CyberSecurity news

FlagThis - #zeroday

CISO2CISO Editor 2@ciso2ciso.com - 50d
A critical zero-day vulnerability, CVE-2025-0282, is being actively exploited in the wild against Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The flaw is a stack-based buffer overflow that lets an unauthenticated remote attacker execute arbitrary code on a vulnerable appliance, which is why it carries a critical CVSS score of 9.0. Ivanti has confirmed that a limited number of Connect Secure appliances have already been targeted by this exploit. The company became aware of the activity through its Integrity Checker Tool (ICT) and has since released a patch for the Connect Secure product line.

Alongside CVE-2025-0282, Ivanti is also addressing CVE-2025-0283, a high-severity stack-based buffer overflow with a CVSS score of 7.0. This vulnerability requires a local authenticated attacker and allows privilege escalation. While no exploitation of CVE-2025-0283 has been observed, patches for all affected products are being developed, with fixes for Policy Secure and Neurons for ZTA Gateways expected on January 21. Ivanti urges all customers to apply the fix for Connect Secure (v22.7R2.5) immediately, and to perform a factory reset if the integrity checker shows signs of compromise. The company will share indicators of compromise with impacted customers to aid forensic investigations.

Recommended read:
References :
  • forums.ivanti.com: Security Advisory: Ivanti Connect Secure, Policy Secure, ZTA Gateways - CVE-2025-0282, CVE-2025-0283
  • www.helpnetsecurity.com: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)
  • ciso2ciso.com: CISO2CISO - CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • The Hacker News: The Hacker News - Ivanti Flaw CVE-2025-0282 Actively Exploited
  • ciso2ciso.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • securityonline.info: CVE-2025-0282 (CVSS 9.0): Ivanti Confirms Active Exploitation of Critical Flaw
  • Kevin Beaumont: Ivanti Connect Secure, Policy Secure & ZTA Gateways customers, it's time to upgrade again as there's another two zero days already being exploited in the wild - CVE-2025-0282 and CVE-2025-0283 Unauth code execution.
  • gbhackers.com: Ivanti 0-Day Vulnerability Exploited in Wild-Patch Now
  • CISA: So hot off the press that it's not live yet 🥵🔥🔥 (9.0 critical) A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
  • Pyrzout :vm:: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • securityboulevard.com: Alert of Buffer Overflow Vulnerabilities in Multiple Ivanti Products (CVE-2025-0282)
  • Pyrzout :vm:: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
  • Techmeme: Ivanti warns that a zero-day in its widely-used Connect Secure VPN service has been exploited to compromise the networks of its corporate customers
  • techcrunch.com: hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks
  • www.tenable.com: CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
  • ciso2ciso.com: Zero-day exploits plague Ivanti Connect Secure appliances for second year running – Source: go.theregister.com
  • Latest from TechRadar: Ivanti warns another critical security flaw is being attacked
  • www.bleepingcomputer.com: Banshee stealer evades detection using apple xprotect
  • watchTowr: Absolutely scathing review and rightful criticism of Ivanti as watchTowr successfully reproduces (9.0 critical) Ivanti Connect Secure Buffer Overflow Vulnerability.
  • securityonline.info: Ivanti Connect Secure Zero-Day Threat: 2,048 Vulnerable Devices and Critical Exploitation Details Unveiled
  • www.scworld.com: Active exploitation of Ivanti Connect Secure zero-day ongoing
  • ciso2ciso.com: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
  • Kevin Beaumont: WatchTowr have a good look at the latest Ivanti Pulse Secure zero day. Honestly? Don’t buy this product. It isn’t secure and they’re hiding problems.
  • securityaffairs.com: U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog
  • fortiguard.fortinet.com: Ivanti Connect Secure Zero-Day Vulnerability
  • labs.watchtowr.com: Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) - watchTowr Labs
  • Pyrzout :vm:: China’s UNC5337 Exploits a Critical Ivanti RCE Bug, Again – Source: www.darkreading.com
  • www.helpnetsecurity.com: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
  • Pyrzout :vm:: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
  • thecyberexpress.com: Ivanti Vulnerabilities Patches Roll Out - The Cyber Express
  • thecyberexpress.com: Ivanti Rolls Out Patches to Mitigate Exploits in Connect Secure, Policy Secure, and ZTA Gateways
  • arcticwolf.com: CVE-2025-0282: Critical Zero-Day Remote Code Execution Vulnerability Impacts Several Ivanti Products
  • Help Net Security: Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast
  • gbhackers.com: Gbhackers article about PoC release for Ivanti RCE vulnerability.

Iain Thomson@The Register - 17d
Apple has issued emergency security updates to address a zero-day vulnerability that was actively exploited in what the company describes as "extremely sophisticated" attacks targeting specific individuals. The vulnerability allowed attackers to disable USB Restricted Mode on locked iPhones and iPads, potentially enabling unauthorized data access. Apple's use of the term "extremely sophisticated" points to a highly complex and narrowly targeted campaign.

The updates, iOS 18.3.1 and iPadOS 18.3.1, fix a flaw that allowed USB Restricted Mode to be disabled on a locked device. This security feature, introduced in 2018, blocks data transfer over USB if the device has not been unlocked for seven days. The vulnerability was discovered by Bill Marczak of the Citizen Lab, who declined to comment further. While the identity of the attackers and their targets remains unknown, the case highlights the importance of updating devices promptly and raises concerns about forensic tools being misused to exploit such vulnerabilities.

Recommended read:
References :
  • cyberinsider.com: CyberInsider article on Apple Patches Zero-Day Exploit Targeting Locked iPhones
  • infosec.exchange: NEW: Apple released a fix for a zero-day bug for iOS and iPadOS that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” AFAIK this is the first time Apple uses "extremely sophisticated attack" in an official release. At this point, we don't know who abused the flaw, nor against whom.
  • techcrunch.com: NEW: Apple has released updates for iPhone and iPad to fix a bug that Apple says was used in an "extremely sophisticated attack" against certain individuals.
  • PCMag UK security: Apple Patches 'Extremely Sophisticated Attack' That Can Hit iPhones
  • securityaffairs.com: SecurityAffairs article on iPhone and iPad bug exploited in sophisticated attacks
  • The Register - Security: Apple warns 'extremely sophisticated attack' may be targeting iThings
  • cyble.com: The Cyber Security Agency of Singapore (CSA) has recently issued a regarding the active exploitation of a zero-day vulnerability in a range of Apple products. This critical is being actively targeted, and Apple has released timely security updates to address the issue.
  • Zack Whittaker: Apple has released updates for iPhone and iPad to fix a bug that Apple says was used in an "extremely sophisticated attack" against certain individuals. According to the release, the attack may need physical access to a device.
  • TidBITS: Apple has released iOS 18.3.1 and iPadOS 18.3.1 to patch a vulnerability that disables USB Restricted Mode. While the risk is low for most users, high-profile targets like activists and journalists should update immediately.
  • thecyberexpress.com: The Cyber Express: Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update
  • cyble.com: Apple issues an urgent security advisory for iOS and iPadOS vulnerabilities
  • support.apple.com: APPLE-SA-02-10-2025-1 iOS 18.3.1 and iPadOS 18.3.1
  • www.pcmag.com: News about Apple patching an extremely sophisticated attack that can hit iPhones.
  • readwrite.com: Apple releases iOS 18.3.1 to update security flaw in ‘sophisticated attack’
  • arstechnica.com: Updates may also re-enable Apple Intelligence for those who turned it off.
  • www.engadget.com: A new iPhone update patches a flaw that could allow an attacker to turn off a nearly seven-year-old .
  • Ars OpenForum: Updates may also re-enable Apple Intelligence for those who turned it off.
  • www.scworld.com: Such a vulnerability — which was discovered and reported by the University of Toronto Munk School of Global Affairs' The Citizen Lab — affects iPhone XS and later, iPad 7th generation and later, iPad mini 5th generation and later, all iPad Pro 11-inch generations, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd gen and later, and iPad Air 3rd generation and later.

Zeljka Zorz@Help Net Security - 28d
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.

GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program which allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands which could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.

Recommended read:
References :
  • gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
  • The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
  • Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
  • thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability | The DefendOps Diaries
  • www.helpnetsecurity.com: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
  • ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers – Source: www.darkreading.com
  • BleepingComputer: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.
  • securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
  • www.bleepingcomputer.com: Hackers exploit critical unpatched flaw in Zyxel CPE devices
  • Zyxel's security advisory confirms the existence of , , and affecting end-of-life DSL CPE products.
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
  • SecurityWeek: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
  • www.securityweek.com: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
  • vulnerability.circl.lu: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
  • The GreyNoise Blog: Active exploitation of zero-day Zyxel CPE vulnerability (CVE-2024-40891)
  • www.zyxel.com: Zyxel security advisory confirms the existence of command injection and insecure default credentials vulnerabilities affecting end-of-life DSL CPE products.
  • Dataconomy: If you own these Zyxel devices uninstall them now: No fix is coming

MalBot@malware.news - 50d
Check Point Research has identified a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals that targets macOS users. This updated version of the Banshee stealer uses the same string encryption algorithm as Apple's XProtect antivirus engine, allowing it to evade detection. The stealer operates as a 'stealer-as-a-service' and is used to steal browser credentials, cryptocurrency wallets, user passwords, and sensitive file data. It was initially distributed through malicious GitHub repositories and phishing websites which also targeted Windows users with Lumma Stealer.

The Banshee malware has seen a number of changes, with its original source code being leaked on underground forums, which ultimately led to the author shutting down their operations. Despite the shutdown, threat actors continue to distribute this new version of Banshee via phishing websites. The malware is designed to infiltrate macOS systems by using anti-analysis methods to evade debugging tools and antivirus engines by blending into legitimate processes. It has the ability to compromise cryptocurrency wallets, steal sensitive data, and deceive users with fake pop-ups to reveal their passwords.

Recommended read:
References :
  • ciso2ciso.com: New Mirai Botnet Exploits Zero-Days in Routers and Smart Devices – Source: www.infosecurity-magazine.com
  • malware.news: Industrial router zero-day leveraged by new Mirai-based botnet
  • www.scworld.com: Industrial router zero-day leveraged by new Mirai-based botnet
  • gbhackers.com: Mirai Botnet Variant Exploits Zero-Day Vulnerabilities in Routers
  • securityonline.info: “Gayfemboy” Botnet Leveraging 0-Day Exploit in Four-Faith Industrial Routers
  • Check Point Research: Since September, Check Point Research has been monitoring a new version of the Banshee macOS stealer, a malware linked to Russian-speaking cyber criminals targeting macOS users.
  • malware.news: Banshee: The Stealer That “Stole Code” From MacOS XProtect
  • research.checkpoint.com: Banshee: The Stealer That “Stole Code” From MacOS XProtect
  • securityonline.info: Malware Alert: Banshee Stealer Targets macOS Users
  • www.bleepingcomputer.com: Banshee stealer evades detection using Apple XProtect encryption algo
  • www.sentinelone.com: Banshee: The Stealer That “Stole Code” From MacOS XProtect
  • Thomas Roccia :verified:: 🧐 CheckPoint recently released a macOS malware analysis report about the Banshee Stealer!
  • it-online.co.za: Banshee Stealer targets macOS users
  • ciso2ciso.com: Banshee 2.0 Malware Steals Apple’s Encryption to Hide on Macs – Source: www.darkreading.com
  • securityaffairs.com: Banshee macOS stealer supports new evasion mechanisms
  • 9to5Mac: Security Bite: macOS malware ‘Banshee’ found using Apple’s own code to evade detection
  • 9to5mac.com: Security Bite: macOS malware ‘Banshee’ found using Apple’s own code to evade detection
  • ciso2ciso.com: Banshee Stealer Hits macOS Users via Fake GitHub Repositories – Source:hackread.com
  • Latest from TechRadar: This devious macOS malware is evading capture by using Apple's own encryption
  • Pyrzout :vm:: Banshee 2.0 Malware Steals Apple’s Encryption to Hide on Macs – Source: www.darkreading.com
  • ciso2ciso.com: Malware targets Mac users by using Apple’s security tool – Source: www.csoonline.com

info@thehackernews.com (The Hacker News)@The Hacker News - 17d
The cybercrime group XE Group has shifted its tactics from credit card skimming to exploiting zero-day vulnerabilities, with a recent focus on VeraCore software. This involves deploying reverse shells and web shells to maintain persistent remote access to compromised systems, targeting supply chains in the manufacturing and distribution sectors. The group has been active since at least 2010, marking a significant shift in their operational priorities towards targeted information theft.

The vulnerabilities exploited include CVE-2024-57968, an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. These shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, enabling file system enumeration, data exfiltration, and the execution of SQL queries. The exploitation activity was discovered in November 2024, with evidence suggesting the group leveraged CVE-2025-25181 as early as 2020.

Recommended read:
References :
  • securityaffairs.com: XE Group shifts from credit card skimming to exploiting zero-days
  • The Hacker News: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells
  • ciso2ciso.com: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells – Source:thehackernews.com
  • Blog: Article about the XE group exploiting Veracore zero-day to deploy persistent web shells.
  • www.scworld.com: Report details how XE Group exploited a VeraCore zero-day to deploy reverse shells and web shells.
  • SOC Prime Blog: SOCRadar: Detect XE Group Attacks
  • intezer.com: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • socprime.com: XE Group, likely a Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade is believed to be behind the exploitation of a couple of VeraCore zero-day vulnerabilities.
  • Virus Bulletin: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • securityaffairs.com: The cybercrime group XE Group exploited a VeraCore zero-day to deploy reverse shells, web shells in recent attacks.
  • securityaffairs.com: Analysis of the XE Group's recent operations and their use of VeraCore zero-day vulnerabilities to deploy reverse shells and web shells.

TIGR Threat Watch@Security Risk Advisors - 50d
Multiple vulnerabilities have been discovered in Palo Alto Networks' Expedition migration tool, posing significant security risks. These flaws could allow attackers to gain unauthorized access to sensitive data such as usernames, cleartext passwords, device configurations, and API keys associated with firewalls running PAN-OS software. An OS command injection vulnerability, identified as CVE-2025-0107, allows authenticated attackers to execute arbitrary OS commands, potentially leading to data breaches and system compromise. Other vulnerabilities include SQL injection (CVE-2025-0103), reflected cross-site scripting (CVE-2025-0104), arbitrary file deletion (CVE-2025-0105) and a wildcard expansion enumeration (CVE-2025-0106).

The Expedition tool, intended for firewall migration and optimization, reached its End of Life (EoL) on December 31, 2024, and is no longer supported or updated. Organizations are strongly advised to transition away from using Expedition and to explore alternative migration tools. While Palo Alto Networks has released patches in versions 1.2.100 and 1.2.101, no further updates are planned for the tool. Until users can migrate, it is recommended to restrict network access to Expedition to only authorized users, hosts, and networks, or to shut down the service if it's not in use.

Recommended read:
References :
  • gbhackers.com: Palo Alto Networks Expedition Tool Vulnerability Let Attackers Access Cleartext Passwords
  • Palo Alto Networks security advisories 08 January 2025: Expedition: Multiple Vulnerabilities in Expedition Migration Tool Lead to Exposure of Firewall Credentials
  • securityonline.info: CISA Alerts on Actively Exploited Vulnerabilities in Mitel MiCollab and Oracle WebLogic Server
  • ciso2ciso.com: Mitel 0-day, 5-year-old Oracle RCE bug under active exploit – Source: go.theregister.com
  • The Hacker News: CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
  • Latest from TechRadar: CISA says Oracle and Mitel have critical security flaws being exploited
  • securityonline.info: Multiple Vulnerabilities Found in Palo Alto Networks Expedition Tool
  • socca.tech: CVE-2025-0107: (Palo Alto Networks Expedition: Medium)
  • Security Risk Advisors: Multiple Vulnerabilities in Palo Alto Networks Expedition Tool Allow Exposure of Firewall Credentials

@www.bleepingcomputer.com - 19d
Attackers are actively exploiting a deserialization vulnerability, identified as CVE-2025-0994, in Trimble’s Cityworks Server AMS. This flaw allows for remote code execution on Microsoft IIS web servers. The exploitation involves hackers deploying Cobalt Strike beacons for initial network access after gaining the ability to remotely execute commands. Cityworks is primarily used by local governments, utilities, and public works organizations for asset and work order management.

CISA has added the Cityworks vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply the necessary updates and search for indicators of compromise. Separately, Microsoft has warned of code injection attacks that use publicly disclosed ASP.NET machine keys to deliver the Godzilla post-exploitation framework. Microsoft advises against copying keys from publicly available resources: publicly disclosed keys pose a higher risk than stolen keys because they are available in multiple code repositories.
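The audit check that follows from that advice, as an added example (not code from the page, from Microsoft or from Trimble): parse a web.config, pull out every machineKey element, and flag keys whose hash appears in a denylist of publicly circulated keys or that use weak validation or decryption algorithms. The denylist entries and both sample configs are constructed placeholders, not real leaked keys.

```python
"""Audit the <machineKey> entries of an ASP.NET web.config against a denylist of
publicly circulated keys (added example; not code from the page, Microsoft or
Trimble). The denylist entries and both sample configs below are constructed."""
import hashlib
import xml.etree.ElementTree as ET


def key_fingerprint(hex_key: str) -> str:
    """SHA-256 of the normalised hex key, so a denylist can be shared
    without distributing the raw key material itself."""
    return hashlib.sha256(hex_key.strip().upper().encode("ascii")).hexdigest()


# Constructed stand-ins for a key pair that has circulated publicly. They are
# not real leaked keys; a production denylist would be loaded from a vendor
# published list of key hashes instead of being hard-coded here.
_PUBLIC_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars = 64 bytes
_PUBLIC_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 64 hex chars = 32 bytes
KNOWN_PUBLIC_KEY_HASHES = {
    key_fingerprint(_PUBLIC_VALIDATION_KEY),
    key_fingerprint(_PUBLIC_DECRYPTION_KEY),
}

# Algorithms that should be replaced by HMACSHA256 / AES.
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}


def find_machine_keys(config_xml: str) -> list[dict]:
    """Return the attributes of every <machineKey> in the config, including
    overrides nested under <location>, in document order."""
    root = ET.fromstring(config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def _is_hex(value: str) -> bool:
    if not value or len(value) % 2:
        return False
    try:
        bytes.fromhex(value)
    except ValueError:
        return False
    return True


def audit_machine_key(attrs: dict, denylist=KNOWN_PUBLIC_KEY_HASHES) -> list[str]:
    """Findings for a single <machineKey>; an empty list means nothing alarming."""
    findings = []
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # generated per machine at runtime; nothing public to match
        if not _is_hex(value):
            findings.append(f"{name}: value is not a valid hex string")
            continue
        if key_fingerprint(value) in denylist:
            findings.append(f"{name}: matches a publicly disclosed key; rotate it")
    validation = attrs.get("validation", "HMACSHA256").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation: {validation} is weak; use HMACSHA256")
    decryption = attrs.get("decryption", "Auto").upper()
    if decryption in WEAK_DECRYPTION:
        findings.append(f"decryption: {decryption} is weak; use AES")
    return findings


def audit_config(config_xml: str, denylist=KNOWN_PUBLIC_KEY_HASHES) -> list[str]:
    """Audit every <machineKey> in a web.config; each finding is prefixed with
    the index of the element it refers to."""
    findings = []
    for i, attrs in enumerate(find_machine_keys(config_xml)):
        findings.extend(f"machineKey[{i}] {f}" for f in audit_machine_key(attrs, denylist))
    return findings


# Constructed sample: the site-wide key is fine, but a <location> override
# for a legacy path pastes in the publicly circulated pair with SHA1 validation.
SAMPLE_LEAKED_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'9F3E7A1C5B2D8E4F6A0C3B7D1E9F5A2C' * 4}"
                decryptionKey="{'4D2A9C7E1F3B6A8D0E5C2F9B7A4D1E3C' * 2}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <location path="legacy">
    <system.web>
      <machineKey validationKey="{_PUBLIC_VALIDATION_KEY}"
                  decryptionKey="{_PUBLIC_DECRYPTION_KEY}"
                  validation="SHA1" decryption="AES" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample with no explicit key: ASP.NET auto-generates one per machine.
SAMPLE_CLEAN_CONFIG = "<configuration><system.web/></configuration>"

if __name__ == "__main__":
    for line in audit_config(SAMPLE_LEAKED_CONFIG):
        print(line)
```

Run against the real web.config files of each IIS site (and any location overrides), replacing the constructed denylist with a vendor-published hash list; a match on a publicly circulated key calls for immediate key rotation, not just a config edit.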

Recommended read:
References :
  • : CISA puts out a standalone security alert about Trimble Cityworks Server Asset Management System (AMS).
  • securityaffairs.com: U.S. CISA adds Trimble Cityworks flaw to its Known Exploited Vulnerabilities catalog
  • securityonline.info: CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild
  • Anonymous :af:: Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • www.bleepingcomputer.com: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • BleepingComputer: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • bsky.app: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • Anonymous :af:: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • therecord.media: Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts

Pierluigi Paganini@Security Affairs - 4d
Microsoft has issued updates to address a critical vulnerability, CVE-2025-24989, impacting its Power Pages platform. This flaw, a high-severity issue, is already being actively exploited in the wild, allowing unauthorized access to websites. Threat actors can leverage the vulnerability to achieve privilege escalation within targeted networks and evade user registration controls, granting them unauthorized access to sites.

Microsoft reports that the vulnerability, CVE-2025-24989, only impacts certain Power Pages users. The company urges users to examine their websites for possible compromise. The U.S. CISA has added the Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
  • socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
  • www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
  • Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...

info@thehackernews.com (The Hacker News)@The Hacker News - 23d
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write in the uvc_parse_format() function of uvc_driver.c, triggered when parsing UVC_VS_UNDEFINED frames. The flaw has been present since Linux kernel version 2.6.26, released in mid-2008, and could lead to memory corruption, crashes, or arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.

Recommended read:
References :
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

Zeljka Zorz@Help Net Security - 21d
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.

GreyNoise has observed attackers actively exploiting these vulnerabilities, including by Mirai-based botnets. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and even available for purchase. Zyxel recommends replacing these devices with newer models and disabling Telnet access as immediate action. The default credentials such as "supervisor:zyad1234" and "zyuser:1234" are particularly problematic, providing easy access for attackers.

Recommended read:
References :
  • securityonline.info: Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch!
  • Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
  • securityonline.info: Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
  • vulnerability.circl.lu: A new bundle, Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
  • BleepingComputer: Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.

@Full Disclosure - 17d
Apple has released security updates, iOS 18.3.1 and iPadOS 18.3.1, to address a vulnerability in USB Restricted Mode. The company warns that this flaw "may have been exploited in an extremely sophisticated attack against specific targeted individuals." This unusually strong language from Apple suggests the seriousness of the threat, as they typically use more reserved terms when describing exploited vulnerabilities. Security researcher Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School reported the flaw.

The vulnerability, identified as CVE-2025-24200, allows a physical attack to disable USB Restricted Mode on a locked device. USB Restricted Mode is a security feature introduced in iOS 11.4.1 that prevents USB accessories from accessing a device's data if it hasn't been unlocked for an hour. The new updates patch this flaw, preventing attackers from turning off the security feature. Users are advised to update their devices to iOS 18.3.1, iPadOS 18.3.1 or iPadOS 17.7.5 to mitigate the risk.

Recommended read:
References:

@securityonline.info - 31d
Apple has released emergency security updates to address a critical zero-day vulnerability, identified as CVE-2025-24085, which is actively being exploited in the wild. The flaw impacts a wide array of Apple products, including iPhones, iPads, Macs, Apple Watches, Apple TVs, and devices running visionOS. This vulnerability, found within the Core Media framework, a core component of Apple's media processing pipeline, can potentially allow malicious applications to gain elevated privileges on affected devices. Apple has acknowledged reports of the issue being actively exploited against versions of iOS before 17.2, underscoring the urgency of the situation.

The updates, designated iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, and visionOS 2.3, address the vulnerability through improved memory management. Affected devices include iPhone XS and later, various iPad models including the iPad Pro, iPad Air, and iPad mini (specific generations detailed in Apple's advisory), Macs running macOS Sequoia, Apple Watch Series 6 and later, and all models of Apple TV HD and Apple TV 4K. Users are strongly advised to update their devices immediately to protect against potential exploits. Apple has not yet disclosed further details about the attacks or the researcher who discovered the vulnerability.

Recommended read:
References:
  • securityonline.info: CVE-2025-24085: Apple Patches Actively Exploited Zero-Day Vulnerability
  • ciso2ciso.com: Apple Patches Actively Exploited Zero-Day Vulnerability
  • ApplSec: EMERGENCY UPDATE: Apple pushed updates for a new zero-day that may have been actively exploited. CVE-2025-24085 (CoreMedia): iOS and iPadOS 18.3, macOS Sequoia 15.3, tvOS 18.3, watchOS 11.3
  • securityonline.info: Apple Patches Actively Exploited Zero-Day Vulnerability
  • www.helpnetsecurity.com: Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085)
  • Pyrzout: Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085)
  • ciso2ciso.com: Apple fixed the first actively exploited zero-day of 2025 – Source: securityaffairs.com

Stefan Hostetler, Julian Tuin, Trevor Daher, Jon Grimm, Alyssa Newbury, Joe Wedderspoon, and Markus @Arctic Wolf - 43d
A new hacking group, known as Belsen Group, has leaked configuration files and VPN credentials for over 15,000 FortiGate firewall devices. The data, which includes full configuration dumps, device management certificates and even some plaintext passwords, was made freely available on the dark web. Security researcher Kevin Beaumont first brought the issue to light, and CloudSEK later confirmed it, noting that the leak primarily affected FortiGate 7.0.x and 7.2.x devices.

The Belsen Group is believed to have been active since 2022, despite only recently appearing on social media and cybercrime forums. The leaked data was likely collected in 2022 using a zero-day exploit, specifically CVE-2022-40684, and was only released in January 2025. This means that even organizations that have since patched may still be at risk if their configurations were captured by Belsen Group in 2022: the credentials, certificates and firewall rules in those dumps remain valid until they are rotated or changed. The exposure of this data poses a significant security risk to affected organizations.

Recommended read:
References:
  • ciso2ciso.com: Ciso2Ciso news about new hacking group leaks configuration of 15,000 Fortinet Firewalls.
  • Kevin Beaumont: Cyberplace.Social post by GossiTheDog about Fortigate config data leak.
  • www.bleepingcomputer.com: BleepingComputer Article about hackers leak configs and VPN credentials for 15,000 FortiGate devices.
  • CySec Feeds: RT @S0ufi4n3: “2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.”
  • www.theregister.com: 15,000 FortiGate Firewall Configurations Leaked by Belsen Group