All news with #zero-day tag

Microsoft releases final Windows 10 Patch Tuesday update

🔔 Microsoft has issued the final cumulative update for Windows 10, KB5066791, as the OS reaches end of support on October 14, 2025. The mandatory update delivers Microsoft's October 2025 Patch Tuesday fixes, closing six zero-day vulnerabilities and addressing 172 additional flaws. After installation, Windows 10 22H2 and 21H2 are updated to builds 19045.6456 and 19044.6456; users can install via Windows Update or the Microsoft Update Catalog and may schedule restarts to complete the process.

Microsoft October 2025 Patch Tuesday: 6 Zero-Days Fixed

🔒 Microsoft released its October 2025 Patch Tuesday, addressing 172 vulnerabilities including six zero‑day flaws and eight Critical issues. The updates include five remote code execution and three elevation‑of‑privilege critical bugs, along with numerous information disclosure, denial‑of‑service and security feature bypass fixes. Notable actions include the removal of an Agere modem driver and patches for exploited elevation‑of‑privilege and SMB/SQL Server issues. Windows 10 reaches end of support with this release; Extended Security Updates remain available for organizations and consumers.

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

October 2025 Patch Tuesday: 172 CVEs, 3 Zero-Days, 8 Critical

🔒 Microsoft’s October 2025 Patch Tuesday addresses 172 vulnerabilities, including two publicly disclosed issues, three zero‑day flaws and eight Critical CVEs. The bulk of fixes target Windows (134 patches), Microsoft Office (18) and Azure (6), with elevation-of-privilege and remote code execution as the primary risks. Windows 10 reaches end of life on October 14, 2025; hosts must be on 22H2 to receive Extended Security Updates. CrowdStrike recommends prioritizing patches for actively exploited zero‑days and using Falcon Exposure Management dashboards to track and remediate affected systems.

Microsoft restricts IE mode in Edge after zero-day attacks

🔒 Microsoft is restricting access to Internet Explorer mode in Edge after discovering attackers leveraged an unpatched zero-day in the Chakra JavaScript engine combined with social engineering to achieve remote code execution and privilege escalation. The company removed quick UI triggers (toolbar button, context menu, hamburger items) so IE mode now requires explicit configuration under Settings > Default Browser. Commercial, policy-managed deployments remain unaffected.

New zero-day in Gladinet re-enables patched RCE flaw

⚠️ Huntress has observed criminals exploiting a new zero-day (CVE-2025-11371) in Gladinet CentreStack and Triofox file-sharing servers that enables unauthenticated local file inclusion. The flaw can expose the application's Web.config machineKey, effectively re-enabling a prior ViewState deserialization RCE (CVE-2025-30406). Gladinet has not yet released a patch; Huntress advises disabling the UploadDownloadProxy temp handler as a mitigation. Huntress detected misuse across multiple customers and notes that SOC telemetry flagged irregular base64 payloads; administrators should assume 'fully patched' may not equal secure and isolate or disable vulnerable handlers until a vendor patch is available.

Weekly Recap: WhatsApp Worm, Oracle 0-Day and Ransomware

⚡This weekly recap covers high-impact incidents and emerging trends shaping enterprise risk. Significant exploitation of an Oracle E-Business Suite zero-day (CVE-2025-61882) and linked payloads reportedly affected dozens of organizations, while a GoAnywhere MFT flaw (CVE-2025-10035) enabled multi-stage intrusions by Storm-1175. Other highlights include a WhatsApp worm, npm-based phishing chains, an emerging ransomware cartel, AI abuse, and a prioritized list of critical CVEs.

Harvard Probes Data Breach Linked to Oracle Zero-Day

🔒 Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site and attributed the incident to a recently disclosed Oracle E-Business Suite zero-day (CVE-2025-61882). A Harvard IT spokesperson said the issue affected a limited number of parties within a small administrative unit and that a patch from Oracle was applied upon receipt. The university reports no evidence of broader compromise while it continues monitoring.

Microsoft Restricts Edge IE Mode After Active Exploits

🔒 Microsoft has tightened access to Internet Explorer mode in Edge after credible reports in August 2025 that unknown actors abused the legacy compatibility feature to compromise devices. Attackers used social engineering to coerce users into reloading pages in IE mode and then chained unpatched Chakra JavaScript engine exploits to gain remote code execution and elevate privileges. Microsoft removed the IE mode toolbar button, context-menu and hamburger-menu entries; IE mode must now be enabled explicitly via Edge settings and sites must be added to an IE mode pages list.

Apple doubles top RCE bounty to $2M amid new MIE security

🔒 Apple has raised its top bounty for iOS zero‑click system‑level remote code execution from $1 million to $2 million, with additional bonuses for Lockdown Mode bypasses and beta‑stage reports that can push awards above $5 million. The change coincides with the rollout of Memory Integrity Enforcement in A19/A19 Pro chips, which leverages Arm's MTE/EMTE to harden memory safety. Apple will also provide 1,000 iPhone 17 devices to civil society members at risk.

Zero-Day in Gladinet CentreStack and Triofox Exploited

⚠️ Researchers report an actively exploited zero-day (CVE-2025-11371) in Gladinet's CentreStack and Triofox that permits unauthenticated Local File Inclusion (LFI) on default installs, exposing system files and allowing machine-key disclosure. Huntress observed exploitation on Sept 27 with at least three companies targeted. No patch is available yet; Gladinet has issued a workaround to disable a temp handler in the UploadDownloadProxy Web.config, though this may affect some functionality.

Aisuru Botnet Floods U.S. ISPs in Record DDoS Attack

🛰️ Aisuru, now the world’s largest IoT botnet, is drawing the majority of its attack volume from compromised consumer devices hosted by U.S. ISPs such as AT&T, Comcast and Verizon. In early October the botnet briefly generated a near‑30 terabit-per-second traffic flood, underscoring its rapidly expanding scale and destructive reach. The attacks have targeted gaming-focused networks and protection providers, causing widespread collateral congestion and forcing providers to reassess outbound mitigation. Built on Mirai-derived code, Aisuru is also being marketed as a residential proxy service, complicating attribution and remediation.

Google: Clop Exfiltrated Data via Oracle E-Business Flaw

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

Active Exploitation: Gladinet CentreStack LFI → RCE Bug

⚠️ Huntress reports active exploitation of an unauthenticated LFI zero-day, CVE-2025-11371, affecting Gladinet CentreStack and TrioFox up to version 16.7.10368.56560. The flaw permits disclosure of server files, including Web.config, enabling attackers to extract a hard-coded machine key that can enable a prior ViewState deserialization RCE (CVE-2025-30406). As an interim mitigation, Huntress recommends disabling the UploadDownloadProxy 'temp' handler in Web.config until a vendor patch is available.

Cl0p-Linked Actors Exploit Oracle E-Business Suite

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

Oracle EBS Zero-Day Exploitation and Extortion Campaign

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.

ThreatsDay: Teams Abuse, MFA Hijack, $2B Crypto Heist

🛡️ Microsoft and researchers report threat actors abusing Microsoft Teams for extortion, social engineering, and financial theft after hijacking MFA with social engineering resets. Separate campaigns use malicious .LNK files to deliver PowerShell droppers and DLL implants that establish persistent command-and-control. Analysts also link over $2 billion in 2025 crypto thefts to North Korean‑linked groups and identify AI-driven disinformation, IoT flaws, and cloud misconfigurations as multiplying risk. Defenders are urged to harden identity, secure endpoints and apps, patch exposed services, and limit long-lived cloud credentials.

AI-Powered Cyberattacks Escalate Against Ukraine in 2025

🔍 Ukraine's SSSCIP reported a sharp rise in AI-enabled cyber operations in H1 2025, documenting 3,018 incidents versus 2,575 in H2 2024. Analysts found evidence that attackers used AI not only to craft phishing lures but also to generate malware samples, including a PowerShell stealer identified as WRECKSTEEL. Multiple UAC clusters—such as UAC-0219, UAC-0218, and UAC-0226—deployed stealers and backdoors via booby-trapped archives, SVG attachments, and ClickFix-style tactics. The report also details zero-click exploitation of Roundcube and Zimbra flaws and widespread abuse of legitimate cloud and collaboration services for hosting and data exfiltration.