@securityonline.info
//
A critical security vulnerability has been discovered in Active! Mail, a web-based email client popular among large Japanese organizations. The vulnerability, identified as CVE-2025-42599, is a stack-based buffer overflow that allows remote attackers to execute arbitrary code on affected systems. This flaw, which has a CVSS score of 9.8, poses a significant threat to over 2,250 organizations in Japan, potentially impacting more than 11 million accounts. The severity of this vulnerability stems from the fact that it can be exploited by unauthenticated attackers, meaning they do not need any login credentials to carry out an attack.
This zero-day remote code execution vulnerability is actively being exploited in attacks targeting large organizations in Japan. Successful exploitation of CVE-2025-42599 can lead to full server compromise, data theft, service disruption, or the installation of malware. Given that Active! Mail is a vital component in many Japanese-language business environments, including corporations, universities, government agencies, and banks, the potential impact is substantial. It is crucial to note that Active! mail is used in over 2,250 organizations, boasting over 11,000,000 accounts, making it a significant player in the country's business webmail market.
In response to the active exploitation of this vulnerability, Qualitia, the developer of Active! Mail, released a security bulletin and a corrective patch on April 18, 2025. Users are strongly urged to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible to mitigate the risk. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory emphasizing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends configuring Web Application Firewalls (WAF) to inspect HTTP request bodies and block excessively large multipart/form-data headers as a temporary mitigation strategy.
Recommended read:
References :
- bsky.app: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
- securityonline.info: CVE-2025-42599: Critical Buffer Overflow in Active! mail Exploited in the Wild
- The DefendOps Diaries: Explore the critical Active! Mail vulnerability impacting over 11 million accounts, highlighting the need for robust cybersecurity measures.
- BleepingComputer: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
- securityonline.info: CVE-2025-42599: Critical Buffer Overflow in Active! mail Exploited in the Wild
info@thehackernews.com (The@The Hacker News
//
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.
Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.
The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities.
Recommended read:
References :
- isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
- The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
- Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
- BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
- Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
- Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
- CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
- bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
- The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
- Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
- thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
- cyberinsider.com: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
- www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
- BleepingComputer: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
- bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
- Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
- Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
- Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
- isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
- krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
- securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
- securityonline.info: Windows CLFS Zero-Day Exploited to Deploy Ransomware
- securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
- www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
- Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
- The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
- www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
- The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
- securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
- Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
- arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.Â
- Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE 2025-29824 .
- Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
- Security | TechRepublic: One CVE was used against “a small number of targets.†Windows 10 users needed to wait a little bit for their patches.
- www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
- Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
- Arctic Wolf: Microsoft Patch Tuesday: April 2025
- www.logpoint.com: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
- arcticwolf.com: Microsoft Patch Tuesday: April 2025
- ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
- Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
- cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
- www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
- Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed
Bill Mann@CyberInsider
//
Google has released its April 2025 Android security update, addressing a total of 62 vulnerabilities. This includes fixes for two actively exploited zero-day vulnerabilities. The security bulletin addresses vulnerabilities across system components, the Linux kernel, and third-party hardware drivers, highlighting the importance of applying updates promptly. The two high-severity zero-days were reportedly used in targeted surveillance operations.
The exploited vulnerabilities are identified as CVE-2024-53150 and CVE-2024-53197. CVE-2024-53150 is an Android Kernel information disclosure vulnerability caused by an out-of-bound read weakness, potentially allowing local attackers to access sensitive information. CVE-2024-53197 is a high-severity privilege escalation flaw in the Linux kernel’s USB-audio driver for ALSA devices.
The privilege escalation flaw, CVE-2024-53197, was reportedly exploited by Serbian authorities to unlock confiscated Android devices. This was part of a zero-day exploit chain developed by Cellebrite, an Israeli digital forensics company. The exploit chain also included CVE-2024-53104, patched in February 2025, and CVE-2024-50302, patched last month. With this latest update, all three vulnerabilities in that chain are now fixed. Users are advised to apply the updates as soon as they are released by Android original equipment manufacturers (OEMs).
Recommended read:
References :
- CyberInsider: Google Patches Actively Exploited Android Zero-Day Vulnerabilities
- discuss.privacyguides.net: Google just fixed two critical Android zero-days and 60 other flaws
- The Hacker News: Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities
- BleepingComputer: Google fixes Android zero-days exploited in attacks, 60 other flaws
- securityaffairs.com: Google addressed 62 vulnerabilities with the release of Android ‘s April 2025 security update, including two actively exploited zero-days.
- cyberinsider.com: Google’s April 2025 Android Security Bulletin addresses 60 vulnerabilities across system components, the Linux kernel, and third-party hardware drivers, including two high-severity zero-days that have been actively exploited in targeted surveillance operations.
- Threats | CyberScoop: Google addresses 2 actively exploited vulnerabilities in security update
- techcrunch.com: Google fixes two Android zero-day bugs actively exploited by hackers
- Malwarebytes: Google fixes two actively exploited zero-day vulnerabilities in Android
- cyberscoop.com: Google addresses 2 actively exploited vulnerabilities in security update
- techcrunch.com: Google fixes two Android zero-day bugs actively exploited by hackers
- MSSP feed for Latest: Google Patches Two Zero-Days in April 2025 Android Security Update
- infosec.exchange: NEW: Google has pushed out patches for two zero-days that were being (and may still be) exploited in the wild. Amnesty previously found that one of them was being used against a student activist in Serbia, by Serbian authorities armed with Cellebrite.
- Cyber Security News: Google addressed 62 vulnerabilities with the release of Android ‘s April 2025 security update, including two actively exploited zero-days.
Bill Mann@CyberInsider
//
Apple has released a series of critical security updates for its operating systems, including iOS 18.4 and macOS Sequoia 15.4. These updates address a total of 145 vulnerabilities, including several zero-day exploits that may have been actively exploited. Users of iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode are urged to update their devices immediately to safeguard against potential security threats. Notably, watchOS was missing from this patch lineup.
Apple pushed emergency updates targeting three zero-day vulnerabilities identified as CVE-2025-24200 (Accessibility) and CVE-2025-24201 (WebKit). These patches have been backported to older iOS and iPadOS versions, specifically 15.8.4 and 16.7.11, ensuring that users on older devices are also protected from these actively exploited flaws. The updates include fixes for bugs in WebKit, Siri, Safari, and libxpc, along with numerous other security enhancements, underscoring Apple's commitment to addressing security vulnerabilities across its product ecosystem.
Recommended read:
References :
- bsky.app: EMERGENCY UPDATES Apple pushed additional updates for 3 zero-days that may have been actively exploited. CVE-2025-24200 (Accessibility) additional patches, CVE-2025-24201 (WebKit) additional patches: - iOS and iPadOS 15.8.4 - iOS and iPadOS 16.7.11
- CyberInsider: Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws.
- isc.sans.edu: Apple Patches Everything: March 31st 2025 Edition, (Mon, Mar 31st)
- The Apple Post: Apple releases iOS 18.4 with Priority Notifications feature, Control Center updates, new emoji, more
- bsky.app: NEW SECURITY CONTENT - macOS Sequoia 15.4 - 131 bugs fixed macOS Sonoma 14.7.5 - 91 bugs fixed macOS Ventura 13.7.5 - 85 bugs fixed iOS and iPadOS 18.4 - 62 bugs fixed visionOS 2.4 - 38 bugs fixed iPadOS 17.7.6 - 38 bugs fixed tvOS 18.4 - 36 bugs fixed
- securityaffairs.com: Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions. The three vulnerabilities are: Apple released the following updates: that are available for the following devices:
- The Register - Security: Apple belatedly patches actively exploited bugs in older OSes
- thecyberexpress.com: Apple Backports Zero-Day Patches to Older Devices in Latest Security Update
- The Hacker News: Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices
Pierluigi Paganini@Security Affairs
//
Apple released a substantial set of security updates on March 31st, 2025, addressing a total of 145 vulnerabilities across its product ecosystem, including iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode. Notably absent from this update was watchOS. The updates included backported fixes for three actively exploited zero-day vulnerabilities, specifically targeting older iOS and iPadOS versions. These vulnerabilities had already been addressed in more recent versions a few weeks prior.
The most critical fix is for CVE-2025-24200, a vulnerability that allowed attackers to bypass USB Restricted Mode. This feature, introduced in 2018 to protect locked iDevices, could be disabled, potentially exposing user data. Another significant fix addresses CVE-2025-24201, a flaw in the WebKit engine that allowed malicious web content to escape Safari's sandbox. Additionally, macOS Ventura received a patch for CVE-2025-24085, a privilege escalation vulnerability in CoreMedia. These updates are now available for iOS versions 16.7.11 and 15.8.4, iPadOS versions 16.7.11 and 15.8.4, and macOS Ventura 13.7.5.
Recommended read:
References :
- The Register - Security: Apple belatedly patches actively exploited bugs in older OSes
- securityaffairs.com: Apple backported fixes for three actively exploited flaws to older devices
- thecyberexpress.com: Apple Backports Zero-Day Patches to Older Devices in Latest Security Update
- The Hacker News: Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices
- CyberInsider: Apple Backports Zero-Day Fixes to Older iOS and macOS Versions
- Full Disclosure: APPLE-SA-03-31-2025-6 iOS 15.8.4 and iPadOS 15.8.4
- Security | TechRepublic: Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities
Pierluigi Paganini@Security Affairs
//
Apple has released security updates to address actively exploited zero-day vulnerabilities impacting older iPhones and Macs. The patches aim to fix flaws that could allow malicious actors to elevate privileges or execute arbitrary code on affected devices. These updates address CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, and are now available for iOS 15.8.4, iPadOS 15.8.4, iOS 16.7.11, iPadOS 16.7.11, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5.
The vulnerabilities include a use-after-free bug in the Core Media component (CVE-2025-24085), an authorization issue in the Accessibility component (CVE-2025-24200), and an out-of-bounds write issue in the WebKit component (CVE-2025-24201). Apple addressed the flaw in iOS 18.3.1, iPadOS 18.3.1, and 17.7.5, released on February 10, 2025. CVE-2025-24200 specifically allowed attackers with physical access to locked devices to disable USB Restricted Mode. Users of older devices, including iPhone 6s, iPhone 7, iPhone 8, iPhone X, iPad Air 2, and various iPad Pro models, are urged to update their systems to safeguard against potential threats.
Recommended read:
References :
- securityaffairs.com: Apple backported fixes for three actively exploited flaws to older devices
- The Hacker News: Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices
- BleepingComputer: Apple backports zero-day patches to older iPhones and Macs
- The Register - Security: Apple belatedly patches actively exploited bugs in older OSes
- thecyberexpress.com: Apple Backports Zero-Day Patches to Older Devices in Latest Security Update
do son@Daily CyberSecurity
//
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.
RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.
Recommended read:
References :
- securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
- Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
- bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
- thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
- securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
- Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
- : It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
- www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
- : CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
- thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
- Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.
- The Register - Security: CISA spots spawn of Spawn malware targeting Ivanti flaw
- Arctic Wolf: CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation
- cert.europa.eu: 2025-016: Critical Vulnerability in Ivanti Products
- securityonline.info: CVE-2025-22457: UNC5221 Exploits Ivanti Zero-Day Flaw to Deploy TRAILBLAZE and BRUSHFIRE Malware
- Help Net Security: Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
- securityaffairs.com: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
- The Register - Security: Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
- www.bleepingcomputer.com: Ivanti patches Connect Secure zero-day exploited since mid-March
- BleepingComputer: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
- Threats | CyberScoop: China-backed espionage group hits Ivanti customers again
- www.scworld.com: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat
- The Hacker News: Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
- bsky.app: Mandiant links the exploitation of a Connect Secure vulnerability to a China-linked APT (UNC5221).
- bsky.app: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
- research.kudelskisecurity.com: CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
- Arctic Wolf: Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways
- Vulnerable U: The vulnerability affects many versions of Ivanti appliances and is being exploited by a Chinese actor
- darkwebinformer.com: CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
@The DefendOps Diaries
//
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.
Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.
Recommended read:
References :
- www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
- doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
- www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
- www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
- Techzine Global: Oracle acknowledged the breach related to their health tech division.
- www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
- DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
- infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
- Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
- aboutdfir.com: Oracle Health breach compromises patient data at US hospitals A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […] The post appeared first on .
- techcrunch.com: Oracle under fire for its handling of separate security incidents
- techxplore.com: Oracle warns health customers of patient data breach
- The Register - Security: 1990s incident response in 2025 Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
- : Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
- SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
- Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
Sergiu Gatlan@BleepingComputer
//
Google has released a critical security update for its Chrome browser to address a high-severity zero-day vulnerability, identified as CVE-2025-2783. This vulnerability was actively exploited in a sophisticated espionage campaign targeting Russian organizations, specifically media companies, educational institutions, and government entities. According to Kaspersky, the vulnerability allowed attackers to bypass Chrome’s sandbox protections, gaining unauthorized access to affected systems without requiring further user interaction. This incident marks the first actively exploited Chrome zero-day since the start of the year, underscoring the persistent threat landscape faced by internet users.
Kaspersky's investigation, dubbed "Operation ForumTroll," revealed that the attacks were initiated through personalized phishing emails disguised as invitations to the "Primakov Readings" forum. Clicking the malicious link led victims to a compromised website that immediately exploited the zero-day vulnerability. The technical sophistication of the exploit chain points to a highly skilled Advanced Persistent Threat (APT) group. Google urges users to update their Chrome browsers immediately to version 134.0.6998.177/.178 for Windows to mitigate the risk.
Recommended read:
References :
- cyberinsider.com: Google has released a security update for Chrome to address a high-severity zero-day vulnerability that was actively exploited in a sophisticated espionage campaign targeting Russian organizations.
- thehackernews.com: Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks
- securityaffairs.com: Google fixed the first actively exploited Chrome zero-day since the start of the year
- techcrunch.com: Google fixes Chrome zero-day security flaw used in hacking campaign targeting journalists
- thecyberexpress.com: Google has rolled out a new security update for Chrome users, following the discovery of a vulnerability, CVE-2025-2783, affecting the Windows version of the browser.
- The DefendOps Diaries: Google Chrome Vulnerability CVE-2025-2783: A Closer Look
- Cybernews: Google has patched a dangerous zero-day vulnerability that has already been exploited by sophisticated threat actors in the wild
- Zack Whittaker: New: Google has fixed a zero-day bug in Chrome that was being actively exploited as part of a hacking campaign. Kaspersky says the bug was exploited to target journalists and employees at educational institutions.
- Kaspersky official blog: Kaspersky’s GReAT experts have discovered the Operation ForumTroll APT attack, which used a zero-day vulnerability in Google Chrome.
- bsky.app: Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations.
- Cyber Security News: Operation ForumTroll: APT Hackers Use Chrome Zero-Day to Evade Sandbox Protections.
- www.bleepingcomputer.com: Google has released out-of-band fixes to address a high-severity security flaw in Chrome browser for Windows that has been actively exploited.
- Help Net Security: Help Net Security: Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)
- securityonline.info: CVE-2025-2783: Chrome Zero-Day Exploited in State-Sponsored Espionage Campaign
- MSSP feed for Latest: Google remediated the high-severity Chrome for Windows zero-day vulnerability.
- The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
- thecyberexpress.com: CISA Issues Urgent Security Alerts: Critical Vulnerabilities in Schneider Electric, Chrome, and Sitecore
- PCMag UK security: Details about Firefox also being affected by Chrome zero-day flaw
- CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
- iHLS: Google Patches Dangerous Zero-Day Flaw in Chrome
- PCMag UK security: Time to Patch: Google Chrome Flaw Used to Spread Spyware
- MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
- The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
- Blog: Mozilla has released updates to fix a critical security flaw in its Firefox browser for Windows. The vulnerability, designated CVE-2025-2857, stems from improper handling within the browser's inter-process communication (IPC) code, which could allow a compromised child process to gain elevated privileges by manipulating the parent process into returning a powerful handle, potentially leading to sandbox escape.
- techcrunch.com: Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
- securityaffairs.com: Google addressed a critical vulnerability, tracked as CVE-2025-2783, impacting its Chrome browser for Windows.
- securityaffairs.com: U.S. CISA adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog
- www.scworld.com: Mozilla Patches Firefox Bug Exploited in the Wild, Similar to Chrome Zero-Day
- OODAloop: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
- bsky.app: Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that has been exploited in the wild as part of attacks targeting organizations in Russia.
@The DefendOps Diaries
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- Christoffer S.: (trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure Executive Summary: This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console.
- Cyber Security News: Zero-Day in Windows MMC Framework Exploited for Malicious Code Execution
- Know Your Adversary: Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro releleased a on Water Gamayun , and noted an interesting technique used by the threat acrors for proxy execution.
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References :
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether The post appeared first on .
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
|
|