Exploit Blog News (87)


| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 11.10.25 | RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits | Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests. | Exploit blog | Trend Micro |
| 4.10.25 | Exploiting Legitimate Remote Access Tools in Ransomware Campaigns | Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated | Exploit blog | Seqrite |
| 4.10.25 | Exploited in the Wild: DELMIA Apriso Insecure Deserialization (CVE-2025-5086) | The SonicWall Capture Labs threat research team became aware of a deserialization of untrusted data vulnerability in DELMIA Apriso, assessed its impact and developed mitigation measures. DELMIA Apriso, developed by Dassault Systèmes, is a Manufacturing Operations Management (MOM) software that helps manufacturers digitize and manage global production. | Exploit blog | SonicWall |
| 6.9.25 | EOL Devices: Exploits Will Continue Until Security Improves | Something that has caught my attention lately, both in the news and from recent leaks of threat actor groups, is that attackers continue to use what works. The technique could be something elaborate or straightforward. | Exploit blog | Eclypsium |
| 30.8.25 | TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents | The TAOTH campaign exploited abandoned software and spear-phishing to deploy multiple malware families, targeting dissidents and other high-value individuals across Eastern Asia. | Exploit blog | Trend Micro |
| 23.8.25 | Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild | This article presents our observations of exploit attempts targeting CVE-2025-32433. This vulnerability allows unauthenticated remote code execution (RCE) in the Secure Shell (SSH) daemon (sshd) from certain versions of the Erlang programming language's Open Telecom Platform (OTP). | Exploit blog | Palo Alto |
| 23.8.25 | When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory | BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue. | Exploit blog | Palo Alto |
| 17.8.25 | When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory | BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue. | Exploit blog | Palo Alto |
| 16.8.25 | WinRAR zero-day exploited in espionage attacks against high-value targets | The attacks used spearphishing campaigns to target financial, manufacturing, defense, and logistics companies in Europe and Canada, ESET research finds. | Exploit blog | Eset |
| 26.7.25 | Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 25) | Unit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers. While SaaS environments remain unaffected, self-hosted SharePoint deployments — particularly within government, schools, healthcare (including hospitals) and large enterprise companies — are at immediate risk. | Exploit blog | Palo Alto |
| 12.7.25 | GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed | Unit 42 researchers uncovered a campaign by an initial access broker (IAB) to exploit leaked Machine Keys — cryptographic keys used on ASP.NET sites — to gain access to targeted organizations. IABs breach organizations and then sell that access to other threat actors. | Exploit blog | Palo Alto |
| 5.7.25 | Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open | During routine monitoring, the Wiz Research Team observed an exploitation attempt targeting one of our honeypot servers running TeamCity, a popular CI/CD tool. | Exploit blog | WIZ |
| 3.7.25 | Further insights into Ivanti CSA 4.6 vulnerabilities exploitation | Between October 2024 and late January 2025, public reports described the exploitation of Ivanti CSA vulnerabilities, which started in Q4 2024. We share analysis results confirming worldwide exploitation that led to web shell deployments in September and October 2024. | Exploit blog | INSIDETHELAB |
| 1.7.25 | Can You Trust that Verified Symbol? Exploiting IDE Extensions is Easier Than it Should Be | OX Security researchers uncover how easy it is for malicious extensions to bypass trust checks and execute code on developer machines. | Exploit blog | OX SECURITY |
| 21.6.25 | Uncovering a Tor-Enabled Docker Exploit | A recent attack campaign took advantage of exposed Docker Remote APIs and used the Tor network to deploy a stealthy cryptocurrency miner. This blog breaks down the attack chain. | Exploit blog | Trend Micro |
| 20.6.25 | Threat actor Banana Squad exploits GitHub repos in new campaign | ReversingLabs researchers discovered more than 60 GitHub repositories that contain hundreds of trojanized files. | Exploit blog | ReversingLabs |
| 14.6.25 | The Week in Vulnerabilities: Cyble Warns of Rising Exploits Targeting ICS, Enterprise, and Web Systems | Cyble reports rising vulnerability threats from May 28–June 3, highlighting flaws in ICS, enterprise,... | Exploit blog | Cyble |
| 14.6.25 | Serverless Tokens in the Cloud: Exploitation and Detections | This article outlines the mechanics and security implications of serverless authentication across major cloud platforms. | Exploit blog | Palo Alto |
| 1.6.25 | CISA Updates Advisory for Active Exploitation Targeting Commvault Metallic SaaS Cloud Platform | CISA issues urgent update on threats targeting Commvault’s Metallic SaaS platform, widely used for Microsoft 365 backups. | Exploit blog | Cyble |
| 24.5.24 | UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader. | Exploit blog | CISCO TALOS |
| 24.5.24 | Duping Cloud Functions: An emerging serverless attack vector | Cisco Talos built on Tenable’s discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure. | Exploit blog | CISCO TALOS |
| 10.5.24 | The IT help desk kindly requests you read this newsletter | How do attackers exploit authority bias to manipulate victims? Martin shares proactive strategies to protect yourself and others in this must-read edition of the Threat Source newsletter. | Exploit blog | CISCO TALOS |
| 29.4.25 | Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis | Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). | Exploit blog | Google Threat Intelligence |
| 29.3.25 | An analysis of the NSO BLASTPASS iMessage exploit | On September 7, 2023 Apple issued an out-of-band security update for iOS | Exploit blog | Project Zero |
| 8.3.25 | Unmasking the new persistent attacks on Japan | Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities. | Exploit blog | Cisco Blog |
| 22.2.25 | The Cat and Mouse Game: Exploiting Statistical Weaknesses in Human Interaction Anti-Evasions | We describe, in very general terms, how we were able to evade detection by taking advantage of statistical anomalies in the human interaction modules of several sandbox solutions. | Exploit blog | Checkpoint |
| 22.2.25 | Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike | This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access. | Exploit blog | Cisco Blog |
| 22.12.24 | MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks | Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance. | Exploit blog | Trend Micro |
| 21.12.24 | The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit | Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs. | Exploit blog | Project Zero |
| 2.11.24 | Threat actors exploiting zero-days faster than ever – Week in security with Tony Anscombe | The average time it takes attackers to weaponize a vulnerability, either before or after a patch is released, shrank from 63 days in 2018-2019 to just five days last year. | Exploit blog | Eset |
| 21.9.24 | Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool | This article discusses the discovery of a new post-exploitation red team tool called Splinter that we found on customer systems using Advanced WildFire’s memory scanning tools. Penetration testing toolkits and adversary simulation frameworks are often useful for identifying potential security issues in a company's network. | Exploit blog | Palo Alto |
| 1.9.24 | North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). | Exploit blog | Microsoft Blog |
| 13.7.24 | Exploring Compiled V8 JavaScript Usage in Malware | In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically. | Exploit blog | Checkpoint |
| 6.7.24 | Attackers Exploiting Public Cobalt Strike Profiles | In this article, Unit 42 researchers detail recent findings of malicious Cobalt Strike infrastructure. We also share examples of malicious Cobalt Strike samples that use Malleable C2 configuration profiles derived from the same profile hosted on a public code repository. | Exploit blog | Palo Alto |
| 15.6.24 | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | We analyze a cryptojacking attack campaign exploiting exposed Docker remote API servers to deploy cryptocurrency miners, using Docker images from the open-source Commando project. | Exploit blog | Trend Micro |
| 15.6.24 | Decoding Router Vulnerabilities Exploited by Mirai: Insights from SonicWall’s Honeypot Data | SonicWall recently identified a significant increase in Mirai honeypot activity. In this deep dive, we explore the evolution of Mirai, who is most at risk and the best ways to mitigate attacks. | Exploit blog | SonicWall |
| 18.5.24 | Foxit PDF “Flawed Design” Exploitation | PDF (Portable Document Format) files have become an integral part of modern digital communication. Renowned for their universality and fidelity, PDFs offer a robust platform for sharing documents across diverse computing environments | Exploit blog | Checkpoint |