The flaw, tracked as CVE-2025-13051, affects two widely used ASUSTOR applications and poses a significant risk to users running outdated versions.

The DLL Hijacking Vulnerability

The vulnerability stems from a DLL hijacking weakness that occurs when ASUSTOR Backup Plan (ABP) and ASUSTOR EZSync (AES) services are installed in directories accessible to non-administrative users.

Attackers can exploit this flaw by replacing legitimate dynamic link library (DLL) files with malicious versions that share the same filename as those loaded by the service.

When the affected service restarts, the malicious DLL is automatically loaded and executed.

Under the LocalSystem account, granting attackers unauthorized code execution with the highest level of system privileges.

This type of attack can lead to complete system compromise, allowing threat actors to install malware, steal sensitive data, or establish constant backdoor access.

The bug affects ABP version 2.0.7.9050 and all older versions, and AES version 1.0.6.8290 and all earlier releases.

ASUSTOR has released security patches to address this critical flaw. Users should immediately upgrade to ABP version 2.0.7.10171 or higher, and to AES version 1.1.0.10312 or higher, to protect their systems from potential exploitation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical ASUSTOR Vulnerability Let Attackers Execute Malicious Code with Elevated Privileges appeared first on Cyber Security News.

The vulnerability was internally discovered and reported by SonicWall’s security team. The flaw, tracked as CVE-2025-40601, carries a CVSS score of 7.5 and affects multiple generations of SonicWall firewall products.

Understanding the Vulnerability

The vulnerability exists in the SSLVPN service component of SonicOS and stems from a stack-based buffer overflow weakness (CWE-121).

When exploited, an attacker can send specially crafted requests to the vulnerable SSLVPN interface without authentication, causing the affected firewall to crash and interrupting services.

SonicWall states that this vulnerability only impacts devices with the SSLVPN interface or service enabled on the firewall. Organizations that do not use this feature remain unaffected.

Currently, SonicWall PSIRT reports no active exploitation in the wild, and no proof-of-concept code has been publicly released.

The vulnerability impacts both Gen7 and Gen8 SonicWall firewalls across hardware and virtual platforms.

Gen7 devices running firmware versions 7.3.0-7012 and older are vulnerable, while Gen8 firewalls with versions 8.0.2-8011 and earlier are affected. SonicWall Gen6 firewalls and SMA 1000/100 series SSL VPN products are not impacted.

SonicWall strongly urges organizations to update to the patched firmware versions immediately.

Until patches can be applied, administrators should restrict SSLVPN access to trusted source IP addresses only or disable the service from untrusted internet sources by modifying existing access rules.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely appeared first on Cyber Security News.

Priced at $30,000, the exploit purportedly works on most Office file formats, including the latest versions, and affects fully patched Windows installations.

This development raises alarms in the cybersecurity community, as it could enable attackers to bypass Microsoft’s robust sandbox protections and execute arbitrary code with minimal user interaction.

The advertisement, posted in Russian on a prominent hacking forum, describes the vulnerability as a high-impact 0-day capable of delivering payloads through malicious Office documents.

Zeroplayer claims the exploit chain allows remote attackers to escape the Office sandbox a critical security feature designed to isolate potentially harmful code—and achieve full system compromise on Windows.

Delivery methods involve embedding the exploit in common file types like Word or Excel documents, which could be distributed via phishing emails or compromised websites.

Details of the Hacker Forum Listing

The seller invites private messages for demonstrations and proof-of-concept details, emphasizing compatibility with recent updates to mitigate detection by antivirus tools.

This isn’t Zeroplayer’s first foray into the exploit market; the actor previously offered a WinRAR zero-day RCE for $80,000 in July 2025, highlighting a pattern of targeting widely used productivity and archiving software.

Such sales underscore the lucrative underground economy for zero-days, where exploits fetch premium prices before public disclosure or patching.​

Microsoft’s November 2025 Patch Tuesday addressed multiple critical RCE flaws in Office, including CVE-2025-62199, a use-after-free vulnerability exploitable via malicious documents.

However, that patch focused on known issues and did not reference this alleged 0-day, suggesting it remains unpatched and potentially more dangerous due to its sandbox escape component.

Sandbox escapes are particularly concerning, as they neutralize one of Office’s primary defenses against macro-based attacks, allowing malware to spread laterally across networks.​

Experts note that Russian-language forums like the one hosting this listing often serve as hubs for state-affiliated or opportunistic threat actors, who may weaponize such exploits for ransomware, espionage, or data theft.

Similar past incidents, such as the 2023 exploitation of CVE-2023-36884 by the Russian group Storm-0978, involved Office RCE for backdoor deployment against Western targets.​

The potential fallout from this 0-day is significant, especially for enterprises reliant on Microsoft 365. Attackers could leverage it to compromise supply chains or conduct targeted intrusions, evading endpoint detection responses.

Given Office’s ubiquity across over 1.4 billion devices globally, unpatched systems face a heightened risk of infection through spear-phishing.​

Organizations should prioritize macro disabling in Office policies, enable Protected View for all documents, and deploy advanced threat protection tools.

Monitoring for anomalous forum activity and applying upcoming patches urgently is advised, as Microsoft may accelerate fixes if exploitation evidence emerges.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Threat Actors Allegedly Selling Microsoft Office 0-Day RCE Vulnerability on Hacking Forums appeared first on Cyber Security News.

According to Horizon3.ai, it allows unauthenticated attackers to bypass authentication, access legacy APIs, and exfiltrate sensitive files, including credentials and database backups.

The Vulnerability Chain

Earlier this year, N-able N-central was added to the CISA Known Exploited Vulnerabilities (KEV) catalog for CVE-2025-8875 and CVE-2025-8876.

These vulnerabilities enable authenticated attackers to achieve remote code execution via deserialization and command injection.

Horizon3.ai researchers found more serious flaws in the latest versions. They also uncovered new weaknesses and built a dangerous attack chain.

An unauthenticated attacker can exploit CVE-2025-9316, a weak authentication bypass in the legacy SOAP API, to obtain valid session IDs.

This initial access opens doors to CVE-2025-11700, an XML External Entity (XXE) injection vulnerability that allows reading arbitrary files from the filesystem.

With approximately 3,000 N-central instances exposed on the internet according to Shodan, the attack surface is significant.

Horizon3.ai researchers demonstrated how attackers can chain these vulnerabilities to read sensitive configuration files, including /opt/nable/var/ncsai/etc/ncbackup.conf, which contains database backup credentials stored in cleartext.

Most critically, accessing the N-central database backup reveals all integration secrets: domain credentials, API keys, SSH private keys, and encrypted database entries.

Using cryptographic keys stored in the backup (masterPassword and keystore.bcfks), attackers can decrypt all stored secrets, leading to complete infrastructure compromise.

N-able addressed these vulnerabilities in version 2025.4.0.9, released on November 5, 2025, by restricting access to vulnerable legacy SOAP API endpoints.

Organizations should upgrade immediately and review logs for indicators of exploitation, including “Failed to import service template” entries in dmsservice.log.

The vulnerability chain demonstrates why legacy API endpoints pose persistent security risks in enterprise software, particularly for widely deployed RMM solutions that threat actors commonly target.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical N-able N-central Vulnerabilities Allow attacker to interact with legacy APIs and read sensitive files appeared first on Cyber Security News.

Rapid7 discovered that the vulnerabilities can be chained together to compromise administrator accounts without any user interaction or valid credentials. The vulnerabilities affect Twonky Server installations on both Linux and Windows platforms.

Twonky Server is widely deployed in network-attached storage (NAS) devices, routers, set-top boxes, and gateways worldwide. With approximately 850 instances currently exposed to the public internet, according to Shodan data.

Vulnerabilities Let Attackers Bypass Authentication

The first vulnerability (CVE-2025-13315) allows attackers to bypass API authentication controls through an alternative routing mechanism.

By using the “/nmc/rpc/” prefix instead of the standard “/rpc/” path, attackers can access the log_getfile endpoint without authentication.

This endpoint exposes application logs containing the administrator’s username and encrypted password.

The second vulnerability (CVE-2025-13316) makes password decryption easy. Twonky Server uses hardcoded Blowfish encryption keys across all installations.

Rapid7 researchers identified twelve static keys embedded in the compiled binary, meaning any attacker with knowledge of the encrypted password can decrypt it to plaintext using these publicly available keys.

Rapid7 correctly reported these vulnerabilities to Lynx Technology, the vendor behind Twonky Server.

However, the vendor ceased communications after acknowledging receipt of the technical disclosure and stated that patches would not be possible.

Version 8.5.2 remains the latest available release with no security updates. Organizations using Twonky Server should immediately restrict application traffic to trusted IP addresses only.

All administrator credentials should be considered compromised and rotated if the server is exposed to untrusted networks.

Rapid7 has released a Metasploit module that demonstrates the complete exploitation chain and plans to provide detection capabilities in its vulnerability scanning tools.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication appeared first on Cyber Security News.

Ollama is a widely used tool that allows developers and AI specialists to run large language models locally without relying on external services like OpenAI.

The platform supports numerous open-source models, including gpt-oss, DeepSeek-R1, Meta’s Llama4, and Google’s Gemma3.

Sonarsource researchers found a critical Out-Of-Bounds Write vulnerability during security auditing of Ollama’s codebase.

The vulnerability affects all Ollama versions before 0.7.0 and exists in the model file parsing mechanism. When processing specially crafted GGUF model files, the software fails to validate specific metadata values properly.

Specifically, during the parsing of mllama models, the code does not verify whether indices specified in the model’s metadata fall within acceptable bounds. This oversight allows attackers to manipulate memory beyond allocated boundaries.

The exploitation path involves creating malicious model files with oversized metadata entries or invalid layer indices. When Ollama processes these files, the vulnerability triggers an Out-Of-Bounds Write condition.

Attackers who gain access to Ollama’s API can load and execute these weaponized models, achieving remote code execution on the target system.

Sonarsource confirmed the vulnerability is exploitable in builds without Position Independent Executable configuration, releases include this protection; experts believe exploitation remains feasible with additional effort.

The vulnerability particularly affects the mllama model parsing code written in C++, where unsafe memory operations occur during model initialization.

The Ollama development team addressed this vulnerability in version 0.7.0 by completely rewriting the vulnerable mllama model handling code in Go, eliminating the unsafe C++ implementation.

Users running older versions face significant security risks and should upgrade to the latest release immediately.

Organizations using Ollama in production environments should audit their deployments and implement version controls to prevent the loading of untrusted model files.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Ollama Vulnerabilities Let Attackers Execute Arbitrary Code by Parsing of Malicious Model Files appeared first on Cyber Security News.

CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches.

The vulnerability stems from a type confusion error, classified under CWE-843, which tricks the browser into mishandling data types and corrupts the heap memory. Discovered and patched by Google on November 19, 2025, via its stable channel update, the issue affects Chrome versions before 131.0.6778.72.

Attackers have already leveraged it in the wild, though details on specific campaigns remain limited. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog the same day, mandating federal agencies to apply mitigations by December 10, 2025.

Vulnerability Breakdown and Affected Systems

This zero-day targets the core of Chrome’s rendering engine, making it a prime vector for drive-by downloads and malicious interactions on websites.

While primarily affecting desktop users on Windows, macOS, and Linux, the flaw extends to Chromium-based browsers such as Microsoft Edge and Brave.

No confirmed ties to ransomware exist yet, but experts warn of potential escalation in phishing and supply chain attacks.

CISA urges immediate updates to the latest Chrome version, available through Google’s release notes. In cloud environments, agencies must align with Binding Operational Directive 22-01 and emphasize zero-trust principles. If patches aren’t feasible, discontinuing the product is advised to curb risks.

This incident underscores the relentless pace of browser threats, especially in V8’s complex codebase. With over 3 billion users, Chrome’s dominance amplifies the stakes, as unpatched systems could fuel widespread compromises.

Security researchers highlight the need for vigilant monitoring, as zero-days like this often precede larger campaigns.

As exploitation continues, organizations should scan networks for indicators of compromise and educate users on safe browsing. Google’s swift response mitigates much of the danger, but proactive patching remains key to staying ahead of adversaries.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

The flaw enables unauthorized actions, including data theft, privilege escalation, and exfiltration of external email, even with ServiceNow’s built-in prompt injection protection enabled.

The vulnerability stems from three default configurations that, when combined, create a dangerous attack surface. ServiceNow Assist agents are automatically assigned to the same team and marked as discoverable by default.

This enables inter-agent communication through the AiA ReAct Engine and Orchestrator components, which manage information flow and task delegation between agents.

ServiceNow AI Prompt Injection Attacks

Attackers exploit this by injecting malicious prompts into data fields that other agents will read when a safe agent encounters the compromised data.

It can be tricked into recruiting more powerful agents to execute unauthorized tasks on behalf of the highly privileged user who triggered the initial interaction.

In proof-of-concept demonstrations, Appomni researchers successfully performed Create, Read, Update, and Delete (CRUD) operations.

On sensitive records and sent external emails containing confidential data, all while avoiding existing security protections.

The attack succeeds primarily because agents execute with the privileges of the user who initiated the interaction, not the user who inserted the malicious prompt.

A low-privileged attacker can therefore leverage administrative agents to bypass access controls and access data they would otherwise be unable to reach.

Appomni advises organizations using ServiceNow to immediately implement these protective measures: Enable Supervised Execution Mode: Configure powerful agents performing CRUD operations or email sending to require human approval before executing actions.

Disable Autonomous Overrides: Ensure the sn_aia.The enable_usecase_tool_execution_mode_override system property remains set to false.

Segment Agent Teams: Separate agents into distinct teams based on function, preventing low-privilege agents from accessing powerful ones.

Monitor Agent Behavior: Deploy real-time monitoring solutions to detect suspicious agent interactions and deviations from expected workflows.

ServiceNow confirmed that these behaviors align with the intended functionality but updated the documentation to clarify configuration risks. Security teams must prioritize auditing their AI agent deployments immediately to prevent exploitation of these default settings.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Can Exploit Default ServiceNow AI Assistants Configurations to Launch Prompt Injection Attacks appeared first on Cyber Security News.

Mindgard researchers discovered the flaws during an audit of the popular VSCode extension, which supports Claude Sonnet and the free Sonic model.

The vulnerabilities stem from inadequate prompt-injection protections during Cline’s analysis of source code files. Attackers can embed malicious instructions in Python, Markdown, and shell scripts to override the agent’s safety guardrails.

Notably, exploitation requires nothing more than opening a compromised repository and requesting analysis.

Mindgard reports that all vulnerabilities were disclosed to the vendor before publication, though the team did not respond to repeated coordination attempts.

Cline AI Coding Agent Vulnerabilities

DNS-based Data Exfiltration allows attackers to leak sensitive API keys and environment variables. By hiding instructions in code comments, attackers can trick Cline into running ping commands that embed system information in DNS requests sent to their own servers.

.clinerules Arbitrary Code Execution exploits Cline’s custom rules system. Attackers place malicious Markdown files in a project’s .clinerules directory.

To force all execute_command operations to run with requires_approval=false, bypassing user consent mechanisms and enabling silent code execution.

The TOCTOU Vulnerability uses time-of-check-time-of-use logic to gradually modify shell scripts across multiple analysis requests.

An attacker can first add harmless code to a script, then later change it to add harmful code while the background task is still running.

Information Leakage reveals the underlying model infrastructure through error messages, exposing that the Sonic model is powered by grok-4.

Cline’s development team implemented mitigations in version 3.35.0, including enhanced prompt injection detection.

Mindgard researchers note the vendor’s delayed response raises concerns about the velocity of LLM agent exploitation relative to security remediation timelines.

The findings underscore that system prompts are not harmless configuration files but core security boundaries.

As AI agents become integral development tools, securing the intersection of language, tools, and code execution remains critically underdeveloped.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Cline AI Coding Agent Vulnerabilities Enables Prompt Injection, Code Execution, and Data Leakage appeared first on Cyber Security News.

The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives, allowing attackers to traverse directories and execute arbitrary code on vulnerable systems.

First disclosed in October 2025, this vulnerability has a CVSS v3 score of 7.0, highlighting its high severity due to the potential for widespread exploitation without requiring elevated privileges.​

7-Zip RCE Vulnerability Exploited

CVE-2025-11001 arises during the parsing of ZIP files containing crafted symbolic links, which trick 7-Zip into writing files outside the intended extraction directory.

This directory traversal can enable attackers to overwrite critical system files or inject malicious payloads, leading to full code execution in the context of the user or service account running the application.

Security researchers at Trend Micro’s Zero Day Initiative (ZDI) detailed how an attacker could leverage this to escape sandboxed environments, making it particularly dangerous for automated file processing in enterprise settings.​

The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., in collaboration with their AI-powered AppSec Auditor tool, and reported promptly to the 7-Zip developers.

A proof-of-concept (PoC) exploit has since been publicly released, demonstrating how a malicious ZIP file can abuse symbolic link handling to facilitate arbitrary file writes and, in certain scenarios, direct RCE.

This PoC has lowered the barrier for threat actors, accelerating real-world attacks observed in the wild. Notably, exploitation requires minimal user interaction; simply opening or extracting a booby-trapped archive suffices, a common vector in phishing campaigns and drive-by downloads.​

This issue is not isolated; 7-Zip version 25.00, released in July 2025, also patches a related flaw, CVE-2025-11002, which shares the same symbolic link mishandling root cause and carries an identical CVSS score of 7.0.

Both vulnerabilities were introduced in version 21.02, affecting all prior releases of the open-source tool used by over 100 million Windows users worldwide for compression tasks. Early indicators suggest attackers are targeting unpatched systems in sectors like healthcare and finance, where file handling is routine.​

The U.K.’s NHS England Digital issued an urgent advisory on November 18, 2025, confirming active exploitation of CVE-2025-11001, urging immediate updates to mitigate risks.

Threat actors could use this RCE to deploy ransomware, steal sensitive data, or establish persistent backdoors, amplifying the danger in supply chain attacks where compromised archives spread via email or shared drives.

Organizations relying on 7-Zip for bulk file operations face elevated threats, as automated extractions could silently propagate malware across networks.​

To counter this threat, users and organizations must update 7-Zip to version 25.00 or later, available from the official website, which enforces stricter path canonicalization to block traversal attempts.

The patch prevents symbolic links from escaping extraction boundaries, neutralizing both CVE-2025-11001 and CVE-2025-11002. Affected platforms include all Windows versions running 7-Zip prior to 25.00, with no reported impacts on Linux or macOS ports yet.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Actively Exploiting 7-Zip RCE Vulnerability in the Wild appeared first on Cyber Security News.