All news with #zero-day tag

Sitecore Issues Patch After Critical Exploited Zero-Day

🔒 Mandiant disrupted an active exploitation of a critical zero-day in Sitecore's Experience Manager and Experience Platform that permits remote code execution via ViewState deserialization. Publicly disclosed on September 3 as CVE-2025-53690 (CVSS 9.0), the flaw affects Sitecore versions up to 9.0 when deployments retained the sample ASP.NET machine key published in older deployment guides. Attackers used the vulnerability to deliver WEEPSTEEL and other tooling, harvest credentials and perform lateral movement. Sitecore has issued a security advisory, notified impacted customers and says recent deployments now auto-generate unique machine keys.

Google ships September Android patches for 120 flaws

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.

ICE Reinstates Contract with Paragon Spyware Vendor

🔁 ICE has reinstated a $2m contract with Israeli-founded vendor Paragon Solutions, now owned by US private equity, enabling delivery of hardware and perpetual license software to the agency. The agreement, originally signed on 27 September 2024 and suspended after a White House review on 8 October 2024, was cleared to resume work on 30 August. Paragon has been linked to the Graphite spyware used against European journalists and implicated in Italian government investigations, raising procurement and national security concerns.

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.

WhatsApp Patches Zero-Click Zero-Day Exploit in iOS

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.

WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

WhatsApp patches iOS and macOS zero-day vulnerability

🔒 WhatsApp has patched a zero-click vulnerability (CVE-2025-55177) impacting WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw involved incomplete authorization of linked-device synchronization messages that could trigger processing of content from an arbitrary URL on a target device. WhatsApp said the bug may have been chained with an Apple OS-level zero-day (CVE-2025-43300) and exploited in targeted, sophisticated attacks. Potentially impacted users have been urged to perform a factory reset and keep their operating systems and apps up to date.

Critical FreePBX Zero-Day Under Active Exploitation

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.

Citrix warns of NetScaler ADC/Gateway zero-day exploit

⚠️ Citrix has warned of multiple zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway, highlighting CVE-2025-7775 as being actively exploited. The critical issue is a memory overflow that can lead to denial of service or remote code execution on appliances meeting specific configuration preconditions. Citrix provides CLI checks to identify affected devices but reports no mitigations or workarounds, and researchers estimate a large percentage of appliances remain unpatched. Administrators are urged to prioritize patching immediately.

Palo Alto Networks Named Leader in HMF Magic Quadrant

🔐 Palo Alto Networks has been named a Leader in the inaugural 2025 Gartner Magic Quadrant for Hybrid Mesh Firewall, recognized for both Completeness of Vision and Ability to Execute. The announcement highlights the Strata Network Security Platform, which unifies hardware, virtual, container, cloud-native and FWaaS deployments under a single, cloud-based management plane. Powered by Precision AI®, the platform delivers consistent policy, automation and real-time threat prevention across hybrid environments.

Citrix Patches NetScaler Zero-Days as Active Exploits Continue

🔒Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), including pre-auth remote code execution observed in the wild. The vendor provided fixes for affected 14.1, 13.1 and 12.1-FIPS/NDcPP builds and said no workaround is available. Security researchers and CISA urged immediate patching and forensic checks for potential backdoors.

Weekly Recap: Password Manager Clickjacking Flaws and Threats

🔒 This week's recap spotlights a DOM-based extension clickjacking technique disclosed by researcher Marek Tóth at DEF CON that affects popular browser password manager plugins. Vendors including Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm issued fixes by August 22. Other leading stories cover legacy Cisco devices exploited for persistent access, an actively exploited Apple 0-day in ImageIO, cloud intrusions leveraging trusted partner relationships, and several high-risk CVEs to prioritize.

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

Dissecting PipeMagic: Architecture of a Modular Backdoor

🔍 Microsoft Threat Intelligence details PipeMagic, a modular backdoor used by Storm-2460 that masquerades as an open-source ChatGPT Desktop Application. The malware is deployed via an in-memory MSBuild dropper and leverages named pipes and doubly linked lists to stage, self-update, and execute encrypted payload modules delivered from a TCP C2. Analysts observed exploitation of CVE-2025-29824 for privilege escalation followed by ransomware deployment, with victims across IT, finance, and real estate in multiple regions. The report includes selected IoCs, Defender detections, and mitigation guidance to help defenders detect and respond.

EchoLink: Rise of Zero-Click AI Exploits in M365 Enterprise

⚠️ EchoLink is a newly identified zero-click vulnerability in Microsoft 365 Copilot that enables silent exfiltration of enterprise data without any user interaction. This class of attack bypasses traditional click- or download-based defenses and moves laterally at machine speed, making detection and containment difficult. Organizations relying solely on native tools or fragmented point solutions should urgently reassess their exposure and incident response readiness.

WinRAR zero-day (CVE-2025-8088) used in RomCom attacks

🔒 ESET researchers uncovered a previously unknown WinRAR vulnerability, tracked as CVE-2025-8088, that is being actively exploited by the Russia-aligned actor RomCom in targeted spearphishing campaigns. The Windows path traversal flaw enables execution of arbitrary code when victims open crafted archives. Users should update to WinRAR 7.13 immediately and consult ESET's video and blogpost for indicators and mitigation.

WinRAR zero-day (CVE-2025-8088) exploited by RomCom

🔒 ESET researchers disclosed a previously unknown WinRAR zero-day, CVE-2025-8088, actively exploited by the Russia-aligned group RomCom. The flaw is a path-traversal vulnerability that leverages NTFS alternate data streams (ADS) to conceal malicious files in RAR archives, which are silently deployed on extraction. Observed payloads included a Mythic agent, a SnipBot variant, and RustyClaw (MeltingClaw), targeting organizations in finance, manufacturing, defense and logistics. Users and vendors relying on WinRAR, UnRAR.dll or its source must update to the July 30, 2025 patched release immediately.

Microsoft Bounty Program: $17M Distributed in 2025

🔒 The Microsoft Bounty Program distributed $17 million this year to 344 security researchers across 59 countries, marking the largest total payout in the program’s history. In partnership with the Microsoft Security Response Center (MSRC), researchers helped identify and remediate more than a thousand potential vulnerabilities across Azure, Microsoft 365, Windows, and other Microsoft products and services. The program also expanded coverage and awards for Copilot, identity and Defender scopes, Dynamics 365 & Power Platform AI categories, and refreshed Windows attack scenario incentives to prioritize high-impact research.

Zero Day Quest returns with up to $5M bounties for Cloud

🔒 Microsoft is relaunching Zero Day Quest with up to $5 million in total bounties for high-impact Cloud and AI security research. The Research Challenge runs 4 August–4 October 2025 and focuses on targeted scenarios across Azure, Copilot, Dynamics 365 and Power Platform, Identity, and M365. Eligible critical findings receive a +50% bounty multiplier, and top contributors may be invited to an exclusive live hacking event at Microsoft’s Redmond campus in Spring 2026. Participants will have access to training from the AI Red Team, MSRC, and product teams, and Microsoft will support transparent, responsible disclosure.