Today’s Topics:
- 7-Zip Symbolic Link Flaw Draws Attention After Public PoC Release
- Another Salesforce Supply-Chain Breach: Gainsight Compromise Fuels OAuth Token Theft
- How Can Netizen Help?
7-Zip Symbolic Link Flaw Draws Attention After Public PoC Release

Reports from NHS England Digital briefly suggested that a newly disclosed flaw in 7-Zip was being used in real attacks, but the agency later corrected its advisory, clarifying that it has not seen evidence of live exploitation. What it has confirmed is the presence of a public proof-of-concept, which raises the stakes for anyone still running outdated versions of the tool.
The issue, tracked as CVE-2025-11001, affects how 7-Zip processes symbolic links inside ZIP archives. A crafted archive can cause 7-Zip to traverse into directories outside the intended extraction path, opening the door to remote code execution under a service-level account. Trend Micro’s ZDI highlighted the directory traversal weakness last month, and the fix quietly arrived with version 25.00 in July. The flaw was introduced several versions earlier, making long-term installs especially exposed.
Researchers Ryota Shiga and Takumi, an AI-assisted auditing system from GMO Flatt Security, discovered and disclosed the problem. A second, similar bug, CVE-2025-11002, was also fixed in the same release and involves the same symbolic-link handling weakness. Both issues share the same severity score and the same potential impact.
Although NHS initially suggested active exploitation, the updated advisory walks that back and attributes the earlier wording to an error. What remains true is that a PoC is already available. Security researcher Dominik, who published the demonstration, noted that successful exploitation requires either an elevated account or Windows developer mode. The vulnerability only affects Windows systems and cannot trigger outside those conditions.
With public exploit material already circulating, users relying on older 7-Zip versions are exposed to unnecessary risk. Updating to version 25.00 or later closes both symbolic-link flaws and prevents attackers from using crafted archives to gain footholds on a target system.
Another Salesforce Supply-Chain Breach: Gainsight Compromise Fuels OAuth Token Theft

Salesforce customers are once again dealing with a familiar and avoidable problem: attackers abusing third-party integrations to slip into environments that organizations assumed were already under control. The newest incident mirrors the Drift breach from earlier in the year, only this time the attackers used Gainsight as their entry point. OAuth tokens tied to Gainsight’s connection with Salesforce were stolen, giving the threat group access to customer environments with whatever permissions each organization had granted the app.
The attackers behind this campaign are linked to the ShinyHunters extortion group, which has spent much of the past year targeting SaaS integrations that provide broad access but are often treated as low-risk. Google’s threat intelligence team attributed this latest wave to a group connected to ShinyHunters and said that more than 200 Salesforce environments were affected. The attackers themselves claimed nearly 1,000 across both Drift and Gainsight.
Salesforce responded by pulling the affected apps from its marketplace and revoking all active OAuth tokens associated with Gainsight. That decision briefly caused confusion inside Gainsight, which initially believed the sudden failure of customer connections was a technical glitch. Salesforce later clarified that revoking the tokens did not erase audit trails or limit customers’ ability to investigate the breach.
The most striking part of this episode is how straightforward the attackers’ strategy was. Security researchers pointed out that Drift never required the level of access many customers had given it, and the same pattern repeated with Gainsight. These integrations were granted extensive permissions far beyond what a sales-oriented tool reasonably needs, creating a perfect opportunity for attackers once those OAuth tokens were stolen.
This isn’t just a Salesforce issue. Gainsight connects to a long list of other platforms: Slack, Microsoft Teams, HubSpot, Jira, Snowflake, and many more. Any organization that integrated Gainsight without a clear access policy may now be exposed across several systems, not just Salesforce. Many teams are only now realizing how many places their SaaS tools connect and how little visibility they actually have.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

