< ciso brief />

All news with #zero day exploitation tag

390 articles · page 6 of 20

Google Patches Chrome Zero-Day CVE-2026-5281 Exploit

🔒 Google released updates for Chrome to fix 21 vulnerabilities, including a zero-day (CVE-2026-5281) that has been exploited in the wild. Dawn, the WebGPU implementation, contains a use-after-free bug allowing a remote attacker with access to the renderer process to execute arbitrary code via crafted HTML. Users should update to versions 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux, and ensure Chromium-based browsers receive vendor patches.

Google fixes fourth Chrome zero-day exploited in 2026

⚠️ Google released emergency updates to fix a fourth actively exploited Chrome zero-day, tracked as CVE-2026-5281. The issue is a use-after-free in Dawn, Chromium's implementation of the WebGPU standard, and can cause crashes, rendering problems, or data corruption. Patches are available on Stable Desktop for Windows, macOS (146.0.7680.177/178), and Linux (146.0.7680.177); rollouts may take days, but updates are immediately available when checking.

Critical RCE in F5 BIG-IP APM Originally Labeled DoS

⚠️ Five-month-old F5 BIG-IP APM flaw initially classified as a denial-of-service is now confirmed as a pre-authentication remote code execution vulnerability (CVE-2025-53521) being exploited in the wild. F5 updated its advisory, raised the CVSS to 9.8, and CISA added the issue to its KEV catalog after reports of active exploitation and observed root‑level malware persistence. Affected versions include 15.1.x, 16.1.x, 17.1.x and 17.5.x; F5 has released fixes, IOCs, and hardening guidance, but organizations should patch immediately and perform compromise assessments rather than rely solely on backups.

TrueConf Zero-Day Used to Distribute Malicious Updates

⚠ A high-severity update integrity flaw in TrueConf client (CVE-2026-3502, CVSS 7.8) has been exploited in the wild as part of the TrueChaos campaign. An attacker who controls an on‑premises TrueConf server can substitute legitimate update packages with poisoned installers that lead to arbitrary code execution via DLL side‑loading. Check Point observed the operation targeting government entities in Southeast Asia and linking activity to a Chinese‑nexus actor. Vendor patches are available in TrueConf Windows client 8.5.3 and organizations should apply them and verify update integrity.

TrueConf Update Zero-Day Used to Deliver Malware at Scale

🛠️ Check Point Research identified a zero-day (CVE-2026-3502, CVSS 7.8) in the TrueConf client update mechanism that was abused to deliver malware via legitimate software updates. Exploitation was observed in the wild targeting government entities in Southeast Asia and required no phishing or prior compromise. The attack chain culminated with deployment of Havoc, a powerful post-exploitation framework, and the vendor released a remediation after disclosure.

Coruna iOS Exploit Framework Linked to Triangulation

🔒 Coruna is an evolved iOS exploit framework tied to the earlier Operation Triangulation espionage campaign and now includes support for modern Apple silicon such as A17 and M3 chips and iOS builds up to 17.2. Kaspersky found five exploit chains leveraging 23 vulnerabilities, including CVE-2023-32434 and CVE-2023-38606, and determined parts of the kernel exploit are maintained revisions of Triangulation code. The attack begins via a Safari stager that fingerprints the device, selects tailored RCE and PAC exploits, downloads encrypted components decrypted with ChaCha20 and decompressed with LZMA, then loads payloads appropriate to ARM64/ARM64E architectures. Kaspersky also observed Coruna’s use in financially motivated campaigns that impersonate crypto exchanges; Apple has released fixes and users should apply updates promptly.

Coruna iOS Exploit Kit Reuses 2023 Triangulation Code

⚠️ Coruna, an iPhone exploit kit, repurposes an updated kernel exploit originally used in the 2023 Operation Triangulation campaign, according to Kaspersky. The kit targets iOS 13.0–17.2.1 devices with five full exploit chains and 23 exploits, fingerprinting Safari visitors and selecting tailored Mach-O loaders and payloads. Kaspersky warns the actively maintained, modular codebase now enables mass exploitation and broader criminal reuse, increasing risk to unpatched users.

Critical Citrix NetScaler Memory Leak: CVE-2026-3055

🔔 A new critical out-of-bounds read vulnerability, CVE-2026-3055, affects customer-managed Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML IDPs and is rated 9.3 on the CVSS scale. The flaw allows unauthenticated remote attackers to leak potentially sensitive memory from the appliance, risking exposure of credentials and secrets. Citrix is urging immediate installation of updated builds and defenders should reduce public exposure and prioritize patching.

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero-day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.

CISA Orders Federal Patch for DarkSword iOS Flaws Now

🔒 CISA ordered U.S. federal agencies to patch three iOS vulnerabilities exploited by the DarkSword exploit kit, imposing a two-week deadline under BOD 22-01. Apple has released fixes and the flaws now only affect iPhones running iOS 18.4 through 18.7. Researchers linked DarkSword to multiple threat groups and to data-stealing malware families including GhostBlade, GhostKnife, and GhostSaber.

KEV: CISA Lists Apple, Craft CMS and Laravel Flaws

⚠️ CISA has added five actively exploited vulnerabilities affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch them by April 3, 2026. The flaws include high‑severity memory corruption bugs in Apple WebKit and kernel components and critical code injection issues in Craft and Laravel that were fixed in 2025. Security researchers have observed exploitation linked to the DarkSword iOS exploit kit and campaigns attributed to MuddyWater.

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.

DarkSword iOS Exploit Kit Uses Six Vulnerabilities Widely

⚠️ Researchers from Google Threat Intelligence Group, Lookout and iVerify report a new full‑chain JavaScript exploit kit named DarkSword has been used since at least November 2025 to fully compromise iPhones and exfiltrate sensitive data. The kit has appeared in watering‑hole campaigns targeting users in Saudi Arabia, Turkey, Malaysia and Ukraine and is linked to multiple actors including UNC6353, UNC6748 and a Turkish vendor. Apple has released patches addressing the exploited CVEs; users should install updates promptly.

Interlock Exploited Cisco FMC Zero-Day Since January

🔒 The Interlock ransomware gang exploited a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026. Cisco released a patch for CVE-2026-20131 on March 4, warning it allowed unauthenticated attackers to execute arbitrary Java code as root on unpatched devices. Amazon's threat team reported Interlock had been exploiting the vulnerability for 36 days prior to public disclosure.

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

⚠️ Amazon Threat Intelligence warns of an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center vulnerability tracked as CVE-2026-20131 (CVSS 10.0). The flaw enables insecure deserialization of a user-supplied Java byte stream, allowing unauthenticated remote code execution as root. Amazon telemetry shows zero-day exploitation since January 26, 2026, and the actor's toolkit includes multi-platform backdoors, reconnaissance scripts, and infrastructure-laundering components.

Google warns of two actively exploited Chrome zero-days

🔴 Google has released emergency patches addressing two actively exploited Chrome zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910. The flaws affect Chromium-based browsers before version 146.0.7680.75, enabling out-of-bounds memory access and remote code execution via crafted web pages. Administrators should enable automatic updates, apply fixes immediately, monitor for outdated clients, and consider browser isolation to reduce exposure.

CISA Adds Two Google Vulnerabilities to KEV Catalog Today

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-3909 (Google Skia out-of-bounds write) and CVE-2026-3910 (Google Chromium V8 unspecified). The agency cites evidence of active exploitation and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to attacks.

Google Patches Two Actively Exploited Chrome Zero-Days

🔒 Google released security updates for Chrome to address two high-severity zero-day vulnerabilities that have been exploited in the wild. The flaws—CVE-2026-3909 (Skia out-of-bounds write) and CVE-2026-3910 (V8 sandbox code execution)—are rated CVSS 8.8 and were reported on March 10, 2026. Users should update to versions 146.0.7680.75/76 for Windows and macOS or 146.0.7680.75 for Linux and apply vendor patches for other Chromium-based browsers.

Google patches two Chrome zero-days exploited in attacks

🔒 Google released emergency updates to address two Chrome zero-day vulnerabilities exploited in the wild. The first, CVE-2026-3909, is an out-of-bounds write in the Skia rendering library that can cause crashes or enable code execution; the second, CVE-2026-3910, is an inappropriate implementation issue in the V8 JavaScript/WebAssembly engine. Updates for Chrome Stable are rolling on Windows, macOS, and Linux; users should update promptly. If automatic updates are enabled, the patch will install on next launch.

Microsoft Patches Two Publicly Disclosed Zero-Day Flaws

🔒 Microsoft released its March Patch Tuesday updates addressing 79 vulnerabilities, including two publicly disclosed zero-day flaws. The zero-days are CVE-2026-21262, an SQL Server elevation-of-privilege issue (CVSS 8.8), and CVE-2026-26127, a .NET denial-of-service vulnerability. Security researchers warn that while only three flaws were rated critical, the bulk of fixes are elevation-of-privilege bugs in core Windows components and should be prioritised to avoid escalation chains and operational disruption.