// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of October 27, 2025
Signal Brief · Archived

Week of October 27, 2025

2025-10-27 — 2025-11-02 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of October 27, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs. Vendors in the record this week: Microsoft, Safetica, Elastic.

The Week's Public Record

Events

2025-11-01
research poc
EDR-Redir V2 Uses Bind Links to Redirect EDR Parent FoldersEDR-Redir V2
A new technique, EDR-Redir V2, leverages Windows bind links to redirect the parent folder (e.g., Program Files) of an EDR's operating directory, bypassing folder protections. This allows an attacker to perform DLL hijacking by placing malicious files in a controlled location that the EDR sees as its parent. The method was demonstrated against Windows Defender on Windows 11 and is expected to work against many EDR solutions.
2025-11-01
vuln disclosure
CVE-2026-0828: Safetica ProcessMonitorDriver.sys BYOVD Vulnerability Allows EDR Termination and Privilege EscalationCVE-2026-0828
A vulnerability in the Safetica DLP kernel driver (ProcessMonitorDriver.sys) allows an attacker with administrator privileges to load the driver and send a crafted IOCTL to terminate arbitrary processes, including PPL-protected EDR/antivirus processes, from kernel context. This enables bypassing endpoint security and escalating to SYSTEM privileges. The issue is fixed in Safetica versions 11.26.19, 11.29.8, and 10.5.150.
2025-10-31
research poc
Researchers Demonstrate Linux Rootkit Evading Elastic Security EDRSingularity Linux Rootkit
Security researchers developed a proof-of-concept Linux rootkit named Singularity that bypasses Elastic Security's EDR detection. The rootkit uses multiple evasion techniques including string obfuscation, symbol name randomization, module fragmentation, and direct syscalls to avoid static and behavioral detection. This demonstrates weaknesses in current kernel-level threat detection methodologies.
2025-10-29
vuln disclosure
CVE-2025-62792: Wazuh Manager Buffer Over-Read via Agent MessagesCVE-2025-62792
CVE-2025-62792 is an out-of-bounds read vulnerability in Wazuh Manager versions prior to 4.12.0. A compromised agent can send a crafted message causing the manager to read beyond allocated buffer boundaries, potentially exposing sensitive memory contents. The flaw resides in improper NULL termination in OS_CleanMSG() leading to over-read in w_expression_match().
2025-10-27
vuln disclosure
CVE-2025-61156: ThreatFire System Monitor Kernel Driver Allows Unprivileged Process Termination and EDR BypassCVE-2025-61156
A vulnerability in the ThreatFire System Monitor kernel driver (TfSysMon.sys) allows unprivileged users to terminate protected processes, including EDR and anti-malware, with kernel privileges. The driver lacks proper access control, enabling BYOVD attacks and local denial of service. The vulnerable driver is not in Microsoft's blocklist and its signature remains valid.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →