All news with #zero-day tag

CISA Flags VMware Tools Zero-Day in KEV Catalog; Exploited

🛡️ CISA has added the high-severity flaw CVE-2025-41244, impacting Broadcom VMware Tools and VMware Aria Operations, to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The bug (CVSS 7.8) allows a malicious local, non-administrative user with VM access and SDMP enabled to escalate privileges to root on the same VM. Broadcom-owned VMware released a patch last month, but NVISO Labs says the zero-day was exploited in the wild since mid-October 2024 and attributes activity to a China-linked actor tracked as UNC5174. Federal civilian agencies must implement mitigations by November 20, 2025.

Ex-L3Harris Executive Pleads Guilty to Selling Exploits

🔒 Peter Williams, a former general manager at L3Harris Trenchant, pleaded guilty in U.S. court to stealing and selling protected cyber-exploit components between 2022 and 2025. Prosecutors say he removed at least eight sensitive trade-secret exploit components intended for exclusive government use and sold them to a broker that works with the Russian government for $1.3 million in cryptocurrency. He now faces up to 10 years in prison and significant fines.

Chromium Blink flaw crashes Chrome, Edge; exploit published

⚠ A researcher, Jose Pino, published a proof-of-concept on October 29 demonstrating a Blink rendering-engine flaw that can crash Chrome, Microsoft Edge and several other Chromium-based browsers within seconds by flooding document.title updates. Pino says he reported the issue to Google on August 28 and, after no response, released the PoC to force public attention. The exploit saturates the main thread with millions of DOM mutations per second, producing rapid CPU spikes, tab freezes and eventual process termination, and it raises particular concern for headless and automated enterprise workflows.

Defense Contractor Pleads Guilty to Selling Zero-Days

🛡️ The former general manager of L3Harris cyber-division Trenchant, Australian national Peter Williams, pleaded guilty in a US district court to stealing and selling zero-day exploit components to a Russian cyber broker. Prosecutors allege he exfiltrated at least eight exploit components via encrypted channels in exchange for millions in cryptocurrency and follow-on support payments. Authorities say the code could be worth tens of millions and that the broker’s clients include the Russian government, creating a national security threat. Williams faces up to 20 years in prison and significant fines.

Chrome zero-day exploited in targeted Operation ForumTroll

🔒 A critical Chrome zero-day (CVE-2025-2783) has been actively exploited in a targeted espionage operation Kaspersky calls "Operation ForumTroll," attributed to the threat actor Mem3nt0 mori. Attackers used highly personalized phishing invites and one-click, short-lived links to deliver a sandbox-escape exploit that enabled code execution in Chrome's browser process. Google moved quickly with fixes in Chrome 134.0.6998.177/.178, while related issues were later patched in Firefox as CVE-2025-2857.

Move Beyond the SOC: Adopt a Risk Operations Center

📡 The Resilience Risk Operations Center (ROC) reframes cyber defense by fusing technical, business and financial intelligence into a single operating environment. Rather than relying solely on a traditional SOC that reacts to alerts, the ROC prioritizes threats using actuarial and claims data to show potential financial impact and guide urgent decisions. Inspired by the US Air Force AOC, it co-locates multidisciplinary experts to anticipate attacks and accelerate response. Early use, including response to an April 2024 VPN zero-day, showed faster mitigation and reduced losses.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

Italian Spyware Vendor Linked to Chrome Zero-Day Attacks

🔎 Kaspersky links a Chrome zero-day used in Operation ForumTroll to spyware tied to Memento Labs, a company formed from assets of the former Hacking Team. The campaign, revealed in March, used targeted phishing invites to the Primakov Readings and exploited a sandbox escape (CVE-2025-2783) to deploy a persistent loader. That loader decrypted and executed LeetAgent, a modular spyware, and in some cases introduced the Dante implant. Chrome and Firefox received patches soon after the discovery.

LeetAgent and Dante: ForumTroll Toolset Revealed Report

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.

Hackers Earn $1,024,750 for 73 Zero‑Days at Pwn2Own Ireland

🛡️ Pwn2Own Ireland 2025 concluded in Cork with security researchers awarded $1,024,750 after demonstrating 73 zero-day vulnerabilities across eight product categories. Targets included printers, network-attached storage, messaging apps, smart home and surveillance devices, home networking gear, flagship phones (iPhone 16, Galaxy S25, Pixel 9) and wearables. The contest expanded the attack surface to include USB port exploitation on locked mobile handsets while retaining Bluetooth, Wi‑Fi and NFC vectors. Summoning Team topped the leaderboard with $187,500 and 22 Master of Pwn points.

WhatsApp $1M Zero-Click Hack Mystery: Pwn2Own Outcome

🔐 A high-profile entry by a hacker known as ‘Eugene’ at Pwn2Own Ireland 2025 withdrew a claimed zero-click remote code execution exploit targeting WhatsApp, forfeiting the event’s $1 million top prize. Organizers Trend Micro ZDI say Team Z3 is sharing findings privately for coordinated disclosure to Meta, while WhatsApp reports no viable exploit was publicly demonstrated. The cancellation has fueled speculation about exploit readiness and underscores the role of responsible disclosure and rigorous triage before public demonstrations.

Threat Source: SharePoint Exploits and Patch Urgency

⚠ Cisco Talos reports a sharp increase in attacks against public-facing applications, with the ToolShell chain exploiting unpatched Microsoft SharePoint servers rising to over 60% of IR cases this quarter. Ransomware-related incidents fell to about 20% but show evolving tactics, including leveraging legitimate tools and compromised internal accounts for persistence and phishing. Organizations are urged to prioritize rapid patching, robust network segmentation, centralized logging, MFA, and user education to reduce exposure.

IR Trends Q3 2025: ToolShell Drives Access & Response

🛡️ Cisco Talos Incident Response observed a surge in attacks exploiting public-facing apps in Q3 2025, driven chiefly by ToolShell chains targeting on-premises Microsoft SharePoint servers. Rapid automated scanning and unauthenticated RCE vulnerabilities led to widespread compromise, highlighting the need for immediate patching and strict network segmentation. Post-compromise phishing from valid accounts and diverse ransomware families, including Warlock and LockBit, continued to impact victims.

Samsung Galaxy S25 Hacked at Pwn2Own Ireland 2025 Event

🔒 At Pwn2Own Ireland 2025, researchers from Mobile Hacking Lab and Summoning Team successfully exploited a Samsung Galaxy S25 using a five‑vulnerability chain to achieve code execution. The findings, credited to Ken Gannon and Dimitrios Valsamaras, were surrendered to Samsung under the event's coordinated disclosure rules. Hours later a second team, Interrupt Labs, used an improper input validation bug to seize camera and location access. Each team received $50,000; Samsung has 90 days to issue fixes.

Samsung Galaxy S25 Exploited on Day Two of Pwn2Own

🔓 Security researchers earned $792,750 on day two of Pwn2Own Ireland 2025, exploiting 56 unique zero-day vulnerabilities across smartphones, NAS devices, printers, cameras and smart-home gear. A five-bug chain used by Ken Gannon and Dimitrios Valsamaras successfully compromised the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Several teams also exploited issues in QNAP and Synology NAS models, printers and IoT devices, and vendors now have 90 days to patch before public disclosure.

Chinese Groups Exploit ToolShell SharePoint Flaw Widespread

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premise Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

CISA Confirms Exploitation of Oracle E-Business SSRF Flaw

🔒 CISA has confirmed active exploitation of CVE-2025-61884, an unauthenticated SSRF in the Oracle Configurator runtime, and added it to its Known Exploited Vulnerabilities catalog. Federal agencies are required to patch the issue by November 10, 2025. Oracle released a fix on October 11 rated 7.5 and BleepingComputer says the update blocks a leaked exploit tied to ShinyHunters and related extortion activity.

Researchers Exploit 34 Zero-Days at Pwn2Own Ireland

🔒On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-day vulnerabilities and collected $522,500 in cash awards. Team DDOS (Bongeun Koo and Evangelos Daravigkas) chained eight flaws to compromise a QNAP Qhora-322 router via its WAN interface and access a QNAP TS-453E, earning $100,000 and moving into second place on the Master of Pwn leaderboard. The Summoning Team led day one with $102,500 and 11.5 points after multiple successful root exploits. The Zero Day Initiative (ZDI) organized the event and coordinates 90-day responsible disclosure with affected vendors.

Weekly Recap: F5 Breach, Linux Rootkits, and Trends

🔒 This weekly recap highlights long-lived, stealthy intrusions and emerging tactics that are reshaping defender priorities. Chief among them, F5 disclosed a year-long breach involving the BRICKSTORM malware and stolen BIG-IP source material, while researchers uncovered new Linux rootkits such as LinkPro and campaigns abusing blockchain smart contracts for malware delivery. The report urges inventorying edge devices, prioritizing patches, and improving detection, baselining, and intelligence sharing.