Kasm Technologies Security Advisories: Browser Argument Injection, NGINX Config Injection, and Phishing Campaign

Critical Vulnerability Information [Cybersecurity Notice] REF: Spoofed Phishing Mail (Kasm Shared File) - Description: A phishing campaign targeting Kasm Technologies customers, spoofing a SharePoint Online email purportedly from Brian Jenrette sharing a file. CVE-2021-35587 - Oracle Cloud Security Incident (March 21, 2025) - Description: Third-party reports indicate "The Biggest Supply Chain Hack of 2025" affecting over 140,000 Oracle Cloud Infrastructure (OCI) tenants. KASM-2024-0001 - Browser argument injection - Description: Kasm Go URL is a special URL provided to end users, allowing them to navigate to Kasm via their local browser, potentially leading to unauthorized direct access to the Kasm browser. CVE-2021-44228 - Apache Log4j2 Java - Description: A vulnerability in Apache Log4j2 versions 2.0-beta9 through 2.14.1, publicly disclosed on December 9, 2021. CVE-2021-4034 - Local privilege escalation in pkexec - Description: A local privilege escalation vulnerability in the pkexec tool from polkit, allowing unprivileged users to execute privileged commands. KASM-2022-0001 - NGINX configuration injection vulnerability - Description: Certain Kasm deployments using default Zone settings without a reverse proxy or L7 load balancer may be vulnerable to NGINX configuration injection attacks. CVE-2022-0847 - Local privilege escalation in Linux pipe (DirtyPipe) - Description: The DirtyPipe vulnerability in Linux kernel versions 5.8 and above, which has been patched across multiple Linux distributions.

Goal Reached Thanks to every supporter — we hit 100%!

Kasm Technologies Security Advisories: Browser Argument Injection, NGINX Config Injection, and Phishing Campaign