All news with #zero day exploitation tag

⚠️ Huntress has observed criminals exploiting a new zero-day (CVE-2025-11371) in Gladinet CentreStack and Triofox file-sharing servers that enables unauthenticated local file inclusion. The flaw can expose the application's Web.config machineKey, effectively re-enabling a prior ViewState deserialization RCE (CVE-2025-30406). Gladinet has not yet released a patch; Huntress advises disabling the UploadDownloadProxy temp handler as a mitigation. Huntress detected misuse across multiple customers and notes that SOC telemetry flagged irregular base64 payloads; administrators should assume 'fully patched' may not equal secure and isolate or disable vulnerable handlers until a vendor patch is available.

🔒 Apple has raised its top bounty for iOS zero‑click system‑level remote code execution from $1 million to $2 million, with additional bonuses for Lockdown Mode bypasses and beta‑stage reports that can push awards above $5 million. The change coincides with the rollout of Memory Integrity Enforcement in A19/A19 Pro chips, which leverages Arm's MTE/EMTE to harden memory safety. Apple will also provide 1,000 iPhone 17 devices to civil society members at risk.

⚠️ Researchers report an actively exploited zero-day (CVE-2025-11371) in Gladinet's CentreStack and Triofox that permits unauthenticated Local File Inclusion (LFI) on default installs, exposing system files and allowing machine-key disclosure. Huntress observed exploitation on Sept 27 with at least three companies targeted. No patch is available yet; Gladinet has issued a workaround to disable a temp handler in the UploadDownloadProxy Web.config, though this may affect some functionality.

🔒 Apple has expanded and redesigned its bug bounty program, doubling the top reward to $2 million for zero-click remote compromise reports and enabling bonus payouts that can push awards above $5 million. The new payout tiers raise rewards across multiple attack categories and add a $1,000 encouragement award for low-impact findings. Apple broadened the wireless-proximity category to include C1/C1X and N1 chips and plans to distribute 1,000 secured iPhone 17 devices in 2026.

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.

🚨 Redis has a critical, decade‑old vulnerability identified as CVE-2025-49844 (RediShell) in its embedded Lua scripting engine that can let authenticated users escape the sandbox and execute arbitrary code on the host. Researchers at Wiz report roughly 330,000 Redis instances are exposed online, with about 60,000 lacking authentication. Redis and Wiz disclosed the issue on October 3 and published patches; administrators should apply updates, restrict access, and disable Lua scripting if not required.

🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.

⚠ A critical vulnerability in the Unity Runtime, introduced in engine version 2017.01, can allow attackers to pass crafted startup parameters that cause games to load arbitrary native libraries on Windows, macOS, Linux and Android. Exploitation may execute malicious code or expose device data, and the risk depends on game and OS settings. Vendors Valve and Microsoft advise blocking or removing affected titles while Unity urges developers to update, recompile and republish builds; Unity also provides an application patcher for unmaintained games.

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

🔒 Microsoft Threat Intelligence warns of active exploitation of a critical deserialization vulnerability in GoAnywhere MFT License Servlet (CVE-2025-10035, CVSS 10.0) that can allow forged license responses to trigger arbitrary object deserialization and potential remote code execution. Activity attributed to Storm-1175 included initial access via this flaw, deployment of RMM tools (SimpleHelp, MeshAgent), and at least one Medusa ransomware incident. Customers should upgrade per Fortra guidance, run EDR in block mode, restrict outbound connections, and use the provided Defender detections and IoCs for hunting and response.

🔒 The Redis security team has released patches for CVE-2025-49844, a maximum-severity use-after-free in the bundled Lua interpreter that can enable remote code execution when an attacker supplies a specially crafted Lua script. Wiz researchers, who disclosed the issue at Pwn2Own Berlin and dubbed it RediShell, found approximately 330,000 Redis instances exposed online and at least 60,000 requiring no authentication. Administrators should apply the published fixes (for example, 7.22.2-12 and later; OSS/CE/Stack variants also updated) immediately and implement mitigations such as enabling authentication, disabling Lua scripting where possible, running Redis as a non-root user, and restricting network access.

⚠️ A code execution vulnerability in Unity's Runtime (CVE-2025-59489) can allow unsafe file loading and local file inclusion, enabling code execution on Android and privilege escalation on Windows. Valve/Steam issued a Client update to block launching custom URI schemes and urges publishers to rebuild with a safe Unity version or replace the UnityPlayer.dll. Microsoft published guidance recommending users uninstall vulnerable games until patched, and Unity advises developers to update the Editor, recompile, and redeploy.

🛡️Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.

⚠️A stored cross-site scripting vulnerability in the Zimbra Classic Web Client (CVE-2025-27915) was exploited in targeted attacks and has since been patched. The flaw allowed embedded JavaScript in ICS calendar entries to execute via an ontoggle event, enabling attackers to create mail filters, redirect messages, and exfiltrate mailbox data. Zimbra released fixes on January 27, 2025; administrators should apply updates and audit mailbox filters and logs for indicators of compromise.

📅 Researchers found a zero-day XSS in Zimbra Collaboration Suite exploited through malicious .ICS (iCalendar) attachments that delivered obfuscated JavaScript. The vulnerability, tracked as CVE-2025-27915, affects ZCS 9.0, 10.0 and 10.1 and was patched by Zimbra on January 27 with releases ZCS 9.0.0 P44, 10.0.13 and 10.1.5. StrikeReady determined attacks began in early January and involved a spoofed Libyan Navy email targeting a Brazilian military organization. The injected script is capable of stealing credentials, emails, contacts and shared folders, manipulating filters to forward mail, and using the Zimbra SOAP API to exfiltrate data.

🔒 CISA added a critical vulnerability affecting the Sudo utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, CVE-2025-32463 (CVSS 9.3), impacts Sudo versions prior to 1.9.17p1 and can be abused via the -R (--chroot) option to execute arbitrary commands as root, bypassing sudoers. Four additional flaws were also added to the KEV list. Agencies and organizations are advised to apply mitigations and updates by October 20, 2025 and upgrade or implement compensating controls immediately.

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. WatchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should apply patches to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.