// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 7, 2025
Signal Brief · Archived

Week of April 7, 2025

2025-04-07 — 2025-04-13 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 7, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 4 vuln disclosures, 1 research poc. Vendors in the record this week: Sophos, Secureworks, Palo Alto Networks.

The Week's Public Record

Events

2025-04-11
research poc
Arsenal 2.0: Direct Syscall and Static Evasion Techniques to Bypass EDRArsenal 2.0
A red team researcher details an updated defense evasion toolkit combining direct syscalls to bypass user-mode EDR hooking with static analysis evasion methods like API renaming, egg-hunting, and random instructions. The techniques aim to make both dynamic and on-disk detection harder for endpoint security products.
2025-04-11
vuln disclosure
Resolved LPE vulnerability in Taegis Endpoint Agent (Linux) (CVE-2024-13861)CVE-2024-13861
Secureworks (a Sophos company) disclosed and fixed a local privilege escalation vulnerability in the Debian package component of Taegis Endpoint Agent for Linux. The flaw allowed arbitrary code execution. Red Hat-based Linux systems using RPM packages were not affected.
Sophos · Secureworks ↗ www.sophos.com (2025-04-11)
2025-04-09
vuln disclosure
CVE-2025-0120: Palo Alto GlobalProtect App Local Privilege Escalation on WindowsCVE-2025-0120
A local privilege escalation vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows. A locally authenticated non-administrative user can escalate to NT AUTHORITY\SYSTEM by exploiting a privilege management flaw combined with a race condition. The vulnerability is rated MEDIUM severity and has no known in-the-wild exploitation.
2025-04-08
vuln disclosure
CVE-2025-26678: Windows Defender Application Control Authentication Bypass VulnerabilityCVE-2025-26678
CVE-2025-26678 is an improper access control vulnerability in Windows Defender Application Control (WDAC) on Windows 10 1809 and other versions. It allows a local attacker to bypass WDAC application whitelisting policies without user interaction or elevated privileges, potentially enabling execution of unauthorized code. This undermines a key endpoint security control, posing high risk to confidentiality, integrity, and availability.
2025-04-07
vuln disclosure
ToddyCat APT Exploits ESET Command-Line Scanner Vulnerability to Bypass Windows SecurityCVE-2024-11859
The ToddyCat APT group exploited CVE-2024-11859, a DLL sideloading vulnerability in ESET's command-line scanner (ecls.exe), to execute malicious payloads under the guise of a trusted security process. The attack used a custom malware toolkit called TCESB, which leverages BYOVD and kernel tampering to disable security monitoring. ESET patched the vulnerability on January 21, 2025.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →