the paths attackers could take across your environment, from initial entry point to business-critical crown jewels.
Remediate with context: Use holistic risk insights, business context, and threat intelligence to focus remediation on the exposures that matter most.
Communicate with confidence: Deliver executives and board members holistic reports that show how security actions reduce overall organizational business risk.
Exposure management changes the security conversation from "What vulnerabilities do we have?" to "What combinations of risk create the highest exposure?"
The transition from Cisco VM (Kenna) doesn’t have to be disruptive. It can be transformative. If you’re ready to see how Tenable One can elevate your security program, request a demo of Tenable One today.
How Are Non-Human Identities Revolutionizing Cybersecurity? Have you ever considered the pivotal role that Non-Human Identities (NHIs) play in cyber defense frameworks? When businesses increasingly shift operations to the cloud, safeguarding these machine identities becomes paramount. But what exactly are NHIs, and why is their management vital across industries? NHIs, often referred to as machine […]
Can Agentic AI Revolutionize Cybersecurity Practices? Where digital threats consistently challenge organizations, how can cybersecurity teams leverage innovations to bolster their defenses? Enter the concept of Agentic AI—a technology that could serve as a powerful ally in the ongoing battle against cyber threats. By enhancing the management of Non-Human Identities (NHIs) and secrets security management, […]
AI is transforming enterprise productivity and reshaping the threat model at the same time. Unlike human users, agentic AI and autonomous agents operate at machine speed and inherit broad network permissions and embedded credentials. This creates new security and compliance …
Authors, Creators & Presenters: Phillip Rieger (Technical University of Darmstadt), Alessandro Pegoraro (Technical University of Darmstadt), Kavita Kumari (Technical University of Darmstadt), Tigist Abera (Technical University of Darmstadt), Jonathan Knauer (Technical University of Darmstadt), Ahmad-Reza Sadeghi (Technical University of Darmstadt)
PAPER
SafeSplit: A Novel Defense Against Client-Side Backdoor Attacks in Split Learning
Split Learning (SL) is a distributed deep learning approach enabling multiple clients and a server to collaboratively train and infer on a shared deep neural network (DNN) without requiring clients to share their private local data. The DNN is partitioned in SL, with most layers residing on the server and a few initial layers and inputs on the client side. This configuration allows resource-constrained clients to participate in training and inference. However, the distributed architecture exposes SL to backdoor attacks, where malicious clients can manipulate local datasets to alter the DNN's behavior. Existing defenses from other distributed frameworks like Federated Learning are not applicable, and there is a lack of effective backdoor defenses specifically designed for SL. We present SafeSplit, the first defense against client-side backdoor attacks in Split Learning (SL). SafeSplit enables the server to detect and filter out malicious client behavior by employing circular backward analysis after a client's training is completed, iteratively reverting to a trained checkpoint where the model under examination is found to be benign. It uses a two-fold analysis to identify client-induced changes and detect poisoned models. First, a static analysis in the frequency domain measures the differences in the layer's parameters at the server. Second, a dynamic analysis introduces a novel rotational distance metric that assesses the orientation shifts of the server's layer parameters during training. Our comprehensive evaluation across various data distributions, client counts, and attack scenarios demonstrates the high efficacy of this dual analysis in mitigating backdoor attacks while preserving model utility.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Authors, Creators & Presenters: Xiaochen Zhu (National University of Singapore & Massachusetts Institute of Technology), Xinjian Luo (National University of Singapore & Mohamed bin Zayed University of Artificial Intelligence), Yuncheng Wu (Renmin University of China), Yangfan Jiang (National University of Singapore), Xiaokui Xiao (National University of Singapore), Beng Chin Ooi (National University of Singapore)
PAPER
Passive Inference Attacks on Split Learning via Adversarial Regularization
Split Learning (SL) has emerged as a practical and efficient alternative to traditional federated learning. While previous attempts to attack SL have often relied on overly strong assumptions or targeted easily exploitable models, we seek to develop more capable attacks. We introduce SDAR, a novel attack framework against SL with an honest-but-curious server. SDAR leverages auxiliary data and adversarial regularization to learn a decodable simulator of the client's private model, which can effectively infer the client's private features under the vanilla SL, and both features and labels under the U-shaped SL. We perform extensive experiments in both configurations to validate the effectiveness of our proposed attacks. Notably, in challenging scenarios where existing passive attacks struggle to reconstruct the client's private data effectively, SDAR consistently achieves significantly superior attack performance, even comparable to active attacks. On CIFAR-10, at the deep split level of 7, SDAR achieves private feature reconstruction with less than 0.025 mean squared error in both the vanilla and the U-shaped SL, and attains a label inference accuracy of over 98% in the U-shaped setting, while existing attacks fail to produce non-trivial results.
AttackIQ has issued recommendations in response to the Cybersecurity Advisory (CSA) released by the Cybersecurity and Infrastructure Security Agency (CISA) on December 9, 2025, which details the ongoing targeting of critical infrastructure by pro-Russia hacktivists.
At the beginning of this year, we launched the Year of Browser Bugs (YOBB) project, a commitment to research and share critical architectural vulnerabilities in the browser. Inspired by the iconic Months of Bugs tradition in the 2000s, YOBB was started with a similar purpose — to drive awareness and discussion around key security gaps and emerging threats in the browser.
Over the past decade, the browser has become the new endpoint: the primary gateway through which employees access SaaS apps, interact with sensitive data, and use the internet. The modern browser has also evolved significantly, with many capabilities supporting complex web apps that rival native apps in performance. As with all new technologies, those same features are being turned against users, taking advantage of a massive security gap left by traditional solutions that focus primarily on endpoints and networks. Compounded by the release of AI browsers, the browser has become the single most common initial access point for attackers. Yet it remains poorly understood.
The YOBB project aims to demystify these vulnerabilities by highlighting architectural limitations, behavioral trends and industry dynamics that cannot be fixed by a simple security patch. In the past 12 months, we released 11 research pieces, including major zero-day vulnerabilities presented at DEF CON, Black Hat, RSA and BSides. Below is a recap of our findings; the complete Year of Browser Bugs report is available for download.
January 2025: Browser Syncjacking Attack
The Browser Syncjacking attack demonstrated that browser extensions, even just with simple read/write permissions available to popular extensions like Grammarly, can lead to full browser and device takeover by exploiting Google Workspace’s profile sync functionality. The attack unfolds in three escalating stages: profile hijacking, browser hijacking, and device hijacking.
Profile Hijacking — the malicious extension, disguised as an AI tool, silently logs the user into an attacker-managed Chrome profile while the user is idle. This immediately allows the attacker to disable security features in the browser. The attacker can then trick the user into syncing Chrome with the managed Google profile, giving the attacker access to all credentials and browsing history stored locally.
Browser Hijacking — the same extension intercepts legitimate downloads like Zoom updates, replacing the file with the attacker’s malicious executable containing an enrollment token and registry modifications. Believing they’re installing a Zoom update, the victim runs the file, which installs registry entries that convert their browser into a managed browser under the attacker’s Google Workspace control.
Device Hijacking — the same malicious file can also inject registry entries that let the extension communicate directly with native applications, bypassing additional authentication requirements. With this connection established, the attacker uses the extension together with the local shell to gain complete device access: executing system commands, covertly activating cameras and microphones, capturing keystrokes, and reaching every application and piece of sensitive data on the machine.
Polymorphic extensions are malicious extensions that can silently impersonate any other extension, such as a password manager or crypto wallet. The attack exploits end users' reliance on visual cues to decide whether what they are interacting with is safe, and the fact that extensions can change their icons and appearance on the fly without any user warning. With additional permissions, a malicious extension can even disable the real extension while impersonating it.
The user installs and pins a malicious extension, masquerading as a productivity tool.
After some time, the extension disables and impersonates the user’s password manager, by creating pixel-perfect replicas of the target extensions’ icon, HTML popups and workflows.
The extension injects an HTML popup that prompts the user to log back in to their password manager.
The user enters their master password, which is used by the attacker to login to the real password manager and access all passwords on the user’s vault.
Browser-native ransomware (BNR) represents a fundamental shift in ransomware delivery: the attack runs without any local files or processes, bypassing traditional anti-ransomware and EDR tools. With the proliferation of cloud storage and SaaS services, over 80% of enterprise data now resides in the cloud and is accessed primarily through the browser. By combining identity attacks with agentic workflows, attackers can systematically exfiltrate sensitive files and data and hold them hostage for ransom. BNR manifests in many ways; here are a few case studies:
File Storage BNR — via consent phishing (i.e. OAuth attacks), the attacker tricks users into granting their malicious app permission to “see, edit, create and delete all Google Drive files”. With AI agents, the attacker then systematically exfiltrates and deletes all files in the drive, including those shared by colleagues & customers, leaving a ransom note in place threatening to leak the data.
Email BNR — similarly, disguised as a legitimate tool, the attacker's app requests permission to "read, compose, send and permanently delete all email from Gmail". Once granted, the attacker exfiltrates all emails and identifies every SaaS app the victim is registered with by scraping welcome, notification and billing emails. Using an AI agent, the attacker then systematically resets the passwords to those apps, logs the victim out, exfiltrates all data, and uploads ransom notes demanding payment in exchange for the new passwords and a promise not to leak the data.
Disclosed at BSides SF, Data Splicing Attacks are a new class of data exfiltration techniques capable of bypassing the major enterprise DLP solutions listed in Gartner's Magic Quadrant. The research exposed fundamental architectural flaws in both endpoint-based and proxy-based DLP solutions that let attackers upload, paste or print any sensitive data through the browser using several techniques:
Data Smuggling via Alternate Communication Channels — exfiltrating data via binary communication channels such as WebRTC and gRPC that are unmonitored by cloud SASE/SSE DLP or endpoint DLP solutions
Data Sharding — breaking files/data into small “shards” that individually do not trigger regex detection, only to reassemble them after DLP inspection
Data Ciphering — encrypting files, only to decrypt them after DLP inspection, exploiting the fact that most DLP solutions blanket block/allow encrypted files that they do not have decryption keys to inspect
Data Transcoding — encoding file/data with encoding techniques like Base64 such that they evade regex-based DLP policies, only to decode them post-inspection after file download or right before paste/upload
Data Insertion — inserting small characters, colored to match the background, between words so that regex patterns no longer match, allowing sensitive files to be printed without triggering DLP policies
While Browser-in-the-Middle (BitM) attacks have been known since 2021, they typically come with a major telltale sign: the parent window still shows a suspicious URL in the address bar, which raises suspicion among security-aware users. Our research found that the Fullscreen API can be abused to hide this sign, since any user interaction can be used to trigger a fullscreen popup containing the attacker-controlled noVNC window. Not knowing that they are now interacting with an attacker-controlled browser, the victim continues working, unknowingly letting the attacker watch everything they do as they open additional tabs and access enterprise apps, all while believing they're in their own browser.
The user lands on a phishing site impersonating a popular SaaS app (like Figma) through malvertising or SEO poisoning.
When the user clicks what appears to be a normal “Log in” button, it triggers the Fullscreen API to expand a previously hidden BitM window to fullscreen.
The fullscreen window displays the attacker’s remote browser showing the legitimate login page, completely covering the parent window’s suspicious URL.
The user enters their credentials on the real site displayed in the attacker’s remote browser, successfully logging in without any indication of compromise.
The user continues working — opening additional tabs and accessing other enterprise apps — all within the attacker-controlled remote browser under constant surveillance.
While all browsers are vulnerable to Fullscreen BitM, the attack works especially well on Safari due to the complete lack of visual indicators when entering fullscreen mode.
June 2025: Browser AI Agents: The “New Weakest Link”
Since OpenAI launched Operator, AI agents have exploded in adoption, with 79% of organizations deploying agentic workflows today. Unfortunately, these agents are trained to complete tasks, not to be security aware, which makes them even more vulnerable than the average employee. We demonstrated how browser AI agents fall prey to rudimentary attacks like phishing and OAuth consent attacks, leading to data exfiltration and malicious file downloads. Critically, these agents operate at the same privilege level as the user, with full access to the same enterprise resources and few guardrails on agentic workflows.
Since our research, multiple agentic AI providers have improved their security guardrails, often requiring permissions when high risk actions are performed. However, these features are built at the discretion of the AI vendor. There is yet to be an industry standard for AI vendors and enterprises alike when it comes to Agentic Identity and Agentic DLP, which becomes especially challenging with the volume of AI applications being built every day.
July 2025: Architectural Limitations of Chrome DevTools
The past few years have seen a surge in malicious browser extensions, including Geco Colorpick and the Cyberhaven breach. Most extensions are downloaded from official stores like the Chrome Web Store, so enterprises depend heavily on browser vendors to conduct security audits, trusting labels like "Verified" and "Chrome Featured Extension" as security indicators. Unfortunately, attackers can easily game the system with fake reviews and mass downloads, and numerous verified extensions have been found to be malicious.
Yet, there is still very little end users can do to inspect extension behaviors in the browser, even with the Developer Tools provided by browser vendors. This YOBB highlights how trivial it is for malicious extensions to hide suspicious activity from DevTools by exploiting several key limitations:
Difficulty debugging content and service workers simultaneously
No visibility into message passing and internal communications between extension components
No source attribution for injected JavaScript (webpage vs. extension)
Limited network traffic logging that extensions can easily circumvent
No insights into offscreen documents to inspect background processes, hidden extension pages, and time/action-triggered behaviors
August 2025: Passkeys Pwned: Turning WebAuthn Against Itself
At DEF CON 33, we disclosed a major implementation flaw in passkeys that allows attackers to intercept and forge the passkey registration and authentication flows, replacing the user’s key pair with the attacker’s key pair.
Via a malicious script or browser extension, the attacker forces the passkey authentication to fail, prompting the user to re-register their passkey
The attacker intercepts the call during passkey registration and generates its own private and public key pair
The malicious extension stores the private key locally (or sends it to the attacker for login from their own device) and sends the public key to the service provider’s server
When an authentication occurs, the extension/script intercepts this call too and signs the challenge with the stored attacker private key
Since the public key stored on the server is part of the malicious pair the attacker generated during registration, the authentication check succeeds
Note that in both the registration and authentication flow, the user still enters their biometrics/PIN, a visual indicator that many associate with good security. However, in both scenarios, the authenticator’s response is dropped and replaced with the attacker’s public key/signed challenge before it ever reaches the server.
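As an added defensive illustration (not SquareX’s code or part of the disclosure), the check below looks for the kind of script-level substitution described above: a page can run it before calling WebAuthn to see whether the `create`/`get` methods of `navigator.credentials` still resolve to the browser’s native implementations. The function name and the `container` parameter are hypothetical; the container stands in for `navigator.credentials` so the check can be exercised with constructed objects outside a browser.

```javascript
// Heuristic tamper check for a CredentialsContainer-like object.
// Returns a list of findings; an empty list means nothing suspicious was seen.
function inspectCredentialsApi(container) {
  const findings = [];
  for (const name of ["create", "get"]) {
    const fn = container[name];
    if (typeof fn !== "function") {
      findings.push(`${name}: missing`);
      continue;
    }
    // Patching usually installs an own property that shadows the prototype.
    if (Object.prototype.hasOwnProperty.call(container, name)) {
      findings.push(`${name}: own property shadows the prototype method`);
    }
    // Genuine browser APIs print as native code; JS replacements do not.
    if (!/\[native code\]/.test(Function.prototype.toString.call(fn))) {
      findings.push(`${name}: implemented in script, not native`);
    }
    // Bound wrappers also print as native code, but their name changes.
    if (fn.name !== name) {
      findings.push(`${name}: function name is "${fn.name}"`);
    }
  }
  return findings;
}

// Constructed stand-ins for a clean and a tampered navigator.credentials.
// Object.create and Reflect.get are native functions named "create" and "get",
// so they mimic untouched prototype methods here.
function buildSampleContainers() {
  const proto = { create: Object.create, get: Reflect.get };
  const clean = Object.create(proto);
  const tampered = Object.create(proto);
  // Script-level replacement of the kind that swaps in an attacker key pair.
  tampered.create = async function create(options) {
    return { replacedBy: "injected script", options };
  };
  // Bound wrapper: still prints as [native code] but is a hook point.
  tampered.get = Reflect.get.bind(null);
  return { clean, tampered };
}

const samples = buildSampleContainers();
console.log(inspectCredentialsApi(samples.clean));    // []
console.log(inspectCredentialsApi(samples.tampered)); // four findings
```

This is a detection heuristic only: a script injected into the main world at document start can also patch `Function.prototype.toString`, so a relying party should additionally verify attestation on the server side rather than trusting the client realm.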
September 2025: Architectural Security Vulnerabilities of AI Browsers
When Perplexity released Comet in July 2025, it brought to light what the future of browsers could look like. Our research deep-dived into AI Browsers to uncover how attackers can exploit them, including:
Falling into malicious workflows while surfing the internet — e.g. falling for consent phishing attacks while completing a research task, granting excessive OAuth permissions to malicious apps for full access to the user’s Gmail and Google Drive without the user’s knowledge
Falling into malicious instructions in trusted apps — e.g. following malicious instructions in emails & trusted SaaS apps to share confidential documents and add malicious links to calendar meetings
Downloading malicious files — e.g. downloading malware while trying to complete a form, even when the original user prompt never requested any downloads
Many other researchers in the community have also voiced similar concerns on prompt injection attacks that led AI Browsers to go rogue. Since then, popular AI Browsers like Comet and Atlas have started adding guardrails that require explicit user permissions for certain agentic tasks. This marks an encouraging example of what can be achieved when security researchers and innovators collaborate to make emerging technologies more secure.
Building on our previous AI Browser research, AI Sidebar Spoofing attacks involve malicious extensions that inject a pixel-perfect replica of an AI sidebar. By impersonating the very interface that users trust to interact with these AI browsers, the spoofed sidebar then generates malicious instructions that eventually lead to phishing, malicious file downloads and even device takeover.
We discovered a poorly documented MCP API in Comet that allows its embedded extensions to execute arbitrary local commands without explicit user permission. Critically, the MCP API is made available by default to Comet’s embedded extensions, which are installed by default, hidden from the extension dashboard, and cannot be disabled by users even if they are compromised.
In our attack POC, we used extension stomping to demonstrate how the MCP API can be misused to execute ransomware. However, in reality, it is more likely that this exploit would be carried out via XSS or network MitM in the wild, as those paths require minimal end-user involvement. One day after the release, Comet made a silent update that disabled the MCP API. While we have not received official acknowledgement of our bug report, the patch is a positive move towards making the AI Browser safer.
SquareX’s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience.
Ready to experience award-winning browser security? Visit www.sqrx.com to learn more or sign up for an enterprise pilot.
The U.S. National Institute of Standards and Technology (NIST) is building a taxonomy of attacks and mitigations for securing artificial intelligence (AI) agents. Speaking at the AI Summit New York conference, Apostol Vassilev, a research team supervisor for NIST, told attendees that the arm of the U.S. Department of Commerce is working with industry partners.
In December 2025, a ransomware attack on Marquis Software Solutions, a data analytics and marketing vendor serving the financial sector, compromised sensitive customer information held by multiple banks and credit unions, according to Infosecurity Magazine. The attackers reportedly gained access through a known vulnerability in a firewall device connected to Marquis’s remote-access systems. The incident
See how Crédit Agricole Personal Finance & Mobility (CAPFM) uses DataDome to cut bot traffic by 40%, govern AI & LLM crawlers, and restore clean analytics, protecting all their domains without friction.
A recently documented cyber attack has set a new global benchmark for digital disruption. A botnet known as Aisuru launched a massive distributed denial-of-service attack, peaking at an unprecedented 29.7 terabits per second against a financial services target. While service providers were ultimately able to contain the impact, the event is a clear warning that
The Era of Fragmentation: Why Your Security Stack is Failing You The modern enterprise security environment is complex, often relying on a “best-of-breed” strategy that is anything but the best. This fragmented approach, licensing 15 or more point solutions, creates debilitating problems such as alert fatigue and a practice known as “swivel-chair analysis.” This is
I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion. I found it particularly interesting that the threat actors used Latrodectus to drop a B[...]