zero-day | Breaking Cybersecurity News | The Hacker News

Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1 , iPadOS 17.7.5 , macOS Sequoia 15.3.1 , macOS Sonoma 14.7.4 , macOS Ventura 13.7.4 , watchOS 11.3.1 , and visionOS 2.3.1 . "A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link," the company said in an advisory, adding the vulnerability was addressed with improved checks. The iPhone maker also acknowledged that it's aware the vulnerability "may have been exploited in an extremely sophisticated attack against specifically targeted individuals." It's worth noting that the iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 updates also resolved another actively exploited zero-day tracked as CVE-2025-24200. It's curr...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on the NIST's National Vulnerability Database (NVD). Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It also noted that the issue was addressed the next day by pushing out a configuration change to the Stable version of the browser across all platforms. As is customary, the advisory is light on details regarding t...

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics component that could result in memory corruption due to unauthorized command execution in GPU microcode while executing a specific sequence of commands CVE-2025-27038 (CVSS score: 7.5) - A use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm said in an advisory. "Patches for the issues affecting the Adreno Grap...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said . "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions. The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment. The incident led to th...

Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below - CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object CVE-2025-4919 - An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes In other words, successful exploitation of either of the flaws could permit an adversary to achieve out-of-bounds read or write , which could then be abused to access otherwise sensitive information or result in memory corruption that could pave the way for code execution. The vulnerabilities affect the following versions of the Firefox b...

Microsoft on Tuesday shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild. Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity. Twenty-eight of these vulnerabilities lead to remote code execution, 21 of them are privilege escalation bugs, and 16 others are classified as information disclosure flaws. The updates are in addition to eight more security defects patched by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The five vulnerabilities that have come under active exploitation in the wild are listed below - CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability CVE-2025-3270...

Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0. "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests," the company said in an advisory. The company said it observed the flaw being exploited in the wild on FortiVoice systems, but did not disclose the scale of the attacks and the identity of the threat actors behind them. It further noted that the threat actor performed device network scans, erased system crash logs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The issue affects the following products and versions - FortiCamera 1.1, 2.0 (Migrate to a fixed release) FortiCamer...

A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. "These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said . "The targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities." The activity has been attributed to a threat group it tracks as Marbled Dust (formerly Silicon), which is also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326. The hacking crew is believed to have been active since at least 2017, although it wasn't until two years later that Cisco Talos documented attacks targeting public and private entities in the Middle East and North Africa. Early last year, it was also identified as targeting telecommunication, media, in...

The Vulnerability Treadmill The reactive nature of vulnerability management, combined with delays from policy and process, strains security teams. Capacity is limited and patching everything immediately is a struggle. Our Vulnerability Operation Center (VOC) dataset analysis identified 1,337,797 unique findings (security issues) across 68,500 unique customer assets. 32,585 of them were distinct CVEs, with 10,014 having a CVSS score of 8 or higher. Among these, external assets have 11,605 distinct CVEs, while internal assets have 31,966. With this volume of CVEs, it's no surprise that some go unpatched and lead to compromises. Why are we stuck in this situation, what can be done, and is there a better approach out there? We'll explore the state of vulnerability reporting, how to prioritize vulnerabilities by threat and exploitation, examine statistical probabilities, and briefly discuss risk. Lastly, we'll consider solutions to minimize vulnerability impact while giving management ...

SonicWall has released patches to address three security flaws affecting SMA 100 Secure Mobile Access (SMA) appliances that could be fashioned to result in remote code execution. The vulnerabilities are listed below - CVE-2025-32819 (CVSS score: 8.8) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. CVE-2025-32820 (CVSS score: 8.3) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable CVE-2025-32821 (CVSS score: 6.7) - A vulnerability in SMA100 allows a remote authenticated attacker with SSL-VPN admin privileges can with admin privileges can inject shell command arguments to upload a file on the appliance "An attacker with access to an SMA SSL-VPN user account can chain...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions 11.38.0 through 11.38.19. It has been addressed in versions 11.38.20 and 11.38.25. "Commvault Command Center contains a path traversal vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code," CISA said . The flaw essentially permits an attacker to upload ZIP files that, when decompressed on the target server, could result in remote code execution. Cybersecurity company watchTowr Labs, which was credited with discovering and reporting the bug, said the problem resides in an endpoint called "deployWebpackage.do" that triggers a pre-authenticat...

Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," the company said in an update. "Importantly, there has been no unauthorized access to customer backup data that Commvault stores and protects, and no material impact on our business operations or our ability to deliver products and services." In an advisory issued on March 7, 2025, Commvault said it was notified by Microsoft on February 20 about unauthorized activity within its Azure environment and that the threat actor exploited CVE-2025-3928 as a zero-day. It also said it rotated affected credentials and enhanced security measures. The disclosure comes as the U.S. Cybersecurity ...

Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but an increase from 63 the year before. Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances. "Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year," the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker news. "Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices." While Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, Apple's Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one flaw that were abused during the same period. Three of the seven zero-days ...