CISO Brief

All news with the #zero day exploitation tag

325 articles · page 15 of 17

Cisco warns of ASA firewall zero-days under attack

⚠️ Cisco has warned customers of two actively exploited zero-day vulnerabilities affecting Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. CVE-2025-20333 enables authenticated attackers to execute arbitrary code remotely, while CVE-2025-20362 allows remote access to restricted URL endpoints without authentication. Cisco's PSIRT reported attempted exploitation and strongly recommends upgrading to fixed software releases.

CISA Orders Federal Agencies to Mitigate Cisco ASA Zero-Day

🛡️ CISA issued Emergency Directive 25-03 directing federal civilian agencies to identify and mitigate exploitation of a zero-day affecting Cisco Adaptive Security Appliances (ASA). Agencies must inventory in-scope devices, collect forensic data, and assess compromises using CISA-provided procedures and tools. End-of-support devices must be disconnected and remaining appliances upgraded by 11:59 PM EST on September 26, 2025; CISA will monitor compliance and provide assistance.

Cisco warns of IOS and IOS XE SNMP zero-day attacks

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

BRICKSTORM espionage campaign targeting appliances in US

🔒 BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys Go-based malware with SOCKS proxy functionality and uses techniques — including zero-day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

CISA: Federal Agency Breached via GeoServer RCE Incident

🔒 CISA reported that an unnamed federal civilian agency was breached after actors exploited CVE-2024-36401, an RCE in a public-facing GeoServer, on July 11, 2024. The vendor had patched the flaw on June 30 and CISA added it to the KEV catalogue on July 15; a second GeoServer was compromised on July 24. Attackers deployed open-source tools and web shells such as China Chopper, used living-off-the-land and brute-force techniques, and established persistence. CISA highlighted failures in timely patching, incident-response testing, and continuous EDR monitoring.

VMScape: Practical Spectre v2 Sandbox Escape in VMs

⚠️ Researchers at ETH Zurich published a paper demonstrating VMScape, a practical Spectre v2 (branch target injection) attack that escapes a guest VM to read host memory in virtualized environments. The team showed AMD Zen1–Zen5 CPUs and older Intel Coffee Lake servers can be abused to exfiltrate secrets from a default-configured VM. The issue was assigned CVE-2025-40300 and a Linux kernel patch is available; hardware protections such as SEV/SEV-SNP and TDX are recommended mitigations.

Weekly Recap: Chrome 0-day, AI Threats, and Supply Chain Risk

🔒 This week's recap highlights rapid attacker innovation and urgent remediation: Google patched an actively exploited Chrome zero-day (CVE-2025-10585), while researchers demonstrated a DDR5 RowHammer variant that undermines TRR protections. Dual-use AI tooling and model namespace reuse risks surfaced alongside widespread supply-chain and phishing disruptions. Defenders should prioritize patching, harden model dependencies, and monitor for stealthy loaders.

ShadowLeak zero-click exfiltrates Gmail via ChatGPT Agent

🔒 Radware disclosed a zero-click vulnerability dubbed ShadowLeak in OpenAI's Deep Research agent that can exfiltrate Gmail inbox data to an attacker-controlled server via a single crafted email. The flaw enables service-side leakage by causing the agent's autonomous browser to visit attacker-controlled URLs carrying the harvested PII, without rendering content or requiring user interaction. Radware reported the issue in June; OpenAI fixed it silently in August and acknowledged resolution in September.

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.

New Phoenix Rowhammer Bypass Elevates DDR5 Privilege Risk

⚠ The new Phoenix Rowhammer technique reverse-engineers TRR in SK Hynix DDR5 DIMMs to induce controlled bit flips previously believed mitigated. Researchers from ETH Zurich and Google report Phoenix reliably triggers flips across all 15 tested modules, enabling practical exploits such as forged Page Table Entries, RSA-2048 key leakage from co-located VMs, and a sudo-based root escalation. The issue is tracked as CVE-2025-6202.

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.

Google patches sixth Chrome zero-day exploited in 2025

🔒 Google has released emergency security updates to address a high-severity Chrome zero-day, CVE-2025-10585, which a public exploit indicates is being used in the wild. The vulnerability is a type confusion weakness in Chrome's V8 JavaScript engine and was reported by Google's Threat Analysis Group. Google issued emergency Stable Desktop releases — Chrome 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux — and recommends that users update immediately via Chrome menu > Help > About Google Chrome and click 'Relaunch' once the update finishes. The company also said it may withhold technical details until a majority of users have applied the fix.

Google Issues Chrome Security Update for V8 Zero-Day

⚠️ Google released security updates for Chrome to address four vulnerabilities, including a zero-day (CVE-2025-10585) in the V8 JavaScript and WebAssembly engine that is reported to be exploited in the wild. The issue is a type confusion bug discovered and reported by Google's Threat Analysis Group on September 16, 2025, and can enable arbitrary code execution or crashes. Users should update to Chrome 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) and apply vendor patches for other Chromium-based browsers when available.

Apple patches ImageIO zero-day, urges users to update

🛡️ Apple has released iOS 16.7.12 and iPadOS 16.7.12 to address a critical zero-day in the ImageIO framework (CVE-2025-43300) that can trigger memory corruption when processing crafted images. The vendor says the flaw is an out-of-bounds write and that it may have been exploited in targeted attacks against specific individuals. The fix improves bounds checking and was backported from the 18.6.2 updates to reach older devices. Users, particularly those on older iPhones and iPads, are advised to install the update immediately.

Apple Backports Zero-Day Fixes to Older iPhones and iPads

🔒 Apple has released security updates that backport a patch for CVE-2025-43300 to older iPhone, iPad and iPod touch builds. The flaw is an out-of-bounds write in the Image I/O framework that can cause memory corruption, crashes, or enable remote code execution when a device processes a malicious image file. Apple said the issue was exploited in an extremely sophisticated targeted attack and has added improved bounds checking; affected users should install the updates promptly.

Apple Backports Patch for CVE-2025-43300 Exploited Spyware

🛡️ Apple has backported a fix for CVE-2025-43300, an ImageIO out-of-bounds write that can cause memory corruption and has been observed in an extremely sophisticated, targeted spyware campaign. The flaw (CVSS 8.8) was reportedly chained with a WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) in attacks against fewer than 200 individuals. Patches were issued for current releases and older OS builds — including iOS 16.7.12 and iOS 15.8.5 device backports — and distributed across macOS, tvOS, visionOS, watchOS, Safari, and Xcode. Users and administrators should install the available updates immediately to ensure protection.

Samsung image library flaw enables zero-click RCE exploit

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library supplied by Quramsoft, libimagecodec.quram.so, affecting devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector, and the flaw can be exploited as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

VMScape: Spectre-BTI Variant Breaks VM Isolation in VMs

🔒 Researchers have demonstrated VMScape, a Spectre-like branch target injection attack that breaks guest-to-host isolation on AMD and Intel CPUs in virtualized environments. The proof-of-concept targeted KVM/QEMU in its default configuration and extracted host disk encryption keys from an AMD Zen 4 system. The issue is tracked as CVE-2025-40300; mitigations include inserting an Indirect Branch Prediction Barrier (IBPB) on VMEXIT, which maintainers report causes only marginal performance impact. The vulnerability highlights that existing Spectre-BTI defenses and microcode updates are insufficient in some virtualized deployments, particularly on AMD Zen microarchitectures.

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

Apple Alerts French Users to Fourth 2025 Spyware Campaign

🔔 Apple has notified users in France that devices linked to some iCloud accounts may have been compromised in a fourth spyware campaign this year, CERT-FR confirmed on September 3, 2025. The agency said the alerts target high-profile individuals — journalists, lawyers, activists, politicians and senior officials — and follow prior notices on March 5, April 29 and June 25. Recent disclosures also link WhatsApp and iOS vulnerabilities exploited in zero-click chains, while Apple’s Memory Integrity Enforcement aims to harden new iPhones against such memory-corruption attacks.