CyberSecurity news

FlagThis

Microsoft Threat@Microsoft Security Blog - 3h
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.


The Hacker News - 19h
A critical security vulnerability, identified as CVE-2025-25012, has been discovered in Kibana, a widely used data visualization platform for Elasticsearch. The flaw stems from prototype pollution, potentially allowing attackers to execute arbitrary code on affected systems. This poses a significant risk to organizations relying on Kibana for data analysis and monitoring, with the vulnerability receiving a critical CVSS score of 9.9. The vulnerability exists due to the manipulation of an object's properties, which can lead to unintended behaviors within the application and allow an attacker to gain unauthorized access.

Versions from 8.15.0 up to, but not including, 8.17.3 are affected. In versions from 8.15.0 to before 8.17.1, the vulnerability is exploitable by users with the Viewer role; in versions 8.17.1 and 8.17.2, exploitation requires elevated privileges. An urgent fix has been released in version 8.17.3, and users are advised to apply the latest security patches immediately to safeguard against potential threats. For those unable to patch immediately, setting the Integration Assistant feature flag to false may provide some mitigation.

References :
  • socradar.io: Critical Kibana Vulnerability (CVE-2025-25012) Exposes Systems to Code Execution, Patch Now
  • Security Affairs: Security Affairs article on Elastic patching critical Kibana flaw.
  • The Hacker News: The Hacker News article on Elastic releasing an urgent fix for a critical Kibana vulnerability.
  • thecyberexpress.com: Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk

Pierluigi Paganini@Security Affairs - 19h
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting managed file transfer (MFT) vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.

Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.

References :
  • cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
  • iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data

Cynthia B@Metacurity - 19h
The Lazarus Group, a North Korean hacking organization, has reportedly laundered 100% of the $1.4 billion stolen from the Bybit cryptocurrency exchange. This information was initially reported by The Record and other cybersecurity news outlets. The stolen funds, in the form of Ethereum (ETH), were moved to new addresses, which is the first step in laundering cryptocurrency.

This rapid laundering of such a large sum indicates a high level of operational efficiency by the North Korean hackers. Ari Redbord, a former federal prosecutor and senior Treasury official, described this event as showing an “unprecedented level of operational efficiency.” He also suggested that North Korea has expanded its money laundering infrastructure or that underground financial networks, especially in China, have improved their ability to handle illicit funds. This situation underscores the increasing sophistication of North Korea's cybercrime activities and their ability to quickly process stolen cryptocurrency.

References :
  • infosec.exchange: NEW: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion.
  • Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit

Steven Campbell@Arctic Wolf - 1d
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.

Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 and $350,000 within 10 days.

This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.

References :
  • Arctic Wolf: Self-Proclaimed “BianLian Group” Uses Physical Mail to Extort Organizations
  • CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
  • DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
  • www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
  • PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
  • BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
  • Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
  • gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
  • techcrunch.com: The FBI is warning that scammers are impersonating the BianLian ransomware gang using fake ransom notes sent to U.S. corporate executives.
  • thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives

eff.org via Lobsters - 1d
The Electronic Frontier Foundation (EFF) has launched Rayhunter, a new free and open-source tool designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. These devices masquerade as legitimate cell towers, tricking phones into connecting to them. Law enforcement and other entities use CSS to pinpoint the location of phones and log identifying information, sometimes intercepting communications.

Rayhunter operates using an affordable mobile hotspot, empowering individuals, regardless of their technical skills, to search for CSS around the world. The EFF hopes this tool will help uncover how these devices are being used, as there is a lack of solid, empirical evidence about the function and usage of CSS. Police departments are often resistant to releasing logs of their use, and the companies that manufacture them are unwilling to divulge details of how they work.

References :
  • bsky.app: The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays.
  • cyberinsider.com: EFF Launches Rayhunter Open-Source Tool to Detect Cellular Spying
  • Lobsters: Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying
  • mastodon.social: At EFF we spend a lot of time thinking about the tech used by police and authorities to spy on you while you’re going about your everyday life, like cell-site simulators (CSS). Rayhunter is a new open source tool we’ve created that we hope empowers everyone to help search out CSS around the world.

Michael Kan@PCMag UK security - 1d
The U.S. Department of Justice (DOJ) has indicted 12 Chinese nationals for hacking attacks targeting critical U.S. sectors. Those indicted include officers from China’s Ministry of Public Security (MPS) and employees of i-Soon. The indictments reveal a Chinese hacker-for-hire ecosystem, with targets including U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury.

The DOJ has also begun a crackdown on a Chinese hacking network known as Silk Typhoon. According to court documents, the MPS and MSS employed an extensive network that has been linked to network breaches and cyberattacks targeting victims worldwide since 2011. The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activities of 12 Chinese nationals, including two officers of the People’s Republic of China’s (PRC) Ministry of Public Security (MPS), employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as “i-Soon,” and members of Advanced Persistent Threat 27 (APT27).

References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • DataBreaches.Net: Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers

Kirsten Doyle@Information Security Buzz - 1d
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.

These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials.

References :
  • Information Security Buzz: Typosquatted Go Packages Distribute Malware Loader Targeting Linux and macOS
  • Anonymous: Researchers have found a malicious campaign targeting Go developers with fake libraries. At least 7 typosquatted packages impersonate popular Go modules to deploy loader malware. These can execute remote code, stealing data or credentials on Linux and macOS systems.
  • socket.dev: Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
  • The Hacker News: Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems

Kirsten Doyle@Information Security Buzz - 1d
Proofpoint researchers have uncovered a cyber espionage campaign targeting the aviation and satellite communications sectors in the United Arab Emirates (UAE). Attributed to the threat cluster UNK_CraftyCamel, the operation involved exploiting trusted business relationships to infiltrate critical infrastructure. Beginning in October 2024, the attackers used a compromised email account belonging to INDIC Electronics, an Indian electronics company, to send spear-phishing emails containing malicious URLs to fewer than five targeted organizations in the UAE.

The malicious URLs mimicked legitimate domains and led recipients to download a ZIP archive embedded with polyglot files, designed to evade detection by exploiting format-specific quirks. Upon execution, the LNK file triggered a chain of events that installed a custom backdoor named "Sosano." Sosano, written in Golang, connects to a command-and-control server and supports commands for directory traversal, payload downloading, shell command execution, and directory deletion. Researchers noted similarities between UNK_CraftyCamel's tactics and those of Iranian-aligned groups, but assess it as a distinct entity.

References :
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A dangerous new cyberattack is affecting aviation, satellite communication, and transportation companies in the United Arab Emirates.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms

Pierluigi Paganini@Security Affairs - 2d
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too. Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon is a Chinese state actor focused on espionage campaigns targeting a wide range of industries in the US and throughout the world.

securebulletin.com@Secure Bulletin - 2d
New research indicates a connection between the Black Basta and Cactus ransomware gangs, with both groups employing similar social engineering attacks and the BackConnect proxy malware to gain persistent access to corporate networks. Trend Micro researchers have highlighted how both ransomware groups utilize the BackConnect (BC) module to maintain control over infected hosts and exfiltrate sensitive data. The use of QBACKCONNECT suggests a close working relationship between Black Basta and the QakBot developers.

The BackConnect module, tracked as QBACKCONNECT because of its overlaps with the QakBot loader, grants attackers a wide range of remote control capabilities, allowing them to execute commands and steal sensitive data such as login credentials, financial information, and personal files. Researchers observed a CACTUS ransomware attack that mirrored Black Basta's methods in deploying BackConnect but extended the operation to include lateral movement and data exfiltration.

References :
  • The Hacker News: Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates
  • www.bleepingcomputer.com: Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware
  • Virus Bulletin: Trend Micro researchers discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
  • bsky.app: New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.
  • Secure Bulletin: Black Basta and CACTUS ransomware: shared BackConnect module signals affiliate transition
  • BleepingComputer: New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks.

Aman Mishra@gbhackers.com - 2d
Cybersecurity researchers have revealed a sophisticated campaign where hackers are exploiting Microsoft Teams and Quick Assist for remote access. The attacks have been attributed to ransomware groups such as Black Basta and Cactus, highlighting a growing trend of cybercriminals abusing legitimate tools to bypass security defenses and infiltrate corporate networks. The attackers use social engineering tactics, including email flooding, followed by direct contact via Microsoft Teams, impersonating IT support staff to trick victims into granting access through Microsoft’s Quick Assist tool.

Once inside, attackers deploy additional malware by abusing OneDriveStandaloneUpdater.exe, a legitimate Microsoft process. By sideloading malicious DLLs, they establish persistent control and use BackConnect malware for command-and-control communication. This campaign has impacted various regions and industries, with a significant number of incidents occurring in North America, particularly the United States, and Europe. Manufacturing, financial services, and real estate sectors have been particularly targeted, as these threat actors are actively working around conventional security measures.


Pierluigi Paganini@Security Affairs - 2d
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.

References :
  • securityaffairs.com: Reports the release of Google's March 2025 Android security update, which addresses actively exploited zero-day vulnerabilities.
  • cyberinsider.com: Google Patches Two Actively Exploited Zero-Day Flaws in Android
  • The Hacker News: Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities.
  • bsky.app: Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices.
  • Information Security Buzz: Google Issues Urgent Alert for Exploited Android Vulnerabilities

Business Wire@ai-techpark.com - 3d
SolarWinds has acquired Squadcast, an incident response startup, to enhance its observability platform. The move aims to provide customers with intelligent automation capabilities, leading to faster incident resolution and a significant reduction in mean time to resolution (MTTR). By integrating Squadcast's technology, SolarWinds seeks to streamline incident management, improve operational resilience, and empower IT professionals to effectively manage hybrid ecosystems amidst a growing influx of alerts.

SolarWinds plans to integrate Squadcast's intelligent incident response product into its observability platform to accelerate MTTR. Squadcast's platform offers features such as on-call management, incident response, reliability workflows, and continuous learning capabilities. Squadcast reports that its users see benefits such as a 68% reduction in average MTTR and savings of some 1,000 work hours and $500,000 in costs. Financial details of the acquisition were not disclosed.

References :
  • ai-techpark.com: Reports on SolarWinds acquiring Squadcast, unifying observability and incident response.
  • www.networkworld.com: Reports on SolarWinds buying Squadcast to speed incident response.
  • Techzine Global: Reports on SolarWinds buys incident response startup Squadcast

Pierluigi Paganini@Security Affairs - 3d
The Polish Space Agency (POLSA) has shut down its systems and disconnected from the internet following a major cyberattack detected over the weekend. The agency confirmed the unauthorized intrusion into its IT infrastructure, prompting an immediate response to secure sensitive data. Cybersecurity teams are actively working to restore operations, with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military CSIRT (CSIRT MON) assisting POLSA in securing affected systems.

Poland's Minister of Digital Affairs, Krzysztof Gawkowski, stated that the systems under attack were secured and that intensive operational activities are underway to identify the perpetrators behind the cyberattack. While the exact nature of the breach remains undisclosed, sources suggest that POLSA’s internal email systems were compromised, forcing employees to communicate via phone. Amid escalating cyber threats, Poland is significantly ramping up its cybersecurity defenses, with suspicions pointing towards Russian involvement.


@csoonline.com - 3d
Broadcom has issued emergency security patches for VMware ESXi, Workstation, and Fusion products, addressing three zero-day vulnerabilities actively exploited in the wild. These flaws can lead to virtual machine escape, allowing attackers to potentially gain control of the host systems. VMware products, including VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, are affected. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.

The vulnerabilities were discovered by Microsoft and are actively being exploited. Patches are now available to address these critical security issues, and users of affected VMware products are strongly advised to apply the updates immediately to mitigate the risk of exploitation. Information on the patches can be found at the link provided by Broadcom (CVE-2025-22224: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390).

References :
  • bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
  • The Hacker News: Broadcom Releases Urgent Patches
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
  • bsky.app: BleepingComputer article on VMware zero-days.
  • Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
  • The Record: Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
  • securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
  • borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
  • socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
  • Blog: Multiple zero-days in VMware products actively exploited
  • gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits