All news with #zero day exploitation tag

325 articles · page 9 of 17

Over 25,000 FortiCloud SSO Devices Exposed Online

🔒 Shadowserver has identified more than 25,000 Fortinet devices online with FortiCloud SSO enabled, amid active exploitation of a critical authentication bypass (CVE-2025-59718/CVE-2025-59719). Researchers report attackers send malicious SAML messages to perform unauthorized SSO, gain admin-level access, and download system configuration files containing hashed credentials, exposed services, and network details. CISA added the flaw to its list of actively exploited vulnerabilities and ordered U.S. agencies to patch within a week; Fortinet notes FortiCloud SSO is only enabled after device registration, but many management interfaces remain publicly reachable.

Cisco Confirms Zero-Day in Secure Email Appliances

⚠️ Cisco Talos has identified an active campaign exploiting a zero-day in AsyncOS, impacting Cisco Secure Email Gateway, Cisco Secure Email and Web Manager. The flaw targets systems with the spam quarantine feature enabled and has been active since at least late November; a vendor patch is not yet available. Cisco currently recommends wiping and rebuilding compromised devices, and analysts urge restricting access to management ports and deploying compensating controls while organizations plan remediation.

React2Shell: Pre-auth RCE Exposes Front-End Risk in Enterprise

🚨 React2Shell (CVE-2025-55182) is a critical pre-authentication remote code execution flaw affecting React Server Components, Next.js and related frameworks. Exploitable with a single crafted HTTP request that targets the Flight protocol, the bug lets attackers inject and execute arbitrary server-side components, enabling backdoors, crypto miners and ransomware deployment. Researchers at S-RM and the Microsoft Defender team warn default configurations are vulnerable and note some early patches were incomplete; organizations should urgently verify fully patched versions and run forensic checks.

Cisco: Zero-day Exploitation of Secure Email Appliances

⚠️ Cisco warns a China-linked actor is actively exploiting a previously unknown zero-day in its Secure Email appliances to gain persistent access when the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos reports activity since at least late November and says no patch is available. In confirmed compromises, Cisco advises wiping and rebuilding affected appliances to remove persistence; organizations should immediately restrict access to management ports and apply compensating controls while awaiting a fix.

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.

Zeroday Cloud: $320,000 awarded for 11 zero-days in London

🔒 The Zeroday Cloud competition in London, hosted by Wiz Research with support from AWS, Microsoft, and Google Cloud, awarded $320,000 to teams that demonstrated 11 zero-day remote code execution vulnerabilities. Exploits affected critical cloud components including Redis, PostgreSQL, MariaDB, Grafana, and a Linux-kernel container escape that broke tenant isolation. Team Xint Code earned the top prize of $90,000. Attempts against AI tooling such as vLLM and Ollama were made but failed due to time exhaustion.

Weekly Cyber Recap: Apple 0-Days, WinRAR & React Exploits

⚠️ Apple and Google issued urgent patches for two actively exploited zero-days affecting iOS, macOS, Safari and Chrome's ANGLE library, while multiple high-severity flaws in React, WinRAR, and .NET proxies are being weaponized in live attacks. Researchers also disclosed SOAPwn .NET proxy abuse and a CentreStack/Triofox token-encryption failure leading to remote code execution. CISA added the WinRAR path-traversal bug to KEV; LastPass was fined after the 2022 breach. Prioritize immediate patching and validate web and SSO defenses.

CISA Adds Actively Exploited Sierra Wireless Issue

⚠️ CISA has added a high-severity Sierra Wireless AirLink vulnerability, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaw in the ACEManager upload.cgi function permits unrestricted file uploads that can lead to remote code execution, and ACEManager runs with root privileges. Federal agencies are advised to update affected devices to supported versions or discontinue use by January 2, 2026.

Apple Issues Security Updates for Two WebKit Zero-Days

🔒 Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari to address two WebKit vulnerabilities—CVE-2025-43529 and CVE-2025-14174—that have been exploited in the wild. One of the flaws was patched in Chrome earlier this week, and Apple credits Google TAG and its own SEAR team with discovery and reporting. The issues can lead to arbitrary code execution or memory corruption when processing malicious web content. Users and administrators should apply the listed OS and Safari updates immediately to mitigate active exploitation.

Apple patches two WebKit zero-days used in targeted attacks

🔒 Apple released emergency updates to patch two zero-day WebKit vulnerabilities — CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) — that were exploited in an 'extremely sophisticated' attack against targeted individuals. Both bugs affect devices running WebKit on iPhone and iPad and were discovered by Google’s Threat Analysis Group and Apple. Apple fixed the issues across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari and urges users to install updates promptly.

New Windows RasMan zero-day gets free unofficial patches

🔒 ACROS Security's 0Patch team has published free, unofficial micropatches for a newly discovered Windows RasMan zero-day that can crash the Remote Access Connection Manager (RasMan) service. The defect, found while investigating CVE-2025-59230, triggers a null-pointer read when RasMan mishandles circular linked lists and can be combined with an elevation-of-privilege bug to enable code execution. 0Patch provides an agent that applies the micropatch automatically across affected Windows versions until Microsoft issues an official fix, typically without requiring a restart.

React2Shell Zero-Day Sparks Global Exploitation Surge

⚠️ The critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) enables remote, unauthenticated code execution via unsafe deserialization in the React Server Components Flight protocol. Since disclosure on December 3, 2025, multiple actors have exploited it to deliver miners, botnets, and other malware, targeting Next.js and containerized cloud workloads. CISA has accelerated mitigation deadlines and is urging agencies to patch by December 12, 2025; defenders should apply vendor fixes, enable WAF protections, and review logs for indicators of compromise.

Unpatched Gogs zero-day RCE exploited across servers

⚠️ An unpatched zero-day in Gogs enables remote code execution on Internet-facing instances by exploiting a path traversal weakness in the PutContents API (CVE-2025-8110). Attackers abuse symbolic links to overwrite files outside repositories and modify Git configuration values such as sshCommand, forcing arbitrary command execution. Researchers found over 1,400 exposed servers and more than 700 with compromise indicators. Administrators should disable open registration and restrict access immediately.

Google Issues Chrome Security Update Fixing Three Zero-Days

🔒 Google released a Chrome security update on December 10 to patch three zero-day vulnerabilities, including a high-severity bug tracked internally as 466192044 for which an exploit is reported in the wild. Google has not published technical details and marks the issue as "Under coordination", saying details may be restricted until most users are updated. The advisory also fixes two additional issues: CVE-2025-14372, a use-after-free in Chrome's Password Manager reported by Weipeng Jiang, and CVE-2025-14373, an inappropriate implementation in the Chrome toolbar reported by Khalil Zhani.

Google patches eighth Chrome zero-day exploited in 2025

🔔 Google has issued emergency updates for Chrome to address a zero-day tracked as Chromium bug 466192044 that is actively exploited in the wild. The vulnerability is a buffer overflow in the LibANGLE Metal renderer caused by improper buffer sizing and can lead to memory corruption, crashes, sensitive data leaks, or arbitrary code execution. Stable channel builds rolling out are Windows 143.0.7499.109, macOS 143.0.7499.110, and Linux 143.0.7499.109; users should update immediately or allow Chrome to install the update on restart.

Chrome Updated to Fix Actively Exploited High-Severity Flaw

🔐 Google released Chrome security updates addressing three vulnerabilities, including a high-severity flaw that is being actively exploited in the wild and is tracked as Chromium issue 466192044. Google withheld the CVE identifier, affected component, and technical details while coordinating disclosure to allow broader patching. The release also corrects two medium-severity issues in the Password Manager and Toolbar. Users should update to Chrome 143.0.7499.109/.110 (Windows/macOS) or 143.0.7499.109 (Linux) and apply vendor patches for other Chromium-based browsers when available.

WinRAR Path Traversal CVE-2025-6218 Under Active Attack

⚠️ CISA has added WinRAR path traversal CVE-2025-6218 (CVSS 7.8) to its Known Exploited Vulnerabilities list after reports of active exploitation. RARLAB patched the Windows-only flaw in WinRAR 7.12 (June 2025); attackers can place files in sensitive locations such as the Startup folder or Word’s global template to achieve code execution. Multiple groups — including GOFFEE, Bitter (APT-C-08/Manlinghua), and Gamaredon — have used the bug in phishing campaigns; organizations should deploy 7.12 or apply mitigations like blocking malicious archives, disabling macros, and monitoring for C2 activity.

Microsoft Patches Three Zero-Days Including Kernel EoP

⚠️ Microsoft has released patches for three zero-day vulnerabilities in its December update, including an actively exploited kernel elevation-of-privilege in the Windows Cloud Files Mini Filter Driver (CVE-2025-62221). Two additional zero-days—an RCE in PowerShell (CVE-2025-54100) and an RCE in GitHub Copilot for JetBrains (CVE-2025-64671)—were publicly disclosed but not observed in the wild. Security experts warn attackers could chain the kernel flaw with other exploits to achieve full system or domain compromise.

December Patch Tuesday: Active Windows Cloud Files Zero Day

🚨 Microsoft’s December Patch Tuesday delivers 57 fixes, but an actively exploited zero-day in Windows Cloud Files Mini Filter Driver (CVE-2025-62221) requires immediate remediation. The flaw is a low-complexity use-after-free escalation-of-privilege that can enable a local foothold to become full system compromise. Security teams should prioritize this patch, enforce least-privilege controls, and enhance monitoring where rapid patching isn't possible.

Microsoft issues KB5071546 ESU update for Windows 10

🔒 Microsoft has released the KB5071546 extended security update for Windows 10 Enterprise LTSC and systems enrolled in the ESU program, addressing 57 security vulnerabilities including three zero-days. The mandatory patch updates Windows 10 to build 19045.6691 (LTSC 2021 to 19044.6691) and installs automatically, requiring a restart. Notably, it fixes a remote code execution zero-day in PowerShell (CVE-2025-54100) by adding a confirmation prompt and guidance to use -UseBasicParsing with Invoke-WebRequest to avoid parsing embedded scripts.