Beyond Information Security

Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024

A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs.

The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –

  • VMware Cloud Foundation 4.x and 5.x
  • VMware Cloud Foundation 9.x.x.x
  • VMware Cloud Foundation 13.x.x.x (Windows, Linux)
  • VMware vSphere Foundation 9.x.x.x
  • VMware vSphere Foundation 13.x.x.x (Windows, Linux)
  • VMware Aria Operations 8.x
  • VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
  • VMware Telco Cloud Platform 4.x and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” VMware said in an advisory released Monday.

Source: The Hacker News / BleepingComputer / SecurityWeek / Dark Reading

Link: https://thehackernews.com/2025/09/urgent-china-linked-hackers-exploit-new.html

Link: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/

Link: https://www.securityweek.com/broadcom-fails-to-disclose-zero-day-exploitation-of-vmware-vulnerability/

Link: https://www.securityweek.com/high-severity-vulnerabilities-patched-in-vmware-aria-operations-nsx-vcenter/

Link: https://www.darkreading.com/remote-workforce/china-exploited-new-vmware-bug-nearly


CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch back in July 2025.

“Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability,” CISA said. “This vulnerability could allow a local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.”

Source: The Hacker News / BleepingComputer

Link: https://thehackernews.com/2025/09/cisa-sounds-alarm-on-critical-sudo-flaw.html

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-linux-sudo-flaw-exploited-in-attacks/


Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure

Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.

“This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,” Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.

The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra released GoAnywhere version 7.8.4, or Sustain Release 7.6.3, last week to remediate the problem.

Source: The Hacker News / BleepingComputer / SecurityWeek / Dark Reading / watchTowr Labs blog

Link: https://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html

Link: https://www.bleepingcomputer.com/news/security/maximum-severity-goanywhere-mft-flaw-exploited-as-zero-day/

Link: https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/

Link: https://www.darkreading.com/cyberattacks-data-breaches/patch-fortra-goanywhere-bug-command-injection

Link: https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/


Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive

Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.

The zero-day vulnerabilities in question are listed below –

  • CVE-2025-20333 (CVSS score: 9.9) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests
  • CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests

Cisco said it’s aware of “attempted exploitation” of both vulnerabilities, but did not reveal who may be behind it, or how widespread the attacks are. It’s suspected that the two vulnerabilities are being chained to bypass authentication and execute malicious code on susceptible appliances.

Source: The Hacker News / BleepingComputer / Dark Reading / Cisco Talos Intelligence Group / Help Net Security / Cisco Security Event Response

Link: https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html

Link: https://www.bleepingcomputer.com/news/security/nearly-50-000-cisco-firewalls-vulnerable-to-actively-exploited-flaws/

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/

Link: https://www.darkreading.com/vulnerabilities-threats/cisco-actively-exploited-zero-day-bugs-firewalls-ios

Link: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

Link: https://www.helpnetsecurity.com/2025/10/01/too-many-cisco-asa-firewalls-still-unsecure-despite-zero-day-attack-alerts/

Link: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks


Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware

The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.

“The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the agency said.

Cisco on Thursday revealed that in May 2025 it began investigating attacks on multiple government agencies linked to the state-sponsored campaign, which targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said.

Source: The Hacker News / SecurityWeek

Link: https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html

Link: https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/


SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems.

The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions.

“SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,” SolarWinds said in an advisory released on September 17, 2025.

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2025/09/solarwinds-releases-hotfix-for-critical.html

Link: https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-patch-to-fix-web-help-desk-rce-bug/

Link: https://www.securityweek.com/solarwinds-makes-third-attempt-at-patching-exploited-vulnerability/


Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack

Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at a record-breaking 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps).

DDoS attacks typically exhaust either system or network resources, aiming to make services slow or unavailable to legitimate users.

Record-breaking DDoS attacks are becoming more frequent, as just three weeks ago, Cloudflare disclosed that it mitigated a massive 11.5 Tbps and 5.1 Bpps attack, the largest publicly announced at the time.

Two months before that, the company dealt with another record attack that peaked at 7.3 Tbps. In April, the internet giant warned that it was dealing with a record number of DDoS attacks this year.

The latest DDoS incident, also volumetric, lasted 40 seconds and is by far the largest ever mitigated.

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/