Kasm Technologies Security Advisories: Browser Argument Injection, NGINX Config Injection, and Phishing Campaign

### Critical Vulnerability Information - **[Cybersecurity Notice] REF: Spoofed Phishing Mail (Kasm Shared File)** - **Description**: A phishing campaign targeting Kasm Technologies customers, spoofing a SharePoint Online email purportedly from Brian Jenrette sharing a file. - **CVE-2021-35587 - Oracle Cloud Security Incident (March 21, 2025)** - **Description**: Third-party reports indicate "The Biggest Supply Chain Hack of 2025" affecting over 140,000 Oracle Cloud Infrastructure (OCI) tenants. - **KASM-2024-0001 - Browser argument injection** - **Description**: Kasm Go URL is a special URL provided to end users, allowing them to navigate to Kasm via their local browser, potentially leading to unauthorized direct access to the Kasm browser. - **CVE-2021-44228 - Apache Log4j2 Java** - **Description**: A vulnerability in Apache Log4j2 versions 2.0-beta9 through 2.14.1, publicly disclosed on December 9, 2021. - **CVE-2021-4034 - Local privilege escalation in pkexec** - **Description**: A local privilege escalation vulnerability in the pkexec tool from polkit, allowing unprivileged users to execute privileged commands. - **KASM-2022-0001 - NGINX configuration injection vulnerability** - **Description**: Certain Kasm deployments using default Zone settings without a reverse proxy or L7 load balancer may be vulnerable to NGINX configuration injection attacks. - **CVE-2022-0847 - Local privilege escalation in Linux pipe (DirtyPipe)** - **Description**: The DirtyPipe vulnerability in Linux kernel versions 5.8 and above, which has been patched across multiple Linux distributions.

Goal Reached Thanks to every supporter — we hit 100%!

Kasm Technologies Security Advisories: Browser Argument Injection, NGINX Config Injection, and Phishing Campaign