All news with #exploit tag

🔒 A critical Remote Code Execution (RCE) flaw in Gogs, a self-hosted Git service, enables any authenticated user to execute arbitrary commands by creating a pull request with a malicious branch name that injects the --exec flag into git rebase. Rated 9.4 by Rapid7, the bug requires only a registered account on default instances and can be abused without admin privileges or other user interaction. Rapid7 published an exploit module and advises restricting registration and repository creation and auditing rebase merge settings.

🔒 A security report details how a group used Anthropic’s Mythos AI model to discover a kernel memory corruption vulnerability and develop an exploit targeting Apple’s M5 platform. The article summarizes the incident and notes it was posted on May 21, 2026. It highlights implications for macOS security and the role of advanced AI tools in vulnerability discovery. The piece is concise and focused on the exploit’s origin and significance.

🔒 A public proof-of-concept (PoC) exploit has been released for the recently patched local privilege escalation flaw dubbed PinTheft, which targets an RDS zerocopy double-free in the Linux kernel. The issue can lead to a page-cache overwrite via io_uring fixed buffers and allow a local attacker to obtain a root shell. Exploitation requires the RDS kernel module, io_uring enabled, a readable SUID-root binary and x86_64 support, so the impact is limited in practice and Arch Linux defaults make it the most exposed. Administrators are advised to apply kernel updates or unload and blacklist the RDS modules as an interim mitigation.

🔒 A proof-of-concept exploit is available for the recently patched DirtyDecrypt (aka DirtyCBC) local privilege escalation in the Linux kernel's rxgk module, enabling attackers to gain root on systems built with CONFIG_RXGK enabled. The flaw, independently reported by the V12 team on May 9, aligns with CVE-2026-31635, which was patched in late April. The PoC has been tested against Fedora and mainline kernels and mainly affects distributions that track upstream releases, such as Fedora, Arch, and openSUSE Tumbleweed. Users should apply kernel updates or use recommended mitigations until patches are deployed.

⚠️ Rapid7's Cyber Threat Landscape Report shows confirmed exploitation of newly disclosed high- and critical-severity vulnerabilities surged 105% year-over-year, while median time to CISA KEV inclusion fell to 5.0 days and mean time-to-exploit dropped to 28.5 days. Industry observers cite the industrialization of cybercrime and the use of AI to speed discovery and exploit development. Experts warn that patches increasingly act as roadmaps for attackers, and urge adoption of secure-by-design, aggressive pre-release testing, and faster isolation or rebuild capabilities to counter the collapsing patch window.

🚨 A security researcher published exploit code for an unpatched Windows privilege escalation vulnerability dubbed BlueHammer, citing dissatisfaction with how Microsoft's Security Response Center handled the report. The public proof-of-concept reportedly combines a TOCTOU and path confusion to access the SAM database and escalate to SYSTEM or elevated administrator privileges. The PoC contains bugs and is not reliably successful across all Windows editions, and Microsoft had not issued a patch at publication, leaving the flaw classified as a zero-day.

🔓 Google researchers released a report describing Coruna, a sophisticated iPhone exploitation toolkit that chains 23 distinct iOS vulnerabilities into five full exploit techniques capable of bypassing device defenses and silently installing malware when a user visits a crafted website. Analysts note the code’s professional, English-language provenance and say it bears hallmarks of previously attributed US government modules. Reporting from TechCrunch cites former L3Harris employees who say the company’s Trenchant surveillance division helped develop parts of the toolkit and that an insider may have sold components to foreign actors, raising urgent questions about loss of control over offensive cyber capabilities.

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.

🛡️ CISA has ordered federal agencies to patch three iOS vulnerabilities targeted by the Coruna exploit kit, which bundles multiple chains for at least 23 iOS flaws. Google researchers say Coruna provides PAC bypass, sandbox and PPL escapes, WebKit remote code execution and kernel elevation. Exploits are mitigated on recent iOS releases and can be blocked by private browsing or Lockdown Mode. CISA added the flaws to its KEV list and set a March 26 remediation deadline under BOD 22-01, urging organizations to prioritize fixes.

🔒Researchers at Google’s Threat Intelligence Group uncovered Coruna, a sophisticated iOS exploit kit composed of five exploit chains and 23 individual exploits that migrated from a commercial surveillance customer to suspected state and criminal operators within months. The framework resurfaced with UNC6353 on compromised Ukrainian sites and later powered mass attacks by China-based UNC6691 on fake financial pages. Its payload, tracked as Plasmagrid, injects into the root powerd daemon to exfiltrate cryptocurrency wallets, seed phrases and QR codes. GTIG urges immediate iOS updates, enabling Lockdown Mode where updates are impossible, and has published IoCs on VirusTotal.

🔐 Researchers at Google's Threat Intelligence Group disclosed the Coruna exploit kit, a complex toolkit that compromises Apple iPhones running iOS 13.0 through 17.2.1 using multiple chained vulnerabilities. The framework contains five full exploit chains and 23 distinct flaws, and includes device fingerprinting, automatic WebKit exploit selection and mitigation bypasses. A final-stage loader called PlasmaLoader focuses on extracting financial data such as QR codes and cryptocurrency recovery phrases. Google recommends updating to the latest iOS release or enabling Lockdown Mode when updates aren’t possible.

🔒 Google researchers disclosed a previously undocumented iOS exploit kit named Coruna, comprising 23 exploits and five full exploit chains that target iOS 13.0 through 17.2.1. Observed by the Google Threat Intelligence Group in 2025, the framework fingerprints devices, avoids targets in Lockdown Mode or private browsing, and delivers a stager loader called PlasmaLoader that injects into the iOS root daemon. Post-exploitation modules specifically target cryptocurrency wallets to extract BIP39 recovery phrases and other sensitive text, encrypting stolen data and using a DGA seeded with "lazarus" for resilience.

🃏 Security researchers demonstrated at Black Hat 2023 that the popular DeckMate 2 automated shuffler can be compromised to reveal card order, exploiting an exposed USB port, hard-coded credentials, and an internal camera. The device’s firmware hash check was bypassed in the proof-of-concept, allowing attackers to transmit card sequences to accomplices. Two years later, DOJ indictments show criminals used pre-hacked units, invisible card markings, and remote signaling to defraud players of millions.

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes a XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

🚨 Balancer announced an exploit of its V2 Compostable Stable Pools on Ethereum at 07:48 UTC that resulted in reported losses exceeding $128 million. Initial analysis from GoPlus Security points to a precision rounding error in the Vault’s swap calculations that an attacker chained via batchSwap, while other researchers suggest improper authorization and callback handling in V2 vaults. Balancer says the issue is isolated to V2 Compostable Stable Pools, with V3 and other pools unaffected, and the team is working with security researchers on a full post‑mortem. Users are warned to remain vigilant for scams and phishing attempts following the incident.

🔒 Peter Williams, a former general manager at L3Harris Trenchant, pleaded guilty in U.S. court to stealing and selling protected cyber-exploit components between 2022 and 2025. Prosecutors say he removed at least eight sensitive trade-secret exploit components intended for exclusive government use and sold them to a broker that works with the Russian government for $1.3 million in cryptocurrency. He now faces up to 10 years in prison and significant fines.

🔍 Trend Micro warns that RondoDox botnet campaigns have significantly expanded their targeting, exploiting more than 50 vulnerabilities across over 30 vendors to compromise routers, DVR/NVR systems, CCTV devices, web servers and other networked infrastructure. First observed by Trend Micro on June 15, 2025 via exploitation of CVE-2023-1389, and first documented by Fortinet FortiGuard Labs in July 2025, the threat now leverages a loader-as-a-service model that co-packages RondoDox with Mirai/Morte payloads, accelerating automated, multivector intrusions. The campaign includes 56 tracked flaws—18 without CVEs—spanning major vendors and underscores urgent detection and remediation needs.

🔒 Apple has introduced Memory Integrity Enforcement in the iPhone 17, a hardware-aware, always-on defense against memory-safety exploits used by spyware like Pegasus. Building on Arm’s MTE and its 2022 Enhanced Memory Tagging Extension, Apple’s implementation tags allocations with secrets and verifies them on every access. The company says the protection runs continuously without noticeable performance loss. Apple collaborated with Arm and tuned the chip-level design to make exploitation of memory-corruption bugs significantly harder while preserving compatibility with existing code.