All news with #zero day exploitation tag

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.

🚨Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.

🔒 At Pwn2Own Automotive 2026 in Tokyo, researchers chained 37 zero-day vulnerabilities and collected $516,500 in cash awards on the first day. Teams including Synacktiv Team, Fuzzware.io, PetoWorks, and Team DDOS gained root access on targets such as the Tesla Infotainment System, Sony XAV-9500ES, multiple EV chargers, and other IVI systems. Vendors have 90 days to issue patches before Trend Micro's Zero Day Initiative publicly discloses the reported flaws.

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non‑Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.

⚡ This week’s roundup highlights active exploitation of a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) that can lead to full appliance compromise, alongside new malware and supply-chain concerns. Researchers also disclosed a clipboard‑hijacking campaign distributed by RedLineCyber and a Reprompt attack that targeted Microsoft Copilot via P2P prompt injection. Other notable items include a cloud-native Linux framework called VoidLink, disruption of the RedVDS criminal service, and an AWS CodeBuild misconfiguration that raised supply‑chain risks. Defenders should prioritize patching high-severity CVEs, harden CI/CD configurations, and treat AI/chatbot integrations and exposed devices as part of the attack surface.

⚠️ Cisco has released patches for a critical zero-day, CVE-2025-20393, in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw allows a remote attacker to gain root by sending a crafted HTTP request to the Spam Quarantine interface when it is enabled and reachable from the internet. Cisco first learned of exploitation in December, issued a public advisory on Dec. 17, and has now published fixes to address the issue.

🔒 Cisco Talos describes an actor tracked as UAT-8837, active since at least 2025, that targeted North American critical infrastructure to gain initial access. The group exploited both compromised credentials and a Sitecore ViewState deserialization zero-day (CVE-2025-53690), with Mandiant linking the flaw to deployment of the WeepSteel reconnaissance backdoor. Post-compromise activity focused on credential theft, Active Directory enumeration, and use of living-off-the-land utilities and open-source tools to evade detection.

🔒 Cisco has released a fix for a maximum‑severity AsyncOS zero‑day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its known exploited vulnerabilities catalog and ordered federal remediation under BOD 22-01.

⚠️ Cisco Talos says a China-aligned advanced persistent threat tracked as UAT-8837 has been leveraging a critical Sitecore zero-day (CVE-2025-53690, CVSS 9.0) to gain initial access to North American critical infrastructure. The actor uses both exploit-based access and compromised credentials, then deploys open-source tools for credential harvesting, Active Directory reconnaissance, and persistent remote access. Observed artifacts include GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, Rubeus, and Certipy, raising supply chain and OT exposure concerns.

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.

🔓 A critical FortiSIEM vulnerability, tracked as CVE-2025-25256, enables remote unauthenticated attackers to execute arbitrary commands by invoking exposed phMonitor handlers. Horizon3.ai disclosed technical details and published a demonstrative exploit after Fortinet issued patches across supported branches. The flaw combines arbitrary write with privilege escalation to root and affects a range of FortiSIEM releases; Fortinet advises applying the supplied updates or restricting access to the phMonitor port (7900) as a temporary mitigation.

🛡️ FortiGuard Labs uncovered a phishing campaign that delivers a fileless Remcos RAT via a malicious Word document which loads a remote RTF exploiting CVE-2017-11882. The exploit executes shellcode to fetch a VBScript that launches a Base64 PowerShell loader. That PowerShell downloads an image with an embedded .NET module, which the loader runs in memory to install persistence and inject the Remcos payload into a legitimate process using process hollowing.

🔒 Microsoft released updates addressing over 100 CVEs on the first Patch Tuesday of 2026, including three zero-day vulnerabilities. CVE-2026-20805 is an actively exploited information-disclosure flaw in the Desktop Window Manager that can undermine ASLR; CVE-2026-21265 concerns a secure-boot certificate-expiration bypass affecting many devices; CVE-2023-31096 is an elevation-of-privilege in legacy Agere modem drivers that Microsoft is removing. Administrators should prioritize patching, review firmware and UEFI certificates, and audit hardware where updates may require manual acceptance.

🛡️ Microsoft’s January 2026 Patch Tuesday addresses eight critical vulnerabilities and an actively exploited zero-day, with many high‑score flaws affecting Office and SharePoint. The Desktop Window Manager information-disclosure bug (CVE-2026-20805) is already being exploited and can leak memory to enable follow-on attacks. Other priorities include an RRAS heap overflow (CVE-2026-20868), Secure Boot certificate updates (CVE-2026-21265), and multiple NTFS and WinSock elevation issues. Administrators should accelerate patching, restrict local access, and monitor for suspicious activity.

🔒 Microsoft released January 2026 security updates addressing 113 vulnerabilities across Windows and supported products, including eight rated Critical. The company confirmed active exploitation of a Desktop Window Manager information disclosure flaw, CVE-2026-20805, which researchers say can be chained to code execution bugs. Other prominent fixes include two Office RCEs exploitable via the Preview Pane, a critical Secure Boot bypass, and removal of legacy modem drivers. Experts urge rapid, risk-based patching and careful BIOS/bootloader preparation.

🔔 Microsoft released its January 2026 Patch Tuesday addressing 114 vulnerabilities, including three zero-days and several Critical flaws. Notable fixes include an actively exploited information-disclosure issue in Windows Desktop Window Manager (CVE-2026-20805) and publicly disclosed zero-days in Agere Soft Modem and Secure Boot. The release also remediates multiple Critical RCE and elevation-of-privilege issues across Windows and Microsoft Office. Organizations should prioritize testing and deployment and apply compensating controls where immediate patching is impractical.

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, leveraging three zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224/22225/22226). The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled VM-to-hypervisor escapes, remote control of ESXi hosts over VSOCK port 10000, and file transfer capabilities from guest VMs, all of which were halted by Huntress before a suspected ransomware stage could complete.

🔒 Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been developed more than a year before the vulnerabilities were publicly disclosed. Huntress analysts found PDB build paths and simplified Chinese artifacts suggesting components were compiled in late 2023 and early 2024. The toolkit chains multiple ESXi flaws to escape guest VMs into the hypervisor, load an unsigned kernel driver, and deploy a persistent backdoor. Organizations are urged to apply the latest ESXi security updates and use the supplied detection rules to detect compromise.

🚨 CISA has added a maximum-severity vulnerability in HPE OneView (CVE-2025-37164) to its catalog of flaws actively exploited in the wild. Reported by Nguyen Quoc Khanh (brocked200) and patched by HPE in mid-December, the bug affects all OneView releases before v11.00 and enables unauthenticated code-injection attacks leading to remote code execution. There are no known mitigations or workarounds; HPE and CISA urge immediate upgrades, and federal agencies must remediate by January 28 under BOD 22-01.

⚠️A critical remote code execution flaw, CVE-2026-0625, is being actively exploited in legacy D-Link DSL gateway routers via a command-injection weakness in the dnscfg.cgi endpoint. Improper sanitization of DNS configuration parameters allows unauthenticated attackers to execute arbitrary shell commands and modify DNS settings. D-Link says it is investigating affected firmware variants and will publish an updated model list after a firmware-level review. Owners of end-of-life devices should retire or replace impacted hardware immediately.