< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 34 of 35

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.
read more →

Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.
read more →

WhatsApp Patches Zero-Click Zero-Day Exploit in iOS

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.
read more →

Sitecore Vulnerabilities Enable Cache Poisoning to RCE

🔒 Three vulnerabilities affecting the Sitecore Experience Platform can be chained to escalate from HTML cache poisoning to remote code execution. Researchers describe a pre-auth HTML cache reflection (CVE-2025-53693) combined with an insecure deserialization RCE (CVE-2025-53691) and an ItemService API information-disclosure bug (CVE-2025-53694) that permits cache key enumeration and poisoned HTML injection. Sitecore issued patches in June and July 2025; administrators should apply updates, restrict ItemService exposure to trusted networks, and consider WAF rules and other mitigations to reduce the chaining risk.
read more →

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.
read more →

CISA Adds Sangoma FreePBX CVE to Known Exploited List

⚠️ CISA added CVE-2025-57819, an authentication bypass in Sangoma FreePBX, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The vulnerability is a frequent attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required due dates. CISA urges all organizations to prioritize timely remediation.
read more →

State-Sponsored Hackers Behind Majority of Exploits

🔐 Recorded Future’s Insikt Group reports that 53% of attributed vulnerability exploits in H1 2025 were carried out by state-sponsored actors, driven largely by geopolitical aims such as espionage and surveillance. Chinese-linked groups accounted for the largest share, with UNC5221 exploiting numerous flaws—often in Ivanti products. The study found 161 exploited CVEs, 69% of which required no authentication and 48% were remotely exploitable. It also highlights the rise of social-engineering techniques like ClickFix and increasing EDR-evasion methods used by ransomware actors.
read more →

Critical FreePBX Zero-Day Under Active Exploitation

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.
read more →

Joint Advisory Reveals Salt Typhoon APT Techniques Worldwide

🔍 Salt Typhoon, a Chinese state-aligned APT also tracked as Operator Panda/RedMike, is the subject of a joint advisory from intelligence and cybersecurity agencies across 13 countries. The report links the group to Chinese entities tied to the PLA and MSS and documents repeated exploitation of n-day flaws in network edge devices from vendors such as Ivanti, Palo Alto Networks and Cisco. It details persistence via ACL modifications, tunneled proxies, credential capture via RADIUS/TACACS+, and exfiltration over peering and BGP, and urges telecoms to hunt for intrusions, patch quickly and harden management interfaces.
read more →

Citrix Patches NetScaler Zero-Days as Active Exploits Continue

🔒Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), including pre-auth remote code execution observed in the wild. The vendor provided fixes for affected 14.1, 13.1 and 12.1-FIPS/NDcPP builds and said no workaround is available. Security researchers and CISA urged immediate patching and forensic checks for potential backdoors.
read more →

Citrix Patches NetScaler Flaws; Confirms Active Exploitation

🔒 Citrix has issued patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, and confirmed active exploitation of CVE-2025-7775. The flaws include two memory overflow issues (CVSS 9.2 and 8.8) that can lead to remote code execution or denial-of-service, and an improper access-control bug (CVSS 8.7) affecting the management interface. Fixes are available in multiple 12.x–14.x releases with no workarounds; Citrix credited external researchers for reporting the issues.
read more →

CISA Adds CVE-2025-7775 for Citrix NetScaler Memory Overflow

🔔 CISA has added CVE-2025-7775, a memory overflow vulnerability in Citrix NetScaler, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged KEVs by the specified due date. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

CISA Adds Three Actively Exploited Flaws in Citrix, Git

🚨 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting Citrix Session Recording and Git. Two Citrix issues (CVE-2024-8068, CVE-2024-8069; CVSS 5.1) can lead to privilege escalation to the NetworkService account or limited remote code execution for authenticated intranet users, while CVE-2025-48384 (CVSS 8.1) in Git stems from carriage return handling that can enable arbitrary code execution. Federal agencies must mitigate these issues by September 15, 2025.
read more →

CISA Adds Three New Vulnerabilities to KEV Catalog

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on August 25, 2025: CVE-2024-8069 and CVE-2024-8068 affecting Citrix Session Recording, and CVE-2025-48384, a Git link following vulnerability. CISA states these defects are supported by evidence of active exploitation and represent frequent attack vectors that pose significant risk to the federal enterprise. While BOD 22-01 binds Federal Civilian Executive Branch agencies to remediate listed CVEs by the required due dates, CISA urges all organizations to prioritize timely remediation and incorporate these entries into vulnerability management workflows.
read more →

GeoServer Exploits, PolarEdge, Gayfemboy Expand Cybercrime

🛡️ Cybersecurity teams report coordinated campaigns exploiting exposed infrastructure and known flaws to monetize or weaponize compromised devices. Attackers have abused CVE-2024-36401 in GeoServer to drop lightweight Dart binaries that monetize bandwidth via legitimate passive-income services, while the PolarEdge botnet and Mirai-derived gayfemboy expand relay and DDoS capabilities across consumer and enterprise devices. Separately, TA-NATALSTATUS targets unauthenticated Redis instances to install stealthy cryptominers and persistence tooling.
read more →

Russian State-Backed Static Tundra Exploits Cisco Devices

🧭 The author opens with a travel anecdote and practical reminders on securing devices while on the road, urging readers to update, back up, and avoid public charging or untrusted Wi‑Fi. The newsletter highlights field-tested precautions including disabling auto-connect, using VPNs or phone hotspots, enabling device tracking, and carrying power banks. It also warns of an active campaign by a Russian state-backed group targeting Cisco devices via CVE-2018-0171, urging immediate patching and hardening.
read more →

CISA Adds Apple iOS/iPadOS/macOS KEV: CVE-2025-43300

⚠️ CISA added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog, identifying an out‑of‑bounds write in Apple iOS, iPadOS, and macOS that the agency says is under active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by established deadlines, and CISA strongly urges all organizations to prioritize timely patching and mitigation. This vulnerability reflects a common and high-risk memory-corruption vector that can enable code execution or other severe impacts if exploited. CISA will continue to update the KEV Catalog as new evidence of exploitation emerges.
read more →

Dutch prosecution hack disables multiple speed cameras

⚠️ The Netherlands' Public Prosecution Service (Openbaar Ministerie) disconnected its networks on July 17 after suspecting attackers had exploited Citrix device vulnerabilities, leaving several fixed, average and portable speed cameras unable to record offences. Internal email remained available, but external communications and documents required printing and postal delivery. Regulators including the National Cybersecurity Centre were informed, and prosecutors warned that ongoing downtime will delay cases and hamper road-safety enforcement while systems remain offline.
read more →

CISA Adds Trend Micro Apex One KEV OS Command Injection

🛡️ CISA has added CVE-2025-54948, an OS command injection vulnerability in Trend Micro Apex One, to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. The entry underscores the significant risk these flaws pose to federal and nonfederal networks and reiterates that BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by specified deadlines. CISA strongly urges all organizations to prioritize timely remediation and integrate KEV fixes into standard vulnerability management practices.
read more →

Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave

⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.
read more →