Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild
CVE-2026-34197, an Apache ActiveMQ flaw
Continue ReadingKEV
Emergency Patch Issued by Fortinet in Latest FortiClient Vulnerabilities
Emergency Patch Issued by Fortinet for FortiClient for Vulnerability
Continue Reading
2 Cyber security Vulnerabilities Affecting Hikvision & Rockwell Automation-CVSS 9.8 Flaws
CISA emphasized the urgency of addressing these vulnerabilities
Continue Reading
CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.
Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.
“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.
Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list
The primary reason after evaluation by threat researcher’s were –
FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.
- The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
- Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
- For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands
Why CISA added FileZen CVE-2026-25108 to its KEV
- The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
- What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
- Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
- This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)
JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.
The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:
- Run unauthorized commands on the server
- Manipulate files or processes
- Establish persistence
- Access sensitive transferred data
- Use the compromised FileZen environment as a pivot point into internal systems
Technical Analysis of CVE-2026-25108
OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.
Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform
Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.
As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.
CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.
Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen
Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability
VMware ESXi VMware vulnerabilities
Continue Reading
Apple Patches Zero-Day Vulnerability Exploited in Targeted Attacks (CVE-2025-43300)
Security Advisory : Apple has released critical security patches to address a newly discovered zero-day vulnerability, CVE-2025-43300, that was found to be actively exploited in targeted attacks.
To protect users, Apple has issued patches in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10 and the latest macOS versions.
| OEM | Apple |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-43300 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview The vulnerability resides in Apple’s ImageIO framework, which is used for handling image files across iOS, iPadOS, and macOS platforms. According to Apple, the flaw may have been used in sophisticated, targeted attacks, although exact details have not been disclosed.
The vulnerability affects a wide range of devices, including iPhones starting from the XS, multiple iPad models and Macs running macOS Ventura, Sonoma and Sequoia. This marks the seventh zero-day exploited in the wild that Apple has addressed in 2025, underscoring the increasing frequency and severity of threats targeting Apple users.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| An out-of-bounds write issue | CVE-2025-43300 | iPhone, iPad, macOS | High | iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS 13.7.8, macOS 14.7.8, macOS 15.6.1 |
Technical Summary
The vulnerability, CVE-2025-43300, is classified as an out-of-bounds write issue within the ImageIO framework.
It can be exploited when a specially crafted image file is processed, causing memory corruption that could allow an attacker to execute arbitrary code on the affected device.
This makes it a critical security flaw, particularly because the attack vector image files are common and often considered low risk. Apple has mitigated vulnerability by improving bounds by checking in the affected code.
The exploitation of this bug in the wild indicates a high level of sophistication, likely by advanced persistent threat actors targeting specific individuals. The technical nature of the bug aligns with a broader trend in which attackers exploit flaws in media-handling components to achieve remote code execution. As such, this patch not only fixes a critical issue but also highlights the need for continued vigilance and timely system updates.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-43300 | iPhones, iPads, Macs. | Critical out-of-bounds write vulnerability in Apple’s ImageIO framework that allows remote code execution by processing a malicious image. It has been actively exploited in highly targeted attacks on iOS, iPadOS, and macOS devices, prompting urgent patches. | Remote code execution via malicious image zero-click attack surface |
Apple has so far fixed a total of seven zero-day vulnerabilities in 2025 that were actively exploited in real-world attacks, including CVE-2025-43300, reflecting an ongoing effort to patch critical security flaws across iOS, iPadOS, and macOS platforms.
- CVE-2025-24085: A memory corruption flaw in WebKit that could allow remote code execution via malicious web content.
- CVE-2025-24200: An elevation of privilege vulnerability in the kernel, enabling attackers to gain higher system privileges.
- CVE-2025-2420: A logic issue in the kernel that could lead to arbitrary code execution by a malicious app.
- CVE-2025-31200: A vulnerability in the CoreGraphics framework allowing remote code execution when processing malicious PDF files.
- CVE-2025-31201: An issue in the IOMobileFrameBuffer kernel extension that could permit a local attacker to escalate privileges.
- CVE-2025-43200: A flaw in the AppleAVD driver leading to a potential kernel privilege escalation.
- CVE-2025-43300: An out-of-bounds write vulnerability in the ImageIO framework actively exploited through malicious images, enabling remote code execution.
Remediation:
Update your Apple devices immediately to the latest patched versions:
- iPhone – iOS 18.6.2
- iPad – iPadOS 18.6.2/17.7.10
- macOS – macOS Ventura 13.7.8, Sonoma 14.7.8 or Sequoia 15.6.1.
Conclusion:
Apple has urgently patched seven critical zero-day vulnerabilities in 2025, including CVE-2025-43300, that were actively exploited in targeted attacks.
Users are strongly advised to update their devices immediately to stay protected against these serious threats.
In addition, CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog under BOD 22-01, requiring federal agencies to remediate the flaw within specified timelines.
While the directive is mandatory for federal agencies, CISA strongly urges all organizations to prioritize remediation of KEV-listed vulnerabilities to reduce their exposure to active threats.
References:
Microsoft June 2025 Patch Tuesday – 67 Vulnerabilities Fixed Including 2 Zero-Days
Summary : Microsoft’s June 2025 Patch Tuesday addresses a total of 67 vulnerabilities across its product ecosystem. Critical flaws in WebDAV, SMB, SharePoint and Remote Desktop Services highlight the urgency of installing this month’s updates.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-06-10 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These include multiple high-risk flaws and two zero-day vulnerabilities one actively exploited and one publicly disclosed affecting core components like Windows WebDAV and the SMB Client.
- 67 Microsoft CVEs addressed
- 3 non-Microsoft CVEs addressed
Breakdown of May 2025 Vulnerabilities
- 25 Remote Code Execution (RCE)
- 17 Information Disclosure
- 14 Elevation of Privilege (EoP)
- 6 Denial of Service (DoS)
- 3 Security Feature Bypass
- 2 Spoofing
- 2 Chromium (Edge) Vulnerabilities
- 1 Windows Secure Boot
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| WebDAV Remote Code Execution (Exploited in the wild) | CVE-2025-33053 | Windows | High | 8.8 |
| SMB Client Elevation of Privilege (Publicly disclosed) | CVE-2025-33073 | Windows | High | 8.8 |
Technical Summary
Two zero-day vulnerabilities in Microsoft’s ecosystem were addressed in June 2025. One of these, CVE-2025-33053, has been exploited in the wild and affects the deprecated but still present WebDAV component in Windows. The other, CVE-2025-33073, was publicly disclosed and affects the Windows SMB client, enabling attackers to elevate privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-33053 | Windows 10,11 and Windows Server | WebDAV RCE triggered when a user clicks a malicious link. Exploited by APT group “Stealth Falcon.” Exploitation complexity is low. | Remote Code Execution |
| CVE-2025-33073 | Windows 10,11 and Windows Server | EoP flaw in SMB Client. Exploitation may occur by connecting to a malicious SMB server. Privilege elevation to SYSTEM is possible. | Elevation of Privilege |
Source: Microsoft and NVD
In addition to the zero-day vulnerabilities, several other critical and high-severity issues were addressed:
- CVE-2025-47162, CVE-2025-47164, CVE-2025-47167: Microsoft Office, Preview Pane-based RCE vulnerabilities, exploitation more likely (CVSS 8.4)
- CVE-2025-47172: Microsoft SharePoint Server, SQL injection-based RCE (CVSS 8.8)
- CVE-2025-29828: Windows Cryptographic Services, memory release issue (CVSS 8.1)
- CVE-2025-32710: Windows Remote Desktop Services, use-after-free vulnerability (CVSS 8.1)
- CVE-2025-29976: Microsoft SharePoint, Local privilege escalation (CVSS 7.8)
- CVE-2025-30393: Microsoft Excel, RCE via malicious Excel file (CVSS 7.8)
- CVE-2025-24063: Windows Kernel, Local privilege escalation, marked “Exploitation More Likely” (CVSS 7.8)
- CVE-2025-32702: Visual Studio, Command injection RCE via malicious project file (CVSS 7.8)
- CVE-2025-26685: Microsoft Defender for Identity, Spoofing via NTLM fallback, exploitable in adjacent networks (CVSS 6.5)
Remediation:
- Apply Patches Promptly: Install the June 2025 security updates immediately to mitigate risks.
General Recommendations:
- Prioritize Zero-Days: Focus on patching the two confirmed zero-day vulnerabilities, especially those allowing Elevation of Privilege and remote code execution.
- Disable Deprecated Services: If not required, disable WebDAV (WebClient service) and SMBv1 to reduce exposure.
- Enforce SMB Signing: Use Group Policy to mandate SMB signing, reducing the risk from CVE-2025-33073.
- Monitor for Exploitation Attempts: Watch for suspicious SMB or WebDAV traffic in logs and endpoint detection systems.
- Enable Auto Updates Where Feasible: For individual endpoints and less tightly controlled systems, enable automatic updates to maintain regular patch schedule.
Conclusion:
Microsoft’s June 2025 Patch Tuesday addresses two important zero-day vulnerabilities, including an actively exploited RCE in WebDAV tracked as CVE-2025-33053.
Organizations should prioritize these patches to mitigate risk from real-world threats. The CVE-2025-33053 vulnerability has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing its urgency.
References:
Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited
Summary
| OEM | Qualcomm |
| Severity | HIGH |
| CVSS Score | 8.6 |
| CVEs | CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.
These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats.
| Vulnerability Name | CVE ID | Product Affected | CVSS Score | Severity |
| Incorrect Authorization Vulnerability | CVE-2025-21479 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Incorrect Authorization Vulnerability | CVE-2025-21480 | Qualcomm Adreno GPU Driver | 8.6 | High |
| Use-After-Free Vulnerability | CVE-2025-27038 | Qualcomm Adreno GPU Driver | 7.5 | High |
Technical Summary
These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21479 | Android (Adreno GPU) | Unauthorized command execution during specific GPU microcode sequences causes memory corruption. | Privilege escalation, system compromise. |
| CVE-2025-21480 | Android (Adreno GPU) | Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks. | Memory corruption, remote code execution. |
| CVE-2025-27038 | Android (Chrome/Adreno) | Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space. | Arbitrary code execution. |
Recommendations:
- Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers.
- Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available.
- Apply Security Updates: Users should ensure their Android devices receive the latest security updates.
- Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels.
Conclusion:
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.
Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide.
In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.
Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation.
References:
NIST & CISA Proposed Metric for Vulnerability Exploitation Probability
The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.
The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.
This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.
NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.
However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.
Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.
The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.
Importance of Metric for Vulnerability Exploitation Probability
Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.
Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.
It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.
That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.
In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.
The researchers outline four key ways LEV could be used:
1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
Introducing the LEV Metric
Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.
LEV probabilities are designed to:
- Estimate how many and which vulnerabilities are likely to have been exploited
- Assess the completeness of the KEV catalog
- Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
- Improve EPSS-based prioritization by correcting underestimations
Key Findings
The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.
For example:
- CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
- CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.
The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.
NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.
Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.
Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
Continue Reading
Recent Comments