There is a critical surge in AI-powered phishing campaigns, with a 300% year-over-year increase and a significant rise in attack sophistication. These campaigns leverage machine learning to analyze organizational communication patterns and employee behavior, generating highly personalized and contextually relevant phishing emails in real time. Traditional signature-based detection methods are largely ineffective against these dynamic, unique attack vectors. The FBI reports over 200 US organizations compromised within 30 days, and NIST predicts that by 2025, 90% of successful breaches will stem from AI-driven phishing. Although primarily targeting US infrastructure, European organizations are at risk due to the global nature of phishing and interconnected business relationships. Defenders must adopt advanced behavioral analytics, AI-driven detection, and comprehensive employee training to mitigate these threats effectively. Countries with significant digital infrastructure and high adoption of targeted sectors are most vulnerable. This threat is critical due to its high impact on confidentiality, integrity, and availability, ease of exploitation without user authentication, and broad attack surface.

The reported threat involves a dramatic escalation in AI-powered phishing campaigns, as highlighted by CISA's Emergency Directive and corroborated by FBI Cyber Division reports. These campaigns have seen a 300% increase year-over-year, with the sophistication score rising from 3.2 to 8.7 out of 10. Attackers utilize advanced machine learning algorithms to analyze target organizations’ communication patterns, employee behaviors, and business relationships, enabling the generation of thousands of unique, personalized phishing emails in real time. This approach leverages natural language processing (NLP) to craft contextually relevant messages that convincingly mimic legitimate business communications, significantly increasing the likelihood of successful compromise. Unlike traditional phishing that relied on generic templates and basic social engineering, these AI-driven campaigns evade signature-based detection mechanisms due to their dynamic and unique nature. The FBI reports over 200 US organizations compromised within a month, underscoring the scale and effectiveness of these attacks. NIST forecasts that by 2025, 90% of successful breaches will originate from AI-powered campaigns, indicating a paradigm shift in threat landscape. The threat exploits human factors and organizational communication channels, making it challenging to detect and prevent with conventional security controls. The lack of known exploits in the wild refers to specific software vulnerabilities, but the phishing vector itself is actively exploited. This evolving attack chain demands advanced threat intelligence, behavioral analytics, and adaptive defense strategies.

Reddit NetSec

Detailed information about CISA Emergency Directive: AI-Powered Phishing Campaign Analysis - 300% Surge, $2.3B Q3 Losses. Get real-time updates, technical detai

CISA Emergency Directive: AI-Powered Phishing Campaign Analysis - 300% Surge, $2.3B Q3 Losses - Live Threat Intelligence - Threat Radar | OffSeq.com

CISA Emergency Directive: AI-Powered Phishing Campaign Analysis - 300% Surge, $2.3B Q3 Losses

Reddit Discussion: CISA Emergency Directive: AI-Powered Phishing Campaign Analysis - 300% Surge, $2.3B Q3 Losses

Trend Micro's Zero Day Initiative (ZDI) disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Manager, including 12 remote code execution (RCE) flaws and one local privilege escalation (LPE) bug. These vulnerabilities stem from improper validation of user-supplied input, leading to deserialization issues and unsafe SQL query construction. Exploitation requires authentication, with some needing admin credentials or user interaction. The most severe vulnerability has a CVSS-like score of 8. 8, indicating high risk. Ivanti has delayed patch releases, extending the timeline to March 2026, leaving organizations exposed. Attackers could execute arbitrary code with system or service account privileges, potentially compromising confidentiality, integrity, and availability. Mitigation currently focuses on restricting access and interaction with the affected product. European organizations using Ivanti Endpoint Manager should prioritize risk assessment and implement strict access controls until patches are available.

The Zero Day Initiative (ZDI) published advisories detailing 13 unpatched vulnerabilities in Ivanti Endpoint Manager, a widely used endpoint management solution. These include 12 remote code execution (RCE) vulnerabilities and one local privilege escalation (LPE) flaw. The LPE vulnerability affects the AgentPortal service and arises from improper validation of user input, leading to deserialization of untrusted data and execution of code with SYSTEM privileges. The RCE vulnerabilities are located in multiple components such as Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, as well as GetCountForQuery and OnSaveToDB methods. These RCE issues result from unsafe handling of user-supplied input used in SQL queries or file operations, enabling arbitrary code execution under the context of the service account or user. Exploitation requires authentication; some require admin credentials or user interaction, such as opening a malicious file or webpage. The most critical vulnerability has a CVSS-like score of 8.8, with others scoring 7.8 and 7.2, indicating high severity. Ivanti was notified of these flaws between November 2024 and June 2025 but has delayed patching, now targeting March 2026 for fixes. ZDI’s disclosure follows their 120-day policy, releasing limited advisories due to the vendor’s delayed response. The vulnerabilities pose significant risks, including remote arbitrary code execution and privilege escalation, which could lead to full system compromise. Currently, the primary mitigation is to restrict access and interaction with the vulnerable Endpoint Manager components until patches are released.

SecurityWeek

Detailed information about ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities. Get real-time updates, technical details, and mitigation strategies.

ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities - Live Threat Intelligence - Threat Radar | OffSeq.com

Original Source

ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

CVE-2025-52650 is a high-severity vulnerability in HCL AION version 2. 0 that allows inline script execution due to improper Content Security Policy (CSP) implementation. This weakness, classified under CWE-1032, enables attackers to bypass CSP restrictions and execute malicious scripts in the context of the affected application. Exploitation requires user interaction but no privileges or authentication, and can lead to significant integrity compromise, although confidentiality impact is limited and availability is unaffected. The vulnerability affects internet-facing applications built on HCL AION 2. 0, potentially exposing European organizations using this platform to targeted attacks. No public exploits are known yet, but the ease of exploitation and the critical nature of CSP bypasses warrant immediate attention. Mitigation involves applying vendor patches once available, enforcing strict CSP policies disallowing inline scripts, and employing runtime application self-protection (RASP) or web application firewalls (WAF) with CSP enforcement capabilities. Countries with higher adoption of HCL enterprise solutions and strategic digital infrastructures, such as Germany, France, the UK, and the Netherlands, are most likely to be impacted. Organizations should prioritize remediation to prevent potential integrity breaches and maintain secure application environments.

CVE-2025-52650 identifies a vulnerability in HCL AION version 2.0 related to improper enforcement of Content Security Policy (CSP), specifically allowing inline script execution. CSP is a critical security mechanism designed to prevent cross-site scripting (XSS) and related code injection attacks by restricting the sources from which scripts can be loaded and executed. The vulnerability falls under CWE-1032, which concerns CSP bypasses. In this case, the CSP implemented by HCL AION 2.0 is insufficiently restrictive, permitting attackers to inject and execute inline scripts despite CSP rules intended to block such behavior. This flaw enables attackers to execute arbitrary JavaScript in the context of the affected web application, potentially leading to unauthorized actions, data manipulation, or further exploitation. The CVSS v3.1 score of 8.2 reflects a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact metrics show low confidentiality impact (C:L), high integrity impact (I:H), and no availability impact (A:N). No known exploits are currently in the wild, but the vulnerability's nature and ease of exploitation make it a significant risk. The lack of available patches at the time of publication necessitates immediate interim mitigations. This vulnerability primarily threatens web applications built on HCL AION 2.0, which may be used in enterprise environments for process automation and digital transformation.

CVE Database V5

Detailed information about CVE-2025-52650: CWE-1032 in HCL HCL AION affecting HCL HCL AION. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-52650: CWE-1032 in HCL HCL AION - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-52650: CWE-1032 in HCL HCL AION

CVE-2025-41089 is a reflected Cross-Site Scripting (XSS) vulnerability in Xibo CMS version 4. 1. 2, a digital signage content management system. The flaw arises from improper input validation in the 'Configuration Name' field of certain template elements, such as the 'Clock' widget. An attacker with limited privileges can exploit this by creating or modifying templates to inject malicious scripts. The vulnerability has a medium severity with a CVSS score of 4. 8, requiring no authentication but some user interaction. While no known exploits are currently in the wild, successful exploitation could lead to session hijacking, defacement, or redirection attacks. European organizations using Xibo CMS for digital signage should prioritize patching or applying mitigations to prevent potential exploitation. Countries with higher adoption of Xibo CMS and significant digital signage deployments, such as the UK, Germany, and France, are more likely to be impacted.

CVE-2025-41089 is a reflected Cross-Site Scripting (XSS) vulnerability identified in Xibo CMS version 4.1.2, a widely used open-source digital signage content management system. The vulnerability stems from improper neutralization of user input during web page generation, specifically in the 'Configuration Name' field of template elements like the 'Clock' widget. An attacker with limited privileges can exploit this by creating or modifying a template in the 'Templates' section and injecting malicious JavaScript code into the 'Configuration Name' field. When a victim views the affected page, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or unauthorized actions within the CMS interface. The CVSS 4.0 vector indicates the attack requires no authentication (AV:N), low attack complexity (AC:L), no privileges (PR:L), and user interaction (UI:A). The vulnerability does not affect confidentiality, integrity, or availability directly but can lead to indirect impacts through session compromise or social engineering. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability is tracked under CWE-79, highlighting improper input validation as the root cause. Given Xibo CMS's role in managing digital signage content, exploitation could also lead to defacement or misinformation dissemination on public displays.

Detailed information about CVE-2025-41089: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Xibo Signage Xi

CVE-2025-41089: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Xibo Signage Xibo CMS - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-41089: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Xibo Signage Xibo CMS

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.

Detailed information about CVE-2025-52634: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in HCL HCL AION affecting HCL HCL AION. Get real-t