HOT NEWS 2025 DECEMBER
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 31.12.25 | DarkSpectre | DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers | HACKING | BROWSER |
| 31.12.25 | CVE-2025-13915 | IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. | VULNERABILITY | |
| 31.12.25 | Shai Hulud | Shai Hulud strikes again - The golden path | MALWARE | PYTHON |
| 31.12.25 | CVE-2025-52691 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | VULNERABILITY | |
| 31.12.25 | Silver Fox | Silver Fox Targeting India Using Tax Themed Phishing Lures | APT | APT |
| 31.12.25 | HoneyMyte | The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor | APT | APT |
| 27.12.25 | Panda APT | The Evasive Panda APT group (also known as Bronze Highland, Daggerfly, and StormBamboo) has been active since 2012, targeting multiple industries with sophisticated, evolving tactics. Our latest research (June 2025) reveals that the attackers conducted highly targeted campaigns, which started in November 2022 and ran until November 2024. | APT | APT |
| 27.12.25 | CVE-2025-14847 | Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 | VULNERABILITY | |
| 27.12.25 | UNG0801 | Key Targets. Industries Affected. Geographical Focus. Infection Chain – Operation IconCat. Infection Chain – I. Infection Chain – II. Campaign-Analysis – Operation IconCat. Campaign-I Initial Findings. Looking into the malicious PDF File. Technical Analysis. Malicious PyInstaller implant – PYTRIC... | GROUP | GROUP |
| 25.12.25 | Pytric and Rustric implants leveraged in UNG0801 malicious operations | A new malicious activity attributed to a persistent threat cluster designated as UNG0801 (aka Operation IconCat) has been reported in the wild. The campaign specifically targets Israeli enterprise environments. The attackers employ sophisticated social engineering techniques, utilizing Hebrew-language phishing lures that mimic internal corporate communications. | GROUP | |
| 25.12.25 | MacSync Stealer malware | Jamf Threat Labs has identified an updated variant of the MacSync Stealer malware that leverages code-signed binaries able to deliver the malicious payloads without user interaction. To evade detection, the attackers also inflate the malicious application bundle to over 25 MB using decoy PDFs and employ a Swift-based helper to execute the malicious scripts. | VIRUS | |
| 25.12.25 | CVE-2025-34392 - Barracuda Service Center absolute path traversal vulnerability | CVE-2025-34392 is a recently disclosed critical (CVSS score 10.0) absolute path traversal vulnerability affecting Barracuda Service Center, which is a web-based management console for Barracuda Managed Workplace (RMM). If successfully exploited, the flaw might allow unauthorized attackers to perform arbitrary file write operations and remote code execution via malicious webshell upload. | VULNERABILITY | |
| 25.12.25 | Paper Werewolf campaign delivering EchoGather malware | Researchers from Intezer reported on a new malicious activity attributed to the Paper Werewolf threat group (aka GOFFEE). The attackers leverage XLL-based delivery techniques to distribute a custom backdoor dubbed EchoGather. | CAMPAIGN | |
| 25.12.25 | Caminho and DCRAT malware variants leveraged by the Blind Eagle APT | Zscaler researchers identified a recent spear-phishing campaign attributed to the BlindEagle threat group that has been targeting Colombian institutions. The operation utilized phishing emails, a fake web portal, PowerShell scripts, steganography to hide payloads, and legitimate services like Discord to host arbitrary payloads. | VIRUS | |
| 25.12.25 | AshTag malware distributed by the Ashen Lepus APT | Researchers from Palo Alto have detailed an evolving espionage campaign attributed to the Ashen Lepus APT group. This campaign has introduced a fully featured, modular .NET malware dubbed AshTag. The infection chain relies on social engineering and DLL side-loading performed by the AshenLoader malware. | APT | |
| 25.12.25 | PyStoreRAT malware | A new sophisticated supply chain attack utilizing dormant GitHub accounts to distribute a previously undocumented malware dubbed PyStoreRAT has been reported in the wild. | VIRUS | |
| 25.12.25 | RansomHouse RaaS | RansomHouse is a Ransomware-as-a-Service (RaaS) operation attributed to the threat actor Jolly Scorpius. This group employs a double-extortion method, generating revenue through ransoming encrypted files and sensitive data, and primarily targets virtualized environments through their MrAgent and Mario components. | RANSOM | |
| 25.12.25 | SantaStealer - a new MaaS infostealer | Rapid7 Labs has identified a new infostealer variant dubbed SantaStealer, which is currently advertised on underground forums and offered for sale as a Malware-as-a-Service (MaaS) offering. Functionally, SantaStealer is designed to harvest sensitive data from browsers, including credentials, cookies, and credit card details. | VIRUS | |
| 25.12.25 | Frogblight mobile malware | Frogblight is a sophisticated Android banking malware operating under the Malware-as-a-Service model and specifically targeting Turkish users through a combination of banking theft and spyware capabilities. As reported by the researchers from Securelist, the malware spreads via social engineering, utilizing phishing SMS messages that falsely warn victims of pending court cases. | VIRUS | |
| 25.12.25 | CVE-2025-6389 - WordPress Sneeit Framework plugin vulnerability under active exploitation | CVE-2025-6389 is a recently disclosed critical (CVSS score 9.8) Remote Code Execution (RCE) vulnerability affecting the Sneeit Framework plugin for WordPress. | VULNERABILITY | |
| 25.12.25 | Longlegs group attributed to multiple campaigns delivering ransomware | The Longlegs (aka Gold Salem, Storm-2603) threat actor group established itself in early 2025 through the distribution of Warlock ransomware. The group gained notoriety in mid-2025 following exploitation of ToolShell, a collection of Microsoft SharePoint vulnerabilities. | GROUP | |
| 25.12.25 | CVE-2025-58360 - OSGeo GeoServer XML External Entity (XXE) vulnerability | CVE-2025-58360 is a recently disclosed critical (CVSS score 9.8) XML External Entity (XXE) vulnerability affecting GeoServer, which is an open-source software server written in Java that allows for editing and sharing of geospatial data. If successfully exploited, the flaw might allow an unauthenticated attacker to access arbitrary files from the server's file system or to conduct Server-Side Request Forgery (SSRF) attacks. | VULNERABILITY | |
| 25.12.25 | CVE-2020-12812 | An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. | VULNERABILITY | |
| 25.12.25 | CVE-2023-52163 | Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | VULNERABILITY | |
| 25.12.25 | | Defeating AuraStealer: Practical Deobfuscation Workflows for Modern Infostealers | STEALER | |
| 25.12.25 | | GhostPairing Attacks: from phone number to full access in WhatsApp | | |
| 25.12.25 | | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | VULNERABILITY | |
| 25.12.25 | | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. | VULNERABILITY | |
| 25.12.25 | | SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums | INFOSTEALER | |
| 25.12.25 | | From ClickFix to code signed: the quiet shift of MacSync Stealer malware | Mac OS | |
| 24.12.25 | | Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope | | |
| 24.12.25 | | Choose Your Fighter: A New Stage in the Evolution of Android SMS Stealers in Uzbekistan | ANDROID | |
| 24.12.25 | NexusRoute | NexusRoute: Attempting to Disrupt an Indian Government Ministry | MALWARE | ANDROID |
| 24.12.25 | | Frogblight threatens you with a court case: a new Android banker targets Turkish users | ANDROID BANKING | |
| 24.12.25 | | Meet Cellik - A New Android RAT With Play Store Integration | ANDROID RAT | |
| 24.12.25 | | n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. | VULNERABILITY | |
| 20.12.25 | Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards | A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU. | | |
| 20.12.25 | Siemens Gridscale X Prepay username enumeration and account lock bypass vulnerability | Vulnerabilities have been identified in Siemens Gridscale X Prepay that allow unauthenticated username enumeration and enable an attacker to bypass account lock functionality. | | |
| 20.12.25 | | A view of the H2 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts | | |
| 20.12.25 | | EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic analysis of the evolving cyber threat landscape. Our latest report analyzes a targeted malware campaign attributed to APT-36, which… | | |
| 20.12.25 | | EXECUTIVE SUMMARY CYFIRMA examines a sophisticated phishing campaign that leverages QR-code-based delivery, commonly referred to as “quishing,” to target employees with | | |
| 20.12.25 | | The YouTube Ghost Network is a malware distribution network that uses compromised accounts to promote malicious videos and spread malware, such as infostealers. | LOADER | |
| 20.12.25 | | From Loader to Looter: ACR Stealer Rides on Upgraded CountLoader | LOADER | |
| 19.12.25 | | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. | VULNERABILITY | |
| 19.12.25 | | (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASRock, ASRock Rack, and ASRock Industrial motherboards using Intel 500, 600, 700, and 800 series chipsets | VULNERABILITY | |
| 19.12.25 | | (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting ASUS motherboards using Intel Z490, W480, B460, H410, Z590, B560, H510, Z690, B660, W680, Z790, B760, and W790 series chipsets | VULNERABILITY | |
| 19.12.25 | | (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting GIGABYTE motherboards using Intel Z890, W880, Q870, B860, H810, Z790, B760, Z690, Q670, B660, H610, W790 series chipsets, and AMD X870E, X870, B850, B840, X670, B650, A620, A620A, and TRX50 series chipsets (Fix for TRX50 planned for Q1 2026) | VULNERABILITY | |
| 19.12.25 | | (CVSS score: 7.0) - A protection mechanism failure vulnerability affecting MSI motherboards using Intel 600 and 700 series chipsets | VULNERABILITY | |
| 19.12.25 | | LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan | | |
| 18.12.25 | | Kimsuky Distributing Malicious Mobile App via QR Code | ANDROID | |
| 18.12.25 | | A remote code execution issue exists in HPE OneView. | VULNERABILITY | |
| 18.12.25 | | ASUS Live Update Embedded Malicious Code Vulnerability | VULNERABILITY | |
| 18.12.25 | | SonicWall SMA1000 Missing Authorization Vulnerability | VULNERABILITY | |
| 18.12.25 | | Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available. | VULNERABILITY | |
| 18.12.25 | | A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). | VULNERABILITY | |
| 18.12.25 | | Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices | | |
| 17.12.25 | | Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports | | |
| 17.12.25 | | Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation | | |
| 17.12.25 | | Inside GhostPoster: How a PNG Icon Infected 50,000 Firefox Users | JAVASCRIPT | |
| 17.12.25 | | Patch or Peril: A Veeam vulnerability incident | | |
| 17.12.25 | | Remediating Atlassian Confluence servers fails to thwart Effluence backdoor | BACKDOOR | |
| 17.12.25 | | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. | VULNERABILITY | |
| 17.12.25 | | (CVSS score: 8.6) - Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database | VULNERABILITY | |
| 17.12.25 | | (CVSS score: 8.6) - An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., "/etc/passwd") | VULNERABILITY | |
| 17.12.25 | | (CVSS score: 9.3) - An authentication bypass vulnerability that occurs when the "Authorization Type" (aka AUTHTYPE) is set to "webserver," allowing an attacker to log in to the Administrator Control Panel via a forged Authorization header | VULNERABILITY | |
| 17.12.25 | | 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | BACKDOOR | |
| 15.12.25 | CyberVolk | A Deep Dive into the Hacktivists, Tools and Ransomware Fueling Pro-Russian Cyber Attacks | | |
| 14.12.25 | | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | VULNERABILITY | |
| 14.12.25 | | ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants | WEB | |
| 14.12.25 | Pro-Russia Hacktivists Conduct Opportunistic | This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood. | | |
| 14.12.25 | | An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. | VULNERABILITY | |
| 14.12.25 | | (CVSS score: 8.8) - A memory corruption issue in WebKit that may lead to memory corruption when processing maliciously crafted web content | VULNERABILITY | |
| 14.12.25 | | Apple fixes two zero-day flaws exploited in 'sophisticated' attacks (Lawrence Abrams, December 12, 2025). Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals. | VULNERABILITY | |
| 13.12.25 | | CVE-2025-54100 - PowerShell Remote Code Execution Vulnerability | VULNERABILITY | |
| 13.12.25 | | CVE-2025-64671 - GitHub Copilot for JetBrains Remote Code Execution Vulnerability | VULNERABILITY | |
| 13.12.25 | | CVE-2025-62221 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | VULNERABILITY | |
| 13.12.25 | Ransomware Trends in Bank Secrecy Act Data Between | This Financial Trend Analysis (FTA) focuses on ransomware patterns and trends identified in Bank Secrecy Act (BSA) data. The Financial Crimes Enforcement Network (FinCEN) is issuing this report pursuant to section 6206 of the Anti-Money Laundering Act of 2020 (codified at 31 U.S.C. § 5318(g)(6)(B)), which requires periodic publication of BSA-derived threat pattern and trend information. | RANSOMWARE | |
| 13.12.25 | TOTOLINK X5000R (AX1800 router) lacks authentication for telnet | An unauthenticated HTTP request can enable telnet, which may lead to remote code execution with root-level privileges. | | |
| 13.12.25 | Vulnerabilities identified in PCIe Integrity and Data Encryption (IDE) protocol specification | PCI Express Integrity and Data Encryption (PCIe IDE), introduced in the PCIe 6.0 standard, provides link-level encryption and integrity protection for data transferred across PCIe connections. | | |
| 13.12.25 | EtherHiding | Hiding Web2 Malicious Code in Web3 Smart Contracts | HACKING | MALWARE |
| 13.12.25 | CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-42928 | Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-55754 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages |
VULNEREBILITY |
|
| 13.12.25 | CVE-2025-42880 | Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. |
VULNEREBILITY |
|
| 13.12.25 | Operation MoneyMount-ISO | Table of Contents: Introduction: Targeted sectors: Initial Findings about Campaign: Analysis of Phishing Mail: Infection Chain: Technical Analysis: Stage-1: Analysis of Malicious ISO file. Stage-2: Analysis of Executable. Analysis of 1st Payload Analysis of 2nd Payload (Phantom Stealer) Conclusion:... | OPERATION | OPERATION |
| 13.12.25 | Operation FrostBeacon | Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia Contents Introduction Key Targets Geographical Focus Industries Affected LNK Cluster Initial Access: | OPERATION | OPERATION |
| 13.12.25 | GROUP 123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and | APT | APT |
| 13.12.25 | Golang Stealer | This week, SonicWall Capture Labs Threat Research Team analyzed a sample of SalatStealer. This is a Golang malware capable of infiltrating a system and enumerating through browsers, files, cryptowallets and systems while embedding a complete array of monitoring tools to push and pull any data on disk. | MALWARE | STEALER |
| 13.12.25 | ValleyRAT | Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits | MALWARE | RAT |
| 13.12.25 | SetcodeRat | SetcodeRat Exposed: A Telegram Secret Stealing Trojan Customized for Chinese-speaking Regions | MALWARE | RAT |
| 13.12.25 | PyStoreRAT | PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals | MALWARE | RAT |
| 13.12.25 | BlackForce | Technical Analysis of the BlackForce Phishing Kit | PHISHING | KIT |
| 13.12.25 | Spiderman | Spiderman Phishing Kit Mimics Top European Banks With A Few Clicks | PHISHING | KIT |
| 13.12.25 | GhostFrame | Threat Spotlight: Introducing GhostFrame, a new super stealthy phishing kit | PHISHING | KIT |
| 12.12.25 | AshTag | Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite | MALWARE | MALWARE |
| 12.12.25 | AridViper | AridViper, an intrusion set allegedly associated with Hamas | GROUP | GROUP |
| 12.12.25 | CVE-2025-55182 | Meta React Server Components Remote Code Execution Vulnerability |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-58360 | OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-55184 | (CVSS score: 7.5) - A pre-authentication denial of service vulnerability arising from unsafe deserialization of payloads from HTTP requests to Server Function endpoints, triggering an infinite loop that hangs the server process and may prevent future HTTP requests from being served |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-67779 | (CVSS score: 7.5) - An incomplete fix for CVE-2025-55184 that has the same impact |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-55183 | (CVSS score: 5.3) - An information leak vulnerability that may cause a specifically crafted HTTP request sent to a vulnerable Server Function to return the source code of any Server Function |
VULNEREBILITY |
|
| 12.12.25 | CVE-2024-55947 | Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1. |
VULNEREBILITY |
|
| 12.12.25 | CVE-2025-8110 | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. |
VULNEREBILITY |
|
| 12.12.25 | NANOREMOTE | The fully-featured backdoor we call NANOREMOTE shares characteristics with malware described in REF7707 and is similar to the FINALDRAFT implant. | MALWARE | BACKDOOR |
| 12.12.25 | SOAPwn | SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL | EXPLOIT | EXPLOIT |
| 12.12.25 | PeerBlight | PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182 | MALWARE | BACKDOOR |
| 10.12.25 | CVE-2025-54100 | (CVSS score: 7.8) - A command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-64671 | (CVSS score: 8.4) - A command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-54131 | Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in auto-run mode with a backtick (`) or $(cmd). |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59458 | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 code execution was possible due to improper command validation |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-54377 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-57771 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-65946 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, Due to an error in validation it was possible for Roo to automatically execute commands that did not match the allow list prefixes. This issue has been patched in version 3.26.7. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9612 | (Forbidden IDE Reordering) – A missing integrity check on a receiving port may allow re-ordering of PCIe traffic, leading the receiver to process stale data |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9613 | (Completion Timeout Redirection) – Incomplete flushing of a completion timeout may allow a receiver to accept incorrect data when an attacker injects a packet with a matching tag. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-9614 | (Delayed Posted Redirection) – Incomplete flushing or re-keying of an IDE stream may result in the receiver consuming stale, incorrect data packets. |
VULNEREBILITY |
|
| 10.12.25 | GOLD BLADE’s | Sharpening the knife: GOLD BLADE’s strategic evolution | APT | APT |
| 10.12.25 | JS#SMUGGLER | JS#SMUGGLER: Multi-Stage - Hidden Iframes, Obfuscated JavaScript, Silent Redirectors & NetSupport RAT Delivery | MALWARE | JAVASCRIPT |
| 10.12.25 | APT-C-08 | WinRAR CVE-2025-6218 Exploit: In-Depth Analysis of the APT-C-08 Directory Traversal Attack | APT | APT |
| 10.12.25 | CVE-2025-8088 | A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýèek from ESET. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-6218 | RARLAB WinRAR Path Traversal Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-62221 | Microsoft Windows Use After Free Vulnerability |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59719 | An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. |
VULNEREBILITY |
|
| 10.12.25 | CVE-2025-59718 | A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 |
VULNEREBILITY |
|
| 10.12.25 | EtherRAT | EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | MALWARE | RAT |
| 10.12.25 | CastleLoader | GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries | MALWARE | LOADER |
| 10.12.25 | Storm-0249 | Threat Spotlight: Storm-0249 Moves from Mass Phishing to Precision EDR Exploitation | APT | APT |
| 8.12.25 | CVE-2025-2611 | The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable. |
VULNEREBILITY |
|
| 8.12.25 | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). |
VULNEREBILITY |
||
| 8.12.25 | SEEDSNATCHER | Dissecting an Android Malware Targeting Multiple Crypto Wallet Mnemonic Phrases | MALWARE | ANDROID |
| 8.12.25 | ClayRat | Return of ClayRat: Expanded Features and Techniques | MALWARE | RAT |
| 8.12.25 | FvncBot | New FvncBot Android banking trojan targets Poland | MALWARE | ANDROID |
| 8.12.25 | UDPGangster | MuddyWater campaign analysis reveals macro-based delivery, extensive anti-analysis techniques, and shared infrastructure links | CAMPAIGN | CAMPAIGN |
| 7.12.25 | Snowlight | A malware dropper that allows remote attackers to drop additional payloads on breached devices. | MALWARE | Dropper |
| 7.12.25 | Vshell | A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. | MALWARE | Backdoor |
| 7.12.25 | CVE-2025-55182 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2022-41049 | Windows Mark of the Web Security Feature Bypass Vulnerability |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-49150 | Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-53097 | Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-58335 | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function |
VULNEREBILITY |
|
| 7.12.25 | CVE-2025-53773 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-54130 | Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-53536 | Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-55012 | Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-64660 | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-61590 | Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-58372 | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where certain VS Code workspace configuration files (.code-workspace) are not protected in the same way as the .vscode folder. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-55182 | Meta React Server Components Remote Code Execution Vulnerability | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47322 | Memory corruption while handling IOCTL calls to set mode. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47320 | Memory corruption while processing MFC channel configuration during music playback. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-27063 | Memory corruption during video playback when video session open fails with time out error. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47321 | Memory corruption while copying packets received from unix clients. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47387 | Memory Corruption when processing IOCTLs for JPEG data without verification. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47350 | Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47325 | Information disclosure while processing system calls with invalid parameters. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47323 | Memory corruption while routing GPR packets between user and root when handling large data packet. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47372 | Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. | VULNEREBILITY | |
| 7.12.25 | CVE-2025-47319 | Exposure of Sensitive System Information to an Unauthorized Control Sphere in HLOS | VULNEREBILITY | |
| 6.12.25 | RondoDox | Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities | MALWARE | IOT |
| 6.12.25 | HashJack Attack | HashJack Attack Targets AI Browsers and Agentic AI Systems | ATTACK | AI |
| 6.12.25 | CVE-2025-54988 | Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. | VULNEREBILITY | |
| 6.12.25 | CVE-2025-66516 | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. | VULNEREBILITY | |
| 6.12.25 | CVE-2025-1338 | A vulnerability was found in NUUO Camera up to 20250203. It has been declared as critical. This vulnerability affects the function print_file of the file /handle_config.php. The manipulation of the argument log leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | VULNEREBILITY | |
| 6.12.25 | V3G4 Botnet | CRIL has uncovered an active V3G4 campaign using a Mirai-derived botnet alongside a fileless, runtime-configured cryptominer. | BOTNET | BOTNET |
| 6.12.25 | Operation DupeHike | Contents Introduction Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Looking into the decoy-document Technical Analysis Stage 1 – Malicious LNK Script Stage 2 – DUPERUNNER Implant Stage 3 – AdaptixC2 Beacon. Infrastructural Artefacts. Conclusion SEQRITE Protection.... | OPERATION | OPERATION |
| 5.12.25 | Benzona Ransomware | A new ransomware operation known as Benzona has surfaced, showing signs of rapid development and growing confidence. The malware encrypts victim files using the “.benzona” extension and drops a ransom note titled RECOVERY_INFO.txt, warning that sensitive data has already been exfiltrated. Victims are given a 72-hour deadline to negotiate via a Tor-based chat portal, with threats of data publication should they refuse. | RANSOM | |
| 5.12.25 | DupeRunner and AdaptixC2 malware deployed within the Operation DupeHike | The SEQRITE researchers have uncovered a targeted cyber espionage campaign dubbed Operation DupeHike. The campaign is focused on various sectors including HR, payroll, and administrative departments. The attack utilizes sophisticated social engineering tactics, deploying realistic decoy documents centered on employee financial bonuses to lure victims. | OPERATION | |
| 5.12.25 | Symbiote and BPFdoor Linux malware variants implement new eBPF filters | Symbiote and BPFdoor are two Linux malware strains known to utilize Berkeley Packet Filter (BPF) packet sniffer to monitor network traffic and send packets only on existing open ports, bypassing firewall rules and network protections. As reported by researchers from Fortinet, both called out malware families have recently implemented new extended Berkeley Packet Filters (eBPFs) within the distributed payloads. | VIRUS | |
| 5.12.25 | Datebug APT deploys malware targeting BOSS Linux systems | The Pakistan-based advanced persistent threat (APT) group known as Datebug (aka APT36, Transparent Tribe, Storm-0156) is reported to be behind recent attacks targeting Indian government entities running Bharat Operating System Solutions (BOSS) Linux. | APT | |
| 5.12.25 | CVE-2025-61757 - Oracle Fusion Middleware vulnerability | CVE-2025-61757 is a recently disclosed critical (CVSS score 9.8) missing authentication vulnerability affecting the Identity Manager product of Oracle Fusion Middleware. If successfully exploited the flaw might provide unauthenticated attackers with network access via HTTP to compromise Identity Manager leading up to takeover of the vulnerable Identity Manager instance by the threat actors. | VULNEREBILITY | |
| 5.12.25 | CVE-2025-12480 - Gladinet Triofox vulnerability | CVE-2025-12480 is a recently disclosed critical (CVSS score 9.1) improper access control vulnerability affecting Gladinet Triofox file server and storage solution. If successfully exploited the flaw might allow unauthenticated remote attackers access to the vulnerable application configuration pages and enable them to perform upload and execution of arbitrary payloads. | VULNEREBILITY | |
| 5.12.25 | LotusHarvest malware deployed in Operation Hanoi Thief | SEQRITE Labs’ researchers have identified "Operation Hanoi Thief," a malicious cyber campaign targeting IT professionals and HR recruiters in Vietnam. The campaign employs spear-phishing emails containing fake resumes to deliver malware used to steal confidential user data. | OPERATION | |
| 5.12.25 | Arkanix Stealer | Researchers at G DATA recently observed a new infostealer dubbed Arkanix. According to their findings, it was initially built in Python and distributed via Discord as a fake “utility,” but it quickly evolved — a native C++ “premium” version now exists, complete with VMProtect obfuscation. Its capabilities are standard for commodity stealers. | VIRUS | |
| 5.12.25 | Albiriox mobile RAT | Albiriox is a new Android malware operating under a Malware-as-a-Service (MaaS) model, designed to facilitate on-device fraud, VNC‑based remote control and overlay attacks. As reported by researchers from Cleafy, the malware spreads through social engineering, specifically targeting Austrian victims via fake applications distributed through SMS and WhatsApp lures. | VIRUS | |
| 5.12.25 | CVE-2025-34299 - Monsta FTP vulnerability | CVE-2025-34299 is a recently disclosed critical (CVSS score 9.3) arbitrary file upload vulnerability affecting Monsta FTP solution (version 2.11.2 and earlier). If successfully exploited the flaw might allow unauthenticated remote attackers to perform arbitrary code execution by uploading a specially crafted file from malicious SFTP or FTP servers. | VULNEREBILITY | |
| 5.12.25 | Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read | Duc, an open-source disk management tool, contains a stack-based buffer overflow vulnerability allowing for out-of-bounds memory read. | ALERT | ALERT |
| 5.12.25 | Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform | nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. This vulnerability is extremely similar to CVE-2019-7215. | ALERT | ALERT |
| 5.12.25 | Intellexa Leaks | Global: “Intellexa Leaks” investigation provides further evidence of spyware threats to human rights. | BIGBROTHER | BIGBROTHER |
| 5.12.25 | ValleyRAT | Silver Fox’s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack | MALWARE | RAT |
| 5.12.25 | BRICKSTORM Backdoor | The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. | MALWARE | BACKDOOR |
| 4.12.25 | Cloudflare's 2025 Q3 DDoS threat report -- including Aisuru, the apex of botnets | Welcome to the 23rd edition of Cloudflare’s Quarterly DDoS Threat Report. This report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the third quarter of 2025. | BOTNET | BOTNET |
| 4.12.25 | CVE-2025-55182 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. | VULNEREBILITY | |
| 4.12.25 | CVE-2025-9491 | Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. | VULNEREBILITY | |
| 4.12.25 | CVE-2025-8489 | The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14. | VULNEREBILITY | |
| 3.12.25 | ShadyPanda's | 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | APT | APT |
| 3.12.25 | CVE-2025-10155 | (CVSS score: 9.3/7.8) - A file extension bypass vulnerability that can be used to undermine the scanner and load the model when providing a standard pickle file with a PyTorch-related extension such as .bin or .pt | VULNEREBILITY | |
| 3.12.25 | CVE-2025-10156 | (CVSS score: 9.3/7.5) - A bypass vulnerability that can be used to disable ZIP archive scanning by introducing a Cyclic Redundancy Check (CRC) error | VULNEREBILITY | |
| 3.12.25 | CVE-2025-10157 | (CVSS score: 9.3/8.3) - A bypass vulnerability that can be used to undermine Picklescan's unsafe globals check, leading to arbitrary code execution by getting around a blocklist of dangerous imports | VULNEREBILITY | |
| 3.12.25 | Glassworm's resurgence | Security can't take holidays off, but the code marketplace scanners just might. Over the past week, we've identified and tracked an unprecedented 23 extensions which copy other popular extensions, update after publishing with malware, manipulate download counts, and use KNOWN attack signatures which have been in use for months. Many of these relate to Glassworm malware, but there could be multiple campaigns at work also. | MALWARE | Worm |
| 3.12.25 | MuddyWater | MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook | APT | APT |
| 2.12.25 | Android Security Bulletin—December 2025 | This Android Security Bulletin contains details of security vulnerabilities that affect Android devices. Security patch levels of 2025-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version. | VULNEREBILITY | VULNEREBILITY |
| 2.12.25 | Albiriox | Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets | MALWARE | Android |
| 2.12.25 | Tomiris | Tomiris wreaks Havoc: New tools and techniques of the APT group | APT | APT |
| 2.12.25 | CVE-2021-26829 | OpenPLC ScadaBR Cross-site Scripting Vulnerability: OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm. | VULNEREBILITY | |