Tag: zeroday

  • Chrome Emergency Update: Google Patches Actively Exploited V8 Zero-Day (CVE-2025-13223)

    Google has released new updates for the Chrome browser amid yet another wave of attacks exploiting a flaw in the V8 engine. The company confirmed that one of the vulnerabilities is already being weaponized in real-world incidents, prompting an immediate rollout of patches.

    The primary issue is CVE-2025-13223, rated CVSS 8.8: a type confusion in V8 that leads to memory corruption. Under the right conditions, a remote attacker can use it to achieve arbitrary code execution by luring a victim to a specially crafted HTML page.

    The flaw was reported by Clément Lecigne of Google’s Threat Analysis Group, who detected the issue on November 12. While the company has not disclosed who may be targeting the vulnerability or the scale of the attacks, it confirms that a functioning exploit is already in circulation.

    This is the third actively exploited V8 type confusion patched this year, after CVE-2025-6554 and CVE-2025-10585. In the same release Google also fixed a similar engine-level issue, CVE-2025-13224, found by its internal AI agent Big Sleep. Both flaws carry the same high-severity rating because each can lead to memory corruption and arbitrary code execution through a crafted page.

    Google notes that with the November release, the number of zero-day vulnerabilities fixed in Chrome since the beginning of the year has reached seven. The list also includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6558, and others.

    To minimize risk, users are urged to install the latest browser versions:

    • 142.0.7444.175 or .176 for Windows
    • 142.0.7444.176 for macOS
    • 142.0.7444.175 for Linux

    To check, open Help → About Google Chrome; the browser downloads the update and prompts for a restart, and the fix is only in effect once Chrome has been relaunched. Users of other Chromium-based browsers such as Edge, Brave, Opera, and Vivaldi should watch for the corresponding update from their vendor.

  • CVE-2025-24893: XWiki Zero-Day Exploited by RondoDox Botnet and Cryptominers

    The recent surge in activity surrounding an XWiki vulnerability underscores how swiftly weaknesses in widely used platforms can be transformed into launchpads for large-scale attacks. The unfolding pattern makes clear that once the first successful intrusions are observed, multiple threat actors join the fray, and the scope of the danger expands by the day.

    The issue stems from CVE-2025-24893, rated 9.8 on the CVSS scale. It lets an unauthenticated guest execute arbitrary code remotely through a crafted request to the search page exposed at “/bin/get/Main/SolrSearch.” The developers patched it in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 at the end of February 2025, yet a number of servers still run older builds and remain open to unauthorized access. The first confirmed exploitation appeared in the spring, and by late October VulnCheck reported new attack chains using the flaw to deploy a cryptominer.

    Shortly thereafter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its catalog of actively exploited vulnerabilities and required federal agencies to apply security updates by November 20. Against this backdrop, VulnCheck recorded a sharp rise in malicious activity: a peak on November 7, followed by another spike on the 11th. This trend reflects an expanding circle of attackers simultaneously scanning the internet for exposed targets.

    One of the competitors in this race is the RondoDox botnet, known for its eagerness to adopt new exploitation techniques to broaden its network of compromised devices. Since late October, it has been abusing the XWiki flaw to pull vulnerable servers into an infrastructure used for HTTP, UDP, and TCP DDoS attacks. The first attempts were observed on November 3. In parallel, other groups have been exploiting the same weakness to install miners, establish reverse shells, and harvest configuration data, relying in part on Nuclei templates to identify suitable targets.
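    One way to hunt for this scanning in your own web-server logs, shown here as an added example that is not part of VulnCheck's report or XWiki's code: the script parses combined-format access log lines, flags requests to the unauthenticated SolrSearch endpoint whose query string carries wiki-macro syntax (`{{`, raw or URL-encoded; that indicator and the log lines are constructed assumptions, not taken from the article), and tallies flagged hits per source IP and per day so bursts like the November 7 and 11 spikes stand out.

```python
"""Access-log triage for CVE-2025-24893 scanning (added example, not from
VulnCheck or XWiki). Flags requests to the unauthenticated SolrSearch page
that carry wiki-macro syntax in the query string and tallies them per source
IP and per day. The indicator ("{{" in the query) is an assumption."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/bin/get/Main/SolrSearch"   # from the article: unauthenticated entry point
MACRO_MARKER = "{{"                      # assumption: wiki-macro syntax in the query


def parse_line(line):
    """Return the named fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True when the request hits SolrSearch with macro syntax anywhere in the query."""
    if entry is None:
        return False
    url = urlsplit(entry["target"])
    if VULN_PATH not in url.path:          # path may carry a /xwiki context prefix
        return False
    # decode twice: scanners often double-encode braces to slip past naive filters
    query = unquote(unquote(url.query))
    return MACRO_MARKER in query


def triage(lines):
    """Return (flagged entries, flagged hits per source ip, flagged hits per day)."""
    flagged = [e for e in map(parse_line, lines) if is_suspicious(e)]
    per_ip = Counter(e["ip"] for e in flagged)
    per_day = Counter(e["day"] for e in flagged)
    return flagged, per_ip, per_day


# Constructed sample lines (not real traffic). Only the first and fourth are
# attack-shaped: they target SolrSearch and carry (double-)encoded "{{".
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:02:14:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%7D%7D HTTP/1.1" 200 812 "-" "python-requests/2.32"',
    '198.51.100.3 - - [07/Nov/2025:02:15:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [07/Nov/2025:02:16:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Nov/2025:13:02:55 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bx%257D%257D HTTP/1.1" 200 790 "-" "Nuclei"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    flagged, per_ip, per_day = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['day']} {e['ip']} {e['target']}")
    print("per ip:", dict(per_ip))
    print("per day:", dict(per_day))
```

    A match is a reason to compare the running XWiki build against the fixed releases and to pull the corresponding response bodies. The heuristic deliberately errs toward false positives, since legitimate search text rarely contains `{{`, and a single source hitting the endpoint across several days is the pattern VulnCheck describes.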

    This situation illustrates how quickly a single vulnerability can be weaponized by multiple, unrelated threat actors. The VulnCheck investigation emphasizes that once the first successful intrusion occurs, botnets, miners, and automated scanners rapidly join in, acting independently yet simultaneously. In such an environment, keeping server software fully up to date remains the only truly reliable means of reducing risk.

  • Logitech Discloses Data Exfiltration via Third-Party Zero-Day Vulnerability

    Logitech has informed the U.S. Securities and Exchange Commission (SEC) that it experienced unauthorized data exfiltration as a result of a previously unknown vulnerability in third-party software. The incident involved targeted access to a segment of the company’s internal IT environment which, according to Logitech’s assessment, did not affect its devices, manufacturing operations, or core services. Company representatives noted that Logitech identified the intrusion independently and immediately engaged external teams for technical analysis and remediation.

    According to the internal investigation, a third party exploited a zero-day vulnerability in a software platform supplied by an outside vendor and extracted certain information from an isolated segment of the corporate infrastructure. Logitech applied the vendor’s patch as soon as it became available. Its review concluded that the affected environment did not store national identifiers, payment information, or other categories of highly sensitive data. The exfiltrated files may nevertheless have contained some employee information, a limited amount of consumer data, and materials related to customer and partner operations.

    The company emphasizes that the incident does not affect its financial stability or current reporting indicators. At the time of filing with the SEC, Logitech saw no basis to expect long-term consequences for its operational performance. The company also highlighted that it maintains extensive cyber-risk insurance, which under the terms of the policy covers technical response teams, legal expenses, business interruption, and potential regulatory actions.

    Logitech notes, however, that further analysis may reveal additional details not available at the time of the filing. The company continues to assess its relationships with customers, partners, government entities, and employees in the context of the incident and is also considering various potential legal implications. Additional risk factors are detailed in the annual report for the fiscal year ending March 31, 2025.

  • Uhale Digital Photo Frames Ship with Root Access and Download Hidden Malware

    A serious issue has been uncovered in the digital photo-frame market: Android-based devices sold under the Uhale brand are downloading malicious components during system startup and contain a series of critical vulnerabilities that allow attackers to take full control of the device. These conclusions were reached by Quokka researchers after analysing the behaviour of the Uhale app and the underlying platform developed by the Chinese company Whale TV. Their attempts to notify the developer since May of this year have gone unanswered.

    The investigation revealed that some frames, immediately upon being powered on, connect to remote servers in China, download version 4.2.0 of the application and launch the updated build automatically. After a reboot, the embedded client downloads and executes a JAR or DEX file, stores it in an internal directory and loads it again at every subsequent startup. The researchers observed notable similarities with the Mzmess and Vo1d malware families, from package prefixes and strings to delivery methods and the placement of system artefacts. The exact infection vector, however, remains unclear.

    The devices’ system-level configuration introduces additional danger: all examined frames run with SELinux disabled, ship with root access already enabled and are signed with public AOSP test keys. This combination leaves them vulnerable straight out of the box and creates conditions for the unrestricted execution of any operation.

    Seventeen vulnerabilities were identified in the software, eleven of which have been assigned CVE identifiers. Among them are several particularly severe flaws.

    CVE-2025-58392 and the related CVE-2025-58397 stem from an insecure TrustManager implementation that does not properly validate server certificates, letting an on-path attacker spoof responses that should be protected by TLS and, through them, execute arbitrary commands with superuser privileges.

    CVE-2025-58388 was found in the update mechanism, where unsanitised filenames are passed directly into shell commands, allowing silent installation of arbitrary APKs.
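    The pattern behind that update-mechanism bug, shown as an added Python analog rather than the frame’s own Android code: a filename is spliced into a shell command string, so a name carrying shell metacharacters runs a second command. `echo` stands in for the real install command and the malicious filename is a constructed example; the hardened variant passes an argv list without a shell and rejects anything that is not a plain `.apk` basename.

```python
"""Filename-to-shell command injection of the kind described for CVE-2025-58388,
as an added Python analog (the real updater is Android/Java; nothing here is
Uhale's code). `echo` stands in for the installer so the demo is harmless, and
the attacker-controlled filename is a constructed example."""
import shlex
import subprocess

INSTALLER = "echo"   # stand-in for the real install command (assumption)

# Allow-list for APK names: no separators, no shell metacharacters, no spaces.
SAFE = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def is_safe_filename(name):
    """Non-empty plain basename, not hidden/relative, only allow-listed chars, .apk suffix."""
    return (bool(name) and not name.startswith(".") and "/" not in name
            and all(c in SAFE for c in name) and name.lower().endswith(".apk"))


def install_vulnerable(filename):
    """Vulnerable pattern: the filename is spliced into a shell string, so
    metacharacters in the name become additional commands. Returns stdout lines."""
    cmd = f"{INSTALLER} install {filename}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip().splitlines()


def install_hardened(filename):
    """Hardened: validate the name, then exec without a shell using an argv list.
    The filename reaches the installer as one argument, whatever it contains."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    out = subprocess.run([INSTALLER, "install", filename],
                         capture_output=True, text=True)
    return out.stdout.strip().splitlines()


def shell_command_count(filename):
    """How many commands a POSIX shell would run for the vulnerable string:
    shlex with punctuation_chars tokenises ';', '|', '&' as separators."""
    lex = shlex.shlex(f"{INSTALLER} install {filename}", posix=True,
                      punctuation_chars=True)
    tokens = list(lex)
    return 1 + sum(t in (";", "|", "||", "&", "&&") for t in tokens)


# Constructed attacker-chosen name: a harmless-looking APK name plus a second command.
MALICIOUS_NAME = "update.apk; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", install_vulnerable(MALICIOUS_NAME))
    print("commands the shell would run:", shell_command_count(MALICIOUS_NAME))
    try:
        install_hardened(MALICIOUS_NAME)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, benign name:", install_hardened("update.apk"))
```

    The argv form alone already stops the injection; the allow-list is there because the same filename typically also ends up in a filesystem path, where `..` and `/` matter even without a shell.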

    CVE-2025-58394 highlights that all examined models ship without active SELinux, include root access by default and rely on publicly available test keys.

    CVE-2025-58396 shows that the preinstalled client opens a file server on TCP port 17802 that accepts any uploads without permission checks, enabling any device on the local network to overwrite or delete files.

    In CVE-2025-58390, SSL/TLS handling errors in WebView ignore certificates and mixed content, making it possible to alter displayed information and perform local phishing attacks.

    The researchers also discovered a hardcoded AES key used to decrypt sdkbin network responses and found outdated libraries and Adups components in several models.

    Taken together, these issues leave the software stack devoid of meaningful protection and introduce significant supply-chain risks. The number of affected users is difficult to estimate: the frames are sold under various brand names, and details about the underlying platform are not disclosed. The Uhale app has over half a million downloads on Google Play, and more than 11,000 reviews on the App Store. Across online marketplaces, reviews of devices running the same platform also approach a thousand.

  • November Patch Tuesday 2025: Microsoft Fixes 63 Flaws, Including an Exploited Windows Zero-Day

    In its November Patch Tuesday release, Microsoft addressed 63 vulnerabilities, including a zero-day flaw that had already been exploited in the wild. This month’s patches span a broad spectrum of Windows components and Microsoft products, from the operating-system kernel to the Office suite and various cloud services.

    According to the company, the most severe issue affected the Windows kernel and allowed attackers to obtain system-level privileges through a race-condition flaw. Indexed as CVE-2025-62215, the vulnerability enabled local privilege escalation by exploiting improper synchronization during shared-resource access. Evidence of its active exploitation was provided by Microsoft’s internal threat-intelligence team.

    Broken down by impact, 29 of the 63 involve privilege escalation, 16 permit remote code execution, 11 expose sensitive information, 3 can cause denial of service, 2 bypass security features, and 2 enable spoofing. Four were rated critical, primarily because they allow remote execution of arbitrary code.

    Updates were released for both current and legacy Windows versions. Windows 10, which has left mainstream support and now receives fixes through the Extended Security Updates (ESU) program, still got a cumulative update, following an out-of-band fix for an issue that prevented users from enrolling in ESU. Microsoft released KB5068861 and KB5068865 for Windows 11, and KB5068781 for Windows 10.

    Several other vendors issued coordinated updates alongside Microsoft. Adobe patched flaws in InDesign, Illustrator, Photoshop, and other products. Cisco fixed vulnerabilities across multiple solutions — including ASA and identity systems — and warned of renewed exploitation of older bugs. A critical remote code execution flaw was eliminated in the expr-eval JavaScript library. Fortinet released patches for FortiOS to address a privilege-escalation issue. Google’s November Android bulletin closed two vulnerabilities. Ivanti, SAP, Samsung, and QNAP also issued their monthly updates; notably, QNAP patched seven zero-day vulnerabilities showcased at Pwn2Own Ireland 2025.

    This month’s release gives particular weight to vulnerabilities in Microsoft Office, including Excel and Word, where Microsoft resolved issues ranging from information disclosure to code execution triggered simply by opening a document. Additional flaws were fixed in Windows Kerberos, DirectX components, Bluetooth and Wi-Fi drivers, Remote Desktop, and the Windows Subsystem for Linux GUI. Some vulnerabilities also affected Visual Studio and Copilot extensions, underscoring the exposure of developer tooling.

    Microsoft has published the full list of patched vulnerabilities in its official documentation. Given active exploitation of several flaws, applying the latest updates without delay is strongly advised.

  • Synology Patches BeeStation Zero-Day (CVE-2025-12686) Exposed at Pwn2Own 2025

    Synology has patched a zero-day vulnerability in its BeeStation devices, demonstrated at the recent Pwn2Own competition. The flaw, assigned CVE-2025-12686, falls under the category of “buffer copy without input-size validation,” enabling an attacker to execute arbitrary code on the target system.

    The issue affects multiple versions of BeeStation OS, the operating system that powers Synology’s consumer-grade network storage devices and is marketed as a “personal cloud.” The fix is included in BeeStation OS version 1.3.2-65648 and later. As no temporary mitigations exist, users are strongly urged to install the updated firmware without delay.

    The vulnerability was showcased by researchers Tek and anyfun from the French firm Synacktiv during the Pwn2Own Ireland 2025 competition held on October 21. Their successful exploitation earned the team a $40,000 reward.

    Pwn2Own annually brings together security specialists from around the globe, giving them a stage on which to demonstrate zero-day exploits in widely used devices. At the recent event in Ireland, participants uncovered 73 previously unknown vulnerabilities across a range of products and collectively earned more than one million dollars.

    Just a week earlier, another major NAS manufacturer, QNAP, released patches addressing seven zero-day vulnerabilities discovered at the same competition.

    In accordance with its disclosure policy, the Zero Day Initiative (ZDI) refrains from publishing technical details until fixes are available and users have had sufficient time to update. Full technical analyses are expected to appear on the initiative’s website and in researchers’ blogs in the coming months.

  • Mandiant: Triofox Zero-Day Exploited to Gain SYSTEM Access via Antivirus Feature

    Mandiant researchers have uncovered active exploitation of a zero-day vulnerability in the Gladinet Triofox remote access and file-sharing platform. CVE-2025-12480 allowed attackers to bypass authorization and reach configuration pages of the web interface, through which they created administrative accounts and uploaded arbitrary malicious files. The flaw was patched in version 16.7.10368.56560, but not before at least one threat cluster had weaponized it.

    The malicious activity was first observed on 24 August 2025 and has been attributed to the UNC6485 cluster. The intruders did not merely obtain administrative control: they chained that access to a vulnerable antivirus-check feature to execute arbitrary code as SYSTEM.

    Detection began with an automated alert that flagged third-party utilities being written to system directories. Within 16 minutes Mandiant confirmed the compromise, isolated the host, and determined that Triofox authenticated requests improperly by relying on the Host header. If a request specified “localhost,” the server would automatically grant access to AdminDatabase.aspx — a local-only setup page intended for on-host maintenance.

    Using that page, the attackers re-invoked the installation wizard and created a full system administrator account named “Cluster Admin.” That level of control allowed them to proceed to the next stage: uploading malicious scripts via the application’s antivirus-scan mechanism.

    Architecturally, Triofox permits administrators to define an arbitrary path for the executable designated as the “antivirus engine.” The uploaded script is then invoked with the privileges of the parent process, effectively granting full system access. The adversaries exploited this to run a file named centre_report.bat, which used PowerShell to fetch the next stage: an installer disguised as a ZIP archive that deployed the Zoho UEMS installer. Once the legitimate UEMS agent was in place, they installed Zoho Assist and AnyDesk to persist on the compromised host.

    From their foothold the operators executed reconnaissance and lateral-movement actions: enumerating SMB sessions, enumerating user accounts, attempting password changes, and adding accounts to local and domain administrator groups. For stealthy command-and-control, they uploaded legitimate PuTTY and Plink binaries (renamed silcon.exe and sihosts.exe) to the server and used them to establish an encrypted SSH tunnel to an external C2. That channel was used to forward RDP traffic over port 3389, enabling full remote control of the infected machine.

    Root-cause analysis placed the access check in the CanRunCriticalPage() routine inside GladPageUILib.dll. If the Host header contains “localhost,” the routine skips the configured trusted-IP checks and grants access to critical pages. Because the Host header is supplied by the client, anyone who can reach the web interface can satisfy the check: the missing validation of the request’s true origin, combined with reliance on the operator’s configuration, turned a local-only maintenance page into an unauthenticated attack vector.
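    The same class of mistake in miniature, as an added illustration written in Python and not Gladinet’s code: a check that trusts the client-supplied Host header beside one that decides on the socket peer address and the configured trusted list, followed by a hunting rule that flags critical-page requests whose Host header says localhost while the peer is remote. The page name comes from the article; the header handling, trusted-IP list and log records are assumptions.

```python
"""Host-header trust of the kind described for Triofox's CanRunCriticalPage(),
as an added Python illustration (not Gladinet's code). The vulnerable check
trusts a client-supplied header; the hardened one uses the transport-level
peer address, which the client cannot forge, plus the configured trusted list.
Trusted IPs and the log records below are constructed assumptions."""
import ipaddress

CRITICAL_PAGES = {"/AdminDatabase.aspx"}   # page named in the article
TRUSTED_IPS = {"10.0.0.5"}                 # assumed operator configuration


def can_run_critical_page_vulnerable(path, host_header, peer_ip, trusted=TRUSTED_IPS):
    """Vulnerable: 'localhost' in the Host header short-circuits every other
    check, so any remote client reaches the setup page by sending Host: localhost."""
    if path not in CRITICAL_PAGES:
        return True
    if "localhost" in host_header.lower():
        return True
    return peer_ip in trusted


def can_run_critical_page_hardened(path, host_header, peer_ip, trusted=TRUSTED_IPS):
    """Hardened: the Host header plays no part in the trust decision; only the
    socket peer address (loopback) or the configured trusted IPs grant access."""
    if path not in CRITICAL_PAGES:
        return True
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False                       # unparseable peer: fail closed
    return addr.is_loopback or peer_ip in trusted


def find_spoofed_localhost(records):
    """Hunting rule over (peer_ip, host_header, path) records: critical-page
    requests whose Host header claims localhost while the peer is not loopback."""
    hits = []
    for peer_ip, host, path in records:
        if path not in CRITICAL_PAGES or "localhost" not in host.lower():
            continue
        try:
            if ipaddress.ip_address(peer_ip).is_loopback:
                continue                   # genuine on-host maintenance
        except ValueError:
            pass                           # keep unparseable peers in the hit list
        hits.append((peer_ip, host, path))
    return hits


# Constructed records: (peer ip from the socket, Host header, request path)
SAMPLE_RECORDS = [
    ("127.0.0.1",    "localhost",         "/AdminDatabase.aspx"),   # legitimate on-host
    ("198.51.100.9", "localhost",         "/AdminDatabase.aspx"),   # spoofed Host
    ("198.51.100.9", "files.example.net", "/AdminDatabase.aspx"),   # denied either way
    ("198.51.100.9", "localhost",         "/portal/login.aspx"),    # not a critical page
]

if __name__ == "__main__":
    for peer, host, path in SAMPLE_RECORDS:
        v = can_run_critical_page_vulnerable(path, host, peer)
        h = can_run_critical_page_hardened(path, host, peer)
        print(f"{peer:14} Host={host:18} {path:22} vulnerable={v} hardened={h}")
    print("spoofed localhost:", find_spoofed_localhost(SAMPLE_RECORDS))
```

    Behind a reverse proxy the peer address is the proxy’s, so the hardened check should then read a forwarded-for header that the proxy overwrites, never one the client can set directly; the general rule is that only values the transport or a trusted hop supplies may feed an authorization decision.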

    Mandiant recommends updating Triofox to the patched release, auditing all administrative accounts, and verifying that the configured antivirus engine path does not point at arbitrary third-party executables. Organizations should also review network logs for anomalous SSH activity and investigate any unusual RDP forwarding.

  • Critical RCE Zero-Days Patched: QNAP Fixes 7 Flaws Exposed at Pwn2Own 2025

    The Taiwanese company QNAP has released updates for its systems addressing seven zero-day vulnerabilities unveiled by participants at Pwn2Own Ireland 2025. The flaws affected the company’s proprietary operating systems QTS and QuTS hero, as well as several key services — Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. All vulnerabilities were discovered during live demonstrations by researchers from Summoning Team, DEVCORE, Team DDOS, and an intern from CyCraft Technology.

    According to the official advisory, patches have been issued for the QTS and QuTS hero operating systems, the Malware Remover module, the Hyper Data Protector application, and the HBS 3 Hybrid Backup Sync utility. While the technical details of the exploits have not yet been disclosed, all were classified as critical, enabling remote execution of arbitrary code on vulnerable devices. To safeguard their systems, QNAP strongly urges users to install the latest software versions containing these security fixes without delay.

    The company also reminded users of the importance of regularly updating NAS firmware to ensure ongoing protection through the most recent security patches. QNAP emphasized that this incident continues its long-term initiative to address vulnerabilities identified during previous Pwn2Own competitions. In October 2024, the company had already mitigated several flaws showcased by researchers at Pwn2Own Ireland 2024.

    QNAP, a frequent participant in such events, views them as an essential means of strengthening the resilience of its NAS ecosystem — offering security researchers a controlled environment to test protective mechanisms and publicly demonstrate weaknesses that might otherwise go unnoticed.

  • ArcaneDoor Strikes Cisco Firewalls Again: New DoS Exploit Variant Emerges

    Cisco has warned customers of a fresh wave of attacks against its firewalls: adversaries have been hitting vulnerable appliances for at least six months, and in early November a new exploitation variant appeared. In a Thursday bulletin, the company reported that on 5 November 2025 it observed new techniques against systems running Cisco Secure ASA Software and Cisco Secure FTD Software that exploit CVE-2025-20333 and CVE-2025-20362. On unpatched appliances the new variant sends the device into a reboot loop, resulting in denial of service.

    Both vulnerabilities were patched in September, after which the UK National Cyber Security Centre and the US CISA publicly warned of active exploitation by a “sophisticated” adversary; at least one US agency was among the victims. As early as May, Cisco engaged multiple government partners to assist affected organisations: forensic work revealed attackers deploying malicious components, executing arbitrary commands, and likely exfiltrating data from compromised nodes. Cisco assembled a dedicated response team and worked closely with a limited set of customers whose networks had been intruded.

    Researchers note the adversary combined several zero-day flaws and employed stealthy tradecraft: disabling logging, intercepting CLI input, and deliberately “crashing” devices to frustrate diagnosis. In several instances the ROM Monitor (ROMmon) bootloader was modified, enabling persistence that survived reboots and software updates.

    Cisco, together with US and UK agencies, links earlier incidents and this “new variant” to the group behind the ArcaneDoor operation—first disclosed in April 2024 when the vendor remediated two zero-days in ASA and FTD that had been used to penetrate government and telecom infrastructure (activity indexed as UAT4356). Since 2024 Cisco has declined to attribute the campaign to a specific nation, referring inquiries to its public advisories.

    Separately, on Thursday Cisco released patches for two critical vulnerabilities in Cisco Unified Contact Center Express (UCCX). CVE-2025-20354 and CVE-2025-20358 permit an unauthenticated remote attacker to upload arbitrary files, execute commands as root, or bypass authentication to run scripts as an internal, non-privileged user. UCCX deployments are vulnerable regardless of configuration; Cisco recommends upgrading to 12.5 SU3 ES07 or 15.0 ES01.

    CVE-2025-20354 carries a CVSS score of 9.8 and stems from improper validation in a Java RMI process: exploitation via a crafted file can result in arbitrary command execution on the host OS and privilege escalation to superuser. CVE-2025-20358 (score 9.4) enables authentication bypass between the CCX Editor and the Unified CCX server: an attacker can redirect authentication checks to a controlled node, trick the client into believing login succeeded, and then execute arbitrary scripts as an internal account without administrative rights.

    Cisco is not aware of confirmed, widespread exploitation of the UCCX defects, yet it urges customers to apply patches immediately. Given the relentless activity around ASA/FTD and the emergence of a new exploitation variant, postponing updates and configuration audits is exceedingly risky.

  • Microsoft: Most Windows 10 Zero-Days Stop Working Soon After a Fix Ships

    Microsoft regularly publishes reports presenting Windows 10 as its most secure release, which doubles as a nudge for enterprise customers to upgrade. A new report from the company makes the point again: the vast majority of zero-day vulnerabilities found in Windows 10 can no longer be exploited once patched. Not every user installs the cumulative update that fixes a flaw right away, but Microsoft says it has other ways of adding protection in the meantime.

    Engineers at the Microsoft Security Response Center used telemetry to classify every attack that exploited a zero-day vulnerability since the release of Windows 10. They found that most zero-days stop working within a few months of a fix shipping, leaving attackers unable to exploit them. On older Windows versions, by contrast, a flaw stays exploitable for as long as users put off installing the update, and there is always someone trying to exploit it. The main reason zero-days die quickly on Windows 10, the engineers say, is that mitigations such as Control Flow Guard and Device Guard are enabled automatically, so an exploit often fails even on a machine that has not yet received the patch.

    This ties in with Microsoft Defender, which is enabled by default on Microsoft’s operating system and lets the company block attacks quickly.

    Over the past 12 years, most of the vulnerabilities fixed in Microsoft’s products have been memory-safety bugs; they account for about 70% of the total. Memory-safety vulnerabilities are both severe and frequent, which is why they are the main concern of Microsoft’s security engineers.

    Microsoft’s security team is therefore exploring Rust as a replacement for C/C++, hoping the language’s guarantees will reduce such errors. If it does, the rate of memory-safety vulnerabilities should fall and the security of the operating system as a whole improve.

    Via: ZDNet