All news with #zero-day tag

Chinese Group Uses BRICKSTORM Backdoor Against US Firms

⚠️ Google Threat Intelligence Group says a Chinese-aligned cluster has used the BRICKSTORM backdoor in intrusion campaigns since at least March 2025 against US legal and technology firms, SaaS providers and outsourcing companies. Attackers focused on harvesting emails and files from key individuals and establishing long-term footholds. The group, tracked as UNC5221, exploited zero-days, deployed BRICKSTORM on VMware appliances, and used credential theft and persistence mechanisms to evade detection. Google and partners have published detection guidance and a Mandiant scanner script to help identify infections.

Cisco warns of IOS and IOS XE SNMP zero-day attacks

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

Unpatched OnePlus flaw exposes SMS data to rogue apps

🔒 Rapid7 disclosed an unpatched vulnerability in OnePlus's OxygenOS (CVE-2025-10184) that allows any installed app to access SMS content and metadata without SMS permissions. The fault arises from modified Telephony content providers whose manifests omit a required write permission and accept unsanitized input. By abusing a blind SQL-injection vector an attacker can infer SMS text one character at a time. OnePlus has acknowledged the report and is investigating; users should minimize installed apps and avoid SMS-based 2FA.

Brickstorm: Long-term Go-based Backdoor Targets US Orgs

🔒 Google researchers report suspected China-linked operators used a Go-based backdoor named Brickstorm to persistently exfiltrate data from U.S. technology, legal, SaaS and BPO organizations, with an average dwell time of 393 days. Brickstorm operated as a web server, file dropper, SOCKS relay and remote command executor while masquerading traffic as legitimate cloud services and targeting edge appliances that often lack EDR. GTIG attributes the activity to UNC5221, a cluster linked to Ivanti zero-day exploitation and custom tools like Spawnant and Zipline. Mandiant published a scanner with YARA rules but cautioned it may not detect all variants or persistence mechanisms.

Weekly Recap: Chrome 0-day, AI Threats, and Supply Chain Risk

🔒 This week's recap highlights rapid attacker innovation and urgent remediation: Google patched an actively exploited Chrome zero-day (CVE-2025-10585), while researchers demonstrated a DDR5 RowHammer variant that undermines TRR protections. Dual-use AI tooling and model namespace reuse risks surfaced alongside widespread supply-chain and phishing disruptions. Defenders should prioritize patching, harden model dependencies, and monitor for stealthy loaders.

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.

ShadowLeak zero-click exfiltrates Gmail via ChatGPT Agent

🔒 Radware disclosed a zero-click vulnerability dubbed ShadowLeak in OpenAI's Deep Research agent that can exfiltrate Gmail inbox data to an attacker-controlled server via a single crafted email. The flaw enables service-side leakage by causing the agent's autonomous browser to visit attacker URLs and inject harvested PII without rendering content or user interaction. Radware reported the issue in June; OpenAI fixed it silently in August and acknowledged resolution in September.

Entra ID Actor Token Flaw Lets Attackers Impersonate Admins

🔒 Researchers disclosed a max-severity vulnerability in Microsoft Entra ID that allowed attackers to request and reuse internal Actor tokens to impersonate any user, including Global Administrators, across tenants. The issue stemmed from a legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant impersonation without triggering MFA, Conditional Access, or audit logs. Microsoft patched the flaw, tracked as CVE-2025-55241, and rolled a global fix but experts warn that lack of historical visibility leaves uncertainty about past exploitation.

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.

Google patches sixth Chrome zero-day exploited in 2025

🔒Google has released emergency security updates to address a high-severity Chrome zero-day, CVE-2025-10585, which a public exploit indicates is being used in the wild. The vulnerability is a type confusion weakness in Chrome's V8 JavaScript engine and was reported by Google's Threat Analysis Group. Google issued emergency Stable Desktop releases — Chrome 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux — and recommends users update immediately via Chrome menu > Help > About Google Chrome and click 'Relaunch' once the update finishes. The company also said it may withhold technical details until a majority of users have applied the fix.

Google Issues Chrome Security Update for V8 Zero-Day

⚠️ Google released security updates for Chrome to address four vulnerabilities, including a zero-day (CVE-2025-10585) in the V8 JavaScript and WebAssembly engine that is reported to be exploited in the wild. The issue is a type confusion bug discovered and reported by Google's Threat Analysis Group on September 16, 2025, and can enable arbitrary code execution or crashes. Users should update to Chrome 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) and apply vendor patches for other Chromium-based browsers when available.

Apple patches ImageIO zero-day, urges users to update

🛡️ Apple has released iOS 16.7.12 and iPadOS 16.7.12 to address a critical zero-day in the ImageIO framework (CVE-2025-43300) that can trigger memory corruption when processing crafted images. The vendor says the flaw is an out-of-bounds write and that it may have been exploited in targeted attacks against specific individuals. The fix improves bounds checking and was back-ported from the 18.6.2 updates to reach older devices. Users, particularly those on older iPhones and iPads, are advised to install the update immediately.

Apple Backports Zero-Day Fixes to Older iPhones and iPads

🔒 Apple has released security updates that backport a patch for CVE-2025-43300 to older iPhone, iPad and iPod touch builds. The flaw is an out-of-bounds write in the Image I/O framework that can cause memory corruption, crashes, or enable remote code execution when a device processes a malicious image file. Apple said the issue was exploited in an extremely sophisticated targeted attack and has added improved bounds checking; affected users should install the updates promptly.

Apple Backports Patch for CVE-2025-43300 Exploited Spyware

🛡️ Apple has backported a fix for CVE-2025-43300, an ImageIO out-of-bounds write that can cause memory corruption and has been observed in an extremely sophisticated, targeted spyware campaign. The flaw (CVSS 8.8) was reportedly chained with a WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) in attacks against fewer than 200 individuals. Patches were issued for current releases and older OS builds — including iOS 16.7.12 and iOS 15.8.5 device backports — and distributed across macOS, tvOS, visionOS, watchOS, Safari, and Xcode. Users and administrators should install the available updates immediately to ensure protection.

Apple releases September 2025 OS updates with patches

🔒 Apple published iOS 26, iPadOS 26 and macOS 26 updates that patch multiple vulnerabilities but did not report active exploitation. The releases address 27 defects in iOS/iPadOS and 77 in macOS, and also include fixes across Safari, watchOS, visionOS and Xcode. Users who prefer not to upgrade to the year-numbered releases can apply security-only updates — iOS 18.7, iPadOS 18.7 or macOS 15.7 — while many devices from 2019 or earlier are not supported. Trend Micro’s Dustin Childs said he saw no sign of active exploitation in this batch, though macOS fixes for PackageKit and StorageKit are notable because exploitation could yield root privileges.

Weekly Recap: Bootkit Malware, AI Attacks, Supply Chain

⚡ This weekly recap synthesizes critical cyber events and trends, highlighting a new bootkit, AI-enhanced attack tooling, and persistent supply-chain intrusions. HybridPetya samples demonstrate techniques to bypass UEFI Secure Boot, enabling bootkit persistence that can evade AV and survive OS reinstalls. The briefing also covers vendor emergency patches, novel Android RATs, fileless frameworks, and practical patch priorities for defenders.

Samsung image library flaw enables zero-click RCE exploit

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

Apple Alerts French Users to Fourth 2025 Spyware Campaign

🔔 Apple has notified users in France that devices linked to some iCloud accounts may have been compromised in a fourth spyware campaign this year, CERT-FR confirmed on September 3, 2025. The agency said the alerts target high-profile individuals — journalists, lawyers, activists, politicians and senior officials — and follow prior notices on March 5, April 29 and June 25. Recent disclosures also link WhatsApp and iOS vulnerabilities exploited in zero-click chains, while Apple’s Memory Integrity Enforcement aims to harden new iPhones against such memory-corruption attacks.

France Alerts Apple Users to New Spyware Campaigns

🔔Apple has alerted some iCloud account holders to a newly identified spyware campaign that may have compromised at least one device tied to notified accounts. France’s national CERT (CERT-FR), run by ANSSI, published an advisory on 11 September after Apple issued notifications starting 3 September. CERT-FR urged recipients to contact the team immediately, retain the original Apple notification (from threat-notifications@email.apple.com or threat-notifications@apple.com), and avoid altering or restarting affected devices to preserve forensic evidence. The advisory reiterated basic and advanced risk-reduction steps including two-factor authentication, timely updates, enabling automatic updates, separating work and personal use, and activating Lockdown Mode.