Beyond Information Security

Threat Newsletter Week 35-36

CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild.

The vulnerabilities in question are listed below –

  • CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”
  • CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution

According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status –

  • TL-WR841N (versions 10.0 and 11.0)
  • TL-WR841ND (version 10.0)
  • Archer C7 (versions 2.0 and 3.0)

However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity.

“The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said. “For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.”

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/09/cisa-flags-tp-link-router-flaws-cve.html

Link: https://www.bleepingcomputer.com/news/security/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited/


6 browser-based attacks all security teams should be ready for in 2025

What security teams need to know about the browser-based attack techniques that are the leading cause of breaches in 2025. “The browser is the new battleground.” “The browser is the new endpoint”.

These are statements you’ll run into time and again as you read articles on websites like this one. But what does this actually mean from a security perspective?

In this article, we’ll explore what security teams are trying to stop attackers from doing in the browser, breaking down what a “browser-based attack” is, and what’s required for effective detection and response.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/6-browser-based-attacks-all-security-teams-should-be-ready-for-in-2025/


Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws.

HexStrike AI, according to its website, is pitched as an AI-driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges.

Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling.

But according to a report from Check Point, threat actors are trying their hand at the tool to gain an adversarial advantage, attempting to weaponize it to exploit recently disclosed security vulnerabilities.

“This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” the cybersecurity company said.

Source: The hacker news / Checkpoint website blog

Link: https://thehackernews.com/2025/09/threat-actors-weaponize-hexstrike-ai-to.html

Link: https://blog.checkpoint.com/executive-insights/hexstrike-ai-when-llms-meet-zero-day-exploitation/


Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

“Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”

The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”

Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.

Such attacks are often launched from botnets of devices, be they computers, IoT devices or other machines, that the threat actors have already infected with malware and brought under their control.

Source: The hacker news

Link: https://thehackernews.com/2025/09/cloudflare-blocks-record-breaking-115.html


Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

The vulnerabilities are listed below –

  • CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
  • CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component

Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.

Source: The hacker news / Bleeping computer / Securityweek / Helpnet security

Link: https://thehackernews.com/2025/09/android-security-alert-google-patches.html

Link: https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-flaws-in-september-update/

Link: https://www.securityweek.com/two-exploited-vulnerabilities-patched-in-android/

Link: https://www.helpnetsecurity.com/2025/09/04/google-fixes-actively-exploited-android-vulnerabilities-cve-2025-48543-cve-2025-38352/


Sitecore Zero-Day Sparks New Round of ViewState Threats

A critical Sitecore zero-day vulnerability is under active exploitation in the latest series of ViewState deserialization attacks this year.

The vulnerability, tracked as CVE-2025-53690 and disclosed on Tuesday, impacts several Sitecore products including Experience Manager (XM), Experience Platform (XP), and Experience Commerce. In a blog post published Wednesday, Mandiant said the zero-day vulnerability is a ViewState deserialization flaw under active exploitation in the wild.

ViewState is a feature of ASP.NET page frameworks that is designed to preserve page and control values between round trips. ASP.NET machine keys are used to protect ViewState from unauthorized access, but if the keys are exposed, a threat actor can commit remote code execution (RCE) and deserialization attacks against a target organization’s servers.

According to Mandiant, that’s exactly what happened with the exploitation of CVE-2025-53690. “In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier,” the blog post said. “An attacker leveraged the exposed ASP.NET machine key to perform remote code execution.”
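The attack described above needs three things to line up: a machineKey that the attacker already knows, a ViewState MAC that is actually enforced with a sound algorithm, and nothing else stopping a forged payload. As an added example (this is not code from Mandiant, Sitecore or Microsoft), the Python script below audits an ASP.NET web.config for exactly those conditions: a static key that matches a published sample, weak validation or decryption settings, and a disabled ViewState MAC. The sample-key list and the two embedded web.config fragments are constructed placeholders; the real key exposed in the old Sitecore guides is not reproduced here.

```python
"""Audit an ASP.NET web.config for machineKey / ViewState weaknesses.

Added example; not Sitecore's, Mandiant's or Microsoft's code. Assumes the
standard layout <configuration><system.web><machineKey .../><pages .../>.
"""
import xml.etree.ElementTree as ET

# Constructed placeholder. Fill this from the vendor guides and advisories that
# apply to your deployments; the key exposed in old Sitecore guides is NOT here.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # pre-HMAC-SHA2 MAC settings
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(web_config_xml: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the machineKey and ViewState MAC settings."""
    root = ET.fromstring(web_config_xml)
    findings: list[tuple[str, str]] = []

    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState is accepted without a MAC"))

    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-app keys, which is fine
        # on a single server (web farms need a shared, unique, secret key instead).
        return findings

    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper().startswith("AUTOGENERATE"):
            continue
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(("critical", f"{attr} matches a published sample key; rotate it now"))
        else:
            findings.append(("info", f"{attr} is static; confirm it is unique to this deployment "
                                     "and was never committed to a repo or a guide"))

    validation = mk.get("validation", "HMACSHA256").upper()   # .NET 4.5+ default assumed
    if validation in WEAK_VALIDATION:
        findings.append(("high", f"validation={validation}; use HMACSHA256 or stronger"))
    decryption = mk.get("decryption", "Auto").upper()
    if decryption in WEAK_DECRYPTION:
        findings.append(("high", f"decryption={decryption}; use AES"))
    return findings


# Constructed web.config fragments: one reflecting the risky pattern, one hardened.
RISKY_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit_machine_key(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against the web.config of each environment. On a single server, auto-generated keys avoid the problem entirely; web farms need a static key shared across nodes, so treat the “info” finding as a prompt to confirm the key was generated for that deployment and to rotate it if its provenance is unclear.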

Source: Dark reading / Helpnet security

Link: https://www.darkreading.com/vulnerabilities-threats/sitecore-zero-day-viewstate-threats

Link: https://www.helpnetsecurity.com/2025/09/04/sitecore-zero-day-vulnerability-cve-2025-53690-exploited/

Threat Newsletter Week 34

Apple Patches CVE-2025-43300 Zero-Day in iOS, iPadOS, and macOS Exploited in Targeted Attacks

Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild.

The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in an advisory.

The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The following versions address the security defect –

  • iOS 18.6.2 and iPadOS 18.6.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iPadOS 17.7.10 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation
  • macOS Ventura 13.7.8 – Macs running macOS Ventura
  • macOS Sonoma 14.7.8 – Macs running macOS Sonoma
  • macOS Sequoia 15.6.1 – Macs running macOS Sequoia

It’s currently not known who is behind the attacks and who may have been targeted, but it’s likely that the vulnerability has been weaponised as part of highly targeted attacks.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/08/apple-patches-cve-2025-43300-zero-day.html

Link: https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-new-actively-exploited-zero-day/


Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution

A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft.

The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said.

  • CVE-2025-31324 (CVSS score: 10.0) – Missing Authorization check in SAP NetWeaver’s Visual Composer development server
  • CVE-2025-42999 (CVSS score: 9.1) – Insecure Deserialization in SAP NetWeaver’s Visual Composer development server

The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March.

Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws, not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infrastructure networks.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2025/08/public-exploit-for-chained-sap-flaws.html

Link: https://www.securityweek.com/new-exploit-poses-threat-to-sap-netweaver-instances/


PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain

Attackers are wielding the sophisticated modular malware while exploiting CVE-2025-29824, a former zero-day flaw in Windows Common Log File System (CLFS) that allows attackers to gain system-level privileges on compromised systems.

Attackers are deploying a sophisticated, modular backdoor that mimics ChatGPT Desktop to disguise itself as part of an attack chain that exploits a critical Windows flaw to deliver the Play ransomware.

A threat group that Microsoft tracks as Storm-2460 is deploying the PipeMagic backdoor in an attack campaign that exploits CVE-2025-29824, an elevation-of-privilege vulnerability in Windows Common Log File System (CLFS) that allows attackers to gain system-level privileges on compromised systems, Microsoft Threat Intelligence (MTI) revealed in a blog post on Aug. 18.

The flaw — found in the CLFS Driver, a kernel-level component that manages logging for different Windows services and applications — was a zero-day flaw when it was discovered in April. Microsoft patched it as part of its April Patch Tuesday raft of security updates.

Source: Dark reading

Link: https://www.darkreading.com/threat-intelligence/pipemagic-backdoor-resurfaces-play-ransomware-attack-chain


GPT-5 Has a Vulnerability: Its Router Can Send You to Older, Less Safe Models

The new GPT-5 is easy to jailbreak. Researchers have discovered the cause – an SSRF-like flaw in its internal routing mechanism.

When you ask GPT-5 a question, the answer may not come from GPT-5. The model includes an initial router that parses the prompt and decides which of the various GPT models to query. It may be the GPT-5 Pro you expect, but it could equally be GPT 3.5, GPT-4o, GPT-5-mini, or GPT-5-nano.

The reasoning behind this variability in the source of the response is probably to balance the LLM’s efficiency (by using faster, lighter and possibly more focused models on the simpler queries) and cost (GPT-5’s strong reasoning capabilities make it very expensive to run). Researchers at Adversa AI have estimated that this re-routing could be saving OpenAI up to $1.86 billion per year. But the process is opaque.

Worse, the researchers at Adversa have discovered and explained that this internal routing can be manipulated by the user to make GPT-5 redirect the query to the user’s model of choice by including specific ‘trigger’ phrases in the prompt.

Adversa has named, or perhaps more accurately described, the vulnerability PROMISQROUTE, which stands for ‘Prompt-based Router Open-Mode Manipulation Induced via SSRF-like Queries, Reconfiguring Operations Using Trust Evasion’. “It’s an evasion attack on the router,” explains Alex Polyakov (co-founder and CEO at Adversa AI). “We manipulate the decision-making process, which is fairly simple, deciding which model should handle the request.”

Source: Securityweek

Link: https://www.securityweek.com/gpt-5-has-a-vulnerability-it-may-not-be-gpt-5-answering-your-call/


The OSINT Intelligence Cycle Part 1: Planning and Direction

Many newcomers to open source intelligence immediately gravitate towards the tools and become reliant on them rather quickly. This becomes problematic when the tools break, become deprecated, or otherwise unavailable. While automation, collection assistance, and visualization tools can help immensely in an investigation, they cannot analyze the work and do your job for you.

One of my most repeated bits of advice for those new to OSINT or those wishing to improve their current OSINT skills is to go back to the basics, namely the intelligence cycle. This series of articles aims to reframe each phase of the intelligence cycle to show specifically how I apply it during one of my OSINT investigations.

The planning and direction phase of the OSINT intelligence cycle is where an analyst should determine their investigative requirements, outline what questions they are attempting to answer, and make note of any special circumstances that might arise due to the target, the situation, or the platforms that might be used.

At best, going into an OSINT investigation without a plan or direction can cause an investigation to take longer than needed. At worst? An investigator may lack the proper dependencies required for the investigation or risk being detected by the target due to technical oversights. During this phase of the intelligence cycle, I tend to take the following steps.

Source: Secjuice

Link: https://www.secjuice.com/osint-intelligence-cycle-part-i-planning-and-direction/

Threat Newsletter Week 32-33

Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws

Microsoft on Tuesday rolled out fixes for a massive set of 111 security flaws across its software portfolio, including one flaw that has been disclosed as publicly known at the time of the release.

Of the 111 vulnerabilities, 16 are rated Critical, 92 are rated Important, two are rated Moderate, and one is rated Low in severity. Forty-four of the vulnerabilities relate to privilege escalation, followed by remote code execution (35), information disclosure (18), spoofing (8), and denial-of-service (4) defects.

This is in addition to 16 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of last month’s Patch Tuesday update, including two spoofing bugs affecting Edge for Android.

Included among the vulnerabilities is a privilege escalation vulnerability impacting Microsoft Exchange Server hybrid deployments (CVE-2025-53786, CVSS score: 8.0) that Microsoft disclosed last week.

The publicly disclosed zero-day is CVE-2025-53779 (CVSS score: 7.2), another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Source: The hacker news / Bleeping Computer / Krebs on security / Securityweek / CISCO Talos intelligence group / SANS internet storm center

Link: https://thehackernews.com/2025/08/microsoft-august-2025-patch-tuesday.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2025-patch-tuesday-fixes-one-zero-day-107-flaws/

Link: https://krebsonsecurity.com/2025/08/microsoft-patch-tuesday-august-2025-edition/

Link: https://www.securityweek.com/microsoft-patches-over-100-vulnerabilities/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-august-2025/

Link: https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192


Adobe Patches Over 60 Vulnerabilities Across 13 Products

Adobe’s August 2025 Patch Tuesday updates address more than 60 vulnerabilities across 3D design, content creation, publishing and other types of products.

The software giant has published 13 new advisories, including five that cover vulnerabilities in Substance 3D products such as Viewer, Modeler, Painter, Sampler, and Stager.

In each of them Adobe patched one or more critical (high severity based on CVSS score) code execution vulnerabilities, and in some of them multiple important (medium severity) memory leaks.

In Commerce and the Magento open source solution Adobe fixed four critical vulnerabilities that can be exploited for privilege escalation, denial of service (DoS), and arbitrary file system read, along with two security feature bypass issues.

In Animate, the company patched one critical arbitrary code execution vulnerability and a memory leak, while in Illustrator it addressed three code execution flaws and one DoS issue.

Source: Securityweek

Link: https://www.securityweek.com/adobe-patches-over-60-vulnerabilities-across-13-products/


WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability.

Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.

“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of a specified path,” WinRAR said in an advisory.

Anton Cherepanov, Peter Kosinar, and Peter Strycek from ESET have been credited for discovering and reporting the security defect, which has been addressed in WinRAR version 7.13 released on July 30, 2025.
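The WinRAR bug is an instance of a general class: an extractor honouring a path stored inside the archive instead of confining its output to the destination the user chose. As an added example (not WinRAR’s or ESET’s code, and not a reproduction of the RAR-specific defect), the Python below shows the check an extractor should make before writing anything. It uses a zip archive built in memory because the Python standard library has no RAR support; the entry names are constructed.

```python
"""Confine archive extraction to the chosen destination directory.

Added example; not WinRAR's or ESET's code and not a reproduction of the
RAR-specific bug. Uses a zip archive built in memory (the Python standard
library has no RAR support); the entry names are constructed.
"""
import io
import tempfile
import zipfile
from pathlib import Path


def _unsafe_name(name: str) -> bool:
    """Reject entry names that try to escape the destination before any I/O happens."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True                      # absolute path or Windows drive letter
    return ".." in norm.split("/")       # any parent-directory component


def _within(base: Path, target: Path) -> bool:
    """Second check after resolving symlinks: the final path must sit under base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract entries that stay inside dest; return (extracted, rejected) entry names."""
    dest_path = Path(dest).resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _unsafe_name(name):
                rejected.append(name)
                continue
            target = dest_path / name.replace("\\", "/")
            if not _within(dest_path, target):
                rejected.append(name)
                continue
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry and two entries that point outside dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../outside.txt", "would land two levels above dest\n")
        zf.writestr("C:/Users/Public/abs.txt", "absolute Windows path\n")
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str], bool]:
    """Extract the sample into a fresh temp dir; also report whether the benign file landed."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_archive(), tmp)
        benign_present = (Path(tmp) / "docs" / "readme.txt").is_file()
    return extracted, rejected, benign_present


if __name__ == "__main__":
    extracted, rejected, ok = run_demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
    print("benign file written:", ok)
```

Two checks are deliberate: the lexical test on the entry name rejects obvious escapes before touching the filesystem, and the post-resolve containment test catches cases the first one cannot see, such as a directory inside the destination that is a symlink to somewhere else.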

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/08/winrar-zero-day-under-active.html

Link: https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks/


Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

The issue, reported by its own Offensive Security team, affects the following products –

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10

The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution.

Source: The hacker news

Link: https://thehackernews.com/2025/08/zoom-and-xerox-release-critical.html


Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code

Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild.

The vulnerability, tracked as CVE-2025-25256, carries a CVSS score of 9.8 out of a maximum of 10.0.

“An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” the company said in a Tuesday advisory.

The following versions are impacted by the flaw –

  • FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
  • FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
  • FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
  • FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
  • FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
  • FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)
  • FortiSIEM 7.4 (Not affected)

Fortinet acknowledged in its advisory that a “practical exploit code for this vulnerability was found in the wild,” but did not share any additional specifics about the nature of the exploit and where it was found. It also noted that the exploitation code does not appear to produce distinctive indicators of compromise (IoCs).

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/08/fortinet-warns-about-fortisiem.html

Link: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-fortisiem-pre-auth-rce-flaw-with-exploit-in-the-wild/


ICS Patch Tuesday: Major Vendors Address Code Execution Vulnerabilities

August 2025 Patch Tuesday advisories have been published by several major companies offering industrial control system (ICS) and other operational technology (OT) solutions.

Siemens has published 22 new advisories. One of them is for CVE-2025-40746, a critical Simatic RTLS Locating Manager issue that can be exploited by an authenticated attacker for code execution with System privileges.

The company has also published advisories covering high-severity vulnerabilities in Comos (code execution), Siemens Engineering Platforms (code execution), Simcenter (crash or code execution), Sinumerik controllers (unauthorized remote access), Ruggedcom (authentication bypass with physical access), Simatic (code execution), Siprotect (DoS), and Opcenter Quality (unauthorized access).

Siemens also addressed vulnerabilities introduced by the use of third-party components, including OpenSSL, Linux kernel, Wibu Systems, Nginx, Nozomi Networks, and SQLite.

Medium- and low-severity issues have been resolved in Simotion Scout, Siprotec 5, Simatic RTLS Locating Manager, Ruggedcom ROX II, and Sicam Q products. As usual, Siemens has released patches for many of these vulnerabilities, but only mitigations or workarounds are available for some of the flaws.

Source: Securityweek

Link: https://www.securityweek.com/ics-patch-tuesday-major-vendors-address-code-execution-vulnerabilities/


SAP Patches Critical S/4HANA Vulnerability

SAP has fixed more than a dozen vulnerabilities with its August 2025 Patch Tuesday updates, including critical vulnerabilities.

This Patch Tuesday — or as the enterprise software giant calls it, Security Patch Day — 15 new security notes (fixes) have been released, along with four updates to previous fixes.

Onapsis, a company specializing in enterprise application security, which often finds SAP product vulnerabilities, pointed out that the vendor has released a total of 26 new and updated fixes since the previous Patch Tuesday.

Of these 26 fixes, four have been classified as ‘hot news’ or ‘critical’, including two that are new and two updates to previous patches. The new ‘hot news’ patches are for CVE-2025-42950 and CVE-2025-42957, which have been described as code injection issues.

According to Onapsis, they can be exploited for arbitrary code execution, which can lead to a full system compromise.

CVE-2025-42950 and CVE-2025-42957 are the same vulnerability, Onapsis said, but different CVEs have been assigned to different products. CVE-2025-42957 has been assigned to the S/4HANA enterprise resource planning (ERP) software, while CVE-2025-42950 is for the older generation of the ERP software, ERP Central Component (ECC).

Source: Securityweek

Link: https://www.securityweek.com/sap-patches-critical-s-4hana-vulnerability/


Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

PS1Bot features a modular design, with several modules delivered to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.

PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.

PS1Bot distribution campaigns have been extremely active since early 2025, with new samples being observed frequently throughout the year.

The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/ps1bot-malvertising-campaign/

Threat Newsletter Week 30-31

Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome

Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month.

The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser’s ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.

While there are no details on how the issue has been weaponized by threat actors, Google acknowledged that an “exploit for CVE-2025-6558 exists in the wild.” Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the shortcoming.

The iPhone maker, in its latest round of software updates, also included patches for CVE-2025-6558, stating the vulnerability impacts the WebKit browser engine that powers its Safari browser.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.html

Link: https://www.bleepingcomputer.com/news/security/apple-patches-security-flaw-exploited-in-chrome-zero-day-attacks/

Link: https://www.securityweek.com/apple-patches-safari-vulnerability-flagged-as-exploited-against-chrome/


Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices

Sophos and SonicWall have alerted users of critical security flaws in Sophos Firewall and Secure Mobile Access (SMA) 100 Series appliances that could be exploited to achieve remote code execution.

The two vulnerabilities impacting Sophos Firewall are listed below –

  • CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode
  • CVE-2025-7624 (CVSS score: 9.8) – An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA

Sophos said CVE-2025-6704 affects about 0.05% of devices, while CVE-2025-7624 impacts as many as 0.73% of devices. Both vulnerabilities have been addressed alongside a high-severity command injection vulnerability in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could result in pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html

Link: https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/


Kali Linux can now run in Apple containers on macOS systems

Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apple’s new containerization framework.

During WWDC 2025, Apple announced a new containerization framework that allows Apple Silicon hardware to run isolated Linux distros in its virtualized environment, similar to Microsoft Windows Subsystem for Linux 2 (WSL2).

To get started, users on macOS Sequoia with Apple Silicon can install the container CLI via Homebrew and initialize Apple’s container framework:

brew install --cask container

container system start

You can then launch Kali Linux using the following command, which pulls the kalilinux/kali-rolling image from Docker Hub and runs it inside a VM on macOS.

container run --rm -it kalilinux/kali-rolling

You can also mount a local directory from the host into the Kali container with a command like:

container run --remove --interactive --tty --volume $(pwd):/mnt --workdir /mnt docker.io/kalilinux/kali-rolling:latest

This command allows you to access files on the host device from within the container.

However, there are some limitations to the new feature, as it’s only available on Apple Silicon and does not support Intel Macs.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-apple-containers-on-macos-systems/


Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware

Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.

Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics.

Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.

The Auto-Color malware was first documented by Palo Alto Networks’ Unit 42 researchers in February 2025, who highlighted its evasive nature and how difficult it is to eradicate once it has established a foothold on a machine.

The backdoor adjusts its behavior based on the privilege level it runs with and, when it has root, uses /etc/ld.so.preload for persistence: a shared object listed there is injected into every dynamically linked process the system starts, which is both stealthy and hard to remove cleanly.
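As an added example (illustrative detection logic written for this newsletter, not code from the Darktrace or Unit 42 reports), the following audits an ld.so.preload file the way a responder would when checking a host for this persistence technique. The parser follows glibc’s loader rules for the file (entries separated by whitespace or ‘:’, ‘#’ comments); the trusted-directory list and the sample file content are assumptions constructed for the example.

```python
"""Audit ld.so.preload content for entries that look like injected persistence.

Illustrative code for this newsletter; not from the Darktrace or Unit 42 analyses.
The sample content at the bottom is constructed, not a real capture.
"""
import os
import re

# Assumption: on a typical distribution a legitimately preloaded library lives
# under one of these prefixes. Anything else deserves a closer look.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_preload(text: str) -> list[str]:
    """Return the shared-object paths listed in ld.so.preload content.

    glibc's loader treats the file as a list separated by whitespace or ':'
    and ignores everything after '#' on a line.
    """
    entries: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.extend(p for p in re.split(r"[\s:]+", line) if p)
    return entries


def assess_entry(path: str, exists: bool = True) -> list[str]:
    """List the reasons one preload entry looks suspicious (empty list = none)."""
    findings = []
    if not path.startswith("/"):
        findings.append("relative path")
    if not path.startswith(TRUSTED_LIB_DIRS):
        findings.append("outside standard library directories")
    if any(part.startswith(".") for part in path.split("/") if part):
        findings.append("hidden path component")
    if path.startswith(STAGING_DIRS):
        findings.append("lives in a world-writable staging directory")
    if not exists:
        findings.append("file missing (loader will complain for every process)")
    return findings


def audit_preload(text: str, exists=os.path.exists) -> dict[str, list[str]]:
    """Map every listed library to its findings. `exists` is injectable so the
    constructed sample can be audited without touching the filesystem."""
    return {p: assess_entry(p, exists(p)) for p in parse_preload(text)}


# Constructed sample (not a real capture): one ordinary entry, one injected one.
SAMPLE_PRELOAD = """# system preload list
/usr/lib/x86_64-linux-gnu/libexample.so.1
/var/tmp/.cache/libx.so   # added by an attacker
"""

if __name__ == "__main__":
    target = "/etc/ld.so.preload"
    if os.path.exists(target):
        with open(target, encoding="utf-8", errors="replace") as fh:
            report = audit_preload(fh.read())
    else:
        print(f"{target} absent (normal on most hosts); auditing the sample instead")
        report = audit_preload(SAMPLE_PRELOAD, exists=lambda _p: True)
    for lib, findings in report.items():
        print(lib, "->", "; ".join(findings) or "nothing unusual")
```

One caveat when running this on a live host: a preloaded library that hooks libc can hide the preload file itself from tools that go through the hooked functions, so read the file from a statically linked binary or from an offline image rather than trusting the first `cat` you run.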

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/hackers-exploit-sap-netweaver-bug-to-deploy-linux-auto-color-malware/


Palo Alto Networks Grabs IAM Provider CyberArk for $25B

Palo Alto Networks has agreed to acquire CyberArk for approximately $25 billion, thrusting the networking and next-generation firewall giant into the identity and access management (IAM) space.

Under terms of the agreement, which was announced Wednesday morning, CyberArk shareholders will receive $45 in cash and approximately 2.2 shares of Palo Alto Networks common stock per CyberArk share. The deal is expected to close during the second half of Palo Alto Networks’ fiscal 2026.

CyberArk was founded in 1999, establishing a strong presence in the IAM market with core offerings like single sign-on and multifactor authentication, as well as privileged access management (PAM) and machine identity services. The vendor made numerous acquisitions of its own over the years, the most notable of which was last year’s $1.54 billion deal for Venafi, which specialized in machine identity management.

The addition of CyberArk gives Palo Alto Networks a key piece for its widening cybersecurity portfolio. Since its founding in 2005, the company has steadily expanded beyond its network security and firewall roots into cloud security, extended detection and response, and secure access service edge.

Source: Dark reading / Securityweek

Link: https://www.darkreading.com/identity-access-management-security/palo-alto-networks-grabs-iam-provider-cyberark-for-25b

Link: https://www.securityweek.com/palo-alto-networks-to-acquire-cyberark-for-25-billion/


IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy

Phishing remained the top method of initial access this quarter, appearing in a third of all engagements – a decrease from 50 percent last quarter. Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security controls and gaining targets’ trust. Interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data.  

Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Cisco Talos Incident Response (Talos IR) responded to Qilin ransomware for the first time, identifying previously unreported tools and tactics, techniques, and procedures (TTPs), including a new data exfiltration method. Our observations of Qilin activity indicate a potential expansion of the group and/or an increase in operational tempo in the foreseeable future, warranting this as a threat to monitor. Additionally, ransomware actors leveraged a dated version of PowerShell, PowerShell 1.0, in a third of ransomware and pre-ransomware engagements this quarter, likely to evade detection and gain more flexibility for their offensive capabilities.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/ir-trends-q2-2025/


Why CISOs should rethink identity risk through attack paths

Identity-based attack paths are behind most breaches today, yet many organizations can’t actually see how those paths form. The 2025 State of Attack Path Management report from SpecterOps makes the case that traditional tools like identity governance, PAM, and MFA aren’t enough. They help manage access, but they miss the bigger problem: how identity and privilege sprawl across the environment in ways that attackers can string together.

Attack Path Management (APM) is a continuous security practice, not a one-time project. It helps organizations map, understand, and dismantle the chains of access and control that attackers exploit.

The real problem is privilege chaining. Researchers contrast two models: access graphs and attack graphs. Access graphs show who has access to what, often for audits or compliance. But attackers don’t care about who’s authorized, they care about what’s reachable. Attack graphs show how identities, sessions, and permissions can be chained together to reach critical assets, even when each link looks harmless on its own.

This shift in perspective helps explain why identity compromise is so hard to detect or prevent. Most tools can tell you whether a credential is being used. Few can show whether that credential is just one hop away from Domain Admin.
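The access-graph versus attack-graph distinction, as an added example written for this newsletter (illustrative code, not SpecterOps’ or BloodHound’s). The edge types are a constructed subset of the relationships attack-path tools model, and the identities and hosts are made up; the point is that an access review answers “what is alice entitled to?” while a breadth-first search over the same edges answers “how many hops is alice from Domain Admins?”.

```python
"""Access graph vs attack graph on a tiny constructed identity graph."""
from collections import Counter, deque

# Constructed directed edges (source, relationship, target). Each looks
# harmless on its own; the question is what they chain into.
EDGES = [
    ("alice",      "MemberOf",   "Helpdesk"),
    ("Helpdesk",   "AdminTo",    "WS01"),          # helpdesk is local admin on a workstation
    ("WS01",       "HasSession", "svc_backup"),    # a service account is logged on there
    ("svc_backup", "MemberOf",   "Backup Ops"),
    ("Backup Ops", "GenericAll", "Domain Admins"), # delegated full control over the group
    ("bob",        "MemberOf",   "Finance"),
    ("Finance",    "CanRDP",     "FS01"),
]


def access_view(principal, edges=EDGES):
    """What an access review shows: the principal's direct entitlements only."""
    return [(rel, tgt) for src, rel, tgt in edges if src == principal]


def shortest_attack_path(start, target, edges=EDGES):
    """Breadth-first search over the attack graph. Returns the chain of
    (node, relationship, node) edges from start to target, or None."""
    adj = {}
    for src, rel, tgt in edges:
        adj.setdefault(src, []).append((rel, tgt))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    path, cur = [], target
    while parent[cur] is not None:
        prev, rel = parent[cur]
        path.append((prev, rel, cur))
        cur = prev
    path.reverse()
    return path


def hops_to(start, target, edges=EDGES):
    """Number of edges on the shortest path, or None if the target is unreachable."""
    path = shortest_attack_path(start, target, edges)
    return None if path is None else len(path)


def choke_points(starts, target, edges=EDGES):
    """Count how often each edge appears on the shortest paths from `starts`
    to `target`; the edges with the highest counts are the ones to cut first."""
    counts = Counter()
    for s in starts:
        for edge in shortest_attack_path(s, target, edges) or []:
            counts[edge] += 1
    return counts


if __name__ == "__main__":
    print("access view of alice:", access_view("alice"))
    print("attack path alice -> Domain Admins:")
    for src, rel, tgt in shortest_attack_path("alice", "Domain Admins"):
        print(f"  {src} -[{rel}]-> {tgt}")
    print("choke points:", choke_points(["alice", "svc_backup", "bob"], "Domain Admins").most_common(2))
```

Cutting the single GenericAll edge removes every path in this graph that reaches Domain Admins, which is the kind of remediation an attack graph surfaces and an access list does not.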

Source: Helpnet security

Link: https://www.helpnetsecurity.com/2025/07/30/ciso-attack-path-management-apm/

Threat Newsletter Week 28-29

Max severity Cisco ISE bug allows pre-auth command execution, patch now

A critical vulnerability (CVE-2025-20337) in Cisco’s Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

The security issue received the maximum severity rating, 10 out of 10, and is caused by insufficient user-supplied input validation checks.

It was discovered by Kentaro Kawane, a researcher at the Japanese cybersecurity firm GMO Cybersecurity by Ierae, and reported through Trend Micro’s Zero Day Initiative (ZDI).

A remote, unauthenticated attacker could exploit it by submitting a specially crafted API request. The vulnerability was added in an update to the security bulletin for CVE-2025-20281 and CVE-2025-20282, two similar maximum-severity RCE vulnerabilities that impact ISE and ISE-PIC versions 3.3 and 3.4.

Source: Bleeping computer / Securityweek

Link: https://www.bleepingcomputer.com/news/security/max-severity-cisco-ise-bug-allows-pre-auth-command-execution-patch-now/

Link: https://www.securityweek.com/cisco-patches-another-critical-ise-vulnerability/


Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

„An improper neutralization of special elements used in an SQL command (‚SQL Injection‘) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,“ Fortinet said in an advisory released this week.

The shortcoming impacts the following versions –

  • FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
  • FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
  • FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
  • FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for discovering the issue.

Source: The hacker news

Link: https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html


CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild.

The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It’s also called Citrix Bleed 2 owing to its similarities with Citrix Bleed (CVE-2023-4966).

„Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation,“ the agency said. „This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.“

CISA pointed out that flaws like CVE-2025-5777 are frequent attack vectors for malicious cyber actors and pose significant risk to federal enterprises. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to implement mitigations by the end of today, July 11.

Source: The hacker news / Securityweek / Bleeping computer

Link: https://thehackernews.com/2025/07/cisa-adds-citrix-netscaler-cve-2025.html

Link: https://www.securityweek.com/citrixbleed-2-flaw-poses-unacceptable-risk-cisa/

Link: https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/


Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild

A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according to Huntress.

The vulnerability, tracked as CVE-2025-47812 (CVSS score: 10.0), is a case of improper handling of null (‚\0‘) bytes in the server’s web interface, which allows for remote code execution. It has been addressed in version 7.4.4.

„The user and admin web interfaces mishandle ‚\0‘ bytes, ultimately allowing injection of arbitrary Lua code into user session files,“ according to an advisory for the flaw on CVE.org. „This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).“
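The bug class described in the advisory, as an added example written for this newsletter: illustrative code only, not Wing FTP Server code, and it does not reproduce CVE-2025-47812. The user store, the C-style helper and the toy session format are constructed. The pattern to look for is two layers that see different strings: a NUL-terminated check that stops at the first 0x00 byte, and a persistence step that writes the full, untruncated value into a file that is later interpreted as code.

```python
"""NUL-byte truncation: validated string != persisted string (vulnerable vs fixed)."""
import json
import re

USERS = {"anonymous": "guest", "alice": "staff"}   # constructed user store


def c_string(raw: bytes) -> bytes:
    """Mimic a NUL-terminated C API: the value ends at the first 0x00 byte."""
    return raw.split(b"\x00", 1)[0]


def lookup_user_vulnerable(raw_username: bytes):
    # The existence check goes through the C-style view of the name...
    return USERS.get(c_string(raw_username).decode("latin-1"))


def build_session_vulnerable(raw_username: bytes) -> str:
    """...but the session record is built from the untruncated bytes, so
    whatever follows the NUL is written into a file later treated as code."""
    role = lookup_user_vulnerable(raw_username)
    if role is None:
        raise PermissionError("unknown user")
    username = raw_username.decode("latin-1")   # full bytes, NUL included
    return f'session = {{ user = "{username}", role = "{role}" }}\n'


USERNAME_RE = re.compile(rb"[A-Za-z0-9_.-]{1,64}")


def build_session_fixed(raw_username: bytes) -> str:
    """Validate the exact bytes that will be persisted before any other layer
    sees them, and serialize with an encoder instead of formatting into code."""
    if not USERNAME_RE.fullmatch(raw_username):
        raise ValueError("username contains disallowed bytes")
    username = raw_username.decode("ascii")
    role = USERS.get(username)
    if role is None:
        raise PermissionError("unknown user")
    return json.dumps({"user": username, "role": role})


if __name__ == "__main__":
    crafted = b"anonymous\x00-- bytes the check never saw"
    print("vulnerable lookup:", lookup_user_vulnerable(crafted))
    print("vulnerable session:", build_session_vulnerable(crafted).encode())
    try:
        build_session_fixed(crafted)
    except ValueError as exc:
        print("fixed:", exc)
```

The same mismatch appears wherever a length-aware runtime (Lua, Python, Java) hands a value to a NUL-terminated C API and back; rejecting control bytes at the trust boundary, on the raw bytes, closes the whole class rather than one path.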

Source: The hacker news / Huntress blog

Link: https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html

Link: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild


Fully Patched SonicWall Gear Under Likely Zero-Day Attack

A threat actor linked to the Abyss ransomware campaign appears to be exploiting a zero-day flaw to plant a stealthy new backdoor on fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series devices.

What makes this campaign especially dangerous is the attackers’ use of stolen local administrator credentials and one-time password seeds from previous intrusions, leaving organizations vulnerable to repeat attacks.

Researchers at Google’s Threat Intelligence Group (GTIG) are still piecing together how the attackers are harvesting those credentials, but they suspect the criminals are exploiting other known SonicWall flaws to get initial access.

The ultimate goal of the campaign appears to be data theft, extortion, and ransomware deployment. GTIG is tracking the threat cluster as UNC6148, a format it uses to designate uncategorized intrusion activity on which it is still gathering information. Available telemetry suggests that malicious activity related to the ongoing campaign may have started as early as October 2024.

Source: Dark reading / Securityweek

Link: https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack

Link: https://www.securityweek.com/sonicwall-sma-appliances-targeted-with-new-overstep-malware/


Talos IR ransomware engagements and the significance of timeliness in incident response

As ransomware threat actors continuously decrease their dwell time — here defined as the duration between initial access and encryption — it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity Magazine, CyberScoop, Orca, ThreatDown). Early intervention and remediation can significantly mitigate or even wholly prevent repercussions of ransomware attacks, such as financial loss, reputational damage and legal repercussions, as exemplified by a comparison of two recent Talos IR engagements.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/talos-ir-ransomware-engagements-and-the-significance-of-timeliness-in-incident-response/

Threat Newsletter Week 26-27

Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials

Cisco has released security updates to address a maximum-severity security flaw in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) that could permit an attacker to log in to a susceptible device as the root user, giving them full control of the system.

The vulnerability, tracked as CVE-2025-20309, carries a CVSS score of 10.0.

„This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,“ Cisco said in an advisory released Wednesday.

„An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.“

Hard-coded credentials like this usually come from testing or quick fixes during development, but they should never make it into live systems. In tools like Unified CM that handle voice calls and communication across a company, root access can let attackers move deeper into the network, listen in on calls, or change how users log in.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2025/07/critical-cisco-vulnerability-in-unified.html

Link: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/

Link: https://www.securityweek.com/cisco-warns-of-hardcoded-credentials-in-enterprise-software/


Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

„Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,“ according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

Type confusion vulnerabilities can have severe consequences as they can be exploited to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html

Link: https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/

Link: https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/


Citrix warns of login issues after NetScaler auth bypass patch

Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gateway appliances.

This happens because starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header, which mitigates risks associated with cross-site scripting (XSS), code injection, and other client-side attacks, is enabled by default.

However, while it is designed to block unauthorized scripts and external content from executing in the browser, the policy also inadvertently restricts legitimate scripts or resources loaded by Duo configurations based on RADIUS authentication, other integrations, custom SAML setups, or other IdP configurations that do not comply with the strict CSP rules.
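Why a strict default policy breaks an external login integration, as an added example written for this newsletter (not NetScaler or Citrix code): a simplified CSP source-list matcher that evaluates which of a login page’s scripts a given Content-Security-Policy header would block. It ignores nonces, hashes, 'strict-dynamic', ports and path matching, and the gateway origin, IdP origin and policies below are constructed, not Citrix’s actual header.

```python
"""Simplified CSP script-src evaluation: strict policy vs allow-listed IdP origin."""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'directive sources; directive sources' into a dict."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host(netloc: str) -> str:
    return netloc.partition(":")[0].lower()   # simplification: ports ignored


def source_allowed(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit loading `url` from `page_origin`?"""
    u, page = urlsplit(url), urlsplit(page_origin)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, _host(u.netloc)) == (page.scheme, _host(page.netloc))
    if src.startswith("'"):        # 'unsafe-inline', 'nonce-...': not a host match
        return False
    if src == "*":
        return u.scheme in ("http", "https")
    if "://" in src:               # scheme given: it must match exactly
        p = urlsplit(src)
        schemes, pattern_host = {p.scheme}, _host(p.netloc)
    else:                          # scheme-less host: page scheme, or https
        schemes, pattern_host = {page.scheme, "https"}, _host(src)
    if u.scheme not in schemes:
        return False
    url_host = _host(u.netloc)
    if pattern_host.startswith("*."):
        return url_host.endswith(pattern_host[1:])
    return url_host == pattern_host


def script_allowed(header: str, url: str, page_origin: str) -> bool:
    """script-src governs scripts; default-src is the fallback; neither means no limit."""
    policy = parse_csp(header)
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_allowed(s, url, page_origin) for s in sources)


def blocked_scripts(header: str, urls, page_origin: str) -> list[str]:
    """The scripts a login page would fail to load under `header`."""
    return [u for u in urls if not script_allowed(header, u, page_origin)]


# Constructed: the gateway's own origin, a strict default policy, and the
# same policy with one external identity-provider origin allow-listed.
GATEWAY = "https://gateway.example.net"
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
RELAXED_CSP = "default-src 'self'; script-src 'self' https://idp.example.com; object-src 'none'"
LOGIN_SCRIPTS = [
    "https://gateway.example.net/js/login.js",   # served by the gateway itself
    "https://idp.example.com/sdk/auth.js",       # external MFA / IdP integration
]

if __name__ == "__main__":
    print("strict  blocks:", blocked_scripts(STRICT_CSP, LOGIN_SCRIPTS, GATEWAY))
    print("relaxed blocks:", blocked_scripts(RELAXED_CSP, LOGIN_SCRIPTS, GATEWAY))
```

The fix that keeps the protection is the second policy: add the specific origin the integration loads from rather than disabling the header, and keep `object-src 'none'` and the `'self'` defaults in place.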

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/citrix-warns-of-login-issues-after-netscaler-auth-bypass-patch/


Cybercriminal abuse of large language models

Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from.

LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.”

For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-models/


NTLM relay attacks are back from the dead

NTLM relay attacks are the easiest way for an attacker to compromise domain-joined hosts. While many security practitioners think NTLM relay is a solved problem, it is not – and, in fact, it may be getting worse. Anecdotally, they are used in most attacks seen by my employer’s consulting arm and have gotten much more common in the last few years.

With most environments vulnerable, NTLM sets the stage for lateral movement and privilege escalation. These attacks originate from Authenticated Users and can often reach Tier Zero, resulting in a large exposure and a critical impact.

Here’s an introduction to how these attacks work, what they can target, and how to defend against them.

Source: Helpnet Security

Link: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/


Identifying and abusing Azure Arc for hybrid escalation and persistence

My research into Microsoft Azure Arc began during a recent red team operation where we stumbled across a PowerShell script containing a hardcoded Service Principal secret that was responsible for deploying Arc to on-premises systems. I didn’t know much about the service, so I started doing some research to determine what we could do with the recovered credentials. We ended up being able to use techniques documented in prior research on this topic to gain code execution on a domain controller and pivot back up into Microsoft Azure, but this got me thinking about some broader questions related to Arc: How do you identify it in environments? What (mis)configurations could exist that would allow for escalation? What other code execution vectors exist within it? Could it be used as an out-of-band persistence mechanism?

Source: IBM security intelligence

Link: https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence

Threat Newsletter Week 24-25

Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild.

Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws.

The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.

The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV (CVE-2025-33053, CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL.

The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It’s worth mentioning that CVE-2025-33053 is the first zero-day vulnerability to be disclosed in the WebDAV standard.

Source: The hacker news / Bleeping computer / Krebs on security / Securityweek / CISCO Talos intelligence group / SANS internet storm center

Link: https://thehackernews.com/2025/06/microsoft-patches-67-vulnerabilities.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2025-patch-tuesday-fixes-exploited-zero-day-66-flaws/

Link: https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/

Link: https://www.securityweek.com/microsoft-patch-tuesday-covers-webdav-flaw-marked-as-already-exploited/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/

Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032


Water Curse Employs 76 GitHub Accounts to Deliver Multi-Stage Malware Campaign

Cybersecurity researchers have exposed a previously unknown threat actor known as Water Curse that relies on weaponized GitHub repositories to deliver multi-stage malware.

„The malware enables data exfiltration (including credentials, browser data, and session tokens), remote access, and long-term persistence on infected systems,“ Trend Micro researchers Jovit Samaniego, Aira Marcelo, Mohamed Fahmy, and Gabriel Nicoleta said in an analysis published this week.

The „broad and sustained“ campaign, first spotted last month, set up repositories offering seemingly innocuous penetration testing utilities, but hid malicious payloads such as an SMTP email bomber and Sakura-RAT inside their Visual Studio project configuration files, so the payload runs when the project is built rather than when the tool is used.

Water Curse’s arsenal incorporates a wide range of tools and programming languages, underscoring their cross-functional development capabilities to target the supply chain with „developer-oriented information stealers that blur the line between red team tooling and active malware distribution.“

„Upon execution, the malicious payloads initiated complex multistage infection chains utilizing obfuscated scripts written in Visual Basic Script (VBS) and PowerShell,“ the researchers said. „These scripts downloaded encrypted archives, extracted Electron-based applications, and performed extensive system reconnaissance.“

Source: The hacker news / Dark reading / Securityweek

Link: https://thehackernews.com/2025/06/water-curse-hijacks-76-github-accounts.html

Link: https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-cybersecurity-pros-github-repos

Link: https://www.securityweek.com/new-campaigns-distribute-malware-via-open-source-hacking-tools/


CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed a security flaw impacting the Linux kernel in its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.

The vulnerability, CVE-2023-0386 (CVSS score: 7.8), is an improper ownership bug in the Linux kernel that could be exploited to escalate privileges on susceptible systems. It was patched in early 2023.

„Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount,“ the agency said.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2025/06/cisa-warns-of-active-exploitation-of.html

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-exploiting-linux-flaw-with-poc-exploit/

Link: https://www.securityweek.com/linux-security-new-flaws-allow-root-access-cisa-warns-of-old-bug-exploitation/


Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.

The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.

„A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user,“ the company said in an advisory.

CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/06/veeam-patches-cve-2025-23121-critical.html

Link: https://www.bleepingcomputer.com/news/security/new-veeam-rce-flaw-lets-domain-users-hack-backup-servers/


Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms

The notorious cybercrime group known as Scattered Spider (aka UNC3944) that recently targeted various U.K. and U.S. retailers has begun to target major insurance companies, according to Google Threat Intelligence Group (GTIG).

„Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,“ John Hultquist, chief analyst at GTIG, said in an email Monday.

„We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.“

Scattered Spider is the name assigned to an amorphous collective that’s known for its use of advanced social engineering tactics to breach organizations. In recent months, the threat actors are believed to have forged an alliance with the DragonForce ransomware cartel in the wake of the latter’s supposed takeover of RansomHub’s infrastructure.

However, GTIG told The Hacker News that it has not seen any evidence of Scattered Spider collaborating with DragonForce or using its ransomware.

„The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics,“ SOS Intelligence said.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/06/google-warns-of-scattered-spider.html

Link: https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/


Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction

A novel attack technique named EchoLeak has been characterized as a „zero-click“ artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 (M365) Copilot’s context without any user interaction.

The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already addressed by Microsoft. There is no evidence that the shortcoming was exploited maliciously in the wild.

„AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network,“ the company said in an advisory released Wednesday. It has since been added to Microsoft’s Patch Tuesday list for June 2025, taking the total number of fixed flaws to 68.

Aim Security, which discovered and reported the issue, said it’s an instance of a large language model (LLM) Scope Violation that paves the way for indirect prompt injection, leading to unintended behavior.

LLM Scope Violation occurs when an attacker’s instructions embedded in untrusted content, e.g., an email sent from outside an organization, successfully tricks the AI system into accessing and processing privileged internal data without explicit user intent or interaction.

Source: The hacker news / Bleeping computer / Dark reading / aim security blog

Link: https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html

Link: https://www.bleepingcomputer.com/news/security/zero-click-ai-data-leak-flaw-uncovered-in-microsoft-365-copilot/

Link: https://www.darkreading.com/application-security/researchers-detail-zero-click-copilot-exploit-echoleak

Link: https://www.aim.security/lp/aim-labs-echoleak-blogpost

Threat Newsletter Week 22-23

Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.

The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability.

„A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems,“ the company said in an advisory.

The networking equipment maker, which credited Kentaro Kawane of GMO Cybersecurity for reporting the flaw, noted it’s aware of the existence of a proof-of-concept (PoC) exploit. There is no evidence that it has been maliciously exploited in the wild.

Source: The hacker news / Bleeping computer / Dark reading / Securityweek / CISCO security advisory

Link: https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-flaws-with-public-exploit-code/

Link: https://www.darkreading.com/vulnerabilities-threats/cisco-warns-critical-static-credential-vulnerability

Link: https://www.securityweek.com/cisco-patches-critical-ise-vulnerability-with-public-poc/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7


Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems.

According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments.

„Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems,“ security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko said in a report shared with The Hacker News.

„Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines.“

While work on the „remote administration tool“ started way back in 2017, it did not attract attention until December 2022, when it was put to use in a malicious campaign targeting public-facing web applications hosted on Linux systems with the XMRig cryptocurrency miner.

Source: The hacker news

Link: https://thehackernews.com/2025/06/chaos-rat-malware-targets-windows-and.html


New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch

Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild.

The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.

„Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,“ reads the description of the bug on the NIST’s National Vulnerability Database (NVD).

Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It also noted that the issue was addressed the next day by pushing out a configuration change to the Stable version of the browser across all platforms.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html

Link: https://www.securityweek.com/google-researchers-find-new-chrome-zero-day/


Critical Fortinet flaws now exploited in Qilin ransomware attacks

The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.

Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the „Agenda“ name and has since claimed responsibility for over 310 victims on its dark web leak site.

Its victim list also includes high-profile organizations, such as automotive giant Yangfeng, publishing giant Lee Enterprises, Australia’s Court Services Victoria, and pathology services provider Synnovis. The Synnovis incident impacted several major NHS hospitals in London, which forced them to cancel hundreds of appointments and operations.

Threat intelligence company PRODAFT, which spotted these new and partially automated Qilin ransomware attacks targeting several Fortinet flaws, also revealed that the threat actors are currently focusing on organizations from Spanish-speaking countries, but they expect the campaign to expand worldwide.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-exploited-in-qilin-ransomware-attacks/


Hewlett Packard Enterprise warns of critical StoreOnce auth bypass

Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution.

Among the flaws fixed this time are a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, four remote code execution bugs, two directory traversal problems, and a server-side request forgery issue.

The flaws impact all versions of the HPE StoreOnce Software before v4.3.11, which is now the recommended upgrade version.

Here’s the complete list of the eight vulnerabilities HPE fixed in version 4.3.11:

  • CVE-2025-37089 – Remote Code Execution
  • CVE-2025-37090 – Server-Side Request Forgery
  • CVE-2025-37091 – Remote Code Execution
  • CVE-2025-37092 – Remote Code Execution
  • CVE-2025-37093 – Authentication Bypass
  • CVE-2025-37094 – Directory Traversal Arbitrary File Deletion
  • CVE-2025-37095 – Directory Traversal Information Disclosure
  • CVE-2025-37096 – Remote Code Execution

Not many details were disclosed about the flaws this time.

However, Zero Day Initiative (ZDI), which discovered them, mentions that CVE-2025-37093 exists within the implementation of the machineAccountCheck method, resulting from improper implementation of an authentication algorithm.

Source: Bleeping computer / Securityweek / HP support center

Link: https://www.bleepingcomputer.com/news/security/hewlett-packard-enterprise-warns-of-critical-storeonce-auth-bypass/

Link: https://www.securityweek.com/hpe-patches-critical-vulnerability-in-storeonce/

Link: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US


MITRE Publishes Post-Quantum Cryptography Migration Roadmap

The MITRE-founded Post-Quantum Cryptography Coalition (PQCC) this week published fresh guidance for organizations looking to ready themselves to transition to quantum-safe cryptography.

Advances in quantum computing threaten the systems that currently ensure authenticity and secure communications and sensitive data, making the migration to post-quantum cryptography (PQC) a necessity, PQCC says.

Intended for CIOs and CISOs, the coalition’s PQC migration roadmap (PDF) provides an overview of four key stages of the migration process, namely preparation, baseline understanding, planning and execution, and monitoring and evaluation.

For each organization, transitioning to PQC requires outlining migration aims, understanding data inventories and prioritizing updates, acquiring or developing post-quantum solutions and implementing them, and building measures to track the migration and assess security as quantum capabilities evolve. How that process unfolds, however, differs from one organization to the next.

“How an organization applies this roadmap depends on the shelf-life and volume of its critical data, the amount of available information about its assets, its budget for potentially significant software and hardware updates, and numerous other influencing factors,” the document reads.

Cryptographically-relevant quantum computers capable of breaking the current cryptographic security may still be decades away, but organizations should begin the transition process now, to mitigate the threat of data being stolen now and decrypted later, PQCC says.

“This roadmap empowers CIOs (chief information officers) and CISOs (chief information security officers) to act decisively, taking proactive steps to protect sensitive data now and in the future,” MITRE vice president Wen Masters commented.

PQCC’s guidance comes out two years after the US government released a set of quantum readiness recommendations and one year after NIST’s post-quantum cryptography standards were published.
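
The roadmap's advice to prioritize by data shelf-life is easy to turn into a repeatable triage step. The script below is an added example, not part of the PQCC roadmap or of the article: it ranks a cryptographic inventory by how exposed each asset is to the harvest-now, decrypt-later threat. The asset list is constructed, and the scoring rule (data shelf-life plus migration time compared with the assumed years until a cryptographically relevant quantum computer, the so-called Mosca inequality) is this example's own choice; the page does not prescribe a formula.

```python
"""Added example (not from the PQCC roadmap): a minimal cryptographic-inventory
triage that ranks assets by "harvest now, decrypt later" exposure.

Rule used here (an assumption of this example, not a PQCC formula): an asset is
at risk if the data it protects must stay secret longer than the time until a
cryptographically relevant quantum computer (CRQC) is assumed to exist, taking
the time needed to migrate the asset into account.
"""
from dataclasses import dataclass

# Classical public-key algorithms broken by Shor's algorithm; everything else
# (symmetric ciphers, hashes, NIST PQC standards) is treated as safe here.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}


@dataclass
class Asset:
    name: str
    algorithm: str
    shelf_life_years: float   # how long the protected data must stay confidential
    migration_years: float    # estimated time to move this asset to PQC


def is_quantum_vulnerable(algorithm: str) -> bool:
    return algorithm.upper() in QUANTUM_VULNERABLE


def exposure_years(asset: Asset, years_to_crqc: float) -> float:
    """Years during which data could be harvested now and decrypted later.

    Positive when shelf life + migration time exceeds the CRQC horizon
    (X + Y > Z); zero or negative means the asset is retired or migrated
    before a CRQC could read the captured traffic.
    """
    if not is_quantum_vulnerable(asset.algorithm):
        return 0.0
    return asset.shelf_life_years + asset.migration_years - years_to_crqc


def prioritize(assets, years_to_crqc):
    """Return (asset, exposure) pairs, most exposed first.
    Assets with exposure <= 0 stay listed so the inventory remains complete."""
    scored = [(a, exposure_years(a, years_to_crqc)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory (illustrative values, not real systems).
SAMPLE_ASSETS = [
    Asset("vpn-gateway", "ECDH", shelf_life_years=2, migration_years=3),
    Asset("hr-records-archive", "RSA", shelf_life_years=25, migration_years=4),
    Asset("firmware-signing", "ECDSA", shelf_life_years=15, migration_years=5),
    Asset("backup-encryption", "AES-256", shelf_life_years=30, migration_years=0),
    Asset("new-tls-termination", "ML-KEM", shelf_life_years=10, migration_years=0),
]

if __name__ == "__main__":
    for asset, exposure in prioritize(SAMPLE_ASSETS, years_to_crqc=10):
        flag = "MIGRATE FIRST" if exposure > 0 else "ok"
        print(f"{asset.name:22} {asset.algorithm:8} exposure={exposure:+.1f}y {flag}")
```

With a 10-year CRQC assumption the archive of long-lived HR records and the firmware-signing key float to the top, while a VPN whose sessions protect short-lived data scores negative even though it uses ECDH. Changing the horizon is the knob to turn when new estimates arrive.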

Source: Securityweek

Link: https://www.securityweek.com/mitre-publishes-post-quantum-cryptography-migration-roadmap/

Threat Newsletter Week 20-21

Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD).

„The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,“ Akamai security researcher Yuval Gordon said in a report shared with The Hacker News.

„This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group that had the required permissions to perform this attack.“

What makes the attack pathway notable is that it leverages a new feature called Delegated Managed Service Accounts (dMSA) that allows migration from an existing legacy service account. It was introduced in Windows Server 2025 as a mitigation to Kerberoasting attacks.
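
Because the technique rides on a legitimate migration feature, detection has to look at who creates dMSA objects and what they are linked to. The script below is an added example and is not code from Akamai's report or from Microsoft. It assumes facts the page does not spell out: that the objects have objectClass msDS-DelegatedManagedServiceAccount, that the migration is recorded in the attributes msDS-ManagedAccountPrecededByLink (the superseded account) and msDS-DelegatedMSAState (value 2 meaning migration completed), and that domain controllers emit Directory Service Changes events 5137 (object created) and 5136 (attribute modified) for the OUs in question, which requires that audit subcategory and a SACL on the OU. The event records, the privileged-account markers and the allow-listed operator account are constructed.

```python
"""Added example, not code from Akamai's report: correlating Windows Security
events to spot dMSA abuse of the kind described above.

Assumptions of this example (stated here, not on the page): the relevant
objects have objectClass msDS-DelegatedManagedServiceAccount, the migration
is expressed through the attributes msDS-ManagedAccountPrecededByLink (which
account the dMSA supersedes) and msDS-DelegatedMSAState (2 = migration
completed), and the domain controllers log Directory Service Changes
(events 5137 = object created, 5136 = attribute modified) for the OU.
"""
from collections import defaultdict

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
WATCHED_ATTRS = {"msDS-ManagedAccountPrecededByLink", "msDS-DelegatedMSAState"}
# Accounts whose impersonation means full compromise (assumption: a site-specific watch list).
PRIVILEGED_DN_MARKERS = ("CN=Administrator,", "CN=Domain Admins,", "CN=krbtgt,")
# Identities expected to run legitimate dMSA migrations (assumption: site-specific allow list).
MIGRATION_OPERATORS = {"svc-migration"}


def is_privileged_target(dn: str) -> bool:
    return any(marker.lower() in dn.lower() for marker in PRIVILEGED_DN_MARKERS)


def analyze(events):
    """Return a list of alert strings for suspicious dMSA activity.

    events: iterable of dicts with keys EventID, SubjectUserName, ObjectDN,
    ObjectClass and (for 5136) AttributeLDAPDisplayName, AttributeValue.
    """
    alerts = []
    created_by = {}                 # dMSA DN -> account that created it
    touched = defaultdict(dict)     # dMSA DN -> {attribute: value}
    for ev in events:
        if ev.get("ObjectClass") != DMSA_CLASS:
            continue
        dn, who = ev["ObjectDN"], ev["SubjectUserName"]
        if ev["EventID"] == 5137:
            created_by[dn] = who
            if who not in MIGRATION_OPERATORS:
                alerts.append(f"MEDIUM dMSA {dn} created by unexpected account {who}")
        elif ev["EventID"] == 5136 and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            attr, value = ev["AttributeLDAPDisplayName"], ev["AttributeValue"]
            touched[dn][attr] = value
            if attr == "msDS-ManagedAccountPrecededByLink" and is_privileged_target(value):
                alerts.append(f"HIGH dMSA {dn} now supersedes privileged account {value} (set by {who})")
    # Creation + link + state=2 by the same non-operator account is the full attack chain.
    for dn, attrs in touched.items():
        who = created_by.get(dn)
        if (who and who not in MIGRATION_OPERATORS
                and "msDS-ManagedAccountPrecededByLink" in attrs
                and attrs.get("msDS-DelegatedMSAState") == "2"):
            target = attrs["msDS-ManagedAccountPrecededByLink"]
            alerts.append(f"CRITICAL {who} completed a dMSA migration via {dn} -> {target}")
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=attacker_dmsa,OU=Temp,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=attacker_dmsa,OU=Temp,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=Administrator,CN=Users,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=attacker_dmsa,OU=Temp,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-DelegatedMSAState", "AttributeValue": "2"},
    # A legitimate migration by the expected operator account produces no alert.
    {"EventID": 5137, "SubjectUserName": "svc-migration", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web_dmsa,OU=Services,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "svc-migration", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web_dmsa,OU=Services,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=svc-web-legacy,OU=Services,DC=corp,DC=local"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The preventive control sits upstream of this detection: audit which principals hold object-creation rights on OUs, since the report's 91% figure is about exactly that permission being more widely held than organizations realize.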

Source: The hacker news / Dark reading / Securityweek / Helpnet security / Akamai blog

Link: https://thehackernews.com/2025/05/critical-windows-server-2025-dmsa.html

Link: https://www.darkreading.com/vulnerabilities-threats/unpatched-windows-server-flaw-threatens-active-directory-users

Link: https://www.securityweek.com/akamai-microsoft-disagree-on-severity-of-unpatched-badsuccessor-flaw/

Link: https://www.helpnetsecurity.com/2025/05/22/unpatched-windows-server-vulnerability-allows-active-directory-users-full-domain-compromise/

Link: https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory


Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts

Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances.

It’s worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.

„These vulnerabilities, when chained together, could allow an attacker to fully compromise both the application and the underlying host system,“ ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra said in a report shared with The Hacker News.

The security defects are listed below –

  • CVE-2025-34025 (CVSS score: 8.6) – A privilege escalation and Docker container escape vulnerability that’s caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine
  • CVE-2025-34026 (CVSS score: 9.2) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via CVE-2024-45410
  • CVE-2025-34027 (CVSS score: 10.0) – An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads („/portalapi/v1/package/spack/upload“) via arbitrary file writes

Successful exploitation of CVE-2025-34027 could allow an attacker to leverage a race condition and write malicious files to disk, ultimately resulting in remote code execution using LD_PRELOAD and a reverse shell.

Source: The hacker news / Bleeping computer / Infosecurity magazine

Link: https://thehackernews.com/2025/05/unpatched-versa-concerto-flaws-let.html

Link: https://www.bleepingcomputer.com/news/security/unpatched-critical-bugs-in-versa-concerto-lead-to-auth-bypass-rce/

Link: https://www.infosecurity-magazine.com/news/critical-zerodays-versa-networks/


The Crowded Battle: Key Insights from the 2025 State of Pentesting Report

In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises (200 from within the USA) to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persisting breaches and the growing cyber risks they have to handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset about how enterprises approach security testing.

Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions.

Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months. The growing number of deployed tools has several effects on day-to-day operations and on the organization's overall cyber posture.

Although it seems obvious, the findings tell a clear story – more security tools do mean better security posture. However, there is no silver bullet. Among organizations with fewer than 50 security tools, 93% reported a breach. That percentage steadily declines as stack size increases, dropping to 61% among those using more than 100 tools.

Source: The hacker news

Link: https://thehackernews.com/2025/05/the-crowded-battle-key-insights-from.html


Ivanti EPMM Exploitation Tied to Previous Zero-Day Attacks

A threat actor that exploited two Ivanti zero-day vulnerabilities earlier this month was behind previous zero-day attacks on other edge devices.

Ivanti last week disclosed that two vulnerabilities in its Endpoint Manager Mobile (EPMM) mobile device management product had been chained together in remote code execution (RCE) attacks. The flaws are CVE-2025-4427, a medium-severity authentication bypass, and CVE-2025-4428, a high-severity RCE vulnerability in EPMM.

The Cybersecurity and Infrastructure Security Agency (CISA) added the two CVEs to its Known Exploited Vulnerabilities catalog on Monday. Researchers at Wiz on Tuesday published a blog post that warned of ongoing exploitation activity against the Ivanti vulnerabilities and detailed connections to attacks on other edge devices, most notably Palo Alto Networks' firewalls.

The pattern of threat activity heightens risks to enterprises and further illustrates that edge devices continue to be a popular and lucrative target for a variety of threat actors.

Source: Dark reading / Securityweek

Link: https://www.darkreading.com/cyberattacks-data-breaches/ivanti-epmm-exploitation-previous-zero-day-attacks

Link: https://www.securityweek.com/wiz-warns-of-ongoing-exploitation-of-recent-ivanti-vulnerabilities/


Pen Testing for Compliance Only? It’s Time to Change Your Approach

Imagine this: Your organization completed its annual penetration test in January, earning high marks for security compliance. In February, your development team deployed a routine software update. By April, attackers had already exploited a vulnerability introduced in that February update, gaining access to customer data weeks before being finally detected.

This situation isn’t theoretical: it plays out repeatedly as organizations realize that point-in-time compliance testing can’t protect against vulnerabilities introduced after the assessment. According to Verizon’s 2025 Data Breach Investigations Report, the exploitation of vulnerabilities rose 34% year-over-year. While compliance frameworks provide important security guidelines, companies need continuous security validation to identify and remediate new vulnerabilities before attackers can exploit them.

Here’s what you need to know about pen testing to meet compliance standards, and why you should adopt continuous penetration testing if your goals go beyond the minimum.

Source: The hacker news

Link: https://thehackernews.com/2025/05/pen-testing-for-compliance-only-its.html

Threat Newsletter Week 18-19

Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell

A previously unnamed China-linked threat actor, now tracked as Chaya_004, has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.

Forescout Vedere Labs, in a report published today, said it uncovered malicious infrastructure likely associated with the group, which has been weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025.

CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible „/developmentserver/metadatauploader“ endpoint.

The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework.
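
The exploitation pattern described here (an unauthenticated upload to the metadata uploader endpoint, then requests to the dropped web shell) is visible in web server access logs. The script below is an added example, not code from ReliaQuest, Forescout or SAP. It assumes NCSA combined-format logs and that uploaded shells become reachable as .jsp files under /irj/, a detail from public reporting on this campaign that the page itself does not state; the log lines are constructed.

```python
"""Added example (not ReliaQuest's or Forescout's code): flag SAP NetWeaver
access-log lines that fit the CVE-2025-31324 pattern described above, an
upload to /developmentserver/metadatauploader followed by requests to a
freshly dropped .jsp file.

Assumptions: logs are in Apache/NCSA combined format; web shells uploaded via
the Visual Composer metadata uploader become reachable under /irj/ (from
public reporting on the campaign, not stated on the page).
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
UPLOADER = "/developmentserver/metadatauploader"
SHELL_RE = re.compile(r"^/irj/[^/?]+\.jsp", re.IGNORECASE)


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return alerts. A POST to the uploader is suspicious on its own; the same
    source then hitting a .jsp under /irj/ is treated as a web shell, and any
    later client using that same .jsp path inherits the verdict."""
    alerts = []
    uploaders = set()      # source IPs that have hit the uploader endpoint
    shell_paths = set()    # .jsp paths first requested by an uploader IP
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        ip, method = rec["ip"], rec["method"]
        if path.lower().startswith(UPLOADER):
            uploaders.add(ip)
            if method == "POST":
                alerts.append(f"SUSPICIOUS {ip} POST {UPLOADER} -> HTTP {rec['status']}")
        elif SHELL_RE.match(path):
            if ip in uploaders:
                shell_paths.add(path.lower())
                alerts.append(f"WEBSHELL {ip} {method} {path} after metadata upload")
            elif path.lower() in shell_paths:
                alerts.append(f"WEBSHELL {ip} {method} {path} (path previously dropped via uploader)")
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 12
203.0.113.7 - - [29/Apr/2025:10:14:05 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 412
198.51.100.9 - - [29/Apr/2025:10:20:41 +0000] "GET /irj/portal HTTP/1.1" 200 8821
198.51.100.9 - - [29/Apr/2025:10:21:03 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 412
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The third sample line shows a normal portal request that is not flagged; the fourth shows an operator on a different address reusing the shell, which the path memory catches. In production, a time window around the upload and a check that the uploader is not reachable from the Internet at all would come first.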

Source: The hacker news

Link: https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html


SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root

SonicWall has released patches to address three security flaws affecting SMA 100 series Secure Mobile Access (SMA) appliances that can be chained to achieve remote code execution.

The vulnerabilities are listed below –

  • CVE-2025-32819 (CVSS score: 8.8) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.
  • CVE-2025-32820 (CVSS score: 8.3) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to inject a path traversal sequence and make any directory on the SMA appliance writable.
  • CVE-2025-32821 (CVSS score: 6.7) – A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges to inject shell command arguments and upload a file on the appliance.

„An attacker with access to an SMA SSL-VPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory,“ Rapid7 said in a report. „This chain results in root-level remote code execution.“

Source: The hacker news / Bleeping computer / Dark reading / Securityweek

Link: https://thehackernews.com/2025/05/sonicwall-patches-3-flaws-in-sma-100.html

Link: https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/

Link: https://www.darkreading.com/endpoint-security/sonicwall-patch-exploit-chain-sma-devices

Link: https://www.securityweek.com/possible-zero-day-patched-in-sonicwall-sma-appliances/


Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system.

The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system.

„This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system,“ the company said in a Wednesday advisory. „An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges.“
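
A hard-coded JWT is fatal because whoever extracts the constant can mint tokens every affected device will accept. The script below is an added example, not Cisco's code and not a reproduction of the IOS XE issue: it implements HS256 JWT signing and verification on the standard library, shows a token forged with a static key being accepted, and shows the same token failing against a per-device key generated at provisioning time. The key value, claim names and the provisioning step are this example's assumptions.

```python
"""Added example, not Cisco's code: why a hard-coded JWT signing key is an
authentication bypass, demonstrated with a minimal HS256 implementation on the
standard library.

The secret value, claim names and the 'device-unique key' mitigation are
assumptions of this example; the page only states that the affected system
contains a hard-coded JWT.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None.
    Only HS256 is accepted, so an 'alg: none' header cannot sneak past."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if "exp" in claims and claims["exp"] < (time.time() if now is None else now):
            return None
        return claims
    except ValueError:   # malformed base64 or JSON, wrong number of segments
        return None


# Vulnerable pattern: the same literal key ships in every firmware image, so
# anyone who extracts it can mint tokens that every device accepts.
HARDCODED_KEY = b"example-static-secret"   # constructed placeholder, not a real value


def forge_admin_token(extracted_key: bytes) -> str:
    """What an attacker does once the constant has been pulled from the firmware."""
    return sign_jwt({"sub": "admin", "role": "root", "exp": 4102444800}, extracted_key)


# Hardened pattern: a per-device key generated at provisioning time and stored
# outside the firmware image; a token minted with the constant no longer verifies.
def provision_device_key() -> bytes:
    return secrets.token_bytes(32)


if __name__ == "__main__":
    forged = forge_admin_token(HARDCODED_KEY)
    print("device with hard-coded key accepts forged token:", verify_jwt(forged, HARDCODED_KEY))
    print("device with unique key accepts forged token:", verify_jwt(forged, provision_device_key()))
```

The verification routine itself is sound (constant-time comparison, fixed algorithm, expiry enforced); none of that helps when the key is public knowledge, which is why the fix for this class of bug is a firmware update that removes the constant rather than a configuration change.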

Source: The hacker news / Bleeping computer / Securityweek / CISCO security advisory

Link: https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html

Link: https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/

Link: https://www.securityweek.com/cisco-patches-35-vulnerabilities-across-several-products/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC


Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild.

The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges.

„The most severe of these issues is a high security vulnerability in the System component that could lead to local code execution with no additional execution privileges needed,“ Google said in a Monday advisory. „User interaction is not needed for exploitation.“

It’s worth noting that CVE-2025-27363 is rooted in the FreeType open-source font rendering library. It was first disclosed by Facebook in March 2025 as having been exploited in the wild.

Source: The hacker news / Securityweek

Link: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

Link: https://www.securityweek.com/android-update-patches-freetype-vulnerability-exploited-as-zero-day/


Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States.

The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by Microsoft last month.

Play, also called Balloonfly and PlayCrypt, is known for its double extortion tactics, in which sensitive data is exfiltrated prior to encryption and held for ransom alongside the encrypted files. It has been active since at least mid-2022.

In the activity observed by Symantec, the threat actors are said to have likely leveraged a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point, taking advantage of an as-yet-undetermined method to move to another Windows machine on the target network.

The attack is notable for the use of Grixba, a bespoke information stealer previously attributed to Play, and of an exploit for CVE-2025-29824 that is dropped in the Music folder under file names masquerading as Palo Alto Networks software (e.g., „paloaltoconfig.exe“ and „paloaltoconfig.dll“).

Source: The hacker news / Bleeping computer / Dark reading

Link: https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html

Link: https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/

Link: https://www.darkreading.com/cyberattacks-data-breaches/play-ransomware-group-windows-zero-day


State-of-the-art phishing: MFA bypass

Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies. The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect.

WebAuthn, a passwordless MFA method built on public-key cryptography, never transmits a shared secret: the authenticator signs a server-issued challenge together with the origin of the site the browser is actually talking to, so an assertion collected on a look-alike phishing domain is rejected by the real site, and a stolen server-side credential database holds only public keys. That makes it a robust defense against AiTM MFA bypass.

Despite its strong security benefits, WebAuthn has seen slow adoption. Cisco Talos recommends that organizations reassess their current MFA strategies in light of these evolving phishing threats. 
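
The reason a reverse-proxy phishing kit cannot relay a WebAuthn login is worth seeing concretely. The script below is an added example, not Cisco Talos code and not a real WebAuthn implementation: it models the relying-party checks on an assertion (type, challenge, origin, rpIdHash, signature) and shows the same authenticator succeeding on the genuine origin and failing when the browser is on a proxy's look-alike domain. The signature is stood in for by an HMAC so the script runs on the standard library alone; real WebAuthn uses a per-credential asymmetric key pair, and the domain names are constructed.

```python
"""Added example, not from Cisco Talos: a simulation of the relying-party (RP)
checks that make WebAuthn assertions useless to an adversary-in-the-middle
proxy. The authenticator signs over data that includes the origin the browser
actually talked to, and the RP rejects any origin but its own.

Assumption of this example: the signature is stood in for by an HMAC so the
script runs on the standard library alone; real WebAuthn uses a per-credential
asymmetric key pair (the server holds only the public key).
"""
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"               # constructed relying-party identifier
RP_ORIGIN = "https://bank.example"   # the only origin the RP will accept


class FakeAuthenticator:
    """Models a roaming or platform authenticator holding a credential key."""

    def __init__(self):
        self._key = os.urandom(32)   # stands in for the private key; never leaves the device

    def get_assertion(self, rp_id: str, challenge: bytes, browser_origin: str):
        # The *browser* fills in the origin of the page that called navigator.credentials.get();
        # a phishing page cannot lie about it.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": browser_origin,
        }, separators=(",", ":")).encode()
        authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        signed = authenticator_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self._key, signed, hashlib.sha256).digest()
        return client_data, authenticator_data, signature

    def public_verifier(self):
        """Stand-in for the public key the RP stored at registration."""
        return lambda msg, sig: hmac.compare_digest(
            hmac.new(self._key, msg, hashlib.sha256).digest(), sig)


def rp_verify(verifier, expected_challenge: bytes, client_data: bytes,
              authenticator_data: bytes, signature: bytes) -> bool:
    """RP-side checks in the order that matters for the AiTM case."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False                 # replay, or a challenge from another session
    if cd.get("origin") != RP_ORIGIN:
        return False                 # assertion was produced on a different site
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                 # rpIdHash mismatch
    return verifier(authenticator_data + hashlib.sha256(client_data).digest(), signature)


def login_attempt(authenticator: FakeAuthenticator, browser_origin: str) -> bool:
    """Full flow: RP issues a challenge, the browser at browser_origin collects the assertion."""
    challenge = os.urandom(32)
    client_data, auth_data, sig = authenticator.get_assertion(RP_ID, challenge, browser_origin)
    return rp_verify(authenticator.public_verifier(), challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    authn = FakeAuthenticator()
    print("legitimate login:", login_attempt(authn, RP_ORIGIN))
    # An AiTM proxy relays the RP's challenge, but the victim's browser is on the phishing domain.
    print("via reverse-proxy phishing page:", login_attempt(authn, "https://bank-example.com"))
```

In a real browser the attempt would fail even earlier: the phishing origin is not allowed to request credentials for the rpId bank.example at all. The simulation keeps that step out so the origin check on the server side is visible on its own. Contrast this with a TOTP code or push approval, which carries nothing that ties it to the site the user was actually on.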

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/