< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 24 of 35

Apple Issues Security Updates for Two WebKit Zero-Days

🔒 Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari to address two WebKit vulnerabilities—CVE-2025-43529 and CVE-2025-14174—that have been exploited in the wild. One of the flaws was patched in Chrome earlier this week, and Apple credits Google TAG and its own SEAR team with discovery and reporting. The issues can lead to arbitrary code execution or memory corruption when processing malicious web content. Users and administrators should apply the listed OS and Safari updates immediately to mitigate active exploitation.
read more →

Apple patches two WebKit zero-days used in targeted attacks

🔒 Apple released emergency updates to patch two zero-day WebKit vulnerabilities — CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) — that were exploited in an 'extremely sophisticated' attack against targeted individuals. Both bugs affect devices running WebKit on iPhone and iPad and were discovered by Google’s Threat Analysis Group and Apple. Apple fixed the issues across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari and urges users to install updates promptly.
read more →

React2Shell RCE exploited widely: GTIG findings Dec 2025

⚠️GTIG reports active, widespread exploitation of a critical unauthenticated RCE in React Server Components (CVE-2025-55182, “React2Shell”) disclosed on Dec. 3, 2025. Attackers ranging from opportunistic cryptominers to suspected China-nexus espionage clusters have delivered payloads including MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and XMRig miners. Exploits target vulnerable react-server-dom-* package versions and commonly use simple HTTP fetch-and-execute chains to establish persistence via cron, systemd, and shell profile modifications. Organizations are advised to patch immediately, deploy WAF rules, audit dependencies, and hunt for the supplied IOCs and YARA signatures.
read more →

CISA Orders Federal Patch for Exploited GeoServer XXE

⚠️ CISA has ordered U.S. federal agencies to patch an unauthenticated XML External Entity (XXE) vulnerability in GeoServer tracked as CVE-2025-58360, affecting GeoServer 2.26.1 and earlier and reachable via the /geoserver/wms GetMap XML input. The flaw allows attackers to retrieve arbitrary files, enable SSRF, or cause DoS and is being actively exploited. Agencies must remediate by Jan 1, 2026; CISA urges all network defenders to prioritize patching immediately.
read more →

React2Shell Zero-Day Sparks Global Exploitation Surge

⚠️ The critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) enables remote, unauthenticated code execution via unsafe deserialization in the React Server Components Flight protocol. Since disclosure on December 3, 2025, multiple actors have exploited it to deliver miners, botnets, and other malware, targeting Next.js and containerized cloud workloads. CISA has accelerated mitigation deadlines and is urging agencies to patch by December 12, 2025; defenders should apply vendor fixes, enable WAF protections, and review logs for indicators of compromise.
read more →

CISA Adds GeoServer XXE Flaw to Known Exploited List

🛡️ CISA added a high‑severity XML External Entity (XXE) flaw, CVE-2025-58360 (CVSS 8.2), affecting OSGeo GeoServer to its Known Exploited Vulnerabilities catalog after evidence of in‑the‑wild exploitation. The unauthenticated vulnerability impacts releases up to and including 2.25.5 and versions 2.26.0–2.26.1 and was reported by the AI platform XBOW. GeoServer has published patches (2.25.6, 2.26.2, 2.27.0, 2.28.0, 2.28.1); operators should upgrade or apply vendor mitigations and review the /geoserver/wms GetMap endpoint and XML processing to mitigate XXE, SSRF, and DoS risks.
read more →

React2Shell and RSC Vulnerabilities: Rapid Exploitation

🚨 Cloudflare's Cloudforce One team observed rapid scanning and exploitation attempts immediately after the public disclosure of React2Shell (CVE-2025-55182) on 2025-12-03. Attackers quickly integrated the unauthenticated RCE into automated reconnaissance using public asset discovery, Nuclei templates, and custom scanners to find exposed React Server Components. Cloudflare deployed Free and Paid WAF rules (default Block) and Worker-level protections while urging immediate patching. Telemetry showed millions of hits, diverse User-Agent fingerprints, and broad payload experimentation.
read more →

CISA Adds GeoServer XXE (CVE-2025-58360) to KEV Catalog

🔔 CISA has added CVE-2025-58360 — an OSGeo GeoServer XML External Entity (XXE) vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The issue involves improper restriction of XML External Entity references, a common vector attackers use to access sensitive data or cause service disruption. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA also urges all organizations to prioritize timely patching, mitigations, and monitoring. CISA will continue updating the KEV Catalog as additional exploited CVEs meet its criteria.
read more →

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.
read more →

Hard-coded Gladinet Keys Enable Active Exploitation

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.
read more →

React2Shell Exploitation Delivers Miners and Backdoors

⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.
read more →

Critical Ivanti EPM Flaw Patched; Immediate Updates Urged

🔒 Ivanti released EPM 2024 SU4 SR1 to address a critical stored XSS vulnerability (CVE-2025-10573) that lets unauthenticated attackers hijack administrator sessions by submitting malicious device scan data to the incoming API. The update also fixes three high-severity flaws that can enable code execution with user interaction and an issue that permits unauthorized file writes. Ivanti said reports came through its responsible disclosure program and it was not aware of active exploitation at disclosure. Organizations with internet-facing or high-privilege EPM instances should apply the patch immediately and isolate management interfaces until updated.
read more →

WinRAR Path Traversal CVE-2025-6218 Under Active Attack

⚠️ CISA has added WinRAR path traversal CVE-2025-6218 (CVSS 7.8) to its Known Exploited Vulnerabilities list after reports of active exploitation. RARLAB patched the Windows-only flaw in WinRAR 7.12 (June 2025); attackers can place files in sensitive locations such as the Startup folder or Word’s global template to achieve code execution. Multiple groups — including GOFFEE, Bitter (APT‑C‑08/Manlinghua), and Gamaredon — have used the bug in phishing campaigns; organizations should deploy 7.12 or apply mitigations like blocking malicious archives, disabling macros, and monitoring for C2 activity.
read more →

React2Shell Exploits Deploy EtherRAT, Linked to DPRK

🔐 Security researchers at Sysdig report new campaigns exploiting React2Shell (CVE-2025-55182), resulting in a novel implant that delivers EtherRAT and demonstrates advanced persistence and evasion. The exploit targets React v19 and many related frameworks, using a base64 shell command to fetch a downloader that installs Node.js, decrypts an obfuscated JavaScript dropper, and executes a blockchain-based C2-capable payload. Sysdig observed tooling overlaps with North Korea-associated campaigns, though firm attribution remains unconfirmed.
read more →

DeadLock Ransomware Uses BYOVD to Disable Endpoint Defenses

🔒 Cisco Talos detailed a campaign where a financially motivated actor deployed DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint protections by exploiting a Baidu driver flaw (CVE-2024-51324). A custom loader invoked the vulnerable driver to issue kernel-level commands that killed security processes; PowerShell scripts then escalated privileges, stopped backup and security services, and erased shadow copies. The C++ payload (compiled July 2025) injects into rundll32.exe, uses a custom stream cipher with time-based keys to append ".dlock" and waits roughly 50 seconds to evade sandboxes; communications and ransom negotiations occurred via Session. Organizations should enforce MFA, maintain strong endpoint controls and keep regular offline backups.
read more →

North Korean Hackers Exploit React2Shell to Deploy EtherRAT

🔒 Researchers at Sysdig uncovered a new malware implant, EtherRAT, delivered via exploitation of the React2Shell deserialization flaw in Next.js just days after the vulnerability disclosure. The implant bundles a full Node.js runtime, uses an encrypted loader, and employs Ethereum smart contracts for resilient C2 while supporting five Linux persistence mechanisms. Operators can self-update the payload and execute arbitrary JavaScript, complicating detection and response.
read more →

JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT

🔍 Securonix has detailed a campaign named JS#SMUGGLER that leverages compromised websites and an obfuscated JavaScript loader to deliver the NetSupport RAT. Attackers chain a hidden iframe and a remote HTA executed via mshta.exe to run encrypted PowerShell stagers and fetch the RAT. The loader applies device-aware branching and a visit-tracking mechanism to trigger payloads only on first visits, reducing detection risk. Temporary stagers are removed and payloads execute in-memory to minimize forensic artifacts.
read more →

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.
read more →

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.
read more →

React2Shell RCE Actively Exploited by Multiple Threat Actors

🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.
read more →