CISA

Security Advisory

Apple Patches Zero-Day Vulnerability Exploited in Targeted Attacks (CVE-2025-43300) 

Security Advisory : Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.

To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-43300 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview  The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.

The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
An out-of-bounds write issue   CVE-2025-43300 iPhone, iPad, macOS  High iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS 13.7.8, macOS 14.7.8, macOS 15.6.1 

Technical Summary 

The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.

It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.

This makes it a critical security flaw, particularly because the attack vector image files are common and often considered low risk. Apple has mitigated vulnerability by improving bounds by checking in the affected code.

The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-43300 iPhones, iPads, Macs. Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches.  Remote code execution via malicious image zero-click attack surface 

Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms. 

  • CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content. 
  • CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges. 
  • CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app. 
  • CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files. 
  • CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges. 
  • CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation. 
  • CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution. 

Remediation

Update your Apple devices immediately to the latest patched versions: 

  • iPhone – iOS 18.6.2 
  • iPad – iPadOS 18.6.2/17.7.10 
  • macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1. 

Conclusion: 
Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.

Users are strongly advised to update their devices immediately to stay protected against these serious threats. 

In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.

While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats. 

References

Blogs

Surge in Ransomware attack reveal sophistication of Threat actors that strategically focuses on industries to incentivizes Ransom payment

  • The United States remains the primary target for Ransomware attacks
  • UK is preparing to ban any Ransomware payments  for critical infrastructure companies
  • Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
  • RaaS market growth drivers

There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.

Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.

In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.

Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.

Now UK is preparing to ban any Ransomware payments  for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.

The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.

Surge in ransomware attacks

Zscaler  released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform

The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.

Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.

The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.

The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).

Ransomware and Crypto market

Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.

How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.

The demand was Bitcoin, but its scale and method were more advanced but not the first.

BlackSuit ransomware extortion sites seized in Operation Checkmate

Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.

Yesterday 28 july,  the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.

Key trends Key driving the Ransomware Protection Market


The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.

The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.

This  include technological advancements and increasing cyber threats.

  • Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
  • End-point security segment accounted for 35% of market revenue.
  • BFSI sector generated the most income, with significant ransomware attacks reported.
  • Managed services segment dominated the market, catering to SMEs for enhanced cyber security.

Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.

Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack

Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.

Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.

It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.

Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.

APEC market for Ransomware expected to grow

The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.

This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.

Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.

The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.

Ransomware Protection Industry Developments

Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.

Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.

Source:

 BlackSuit ransomware extortion sites seized in Operation Checkmate

Ransomware attacks surge despite international enforcement effort | Cybersecurity Dive

Ransomware Protection Market Size, Growth Analysis – 2032

Blogs

Increased Funding on Cyber Offensive operation against Cyber Defense budget cut by Trump Admin; How wise a decision? Lets explore

Major new legislation commits over $1billion to US cyber offensives. Defining Cyber-offensive operations will include exploiting flaws in software or hack devices or deploy spyware.

This also include collecting internet traffic data and may involve targeted cyberattacks using zero-day exploits. Organizations often build the necessary infrastructure for such activities or gathers Intelligence as a part of these activates.

Trump administration, through the Department of Defense, has announced plans to spend $1 billion over four years on “offensive cyber operations.”

Along side recently the Trump regime announced that cyber offensive operation against Russia will be paused, highlighting that US govt now focuses mainly on China, moving away from eastern Europe.

It’s not clear what tools or software would qualify, but the legislation notes that the funds would go towards enhancing and improving the capabilities of the US Indo-Pacific Command, potentially focusing on the US’s biggest geopolitical rival, China.

The ongoing trade war with China is one of the main reason for Trump regime to shift focus from Russia , and in recent months security researchers have seen Chinese state hackers linked to People’s Liberation Army and the Ministry of State Security target companies in the fields of robotics, artificial intelligence, cloud computing and high-end medical device manufacturing. 

The legislation does not provide detailed information on what “offensive cyber operations” entail or which tools and software will be funded. The investment comes at a time when the U.S. has simultaneously reduced its cybersecurity defense budget by $1 billion. Few months back we witnessed how the US Cybersecurity and Infrastructure Security Agency (CISA) reaffirmed its commitment to defending against all cyberthreats after budget cuts was announced.

Over 1,000 CISA staff have departed since early 2025 through a combination of layoffs, buyouts, and voluntary resignations. What remains is a hollowed-out workforce facing rising cyber threats with fewer tools and teammates.

CISA maintained although the continued efforts to undermine and weaken cybersecurity teams capabilities, however counter-productive that may be in protecting US infrastructure.

Senator Ron Wyden has concerns. “Vastly expanding U.S. government hacking is going to invite retaliation — not just against federal agencies, but also rural hospitals, local governments and private companies who don’t stand a chance against nation-state hackers,” Wyden told the news site.

The US administration simultaneously enacted cuts to the nation’s cybersecurity defense allocations, by slashing $1 billion from the U.S. cyber defense budget. The cuts pose a significant risk as the country faces increasing cyber threats, particularly from Chinese adversaries.

However, the move to a more offensive cyber stance has been critiqued by Democratic Senator and Senate intelligence committee member Ron Wyden, who said that the offensive strategy, combined with Trump and DOGE’s massive cuts to defensive cyber operations such as slashing the budget and the termination of staff from the US Cybersecurity and Infrastructure Security Agency (CISA), only invites retaliation from the US’ largest geopolitical rival.

“The Trump administration has slashed funding for cyber security and government technology and left our country wide open to attack by foreign hackers,” Wyden told TechCrunch.

How wise decision it is to cut cyber defense budget while increasing Cyber offensive spending?

The layoffs at CISA have led to concerns the U.S. is less well protected against cyber threats from the likes of China, Russia and Iran.

Obviously there will be reduction in capacity to defend against cyberattacks, especially large-scale coordinated campaigns. The federal government has inadvertently provided adversaries with a map of its blind spots by scaling back critical cybersecurity programs.

This increase in budget for Cyber offensive operation is seen as an aggressive push and might provoke retaliatory attacks on vulnerable targets, such as local governments and healthcare entities. According to the report, the bill does not specify what the “offensive cyber operations” are or what software would qualify for funding.

At the same time The Trump administration has halted US offensive cyber operations against Russia, sparking concerns over national security and potential Russian cyber threats.

The Trump administration is well aware of the nation state attack and advance techniques cyber adversaries adopt to, a national threat to infrastructure security that cannot be compromised.

Every year there has been increase in cyber security budget if we take a look at from 2017 to 2024. The US government civilian agencies spent more on cybersecurity in each successive year than they did the prior year.

(Source: https://techcrunch.com)

Soucrce: Trump seeks unprecedented $1.23 billion cut to federal cyber budget | CSO Online

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Security Advisory

Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days 

Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-06-10 
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client. 

  • 67 Microsoft CVEs addressed 
  • 3 non-Microsoft CVEs addressed 

Breakdown of May 2025 Vulnerabilities 

  • 25 Remote Code Execution (RCE) 
  • 17 Information Disclosure 
  • 14 Elevation of Privilege (EoP) 
  • 6 Denial of Service (DoS)  
  • 3 Security Feature Bypass 
  • 2 Spoofing 
  • 2 Chromium (Edge) Vulnerabilities 
  • 1 Windows Secure Boot 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebDAV Remote Code Execution (Exploited in the wild)  CVE-2025-33053 Windows High 8.8 
SMB Client Elevation of Privilege (Publicly disclosed) CVE-2025-33073 Windows  High 8.8 

Technical Summary 

Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-33053 Windows 10,11 and Windows Server WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. Remote Code Execution 
CVE-2025-33073 Windows 10,11 and Windows Server EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. Elevation of Privilege  

Source: Microsoft and NVD 

In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed: 

  • CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4) 
  • CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8) 
  • CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1) 
  • CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1) 
  • CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8) 
  • CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8) 
  • CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8) 
  • CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8) 
  • CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5) 

Remediation

  • Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks. 

General Recommendations: 

  • Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution. 
  • Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure. 
  • Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073. 
  • Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems. 
  •  Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule. 

Conclusion: 

Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.

Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency. 

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Blogs

NIST & CISA Proposed Metric for Vulnerability Exploitation Probability

The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.

The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.

This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.

NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.

However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.

Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.

The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.

Importance of Metric for Vulnerability Exploitation Probability

Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.

Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.

It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.

That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.

In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.

The researchers outline four key ways LEV could be used:

1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.

Introducing the LEV Metric

Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.

LEV probabilities are designed to:

  • Estimate how many and which vulnerabilities are likely to have been exploited
  • Assess the completeness of the KEV catalog
  • Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
  • Improve EPSS-based prioritization by correcting underestimations

Key Findings

The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.

For example:

  • CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
  • CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.

The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.

NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.

Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.

Blogs Cybersecurity News Security Advisory

Cyber Security News at a Glance; May 2025

For the month of May 2025 here are the Top News including Security Advisory & Blogs

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Microsoft addressed 83 vulnerabilities across its product suite. Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.

11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.

5 non-Microsoft CVEs included

78 Microsoft CVEs addressed

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

CISA is officially changing the way it disseminates online security updates and guidance.

CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.

Updates on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

Social Media & emails as Medium to disperse Cybersecurity alerts; CISA

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 
Security Advisory

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

Summary : A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.

OEM Google 
Severity Medium 
CVSS Score 4.3 
CVEs CVE-2025-4664 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Insufficient Policy Enforcement vulnerability  CVE-2025-4664 Google Chrome  Medium  136.0.7103.113/.114 (Win/Mac),  136.0.7103.113 (Linux) 

Technical Summary 

CVE-2025-4664 is a zero-day vulnerability found in the Chrome Loader component due to insufficient policy enforcement.

It enables remote attackers to bypass browser security controls using crafted HTML content, possibly leaking cross-origin data or achieving sandbox escape. The bug has been actively exploited in the wild.

A second high-severity flaw, CVE-2025-4609, was also addressed in this update, involving an incorrect handle in the Mojo IPC layer, which can lead to memory corruption or privilege escalation. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-4664  Chrome (Windows, Mac, Linux) Insufficient policy enforcement in Loader enables cross-origin data leaks via crafted HTML.  Data leakage, sandbox escape, potential code execution 

Remediation

  • Update Chrome: Google has released security updates to address these vulnerabilities. Users and administrators must apply the latest Chrome versions: 
  • Windows/macOS: Chrome 136.0.7103.113 /136.0.7103.114 or later 
  • Linux: Chrome 136.0.7103.113 or later 

Conclusion: 
The active exploitation of CVE-2025-4664 highlights the urgent need for rapid security response and patch management. With acknowledgment from CISA and public disclosure by @slonser_, this zero-day poses a real and present threat to users of Chrome and other Chromium-based browsers.

Organizations should take immediate action to patch affected systems and monitor for signs of compromise.

Regular browser updates and proactive vulnerability management are essential to mitigating such critical security risks. 

References

Blogs

Social Media & emails as Medium to disperse Cybersecurity alerts; CISA

CISA is officially changing the way it disseminates online security updates and guidance.

CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.

As per new rule IT admins and others who want to know are advised to sign up for CISA’s email notifications to stay informed.

Updates on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

Some updates will still be available via RSS, though users tracking the Known Exploited Vulnerabilities Catalog must subscribe to that topic through the GovDelivery email service.

Going forward, only high-priority alerts—those tied to emerging threats or major cyber activity—will be posted on the agency’s Cybersecurity Alerts and Advisories webpage. Routine updates and known vulnerabilities, which were previously published on the site, will now be distributed via email, RSS feeds, and X (formerly Twitter).

“The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity,” said CISA.

“CISA wants this critical information to get the attention it deserves and ensure it is easier to find.”

Shift in decentralized Cyber communication i.e. multi channel communication

The shift comes as federal agencies rethink the way they communicate with the public and key stakeholders amid both technological and political pressures. For enterprises, this marks a turning point in how they receive, interpret, and act on federal cybersecurity guidance.

The intent appears focused on reducing information overload and sharpening visibility of alerts that signal active or imminent cyber danger.

 The announcement also said that security teams must ensure they’re subscribed to the correct GovDelivery topics, particularly for high-risk categories like the Known Exploited Vulnerabilities (KEV) Catalog.

How can enterprise proactively respond to alerts?

Enterprises and organisations now need to build and maintain multi-channel alert pipelines that ensure no critical update slips through the cracks. This will involve integrating email subscription systems, real-time RSS feeds, and authenticated social media monitoring into their security operations centers (SOCs). 

Security teams of various enterprise now must reevaluate their incident response protocols. In doing this they must align with the new metre and distribution of federal cybersecurity alerts.

This will help organizations as they place sharper emphasis on emerging threats and allow routine alerts to flow through alternative channels.

Critics have earlier warned how relying on a single private platform, especially one known for algorithmic unpredictability, introduce gaps in information access when high incidents takes place.

Sources: ALERT: CISA revamps how it disperses security advisories and updates starting today | Cybernews

Scroll to top