The vulnerability, tracked as CVE-2025-21042, is an out-of-bounds write vulnerability in the libimagecodec.quram.so library on Samsung mobile devices.

This security flaw allows remote attackers to execute arbitrary code on vulnerable devices without user interaction, making it particularly dangerous and prone to widespread exploitation.

Samsung 0-Day RCE Vulnerability Exploited

The vulnerability is classified under CWE-787, which represents out-of-bounds write flaws that can lead to memory corruption and unauthorized code execution.

The CISA researchers have confirmed that attackers are leveraging this zero-day to compromise Samsung smartphones. However, specific details about the attack campaigns remain limited.

CISA’s decision to add CVE-2025-21042 to the KEV catalog on November 10, 2025, signals that federal agencies have confirmed active exploitation attempts targeting this vulnerability.

While it remains unknown whether the flaw has been weaponized in ransomware campaigns, the remote code execution capability poses significant risks to both individual users and enterprise environments.

Exploiting the vulnerability could enable attackers to gain complete control of affected devices, potentially leading to data theft, surveillance, or the use of compromised smartphones as entry points into corporate networks.

Federal agencies must apply security patches and mitigations by December 1, 2025, according to CISA’s Binding Operational Directive 22-01.

Samsung users across all sectors should immediately check for available security updates and install them without delay.

Organizations that cannot immediately patch vulnerable devices should implement compensating controls or consider discontinuing use until fixes become available.

Samsung’s September 2025 patch for CVE-2025-21043 addressed a related zero-day in the same library

Users should remain vigilant and only download applications from trusted sources while monitoring their devices for suspicious activity.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of Samsung Mobile Devices 0-Day RCE Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Dubbed CVE-2025-2783, this flaw allowed attackers to bypass Chrome’s robust sandbox protections with minimal user interaction, leading to the deployment of sophisticated spyware.

Discovered by Kaspersky researchers in March 2025, Google swiftly patched the vulnerability, but not before infections spread through personalized phishing campaigns mimicking invitations to the prestigious Primakov Readings forum.

The attacks, part of an operation Kaspersky named ForumTroll, targeted media outlets, universities, government agencies, and financial institutions, underscoring the group’s focus on intelligence gathering.

Victims received impeccably crafted emails in Russian, luring them to malicious sites that triggered the exploit upon visit no downloads or clicks beyond the initial link were needed.

This drive-by infection chain exploited Chrome’s Mojo inter-process communication system, a critical component for handling data between browser processes on Windows.

The vulnerability stemmed from a subtle oversight: Chrome’s code failed to properly validate pseudo-handles like -2 (for the current thread), enabling attackers to dupe the system into duplicating handles across sandbox boundaries.

This logical flaw, rooted in outdated Windows optimizations, allowed shellcode execution in the privileged browser process, paving the way for malware persistence.

Unraveling The Attack Chain

The infection progressed in carefully designed stages, as reconstructed by Kaspersky’s Global Research and Analysis Team (GReAT).

It began with a phishing email validator script that used WebGPU to confirm a genuine browser visit, thwarting automated scanners.

If validated, an elliptic-curve Diffie-Hellman key exchange decrypted the next payload, hidden in innocuous files like JavaScript bundles and fonts.

Although the remote code execution (RCE) exploit evaded capture, the sandbox escape via CVE-2025-2783 was pivotal: it hooked functions in Chrome’s V8 inspector and ipcz library to relay thread handles, suspending and hijacking the browser process to inject a persistent loader.

This loader employed COM hijacking, overriding Windows registry entries for legitimate components like twinapi.dll to ensure malware execution in processes such as rdpclip.exe.

The payload, obfuscated with OLLVM and encrypted via a modified ChaCha20, decrypted into LeetAgent a rare spyware using leetspeak commands for tasks like keylogging, file theft (targeting docs, PDFs, and spreadsheets), and process injection.

Configuration arrived over HTTPS from C2 servers on Fastly.net, with extensive traffic obfuscation hinting at commercial origins.

Kaspersky traced LeetAgent’s debut to 2022, linking it to broader ForumTroll campaigns involving malicious attachments like ISO files and LNK shortcuts disguised as partnership invitations.

Deeper analysis revealed that LeetAgent’s loader shared code with Dante, an elusive commercial spyware from the Italian firm Memento Labs, rebranded from the infamous Hacking Team in 2019.

Dante, unveiled at the 2023 ISS World conference, packed VMProtect obfuscation, anti-debugging via event log queries for VM artifacts, and dynamic API resolution to evade hooks.

Its orchestrator managed modules encrypted with AES-256, using machine-bound keys from CPU IDs and product keys, stored in Base64-named folders under %LocalAppData%.

Kaspersky confirmed overlaps in persistence, font-hidden data, and exploit code, attributing ForumTroll’s toolkit to Memento Labs despite the vendor’s “start from scratch” promises.

This discovery highlights the shadowy spyware market’s resilience, where tools like Dante potentially nodding to Hacking Team’s “Da Vinci” via Dante Alighieri’s infernal journeys persist in APT hands.

Firefox patched a similar IPC flaw as CVE-2025-2857 shortly after. Experts warn of lingering pseudo-handle risks in other software.

For protection, update Chrome to 134.0.6998.177 or later, enable enhanced safe browsing, and monitor for IOCs like suspicious Base64 folders.

As Mem3nt0 mori evolves, vigilance against phishing remains paramount in this cat-and-mouse game of digital shadows.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Chrome 0-Day Vulnerability Actively Exploited in Attacks by Notorious Hacker Group appeared first on Cyber Security News.

The flaws, tracked as CVE-2025-24990 and CVE-2025-24052, affect the ltmdm64.sys driver and could allow low-privileged attackers to gain full administrator access.

These issues were patched in the October 2025 cumulative update, but Microsoft warns that affected fax modem hardware will cease functioning post-update.

Vulnerabilities Exposed In Legacy Driver

The Agere Modem driver, a third-party component shipped natively in Windows, has long been a dormant risk.

CVE-2025-24990 stems from an untrusted pointer dereference (CWE-822), enabling attackers to manipulate memory and bypass security boundaries.

With a CVSS 3.1 score of 7.8, it requires only local access and low privileges, yet yields high impacts on confidentiality, integrity, and availability.

Microsoft’s threat intelligence team, MSTIC, along with researchers from r-tec IT Security and an anonymous contributor, identified exploitation in the wild.

The second flaw, CVE-2025-24052, involves a stack-based buffer overflow (CWE-121), scoring 7.8 on CVSS. Publicly disclosed with proof-of-concept code available, it poses a similar threat but has not yet been observed in active attacks.

Both vulnerabilities persist even without active modem use, affecting all supported Windows versions from Windows 10 onward. Attackers need not interact with hardware; a simple local exploit suffices to elevate rights.

No indicators of compromise (IoCs) were detailed in disclosures, but Microsoft urges scanning for ltmdm64.sys presence.

These zero-days highlight the dangers of legacy drivers in modern ecosystems. An attacker with an initial foothold, perhaps via phishing or malware, could load the vulnerable driver and execute code to impersonate admins.

In enterprise settings, this escalates to domain control, data exfiltration, or ransomware deployment. Fabian Mosch from r-tec noted that exploits target driver loading during system boot or service calls, evading user-mode defenses.

The proof-of-concept for CVE-2025-24990 involves crafting malformed input to the driver’s IOCTL handler, which triggers the dereference of a controlled pointer.

For CVE-2025-24052, overflow exploits stack corruption via oversized buffers in modem emulation routines. Researchers demonstrated privilege jumps from standard user to SYSTEM level without crashes.

Microsoft’s Response And User Guidance

In the October Patch Tuesday release, Microsoft removed ltmdm64.sys entirely, rendering dependent Agere modems obsolete. Users reliant on fax hardware must seek alternatives, as no backward compatibility exists.

The company advises immediate patching and auditing for the driver via tools like Autoruns. For unpatched systems, disable the driver through Device Manager or group policy.

This incident underscores the need to phase out outdated components. Cybersecurity experts recommend endpoint detection rules for anomalous driver loads and regular vulnerability scans.

As exploitation continues, organizations should prioritize these fixes to thwart privilege escalation chains.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Windows Agere Modem Driver 0-Day Vulnerabilities Actively Exploited To Escalate Privileges appeared first on Cyber Security News.

At the center of this security crisis lies CVE-2025-20333, a devastating remote code execution vulnerability with a CVSS score of 9.9, which sophisticated state-sponsored threat actors have actively exploited in a campaign that represents a major evolution of the ArcaneDoor attack methodology.

CVE-2025-20333 represents a buffer overflow vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.

This critical flaw allows authenticated remote attackers with valid VPN user credentials to execute arbitrary code with root privileges on affected devices by sending crafted HTTP requests.

The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests, a fundamental weakness that has devastating consequences when exploited successfully.

The technical nature of this vulnerability makes it particularly dangerous for several reasons.

First, it provides attackers with root-level access to the compromised device, effectively granting complete control over the security appliance that serves as the perimeter defense for an organization’s network.

Second, the buffer overflow mechanism allows for reliable exploitation, as demonstrated by the active campaigns observed in the wild.

Third, when chained with CVE-2025-20362, the authentication requirement can be bypassed, transforming this into an unauthenticated remote code execution vulnerability.

The exploitation of CVE-2025-20333 requires attackers to have valid VPN user credentials initially.

However, security researchers and government agencies have confirmed that this vulnerability is being chained with CVE-2025-20362, which allows unauthenticated access to restricted URL endpoints.

This chaining technique effectively removes the authentication barrier, enabling attackers to achieve unauthenticated remote code execution on vulnerable systems.

The combination of these two vulnerabilities creates a perfect storm for attackers seeking to compromise network perimeter devices.

ArcaneDoor Exploiting Vulnerability

The exploitation of CVE-2025-20333 is attributed to UAT4356, also known as Storm-1849, a sophisticated state-sponsored threat actor that has been active since at least 2024.

This group is believed to be China-aligned and specializes in targeting government networks and critical infrastructure worldwide through campaigns focused on perimeter network device exploitation.

The current campaign represents a significant evolution from their previous ArcaneDoor activities, demonstrating enhanced capabilities and more sophisticated attack methodologies.

The ArcaneDoor campaign initially came to public attention in early 2024 when Cisco Talos identified attacks targeting Cisco ASA devices using two different zero-day vulnerabilities: CVE-2024-20353 and CVE-2024-20359.

These earlier attacks deployed malware families known as Line Runner and Line Dancer, which provided the threat actors with persistent access and the ability to execute arbitrary commands on compromised devices.

The success of these initial campaigns appears to have encouraged the threat actors to develop new capabilities and target additional vulnerabilities.

In May 2025, multiple government agencies engaged Cisco to investigate a new wave of attacks targeting Cisco ASA 5500-X Series devices.

The investigation revealed that the same threat actor behind the original ArcaneDoor campaign had evolved their tactics, techniques, and procedures, now deploying more sophisticated malware families called RayInitiator and LINE VIPER.

These new malware families represent a significant advancement in capability, featuring enhanced persistence mechanisms and improved evasion techniques compared to their predecessors.

Cisco ASA 0-Day RCE Attack Chain

The current ArcaneDoor campaign showcases a sophisticated multi-stage attack chain that commences with the exploitation of CVE-2025-20362 to circumvent authentication mechanisms.

Attackers first leverage this missing authorization vulnerability to gain access to restricted URL endpoints that would normally require authentication.

This initial foothold provides the necessary access to exploit CVE-2025-20333, which then allows for authenticated remote code execution with root privileges.

Once initial access is achieved through the vulnerability chain, attackers deploy RayInitiator, a persistent multi-stage bootkit that is flashed directly to the victim device’s firmware.

RayInitiator represents a significant advancement over previous malware families, as it operates at the bootloader level and can survive device reboots and firmware upgrades.

This bootkit modifies the Grand Unified Bootloader (GRUB) to ensure persistence even through system maintenance activities that would normally remove malicious software.

The second component of the attack chain involves the deployment of LINE VIPER. This sophisticated user-mode shellcode loader receives commands through WebVPN client authentication sessions or via specially crafted ICMP packets.

LINE VIPER utilizes victim-specific tokens and RSA encryption keys to secure command and control communications.

The malware’s capabilities include executing CLI commands, performing packet captures, bypassing Authentication, Authorization, and Accounting (AAA) controls, suppressing syslog messages, harvesting user CLI commands, and forcing delayed reboots to evade forensic analysis.

Affected Infrastructure And Impact Assessment

The scope of devices affected by CVE-2025-20333 and the associated campaign is significant, particularly for organizations relying on legacy Cisco ASA hardware.

The threat actors specifically targeted Cisco ASA 5500-X Series devices running ASA software versions 9.12 or 9.14 with VPN web services enabled.

These targeted models include the 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X, many of which are approaching or have already passed their end-of-support dates.

The strategic selection of these particular models is not coincidental. All successfully compromised devices lack Secure Boot and Trust Anchor technologies, making them vulnerable to the firmware-level persistence mechanisms employed by RayInitiator.

This technological limitation means that traditional remediation approaches, such as device reboots or software updates, are insufficient to completely remove the threat actor’s presence from compromised systems.

The absence of secure boot capabilities allows attackers to modify the device’s ROM Monitor (ROMMON) to maintain persistence across reboots and software upgrades.

The impact of successful exploitation extends far beyond the compromise of individual devices. Cisco ASA appliances typically serve as critical network perimeter defenses, often functioning as firewalls, VPN concentrators, and intrusion prevention systems.

When these devices are compromised, attackers gain a strategic position within the network architecture that enables traffic interception, configuration modification, and potentially lateral movement into internal network segments.

The compromise of these devices effectively turns the organization’s primary security control into an attack platform.

Government Response And Emergency Measures

The severity and scope of the CVE-2025-20333 exploitation campaign prompted an unprecedented response from government cybersecurity agencies worldwide.

On September 25, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 25-03, mandating immediate action from federal agencies to identify and mitigate potential compromises of Cisco devices.

This emergency directive represents one of the most urgent cybersecurity mandates issued by CISA, reflecting the critical nature of the threat.

The emergency directive requires federal agencies to complete several time-sensitive actions, including identifying all instances of Cisco ASA and Cisco Firepower devices in operation and collecting memory files for forensic analysis by CISA within 24 hours of the directive’s issuance.

Additionally, agencies must apply the latest Cisco-provided software updates by September 26, 2025, and continue to apply all subsequent updates within 48 hours of release.

For devices that cannot be immediately patched, agencies must disconnect them from the network to prevent further compromise. The international response to this campaign has been equally swift and coordinated.

The UK’s National Cyber Security Centre (NCSC) released detailed malware analysis reports documenting the technical capabilities of RayInitiator and LINE VIPER.

The Canadian Centre for Cyber Security and the Australian Signals Directorate’s Australian Cyber Security Centre also provided support during the investigation and issued their own advisories urging immediate action.

This coordinated international response underscores the global significance of the threat and the need for unified defensive measures.

Advanced Evasion And Anti-Forensic Techniques

One of the most concerning aspects of the CVE-2025-20333 exploitation campaign is the sophisticated anti-forensic and evasion techniques employed by the threat actors.

UAT4356 has demonstrated a deep understanding of Cisco ASA architecture and forensic analysis procedures, implementing multiple layers of defensive measures to prevent detection and analysis.

These techniques represent a significant evolution from traditional attack methodologies and pose substantial challenges for incident response teams.

The threat actors have been observed systematically disabling logging functions on compromised devices to prevent the creation of audit trails that could reveal their activities.

This logging suppression is not limited to general system logs but extends to specific syslog message types that would typically indicate unauthorized access or configuration changes.

The selective nature of this log suppression suggests detailed knowledge of Cisco ASA logging mechanisms and the specific indicators that security teams typically monitor for signs of compromise.

Perhaps most concerning is the threat actors’ practice of intentionally crashing devices to prevent forensic analysis.

When security teams attempt to collect diagnostic information through crash dumps or core dumps, the malware triggers system crashes that corrupt or prevent the collection of forensic evidence.

This technique effectively blinds investigators and makes it extremely difficult to assess the full scope of compromise or collect indicators of compromise for threat hunting activities.

The LINE VIPER malware includes specific anti-forensic capabilities designed to evade detection and analysis. The malware can intercept and modify CLI commands entered by administrators, potentially hiding malicious activities or preventing the execution of diagnostic commands.

Additionally, the malware can force delayed reboots during forensic collection attempts, ensuring that memory-resident components are cleared before investigators can analyze them.

Lessons Learned For Network Defense

The CVE-2025-20333 exploitation campaign provides several critical lessons for organizations seeking to strengthen their network defense postures.

First and foremost, the incident highlights the critical importance of maintaining current patch levels for internet-facing devices, particularly those serving as network perimeter defenses.

The exploitation of zero-day vulnerabilities demonstrates that even previously unknown threats can have devastating impacts when they target critical infrastructure components.

The campaign also underscores the evolving nature of state-sponsored threat actors and their increasing focus on perimeter network devices.

Traditional security models that rely heavily on perimeter defenses may be insufficient against adversaries capable of compromising the perimeter devices themselves.

Organizations must implement defense-in-depth strategies that assume perimeter compromise and include additional layers of security controls within their network architectures.

The advanced persistence mechanisms employed by RayInitiator demonstrate the limitations of traditional incident response approaches when dealing with firmware-level compromises.

Standard remediation procedures, such as device reboots, software reinstallation, or configuration resets, are insufficient to remove threats that have achieved bootloader-level persistence.

Organizations must develop new incident response procedures that account for firmware-level compromises and include complete device replacement or firmware reflashing as potential remediation steps.

The anti-forensic capabilities demonstrated by the threat actors highlight the need for enhanced monitoring and logging strategies.

Organizations cannot rely solely on device-generated logs for security monitoring, as sophisticated attackers can manipulate or suppress these logging mechanisms.

External monitoring solutions that capture network traffic, configuration changes, and behavioral anomalies may be necessary to detect advanced persistent threats that have compromised the primary security devices.

The exploitation of CVE-2025-20333 and the broader ArcaneDoor campaign represent a significant escalation in the capabilities and targeting of state-sponsored threat actors.

The focus on network perimeter devices reflects a strategic shift toward targeting the fundamental infrastructure components that organizations rely upon for security.

This targeting approach is particularly effective because successful compromise of perimeter devices provides attackers with both visibility into network traffic and the ability to modify security policies and configurations.

The campaign also demonstrates the increasing sophistication of state-sponsored threat actors in developing custom malware and exploitation techniques specifically tailored to target network infrastructure.

The development of RayInitiator and LINE VIPER required significant investment in research and development, suggesting that nation-state actors are dedicating substantial resources to developing capabilities against network infrastructure targets.

This level of investment indicates that infrastructure targeting will likely continue to be a priority for advanced threat actors.

The international coordination required to investigate and respond to this campaign highlights both the global nature of modern cyber threats and the importance of international cooperation in cybersecurity defense.

The collaboration between U.S., UK, Canadian, and Australian agencies in analyzing the threat and developing countermeasures demonstrates the value of information sharing and coordinated response efforts.

This level of cooperation may become increasingly necessary as threat actors continue to develop more sophisticated capabilities.

The timeline of the campaign, from initial compromise in May 2025 to public disclosure in September 2025, also raises important questions about the detection and disclosure of advanced persistent threats.

The extended duration of the campaign before detection suggests that traditional security monitoring approaches may be insufficient for detecting sophisticated state-sponsored activities.

Organizations may need to implement more advanced threat hunting capabilities and anomaly detection systems to identify subtle indicators of compromise that evade traditional security controls.

The immediate remediation of CVE-2025-20333 and associated vulnerabilities requires a comprehensive approach that goes beyond simple patch application.

Cisco has released software updates addressing all three vulnerabilities discovered during the investigation, but organizations must also address the potential for persistent compromise that may survive standard patching procedures.

For devices suspected of compromise, Cisco recommends complete device replacement or factory reset followed by complete reconfiguration with new passwords, certificates, and cryptographic keys.

The remediation process must also account for the advanced persistence mechanisms employed by the threat actors.

Organizations with potentially compromised devices should assume that standard remediation procedures are insufficient and implement complete device replacement where possible.

For devices that cannot be immediately replaced, organizations should implement additional monitoring and network segmentation to limit the potential impact of ongoing compromise.

This may include isolating affected devices from critical network segments and implementing enhanced logging and monitoring for all communications to and from these devices.

Long-term prevention strategies must address both the technical vulnerabilities that enabled the initial compromise and the broader security architecture weaknesses that allowed the threat actors to maintain persistent access.

Organizations should prioritize the replacement of end-of-life network infrastructure devices with modern alternatives that include secure boot capabilities and other advanced security features.

The lack of secure boot capabilities in the targeted ASA 5500-X models was a critical factor that enabled the persistent compromise achieved by RayInitiator.

Organizations should also implement comprehensive network monitoring and anomaly detection capabilities that can identify suspicious activities even when device-generated logs are compromised or suppressed.

This includes network traffic analysis, configuration change monitoring, and behavioral analysis that can detect indicators of compromise independently of the potentially compromised devices themselves.

Advanced threat hunting capabilities may also be necessary to identify subtle indicators of persistent threats that evade traditional detection mechanisms.

The exploitation of CVE-2025-20333 in the ArcaneDoor campaign represents a watershed moment in cybersecurity, demonstrating the evolving capabilities of state-sponsored threat actors and the critical vulnerabilities present in network infrastructure devices.

The campaign’s sophisticated techniques, from zero-day exploitation to firmware-level persistence, highlight the need for fundamental changes in how organizations approach network security and incident response.

The international response to this threat, including emergency directives and coordinated intelligence sharing, underscores both the severity of the threat and the importance of collaborative defense efforts.

The lessons learned from this campaign extend far beyond the specific technical vulnerabilities that enabled the initial compromise.

Organizations must recognize that traditional perimeter-focused security models are insufficient against adversaries capable of compromising the perimeter devices themselves.

The advanced anti-forensic techniques and persistence mechanisms employed by the threat actors require new approaches to incident response and threat detection that account for the possibility of compromised security infrastructure.

Moving forward, the cybersecurity community must continue to adapt and evolve in response to increasingly sophisticated threat actors.

This includes developing new detection capabilities, implementing more robust security architectures, and maintaining the international cooperation necessary to defend against global cyber threats.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Lesson From Cisco ASA 0-Day RCE Vulnerability That Actively Exploited In The Wild appeared first on Cyber Security News.

According to recent data, more than 23,600 vulnerabilities were published in the first half of 2025 alone, representing a 16% increase over 2024.

This alarming trend has seen sophisticated threat actors, including nation-state groups and ransomware operators, weaponizing unknown vulnerabilities faster than ever before.

Nearly 30% of Known Exploited Vulnerabilities (KEVs) were weaponized within 24 hours of disclosure, with some high-profile edge devices experiencing zero-day exploitation before patches were even available.

The scope and sophistication of these attacks have evolved dramatically, targeting everything from widely-used web browsers to critical enterprise infrastructure.

This comprehensive analysis examines the most significant zero-day vulnerabilities that have been actively exploited throughout 2025, providing cybersecurity professionals with detailed technical insights, impact assessments, and mitigation strategies.

Google Chrome: The Browser Under Siege

CVE-2025-10585: The Latest Chrome Zero-Day

The most recent addition to Chrome’s vulnerability roster, CVE-2025-10585, was discovered on September 16, 2025, and patched within 24 hours.

This type confusion vulnerability in Chrome’s V8 JavaScript and WebAssembly engine represents the sixth Chrome zero-day exploited in 2025.

Google’s Threat Analysis Group (TAG) confirmed active exploitation, suggesting sophisticated threat actors, likely nation-state groups, were leveraging this flaw in targeted campaigns.

Technical Details:

• Vulnerability Type: Type confusion in V8 engine
• Attack Vector: Malicious websites with crafted JavaScript
• Impact: Arbitrary code execution, complete browser compromise
• Affected Versions: Chrome prior to 140.0.7339.185/.186

CVE-2025-6558: ANGLE GPU Exploitation

Earlier in July 2025, CVE-2025-6558 emerged as another critical Chrome zero-day, exploiting the ANGLE (Almost Native Graphics Layer Engine) and GPU components.

This vulnerability enabled attackers to escape Chrome’s sandbox through specially crafted graphics calls, leading to out-of-bounds memory access and potential arbitrary code execution.

Technical Impact:

• CVSS Score: Not disclosed
• Exploitation Method: Malicious HTML pages with crafted graphics calls
• Consequence: Browser sandbox escape, system-level access
• Fixed Version: Chrome 138.0.7204.157/.158

Chrome’s 2025 Zero-Day Portfolio

Throughout 2025, Chrome has been targeted by multiple zero-day exploits, including CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558.

This sustained assault on Chrome underscores the browser’s critical role as an attack vector and the sophistication of modern threat actors targeting web-based technologies.

Citrix NetScaler: Critical Infrastructure Under Attack

CVE-2025-7775: The NetScaler RCE Zero-Day

On August 26, 2025, Citrix disclosed CVE-2025-7775, a critical memory overflow vulnerability in NetScaler ADC and NetScaler Gateway that had been actively exploited as a zero-day.

With a CVSS score of 9.2, this vulnerability represents one of the most severe threats to enterprise network infrastructure in 2025.

Vulnerability Analysis:

• CVSS Score: 9.2 (Critical)
• Attack Complexity: High (requires sophisticated exploitation techniques)
• Authentication Required: None (unauthenticated exploitation)
• Impact: Remote Code Execution and Denial of Service

The vulnerability affects NetScaler appliances configured as Gateway or AAA virtual servers, impacting versions 13.1, 14.1, 13.1-FIPS, and NDcPP.

According to Shadowserver data, over 28,200 instances remained exposed and vulnerable following the disclosure.

The exploitation has been linked to sophisticated threat actors capable of deploying web shells for persistent access.

Mitigation Requirements:

Organizations must immediately upgrade to fixed versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, and 12.1-FIPS/NDcPP 12.1-55.330+.

Microsoft SharePoint: The ToolShell Campaign

CVE-2025-53770 And CVE-2025-53771: Chained Exploitation

In July 2025, Microsoft issued emergency out-of-band patches for two interconnected zero-day vulnerabilities affecting on-premises SharePoint servers.

These vulnerabilities, exploited in a campaign dubbed “ToolShell,” demonstrate the evolution of multi-stage attack chains.

CVE-2025-53770 Technical Profile:

• CVSS Score: 9.8 (Critical)
• Vulnerability Type: Unsafe deserialization of untrusted data
• Impact: Remote Code Execution
• Authentication: Bypassed through CVE-2025-53771

CVE-2025-53771 Technical Profile:

• CVSS Score: 6.3 (Medium)
• Vulnerability Type: Header spoofing vulnerability
• Impact: Authentication bypass
• Exploitation Method: Crafted Referer header

The attack chain operates by first exploiting CVE-2025-53771 to bypass authentication through header spoofing, then leveraging CVE-2025-53770 for code execution through malicious deserialization.

This sophisticated approach allows attackers to extract cryptographic machine keys, enabling long-term persistence even after the initial vulnerability is patched.

Attribution and Impact:

Unit 42 research identified overlapping activity with the Storm-2603 cluster, with exploitation attempts observed as early as July 17, 2025.

The campaign has evolved rapidly, with threat actors adjusting tactics to evade detection and shifting from .NET modules to web shell payloads.

SAP NetWeaver: Enterprise ERP Under Fire

CVE-2025-31324: The Perfect CVSS 10.0 Vulnerability

CVE-2025-31324 achieved the rare distinction of a perfect CVSS score of 10.0, representing maximum severity across all metrics.

This vulnerability in SAP NetWeaver Visual Composer allows unauthenticated attackers to upload arbitrary files, leading to immediate system compromise.

Critical Vulnerability Details:

• CVSS Score: 10.0 (Critical)
• Component: SAP NetWeaver Visual Composer
• Attack Vector: HTTP/HTTPS over Internet
• Authentication: None required
• Exploitation: /developmentserver/metadatauploader endpoint

The vulnerability was first exploited as a zero-day nearly three weeks before public disclosure, with evidence linking exploitation to both sophisticated APT groups and the Qilin ransomware operation.

OP Innovate’s incident response revealed communication with known Cobalt Strike infrastructure, suggesting the vulnerability’s use in broader ransomware campaigns.

Secondary Exploitation Wave:

Following public disclosure, CVE-2025-31324 experienced secondary exploitation waves by opportunistic attackers leveraging previously established web shells.

This pattern demonstrates how zero-day vulnerabilities continue to pose threats even after initial remediation efforts.

CVE-2025-42999: The Root Cause Fix

On May 13, 2025, SAP released Security Note 3604119 addressing CVE-2025-42999 (CVSS 9.1), which corrected the underlying root cause of CVE-2025-31324.

This follow-up vulnerability emerged from forensic analysis conducted by Onapsis Research Labs, highlighting the complex nature of enterprise software vulnerabilities.

Android Ecosystem: Mobile Platform Targets

CVE-2025-38352 And CVE-2025-48543: Targeted Mobile Exploitation

Google’s September 2025 Android Security Bulletin addressed two actively exploited zero-day vulnerabilities affecting the Android ecosystem.

Both vulnerabilities enable local privilege escalation and have been confirmed under “limited, targeted exploitation,” suggesting spyware campaigns against high-value individuals.

CVE-2025-38352 Analysis:

• Component: Linux kernel POSIX CPU timers
• Vulnerability Type: Race condition
• CVSS Score: 7.4
• Impact: Local privilege escalation
• Affected Versions: Android 10 and later

CVE-2025-48543 Analysis:

• Component: Android Runtime (ART)
• Vulnerability Type: Use-after-free
• Impact: Chrome sandbox escape, privilege escalation
• Target: Android system_server compromise

The targeting pattern and discovery by Google’s Threat Analysis Group strongly suggest these vulnerabilities were weaponized in mercenary spyware operations against specific high-risk users.

Samsung-Specific Android Vulnerability

CVE-2025-21043 represents a critical Android vulnerability specific to Samsung devices, discovered in the libimagecodec.quram.so library developed by Quramsoft.

This out-of-bounds write vulnerability enables remote code execution through malicious image processing.

Samsung Vulnerability Profile:

• CVSS Score: 8.8 (High)
• Component: libimagecodec.quram.so
• Discovery Date: August 13, 2025 (privately disclosed)
• Affected Versions: Android 13, 14, 15, 16
• Attribution: Reported by Meta and WhatsApp security teams

Apple Ecosystem: The Persistent Target

CVE-2025-43300: ImageIO Framework Exploitation

Apple issued emergency security updates in August 2025 for CVE-2025-43300, the seventh zero-day vulnerability patched by Apple in 2025.

This out-of-bounds write vulnerability in Apple’s ImageIO framework has been confirmed as exploited in “extremely sophisticated attacks against specific targeted individuals.”

Apple Zero-Day Profile:

• CVSS Score: 8.8 (High)
• Component: ImageIO framework
• Attack Vector: Malicious image files
• Impact: Memory corruption, arbitrary code execution
• Scope: iOS, iPadOS, macOS across multiple versions

The vulnerability demonstrates the evolution of attack techniques targeting Apple’s ecosystem, with simple image viewing potentially compromising entire device security.

Apple’s acknowledgment of sophisticated targeted attacks suggests nation-state involvement in the exploitation campaigns.

Apple’s 2025 Zero-Day Timeline:

Throughout 2025, Apple has patched seven zero-day vulnerabilities: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300.

This escalation indicates increasing attacker focus on Apple platforms and sophisticated threat research capabilities.

Microsoft Windows: Enterprise OS Under Siege

The May 2025 Zero-Day Cluster

Microsoft’s May 2025 Patch Tuesday addressed five actively exploited zero-day vulnerabilities, representing one of the most significant monthly zero-day disclosures in recent memory.

These vulnerabilities span multiple Windows components and enable various attack outcomes from privilege escalation to remote code execution.

Critical Windows Zero-Days:

1. CVE-2025-30397 – Scripting Engine Memory Corruption (CVSS 7.5)
2. CVE-2025-30400 – Desktop Window Manager Elevation of Privilege (CVSS 7.8)
3. CVE-2025-32701 – Common Log File System Driver EoP (CVSS 7.8)
4. CVE-2025-32706 – Windows CLFS Driver EoP (CVSS 7.8)
5. CVE-2025-32709 – Windows Ancillary Function Driver EoP (CVSS 7.8)

CVE-2025-53779: Kerberos Authentication Bypass

Microsoft’s August 2025 Patch Tuesday included CVE-2025-53779, a publicly disclosed zero-day affecting Windows Kerberos authentication.

This privilege escalation vulnerability, discovered by Akamai researcher Yuval Gordon, stems from relative path traversal and enables Active Directory domain compromise.

Kerberos Vulnerability Details:

• CVSS Score: 7.2
• Component: Windows Kerberos
• Technique Name: BadSuccessor
• Impact: Active Directory domain compromise through dMSA object abuse

CVE-2025-29824: CLFS Exploitation Leading To Ransomware

Microsoft Threat Intelligence discovered post-compromise exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS).

The Storm-2460 threat group actively deployed this vulnerability in conjunction with PipeMagic malware for ransomware deployment.

CLFS Zero-Day Campaign:

• Threat Actor: Storm-2460
• Malware Family: PipeMagic backdoor
• Attack Outcome: RansomEXX ransomware deployment
• Target Sectors: IT, real estate, financial, software, retail

Sitecore: ViewState Deserialization Attack

CVE-2025-53690: ViewState Zero-Day Exploitation

Google’s Mandiant successfully disrupted an active ViewState deserialization attack targeting Sitecore products through CVE-2025-53690.

This zero-day vulnerability enabled remote code execution through improper handling of ViewState data, particularly affecting deployments using exposed sample keys from public documentation.

Sitecore Attack Chain:

• Initial Access: ViewState deserialization vulnerability
• Malware Deployed: WEEPSTEEL reconnaissance tool
• Persistence Tools: EARTHWORM tunnel, DWAGENT remote access
• Reconnaissance: SHARPHOUND Active Directory enumeration

The sophisticated attack progression from initial compromise to privilege escalation demonstrates the threat actor’s deep understanding of the exploited vulnerability and target environment.

The zero-day vulnerability landscape of 2025 represents an inflection point in cybersecurity, characterized by unprecedented exploitation velocity, sophisticated attack chains, and broad target diversity.

From Chrome browsers to enterprise SAP systems, no technology stack has proven immune to determined adversaries.

The consistent pattern of exploitation across major vendors, Apple, Google, Microsoft, Citrix, and others underscores the systematic nature of modern zero-day campaigns.

Organizations must recognize that zero-day exploitation is no longer an exceptional event but a routine component of the threat landscape.

Success in this environment requires moving beyond traditional patch-and-pray approaches to comprehensive defense-in-depth strategies that assume compromise and focus on detection, containment, and rapid response.

The lessons from 2025’s zero-day campaigns are clear: attackers are moving faster, targeting more diverse platforms, and demonstrating increasingly sophisticated techniques.

Defenders must match this evolution with equally sophisticated defensive capabilities, industry collaboration, and a fundamental shift toward proactive security architectures designed to withstand unknown threats.

As we advance through 2025, the cybersecurity community must continue adapting to this new reality where zero-day exploitation is not just possible but probable, requiring constant vigilance and continuous improvement of defensive capabilities across all technology platforms and organizational boundaries.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Top Zero-Day Vulnerabilities Exploited in the Wild in 2025 appeared first on Cyber Security News.

The vulnerability, identified as CVE-2025-53690, stems from a ViewState deserialization flaw and is being actively exploited in the wild.

The investigation by Mandiant revealed that attackers are leveraging exposed ASP.NET machine keys that were included in Sitecore deployment guides from 2017 and earlier.

These keys allow malicious actors to bypass validation mechanisms and send harmful ViewState payloads to servers, leading to remote code execution.

Sitecore has acknowledged the vulnerability, labeling it SC2025-005, and has confirmed that it affects customers who used the sample machine key from the outdated deployment guides.

The company has since updated its deployment processes to generate unique machine keys automatically and has notified affected customers.

Impacted Products And Attack Details

The vulnerability potentially impacts several of Sitecore’s main products, including:

• Experience Manager (XM)
• Experience Platform (XP)
• Experience Commerce (XC)
• Managed Cloud

Products such as XM Cloud, Content Hub, and OrderCloud are not affected. Sitecore urges customers to consult their official advisory for a complete list and guidance.

Mandiant’s rapid response disrupted the attack before the full lifecycle could be observed, but their investigation provided significant insights into the attacker’s methods.

The attack began with the exploitation of the ViewState deserialization vulnerability on an internet-facing Sitecore instance. The attacker then used a custom malware, dubbed WEEPSTEEL, for internal reconnaissance.

This malware, embedded in a decrypted ViewState payload, gathered system, network, and user information, which was then encrypted and exfiltrated.

Following the initial compromise, the attacker staged several open-source tools in a public directory to expand their foothold. These included:

• EARTHWORM: A network tunneling tool to create a covert command-and-control channel.
• DWAGENT: A remote access tool for persistent access.
• SHARPHOUND: An Active Directory reconnaissance tool.

The threat actor then escalated their privileges by creating local administrator accounts and attempted to dump credentials from the SAM/SYSTEM hives to facilitate lateral movement across the network using the Remote Desktop Protocol (RDP).

To maintain their presence, they installed DWAGENT as a service and modified account settings to prevent password expiration.

Mitigations

Mandiant recommends that all Sitecore customers review their environments and implement security best practices for ASP.NET.

This includes automating machine key rotation, enabling View State Message Authentication Code (MAC), and encrypting any plaintext secrets.

Sitecore has provided detailed remediation instructions in its official advisory (SC2025-005).

The company strongly encourages customers to ensure their environments are running security-supported versions and to apply all available security fixes without delay.

The discovery of this vulnerability highlights the persistent danger of using default or sample configurations in production environments and underscores the need for continuous security monitoring and proactive patching.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Google Warns of Zero-Day Vulnerability in Sitecore Products Allowing Remote Code Execution appeared first on Cyber Security News.

This represents the seventh zero-day vulnerability that Apple has patched in 2025, underscoring the persistent and escalating threat landscape facing iOS and macOS devices.

The vulnerability’s addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of September 11, 2025, emphasizes the urgent operational risk it poses to organizations and individual users alike.

Vulnerability Exploitation Mechanics

CVE-2025-43300 is an out-of-bounds write vulnerability affecting Apple’s ImageIO framework, specifically targeting the JPEG lossless decoding logic for Adobe DNG (Digital Negative) files.

The vulnerability stems from a critical inconsistency between metadata declarations in TIFF subdirectories and the actual component count in JPEG SOF3 (Start of Frame 3) markers.

The exploit mechanism involves manipulating just two bytes in a legitimate DNG file to create a dangerous metadata mismatch.

Security researchers have demonstrated that by modifying the SamplesPerPixel value from 1 to 2 in the TIFF SubIFD at offset 0x2FD00, while simultaneously changing the SOF3 component count from 2 to 1 at offset 0x3E40B, attackers can trigger memory corruption during image processing.

When Apple’s DNG decoder processes this malformed file, it allocates memory based on the SamplesPerPixel metadata (expecting 2 components) but processes data according to the SOF3 component count (only 1 component), resulting in a heap buffer overflow that enables arbitrary code execution.

This zero-click exploitation occurs automatically when the device processes the malicious image through iMessage, email attachments, AirDrop transfers, or web content.

Attack Sophistication and Implementation

Apple’s characterization of the attacks as “extremely sophisticated,” targeting “specific individuals,” indicates the involvement of advanced threat actors with significant technical capabilities.

The vulnerability’s exploitation requires a deep understanding of both the ImageIO framework and DNG file format specifications, suggesting attackers possess extensive reverse engineering expertise and resources.

The proof-of-concept code released by security researcher b1n4r1b01 demonstrates the exploit’s reproducibility, showing how the memory corruption manifests within Apple’s RawCamera.bundle component.

Detection tools like ELEGANT BOUNCER have been developed to identify exploitation attempts by validating consistency between TIFF metadata and JPEG stream parameters.

Historical Context of iOS Vulnerabilities

Unlike previous iOS zero-click exploits with clear commercial spyware attribution, CVE-2025-43300 presents significant attribution challenges.

Apple has not provided specific details about the attacking groups or targeted victims, limiting public understanding of the threat actors’ identity and motivations.

This contrasts sharply with well-documented campaigns like BLASTPASS and FORCEDENTRY, which have been definitively linked to NSO Group’s Pegasus spyware operations.

The sophisticated nature of the attack, combined with its highly targeted deployment, suggests involvement of either nation-state actors or advanced commercial spyware developers.

However, the absence of concrete attribution evidence complicates threat landscape assessment and defensive planning for security professionals.

The historical progression of iOS zero-click attacks reveals an escalating arms race between Apple’s security improvements and adversary capabilities.

Operation Triangulation (2019-2023) demonstrated unprecedented technical complexity by exploiting undocumented hardware features in Apple’s A12-A16 processors, requiring intimate knowledge of chip architecture that “very few, if any, outside of Apple and chip suppliers” could possess.

NSO Group’s FORCEDENTRY exploit showcased remarkable innovation by using JBIG2 bitmap operations to construct a “virtual computer” within iOS memory, creating logical gates and computational circuits to bypass Apple’s BlastDoor protections.

This technique, described by Google Project Zero as “one of the most technically sophisticated exploits we’ve ever seen,” elevated commercial spyware capabilities to rival nation-state operations.

BLASTPASS further demonstrated the evolution of zero-click attacks by exploiting WebP image vulnerabilities through PassKit attachments, circumventing Apple’s security improvements while maintaining the zero-interaction requirement critical for surveillance operations.

Commercial Spyware and Nation-State Connections

NSO Group has established itself as the dominant commercial spyware provider, with Pegasus deployed across at least 60 government agencies in 40 countries worldwide.

The Israeli company’s business model requires government approval for all exports, as Pegasus is classified as a weapon under Israeli law. This regulatory framework creates a controlled market where NSO selectively provides advanced surveillance capabilities to authorized government clients.

Recent legal developments have significantly impacted NSO’s operations, with a U.S. federal court finding the company liable for violating the Computer Fraud and Abuse Act in WhatsApp’s lawsuit.

This ruling represents the first time any commercial spyware company has been held accountable in U.S. courts, potentially setting a precedent for future litigation against surveillance technology vendors.

NSO Group’s Pegasus platform has evolved from requiring user interaction (click-based exploits) in 2016 to sophisticated zero-click capabilities by 2020.

The spyware’s technical features include comprehensive device compromise, enabling the collection of messages, calls, photos, location data, and real-time microphone/camera access.

The targeting patterns across Pegasus campaigns reveal a consistent focus on high-value individuals, including journalists, human rights activists, political dissidents, and government officials.

This targeting methodology aligns with CVE-2025-43300 reported use against “specific targeted individuals,” suggesting similar operational priorities among advanced threat actors.

Security Recommendations

Organizations and individuals must prioritize immediate patching across all Apple devices to iOS 18.6.2, iPadOS 18.6.2, and corresponding macOS versions.

The vulnerability’s confirmed active exploitation elevates the urgency beyond standard patch management timelines, particularly for high-risk users in journalism, activism, and government sectors.

Apple’s Lockdown Mode provides additional protection against sophisticated zero-click attacks, though it significantly restricts device functionality. For users facing elevated threat levels, enabling this feature offers enhanced security at the cost of user experience.

The persistent threat from commercial spyware and nation-state actors requires adaptive defense strategies that extend beyond traditional vulnerability management.

Organizations should implement enhanced monitoring for image processing anomalies, deploy advanced endpoint detection and response (EDR) solutions, and maintain current threat intelligence feeds focused on mobile device exploitation.

Proactive threat hunting becomes essential given the stealth characteristics of zero-click attacks, requiring security teams to analyze device behavior patterns, network communications, and system integrity indicators that may reveal compromise before traditional security tools detect malicious activity.

CVE-2025-43300 exemplifies the continuing evolution of mobile device threats, where sophisticated adversaries leverage complex technical vulnerabilities to achieve persistent surveillance capabilities.

The vulnerability’s technical sophistication, combined with its integration into the broader landscape of commercial spyware and nation-state cyber operations, underscores the critical importance of comprehensive mobile security strategies that address both technical vulnerabilities and operational threat models.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

The post Analysis of Apple’s ImageIO Zero-Day Vulnerability: Attacker Context and Historical iOS Zero-Click Similarities appeared first on Cyber Security News.

CVE-2025-6218 and CVE-2025-8088 represent sophisticated attack vectors that have enabled threat actors to achieve remote code execution and establish persistent access to compromised systems through maliciously crafted archive files.

These vulnerabilities, with CVSS scores of 8.8 and 7.8, respectively, demonstrate the critical importance of maintaining updated compression software and implementing robust security measures around file handling processes.

The exploitation of these vulnerabilities has been observed across multiple threat campaigns, affecting both individual users and enterprise environments, highlighting the urgent need for comprehensive vulnerability management and user awareness programs.

WinRAR 0-Day Vulnerabilities

WinRAR, developed by win.rar GmbH, has maintained its position as a dominant force in the file compression software market for over two decades, with an estimated user base exceeding 500 million installations worldwide.

The software’s ubiquity across personal and corporate environments has made it an attractive target for cybercriminals seeking to exploit fundamental weaknesses in archive processing mechanisms.

The emergence of CVE-2025-6218 and CVE-2025-8088 represents a significant escalation in the sophistication of attacks targeting compression software, moving beyond traditional social engineering tactics to leverage deep technical vulnerabilities in the application’s core functionality.

The architectural design of WinRAR’s extraction engine, which processes complex archive structures and metadata, has historically presented numerous attack surfaces for malicious actors.

These vulnerabilities specifically target the filename parsing routines and path traversal protection mechanisms that are fundamental to secure archive extraction.

The discovery of these vulnerabilities coincided with increased threat actor interest in supply chain attacks and living-off-the-land techniques, making WinRAR an ideal vector for initial access and lateral movement within target networks.

Modern threat landscapes have demonstrated that compression software vulnerabilities can serve as powerful enablers for multi-stage attack campaigns, allowing adversaries to bypass traditional security controls while maintaining a low detection profile.

The integration of these exploits into advanced persistent threat (APT) toolkits and commodity malware families has amplified their impact, creating cascading security incidents across multiple industry sectors.

The technical complexity of these vulnerabilities also presents significant challenges for detection and mitigation, requiring organizations to implement comprehensive monitoring and response capabilities.

Technical Breakdown of the Vulnerabilities

CVE-2025-6218 represents a critical path traversal vulnerability within WinRAR’s archive extraction functionality, characterized by insufficient validation of file paths during the decompression process.

This vulnerability enables attackers to craft malicious RAR archives containing specially formatted filenames that can escape the intended extraction directory and write arbitrary files to sensitive system locations.

The vulnerability operates by exploiting weaknesses in the path normalization routines, allowing the use of directory traversal sequences (../) that bypass existing security controls and enable unauthorized file system access.

The technical implementation of CVE-2025-6218 centers around the manipulation of archive headers and filename entries that are processed during extraction.

Attackers leverage Unicode encoding techniques and null byte injection to create filenames that appear legitimate to initial validation routines but are interpreted differently during the actual file creation process.

This discrepancy allows malicious files to be written to critical system directories such as the Windows startup folder, system32 directory, or user profile locations, enabling immediate or persistent code execution upon system restart or user login.

CVE-2025-8088 presents a complementary attack vector through a buffer overflow vulnerability in WinRAR’s filename parsing engine. This vulnerability occurs when the application processes archive entries with exceptionally long filenames or malformed Unicode sequences, causing memory corruption that can be leveraged to achieve arbitrary code execution.

The vulnerability manifests during the initial parsing phase of archive processing, before any user interaction or security warnings are displayed, making it particularly dangerous for automated extraction scenarios or when email security gateways process archives.

The exploitation mechanism for CVE-2025-8088 involves careful manipulation of heap memory structures and return-oriented programming (ROP) techniques to bypass modern memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Successful exploitation results in the attacker gaining the same privilege level as the WinRAR process, typically enabling full user-level access to the compromised system. When combined with CVE-2025-6218, these vulnerabilities create a powerful attack chain that provides both immediate code execution and persistent system access.

The initial discovery of these vulnerabilities emerged from security research conducted by multiple independent security firms during routine analysis of file format handling in popular compression software.

The research methodology involved comprehensive fuzzing operations against WinRAR’s parsing engines, utilizing both mutation-based and generation-based fuzzing techniques to identify edge cases in filename processing and archive structure validation.

Initial indicators of the vulnerabilities surfaced when researchers observed abnormal memory consumption patterns and unexpected file system operations during controlled extraction tests.

The first confirmed exploitation attempts were detected in early 2025 through advanced threat detection platforms monitoring for unusual file system activities associated with archive extraction processes.

Threat intelligence analysts identified a correlation between suspicious RAR file attachments in targeted phishing campaigns and subsequent indicators of compromise on victim systems.

These initial detections revealed a sophisticated attack infrastructure utilizing dynamic DNS services and compromised legitimate websites to host malicious archive files disguised as software updates, document collections, and media files.

Detailed forensic analysis of captured exploit samples revealed the technical sophistication employed by threat actors in weaponizing these vulnerabilities.

The malicious archives demonstrated advanced anti-analysis techniques, including the use of password protection, nested archive structures, and decoy files designed to evade automated security scanning systems.

Researchers discovered that successful exploitation campaigns employed social engineering themes related to current events, software updates, and business communications to increase the likelihood of user interaction with malicious archives.

The attack infrastructure supporting these exploitation campaigns exhibited characteristics consistent with organized cybercriminal operations, featuring redundant command and control networks, cryptocurrency-based payment systems, and sophisticated victim targeting mechanisms.

Analysis of network telemetry data revealed that successful compromises were followed by rapid lateral movement activities, credential harvesting operations, and deployment of secondary malware payloads designed to establish long-term persistence and facilitate data exfiltration.

Detection and Indicators of Compromise (IoCs)

Comprehensive detection of CVE-2025-6218 and CVE-2025-8088 exploitation requires implementation of multi-layered monitoring strategies that encompass file system operations, network communications, and process execution patterns.

Security teams should focus on detecting anomalous file creation activities outside standard application directories, particularly focusing on writes to system folders, startup locations, and user profile directories that occur during or immediately after archive extraction processes. 

File integrity monitoring systems should be configured to alert on unexpected modifications to critical system files, especially DLL files in application directories that may indicate hijacking attempts.

Network-based detection mechanisms should monitor for unusual DNS queries and HTTP/HTTPS connections initiated shortly after archive file processing, particularly focusing on connections to recently registered domains, dynamic DNS services, and IP addresses with poor reputation scores. 

Behavioral analysis engines should correlate archive extraction events with subsequent network activity to identify potential command and control communications.

Security information and event management (SIEM) systems should implement rules to detect the temporal correlation between WinRAR process execution and suspicious network connections or file system modifications.

Endpoint detection and response (EDR) solutions should be configured to monitor for specific process execution patterns associated with these exploits, including the creation of child processes from WinRAR, unusual DLL loading activities, and registry modifications related to persistence mechanisms.

Critical indicators include the execution of processes from temporary directories, PowerShell or CMD executions initiated by compression software, and the creation of scheduled tasks or startup entries during archive processing operations.

Organizations should implement proactive threat hunting activities focused on identifying historical indicators of compromise that may have evaded initial detection systems.

The comprehensive threat landscape surrounding CVE-2025-6218 and CVE-2025-8088 demonstrates the evolving sophistication of attacks targeting fundamental software components. It highlights the critical importance of maintaining current security practices around file handling and compression software management.

Organizations must implement robust detection capabilities, maintain updated software versions, and educate users about the risks associated with processing untrusted archive files to mitigate these emerging threats effectively.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

The post WinRAR 0-Day Vulnerabilities Exploited in Wild by Hackers – Detailed Case Study appeared first on Cyber Security News.

The research, conducted by security expert Marek Tóth, reveals that attackers can exploit these vulnerabilities to steal credit card details, personal information, login credentials, and even two-factor authentication codes from unsuspecting users.

The new attack technique, dubbed “DOM-based Extension Clickjacking,” represents a significant evolution from traditional web-based clickjacking attacks.

Unlike conventional methods that target web applications through invisible iframes, this technique manipulates user interface elements that password manager extensions inject into web page DOM structures, making them invisible while remaining clickable.

The attack works by creating malicious scripts that hide extension UI elements using JavaScript manipulation, particularly through opacity adjustments and DOM overlay techniques.

When users encounter seemingly legitimate elements like cookie consent banners or CAPTCHA challenges on compromised websites, a single click can trigger the automatic filling of hidden forms with their stored sensitive data.

Extensive Testing Reveals Widespread Vulnerability

Tóth’s comprehensive research tested eleven popular password managers, including industry leaders such as 1Password, Bitwarden, LastPass, Dashlane, Keeper, and others.

The results were alarming: all tested password managers were initially vulnerable to at least one variant of the DOM-based Extension Clickjacking technique.

The vulnerabilities affect approximately 40 million active installations across Chrome Web Store, Firefox Add-ons, and Edge Add-ons platforms.

Six out of nine tested password managers were vulnerable to credit card detail extraction, while eight out of ten could be exploited to exfiltrate stored personal information.

Perhaps most concerning, ten out of eleven password managers were susceptible to credential theft, including Time-based One-Time Password (TOTP) codes used for two-factor authentication.

Following responsible disclosure in April 2025, several vendors have implemented fixes. Dashlane, Keeper, NordPass, ProtonPass, and RoboForm have successfully patched their extensions against the described attack methods.

However, major players, including 1Password, Bitwarden, LastPass, iCloud Passwords, Enpass, and LogMeOnce, remain vulnerable as of August 2025, representing approximately 32.7 million active installations still at risk.

The persistence of these vulnerabilities in widely used password managers highlights the complexity of securing browser extensions against sophisticated client-side attacks.

Unlike traditional clickjacking, which can be mitigated through HTTP headers like X-Frame-Options or Content-Security-Policy, DOM-based attacks require more comprehensive defensive measures at the extension level.

Attack Scenarios and Real-World Impact

The research demonstrates multiple attack scenarios with varying levels of sophistication. On an attacker-controlled website, malicious actors can steal credit card details and personal information without requiring any existing vulnerabilities in legitimate services.

More concerning is the subdomain attack vector, where attackers exploit Cross-Site Scripting (XSS) vulnerabilities or subdomain takeovers to target users on trusted domains.

Password managers typically autofill credentials not only on the exact domain where they were saved but also on all subdomains, significantly expanding the attack surface.

This means an attacker finding XSS on any subdomain can potentially steal a user’s primary account credentials through clickjacking techniques.

While comprehensive fixes require action from extension developers, users can implement several protective measures. For Chromium-based browsers, security experts recommend configuring extension site access to “on click” rather than automatic access, giving users manual control over autofill functionality.

The research also highlights the importance of keeping password manager extensions updated, as several vendors have released patches following the disclosure.

Users should verify they’re running the latest versions and consider disabling manual autofill features if available, though this may reduce convenience.

The discovery of these vulnerabilities underscores the evolving nature of web security threats and the need for continuous security research in browser extension ecosystems.

As password managers become increasingly central to digital security practices, ensuring their resilience against sophisticated client-side attacks becomes paramount for protecting millions of users’ sensitive data.

Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time. Start with an ANYRUN sandbox trial → 

The post 0-Day Clickjacking Vulnerabilities Found in Major Password Managers like 1Password, LastPass and Others appeared first on Cyber Security News.

WinRAR has released version 7.13 to address a critical security vulnerability that has been actively exploited by cybercriminals, marking another significant security incident for the popular file compression software.

The vulnerability, designated CVE-2025-8088, allows attackers to execute arbitrary code through maliciously crafted archive files, prompting immediate action from users worldwide.

Critical Security Flaw Exploited by Russian Hackers

The newly discovered vulnerability represents a serious threat to Windows users, with security researchers confirming that it has been exploited in active campaigns.

CVE-2025-8088 is a path traversal vulnerability that affects the Windows versions of WinRAR, UnRAR, and associated components, allowing specially crafted archives to bypass user-specified extraction paths and write files to unintended locations on the file system.

This capability enables attackers to execute arbitrary code on compromised systems, making it a particularly dangerous security flaw.

ESET researchers have linked this vulnerability to exploitation by the Russian RomCom group, which has been targeting companies across Europe and Canada.

The cybersecurity firm’s research team, including Anton Cherepanov, Peter Košinár, and Peter Strýček, discovered the vulnerability and reported it to WinRAR developers.

The vulnerability has been assigned a CVSS score of 8.4, classifying it as HIGH severity, which underscores the critical nature of this security issue.

Technical Details and Affected Systems

The directory traversal vulnerability is distinct from a previously patched security flaw that was addressed in WinRAR version 7.12, indicating that this represents a new attack vector that required separate remediation. The affected systems include:

• WinRAR for Windows – All desktop installations of the primary software.
• RAR and UnRAR command-line utilities – Windows versions of these tools.
• UnRAR.dll and portable UnRAR – Dynamic library and standalone versions.
• Version range affected – All WinRAR versions from 0 through 7.12.
• Unaffected platforms – Linux/Unix builds and RAR for Android remain secure.

The vulnerability affects all WinRAR versions from 0 through 7.12, meaning that virtually all existing installations require immediate updating.

The path traversal mechanism allows malicious archives to escape their intended extraction directories, potentially overwriting system files or placing executable code in locations where it can be automatically executed by the operating system.

This type of attack can lead to complete system compromise, data theft, or deployment of additional malware payloads.

Immediate Action Required for Users

WinRAR users must immediately update to version 7.13, which was released on July 30, 2025, with updated release notes published on August 12, 2025.

The update addresses not only the critical security vulnerability but also fixes several bugs from the previous version, including issues with the “Import settings from file” command and recovery size settings for older compression profiles.

The urgency of this update cannot be overstated, particularly given the confirmed exploitation in the wild. Organizations and individual users should prioritize this update across all Windows systems running WinRAR.

Beyond the immediate security fix, WinRAR 7.13 continues to offer advanced NTFS features that distinguish it from other compression tools, including built-in options to preserve symbolic links and archive Alternate Data Streams (ADS).

These capabilities remain valuable for backup, deployment, and forensic environments, but users must ensure they are running the latest secure version to benefit from these features safely.

Users who cannot immediately update should consider discontinuing use of WinRAR until the update can be applied, particularly in environments where untrusted archive files are regularly processed.

Uncover full scope of any attack any attack from hidden redirects to payloads in minutes — Try ANY.RUN free for 14 days.

The post CISA Added WinRaR Zero-Day (CVE-2025-8088) Vulnerability That is Actively Exploited In the Wild appeared first on Cyber Security News.