// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 31, 2025
Signal Brief · Archived

Week of March 31, 2025

2025-03-31 — 2025-04-06 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 31, 2025, ColdRecon logged 3 public endpoint-security events from open-source reporting — 1 vuln disclosure, 1 research poc, 1 incident. Vendors in the record this week: Ivanti, all major EDR solutions, Check Point.

The Week's Public Record

Events

2025-04-04
vuln disclosure
Ivanti Endpoint Manager DLL Hijacking Privilege Escalation VulnerabilityCVE-2025-22458
CVE-2025-22458 is a DLL hijacking vulnerability in Ivanti Endpoint Manager that allows an authenticated attacker to escalate privileges to SYSTEM. The flaw arises from improper DLL search path handling, enabling malicious DLL placement in writable directories. Affected versions include Ivanti Endpoint Manager 2024 prior to SU1 and 2022 prior to SU7.
2025-04-03
research poc
EDR Bypass via AVRF Callback Hijacking and NTDLL Hooking in C#AVRF-Callback-EDR-Bypass
Researchers from W2H Corp. published a proof-of-concept technique that bypasses EDR by hijacking the AvrfpAPILookupCallbackRoutine callback in ntdll.dll during early process initialization, before the EDR DLL loads. The method uses C# and .NET 8 to inject shellcode and hook functions like LdrLoadDll, neutralizing all major EDR solutions. This pre-monitoring phase exploitation allows attackers to run code undetected.
all major EDR solutions ↗ medium.com (2025-04-03)
2025-03-31
incident
Check Point Discloses Limited Data Exposure from December 2024 Portal Account CompromiseCheck Point Portal Account Compromise (Dec 2024)
Check Point confirmed a December 2024 incident where compromised credentials for a portal account led to limited data exposure. The threat actor CoreInjection later claimed to sell stolen data, but Check Point states the exposed information was limited to account names, product names, employee emails, and three customer contacts, with no access to production systems or security architecture.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →