RCE

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Security Advisory

Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required

Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.

The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.

OEMMozilla
SeverityHigh
CVSS Score8.8
CVEsCVE-2025-4918, CVE-2025-4919
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

Mozilla has released emergency security updates to address the issues.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ JavaScript Promise OOB Access  CVE-2025-4918Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1
Array Index Confusion  CVE-2025-4919Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1

Technical Summary

The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.

Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4918  Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write    Remote Code Execution
    CVE-2025-4919    Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access    Remote Code Execution

Remediation:

  • Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
  • Firefox 138.0.4 or later
  • Firefox ESR 128.10.1 or later
  • Firefox ESR 115.23.1 or later

Recommendations:

  • Temporary Workarounds (if immediate update is not possible):
  • Avoid visiting unfamiliar or suspicious websites.
  • Use browser security extensions to restrict or disable JavaScript execution.
  • Consider using application whitelisting or sandboxing to restrict browser-based activities.
  • Enterprise Recommendation:
  • Deploy Firefox updates across managed environments using enterprise software deployment tools.
  • Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation

Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.

  • CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
  • CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.

Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.

Staying current with software patches remains a vital defense against modern web-based threats.

The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.

References:

Security Advisory

OpenCTI Web-Hook Flaw Enables Full System Compromise

Summary

OEMFiligran
SeverityCritical
CVSS Score9.1
CVEsCVE-2025-24977
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ Webhook Remote Code Execution vulnerability  CVE-2025-24977OpenCTI  Critical  6.4.11

Technical Summary

The vulnerability resides in OpenCTI’s webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into web-hook templates.

Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.

Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (eg: credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-24977  OpenCTI (≤ v6.4.10)The webhook feature allows JavaScript-based message customization. Users with manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container.  Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure.

Remediation:

  • Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
  • Restrict user permissions: Especially the manage customizations capability — limit access to trusted personnel only.
  • Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
  • Implement container hardening practices: Reduce risk of secret exposure by:
    • Avoiding storage of secrets in environment variables when possible.
    • Using dedicated secret management tools.
    • Running containers with least privilege and limiting runtime capabilities.

The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.

Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.

The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.

Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.

References:

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Security Advisory

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

Summary of Security Advisory

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

OEM Tesla 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-2082 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This provides potentiality in giving access to critical vehicle controls; Tesla has addressed the issue in firmware version 2024.14. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Remote Code Execution vulnerability  CVE-2025-2082 Tesla Model 3   High  7.5 

Technical Summary 

The vulnerability lies in the VCSEC module, responsible for security functions like immobilization, door locking, and TPMS monitoring.

An integer overflow occurs when the VCSEC processes malformed certificate responses transmitted via the TPMS subsystem. Exploiting this flaw enables memory corruption, leading to remote code execution.

The attack does not require user interaction or authentication and can be carried out over adjacent wireless interfaces such as Bluetooth Low Energy (BLE) or Ultra-Wideband (UWB).

Once compromised, attackers may issue unauthorized commands to the Controller Area Network (CAN) bus, which governs safety-critical systems including braking, steering, and acceleration. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2082   Tesla Model 3 (pre-2024.14) Integer overflow in VCSEC module’s certificate handling logic triggered by malformed TPMS messages.  Remote code execution, unauthorized CAN bus access, potential control over critical systems 

Remediation

  • Update Tesla Firmware: Owners should update firmware version 2024.14 via the vehicle’s touchscreen or over-the-air (OTA) updates. 
  • Avoid Wireless Threats: Refrain from connecting to unknown BLE/UWB networks and using unauthorized TPMS accessories. 

Conclusion: 
This vulnerability demonstrates how auxiliary vehicle systems like TPMS can serve as entry points for serious security breaches. While Tesla’s prompt patch release, reflects good incident response, this case underscores the urgency for ongoing scrutiny of wireless automotive components. Owners must apply the firmware update and maintain secure update practices to reduce the risk of exploitation. 

References

Security Advisory

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.

Several cybersecurity companies have reported active exploitation in the wild.

Summary 

OEM SAP 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-31324 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.

It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Missing Authorization in Metadata Uploader  CVE-2025-31324 SAP  Critical  10.0 

Technical Summary 

The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.

Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.

Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-31324  SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. Full system compromise including: 
– Remote Command Execution 
– Privilege Escalation 
– Data Exfiltration 
– Ransomware Deployment 
– Potential Espionage/Sabotage/Fraud 

Key Exploitation Details: 

  • Exploited Path: /developmentserver/metadatauploader 
  • Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names. 
  • Post-Exploitation Tools: 
  • Brute Ratel: Used for C2 operations, credential theft, privilege escalation. 
  • Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection. 

Risk Factors: 

  • Systems where Visual Composer is enabled (even though it is not enabled by default). 
  • Systems exposed to the internet. 
  • Systems without custom security measures protecting the Metadata Uploader endpoint. 

Remediation

  • Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles. 
  • Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules. 
  • Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface. 

Recommendations: 

  • Conduct Threat Hunting: 

Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories: 

  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync 
  • Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity. 
  • Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability. 

Conclusion: 
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation. 

References

Security Advisory

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary 

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview 

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Spoofing Vulnerability  CVE-2025-30401  WhatsApp Desktop for Windows  Medium  2.2450.6 

Technical Summary 

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables. 

Example Scenario: 

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code. 

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-30401   WhatsApp Desktop for Windows (<2.2450.6)  MIME type used for display, but file extension used for execution.

A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). 		 Remote Arbitrary code execution 

Remediation

  • Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version. 

Conclusion: 

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise. 

Be careful when you click attachments.

References: 

Security Advisory

WordPress Ultimate CSV Importer Flaws Put 20,000+ Sites at Risk

Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.

The vulnerabilities have been addressed in version 7.19.1 of the plugin.

Summary 

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-2008, CVE- 2025-2007 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Arbitrary File Upload  CVE-2025-2008 WordPress  High  8.8 
Arbitrary File Deletion  CVE-2025-2007 WordPress  High  8.1 

Technical Summary 

A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways: 

  1. Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information. 
  1. Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2008  WP Ultimate CSV Importer plugin (versions ≤ 7.19) A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation.
This can lead to remote code execution (RCE) and full site takeover. 		  Remote code execution (RCE) 
 CVE-2025-2007 WP Ultimate CSV Importer plugin (versions ≤ 7.19) A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation.
This can reset the site, letting attackers take control. 		 Arbitrary file deletion leading to site reset 

Remediation

Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks. 

General Recommendations 

  • Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe. 
  • Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities. 
  • Use Security Plugins – Install tools to block threats, monitor activity, and protect your site. 
  • Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted. 

Conclusion: 

A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.

Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected. 

References

Security Advisory

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Summary 

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200. 
No. of Vulnerabilities Patched 03 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebKit Out-of-Bounds Write Vulnerability  CVE-2025-24201 iOS, macOS, visionOS, Safari  High  8.8 
Use-After-Free Vulnerability  CVE-2025-24085 iOS, iPasOS, macOS, watchOS, tvOS  High  7.8 
Incorrect Authorization Vulnerability  CVE-2025-24200  iOS, iPadOS  Medium  6.1 

Technical Summary 

Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24201  iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3  Out-of-bounds write issue allowing malicious websites to escape the Web Content sandbox   Remote Code Execution 
 CVE-2025-24085 iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.  Privilege escalation via CoreMedia 
 CVE-2025-24200  iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.) Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.  Security Bypass USB Restricted Mode 

Remediation

Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks 

  • iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later. 
  • Macs: Install macOS Sequoia 15.3 or later. 
  • Apple Watch: Upgrade to watchOS 11.3. 
  • Apple TV: Apply tvOS 18.3 updates. 
  • Vision Pro: Install visionOS 2.3 updates. 

General Recommendations: 

  • Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.  
  • Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.  
  • Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors. 
  • Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content. 
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity. 

Conclusion: 

The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.

While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable. 

Apple fixed all the vulnerability with improved state management.

References


 

Security Advisory

Critical Chrome Vulnerability (CVE-2025-2783) Exploited in Cyber-Espionage Campaign

OEMGoogle Chrome
SeverityHigh
CVSS8.3
CVEsCVE-2025-2783
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding the critical zero-day vulnerability, CVE-2025-2783, in Google Chrome and other Chromium-based browsers on Windows. This vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, urged immediate patching to prevent security breaches and unauthorized system access.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
  Google Chromium Mojo Sandbox Escape Vulnerability  CVE-2025-2783  Google Chrome  High  134.0.6998.117/.118

Technical Summary

This high-severity vulnerability found in the Mojo framework of Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera, Brave etc. The vulnerability originates from a logic error that results in an incorrect handle being provided under certain conditions. This flaw allows attackers to bypass Chrome’s sandbox protections and potentially execute arbitrary code on the affected system.

Security researchers from Kaspersky discovered this zero-day vulnerability as part of an advanced cyber-espionage campaign dubbed “Operation ForumTroll.” The attack campaign targeted media outlets, educational institutions, and government organizations in Russia through highly personalized phishing emails.

The exploit chain is particularly dangerous because it requires minimal user interaction. Victims only need to click on a malicious link in a phishing email, after which the attack executes automatically without any additional action from the user. Once triggered, the exploit allows attackers to escape Chrome’s sandbox environment, leading to remote code execution and possible system compromise.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-2783    Google Chrome (Windows)    Incorrect handle provided in Mojo, allowing sandbox escape  Remote code execution, System Compromise

Remediation:

  • Google Chrome Patch Released: Google has released security updates in Chrome versions 134.0.6998.177/.178 to address this vulnerability. Users should update immediately.

General Recommendations:

  • Enable Automatic Updates: Ensure automatic updates are enabled in Google Chrome and other Chromium-based browsers to receive future security patches promptly.
  • Phishing Awareness Training: Organizations should educate employees on identifying and avoiding phishing emails to prevent exploitation.
  • Endpoint Security Measures: Deploy endpoint detection and response (EDR) solutions to monitor and mitigate potential threats.
  • CISA Compliance for Federal Agencies: Federal agencies must adhere to CISA’s Binding Operational Directive (BOD) 22-01 to address known exploited vulnerabilities promptly.

Conclusion:

The exploitation of CVE-2025-2783 demonstrates the ongoing threat posed by sophisticated cyber-espionage activities.  Google has responded swiftly with a patch, and users are strongly advised to update their browsers immediately. Organizations should remain vigilant against phishing attempts and enhance their cybersecurity posture to mitigate similar threats in the future.

References:

Scroll to top