Attacks & Vulnerabilities

Trend Micro fixed a remote code execution in Apex Central (2 minute read)
Trend Micro patched three vulnerabilities in the on-premise version of Apex Central, including a critical RCE flaw (CVE-2025-69258, CVSS 9.8) in how the product calls LoadLibraryEx, which lets an unauthenticated attacker load a malicious DLL and execute code as SYSTEM. Tenable, which discovered the bugs in August, disclosed them together with proof-of-concept exploit code. Organizations running Apex Central builds below 7190 should apply the patch immediately and restrict remote access to the management console.

CISA Orders Feds to Patch Gogs RCE Flaw Exploited in 0-Day Attacks (2 minute read)
CISA has ordered federal agencies to patch a high-severity vulnerability, exploited in zero-day attacks, in Gogs, a self-hosted alternative to GitHub. The remote code execution (RCE) bug is a path traversal weakness in the PutContents API that bypasses the protections added for a previous RCE: an attacker creates a symbolic link in a repository that points at a system file, then uses PutContents to write data through that link.

'Bad Actor' Hijacks Apex Legends Characters in Live Matches (2 minute read)
Apex Legends players saw live matches disrupted over the weekend as attackers hijacked their characters, removed them from matches, and changed their nicknames. Players suspected the attacker had gained access to an administrative panel for the game. Publisher Respawn said it has remediated the incident and that the attackers could neither access sensitive files nor execute code on players' devices.

Pwning Claude Code in 8 Different Ways (9 minute read)
Claude Code was found to execute arbitrary system commands without explicit user approval through eight distinct techniques that bypassed its command-safety mechanisms.
These issues stemmed from fragile regex-based blocklists applied to supposedly "safe" commands such as man, sort, sed, git, xargs, and rg, combined with subtle Bash variable-expansion tricks that hid the real payload from the pattern matcher. An attacker could turn nominally read-only operations into command execution by abusing lesser-known flags and variable expansions that are only resolved when the shell runs the command. The problems were fixed by moving from a blocklist-first design to a stricter allowlist model in Claude Code v1.0.93.

The Map is not the Territory: The Agent-Tool Trust Boundary (15 minute read)
Modern AI agents often pass model output to tools as trusted input, opening a gap between the text string the agent sees (the map) and what the underlying system does with it (the territory). Attackers exploit this by encoding malicious behavior in paths, URLs, or shell commands that pass superficial checks but resolve to sensitive files, internal services, or injected commands at execution time. Robust defenses need layered, deterministic guards: semantic validation that interprets arguments the way the system will, and execution-time checks that verify actual filesystem and network behavior rather than relying on regexes or human confirmation alone.

AWS Privilege Escalation: IAM Risks, Service-Based Attacks, and New AI-Driven Bedrock/AgentCore Vectors (22 minute read)
AWS privilege escalation has evolved from classic IAM misconfigurations to service-based execution paths and now to AI-driven orchestration via Bedrock Agents and AgentCore Code Interpreters. New vectors include creating code interpreters that execute Python under a privileged agent role and hijacking the Lambda functions backing Bedrock agent tools; both enable multi-stage privilege chains to sensitive resources.
Testing across 16 scenarios showed all of them exploitable in unrestricted environments but preventable with properly configured SCP guardrails, underlining that native AWS controls often cannot granularly constrain high-risk actions that lack resource ARNs or condition keys.

vulnerable-mcp-servers-lab (GitHub Repo)
A collection of intentionally vulnerable Model Context Protocol (MCP) server implementations for security training, covering common failure modes such as path traversal, indirect prompt injection, eval-based RCE, namespace typosquatting, and secrets exposure. Each server documents its exploitation technique, supporting hands-on training for pentesters learning AI agent security and MCP integration risks. Intended for isolated lab environments only.

reNgine (GitHub Repo)
reNgine is an automated reconnaissance framework for web applications, built around highly configurable, streamlined recon processes ("Engines") plus correlation and organization of recon data. It supports continuous monitoring and is backed by a database.

unKover (GitHub Repo)
unKover is a Windows anti-rootkit driver that can detect drivers mapped into kernel memory.

Russia's Fancy Bear APT Doubles Down on Global Secrets Theft (4 minute read)
Russia's Fancy Bear APT has been running a low-complexity spear-phishing campaign against governments and organizations of strategic value to Russia. The emails link to a document the target expects to be relevant; the link instead redirects to a phishing page imitating an email or VPN provider's login. While Fancy Bear is better known for more sophisticated malware campaigns, this one appears to be a low-cost effort to gain access to notable organizations.
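The Gogs symlink write, the Claude Code blocklist bypasses, and the agent-tool trust boundary piece above all fail in the same way: a check that inspects a string instead of what the system will do with it. The following is an added example, not code from Gogs, Anthropic, or any of the articles' authors, that puts a string-level check next to a system-level check for both cases. The flags it names (GNU sort --compress-program, ripgrep --pre, man -P) are real, but the flag lists, the ${Z} expansion trick (an unset variable expands to nothing, so the shell rebuilds the flag the regex never saw), and the temp-directory fixture are constructed for illustration and are not claimed to be any of the eight reported Claude Code techniques; O_NOFOLLOW assumes a POSIX system.

```python
import os
import re
import shlex
import tempfile

# ---- Part 1: gating a shell command an agent wants to run ----------------

SAFE_BINARIES = {"cat", "head", "ls", "man", "rg", "sort"}
# Blocklist of flags that turn a "read-only" tool into an exec primitive
# (GNU sort --compress-program, ripgrep --pre, man -P / --pager are real flags).
DANGEROUS_FLAGS = {
    "sort": re.compile(r"--compress-program"),
    "rg": re.compile(r"--pre\b"),
    "man": re.compile(r"(^|\s)-P\b|--pager"),
}
SHELL_META = re.compile(r"[;&|`]|\$\(")  # plain ${VAR} is deliberately not caught


def blocklist_allows(cmd: str) -> bool:
    """Blocklist-first gate: safe binary, no obvious chaining, no known-bad flag."""
    argv = cmd.split()
    if not argv or argv[0] not in SAFE_BINARIES or SHELL_META.search(cmd):
        return False
    bad = DANGEROUS_FLAGS.get(argv[0])
    return bad is None or not bad.search(cmd)


# Allowlist: the only flags each command may receive (illustrative choices).
ALLOWED_FLAGS = {
    "cat": set(), "head": {"-n"}, "ls": {"-l", "-a"}, "man": set(),
    "rg": {"-n", "-i", "-l", "--count"}, "sort": {"-n", "-r", "-u"},
}


def allowlist_allows(cmd: str) -> bool:
    """Allowlist-first gate: tokenize like the shell, reject unknown flags and
    anything that would still expand when the shell runs it ($VAR, backticks)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or argv[0] not in ALLOWED_FLAGS:
        return False
    for tok in argv[1:]:
        if "$" in tok or "`" in tok:
            return False
        if tok.startswith("-") and tok.split("=", 1)[0] not in ALLOWED_FLAGS[argv[0]]:
            return False
    return True


# ---- Part 2: writing a file that must stay inside a repository ----------

def naive_write(root: str, relpath: str, data: str) -> None:
    """Lexical containment check only; open() then follows a symlink out of root."""
    target = os.path.normpath(os.path.join(root, relpath))
    if not target.startswith(root + os.sep):
        raise PermissionError(relpath)
    with open(target, "w") as fh:
        fh.write(data)


def hardened_write(root: str, relpath: str, data: str) -> None:
    """Check containment on the resolved path, then refuse to open through a
    symlink at the final component (O_NOFOLLOW)."""
    real_root = os.path.realpath(root)
    target = os.path.join(real_root, relpath)
    if os.path.commonpath([real_root, os.path.realpath(target)]) != real_root:
        raise PermissionError(relpath)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def demo_symlink_write() -> dict:
    """Constructed fixture: a repo holding a symlink to a file outside it (standing
    in for a system file); run both write paths against that link."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    os.mkdir(repo)
    victim = os.path.join(base, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original")
    os.symlink(victim, os.path.join(repo, "notes.md"))  # the attacker's link
    naive_write(repo, "notes.md", "pwned")
    with open(victim) as fh:
        naive_overwrote = fh.read() == "pwned"
    with open(victim, "w") as fh:
        fh.write("original")
    try:
        hardened_write(repo, "notes.md", "pwned")
        refused = False
    except OSError:  # PermissionError from the realpath check, or ELOOP from O_NOFOLLOW
        refused = True
    with open(victim) as fh:
        return {"naive_overwrote": naive_overwrote, "hardened_refused": refused,
                "victim_after_hardened": fh.read()}
```

Running `blocklist_allows("sort --compress-pro${Z}gram=id data.txt")` returns True because the dangerous flag is assembled only when the shell expands `${Z}`, while `allowlist_allows` rejects it on sight; `demo_symlink_write()` shows the lexical containment check letting the write land outside the repository and the resolved-path check refusing it. The remaining gap in `hardened_write` is the race between `realpath` and `open`, which a directory file descriptor plus `openat` would close.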
Things You Wish You Didn't Need to Know About Service-Linked Roles (12 minute read)
AWS Service-Linked Roles (SLRs) are a special class of IAM roles, managed by AWS, that bootstrap services or resources within services that depend on other services. Because SLRs are largely undocumented, the author used the undocumented iamv2 API to enumerate the trust policies and permissions policies of the SLRs for as many services as they could find. They found several "code smells" in those policies, including missing confused-deputy protection, resource policies that use wildcards, and tag-based or name-based policies.
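The four smells listed above can be checked mechanically once a role's policies are in hand. The following linter is an added example, not the post author's tooling and not the iamv2 API; the rules are heuristics chosen here, and the sample policies, the `example.amazonaws.com` service principal, and the `111122223333` account ID are constructed placeholders.

```python
SOURCE_KEYS = {"aws:SourceAccount", "aws:SourceArn", "aws:SourceOrgID", "aws:SourceOrgPaths"}
TAG_PREFIXES = ("aws:ResourceTag/", "aws:RequestTag/", "aws:TagKeys")


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt: dict) -> set:
    return {key for block in stmt.get("Condition", {}).values() for key in block}


def lint_trust_policy(policy: dict) -> list:
    """Flag service principals that may assume the role with no SourceAccount/SourceArn pin."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and services and not (_condition_keys(stmt) & SOURCE_KEYS):
            findings.append(f"stmt[{i}]: {services} can assume the role with no aws:SourceAccount/"
                            "aws:SourceArn condition (confused-deputy risk)")
    return findings


def lint_permissions_policy(policy: dict) -> list:
    """Flag wildcard resources, name-based resource patterns, and tag-gated grants."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"stmt[{i}]: Resource '*' for {_as_list(stmt.get('Action'))}")
            elif "*" in res:
                findings.append(f"stmt[{i}]: name-based resource pattern {res!r}; anyone who can "
                                "create a matching name inherits the grant")
        tag_keys = {k for k in _condition_keys(stmt) if k.startswith(TAG_PREFIXES)}
        if tag_keys:
            findings.append(f"stmt[{i}]: grant gated only by tags {sorted(tag_keys)}; "
                            "whoever can set those tags controls the scope")
    return findings


# Constructed samples (service principal and account ID are placeholders).
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "example.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "example.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}

SMELLY_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::aws-example-*/*"},
    {"Effect": "Allow", "Action": ["ec2:TerminateInstances"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/managed-by": "example-service"}}},
]}

if __name__ == "__main__":
    for name, pol in [("weak trust", WEAK_TRUST), ("hardened trust", HARDENED_TRUST)]:
        print(name, lint_trust_policy(pol))
    print(*lint_permissions_policy(SMELLY_PERMISSIONS), sep="\n")
```

Point the two functions at the JSON returned by `iam get-role` and `iam get-role-policy` for each SLR in an account to reproduce the post's survey on your own estate; a finding is a prompt to ask which principal can influence the name, tag, or calling service the grant depends on, not proof of exploitability.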