// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 18, 2025
Signal Brief · Archived

Week of August 18, 2025

2025-08-18 — 2025-08-24 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 18, 2025, ColdRecon logged 4 public endpoint-security events from open-source reporting — 3 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, IBM.

The Week's Public Record

Events

2025-08-24
research poc
DSEclipse: UEFI Bootkit Patches Driver Signature Enforcement in Under 1 KBDSEclipse
A researcher released DSEclipse, a proof-of-concept UEFI bootkit written in x64 assembly that patches Windows Driver Signature Enforcement (DSE) at boot to allow loading unsigned drivers. The bootkit is only 976 bytes, supports HVCI, and leaves minimal traces. This demonstrates a technique to bypass a key Windows security mechanism before the OS initializes.
2025-08-22
research poc
Researcher Details Custom Dropper with Multiple EDR Evasion TechniquesCustom EDR Bypass Dropper
A red teamer published a field guide describing a custom dropper that bypasses modern EDRs using direct syscalls, payload obfuscation, and ETW patching. The article details stealth techniques to avoid detection and leaves minimal forensic evidence. It serves as a proof-of-concept to challenge assumptions about EDR invulnerability.
2025-08-20
vuln disclosure
IBM QRadar SOAR Plugin App Path Traversal VulnerabilityCVE-2025-36114
A path traversal vulnerability (CVE-2025-36114) in IBM QRadar SOAR Plugin App versions 1.0.0 through 5.6.0 allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper input validation of URL parameters, enabling directory traversal via sequences like '../'. This could expose sensitive data such as credentials and configuration files.
2025-08-18
research poc
Manipulating Windows Filtering Platform to Blind EDRsWFP Manipulation
Researchers demonstrate how manipulating Windows Filtering Platform (WFP) rules can block an EDR's cloud communication or bypass its network isolation, effectively blinding the EDR. The technique exploits the hierarchical filter evaluation logic of WFP, which many EDRs rely on for traffic control. This can reduce detection and response capabilities when the EDR is disconnected from its cloud backend.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →