Vaults can be cracked open: Critical vulnerabilities in popular enterprise credential vaults were unveiled by security researchers from Cyata during Black Hat. The flaws, in various components of HashiCorp Vault and CyberArk Conjur, were responsibly disclosed to the vendors and patched before public disclosure. They stemmed from subtle logic flaws in authentication, validation, and policy enforcement mechanisms, as CSO reported in our story on the research. Secrets vaults store the credentials, tokens, and certificates that govern access to systems, services, APIs, and data, and offer role-based access control, secret rotation, and auditing functions. Designed for integration with DevOps tools, these products often form an integral part of software development pipelines.
Security of hardware components merits closer examination: Flaws in the firmware that ships with more than 100 models of Dell business laptops threatened the security of hardware subcomponents designed to protect biometric data, passwords, and other secrets. Security researchers at Cisco Talos used Black Hat to demonstrate how flaws in the ControlVault3 (CV) firmware and its associated chips in Dell laptops could be used to bypass Windows login, given physical access to a vulnerable laptop. In the worst-case scenario, one of the vulnerabilities discovered by Cisco Talos would allow attackers to plant a malware implant in the firmware capable of surviving even an operating system reinstallation. All five vulnerabilities were addressed by driver and firmware updates released by Dell between March and May 2025. Cisco Talos selected ControlVault as a research target because the technology is widely used for security and enhanced logins but little studied by security researchers. Philippe Laulheret, senior vulnerability researcher at Cisco Talos, told CSO that the affected technology was limited to Dell laptops, adding that there is no evidence of in-the-wild exploitation of the flaws it discovered.
Multi-tenancy isolation in cloud systems called into question: The security of cloud-based systems fell under the spotlight at Black Hat with a talk on how an undocumented internal protocol in Amazon Elastic Container Service (ECS), running on EC2 hosts, was open to exploitation. Security shortcomings allowed a malicious container task with low identity and access management (IAM) privileges to impersonate the ECS agent and steal AWS credentials belonging to other, higher-privileged tasks running on the same instance, CSO's Shweta Sharma reported. By abusing the ECS agent's WebSocket communication channel with the control plane, an attacker can harvest the IAM credentials of those neighbouring tasks, security researcher Naor Haziz of Sweet Security demonstrated. The attack breaks the assumption of container isolation on ECS with the EC2 launch type, enabling privilege escalation and lateral movement within the cloud environment. Containers sharing one EC2 instance are effectively in the same trust domain unless users enforce isolation themselves, the research showed. AWS recommends adopting stronger isolation models such as Fargate as a countermeasure.
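The trust-domain point above, as an added example that is neither Sweet Security's nor AWS's code: a small inventory check that flags EC2 container instances hosting tasks under more than one IAM task role, because those are exactly the placements where impersonating the shared ECS agent yields credentials the attacker's own task was never granted. The records are constructed (made-up account ID, cluster, instance and role names) and mirror only the fields of ECS DescribeTasks/DescribeTaskDefinition output that the check needs; a real run would populate them from those API calls.

```python
from collections import defaultdict

# Constructed sample inventory (not real data, not Sweet Security's or AWS's code).
# Each record carries the subset of ECS DescribeTasks / DescribeTaskDefinition
# output the check needs; account ID, cluster, instance and role names are made up.
SAMPLE_TASKS = [
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/aaa111",
     "launchType": "EC2",
     "containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/prod/ci-01",
     "taskRoleArn": "arn:aws:iam::111122223333:role/payments-db-writer"},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/bbb222",
     "launchType": "EC2",
     "containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/prod/ci-01",
     "taskRoleArn": "arn:aws:iam::111122223333:role/public-web-readonly"},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/ccc333",
     "launchType": "EC2",
     "containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/prod/ci-02",
     "taskRoleArn": "arn:aws:iam::111122223333:role/public-web-readonly"},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/ddd444",
     "launchType": "EC2",
     "containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/prod/ci-02",
     "taskRoleArn": None},  # task definition declares no task role
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/eee555",
     "launchType": "FARGATE",
     "containerInstanceArn": None,
     "taskRoleArn": "arn:aws:iam::111122223333:role/payments-db-writer"},
]

# Marker for tasks without a task role; treated as its own trust level.
NO_TASK_ROLE = "<no task role>"


def roles_per_ec2_instance(tasks):
    """Map each EC2 container instance ARN to the set of task-role ARNs running
    on it. Fargate tasks are skipped: each runs in its own isolated environment
    rather than behind a shared per-host ECS agent, so there is no neighbour
    to impersonate the agent against."""
    roles = defaultdict(set)
    for task in tasks:
        if task.get("launchType") != "EC2":
            continue
        instance = task.get("containerInstanceArn")
        if not instance:
            continue
        roles[instance].add(task.get("taskRoleArn") or NO_TASK_ROLE)
    return roles


def find_mixed_trust_instances(tasks):
    """Return {instanceArn: sorted role list} for every EC2 container instance
    hosting tasks under more than one IAM role. On such an instance a task
    running as the weakest role is co-located with credentials for every
    other role listed."""
    return {
        instance: sorted(role_set)
        for instance, role_set in roles_per_ec2_instance(tasks).items()
        if len(role_set) > 1
    }


def blast_radius(tasks, task_arn):
    """Roles a compromised task could reach by harvesting its neighbours'
    credentials (its own role excluded). Empty for Fargate tasks and for EC2
    instances that host only one role."""
    task = {t["taskArn"]: t for t in tasks}[task_arn]
    if task.get("launchType") != "EC2":
        return []
    roles = roles_per_ec2_instance(tasks)[task["containerInstanceArn"]]
    own = task.get("taskRoleArn") or NO_TASK_ROLE
    return sorted(roles - {own})


if __name__ == "__main__":
    for instance, roles in find_mixed_trust_instances(SAMPLE_TASKS).items():
        print(f"{instance}: {len(roles)} roles co-located: {', '.join(roles)}")
```

Tasks with no task role are counted as a distinct trust level, so an instance mixing them with role-bearing tasks is reported too; whether that is acceptable depends on whether those containers can also reach the instance profile, which this check does not try to determine. The fix the research points to is placement, not policy: move high-value roles onto dedicated instances or to Fargate rather than trying to restrict what a co-located task may ask the agent for.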
Windows research uncovers new botnet vector: During DEF CON, security researchers from SafeBreach detailed novel denial-of-service (DoS) and distributed denial-of-service (DDoS) attack techniques against Windows systems, dubbed Win-DDoS. Attackers could have crashed Windows domain controllers and built a botnet using unauthenticated remote procedure call (RPC) and Lightweight Directory Access Protocol (LDAP) vulnerabilities. The attack involves remotely crashing domain controllers or other Windows endpoints on internal networks, using the RPC framework combined with a set of zero-click vulnerabilities affecting Windows services. The discovery came out of follow-up research on a previous Windows LDAP RCE vulnerability, LDAPNightmare, as previously reported.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4037869/5-key-takeaways-from-black-hat-usa-2025.html

