Signal Brief · Archived
Week of January 13, 2025
The Week's Public Record
Events
2025-01-18
research poc
New BYOVD Technique Uses Symbolic Links to Blind EDR by Overwriting Service ExecutablesBYOVD-Symlink-EDR-Blind
A researcher disclosed a method that combines Bring Your Own Vulnerable Driver (BYOVD) with Windows symbolic links to expand the pool of exploitable drivers. The technique leverages any driver with file-writing capability to overwrite EDR user-mode service executables during boot, effectively blinding the EDR. A proof-of-concept demonstrates disabling Microsoft Defender on Windows 11.
2025-01-14
vuln disclosure
CVE-2025-21213: Windows 10 1507 Secure Boot Bypass VulnerabilityCVE-2025-21213
A vulnerability in Windows 10 version 1507 allows bypassing Secure Boot protections. This flaw could enable attackers to load untrusted code during the boot process, undermining endpoint security guarantees.
2025-01-13
vuln disclosure
WatchGuard Endpoint Protection Privilege Escalation in PSANHost Enables Arbitrary File Delete as SYSTEMCVE-2024-8424
WatchGuard disclosed CVE-2024-8424, an improper privilege management vulnerability in the PSANHost.exe module of its endpoint protection products. The flaw allows a local attacker to delete arbitrary files with SYSTEM privileges. The issue is resolved in updated versions.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.