Beyond Information Security

CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild.

The vulnerabilities in question are listed below –

  • CVE-2023-50224 (CVSS score: 6.5) – An authentication bypass by spoofing vulnerability within the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default, leading to the disclosure of stored credentials in “/tmp/dropbear/dropbearpwd”
  • CVE-2025-9377 (CVSS score: 8.6) – An operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution

According to information listed on the company’s website, the following router models have reached end-of-life (EoL) status –

  • TL-WR841N (versions 10.0 and 11.0)
  • TL-WR841ND (version 10.0)
  • Archer C7 (versions 2.0 and 3.0)

However, TP-Link has released firmware updates for the two vulnerabilities as of November 2024 owing to malicious exploitation activity.

“The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates,” the company said. “For enhanced protection, we recommend that customers upgrade to newer hardware to ensure optimal performance and security.”

Source: The Hacker News / BleepingComputer

Link: https://thehackernews.com/2025/09/cisa-flags-tp-link-router-flaws-cve.html

Link: https://www.bleepingcomputer.com/news/security/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited/


6 browser-based attacks all security teams should be ready for in 2025

What security teams need to know about the browser-based attack techniques that are the leading cause of breaches in 2025.

“The browser is the new battleground.” “The browser is the new endpoint.”

These are statements you’ll run into time and again as you read articles on websites like this one. But what does this actually mean from a security perspective?

In this article, we’ll explore what security teams are trying to stop attackers from doing in the browser, breaking down what a “browser-based attack” is, and what’s required for effective detection and response.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/6-browser-based-attacks-all-security-teams-should-be-ready-for-in-2025/


Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws.

HexStrike AI, according to its website, is pitched as an AI-driven security platform that automates reconnaissance and vulnerability discovery, with the aim of accelerating authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges.

Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling.

But according to a report from Check Point, threat actors are trying their hand at the tool to gain an adversarial advantage, attempting to weaponize it to exploit recently disclosed security vulnerabilities.

“This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” the cybersecurity company said.

Source: The Hacker News / Check Point blog

Link: https://thehackernews.com/2025/09/threat-actors-weaponize-hexstrike-ai-to.html

Link: https://blog.checkpoint.com/executive-insights/hexstrike-ai-when-llms-meet-zero-day-exploitation/


Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).

“Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.”

The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.”

Volumetric DDoS attacks are designed to overwhelm a target with a tsunami of traffic, causing the server to slow down or even fail. These attacks typically result in network congestion, packet loss, and service disruptions.

Such attacks are often launched from botnets: computers, IoT devices and other machines that the threat actors have already infected with malware and brought under their control.

Source: The Hacker News

Link: https://thehackernews.com/2025/09/cloudflare-blocks-record-breaking-115.html


Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks.

The vulnerabilities are listed below –

  • CVE-2025-38352 (CVSS score: 7.4) – A privilege escalation flaw in the Linux Kernel component
  • CVE-2025-48543 (CVSS score: N/A) – A privilege escalation flaw in the Android Runtime component

Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation.

Source: The Hacker News / BleepingComputer / SecurityWeek / Help Net Security

Link: https://thehackernews.com/2025/09/android-security-alert-google-patches.html

Link: https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-flaws-in-september-update/

Link: https://www.securityweek.com/two-exploited-vulnerabilities-patched-in-android/

Link: https://www.helpnetsecurity.com/2025/09/04/google-fixes-actively-exploited-android-vulnerabilities-cve-2025-48543-cve-2025-38352/


Sitecore Zero-Day Sparks New Round of ViewState Threats

A critical Sitecore zero-day vulnerability is under active exploitation in the latest series of ViewState deserialization attacks this year.

The vulnerability, tracked as CVE-2025-53690 and disclosed on Tuesday, impacts several Sitecore products including Experience Manager (XM), Experience Platform (XP), and Experience Commerce. In a blog post published Wednesday, Mandiant said the zero-day vulnerability is a ViewState deserialization flaw under active exploitation in the wild.

ViewState is a feature of the ASP.NET page framework designed to preserve page and control values between round trips. ASP.NET machine keys protect ViewState from tampering, but if the keys are exposed, a threat actor can carry out deserialization attacks and achieve remote code execution (RCE) against a target organization’s servers.

According to Mandiant, that’s exactly what happened with the exploitation of CVE-2025-53690. “In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier,” the blog post said. “An attacker leveraged the exposed ASP.NET machine key to perform remote code execution.”
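The machine-key exposure described above is something defenders can audit for directly. The following Python script is an added example, not code from the article, Mandiant or Sitecore: it parses a web.config, flags any static <machineKey> (legitimate on a web farm, dangerous when copied from public documentation), and compares the validation key against a constructed placeholder list standing in for publicly documented sample keys; the real Sitecore sample key is deliberately not reproduced.

```python
"""Audit ASP.NET web.config files for static or publicly known <machineKey> values.

Added example, not from the article or from Mandiant/Sitecore. A static
machineKey is normal on a web farm, but one copied from public docs lets
anyone forge ViewState. The "known public keys" set is a constructed
placeholder, not a real leaked key.
"""
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for keys published in vendor documentation.
KNOWN_PUBLIC_VALIDATION_KEYS = {
    "0123456789ABCDEF" * 4,   # placeholder, not a real leaked key
}

# Constructed sample web.config with a static, documentation-style key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="%s" decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
""" % ("0123456789ABCDEF" * 4)


def audit_machine_key(config_xml):
    """Return a list of findings for the <machineKey> element (empty if none)."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings   # absent element => AutoGenerate,IsolateApps default
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue      # per-app auto-generated key: nothing to forge from docs
        findings.append(f"static {attr} configured")
        if attr == "validationKey" and value.upper() in KNOWN_PUBLIC_VALIDATION_KEYS:
            findings.append("validationKey matches a publicly documented sample key")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("weak validation algorithm " + mk.get("validation"))
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

Run it against each web.config in a deployment; any "matches a publicly documented sample key" finding calls for immediate key rotation and a review for prior ViewState abuse.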

Source: Dark Reading / Help Net Security

Link: https://www.darkreading.com/vulnerabilities-threats/sitecore-zero-day-viewstate-threats

Link: https://www.helpnetsecurity.com/2025/09/04/sitecore-zero-day-vulnerability-cve-2025-53690-exploited/