CISO Brief

All news with #zero day exploitation tag

389 articles · page 20 of 20

Citrix Patches NetScaler Flaws; Confirms Active Exploitation

🔒 Citrix has issued patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, and confirmed active exploitation of CVE-2025-7775. The flaws include two memory overflow issues (CVSS 9.2 and 8.8) that can lead to remote code execution or denial-of-service, and an improper access-control bug (CVSS 8.7) affecting the management interface. Fixes are available in multiple 12.x–14.x releases with no workarounds; Citrix credited external researchers for reporting the issues.

Docker fixes critical container escape CVE-2025-9074

🚨 Docker has released an urgent patch for CVE-2025-9074, a critical container escape flaw in Docker Desktop for Windows and macOS that carries a CVSS score of 9.3. A malicious container could reach the Docker Engine API at 192.168.65.7:2375 without authentication, create and start new containers that bind the host C:\ drive and thereby access or modify host files. The issue is fixed in version 4.44.3; Enhanced Container Isolation (ECI) does not mitigate the vulnerability. Linux desktop installations are not affected because they use a host named pipe instead of a TCP socket.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

EchoLink: Rise of Zero-Click AI Exploits in M365 Enterprise

⚠️ EchoLink is a newly identified zero-click vulnerability in Microsoft 365 Copilot that enables silent exfiltration of enterprise data without any user interaction. This class of attack bypasses traditional click- or download-based defenses and moves laterally at machine speed, making detection and containment difficult. Organizations relying solely on native tools or fragmented point solutions should urgently reassess their exposure and incident response readiness.

August 2025 Patch Tuesday: 107 CVEs, 13 Critical, Zero-Day

🛡️ Microsoft's August 2025 Patch Tuesday addresses 107 CVEs, including one publicly disclosed Windows Kerberos zero-day (CVE-2025-53779) and 13 Critical flaws. Notable fixes cover high-severity RCEs in the Windows Graphics Component and GDI+ and an NTLM elevation-of-privilege issue. Microsoft has released patches; organizations should apply updates promptly and use Falcon Exposure Management to prioritize and visualize exposure.

WinRAR zero-day (CVE-2025-8088) used in RomCom attacks

🔒 ESET researchers uncovered a previously unknown WinRAR vulnerability, tracked as CVE-2025-8088, that is being actively exploited by the Russia-aligned actor RomCom in targeted spearphishing campaigns. The Windows path traversal flaw enables execution of arbitrary code when victims open crafted archives. Users should update to WinRAR 7.13 immediately and consult ESET's video and blogpost for indicators and mitigation.

WinRAR zero-day (CVE-2025-8088) exploited by RomCom

🔒 ESET researchers disclosed a previously unknown WinRAR zero-day, CVE-2025-8088, actively exploited by the Russia-aligned group RomCom. The flaw is a path-traversal vulnerability that leverages NTFS alternate data streams (ADS) to conceal malicious files in RAR archives, which are silently deployed on extraction. Observed payloads included a Mythic agent, a SnipBot variant, and RustyClaw (MeltingClaw), targeting organizations in finance, manufacturing, defense and logistics. Users and vendors relying on WinRAR, UnRAR.dll or its source must update to the July 30, 2025 patched release immediately.

SharePoint under fire: ToolShell zero-day attacks worldwide

🛡️ ESET's research details active exploitation of two zero-day vulnerabilities—CVE-2025-53770 and CVE-2025-53771—against on-premises Microsoft SharePoint servers in a campaign dubbed ToolShell. The company reports global impact, with the United States responsible for 13.3% of observed attacks. Organizations should immediately prioritize patching affected servers, apply vendor mitigations, tighten access controls and monitoring, and review logs for indicators of compromise. Watch the accompanying video featuring ESET Chief Security Evangelist Tony Anscombe and consult the full blogpost for technical detail.

ToolShell SharePoint Zero-Days Exploited in the Wild

🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.