CyberSecurity news

FlagThis - #zeroday

Pierluigi Paganini@securityaffairs.com //

Apple Patches Zero-Day Exploited by Paragon Spyware

Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.

The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist.

Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • infosec.exchange: NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.
  • Zack Whittaker: Citizen Lab have confirmed two journalists had their phones hacked with Paragon's Graphite spyware, likely by the same customer.
  • securityaffairs.com: Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks.
  • techcrunch.com: Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
  • The Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
  • infosec.exchange: Researchers found forensic evidence of Paragon's spyware on the iPhones of two journalists. One is Ciro Pellegrino, who works for Fanpage.
  • Zack Whittaker: NEW: Apple has confirmed in a now-updated February security advisory that it fixed a zero-day bug used in an "extremely sophisticated attack."
  • cyberinsider.com: New Zero-Click iMessage Exploit Infected iPhones with Paragon Spyware
  • securityaffairs.com: Apple confirmed that Messages app flaw was actively exploited in the wild
  • The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
  • Help Net Security: iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)
  • Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
  • Threats | CyberScoop: Predator spyware activity surfaces in new places with new tricks
  • Risky Business Media: Predator spyware alive despite US sanctions
  • www.scworld.com: New Predator spyware activity identified
  • cyberscoop.com: The spyware’s developer, Intellexa, has been under pressure due to sanctions and public disclosure, but Recorded Future uncovered fresh activity.
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
  • www.metacurity.com: Customers keep buying Predator spyware despite US sanctions
  • Schneier on Security: Paragon Spyware Used to Spy on European Journalists
  • citizenlab.ca: First forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted
  • thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
Classification:
@research.checkpoint.com //

Microsoft June 2025 Patch Tuesday Addresses Actively Exploited

Microsoft's June 2025 Patch Tuesday has addressed a total of 66 vulnerabilities across its product range, with one zero-day vulnerability, CVE-2025-33053, being actively exploited in the wild. This critical flaw exists in the Web Distributed Authoring and Versioning (WebDAV) implementation, and its exploitation could lead to remote code execution. Microsoft has issued an urgent security update to mitigate this threat, even for outdated systems like Windows Server 2008 and components of the long-retired Internet Explorer. The urgency of this patch is underscored by the ongoing exploitation of the vulnerability by the Stealth Falcon APT group.

The actively exploited zero-day, CVE-2025-33053, poses a significant risk because attackers can achieve remote code execution at the local level simply by tricking a user into following a malicious link. This vulnerability has been exploited since March 2025 by Stealth Falcon, a hacking group known for targeted attacks in the Middle East. Researchers at Check Point discovered the flaw being used against a Turkish defense company, where malware was inserted to facilitate data exfiltration and the installation of a custom keylogger. The attack involves a .url file disguised as a PDF, which, when clicked, redirects to a WebDAV server controlled by the attacker, causing a legitimate Windows diagnostic tool to execute a malicious file.

Alongside the actively exploited zero-day, Microsoft's June 2025 Patch Tuesday addresses a range of other vulnerabilities, including ten that are rated as "Critical". Another notable flaw, CVE-2025-33073, affects the Windows Server Message Block (SMB) client and could allow attackers to gain SYSTEM privileges. This vulnerability is considered less likely to be exploited but can be mitigated by enforcing server-side SMB signing via Group Policy. The updates also include fixes for vulnerabilities in Microsoft Office, .NET, Visual Studio, and other products, highlighting the breadth of the security update.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • isc.sans.edu: Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today.
  • BleepingComputer: Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
  • Tenable Blog: Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
  • cyberinsider.com: Microsoft's June 2025 Patch Tuesday addresses 66 vulnerabilities across its product suite, including a high-severity zero-day in the WebDAV service that is currently being exploited in the wild.
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Cisco Talos Blog: Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities
  • borncity.com: Summarizes the Microsoft security updates for June 10, 2025, noting the zero-day classification.
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 66 vulnerabilities, including an actively exploited zero-day
  • hackread.com: June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day
  • CyberInsider: Summary of the June 2025 Patch Tuesday release.
  • research.checkpoint.com: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • gbhackers.com: Microsoft Patch Tuesday June 2025 – 66 Vulnerabilities Patched Including 2 Zero-Day
  • cyberscoop.com: Reports on Microsoft patching 66 vulnerabilities, including an actively exploited zero-day.
  • bsky.app: This month, Microsoft patched 67 vulnerabilities, including one actively exploited zero-days—CVE-2025-33053, a WebDAV RCE discovered by Check Point
  • gbhackers.com: Microsoft Windows WebDAV 0-Day RCE Vulnerability Actively Exploited in The Wild
  • www.helpnetsecurity.com: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • Kaspersky official blog: CVE-2025-33053: RCE in WebDAV | Kaspersky official blog
  • The Hacker News: Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild
  • blog.checkpoint.com: Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day
  • Check Point Blog: Inside Stealth Falcon's Espionage Campaign Using a Microsoft Zero-Day
  • securityonline.info: Stealth Falcon Exploits New Zero-Day (CVE-2025-33053) in Sophisticated Cyberespionage Campaign
  • Blog: Microsoft’s June addressed 66 vulnerabilities. Notably, one of them has been actively exploited, and one other has been publicly disclosed.
  • go.theregister.com: Microsoft warns of 66 flaws to fix for this Patch Tuesday, and two are under active attack
  • arcticwolf.com: Arctic Wolf's blog covering the June 2025 Microsoft Patch Tuesday, mentioning CVE-2025-33053.
  • socprime.com: A new critical zero-day RCE vulnerability in Microsoft Windows, tracked as CVE-2025-33053, has been actively exploited by the Stealth Falcon (aka FruityArmor) APT group. The flaw leads to RCE by manipulating the system’s working directory.
  • www.bleepingcomputer.com: An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
  • arcticwolf.com: Arctic Wolf observes that Microsoft Patch Tuesday: June 2025 includes CVE-2025-33053.
  • Virus Bulletin: Check Point Research discovered a new campaign conducted by the APT group Stealth Falcon. The attack used a .url file that exploited a zero-day vulnerability (CVE-2025-33053) to execute malware from an actor-controlled WebDAV server.
  • borncity.com: Microsoft Security Update Summary (June 10, 2025)
  • www.threatdown.com: June 2025 Microsoft Patch Tuesday fixes two zero-days
  • Arctic Wolf: Microsoft Patch Tuesday: June 2025
  • Help Net Security: Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)
  • thecyberexpress.com: Microsoft Patch Tuesday June 2025: One Zero-Day, Nine High-risk Flaws Fixed
  • infosecwriteups.com: (CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution  —  Here’s What You…
  • Action1: June 2025 Vulnerability Digest Recording
  • 0patch Blog: Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)
  • Check Point Research: CVE-2025-33053, Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage
Classification:

Posts

Blogs

Research Tools