CISO Brief

All news with #zero day exploitation tag

325 articles · page 4 of 17

Zero-Day Exploits on Enterprise Software Reach Record High

🛡️ Google Threat Intelligence Group (GTIG) analysis found 90 zero-day vulnerabilities were actively exploited in 2025, and attackers are increasingly focusing on enterprise technology. Enterprise software and appliances accounted for 43 (48%) of tracked zero-days, with security and networking appliances most frequently targeted. End-user platforms still comprised 52% of exploits overall, led by Microsoft Windows, while mobile OS targeting rose and browser-based zero-days fell to a historic low. GTIG recommends segmentation, least-privilege architectures and continuous monitoring to detect and respond to threats.

Zero-day Exploits Hit Enterprises Faster and Harder

⚠️ Google’s GTIG tracked 90 zero-day vulnerabilities in 2025, finding nearly half targeted enterprise technologies such as security appliances, VPNs, networking gear, and enterprise software. The report highlights that Chinese-linked actors increased their use of zero-days and that commercial surveillance vendors have now outpaced state-backed groups. Defenders face shrinking response windows as exploit sharing, faster public-to-exploit timelines, and emerging AI accelerate attacks.

GTIG: 90 Zero-Day Exploits Observed in 2025, Enterprise Hit

🔐 Google Threat Intelligence Group (GTIG) reports 90 zero-day vulnerabilities were actively exploited in 2025, a 15% increase from 2024. Nearly half targeted enterprise products such as security appliances, networking gear, VPNs, and virtualization platforms. Memory-safety issues comprised 35% of exploited flaws, and commercial spyware vendors overtook state actors as the top zero-day consumers. Google recommends reducing attack surface, continuous monitoring, and rapid patching to detect and contain exploitation.

2025 Zero-Day Review: Enterprise Rise and CSV Growth

🛡️ Google Threat Intelligence Group's 2025 review found 90 zero-day vulnerabilities exploited in the wild, down from 2023 but above 2024. Enterprise technologies accounted for a record 48% of zero-days, driven by attacks on networking and security appliances, while browser exploitation fell to historic lows. GTIG highlights growing involvement of commercial surveillance vendors and expanded financially motivated use of zero-days. Defenders are urged to prioritize segmentation, inventory, and rapid mitigation.

Zero-click RCE in FreeScout urges immediate patching

⚠️ Ox Security has disclosed a zero-click remote code execution (RCE) vulnerability affecting FreeScout, tracked as CVE-2026-28289 (Mail2Shell), which bypasses an earlier fix (CVE-2026-27636). By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without any user interaction. Ox warned that thousands of instances may be exposed and urged immediate upgrades to v1.8.207 or later. Administrators are also advised to disable AllowOverrideAll in Apache on affected servers.

Smashing Security Podcast #457: Insider Leak and AI Risks

🕵️ In episode 457 of the Smashing Security podcast, Graham Cluley and guest Carl Miller unpack a startling insider-abuse case where a defence contractor's leak of zero-day exploits apparently led to an internal investigation run by the leaker, who then framed an innocent colleague. The episode cites reporting and US government actions — including a DOJ sentencing and Treasury sanctions — that trace a network selling stolen government cyber tools to a Russia-linked broker. It also examines emerging concerns that nation states may attempt to manipulate AI by poisoning training data and influencing large language models, with broad implications for trust and national security.

Mail2Shell zero-click bypass allows FreeScout server takeover

⚠️ A newly disclosed maximum-severity flaw, CVE-2026-28289, enables zero-click remote code execution against FreeScout by defeating filename validation. Researchers at OX Security found that inserting a zero-width space (U+200B) before a filename bypasses the prior patch, allowing an attacker to upload a .htaccess-style payload that is later processed as a dotfile. The uploaded file can be reached via the platform's /storage/attachment/ path and used to execute commands without authentication. FreeScout 1.8.207 fixes the bypass; admins should update immediately and consider disabling AllowOverrideAll in Apache.

Coruna iOS Exploit Kit Uses 23 Exploits Across iOS 13–17

📱 Google Threat Intelligence Group (GTIG) identified a powerful exploit framework named Coruna (aka CryptoWaters) that bundles five full iOS exploit chains and 23 exploits targeting devices running iOS 13 through 17.2.1. The framework fingerprints devices, loads tailored WebKit remote code execution exploits and executes pointer authentication code (PAC) bypasses to achieve persistence. Observed in multiple campaigns since February 2025, the kit moved from commercial surveillance users to nation-state actors and later financially motivated operators; users should keep devices current and enable Lockdown Mode.

Coruna: Powerful iOS Exploit Kit and Its Proliferation

🔍 Google Threat Intelligence Group describes Coruna, a sophisticated iOS exploit kit containing five full exploit chains and 23 exploits that target iOS 13.0 through 17.2.1. The kit combines WebKit RCEs, PAC/PPL bypasses, and a root-capable loader called PlasmaLoader that exfiltrates financial data and cryptocurrency wallet information. GTIG observed deployments by both suspected state-backed and financially motivated actors and added affected domains to Safe Browsing. Users are urged to update iOS or enable Lockdown Mode if updates are not possible.

Google Patches Android Zero-Day in Qualcomm Display

🔒 Google released March 2026 Android updates addressing 129 security flaws, including an actively exploited zero-day, CVE-2026-21385, in a Qualcomm display Graphics subcomponent. Qualcomm says the bug is an integer overflow/wraparound that local attackers can use to trigger memory corruption. Google also fixed 10 critical System/Framework/Kernel vulnerabilities and published two patch levels (2026-03-01 and 2026-03-05); Pixel devices receive fixes immediately while other vendors may take longer to roll them out.

Weekly Recap: SD-WAN 0-Day, Critical CVEs & Trends

⚡ The week's highlights show attackers exploiting critical infrastructure, cloud APIs, AI tooling, and consumer devices. A Cisco SD-WAN zero-day (CVE-2026-20127) is being actively exploited to gain administrative access, while a string of high-severity CVEs across vendors requires immediate attention. Misuse of trusted services — from Google Sheets and Gemini to autonomous AI agents — combined with exposed keys, is enabling stealthy, scalable access. Organizations should prioritize patching, tighten access to AI and cloud keys, and use continuous testing to validate defenses.

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.

Critical Juniper PTX Router Flaw Lets Attackers Gain Root

🔒 Juniper PTX core routers running Junos OS Evolved contain a critical vulnerability that can allow an unauthenticated, network-based attacker to execute code as root. The flaw is in the On-Box Anomaly detection framework, which is enabled by default and should not be externally reachable. Juniper says it is unaware of any active exploitation and urges installation of 25.4R1-S1-EVO, while recommending ACLs or firewall filters, or alternatively the CLI command "request pfe anomalies disable", as temporary mitigations.

Immediate Patch Urged for Critical Cisco Catalyst SD-WAN Bug

⚠️ Government security agencies have urged immediate patching of a critical zero-day, CVE-2026-20127, impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The authentication bypass can grant unauthenticated remote attackers administrative privileges, NETCONF access and the ability to alter SD-WAN configuration. Authorities including CISA and Five Eyes partners require urgent patching and threat hunting; Cisco released fixes on 25 February 2026.

Maximum-Severity Cisco SD-WAN Zero-Day Actively Exploited

🔒 A maximum-severity vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 10.0), lets an unauthenticated remote attacker bypass authentication and obtain elevated administrative privileges by sending a crafted request. Cisco reports active exploitation across on-prem and Cisco-hosted deployments by a sophisticated actor identified as UAT-8616, with malicious activity dating to 2023. Customers should apply vendor fixes immediately, audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries, and follow CISA emergency guidance.

U.S. Sanctions Russian Exploit Broker for Stolen Zero-Days

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero-day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.

Ex-L3Harris Executive Sentenced for Selling Zero-Day Exploits

🔒 A former senior executive at L3Harris cyber-division Trenchant, Australian national Peter Williams, has been sentenced to 87 months in prison after pleading guilty to stealing and selling zero-day exploits to a Russian broker. He admitted taking eight cyber-exploit components over three years, accepting cryptocurrency payments and providing paid follow-on support. Authorities say the theft cost Trenchant/L3Harris about $35m and posed significant national security risks. Williams was ordered to forfeit $1.3m, cryptocurrency, property and luxury items, and to serve three years of supervised release with special conditions.

Defense Contractor Employee Jailed for Selling Zero-Days

🔒 Peter Williams, a 39-year-old former senior employee at L3Harris, was sentenced to just over seven years in prison after pleading guilty to selling eight zero-day exploits to the Russian exploit broker Operation Zero. Prosecutors say he received up to $4 million in cryptocurrency and has been ordered to forfeit proceeds, including properties and luxury items. The theft, which occurred between 2022 and 2025, targeted tools intended for sale only to the U.S. government and select allies and prompted criminal charges and sanctions.

Former L3Harris Manager Sentenced for Selling Zero-Days

🔒 Peter Williams, former head of Trenchant at L3Harris, was sentenced to 87 months in federal prison after admitting he stole and sold zero-day exploit components to the Russian broker Operation Zero. Prosecutors say he transferred at least eight protected exploit components between 2022 and 2025 using a portable external drive and encrypted channels. L3Harris estimates the theft caused $35 million in losses and the sales netted Williams $1.3 million in cryptocurrency. Authorities ordered forfeiture of the crypto, a house, and luxury items, and the U.S. Treasury announced sanctions against the broker.

CrowdStrike 2026 Global Threat Report Findings Overview

🔍 The CrowdStrike 2026 Global Threat Report reviews 2025 as the year of the evasive adversary, detailing how attackers shifted to subtle, trust-based techniques across endpoint, identity, SaaS, and cloud environments. Adversaries accelerated operations using AI and exploited AI systems themselves, while supply chain compromises and zero-day usage rose markedly. The report highlights rapid breakout times, a high rate of malware-free intrusions, and significant increases in state-nexus activity, offering prioritized insights for defenders.