
All news with #zero day exploitation tag

325 articles · page 2 of 17

Storm-1175 (Medusa) Accelerates Ransomware Attacks

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.

Storm-1175 Weaponizes n-day and Zero-day Flaws Worldwide

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.

China-linked Storm-1175 Uses Zero-Days to Deploy Medusa

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.

Researcher Releases BlueHammer Windows Zero-Day Exploit

🚨 A security researcher published exploit code for an unpatched Windows privilege escalation vulnerability dubbed BlueHammer, citing dissatisfaction with how Microsoft's Security Response Center handled the report. The public proof-of-concept reportedly combines a TOCTOU and path confusion to access the SAM database and escalate to SYSTEM or elevated administrator privileges. The PoC contains bugs and is not reliably successful across all Windows editions, and Microsoft had not issued a patch at publication, leaving the flaw classified as a zero-day.

Microsoft: Medusa Affiliate Storm-1175 Uses Zero-Day

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.

CISA Orders Feds to Patch Fortinet EMS Zero-Day Urgently

⚠️ CISA has ordered federal agencies to patch FortiClient EMS instances by April 9 after the discovery of CVE-2026-35616, a pre-authentication API access bypass. Fortinet released emergency hotfixes and said unauthenticated attackers can execute code via specially crafted requests. Administrators are urged to apply hotfixes or upgrade to 7.4.7 immediately to mitigate active exploitation.

Storm-1175 Targets Vulnerable Web-Facing Assets with Medusa

🔒 Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.

Weekly Recap: Axios Supply-Chain, Chrome Zero-Day, and More

⚡ This week’s incidents include a supply-chain compromise of the popular Axios npm package by actors attributed to North Korea (UNC1069) and an actively exploited Chrome zero-day (CVE-2026-5281) in the Dawn/WebGPU component. Other notable events include active exploitation of Fortinet FortiClient EMS, a TrueConf update-integrity bypass, and an accidental large code leak from Anthropic’s Claude development. Organizations should treat developer tooling, CI/CD, and dependencies as part of the attack surface and apply patches and integrity checks promptly.

Emergency Patch for FortiClient EMS Zero-Day Exploit

⚠️ Fortinet released an emergency weekend hotfix to address a critical pre-authentication flaw in FortiClient EMS (CVE-2026-35616) that is being actively exploited in the wild. The improper access control defect allows unauthenticated attackers to execute commands via specially crafted API requests and affects versions 7.4.5 and 7.4.6. Fortinet urges immediate installation of the hotfixes or upgrading to 7.4.7 when available. Shadowserver reports over 2,000 exposed EMS instances, primarily in the US and Germany.

Fortinet issues hotfix for actively exploited FortiClient EMS

🔧 Fortinet has released an out‑of‑band hotfix for a critical pre‑authentication API access bypass in FortiClient EMS (CVE-2026-35616, CVSS 9.1) that has been observed exploited in the wild. The flaw allows unauthenticated attackers to bypass API authentication and authorization protections and execute commands on affected systems, impacting versions 7.4.5–7.4.6. Fortinet urges immediate installation of the hotfix and says a full remediation will be included in 7.4.7.

Google patches fourth Chrome zero-day this year in 2026

🛡️ Google has patched a fourth zero-day in Chrome this year, addressing CVE-2026-5281 in Dawn, the browser's WebGPU implementation, which allowed remote code execution via a crafted HTML page when the renderer process was compromised. The company confirmed an exploit exists in the wild and urges users to update to Chrome 146.0.7680.178 or newer. This fix follows earlier 2026 patches for CSS memory handling, the Skia graphics library, and the V8 JavaScript engine.

Alleged Leak of US iPhone Hacking Tool Coruna Reveals

🔓 Google researchers released a report describing Coruna, a sophisticated iPhone exploitation toolkit that chains 23 distinct iOS vulnerabilities into five full exploit techniques capable of bypassing device defenses and silently installing malware when a user visits a crafted website. Analysts note the code’s professional, English-language provenance and say it bears hallmarks of previously attributed US government modules. Reporting from TechCrunch cites former L3Harris employees who say the company’s Trenchant surveillance division helped develop parts of the toolkit and that an insider may have sold components to foreign actors, raising urgent questions about loss of control over offensive cyber capabilities.

Apple Widens iOS 18 Patch Support to Block DarkSword

🔒 Apple has expanded availability of iOS 18.7.7 to a broader set of iPhones and iPads to ensure devices remaining on iOS 18 receive protections against the actively exploited DarkSword exploit kit. The update delivers fixes for multiple vulnerabilities first mitigated in 2025 and addresses additional CVEs disclosed through 2026. Users with Automatic Updates enabled on eligible devices will receive these protections automatically. Researchers observed deployment of information-stealing and backdoor malware families including GhostBlade, GhostKnife, and GhostSaber in attacks exploiting these flaws.

TrueConf Zero-Day Used to Deliver Malicious Updates

⚠️ Check Point researchers report attackers exploited a TrueConf zero-day (CVE-2026-3502) to replace legitimate updates with malicious executables delivered from compromised on-premises servers. The vulnerability stems from a missing integrity check in the update mechanism and affected versions 8.1.0 through 8.5.2; TrueConf released a patch in 8.5.3 (March 2026). The campaign, tracked as TrueChaos, targeted government entities in Southeast Asia and likely leveraged Havoc C2, DLL sideloading, and a UAC bypass.

Claude Code Finds Zero-Day RCEs in Vim and GNU Emacs

🔎 Researcher Hung Nguyen used simple prompts with Anthropic’s Claude Code to rapidly discover zero-day remote code execution flaws in Vim and GNU Emacs, showing that legacy codebases can be probed far faster by advanced LLMs than by conventional fuzzing. Within minutes Claude Code located missing security checks and generated proof-of-concept exploit ideas, prompting a quick patch for Vim (CVE-2026-34714). Emacs' maintainers declined to treat the finding as an Emacs bug, pointing to Git and leaving suggested manual mitigations for affected releases. The episode highlights both the power of AI-assisted research and the attendant risks of simpler exploit development.

Google Patches Chrome Zero-Day CVE-2026-5281 Exploit

🔒 Google released updates for Chrome to fix 21 vulnerabilities, including a zero-day (CVE-2026-5281) that has been exploited in the wild. Dawn, the WebGPU implementation, contains a use-after-free bug allowing a remote attacker with access to the renderer process to execute arbitrary code via crafted HTML. Users should update to versions 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux, and ensure Chromium-based browsers receive vendor patches.

Google fixes fourth Chrome zero-day exploited in 2026

⚠️ Google released emergency updates to fix a fourth actively exploited Chrome zero-day, tracked as CVE-2026-5281. The issue is a use-after-free in Dawn, Chromium's implementation of the WebGPU standard, and can cause crashes, rendering problems, or data corruption. Patches are available on Stable Desktop for Windows, macOS (146.0.7680.177/178), and Linux (146.0.7680.177); rollouts may take days, but updates are immediately available when checking.

Critical RCE in F5 BIG-IP APM Originally Labeled DoS

⚠️ A five-month-old F5 BIG-IP APM flaw initially classified as a denial-of-service is now confirmed as a pre-authentication remote code execution vulnerability (CVE-2025-53521) being exploited in the wild. F5 updated its advisory, raised the CVSS to 9.8, and CISA added the issue to its KEV catalog after reports of active exploitation and observed root-level malware persistence. Affected versions include 15.1.x, 16.1.x, 17.1.x and 17.5.x; F5 has released fixes, IOCs, and hardening guidance, but organizations should patch immediately and perform compromise assessments rather than rely solely on backups.

TrueConf Zero-Day Used to Distribute Malicious Updates

⚠ A high-severity update integrity flaw in TrueConf client (CVE-2026-3502, CVSS 7.8) has been exploited in the wild as part of the TrueChaos campaign. An attacker who controls an on‑premises TrueConf server can substitute legitimate update packages with poisoned installers that lead to arbitrary code execution via DLL side‑loading. Check Point observed the operation targeting government entities in Southeast Asia and linking activity to a Chinese‑nexus actor. Vendor patches are available in TrueConf Windows client 8.5.3 and organizations should apply them and verify update integrity.

TrueConf Update Zero-Day Used to Deliver Malware at Scale

🛠️ Check Point Research identified a zero-day (CVE-2026-3502, CVSS 7.8) in the TrueConf client update mechanism that was abused to deliver malware via legitimate software updates. Exploitation was observed in the wild targeting government entities in Southeast Asia and required no phishing or prior compromise. The attack chain culminated with deployment of Havoc, a powerful post-exploitation framework, and the vendor released a remediation after disclosure.