Bitwarden Password Manager Flaw Let Attackers Steal Credentials

The Flashpoint Vulnerability Research team observed that Bitwarden, a well-known password manager browser extension, treated embedded iframes on web pages in an unusual way.

Insecure behavior in Bitwarden’s credentials autofill feature makes it possible for malicious iframes embedded on reliable websites to take advantage of users’ credentials and pass them to an attacker.

The HTML element defines a nested browsing environment, embedding another HTML page into the current one, according to the Mozilla HTML documentation.</p> <p>Bitwarden first became aware of the issue in 2018 but decided to support it in order to support legitimate websites that employ iframes.</p> <div class="td-a-rec td-a-rec-id-content_inline tdi_3 td_block_template_11"> <p><img decoding="async" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBKiswXdKF8gY-LMgugufSvWPW4H2fPJXr9wrS9H0CB_LnAGA_d0fmhuzTIIFjoWfgTxo3mwCB89m0yo4z7qIiZI8Xj6BGboY1gsz7o8udwtJCYn8Dd_ognkc1JdF4AJ9wiA2mn_aiDRDoZpBO8XZ9jXGF-_2JVa_-j4rnn6m-6StX_UKemLyfi1AFQw/s16000/reimagine%20ZTNA%20new%20banner.png " alt="EHA" title="Bitwarden Password Manager Flaw Let Attackers Steal Credentials 2"></div> <h2 id="h-auto-fill-behavior-in-bitwarden"><strong>Auto-Fill Behavior in Bitwarden</strong></h2> <p>The Bitwarden extension can offer to fill in the appropriate login fields when it recognizes that a user is on a website for which they have saved credentials. </p> <p>If the “Auto-fill on page load” option is selected, it will complete itself without requiring user input.</p> <div class="wp-block-image"> <figure class="aligncenter"><img decoding="async" src="https://lh5.googleusercontent.com/V_oavWXVfUdbdwybmQvNZDUjdCo9pFq96Yj3K20GZUhEljrJisEeH6nmQhfBbv6HGfOR-mGkZBDt5tUx83I6gh4K9QwJCArwQ4WyS-UPmTT8UE5qNCgWhp5tUAYWzmH1X4k71n2avKcGmwoubU0ZpQ" alt="Bitwarden Password Manager Flaw Let Attackers Steal Credentials" title="Bitwarden Password Manager Flaw Let Attackers Steal Credentials 3"><figcaption class="wp-element-caption">Completing the login forms on both the legitimate website and the external iframe</figcaption></figure> </div> <p>Curiously, even though they are from distinct domains, the extensions also automatically auto-fill forms that are defined in an embedded iframe.</p> <p>“While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction”, says Flashpoint.</p> <p>Flashpoint looked at how frequently iframes are included on login pages of high-traffic websites and found that the risk was significantly reduced by the small number of risky scenarios.</p> <p>Indeed, Flashpoint also found a second problem while looking into the iframes issue: Bitwarden would also automatically fill login information on subdomains of the base domain matching a login.</p> <p>If autofill is enabled, an attacker who hosts a phishing page under a subdomain that corresponds to a login stored for a specific base domain will be able to obtain the credentials from the victim as soon as they arrive at the page.</p> <p>“If you have encountered your fair share of web solutions and content providers, it becomes clear that this poses a problem. Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page”, Flashpoint explains.</p> <p>“As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions.”</p> <h2><strong>Potential Attack Methods</strong></h2> <ul> <li>An unhacked website with the “Auto-fill on page load” option turned on embeds an external iframe that is in the hands of an attacker.</li> <li>Using a subdomain of, say, a hosting company, which has its login form under the same base domain, an attacker installs a specially crafted web page.</li> </ul> <p>Hence, an attacker is possible to steal the credentials kept for each domain if a user using a Bitwarden browser extension visits a specially crafted page housed in these web services.</p> <p>As previously noted, no additional user input is needed if the option to “Auto-fill on page load” is activated. Also, when a user logs in via the context menu, forms that are embedded in iframes also get filled.</p> <p>Bitwarden expressly mentions the possibility of compromised sites utilizing the autofill feature to steal credentials in its documentation and emphasizes that the feature is a potential danger.</p> <p class="has-background" style="background-color:#f4f4f4">However because users must log in to services using embedded iframes from external sites, Bitwarden’s engineers chose to maintain the behavior and put a warning on the software’s documentation and the extension’s pertinent settings menu.</p> <p>In response, Bitwarden stated that they would not change the functionality of iframes but would promise to block autofill on the reported hosting environment in a future release.</p> <p class="has-text-align-center has-background" style="background-color:#f4f4f4"><strong>Network Security Checklist – Download Free E-Book</strong></p> <p> </div> <br /><a href="https://cybersecuritynews.com/bitwarden-password-manager-flaw/" target="_blank" rel="noopener">Source link </a></p> </div> <div id="post-extra-info"> <div class="theiaStickySidebar"> <div id="share-buttons-top" class="share-buttons share-buttons-top"> <div class="share-links share-centered"> <div class="share-title"> <span class="tie-icon-share" aria-hidden="true"></span> <span> Share</span> </div> <a href="https://www.facebook.com/sharer.php?u=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="Facebook" target="_blank" class="facebook-share-btn large-share-button" data-raw="https://www.facebook.com/sharer.php?u={post_link}"> <span class="share-btn-icon tie-icon-facebook"></span> <span class="social-text">Facebook</span> </a> <a href="https://twitter.com/intent/tweet?text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials&url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="X" target="_blank" class="twitter-share-btn large-share-button" data-raw="https://twitter.com/intent/tweet?text={post_title}&url={post_link}"> <span class="share-btn-icon tie-icon-twitter"></span> <span class="social-text">X</span> </a> <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&title=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="LinkedIn" target="_blank" class="linkedin-share-btn " data-raw="https://www.linkedin.com/shareArticle?mini=true&url={post_full_link}&title={post_title}"> <span class="share-btn-icon tie-icon-linkedin"></span> <span class="screen-reader-text">LinkedIn</span> </a> <a href="https://www.tumblr.com/share/link?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&name=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="Tumblr" target="_blank" class="tumblr-share-btn " data-raw="https://www.tumblr.com/share/link?url={post_link}&name={post_title}"> <span class="share-btn-icon tie-icon-tumblr"></span> <span class="screen-reader-text">Tumblr</span> </a> <a href="https://pinterest.com/pin/create/button/?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&description=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials&media=https://cybernoz.com/wp-content/uploads/2023/03/Bitwarden-Password-Manager-Flaw-Let-Attackers-Steal-Credentials.png" rel="external noopener nofollow" title="Pinterest" target="_blank" class="pinterest-share-btn " data-raw="https://pinterest.com/pin/create/button/?url={post_link}&description={post_title}&media={post_img}"> <span class="share-btn-icon tie-icon-pinterest"></span> <span class="screen-reader-text">Pinterest</span> </a> <a href="https://reddit.com/submit?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&title=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="Reddit" target="_blank" class="reddit-share-btn " data-raw="https://reddit.com/submit?url={post_link}&title={post_title}"> <span class="share-btn-icon tie-icon-reddit"></span> <span class="screen-reader-text">Reddit</span> </a> <a href="https://api.whatsapp.com/send?text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials%20https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="WhatsApp" target="_blank" class="whatsapp-share-btn " data-raw="https://api.whatsapp.com/send?text={post_title}%20{post_link}"> <span class="share-btn-icon tie-icon-whatsapp"></span> <span class="screen-reader-text">WhatsApp</span> </a> <a href="https://telegram.me/share/url?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="Telegram" target="_blank" class="telegram-share-btn " data-raw="https://telegram.me/share/url?url={post_link}&text={post_title}"> <span class="share-btn-icon tie-icon-paper-plane"></span> <span class="screen-reader-text">Telegram</span> </a> <a href="mailto:?subject=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials&body=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="Share via Email" target="_blank" class="email-share-btn " data-raw="mailto:?subject={post_title}&body={post_link}"> <span class="share-btn-icon tie-icon-envelope"></span> <span class="screen-reader-text">Share via Email</span> </a> <a href="#" rel="external noopener nofollow" title="Print" target="_blank" class="print-share-btn " data-raw="#"> <span class="share-btn-icon tie-icon-print"></span> <span class="screen-reader-text">Print</span> </a> </div> </div> </div> </div> <div class="clearfix"></div> <script id="tie-schema-json" type="application/ld+json">{"@context":"http:\/\/schema.org","@type":"Article","dateCreated":"2023-03-09T15:46:17+03:00","datePublished":"2023-03-09T15:46:17+03:00","dateModified":"2023-03-09T15:46:22+03:00","headline":"Bitwarden Password Manager Flaw Let Attackers Steal Credentials","name":"Bitwarden Password Manager Flaw Let Attackers Steal Credentials","keywords":[],"url":"https:\/\/cybernoz.com\/bitwarden-password-manager-flaw-let-attackers-steal-credentials\/","description":"The Flashpoint Vulnerability Research team observed that Bitwarden, a well-known password manager browser extension, treated embedded iframes on web pages in an unusual way.\u00a0 Insecure behavior in Bitw","copyrightYear":"2023","articleSection":"CyberSecurityNews","articleBody":" \r\n\n \n \nThe Flashpoint Vulnerability Research team observed that Bitwarden, a well-known password manager browser extension, treated embedded iframes on web pages in an unusual way.\u00a0\n\n\n\n\nInsecure behavior in Bitwarden\u2019s credentials autofill feature makes it possible for malicious iframes embedded on reliable websites to take advantage of users\u2019 credentials and pass them to an attacker.\n\n\n\nThe HTML element defines a nested browsing environment, embedding another HTML page into the current one, according to the Mozilla HTML documentation.\n\n\n\nBitwarden first became aware of the issue in 2018 but decided to support it in order to support legitimate websites that employ iframes.\n\r\n\n\n\n\nAuto-Fill Behavior in Bitwarden\n\n\n\nThe Bitwarden extension can offer to fill in the appropriate login fields when it recognizes that a user is on a website for which they have saved credentials.\u00a0\n\n\n\nIf the \u201cAuto-fill on page load\u201d option is selected, it will complete itself without requiring user input.\n\n\n\nCompleting the login forms on both the legitimate website and the external iframe\n\n\nCuriously, even though they are from distinct domains, the extensions also automatically auto-fill\u00a0forms that are defined in an embedded iframe.\n\n\n\n\u201cWhile the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction\u201d, says Flashpoint.\n\n\n\nFlashpoint looked at how frequently iframes are included on login pages of high-traffic\u00a0websites and found that the risk was significantly reduced by the small number of risky scenarios.\n\n\n\nIndeed, Flashpoint also found a second problem while looking into the iframes issue: Bitwarden would also automatically fill login information on subdomains of the base domain matching a login.\n\n\n\nIf autofill is enabled, an attacker who hosts a phishing page under a subdomain that corresponds to a login stored for a specific base domain will be able to obtain the credentials from the victim as soon as they arrive at the page.\n\n\n\n\u201cIf you have encountered your fair share of web solutions and content providers, it becomes clear that this poses a problem. Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page\u201d, Flashpoint explains.\n\n\n\n\u201cAs an example, should a company have a login page at https:\/\/logins.company.tld and allow users to serve content under https:\/\/.company.tld, these users are able to steal credentials from the Bitwarden extensions.\u201d\n\n\n\nPotential Attack Methods\n\n\n\n\nAn unhacked website with the \u201cAuto-fill on page load\u201d option turned on embeds an\u00a0external iframe that is in the hands of an attacker.\n\n\n\nUsing a subdomain of, say, a hosting company, which has its login form under the same base domain, an attacker installs a specially crafted web page.\n\n\n\n\nHence, an attacker is possible to steal the credentials kept for each domain if a user using a Bitwarden browser extension visits a specially crafted page housed in these web services.\n\n\n\nAs previously noted, no additional user input is needed if the option to \u201cAuto-fill on page load\u201d is activated. Also, when a user logs in via the context menu, forms that are embedded in iframes also get filled.\n\n\n\nBitwarden expressly mentions the possibility of compromised sites utilizing the autofill feature to steal credentials in its documentation and emphasizes that the feature is a potential danger.\n\n\n\nHowever because users must log in to services using embedded iframes from external sites, Bitwarden\u2019s engineers chose to maintain the behavior and put a warning on the software\u2019s documentation and the extension\u2019s pertinent settings menu.\n\n\n\nIn response, Bitwarden stated that they would not change the functionality of iframes but would promise to block autofill on the reported hosting environment in a future release.\n\n\n\nNetwork Security Checklist \u2013\u00a0Download Free E-Book\n\n \r\n\r\nSource link ","publisher":{"@id":"#Publisher","@type":"Organization","name":"Cybernoz - Cybersecurity News","logo":{"@type":"ImageObject","url":"https:\/\/cybernoz.com\/wp-content\/themes\/jannah\/assets\/images\/logo@2x.png"},"sameAs":["https:\/\/t.me\/cybernozcom"]},"sourceOrganization":{"@id":"#Publisher"},"copyrightHolder":{"@id":"#Publisher"},"mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/cybernoz.com\/bitwarden-password-manager-flaw-let-attackers-steal-credentials\/","breadcrumb":{"@id":"#Breadcrumb"}},"author":{"@type":"Person","name":"Cybernoz","url":"https:\/\/cybernoz.com\/author\/cybernoz\/"},"image":{"@type":"ImageObject","url":"https:\/\/cybernoz.com\/wp-content\/uploads\/2023\/03\/Bitwarden-Password-Manager-Flaw-Let-Attackers-Steal-Credentials.png","width":1200,"height":270}}</script> </article> <div class="post-components"> <div id="read-next-block" class="container-wrapper read-next-slider-4"> <h2 class="read-next-block-title">Read Next</h2> <section id="tie-read-next" class="slider-area mag-box"> <div class="slider-area-inner"> <div id="tie-main-slider-4-read-next" class="tie-main-slider main-slider wide-slider-with-navfor-wrapper wide-slider-wrapper centered-title-slider tie-slick-slider-wrapper" data-slider-id="4" data-autoplay="true" data-speed="3000"> <div class="main-slider-inner"> <div class="container slider-main-container"> <div class="tie-slick-slider"> <ul class="tie-slider-nav"></ul> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/New-Phishing-Attack-Impersonates-as-DWP-Attacking-Users-to-Steal.jpeg)" class="slide slide-id-176890 tie-slide-1 tie-standard"> <a href="https://cybernoz.com/new-phishing-attack-impersonates-as-dwp-attacking-users-to-steal-credit-card-data/" class="all-over-thumb-link" aria-label="New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/new-phishing-attack-impersonates-as-dwp-attacking-users-to-steal-credit-card-data/">New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Writable-File-in-Lenovos-Windows-Directory-Enables-a-Stealthy-AppLocker.webp.jpeg)" class="slide slide-id-176887 tie-slide-2 tie-standard"> <a href="https://cybernoz.com/writable-file-in-lenovos-windows-directory-enables-a-stealthy-applocker-bypass/" class="all-over-thumb-link" aria-label="Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/writable-file-in-lenovos-windows-directory-enables-a-stealthy-applocker-bypass/">Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Instagram-Started-Using-1-Week-Validity-TLS-certificates-and-Changes-Them.webp.jpeg)" class="slide slide-id-176884 tie-slide-3 tie-standard"> <a href="https://cybernoz.com/instagram-started-using-1-week-validity-tls-certificates-and-changes-them-daily/" class="all-over-thumb-link" aria-label="Instagram Started Using 1-Week Validity TLS certificates and Changes Them Daily"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/instagram-started-using-1-week-validity-tls-certificates-and-changes-them-daily/">Instagram Started Using 1-Week Validity TLS certificates and Changes Them Daily</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/CitrixBleed-2-Vulnerability-PoC-Released.webp.jpeg)" class="slide slide-id-176881 tie-slide-4 tie-standard"> <a href="https://cybernoz.com/citrixbleed-2-vulnerability-poc-released/" class="all-over-thumb-link" aria-label="“CitrixBleed 2” Vulnerability PoC Released"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/citrixbleed-2-vulnerability-poc-released/">“CitrixBleed 2” Vulnerability PoC Released</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Russia-Jailed-Hacker-Who-Worked-for-Ukrainian-Intelligence-to-Launch.jpeg)" class="slide slide-id-176878 tie-slide-5 tie-standard"> <a href="https://cybernoz.com/russia-jailed-hacker-who-worked-for-ukrainian-intelligence-to-launch-cyberattacks-on-critical-infrastructure/" class="all-over-thumb-link" aria-label="Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/russia-jailed-hacker-who-worked-for-ukrainian-intelligence-to-launch-cyberattacks-on-critical-infrastructure/">Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Threat-Actors-Turning-Job-Offers-Into-Traps-Over-264-Million.jpeg)" class="slide slide-id-176875 tie-slide-6 tie-standard"> <a href="https://cybernoz.com/threat-actors-turning-job-offers-into-traps-over-264-million-lost-in-2024-alone/" class="all-over-thumb-link" aria-label="Threat Actors Turning Job Offers Into Traps, Over $264 Million Lost in 2024 Alone"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/threat-actors-turning-job-offers-into-traps-over-264-million-lost-in-2024-alone/">Threat Actors Turning Job Offers Into Traps, Over $264 Million Lost in 2024 Alone</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/The-Most-Active-RAT-Uses-New-Stagers-and-Loaders-to.jpeg)" class="slide slide-id-176872 tie-slide-1 tie-standard"> <a href="https://cybernoz.com/the-most-active-rat-uses-new-stagers-and-loaders-to-bypass-defenses/" class="all-over-thumb-link" aria-label="The Most Active RAT Uses New Stagers and Loaders to Bypass Defenses"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/the-most-active-rat-uses-new-stagers-and-loaders-to-bypass-defenses/">The Most Active RAT Uses New Stagers and Loaders to Bypass Defenses</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Threat-Actors-Abused-AV-EDR-Evasion-Framework-In-The-Wild-to.jpeg)" class="slide slide-id-176867 tie-slide-2 tie-standard"> <a href="https://cybernoz.com/threat-actors-abused-av-edr-evasion-framework-in-the-wild-to-deploy-malware-payloads/" class="all-over-thumb-link" aria-label="Threat Actors Abused AV – EDR Evasion Framework In-The-Wild to Deploy Malware Payloads"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/threat-actors-abused-av-edr-evasion-framework-in-the-wild-to-deploy-malware-payloads/">Threat Actors Abused AV – EDR Evasion Framework In-The-Wild to Deploy Malware Payloads</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Scattered-Spider-Upgraded-Their-Tactics-to-Abuse-Legitimate-Tools-to.jpeg)" class="slide slide-id-176862 tie-slide-3 tie-standard"> <a href="https://cybernoz.com/scattered-spider-upgraded-their-tactics-to-abuse-legitimate-tools-to-evade-detection-and-maintain-persistence/" class="all-over-thumb-link" aria-label="Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/scattered-spider-upgraded-their-tactics-to-abuse-legitimate-tools-to-evade-detection-and-maintain-persistence/">Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence</a></h2> </div> </div> </div> </div> <div style="background-image: url(https://cybernoz.com/wp-content/uploads/2025/07/Hackers-Exploit-Legitimate-Inno-Setup-Installer-to-Use-as-a.jpeg)" class="slide slide-id-176858 tie-slide-4 tie-standard"> <a href="https://cybernoz.com/hackers-exploit-legitimate-inno-setup-installer-to-use-as-a-malware-delivery-vehicle/" class="all-over-thumb-link" aria-label="Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle"></a> <div class="thumb-overlay"><div class="container"><span class="post-cat-wrap"><a class="post-cat tie-cat-4" href="https://cybernoz.com/category/cybersecuritynews/">CyberSecurityNews</a></span><div class="thumb-content"><div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h2 class="thumb-title"><a href="https://cybernoz.com/hackers-exploit-legitimate-inno-setup-installer-to-use-as-a-malware-delivery-vehicle/">Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle</a></h2> </div> </div> </div> </div> </div> </div> </div> </div> <div class="wide-slider-nav-wrapper "> <ul class="tie-slider-nav"></ul> <div class="container"> <div class="tie-row"> <div class="tie-col-md-12"> <div class="tie-slick-slider"> <div class="slide tie-slide-5"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data</h3> </div> </div> <div class="slide tie-slide-6"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass</h3> </div> </div> <div class="slide tie-slide-1"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Instagram Started Using 1-Week Validity TLS certificates and Changes Them Daily</h3> </div> </div> <div class="slide tie-slide-2"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">“CitrixBleed 2” Vulnerability PoC Released</h3> </div> </div> <div class="slide tie-slide-3"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure</h3> </div> </div> <div class="slide tie-slide-4"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Threat Actors Turning Job Offers Into Traps, Over $264 Million Lost in 2024 Alone</h3> </div> </div> <div class="slide tie-slide-5"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">The Most Active RAT Uses New Stagers and Loaders to Bypass Defenses</h3> </div> </div> <div class="slide tie-slide-6"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Threat Actors Abused AV – EDR Evasion Framework In-The-Wild to Deploy Malware Payloads</h3> </div> </div> <div class="slide tie-slide-1"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Scattered Spider Upgraded Their Tactics to Abuse Legitimate Tools to Evade Detection and Maintain Persistence</h3> </div> </div> <div class="slide tie-slide-2"> <div class="slide-overlay"> <div class="thumb-meta"><span class="date meta-item tie-icon">July 5, 2025</span></div> <h3 class="thumb-title">Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle</h3> </div> </div> </div> </div> </div> </div> </div> </div> </section> </div> <div id="related-posts" class="container-wrapper"> <div class="mag-box-title the-global-title"> <h3>Related Articles</h3> </div> <div class="related-posts-list"> <div class="related-item tie-standard"> <a aria-label="Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence" href="https://cybernoz.com/researchers-uncover-new-technique-to-exploit-azure-arc-for-hybrid-escalation-in-enterprise-environment-and-maintain-persistence/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Researchers-Uncover-New-Technique-to-Exploit-Azure-Arc-for-Hybrid.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence" decoding="async" fetchpriority="high" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Researchers-Uncover-New-Technique-to-Exploit-Azure-Arc-for-Hybrid.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Researchers-Uncover-New-Technique-to-Exploit-Azure-Arc-for-Hybrid-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Researchers-Uncover-New-Technique-to-Exploit-Azure-Arc-for-Hybrid-1536x864.jpeg 1536w" sizes="(max-width: 1600px) 100vw, 1600px" title="Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and Maintain Persistence 4"></a> <h3 class="post-title"><a href="https://cybernoz.com/researchers-uncover-new-technique-to-exploit-azure-arc-for-hybrid-escalation-in-enterprise-environment-and-maintain-persistence/">Researchers Uncover New Technique to Exploit Azure Arc for Hybrid Escalation in Enterprise Environment and…</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 5, 2025</span></div> </div> <div class="related-item tie-standard"> <a aria-label="Hackers Exploiting Java Debug Wire Protocol Servers in Wild to Deploy Cryptomining Payload" href="https://cybernoz.com/hackers-exploiting-java-debug-wire-protocol-servers-in-wild-to-deploy-cryptomining-payload/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Hackers-Exploiting-Java-Debug-Wire-Protocol-Servers-in-Wild-to.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Hackers Exploiting Java Debug Wire Protocol Servers in Wild to Deploy Cryptomining Payload" decoding="async" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Hackers-Exploiting-Java-Debug-Wire-Protocol-Servers-in-Wild-to.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Hackers-Exploiting-Java-Debug-Wire-Protocol-Servers-in-Wild-to-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Hackers-Exploiting-Java-Debug-Wire-Protocol-Servers-in-Wild-to-1536x864.jpeg 1536w" sizes="(max-width: 1600px) 100vw, 1600px" title="Hackers Exploiting Java Debug Wire Protocol Servers in Wild to Deploy Cryptomining Payload 5"></a> <h3 class="post-title"><a href="https://cybernoz.com/hackers-exploiting-java-debug-wire-protocol-servers-in-wild-to-deploy-cryptomining-payload/">Hackers Exploiting Java Debug Wire Protocol Servers in Wild to Deploy Cryptomining Payload</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 5, 2025</span></div> </div> <div class="related-item tie-standard"> <a aria-label="Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition" href="https://cybernoz.com/next-js-cache-poisoning-vulnerability-let-attackers-trigger-dos-condition/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Nextjs-Cache-Poisoning-Vulnerability-Let-Attackers-Trigger-DoS-Condition.webp.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition" decoding="async" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Nextjs-Cache-Poisoning-Vulnerability-Let-Attackers-Trigger-DoS-Condition.webp.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Nextjs-Cache-Poisoning-Vulnerability-Let-Attackers-Trigger-DoS-Condition.webp-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Nextjs-Cache-Poisoning-Vulnerability-Let-Attackers-Trigger-DoS-Condition.webp-1536x864.jpeg 1536w" sizes="(max-width: 1600px) 100vw, 1600px" title="Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition 6"></a> <h3 class="post-title"><a href="https://cybernoz.com/next-js-cache-poisoning-vulnerability-let-attackers-trigger-dos-condition/">Next.js Cache Poisoning Vulnerability Let Attackers Trigger DoS Condition</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 5, 2025</span></div> </div> <div class="related-item tie-standard"> <a aria-label="Microsoft Investigating Forms Service Issue Not Accessible for Users" href="https://cybernoz.com/microsoft-investigating-forms-service-issue-not-accessible-for-users/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Microsoft-Investigating-Forms-Service-Issue-Not-Accessible-for-Users.webp.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Microsoft Investigating Forms Service Issue Not Accessible for Users" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Microsoft-Investigating-Forms-Service-Issue-Not-Accessible-for-Users.webp.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Microsoft-Investigating-Forms-Service-Issue-Not-Accessible-for-Users.webp-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Microsoft-Investigating-Forms-Service-Issue-Not-Accessible-for-Users.webp-1536x864.jpeg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="Microsoft Investigating Forms Service Issue Not Accessible for Users 7"></a> <h3 class="post-title"><a href="https://cybernoz.com/microsoft-investigating-forms-service-issue-not-accessible-for-users/">Microsoft Investigating Forms Service Issue Not Accessible for Users</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 4, 2025</span></div> </div> <div class="related-item tie-standard"> <a aria-label="Massive Android Ad Fraud ‘IconAds’ Leverages Google Play to Attack Phone Users" href="https://cybernoz.com/massive-android-ad-fraud-iconads-leverages-google-play-to-attack-phone-users/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Massive-Android-Ad-Fraud-IconAds-Leverages-Google-Play-to-Attack.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Massive Android Ad Fraud 'IconAds' Leverages Google Play to Attack Phone Users" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Massive-Android-Ad-Fraud-IconAds-Leverages-Google-Play-to-Attack.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Massive-Android-Ad-Fraud-IconAds-Leverages-Google-Play-to-Attack-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Massive-Android-Ad-Fraud-IconAds-Leverages-Google-Play-to-Attack-1536x864.jpeg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="Massive Android Ad Fraud 'IconAds' Leverages Google Play to Attack Phone Users 8"></a> <h3 class="post-title"><a href="https://cybernoz.com/massive-android-ad-fraud-iconads-leverages-google-play-to-attack-phone-users/">Massive Android Ad Fraud ‘IconAds’ Leverages Google Play to Attack Phone Users</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 4, 2025</span></div> </div> <div class="related-item tie-standard"> <a aria-label="Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks" href="https://cybernoz.com/multiple-php-vulnerabilities-allow-sql-injection-dos-attacks/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Multiple-PHP-Vulnerabilities-Allow-SQL-Injection-DoS-Attacks.webp.jpeg" class="attachment-jannah-image-large size-jannah-image-large wp-post-image" alt="Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Multiple-PHP-Vulnerabilities-Allow-SQL-Injection-DoS-Attacks.webp.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Multiple-PHP-Vulnerabilities-Allow-SQL-Injection-DoS-Attacks.webp-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Multiple-PHP-Vulnerabilities-Allow-SQL-Injection-DoS-Attacks.webp-1536x864.jpeg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks 9"></a> <h3 class="post-title"><a href="https://cybernoz.com/multiple-php-vulnerabilities-allow-sql-injection-dos-attacks/">Multiple PHP Vulnerabilities Allow SQL Injection & DoS Attacks</a></h3> <div class="post-meta clearfix"><span class="date meta-item tie-icon">July 4, 2025</span></div> </div> </div> </div> </div> </div> <aside class="sidebar tie-col-md-4 tie-col-xs-12 normal-side" aria-label="Primary Sidebar"> <div class="theiaStickySidebar"> <div id="posts-list-widget-3" class="container-wrapper widget posts-list"><div class="widget-title the-global-title"><div class="the-subtitle">Recent Posts</div></div><div class="widget-posts-list-wrapper"><div class="widget-posts-list-container" ><ul class="posts-list-items widget-posts-wrapper"> <li class="widget-single-post-item widget-post-list tie-standard"> <div class="post-widget-thumbnail"> <a aria-label="AI’s Morose Mania" href="https://cybernoz.com/ais-morose-mania/" class="post-thumb"><img width="1200" height="985" src="https://cybernoz.com/wp-content/uploads/2025/07/AIs-Morose-Mania.jpg" class="attachment-jannah-image-small size-jannah-image-small tie-small-image wp-post-image" alt="Hide the Pain Harold - smiling through the existential dread" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/AIs-Morose-Mania.jpg 1200w, https://cybernoz.com/wp-content/uploads/2025/07/AIs-Morose-Mania-768x630.jpg 768w" sizes="auto, (max-width: 1200px) 100vw, 1200px" title="AI's Morose Mania 10"></a> </div> <div class="post-widget-body "> <a class="post-title the-subtitle" href="https://cybernoz.com/ais-morose-mania/">AI’s Morose Mania</a> <div class="post-meta"> <span class="date meta-item tie-icon">July 6, 2025</span> </div> </div> </li> <li class="widget-single-post-item widget-post-list tie-standard"> <div class="post-widget-thumbnail"> <a aria-label="North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates" href="https://cybernoz.com/north-korea-linked-threat-actors-spread-macos-nimdoor-malware-via-fake-zoom-updates/" class="post-thumb"><img width="1200" height="675" src="https://cybernoz.com/wp-content/uploads/2025/06/DOJ-moves-to-seize-774M-in-crypto-linked-to-North.jpg" class="attachment-jannah-image-small size-jannah-image-small tie-small-image wp-post-image" alt="DOJ moves to seize $7.74M in crypto linked to North Korean IT Worker Scam" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/06/DOJ-moves-to-seize-774M-in-crypto-linked-to-North.jpg 1200w, https://cybernoz.com/wp-content/uploads/2025/06/DOJ-moves-to-seize-774M-in-crypto-linked-to-North-768x432.jpg 768w" sizes="auto, (max-width: 1200px) 100vw, 1200px" title="North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates 11"></a> </div> <div class="post-widget-body "> <a class="post-title the-subtitle" href="https://cybernoz.com/north-korea-linked-threat-actors-spread-macos-nimdoor-malware-via-fake-zoom-updates/">North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates</a> <div class="post-meta"> <span class="date meta-item tie-icon">July 5, 2025</span> </div> </div> </li> <li class="widget-single-post-item widget-post-list tie-standard"> <div class="post-widget-thumbnail"> <a aria-label="Ingram Micro outage caused by SafePay ransomware attack" href="https://cybernoz.com/ingram-micro-outage-caused-by-safepay-ransomware-attack/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Ingram-Micro-outage-caused-by-SafePay-ransomware-attack.jpg" class="attachment-jannah-image-small size-jannah-image-small tie-small-image wp-post-image" alt="Ingram Micro" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Ingram-Micro-outage-caused-by-SafePay-ransomware-attack.jpg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Ingram-Micro-outage-caused-by-SafePay-ransomware-attack-768x432.jpg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Ingram-Micro-outage-caused-by-SafePay-ransomware-attack-1536x864.jpg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="Ingram Micro outage caused by SafePay ransomware attack 12"></a> </div> <div class="post-widget-body "> <a class="post-title the-subtitle" href="https://cybernoz.com/ingram-micro-outage-caused-by-safepay-ransomware-attack/">Ingram Micro outage caused by SafePay ransomware attack</a> <div class="post-meta"> <span class="date meta-item tie-icon">July 5, 2025</span> </div> </div> </li> <li class="widget-single-post-item widget-post-list tie-standard"> <div class="post-widget-thumbnail"> <a aria-label="New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data" href="https://cybernoz.com/new-phishing-attack-impersonates-as-dwp-attacking-users-to-steal-credit-card-data/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/New-Phishing-Attack-Impersonates-as-DWP-Attacking-Users-to-Steal.jpeg" class="attachment-jannah-image-small size-jannah-image-small tie-small-image wp-post-image" alt="New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/New-Phishing-Attack-Impersonates-as-DWP-Attacking-Users-to-Steal.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/New-Phishing-Attack-Impersonates-as-DWP-Attacking-Users-to-Steal-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/New-Phishing-Attack-Impersonates-as-DWP-Attacking-Users-to-Steal-1536x864.jpeg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data 13"></a> </div> <div class="post-widget-body "> <a class="post-title the-subtitle" href="https://cybernoz.com/new-phishing-attack-impersonates-as-dwp-attacking-users-to-steal-credit-card-data/">New Phishing Attack Impersonates as DWP Attacking Users to Steal Credit Card Data</a> <div class="post-meta"> <span class="date meta-item tie-icon">July 5, 2025</span> </div> </div> </li> <li class="widget-single-post-item widget-post-list tie-standard"> <div class="post-widget-thumbnail"> <a aria-label="Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass" href="https://cybernoz.com/writable-file-in-lenovos-windows-directory-enables-a-stealthy-applocker-bypass/" class="post-thumb"><img width="1600" height="900" src="https://cybernoz.com/wp-content/uploads/2025/07/Writable-File-in-Lenovos-Windows-Directory-Enables-a-Stealthy-AppLocker.webp.jpeg" class="attachment-jannah-image-small size-jannah-image-small tie-small-image wp-post-image" alt="Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass" decoding="async" loading="lazy" srcset="https://cybernoz.com/wp-content/uploads/2025/07/Writable-File-in-Lenovos-Windows-Directory-Enables-a-Stealthy-AppLocker.webp.jpeg 1600w, https://cybernoz.com/wp-content/uploads/2025/07/Writable-File-in-Lenovos-Windows-Directory-Enables-a-Stealthy-AppLocker.webp-768x432.jpeg 768w, https://cybernoz.com/wp-content/uploads/2025/07/Writable-File-in-Lenovos-Windows-Directory-Enables-a-Stealthy-AppLocker.webp-1536x864.jpeg 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" title="Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass 14"></a> </div> <div class="post-widget-body "> <a class="post-title the-subtitle" href="https://cybernoz.com/writable-file-in-lenovos-windows-directory-enables-a-stealthy-applocker-bypass/">Writable File in Lenovo’s Windows Directory Enables a Stealthy AppLocker Bypass</a> <div class="post-meta"> <span class="date meta-item tie-icon">July 5, 2025</span> </div> </div> </li> </ul></div></div><div class="clearfix"></div></div> </div> </aside> </div></div> <footer id="footer" class="site-footer dark-skin dark-widgetized-area"> </footer> <div id="share-buttons-mobile" class="share-buttons share-buttons-mobile"> <div class="share-links icons-only"> <a href="https://www.facebook.com/sharer.php?u=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="Facebook" target="_blank" class="facebook-share-btn " data-raw="https://www.facebook.com/sharer.php?u={post_link}"> <span class="share-btn-icon tie-icon-facebook"></span> <span class="screen-reader-text">Facebook</span> </a> <a href="https://twitter.com/intent/tweet?text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials&url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="X" target="_blank" class="twitter-share-btn " data-raw="https://twitter.com/intent/tweet?text={post_title}&url={post_link}"> <span class="share-btn-icon tie-icon-twitter"></span> <span class="screen-reader-text">X</span> </a> <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&title=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="LinkedIn" target="_blank" class="linkedin-share-btn " data-raw="https://www.linkedin.com/shareArticle?mini=true&url={post_full_link}&title={post_title}"> <span class="share-btn-icon tie-icon-linkedin"></span> <span class="screen-reader-text">LinkedIn</span> </a> <a href="https://pinterest.com/pin/create/button/?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&description=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials&media=https://cybernoz.com/wp-content/uploads/2023/03/Bitwarden-Password-Manager-Flaw-Let-Attackers-Steal-Credentials.png" rel="external noopener nofollow" title="Pinterest" target="_blank" class="pinterest-share-btn " data-raw="https://pinterest.com/pin/create/button/?url={post_link}&description={post_title}&media={post_img}"> <span class="share-btn-icon tie-icon-pinterest"></span> <span class="screen-reader-text">Pinterest</span> </a> <a href="https://reddit.com/submit?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&title=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="Reddit" target="_blank" class="reddit-share-btn " data-raw="https://reddit.com/submit?url={post_link}&title={post_title}"> <span class="share-btn-icon tie-icon-reddit"></span> <span class="screen-reader-text">Reddit</span> </a> <a href="https://api.whatsapp.com/send?text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials%20https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/" rel="external noopener nofollow" title="WhatsApp" target="_blank" class="whatsapp-share-btn " data-raw="https://api.whatsapp.com/send?text={post_title}%20{post_link}"> <span class="share-btn-icon tie-icon-whatsapp"></span> <span class="screen-reader-text">WhatsApp</span> </a> <a href="https://telegram.me/share/url?url=https://cybernoz.com/bitwarden-password-manager-flaw-let-attackers-steal-credentials/&text=Bitwarden%20Password%20Manager%20Flaw%20Let%20Attackers%20Steal%20Credentials" rel="external noopener nofollow" title="Telegram" target="_blank" class="telegram-share-btn " data-raw="https://telegram.me/share/url?url={post_link}&text={post_title}"> <span class="share-btn-icon tie-icon-paper-plane"></span> <span class="screen-reader-text">Telegram</span> </a> </div> </div> <div class="mobile-share-buttons-spacer"></div> </div> </div> </div> <noscript> <div> <img src="https://mc.yandex.ru/watch/102510865" style="position:absolute; left:-9999px;" alt=""/> </div> </noscript> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/jannah\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <div id="is-scroller-outer"><div id="is-scroller"></div></div><div id="fb-root"></div> <div id="tie-popup-search-mobile" class="tie-popup tie-popup-search-wrap" style="display: none;"> <a href="#" class="tie-btn-close remove big-btn light-btn"> <span class="screen-reader-text">Close</span> </a> <div class="popup-search-wrap-inner"> <div class="live-search-parent pop-up-live-search" data-skin="live-search-popup" aria-label="Search"> <form method="get" class="tie-popup-search-form" action="https://cybernoz.com/"> <input class="tie-popup-search-input " inputmode="search" type="text" name="s" title="Search for" autocomplete="off" placeholder="Search for" /> <button class="tie-popup-search-submit" type="submit"> <span class="tie-icon-search tie-search-icon" aria-hidden="true"></span> <span class="screen-reader-text">Search for</span> </button> </form> </div> </div> </div> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/wp-yandex-metrika/assets/contactFormSeven.min.js?ver=1.2.1" id="wp-yandex-metrika_contact-form-7-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6" id="wp-hooks-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6" id="wp-i18n-js"></script> <script type="text/javascript" id="wp-i18n-js-after"> /* <![CDATA[ */ wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } ); /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.1" id="swv-js"></script> <script type="text/javascript" id="contact-form-7-js-before"> /* <![CDATA[ */ var wpcf7 = { "api": { "root": "https:\/\/cybernoz.com\/wp-json\/", "namespace": "contact-form-7\/v1" } }; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.1" id="contact-form-7-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/mousewheel-smooth-scroll/js/lenis.min.js?ver=1.1.19" id="lenis-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/uploads/wpmss/lenis-init.min.js?ver=1741843726" id="lenis-init-js"></script> <script type="text/javascript" id="tie-scripts-js-extra"> /* <![CDATA[ */ var tie = {"is_rtl":"","ajaxurl":"https:\/\/cybernoz.com\/wp-admin\/admin-ajax.php","is_side_aside_light":"","is_taqyeem_active":"","is_sticky_video":"","mobile_menu_top":"","mobile_menu_active":"","mobile_menu_parent":"","lightbox_all":"","lightbox_gallery":"","lightbox_skin":"dark","lightbox_thumb":"vertical","lightbox_arrows":"","is_singular":"1","autoload_posts":"","reading_indicator":"","lazyload":"","select_share":"","select_share_twitter":"","select_share_facebook":"","select_share_linkedin":"","select_share_email":"","facebook_app_id":"5303202981","twitter_username":"","responsive_tables":"","ad_blocker_detector":"","sticky_behavior":"default","sticky_desktop":"true","sticky_mobile":"true","sticky_mobile_behavior":"default","ajax_loader":"<div class=\"loader-overlay\"><div class=\"spinner-circle\"><\/div><\/div>","type_to_search":"","lang_no_results":"Nothing Found","sticky_share_mobile":"true","sticky_share_post":"","sticky_share_post_menu":""}; /* ]]> */ </script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/jannah/assets/js/scripts.min.js?ver=7.4.1" id="tie-scripts-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/jannah/assets/js/sliders.min.js?ver=7.4.1" id="tie-js-sliders-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/jannah/assets/js/shortcodes.js?ver=7.4.1" id="tie-js-shortcodes-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/jannah/assets/js/desktop.min.js?ver=7.4.1" id="tie-js-desktop-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/themes/jannah/assets/js/single.min.js?ver=7.4.1" id="tie-js-single-js"></script> <script type="text/javascript" src="https://cybernoz.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-events-provider-contact-form-7-84e9a1056bc4922b7cbd.js" id="googlesitekit-events-provider-contact-form-7-js" defer></script> <script type='text/javascript'> !function(t){"use strict";t.loadCSS||(t.loadCSS=function(){});var e=loadCSS.relpreload={};if(e.support=function(){var e;try{e=t.document.createElement("link").relList.supports("preload")}catch(t){e=!1}return function(){return e}}(),e.bindMediaToggle=function(t){var e=t.media||"all";function a(){t.addEventListener?t.removeEventListener("load",a):t.attachEvent&&t.detachEvent("onload",a),t.setAttribute("onload",null),t.media=e}t.addEventListener?t.addEventListener("load",a):t.attachEvent&&t.attachEvent("onload",a),setTimeout(function(){t.rel="stylesheet",t.media="only x"}),setTimeout(a,3e3)},e.poly=function(){if(!e.support())for(var a=t.document.getElementsByTagName("link"),n=0;n<a.length;n++){var o=a[n];"preload"!==o.rel||"style"!==o.getAttribute("as")||o.getAttribute("data-loadcss")||(o.setAttribute("data-loadcss",!0),e.bindMediaToggle(o))}},!e.support()){e.poly();var a=t.setInterval(e.poly,500);t.addEventListener?t.addEventListener("load",function(){e.poly(),t.clearInterval(a)}):t.attachEvent&&t.attachEvent("onload",function(){e.poly(),t.clearInterval(a)})}"undefined"!=typeof exports?exports.loadCSS=loadCSS:t.loadCSS=loadCSS}("undefined"!=typeof global?global:this); </script> <script type='text/javascript'> var c = document.body.className; c = c.replace(/tie-no-js/, 'tie-js'); document.body.className = c; </script> </body> </html> <script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="e94f9c56fbdd2ac826f1a291-|49" defer></script><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>