// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 15, 2025
Signal Brief · Archived

Week of September 15, 2025

2025-09-15 — 2025-09-21 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 15, 2025, ColdRecon logged 7 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs, 2 incidents. Vendors in the record this week: Moxa, McAfee, BMC.

The Week's Public Record

Events

2025-09-21
research poc
Research PoC Demonstrates ETW Bypass Using Direct Syscalls and In-Memory Patching of NtTraceEventETW Patching via Direct Syscalls
A research article details a method to bypass Event Tracing for Windows (ETW) by patching the NtTraceEvent syscall in memory with a RET instruction. The technique uses direct system calls and manual PE parsing to evade EDR hooks, effectively disabling ETW-based telemetry for stealthy operations.
2025-09-20
vuln disclosure
Moxa EDR-810 Server Agent Information Disclosure VulnerabilityCVE-2017-12128
An information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A remote attacker can send a specially crafted TCP packet to trigger the vulnerability, potentially exposing sensitive information. The vulnerability has a CVSS v3 base score of 7.5 (High).
2025-09-20
vuln disclosure
McAfee Agent 5.x prior to 5.7.3 Multiple VulnerabilitiesCVE-2021-31839, CVE-2021-31840
McAfee Agent versions 5.x before 5.7.3 contain two vulnerabilities: improper privilege management allowing local authenticated attackers to edit the agent event log (CVE-2021-31839), and an unsigned DLL preloading attack enabling loading of malicious libraries (CVE-2021-31840). These flaws could allow attackers to manipulate security event data or execute arbitrary code on endpoints.
2025-09-19
research poc
SentinelOne Research on Hunting LLM-Enabled Malware via Embedded Prompts and API KeysLLM-Enabled Malware Hunting Methodology
SentinelOne researchers presented a methodology for hunting LLM-enabled malware by pattern matching against embedded API keys and prompt structures. They identified previously unknown samples, including what may be the earliest known LLM-enabled malware dubbed 'MalTerminal', and discussed detection challenges posed by runtime code generation.
2025-09-16
vuln disclosure
CVE-2025-55118: Control-M/Agent Heap-Based Buffer Overflow in SSL/TLS HandlingCVE-2025-55118
CVE-2025-55118 is a heap-based buffer overflow vulnerability in BMC Control-M/Agent that can be triggered remotely when non-default SSL/TLS configurations are used. The flaw allows memory corruption, potentially leading to denial of service or arbitrary code execution. Mitigation involves reviewing and changing the affected configuration settings.
2025-09-16
incident
CrowdStrike npm Packages Compromised in Shai-Halud Supply Chain AttackShai-Halud supply chain attack (CrowdStrike npm compromise)
Multiple npm packages published by CrowdStrike were compromised in an ongoing supply chain attack linked to the Shai-Halud campaign. The malicious packages contained a script that downloads TruffleHog to steal secrets and creates unauthorized GitHub Actions workflows for persistence. CrowdStrike confirmed the Falcon sensor and platform are not impacted.
2025-09-16
incident
EvilAI malware campaign uses AI-generated code to target critical infrastructureEvilAI
Trend Micro researchers discovered the EvilAI malware campaign exploiting AI-generated code to breach critical sectors globally. The campaign leverages AI to craft evasive malware, posing a significant threat to endpoint security. This incident highlights the emerging risk of AI-assisted attacks bypassing traditional defenses.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →