Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vulnerabilities and Exploits. Show all posts
Vulnerabilities and Exploits
CISA Cisco Firewall Security Patch Shadowserver Vulnerabilities and Exploits

Cisco Firewall Vulnerabilities Leave 50,000 Devices Exposed Worldwide

 

Nearly 50,000 Cisco firewall devices worldwide are currently exposed to significant security risks following the disclosure of three critical vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products.

Statistics from the Shadowserver Foundation have highlighted the scale of this problem, revealing that thousands of these devices remain directly accessible via the internet and have yet to receive urgent security patches. 

The vulnerabilities, which were publicly announced on September 25, prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency patching directive, reflecting the severity and potential impact of these flaws.

The United States leads in terms of exposure, with more than 19,000 vulnerable devices identified, outpacing every other country. The United Kingdom follows with over 2,700 exposed units, while Japan, Germany, and Russia also have substantial numbers. 

Across Europe, other countries report fewer than 1,000 vulnerable devices each, but the cumulative risk remains global in scope. Shadowserver’s ongoing data collection will track mitigation efforts over the coming weeks, providing insights into how organizations respond to these urgent warnings.

Central to the threat are two particular vulnerabilities, CVE-2025-20362 and CVE-2025-20333, which have already been exploited by a highly sophisticated threat actor. This campaign has successfully targeted and breached several federal agencies along with organizations worldwide.

The nature of these vulnerabilities makes them especially dangerous: both relate to improper validation of HTTPS requests by the affected Cisco firewalls. This weakness could allow attackers to submit malicious requests that effectively bypass authentication controls, leaving affected systems open to compromise.

Specifically, CVE-2025-20362 enables attackers to access restricted VPN-related URLs that should otherwise require strong authentication, while CVE-2025-20333 allows malicious actors to execute arbitrary code with root privileges, dramatically increasing the potential for damaging network intrusions. 

In light of these dangers, U.S. federal agencies have been given until the end of Thursday to confirm with CISA that all vulnerable devices have been patched or otherwise mitigated against potential exploitation.

The urgency surrounding these vulnerabilities is underscored by the demonstrated capability of attackers and the ongoing risks to national and organizational cybersecurity worldwide. As real-time data continues to be collected, the response from security teams will be crucial in minimizing exposure and preventing future incidents related to these Cisco firewall flaws.
Read more »
Zero-Click Exploit
cybersecurity threat Digital Espionage iOS Vulnerability Mobile Security Remote Code Execution Spyware Attack Vulnerabilities and Exploits vulnerability patch WhatsApp Security Zero-Click Exploit

Critical WhatsApp Zero Click Vulnerability Abused with DNG Payload

 


It has been reported that attackers are actively exploiting a recently discovered vulnerability in WhatsApp's iOS application as a part of a sophisticated cyber campaign that underscores how zero-day vulnerabilities are becoming weaponised in today's cyber warfare. With the zero-click exploit identified as CVE-2025-55177 with a CVSS score of 5.4, malicious actors can execute unauthorised content processing based on any URL on a victim's device without the need for user interaction whatsoever. 

A vulnerability referred to as CVE-2025-55177 provides threat actors with a way to manipulate WhatsApp's synchronization process, so they may force WhatsApp to process attacker-controlled content during device linking when they manipulate the WhatsApp synchronization process. 

Even though the vulnerability could have allowed crafted content to be injected or disrupted services, its real danger arose when it was combined with Apple's CVE-2025-43300, another security flaw that affects the ImageIO framework, which parses image files. In addition to this, there were also two other vulnerabilities in iOS and Mac OS that allowed out-of-bounds memory writing, which resulted in remote code execution across these systems. 

The combination of these weaknesses created a very powerful exploit chain that could deliver malicious images through the incoming message of a WhatsApp message, causing infection without the victim ever having to click, tap or interact with anything at all—a quintessential zero-click attack scenario. Investigators found that the targeting of the victims was intentional and highly selective. 

In the past, WhatsApp has confirmed that it has notified fewer than 200 people about potential threats in its apps, a number that is similar to earlier mercenary spyware operations targeting high-value users. Apple has also acknowledged active exploitation in the wild and has issued security advisories concurrently. 

Researchers from Amnesty International noted that, despite initial signs suggesting limited probing of Android devices, this campaign was mainly concerned with Apple's iOS and macOS ecosystems, and therefore was focused on those two ecosystems mainly. The implications are particularly severe for businesses.

Corporate executives, legal teams, and employees with privileged access to confidential intellectual property are at risk of being spied on or exfiltrated through using WhatsApp on their work devices, which represents a direct and potentially invisible entry point into corporate data systems. 

Cybersecurity and Infrastructure Security Agency (CISA) officials say that the vulnerability was caused by an "incomplete authorisation of linked device synchronisation messages" that existed in WhatsApp for iOS versions before version 2.25.2.173, WhatsApp Business for iOS versions of 2.25.1.78, and WhatsApp for Mac versions of 2.25.21.78. 

This flaw is believed to have been exploited by researchers as part of a complex exploit chain, which was created using the flaw in conjunction with a previously patched iOS vulnerability known as CVE-2025-43300, allowing for the delivery of spyware onto targeted devices. A U.S. government advisory has been issued urging federal employees to update their Apple devices immediately because the campaign has reportedly affected approximately 200 people. 

A new discovery adds to the growing body of evidence that advanced cyber threat actors increasingly rely on chaining multiple zero-day exploits to circumvent hardened defences and compromise remote devices. In 2024, Google's Threat Analysis Group reported 75 zero-day exploits that were actively exploited, a figure that reflects how the scale of these attacks is accelerating. 

This stealthy intrusion method continues to dominate as the year 2025 unfolds, resulting in nearly one-third of all recorded compromise attempts worldwide occurring this year. It is important for cybersecurity experts to remind us that the WhatsApp incident demonstrates once more the fragility of digital trust, even when it comes to encrypting platforms once considered to be secure. 

It has been uncovered that the attackers exploited a subtle logic flaw in WhatsApp’s device-linking system, allowing them to disguise malicious content to appear as if it was originating from the user’s own paired device, according to a technical analysis.

Through this vulnerability, a specially crafted Digital Negative (DNG) file could be delivered, which, once processed automatically by the application, could cause a series of memory corruption events that would result in remote code execution. Researchers at DarkNavyOrg have demonstrated the proof-of-concept in its fullest sense, showing how an automated script is capable of authenticating, generating the malicious DNG payload, and sending it to the intended victim without triggering any security alerts. 

In order to take advantage of the exploit, there are no visible warnings, notification pop-ups, or message notifications displayed on the user's screen. This allows attackers to gain access to messages, media, microphones, and cameras unrestrictedly, and even install spyware undetected. It has been reported to WhatsApp and Apple that the vulnerability has been found, and patches have been released to mitigate the risks. 

Despite this, security experts recommend that users install the latest updates immediately and be cautious when using unsolicited media files—even those seemingly sent by trusted contacts. In the meantime, organisations should ensure that endpoint monitoring is strengthened, that mobile device management controls are enforced, and that anomalous messaging behaviour is closely tracked until the remediation has been completed. 

There is a clear need for robust input validation, secure file handling protocols, and timely security updates to prevent silent but highly destructive attacks targeting mainstream communication platforms that can be carried out against mainstream communication platforms due to the incident. Cyber adversaries have, for a long time, been targeting companies such as WhatsApp, and WhatsApp is no exception. 

It is noteworthy that despite the platform's strong security framework and end-to-end encryption, threat actors are still hunting for new vulnerabilities to exploit. Although there are several different cyberattack types, security experts emphasise that zero-click exploits remain the most insidious, since they can compromise devices without the user having to do anything. 

V4WEB Cybersecurity founder, Riteh Bhatia, made an explanation for V4WEB's recent WhatsApp advisory, explaining that it pertains to one of these zero-click exploits--a method of attacking that does not require a victim to click, download, or applaud during the attack. Bhatia explained that, unlike phishing, where a user is required to click on a malicious link, zero-click attacks operate silently, working in the background. 

According to Bhatia, the attackers used a vulnerability in WhatsApp as well as a vulnerability in Apple's iOS to hack into targeted devices through a chain of vulnerabilities. He explained to Entrepreneur India that this process is known as chaining vulnerabilities. 

Chaining vulnerabilities allows one weakness to provide entry while the other provides control of the system as a whole. Further, Bharatia stressed that spyware deployed by these methods is capable of doing a wide range of invasive functions, such as reading messages, listening through the microphone, tracking location, and accessing the camera in real time, in addition to other invasive actions. 

As a warning sign, users might notice excessive battery drain, overheating, unusual data usage, or unexpected system crashes, all of which may indicate that the user's system is not performing optimally. Likewise, Anirudh Batra, a senior security researcher at CloudSEK, stated that zero-click vulnerabilities represent the "holy grail" for hackers, as they can be exploited seamlessly even on fully updated and ostensibly secure devices without any intervention from the target, and no action is necessary on their part.

If this vulnerability is exploited effectively, attackers will be able to have full control over the targeted devices, which will allow them to access sensitive data, monitor communications, and deploy additional malware, all without the appearance of any ill effect. As a result of this incident, it emphasises that security risks associated with complex file formats and cross-platform messaging apps persist, since flaws in file parsers continue to serve as common pathways for remote code execution.

There is a continuing investigation going on by DarkNavyOrg, including one looking into a Samsung vulnerability (CVE-2025-21043), which has been identified as a potential security concern. There was a warning from both WhatsApp and Apple that users should update their operating systems and applications immediately, and Meta confirmed that less than 200 users were notified of in-app threats. 

It has been reported that some journalists, activists, and other public figures have been targeted. Meta's spokesperson Emily Westcott stressed how important it is for users to keep their devices current and to enable WhatsApp's privacy and security features. Furthermore, Amnesty International has also noted possible Android infections and is currently conducting further investigation. 

In the past, similar spyware operations occurred, such as WhatsApp's lawsuit against Israel's NSO Group in 2019, which allegedly targeted 1,400 users with the Pegasus spyware, which later became famous for its role in global cyberespionage. While sanctions and international scrutiny have been applied to such surveillance operations, they continue to evolve, reflecting the persistent threat that advanced mobile exploits continue to pose. 

There is no doubt that the latest revelations are highlighting the need for individuals and organisations to prioritise proactive cyber security measures rather than reactive ones, as zero-click exploits are becoming more sophisticated, the traditional boundaries of digital security—once relying solely on the caution of users—are eroding rapidly. It has become increasingly important for organisations to keep constant vigilance, update their software quickly, and employ layered defence strategies to protect both their personal and business information. 

Organisations need to invest in threat intelligence solutions, continuous monitoring systems, and regular mobile security audits if they want to be on the lookout for potential threats early on. In order for individual users to reduce their exposure, they need to maintain the latest version of their devices and applications, enable built-in privacy protections, and avoid unnecessary third-party integrations. 

The WhatsApp exploit is an important reminder that even trusted, encrypted platforms may be compromised at some point. The cyber espionage industry is evolving into a silent and targeted operation, and digital trust must be reinforced through transparent processes, rapid patching, and global cooperation between tech companies and regulators. A strong defence against invisible intrusions still resides in awareness and timely action.
Read more »
Vulnerabilities and Exploits
ASLR NSDictionary Project Zero Security flaw Vulnerabilities and Exploits

Project Zero Exposes Apple ASLR Bypass via NSDictionary Serialization Flaw

 

Google Project Zero has uncovered a sophisticated technique for bypassing Address Space Layout Randomization (ASLR) protections on Apple devices, targeting a fundamental issue in Apple’s serialization framework. Security researcher Jann Horn described how deterministic behaviors in NSKeyedArchiver and NSKeyedUnarchiver could enable attackers to leak memory pointer values without exploiting conventional bugs or timing-based side channels.

The vulnerability centers on the interaction between singleton objects, pointer-based hash values, and serialization routines. Specifically, Horn identified that NSNull—a singleton object within Apple’s Core Foundation (CFNull)—exposes its memory address through its hash value. Because this object resides in a fixed location in the shared cache, it creates a reliable oracle for leaking memory addresses, defeating standard ASLR defenses.

Attackers can exploit this by crafting malicious serialized input which, when de-serialized and then re-serialized by a victim application, can allow inference of key memory locations. By leveraging the predictable hashing of NSNumber keys and understanding how NSDictionary structures its internal hash table based on prime-numbered bucket counts, an attacker controls where keys are placed during serialization. The relative position of the NSNull key reveals the outcome of hash_code % num_buckets, letting attackers deduce the memory address used by NSNull.

Scaling this approach involves using dictionaries with different prime-sized bucket counts, repeatedly measuring key placements, and applying the Extended Euclidean Algorithm. This enables precise reconstruction of the NSNull pointer address. Horn’s proof-of-concept demonstrated the feasibility, though no real-world application was found with this pattern in production services. The attacker’s tooling involved generating specialized serialized input and computing memory addresses after receiving the victim’s output.

Apple addressed the issue in its March 31, 2025 security updates. Horn cautioned against frameworks using raw memory addresses as hash values, especially when those addresses are static, and recommended strict allowlisting during deserialization, not returning re-serialized attacker input, and keeping outputs within trusted boundaries—aligning with broader best practices for deserialization risks.

Horn linked this exploit to earlier research on hash-based attacks, such as hashDoS, but highlighted that this method exploits hash order determinism for information leakage rather than denial-of-service. Ultimately, the finding broadens the understanding of how seemingly safe serialization behavior can be weaponized, and underscores the importance of robust serialization hygiene in software security.
Read more »
Vulnerabilities and Exploits
Akira Ransomware Arctic Wolf security research CVE-2024-40766 exploit Ransomware SonicWall SSL VPN vulnerability Vulnerabilities and Exploits

Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit

 

Akira ransomware affiliates need less than four hours to breach organizations and launch attacks, according to researchers at Arctic Wolf. The group is exploiting stolen SonicWall SSL VPN credentials and has reportedly found ways to bypass multi-factor authentication (MFA).

Once inside, attackers quickly begin scanning networks to identify services and weak accounts. They leverage Impacket to establish SMB sessions, use RDP for lateral movement, and eventually target Domain Controllers, virtual machine storage, and backups. Additional accounts, including domain accounts, are created to install remote monitoring and management (RMM) tools and enable data theft. The process also includes establishing command-and-control channels, exfiltrating sensitive data, disabling legitimate RMM and EDR tools, deleting shadow copies and event logs, and using WinRAR with rclone or FileZilla for data transfers. The attack culminates with the deployment of Akira ransomware.

Akira activity has been rising since July 2025. Early reports suggested a SonicWall zero-day exploit, but investigations revealed attackers were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN. Though SonicWall released a patch in August 2024, some organizations failed to reset SSL VPN passwords after upgrading from Gen 6 to Gen 7 firewalls, leaving them exposed.

Experts believe that attackers harvested privileged account credentials months earlier and are now reusing them against organizations that patched but never rotated passwords. Rapid7 also identified other weaknesses being exploited, including misconfigured SSLVPN Default User Group settings and the externally exposed Virtual Office Portal, which attackers use to configure OTP MFA on compromised accounts.

“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers stated.

“Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”

So far, victim organizations span multiple industries and sizes, indicating opportunistic targeting rather than focused campaigns. Researchers emphasize that the minimal time between breach and ransomware execution makes early detection and rapid response essential.

Defensive Measures

Arctic Wolf recommends organizations take the following steps:
  • Monitor or block logins originating from VPS hosting providers.
  • Watch for abnormal SMB and LDAP activity linked to Impacket and discovery tools.
  • Detect unusual execution of scanning and archival utilities on servers.
  • Leverage App Control for Business to restrict unauthorized remote tools and block execution from untrusted paths.
“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf advised. “This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.”
Read more »
Vulnerabilities and Exploits
CISA KEV catalog Cyble vulnerabilities Ivanti Endpoint ransomware exploited vulnerabilities SolarWinds CVE-2025-26399 Vulnerabilities and Exploits

Cyble Flags 22 Vulnerabilities Under Active Exploitation, Including Ransomware Attacks

 



Cybersecurity researchers at Cyble have revealed 22 vulnerabilities currently being exploited by threat actors, with nine of them missing from the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

In its latest blog post, Cyble explained that twelve of the vulnerabilities were flagged by its honeypot sensors after detecting real-world attack attempts. Out of these twelve, only four are listed in CISA’s KEV catalog.

The report also highlights 10 vulnerabilities actively abused by ransomware groups. Interestingly, nine of those have already made it into CISA’s KEV catalog, with just one — CVE-2025-7771 in ThrottleStop.sys — standing out as an exception. This flaw has reportedly been exploited by the MedusaLocker ransomware group.

Adding to the urgency, SolarWinds today rolled out a hotfix addressing CVE-2025-26399 in SolarWinds Web Help Desk. The flaw bypasses patches for CVE-2024-28988, which itself was a patch bypass for CVE-2024-28986. Since CVE-2024-28986 is already part of the KEV catalog, experts warn the new 9.8 CVSS-rated vulnerability could quickly attract attention from attackers.

Cyble researchers documented 12 vulnerabilities under active attack, including:

  • CVE-2025-49493 – Akamai CloudTest (before version 60, 2025.06.02)

  • CVE-2025-5086 – DELMIA Apriso (Release 2020–2025), recently added as a rare ICS/OT flaw in the KEV catalog

  • CVE-2025-48827 – vBulletin 5.0.0–5.7.5 and 6.0.0–6.0.3 on PHP 8.1+

  • CVE-2025-45985 – Multiple Blink router models

  • CVE-2025-4427 – Ivanti Endpoint Manager Mobile up to 12.5.0.0 (in KEV catalog)

  • CVE-2025-4009 – Evertz SDVN 3080ipx-10G management interface

  • CVE-2025-32432 – Craft CMS 3.0.0-RC1 to <3.9.15, 4.0.0-RC1 to <4.14.15, 5.0.0-RC1 to <5.6.17

  • CVE-2025-31161 – CrushFTP 10 (before 10.8.4) and 11 (before 11.3.1), listed in KEV

  • CVE-2025-29306 – FoxCMS v1.2.5

  • CVE-2025-20188 – Cisco IOS XE Software for Wireless LAN Controllers

  • CVE-2025-47812 – Wing FTP Server (before 7.4.4), also in KEV

  • CVE-2025-54782 – NestJS versions 0.2.0 and below in @nestjs/devtools-integration

Cyble’s threat intelligence division also identified 10 vulnerabilities exploited by ransomware groups, tracked via open-source intelligence and internal monitoring. Notable cases include:

  • CVE-2025-53770 – Microsoft SharePoint Server, exploited by Storm-2603

  • CVE-2024-40766 – SonicWall SonicOS, targeted by Akira

  • CVE-2024-23692 – Rejetto HTTP File Server, targeted by an unknown group

  • CVE-2025-8088 – WinRAR for Windows, exploited by RomCom (Storm-0978 / Tropical Scorpius / UNC2596)

  • CVE-2025-29824 – Windows Common Log File System, abused by RansomExx (Storm-2460)

  • CVE-2025-31324 and CVE-2025-42999 – SAP NetWeaver Visual Composer Metadata Uploader, exploited in tandem by Scattered Spider

  • CVE-2023-46604 – Java OpenWire protocol marshaller, linked to Linux malware Drip Dropper

  • CVE-2025-24472 – FortiOS 7.0.0–7.0.16, FortiProxy 7.2.0–7.2.12 / 7.0.0–7.0.19, exploited by INC Ransom

According to Cyble, these vulnerabilities “should be high-priority fixes by security teams if they haven't been patched or mitigated already, and a risk-based vulnerability management program should be at the heart of every organization's cyber defenses.”

Read more »
Vulnerabilities and Exploits
Cloud Breach Cloud Misconfiguration Threat Landscape Vulnerabilities and Exploits

Misconfigurations Still Fuel Most Cloud Breaches in 2025

 

Cloud misconfigurations persist as the foremost driver of cloud breaches in 2025, revealing deep-seated challenges in both technological and operational practices across organizations. 

While cloud services promise remarkable agility and scale, the complexity of modern infrastructure and oversight failures continue to expose companies to widespread risks, often overshadowing technical advancements in security.

Roots of misconfigurations

At their core, cloud misconfigurations typically arise from the interplay of speed-driven development practices, insufficient cloud expertise, and gaps in secure deployment workflows. 

Developers and DevOps teams, pressured by tight release timelines, often prioritize functionality and rapid deployment over robust security—leading to frequent mistakes such as leaving storage buckets public, excessive user privileges, and open network ports. 

These errors are amplified by the sprawling nature of cloud environments, where hundreds of microservices and resources each require detailed security settings. The mere failure to reset default configurations provided by cloud vendors, designed for ease of use rather than security, opens the door to potential attacks if not properly hardened from the outset.

Security alert fatigue also impedes effective responses: cloud monitoring tools tend to flood teams with poorly categorized alerts lacking real-world context, causing crucial warnings to be overlooked amidst false positives. 

Compounding these issues is the persistent skill gap, as the rapid evolution of cloud technologies outpaces many professionals' ability to keep up—especially in areas requiring hybrid knowledge of architecture and security. Hardcoded secrets within application code further undermine defenses, making it easier for attackers to exfiltrate sensitive data.

Pathways to improvement

True progress lies in shifting from a reactive stance—where breaches are detected after the fact—to a proactive security-first approach integrated throughout development cycles. 

This means embedding security protocols at every step, continuously training staff on new cloud attack techniques, and leveraging advanced tools that understand context to reduce unnecessary alert volume. Organizations should also regularly audit permissions, segment networks, and rigorously manage all access credentials to mitigate both insider and external threats.

Ultimately, misconfigurations endure because cloud security is too often sidelined for speed, and technology alone cannot solve human and procedural failings. To tame this leading breach vector, organizations must treat security as inseparable from innovation—building robust, resilient frameworks that safeguard data as effectively as they enable growth.
Read more »
zero-click
ChatGPT OpenAI Radware ShadowLeak Vulnerabilities and Exploits zero-click

ShadowLeak: Zero-Click ChatGPT Flaw Exposes Gmail Data to Silent Theft

 

A critical zero-click vulnerability known as "ShadowLeak" was recently discovered in OpenAI's ChatGPT Deep Research agent, exposing users’ sensitive data to stealthy attacks without any interaction required. 

Uncovered by Radware researchers and disclosed in September 2025, the vulnerability specifically targeted the Deep Research agent's integration with applications like Gmail. This feature, launched by OpenAI in February 2025, allows the agent to autonomously browse, analyze, and synthesize large amounts of online and personal data to produce detailed reports.

The ShadowLeak exploit works through a technique called indirect prompt injection, where an attacker embeds hidden commands in an HTML-formatted email—such as white-on-white text or tiny fonts—that are invisible to the human eye. 

When the Deep Research agent reads the booby-trapped email in the course of fulfilling a standard user request (like “summarize my inbox”), it executes those hidden commands. Sensitive Gmail data, including personal or organizational details, is then exfiltrated directly from OpenAI’s cloud servers to an attacker-controlled endpoint, with no endpoint or user action needed.

Unlike prior attacks (such as AgentFlayer and EchoLeak) that depended on rendering attacker-controlled content on a user’s machine, ShadowLeak operates purely on the server side. All data transmission and agent decisions take place within OpenAI’s infrastructure, bypassing local, enterprise, or network-based security tools. The lack of client or network visibility means the victim remains completely unaware of the compromise and has no chance to intervene, making it a quintessential zero-click threat.

The impact of ShadowLeak is significant, with potential leakage of personally identifiable information (PII), protected health information (PHI), business secrets, legal strategies, and more. It also raises the stakes for regulatory compliance, as such exfiltrations could trigger GDPR, CCPA, or SEC violations, along with serious reputational and financial damage.

Radware reported the vulnerability to OpenAI via the BugCrowd platform on June 18, 2025. OpenAI responded promptly, fixing the issue in early August and confirming that there was no evidence the flaw had been exploited in the wild. 

OpenAI underscored its commitment to strengthening defenses against prompt injection and similar attacks, welcoming continued adversarial testing by security researchers to safeguard emerging AI agent architectures.
Read more »
Vulnerabilities and Exploits
Authentication cloud environment CVE Microsfot Entra ID Microsoft Azure Vulnerabilities and Exploits

Researcher Finds Entra ID Weakness That Could Have Granted Global Admin Access




Two critical weaknesses recently came to light in Microsoft’s Entra ID platform could have given attackers unprecedented control over nearly every Azure cloud customer. The flaws were discovered and reported responsibly, allowing Microsoft to release fixes before attackers were able to exploit them.

Entra ID, previously known as Azure Active Directory, is the identity management system that controls how users log in, what resources they can reach, and who has administrator rights. It is a core service for businesses worldwide, which means any failure in its security could ripple across countless organizations at once.

Dutch security researcher Dirk-jan Mollema, who specializes in cloud identity security, identified the flaws while preparing material for a cybersecurity conference. What he found was alarming: the two vulnerabilities, when combined, created a path for attackers to impersonate users and escalate privileges to the highest level, effectively granting full control of customer environments.

The first weakness involved so-called “Actor Tokens,” a type of authentication token issued by an old Microsoft system known as Access Control Service. These tokens carried unusual privileges that, on their own, posed little risk but became dangerous when chained with a second issue. That second vulnerability was buried in Azure Active Directory Graph, a legacy interface used to access Microsoft 365 data. Unlike its modern replacement, Microsoft Graph, the older system did not properly check which tenant— a customer’s isolated cloud environment was sending a request. By combining the two flaws, attackers could trick the system into accepting tokens from outside tenants, opening the door to total compromise.

With administrator-level access, attackers would have been able to add new privileged accounts, alter security settings, and access sensitive information. Experts warned that such attacks could bypass common safeguards like multifactor authentication and leave minimal traces in activity logs, making them particularly dangerous.

Mollema disclosed his findings to Microsoft on July 14. The company began work the same day, deployed a fix globally within days, and later introduced additional protections. A vulnerability identifier (CVE) was issued in September, and Microsoft confirmed that no evidence of exploitation was found during its investigation.

Security researchers have compared the potential fallout to past incidents where authentication weaknesses enabled large-scale breaches. While the flaws in Entra ID never reached that point, the discovery illustrates how overlooked legacy systems can undermine modern security frameworks.

Microsoft has since retired the affected components and emphasized its commitment to phasing out outdated protocols. For organizations using Entra ID, the incident highlights the need to remain alert to vendor advisories, apply updates quickly, and watch for unusual activity in administrative accounts.

The vulnerabilities may now be closed, but they reveal how hidden dependencies in cloud infrastructure can become high-risk targets. As cloud identity systems continue to expand, the security community will likely scrutinize them even more closely for weaknesses of this scale.


Read more »
Vulnerabilities and Exploits
Akira Ransomware CVE-2024-40766 SonicOS 7.3.0 SonicWall firewall vulnerability SonicWall Gen 7 SSLVPN exploit Vulnerabilities and Exploits

Ransomware Groups Still Exploiting SonicWall Firewall Vulnerability Despite Patch

 

More than a year after SonicWall released a patch for CVE-2024-40766, a critical vulnerability affecting its next-generation firewalls, attackers linked to the Akira ransomware-as-a-service operation continue to exploit the flaw to breach organizations.

Similar to incidents in September 2024 and earlier this year, affiliates of the Akira group are behind the latest wave of attacks. The spike observed in July 2025 was partly due to organizations upgrading from Gen 6 to Gen 7 SonicWall firewalls without resetting local user passwords as recommended by SonicWall.

Attackers have also expanded their techniques. According to Rapid7’s Incident Response team, there has been “an uptick in intrusions involving SonicWall appliances” since early August 2025. Their findings indicate that the Akira group may be chaining together three different security weaknesses to gain access and deploy ransomware.

CVE-2024-40766, which remains unpatched in some environments.

A misconfiguration in the SSLVPN Default Users Group setting. SonicWall explains:

“This setting automatically adds every successfully authenticated LDAP user to a predefined local group, regardless of their actual membership in Active Directory. If that default group has access to sensitive services – such as SSL VPN, administrative interfaces, or unrestricted network zones – then any compromised AD account, even one with no legitimate need for those services, will instantly inherit those permissions.”
“This effectively bypasses intended AD group-based access controls, giving attackers a direct path into the network perimeter as soon as they obtain valid credentials.”

Abuse of the Virtual Office Portal feature in SonicWall appliances, which attackers are using to configure MFA/TOTP on already compromised accounts.

The Australian Cyber Security Centre (ACSC) has also issued warnings about increased Akira activity targeting Australian entities via CVE-2024-40766.

According to Rapid7, the attackers’ method remains consistent: they gain entry through the SSLVPN component, escalate privileges to elevated or service accounts, exfiltrate sensitive data from file servers and network shares, disable or delete backups, and finally execute ransomware at the hypervisor layer.

Recommended Mitigations

Organizations relying on SonicWall firewalls are advised to:

  • Rotate passwords on all SonicWall local accounts and delete unused ones.
  • Enforce MFA/TOTP for SSLVPN services.
  • Set the Default LDAP User Group to “None.”
  • Restrict Virtual Office Portal access to trusted local networks and closely monitor usage.
  • Ensure all appliances run the latest firmware updates.

SonicWall recently highlighted that SonicOS 7.3.0 introduces additional protections against brute-force attacks and enhanced MFA controls, providing stronger defense against ransomware intrusions.
Read more »
Zero Day exploit
Apple Security CVSS Cybersecurity Threats iOS Mobile Device Protection Spyware Campaign Vulnerabilities and Exploits WhatsApp Vulnerability Zero Click Attack Zero Day exploit

WhatsApp 0-Day Exploited in Targeted Attacks on Mac and iOS Platforms

 


Providing a fresh reminder of the constant threat to widespread communication platforms, WhatsApp has disclosed and patched a vulnerability affecting its iOS and macOS applications. The vulnerability has already been exploited in real-world attacks, according to WhatsApp, which warns it may already have been exploited in the past. 

It has a CVSS score of 5.4 and is tracked as CVE-2025-55177. The vulnerability is caused by an insufficient level of authorisation when handling linked device synchronization messages. As a result of the vulnerability, WhatsApp has warned that a malicious actor could potentially compromise the security of users by manipulating content processing using arbitrary URLs on the target device. 

In a statement, the Meta-owned company credited its in-house security team with discovering and analyzing this bug, which is thought to have been exploited in combination with a recently revealed Apple zero-day vulnerability as part of targeted attacks on the company. The incident was deemed to be the result of an "advanced spyware campaign" by Donncha Cearbhaill of Amnesty International's Security Lab, which notes it had been active for approximately 90 days and used zero-click delivery techniques. 

Through this technique, attackers were able to spread malicious exploits through WhatsApp without requiring any interaction from the victim, allowing them to steal data from Apple devices silently and raising serious concerns about the resilience of even highly secure platforms. By way of spokesperson Margarita Franklin, Meta, the parent company of WhatsApp, confirmed that the flaw had been identified and patched several weeks ago, with notification sent to less than 200 users who had been affected. 

Even though the company has not attributed the operation to any specific threat actor or spyware vendor, the lack of attribution highlights how difficult it may be to trace such sophisticated campaigns when it comes to tracking them down. Technology providers are facing increasingly complex and stealthy attacks on popular communication tools, which is why the episode emphasizes the mounting challenges they face in defending them against such attacks. 

Recently, a critical flaw has been discovered in WhatsApp which has been catalogued as CVE-2025-55177, which has once again brought to the fore the security landscape around widely used communication platforms. Based on initial CVSS scores of 5.4 and 8.0, the vulnerability highlights how zero-day exploits continue to pose a challenge to users and device integrity, as well as undermine privacy and device integrity. 

It is believed that the root of the flaw is due to incomplete authorization in the handling of synchronization messages between linked devices. This weakness was the basis of the attack, which could be exploited as a tool to override the expected security features. Using this vulnerability, a malicious actor who has no legitimate association with the target could force a victim's device to process content from an arbitrary URL on its own behalf if exploited. 

The manipulation of trusted communication channels could serve as an entry point for remote code execution, or unauthorized delivery of malicious content, directly from the attacker's infrastructure, which can then be used to deliver malicious content. In such a scenario, users' trust is not only compromised, but it also highlights how vulnerable application-level security measures can be if authorization mechanisms are not properly enforced. 

There is an added level of seriousness to this discovery, since the exploit appears to have been a zero-click attack. In contrast to conventional attacks that require the user to open a file or click on a link, zero-click exploits do not require the user to interact with them whatsoever, which significantly reduces the chances of detection. 

As a result of silent compromises, attackers are able to install spyware or malicious code swiftly, discreetly, and with little or no trace until the damage has been done. WhatsApp's internal security team believes that the CVE-2025-55177 vulnerability was not an isolated occurrence. Rather than being isolated from the other vulnerability within Apple's ecosystem, it is thought to have been chained together with a separate vulnerability within the Apple ecosystem – CVE-2025-43300 – to allow sophisticated, targeted attacks.

In the Apple case, a CVSS score of 8.8 was assigned to the ImageIO framework that was characterized by an out-of-bounds write condition. When these vulnerabilities occur during the processing of images, they can corrupt memory, giving way to deeper system-level vulnerabilities. An exploit chaining strategy, whereby an application-level bug is paired up with an operating system vulnerability in order to maximize the scope and stealth of a campaign, is an increasingly popular strategy among advanced adversaries as a means of maximizing the scope and stealth of their operations. 

On August 20, Apple updated its entire product line in order to address CVE-2025-43300, issuing patches for iOS 18.6.2, iPadOS 18.6.2, and 17.7.10, Mac OS Sequoia 15.6.1, Mac OS Sonoma 14.7.2, and Mac OS Ventura 13.7.1. It was noted in the advisory that while the company had refrained from providing detailed technical details, they had been aware of reports that the flaw had already been exploited against specific individuals by users in the wild.

In line with the tactics used by state-sponsored groups and well-funded spyware vendors, these attacks were highly targeted and not indiscriminate, as they suggest that these attacks were highly targeted and not indiscriminate. In addition to mitigating the threat quickly, WhatsApp has also quickly rolled out patches that fix CVE-2025-55177 on all its platforms, rolling it out in late July and early August 2025. As with Apple, WhatsApp's version of iOS 2.2.21.73, WhatsApp Business, and WhatsApp for Mac all came with the patches. 

However, as Apple did, WhatsApp did not provide details of the observed attacks, and provided limited commentary on the nature or scale of the exploitation. The reticence that occurs when a zero-day exploitation is being actively exploited is not unusual, as revealing too much could help threat actors improve their techniques inadvertently. 

While the extent of the campaign is still unknown, the operational sophistication implied by these exploits suggests that an adversary with adequate resources has been engaged in this operation. This is because of the fact that zero-click vectors are being used as well as the seamless chaining of vulnerabilities across both application and operating system layers, which illustrates how complex cyber threats are becoming. 

In the broader context of these incidents, it is important to recognize that attackers are increasingly using multi-layered exploit chains to get around user defenses, get past traditional detection methods, and implant spyware in a highly precise manner. Taking a broader perspective of the WhatsApp and Apple vulnerabilities, it is important to note that today's interconnected digital environment creates a precarious balance between convenience and security. 

With the rapid expansion of messaging platforms, the attack surface is inevitably bound to increase, allowing adversaries to find weaknesses more easily. According to recent disclosures, it is imperative that timely patches, rigorous vulnerability management, and ongoing collaboration between vendors be implemented so that coordinated, high-level exploitation campaigns are limited in impact. 

In order to defend against zero-click exploit campaigns that leverage zero-click exploits, security specialists advise that a routine patch application does not suffice. There is a growing need for organizations to adopt a layered defense strategy that integrates technical safeguards with operational discipline in order to reduce exposure. 

Among the steps to take is updating WhatsApp and other messaging platforms to the most recent patched versions, enforcing mobile device management (MDM) baselines, and implementing solutions for detection and response of mobile endpoints (EDR) that can be used to detect as well as analyse the data. To further enhance resilience, system logs can be monitored for unusual activity, command-and-control traffic can be blocked at the network level, and threat intelligence data can be utilized. 

To eliminate possible persistence mechanisms, factory resets should be recommended when a compromise is suspected. Likewise, it is crucial to build user awareness by providing training on spyware risks and incident reporting, in addition to reviewing incident response playbooks to ensure they address zero-day and zero-click exploitation scenarios. In addition to these practices, organizations should adopt strict communication security policies, and conduct regular third-party risk assessments in order to strengthen their defense against stealthy spyware operations and reduce the impact of sophisticated intrusion attempts on their systems. 

There has been a sharp reminder resulting from the revelations surrounding WhatsApp and Apple vulnerabilities that no platform, no matter how popular or secure it appears to be, is immune to exploitation. In this day and age, zero-click spyware is becoming increasingly sophisticated, which underscores the necessity to treat mobile device security as a strategic priority rather than something people take for granted. 

The best way to do this for individuals would be to develop the habit of downloading and installing software updates as soon as they become available, to exercise caution when unusual behavior occurs on their mobile devices, and to consider the use of trusted mobile security tools. 

Organizations need to shift from compliance checklists and develop a culture of proactive resilience rather than relying on compliance checklists. This means investing in multiple defenses, continuous monitoring, and cross-team collaboration between the IT, security, and legal departments in order to better detect and contain incidents.

It is imperative that technology vendors, independent researchers, and civil society organisations collaboratively work together in order to hold spyware operators accountable for their actions and ensure that users retain trust in their digital communications in the future. 

In spite of vulnerabilities continuing to be found in the digital ecosystem, a combination of rapid response, transparency, and a security-first mindset can turn such incidents into opportunities for stronger defenses and more resilient digital ecosystems by eliminating vulnerabilities as quickly as possible.
Read more »
Vulnerabilities and Exploits
Business Security Data I/O Ransomware attack Supply Chain Vulnerabilities and Exploits

Data I/O Ransomware Attack Exposes Vulnerability in Global Electronics Supply Chain

 

Data I/O, a leading manufacturer specializing in device programming and security provisioning solutions, experienced a major ransomware attack in August 2025 that crippled core operations and raised industry-wide concerns about supply chain vulnerabilities in the technology sector.

The attack, first detected on August 16, 2025, used a sophisticated phishing campaign to compromise network credentials, enabling the attackers to exploit vulnerabilities in the company’s remote access systems and achieve lateral movement across network segments. 

This incident resulted in the encryption of critical proprietary data, including chip design schematics, manufacturing blueprints, sensitive communications, and firmware for products used by major clients such as Amazon, Apple, Google, and automotive manufacturers. 

Attack methodology 

Investigations mapped the attack to multiple MITRE ATT&CK techniques: T1566 for phishing, T1021 for remote services exploitation, T1486 for impact via data encryption, and possible use of T1078 via valid accounts. The attackers sent deceptive emails to Data I/O employees that tricked users into surrendering network credentials or accessing malicious links. After gaining access, the adversaries leveraged weaknesses in remote connectivity protocols to move laterally and encrypt essential files.

The ransomware incident caused widespread disruptions: internal and external communications, shipping, receiving, manufacturing production lines, and support functions were all impacted. The company activated incident response protocols, isolating affected systems and proactively taking critical platforms offline to prevent further spread. As of late August, some systems remained offline, without a clear timeline for full restoration. 

Broader implications 

Data I/O’s strategic role as a supply chain hub in electronics manufacturing made it a disproportionate target. Disruption reverberated across technology, automotive, and IoT sectors due to the company’s handling of security credentials and firmware for multi-billion-dollar products.

The incident underscores how ransomware operators increasingly target manufacturing entities, exploiting supply chain vulnerabilities to extract ransoms and maximize operational harm. The attackers reportedly demanded a ransom of $30 million, threatening to release encrypted data publicly if payment was not made within 72 hours. 

Data I/O engaged external cybersecurity experts and forensic professionals, initiated a full-scale investigation, and pledged transparency as more details emerged. The incident highlights urgent needs for improved remote access security, robust phishing defenses, and faster detection and response capabilities across the technology manufacturing sector. 

Analysts warn this attack may foreshadow future campaigns targeting critical infrastructure and high-tech supply chains, stressing the necessity for more resilient cybersecurity strategies.
Read more »
Vulnerabilities and Exploits
Browser Clickjacking links Login Credentials Password Manager Vulnerabilities and Exploits

Password Managers Face Clickjacking Flaw, Millions of Users at Risk



For years, password managers have been promoted as one of the safest ways to store and manage login details. They keep everything in one place, help generate strong credentials, and protect against weak or reused passwords. But new research has uncovered a weakness in several widely used browser extensions that could expose sensitive information for millions of people.


Details about the flows

Security researchers recently found that 11 different password manager extensions share a vulnerability linked to the way they rely on the Document Object Model (DOM). The DOM is part of how web pages are structured, and in this case, it opens a door to a technique known as “clickjacking.”

Clickjacking works by tricking users into clicking on invisible or disguised elements of a web page. For example, a malicious site may look legitimate but contain hidden layers. A single misplaced click can unintentionally activate the password manager’s autofill function. Once that happens, the manager may begin entering saved credentials directly into the attacker’s page.

The danger lies in how quietly this happens. Users often close the site without realizing that their passwords or even stored credit card information and personal details like addresses or phone numbers may already have been copied by attackers.


The scale of the issue

The affected list includes some of the most recognized password managers in the industry. An estimated 40 million users worldwide could be impacted. While some companies have already addressed the issue through updates, not all providers have released fixes yet. For example, RoboForm has patched its extension, and Bitwarden has rolled out a new version. However, others remain in the process of responding.


Protecting yourself

There is no universal fix for clickjacking, but users can take important steps to reduce risk:

1. Be cautious with links: Avoid clicking on unfamiliar or suspicious links, even if they appear genuine. It is always safer to type the website address directly or use trusted bookmarks.

2. Update your tools: Make sure your password manager extension is up to date. Updates often contain security fixes that block known vulnerabilities.

3. Change autofill settings: If you use a Chromium-based browser, switch your password manager’s autofill to “on-click.” This ensures that details are only filled in when you actively choose to do so.

4. Disable unnecessary autofill: Consider turning off automatic completion for personal information like email addresses in your browser settings.


The bottom line

Password managers are still an essential tool for safe online habits, but like any technology, they are not immune to flaws. Staying alert, practicing careful browsing, and keeping your software updated can substantially lower the risk. Until every provider has addressed the vulnerability, users should take extra precautions to keep their digital identities secure.



Read more »
Vulnerabilities and Exploits
Business Security Dell ControlVault RevaUlt SOC Platform Vulnerabilities and Exploits

ReVault Flaws Expose Dell ControlVault3 Hardware to Persistent Attacks

 

RevaUlt, a company marketing itself on advanced endpoint protection and next-generation SOC capabilities, recently suffered a severe security breach. The attackers penetrated its internal environment, exploiting vulnerabilities in the architecture used for their supposed secure SOC platform. 

The compromise was discovered after suspicious activity was detected both within the RevaUlt corporate network and among several client deployments, suggesting a supply chain dimension to the attack as well. 

Attack mechanics

The attackers leveraged persistence techniques and privilege escalation to move laterally through RevaUlt's infrastructure, ultimately acquiring administrative access to sensitive SOC data. The breach included the exfiltration of client logs, incident reports, and in some cases, authentication secrets used by RevaUlt for remote management of client environments.

Attackers used sophisticated anti-forensic measures to delay detection, making full remediation more challenging and indicating a high level of attacker maturity. 

Impact on clients and the industry 

This compromise not only undermined RevaUlt’s internal systems but also exposed multiple organizations relying on its SOC services to potential intrusion and sensitive data leakage. As a result, clients had to initiate emergency incident response procedures, rotate credentials, and validate the integrity of their log data and detection mechanisms. 

The breach underscores the inherent risks of outsourcing critical security operations to third-party SOC providers, especially when those providers lack sufficient internal controls or operational transparency. 

Lessons and industry response 

The incident has prompted a wave of scrutiny regarding trust in managed SOC platforms and the challenges of ensuring supply chain security within cybersecurity itself. 

Experts urge organizations to tighten their vendor evaluation processes, demand greater transparency, and implement layered monitoring—even on services provided by so-called “secure” vendors. The breach serves as a cautionary tale that no security solution is immune to compromise and that shared vigilance and robust incident response remain paramount for cyber resilience. 

Additionally, recommended mitigations include applying Dell’s firmware and driver fixes, disabling ControlVault services and peripherals (fingerprint, smart card, NFC) if unused, and turning off fingerprint login in high-risk scenarios to shrink the attack surface pending updates. 

RevaUlt’s situation is now a key reference point in ongoing discussions about SOC resilience, supply chain vulnerabilities, and the evolving sophistication of attackers targeting high-value security infrastructure.
Read more »
Vulnerabilities and Exploits
Clickjacking Attacks Credential Theft Password Manager User Security Vulnerabilities and Exploits

Major Password Managers Leak User Credentials in Unpatched Clickjacking Attacks

 

Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information. 

Modus operandi

Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites. 

The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data. 

Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time. 

Impacted password managers

The vulnerable password managers include: 
  • 1Password 8.11.4.27 
  • Bitwarden 2025.7.0 
  • Enpass 6.11.6 
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3 
  • LogMeOnce 7.12.4 
These services collectively have approximately 40 million users. 

Vendor responses 

Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes. 

Bitwarden downplayed the severity but claims to have addressed the issues in version 2025.8.0. However, LogMeOnce initially failed to respond to any communication attempts, though they later released an update. Several vendors have successfully implemented fixes, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper.

Safety measures 

Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits. 

The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.
Read more »
Vulnerabilities and Exploits
Apple zero-day vulnerability iOS 18.6.2 update macOS security patch Vulnerabilities and Exploits

Apple Issues Emergency Security Updates to Fix New Zero-Day Vulnerability

 

Apple has rolled out urgent security updates to fix yet another zero-day vulnerability that hackers have been actively exploiting in what the company calls an "extremely sophisticated attack."

The flaw, tracked as CVE-2025-43300, stems from an out-of-bounds write vulnerability within the Image I/O framework—a core component that allows apps to handle various image file formats.

Such vulnerabilities occur when malicious input forces a program to write data beyond allocated memory limits. This can trigger crashes, corrupt files, or, in severe cases, enable remote code execution.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company stated in its security advisory published Wednesday.

The company explained: "An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption."

To mitigate the flaw, Apple has released patches in the following updates: iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

Devices Impacted by the Zero-Day Vulnerability

This zero-day affects a broad range of both old and new Apple devices, including:

  • iPhone XS and later
  • iPad Pro models: 13-inch, 12.9-inch (3rd gen+), 11-inch (1st gen+), iPad Air (3rd gen+), iPad 7th gen+, iPad mini (5th gen+), iPad Pro 12.9-inch (2nd gen), iPad Pro 10.5-inch, and iPad 6th gen
  • Macs running macOS Sequoia, Sonoma, and Ventura

While Apple has not disclosed which threat actors are behind the attacks, nor detailed how the exploit was carried out, it strongly urges all users to install the updates immediately to reduce the risk of compromise.

This marks the sixth zero-day Apple has patched in 2025, with earlier fixes addressing flaws in January (CVE-2025-24085), February (CVE-2025-24200), March (CVE-2025-24201), and two in April (CVE-2025-31200, CVE-2025-31201).

For comparison, in 2024 Apple resolved six other zero-days exploited in active attacks, spread across January, March, May, and November.
Read more »
zero-day attacks
CVE-2025-8088 ESET cybersecurity report RomCom hacking group Vulnerabilities and Exploits WinRAR vulnerability zero-day attacks

RomCom Hackers Exploit WinRAR Zero-Day CVE-2025-8088 in Cyberattacks, ESET Confirms

 

Cybersecurity researchers have uncovered that the Russian hacking group RomCom exploited a previously unknown flaw in WinRAR, tracked as CVE-2025-8088, in a series of zero-day attacks. The vulnerability was identified as a path traversal bug that enabled attackers to drop malicious payloads onto victims’ systems.

According to a report published by ESET, the flaw was discovered on July 18, 2025, when RomCom began using it in live campaigns. The issue stemmed from the abuse of alternate data streams (ADS) within specially crafted RAR archives. These archives contained hidden payloads designed to extract malicious files into specific Windows directories, including %TEMP%, %LOCALAPPDATA%, and the Startup folder, allowing malware to persist across reboots.

WinRAR released a patched version (7.13) on July 30, 2025, after being alerted by ESET. However, the official advisory at the time did not mention ongoing exploitation.

ESET’s analysis revealed three attack chains delivering different RomCom malware families:
  • Mythic Agent – executed through a COM hijack, enabling command-and-control communications.
  • SnipBot – a trojanized PuTTY CAC version that downloaded additional payloads.
  • MeltingClaw – a modular malware framework used for further infections.
The malicious archives also contained numerous invalid ADS entries. ESET believes these were deliberately added to create harmless-looking warnings in WinRAR, masking the presence of the true malware payloads.

This is not the first time RomCom has exploited zero-day flaws. The group, also known as Storm-0978 and Tropical Scorpius, has previously leveraged vulnerabilities in Firefox and Microsoft Office.

Russian cybersecurity company Bi.Zone separately reported that another cluster, tracked as Paper Werewolf, also abused CVE-2025-8088 and a related bug, CVE-2025-6218.

While Microsoft added native RAR support to Windows in 2023, its limited functionality means many enterprises still rely on WinRAR, making it an attractive target for attackers.

WinRAR developers confirmed that they had not received user complaints and were only provided with technical details necessary to release the patch. Since WinRAR lacks an auto-update feature, users must manually download and install the latest version to stay protected.
Read more »
Subscribe to: Posts (Atom)