CyberSecurity news

FlagThis - #zeroday

Sergiu Gatlan@BleepingComputer //
Google has released a critical security update for its Chrome browser to address a high-severity zero-day vulnerability, identified as CVE-2025-2783. This vulnerability was actively exploited in a sophisticated espionage campaign targeting Russian organizations, specifically media companies, educational institutions, and government entities. According to Kaspersky, the vulnerability allowed attackers to bypass Chrome’s sandbox protections, gaining unauthorized access to affected systems without requiring further user interaction. This incident marks the first actively exploited Chrome zero-day since the start of the year, underscoring the persistent threat landscape faced by internet users.

Kaspersky's investigation, dubbed "Operation ForumTroll," revealed that the attacks were initiated through personalized phishing emails disguised as invitations to the "Primakov Readings" forum. Clicking the malicious link led victims to a compromised website that immediately exploited the zero-day vulnerability. The technical sophistication of the exploit chain points to a highly skilled Advanced Persistent Threat (APT) group. Google urges users to update their Chrome browsers immediately to version 134.0.6998.177/.178 for Windows to mitigate the risk.

Recommended read:
References :
  • cyberinsider.com: Google has released a security update for Chrome to address a high-severity zero-day vulnerability that was actively exploited in a sophisticated espionage campaign targeting Russian organizations.
  • thehackernews.com: Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
  • securityaffairs.com: Google fixed the first actively exploited Chrome zero-day since the start of the year
  • techcrunch.com: Google fixes Chrome zero-day security flaw used in hacking campaign targeting journalists
  • thecyberexpress.com: Google has rolled out a new security update for Chrome users, following the discovery of a vulnerability, CVE-2025-2783, affecting the Windows version of the browser.
  • The DefendOps Diaries: Google Chrome Vulnerability CVE-2025-2783: A Closer Look
  • Cybernews: Google has patched a dangerous zero-day vulnerability that has already been exploited by sophisticated threat actors in the wild
  • Zack Whittaker: New: Google has fixed a zero-day bug in Chrome that was being actively exploited as part of a hacking campaign. Kaspersky says the bug was exploited to target journalists and employees at educational institutions.
  • Kaspersky official blog: Kaspersky’s GReAT experts have discovered the Operation ForumTroll APT attack, which used a zero-day vulnerability in Google Chrome.
  • bsky.app: Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations.
  • Cyber Security News: Operation ForumTroll: APT Hackers Use Chrome Zero-Day to Evade Sandbox Protections.
  • www.bleepingcomputer.com: Google has released out-of-band fixes to address a high-severity security flaw in Chrome browser for Windows that has been actively exploited.
  • Help Net Security: Help Net Security: Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
  • securityonline.info: CVE-2025-2783: Chrome Zero-Day Exploited in State-Sponsored Espionage Campaign
  • MSSP feed for Latest: Google remediated the high-severity Chrome for Windows zero-day vulnerability.
  • The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
  • PCMag UK security: Details about Firefox also being affected by Chrome zero-day flaw
  • CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
  • iHLS: Google Patches Dangerous Zero-Day Flaw in Chrome
  • PCMag UK security: Time to Patch: Google Chrome Flaw Used to Spread Spyware
  • MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
  • The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
  • Blog: Mozilla has released updates to fix a critical security flaw in its Firefox browser for Windows. The vulnerability, designated CVE-2025-2857, stems from improper handling within the browser's inter-process communication (IPC) code, which could allow a compromised child process to gain elevated privileges by manipulating the parent process into returning a powerful handle, potentially leading to sandbox escape.
  • securityaffairs.com: Google addressed a critical vulnerability, tracked as CVE-2025-2783, impacting its Chrome browser for Windows.
  • securityaffairs.com: U.S. CISA adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog
  • thecyberexpress.com: CISA Issues Urgent Security Alerts: Critical Vulnerabilities in Schneider Electric, Chrome, and Sitecore

@The DefendOps Diaries //
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities that were already being actively exploited. These zero-day flaws highlight the importance of applying security updates in a timely manner. Three critical vulnerabilities were remote code execution vulnerabilities, posing a high risk that could lead to full system compromise if exploited. One notable zero-day vulnerability is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow attackers to gain SYSTEM privileges through a race condition.

Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.

Recommended read:
References :
  • isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
  • The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
  • BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
  • CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
  • Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
  • bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
  • krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
  • Blog RSS Feed: March 2025 Patch Tuesday Analysis
  • Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
  • The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
  • hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
  • www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
  • Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
  • socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities
  • Security | TechRepublic: Microsoft's March 2025 Patch Tuesday includes six actively exploited zero-day vulnerabilities. Learn about the critical vulnerabilities and why immediate updates are essential.
  • Davey Winder: Microsoft has confirmed that no less than six zero-day vulnerabilities are exploiting Windows users in the wild. Here’s what you need to know and do.
  • : Microsoft Patches a Whopping Seven Zero-Days in March
  • Blog: As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities
  • Arctic Wolf: Microsoft Patch Tuesday: March 2025
  • Talkback Resources: Microsoft's Patch Tuesday reports 6 flaws already under fire [app] [sys]
  • ESET Research: has discovered a zero day exploit abusing -2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges ( ).
  • The DefendOps Diaries: Understanding the Impact of CVE-2025-24983: A Critical Windows Kernel Vulnerability
  • BleepingComputer: Microsoft patches Windows Kernel zero-day exploited since 2023
  • PCWorld: Big March patch fixes dozens of security flaws in Windows and Office
  • securityaffairs.com: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days
  • www.threatdown.com: The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.
  • Arctic Wolf: Microsoft Patch Tuesday: March 2025
  • www.computerworld.com: For March’s Patch Tuesday, 57 fixes — and 7 zero-days

@csoonline.com //
Broadcom has issued urgent security patches to address three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion products. These flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, could enable attackers to execute code and disclose sensitive information. VMware ESXi is under active exploitation in the wild, making timely patching crucial to prevent potential attacks. The vulnerabilities impact various versions of VMware ESXi 8.0, 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.x, and Telco Cloud Platform.

The most critical flaw, CVE-2025-22224, boasts a CVSS score of 9.3 and is a heap-overflow vulnerability leading to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit this to execute code as the virtual machine's VMX process running on the host. Broadcom credited Microsoft's MSTIC security team with discovering and reporting these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.

Recommended read:
References :
  • bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
  • The Hacker News: Broadcom Releases Urgent Patches
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
  • bsky.app: BleepingComputer article on VMware zero-days.
  • Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
  • The Record: Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
  • securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
  • borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
  • socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
  • Blog: Multiple zero-days in VMware products actively exploited
  • gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
  • www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
  • www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
  • Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
  • techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
  • Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
  • www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
  • MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
  • www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
  • research.kudelskisecurity.com: Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
  • cyble.com: Three VMware Zero-Days Under Active Exploitation – What You Need to Know
  • Zack Whittaker: VMware emergency hypervisor escape bugs under attack

Bill Mann@CyberInsider //
A critical unpatched zero-day vulnerability in Microsoft Windows is being actively exploited by 11 state-sponsored threat groups for espionage, data theft, and financially motivated campaigns since 2017. The flaw, tracked as ZDI-CAN-25373, involves the use of crafted Windows Shortcut (.LNK) files to execute hidden malicious commands. This allows attackers to gain unauthorized access to systems, steal sensitive data, and potentially conduct cyber espionage activities targeting governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies across multiple countries.

The attacks leverage hidden command line arguments within the malicious .LNK files, making detection difficult by padding the arguments with whitespace characters. Nearly 1,000 .LNK file artifacts exploiting the vulnerability have been found, and linked to APT groups from China, Iran, North Korea, and Russia. In these attacks, the .LNK files act as a delivery vehicle for malware families like Lumma Stealer, GuLoader, and Remcos RAT. Microsoft considers the issue a low severity user interface misrepresentation and does not plan to release a fix.

Recommended read:
References :
  • The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
  • ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
  • The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
  • securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
  • The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
  • BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
  • CyberInsider: Microsoft Declines to Fix Actively Exploited Windows Zero-Day Vulnerability
  • socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Tech Monitor: A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns.
  • www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
  • www.cybersecuritydive.com: 11 nation-state groups exploit unpatched Microsoft zero-day
  • www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
  • Security Risk Advisors: APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
  • hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
  • : Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
  • securityonline.info: A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of the
  • Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
  • Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
  • Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
  • www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
  • Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
  • SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
  • Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
  • borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
  • Threats | CyberScoop: Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day
  • Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
  • aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying
  • securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
  • aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.

MSSP Alert@MSSP feed for Latest //
Apple has issued critical security updates for iOS 18.3.2 and iPadOS 18.3.2, addressing a actively exploited WebKit vulnerability identified as CVE-2025-24201. This flaw allowed cybercriminals to use maliciously crafted web content to bypass the Web Content sandbox. The update is available for iPhone XS and later, multiple iPad Pro models, iPad Air (3rd generation and later) and iPad mini (5th generation and later).

Users are urged to update their devices promptly by navigating to Settings > General > Software Update. Security experts emphasize the importance of these patches, noting that failure to update leaves devices vulnerable to compromise. According to Adam Boynton, senior security strategy manager EMEIA at Jamf, keeping devices up to date is essential. He also stated that this particular flaw allowed attackers to access data in other parts of the operating system.

Recommended read:
References :
  • The DefendOps Diaries: Apple's Swift Response to WebKit Zero-Day Vulnerability: CVE-2025-24201
  • BleepingComputer: Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
  • securityaffairs.com: Apple fixed the third actively exploited zero-day of 2025
  • CyberInsider: Apple Patches Zero-Day Flaw Used in Targeted iPhone Attacks
  • Threats | CyberScoop: Apple released emergency software patches Tuesday that address a newly identified zero-day vulnerability in the company’s WebKit web browser engine.  Tracked as CVE-2025-24201, an attacker can potentially escape the constraints of Webkit’s Web Content sandbox, potentially leading to unauthorized actions.
  • techcrunch.com: The flaw was in the browser engine WebKit, used by Safari and other apps.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • infosec.exchange: NEW: Apple patched a zero-day in WebKit that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.â€� This is second time, AFAICT, that Apple uses the "extremely sophisticated" phrase for a patched bug.
  • The Hacker News: Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks
  • www.csoonline.com: Apple patches zero-day bugs used in targeted iPhone attacks
  • Blog: FieldEffect blog post on apple-emergency-update-extremely-sophisticated-zero-day.
  • www.infosecurity-magazine.com: iOS 18.3.2 Patches Actively Exploited WebKit Vulnerability
  • MSSP feed for Latest: Apple Addresses Actively-Exploited Zero-Day In WebKit Browser Engine
  • Malwarebytes: Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacksâ€�
  • SOC Prime Blog: CVE-2025-24201 Exploitation: Apple Fixes the WebKit Zero-Day Vulnerability Used in Sophisticated Attacks
  • bsky.app: Apple pushed additional updates for a zero-day that may have been actively exploited.
  • ApplSec: Apple pushed updates for a new zero-day that may have been actively exploited.
  • iThinkDifferent: iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and visionOS 2.3.2 released with critical WebKit security fix
  • www.zdnet.com: Apple is patching a vulnerability in iPhones and iPads that could be exploited in "extremely sophisticated" attacks. The vulnerability, dubbed CVE-2025-24201, was found in , Apple's open-source framework that helps render pages in Safari, Mail, App Store, and other apps. It
  • bsky.app: 📣 EMERGENCY UPDATE 📣 Apple pushed updates for a new zero-day that may have been actively exploited. ğŸ�› CVE-2025-24201 (WebKit): - iOS and iPadOS 18.3.2 - macOS Sequoia 15.3.2 - visionOS 2.3.2 #apple #infosec
  • bsky.app: 📣 EMERGENCY UPDATE 📣 Apple pushed updates for a new zero-day that may have been actively exploited. ğŸ�› CVE-2025-24201 (WebKit): - iOS and iPadOS 18.3.2 - macOS Sequoia 15.3.2 - visionOS 2.3.2 #apple #infosec
  • Rescana: Apple Urgently Patches CVE-2025-24201 Zero-Day in iOS, iPadOS, macOS, visionOS, and Safari amid Attacks
  • PCMag UK security: Update Now: Apple Rolls Out Fix for 'Extremely Sophisticated' Zero-Day Bug
  • eWEEK: Apple addressed a zero-day vulnerability, tracked as CVE-2025-24201, that has been exploited in “extremely sophisticatedâ€� cyber attacks.

Carly Page@TechCrunch //
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.

The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.

Recommended read:
References :
  • bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
  • techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
  • www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
  • The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
  • The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
  • : The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
  • Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
  • securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
  • Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members.  PSEA said it “took steps†to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • CyberInsider: Cyber Insider article about Russian Zero-Day Firm Offering Record $4 Million for Telegram Exploits
  • www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims

@The DefendOps Diaries //
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.

Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
  • www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
  • BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
  • gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
  • www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
  • bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
  • The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
  • www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
  • : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
  • iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
  • Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
  • Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.

Paolo Tarsitano@Cyber Security 360 //
Citizen Lab researchers have identified several countries as potential customers of Paragon Solutions' Graphite spyware, which was used in attacks against human rights defenders. The investigation mapped the infrastructure of the Israel-based spyware maker, identifying servers likely used by customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The findings follow WhatsApp's notification to numerous individuals that Paragon exploited the platform to deliver spyware to their phones.

The Citizen Lab report includes an infrastructure analysis of Graphite, a forensic analysis of infected devices belonging to members of civil society, and a closer look at the spyware's use in Canada and Italy. Meta (WhatsApp) confirmed these details were pivotal to their ongoing investigation into Paragon which allowed them to fix a zero-click exploit.

Paragon’s executive chairman, John Fleming, responded that Citizen Lab shared only a "very limited amount of information" beforehand, "some of which appears to be inaccurate," while declining to specify what was inaccurate. Despite Paragon's claims of selling only to democracies, the report raises concerns about potential abuse, suggesting their safeguards may not be sufficient.

Recommended read:
References :
  • infosec.exchange: Researchers mapped out the infrastructure of spyware maker Paragon Solutions, and say they were able to identify servers likely used by customers in several countries: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Paragon’s executive chairman John Fleming said Citizen Lab shared in advance "very limited amount of information, some of which appears to be inaccurate." He declined to say what was inaccurate exactly.
  • The Citizen Lab: In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy. —
  • techcrunch.com: Researchers name several countries as potential Paragon spyware customers
  • CyberInsider: Paragon’s Spyware ‘Graphite’ Used in WhatsApp Attacks
  • securityaffairs.com: WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware
  • Zack Whittaker: Researchers at Citizen Lab have named several countries as potential customers of Paragon's Graphite spyware, which Citizen Lab says was used in a widespread campaign targeting human rights defenders in Italy.
  • Metacurity: Australia, Canada, Cyprus, Denmark, Israel, and Singapore likely bought Paragon spyware, Citizen Lab
  • The Hacker News: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
  • BleepingComputer: WhatsApp patched zero-day flaw used in Paragon spyware attacks
  • Cyber Security 360: Italia spiata: svelata la rete dello spyware Paragon Graphite
  • hackread.com: Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit
  • The Register - Security: Paragon spyware deployed against journalists and activists, Citizen Lab claims
  • Christoffer S.: A First Look at Paragon's Proliferating Spyware Operations" investigates Paragon Solutions, an Israeli spyware vendor founded in 2019 that sells a product called Graphite.
  • IT-Connect: Une faille zero-click sur WhatsApp a été exploitée par un spyware de Paragon, à l'aide d'un simple document PDF.
  • Zack Whittaker: This week's edition of ~ this week in security ~ includes a look at Citizen Lab's report revealing Paragon spyware customers and victims, CISA scrambling to contact fired staff after court reverses layoffs, and Wiz joining Google Cloud. Plus, a brand new cyber cat, and more. Sign up/RSS: Read online: Donate/support:

@csoonline.com //
Three critical zero-day vulnerabilities have been discovered in VMware products, including ESXi, Workstation, and Fusion. Tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, these flaws are actively being exploited in the wild. Microsoft's Threat Intelligence Center (MSTIC) uncovered these vulnerabilities on March 4th. Chaining these three vulnerabilities together allows an attacker to escape a virtual machine and gain access to the ESXi hypervisor.

These vulnerabilities impact a wide range of VMware products, including VMware ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform. Successful exploitation could grant attackers unauthorized access to systems, enabling them to execute arbitrary code remotely and escalate privileges. VMware has released patches to address these issues, and CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate patching.

Recommended read:
References :
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
  • research.kudelskisecurity.com: Summary On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • fortiguard.fortinet.com: Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation.
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild The heap overflow zero-day in the memory unsafe code by Miss Creant Broadcom today pushed out patches for three VMware hypervisor-hijacking bugs, including one rated critical, that have already been found and exploited by criminals.…
  • Blog: Key Takeaways Three zero-day vulnerabilities have been discovered in VMware products, tracked as CVE-2025-22224 , CVE-2025-22225 , and CVE-2025-22226 . Nearly all supported and unsupported VMware products are impacted, including VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. Chaining these 3 vulnerabilities together allows an attacker to escape or “break outâ€� of a “childâ€� Virtual Machine (VM), gain access to the “parentâ€� ESXi Hypervisor, and potentially access any other accessible VM as well as gain access to the management network of the exposed VMware cluster.

Pierluigi Paganini@Security Affairs //
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.

Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.

Recommended read:
References :
  • CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether The post appeared first on .
  • Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
  • hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.

Alex Lekander@CyberInsider //
Serbian authorities reportedly used a Cellebrite-developed Android zero-day exploit chain to unlock the device of a student activist and attempt to install spyware. This exploit targeted vulnerabilities in Android, allowing authorities to bypass security measures. Amnesty International discovered the exploit after analyzing the student's phone, which prompted them to alert Google.

Google has since fixed three zero-day vulnerabilities in Android that were exploited by Cellebrite forensic tools. Following the reports of misuse for political reasons, Cellebrite blocked Serbia from further use of its solution. The company took action after claims emerged that the equipment was being used improperly.

Recommended read:
References :
  • infosec.exchange: NEW: Google fixed three zero-day vulnerabilities in Android that were used by authorities to unlock phones with Cellebrite forensic tools. The fixes come after Amnesty alerted Google, following the analysis of a Serbian student protester's phone.
  • bsky.app: Serbian authorities have reportedly used an Android zero-day exploit chain developed by Cellebrite to unlock the device of a student activist in the country and attempt to install spyware.
  • CyberInsider: Serbia Used Cellebrite Zero-Day Android Attack on Student Activist
  • securityaffairs.com: Cellebrite blocked Serbia from using its solution because misuse of the equipment for political reasons
  • techcrunch.com: Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On Friday, Amnesty International published a report detailing a chain of three zero-day vulnerabilities developed by phone-unlocking company Cellebrite, which its researchers found after investigating the hack of a student protester’s phone in Serbia. The
  • The Hacker News: Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone
  • infosec.exchange: Amnesty International has uncovered a sophisticated cyber-espionage campaign in Serbia, where authorities used Cellebrite kit with Linux USB CVE-2024-53104 exploit chained with 2 other CVEs to unlock the Android phone of a student activist
  • aboutdfir.com: Cellebrite cuts off Serbia over abuse of phone-cracking software against civil society
  • securityaffairs.com: Serbian student activist’s phone hacked using Cellebrite zero-day exploit
  • Talkback Resources: Cellebrite zero-day exploit used to target phone of Serbian student activist [app] [exp]

Pierluigi Paganini@Security Affairs //
Google has released the March 2025 Android Security Bulletin, which addresses 44 vulnerabilities. Notably, the update includes patches for two zero-day flaws, identified as CVE-2024-43093 and CVE-2024-50302, that are actively being exploited in the wild. The high-severity vulnerability CVE-2024-43093 is a privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 is also a privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

This security update arrives after reports surfaced that Serbian authorities used one of these zero-day vulnerabilities to unlock confiscated devices. Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation." The company has released two security patch levels to allow Android partners flexibility in addressing vulnerabilities across devices more quickly. The security patch levels are 2025-03-01 and 2025-03-05.

Recommended read:
References :
  • securityaffairs.com: Reports the release of Google's March 2025 Android security update, which addresses actively exploited zero-day vulnerabilities.
  • cyberinsider.com: Google Patches Two Actively Exploited Zero-Day Flaws in Android
  • The Hacker News: Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities.
  • bsky.app: Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices.
  • Information Security Buzz: Google Issues Urgent Alert for Exploited Android Vulnerabilities

do son@Daily CyberSecurity //
Microsoft has released a patch for a Windows kernel vulnerability, CVE-2025-24983, after it was exploited in the wild since March 2023. Cybersecurity firm ESET discovered the zero-day exploit being used to escalate privileges on compromised machines. The vulnerability, a "Use-after-Free" (UaF) flaw related to improper memory management, allows attackers to gain system-level access, enabling data exfiltration and remote access. Microsoft has assigned a severity score of 7.0 to the flaw, acknowledging that malicious actors had been exploiting it.

The patch addresses a long-standing security vulnerability in the Windows NT kernel subsystem, which has been actively exploited by hackers for two years. The primary targets are older Windows versions, including Windows 10 v1809 and Windows Server 2016, as well as Windows 8.1 and Server 2012 R2. It appears the complexity of exploitation contributed to the delay. This flaw enables attackers to escalate privileges from a low-level local account to system-level access, facilitating malicious activities. Microsoft confirms that this vulnerability does not affect newer operating systems such as Windows 11 and Windows Server 2019.

Recommended read:
References :
  • securityonline.info: Microsoft Patches 2-Year-Old Windows Kernel Flaw CVE-2025-24983 After Exploitation
  • The Hacker News: Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017
  • BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
  • Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
  • Sam Bent: Microsoft Windows Zero-Day Used by Nation-States
  • SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability

Pierluigi Paganini@Security Affairs //
Ransomware gangs are actively exploiting a zero-day flaw in the BioNTdrv.sys driver of Paragon Partition Manager. Microsoft has issued a warning about this actively exploited vulnerability, noting that attackers are leveraging it in ransomware attacks. Security researchers have uncovered five distinct vulnerabilities within the driver, which could allow malicious actors to escalate their privileges to SYSTEM level or cause denial-of-service (DoS) attacks.

These vulnerabilities include arbitrary kernel memory mapping and write issues, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. Attackers can exploit these weaknesses, particularly in BioNTdrv.sys versions 1.3.0 and 1.5.1, even on systems without Paragon Partition Manager installed, using the "Bring Your Own Vulnerable Driver" (BYOVD) technique. Paragon Software has released an updated driver, BioNTdrv.sys version 2.0.0, for its Hard Disk Manager family products starting from version 17.45.0, to address these critical flaws.

Recommended read:
References :
  • CyberInsider: Paragon Partition Manager Flaws Leveraged in Ransomware Attacks
  • gbhackers.com: Paragon Partition Manager Vulnerabilities Allow Attackers to Escalate Privileges and Trigger DoS Attacks
  • securityaffairs.com: Ransomware gangs exploit a Paragon Partition Manager BioNTdrv.sys driver zero-day
  • thehackernews.com: Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks
  • Cyber Security News: Paragon Partition Manager Vulnerabilities Let Attackers Escalate Privileges and Trigger DoS Attacks

Pierluigi Paganini@Security Affairs //
Microsoft has issued updates to address a critical vulnerability, CVE-2025-24989, impacting its Power Pages platform. This flaw, a high-severity issue, is already being actively exploited in the wild, allowing unauthorized access to websites. Threat actors can leverage the vulnerability to achieve privilege escalation within targeted networks and evade user registration controls, granting them unauthorized access to sites.

Microsoft reports that the vulnerability, CVE-2025-24989, only impacts certain Power Pages users. The company urges users to examine their websites for possible compromise. The U.S. CISA has added the Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
  • socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
  • www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
  • Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...

@csoonline.com //
Three critical zero-day vulnerabilities have been discovered in VMware products, leading to active exploitation in the wild. The vulnerabilities affect VMware ESXi, Workstation, and Fusion, potentially allowing attackers to execute arbitrary code and escalate privileges. Microsoft's Threat Intelligence Center (MSTIC) uncovered the vulnerabilities, and they have since been added to CISA's Known Exploited Vulnerabilities Catalog.

Affected VMware products include ESXi versions 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry CVSSv3 scores of 9.3, 8.2, and 7.1 respectively. Organizations using these VMware products are strongly advised to apply the available patches immediately to mitigate the risks associated with these flaws.

Recommended read:
References :
  • cyble.com: Three critical zero-day vulnerabilities in VMware products, affecting VMware ESXi, Workstation, and Fusion, were reported as exploited in the wild.
  • research.kudelskisecurity.com: Three critical zero-day vulnerabilities found in VMware products were actively being exploited in the wild.
  • MSSP feed for Latest: Multiple zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion products were identified and confirmed by VMware, with evidence of active exploitation.