CISO Brief

All news with #zero day exploitation tag

325 articles · page 7 of 17

Google: WinRAR CVE-2025-8088 Actively Exploited Widely

⚠️ Google’s Threat Intelligence Group warns that multiple actors — including state-backed clusters from Russia and China and financially motivated groups — are actively exploiting CVE-2025-8088, a WinRAR path-traversal bug patched in WinRAR 7.13. Attackers craft malicious archives that drop payloads into the Windows Startup folder (often via ADS-hidden LNKs) to achieve persistence and execute on login. Google advises upgrading to WinRAR 7.13+, monitoring Startup items and alternate data streams, and blocking malicious archive extraction.

Patches Issued for Critical Microsoft Office Zero-Day

🔒 Microsoft warns administrators of a critical Office security-bypass zero-day, CVE-2026-21509, that is being actively exploited. The flaw leverages legacy OLE document support to bypass protections similar to Office macros, enabling code execution when a user opens a malicious file. Microsoft has released fixes — automatic for Office 2021 and later, and separate updates for Office 2016 and 2019 — and notes affected applications must be restarted for patches to take effect.

WinRAR path-traversal flaw exploited by many hackers

🔒 Security researchers report that the high-severity CVE-2025-8088 path traversal in WinRAR is being actively exploited by both state-sponsored and criminal groups to gain initial access. The flaw leverages Alternate Data Streams (ADS) inside archives to hide payloads and uses directory traversal to drop LNK, HTA, BAT, CMD or script files, frequently into the Windows Startup folder for persistence. ESET and Google observed campaigns beginning in July 2025 and continuing into 2026, tied to actors such as RomCom, Turla and APT44 as well as financially motivated operators. Organizations should apply patches, monitor ADS/archive extraction behavior, and block or alert on suspicious startup items.

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️ A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.

Microsoft Issues Patch for Office Zero-Day Exploit

🛡️ Microsoft has released a patch addressing a high-severity zero-day in Microsoft Office that the company says has been exploited in the wild. Tracked as CVE-2026-21509 with a CVSS 3.1 score of 7.8, the flaw lets an attacker bypass OLE mitigations by relying on untrusted inputs in a security decision and requires only that a user open a malicious Office file. Microsoft urges users of Office 2016 and 2019 to install the update; Office 2021 and later will receive a service-side fix but require application restarts to take effect.

Microsoft releases emergency Office patch for zero-day

🛡️ Microsoft released an out-of-band patch for a high-severity Microsoft Office zero-day, tracked as CVE-2026-21509, rated CVSS 7.8 for a security feature bypass exploited in attacks. The flaw bypasses OLE mitigations for COM/OLE controls and requires a specially crafted Office file and user interaction; Microsoft says the Preview Pane is not an attack vector. Customers running Office 2021 and later receive a service-side fix (restart Office); Office 2016 and 2019 require installed updates. Microsoft also published a manual registry mitigation, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.

Microsoft issues emergency Office patch for zero-day

🔒 Microsoft has issued emergency out-of-band updates to patch a high-severity Office zero-day, tracked as CVE-2026-21509, which is being actively exploited. The vulnerability allows an unauthenticated local attacker to bypass Office security features by convincing a user to open a malicious file; Microsoft says the preview pane is not an attack vector. Updates cover Microsoft 365 Apps and Office LTSC 2021/2024; fixes for Office 2016 and 2019 are pending. Microsoft and reporting outlets published registry-based mitigations administrators can apply until official updates are available.

Pwn2Own Automotive 2026: 76 Zero-Days Found, $1M Payout

🚗 The third annual Pwn2Own Automotive contest in Tokyo revealed 76 unique zero-day vulnerabilities across targets from Tesla infotainment to EV chargers, with Trend Micro's Zero Day Initiative paying out more than $1 million. A Fuzzware.io team took top honors, earning Master of Pwn with $215,500 and a $60,000 single-exploit prize for an Alpitronic HYC50 out-of-bounds write. Other teams compromised Automotive Grade Linux and exploited charger logic to install a playable Doom on a charger's screen. Vendors are urged to patch promptly.

CISA Adds Actively Exploited VMware vCenter Flaw; Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in-the-wild abuse, and federal civilian agencies must update to the latest vCenter release by February 13, 2026.

Fortinet confirms new zero-day targeting SAML SSO on devices

🔒 Fortinet has confirmed a new attack campaign that exploits an unpatched zero-day vulnerability to bypass authentication across SAML SSO implementations, including FortiCloud SSO. The activity, observed in mid-January, involves extraction of firewall configurations and creation of administrative and VPN-capable accounts. Fortinet is working on a fix and recommends updating to the latest releases, restoring clean backups, rotating all credentials, disabling FortiCloud SSO administrative logins, and restricting administrative access to trusted subnets.

Pwn2Own Automotive 2026: $1,047,000 for 76 Zero-Days

🔒 Pwn2Own Automotive 2026 concluded in Tokyo with researchers awarded $1,047,000 for exploiting 76 zero-day vulnerabilities between January 21 and 23. The contest targeted fully patched in-vehicle infotainment systems, EV chargers, and car operating systems including Automotive Grade Linux. Team Fuzzware.io won top prize with $215,000; vendors have 90 days to issue fixes before public disclosure by the Zero Day Initiative.

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.

Zero-day and One-day Exploits Rose in 2025, Says VulnCheck

🔍 VulnCheck’s State of Exploitation 2026 report finds 28.96% of known exploited vulnerabilities (KEVs) were exploited before or on the day they were disclosed, up from 23.6% in 2024. In 2025 the firm observed exploitation of 884 vulnerabilities — a 15% year-over-year increase — across hundreds of vendors and products. Network edge devices (191 KEVs), content management systems (163) and open source software (129) were the most targeted, while operating systems saw the highest share of zero-day and one-day exploits. The report also notes that time-to-exploitation patterns remained consistent and that ransomware attribution often lagged initial exploit disclosures.

Researchers Exploit 29 Zero-Days at Pwn2Own Automotive

🚗 On the second day of Pwn2Own Automotive 2026, security researchers earned $439,250 after exploiting 29 unique zero-day vulnerabilities in EV chargers, in-vehicle infotainment systems, and automotive operating systems. Contestants targeted fully patched devices such as the Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and the Grizzl-E Smart 40A charging station. Fuzzware.io led the leaderboard after two days, and organizers confirmed vendors have 90 days to issue fixes before public disclosure by the Zero Day Initiative.

Cisco Fixes Actively Exploited Zero-Day in Unified CM, Webex

🔒 Cisco released patches for a critical, actively exploited vulnerability tracked as CVE-2026-20045 that affects multiple Unified Communications products and Webex Calling Dedicated Instance. The flaw (CVSS 8.2) allows unauthenticated remote attackers to execute arbitrary commands via crafted HTTP requests against the web-based management interface. Cisco urged customers to upgrade to fixed releases or apply published patch files; there are no workarounds. The U.S. CISA has added the issue to its KEV catalog with a remediation deadline of February 11, 2026.

Cisco fixes critical Unified Communications RCE zero-day

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.

Patched FortiGate Firewalls Still Being Compromised

🚨 Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.

Tesla Infotainment Hacked; 37 Zero-Days at Pwn2Own

🔒 At Pwn2Own Automotive 2026 in Tokyo, researchers chained 37 zero-day vulnerabilities and collected $516,500 in cash awards on the first day. Teams including Synacktiv Team, Fuzzware.io, PetoWorks, and Team DDOS gained root access on targets such as the Tesla Infotainment System, Sony XAV-9500ES, multiple EV chargers, and other IVI systems. Vendors have 90 days to issue patches before Trend Micro's Zero Day Initiative publicly discloses the reported flaws.

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non-Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.

Weekly Recap: Fortinet Exploits, RedLine & Emerging Threats

⚡ This week’s roundup highlights active exploitation of a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) that can lead to full appliance compromise, alongside new malware and supply-chain concerns. Researchers also disclosed a clipboard-hijacking campaign distributed by RedLineCyber and a Reprompt attack that targeted Microsoft Copilot via P2P prompt injection. Other notable items include a cloud-native Linux framework called VoidLink, disruption of the RedVDS criminal service, and an AWS CodeBuild misconfiguration that raised supply-chain risks. Defenders should prioritize patching high-severity CVEs, harden CI/CD configurations, and treat AI/chatbot integrations and exposed devices as part of the attack surface.