Skip to content

AI Security Architecture: Integrating SealPath SDK for Secure Agentic Workflows

The Securing of Generative Knowledge 

Leveraging SealPath SDK to Enforce Persistent Information Rights Management Within Enterprise AI Architectures

Strategic Briefing: Connecting autonomous AI agents to internal corporate repositories unlocks immense productivity, yet it creates a severe data exposure risk. Because large language models inherently aggregate and synthesize information across disparate data silos, they often bypass traditional folder-level permissions. This blueprint details how the SealPath SDK embeds an external, identity-centric verification layer directly into AI pipelines, ensuring autonomous agents query data based strictly on the user’s active document rights.

The Structural Risk of Agentic Knowledge Retrieval

Enterprise AI workflows allow personnel to query expansive data estates using natural language—instantly extracting summaries of legal contracts, vendor parameters, or proprietary technical roadmaps. However, when these intelligent orchestrators index repositories containing inherited permissions, open shared links, or cross-departmental folders, they introduce a fundamental security flaw.

An AI model does not need to expose a complete confidential document to cause a catastrophic data breach. It is enough for the agent to inject sensitive fragments into a low-clearance chat session, synthesize protected data points across different sources, or infer restricted operational metrics. Proximity to data within a vector database can no longer imply permission to retrieve it. For enterprises handling regulated or proprietary intellectual property, granular access control must move from a repository parameter to a property of the file itself.

“An enterprise AI agent must not formulate its answers based on everything it is technically capable of finding. It must formulate responses exclusively from the data assets the querying identity is explicitly authorized to view.”


Why Localized Isolation Beats Basic Indexing

A common architectural misstep is relying on simple repository synchronization—indexing broad shared drives and leaving information filtration to the AI system itself. Without an independent, auditable cryptographic boundary, the runtime engine risks amplifying preexisting permission creep across the enterprise.

This challenge is recognized by industry standards like Microsoft 365 Copilot, which emphasizes that intelligent retrieval must respect identity-based access boundaries at the runtime layer. True data security requires shifting the core query from an unstructured search to a permission-validated request:

Retrieval ParadigmPrimary Indexing QueryOperational Security Boundary
Standard AI Agent“Which documents across the indexed data estate are semantically relevant to this prompt?”Dependent on basic folder-level inheritance; vulnerable to privilege creep and oversharing.
Secure IRM-Integrated Agent“Which relevant documents is this specific user identity contractually and cryptographically permitted to decrypt?”Enforced by persistent, document-level cryptographic signatures that remain valid anywhere the file travels.

Architectural Overview: The SealPath SDK Validation Loop

The SealPath SDK introduces an automated enforcement layer directly between the autonomous agent and the underlying protected file matrix. By integrating permission checking directly into the retrieval-augmented generation (RAG) loop, the application verifies information rights before data content enters the model context.

 

The secure operational workflow follows a strict sequential lifecycle:

  1. Prompt Ingestion: The human operator inputs an unstructured query into the enterprise AI interface.
  2. Candidate Isolation: The agent queries its vector database or storage array to locate semantically relevant files.
  3. Cryptographic Attestation: Before reading or chunking any protected document, the application calls the SealPath SDK interface.
  4. Identity-Based Verification: SealPath verifies the querying user’s identity and checks their active permissions against the file’s security policy.
  5. Context Ingestion: If authorized, the document is decrypted and its contents are passed into the model’s context window. If unauthorized, the file is excluded entirely.
  6. Scoped Response Generation: The model generates an answer derived exclusively from authenticated, permission-compliant sources.

Granular Permission Evaluation at the Runtime Layer

Traditional access controls utilize a simple binary open/close decision. By contrast, the SealPath SDK enables enterprise applications to analyze the exact usage parameters associated with a file before it is leveraged by an autonomous pipeline. The application can dynamically evaluate multiple security variables in real time:

  • Decryption Clearance: Confirming if the specific user context possesses the cryptographic keys to open the file.
  • Functional Micro-Permissions: Checking if the active identity is restricted from copying content, printing pages, or editing fields—allowing the application to limit data chunking accordingly.
  • Temporal Boundaries: Validating if the document’s access window has expired or if permissions have been unilaterally revoked.

If an unauthorized user requests an analysis of an unvetted document, the system excludes the file from the RAG cycle, allowing the agent to respond securely: “Based exclusively on the documentation you are authorized to access, the available information states…”

Neutralizing the AI Oversharing Multiplier

Oversharing—the exposure of corporate data to excessive users over inappropriate timelines—is a long-standing data governance challenge. Historically, an overexposed document often remained secure simply through obscurity, buried deep within nested network shares. AI eliminates this security by obscurity. An agent can discover, aggregate, and display an overexposed file in seconds.

The SealPath integration addresses this vulnerability by ensuring that protection travels with the file itself. Whether a file is downloaded, renamed, copied to an external drive, or moved into a different data tier, its cryptographic boundaries remain intact. If an identity cannot open the document manually, the agent cannot use the document to formulate an answer for that identity.

CISO Architecture Guide: Best Practices for Secure Enterprise AI Integration

To safely deploy large language models alongside sensitive data estates, organizations should anchor their architecture around these principles, aligned with the OWASP Top 10 for LLM Applications:

  • Pre-Context Permission Validation: Always enforce identity checks via the SealPath SDK before document content is processed or transmitted to the model context. Validating permissions after data ingestion is a failure point.
  • Enforce User-Context Least Privilege: Avoid running AI agents on broad administrative accounts that have access to all data. Force the agent to operate within the specific user’s identity context.
  • Secure Index Segregation: Prevent the creation of unmanaged vector indexes or caching databases that contain unencrypted, sensitive fragments without respecting original document-level access rights.
  • Context Window Minimization: Restrict the payload sent to external or managed AI models to the absolute minimum required to address the prompt, reducing systemic exposure.
  • Comprehensive Audit Traceability: Log all data requests, user contexts, and SDK authorization outcomes to maintain clean data governance and compliance trails.

Protect Your Autonomous Workflows with SealPath

Adopting advanced AI capabilities should not require sacrificing rigid document governance. The SealPath SDK allows you to bring enterprise-grade Information Rights Management (IRM) directly into your custom applications, RAG pipelines, and agentic workflows.

  • Persistent Cryptographic Boundaries: Ensure security policies travel with the document, protecting files inside and outside your storage network.
  • Identity-Centric Verifications: Validate active user rights automatically before data enters the model context.
  • Robust Compliance Tracking: Maintain complete visibility over which corporate documents are being utilized by automated models.

Harden your enterprise AI deployment and eliminate the risk of oversharing. Contact our engineering team today to integrate the SealPath SDK into your digital workflows.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SealPath
SealPath is the European leader in Data-Centric Security and Enterprise Digital Rights Management, working with significant companies in more than 25 countries. SealPath has been helping organizations from different business verticals such as Manufacturing, Oil and Gas, Retail, Finance, Health, and Public Administration, to protect their data for over a decade. SealPath’s client portfolio includes organizations within the Fortune 500 and Eurostoxx 50 indices. SealPath facilitates the prevention of costly mistakes, reducing the risk of data leakage, ensuring the security of confidential information, and protecting data assets.

Simplifying Monitoring Architecture | Strategic Guide

The Elegance of Simplification

Strategic Architecture for Complex Monitoring Environments

In technology, we often mistake complexity for power. However, a monitoring platform that requires a dedicated team just to keep it alive has lost its way. Pandora FMS 800 LTS Aquarius introduces a streamlined architecture designed to reduce operational friction and maximize SRE agility.

“A tool that is complex to operate is, by definition, a fragile tool. Real power lies in intelligent consolidation, not infinite fragmentation.”

 

The Operational Trinity

Network Server
The versatile backbone. Consolidates WMI, remote scripts, and web UX into a single, agile role.
High Performance Server
The speed specialist. Engineered for 15-second polling intervals in large-scale centralized architectures.
Heavy Server
The data heavyweight. Manages inventory, vulnerability scans, and complex integrations without impacting core polling.

 

Maintainability as a Survival Requirement

Updating a critical system shouldn’t involve “tension and cold sweat.” The new Pandora_Supervisor acts as a conductor, managing updates and restarts transparently to ensure you never go blind during a maintenance window.

  • Efficiency: No CPU cycles wasted on redundant processes.
  • Scalability: Growth in nodes should not lead to growth in maintenance hours.
  • Resilience: Specialized servers allow for granular load balancing and high availability.

NV3 Launch: The New Standard in NAC

The moment we have been waiting for is here. The first production version of NV3 is officially ready, marking a foundational leap for the NACVIEW ecosystem.

This is not our destination, but a departure point—a preview of a long-term evolution. With NV3, we enter a continuous process of refinement, where each new capability brings us closer to absolute security excellence.

Advanced Capabilities for Modern IT

Evolved Architecture
Enables seamless network segmentation and total flexibility for distributed environments.
High-Velocity Performance
Optimized for large-scale networks, delivering effective and rapid access control.
Intelligent Integration
Expanded capabilities that enhance the precision of IT security policy enforcement.
Intuitive Management
A streamlined interface designed to simplify complex system administration and support Zero Trust.
 

Embark on the Journey

We invite you to experience the new era of network control with a complimentary NV3-20 license.

About NACVIEW
A powerful network access control (NAC) solution designed to provide organizations with comprehensive visibility and control over their network infrastructure. Developed by leading network security company, NACVIEW offers advanced features and capabilities to ensure secure and efficient network access for users and devices.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Quantifying ROI: Governing Shadow AI to Cut TCO

AI adoption is no longer a trend; it is a sprint. While 81% of AI usage occurs outside the view of IT departments, the "Shadow AI" phenomenon presents a significant financial risk. To protect the bottom line, IT leaders must shift from simple "shadow" detection to a comprehensive ROI-based governance model.

$4.88M Avg. Cost of a Data Breach
$2.2M Avg. Governance Savings
4% Potential Global Revenue Fine

The Hidden TCO Pillars of Shadow AI

In the age of AI, Total Cost of Ownership (TCO) extends beyond licensing. It includes the "ownership" of risk created by unvetted tools:

Remediation Costs The human labor required to fix AI-generated code hallucinations or clean up prompt-based data spills.
Fragmented Data Value lost when proprietary information is trapped in personal LLM silos rather than centralized assets.
Compliance Liability The financial impact of failed audits and regulatory standards like GDPR or the AI Act.

The Governance Dividend: Calculating ROI

Governing Shadow AI is a strategy of cost avoidance. By implementing automated security controls, organizations effectively eliminate a "shadow tax." According to IBM's 2024 data, extensive use of security AI and automation lowers breach costs by an average of $2.2 million—a direct governance dividend for the proactive enterprise.

A Financial Framework for Cost Control (NIST AI RMF)

Apply these four steps to convert Shadow AI liabilities into managed assets:

  • Govern: Replace blanket bans with safe-use policies that provide a "paved road" for adoption.
  • Map: Use discovery tools to illuminate applications running on your network.
  • Measure: Conduct financial and security risk assessments for high-usage unauthorized tools.
  • Manage: Centralize access through a single pane of glass to enforce identity controls.

Conclusion: Strategic Innovation

IT leaders have the unique opportunity to enable innovation while strictly protecting the organization's financial health. By shedding light on Shadow AI, you stop burning resources on hidden risks and start investing in secure, scalable growth.

About JumpCloud
At JumpCloud, our mission is to build a world-class cloud directory. Not just the evolution of Active Directory to the cloud, but a reinvention of how modern IT teams get work done. The JumpCloud Directory Platform is a directory for your users, their IT resources, your fleet of devices, and the secure connections between them with full control, security, and visibility.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Pandora ITSM – Release OUM #108

This update focuses on administrative centralization, task-level flexibility, and modern security standards.

Strategic New Features & Improvements

1. Centralized Global Inventory Management

We have overhauled the management of global inventory fields. These fields are now handled in a new, unified section, removing the previous redundancy where fields were duplicated across every individual Object Type.

Major Benefits:
  • Ensures superior configuration consistency.
  • Reduces manual errors by eliminating field duplication.
  • Enables more agile and efficient data management.

2. Advanced Customization for Project Tasks

To provide greater flexibility, we have introduced new "Task Types" for project management. This allows teams to define specific custom fields tailored to their unique requirements.

  • Assign a specific Task Type to each project task.
  • Dynamically configure available fields based on the selected type.
  • Capture comprehensive information specific to the project's context.

3. OAuth 2.0 Integration for Microsoft O365

Following Microsoft's updated security policies, legacy connection methods for email are no longer viable. This version integrates OAuth 2.0, providing a secure authentication path for sending and receiving emails through Microsoft servers.

Functional Enhancements & UI Updates

Security & Compliance
  • Mandatory 2FA configuration can now be enforced for all users globally.
  • Applied strict ACL restrictions to user mentions across all modules (Incidents, Projects, Changes).
  • Added expiration dates to session cookies for improved security posture.
Reporting & Visuals
  • Redesigned performance reports now include a column for "non-billable hours".
  • Modernized the Web Console sidebar with redesigned and relocated minimize/maximize controls.
  • Improved the "Operator Detailed" report with a cleaner, intuitive interface.

Vulnerability Remediation

Reference Description Status
Case #3399 Restricted involuntary access to menu items explicitly marked as hidden while maintaining authorized group/user access. Fixed

Summary of Notable Bug Fixes

  • Authentication: Resolved issues with user creation and login via LDAP® and Microsoft AD®.
  • Data Integrity: Blocked the ability to post duplicate comments within Work Units.
  • Reporting: Corrected percentage calculations in general support charts and fixed date filtering in detailed reports.
  • Performance: Implemented database indexing for project tasks to significantly reduce access times.

Note: New installations of PITSM now feature optimized default incident fields and rename "SLA affected" to "SLA triggered" for better clarity.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Understanding Encryption: The Shield of the Digital Age

Encryption sits at the core of nearly every digital system we use today. It is the sophisticated mechanism that transforms readable information into protected data, ensuring privacy, security, and compliance across the globe.

The Golden Rule: Encryption protects Data at Rest (files on your hard drive) and Data in Transit (messages moving across the internet).

 

How Encryption Works

Think of encryption as a high-tech vault. To protect your data, it goes through a four-step journey:

  • Plaintext: Your original, readable information.
  • The Algorithm: The mathematical formula used to scramble the data.
  • The Key: A random string of bits that locks and unlocks the data.
  • Ciphertext: The resulting “scrambled” data that is unreadable without the key.

 

Types of Modern Encryption

 

Symmetric Encryption

Uses a single secret key to both encrypt and decrypt. It is highly efficient and fast, making it the standard for full-disk encryption and database security.

Examples: AES, XChaCha20

 

Asymmetric Encryption

Uses a pair of keys: a Public Key for encryption and a Private Key for decryption. Essential for secure key exchanges over the internet.

Examples: RSA, ECC

 

Why Encryption Matters

Encryption is more than just a security feature; it is a baseline requirement for modern life:

  • Privacy: Prevents ISPs and hackers from “eavesdropping” on your traffic.
  • Security: Reduces the impact of data breaches; stolen data is useless if it is encrypted.
  • Integrity: Ensures that data hasn’t been altered while moving from sender to receiver.
  • Compliance: Mandated by regulations like GDPR and HIPAA to protect sensitive user data.

 

Experience Total Privacy with NordPass

At NordPass, we use the cutting-edge XChaCha20 algorithm to protect your digital vault. This symmetric stream cipher is designed for maximum speed and robust security, ensuring that your passwords, credit card details, and secure notes are always under a 256-bit lock and key.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

2FA Recovery Guide: What to Do If You Lose Your Phone

Using your phone as a Two-Factor Authentication (2FA) device is incredibly convenient—until that phone goes missing. If you find yourself locked out of your accounts because your verification device is lost or stolen, follow these steps to regain control.

Important: If you think your phone was stolen, use “Find My Device” (Android) or “Find My” (iOS) immediately to lock or erase the device remotely. This prevents attackers from accessing your 2FA apps.
 

Immediate Recovery Methods

1. Use Your Backup Recovery Codes

Most major platforms (Google, Microsoft, Facebook) provide a list of one-time recovery codes when you first enable 2FA. If you followed security best practices and stored these in a safe place (like a physical safe or a secure note in a password manager), you can enter one of these codes instead of the mobile verification.

2. SMS Redirection via SIM Swap

If you use SMS-based 2FA, your security is tied to your phone number. Contact your mobile service provider to report the lost phone and request a new SIM card for your existing number. Once the new SIM is activated in a backup device, you will begin receiving 2FA codes again.

Setting Up Your New Device

Once you have a new phone, follow these steps to restore your Google Authenticator or similar apps:

  • Sign in via Backup: Use a backup email or trusted secondary phone number to access your main account.
  • Re-activate Authenticator: Go to your account security settings and select “Set up Authenticator” to generate a new QR code.
  • Sync to Password Manager: Consider using a manager like NordPass to store 2FA seeds or recovery codes so they are accessible from any browser.

 

Future-Proofing: Transition to Passkeys

The safest way to avoid the “lost phone” trap is to adopt Passkeys. Unlike traditional 2FA, Passkeys use cryptographic keys stored securely in the cloud or an encrypted vault. If you lose your phone, your Passkeys remain accessible via your account login on other devices, providing robust security without the single-point-of-failure risk of a physical phone.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Managing Shadow IT Risks

Shadow IT is the use of devices, software, or cloud services without the approval or knowledge of the IT department. While usually driven by a desire for efficiency, it creates significant security blind spots.

Key Takeaways:

  • Enterprises typically use 10x more unsanctioned apps than approved ones.
  • Hybrid work and personal devices (BYOD) have accelerated Shadow IT adoption.
  • Risks include data breaches, compliance violations, and malware exposure.

Why Shadow IT is a Growing Concern

In most cases, employees use Shadow IT not out of malice, but to overcome friction. Common drivers include:

  • SaaS Accessibility: Most cloud tools only require a personal email to sign up.
  • Approval Delays: Official IT cycles can be slower than the pace of a specific project.
  • Feature Gaps: Official tools may lack usability or real-time collaboration features.

Critical Risks to the Organization

Data Breaches & Leakage
Regulatory Non-compliance
Malware & Credential Theft
Operational Disruptions

Detection and Prevention Best Practices

How to Detect Unsanctioned Tools

IT teams can regain visibility through Network Traffic Analysis, Endpoint Monitoring, and auditing Expense Reports to find unauthorized software subscriptions.

Best Practices for Management

  • Establish Clear Policies: Create a simple, fast-track process for tool approvals.
  • Use CASBs: Cloud Access Security Brokers provide visibility into cloud-based data movement.
  • Implement DNS Filtering: Block access to high-risk or unapproved domains at the network level.
  • Employee Education: Train staff to understand that security is a shared responsibility.

Securing the Perimeter with NordLayer

NordLayer helps organizations control Shadow IT through proactive tools like DNS Filtering, which blocks malicious domains, and Application Blocker, which prevents high-risk software from connecting to your network.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Keepit Platform Crowned in Three Categories at Security Today’s CyberSecured Awards 2025

Keepit, a global leader in cloud-native data protection, is proud to announce its recognition at the prestigious 2025 Security Today CyberSecured Awards. For the second consecutive year, Keepit secured top honors in three critical categories:

• Cloud Security
• Data Loss Prevention (DLP)
• Disaster Recovery / Business Continuity

Immutable Backups: The Last Line of Defense

As organizations increasingly rely on SaaS applications and AI, the necessity for robust, immutable backups has never been higher. The Keepit platform helps companies mitigate the risk of data loss resulting from cyberattacks or human error by protecting thirteen key applications, including:

  • Microsoft 365
  • Microsoft Entra ID
  • Okta
  • Google Workspace

“With the increasing use of SaaS applications and AI in critical business operations, immutable backups and rapid recovery are at the center of modern data resilience. This recognition underscores our commitment to security, reliability, and best-in-class data protection.”

— Michele Hayes, CMO at Keepit

This achievement builds on Keepit’s successful year, which included multiple accolades such as being named “Business Continuity Cyber Solution of the Year” and multiple wins at the Global InfoSec Awards.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files

ESET researchers have concluded an in-depth examination of CVE-2025-50165, a Windows Imaging Component vulnerability. Although classified as critical, ESET’s root cause analysis suggests the complexity of exploitation makes large-scale attacks highly improbable.

Technical Distinction: The flaw exists in the encoding and compression stage of a JPG image, not the decoding (rendering) stage. Simply viewing a malicious image will not trigger the vulnerability.

Root Cause: WindowsCodecs.dll

The vulnerability occurs when WindowsCodecs.dll attempts to encode a JPG image using 12-bit or 16-bit data precision. The specific function involved, jpeg_finish_compress, is triggered during specific actions such as saving an image or generating system thumbnails.

Expert Analysis

“Our analysis indicates that exploitation is harder than it appears,” says ESET researcher Romain Dumont. “A host application is only vulnerable if it allows JPG images to be re-encoded, and even then, an attacker would need precise control over heap manipulation and address leaks to achieve remote code execution.”

Key Takeaways

  • Open Source Roots: The component utilizes libjpeg-turbo, which saw similar vulnerabilities patched in late 2024.
  • Reproduction: ESET has successfully reproduced the system crash using a 12-bit/16-bit JPG test method.
  • Status: Microsoft released a patch for this vulnerability in August; users are encouraged to verify their systems are up to date.

For the full technical report, visit WeLiveSecurity.com and search for “Revisiting CVE-2025-50165.”

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.