// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 5, 2025
Signal Brief · Archived

Week of May 5, 2025

2025-05-05 — 2025-05-11 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 5, 2025, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 incidents, 1 vuln disclosure, 1 vendor announcement. Vendors in the record this week: SentinelOne, McAfee.

The Week's Public Record

Events

2025-05-11
vuln disclosure
McAfee Agent Use-After-Free Vulnerability in Remote LoggingCVE-2019-3588
A use-after-free vulnerability exists in the remote logging feature of McAfee Agent versions 5.0.x before 5.0.6 HF1267994, 5.5.x before 5.5.1 HF1267991, and 5.6.x before 5.6.0. An unauthenticated remote attacker can exploit this to potentially execute arbitrary code or cause denial of service. The vulnerability is tracked as CVE-2019-3588 and addressed in McAfee Security Bulletin SB10258.
2025-05-06
vendor announcement
SentinelOne Announces Protection Against Local Agent Upgrade Bypass TechniqueLocal Upgrade Bypass (BYOI)
Aon (Stroz Friedberg) disclosed a local bypass technique that could affect SentinelOne's Windows agent if an attacker has local admin and a signed installer. SentinelOne had already introduced a Local Upgrade Authorization feature in January 2025 to block unauthorized upgrades, and has now released a detection rule and made the feature default for new customers.
2025-05-06
incident
DragonForce Ransomware Cartel Targets UK Retailers with Custom Payloads and RaaS ModelDragonForce
SentinelOne reports that the DragonForce ransomware gang, originally a hacktivist group, has evolved into a financially motivated Ransomware-as-a-Service cartel. The group recently attacked major UK retailers including Harrods, Marks & Spencer, and the Co-Op, using custom ransomware based on Conti v3 code. DragonForce operates a multi-extortion model with a leak site called RansomBay and offers affiliates a web panel to customize payloads for Windows, Linux, ESXi, and NAS systems.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →