A security vulnerability was recently discovered in WhatsApp’s linked device feature, which allows users to access WhatsApp across multiple devices, such as phones and computers.
CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting its significance. The flaw allowed attackers to send crafted messages that forced WhatsApp to load malicious content from a rogue website without any user interaction. WhatsApp and Apple have already patched the issue, and users are urged to update their apps immediately to stay protected.
Vulnerability Name: WhatsApp Incorrect Authorization Vulnerability
CVE ID: CVE-2025-55177
Product Affected: WhatsApp
Severity: Medium
Fixed Version: WhatsApp for iOS 2.25.21.73 and later; WhatsApp Business for iOS 2.25.21.78 and later; WhatsApp Desktop for Mac 2.25.21.78 and later.
Technical Summary
The vulnerability was due to incomplete authorization of synchronization messages in WhatsApp’s linked device feature. This flaw allowed an attacker to send crafted sync messages that could trick WhatsApp into processing content from an arbitrary URL, even if the message came from an untrusted source.
This could result in WhatsApp loading and executing malicious content on the target device without any user interaction. The impact of the attack was significantly increased when combined with a separate Apple OS vulnerability (CVE-2025-43300), making it suitable for sophisticated, targeted exploitation.
CVE ID: CVE-2025-55177
System Affected: WhatsApp for iOS (v2.22.25.2 to v2.25.21.72); WhatsApp Business for iOS (v2.22.25.2 to v2.25.21.77); WhatsApp Desktop for Mac (v2.22.25.2 to v2.25.21.77)
Vulnerability Details: Incomplete authorization in the linked device sync feature allowed attackers to send crafted sync messages that caused WhatsApp to load content from an arbitrary URL without user interaction. This could be used to execute malicious code on the device.
Update WhatsApp on iOS and Mac devices to the latest version:
WhatsApp for iOS: update to v2.25.21.73 or later
WhatsApp Business for iOS: update to v2.25.21.78 or later
WhatsApp Desktop for Mac: update to v2.25.21.78 or later
Conclusion: The WhatsApp vulnerability highlights the growing risks of zero-click attacks, where devices can be compromised without any user interaction. This flaw has been exploited in targeted attacks and poses a serious threat to user security and privacy. It is important for all users to keep their apps and operating systems up to date and follow trusted security recommendations.
Security Advisory: Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.
To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.
OEM: Apple
Severity: High
CVSS Score: 8.8
CVEs: CVE-2025-43300
POC Available: No
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.
The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users.
The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.
It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.
This makes it a critical security flaw, particularly because the attack vector, image files, is common and often considered low risk. Apple has mitigated the vulnerability by improving bounds checking in the affected code.
The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates.
CVE ID: CVE-2025-43300
System Affected: iPhones, iPads, Macs
Vulnerability Details: Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches.
Impact: Remote code execution via malicious image; zero-click attack surface
Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms.
CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content.
CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges.
CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app.
CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files.
CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges.
CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation.
CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution.
Remediation:
Update your Apple devices immediately to the latest patched versions:
iPhone – iOS 18.6.2
iPad – iPadOS 18.6.2/17.7.10
macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1.
Conclusion: Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.
Users are strongly advised to update their devices immediately to stay protected against these serious threats.
In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.
While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats.
The United States remains the primary target for Ransomware attacks
UK is preparing to ban any Ransomware payments for critical infrastructure companies
Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
RaaS market growth drivers
There has been improvement in cyber resilience, but it has been observed that when too many entities pay the ransom, each payment provides a gateway for the next attack, because paying incentivises further attacks.
Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.
In early July 2025, federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.
The Medusa ransomware group has ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.
The UK is now preparing to ban any ransomware payments by critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The ransomware payment proposal is just one part of a package of new regulations slated to go into effect in the UK soon, mostly centred on the Cyber Resilience Bill.
The new UK rules would additionally require all business types not covered by the ban to notify the government when they intend to make a ransomware payment, and they may be required to seek guidance on whether the payment would violate sanctions on cybercriminal groups.
Surge in ransomware attacks
Zscaler released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform.
The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.
Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.
The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.
The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).
Ransomware and Crypto market
Ransomware techniques may have changed their patterns but not their tactics; the arrival of cryptocurrencies marked a major change and turning point in the world of cyber security.
How can we forget WannaCry (2017)? Perhaps the most infamous ransomware attack in history, it caused global disruption by exploiting a Windows vulnerability.
The demand was in Bitcoin; its scale and method were more advanced than earlier attacks, but it was not the first.
BlackSuit ransomware extortion sites seized in Operation Checkmate
Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
Yesterday, 28 July, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites had been taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
Key trends driving the Ransomware Protection Market
The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.
Growing demand for RaaS-based products driven by corporate digitization, together with the advent of cryptocurrencies like Bitcoin, are the key market drivers enhancing market demand and growth.
These include technological advancements and increasing cyber threats.
Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
End-point security segment accounted for 35% of market revenue.
BFSI sector generated the most income, with significant ransomware attacks reported.
Managed services segment dominated the market, catering to SMEs for enhanced cyber security.
Cyber attacks now target any vulnerability, as many businesses are switching to cloud services. To enforce the ransom demand, distributed denial-of-service (DDoS) attacks are launched and continue until the ransom is paid or the data risks being permanently lost.
Cybercriminals may breach cryptocurrency trading sites and steal money. Cryptocurrency is currently the most widely used payment method in a ransomware attack.
Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.
Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.
This has caused businesses to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.
Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.
APEC market for Ransomware expected to grow
The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.
This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.
Moreover, China’s Ransomware Protection market held the largest market share, and the Asia-Pacific region’s fastest-growing market for ransomware protection was India.
The Ransomware Protection industry has recently delivered some of its most important benefits. Major players in the Ransomware Protection market are attempting to increase market demand by investing in research and development operations.
Ransomware Protection Industry Developments
Intrucept has launched Intru360, which gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify the latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team of security analysts.
Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Prebuilt playbooks and automated response capabilities.
Major new legislation commits over $1 billion to US cyber offensive operations. Offensive cyber operations include exploiting flaws in software, hacking devices or deploying spyware.
They also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gather intelligence as part of them.
The Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”
Alongside this, the Trump regime recently announced that offensive cyber operations against Russia would be paused, highlighting that the US government now focuses mainly on China, moving away from Eastern Europe.
It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.
The ongoing trade war with China is one of the main reasons for the Trump regime to shift focus from Russia, and in recent months security researchers have seen Chinese state hackers linked to the People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing.
The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. A few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts were announced.
Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.
CISA has maintained this stance despite continued efforts to undermine and weaken cybersecurity teams’ capabilities, however counter-productive that may be for protecting US infrastructure.
Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.
The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.
However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.
“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.
How wise a decision is it to cut the cyber defense budget while increasing cyber offensive spending?
The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.
Obviously there will be a reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. By scaling back critical cybersecurity programs, the federal government has inadvertently provided adversaries with a map of its blind spots.
This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.
At the same time, the Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.
The Trump administration is well aware of nation-state attacks and the advanced techniques cyber adversaries adopt, a threat to national infrastructure security that cannot be compromised on.
Every year from 2017 to 2024 there was an increase in the cyber security budget: US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.
Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.
There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.
OEM: Microsoft
Severity: Critical
CVSS Score: 9.8
CVEs: CVE-2025-53770, CVE-2025-53771
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue.
Vulnerability Name: SharePoint Server Remote Code Execution Vulnerability

CVE ID: CVE-2025-53770
Product Affected: SharePoint Server (on-prem)
Severity: Critical
CVSS Score: 9.8

CVE ID: CVE-2025-53771
Product Affected: SharePoint Server (on-prem)
Severity: Medium
CVSS Score: 6.3
Technical Summary
The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers.
ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild.
The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey, which are used to sign __VIEWSTATE payloads.
With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise.
CVE ID: CVE-2025-53770
System Affected: SharePoint 2016, 2019
Vulnerability Details: Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads
Impact: Remote Code Execution, full system compromise

CVE ID: CVE-2025-53771
System Affected: SharePoint 2016, 2019
Vulnerability Details: Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques
Impact: Persistent access without credentials
Remediation: To mitigate potential attacks, organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately:
1. Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. AMSI was turned on by default in the September 2023 updates for SharePoint 2016/2019.
2. Rotate cryptographic keys: use Update-SPMachineKey (PowerShell) or Central Admin, then restart IIS using iisreset.exe after key rotation.
3. Deploy endpoint protection: use Microsoft Defender for Endpoint or equivalent XDR tools.
CISA Alert and Advisory Inclusion:
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure.
Indicators of Compromise (IOCs), values obfuscated/generalized:

Type: IP Address
Value: 107.191.58[.]76, 104.238.159[.]149
Description: Observed in initial and second attack waves

Type: User-Agent
Value: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Description: User-Agent string seen in exploitation requests

Type: URL Path
Value: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx
Description: Exploit entry point targeting ToolPane
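The following is an added example, not code from the advisory or from Microsoft: it scans IIS W3C log lines from a SharePoint front end for the ToolPane request pattern and the client IPs listed as indicators above, so a defender can triage log exports quickly. The log lines are constructed samples, and the IIS field order is an assumption matching a common W3C logging configuration.

```python
"""Scan IIS W3C log lines for the ToolShell request pattern and listed IOC IPs.
Added example; the sample log below is constructed, not captured traffic."""
from urllib.parse import parse_qs

# Indicators quoted in the advisory (the IPs are de-fanged there with "[.]").
IOC_IPS = {ip.replace("[.]", ".") for ip in ("107.191.58[.]76", "104.238.159[.]149")}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"

# Assumed #Fields: order of the W3C log being scanned.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]


def parse_iis_line(line):
    """Split one W3C line into a dict, or return None for comment/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes spaces inside the User-Agent as '+'; restore them for readability.
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    return rec


def assess(rec):
    """Return the reasons a request looks like ToolShell activity (empty list if none)."""
    reasons = []
    if rec["cs-uri-stem"].lower() == TOOLPANE_PATH:
        raw_query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"].lower()
        query = parse_qs(raw_query)
        edit_mode = "edit" in query.get("displaymode", [])
        self_ref = "/toolpane.aspx" in query.get("a", [])
        # Legitimate editors also open ToolPane, so require the full IOC shape.
        if rec["cs-method"] == "POST" and edit_mode and self_ref:
            reasons.append("POST to ToolPane.aspx with DisplayMode=Edit&a=/ToolPane.aspx "
                           "(exploit entry point from the IOC table)")
            if rec["cs-username"] == "-":
                reasons.append("request carried no authenticated user")
    if rec["c-ip"] in IOC_IPS:
        reasons.append(f"client IP {rec['c-ip']} is listed as an indicator")
    return reasons


def scan(lines):
    """Run assess() over every parsable line; return one finding per suspicious request."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "c-ip": rec["c-ip"],
                "user_agent": rec["cs(User-Agent)"],
                "reasons": reasons,
            })
    return findings


# Constructed sample log: a hit from a listed IP, a normal page load, a hit from an
# unlisted IP, and a legitimate authenticated editor opening the tool pane.
FIREFOX_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0"
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    f"2025-07-19 10:12:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 {FIREFOX_UA} - 200",
    f"2025-07-19 10:12:09 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 192.168.1.20 {FIREFOX_UA} - 200",
    "2025-07-19 10:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 curl/8.4.0 - 200",
    f"2025-07-19 10:15:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 192.168.1.21 {FIREFOX_UA} - 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["c-ip"], "->", "; ".join(finding["reasons"]))
```

A hit from an IP that is not on the indicator list is still reported, since the URL pattern alone is the stronger signal.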
Conclusion: The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.
The vulnerabilities are not theoretical: attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity.
Summary: Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.
OEM: Microsoft
Severity: Critical
Date of Announcement: 2025-06-10
No. of Vulnerabilities Patched: 67
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
These include multiple high-risk flaws and two zero-day vulnerabilities, one actively exploited and one publicly disclosed, affecting core components like Windows WebDAV and the SMB Client.
67 Microsoft CVEs addressed
3 non-Microsoft CVEs addressed
Breakdown of May 2025 Vulnerabilities
25 Remote Code Execution (RCE)
17 Information Disclosure
14 Elevation of Privilege (EoP)
6 Denial of Service (DoS)
3 Security Feature Bypass
2 Spoofing
2 Chromium (Edge) Vulnerabilities
1 Windows Secure Boot
Vulnerability Name: WebDAV Remote Code Execution (exploited in the wild)
CVE ID: CVE-2025-33053
Product Affected: Windows
Severity: High
CVSS Score: 8.8

Vulnerability Name: SMB Client Elevation of Privilege (publicly disclosed)
CVE ID: CVE-2025-33073
Product Affected: Windows
Severity: High
CVSS Score: 8.8
Technical Summary
Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges.
CVE ID: CVE-2025-33053
System Affected: Windows 10, 11 and Windows Server
Vulnerability Details: WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low.
Impact: Remote Code Execution

CVE ID: CVE-2025-33073
System Affected: Windows 10, 11 and Windows Server
Vulnerability Details: EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible.
Impact: Elevation of Privilege
Source: Microsoft and NVD
In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed:
CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4)
CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8)
CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1)
CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1)
CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8)
CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8)
CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8)
CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5)
Remediation:
Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks.
General Recommendations:
Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution.
Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure.
Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073.
Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems.
Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain a regular patch schedule.
Conclusion:
Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.
Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency.
Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.
These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.
Vulnerability Name: Incorrect Authorization Vulnerability
CVE ID: CVE-2025-21479
Product Affected: Qualcomm Adreno GPU Driver
CVSS Score: 8.6
Severity: High

Vulnerability Name: Incorrect Authorization Vulnerability
CVE ID: CVE-2025-21480
Product Affected: Qualcomm Adreno GPU Driver
CVSS Score: 8.6
Severity: High

Vulnerability Name: Use-After-Free Vulnerability
CVE ID: CVE-2025-27038
Product Affected: Qualcomm Adreno GPU Driver
CVSS Score: 7.5
Severity: High
Technical Summary
These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.
CVE ID: CVE-2025-21479
System Affected: Android (Adreno GPU)
Vulnerability Details: Unauthorized command execution during specific GPU microcode sequences causes memory corruption.
Impact: Privilege escalation, system compromise.

CVE ID: CVE-2025-21480
System Affected: Android (Adreno GPU)
Vulnerability Details: Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.
Impact: Memory corruption, remote code execution.

CVE ID: CVE-2025-27038
System Affected: Android (Chrome/Adreno)
Vulnerability Details: Use-after-free condition in the graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.
Impact: Arbitrary code execution.
Recommendations:
Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.
Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.
Apply Security Updates: Users should ensure their Android devices receive the latest security updates.
Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.
Conclusion: These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.
Exploited in limited, targeted attacks, potentially by spyware vendors or state-sponsored actors, these flaws pose significant threats to Android devices worldwide.
In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.
Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.
The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.
The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management.
This new data point can benefit SecOps teams working to build an effective patch management strategy and address development flaws.
NIST now wants members of the cyber security community to come forward and validate the method, as predicting which vulnerabilities will be exploited is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts.
Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.
The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.
Importance of Metric for Vulnerability Exploitation Probability
Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.
Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.
Organizations would ideally spend their limited resources patching that small but dangerous subset, but identifying it has proven difficult.
That is where LEV comes in: by helping organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.
In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.
The researchers outline four key ways LEV could be used:
1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
Introducing the LEV Metric
Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.
LEV probabilities are designed to:
Estimate how many and which vulnerabilities are likely to have been exploited
Assess the completeness of the KEV catalog
Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
Improve EPSS-based prioritization by correcting underestimations
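To make the four uses listed above concrete, here is a small Python example added for this article; it is not NIST's code and not the formula from the Mell and Spring paper. It takes EPSS at face value as a 30-day exploitation probability, keeps one EPSS score per non-overlapping 30-day window, and combines those scores as 1 - prod(1 - p_i), assuming the windows are independent. That simplification is this example's own assumption, chosen to show why a cumulative likelihood can sit far above the peak single-window EPSS score, and how such scores can be used to flag candidates missing from a KEV list. The EPSS histories, the CVE identifiers of the form CVE-0000-000N and the KEV set are all constructed for illustration.

```python
from datetime import date, timedelta
from math import prod

WINDOW_DAYS = 30  # EPSS scores are probabilities of exploitation within 30 days

# Constructed EPSS histories (made-up values and placeholder CVE IDs, not real
# EPSS data). Each entry is a list of (scoring date, EPSS probability).
EPSS_HISTORY = {
    # Scored every 30 days at a flat 0.16: a low peak score, but the
    # cumulative chance of exploitation across 7 windows is much higher.
    "CVE-0000-0001": [
        (date(2024, 1, 1) + timedelta(days=30 * i), 0.16) for i in range(7)
    ],
    # Scored every 10 days; only one score per 30-day window is used.
    "CVE-0000-0002": [
        (date(2024, 1, 1) + timedelta(days=10 * i), p)
        for i, p in enumerate([0.02, 0.03, 0.04, 0.05, 0.06, 0.07])
    ],
    # A single high score: the cumulative value equals that one score.
    "CVE-0000-0003": [(date(2024, 1, 1), 0.90)],
}


def sample_windows(history, window_days=WINDOW_DAYS):
    """Keep one EPSS score per non-overlapping window: the first score on or
    after each window boundary. Returns the sampled probabilities in order."""
    sampled = []
    next_boundary = None
    for scored_on, p in sorted(history):
        if next_boundary is None or scored_on >= next_boundary:
            sampled.append(p)
            next_boundary = scored_on + timedelta(days=window_days)
    return sampled


def lev_probability(history, window_days=WINDOW_DAYS):
    """P(exploited at least once) = 1 - prod(1 - p_i) over the sampled windows.
    Treating windows as independent is a simplifying assumption of this
    example, not a claim about the paper's exact LEV definition."""
    return 1.0 - prod(1.0 - p for p in sample_windows(history, window_days))


def peak_epss(history):
    """Highest single EPSS score ever assigned to the CVE."""
    return max(p for _, p in history)


def score_all(histories):
    """Map each CVE to (cumulative likelihood, peak EPSS)."""
    return {cve: (lev_probability(h), peak_epss(h)) for cve, h in histories.items()}


def likely_exploited_not_in_kev(histories, kev, threshold=0.5):
    """Candidates for a KEV-completeness review: CVEs whose cumulative
    likelihood meets the threshold but which are absent from the KEV set."""
    scores = score_all(histories)
    return sorted(
        cve for cve, (lev, _) in scores.items()
        if lev >= threshold and cve not in kev
    )


if __name__ == "__main__":
    KEV = {"CVE-0000-0003"}  # constructed KEV list for the demo
    for cve, (lev, peak) in score_all(EPSS_HISTORY).items():
        print(f"{cve}: cumulative={lev:.3f} peak EPSS={peak:.2f}")
    print("Likely exploited but not in KEV:",
          likely_exploited_not_in_kev(EPSS_HISTORY, KEV))
```

Running it shows the first placeholder CVE reaching a cumulative likelihood of about 0.70 from seven windows that each peak at only 0.16, the same shape as the LEV-versus-peak-EPSS gaps the researchers report, and flags it as a KEV candidate because it is absent from the constructed KEV set.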
Key Findings
The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.
For example:
CVE-2023-1730 (SQL injection in the SupportCandy WordPress plugin before 3.1.5): the LEV probability was 0.70, while the peak EPSS score was 0.16.
CVE-2023-29373 (Microsoft ODBC Driver remote code execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.
The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners, as real-world validation is a must for LEV to become a trusted tool rather than just a promising idea.
NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.
For the month of May 2025, here are the top news items, including security advisories and blogs.
Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit
A high-severity vulnerability (CVE-2025-2082) in the Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS).
The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.
Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
Microsoft addressed 83 vulnerabilities across its product suite. Among them, 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.
11 vulnerabilities were rated critical, emphasizing the importance of timely remediation, especially for enterprise environments.
Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required
SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.
SAP Visual Composer is not installed by default; however, it is enabled because it was a core component used by business process specialists to develop business application components without coding.
CISA is officially changing the way it disseminates online security updates and guidance.
On May 12, CISA said its enhanced information dissemination system would from now on use social media and email only to distribute cybersecurity alerts and advisories, reserving its landing page for more critical warnings.
Updates on May 13
Just a day after announcing it was changing the way it sent out alerts, CISA changed its mind and reverted to its old system of putting everything on its website.
“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”
A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild. This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.
Summary: A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.
OEM: Google
Severity: Medium
CVSS Score: 4.3
CVEs: CVE-2025-4664
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.
CVE-2025-4664 is a zero-day vulnerability found in the Chrome Loader component due to insufficient policy enforcement.
It enables remote attackers to bypass browser security controls using crafted HTML content, possibly leaking cross-origin data or achieving sandbox escape. The bug has been actively exploited in the wild.
A second high-severity flaw, CVE-2025-4609, was also addressed in this update; it involves an incorrect handle being provided in the Mojo IPC layer, which can lead to memory corruption or privilege escalation.
CVE ID: CVE-2025-4664
System Affected: Chrome (Windows, Mac, Linux)
Vulnerability Details: Insufficient policy enforcement in Loader enables cross-origin data leaks via crafted HTML.
Impact: Data leakage, sandbox escape, potential code execution
Remediation:
Update Chrome: Google has released security updates to address these vulnerabilities. Users and administrators must apply the latest Chrome versions:
Windows/macOS: Chrome 136.0.7103.113 / 136.0.7103.114 or later
Linux: Chrome 136.0.7103.113 or later
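As an added example for this advisory (not part of the original text and not Google's tooling), the following Python snippet checks a Chrome inventory against the minimum fixed builds listed above. Because both 136.0.7103.113 and 136.0.7103.114 shipped for Windows and macOS, the first fixed build is .113 on every platform. The hostnames and version strings in the inventory are constructed, and the platform names and the `MIN_FIXED` table are this example's own assumptions. It also shows why versions must be compared numerically rather than as strings.

```python
import re

# Minimum fixed Chrome builds for CVE-2025-4664, taken from the advisory above.
# Assumption of this example: platform keys are "windows", "macos", "linux".
MIN_FIXED = {
    "windows": "136.0.7103.113",
    "macos": "136.0.7103.113",
    "linux": "136.0.7103.113",
}

# Chrome versions have exactly four dotted numeric components.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric.
    As plain strings, '136.0.7103.99' sorts *after* '136.0.7103.113',
    which would wrongly report an old build as patched."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(platform, version):
    """True if the installed build is at or above the first fixed build."""
    platform = platform.lower()
    if platform not in MIN_FIXED:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= parse_version(MIN_FIXED[platform])


def hosts_needing_update(inventory):
    """inventory: iterable of (hostname, platform, chrome_version).
    Returns the hostnames still on a vulnerable build, in input order."""
    return [host for host, platform, version in inventory
            if not is_patched(platform, version)]


# Constructed inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "136.0.7103.114"),  # fixed build
    ("ws-002", "windows", "136.0.7103.99"),   # older build; passes a string compare
    ("mac-001", "macos", "136.0.7103.113"),   # first fixed build
    ("lx-001", "linux", "135.0.7049.114"),    # previous major release, vulnerable
    ("lx-002", "linux", "137.0.7151.55"),     # newer major release, fixed
]

if __name__ == "__main__":
    print("Needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Run against the constructed inventory, it reports `ws-002` and `lx-001` as needing an update; feeding it real data means replacing `SAMPLE_INVENTORY` with the output of whatever endpoint-management tool holds the installed Chrome versions.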
Conclusion: The active exploitation of CVE-2025-4664 highlights the urgent need for rapid security response and patch management. With acknowledgment from CISA and public disclosure by @slonser_, this zero-day poses a real and present threat to users of Chrome and other Chromium-based browsers.
Organizations should take immediate action to patch affected systems and monitor for signs of compromise.
Regular browser updates and proactive vulnerability management are essential to mitigating such critical security risks.