All news with #zero-day tag

Autonomous AI Hacking: How Agents Will Reshape Cybersecurity

⚠️ AI agents are increasingly automating cyberattacks, performing reconnaissance, exploitation, and data theft at machine speed and scale. In 2023 examples include XBOW's mass vulnerability reports, DARPA teams finding dozens of flaws in hours, and reports of adversaries using Claude and HexStrike-AI to orchestrate ransomware and persistent intrusions. This shift threatens accelerated attacks beyond traditional patch cycles while presenting new defensive opportunities such as AI-assisted vulnerability discovery, VulnOps, and even self-healing networks.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.

NCSC Urges Patch for Critical Oracle E-Business Bug

🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.

Microsoft: Critical GoAnywhere Flaw Used in Ransomware

⚠️ Microsoft warns that a critical deserialization vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT License Servlet Admin Console is being actively exploited in ransomware campaigns. The flaw (CVSS 10.0) enables attackers to bypass signature verification and deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution on internet-exposed instances. Customers are urged to apply Fortra's patch, harden perimeter controls and run endpoint defenses in block mode to detect and stop post-breach activity.

Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks

⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

Zeroday Cloud contest: $4.5M bounties for cloud tools

🔐 Zeroday Cloud is a new hacking competition focused on open-source cloud and AI tools, offering a $4.5 million bug bounty pool. Hosted by Wiz Research with Google Cloud, AWS, and Microsoft, it takes place December 10–11 at Black Hat Europe in London. The contest features six categories covering AI, Kubernetes, containers, web servers, databases, and DevOps, with bounties ranging from $10,000 to $300,000. Participants must deliver complete compromises and register via HackerOne.

Cl0p Exploits Critical Oracle E-Business Suite Flaw

🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle concurrent processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report mass email-based distribution from hundreds of compromised accounts and recommend immediate patching and forensic checks for listed IoCs and suspicious GET/POST activity.

Weekly Cyber Recap: Oracle 0-Day, BitLocker Bypass

🛡️Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.

Mass Exploitation of Oracle E-Business Suite Zero-Day

🔒 CrowdStrike is tracking a mass exploitation campaign abusing a novel zero-day, CVE-2025-61882, against Oracle E-Business Suite (EBS) that enables unauthenticated remote code execution and data exfiltration. First observed on 2025-08-09, activity accelerated after a proof-of-concept surfaced on 2025-10-03 and Oracle released an advisory with IOCs on 2025-10-04. CrowdStrike assesses likely involvement by the actor tracked as GRACEFUL SPIDER (moderate confidence) while acknowledging multiple actors may be exploiting internet-exposed EBS instances; detection and mitigation guidance and Falcon tooling are provided to help defenders.

Zimbra XSS Zero-Day Used to Target Brazilian Military

⚠️A stored cross-site scripting vulnerability in the Zimbra Classic Web Client (CVE-2025-27915) was exploited in targeted attacks and has since been patched. The flaw allowed embedded JavaScript in ICS calendar entries to execute via an ontoggle event, enabling attackers to create mail filters, redirect messages, and exfiltrate mailbox data. Zimbra released fixes on January 27, 2025; administrators should apply updates and audit mailbox filters and logs for indicators of compromise.

Oracle patches critical EBS zero-day used by Clop gang

⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.

Zero-day XSS in Zimbra abused via malicious .ICS files

📅 Researchers found a zero-day XSS in Zimbra Collaboration Suite exploited through malicious .ICS (iCalendar) attachments that delivered obfuscated JavaScript. The vulnerability, tracked as CVE-2025-27915, affects ZCS 9.0, 10.0 and 10.1 and was patched by Zimbra on January 27 with releases ZCS 9.0.0 P44, 10.0.13 and 10.1.5. StrikeReady determined attacks began in early January and involved a spoofed Libyan Navy email targeting a Brazilian military organization. The injected script is capable of stealing credentials, emails, contacts and shared folders, manipulating filters to forward mail, and using the Zimbra SOAP API to exfiltrate data.

Spike in Scanning Targets Palo Alto Login Portals Globally

🔍 GreyNoise observed a nearly 500% surge in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, jumping from about 200 to roughly 1,300 unique IPs. The firm classified 93% of those IPs as suspicious and 7% as malicious, with most activity geolocated to the U.S. and smaller clusters in the U.K., the Netherlands, Canada and Russia. GreyNoise noted the traffic was targeted and structured and shared a dominant TLS fingerprint with recent Cisco ASA scans.

Manufacturing Under Fire: Strengthening Cyber Defenses

🔒 Manufacturers face growing, targeted cyber threats driven by legacy OT, complex supply chains, and high-value IP. Attackers increasingly use credential theft, social engineering and sophisticated malware to achieve prolonged access, data theft and ransomware extortion that can halt production and ripple across partners. Building resilience with MFA, prompt patching and continuous detection such as MDR — offering 24/7 threat monitoring, expert hunting and rapid containment — reduces downtime and strengthens supply chain security while aligning with Zero Trust principles.

Chinese Hackers Exploited VMware Zero-Day Since Oct 2024

🔒 Broadcom issued patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. European firm NVISO linked the in-the-wild abuse to the China-aligned group UNC5174 and published a proof-of-concept for CVE-2025-41244. The flaw allows an unprivileged local attacker to stage a malicious binary (commonly in /tmp/httpd), have it discovered by VMware service discovery, and escalate to root-level execution on vulnerable VMs.

China-linked UNC5174 exploiting VMware Tools zero-day

⚠️ NVISO Labs says China-linked UNC5174 has been exploiting a newly patched local privilege escalation bug, CVE-2025-41244, in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. The vulnerability (CVSS 7.8) stems from a vulnerable get_version() regex that can match non-system binaries in writable directories (for example, /tmp/httpd) and cause metrics collection to execute them with elevated privileges. VMware and Broadcom have released fixes and mitigations; affected organizations should apply vendor patches and follow VMware's guidance, and Linux distributions will receive patched open-vm-tools packages from vendors.

Weekly Recap: Cisco 0-day, Record DDoS, New Malware

🛡️ Cisco firewalls were exploited in active zero-day attacks that delivered previously undocumented malware families including RayInitiator and LINE VIPER by chaining CVE-2025-20362 and CVE-2025-20333. Infrastructure and cloud environments faced major pressure this week: Cloudflare mitigated a record 22.2 Tbps DDoS while misconfigured Docker instances enabled ShadowV2 bot operations. Researchers also disclosed Supermicro BMC flaws that could allow malicious firmware implants, and ransomware actors increasingly abuse exposed AWS keys. Prioritize patching, firmware updates, and cloud identity hygiene now.

September 2025 Zero-Day Exploits Impact Cisco ASA/FTD

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.