Microsoft Enterprise Apps Vulnerable to SOAPwn Flaw

🔐 Are Passkeys Ready for Enterprises? Short answer: Yes. Passkeys aren’t experimental anymore. They’re enterprise-ready, standards-based, and already being adopted at scale. If you’re modernizing IAM in 2026, Passkeys + FIDO should be on your roadmap, if they aren’t already. #Passkeys are: ✔️ Phishing-resistant by design: No shared secrets or passwords to steal ✔️ Proven at massive global scale: Backed by Apple, Google, and Microsoft For IT and security teams, this means: ✔️Fewer breaches caused by stolen credentials ✔️Lower support costs from password resets ✔️Faster, more reliable logins for users ✔️Strong alignment with Zero Trust strategies To learn more about passkeys, visit our article for a full FAQ: https://lnkd.in/gpQVPR-P

While many of us are easing into the new year, attackers are not. Just before year’s end, #ConsentFix emerged, a clever #OAuth-based attack that abuses legitimate authentication flows to steal authorization codes and effectively hand attackers the keys to #MicrosoftEntra.   For us, the year didn’t simply stop. Fabian Bader, Christopher Brumm and Thomas Naunheim took a closer look at why this attack works despite Conditional Access, which signals it leaves behind in the logs, and how defenders can detect and mitigate it before real damage is done.   Full analysis & detections: 👉 https://lnkd.in/dgee_hie

Fantastic write-up by glueckkanja. This research highlights the importance of remaining vigilant in the cybersecurity arena. It's not enough to have a handful of policies blocking the common threats. Stay sharp!

The Three-Character Takedown: How URL Path Bypasses Can Expose Your Most Sensitive Admin Panels + Video Introduction: A recent security disclosure by researcher Sam Curry reveals a critical, yet deceptively simple, flaw in how web applications protect administrative interfaces. By appending just three characters—a semicolon and a slash (;/)—to a blocked URL path like /admin, he bypassed Apple's IP-based restrictions, gaining full control. This incident underscores a systemic failure in path-based security logic and serves as a stark warning for developers and security teams to scrutinize their access control implementations beyond superficial URL matching....

Malicious Go Packages Impersonate Google’s UUID Library and Exfiltrate Data A pair of typosquatted Go packages posing as Google’s UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk. https://lnkd.in/gcmcaQiU

Day 4/7: Two PRs in Google's OSV.dev: 1. Added source context to parsing errors - know which file failed. 2. Optimized exporter — CRC32C hash check before upload. Contributing to security tooling used by the industry.

Microsoft won’t fix .NET RCE bug affecting slew of enterprise apps, researchers say Security researchers [Piotr Bazydło] have revealed a .NET security flaw thought to affect a host of enterprise-grade products that they say Microsoft refuses to fix. The researcher identified the SoapHttpClientProtocol class as the primary culprit, explaining that it can be exploited in different ways to achieve an attacker's goals. The researcher brought this issue to Microsoft at the time via the Zero Day Initiative (ZDI). Microsoft reportedly told Bazydło it would not be fixing the bug since developers should not be allowing untrusted inputs. Clearly delighted with the response, Bazydło wrote: "So first we blame the application. If that is not an option, because it would require fixing Microsoft's own code, we blame the user.... Credits to TheRegister by Connor Jones. [Source in the comments section]

Feels like CVE-2025-64512 is a bit underrated. It can literally be used to run arbitrary code in a package used by more than 34k projects. For example, Microsoft Markitdown 0.1.3 (84k ⭐️ on GitHub), installed before December 1st, is vulnerable to arbitrary code execution. Microsoft released a patched version (0.1.4) on December 1st, but no security alerts. Other projects could be affected as well. CVE-2025-64512-Polyglot-PoC [1]: https://lnkd.in/dD6XNQbm

Identity is easy to take for granted… until it fails. To see how failures happen and what they impact, I’ve been breaking the underlying network and system pieces that identity depends on in my lab environment. This week, the focus was DNS. I misconfigured system DNS to point at a non-responsive resolver, fully expecting the login pages for Microsoft and Google to fail immediately. To my surprise, they didn’t; the pages loaded normally. Turns out the browser was bypassing system DNS entirely using DNS-over-HTTPS (DoH). Once I disabled DoH and forced the browser to use system DNS, the pages failed to load. Main takeaway: in the network steps before authentication, clients may use more than one way to resolve names. Whether something fails depends on which one is actually in use. Full lab writeup below in the comments ⬇️

Mayan EDMS, Open Redirect, CVE-2024-XXXXX (Low) This vulnerability is an open redirect within the `/authentication/` endpoint of Mayan EDMS. The flaw exists due to improper validation of user-supplied redirect URLs. Specifically, the application does not sufficiently sanitize or whitelist the target destination parameter in certain authentication-related requests. An attacker can craft a malicious URL containing the vulnerable `/authentication/` path appended with a deceptive redirect parameter (e.g., `?next=...