All news with #exploit detected tag

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.

ToolShell Exploit Drives Surge in SharePoint Attacks

🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid‑July 2025 disclosure of the ToolShell chain, which targets on‑premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.

IR Trends Q3 2025: ToolShell Drives Access & Response

🛡️ Cisco Talos Incident Response observed a surge in attacks exploiting public-facing apps in Q3 2025, driven chiefly by ToolShell chains targeting on-premises Microsoft SharePoint servers. Rapid automated scanning and unauthenticated RCE vulnerabilities led to widespread compromise, highlighting the need for immediate patching and strict network segmentation. Post-compromise phishing from valid accounts and diverse ransomware families, including Warlock and LockBit, continued to impact victims.

Over 250 Magento Stores Targeted Using SessionReaper Bug

⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.

Samsung Galaxy S25 Hacked at Pwn2Own Ireland 2025 Event

🔒 At Pwn2Own Ireland 2025, researchers from Mobile Hacking Lab and Summoning Team successfully exploited a Samsung Galaxy S25 using a five‑vulnerability chain to achieve code execution. The findings, credited to Ken Gannon and Dimitrios Valsamaras, were surrendered to Samsung under the event's coordinated disclosure rules. Hours later a second team, Interrupt Labs, used an improper input validation bug to seize camera and location access. Each team received $50,000; Samsung has 90 days to issue fixes.

Samsung Galaxy S25 Exploited on Day Two of Pwn2Own

🔓 Security researchers earned $792,750 on day two of Pwn2Own Ireland 2025, exploiting 56 unique zero-day vulnerabilities across smartphones, NAS devices, printers, cameras and smart-home gear. A five-bug chain used by Ken Gannon and Dimitrios Valsamaras successfully compromised the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Several teams also exploited issues in QNAP and Synology NAS models, printers and IoT devices, and vendors now have 90 days to patch before public disclosure.

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.

CISA Confirms Exploitation of Oracle E-Business SSRF Flaw

🔒 CISA has confirmed active exploitation of CVE-2025-61884, an unauthenticated SSRF in the Oracle Configurator runtime, and added it to its Known Exploited Vulnerabilities catalog. Federal agencies are required to patch the issue by November 10, 2025. Oracle released a fix on October 11 rated 7.5 and BleepingComputer says the update blocks a leaked exploit tied to ShinyHunters and related extortion activity.

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

Massive Multi-Country Botnet Targets US RDP Services

🔍 Researchers at GreyNoise have identified a large-scale, multi-country botnet that began targeting Remote Desktop Protocol (RDP) services in the United States on October 8. The campaign uses over 100,000 IP addresses and employs two RDP-specific techniques: RD Web Access timing attacks to infer valid usernames and RDP Web Client login enumeration to observe differing server behaviors. Nearly all sources share a common TCP fingerprint, indicating coordinated clusters. Administrators should block attacking IPs, review RDP logs, and avoid exposing remote desktop services to the public internet—use VPNs and enable multi-factor authentication.

Researchers Warn RondoDox Botnet Expands Exploitation

🔍 Trend Micro warns that RondoDox botnet campaigns have significantly expanded their targeting, exploiting more than 50 vulnerabilities across over 30 vendors to compromise routers, DVR/NVR systems, CCTV devices, web servers and other networked infrastructure. First observed by Trend Micro on June 15, 2025 via exploitation of CVE-2023-1389, and first documented by Fortinet FortiGuard Labs in July 2025, the threat now leverages a loader-as-a-service model that co-packages RondoDox with Mirai/Morte payloads, accelerating automated, multivector intrusions. The campaign includes 56 tracked flaws—18 without CVEs—spanning major vendors and underscores urgent detection and remediation needs.

Microsoft Restricts Edge IE Mode After Active Exploits

🔒 Microsoft has tightened access to Internet Explorer mode in Edge after credible reports in August 2025 that unknown actors abused the legacy compatibility feature to compromise devices. Attackers used social engineering to coerce users into reloading pages in IE mode and then chained unpatched Chakra JavaScript engine exploits to gain remote code execution and elevate privileges. Microsoft removed the IE mode toolbar button, context-menu and hamburger-menu entries; IE mode must now be enabled explicitly via Edge settings and sites must be added to an IE mode pages list.

RondoDox botnet rapidly exploits 56 n-day flaws worldwide

⚠️ RondoDox is a large-scale botnet actively exploiting 56 n-day vulnerabilities across more than 30 device types, including DVRs, NVRs, CCTV systems, routers, and web servers. Trend Micro researchers describe the campaign as using an exploit shotgun strategy, firing numerous exploits simultaneously to maximize infection despite generating noisy activity. The actor has weaponized flaws disclosed at events such as Pwn2Own and continues to expand its arsenal, including both recent CVEs and older end-of-life vulnerabilities. Recommended defenses include applying firmware updates, replacing EoL devices, segmenting networks, and removing default credentials.

Microsoft: Critical GoAnywhere Flaw Used in Ransomware

⚠️ Microsoft warns that a critical deserialization vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT License Servlet Admin Console is being actively exploited in ransomware campaigns. The flaw (CVSS 10.0) enables attackers to bypass signature verification and deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution on internet-exposed instances. Customers are urged to apply Fortra's patch, harden perimeter controls and run endpoint defenses in block mode to detect and stop post-breach activity.

Phoenix Rowhammer: DDR5 Bypass Exploits and Practical Risks

🧪 In September 2025, researchers at ETH Zurich published Phoenix, a Rowhammer variant that targets DDR5 memory by exploiting weaknesses in Target Row Refresh (TRR) logic. The team validated the technique across 15 tested SK Hynix modules and demonstrated practical capabilities including arbitrary read/write primitives, theft of an RSA‑2048 private key, and a Linux sudo bypass in constrained scenarios. Phoenix works by inducing timed access "windows" after 128 and after 2608 refresh intervals that momentarily degrade TRR responses, allowing precise bit flips. The authors recommend mitigations such as reduced refresh intervals, deployment of ECC memory, and adoption of Fine Granularity Refresh to harden platforms.