All news with #zero-day tag

Samsung patches actively exploited zero-day in image codec

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.

Apple warns customers targeted by recent spyware attacks

🔔 Apple warned customers that their accounts were targeted in a series of mercenary spyware attacks, according to France's CERT‑FR. Notifications were issued on March 5, April 29, June 25 and September 3 and appear at the top of account.apple.com and via the email or phone linked to users' Apple IDs. The alerts indicate highly sophisticated campaigns often using zero‑day and zero‑click techniques, meaning at least one device tied to the account may be compromised. Apple recommends enabling Lockdown Mode and seeking rapid-response assistance through Access Now.

Two Zero-Days Among Microsoft Patch Tuesday Fixes This Month

⚠️ Microsoft released its monthly Patch Tuesday addressing 81 vulnerabilities, including two disclosed zero-days affecting SQL Server and SMB. The first, CVE-2024-21907, involves improper handling in Newtonsoft.Json used by SQL Server and can cause denial of service via deeply nested JSON. The second, CVE-2025-55234, is a remotely exploitable SMB elevation-of-privilege that can be mitigated by hardening features like SMB Server Signing and Extended Protection for Authentication; Microsoft also offers audit tools to check compatibility before enabling them.

Microsoft Patch Tuesday: September 2025 Security Fixes

🔒 Microsoft today released Patch Tuesday updates addressing more than 80 vulnerabilities across Windows and related products, including 13 rated critical. There are no known zero‑day or actively exploited flaws in this bundle, but Microsoft patched several high‑risk issues such as CVE-2025-54918 (Windows NTLM), CVE-2025-55234 (SMB client), and CVE-2025-54916 (NTFS). Researchers warn many fixes are for privilege‑escalation bugs — some remotely exploitable — and note that Apple and Google recently patched zero‑days in their platforms as well.

Microsoft Sep 2025 Patch Tuesday: 81 fixes, two zero-days

🔒 Microsoft released its September 2025 Patch Tuesday addressing 81 vulnerabilities, including two publicly disclosed zero-days affecting Windows SMB Server and the Newtonsoft.Json library bundled with SQL Server. The update bundle contains nine Critical fixes — five remote code execution issues — and a total of 41 elevation-of-privilege vulnerabilities across Windows, Azure, and related components. Administrators are advised to apply patches promptly, enable and test SMB Server signing and Extended Protection for Authentication, enable auditing to check compatibility, and ensure SQL Server receives the patched Newtonsoft.Json to mitigate the disclosed flaws.

September 2025 Patch Tuesday: Microsoft Vulnerabilities

🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

CISA Orders Immediate Patch for Critical Sitecore Flaw

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.

Legacy Sitecore ViewState Zero-Day Allows WeepSteel Backdoors

🔐 Mandiant observed attackers exploiting a zero‑day ViewState deserialization flaw (CVE-2025-53690) in legacy Sitecore deployments that reused a sample ASP.NET machineKey. Adversaries delivered a WeepSteel reconnaissance backdoor to collect system and network data and disguised exfiltration as normal ViewState traffic. Sitecore advises replacing and encrypting static machineKey values and instituting regular key rotation to mitigate further risk.

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

New TP-Link CWMP Zero-Day Targets Multiple Routers

🔒TP-Link has confirmed an unpatched zero-day in its CWMP implementation that can enable remote code execution on multiple routers. Independent researcher Mehrun (ByteRay) reported the issue to TP-Link on May 11, 2024; the flaw is a stack-based buffer overflow in the SOAP SetParameterValues handler caused by unbounded strncpy calls. TP-Link says a patch exists for some European firmware builds and that fixes for U.S. and other global versions are in development; users should update firmware, change default admin credentials, and disable CWMP if it is not required.

Sitecore Issues Patch After Critical Exploited Zero-Day

🔒 Mandiant disrupted an active exploitation of a critical zero-day in Sitecore's Experience Manager and Experience Platform that permits remote code execution via ViewState deserialization. Publicly disclosed on September 3 as CVE-2025-53690 (CVSS 9.0), the flaw affects Sitecore versions up to 9.0 when deployments retained the sample ASP.NET machine key published in older deployment guides. Attackers used the vulnerability to deliver WEEPSTEEL and other tooling, harvest credentials and perform lateral movement. Sitecore has issued a security advisory, notified impacted customers and says recent deployments now auto-generate unique machine keys.

Google ships September Android patches for 120 flaws

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.

ICE Reinstates Contract with Paragon Spyware Vendor

🔁 ICE has reinstated a $2m contract with Israeli-founded vendor Paragon Solutions, now owned by US private equity, enabling delivery of hardware and perpetual license software to the agency. The agreement, originally signed on 27 September 2024 and suspended after a White House review on 8 October 2024, was cleared to resume work on 30 August. Paragon has been linked to the Graphite spyware used against European journalists and implicated in Italian government investigations, raising procurement and national security concerns.

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.

WhatsApp Patches Zero-Click Zero-Day Exploit in iOS

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.

WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

WhatsApp patches iOS and macOS zero-day vulnerability

🔒 WhatsApp has patched a zero-click vulnerability (CVE-2025-55177) impacting WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw involved incomplete authorization of linked-device synchronization messages that could trigger processing of content from an arbitrary URL on a target device. WhatsApp said the bug may have been chained with an Apple OS-level zero-day (CVE-2025-43300) and exploited in targeted, sophisticated attacks. Potentially impacted users have been urged to perform a factory reset and keep their operating systems and apps up to date.

Critical FreePBX Zero-Day Under Active Exploitation

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.