Best Cybersecurity News
https://cybersecuritynews.com/category/best-cybersecurity-news/
Feed updated Thu, 28 Aug 2025 15:02:42 +0000

New TamperedChef Attack With Weaponized PDF Editor Steals Sensitive Data and Login Credentials
https://cybersecuritynews.com/tamperedchef-attack/
Thu, 28 Aug 2025 12:37:53 +0000
A sophisticated malware campaign weaponizes a seemingly legitimate PDF editor to steal sensitive data and login credentials from unsuspecting users across Europe.

The attack, uncovered by Truesec and dubbed “TamperedChef,” represents a new evolution in social engineering tactics that leverage trusted software categories to deploy information-stealing malware.

The malicious campaign centers around AppSuite PDF Editor, a free PDF editing tool promoted across multiple websites and distributed through Google advertising campaigns.

Malicious PDF Editor Setup

What makes this attack particularly insidious is its patient approach. The software initially appears harmless, functioning as advertised while secretly establishing persistence mechanisms and awaiting activation commands.

The campaign’s sophistication is evident in its execution timeline. Beginning on June 26, 2025, threat actors registered multiple domains and began promoting the PDF editor through at least five different Google advertising campaigns.

The malware remained dormant for 56 days, a period strategically timed to coincide with typical Google advertising campaign durations, before activating its malicious capabilities on August 21, 2025.

Upon installation, the software establishes communication with command-and-control servers through specific URLs, including inst.productivity-tools.ai and vault.appsuites.ai.

The malware’s persistence mechanism involves creating registry entries that execute with various command-line arguments, including --install, --enableupdate, --fullupdate, and others.

When the --fullupdate argument is triggered, the software downloads and executes an obfuscated JavaScript file containing the core TamperedChef payload.
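As an added example (not code from the article or from Truesec), the following Python script flags autorun entries whose command lines carry the update switches named above and proxy log records that reach the two command-and-control hosts; the Run-key entries, file paths and log lines are constructed samples, not real telemetry.

```python
"""Added example, not from the article or Truesec: flag autorun entries
whose command lines carry the update switches named above and proxy log
lines that reach the two command-and-control hosts. All sample data here
is constructed for illustration; the switches and hosts are the ones the
article quotes."""
import shlex
from typing import Dict, List, Tuple

# Command-line switches the article attributes to the registry persistence.
SUSPICIOUS_SWITCHES = {"--install", "--enableupdate", "--fullupdate"}
# Command-and-control hosts named in the article.
C2_HOSTS = {"inst.productivity-tools.ai", "vault.appsuites.ai"}

# Constructed (value name, command line) pairs in the style of a Run key.
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("PDFEditorUpdate", r'"C:\Users\u\AppData\Local\Programs\PDF Editor\pdfeditor.exe" --fullupdate'),
    ("PDFEditor", r'"C:\Users\u\AppData\Local\Programs\PDF Editor\pdfeditor.exe" --enableupdate'),
    ("Spotify", r'"C:\Users\u\AppData\Roaming\Spotify\Spotify.exe" --minimized'),
]

# Constructed proxy log: timestamp, client, method, host, path.
SAMPLE_PROXY_LOG = """\
2025-08-21T09:14:02Z 10.0.0.15 GET update.microsoft.com /
2025-08-21T09:14:07Z 10.0.0.15 GET inst.productivity-tools.ai /
2025-08-21T09:15:11Z 10.0.0.22 GET www.example.com /index.html
2025-08-21T09:16:40Z 10.0.0.15 POST vault.appsuites.ai /
"""


def switches_in(cmdline: str) -> List[str]:
    """Return the '--' switches in a Windows-style command line.

    posix=False keeps quoted paths with backslashes intact instead of
    treating the backslashes as escape characters.
    """
    tokens = shlex.split(cmdline, posix=False)
    return [t.lower() for t in tokens[1:] if t.startswith("--")]


def flag_run_entries(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Autorun entries whose switches intersect the suspicious set."""
    hits: List[Dict[str, object]] = []
    for name, cmdline in entries:
        found = sorted(set(switches_in(cmdline)) & SUSPICIOUS_SWITCHES)
        if found:
            hits.append({"name": name, "cmdline": cmdline, "switches": found})
    return hits


def flag_proxy_log(log: str) -> List[Dict[str, str]]:
    """Proxy records whose destination host is one of the C2 hosts."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash
        ts, client, method, host, path = fields[:5]
        if host.lower() in C2_HOSTS:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "path": path})
    return hits


def clients_contacting_c2(log: str) -> Dict[str, List[str]]:
    """Map each client that reached a C2 host to the hosts it contacted."""
    seen: Dict[str, List[str]] = {}
    for hit in flag_proxy_log(log):
        hosts = seen.setdefault(hit["client"], [])
        if hit["host"] not in hosts:
            hosts.append(hit["host"])
    return seen


if __name__ == "__main__":
    for hit in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"autorun {hit['name']}: {hit['switches']}")
    for client, hosts in clients_contacting_c2(SAMPLE_PROXY_LOG).items():
        print(f"{client} contacted C2 hosts: {hosts}")
```

In practice the entries would come from an export of the HKCU and HKLM Run keys and the log from the proxy or DNS resolver, with the client that both carries a flagged autorun and reaches either host triaged first.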

Data Theft Capabilities

Once activated, TamperedChef demonstrates sophisticated information-stealing capabilities. The malware queries web browser databases using Windows Data Protection API (DPAPI) to extract stored credentials and sensitive information.

It systematically terminates browser processes to access locked data files, ensuring comprehensive data harvesting from popular web browsers, Truesec said.

The malware also conducts system reconnaissance, identifying installed security products before proceeding with its data exfiltration operations. This behavior suggests the threat actors have invested significant effort in developing evasion techniques to bypass common security solutions.

The campaign’s legitimacy facade is reinforced through the abuse of digital certificates from multiple companies, including ECHO Infini SDN BHD, GLINT By J SDN. BHD, and SUMMIT NEXUS Holdings LLC.

Code Signed Signature Check.

Investigation reveals these companies share suspicious characteristics, including generic websites with potentially AI-generated content and shared business addresses.

Particularly concerning is the discovery that certificates from these entities have been used to sign other malicious software, including the Epibrowser malware, indicating a broader certificate abuse operation supporting multiple malware families.

Campaign Scope and Impact

The threat actors behind TamperedChef have maintained a long-term presence in the threat landscape, with evidence suggesting activity dating back to August 2024.

Certificates issued to another company, BYTE Media, have also been used to sign malware, in that case a different family called Epibrowser.

In several cases, we have observed a file called elevate.exe being installed together with the PDF Editor bundle.

Their operations extend beyond the PDF editor to include other potentially unwanted programs like OneStart browser, all sharing common command-and-control infrastructure.

European organizations have been significantly impacted, with multiple companies reporting employee infections after downloading the malicious PDF editor.

The campaign’s success highlights the effectiveness of disguising malware as legitimate productivity tools—a category users typically trust and readily install.

This campaign represents a concerning evolution in malware distribution tactics. By leveraging legitimate advertising platforms and maintaining extended dormancy periods, threat actors can achieve widespread distribution before revealing malicious intent.

The use of AI-generated code and generic business fronts further demonstrates the industrialization of cybercrime operations.

The TamperedChef campaign serves as a stark reminder that even seemingly innocuous productivity tools can pose significant security risks. Organizations must implement robust software vetting procedures and maintain heightened awareness of free utilities from unknown sources, as today’s helpful application could become tomorrow’s security nightmare.

CISA Added WinRAR Zero-Day (CVE-2025-8088) Vulnerability That is Actively Exploited In the Wild
https://cybersecuritynews.com/cisa-added-winrar-zero-day-vulnerability/
Wed, 13 Aug 2025 20:30:26 +0000
The U.S. Cybersecurity and Infrastructure Security Agency has added the WinRAR vulnerability CVE-2025-8088 to its Known Exploited Vulnerabilities (KEV) catalog, with a due date of September 2, 2025, for federal agencies to apply mitigations.

WinRAR has released version 7.13 to address a critical security vulnerability that has been actively exploited by cybercriminals, marking another significant security incident for the popular file compression software.

The vulnerability, designated CVE-2025-8088, allows attackers to execute arbitrary code through maliciously crafted archive files, prompting immediate action from users worldwide.

Critical Security Flaw Exploited by Russian Hackers

The newly discovered vulnerability represents a serious threat to Windows users, with security researchers confirming that it has been exploited in active campaigns.

CVE-2025-8088 is a path traversal vulnerability that affects the Windows versions of WinRAR, UnRAR, and associated components, allowing specially crafted archives to bypass user-specified extraction paths and write files to unintended locations on the file system.

This capability enables attackers to execute arbitrary code on compromised systems, making it a particularly dangerous security flaw.

ESET researchers have linked this vulnerability to exploitation by the Russian RomCom group, which has been targeting companies across Europe and Canada.

The cybersecurity firm’s research team, including Anton Cherepanov, Peter Košinár, and Peter Strýček, discovered the vulnerability and reported it to WinRAR developers.

The vulnerability has been assigned a CVSS score of 8.4, classifying it as HIGH severity, which underscores the critical nature of this security issue.

Technical Details and Affected Systems

The directory traversal vulnerability is distinct from a previously patched security flaw that was addressed in WinRAR version 7.12, indicating that this represents a new attack vector that required separate remediation. The affected systems include:

  • WinRAR for Windows – All desktop installations of the primary software.
  • RAR and UnRAR command-line utilities – Windows versions of these tools.
  • UnRAR.dll and portable UnRAR – Dynamic library and standalone versions.
  • Version range affected – All WinRAR versions from 0 through 7.12.
  • Unaffected platforms – Linux/Unix builds and RAR for Android remain secure.

The vulnerability affects all WinRAR versions from 0 through 7.12, meaning that virtually all existing installations require immediate updating.

The path traversal mechanism allows malicious archives to escape their intended extraction directories, potentially overwriting system files or placing executable code in locations where it can be automatically executed by the operating system.

This type of attack can lead to complete system compromise, data theft, or deployment of additional malware payloads.

Immediate Action Required for Users

WinRAR users must immediately update to version 7.13, which was released on July 30, 2025, with updated release notes published on August 12, 2025.

The update addresses not only the critical security vulnerability but also fixes several bugs from the previous version, including issues with the “Import settings from file” command and recovery size settings for older compression profiles.

The urgency of this update cannot be overstated, particularly given the confirmed exploitation in the wild. Organizations and individual users should prioritize this update across all Windows systems running WinRAR.

Beyond the immediate security fix, WinRAR 7.13 continues to offer advanced NTFS features that distinguish it from other compression tools, including built-in options to preserve symbolic links and archive Alternate Data Streams (ADS).

These capabilities remain valuable for backup, deployment, and forensic environments, but users must ensure they are running the latest secure version to benefit from these features safely.

Users who cannot immediately update should consider discontinuing use of WinRAR until the update can be applied, particularly in environments where untrusted archive files are regularly processed.

Cybersecurity Weekly Recap: Latest on Attacks, Vulnerabilities, & Data Breaches
https://cybersecuritynews.com/cybersecurity-weekly-recap/
Mon, 17 Feb 2025 02:34:23 +0000
Welcome to this week’s Cybersecurity Newsletter, where we bring you the latest updates and key insights from the ever-changing world of cybersecurity.

In today’s fast-paced digital environment, staying informed is crucial. Our goal is to provide you with relevant information to help you navigate the challenges of this dynamic field effectively.

This edition highlights emerging threats and the shifting dynamics of digital defenses. Key topics include advanced ransomware attacks and the increasing influence of state-sponsored cyber activities on global security.

We offer an in-depth analysis of these evolving threats, along with actionable strategies to bolster your organization’s defenses. Additionally, we examine how cutting-edge technologies like artificial intelligence (AI), machine learning (ML), and quantum computing are reshaping cybersecurity—both as tools for protection and as potential vulnerabilities exploited by adversaries.

Examples covered include AI-powered phishing schemes, ML-enhanced malware, and quantum computing’s potential to break encryption. We also explore how industries are addressing critical cybersecurity challenges, such as securing remote work environments and mitigating vulnerabilities in Internet of Things (IoT) devices.

These issues underscore the importance of proactive measures to protect digital infrastructure. We’ll also review recent regulatory developments, such as the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), which are setting new benchmarks for data privacy and security to ensure your compliance strategies remain up-to-date.

Stay tuned each week as we dive into these complex topics and beyond, equipping you with the knowledge needed to stay ahead in the ever-evolving cybersecurity landscape.

Threats

1. Malware Exploits Application Layer for Stealthy Attacks

Analysis of over 1 million malware samples reveals that attackers are increasingly leveraging the Application Layer of the OSI model to conduct stealthy Command-and-Control (C2) operations. By abusing trusted protocols like HTTP/S, DNS, and SMTP, adversaries embed malicious activities within legitimate traffic, evading traditional detection mechanisms. Advanced tools like deep packet inspection and behavioral monitoring are critical to counter these threats.
Read more: https://cybersecuritynews.com/malware-samples-analysis-application-layer/

2. Rise in LLMjacking: DeepSeek-V3 Targeted

The release of DeepSeek-V3 has led to a surge in LLMjacking attacks, where stolen API keys are used to exploit large language models (LLMs). Cybercriminals monetize unauthorized access via reverse proxy systems, generating significant financial losses for victims. Organizations are advised to secure API keys and monitor account activity to mitigate these risks.
Read more: https://cybersecuritynews.com/llm-hijackers-deepseek-v3-model/

3. NetSupport RAT Abused for Full System Control

The NetSupport Remote Access Trojan (RAT) is being weaponized through the “ClickFix” technique, tricking users into executing malicious PowerShell commands. This allows attackers to gain full control over systems, leading to ransomware attacks and data breaches. Organizations should deploy endpoint detection tools and restrict unauthorized software installations.
Read more: https://cybersecuritynews.com/netsupport-rat-grant-attackers-full-access/

4. Valentine’s Day-Themed Domains Used for Cyberattacks

Threat actors are exploiting newly registered Valentine’s Day-themed domains to launch phishing and malware campaigns. A 39% rise in such domains has been observed, with one in eight being malicious or suspicious. Users should verify domain legitimacy and avoid clicking on unsolicited links during seasonal events.
Read more: https://cybersecuritynews.com/hackers-newly-registering-valentines-day-themed-domains/

5. Remote Desktop Manager Vulnerabilities Expose Encrypted Communications

Critical vulnerabilities in Devolutions’ Remote Desktop Manager (RDM) allow attackers to intercept encrypted communications through man-in-the-middle (MITM) attacks. Users are urged to upgrade to patched versions immediately to mitigate these risks.
Read more: https://cybersecuritynews.com/rdm-vulnerabilities-intercept-encrypted-communications/

6. Phishing Campaign Exploits Webflow CDN and Fake CAPTCHAs

A sophisticated phishing campaign abuses Webflow’s CDN and fake CAPTCHA pages to steal sensitive financial information. Victims are lured via search engine results into providing personal details under the guise of subscription services. Caution is advised when interacting with unfamiliar websites or documents found online.
Read more: https://cybersecuritynews.com/new-phishing-attacks-abuses-webflow-cdn-captchas/

7. Winnti Hackers Target Japanese Organizations

The China-based Winnti Group has launched a campaign called “RevivalStone,” targeting Japanese organizations in the manufacturing and energy sectors with advanced malware and WebShells. The attack highlights the need for robust cybersecurity defenses against state-sponsored threats.
Read more: https://cybersecuritynews.com/winnti-hackers-attacking-japanese-organizations/

8. Device Code Phishing Captures Authentication Tokens

Storm-2372 attackers exploit device code authentication to steal tokens, granting unauthorized access to accounts without passwords. Organizations should enforce multi-factor authentication (MFA) and educate users on phishing tactics to defend against such attacks.
Read more: https://cybersecuritynews.com/new-device-code-phishing-attack-exploit-device-code-authentication/

9. Astaroth 2FA Phishing Kit Bypasses Security Measures

The Astaroth phishing kit targets Gmail, Yahoo, and Office 365 users by intercepting two-factor authentication (2FA) codes through fake login pages. Enhanced user vigilance and reliance on app-based MFA instead of SMS are recommended for protection against such threats.
Read more: https://cybersecuritynews.com/new-astaroth-2fa-phishing-kit-targeting-gmail/

10. Fake BSOD Delivered via Malicious Python Script

A Python script using the tkinter library creates a fake “Blue Screen of Death” (BSOD) as an anti-analysis tactic, disrupting systems temporarily while evading antivirus detection due to its low-profile nature. Behavioral analysis is crucial for identifying such threats early on.
Read more: https://cybersecuritynews.com/fake-bsod-delivered/

Cyber Attack News

1. Critical KerioControl Firewall Vulnerability Exposes Thousands of Systems

A severe vulnerability (CVE-2024-52875) in GFI KerioControl firewalls allows remote code execution (RCE) through unauthenticated URI paths. Over 12,000 systems remain unpatched globally, posing risks of data breaches and ransomware attacks. Organizations are urged to restrict access, monitor for unusual activity, and apply updates promptly.
Read more: https://cybersecuritynews.com/keriocontrol-firewall-1-click-rce/

2. SonicWall Firewalls Exploited to Hijack SSL VPN Sessions

Attackers are exploiting a critical flaw (CVE-2024-53704) in SonicWall firewalls to bypass authentication and hijack SSL VPN sessions. The vulnerability stems from improper handling of Base64-encoded session cookies. SonicWall has released patches, and organizations are advised to update immediately to mitigate risks.
Read more: https://cybersecuritynews.com/unpatched-sonicwall-firewalls-vulnerability/

3. Hackers Use Social Engineering to Exploit PowerShell

North Korean hacking group Emerald Sleet is tricking victims into running PowerShell commands as administrators via spear-phishing emails. The attack installs malicious tools for espionage and data theft. Microsoft advises training users to recognize phishing attempts and deploying advanced anti-phishing solutions.
Read more: https://cybersecuritynews.com/hackers-trick-you-to-run-powershell-as-admin/

4. $8.5M Stolen in zkLend DeFi Hack

The Ethereum-based DeFi protocol zkLend suffered a major breach, losing 3,300 ETH ($8.5 million). The company has offered a 10% whitehat bounty for the return of funds but may escalate the matter with law enforcement if the attacker does not respond. Users are reminded of the risks associated with DeFi platforms.
Read more: https://cybersecuritynews.com/zklend-hacked/

5. Apple Silicon’s KASLR Security Bypassed by SysBumps Attack

Researchers have bypassed Apple Silicon’s Kernel Address Space Layout Randomization (KASLR), exposing macOS systems to kernel memory exploitation. The attack leverages speculative execution vulnerabilities in Apple’s M-series processors, highlighting weaknesses in advanced kernel isolation techniques. Apple is investigating mitigation strategies.
Read more: https://cybersecuritynews.com/kaslr-exploited-apple-silicon/

6. Pyramid Pentesting Tool Abused for Stealthy C2 Communications

Hackers are using the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) channels, bypassing endpoint detection systems. Pyramid’s lightweight HTTP/S server capabilities make it a favored choice for malicious actors seeking to evade detection during post-exploitation activities.
Read more: https://cybersecuritynews.com/hackers-using-pyramid-pentesting-tool/

7. Malware Exploits Microsoft Outlook via Graph API

A sophisticated malware campaign uses Microsoft Outlook as a communication channel through the Graph API, employing custom tools like PATHLOADER and FINALDRAFT for espionage and data exfiltration. Organizations should monitor Graph API usage and implement stringent access controls to counter such threats effectively.
Read more: https://cybersecuritynews.com/new-malware-exploiting-outlook-as-a-communication-channel/

8. PAN-OS Authentication Bypass Actively Exploited

Palo Alto Networks has patched a high-severity authentication bypass vulnerability (CVE-2025-0108) in PAN-OS software that attackers are actively exploiting. Organizations must update affected versions immediately and restrict management interface access to trusted IPs to reduce exposure risks.
Read more: https://cybersecuritynews.com/pan-os-authentication-bypass-exploited/

9. Salt Typhoon Hackers Exploit Cisco Devices Globally

The Chinese state-sponsored group Salt Typhoon exploited over 1,000 unpatched Cisco devices using privilege escalation vulnerabilities (CVE-2023-20198 and CVE-2023-20273). These attacks target telecommunications providers and universities, emphasizing the need for immediate patching and enhanced network security measures.
Read more: https://cybersecuritynews.com/salt-typhoon-hackers-exploited-1000-cisco-devices/

Vulnerability News

1. Microsoft SharePoint Connector Vulnerability (CVE-2024-49070)

A critical SSRF vulnerability in Microsoft Power Platform’s SharePoint connector allowed attackers to impersonate users and access sensitive data. Exploitation required specific user roles, but Microsoft has patched the flaw. Organizations are advised to apply updates and monitor for suspicious activity.
Read more: https://cybersecuritynews.com/microsoft-sharepoint-connector-vulnerability/

2. Apple Zero-Day Vulnerability (CVE-2025-24200)

Apple released iOS and iPadOS 18.3.1 to address a zero-day vulnerability targeting USB Restricted Mode. This flaw allowed physical attackers to disable the feature on locked devices, posing risks to targeted individuals. Immediate updates are recommended for all eligible devices.
Read more: https://cybersecuritynews.com/apple-0-day-vulnerability-exploited-in-extremely-sophisticated-attacks-in-the-wild/

3. Progress LoadMaster Security Vulnerabilities

Multiple critical vulnerabilities in Progress LoadMaster products could allow attackers to execute arbitrary commands or access sensitive files. No reports of exploitation have surfaced, but users should update to the latest firmware immediately.
Read more: https://cybersecuritynews.com/progress-loadmaster-security-vulnerability/

4. SAP Patches 19 Vulnerabilities

SAP released updates addressing high-severity vulnerabilities, including XSS, authentication bypasses, and authorization flaws across platforms like NetWeaver and BusinessObjects. Timely patching is crucial to mitigate exploitation risks.
Read more: https://cybersecuritynews.com/19-vulnerabilities-across-multiple-products-patched/

5. Ivanti CSA RCE Vulnerability (CVE-2024-47908)

Ivanti patched a critical command injection vulnerability in its Cloud Services Appliance (CSA), which could allow remote code execution by authenticated attackers. Users are urged to upgrade to version 5.0.5 immediately.
Read more: https://cybersecuritynews.com/ivanti-csa-vulnerability-rce/

6. Fortinet FortiOS DoS and RCE Flaws

Fortinet addressed vulnerabilities in its VPN software that could lead to denial-of-service attacks or remote code execution due to outdated library usage. Updated FortiOS versions are now available, and immediate patching is advised.
Read more: https://cybersecuritynews.com/fortios-vulnerabilities-allowing-dos-rce/

7. OpenSSL MitM Vulnerability (CVE-2024-12797)

A high-severity flaw in OpenSSL versions 3.2–3.4 could enable man-in-the-middle attacks during TLS handshakes using raw public keys (RPKs). Administrators must update OpenSSL to the latest patched versions promptly.
Read more: https://cybersecuritynews.com/openssl-vulnerability/

8. AWS IAM Username Enumeration Flaws

Two vulnerabilities in AWS IAM login flows allowed attackers to enumerate valid usernames via MFA prompts and timing discrepancies. AWS has patched one issue, while the other remains an accepted risk; organizations should enable MFA and monitor login events closely.
Read more: https://cybersecuritynews.com/aws-iam-vulnerabilities/

9. PAN-OS Authentication Bypass (CVE-2025-0108)

Palo Alto Networks disclosed a vulnerability in PAN-OS that allowed unauthenticated attackers to bypass web interface authentication under specific configurations. Organizations should upgrade affected systems and restrict interface access to internal IPs only.
Read more: https://cybersecuritynews.com/pan-os-vulnerability-web-interface-authentication/

10. Chrome Use-After-Free Vulnerability (CVE-2025-0995)

Google released an urgent Chrome update addressing critical vulnerabilities, including a use-after-free flaw in the V8 JavaScript engine that could enable remote code execution via crafted HTML pages. Users should update Chrome immediately to secure their browsers against potential exploits.
Read more: https://cybersecuritynews.com/chrome-use-after-free-vulnerability-v8/

11. Firewall Authentication Bypass Issue

A newly discovered firewall vulnerability allows attackers to bypass authentication mechanisms under certain conditions, compromising network security systems’ integrity and confidentiality. Immediate updates are recommended for affected devices.
Read more: https://cybersecuritynews.com/firewall-authentication-bypass-vulnerability/

Other Cyber News

1. GitHub Copilot Introduces Agent Mode for Autonomous Coding

GitHub has launched a revolutionary update to its AI-powered coding assistant, GitHub Copilot, with the introduction of Agent Mode. This new feature enables developers to autonomously complete complex coding tasks, such as debugging, designing database schemas, and implementing APIs. Available in preview for Visual Studio Code Insiders, Agent Mode combines advanced AI capabilities with workflow automation.

Additionally, GitHub announced the general availability of Copilot Edits, which allows multi-file changes using natural language prompts. A sneak peek into Project Padawan also revealed plans for autonomous software engineering agents capable of automating tasks like generating pull requests and refactoring codebases.

Read more: GitHub Copilot’s New Agent Mode

2. Major Takedown of 8Base Ransomware Group

In a significant breakthrough, Thai authorities have arrested four European nationals linked to the notorious 8Base ransomware group. The operation, codenamed “Phobos Aetor,” led to the seizure of the group’s dark web infrastructure. The suspects are accused of deploying Phobos ransomware, targeting over 1,000 victims globally and causing damages exceeding $16 million.

The group used a “double extortion” strategy, encrypting data while threatening to leak it if ransoms were not paid. This takedown highlights growing international cooperation in combating ransomware threats.

Read more: 8Base Ransomware Dark Web Site Seized

3. Google Chrome’s Enhanced Safe Browsing Protects Over 1 Billion Users

Google Chrome’s Enhanced Protection mode now safeguards more than 1 billion users against phishing and scams. This advanced security feature offers twice the protection compared to standard modes by leveraging AI and machine learning to detect malicious websites and downloads in real time.

Enhanced Protection also conducts over 300,000 deep scans monthly to identify malware hidden in suspicious files, ensuring robust online safety while prioritizing user privacy.

Read more: Google Chrome’s Safe Browsing

4. Windows 11 Compression Formats Pose Security Risks

Microsoft’s latest Windows 11 update (KB5031455) added native support for 11 new compression formats like RAR and 7z via the open-source libarchive library. However, this integration has exposed users to vulnerabilities, including remote code execution (RCE) flaws (CVE-2024-20696 and CVE-2024-20697).

These vulnerabilities stem from improper bounds checking during file decompression, allowing attackers to execute arbitrary code or manipulate files on affected systems. Users are advised to exercise caution when handling archives from untrusted sources.

Read more: Windows 11’s New Compression Formats Pose Risks

Hackers Exploited 16 0-days & Earned $382,750 – Pwn2Own Automotive 2025
https://cybersecuritynews.com/hackers-exploited-multiple-0-days/
Wed, 22 Jan 2025 14:52:15 +0000
The much-anticipated Pwn2Own Automotive 2025 kicked off today at Tokyo Big Sight, showcasing the cutting edge of automotive cybersecurity research.

On its first day, white-hat hackers demonstrated their skills by exploiting 16 previously unknown vulnerabilities across in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and operating systems (OS). The event awarded a staggering $382,750 in prizes to participants.


Key Highlights from Day 1

The competition saw a mix of successes, collisions (where exploits overlapped with known vulnerabilities), and failures. Here are the notable achievements:

  • PCAutomotive exploited a stack-based buffer overflow on the Alpine IVI system, earning $20,000 and two Master of Pwn points.
  • Viettel Cyber Security successfully used an OS command injection bug to exploit the Kenwood IVI system for $20,000 and two points.
  • Cong Thanh and Nam Dung of ANHTUD leveraged an integer overflow to gain code execution on the Sony XAV-AX8500 IVI system, securing $20,000 and two points.
  • Sina Kheirkhah of Summoning Team executed a three-bug combo to exploit the Phoenix Contact CHARX SEC-3150 EV charger. Despite one bug being previously disclosed, he earned $41,750 and 4.25 points.
  • Synacktiv utilized a stack-based buffer overflow combined with a known OCPP bug to manipulate signals on the ChargePoint charger. This earned them $47,500 and 4.75 points.

The standout performance came from PHP Hooligans, who exploited a heap-based buffer overflow on the Autel charger to claim $50,000 and five Master of Pwn points.

Autel Charger

Similarly impressive was Sina Kheirkhah, who later exploited a hard-coded cryptographic key vulnerability in a Ubiquiti charger for another $50,000 and five points.

Another notable success came from fuzzware[.]io, whose team accessed an Autel MaxiCharger via an open port and exploited it using a stack-based buffer overflow. Their efforts netted them $25,000 and five points.

Bug collisions—where multiple teams targeted the same vulnerabilities—were a recurring theme. For example:

  • SK Shieldus encountered a collision while exploiting an unpatched OS command injection bug in Alpine IVI from last year’s contest. They received only $5,000 and one point.
  • Similarly, Bongeun Koo of STEALIEN faced a collision on Alpine IVI but managed to earn $5,000.

Despite some failures, such as unsuccessful attempts by Riccardo Mori (Quarkslab) and Sina Kheirkhah on certain targets, the day ended with high spirits.

Leaderboard Update

  • The team from fuzzware.io leads the Master of Pwn race with multiple successful exploits.
  • Close behind is Sina Kheirkhah, who amassed $91,750 in winnings and 9.25 points.

Leaderboard

Pwn2Own Automotive 2025 continues until January 24, with more exploits expected as researchers tackle additional targets. The event underscores the importance of addressing cybersecurity risks in software-defined vehicles as they become increasingly integral to modern transportation.

Vim Command Line Text Editor Vulnerability Triggers Potential Crash https://cybersecuritynews.com/vim-vulnerability-binary/ Tue, 21 Jan 2025 06:39:23 +0000

The post Vim Command Line Text Editor Vulnerability Triggers Potential Crash appeared first on Cyber Security News.

A segmentation fault vulnerability has been identified in the popular command-line text editor Vim, affecting versions before 9.1.1043. 

This flaw, CVE-2025-24014, exposes users to a potential crash when operating Vim in silent Ex mode (-s -e) under specific conditions. 

The vulnerability arises from improper handling of binary characters, leading to an out-of-bounds write scenario.

Vim Command Line Editor Vulnerability CVE-2025-24014

According to GitHub user @fizz-is-on-the-way, who reported the vulnerability, in silent Ex mode, Vim operates without displaying a graphical interface and is commonly used for automated or batch text processing. 

However, by providing Vim with a few binary characters, it is still possible to trigger the function that manages the scrolling of a graphical user interface (GUI) version of Vim.

This function attempts to access the ScreenLines pointer, which remains unallocated in silent Ex mode due to the absence of a screen. Consequently, this results in a segmentation fault.

“It is still possible to trigger the function that handles the scrolling of a GUI version of Vim by feeding some binary characters to Vim”, reads the report.

“The function that handles the scrolling, however, may be triggering a redraw, which will access the ScreenLines pointer, even so, this variable hasn’t been allocated”.

The root cause of the issue is the win_line() function, which handles screen redraws. When invoked improperly, it accesses memory locations beyond its bounds, leading to a crash. 

The vulnerability has been categorized under CWE-787, Out-of-bounds Write, emphasizing its potential for memory corruption.

The severity of CVE-2025-24014 is rated as medium due to the specific conditions required for exploitation:

  • The user must explicitly run Vim in silent Ex mode.
  • Malicious binary data must be intentionally fed into Vim to trigger the flaw.

While the vulnerability does not allow remote code execution or privilege escalation, it could disrupt workflows by causing unexpected crashes.

Fix Available

The issue has been addressed in Vim patch 9.1.1043, which implements a safeguard to prevent redraw attempts if the ScreenLines pointer is null.

This fix ensures that no unallocated memory is accessed during operations in silent Ex mode.

Users are strongly advised to update their Vim installations to version 9.1.1043 or later to mitigate this vulnerability.

Although its impact is limited due to particular exploit conditions, users should prioritize system updates to prevent disruptions from unexpected crashes.

Quantum Computing’s Impact On Encryption Standards https://cybersecuritynews.com/quantum-impact-encryption-2/ Mon, 13 Jan 2025 08:05:18 +0000

The post Quantum Computing’s Impact On Encryption Standards appeared first on Cyber Security News.

Quantum computing is both a game-changer and a problem. Traditional computers use bits (0s and 1s) to process information, and quantum computers use qubits, which can be in multiple states at the same time thanks to superposition and entanglement.

This exponential increase in processing power means quantum computers can solve problems that would take classical computers millennia to crack.

This is great for medicine, artificial intelligence, and logistics but a big problem for the encryption that underpins the internet.

Encryption is at the heart of modern security. Techniques like RSA, AES, and ECC (Elliptic Curve Cryptography) are the foundation of secure communications and transactions, from sending emails to online banking.

These algorithms rely on hard mathematical problems, such as prime factorization and discrete logarithms, that classical computers take a very long time to solve.

But with quantum computing these encryption standards can be cracked in seconds. This brings quantum-resistant cryptography to the top of the security agenda.

Bitcoin And Blockchain Security

The impact of quantum computing goes far beyond traditional encryption. Blockchain, the basis of cryptocurrencies like Bitcoin, has a quantum problem too.

At the heart of Bitcoin’s security is the use of cryptographic algorithms, especially ECC, which ensures only the holder of a private key can authorize a transaction.

If quantum computers can break ECC an attacker could, in theory, reverse engineer private keys from public addresses and steal Bitcoin or other assets secured by blockchain.

For now, Bitcoin is safe. Quantum computers aren’t powerful enough to do this on a large scale. But this won’t last forever.

If blockchain is to remain secure in the post-quantum world developers will need to add quantum-safe cryptographic methods, possibly moving to lattice-based cryptography or hash-based cryptography.

These new cryptosystems could potentially be resistant to quantum attacks by using mathematical structures that quantum computers can’t break.

The convergence of blockchain and quantum computing is still speculative but it’s a reason to be vigilant and future-proof your digital assets.

Shor’s Algorithm: The Sword Of Damocles

One of the biggest threats to current encryption is Shor’s algorithm, a quantum algorithm that makes factoring large integers much faster – a problem that RSA is based on.

While classical algorithms take exponentially longer to factor larger numbers, Shor’s algorithm would allow a quantum computer to factor them in polynomial time.

What used to take thousands of years of classical computing time could be done in hours, making RSA obsolete.

This paradigm shift poses huge problems for governments, corporations, and individuals who rely on encryption to protect everything from classified communications to personal data.

The real risk is that sensitive information currently encrypted could be stored and decrypted when quantum computers are available.

This is called a “harvest now, decrypt later” strategy where attackers collect encrypted data today and break it in the quantum future.

The Post-Quantum Cryptography Rush

In response to these growing concerns, the cryptographic community is racing to develop quantum-resistant algorithms. NIST has already started standardizing post-quantum cryptographic algorithms which will be finalized in the next few years.

These quantum-safe algorithms are based on problems that even quantum computers struggle to solve efficiently such as lattice-based, code-based, and multivariate polynomial cryptography.

Each has its approach to securing data in the quantum era, but none are without their own complexities and limitations.

Lattice-based cryptography, for example, builds its security around problems in lattice mathematics where finding the shortest or closest vector in a lattice is computationally infeasible for both classical and quantum computers.

Multivariate polynomial cryptography, on the other hand, involves solving systems of polynomial equations – another problem that is resistant to quantum breakthroughs.

While these algorithms are promising, their real world applications and efficiency are still an area of active research.

Hybrid Approach

Despite the progress in quantum-resistant cryptography, many security experts recommend a hybrid approach to encryption during the transition to a post-quantum world.

This means combining classical and quantum-resistant cryptographic methods to create layered defenses so that even if one is broken, the other still provides security.

This hybrid model would provide a buffer period for organizations to adapt without being immediately vulnerable.

Banks, governments and large corporations are focused on this hybrid approach as they have the most to lose.

The problem is the massive infrastructure change required to deploy quantum-safe cryptography at scale. Public key infrastructures (PKI) embedded in software, hardware, and communication protocols will need to be updated.

Quantum Future Ready

Quantum computing is still a few decades away but we need to start preparing for its impact on encryption now.

Cybersecurity professionals and cryptographers are saying we need to be proactive, not reactive: waiting for quantum supremacy to arrive before acting could be catastrophic.

The financial, government, and healthcare sectors where encryption is key are most at risk and need to get ahead of the curve by investing in quantum-safe solutions now.

In addition to technical prep, international collaboration will be key to a smooth transition to post-quantum encryption standards. As quantum computing evolves so will the geopolitical landscape of cybersecurity.

Countries that fall behind in this race will find their infrastructure and communications vulnerable to quantum-enabled attacks.

Conclusion: The Quantum Challenge

Quantum computing will change the world, but it will also break modern encryption. As we stand at the edge of this next great leap in computing power, the race to secure our digital world from quantum threats is already underway.

While there is still work to be done (post-quantum crypto and upgrading existing infrastructure), the cybersecurity community must stay alert.

The quantum future is coming and with it a whole new way of protecting our most sensitive data.

PoC Exploit Released For OpenSSH Arbitrary Code Execution Vulnerability https://cybersecuritynews.com/regresshion-code-execution-vulnerability/ Mon, 06 Jan 2025 10:40:34 +0000

The post PoC Exploit Released For OpenSSH Arbitrary Code Execution Vulnerability appeared first on Cyber Security News.

A proof-of-concept (PoC) exploit for the critical OpenSSH vulnerability CVE-2024-6387, also known as “regreSSHion,” has been released, raising alarms across the cybersecurity community.

The flaw, which affects millions of OpenSSH servers globally, allows unauthenticated, remote attackers to execute arbitrary code with root privileges under specific conditions.

The Vulnerability: A Regression Of A 2006 Issue

CVE-2024-6387 arises from a signal handler race condition in OpenSSH’s server (sshd). This issue occurs when an unauthenticated client fails to log in within the `LoginGraceTime` limit (120 seconds by default).

The server’s SIGALRM handler, triggered in this scenario, calls non-async-signal-safe functions such as `syslog()`, creating a race condition that can be exploited to achieve remote code execution (RCE). 

This vulnerability is particularly critical because it reintroduces a flaw first patched in 2006 (CVE-2006-5051), making it a regression issue. The vulnerability was uncovered by Qualys Threat Research Unit.

It impacts OpenSSH versions 8.5p1 through 9.8p1 on glibc-based Linux systems. OpenBSD systems remain unaffected due to their different signal-handling mechanisms.

Exploitation Challenges And Risks

While the vulnerability is severe, exploiting it is not straightforward. Security researchers have described it as a “statistical exploit,” requiring numerous attempts to win the race condition.

In controlled environments, successful exploitation takes between several hours and one week, depending on system configurations and mitigations like Address Space Layout Randomization (ASLR). Despite these challenges, the release of PoC code significantly lowers the barrier for attackers.

Reports indicate that exploit tools targeting CVE-2024-6387 are already circulating on underground forums, and at least one IP address has been observed attempting exploitation in the wild.

The vulnerability affects over 14 million internet-exposed OpenSSH servers globally, according to scans conducted using tools like Shodan and Censys.

Approximately 700,000 of these are confirmed vulnerable based on Qualys’ data. Exploitation could lead to full system compromise, allowing attackers to install malware, create backdoors, manipulate data, and propagate within networks.

Notably, exploitation has only been demonstrated on 32-bit Linux systems with glibc. While exploitation on 64-bit systems or non-glibc environments is theoretically possible, it has not been confirmed. 

Mitigation Measures

To address this critical vulnerability:

  • Upgrade to OpenSSH 9.8 or Later: The latest version includes patches that resolve the race condition.
  • Temporary Workaround: Set `LoginGraceTime` to `0` in the sshd configuration file. While this prevents exploitation of the vulnerability, it may expose systems to denial-of-service risks.
  • Restrict Access: Use network-based controls to limit SSH access.
  • Monitor for Indicators of Compromise (IoCs): Organizations should deploy intrusion detection systems and monitor logs for unusual activity.
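As an added illustration of the "monitor logs" and `LoginGraceTime` items above (example code written for this post, not code from Qualys, OpenSSH or the article), the script below counts sshd's pre-authentication timeout messages per source and checks whether the interim workaround is actually in effect. It assumes sshd's standard "Timeout before authentication for <ip> port <port>" syslog line; the thresholds and sample log lines are constructed.

```python
"""Detection and config checks for the CVE-2024-6387 (regreSSHion) mitigations.

Added example for this post; not code from Qualys, OpenSSH or the article.
Every exploitation attempt must let LoginGraceTime expire, and sshd logs each
expiry as "Timeout before authentication for <ip> port <port>" (standard
sshd message; the surrounding syslog layout is assumed, adjust the regex for
yours). Winning the race takes many attempts, so a burst of these lines from
one source is the signal to alert on. Thresholds and sample lines are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

TIMEOUT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Timeout before authentication for (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_timeouts(lines, year=2025):
    """Yield (timestamp, source_ip) for every grace-timeout line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in lines:
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse "Jul  1" to "Jul 1"
        yield datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"), m["ip"]


def flag_sources(events, window_seconds=600, threshold=50):
    """Return {ip: peak timeouts seen in any sliding window} for sources at or
    above the threshold. A legitimate client rarely times out more than a few
    times; a race-condition exploit needs hundreds to thousands of attempts."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def grace_time_workaround_applied(sshd_config_text):
    """True if the article's interim workaround (LoginGraceTime 0) is in force.

    sshd honours the first occurrence of a keyword, so a later "LoginGraceTime 0"
    after an earlier non-zero value does nothing. Match blocks are not modelled.
    Remember the trade-off the article notes: 0 disables the timeout entirely,
    so unauthenticated connections can pile up until MaxStartups throttles them.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "logingracetime" and len(parts) == 2:
            return parts[1].strip() == "0"
    return False  # no directive: the 120-second default applies


# Constructed sample log: one source burning a grace timeout every 5 seconds
# for 5 minutes, one ordinary client with two isolated timeouts, and noise.
SAMPLE_LOG = [
    f"Jul  1 12:{i // 12:02d}:{(i % 12) * 5:02d} bastion sshd[{4000 + i}]: "
    f"Timeout before authentication for 203.0.113.7 port {40000 + i}"
    for i in range(60)
] + [
    "Jul  1 12:01:30 bastion sshd[4101]: Timeout before authentication for 198.51.100.2 port 50110",
    "Jul  1 12:02:00 bastion sshd[4102]: Accepted publickey for alice from 192.0.2.9 port 50200 ssh2",
    "Jul  1 12:20:00 bastion sshd[4103]: Timeout before authentication for 198.51.100.2 port 50111",
]


def run_demo():
    """Run both checks over the constructed data; returns the flagged sources."""
    flagged = flag_sources(parse_timeouts(SAMPLE_LOG))
    for ip, count in flagged.items():
        print(f"ALERT {ip}: {count} pre-auth timeouts within 10 minutes")
    # Constructed sshd_config fragment with the interim workaround applied.
    config = "Port 22\nLoginGraceTime 0\n"
    print("LoginGraceTime 0 in effect:", grace_time_workaround_applied(config))
    return flagged


if __name__ == "__main__":
    run_demo()
```

The flagged source is the one to correlate with the patch status of the host; a patched sshd logs the same timeouts, so the alert is about attempt volume, not confirmed exploitation.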

The release of the PoC code has sparked widespread concern among cybersecurity experts. While some researchers have struggled to achieve successful exploitation outside laboratory settings, others warn that attackers could refine these methods over time.

Organizations are urged to act swiftly to patch affected systems and implement additional security measures where immediate upgrades are not feasible.

The release of a PoC exploit for CVE-2024-6387 underscores the urgency of addressing this critical vulnerability in OpenSSH servers.

While mass exploitation remains unlikely due to technical barriers, the potential impact of successful attacks is severe. Organizations must prioritize patching and adopt layered security measures to mitigate risks associated with this flaw.

Raccoon Infostealer Admin Arrested for Hacking Computers https://cybersecuritynews.com/raccoon-infostealer-admin-arrested/ Thu, 19 Dec 2024 15:40:47 +0000

The post Raccoon Infostealer Admin Arrested for Hacking Computers appeared first on Cyber Security News.

Mark Sokolovsky, a 28-year-old Ukrainian national, has been sentenced to 60 months in federal prison for his role in operating the notorious “Raccoon Infostealer” malware-as-a-service (MaaS). The sentencing marks a significant step in combating international cybercrime.

Raccoon Infostealer emerged as a leading malware-as-a-service platform since its inception in 2019.

It allowed cybercriminals to steal sensitive data, including login credentials, financial information, and cryptocurrency wallet details, by renting the malware for approximately $200 per month in cryptocurrency payments.

The malware was distributed through phishing campaigns and exploit kits, targeting browsers, cryptocurrency wallets, and other applications.

It exfiltrated data into compressed files sent to command-and-control servers, leaving victims vulnerable to fraud and identity theft.

The FBI and international law enforcement dismantled the Raccoon infrastructure in March 2022 during Sokolovsky’s arrest in the Netherlands.

This operation disrupted the malware’s activities temporarily but highlighted the growing sophistication of cybercrime networks.

Sokolovsky was extradited to the United States in February 2024 after being indicted on charges including conspiracy to commit computer intrusion, fraud, money laundering, and aggravated identity theft.

In October 2024, he pleaded guilty to one count of conspiracy to commit computer intrusion. As part of his plea agreement, he agreed to forfeit $23,975 and pay restitution of at least $910,844.61 to victims.

The court acknowledged that Raccoon Infostealer compromised over 52 million user credentials globally. U.S. Attorney Jaime Esparza emphasized that Sokolovsky’s actions enabled even amateur hackers to commit complex cybercrimes on a massive scale.

Law enforcement agencies from multiple countries played crucial roles in bringing Sokolovsky to justice.

The case underscores the challenges posed by malware-as-a-service platforms like Raccoon Infostealer. Despite its dismantling in 2022, an upgraded version re-emerged in underground forums by 2023, showcasing enhanced features and anti-detection measures.

The FBI continues to prioritize such cases and encourages victims of financial scams linked to Raccoon Infostealer to report incidents via its IC3.gov platform.

This sentencing serves as a warning to cybercriminals worldwide. With international cooperation becoming increasingly effective, law enforcement agencies are better equipped to combat the evolving landscape of cybercrime.

Next.js Authorization Bypass Vulnerability Exposes Root-Level Pages https://cybersecuritynews.com/next-js-authorization-bypass-vulnerability/ Thu, 19 Dec 2024 11:05:13 +0000

The post Next.js Authorization Bypass Vulnerability Exposes Root-Level Pages appeared first on Cyber Security News.

A critical security vulnerability tracked as CVE-2024-51479 has been identified in Next.js, a widely used React framework for building web applications.

The flaw allowed unauthorized access to certain pages directly under the application’s root directory, bypassing middleware-based authorization checks. This issue has raised significant concerns due to Next.js’ extensive adoption by developers and organizations worldwide.

The vulnerability affected Next.js versions 9.5.5 through 14.2.14. It stemmed from how middleware authorization was implemented based on the pathname of requests.

Specifically, pages located directly under the root directory (e.g., `https://example.com/foo`) were vulnerable, while the root itself (`https://example.com/`) and nested paths (`https://example.com/foo/bar`) remained unaffected.

This bypass could have enabled attackers to gain unauthorized access to sensitive application data or functionality if proper authorization mechanisms had not been implemented elsewhere in the application.

The vulnerability was assigned a CVSS score of 7.5, indicating high severity. Given the widespread use of Next.js in enterprise and consumer-facing applications, this flaw posed a significant risk to user data and business operations.

Organizations relying on middleware for authorization checks were particularly vulnerable if they had not updated their applications.

The Next.js team promptly addressed the issue by releasing a patch in version 14.2.15 and later. Developers are strongly advised to upgrade their applications to this version or newer to eliminate the risk of exploitation.

For applications hosted on Vercel, the platform that created Next.js, the vulnerability has been automatically mitigated through proactive measures implemented by Vercel’s firewall.

This ensures that even applications running older versions of Next.js are protected against this specific flaw.

Unfortunately, this vulnerability has no official workarounds apart from upgrading to a patched version of Next.js. Developers must prioritize updating their dependencies to secure their applications effectively.

To protect against potential exploitation:

  • Update your Next.js application to version 14.2.15 or later immediately.
  • If hosting on Vercel, verify that your deployment benefits from their automatic mitigation.
  • Review your application’s authorization logic to ensure robust security measures beyond middleware checks.

This incident underscores the importance of staying vigilant about security updates and regularly auditing application dependencies for vulnerabilities.

By addressing such issues promptly, developers can safeguard their applications and users from potential threats.

Fortinet Vulnerabilities Let Attackers Execute Arbitrary Code Remotely https://cybersecuritynews.com/fortinet-remote-code-vulnerability/ Thu, 19 Dec 2024 08:16:53 +0000

The post Fortinet Vulnerabilities Let Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.

Fortinet, a leading cybersecurity solutions provider, has issued urgent advisories regarding two critical vulnerabilities affecting its FortiWLM and FortiManager products.

These flaws could enable attackers to execute unauthorized code or commands remotely, posing significant risks to enterprise networks.

FortiWLM Vulnerability (CVE-2023-34990):

A critical security flaw, identified as CVE-2023-34990, has been discovered in Fortinet’s FortiWLM, a wireless LAN management solution.

With a CVSS score of 9.6, this vulnerability stems from a relative path traversal issue (CWE-23) that allows unauthenticated attackers to read sensitive files. The affected versions include:

  • FortiWLM 8.6: 8.6.0 through 8.6.5
  • FortiWLM 8.5: 8.5.0 through 8.5.4

Fortinet has released updates to address this issue, urging users to upgrade to FortiWLM 8.6.6 or above for version 8.6 and 8.5.5 or above for version 8.5.

Security researcher Zach Hanley of Horizon3.ai identified that the vulnerability stems from improper validation of the imagename parameter in the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint.

This flaw enables attackers to construct requests with path traversal sequences to access files outside the intended directory.

FortiManager Vulnerability (CVE-2024-48889):

Another critical vulnerability, tracked as CVE-2024-48889, affects Fortinet’s FortiManager, a centralized security management platform.

This flaw, with a CVSS score of 7.2, arises from improper neutralization of special elements in OS commands (CWE-78), potentially allowing authenticated attackers to execute arbitrary code remotely. The affected versions include:

  • FortiManager 7.6: 7.6.0
  • FortiManager 7.4: 7.4.0 through 7.4.4
  • FortiManager 7.4 Cloud: 7.4.1 through 7.4.4
  • FortiManager 7.2: 7.2.3 through 7.2.7
  • FortiManager 7.2 Cloud: 7.2.1 through 7.2.7
  • FortiManager 7.0: 7.0.5 through 7.0.12
  • FortiManager 7.0 Cloud: 7.0.1 through 7.0.12
  • FortiManager 6.4: 6.4.10 through 6.4.14

Additionally, older FortiAnalyzer models with the `fmg-status` feature enabled are also impacted. Fortinet has provided updates for these versions, recommending users upgrade to the latest versions to mitigate the risk.

Organizations and individuals relying on Fortinet products are strongly advised to apply the necessary updates immediately to protect their systems and data from potential attacks.

Fortinet’s advisories provide detailed information on affected versions, remediation steps, and workarounds. Users should consult these resources and take appropriate action to secure their environments.

The discovery of these critical vulnerabilities underscores the importance of timely patching and vigilant cybersecurity practices.

Fortinet’s proactive approach to addressing these issues highlights the ongoing battle against cyber threats and the need for continuous security updates in enterprise environments.
