// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 28, 2025
Signal Brief · Archived

Week of April 28, 2025

2025-04-28 — 2025-05-04 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 28, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 2 vuln disclosures, 2 research pocs, 1 incident. Vendors in the record this week: Elastic, Symantec, Commvault.

The Week's Public Record

Events

2025-05-01
vuln disclosure
Elastic Agent and Elastic Defend Local API Key DisclosureCVE-2023-46669
A vulnerability in Elastic Agent and Elastic Defend (formerly Elastic Endpoint Security) exposes sensitive API key information to local unauthorized actors. This could lead to loss of confidentiality and allow impersonation of the endpoint to the Elastic Stack. The issue was internally discovered by Elastic engineers with no evidence of exploitation.
2025-05-01
research poc
Researcher demonstrates EDR command-line logging bypass using PowerShell stdin streamEDR stdin logging bypass via PowerShell
A researcher developed a method to bypass EDR command-line logging by feeding commands to a PowerShell process via stdin instead of arguments. The technique hides executed commands from typical EDR process logs, though PowerShell script block logging may still capture activity. The method was confirmed against one major EDR product and may affect others.
2025-04-30
vuln disclosure
CVE-2025-3599: Symantec Endpoint Protection Windows Agent ERASER Engine Elevation of PrivilegeCVE-2025-3599
A vulnerability in Symantec Endpoint Protection Windows Agent's ERASER Engine prior to version 119.1.7.8 allows an attacker to delete protected resources. This is an elevation of privilege issue that could undermine endpoint protection integrity.
2025-04-30
research poc
Researcher Demonstrates EDR Bypass Using Simple Python RAT Without ObfuscationClean-Code EDR Bypass
A penetration tester found that a heavily obfuscated PowerShell RAT was consistently detected by an EDR, but a simple, clean Python socket-based RAT with basic persistence functions executed without triggering any alerts. The research highlights that modern EDRs may flag complex obfuscation techniques as suspicious behavior, while straightforward, non-obfuscated code can evade detection by appearing benign.
2025-04-30
incident
Commvault Discloses Breach Exploiting Zero-Day CVE-2025-3928 in Web ServerCVE-2025-3928
Commvault experienced a breach by a nation-state actor who exploited a zero-day vulnerability (CVE-2025-3928) in its Web Server software to plant webshells. The incident affected a small number of customers but did not compromise backup data. Commvault is working with cybersecurity firms and authorities, and CISA has added the CVE to its Known Exploited Vulnerabilities Catalog.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →