All news with #zero-day tag
Thu, December 11, 2025
Google patches eighth Chrome zero-day exploited in 2025
🔔 Google has issued emergency updates for Chrome to address a zero-day tracked as Chromium bug 466192044 that is actively exploited in the wild. The vulnerability is a buffer overflow in the LibANGLE Metal renderer caused by improper buffer sizing and can lead to memory corruption, crashes, sensitive data leaks, or arbitrary code execution. Stable channel builds rolling out are Windows 143.0.7499.109, macOS 143.0.7499.110, and Linux 143.0.7499.109; users should update immediately or allow Chrome to install the update on restart.
Wed, December 10, 2025
Microsoft Patches Three Zero-Days Including Kernel EoP
⚠️ Microsoft has released patches for three zero-day vulnerabilities in its December update, including an actively exploited kernel elevation-of-privilege in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221). Two additional zero-days—an RCE in PowerShell (CVE-2025-54100) and an RCE in GitHub Copilot for JetBrains (CVE-2025-64671)—were publicly disclosed but not observed in the wild. Security experts warn attackers could chain the kernel flaw with other exploits to achieve full system or domain compromise.
Wed, December 10, 2025
Microsoft Patches 56 Flaws Including Active Zero-Days
🛡️ Microsoft released December 2025 patches addressing 56 Windows vulnerabilities, three rated Critical and 53 Important. The update fixes 29 privilege-escalation flaws, 18 remote code execution bugs and other defects, and includes two zero-days and one actively exploited use-after-free (CVE-2025-62221) in the Cloud Files Mini Filter Driver. Administrators are urged to prioritize the KEV-listed fix and follow vendor guidance for mitigation and monitoring.
Tue, December 9, 2025
Microsoft Patch Tuesday — December 2025 Security Fixes
🛡️ Microsoft released its final Patch Tuesday of 2025, addressing 56 vulnerabilities including one actively exploited zero-day, CVE-2025-62221, and two publicly disclosed bugs. The zero-day is a privilege escalation in the Windows Cloud Files Mini Filter Driver, a core component used by cloud sync services such as OneDrive. Three flaws received Microsoft’s Critical rating, including two Office bugs exploitable via Outlook’s Preview Pane. Administrators should prioritize updates for the flagged privilege escalation issues and apply patches promptly.
Tue, December 9, 2025
Microsoft December 2025 Patch Tuesday: 57 Fixes, 3 Zero-Days
🔒 Microsoft's December 2025 Patch Tuesday delivers fixes for 57 vulnerabilities, including three zero-day flaws — one actively exploited and two publicly disclosed. The update addresses 19 remote code execution, 28 elevation of privilege, four information disclosure, three denial of service, and two spoofing issues across Windows, PowerShell, Office, Exchange Server and drivers. Administrators should prioritize the actively exploited CVE-2025-62221 and apply vendor patches promptly.
Mon, December 8, 2025
Marquis Software Breach Impacts Over 780,000 Nationwide
🔒 Marquis Software Solutions confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall firewall vulnerability on 14 August. The company shut down affected systems and engaged external cybersecurity specialists; a late-October review found unauthorized actors copied files containing personal and financial data from certain business customers. Marquis is offering free credit monitoring and has implemented multiple security controls while its investigation continues, and it reports no evidence so far that the stolen data has been posted online.
Mon, December 8, 2025
Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS
🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.
Mon, December 8, 2025
React2Shell RCE Actively Exploited by Multiple Threat Actors
🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.
Fri, December 5, 2025
React2Shell (CVE-2025-55182): Critical Server RCE Threat
🛡️ In early December 2025 the React project disclosed a critical server-side vulnerability dubbed React2Shell (CVE-2025-55182) rated CVSS 10.0. The bug allows unauthenticated attackers to execute arbitrary code by sending a specially crafted request to a vulnerable server feature. Check Point notes that CloudGuard WAF customers were proactively protected and not affected. Organizations should patch promptly and review traffic controls.
Fri, December 5, 2025
Chinese Threat Actors Rapidly Exploit React2Shell Flaw
⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.
Fri, December 5, 2025
Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse
🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.
Fri, December 5, 2025
Intellexa's Predator Spyware Continues Despite Sanctions
📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.
Fri, December 5, 2025
CISA: PRC-linked BRICKSTORM Backdoor Targets vSphere
🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.
Thu, December 4, 2025
Predator Spyware Uses Ad-Based Zero-Click Infection
📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.
Wed, December 3, 2025
Microsoft Quietly Patches Long-Exploited Windows LNK Bug
🔒 Microsoft has quietly fixed CVE-2025-9491, a Windows Shortcut (.LNK) UI misinterpretation flaw that enabled remote code execution and has been abused since 2017 by multiple state-affiliated and criminal groups. The change, deployed in November 2025, forces the Properties dialog to display the full Target command string regardless of length, removing the truncation that hid malicious arguments. Vendors including 0patch and ACROS Security noted alternative mitigations — a UI change by Microsoft and a warning-based micropatch — that together reduce user exposure.
Wed, December 3, 2025
Microsoft mitigates Windows LNK zero-day exploited widely
🔒 Microsoft has quietly mitigated a high-severity Windows LNK vulnerability tracked as CVE-2025-9491, which attackers used to hide malicious command-line arguments inside .lnk files. The flaw relied on padding the Target field so that Windows hid any arguments beyond 260 characters from view, enabling persistence and malware delivery. Microsoft’s November update now shows the full Target string in Properties but does not remove malicious arguments or warn users. An unofficial 0Patch micropatch limits target strings and warns on unusually long values.
Wed, December 3, 2025
Pall Mall Process to Define Responsible Cyber Intrusion
🛡️ The Pall Mall Process, launched in 2024 by the UK and France with 27 governments and major tech firms onboard, seeks to set guidelines for commercial cyber intrusion capabilities. Its second phase invites input from the offensive cyber industry — vendors, brokers, researchers and service providers — on what constitutes responsible behaviour. The guidance will complement the existing Code of Practice for States and aims to curb irresponsible trade in spyware and zero-day exploits. The public consultation closes on December 22.
Tue, December 2, 2025
Critical PickleScan Zero-Days Threaten AI Model Supply
🔒 Three critical zero-day vulnerabilities in PickleScan, a widely used scanner for Python pickle files and PyTorch models, could enable attackers to bypass model-scanning safeguards and distribute malicious machine learning models undetected. The JFrog Security Research Team published an advisory on 2 December after confirming all three flaws carry a CVSS score of 9.3. JFrog has advised upgrading to PickleScan 0.0.31, adopting layered defenses, and shifting to safer formats such as safetensors.
Tue, December 2, 2025
Google fixes two Android zero-days, 107 vulnerabilities
🔒 Google released its December 2025 Android security bulletin addressing 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are reported to be under limited targeted exploitation. The flaws affect Android 13–16 and include information-disclosure and privilege-escalation issues; the most critical fix this month is CVE-2025-48631 (DoS). Updates also include critical kernel fixes for Qualcomm and closed-source vendors, and Samsung has ported fixes. Users should apply updates, keep Play Protect active, or move to supported builds.
Tue, December 2, 2025
University of Pennsylvania Confirms Oracle EBS Data Theft
🔒 The University of Pennsylvania disclosed that attackers exploited a previously unknown Oracle E-Business Suite zero-day in August to obtain files containing personal information. In a notification filed with Maine's Attorney General, Penn said at least 1,488 individuals had data taken and warned the overall total may be larger. The university reported no evidence so far that the stolen information has been misused or published and has not publicly attributed the intrusion; the incident aligns with a broader campaign linked to the Clop ransomware group.