// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 12, 2025
Signal Brief · Archived

Week of May 12, 2025

2025-05-12 — 2025-05-18 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 12, 2025, ColdRecon logged 7 public endpoint-security events from open-source reporting — 4 research pocs, 3 vuln disclosures. Vendors in the record this week: Microsoft, Various EDR/AV vendors, Palo Alto Networks.

The Week's Public Record

Events

2025-05-18
research poc
Public Release of EDR and AV Bypass Arsenal RepositoryBypass-Protection0x00
A GitHub repository named 'Bypass-Protection0x00' was published, aggregating over 30 tools and techniques for evading endpoint security products. It includes proof-of-concept exploits, loaders, and utilities targeting EDR, AV, UEFI, and Windows protections. The collection is intended for security research but lowers the barrier for attackers to adopt advanced evasion methods.
Microsoft · Various EDR/AV vendors ↗ github.com (2025-05-18)
2025-05-16
research poc
Microsoft Signed Debugger CDB Used to Bypass AMSI, CLM, and ETWCDB-AMSI-CLM-ETW-Bypass
A researcher demonstrates using the Microsoft-signed console debugger CDB to bypass AMSI, Constrained Language Mode (CLM), and ETW by scripting memory patches before PowerShell initializes. The technique forces AmsiScanBuffer to return E_INVALIDARG and manipulates SystemPolicy to return None, effectively disabling script scanning and logging. This matters because it uses a trusted, signed Microsoft tool, making it harder for EDRs to detect or block.
2025-05-15
research poc
WDAC Bypass via Exploiting Trusted Electron Applications' V8 EngineBring Your Own Vulnerable Application (BYOVA) WDAC Bypass
Researchers demonstrated a technique to bypass Windows Defender Application Control (WDAC) by exploiting vulnerabilities in trusted, signed Electron applications. The method leverages the V8 JavaScript engine to execute arbitrary code within a whitelisted process, evading WDAC policies. This poses a risk to high-assurance environments relying on WDAC as a core security control.
2025-05-14
vuln disclosure
CVE-2025-0134: Authenticated Code Injection in Cortex XDR Broker VMCVE-2025-0134
A code injection vulnerability in Palo Alto Networks Cortex XDR Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host OS. The issue affects Broker VM versions prior to 26.0.119 and has a CVSS-BT score of 2.6 (LOW). No exploitation has been observed in the wild.
2025-05-14
vuln disclosure
Fortinet and Ivanti Disclose Zero-Day Vulnerabilities Exploited in the WildCVE-2025-32756
Fortinet disclosed CVE-2025-32756, a critical stack-based overflow in multiple products allowing unauthenticated RCE, exploited in the wild on FortiVoice. Ivanti disclosed CVE-2025-4427 and CVE-2025-4428 in Endpoint Manager, which when chained enable unauthenticated RCE, with limited exploitation observed.
2025-05-12
research poc
TrollAMSI2: PowerShell AMSI Bypass via JIT Byte Patching and UnInitTrollAMSI2
TrollAMSI2 is a proof-of-concept tool that bypasses PowerShell AMSI by byte-patching the AMSI initialization method in JIT-compiled code, then forcing an UnInit call to prevent proper re-initialization. It offers both a DLL method using HarmonyLib and a PowerShell one-liner, achieving zero detections on VirusTotal at the time of publication.
2025-05-12
vuln disclosure
CVE-2025-26684: Microsoft Defender for Endpoint for Linux Privilege Escalation VulnerabilityCVE-2025-26684
CVE-2025-26684 is a local privilege escalation vulnerability in Microsoft Defender for Endpoint for Linux. It arises from improper validation of file paths, allowing an attacker with existing high privileges to manipulate file operations and gain full control of the system. The vulnerability affects all versions prior to the patch.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →