Showing posts with label Vulnerabilities and Exploits.

Apple Addresses Two Actively Exploited Zero-Day Security Flaws


Apple has rolled out security updates across its entire software ecosystem after confirming on Friday that two previously unknown flaws had been actively exploited in the wild, a further sign that high-end exploit chains continue to be used against selected targets. The updates cover iOS, iPadOS, macOS, watchOS, tvOS, visionOS and the Safari browser, and fix flaws that could have let attackers execute malicious code through specially crafted web content.


One of the two vulnerabilities is the same bug Google patched earlier this week in Chrome, highlighting how a graphics component shared across platforms exposes several products to a single flaw. Apple's advisory indicated that at least one of the flaws may have been exploited as part of what it described as an "extremely sophisticated attack" against specific individuals running versions of iOS prior to iOS 26, pointing to a targeted exploitation campaign rather than opportunistic abuse.

The vulnerabilities, identified through a coordinated effort between Apple Security Engineering and Architecture and Google's Threat Analysis Group, are tracked as CVE-2025-14174, a high-severity memory corruption flaw, and CVE-2025-43529, a use-after-free bug.

The collaboration is one more example of major vendors working together in response to advanced threat activity. In a separate advisory issued earlier in 2025, Apple had released another round of emergency patches after confirming that two further vulnerabilities had been exploited in real-world attacks.

That update, which covered iOS, iPadOS, macOS Sequoia, tvOS and visionOS, addressed flaws that could allow attackers to gain deeper control over affected devices under carefully crafted conditions.

The first, CVE-2025-31200, is a memory corruption issue in Apple's Core Audio framework that could result in arbitrary code execution when a device processes a specially crafted audio stream embedded in a malicious media file. The second, CVE-2025-31201, affects the RPAC component and could be exploited by an attacker who already has arbitrary read and write capability to bypass Pointer Authentication protections.

Apple said it mitigated the risks by improving bounds checking for the Core Audio issue and removing the vulnerable code path for the RPAC issue. The Core Audio vulnerability was credited to Google's Threat Analysis Group together with Apple's own engineers. As in its earlier disclosures, the company said the bugs had been leveraged in "extremely sophisticated" attacks against a very specific group of iOS users.

That earlier fix brought the number of zero-day vulnerabilities Apple had patched in 2025 to five at the time, following updates addressing actively exploited flaws in Core Media, Accessibility and WebKit, a run of high-risk issues that points to a sustained focus by advanced threat actors on Apple's software stack.

Returning to the latest advisory, the company says the two new vulnerabilities have been addressed in iOS 26.2, iOS and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2 and Safari 26.2, so that both current and legacy platforms are covered.

Earlier in the week, Google had quietly patched a Chrome zero-day that its advisory initially described only as a high-severity issue "under coordination". Google later updated the advisory to identify it as CVE-2025-14174, an out-of-bounds memory access bug in the ANGLE graphics layer, the same issue Apple addressed.

The sequence indicates that Google and Apple handled the vulnerability in a coordinated manner. Apple has not provided further technical detail about the attacks themselves, other than to note that they were directed at a small group of individuals running versions of iOS prior to iOS 26, a profile consistent with spyware-grade exploitation.

Both flaws are reachable through WebKit, the engine every browser on iOS, including Chrome, is built on, so the exposed surface is broad; even so, researchers believe the activity represents a narrowly targeted campaign rather than indiscriminate exploitation of the platform.

Even though Apple emphasised that the attacks were narrowly targeted, the company strongly urged users to install the updates without delay.

With these updates Apple has patched seven zero-day vulnerabilities in 2025. Exploited-in-the-wild fixes landed in January, February and April, and in September Apple backported protection against CVE-2025-43300 to older iPhone and iPad models still running iOS and iPadOS 15 and 16.

Apple's platforms have increasingly proven to be a high-value target for well-resourced threat actors capable of chaining browser and system weaknesses to reach carefully selected victims.

The company's rapid patching cadence and its coordination with external researchers reflect a maturing response to advanced exploitation; at the same time, the frequency of zero-day fixes this year underlines how important timely updates are across all supported devices.

Security experts recommend that users, especially high-risk ones such as journalists, executives and public figures, enable automatic updates, limit the untrusted web content they open, and review device security settings to reduce their attack surface.

Enterprises managing Apple hardware at scale should likewise accelerate patch deployment and watch for signs of compromise associated with WebKit-based attacks. With targeted surveillance tools and commercial spyware continuing to emerge, Apple's latest fixes are a reminder that platform security is a process rather than a static guarantee.

Collaboration, transparency and user awareness are increasingly critical to staying ahead of sophisticated adversaries.

Ivanti Flags Critical Endpoint Manager Flaw Allowing Remote Code Execution

 

Ivanti is urging customers to promptly patch a critical vulnerability in its Endpoint Manager (EPM) product that could let remote attackers execute arbitrary JavaScript in administrator sessions through a low-complexity cross-site scripting (XSS) attack. The issue, tracked as CVE-2025-10573, affects the EPM web service and can be abused without authentication, although it requires some user interaction to trigger.

The flaw stems from how the EPM web service handles data submitted by managed endpoints. According to Rapid7 researcher Ryan Emmons, an attacker with unauthenticated access to the EPM web interface can register bogus managed endpoints and inject malicious JavaScript into the administrator dashboard. Once an EPM administrator views a poisoned dashboard widget as part of routine use, the injected code executes in the browser, allowing the attacker to hijack the admin session and act with the administrator's privileges. In other words, this is a stored XSS: attacker-controlled data is persisted and later rendered unescaped inside a privileged UI.

Patch availability and exposure

Ivanti has released EPM 2024 SU4 SR1 to remediate CVE-2025-10573 and recommends that customers install the update as soon as possible. The company stressed that EPM is designed to operate behind perimeter defences rather than being exposed directly to the public internet, which should lower the practical risk where deployments follow that guidance. However, data from the Shadowserver Foundation shows hundreds of Ivanti EPM instances reachable online, with the highest counts in the United States, Germany and Japan, significantly increasing the potential attack surface for those organisations.

Alongside the critical bug, Ivanti shipped fixes for three other high-severity vulnerabilities affecting EPM, including CVE-2025-13659 and CVE-2025-13662. These two issues could also enable unauthenticated remote attackers to execute arbitrary code on vulnerable systems under certain conditions. Successful exploitation of the newly disclosed high-severity flaws requires user interaction and either connecting to an untrusted core server or importing untrusted configuration files, which raises the bar somewhat for real-world attacks.

Threat landscape and prior exploitation

Ivanti stated there is currently no evidence that any of the newly patched flaws have been exploited in the wild and credited its responsible disclosure programme for bringing them to light. Nonetheless, EPM vulnerabilities have been frequent targets, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly added Ivanti EPM bugs to its Known Exploited Vulnerabilities catalog. In 2024, CISA ordered federal agencies to urgently patch multiple Ivanti EPM issues, including three critical flaws flagged in March and another actively exploited vulnerability mandated for remediation in October.

New SVG-Based Clickjacking Technique Exposes Cross-Origin Data Through CSS Filters

 

Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections.

Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy.

Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs.

Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique.

Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin.

She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have."

Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools.

According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources."
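A concrete reading of that claim, as an added simulation written for this page rather than code from Rebane's write-up: the SVG specification defines feComposite with operator="arithmetic" as result = k1*i1*i2 + k2*i1 + k3*i2 + k4 per channel (clamped to [0,1]), and on fully opaque pixels feBlend's multiply and screen modes reduce to a*b and a+b-ab. Treating pixel channels as 0/1 bits, the constants below give AND, OR, NOT, XOR and NAND, and a NAND-only full adder shows that arbitrary combinational logic is reachable. The function and gate names are this example's own.

```javascript
// Added simulation of the "logic gates from SVG filter primitives" idea above.
// Illustrative code written for this page, not Lyra Rebane's exploit: it models
// the per-channel arithmetic the SVG spec defines for
// <feComposite operator="arithmetic"> and two <feBlend> modes on fully opaque
// pixels, and shows that AND/OR/NOT/XOR fall out of the k1..k4 constants.

const clamp01 = (x) => Math.min(1, Math.max(0, x));

// feComposite operator="arithmetic": result = k1*i1*i2 + k2*i1 + k3*i2 + k4,
// evaluated per channel and clamped to [0,1].
function feCompositeArithmetic(i1, i2, k1, k2, k3, k4) {
  return clamp01(k1 * i1 * i2 + k2 * i1 + k3 * i2 + k4);
}

// feBlend on opaque pixels (alpha = 1 on both inputs) reduces to these forms.
const feBlend = {
  multiply: (a, b) => clamp01(a * b),         // 1 only when both are 1 -> AND
  screen:   (a, b) => clamp01(a + b - a * b), // 1 when either is 1   -> OR
};

// Gates built from the primitives. Each takes and returns 0/1 pixel values.
const gates = {
  AND:  (a, b) => feBlend.multiply(a, b),
  OR:   (a, b) => feBlend.screen(a, b),
  NOT:  (a)    => feCompositeArithmetic(a, a, 0, -1, 0, 1),  // 1 - a
  XOR:  (a, b) => feCompositeArithmetic(a, b, -2, 1, 1, 0),  // a + b - 2ab
  NAND: (a, b) => feCompositeArithmetic(a, b, -1, 0, 0, 1),  // 1 - ab
};

// Exhaustive truth table for a two-input gate, as the string "r00 r01 r10 r11".
function truthTable(gate) {
  const rows = [];
  for (const a of [0, 1]) for (const b of [0, 1]) rows.push(gate(a, b));
  return rows.join(' ');
}

// NAND alone is functionally complete; a full adder built only from NAND shows
// that arbitrary combinational logic over pixel values is reachable.
function fullAdderFromNand(a, b, cin) {
  const nand = gates.NAND;
  const x1 = nand(a, b);
  const s1 = nand(nand(a, x1), nand(b, x1));       // a XOR b
  const x2 = nand(s1, cin);
  const sum = nand(nand(s1, x2), nand(cin, x2));   // (a XOR b) XOR cin
  const carry = nand(x1, x2);                      // ab OR (a XOR b)cin
  return { sum, carry };
}

for (const name of ['AND', 'OR', 'XOR', 'NAND']) {
  console.log(`${name}: ${truthTable(gates[name])}`);
}
```

The timing and resource limits in the quote above apply here too: every gate costs a filter pass over the pixels it reads, so real chains are bounded by what the compositor will execute, not by expressiveness.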

To demonstrate the risk, Rebane built a proof-of-concept that extracts text from Google Docs. The attack overlays a "Generate Document" button on a popup. When the button is clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once the user submits it, the attacker-controlled interface secretly feeds the suggested Google Docs file name into a hidden textbox. Framing restrictions would normally prevent this, but Google Docs allows itself to be embedded, which makes the attack viable.

Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints.
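A check for that last point, as an added helper written for this page (not from Rebane's write-up): given the headers a response returned, classify whether another origin can frame it, applying the precedence rules browsers use. The sample responses and URLs are constructed.

```javascript
// Added audit helper written for this page (not Rebane's code): given a
// response's headers, say whether another origin may frame the page. Browsers
// honour CSP frame-ancestors over X-Frame-Options when both are present, and
// a report-only CSP enforces nothing, so both cases are handled explicitly.

const ORDER = ['blocked', 'same-origin', 'restricted', 'allowed'];

// Split a CSP string into { directiveName: [sources...] }; per CSP, the first
// occurrence of a directive in a policy wins and later duplicates are ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function classifyFrameAncestors(sources) {
  const s = sources.map((x) => x.toLowerCase());
  if (s.length === 0 || s.includes("'none'")) return 'blocked';
  if (s.includes('*')) return 'allowed';
  if (s.every((x) => x === "'self'")) return 'same-origin';
  return 'restricted';        // an explicit list of other origins
}

// headers: object keyed by lowercase header name; a value may be a string or
// an array of strings when the header was sent more than once.
function framingPolicy(headers) {
  const policies = [].concat(headers['content-security-policy'] || []);
  const verdicts = [];
  for (const p of policies) {
    const d = parseCsp(p);
    if ('frame-ancestors' in d) verdicts.push(classifyFrameAncestors(d['frame-ancestors']));
  }
  if (verdicts.length > 0) {
    // Every delivered policy must allow the embedder, so the strictest wins.
    return verdicts.sort((a, b) => ORDER.indexOf(a) - ORDER.indexOf(b))[0];
  }
  const xfo = headers['x-frame-options'];
  if (typeof xfo === 'string') {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return 'blocked';
    if (v === 'SAMEORIGIN') return 'same-origin';
    // ALLOW-FROM is obsolete and ignored by current browsers: no protection.
  }
  return 'allowed';
}

// Walk a list of captured responses and return the URLs anyone can frame.
function frameableUrls(responses) {
  return responses.filter((r) => framingPolicy(r.headers) === 'allowed').map((r) => r.url);
}

// Constructed sample responses (URLs and headers are made up for the demo).
const SAMPLE_RESPONSES = [
  { url: 'https://app.example/', headers: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'", 'x-frame-options': 'SAMEORIGIN' } },
  { url: 'https://app.example/embed', headers: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" } },
  { url: 'https://api.example/v1/me', headers: { 'content-type': 'application/json' } },
  { url: 'https://app.example/legacy', headers: { 'x-frame-options': 'ALLOW-FROM https://old.example' } },
  { url: 'https://app.example/report-only', headers: { 'content-security-policy-report-only': "frame-ancestors 'none'" } },
];

console.log('frameable:', frameableUrls(SAMPLE_RESPONSES));
```

Run it over the responses of every authenticated endpoint, not just HTML pages: the JSON API in the sample is exactly the kind of endpoint the paragraph above says is usually left frameable. For pages that must stay embeddable, the client-side complement is the Intersection Observer v2 `trackVisibility` option, whose `isVisible` flag is false when the embedder has covered, transformed or filtered the frame, though that API is not available in every browser.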

Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection.

She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there."

Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains.

Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well.

Rebane also pointed to potential mitigations, highlighting the Intersection Observer v2 API, which lets an embedded page detect whether it is actually visible to the user, that is, not covered, transformed or filtered by its embedder.

Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.

React2Shell Exploited Within Hours as Firms Rush to Patch

 

Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public. 

The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers. 

The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems. 

AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia. 

Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware. 

AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers. 

Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems. 

A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages. 

The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix. 

Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default. 

Cybersecurity firms and cloud providers are urging organizations to take action immediately: 


  1. Apply official patches for React, Next.js and related RSC frameworks.
  2. Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
  3. Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.

Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 

Critical Vulnerabilities Found in React Server Components and Next.js


Exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog after exploitation in the wild.

The flaw, CVE-2025-55182 (CVSS score: 10.0), also known as React2Shell, is a remote code execution (RCE) bug that an unauthenticated attacker can trigger without any prior access to the target.

Remote code execution 

According to the CISA advisory, "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints."

The problem comes from unsafe deserialization in the library's Flight protocol, which React uses to communicate between client and server. As a result, an unauthenticated remote attacker can run arbitrary commands on the server by sending specially crafted HTTP requests. Insecure deserialization, turning attacker-supplied text back into live objects, is a well-known dangerous class of software vulnerability.

About the flaw

 "The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization," said Martin Zugec, technical solutions director at Bitdefender.

The incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groups such as Jackpot Panda and Earth Lamia. "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," AWS said.

Attack tactic 

Some attacks deployed cryptocurrency miners, while others ran "cheap math" PowerShell commands to confirm that exploitation had succeeded and then dropped in-memory downloaders capable of fetching additional payloads from a remote server.


According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
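The version check that the previous post's first remediation step and the CISA advisory above both call for, as an added example written for this page (not React's, AWS's or CISA's tooling): it walks an npm package-lock.json and reports React packages below the fixed releases 19.0.1, 19.1.2 and 19.2.1 named above. Which package names to treat as RSC components (react, react-dom and the react-server-dom-* bundles), and that only the listed 19.x lines are affected, are assumptions of this example; the sample lockfile is constructed.

```javascript
// Added check written for this page (not React's or AWS's tooling): walk an
// npm package-lock.json and flag React packages that are below the fixed
// releases named above (19.0.1, 19.1.2, 19.2.1). Which packages count as
// "RSC" is an assumption here: react-server-dom-* plus react and react-dom.

// Fixed release per 19.x minor line, from the advisory as summarised above.
const FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const RSC_PACKAGE_RE = /^(react|react-dom|react-server-dom-[a-z]+)$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// -1, 0, 1 like strcmp. A pre-release sorts below the same numeric version,
// so a "19.2.1-canary.x" build is still treated as older than 19.2.1.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns null if the package/version is outside the affected lines, otherwise
// the fixed version it should be raised to.
function fixedVersionFor(name, version) {
  if (!RSC_PACKAGE_RE.test(name)) return null;
  const v = parseVersion(version);
  if (!v || v.major !== 19) return null;            // assumption: only 19.x lines are listed
  const fixed = FIXED_BY_MINOR[`${v.major}.${v.minor}`];
  if (!fixed) return null;                          // minor line not listed on the page
  return compareVersions(v, parseVersion(fixed)) < 0 ? fixed : null;
}

// package-lock v2/v3: "packages" keys are paths like "node_modules/react" or
// "node_modules/next/node_modules/react-server-dom-webpack" (nested copies),
// so nested duplicates that `npm ls` hides are still caught.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue;                            // "" is the root project; workspaces have no node_modules prefix
    const name = path.slice(idx + 'node_modules/'.length);
    const fixed = fixedVersionFor(name, meta.version || '');
    if (fixed) findings.push({ path, name, version: meta.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/react": { "version": "19.2.0" },
    "node_modules/react-dom": { "version": "19.2.1" },
    "node_modules/next": { "version": "15.1.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { "version": "19.1.1" },
    "node_modules/lodash": { "version": "4.17.21" }
  }
}`);

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version} -> upgrade to ${f.fixed}`);
}
```

The nested-copy case is the one worth keeping: a framework can pin its own copy of an RSC bundle under its own node_modules, so a clean top-level react version does not prove the tree is clean.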


Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, concerns how Windows displays the "Target" field of a shortcut file. Attackers found that they could pad the Target field with a large run of whitespace followed by the malicious command line. When a user inspects the file's properties, Windows shows only the first part of that field, so the command stays hidden behind the whitespace and the shortcut appears innocuous.

These shortcuts are usually distributed inside ZIP or similar archives, since many email services block .lnk files outright. The attack relies on persuasion: victims must open the shortcut themselves for the malware to gain a foothold on the system. Once opened, the hidden command can install additional tools or establish persistence.
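An added detector for this page, written here rather than taken from Microsoft, Trend Micro or 0patch: it parses the Shell Link header and StringData section as laid out in the MS-SHLLINK specification, pulls out the command-line arguments, and flags the whitespace padding described above. The sample shortcuts are constructed inside the block; the 16-character minimum padding run is a tuning assumption, and the 260-character limit comes from the truncation the post describes.

```javascript
// Added detector written for this page; not Microsoft's or Trend Micro's code.
// It reads the MS-SHLLINK structure far enough to reach COMMAND_LINE_ARGUMENTS
// and flags the whitespace-padding trick described above. The 260-character
// limit mirrors the truncated display the post mentions; the minimum padding
// run is a tuning assumption, not a value from the post.

const LNK_HEADER_SIZE = 0x4c;
const LNK_CLSID_HEX = '0114020000000000c000000000000046';   // {00021401-0000-0000-C000-000000000046}, little-endian
const FLAG = {
  HasLinkTargetIDList: 0x01, HasLinkInfo: 0x02, HasName: 0x04, HasRelativePath: 0x08,
  HasWorkingDir: 0x10, HasArguments: 0x20, HasIconLocation: 0x40, IsUnicode: 0x80,
};
// StringData entries appear in this fixed order, each present only if its flag is set.
const STRING_FIELDS = [['name', FLAG.HasName], ['relativePath', FLAG.HasRelativePath],
  ['workingDir', FLAG.HasWorkingDir], ['arguments', FLAG.HasArguments], ['iconLocation', FLAG.HasIconLocation]];

function parseLnk(buf) {
  if (buf.length < LNK_HEADER_SIZE || buf.readUInt32LE(0) !== LNK_HEADER_SIZE ||
      buf.toString('hex', 4, 20) !== LNK_CLSID_HEX) throw new Error('not a Shell Link file');
  const flags = buf.readUInt32LE(20);
  let off = LNK_HEADER_SIZE;
  if (flags & FLAG.HasLinkTargetIDList) off += 2 + buf.readUInt16LE(off); // IDListSize + IDList
  if (flags & FLAG.HasLinkInfo) off += buf.readUInt32LE(off);             // LinkInfoSize counts itself
  const unicode = Boolean(flags & FLAG.IsUnicode);
  const strings = {};
  for (const [field, flag] of STRING_FIELDS) {
    if (!(flags & flag)) continue;
    const count = buf.readUInt16LE(off);                   // CountCharacters, no terminator
    const bytes = unicode ? count * 2 : count;
    strings[field] = buf.toString(unicode ? 'utf16le' : 'latin1', off + 2, off + 2 + bytes);
    off += 2 + bytes;
  }
  return { flags, strings };
}

// Heuristic: a long whitespace run inside the arguments (spaces, tabs, CR/LF,
// vertical tab and form feed all count), or a Target longer than the dialog shows.
function isPaddedShortcut(parsed, { maxVisible = 260, minRun = 16 } = {}) {
  const args = parsed.strings.arguments || '';
  const target = [parsed.strings.relativePath || '', args].filter(Boolean).join(' ');
  const longestRun = Math.max(0, ...(args.match(/\s+/g) || []).map((r) => r.length));
  return longestRun >= minRun || target.length > maxVisible;
}

// Builder used only to make offline samples. idList, when given, must already
// end with the 2-byte TerminalID; real files also carry LinkInfo, which the
// parser skips the same way.
function buildLnk(strings, idList) {
  let flags = FLAG.IsUnicode;
  const parts = [];
  if (idList) {
    flags |= FLAG.HasLinkTargetIDList;
    const size = Buffer.alloc(2); size.writeUInt16LE(idList.length);
    parts.push(size, idList);
  }
  for (const [field, flag] of STRING_FIELDS) {
    if (strings[field] === undefined) continue;
    flags |= flag;
    const count = Buffer.alloc(2); count.writeUInt16LE(strings[field].length);
    parts.push(count, Buffer.from(strings[field], 'utf16le'));
  }
  const header = Buffer.alloc(LNK_HEADER_SIZE);
  header.writeUInt32LE(LNK_HEADER_SIZE, 0);
  Buffer.from(LNK_CLSID_HEX, 'hex').copy(header, 4);
  header.writeUInt32LE(flags, 20);
  header.writeUInt32LE(1, 60);                                  // ShowCommand = SW_SHOWNORMAL
  return Buffer.concat([header, ...parts]);
}

// Constructed samples. The padded one mimics the layout described above:
// hundreds of spaces, then the real command (a harmless one here).
const dummyIdList = Buffer.from([0x05, 0x00, 0x1f, 0x50, 0x34, 0x00, 0x00]); // one ItemID + TerminalID
const benignLnk = buildLnk({ relativePath: '.\\report.pdf', workingDir: 'C:\\Users\\Public' }, dummyIdList);
const paddedLnk = buildLnk({
  relativePath: '..\\..\\..\\Windows\\System32\\cmd.exe',
  arguments: ' '.repeat(900) + '/c echo padded-arguments-demo',
});

console.log('benign flagged?', isPaddedShortcut(parseLnk(benignLnk)));
console.log('padded flagged?', isPaddedShortcut(parseLnk(paddedLnk)));
```

In a real sample the absolute target path lives in the LinkTargetIDList and LinkInfo blocks that this parser skips; the padding sits in the arguments string, which is why that is the field to inspect. Run the check over .lnk files extracted from inbound archives before they reach a user's desktop.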


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already in broad use. Several state-backed groups and financially motivated actors had adopted it to deliver malware ranging from remote access trojans to banking trojans. Arctic Wolf Labs later observed the same technique used against diplomats in parts of Europe, where attackers used disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft initially said the bug did not meet its bar for out-of-band servicing because it requires user interaction, the company has nonetheless shipped a silent fix through regular Windows updates. With the patch in place, the Properties dialog shows the full Target field instead of truncating it after about 260 characters.

This adjustment does not strip malicious arguments from a shortcut, nor does it raise a warning when an unusually long command line is present. It only gives users full visibility, which may help the more careful ones spot suspicious content.

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is about visibility rather than enforcement, ACROS Security has issued an unofficial micropatch through its 0patch service. It limits the length of the Target field and shows a warning before allowing a potentially suspicious shortcut to run; according to the company, this stricter handling blocks the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by not opening shortcut files from unfamiliar sources, especially those delivered inside compressed archives. Security teams should keep Windows fully updated, deploy endpoint protection, and treat unsolicited attachments with caution. Training users to inspect file properties and to avoid launching unexpected shortcut files also matters. Detection can key on the artefact itself: a shortcut whose command-line arguments contain a long run of whitespace has no legitimate reason to exist.

Until stricter handling arrives, the updated Windows behaviour, user awareness and existing security controls together form the best available defence against CVE-2025-9491, which continues to appear in targeted attacks.

65% of Top AI Companies Leak Secrets on GitHub

 

Leading AI companies continue to face significant cybersecurity challenges, particularly in protecting sensitive information, as highlighted in recent research from Wiz. The study focused on the Forbes top 50 AI firms, revealing that 65% of them were found to be leaking verified secrets—such as API keys, tokens, and credentials—on public GitHub repositories. 

These leaks often occurred in places not easily accessible to standard security scanners, including deleted forks, developer repositories, and GitHub gists, indicating a deeper and more persistent problem than surface-level exposure. Wiz's approach to uncovering these leaks involved a framework called "Depth, Perimeter, and Coverage." Depth allowed researchers to look beyond just the main repositories, reaching into less visible parts of the codebase. 

Perimeter expanded the search to contributors and organization members, recognizing that individuals could inadvertently upload company-related secrets to their own public spaces. Coverage ensured that new types of secrets, such as those used by AI-specific platforms like Tavily, Langchain, Cohere, and Pinecone, were included in the scan, which many traditional tools overlook.

The findings show that despite being leaders in cutting-edge technology, these AI companies have not adequately addressed basic security hygiene. The researchers disclosed the discovered leaks to the affected organisations, but nearly half of these notifications either failed to reach the intended recipients, were ignored, or received no actionable response, underscoring the lack of dedicated channels for vulnerability disclosure.

Security Tips 

Wiz recommends several essential security measures for all organisations, regardless of size. First, deploying robust secret scanning should be a mandatory practice to proactively identify and remove sensitive information from codebases. Second, companies should prioritise the detection of their own unique secret formats, especially if they are new or specific to their operations. Engaging vendors and the open source community to support the detection of these formats is also advised.
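The first two recommendations above, shown as an added example written for this page (not Wiz's scanner): a pattern registry that an organisation extends with its own token formats, plus a Shannon-entropy fallback that catches credential-looking values no pattern describes yet. The AWS and GitHub prefixes are public formats; the "acme_sk_" format is a hypothetical in-house key, and every value in the sample text is made up.

```javascript
// Added example written for this page, not Wiz's scanner. It shows the two
// practices above: pattern-based detection with a registry that organisations
// extend with their own token formats, plus a Shannon-entropy fallback for
// formats nobody has written a pattern for. Well-known prefixes (AWS AKIA,
// GitHub ghp_) are public; the 'acme_sk_' format is a hypothetical in-house key.

const PATTERNS = [
  { name: 'aws-access-key-id', re: /\b(AKIA[0-9A-Z]{16})\b/g },
  { name: 'github-pat', re: /\b(ghp_[A-Za-z0-9]{36})\b/g },
  { name: 'private-key-block', re: /(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)/g },
];

// Organisation-specific format: register it the same way a vendor would.
function registerPattern(name, re) {
  const flags = re.flags.includes('g') ? re.flags : re.flags + 'g';
  PATTERNS.push({ name, re: new RegExp(re.source, flags) });
}
registerPattern('acme-service-key', /\b(acme_sk_[a-f0-9]{32})\b/);   // hypothetical format

function shannonEntropy(s) {
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0;
  for (const n of freq.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Generic fallback for assignment-like lines: SOMETHING_KEY = "value".
const ASSIGN_RE = /\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{20,})["']?/gi;

function scanText(text, { minEntropy = 3.5 } = {}) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of PATTERNS) {
      for (const m of line.matchAll(re)) findings.push({ line: i + 1, kind: name, value: m[1] });
    }
    for (const m of line.matchAll(ASSIGN_RE)) {
      // Skip values a specific pattern already reported on this line.
      const alreadyFound = findings.some((f) => f.line === i + 1 && m[2].includes(f.value));
      if (!alreadyFound && shannonEntropy(m[2]) >= minEntropy) {
        findings.push({ line: i + 1, kind: `high-entropy:${m[1]}`, value: m[2] });
      }
    }
  });
  return findings;
}

// Constructed sample resembling a developer's gist; every value is made up.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'GITHUB_TOKEN="ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8"',
  'ACME_KEY = acme_sk_0123456789abcdef0123456789abcdef',
  'PINECONE_API_KEY: "pX9qL2mZ7vK4nR8tW3yB6cF1hJ5dS0gA"',
  'DEBUG_TOKEN=aaaaaaaaaaaaaaaaaaaaaaaa',
  'LOG_LEVEL=info',
].join('\n');

for (const f of scanText(SAMPLE)) console.log(`line ${f.line}: ${f.kind}`);
```

The fourth sample line is the case the report is about: a vendor-specific key with no published pattern still trips the entropy check, while the low-entropy placeholder on line 5 does not. Scanning has to cover the places named above (gists, forks, contributors' personal repositories), not only the organisation's main repositories.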

Finally, establishing a clear and accessible disclosure protocol is crucial. Having a dedicated channel for reporting vulnerabilities and leaks enables faster remediation and better coordination between researchers and organisations, minimising potential damage from exposure. The research serves as a stark reminder that even the most advanced companies must not overlook fundamental cybersecurity practices to safeguard sensitive data and maintain trust in the rapidly evolving AI landscape.

Should You Still Trust Your Router? What Users Need to Know and How to Secure Home Wi-Fi today

 



Public discussion in the United States has intensified around one of the country’s most widely purchased home router brands after reports suggested that federal agencies are considering restrictions on future sales. The conversation stems from concerns about potential national security risks and the possibility of foreign influence in hardware design or data handling. While the company firmly denies these allegations, the ongoing scrutiny has encouraged many users to reassess the safety of their home Wi-Fi setup and understand how to better protect their networks.


Why the issue surfaced

The debate began when officials started examining whether equipment manufactured by the company could expose American networks to security risks. Investigators reportedly focused on the firm’s origins and questioned whether foreign jurisdictions could exert influence over product development or data processes.

The company has rejected these claims, saying its design, security functions, and oversight structures operate independently and that its leadership teams within the United States manage core product decisions. It maintains that no government has the ability to access or manipulate its systems.


Common router vulnerabilities users should understand

Even without the broader policy debate, home routers are frequently targeted by attackers, often through well-known weaknesses:

Hardware-level risks. In rare cases, security issues can originate in the physical components themselves. Malicious implants or flawed chips can give attackers a hidden entry point that is difficult for users to detect without specialized tools.

Unpatched security gaps. Zero-day vulnerabilities are flaws that attackers exploit before the manufacturer has a fix available. Some older or discontinued models never receive patches at all, leaving users exposed indefinitely.

Outdated firmware. Firmware updates serve the same purpose as software updates on phones and computers. Without them, routers miss critical security improvements and remain vulnerable to known exploits.

Botnets. Compromised routers are often absorbed into large collections of infected devices. These groups of hijacked systems are then directed to launch attacks, spread malware, or steal information.

Weak login credentials. Many intrusions occur simply because users keep the default administrator username and password. Attackers run automated tools that test the most common combinations in an attempt to break in.

Exposed remote settings. Some routers allow remote control panels to be accessed from outside the home network. If these remain active or are protected with simple passwords, attackers can quietly enter the system.

Outdated Wi-Fi encryption. Older wireless standards are easy for attackers to crack. Weak encryption allows outsiders to intercept traffic or join the network without permission.


How to strengthen your home network today

Any user can substantially improve their router’s security by following a few essential steps:

1. Change default passwords immediately. Use strong, unique credentials for both the router’s control panel and the Wi-Fi network.

2. Check for firmware updates regularly. Install every available update. If your device no longer receives support, replacement is advisable.

3. Enable the built-in firewall. It acts as the first barrier between your home network and outside threats.

4. Turn off remote management features. Only leave such functions active if you clearly understand them and require them.

5. Use modern Wi-Fi encryption. Choose WPA3 whenever your device supports it. If not, use the most up-to-date option available.

6. Consider a trusted VPN. It encrypts traffic leaving your devices, which protects your activity from anyone on the path, although it does nothing to secure the router itself.

7. Upgrade aging hardware. Older models often lack modern protections and may struggle to handle security patches or stable performance.


What users should do now

A potential restriction on any router brand is still under government review. For now, users should focus on making sure their own devices are secured and updated. Hardening home Wi-Fi settings, following current security practices and replacing unsupported hardware offer the most immediate protection while the review continues.


Software Supply Chain Attacks Surge to Record Highs in October, Driven by Zero-Day Flaws and Ransomware Groups

Software supply chain intrusions reached an unprecedented peak in October, surpassing previous monthly records by more than 30%, according to new research.

Cyble revealed in a blog post that threat actors on dark-web leak forums claimed 41 supply chain attacks in October—10 more than the earlier high recorded in April 2025. The report notes that supply chain incidents have more than doubled since April, with an average of 28 attacks per month, compared to the monthly average of 13 from early 2024 through March 2025. Cyble attributed the escalation to multiple factors.

The sharp rise has been fueled primarily by a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” Cyble wrote, adding that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.”

Additional contributors include cloud-security weaknesses and AI-powered phishing campaigns, with vishing also playing an important role in recent Scattered LAPSUS$ Hunters attacks on Salesforce environments.

All 24 industries monitored by Cyble experienced at least one supply chain breach this year, but IT and IT services firms were hit disproportionately. These organizations remain attractive to attackers due to their broad customer ecosystems and valuable access points. Cyble reported 107 supply chain attacks targeting IT companies so far this year—over three times more than those seen in financial services, transportation, technology, or government sectors.

Ransomware operations remain a major driver of this surge. Groups such as Qilin and Akira, which Cyble identified as the most active this year, have also carried out “an above-average share of supply chain attacks.”

Akira recently targeted a major open-source initiative, stealing 23GB of sensitive data including internal reports, confidential files, and issue-tracking information. Both Akira and Qilin have also compromised multiple IT providers serving high-risk verticals such as government, defense, intelligence, law enforcement, healthcare, energy, and finance. In one case, Qilin claimed to have obtained source code for proprietary tools used across public safety and security organizations.

Another Qilin incident involved breaching customers of a U.S. cybersecurity and cloud provider through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.”

A newer threat actor, Kyber, leaked more than 141GB of internal builds, databases, project files, and backups allegedly taken from a major U.S. aerospace and defense contractor specializing in communication and electronic warfare technologies.

Other notable October events included the Cl0p ransomware group's exploitation of Oracle E-Business Suite vulnerabilities and a breach involving Red Hat GitLab.

Cyble emphasized that mitigating supply chain threats is difficult because organizations inherently trust their vendors and partners. The firm stressed that security audits and third-party risk evaluations should become routine practice.

The researchers highlighted that the “most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process,” and advised that organizations thoroughly vet suppliers and enforce strong security requirements within contracts to strengthen third-party protection.

CISA Warns: Linux Kernel Flaw Actively Exploited in Ransomware Attacks

A critical Linux kernel vulnerability (CVE-2024-1086) is now actively exploited in ransomware attacks, according to a recent update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). First publicly disclosed on January 31, 2024, the flaw stems from a decade-old commit to the netfilter nf_tables kernel component and was patched early in 2024.

However, the exploit—which allows attackers with local access to escalate privileges and gain root control over affected systems—remains a severe threat for systems running kernel versions from 3.15 to 6.8-rc1, affecting prominent distributions like Debian, Ubuntu, Fedora, and Red Hat.

CISA’s latest advisory confirms the vulnerability is leveraged in live ransomware campaigns but doesn’t provide detailed incident counts or victim breakdowns. The agency added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, mandating that federal agencies patch by June 20, 2024, or implement mitigations. These mitigations include blocklisting the ‘nf_tables’ module if it is not in use, restricting user namespace access to shrink the attack surface, and optionally deploying the Linux Kernel Runtime Guard (LKRG)—though the latter may introduce instability.
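As an added illustration (not part of the CISA advisory or this article), the following Python script audits a Linux host against the three mitigations just listed and the affected version range, working from the same inputs an administrator would check by hand. The sysctl names are the Debian/Ubuntu and upstream ones, the blocklist text is a common form of the mitigation rather than a vendor file, and the LKRG module names are assumptions.

```python
"""
Added example (not from the CISA advisory or the article): an offline audit of a
Linux host against the CVE-2024-1086 mitigations, for systems that cannot be
patched yet. It reads the same interfaces an admin would check (uname -r,
/proc/modules, /proc/sys) but takes their contents as values, so it can also be
run against data captured from another machine.
"""
import re
from dataclasses import dataclass, field

# Affected range as stated in the article: 3.15 up to 6.8-rc1. Distributions
# backport fixes without changing the version number, so an in-range kernel is
# a prompt to check the package changelog, not proof of vulnerability.
AFFECTED_FROM = (3, 15, 0)
FIXED_IN = (6, 8, 0)

# Common form of the module blocklist (assumed filename: a drop-in under
# /etc/modprobe.d/). 'install ... /bin/false' defeats on-demand autoloading,
# which a plain 'blacklist' line alone does not.
MODPROBE_BLOCKLIST = "install nf_tables /bin/false\nblacklist nf_tables\n"

# Either knob closes unprivileged user namespaces: the first exists on
# Debian/Ubuntu kernels, the second is the upstream one.
SYSCTL_HARDENING = {
    "kernel.unprivileged_userns_clone": "0",
    "user.max_user_namespaces": "0",
}

# Assumption: LKRG registers as one of these module names depending on version.
LKRG_MODULES = {"lkrg", "p_lkrg"}


@dataclass
class HostState:
    kernel_release: str                          # output of uname -r
    proc_modules: str                            # contents of /proc/modules
    sysctls: dict = field(default_factory=dict)  # name -> value, as strings
    lkrg_loaded: bool = False                    # set if LKRG is known to be active


def parse_kernel_release(release: str) -> tuple:
    """'6.1.0-18-amd64' -> (6, 1, 0); '3.15' -> (3, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_in_affected_range(release: str) -> bool:
    return AFFECTED_FROM <= parse_kernel_release(release) < FIXED_IN


def loaded_modules(proc_modules: str) -> set:
    """The first field of each /proc/modules line is the module name."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def userns_restricted(sysctls: dict) -> bool:
    return any(str(sysctls.get(k)) == v for k, v in SYSCTL_HARDENING.items())


def audit(state: HostState) -> list:
    """Return human-readable findings; an empty list means nothing to do."""
    findings = []
    if kernel_in_affected_range(state.kernel_release):
        findings.append(f"kernel {state.kernel_release} is in the affected range; "
                        "confirm the distribution has backported the fix")
    mods = loaded_modules(state.proc_modules)
    if "nf_tables" in mods:
        findings.append("nf_tables is loaded; blocklist it if nftables is not in use "
                        "(only possible when built as a module, not compiled in)")
    if not userns_restricted(state.sysctls):
        findings.append("unprivileged user namespaces are enabled; set one of "
                        + " or ".join(f"{k}={v}" for k, v in SYSCTL_HARDENING.items()))
    if not state.lkrg_loaded and not (LKRG_MODULES & mods):
        findings.append("LKRG is not loaded (optional mitigation; may cause instability)")
    return findings


def read_live_state() -> HostState:
    """Collect the inputs from the running host (Linux only)."""
    import os
    sysctls = {}
    for name in SYSCTL_HARDENING:
        path = "/proc/sys/" + name.replace(".", "/")
        if os.path.exists(path):
            with open(path) as fh:
                sysctls[name] = fh.read().strip()
    with open("/proc/modules") as fh:
        modules = fh.read()
    return HostState(os.uname().release, modules, sysctls)


if __name__ == "__main__":
    for line in audit(read_live_state()) or ["no findings"]:
        print("-", line)
```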

Security experts and community commentators highlight both the significance and scope of the risk. The flaw enables threat actors to achieve root-level system takeover—compromising defenses, altering files, moving laterally within networks, and exfiltrating sensitive data. 

Its effects are especially critical in server and enterprise contexts (where vulnerable kernel versions are widely deployed) rather than typical desktop Linux environments. For context, a security researcher known as 'Notselwyn' published a proof-of-concept exploit in March 2024 that clearly demonstrates effective privilege escalation on kernel versions 5.14 through 6.6, broadening attack feasibility for cybercriminals.

Immutability in Linux distributions (such as ChromeOS, Fedora Kinoite) is noted as a partial defense, limiting exploit persistence but not fully mitigating in-memory or user-data targeting attacks. CISA stresses following vendor-specific instructions for mitigation and, where remedies are unavailable, discontinuing product use for guaranteed safety. 

Community debate also reflects persistent frustration at slow patch adoption and challenges in keeping kernels up to date across varied deployment environments. The ongoing exploitation—as confirmed by CISA—underscores the critical need for timely patching, rigorous access controls, and awareness of Linux privilege escalation risks in the face of escalating ransomware threats.

Attackers Exploit Critical Windows Server Update Services Flaw After Microsoft’s Patch Fails

Cybersecurity researchers have warned that attackers are actively exploiting a severe vulnerability in Windows Server Update Services (WSUS), even after Microsoft’s recent patch failed to fully fix the issue. The flaw, tracked as CVE-2025-59287, impacts WSUS versions dating back to 2012.

Microsoft rolled out an emergency out-of-band security update for the vulnerability on Thursday, following earlier attempts to address it. Despite this, several cybersecurity firms reported active exploitation by Friday. However, Microsoft has not yet officially confirmed these attacks.

This situation highlights how quickly both cyber defenders and adversaries respond to newly disclosed flaws. Within hours of Microsoft’s emergency patch release, researchers observed proof-of-concept exploits and live attacks targeting vulnerable servers.

“This vulnerability shows how simple and trivial exploitation is once an attack script is publicly available,” said John Hammond, principal security researcher at Huntress, in an interview with CyberScoop. “It’s always an attack of opportunity — just kind of spray-and-pray, and see whatever access a criminal can get their hands on.”

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the latest patch and adhere to Microsoft’s mitigation steps.

A Microsoft spokesperson confirmed the re-release of the patch, explaining: “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.” Microsoft did not specify when or how it discovered that the previous patch was insufficient.

According to Shadowserver, over 2,800 instances of WSUS with open ports (8530 and 8531) are exposed to the internet — a necessary condition for exploitation. Approximately 28% of these vulnerable systems are located in the United States.

“Exploitation of this flaw is indiscriminate,” warned Ben Harris, founder and CEO of watchTowr. “If an unpatched Windows Server Update Services instance is online, at this stage it has likely already been compromised. This isn’t limited to low-risk environments — some of the affected entities are exactly the types of targets attackers prioritize.”

Huntress has observed five active attack cases linked to CVE-2025-59287. Hammond explained that these incidents mostly involve reconnaissance activities — such as environment mapping and data exfiltration — with no severe damage observed so far. However, he cautioned that WSUS operates with high-level privileges, meaning successful exploitation could fully compromise the affected server.

The risk, Hammond added, could escalate into supply chain attacks, where adversaries push malicious updates to connected systems. “Some potential supply-chain shenanigans just opening the door with this opportunity,” he said.

Experts from Palo Alto Networks’ Unit 42 echoed the concern. “By compromising this single server, an attacker can take over the entire patch distribution system,” said Justin Moore, senior manager of threat intel research at Unit 42. “With no authentication, they can gain system-level control and execute a devastating internal supply chain attack. They can push malware to every workstation and server in the organization, all disguised as a legitimate Microsoft update. This turns the trusted service into a weapon of mass distribution.”

Security researchers continue to emphasize that WSUS should never be exposed to the public internet, as attackers cannot exploit the flaw in instances that restrict external access.

Microsoft deprecated WSUS in September, stating that while it will still receive security support, it is no longer under active development or set to gain new features.

Critical Oracle Suite Flaw Actively Exploited; CISA Orders Urgent Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers are actively exploiting a critical server-side request forgery (SSRF) vulnerability, CVE-2025-61884, in Oracle E-Business Suite's Configurator runtime component. Federal agencies have been directed to patch this flaw by November 10, 2025, as it is now listed in CISA’s Known Exploited Vulnerabilities catalog.

CVE-2025-61884, which carries a severity rating of 7.5, allows attackers to gain unauthorized access to sensitive data, or even full access to all Oracle Configurator data. Oracle first disclosed the vulnerability on October 11, 2025, but did not initially confirm exploitation, despite evidence that the exploit had been leaked by the threat actors ShinyHunters and Scattered Lapsus$ in July. The patch fixes the SSRF flaw by validating the attacker-supplied "return_url" parameter and blocking the request if validation fails.

In early October, cybersecurity firm Mandiant disclosed that the Clop ransomware group had been extorting organizations using Oracle E-Business Suite zero-day flaws. Oracle responded by stating that Clop had exploited vulnerabilities patched in July. On October 3, ShinyHunters leaked an exploit for Oracle EBS, which was later linked to Clop. Oracle then disclosed CVE-2025-61882, a separate flaw, patched in response to August attacks that targeted the /OA_HTML/SyncServlet endpoint.
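As an added illustration of the class of fix described above (this is not Oracle's patch or code), the following Python shows an unchecked "return_url" handler beside an allow-list validator that rejects the request when validation fails. The hostname, parameter name and fallback path are assumptions for the demo.

```python
"""
Added example (illustrative, not Oracle's patch): allow-list validation of a
'return_url' request parameter, the general shape of fix for an SSRF hole where
the server fetches or follows a client-supplied URL. Shown beside the unchecked
form so the difference is visible.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumed: the hostnames under which this application is legitimately reached.
ALLOWED_HOSTS = {"ebs.example.com"}
DEFAULT_TARGET = "/OA_HTML/RF.jsp"   # assumed safe same-origin fallback


def is_safe_return_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-origin relative path or an https URL whose host is
    exactly one of allowed_hosts. Other schemes, user-info tricks, IP literals,
    non-default ports, backslashes and control characters are all rejected."""
    if not url or len(url) > 2048:
        return False
    if any(c == "\\" or ord(c) < 0x20 for c in url):
        return False
    if url.startswith("/"):
        # A same-origin path is fine; '//host/...' is protocol-relative, so refuse it.
        return not url.startswith("//")
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                   # 'https://trusted@evil/' style confusion
    host = parts.hostname              # already lower-cased by urlsplit
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False                   # never follow raw IPs (e.g. cloud metadata ranges)
    except ValueError:
        pass
    if port not in (None, 443):
        return False
    return host in allowed_hosts       # exact match: no suffix or substring matching


def vulnerable_target(params: dict) -> str:
    """The unchecked pattern: whatever the client sends is what the server uses."""
    return params.get("return_url", DEFAULT_TARGET)


def hardened_target(params: dict) -> str:
    """The validated pattern: fall back to a known-safe path when the check fails."""
    url = params.get("return_url", "")
    return url if is_safe_return_url(url) else DEFAULT_TARGET
```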

Investigations by CrowdStrike and Mandiant revealed two distinct campaigns: the July campaign exploited the SSRF flaw in /configurator/UiServlet (CVE-2025-61884), while the August campaign targeted the /OA_HTML/SyncServlet endpoint, now fixed under CVE-2025-61882. The ShinyHunters exploit leaked earlier targets the UiServlet SSRF chain, not the SyncServlet flaw.

There is confusion about why Oracle listed the ShinyHunters exploit as an indicator of compromise for CVE-2025-61882 instead of CVE-2025-61884, despite evidence pointing to the latter. Oracle has not responded to media inquiries regarding this discrepancy or the status of CVE-2025-61882 as exploited. This incident highlights the ongoing risk to organizations using Oracle E-Business Suite and underscores the urgency of timely patching and robust vulnerability management.

Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon

Chinese state-backed hacking group Flax Typhoon has been exploiting a feature within Esri’s ArcGIS software to maintain covert access to targeted systems for more than a year, according to new findings from ReliaQuest. The group, active since at least 2021 and known for espionage operations against entities in the U.S., Europe, and Taiwan, weaponized ArcGIS’s Server Object Extension (SOE) to transform the software into a webshell—essentially turning legitimate features into tools for persistent compromise.

Researchers found that the attackers targeted a public-facing ArcGIS server linked to a private backend server. By compromising the portal administrator credentials, they deployed a malicious extension that forced the system to create a hidden directory, which became their private command and control workspace. 

This extension included a hardcoded key, shielding their access from others while ensuring persistence. The hackers maintained this access long enough for the malicious file to become embedded in backup systems, effectively guaranteeing reinfection even if administrators restored the system from backups.

ReliaQuest described this as a particularly deceptive attack chain that allowed the group to mimic normal network activity, thereby bypassing typical detection mechanisms. Because the infected component was integrated into backup files, standard recovery protocols became a liability — a compromised backup meant a built-in reinfection vector. The tactic showcases Flax Typhoon’s hallmark strategy of exploiting trusted internal processes and tools rather than relying on advanced malware or sophisticated exploits.

This method is consistent with Flax Typhoon’s history of leveraging legitimate software components for espionage. Microsoft had previously documented the group’s capability to maintain long-term access to dozens of Taiwanese organizations using built-in Windows utilities and benign applications for stealth. The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based company implicated in supporting Flax Typhoon’s operations, including managing infrastructure for a major botnet dismantled by the FBI.

ReliaQuest warned that the real danger extends beyond ArcGIS or Esri’s ecosystem — it highlights the inherent risks in enterprise software that depends on third-party extensions or backend access. The researchers called the case a “wake-up call,” urging organizations to treat every interface with backend connectivity as a high-risk access point, regardless of how routine or trusted it appears.

Windows 10 Support Termination Leaves Devices Vulnerable

Microsoft has officially ended support for Windows 10, marking a major shift impacting hundreds of millions of users worldwide. Released in 2015, the operating system will no longer receive free security updates, bug fixes, or technical assistance, leaving all devices running it vulnerable to exploitation. This decision mirrors previous end-of-life events such as Windows XP, which saw a surge in cyberattacks after losing support.

Rising security threats

Without updates, Windows 10 systems are expected to become prime targets for hackers. Thousands of vulnerabilities have already been documented in public databases like ExploitDB, and several critical flaws have been actively exploited. 

Among them are CVE-2025-29824, a use-after-free bug in the Common Log File System Driver with a CVSS score of 7.8; CVE-2025-24993, a heap-based buffer overflow in NTFS marked as “known exploited”; and CVE-2025-24984, which leaks NTFS log data and has the highest EPSS score, 13.87%. 

These vulnerabilities enable privilege escalation, code execution, or remote intrusion; several have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, signaling the seriousness of the risks.

Limited upgrade paths

Microsoft recommends that users migrate to Windows 11, which features modernized architecture and ongoing support. However, strict hardware requirements mean that roughly 200 million Windows 10 computers worldwide remain ineligible for the upgrade. 

For those unable to transition, Microsoft provides three main options: purchasing new hardware compatible with Windows 11, enrolling in a paid Extended Security Updates (ESU) program (offering patches for one extra year), or continuing to operate unsupported — a risky path exposing systems to severe cyber threats.

The support cutoff extends beyond the OS. Microsoft Office 2016 and 2019 have simultaneously reached end-of-life, leaving only newer versions like Office 2021 and LTSC operable but unsupported on Windows 10. Users are encouraged to switch to Microsoft 365 or move licenses to Windows 11 devices. Notably, support for Office LTSC 2021 ends in October 2026.

Data protection tips

Microsoft urges users to back up critical data and securely erase drives before recycling or reselling devices. Participating manufacturers and Microsoft itself offer trade-in or recycling programs to ensure data safety. As cyber risks amplify and hackers exploit obsolete systems, users still on Windows 10 face a critical choice — upgrade, pay for ESU, or risk exposure in an increasingly volatile digital landscape.

Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign

The Clop ransomware gang has orchestrated a massive extortion campaign targeting Oracle E-Business Suite customers by exploiting a critical zero-day vulnerability tracked as CVE-2025-61882. The vulnerability, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated remote code execution without requiring credentials.

Beginning September 29, 2025, Clop operatives sent high-volume extortion emails to executives at numerous organizations, claiming to have stolen sensitive data from their Oracle EBS environments. However, investigations by Google Threat Intelligence Group and Mandiant revealed that active exploitation began much earlier—as early as August 9, 2025, with suspicious activity dating back to July 10, 2025. This means attackers exploited the vulnerability weeks before Oracle released a patch on October 4, 2025.

The vulnerability affects the Concurrent Processing component's BI Publisher integration within Oracle EBS, allowing attackers to execute arbitrary code and gain complete control over compromised servers. Researchers identified multiple distinct exploitation chains targeting various EBS components, including UiServlet and SyncServlet modules. The most probable attack vector involved the SyncServlet module, where attackers injected malicious XSL files into databases via the XDO Template Manager to trigger remote code execution.

The campaign involved sophisticated multi-stage malware frameworks, including GOLDVEIN.JAVA downloader and the SAGE malware family. These tools closely resemble malware families deployed during Clop's previous Cleo software compromise in late 2024, strengthening attribution to the notorious cybercrime group. Attackers successfully exfiltrated significant amounts of data from impacted organizations, affecting dozens of victims according to current assessments.

Clop, also known as TA505 or FIN11, has been active since 2019 and maintains a track record of exploiting zero-day vulnerabilities in enterprise platforms. The group previously targeted Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer systems. This latest campaign demonstrates Clop's continued focus on rapid zero-day exploitation of critical enterprise software for large-scale data extortion operations.

Oracle issued an emergency security alert on October 4, 2025, urging customers to apply the patch immediately. The FBI characterized the zero-day as "an emergency putting Oracle E-Business Suite environments at risk of full compromise". CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog and issued urgent alerts regarding active exploitation for ransomware attacks worldwide.

Cisco Firewall Vulnerabilities Leave 50,000 Devices Exposed Worldwide

Nearly 50,000 Cisco firewall devices worldwide are currently exposed to significant security risks following the disclosure of three critical vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products.

Statistics from the Shadowserver Foundation have highlighted the scale of this problem, revealing that thousands of these devices remain directly accessible via the internet and have yet to receive urgent security patches. 

The vulnerabilities, which were publicly announced on September 25, prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency patching directive, reflecting the severity and potential impact of these flaws.

The United States leads in terms of exposure, with more than 19,000 vulnerable devices identified, outpacing every other country. The United Kingdom follows with over 2,700 exposed units, while Japan, Germany, and Russia also have substantial numbers. 

Across Europe, other countries report fewer than 1,000 vulnerable devices each, but the cumulative risk remains global in scope. Shadowserver’s ongoing data collection will track mitigation efforts over the coming weeks, providing insights into how organizations respond to these urgent warnings.

Central to the threat are two particular vulnerabilities, CVE-2025-20362 and CVE-2025-20333, which have already been exploited by a highly sophisticated threat actor. This campaign has successfully targeted and breached several federal agencies along with organizations worldwide.

The nature of these vulnerabilities makes them especially dangerous: both relate to improper validation of HTTPS requests by the affected Cisco firewalls. This weakness could allow attackers to submit malicious requests that effectively bypass authentication controls, leaving affected systems open to compromise.

Specifically, CVE-2025-20362 enables attackers to access restricted VPN-related URLs that should otherwise require strong authentication, while CVE-2025-20333 allows malicious actors to execute arbitrary code with root privileges, dramatically increasing the potential for damaging network intrusions. 

In light of these dangers, U.S. federal agencies have been given until the end of Thursday to confirm with CISA that all vulnerable devices have been patched or otherwise mitigated against potential exploitation.

The urgency surrounding these vulnerabilities is underscored by the demonstrated capability of attackers and the ongoing risks to national and organizational cybersecurity worldwide. As real-time data continues to be collected, the response from security teams will be crucial in minimizing exposure and preventing future incidents related to these Cisco firewall flaws.

Critical WhatsApp Zero Click Vulnerability Abused with DNG Payload

It has been reported that attackers are actively exploiting a recently discovered vulnerability in WhatsApp's iOS application as a part of a sophisticated cyber campaign that underscores how zero-day vulnerabilities are becoming weaponised in today's cyber warfare. With the zero-click exploit identified as CVE-2025-55177 with a CVSS score of 5.4, malicious actors can execute unauthorised content processing based on any URL on a victim's device without the need for user interaction whatsoever. 

A vulnerability referred to as CVE-2025-55177 provides threat actors with a way to manipulate WhatsApp's synchronization process, so they may force WhatsApp to process attacker-controlled content during device linking when they manipulate the WhatsApp synchronization process. 

Even though the vulnerability could have allowed crafted content to be injected or disrupted services, its real danger arose when it was combined with Apple's CVE-2025-43300, another security flaw that affects the ImageIO framework, which parses image files. In addition to this, there were also two other vulnerabilities in iOS and Mac OS that allowed out-of-bounds memory writing, which resulted in remote code execution across these systems. 

The combination of these weaknesses created a very powerful exploit chain that could deliver malicious images through the incoming message of a WhatsApp message, causing infection without the victim ever having to click, tap or interact with anything at all—a quintessential zero-click attack scenario. Investigators found that the targeting of the victims was intentional and highly selective. 

In the past, WhatsApp has confirmed that it has notified fewer than 200 people about potential threats in its apps, a number that is similar to earlier mercenary spyware operations targeting high-value users. Apple has also acknowledged active exploitation in the wild and has issued security advisories concurrently. 

Researchers from Amnesty International noted that, despite initial signs suggesting limited probing of Android devices, this campaign was mainly concerned with Apple's iOS and macOS ecosystems, and therefore was focused on those two ecosystems mainly. The implications are particularly severe for businesses.

Corporate executives, legal teams, and employees with privileged access to confidential intellectual property are at risk of being spied on or exfiltrated through using WhatsApp on their work devices, which represents a direct and potentially invisible entry point into corporate data systems. 

Cybersecurity and Infrastructure Security Agency (CISA) officials say that the vulnerability was caused by an "incomplete authorisation of linked device synchronisation messages" that existed in WhatsApp for iOS versions before version 2.25.2.173, WhatsApp Business for iOS versions of 2.25.1.78, and WhatsApp for Mac versions of 2.25.21.78. 

This flaw is believed to have been exploited by researchers as part of a complex exploit chain, which was created using the flaw in conjunction with a previously patched iOS vulnerability known as CVE-2025-43300, allowing for the delivery of spyware onto targeted devices. A U.S. government advisory has been issued urging federal employees to update their Apple devices immediately because the campaign has reportedly affected approximately 200 people. 

A new discovery adds to the growing body of evidence that advanced cyber threat actors increasingly rely on chaining multiple zero-day exploits to circumvent hardened defences and compromise remote devices. In 2024, Google's Threat Analysis Group reported 75 zero-day exploits that were actively exploited, a figure that reflects how the scale of these attacks is accelerating. 

This stealthy intrusion method continues to dominate as the year 2025 unfolds, resulting in nearly one-third of all recorded compromise attempts worldwide occurring this year. It is important for cybersecurity experts to remind us that the WhatsApp incident demonstrates once more the fragility of digital trust, even when it comes to encrypting platforms once considered to be secure. 

It has been uncovered that the attackers exploited a subtle logic flaw in WhatsApp’s device-linking system, allowing them to disguise malicious content to appear as if it was originating from the user’s own paired device, according to a technical analysis.

Through this vulnerability, a specially crafted Digital Negative (DNG) file could be delivered, which, once processed automatically by the application, could cause a series of memory corruption events that would result in remote code execution. Researchers at DarkNavyOrg have demonstrated the proof-of-concept in its fullest sense, showing how an automated script is capable of authenticating, generating the malicious DNG payload, and sending it to the intended victim without triggering any security alerts. 

In order to take advantage of the exploit, there are no visible warnings, notification pop-ups, or message notifications displayed on the user's screen. This allows attackers to gain access to messages, media, microphones, and cameras unrestrictedly, and even install spyware undetected. It has been reported to WhatsApp and Apple that the vulnerability has been found, and patches have been released to mitigate the risks. 

Despite this, security experts recommend that users install the latest updates immediately and be cautious when using unsolicited media files—even those seemingly sent by trusted contacts. In the meantime, organisations should ensure that endpoint monitoring is strengthened, that mobile device management controls are enforced, and that anomalous messaging behaviour is closely tracked until the remediation has been completed. 

There is a clear need for robust input validation, secure file handling protocols, and timely security updates to prevent silent but highly destructive attacks targeting mainstream communication platforms that can be carried out against mainstream communication platforms due to the incident. Cyber adversaries have, for a long time, been targeting companies such as WhatsApp, and WhatsApp is no exception. 

It is noteworthy that despite the platform's strong security framework and end-to-end encryption, threat actors are still hunting for new vulnerabilities to exploit. Although there are several different cyberattack types, security experts emphasise that zero-click exploits remain the most insidious, since they can compromise devices without the user having to do anything. 

V4WEB Cybersecurity founder, Riteh Bhatia, made an explanation for V4WEB's recent WhatsApp advisory, explaining that it pertains to one of these zero-click exploits--a method of attacking that does not require a victim to click, download, or applaud during the attack. Bhatia explained that, unlike phishing, where a user is required to click on a malicious link, zero-click attacks operate silently, working in the background. 

According to Bhatia, the attackers used a vulnerability in WhatsApp as well as a vulnerability in Apple's iOS to hack into targeted devices through a chain of vulnerabilities. He explained to Entrepreneur India that this process is known as chaining vulnerabilities. 

Chaining vulnerabilities allows one weakness to provide entry while the other provides control of the system as a whole. Further, Bharatia stressed that spyware deployed by these methods is capable of doing a wide range of invasive functions, such as reading messages, listening through the microphone, tracking location, and accessing the camera in real time, in addition to other invasive actions. 

As a warning sign, users might notice excessive battery drain, overheating, unusual data usage, or unexpected system crashes, all of which may indicate that the user's system is not performing optimally. Likewise, Anirudh Batra, a senior security researcher at CloudSEK, stated that zero-click vulnerabilities represent the "holy grail" for hackers, as they can be exploited seamlessly even on fully updated and ostensibly secure devices without any intervention from the target, and no action is necessary on their part.

If this vulnerability is exploited effectively, attackers will be able to have full control over the targeted devices, which will allow them to access sensitive data, monitor communications, and deploy additional malware, all without the appearance of any ill effect. As a result of this incident, it emphasises that security risks associated with complex file formats and cross-platform messaging apps persist, since flaws in file parsers continue to serve as common pathways for remote code execution.

DarkNavyOrg is continuing its investigation, including into a Samsung vulnerability (CVE-2025-21043). Both WhatsApp and Apple have urged users to update their operating systems and applications immediately, and Meta confirmed that fewer than 200 users received in-app threat notifications.

Journalists, activists, and other public figures are reported to have been among the targets. Meta spokesperson Emily Westcott stressed the importance of keeping devices current and enabling WhatsApp's privacy and security features. Amnesty International has also noted possible Android infections and is investigating further.

Similar spyware operations have surfaced before, most notably in WhatsApp's 2019 lawsuit against Israel's NSO Group, which alleged that roughly 1,400 users were targeted with the Pegasus spyware later made infamous by its role in global cyberespionage. Despite sanctions and international scrutiny, such surveillance operations continue to evolve, reflecting the persistent threat posed by advanced mobile exploits.

The latest revelations highlight the need for individuals and organisations to prioritise proactive security measures over reactive ones. As zero-click exploits grow more sophisticated, the traditional boundary of digital security, which relied on user caution, is eroding rapidly: there is no link for a careful user to avoid. Organisations must maintain constant vigilance, patch quickly, and employ layered defences to protect both personal and business information.

Organisations should invest in threat intelligence, continuous monitoring, and regular mobile security audits to detect threats early. Individual users can reduce their exposure by keeping devices and applications up to date, enabling built-in privacy protections, and avoiding unnecessary third-party integrations.

The WhatsApp exploit is a reminder that even trusted, end-to-end encrypted platforms can be compromised: encryption protects messages in transit, not a device on which the attacker already has code execution. Cyber espionage is becoming a silent, targeted business, and digital trust must be reinforced through transparent processes, rapid patching, and cooperation between technology companies and regulators. Awareness and timely action remain the strongest defence against invisible intrusions.