// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 29, 2025
Signal Brief · Archived

Week of September 29, 2025

2025-09-29 — 2025-10-05 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 29, 2025, ColdRecon logged 4 public endpoint-security events from open-source reporting — 2 vuln disclosures, 1 research poc, 1 incident. Vendors in the record this week: Microsoft, Zabbix, Motex.

The Week's Public Record

Events

2025-10-03
vuln disclosure
CVE-2025-27237: Zabbix Agent for Windows Local Privilege Escalation via OpenSSL Config DLL InjectionCVE-2025-27237
CVE-2025-27237 is a local privilege escalation vulnerability in Zabbix Agent and Agent 2 on Windows. The agents load OpenSSL configuration from a world-writable directory, allowing a low-privileged attacker to inject a malicious DLL via a crafted openssl.cnf file. The DLL executes with the privileges of the Zabbix Agent service, typically LocalSystem, leading to full system compromise.
2025-10-01
research poc
Research PoC: Bypassing Windows Defender with AES-Encrypted ShellcodeAES-encrypted msfvenom payload bypassing Windows Defender
A security researcher demonstrates a simple method to evade Windows Defender detection by encrypting a msfvenom-generated payload with AES-256-CBC. The technique involves generating a random key and IV, encrypting the shellcode, and then decrypting it at runtime before injection. This bypasses static signature-based detection without requiring advanced evasion like indirect syscalls or IAT obfuscation.
2025-09-30
vuln disclosure
CVE-2025-61932: Lanscope Endpoint Manager RCE VulnerabilityCVE-2025-61932
CVE-2025-61932 is a critical remote code execution vulnerability in Motex Lanscope Endpoint Manager (On-Premises) affecting the Client program (MR) and Detection agent (DA) components. The flaw stems from improper verification of request origins, allowing unauthenticated attackers to execute arbitrary code via specially crafted network packets. Active exploitation has been observed, and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
2025-09-29
incident
Attackers Use Malicious WDAC Policies to Disable EDR AgentsWDAC Bypass
Cybercriminals are deploying malicious Windows Defender Application Control (WDAC) policies to block EDR executables, drivers, and services, effectively disabling endpoint detection. The technique, previously a proof-of-concept called Krueger, is now used in active malware like DreamDemon, targeting EDR products including CrowdStrike and Microsoft Defender for Endpoint. This bypass undermines the detect-and-respond model by blinding sensors before they initialize.
Microsoft · CrowdStrike ↗ prevent-ransomware.com (2025-09-29)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →