Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilities and Exploits. Show all posts
Vulnerabilities and Exploits
Cl0p Ransomware Data Leak Korean Air Supply-Chain Attack Vulnerabilities and Exploits

Korean Air Employee Data Exposed in Cl0p Ransomware Supply-Chain Attack

 

Korean Air has acknowledged the theft of sensitive data belonging to 30,000 current and former employees in a serious data breach. The breach occurred via a supply-chain compromise at KC&D Service, the airline's former catering subsidiary. Hackers exploited a critical flaw in Oracle E-Business Suite, tracked as CVE-2025-61882, that enabled code execution remotely without requiring any user interaction or authentication to login. Cl0p ransomware operators claimed responsibility for the attack, and after ransom demands were apparently ignored, they dumped almost 500 GB of stolen archives on their dark web site. 

The intrusion occurred at KC&D, which, though it was sold to Hahn & Company in 2020, was still handling in-flight meals and duty-free services. Korean Air continues to own a 20% stake and has continued sharing employee data through KC&D's ERP server. The attackers targeted Oracle EBS versions 12.2.3 through 12.2.14 to bypass authentication and reach sensitive systems. The vulnerability was publicly disclosed in early October 2025, after initial exploitation that started in August. Although Oracle promptly released patches, the combination of late detection and widespread exposure caused data exfiltration to spread across many victims. 

The stolen information includes full names and bank account numbers, which increases the risk of identity theft, financial fraud and phishing attacks for those whose information was compromised. Importantly, no customer data, including flight records or payment information, was compromised, preventing wider impact on operations. Korean Air on Dec. 29, 2025, advised the employees to be cautious of scams and took emergency security measures, disconnecting the KC&D servers and filing a report with the Korea Internet and Security Agency (KISA).

This attack is reminiscent of the 2023 MOVEit Transfer breach conducted by Cl0p, a similar file-transfer exploit that resulted in the compromise of millions of records from hundreds of companies. Dozens of EBS victims have surfaced, including Envoy Air, Harvard University, Schneider Electric, Emerson, Cox Enterprises, Logitech, and Barts Health NHS Trust, underscoring the campaign's global scale. Cl0p, a Russia-nexus extortion group linked to FIN11, prioritizes data theft over encryption for high-value targets. 

The incident emphasizes enduring supply-chain risk in aviation and enterprise software, underscoring the importance of timely patching, third-party risk assessments, and zero-trust architectures. Korean Air Vice Chairman Woo Kee-hong confirmed full dedication to breach scoping and support for its employees in the midst of South Korea's wave of cyberattacks, which also targeted Coupang and SK Telecom in recent days. Organizations around the globe need to review their Oracle EBS exposures and keep an eye on Cl0p leak sites in order to reduce risk.
Read more »
Vulnerability
Critical Flaw Hackers MongoDB Exposure Vulnerabilities and Exploits Vulnerability

Critical MongoDB Flaw Allows Unauthenticated Memory Data Leaks

 


A critical security flaw in MongoDB could allow unauthenticated attackers to extract sensitive data directly from server memory, prompting urgent patching warnings from security researchers and the database vendor. 

The vulnerability, tracked as CVE-2025-14847, affects MongoDB’s implementation of zlib compression and exposes uninitialized heap memory to remote attackers without requiring login credentials. 

Researchers say the issue significantly lowers the barrier for exploitation and could lead to large scale data leaks if left unaddressed. According to security analyses published this week, the flaw exists in MongoDB’s network message decompression logic. By sending specially crafted network packets, an attacker can trigger MongoDB servers to return fragments of memory that were never intended to be shared. 

This memory may contain sensitive information such as user data, credentials, cryptographic material or internal application secrets. The vulnerability impacts a broad range of MongoDB versions across several major releases. 

Affected versions include MongoDB 8.2.0 through 8.2.2, 8.0.0 through 8.0.16, 7.0.0 through 7.0.27, 6.0.0 through 6.0.26, 5.0.0 through 5.0.31 and 4.4.0 through 4.4.29. Older branches including versions 4.2, 4.0 and 3.6 are also affected and do not have backported fixes. 

MongoDB has released patched versions to address the issue, including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30. Security teams are being urged to upgrade immediately, particularly for servers exposed to the internet or reachable through internal network movement. 

For organizations unable to patch right away, MongoDB has recommended temporary mitigations. These include disabling zlib compression in the database configuration or switching to alternative compression algorithms such as Snappy or Zstandard. 

Administrators are also advised to close unused ports and restrict network access to MongoDB instances wherever possible. Technical reviews of the fix show that the vulnerability stemmed from incorrect handling of buffer sizes during decompression. 

The original code returned the size of allocated memory rather than the actual length of decompressed data, leading to unintended memory disclosure. 

The patch corrects this behavior by ensuring only valid data lengths are returned. Security researchers warn that while exploiting the flaw to extract large volumes of meaningful data may require repeated requests over time, the risk increases the longer a vulnerable server remains exposed. Any MongoDB deployment handling sensitive or regulated data is considered at elevated risk.
Read more »
workflow automation security
Arbitrary code execution CVE-2025-68613 n8n security flaw n8n vulnerability Vulnerabilities and Exploits workflow automation security

Critical n8n Vulnerabilty Enables Arbitrary Code Execution, Over 100,000 Instances at Risk

 


A severe security flaw has been identified in the n8n workflow automation platform that could allow attackers to run arbitrary code in specific scenarios. The vulnerability, assigned CVE-2025-68613, has been rated 9.9 on the CVSS scale, highlighting its critical severity. 

The issue was discovered and responsibly disclosed by security researcher Fatih Çelik. According to npm data, the affected package sees approximately 57,000 downloads each week.

"Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime," the maintainers of the npm package said

"An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations."

The vulnerability impacts all n8n versions starting from 0.211.0 up to, but not including, 1.120.4. The issue has been resolved in releases 1.120.4, 1.121.1, and 1.122.0. Data from attack surface management firm Censys indicates that as of December 22, 2025, around 103,476 n8n instances could still be exposed. Most of these potentially vulnerable deployments are based in the United States, Germany, France, Brazil, and Singapore.

Given the seriousness of the flaw, users are strongly urged to update their installations immediately. For environments where patching cannot be carried out right away, security experts recommend restricting workflow creation and editing rights to trusted users only. Additionally, deploying n8n within a hardened setup with limited operating system privileges and controlled network access can help reduce the risk of exploitation.
Read more »
Zero Click Exploit
APT28 Cloud Data Theft cyber attack GRU Hackers Malware Chain Attack Sandworm APT44 Task Scheduler Flaw Vulnerabilities and Exploits Windows Vulnerability Zero Click Exploit

Russian Threat Actors Deploy Zero-Click Exploit in High-Impact Attack on France


 

The end of 2025 and global cybersecurity assessments indicated that one of the most formidable state-aligned hacking units in Russia has changed its tactics significantly. It has been widely reported that state-sponsored threat actors linked to the GRU's cyber-operations arm, widely known by various nicknames such as Sandworm, APT44, and Microsoft's Seashell Blizzard cluster, are recalibrating their approach with noticeable precision as they approach their target market. 

A group that once was renowned for exploiting zero-day vulnerabilities and newly disclosed ones with high-profile and disruptive effects, the group has now shifted into a quieter, yet equally strategic approach, systematically targeting weaknesses resulting from human and network misconfigurations rather than exploits resulting from cutting-edge techniques.

The analysis published by Amazon Threat Intelligence, based on findings obtained by Amazon’s Threat Intelligence division, illustrates this shift, revealing that the cluster is increasingly concentrating on exploiting incorrectly configured network edge devices, suggesting a deliberate move away from overt zero-day or zero-n-day intrusion techniques to the use of sustained reconnaissance and exploitation of exposed infrastructure at the digital perimeter, signaling an intentional shift away from overt zero-day or n-day intrusion techniques. 

An intrusion campaign that lasted only a few weeks, but was exceptionally powerful, was uncovered in early October by investigators attributed to RomCom, a Russia-connected advanced persistent threat group that has also been identified by Storm 0978, Tropical Scorpius, and UNC2596. 

The ESET cybersecurity researchers found malicious files on a Russian-managed server on October 8, and they traced the availability of these malicious files back to October 3, just five days before they were discovered by the researchers. 

The technical analysis revealed that both of these files exploited two previously unknown zero-day vulnerabilities, one of which affected Mozilla browsers used both in Firefox and Tor environments, while the other was targeted at a Windows operating system vulnerability. 

By combining these weaknesses, it became possible for RomCom to deliver a silent backdoor to any device accessing a compromised website without the visitor interacting with them, consenting to them, or even clicking a single button. 

Although attackers initially had the capability of executing arbitrary code globally on a global scale, the exposure window remained narrow even though attackers had the capability. Romain Dumont, a malware researcher for ESET, noted that while the operation was constrained by quick defensive actions, highlighting that even though the vulnerabilities were severe, they were patched within days, sharply limiting the likelihood of mass compromises occurring. 

A deliberate and multilayered attack chain was used to perpetrate the intrusion in a manner that was designed for both reach and discretion. It was the first part of the campaign where a browser-level vulnerability was exploited to gain access to a target computer by invoking it, and this setup created the conditions for a secondary breach that was made possible via a critical flaw within the Windows Task Scheduler service known as CVE-2024-49039. 

An insufficient ability to handle permissions enabled malicious tasks to execute without being detected by security prompts or requiring the user's consent. As a result of linking the two vulnerabilities, the attackers were able to achieve a zero-click compromise by granting complete system control when a victim loaded a booby-trapped webpage, eliminating traditional interaction-based warnings. 

There is a concealed PowerShell process in the payload that connects to a remote command server, downloads malware and deploys it aggressively in rapid succession, so the infection timeline can be compressed to near on-the-spot execution as a result. 

As researchers noted, the initial distribution vector of the attack is unclear, but the operational design strongly emphasized automation, persistence, and a minimal forensic footprint, which reduced visible indications of compromise and complicated the investigation of the incident afterward.

There has been a continuous coordination of Russian-aligned cyber units across geopolitical targets during the same monitoring period, with the country of Ukraine experiencing most sustained pressure during the period. 

Despite the fact that Gamaredon appears to have been linked with Russia's Federal Security Service and has been tracked by several security indices such as Primitive Bear, UNC530, and Aqua Blizzard, it continues to be the most active hacker targeting Ukrainian government networks. As well as improving malware obfuscation frameworks, the group deployed a cloud-enabled file stealer called PteroBox that used legitimate services like Dropbox to extract data. 

Fancy Bear, a cyber-intelligence division of the GRU reportedly responsible for APT28, expanded Operation RoundPress at the same time, refining its exploitation of cross-site scripting vulnerabilities within webmail platforms. 

The attacker leveraged the zero-day vulnerability in the MDaemon Email Server (CVE-2024-11182) to exploit the penetration of Ukrainian private-sector systems using a zero-day exploit. One of the clusters linked to GRU, Sandworm, was also indexed under APT44 and has traditionally been associated with disruptive campaigns that targeted Ukrainian energy infrastructure, exploiting weaknesses in Active Directory Group Policies, which enabled it to deploy ZEROLOT, a new tool designed to destroy networks. A parallel investment in high-impact exploit development was demonstrated at RomaCom, a company operating within a broader Russian-aligned threat ecosystem.

It chained zero-day vulnerabilities across widely used software platforms, including Firefox and Windows, confirming that zero-interaction intrusion methods are gaining traction, reinforcing the trend toward zero-interaction intrusion methods. In addition to putting these operations into a global context, ESET’s intelligence reports also identified persistent activity from state-backed groups in the context of the operations. 

APT actors aligned with China, such as Mustang Panda, have continued a campaign against governments and maritime transportation companies by using Korplug loaders and weaponized USB vectors, while PerplexedGoblin has deployed the NanoSlate espionage backdoor against a government network in Central Europe.

The operations of North Korea-aligned threat actors, such as Kimsuky and Konni, increased significantly in early 2025 after a temporary decline in late 2024 as they shifted their attentions from South Korean institutions to in-country diplomatic personnel. Andariel reappeared after nearly a year of being out of the game, when an industrial software provider in South Korea was breached, while DeceptiveDevelopment continued to conduct social engineering operations to spread the multi-platform WeaselStore malware.

This led to the spreading of fraudulent cryptocurrency and finance job postings, which enabled the malware to be distributed on multiple platforms. The APT-C-60 group also uploaded to VirusTotal in late February 2025 a VHDX archive containing an encrypted downloader and a malicious shortcut, which is internally called RadialAgent and uploaded through a Japan-based submission to the web security company. 

ESET's leadership explained that the disclosures were only a small portion of the intelligence data gathered during that period, however they did represent a broad tactical trajectory that was reflected in the disclosures. To increase the effectiveness of their operations, threat actors have increasingly prioritized stealth, infrastructure exposure, malware modularity, and long-range intrusion campaigns that align with active geopolitical fault lines in order to increase their operational efficiency. 

It remains unclear how the exploit chain is likely to impact the victims as well as the precise scope of damages caused. The identities of the victims who may have been affected remain unclear. This underscores the difficulty of uncovering campaigns that are designed for speed and opacity. 

A pronounced concentration of targets has been observed across North America and Europe based on ESET's telemetry. Investigators have been able to confirm this based on ESET's telemetry. The Czech Republic, France, Germany, Poland, Spain, Italy, and the United States are among the notable clusters, and New Zealand and French Guiana have been identified as having a smaller number of dispersed cases. 

There was no evidence of compromise among any of the victims tracked by ESET that had used the Tor browser even though the exploit theoretically was capable of reaching users accessing the web from privacy-hardened environments. According to Damien Schaeffer, a senior malware researcher at ESET, it may have been the configuration differences between Tor and standard Firefox, particularly the default permission settings, that disrupted the exploit's execution path, an idea that is reinforced by the target profile of the exploit. 

In the period between RomCom's activities and the period after it, it seemed that its activities were focused primarily on corporate networks and commercial infrastructure, environments that tended not to use Tor, limiting the exploit's viability in those channels. The two vulnerabilities in the chain, Mozilla's CVE-2024-9680 and Windows Task Scheduler's CVE-2024-49039, were remediated and fixed since then. In the case of the attack, the payload was triggered by a permissions error in the Windows Task Scheduler service that caused it to connect to a remote command server and retrieve malicious software without generating security prompts or requiring the user to authorize the process. 

This allowed the attack to execute. Infections had a consistent exposure point - loading a compromised or counterfeit website - which led to the deployment sequence running to completion within seconds. There were very few observable indicators and it was very difficult to detect an endpoint once the infection had been installed. In the middle of October, Mozilla released browser patches for Firefox and Tor, followed by a Thunderbird security update on October 10. 

The vulnerability disclosure was received about 25 hours after Thunderbird's security update was released. A Microsoft security update on Windows was released on Nov. 12, which effectively ended the exploit chain, effectively severing any systemic exposure before it could be widespread. 

As researchers have acknowledged, the original distribution vector used in seeding the infected URLs has yet to be identified, further raising concerns about the group's preference for automated campaigns over traceability campaigns. 

It is important to note that even though the operation was ultimately limited by the rapid vendor response, cybersecurity specialists continue to emphasize the importance of routinely verifying software updates and to urge users and businesses to ensure that all necessary browser patches are applied. Additionally, industry experts are advocating a more rigorous validation of digital touchpoints, particularly in corporate environments, warning that infrastructure exposure, rather than novelty software, is increasingly becoming the weakest link in high-impact intrusion chains, which, if not removed, will lead to increased cyber-attacks. 

As 2025 dawned on us, a stark reminder was in front of us that today's cyber conflict is no longer simply defined by the discovery of rare vulnerabilities, but by the strategic exploitation of overlooked ones, as well. In spite of the fact that RomCom and the broader Russia-aligned threat ecosystem have been implicated in a number of incidents, operational success has become increasingly dependent on persistence, infrastructure visibility, and abuse of trust - whether through network misconfiguration, poisoned policy mechanisms, or malware distribution without interaction. 

There has been a limited amount of disruption since Mozilla and Microsoft released their patches, but there remains some uncertainty around initial link distribution, victim identification, and possible data impact, which illustrates a broader truth: even short access to powerful exploit chains can have lasting consequences that go far beyond their lifetime. 

There is a growing awareness among security experts that defense must evolve at the same pace as offense, so organizations should implement layered intrusion monitoring systems, continuous endpoint behavior analyses, stricter identity policy audits, and routinely verifying the integrity of software as a replacement for updating only providing security. 

A greater focus on the external digital assets, supply chains, and risks of cloud exfiltration will be critical in the year to come. As a result of the threat landscape in 2025, there is clear evidence that resilience can be built not only by applying advanced tools, but also through disciplined configuration hygiene, rapid incident transparency, and an attitude towards security that anticipates rather than reacts to compromise.
Read more »
Vulnerabilities and Exploits
API connect Authentication Bypass IBM Security Vulnerabilities and Exploits

IBM Issues Critical Alert Over Authentication Bypass Flaw in API Connect Platform



IBM has warned organizations using its API Connect platform about a severe security vulnerability that could allow unauthorized individuals to access applications remotely. The company has urged customers to apply security updates immediately to reduce the risk of exploitation.

API Connect is an enterprise-level platform designed to help organizations create, manage, and secure application programming interfaces, commonly referred to as APIs. APIs act as digital connectors that allow different software systems to communicate securely. Because these interfaces often expose internal services to external applications, business partners, and developers, they play a crucial role in modern digital operations.

IBM API Connect can be deployed in multiple environments, including on-premises infrastructure, cloud-based systems, and hybrid setups. Due to this flexibility, it is widely adopted across industries such as banking, healthcare, retail, and telecommunications, where secure data exchange is essential.

The vulnerability, identified as CVE-2025-13915, has been assigned a severity score of 9.8 out of 10, placing it in the highest risk category. According to IBM, the flaw affects API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.

At the core of the issue is a weakness in the platform’s authentication mechanism. Under certain conditions, an attacker could bypass login checks entirely and gain access to exposed applications without providing valid credentials. The attack does not require advanced technical skill or interaction from a legitimate user, which increases the potential risk.

If successfully exploited, this vulnerability could allow threat actors to reach applications that rely on API Connect as a gateway, potentially exposing sensitive systems and data. Given the role of APIs in connecting backend services, such access could have serious operational and security consequences.

IBM has released updated software versions that address the flaw and has strongly recommended that administrators upgrade affected systems as soon as possible. For organizations that are unable to deploy the updates immediately, IBM has outlined temporary mitigation steps. One key recommendation is disabling the self-service sign-up feature on the Developer Portal, which can reduce exposure until a full fix is applied.

The company has also provided detailed guidance for installing the updates across different environments, including VMware, OpenShift Container Platform, and Kubernetes-based deployments.

While IBM has not confirmed active exploitation of this specific vulnerability, U.S. cybersecurity authorities have previously flagged multiple IBM-related security flaws as being abused in real-world attacks. In recent years, several IBM vulnerabilities were added to the U.S. Cybersecurity and Infrastructure Security Agency’s catalog of known exploited vulnerabilities, requiring federal agencies to secure affected systems under Binding Operational Directive 22-01.

Some of those previously listed flaws were later linked to ransomware activity, underscoring the importance of addressing high-severity vulnerabilities promptly.

Security experts advise organizations using API Connect to verify their software versions, apply updates without delay, and monitor systems closely for unusual behavior. As APIs continue to form the backbone of digital services, maintaining strong authentication controls remains critical to reducing cyber risk.



Read more »
WebKit Exploit
Android Update Dangerous December iPhone Patch Vulnerabilities and Exploits WebKit Exploit

Dangerous December: Urgent Update Warning for All Android and iPhone Users

 

An emergent surge of urgent security advisories has permeated the tech sector in December, with both Google and Apple warning Android and iPhone users of critical vulnerabilities being actively exploited in the wild. Termed "Dangerous December," this time period marks a significant ramping up of the threat landscape for mobile users, as both companies have issued emergency patches to remediate vulnerabilities capable of enabling attacker control of devices through specially crafted web content or malicious image files. 

Google kicked off the month by confirming that Android devices are currently at risk due to two critical vulnerabilities being actively exploited. The company issued a rapid emergency patch for all Chrome users, so fast it was delivered before it even received an official CVE designation. The vulnerability is currently known as CVE-2025-14174 and is considered actively exploited; Google urges users to update now to avoid being compromised. 

Apple subsequently released emergency updates for iPhones, iPads, and other Apple devices to address two vulnerabilities, including CVE-2025-14174 and another identified as CVE-5-29. Both vulnerabilities are associated with the WebKit browser engine, which supports Safari and other browsers on iOS devices. Security specialists further note that browser engines have become one of the main targets for attackers, which correspondingly raises user exposure if updates are not applied in a timely manner. 

The U.S. Cybersecurity and Infrastructure Security Agency has issued a directive of its own, requiring federal employees to update Chrome and all Chromium-based browsers by January 2, or stop using them. For Apple devices, the deadline is January 5. CISA cautions that these vulnerabilities might allow remote attackers to perform out-of-bounds memory access, which may allow the attacker to take control of an affected device. 

While the attacks so far have been targeted, researchers warn that these exploits will soon become ubiquitous, which makes the need for immediate updates across all users paramount. In light of this, users of Android or iPhone devices, or any Chromium-based browser, should update their software right away to protect data and privacy. The threat is real, and any delay may expose people to sophisticated spyware and hacking attacks.
Read more »
WebKit Security Flaws
Apple Security Patches Apple Zero-Day Vulnerabilities iOS Security Update Mobile Spyware Threats Targeted Cyber Exploitation Vulnerabilities and Exploits WebKit Security Flaws

Apple Addresses Two Actively Exploited Zero-Day Security Flaws


Following confirmation that two previously unknown security flaws had been actively exploited in the wild on Friday, Apple rolled out a series of security updates across its entire software ecosystem to address this issue, further demonstrating the continued use of high-end exploit chains against some targets. This is a major security update that is being released by Apple today across a wide range of iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and the Safari browser. This fix addresses flaws that could have led attackers to execute malicious code in the past using specially crafted web content.


There are a number of vulnerabilities that are reminiscent of one of the ones Google patched earlier this week in Chrome, highlighting cross-platform vulnerability within shared graphics components. A report released by Apple indicated that at least one of the flaws may have been exploited as part of what it described as an "extremely sophisticated attack" targeting individuals who were running older versions of iOS before iOS 26, indicating that rather than an opportunistic abuse, this was a targeted exploitation campaign. 

Using a coordinated effort between Apple Security Engineering and Architecture and Google's Threat Analysis Group, the vulnerabilities were identified as CVE-2025-14174, a high severity memory corruption flaw, and as CVE-2025-43529, a use-after-free flaw. The two vulnerabilities were tracked as CVE-2025-43529, a use-after-free bug. 

In response to advanced threat activity, major vendors are continuing to collaborate together. Separately, Apple has released a new round of emergency patches after confirming that two more vulnerabilities have also been exploited in a real-world attack in a separate advisory. 

Apple has released a new update to address the flaws that could allow attackers to gain deeper control over their affected devices under carefully crafted conditions, and this update is applicable to iOS, iPadOS, macOS Sequoia, tvOS, and visionOS. 

A memory corruption issue in Apple's Core Audio framework has led to an issue named CVE-2025-31200 which could result in arbitrary code execution on a device when it processes a specially designed audio stream embedded within a malicious media file. The second issue is CVE-2025-31201. This flaw affects Apple's RPAC component, which could be exploited by an attacker with existing read and write capabilities in order to bypass the protections for Pointer Authentication.

In an attempt to mitigate the risks, Apple said it strengthened bounds checks and removed the vulnerable code path altogether. According to Apple's engineers, Google's Threat Analysis Group as well as the company's own engineers were the ones who identified the Core Audio vulnerability. According to the company's earlier disclosures, the bugs have been leveraged to launch what it calls "extremely sophisticated" attacks targeting a very specific group of iOS users. 

With the latest fix from Apple, the number of zero-day vulnerabilities Apple has patched in the past year has reached five, following earlier updates addressing actively exploited flaws in Core Media, Accessibility, and WebKit—a combination of high-risk issues that indicates a sustained focus by advanced threat actors on Apple's software stack, demonstrating that Apple's software stack has been the target of sophisticated attack actors. 

The company claims the vulnerabilities have been addressed across its latest software releases, including iOS 26.2, iOS and iPad OS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2, making sure that both current and legacy platforms are protected from these threats.

Following the disclosure, Google quietly patched a previously undisclosed Chrome zero-day that had been labelled only as a high-severity issue "under coordination" earlier in the week, which was close in nature. After updating its advisory to CVE-2025-14174, Google confirmed that the flaw is an out-of-bounds memory access bug in the ANGLE graphics layer, which was the same issue that was addressed by Apple earlier this week. 

It indicates that Google and Apple handled vulnerabilities together in a coordinated manner. In the absence of further technical insight into the attacks themselves, Apple has refused to provide any further technical information, other than to note that the attacks were directed at a single group of individuals running older versions of iOS prior to iOS 26, which can be correlated with using exploits that are spyware-grade in nature. 

Since the problems both originate in WebKit, the browser engine that runs all iOS browsers, including Chrome, the researchers believe the activity represents a narrowly targeted campaign rather than an indiscriminate exploitation of the platform. 

Even though Apple emphasised that these attacks were targeted and very specific, the company strongly urged its users to update their operating systems without delay in order to prevent any further damage to their systems. 

Apple has patched seven zero-day vulnerabilities during 2025 with these updates. There have been a number of exploits that have been addressed in the wild throughout the year, from January and February until April, as well as a noteworthy backport that was implemented in September that provided protection against CVE-2025-43300 on older iPhone and iPad models still running iOS or iOSOS 15 and 16.

Apple's platforms have increasingly been discovered to be a high-value target for well-resourced threat actors, with the capability of exploiting browser and system weaknesses in a way that allows them to reach carefully selected victims using a chain of attacks on the platforms. 

It is evident that the company's rapid patching cadence, along with coordinated efforts with external researchers, indicates the company's maturing response to advanced exploitation; however, the frequency of zero-day fixes this year highlights the importance of timely updates across all supported devices in order to safeguard consumers.

Specifically, security experts recommend that users, especially those who perform high risk functions like journalists, executives, and public figures, enable automatic updates, limit the amount of untrusted web content they view, and review device security settings in order to reduce potential attack surfaces. 

Enterprises that manage Apple hardware at scale should also accelerate patch deployments and keep an eye out for signs of compromise associated with WebKit-based attacks. A growing number of targeted surveillance tools and commercial spyware continue to emerge, and Apple’s latest fixes serve to remind us of the fact that platform security is more of a process than it is a static guarantee. 

For a company to stay ahead of sophisticated adversaries, collaboration, transparency, and user awareness are increasingly critical to ensuring platform security.
Read more »
Vulnerabilities and Exploits
code execution Ivanti EPM Remote Exploit Security flaw Vulnerabilities and Exploits

Ivanti Flags Critical Endpoint Manager Flaw Allowing Remote Code Execution

 

Ivanti is urging customers to quickly patch a critical vulnerability in its Endpoint Manager (EPM) product that could let remote attackers execute arbitrary JavaScript in administrator sessions through low-complexity cross-site scripting (XSS) attacks.The issue, tracked as CVE-2025-10573, affects the EPM web service and can be abused without authentication, but does require some user interaction to trigger.

The flaw stems from how Ivanti EPM handles managed endpoints presented to the primary web service. According to Rapid7 researcher Ryan Emmons, an attacker with unauthenticated access to the EPM web interface can register bogus managed endpoints and inject malicious JavaScript into the administrator dashboard. Once an EPM administrator views a poisoned dashboard widget as part of routine use, the injected code executes in the browser, allowing the attacker to hijack the admin session and act with their privileges.

Patch availability and exposure

Ivanti has released EPM 2024 SU4 SR1 to remediate CVE-2025-10573 and recommends customers install this update as soon as possible. The company stressed that EPM is designed to operate behind perimeter defenses and not be directly exposed to the public internet, which should lower practical risk where deployments follow guidance.However, data from the Shadowserver Foundation shows hundreds of Ivanti EPM instances reachable online, with the highest counts in the United States, Germany, and Japan, significantly increasing potential attack surface for those organizations.

Alongside the critical bug, Ivanti shipped fixes for three other high‑severity vulnerabilities affecting EPM, including CVE-2025-13659 and CVE-2025-13662. These two issues could also enable unauthenticated remote attackers to execute arbitrary code on vulnerable systems under certain conditions. Successful exploitation of the newly disclosed high‑severity flaws requires user interaction and either connecting to an untrusted core server or importing untrusted configuration files, which slightly raises the bar for real-world attacks.

Threat landscape and prior exploitation

Ivanti stated there is currently no evidence that any of the newly patched flaws have been exploited in the wild and credited its responsible disclosure program for bringing them to light. Nonetheless, EPM vulnerabilities have been frequent targets, and U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly added Ivanti EPM bugs to its catalog of exploited vulnerabilities. In 2024, CISA ordered federal agencies to urgently patch multiple Ivanti EPM issues, including three critical flaws flagged in March and another actively exploited vulnerability mandated for remediation in October.
Read more »
Web security
Browser Vulnerability cross-origin data leak CSS security flaw Lyra Rebane research SVG clickjacking Vulnerabilities and Exploits Web security

New SVG-Based Clickjacking Technique Exposes Cross-Origin Data Through CSS Filters

 

Security researcher Lyra Rebane has developed a new type of clickjacking attack that cleverly exploits Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to bypass traditional web protections.

Rebane first showcased this discovery during BSides Tallinn in October and has since released a technical breakdown of the method. The attack takes advantage of a little-known behavior where SVG filters can inadvertently expose cross-origin information—directly undermining the web’s same-origin policy.

Clickjacking, also known as a user interface redress attack, involves deceiving users into performing unintended actions by visually manipulating interface elements. The concept, introduced in 2008 by security researchers Jeremiah Grossman and Robert Hansen, was originally described as a technique for redirecting mouse clicks to malicious targets such as hidden buttons or form inputs.

Over the years, browsers have implemented numerous defenses to prevent such attacks. OWASP highlights common safeguards such as blocking page rendering within frames via X-Frame-Options or CSP frame-ancestors, limiting cookie access inside frames, and using JavaScript frame-busting scripts. Even with these protections, new variants continue to appear—most recently, last year’s cross-window forgery technique.

Rebane’s discovery began while she was experimenting with recreating Apple’s Liquid Glass distortion effect using SVG filters and CSS. Once she successfully replicated the effect, she noticed that when embedded inside an iframe, her SVG/CSS implementation could detect pixel data from the page beneath it—effectively accessing information from another origin.

She told The Register that previous attempts using SVG for cross-origin attacks exist, citing Paul Stone’s “Perfect Pixel Timing Attacks With HTML” and Ron Masas’s “The Human Side Channel”. But, as Rebane stated, "I don't think anyone else has run logic on cross-origin data the way I have."

Her write-up details how she used SVG filters to construct logic gates capable of processing webpage pixels using arbitrary computation—enabling a clickjacking method that would be extremely difficult to achieve with other tools.

According to Rebane, "By using feBlend and feComposite, we can recreate all logic gates and make SVG filters functionally complete. This means that we can program anything we want, as long as it is not timing-based and doesn't take up too many resources."

To demonstrate the risks, Rebane created a proof-of-concept that extracts text from Google Docs. Her attack overlays a “Generate Document” button on a popup. When clicked, the underlying script identifies the popup and shows a CAPTCHA-style textbox. Once submitted, the attacker-controlled interface secretly feeds a suggested Google Docs file name into a hidden textbox. While typical framing restrictions would prevent this, Google Docs allows itself to be embedded, making the attack viable.

Rebane noted that this is common among services intended for embedding—such as YouTube videos, social widgets, maps, payment systems, comment modules, and advertisements. Some services also unintentionally permit framing by failing to include protective headers, which is frequently seen in API endpoints.

Beyond iframe scenarios, Rebane explained that the technique can also be adapted for sites vulnerable to HTML injection.

She said, "There's a vulnerability class known as XSS which involves injecting HTML on websites through various means to execute malicious JavaScript." With CSP now blocking many forms of unsafe JavaScript, attackers look for alternatives. In such cases, "CSS is the next best thing to use, and it can be used for many kinds of interesting attacks," she added, arguing that CSS itself behaves like a programming language. "SVG clickjacking is one of the many attacks that could be used there."

Although the method does not fundamentally overhaul existing web security principles, it significantly lowers the complexity required to execute advanced attack chains.

Google awarded Rebane a $3,133.70 bug bounty for reporting the flaw. She noted that the issue remains unresolved and may not even be classified as a browser bug, adding that Firefox and other browsers are affected as well.

Rebane also pointed out potential mitigations—highlighting the Intersection Observer v2 API, which can detect when an SVG filter is positioned above an iframe.

Google has yet to comment on the matter. A related Chromium bug originating from earlier timing attacks has been closed with a “won’t fix” status.
Read more »
Vulnerability
cyber attack React2Shell Vulnerabilities and Exploits Vulnerability

React2Shell Exploited Within Hours as Firms Rush to Patch

 

Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public. 

The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers. 

The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems. 

AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia. 

Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware. 

AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers. 

Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems. 

A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages. 

The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix. 

Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default. 

Cybersecurity firms and cloud providers are urging organizations to take action immediately: 


  1. Apply official patches for React, Next.js and related RSC frameworks.
  2. Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
  3. Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.

Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 
Read more »
Vulnerabilities and Exploits
AI Cloud Data Next.js React Server Vulnerabilities and Exploits

Critical Vulnerabilities Found in React Server Components and Next.js


Open in the wild flaw

The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog after exploitation in the wild.

The flaw CVE-2025-55182 (CVSS score: 10.0) or React2Shell hints towards a remote code execution (RCE) that can be triggered by an illicit threat actor without needing any setup. 

Remote code execution 

According to the CISA advisory, "Meta React Server Components contains a remote coThe incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groupsde execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints."

The problem comes from unsafe deserialization in the library's Flight protocol, which React uses to communicate between a client and server. It results in a case where an unauthorised, remote hacker can deploy arbitrary commands on the server by sending specially tailored HTTP requests. The conversion of text into objects is considered a dangerous class of software vulnerability. 

About the flaw

 "The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization," said Martin Zugec, technical solutions director at Bitdefender.

The incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groups such as Jackpot Panda and Earth Lamia. "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," AWS said.

Attack tactic 

Few attacks deployed cryptocurrency miners and ran "cheap math" PowerShell commands for successful exploitation. After that, it dropped in-memory downloaders capable of taking out extra payload from a remote server.

According to Censys, an attack surface management platform, 2.15 million cases of internet-facing services may be affected by this flaw. This includes leaked web services via React Server Components and leaked cases of frameworks like RedwoodSDK, React Router, Waku, and Next.js.

According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.


Read more »
Zero Day
CVE exploits LNKs Microsoft Vulnerabilities and Exploits Windows Zero Day

Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, pertains to how Windows accesses and displays the "Target" field of a shortcut file. The attackers found that they could fill the Target field with big sets of blank spaces, followed by malicious commands. When a user looks at a file's properties, Windows only displays the first part of that field. The malicious command remains hidden behind whitespace, making the shortcut seem innocuous.

These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.

This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it pop up with a special warning when an unusually long command is present. It merely provides full visibility to users, which may make suspicious content more easily identifiable for the more cautious users.

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is more a matter of visibility than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and pops up a warning before allowing a potentially suspicious shortcut to open. This more strict treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by refraining from taking shortcuts coming from unfamiliar sources, especially those that are wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.

However, as the exploitation of CVE-2025-9491 continues to manifest in targeted attacks, the updated Windows behavior, user awareness, and security controls are layered together for the best defense for now. 

Read more »
Vulnerabilities and Exploits
AI API Business Security GitHub Tokens Vulnerabilities and Exploits

65% of Top AI Companies Leak Secrets on GitHub

 

Leading AI companies continue to face significant cybersecurity challenges, particularly in protecting sensitive information, as highlighted in recent research from Wiz. The study focused on the Forbes top 50 AI firms, revealing that 65% of them were found to be leaking verified secrets—such as API keys, tokens, and credentials—on public GitHub repositories. 

These leaks often occurred in places not easily accessible to standard security scanners, including deleted forks, developer repositories, and GitHub gists, indicating a deeper and more persistent problem than surface-level exposure. Wiz's approach to uncovering these leaks involved a framework called "Depth, Perimeter, and Coverage." Depth allowed researchers to look beyond just the main repositories, reaching into less visible parts of the codebase. 

Perimeter expanded the search to contributors and organization members, recognizing that individuals could inadvertently upload company-related secrets to their own public spaces. Coverage ensured that new types of secrets, such as those used by AI-specific platforms like Tavily, Langchain, Cohere, and Pinecone, were included in the scan, which many traditional tools overlook.

The findings show that despite being leaders in cutting-edge technology, these AI companies have not adequately addressed basic security hygiene. The researchers disclosed the discovered leaks to the affected organisations, but nearly half of these notifications either failed to reach the intended recipients, were ignored, or received no actionable response, underscoring the lack of dedicated channels for vulnerability disclosure.

Security Tips 

Wiz recommends several essential security measures for all organisations, regardless of size. First, deploying robust secret scanning should be a mandatory practice to proactively identify and remove sensitive information from codebases. Second, companies should prioritise the detection of their own unique secret formats, especially if they are new or specific to their operations. Engaging vendors and the open source community to support the detection of these formats is also advised.

Finally, establishing a clear and accessible disclosure protocol is crucial. Having a dedicated channel for reporting vulnerabilities and leaks enables faster remediation and better coordination between researchers and organisations, minimising potential damage from exposure. The research serves as a stark reminder that even the most advanced companies must not overlook fundamental cybersecurity practices to safeguard sensitive data and maintain trust in the rapidly evolving AI landscape.
Read more »
zero Day vulnerability
firmware Hardware router Vulnerabilities and Exploits WiFi zero Day vulnerability

Should You Still Trust Your Router? What Users Need to Know and How to Secure Home Wi-Fi today

 



Public discussion in the United States has intensified around one of the country’s most widely purchased home router brands after reports suggested that federal agencies are considering restrictions on future sales. The conversation stems from concerns about potential national security risks and the possibility of foreign influence in hardware design or data handling. While the company firmly denies these allegations, the ongoing scrutiny has encouraged many users to reassess the safety of their home Wi-Fi setup and understand how to better protect their networks.


Why the issue surfaced

The debate began when officials started examining whether equipment manufactured by the company could expose American networks to security risks. Investigators reportedly focused on the firm’s origins and questioned whether foreign jurisdictions could exert influence over product development or data processes.

The company has rejected these claims, saying its design, security functions, and oversight structures operate independently and that its leadership teams within the United States manage core product decisions. It maintains that no government has the ability to access or manipulate its systems.


Common router vulnerabilities users should understand

Even without the broader policy debate, home routers are frequently targeted by attackers, often through well-known weaknesses:

Hardware-level risks. In rare cases, security issues can originate in the physical components themselves. Malicious implants or flawed chips can give attackers a hidden entry point that is difficult for users to detect without specialized tools.

Unpatched security gaps. Zero-day vulnerabilities are flaws discovered by attackers before the manufacturer has prepared a fix. Some older or discontinued models may never receive patches, leaving users exposed for the long term.

Outdated firmware. Firmware updates serve the same purpose as software updates on phones and computers. Without them, routers miss critical security improvements and remain vulnerable to known exploits.

Botnets. Compromised routers are often absorbed into large collections of infected devices. These groups of hijacked systems are then directed to launch attacks, spread malware, or steal information.

Weak login credentials. Many intrusions occur simply because users keep the default administrator username and password. Attackers run automated tools that test the most common combinations in an attempt to break in.

Exposed remote settings. Some routers allow remote control panels to be accessed from outside the home network. If these remain active or are protected with simple passwords, attackers can quietly enter the system.

Outdated Wi-Fi encryption. Older wireless standards are easy for attackers to crack. Weak encryption allows outsiders to intercept traffic or join the network without permission.


How to strengthen your home network today

Any user can substantially improve their router’s security by following a few essential steps:

1. Change default passwords immediately. Use strong, unique credentials for both the router’s control panel and the Wi-Fi network.

2. Check for firmware updates regularly. Install every available update. If your device no longer receives support, replacement is advisable.

3. Enable the built-in firewall. It acts as the first barrier between your home network and outside threats.

4. Turn off remote management features. Only leave such functions active if you clearly understand them and require them.

5. Use modern Wi-Fi encryption. Choose WPA3 whenever your device supports it. If not, use the most up-to-date option available.

6. Consider a trusted VPN. It adds an extra layer of protection by encrypting your online activity.

7. Upgrade aging hardware. Older models often lack modern protections and may struggle to handle security patches or stable performance.


What users should do now

A potential restriction on any router brand is still under government review. For now, users should focus on ensuring their own devices are secured and updated. Strengthening home Wi-Fi settings, using current security practices, and replacing unsupported hardware will offer the most immediate protection while the situation continues to escalate. 


Read more »
Zero-Day Vulnerabilities
chain attacks Cyble report October cyber threats Ransomware Groups SaaS provider attacks software supply Vulnerabilities and Exploits Zero-Day Vulnerabilities

Software Supply Chain Attacks Surge to Record Highs in October, Driven by Zero-Day Flaws and Ransomware Groups

 

Software supply chain intrusions reached an unprecedented peak in October, surpassing previous monthly records by more than 30%, according to new research.

Cyble revealed in a blog post that threat actors on dark-web leak forums claimed 41 supply chain attacks in October—10 more than the earlier high recorded in April 2025. The report notes that supply chain incidents have more than doubled since April, with an average of 28 attacks per month, compared to the monthly average of 13 from early 2024 through March 2025. Cyble attributed the escalation to multiple factors.

The sharp rise has been fueled primarily by a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” Cyble wrote, adding that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.”

Additional contributors include cloud-security weaknesses and AI-powered phishing campaigns, with vishing also playing an important role in recent Scattered LAPSUS$ Hunters attacks on Salesforce environments.

All 24 industries monitored by Cyble experienced at least one supply chain breach this year, but IT and IT services firms were hit disproportionately. These organizations remain attractive to attackers due to their broad customer ecosystems and valuable access points. Cyble reported 107 supply chain attacks targeting IT companies so far this year—over three times more than those seen in financial services, transportation, technology, or government sectors.

Ransomware operations remain a major driver of this surge. Groups such as Qilin and Akira, which Cyble identified as the most active this year, have also carried out “an above-average share of supply chain attacks.”

Akira recently targeted a major open-source initiative, stealing 23GB of sensitive data including internal reports, confidential files, and issue-tracking information. Both Akira and Qilin have also compromised multiple IT providers serving high-risk verticals such as government, defense, intelligence, law enforcement, healthcare, energy, and finance. In one case, Qilin claimed to have obtained source code for proprietary tools used across public safety and security organizations.

Another Qilin incident involved breaching customers of a U.S. cybersecurity and cloud provider through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.”

A newer threat actor, Kyber, leaked more than 141GB of internal builds, databases, project files, and backups allegedly taken from a major U.S. aerospace and defense contractor specializing in communication and electronic warfare technologies.

Other notable October events included the Cl0p ransomware group's exploitation of Oracle E-Business Suite vulnerabilities and a breach involving Red Hat GitLab.

Cyble emphasized that mitigating supply chain threats is difficult because organizations inherently trust their vendors and partners. The firm stressed that security audits and third-party risk evaluations should become routine practice.

The researchers highlighted that the “most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process,” and advised that organizations thoroughly vet suppliers and enforce strong security requirements within contracts to strengthen third-party protection.
Read more »
Vulnerabilities and Exploits
CISA Linux Kernel Ransomware Campaign Vulnerabilities and Exploits

CISA Warns: Linux Kernel Flaw Actively Exploited in Ransomware Attacks

 

A critical Linux kernel vulnerability (CVE-2024-1086) is now actively exploited in ransomware attacks, according to a recent update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). First publicly disclosed on January 31, 2024, this flaw stems from a decade-old code commit to the netfilter: nf_tables kernel component and was patched early in 2024. 

However, the exploit—which allows attackers with local access to escalate privileges and gain root control over affected systems—remains a severe threat for systems running kernel versions from 3.15 to 6.8-rc1, affecting prominent distributions like Debian, Ubuntu, Fedora, and Red Hat.

CISA’s latest advisory confirms the vulnerability is leveraged in live ransomware campaigns but doesn’t provide detailed incident counts or victim breakdowns. The agency added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, mandating federal agencies patch by June 20, 2024 or implement mitigations. These mitigations include blocklisting ‘nf_tables’ if not in use, restricting user namespace access to shrink the attack surface, and optionally deploying the Linux Kernel Runtime Guard (LKRG)—though the latter may introduce instability.

Security experts and community commentators highlight both the significance and scope of the risk. The flaw enables threat actors to achieve root-level system takeover—compromising defenses, altering files, moving laterally within networks, and exfiltrating sensitive data. 

Its effects are especially critical in server and enterprise contexts (where vulnerable kernel versions are widely deployed) rather than typical desktop Linux environments. For context, a security researcher known as 'Notselwyn' published a proof-of-concept exploit in March 2024 that clearly demonstrates effective privilege escalation on kernel versions 5.14 through 6.6, broadening attack feasibility for cybercriminals.

Immutability in Linux distributions (such as ChromeOS, Fedora Kinoite) is noted as a partial defense, limiting exploit persistence but not fully mitigating in-memory or user-data targeting attacks. CISA stresses following vendor-specific instructions for mitigation and, where remedies are unavailable, discontinuing product use for guaranteed safety. 

Community debate also reflects persistent frustration at slow patch adoption and challenges in keeping kernels up to date across varied deployment environments. The ongoing exploitation—as confirmed by CISA—underscores the critical need for timely patching, rigorous access controls, and awareness of Linux privilege escalation risks in the face of escalating ransomware threats.
Read more »
WSUS exploit
CVE-2025-59287 Cybersecurity Microsoft patch failure Vulnerabilities and Exploits Windows Server Update Services vulnerability WSUS exploit

Attackers Exploit Critical Windows Server Update Services Flaw After Microsoft’s Patch Fails

 

Cybersecurity researchers have warned that attackers are actively exploiting a severe vulnerability in Windows Server Update Services (WSUS), even after Microsoft’s recent patch failed to fully fix the issue. The flaw, tracked as CVE-2025-59287, impacts WSUS versions dating back to 2012.

Microsoft rolled out an emergency out-of-band security update for the vulnerability on Thursday, following earlier attempts to address it. Despite this, several cybersecurity firms reported active exploitation by Friday. However, Microsoft has not yet officially confirmed these attacks.

This situation highlights how quickly both cyber defenders and adversaries respond to newly disclosed flaws. Within hours of Microsoft’s emergency patch release, researchers observed proof-of-concept exploits and live attacks targeting vulnerable servers.

“This vulnerability shows how simple and trivial exploitation is once an attack script is publicly available,” said John Hammond, principal security researcher at Huntress, in an interview with CyberScoop. “It’s always an attack of opportunity — just kind of spray-and-pray, and see whatever access a criminal can get their hands on.”

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the latest patch and adhere to Microsoft’s mitigation steps.

A Microsoft spokesperson confirmed the re-release of the patch, explaining: “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.” Microsoft did not specify when or how it discovered that the previous patch was insufficient.

According to Shadowserver, over 2,800 instances of WSUS with open ports (8530 and 8531) are exposed to the internet — a necessary condition for exploitation. Approximately 28% of these vulnerable systems are located in the United States.

“Exploitation of this flaw is indiscriminate,” warned Ben Harris, founder and CEO of watchTowr. “If an unpatched Windows Server Update Services instance is online, at this stage it has likely already been compromised. This isn’t limited to low-risk environments — some of the affected entities are exactly the types of targets attackers prioritize.”

Huntress has observed five active attack cases linked to CVE-2025-59287. Hammond explained that these incidents mostly involve reconnaissance activities — such as environment mapping and data exfiltration — with no severe damage observed so far. However, he cautioned that WSUS operates with high-level privileges, meaning successful exploitation could fully compromise the affected server.

The risk, Hammond added, could escalate into supply chain attacks, where adversaries push malicious updates to connected systems. “Some potential supply-chain shenanigans just opening the door with this opportunity,” he said.

Experts from Palo Alto Networks’ Unit 42 echoed the concern. “By compromising this single server, an attacker can take over the entire patch distribution system,” said Justin Moore, senior manager of threat intel research at Unit 42. “With no authentication, they can gain system-level control and execute a devastating internal supply chain attack. They can push malware to every workstation and server in the organization, all disguised as a legitimate Microsoft update. This turns the trusted service into a weapon of mass distribution.”

Security researchers continue to emphasize that WSUS should never be exposed to the public internet, as attackers cannot exploit the flaw in instances that restrict external access.

Microsoft deprecated WSUS in September, stating that while it will still receive security support, it is no longer under active development or set to gain new features.
Read more »
Subscribe to: Comments (Atom)