cyber threat intelligence
New CTI Lab: CVE-2025-9074 (Docker Container Escape): Defensive
Pvotal Technologies published a write-up for a vulnerability in Docker Engine, given a CVSS score of 9.3. CVE-2025-9074 is a flaw in Docker Desktop that exposes the Docker Engine API to any container, with no authentication. Exploiting this critical vulnerability allows a low-privileged container to issue privileged API commands, take over other containers and, in some cases, mount the host drive, access its files and folders, and eventually achieve remote code execution.

Why should our customers care?

Many organizations rely on containerization in their development teams, and a vulnerability like this could allow an attacker to gain access to any developer's workstation by mounting that developer's host drive. The risk of supply chain attacks also increases: a malicious container pulled by a developer can carry a start-up script that mounts the host drive and "escapes" the containerized environment.

Who is the defensive lab for?

- System Administrators
- Developers
- SOC Analysts
- Incident Responders
- Threat Hunters

Here is the link to the lab:

Defensive: https://immersivelabs.online/labs/cve-2025-9074-docker-container-escape-defensive

Confessions of a Blue Teamer: How Unseen Work Pays off in a Crisis
In the fast-paced world of cybersecurity, the spotlight often shines on the dramatic breach or the sophisticated attack. But you know the truth: true resilience isn't about heroics during a crisis, but the countless hours of unsung, diligent work that happens long before an incident ever escalates.

This webinar offers an inside look at the often-overlooked, critical efforts of defensive cybersecurity professionals. Join seasoned Blue Teamers Kev Breen and Kevin Marriott from the Immersive Container 7 research team, plus Natalie George from BT Group, as they pull back the curtain on the quiet dedication and meticulous processes that underpin a truly robust defense, based on real-world experiences. This session will highlight the daily work that builds an unshakeable security posture.

You'll gain valuable insights into:

- The Unseen Foundations of Incident Response: Understand how the continuous, often repetitive, work of tuning, hardening, and practicing directly translates into a calm, effective, and decisive response when a real-world crisis unfolds.
- Transforming "Boring" into Bulletproof: Discover how the disciplined execution of seemingly mundane tasks, like log analysis, alert triage, and running playbooks, is the true differentiator between a team that panics and one that performs under pressure.
- Cultivating a Culture of Proactive Defense: Learn actionable strategies for embedding the "unseen work" mentality within your SOC, fostering a team that embraces continuous improvement, hones its skills through constant practice, and thrives on the quiet satisfaction of preventing crises before they start.

This is your opportunity to hear hot takes on the blue team efforts that build the bedrock of an organization's cyber resilience. Don't let your team be defined by what goes wrong; empower them with foresight, training, and robust cyber readiness. Being truly ready isn't a stroke of luck. It's the direct result of the work no one sees.

ImmersiveOne: Scattered Spider Release
Scattered Spider has continuously been a threat to many of our customers, and one of the reasons is that their techniques and tactics can affect every member of an organization: from advanced social engineering aimed at less security-focused users, to bypassing defences long enough to deploy ransomware and steal data from some of the largest organizations in the world. Therefore, Immersive is releasing an ImmersiveOne approach to protecting our customers. Customers now have access to the following:

- Lab – Scattered Spider and Dragonforce: Campaign Analysis
- Lab – Threat Actors: Scattered Spider
- Workforce Scenario – Social Engineering Techniques
- Crisis Sim – Responding to a Scattered Spider Attack

The technical and non-technical labs, the workforce scenario, and the Crisis Sim scenario will enable everyone inside an organization to prepare for the threats posed by Scattered Spider. For an in-depth blog on Scattered Spider and what to think about in a crisis, follow the link here: https://www.immersivelabs.com/resources/blog/scattered-spider-what-these-breaches-reveal-about-crisis-leadership-under-pressure

Operational CTI: Creating a Proof of Concept
# Recorded on 30th July 2025

Creating proofs of concept (PoCs) isn't always straightforward: it requires a deep understanding of both the target system and the underlying vulnerability. In this session, we'll walk through how Immersive's Cyber Threat Intelligence (CTI) team moves from identifying a vulnerability to developing a working PoC used in offensive lab environments. Join us to explore the tools, thought process, and technical steps that turn raw intelligence into actionable outcomes for detection, validation, and defence. This is a live session and there will be opportunities to ask questions of Immersive CTI experts.

Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here.

---

📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here are a few tips to help you get the most from your experience:

🚀 This is a live, interactive session. Make sure you join promptly in order to get the full experience.
🔗 To join today's session, visit the event page or simply use the Zoom link.
❓ You'll also have the opportunity to participate in a Q&A with our expert panel, so you can leave with an action plan to turn your ideas into reality. You can pre-submit questions here.

Event Description

Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team, will reveal what it takes to make a lab, some of their favourites from 2024, and what is to come from the CTI team.

Agenda

- What are CTI labs and how do we select labs to build?
- Build Stage 1 - Research
- Build Stage 2 - "Labified"
- Build Stage 3 - Content
- Build Stage 4 - QA
- Some of our favourite labs
- Examples of speedy launches of labs
- C2 research
- What next for our Threat Research and CTI Labs

You'll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need. This is a Community Exclusive event: hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.

Operational CTI: Lessons from the Attacks That Didn't Target You
Watch the recording from this event here ⬇️

Many organizations overlook vulnerabilities and attack campaigns that don't directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we'll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques, even those that haven't targeted your organization, can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats.

Key Takeaways

- Threat Awareness Beyond Your Scope – Understanding attack campaigns that don't directly affect your organization can still provide critical insights into evolving threat landscapes.
- Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they are exploited.
- Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats.
- Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they're not immediate targets.
- Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.

CVE-2025-53770 - Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server
Understanding the RCE

On July 22, 2025, Immersive's threat research team was trying to understand how the SharePoint zero-day vulnerability was uncovered, based on Eye Security's initial article. There were many proofs of concept (PoCs) and initial articles on indicators of attack (IoAs) and their severity, but none covered the exploit itself or could help us understand in depth how it was weaponized. In this blog, I'll share our research process and how we (eventually!) got to the bottom of this exploit.

The challenges of building a CTI lab

Our initial thought process for building this Cyber Threat Intelligence (CTI) lab was fairly straightforward: understand the indicators of compromise (IoCs) and the PoCs shared in the article, try replicating the attack with a PoC, and obtain some logs. It was easier said than done.

What went wrong?

The PoCs just didn't work, and there was no way for us to understand why. This makes sense in retrospect: the initial articles only provided surface-level information, not details on how the exploit was constructed. We ended up deploying different variants of SharePoint to see which were vulnerable. Alas, nothing worked (I'll explain why in more depth later on). Looking at the logs to identify the problem didn't work either, because who looks at logs, right? Some of the initial PoCs were taken down, and the ones remaining were missing a piece of the puzzle. It was also fairly noticeable that many of the PoCs added to GitHub weren't genuine either, and some were ransomware binaries!

Dissecting the payload – mistakes and a learning curve

Based on the initial brief from the Eye Security article, we figured out that it was a deserialization problem. After many days of unravelling and building multiple SharePoint servers with different versions, the "Hallelujah" moment finally arrived: a new remote code execution (RCE) module for this exploit was committed to Metasploit's GitHub repo.
It wasn't the code that mattered much to us, but the comments in it that got us interested. The highlighted comments helped us map out which deserialization gadget chain works against which SharePoint Server versions. This was important, as the exploit abuses insecure deserialization of the ViewState on SharePoint pages such as ToolPane.aspx. This is when it hit us: our initial exploit of the RCE using the TypeConfuseDelegate gadget with BinaryFormatter wasn't working because we weren't targeting the versions that were vulnerable to that gadget chain. To put this to the test, we built the right version (v16.0.10337.12109) and also decided to analyze the payload itself from the Metasploit module further. I know it's cutting corners, but I was very keen to see how it all works together! To achieve this, we downloaded the earliest exploit module commit from GitHub, added it to our existing Metasploit framework, and intercepted the request using BurpSuite. This gave us the PoC request, which we could analyze. Obviously, there was no need to reinvent the wheel since Metasploit already had a functional module, but where's the fun in that?

Dissecting the payload – decoding

It's immediately noticeable that the payload is URL-encoded. Decoding it reveals the body of the request, which has references to controltemplates/ACLEditor and an Excel DataSet, commonly used in .NET deserialization exploits, along with a Base64-encoded, compressed data table. The next step was to extract and Base64-decode the compressed data table. The decoded and decompressed data is the raw XML schema and DiffGram that the DataSetWrapper produces; the part highlighted in the red box is the embedded first-stage gadget, Base64-encoded as an XSD string. Remember when I mentioned that our PoCs weren't working earlier? It's because we didn't embed our Base64-encoded payload in a raw XML schema and DiffGram.
If you take the Base64-encoded XSD string and decode it, you get the payload. The payload I had in Metasploit was shown in the module, and decoding the string obtained above reveals the same payload.

Weaponizing our PoC to emulate the IoCs

With all the juicy information to hand, it was time to recreate this and see how threat actors in the wild did it. Bear in mind that, according to the IoCs from the research article, the attackers weren't obtaining shells from the RCE, but stealthily leaking cryptographic secrets from SharePoint servers, which were then used to craft fully valid, signed payloads with ysoserial. Our PoC, implemented based on the Metasploit module, wraps the initial "inner" ysoserial payload inside the XML and DataSet gadget that SharePoint expects, then serializes, compresses, and Base64-encodes it. The payload we built closely resembles what was seen in the wild, which dropped malicious content to a file named spinstall0.aspx that leaks cryptographic secrets. This Base64 payload was then embedded into the XML and DataSet gadget using our PoC.

All that remained was to send the payload. Upon sending the request via Burp, and while watching Process Explorer on our SharePoint test environment, we saw the same behaviour as the published IoCs: w3wp.exe spawns cmd.exe, and a PowerShell process is then spawned from the cmd.exe child process. If it succeeded, you should be able to navigate to https://X.X.X.X/_layouts/15/spinstall0.aspx to view and read the SharePoint MachineKey configuration, including the ValidationKey. Finally, in our ELK logs, you'll notice that the exploit's PowerShell payload used Set-Content to write an ASPX backdoor into SharePoint's _layouts directory (spinstall0.aspx).

In summary

Looking back at this exploit, it's interesting from an offensive perspective to see how advanced persistent threat actors are finding creative ways to compromise organizations' infrastructure.
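The process chain and file write described above are the indicators a defender can act on. As an added example (not from the original post or Immersive's lab), this Python routine applies them to constructed process-creation events: it flags a PowerShell process descending from w3wp.exe (directly or through cmd.exe) whose command line uses Set-Content to write an .aspx file under the LAYOUTS directory. The field names follow Sysmon Event ID 1, and the SharePoint install path is an assumption.

```python
import re

# Process names in the chain described in the post: w3wp.exe -> cmd.exe -> powershell.exe.
WEB_WORKER = "w3wp.exe"
INTERMEDIATE_SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# An .aspx path under a LAYOUTS / _layouts directory, quoted or not, anywhere in a command line.
ASPX_IN_LAYOUTS = re.compile(r"([^'\"]*layouts[\\/][^'\"\s]*\.aspx)", re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
# The LAYOUTS disk path is the usual SharePoint 16.x install location and is an assumption.
LAYOUTS = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
DROP_CMD = 'powershell.exe -c "Set-Content -Path \'' + LAYOUTS + '\\spinstall0.aspx\' -Value $payload"'
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 1200, "ParentProcessId": 800, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80"'},
    {"ProcessId": 4100, "ParentProcessId": 1200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c " + DROP_CMD},
    {"ProcessId": 4120, "ParentProcessId": 4100, "Image": PS_IMAGE, "CommandLine": DROP_CMD},
    # Benign: an administrator writing a text file from an Explorer-launched shell.
    {"ProcessId": 3000, "ParentProcessId": 900, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 5000, "ParentProcessId": 3000, "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -c Set-Content -Path C:\Users\admin\notes.txt -Value hi"},
    # Noise: w3wp.exe spawning PowerShell without an .aspx drop is not matched by this rule.
    {"ProcessId": 5200, "ParentProcessId": 1200, "Image": PS_IMAGE, "CommandLine": "powershell.exe -c Get-Date"},
]


def _name(image):
    """Lower-cased executable name from a full image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_toolshell_chains(events):
    """One finding per PowerShell process under w3wp.exe (directly or via cmd.exe) dropping an .aspx into LAYOUTS."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if _name(e["Image"]) not in POWERSHELL:
            continue
        cmdline = e["CommandLine"]
        dropped = ASPX_IN_LAYOUTS.search(cmdline)
        if "set-content" not in cmdline.lower() or not dropped:
            continue
        # Walk up at most two ancestors, stopping at w3wp.exe or at anything that is not cmd.exe.
        chain = [_name(e["Image"])]
        parent = by_pid.get(e["ParentProcessId"])
        while parent and len(chain) < 3:
            chain.insert(0, _name(parent["Image"]))
            if chain[0] == WEB_WORKER or chain[0] not in INTERMEDIATE_SHELLS:
                break
            parent = by_pid.get(parent["ParentProcessId"])
        if chain[0] == WEB_WORKER:
            findings.append({"pid": e["ProcessId"], "chain": " > ".join(chain),
                             "dropped_file": dropped.group(1)})
    return findings
```

Running `find_toolshell_chains(SAMPLE_EVENTS)` returns a single finding for PID 4120 with the chain `w3wp.exe > cmd.exe > powershell.exe`; the benign administrator write and the w3wp-spawned `Get-Date` are not reported.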
In the meantime, I can only send prayers to the SOC analysts and sysadmins fixing SharePoint, because, let's be honest, SharePoint is a cave nobody comes out of alive! For more information and finer details on how the exploit works, I'll leave this fantastic article here: Viettel Cyber Security: SharePoint ToolShell – One Request PreAuth RCE Chain

New CTI Labs: CVE-2025-53770 (ToolShell SharePoint RCE): Offensive and Defensive
Recently, a critical zero-day vulnerability affecting on-premise SharePoint servers, identified as CVE-2025-53770, was uncovered. This vulnerability allows for authentication bypass leading to remote code execution, and has been actively exploited in the wild. Eye Security researchers detected an in-the-wild exploit chain on July 18, 2025, during an incident response engagement. This discovery led to Microsoft assigning two CVEs: CVE-2025-53770 and CVE-2025-53771. The attack notably leveraged a combination of vulnerabilities to achieve its objectives, impacting numerous SharePoint servers globally. There is now a public exploit available for anyone wanting to achieve remote code execution.

Why should our customers care?

This critical vulnerability has been added to the CISA KEV catalog. With no authentication or user interaction required, a vulnerable SharePoint server can be fully taken over remotely, letting attackers run arbitrary code as if they were privileged admins. SharePoint is a large and complex system that often holds a lot of sensitive data for organizations, and is frequently targeted by attackers.

Who is the defensive lab for?

- System Administrators
- SOC Analysts
- Incident Responders
- Threat Hunters

Who is the offensive lab for?

- Red Teamers
- Penetration Testers
- Threat Hunters

Here are the links to the labs:

Offensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-offensive
Defensive: https://immersivelabs.online/v2/labs/cve-2025-53770-toolshell-sharepoint-rce-defensive

Labs Live
This event has now ended. You can watch the recording here.

Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience. Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen, Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence lab. Join him on April 25th to solve it together!

New CTI Lab: CVE-2025-32463 (Sudo Chroot Elevation of Privilege): Offensive
On June 30, 2025, the Stratascale Cyber Research Unit (CRU) team identified a critical local privilege escalation vulnerability in sudo, tracked as CVE-2025-32463. This vulnerability, related to sudo's chroot option, can allow an attacker to escalate privileges to root on an affected system.

Why should our customers care?

This critical vulnerability is reasonably trivial to exploit: should an attacker gain user-level access to a vulnerable machine, they'll be able to elevate their privileges and take full control of it. It has come to our attention that not many people are aware that sudo has versions like any other software. It is a binary that is constantly iterated upon, which naturally may introduce new vulnerabilities. If administrators and security analysts are not aware of how these vulnerabilities work, this can lead to significant risks and impacts.

Who is it for?

- Red Teamers
- Penetration Testers
- System Administrators

Here is a link to the lab: https://iml.immersivelabs.online/labs/cve-2025-32463-sudo-chroot-elevation-of-privilege-offensive