All news with #zero-day tag

Fortinet silently patches FortiWeb zero-day flaw in the wild

🚨 Fortinet confirmed a silent patch for a critical FortiWeb GUI path confusion zero-day (tracked as CVE-2025-64446) that is being "massively exploited in the wild." The flaw allowed unauthenticated HTTP(S) requests to execute administrative commands and create local admin accounts on internet-exposed devices. Fortinet released fixes in FortiWeb 8.0.2 (Oct 28) and later; administrators should upgrade, disable internet-facing management interfaces if they cannot update immediately, and audit logs for unauthorized accounts.

Authentication Bypass in Fortinet FortiWeb Actively Exploited

🚨 Researchers report an authentication bypass in Fortinet FortiWeb that is being actively exploited in the wild, allowing attackers to create privileged administrator accounts and fully compromise devices. watchTowr reproduced the issue, released a proof-of-concept and an artifact generator to help identify vulnerable appliances. The flaw is patched in FortiWeb 8.0.2, but Fortinet has not published a PSIRT advisory or assigned a CVE, and Rapid7 urges emergency patching for older versions.

Washington Post Oracle Breach Exposes Nearly 10,000

🔒 The Washington Post says a zero-day in Oracle E-Business Suite was used to access parts of its network, exposing personal and financial records for 9,720 employees and contractors. The intrusion occurred between July 10 and August 22, and attackers attempted extortion in late September. The activity has been tied to the Clop group exploiting CVE-2025-61884, and impacted individuals are being offered 12 months of identity protection and advised to consider credit freezes.

Zero-day Campaign Targets Cisco ISE and Citrix Systems

🔒 Amazon Threat Intelligence disclosed an advanced APT campaign that weaponized zero-day vulnerabilities in Citrix NetScaler (Citrix Bleed 2, CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337). Attackers achieved pre-auth remote code execution via input-validation and deserialization flaws and deployed an in-memory web shell masquerading as the ISE IdentityAuditAction component. The implant registered as a Tomcat HTTP listener, used DES with nonstandard Base-64 encoding, required specific HTTP headers, and relied on Java reflection and bespoke decoding routines to evade detection.

GlobalLogic Confirmed as Victim of Cl0p Oracle EBS Exploit

🔒 GlobalLogic has notified 10,471 current and former employees that their data was exposed after a zero-day in Oracle E-Business Suite (EBS) was exploited in early October 2025. The company says it patched the vulnerability after confirming data exfiltration on 9 October. Stolen records reportedly include HR and payroll details such as names, dates of birth, passport numbers, salary, bank account and routing numbers, creating a high risk of follow-on phishing and identity fraud. GlobalLogic did not confirm contact by the extortion group, while security firms link the incident to Cl0p, which has targeted dozens of organizations including Harvard and Envoy Air.

Amazon: APT Exploits Cisco ISE and Citrix Zero‑Days

🔒 Amazon Threat Intelligence identified an advanced threat actor exploiting undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix products. The actor achieved pre-authentication remote code execution via a newly tracked Cisco deserialization flaw (CVE-2025-20337) and earlier Citrix Bleed Two activity (CVE-2025-5777). Following exploitation, a custom in-memory web shell disguised as IdentityAuditAction was deployed, demonstrating sophisticated evasion using Java reflection, Tomcat request listeners, and DES with nonstandard Base64. Amazon recommends limiting external access to management endpoints and implementing layered defenses and detection coverage.

Amazon: Threat Actor Exploited Cisco and Citrix Zero-Days

⚠️ Amazon's threat intelligence team disclosed that it observed an advanced threat actor exploiting two zero-day vulnerabilities in Citrix NetScaler ADC (CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337) to deploy a custom web shell. The backdoor, disguised as an IdentityAuditAction component, operates entirely in memory, uses Java reflection to inject into running threads, and registers a Tomcat listener to monitor HTTP traffic. Amazon observed the activity via its MadPot honeypot, called the actor highly resourced, and noted both flaws were later patched by the vendors.

Zero-day Attacks Exploit Citrix Bleed 2 and Cisco ISE

🛡️ Amazon's MadPot honeypot observed exploitation of Citrix Bleed 2 (CVE-2025-5777) and Cisco ISE (CVE-2025-20337) before public disclosure. The attacker used the ISE flaw to deploy a stealthy custom web shell named IdentityAuditAction, which registered an HTTP listener, used Java reflection to inject into Tomcat threads, and relied on DES with non-standard base64 encoding for concealment. Apply vendor patches and limit edge device access through layered firewall controls.

CISA Issues Guidance on Cisco ASA and Firepower Risks

⚠️ CISA released Implementation Guidance for Emergency Directive 25‑03 addressing ongoing exploitation of Cisco ASA and Firepower devices, identifying minimum software versions that remediate known vulnerabilities. The guidance directs federal agencies to perform corrective patching and recommends all organizations verify and apply the specified minimum updates. CISA also provides the RayDetect scanner to analyze ASA core dumps for RayInitiator compromise and offers temporary mitigation recommendations for agencies still completing compliance.

Microsoft Patches 63 Flaws Including Kernel Zero‑Day

🔒 Microsoft released patches for 63 vulnerabilities, four rated Critical and 59 Important, including a Windows Kernel zero-day (CVE-2025-62215) that Microsoft says is being exploited in the wild. The flaws span privilege escalation, remote code execution, information disclosure and DoS, with notable heap-overflow issues in Graphics Component and WSL GUI. Administrators are urged to prioritize updates where exploits are known or where vulnerabilities permit privilege escalation or remote code execution.

November 2025 Patch Tuesday: One Zero-Day, Five Criticals

🔒 Microsoft’s November 2025 Patch Tuesday addresses 63 CVEs, including one actively exploited zero‑day and five Critical vulnerabilities that span Windows, Office, Developer Tools and third‑party products. This release is the first Extended Security Update (ESU) roll‑out for Windows 10 after its October 14 end‑of‑life; ESU enrollment and upgrade to 22H2 are required to receive fixes. CrowdStrike notes elevation of privilege, remote code execution and information disclosure are the leading exploitation techniques this month. Administrators should prioritize the zero‑day and Critical fixes (notably GDI+ and Nuance PowerScribe) and adopt mitigations where patching is delayed.

November Patch Tuesday: Critical Windows Kernel Zero-Day

⚠️ Microsoft’s November Patch Tuesday addresses 63 vulnerabilities, including an actively exploited Windows kernel zero-day CVE-2025-62215 that can allow local attackers to escalate to SYSTEM via a complex race-condition double-free. Administrators should prioritize this fix across servers, domain controllers, and desktops, including Windows 10 systems enrolled in the ESU program. Other notable fixes include a Copilot Chat extension RCE (CVE-2025-62222) and a critical Microsoft Graphics Component overflow that could be triggered by specially crafted document uploads.

Synology Patches Critical BeeStation RCE Shown at Pwn2Own

🔒 Synology has released a patch for a critical remote code execution flaw (CVE-2025-12686) in BeeStation OS, following a proof-of-concept exploit shown at Pwn2Own Ireland. The vulnerability, described as a buffer copy without checking input size, can enable arbitrary code execution on impacted NAS devices and has no practical mitigations. Synology advises users to upgrade to BeeStation OS 1.3.2-65648 or later to remediate the issue. The flaw was demonstrated by Synacktiv researchers Tek and anyfun, who earned a $40,000 reward.

Microsoft November 2025 Patch Tuesday: 63 Flaws, 1 Zero-Day

🛡️ Microsoft’s November 2025 Patch Tuesday addresses 63 vulnerabilities, including one actively exploited zero-day in the Windows Kernel (CVE-2025-62215). The update bundle includes four Critical issues and a broad set of fixes across kernel, RDP, Hyper-V, drivers, Office components and other Windows subsystems. Organizations still on unsupported Windows 10 should upgrade to Windows 11 or enroll in Microsoft’s ESU program; Microsoft also released an out-of-band patch to fix an ESU enrollment bug.

GlobalLogic warns 10,000 employees of Oracle data theft

🔒 GlobalLogic is notifying 10,471 current and former employees that personal data was stolen after attackers exploited an Oracle E-Business Suite zero-day. The compromised HR information includes names, contact details, birthdates, passport and tax identifiers, salary and bank account information. The incident aligns with a wider extortion campaign linked to the Clop ransomware group exploiting CVE-2025-61882.

CISA Adds Samsung Zero-Day Used to Deploy LandFall Spyware

🛡️ US federal agencies have been directed to patch a critical Samsung zero-day exploited to deploy spyware on mobile devices. The out-of-bounds write flaw CVE-2025-21042 (CVSS 9.8) was patched by Samsung in April, but Palo Alto Networks reports it has been used in a campaign since mid-2024. Commercial spyware LandFall was embedded in malicious DNG images and distributed via WhatsApp, with possible zero-click remote code execution. CISA added the bug to its KEV catalog and requires mitigation or discontinuation by December 1.

CISA Orders Federal Patch for Samsung Zero‑Day Spyware

🔒 CISA has ordered U.S. federal agencies to patch a critical Samsung vulnerability, CVE-2025-21042, which has been exploited to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The flaw is an out-of-bounds write in libimagecodec.quram.so affecting devices on Android 13 and later; Samsung issued a patch in April after reports from Meta and WhatsApp security teams. CISA added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by December 1 under BOD 22-01. The spyware can exfiltrate data, record audio, and track location.

Weekly Recap: Hidden VMs, AI Leaks, and Mobile Spyware

🛡️ This week's recap highlights sophisticated, real-world threats that bypass conventional defenses. Actors like Curly COMrades abused Hyper-V to run a hidden Alpine Linux VM and execute payloads outside the host OS, evading EDR/XDR. Microsoft disclosed the Whisper Leak AI side-channel that infers chat topics from encrypted traffic, and a patched Samsung zero-day was weaponized to deploy LANDFALL spyware to select Galaxy devices. Time-delayed NuGet logic bombs, a new criminal alliance (SLH), and ongoing RMM and supply-chain abuses underscore rising coordination and stealth—prioritize detection and mitigations now.

QNAP Fixes Seven NAS Zero-Day Flaws From Pwn2Own Competition

🔒 QNAP has released patches for seven zero-day vulnerabilities that were exploited to hack NAS devices during the Pwn2Own Ireland 2025 contest. The flaws affect QTS/QuTS hero and several bundled apps, including Hyper Data Protector, Malware Remover, and HBS 3, and are tracked under multiple CVEs. Fixed firmware and app builds are available and administrators are advised to update via Control Panel > System > Firmware Update and the App Center, then change all passwords. Regularly checking product support status and applying updates promptly are recommended to maintain security.

LandFall Spyware Abused Samsung DNG Zero-Day via WhatsApp

🔒 A threat actor exploited a Samsung Android image-processing zero-day, CVE-2025-21042, to deliver a previously unknown spyware called LandFall using malicious DNG images sent over WhatsApp. Researchers link activity back to at least July 23, 2024, and say the campaign targeted select Galaxy models in the Middle East. Unit 42 found a loader and a SELinux policy manipulator in the DNG files that enabled privilege escalation, persistence, and data exfiltration. Users are advised to apply patches promptly, disable automatic media downloads, and enable platform protection features.