The flaw, tracked as CVE-2025-13051, affects two widely used ASUSTOR applications and poses a significant risk to users running outdated versions.

The DLL Hijacking Vulnerability

The vulnerability stems from a DLL hijacking weakness that occurs when ASUSTOR Backup Plan (ABP) and ASUSTOR EZSync (AES) services are installed in directories accessible to non-administrative users.

Attackers can exploit this flaw by replacing legitimate dynamic link library (DLL) files with malicious versions that share the same filename as those loaded by the service.

When the affected service restarts, the malicious DLL is automatically loaded and executed.

Under the LocalSystem account, granting attackers unauthorized code execution with the highest level of system privileges.

This type of attack can lead to complete system compromise, allowing threat actors to install malware, steal sensitive data, or establish constant backdoor access.

The bug affects ABP version 2.0.7.9050 and all older versions, and AES version 1.0.6.8290 and all earlier releases.

ASUSTOR has released security patches to address this critical flaw. Users should immediately upgrade to ABP version 2.0.7.10171 or higher, and to AES version 1.1.0.10312 or higher, to protect their systems from potential exploitation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical ASUSTOR Vulnerability Let Attackers Execute Malicious Code with Elevated Privileges appeared first on Cyber Security News.

The vulnerability was internally discovered and reported by SonicWall’s security team. The flaw, tracked as CVE-2025-40601, carries a CVSS score of 7.5 and affects multiple generations of SonicWall firewall products.

Understanding the Vulnerability

The vulnerability exists in the SSLVPN service component of SonicOS and stems from a stack-based buffer overflow weakness (CWE-121).

When exploited, an attacker can send specially crafted requests to the vulnerable SSLVPN interface without authentication, causing the affected firewall to crash and interrupting services.

SonicWall states that this vulnerability only impacts devices with the SSLVPN interface or service enabled on the firewall. Organizations that do not use this feature remain unaffected.

Currently, SonicWall PSIRT reports no active exploitation in the wild, and no proof-of-concept code has been publicly released.

The vulnerability impacts both Gen7 and Gen8 SonicWall firewalls across hardware and virtual platforms.

Gen7 devices running firmware versions 7.3.0-7012 and older are vulnerable, while Gen8 firewalls with versions 8.0.2-8011 and earlier are affected. SonicWall Gen6 firewalls and SMA 1000/100 series SSL VPN products are not impacted.

SonicWall strongly urges organizations to update to the patched firmware versions immediately.

Until patches can be applied, administrators should restrict SSLVPN access to trusted source IP addresses only or disable the service from untrusted internet sources by modifying existing access rules.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post SonicOS SSLVPN Vulnerability Let Attackers Crash the Firewall Remotely appeared first on Cyber Security News.

The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives, allowing attackers to traverse directories and execute arbitrary code on vulnerable systems.

First disclosed in October 2025, this vulnerability has a CVSS v3 score of 7.0, highlighting its high severity due to the potential for widespread exploitation without requiring elevated privileges.​

7-Zip RCE Vulnerability Exploited

CVE-2025-11001 arises during the parsing of ZIP files containing crafted symbolic links, which trick 7-Zip into writing files outside the intended extraction directory.

This directory traversal can enable attackers to overwrite critical system files or inject malicious payloads, leading to full code execution in the context of the user or service account running the application.

Security researchers at Trend Micro’s Zero Day Initiative (ZDI) detailed how an attacker could leverage this to escape sandboxed environments, making it particularly dangerous for automated file processing in enterprise settings.​

The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., in collaboration with their AI-powered AppSec Auditor tool, and reported promptly to the 7-Zip developers.

A proof-of-concept (PoC) exploit has since been publicly released, demonstrating how a malicious ZIP file can abuse symbolic link handling to facilitate arbitrary file writes and, in certain scenarios, direct RCE.

This PoC has lowered the barrier for threat actors, accelerating real-world attacks observed in the wild. Notably, exploitation requires minimal user interaction; simply opening or extracting a booby-trapped archive suffices, a common vector in phishing campaigns and drive-by downloads.​

This issue is not isolated; 7-Zip version 25.00, released in July 2025, also patches a related flaw, CVE-2025-11002, which shares the same symbolic link mishandling root cause and carries an identical CVSS score of 7.0.

Both vulnerabilities were introduced in version 21.02, affecting all prior releases of the open-source tool used by over 100 million Windows users worldwide for compression tasks. Early indicators suggest attackers are targeting unpatched systems in sectors like healthcare and finance, where file handling is routine.​

The U.K.’s NHS England Digital issued an urgent advisory on November 18, 2025, confirming active exploitation of CVE-2025-11001, urging immediate updates to mitigate risks.

Threat actors could use this RCE to deploy ransomware, steal sensitive data, or establish persistent backdoors, amplifying the danger in supply chain attacks where compromised archives spread via email or shared drives.

Organizations relying on 7-Zip for bulk file operations face elevated threats, as automated extractions could silently propagate malware across networks.​

To counter this threat, users and organizations must update 7-Zip to version 25.00 or later, available from the official website, which enforces stricter path canonicalization to block traversal attempts.

The patch prevents symbolic links from escaping extraction boundaries, neutralizing both CVE-2025-11001 and CVE-2025-11002. Affected platforms include all Windows versions running 7-Zip prior to 25.00, with no reported impacts on Linux or macOS ports yet.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Actively Exploiting 7-Zip RCE Vulnerability in the Wild appeared first on Cyber Security News.

SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.

This breach underscores the rising threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.​

Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, featuring an unusually long 100-year expiration date from April 2022.

This certificate, with SHA1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.

The campaign targets exclusively ASUS WRT models, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device’s outward appearance.

The operation’s scale is alarming, with estimates of 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.

Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, aside from Hong Kong.

Exploited Vulnerabilities

Attackers chained six known flaws in ASUS firmware to propagate the malware, focusing on N-day exploits in AiCloud and OS injection vectors, SecurityScorecard said to CybersecurityNews.

These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.

The table below details the key CVEs, their impacts, and prerequisites:​

These flaws link to CVE-2023-39780, a command injection bug tied to the earlier AyySSHush campaign, suggesting possible actor overlap. Seven IPs show dual compromise, hinting at coordinated efforts.

STRIKE assesses low-to-moderate confidence that China Nexus actors drive WrtHug, mirroring tactics in ORBs like LapDogs and PolarEdge. The focus on Taiwan and router persistence via SSH backdoors points to espionage infrastructure building.

This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.

Targeted models include RT-AC1200HP, GT-AC5300, and DSL-AC68U, often in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying C2 traffic and data exfiltration.

Indicators of Compromise

Monitoring for these IOCs can help detect infections:

Additional IPs: 59.26.66[.]44, 83.188.236[.]86, 195.234.71[.]218

ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.

Organizations should scan for the IOC certificate and apply CISA’s known exploited catalog patches.

As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Massive Hacking Operation WrtHug Compromises Thousands of ASUS Routers Worldwide appeared first on Cyber Security News.

The technology giant confirmed the incident via official Microsoft 365 Status channels, assigning the tracking identifier CP1188020 for administrative reference.

The Issue and Impact

The reported problem prevents users from executing any operations on files directly within the Microsoft Copilot interface.

This includes activities such as uploading, downloading, editing, sharing, or otherwise manipulating documents and files that users need to work with through the Copilot application.

The disruption has affected multiple users across the Microsoft 365 ecosystem, suggesting a potentially significant infrastructure or application-level issue.

The inability to process files through Copilot directly impacts productivity workflows that rely on the AI assistant to analyze documents, extract information, or perform collaborative file management tasks.

Organizations leveraging Copilot for document intelligence and file processing have reported workflow interruptions, forcing teams to seek alternative methods for file handling.

Microsoft’s incident management team has officially acknowledged the situation through the Microsoft 365 Status communication channel, confirming that technical teams are actively investigating the root cause.

Additional technical details and real-time updates on the investigation progress are available in the Microsoft 365 admin center under the incident ticket CP1188020.

The admin center serves as the central location where Microsoft 365 administrators can monitor incident status, view available mitigation steps, and receive estimated resolution timelines.

Organizations should check this resource regularly for the latest updates on the investigation findings and any recommended workarounds.

Currently, users experiencing issues with file operations in Microsoft Copilot should be aware that Microsoft’s engineering teams are working to identify the underlying cause and implement a resolution.

During this investigation period, users may need to temporarily use alternative methods for file processing tasks or defer non-critical operations until service restoration.

The incident highlights the importance of having backup workflows and contingency plans for critical file management operations that depend on cloud-based AI services.

Organizations should ensure their teams are aware of alternative methods for completing essential file-related tasks.

Microsoft typically provides hourly updates during active service investigations, with communications shared through the admin center and the Microsoft 365 Status page.

Administrators and end-users are encouraged to monitor these official channels for resolution announcements and any subsequent guidance once the issue is resolved.

The company’s track record demonstrates a commitment to rapid incident resolution, and users can expect continued transparency regarding investigation progress and remediation efforts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Microsoft Investigating Copilot Issue On Processing Files  appeared first on Cyber Security News.

The flaw, characterized as improper neutralization of special elements used in OS commands (CWE-78), enables authenticated attackers to execute unauthorized code or commands on targeted devices via crafted HTTP requests or through the platform’s CLI interface.

Security researchers, including Jason McFadyen from Trend Research at Trend Micro, are credited with responsibly reporting the vulnerability, which Fortinet published on November 18 alongside mitigation steps.​

The vulnerability affects multiple versions, including FortiWeb 8.0 (up to 8.0.1), 7.6 (up to 7.6.5), 7.4 (up to 7.4.10), 7.2 (up to 7.2.11), and 7.0 (up to 7.0.11).

If exploited, attackers could gain the ability to run arbitrary code with system-level privileges, significantly compromising device integrity, potentially pivoting deeper into network environments, and modifying or disabling web protections.

The vulnerability is classified as medium severity with a CVSSv3 score of 6.7 according to Fortinet, though several external researchers have noted comparable path traversal flaws for FortiWeb this month carry critical scores due to unauthenticated access vectors.​

Exploitation Observed in the Wild

Reports from security analysts and organizations such as Rapid7 and Defused have tracked in-the-wild exploitation since early October, including public postings of proof-of-concept code on underground forums.

Attacks have already targeted internet-facing FortiWeb panels, with successful exploitation enabling attackers to automate persistence using newly created administrator accounts.

Fortinet urges all affected users to upgrade to the available patches in 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12. Restrict management interface exposure and immediately audit existing admin accounts for unauthorized additions as additional mitigation.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New FortiWeb 0-Day Command Injection Vulnerability Exploited in the Wild appeared first on Cyber Security News.

The vulnerability, tracked as CVE-2025-9501 with a CVSS severity score of 9.0 (Critical), allows unauthenticated attackers to execute arbitrary PHP commands directly on vulnerable servers.

W3 Total Cache Vulnerability

The flaw exists in the _parse_dynamic_mfunc function, which processes dynamic function calls without proper input validation.

Attackers can exploit this weakness by submitting a malicious payload through WordPress comment submissions on any post.

Because the vulnerability requires no authentication and minimal user interaction, it poses an immediate and severe threat to all unpatched installations.

The vulnerability belongs to the Injection category (OWASP A1). It is classified as CWE-78: Improper Blocking of Special Elements used in an OS Command.

This means attackers can execute arbitrary operating system commands with the privileges of the web server process.

W3 Total Cache maintains a critical role in WordPress infrastructure, providing advanced caching functionality that site administrators rely on for performance optimization.

The broad adoption makes this vulnerability particularly concerning, as each affected installation represents a potential entry point for Remote Code Execution (RCE) attacks.

Attackers exploiting this vulnerability could achieve complete server compromise, including data theft, malware installation, ransomware deployment, and website defacement.

The vulnerability’s public disclosure on October 27, 2025, increases the urgency for immediate remediation.

The W3 Total Cache development team released a patch in version 2.8.13 to address the command injection flaw. WordPress site administrators must immediately update to this patched version or later.

Security teams should review server logs for suspicious comment submissions and unusual PHP execution patterns that may indicate exploitation attempts.

WordPress website administrators should prioritize this update as critical. Organizations managing multiple WordPress installations should implement automated patching systems.

Security monitoring should be heightened for any signs of unauthorized command execution, file modifications, or unexpected outbound connections that may indicate successful exploitation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post W3 Total Cache Command Injection Vulnerability Exposes 1 Million WordPress Sites to RCE Attacks appeared first on Cyber Security News.

The flaw allows attackers to catch network traffic and obtain plaintext credentials and other confidential data. The vulnerability, tracked as CVE-2025-62765, stems from the product’s failure to encrypt data during transmission.

This cleartext transmission vulnerability poses a significant security risk for organizations that rely on Lynx+ Gateway technology, particularly those managing critical infrastructure or handling sensitive communications.

Lynx+ Gateway Vulnerability

An attacker with network access could exploit this weakness by monitoring traffic flowing through the affected gateway.

The lack of encryption means that credentials, authentication tokens, and other sensitive information transmitted across the network remain visible to potential threat actors.

According to CISA, no authentication or user interaction is required to launch an attack, making this vulnerability particularly dangerous.

The vulnerability has received a CVSS v3 base score of 7.5, indicating a high-severity threat.

The CVSS v3 vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A: N) shows the attack can be executed remotely with low complexity and requires no privileges.

The vulnerability severely impacts confidentiality without affecting integrity or availability. The CVSS v4 score is even more severe at 8.7, reflecting the evolving assessment of this threat.

The CVSS v4 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA: N) confirms that the attack vector remains network-based, with minimal barriers to exploitation.

Organizations using Lynx+ Gateway devices should prioritize patching this vulnerability immediately. CISA recommends implementing network segmentation to limit exposure and monitoring for suspicious network activity.

Additionally, organizations should consider implementing encrypted communication channels and reviewing access logs for signs of unauthorized traffic interception.

Until patches are available, administrators should restrict network access to affected gateways and implement additional monitoring controls.

Given the critical nature of this flaw, this update should be treated as a high-priority security incident requiring urgent attention from network and security teams.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of Critical Lynx+ Gateway Vulnerability Exposes Data in Cleartext appeared first on Cyber Security News.

The patch, rolled out in Chrome Stable version 142.0.7444.175 for Windows and Linux, and 142.0.7444.176 for Mac, fixes two high-severity type confusion bugs in the V8 JavaScript engine.

The most alarming is CVE-2025-13223, reported on November 12, 2025, by Clément Lecigne of Google’s Threat Analysis Group (TAG).

Google confirmed an exploit for this flaw is already circulating, potentially allowing remote attackers to execute arbitrary code on victims’ systems without interaction.

Type confusion vulnerabilities, a staple in browser exploits, occur when the V8 engine misinterprets data types, leading to memory corruption. This can enable attackers to bypass Chrome’s sandbox protections, steal sensitive information, or install malware.

The second fix, CVE-2025-13224, was identified earlier on October 9, 2025, by Google’s internal Big Sleep fuzzing tool, highlighting the company’s proactive defense layers, reads the advisory.

TAG’s involvement suggests possible ties to advanced persistent threats (APTs), as the group often tracks state-sponsored operations using such flaws for espionage or supply chain attacks.

This incident underscores Chrome’s dominance as a target, as over 65% of global browsers run the engine, making timely patches essential.

Google credits tools like AddressSanitizer and libFuzzer for early detection, but the rapid exploitation timeline, from report to wild use in under a week, raises questions about attribution. Users should enable automatic updates and avoid suspicious links.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Chrome Type Confusion Zero-Day Vulnerability Actively Exploited in the Wild appeared first on Cyber Security News.

Researcher Kim shared the details in a blog post on October 20, 2025, emphasizing that the findings stem from her reverse engineering efforts and urging readers to verify independently.

The vulnerability hinges on a maliciously crafted “downloads.28.sqlitedb” database, which tricks the itunesstored daemon into downloading and placing a secondary database, “BLDatabaseManager.sqlite,” into a shared system group container.

While itunesstored operates under strict sandbox limits, the subsequent stage leverages bookassetd a daemon handling iBooks downloads with broader permissions.

MobileGestalt Exploit

This allows writes to mobile-owned paths like /private/var/mobile/Library/FairPlay/, /private/var/mobile/Media/, and even system caches such as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist.

In a demo on an iPhone 12 running iOS 16.0.1, Kim modified the MobileGestalt cache to spoof the device as an iPod touch (model iPod9,1), proving the exploit’s reach.

The process requires preparing the target file in a modified EPUB format, zipped without compressing the mimetype file, and hosting supporting assets like iTunesMetadata.plist on a server.

Attackers must then use tools like 3uTools or afcclient to inject the databases into /var/mobile/Media/Downloads/, followed by targeted reboots to trigger the downloads.

Expected behavior halts writes to unauthorized paths, but the flaw permits modifications unless the destination is root-controlled.

Kim lists numerous writable locations, including caches and media directories, potentially enabling persistence, configuration tampering, or data exfiltration.

The exploit requires physical or tethered access to place the database, but once set up, it could facilitate more sophisticated attacks on jailbroken or compromised devices.

Apple has not yet commented, and Kim notes the issue may be patched imminently. She provides basic files on GitHub for educational use, stressing that the research is for learning only and not for illegal activities.

As iOS evolves with tighter sandboxing, this POC underscores ongoing challenges in daemon isolation. Security teams should monitor for related indicators, like anomalous database entries in download logs.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New MobileGestalt Exploit for iOS 26.0.1 Enables Unauthorized Writes to Protected Data appeared first on Cyber Security News.