< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 30 of 35

Slider Revolution Arbitrary File Read Affects 4M Sites

⚠ A critical Arbitrary File Read vulnerability (CVE-2025-9217) was found in the widely used Slider Revolution WordPress plugin, affecting versions up to 6.7.36. The bug allowed authenticated users with contributor-level access or higher to read arbitrary files on the server by abusing two export parameters, used_svg and used_images. ThemePunch released a patch (6.7.37) on August 28 after a report to Wordfence; administrators should update immediately to protect site data.
read more →

CISA Adds KEV Entry: Adobe Experience Manager Vulnerability

🔔CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-54253, an Adobe Experience Manager Forms code execution vulnerability that CISA says shows evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their assigned due dates. CISA strongly urges all organizations to prioritize timely remediation and follow vendor guidance and standard patch management practices; the agency will continue updating the catalog as new exploitation evidence emerges.
read more →

Critical ICTBroadcast Cookie Injection Leads to RCE

🔒 Researchers warn of a critical unauthenticated command injection in ICTBroadcast (CVE-2025-2611, CVSS 9.3) that allows attackers to inject shell commands via the BROADCAST session cookie. Exploits observed since October 11 used a time-based probe followed by Base64-encoded payloads to establish reverse shells. Approximately 200 internet-facing instances running versions 7.4 and earlier appear exposed; vendor comment and patch status remain unclear.
read more →

Microsoft October 2025 Patch Tuesday: Key Fixes & Rules

🛡️ Microsoft’s October 2025 Patch Tuesday addresses 175 Microsoft CVEs and 21 non‑Microsoft CVEs, including 17 rated critical and 11 marked important, with three already observed exploited in the wild. Talos highlights active exploitation of CVE-2025-24990 (Agere Modem driver), CVE-2025-59230 (Remote Access Connection Manager), and CVE-2025-47827 (IGEL OS Secure Boot bypass) and urges prompt remediation. Cisco Talos also published new Snort rules to detect many of these exploits and recommends updating patches, removing unsupported drivers, and refreshing IDS/IPS signatures.
read more →

Chinese Hackers Turn ArcGIS Server into Year-Long Backdoor

🛡️ReliaQuest attributes a campaign to China-linked group Flax Typhoon that compromised a public-facing ArcGIS server by converting a Java Server Object Extension (SOE) into a gated web shell, maintaining access for over a year. The attackers embedded a hard-coded key and hid the backdoor in system backups to survive full system recovery. They uploaded a renamed SoftEther executable (bridge.exe), created a "SysBridge" service to persist, and used an outbound HTTPS VPN bridge to extend the victim network for covert lateral movement. Investigators observed credential theft, admin account resets, and extensive living-off-the-land activity to evade detection.
read more →

Microsoft Restricts Edge IE Mode After Active Exploits

🔒 Microsoft has tightened access to Internet Explorer mode in Edge after credible reports in August 2025 that unknown actors abused the legacy compatibility feature to compromise devices. Attackers used social engineering to coerce users into reloading pages in IE mode and then chained unpatched Chakra JavaScript engine exploits to gain remote code execution and elevate privileges. Microsoft removed the IE mode toolbar button, context-menu and hamburger-menu entries; IE mode must now be enabled explicitly via Edge settings and sites must be added to an IE mode pages list.
read more →

High-Severity Oracle E-Business Suite Vulnerability Alert

🔒 Oracle issued an alert for CVE-2025-61884, a high-severity (CVSS 7.5) flaw in Oracle E-Business Suite versions 12.2.3 through 12.2.14 that can be exploited remotely over HTTP without authentication. The NIST description warns the defect permits an unauthenticated attacker to compromise Oracle Configurator, potentially exposing or allowing complete access to critical configurable data. Oracle urges administrators to apply the update immediately; it has not reported observed in-the-wild exploitation.
read more →

Widespread SonicWall SSL VPN Compromise Hits 100+ Accounts

🔒 Huntress warns of a widespread compromise of SonicWall SSL VPN devices that allowed threat actors to rapidly authenticate into multiple accounts across customer environments. Activity began on October 4, 2025, impacting over 100 VPN accounts across 16 customers, with logins traced to IP 202.155.8[.]73. While some intrusions disconnected quickly, others involved network scanning and attempts to access local Windows accounts. Organizations are urged to reset firewall credentials, restrict WAN management, revoke exposed API keys, monitor logins, and enforce MFA.
read more →

Stealit Campaign Abuses Node.js Single Executable Packaging

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data, extension-based crypto wallets, and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.
read more →

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.
read more →

Active Exploitation: Gladinet CentreStack LFI → RCE Bug

⚠️ Huntress reports active exploitation of an unauthenticated LFI zero-day, CVE-2025-11371, affecting Gladinet CentreStack and TrioFox up to version 16.7.10368.56560. The flaw permits disclosure of server files, including Web.config, enabling attackers to extract a hard-coded machine key that can enable a prior ViewState deserialization RCE (CVE-2025-30406). As an interim mitigation, Huntress recommends disabling the UploadDownloadProxy 'temp' handler in Web.config until a vendor patch is available.
read more →

Cl0p-Linked Actors Exploit Oracle E-Business Suite

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.
read more →

RondoDox botnet rapidly exploits 56 n-day flaws worldwide

⚠️ RondoDox is a large-scale botnet actively exploiting 56 n-day vulnerabilities across more than 30 device types, including DVRs, NVRs, CCTV systems, routers, and web servers. Trend Micro researchers describe the campaign as using an exploit shotgun strategy, firing numerous exploits simultaneously to maximize infection despite generating noisy activity. The actor has weaponized flaws disclosed at events such as Pwn2Own and continues to expand its arsenal, including both recent CVEs and older end-of-life vulnerabilities. Recommended defenses include applying firmware updates, replacing EoL devices, segmenting networks, and removing default credentials.
read more →

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.
read more →

Critical Service Finder Bug Lets Attackers Hijack Sites

🔒 A critical authentication bypass in the Service Finder Bookings plugin (CVE-2025-5947, CVSS 9.8) allows unauthenticated attackers to sign in as any user, including administrators. The root cause is improper cookie validation in the account-switching function service_finder_switch_back(), which enables privilege escalation. Maintainers released Service Finder version 6.1 on July 17, 2025 to address the issue, and exploitation attempts have been observed since August 1, 2025. Administrators should upgrade immediately and audit sites for unauthorized accounts or unexpected changes.
read more →

Hackers Inject Redirecting JavaScript via WordPress Themes

🔒 Security researchers warn of an active campaign that modifies WordPress theme files (notably functions.php) to inject malicious JavaScript that redirects visitors to fraudulent verification and malware distribution pages. The injected loader uses obfuscated references to advertising services but posts to a controller domain that serves a remote script from porsasystem[.]com and an iframe mimicking Cloudflare assets. The activity has ties to the Kongtuke traffic distribution system and highlights the need to patch themes, enforce strong credentials, and scan for persistent backdoors.
read more →

Chinese-Linked Hackers Weaponize Nezha via Log Poisoning

🔒 Huntress reported that threat actors with suspected ties to China abused a vulnerable phpMyAdmin panel in August 2025 to perform log poisoning, recording a PHP web shell into a query log and naming the file with a .php extension. The actors used the web shell (accessed via ANTSWORD) to deploy the open-source Nezha agent and inventory over 100 hosts—primarily in Taiwan, Japan, South Korea and Hong Kong. The Nezha agent facilitated execution of an interactive PowerShell script that created Microsoft Defender exclusions and launched Gh0st RAT via a loader and dropper.
read more →

Threat actors repurpose open-source monitor as beacon

⚠️ Attackers linked to China turned a benign open-source network monitoring agent into a remote access beacon using log poisoning and a tiny web shell. Huntress says they installed the legitimate Nezha RMM via a poisoned phpMyAdmin log and then deployed Ghost RAT for deeper persistence. The intrusion affected more than 100 hosts across Taiwan, Japan, South Korea, and Hong Kong and was contained in August 2025.
read more →

Nezha Agent Linked to New Web Application Compromises

🔍 Huntress analysts uncovered a sophisticated campaign beginning in August 2025 that used log poisoning to plant a PHP web shell and then manage compromised servers via AntSword. The operators downloaded a file named 'live.exe' — identified as the open-source Nezha agent — which connected to a command server at c.mid[.]al and enabled remote tasking. Nezha was used to execute PowerShell commands to disable Windows Defender and to deploy 'x.exe', a Ghost RAT variant that persisted as 'SQLlite'. More than 100 systems, primarily in Taiwan, Japan, South Korea and Hong Kong, were observed communicating with the attackers' dashboard.
read more →

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.
read more →