HOT NEWS 2025
| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| 30.11.25 | CVE-2025-12816 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures that desynchronize schema validation, yielding a semantic divergence that may bypass downstream cryptographic verification and security decisions. | VULNERABILITY | |
| 30.11.25 | CVE-2025-59366 | An authentication-bypass vulnerability exists in AiCloud. It can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section of the ASUS Security Advisory for more information. | VULNERABILITY | |
| 30.11.25 | CVE-2020-0688 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. | VULNERABILITY | |
| 30.11.25 | CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | VULNERABILITY | |
| 30.11.25 | Public Report: Android Quick Share Application Penetration Test | NetSPI performed an analysis of Google LLC’s implementation of Quick Share to identify vulnerabilities, determine the level of risk they present to Google, and provide actionable recommendations to reduce this risk. | REPORT | REPORT |
| 30.11.25 | CVE-2025-61757 | Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability | VULNERABILITY | |
| 29.11.25 | TangleCrypt packer employed in recent StoneStop malware delivery campaign | The researchers from WithSecure have released a technical analysis of TangleCrypt, a previously undocumented packer identified in recent attacks utilizing StoneStop EDR killer malware. | VIRUS | |
| 29.11.25 | Flexible Ferret malware distribution campaigns continue to target macOS users | A new run of the malicious campaign dubbed "Contagious Interview" has been reported by researchers from JAMF. The attackers target macOS users, lure them to fake job websites, and then trick them into downloading malware via bogus software updates. | VIRUS | |
| 29.11.25 | W-8BEN Phishing Alert: Interactive Brokers users targeted via fake login pages | Interactive Brokers (IBKR) is a large, global securities firm offering an electronic trading platform for sophisticated investors, active traders, and institutions across a wide range of products. Recently, a phishing campaign was identified that impersonates a request for the W-8BEN tax form, primarily targeting non-U.S. residents to steal sensitive data. | PHISHING | |
| 29.11.25 | Recent ShadowV2 - a Mirai variant delivery campaign | FortiGuard Labs recently reported on ShadowV2, Mirai-based malware targeting IoT devices during the large-scale AWS disruption in October. | BOTNET | |
| 29.11.25 | StealC malware campaign targets Blender users | StealC malware was deployed in a campaign by Russian-linked threat actors targeting users of the popular open-source 3D creation suite, Blender. The multi-stage attack involves malicious .blend files published to legitimate 3D marketplaces. | VIRUS | |
| 29.11.25 | Silver Fox Campaign Uses Fake Apps & BYOVD | Researchers recently observed a “SwimSnake / Silver Fox” campaign distributing remote-control malware via SEO-boosted fake download sites that impersonate apps like Youdao Translator and WPS. The loaders perform multilayered decryption, use around 80 encrypted fallback C2 addresses, and deploy Gh0st-derived plugins to conceal payloads and support spying, remote command execution, and DDoS. | CAMPAIGN | |
| 29.11.25 | Banking malware spread to Brazilian users in campaign leveraging phishing and WhatsApp messaging | A sophisticated malware campaign, identified by K7 Security Labs as part of the "Water-Saci" operation, is targeting the Brazilian financial sector through a hybrid phishing and WhatsApp messaging propagation strategy. Initial access is gained via phishing emails with malicious .VBS attachments, followed by the deployment of Python scripts and Selenium WebDriver to hijack WhatsApp Web sessions. | VIRUS | |
| 29.11.25 | TamperedChef activity continues | TamperedChef is a cyber campaign utilizing malvertising and Search Engine Optimization (SEO) to distribute malicious payloads. The operation targets users searching for common software like web browsers, PDF editors, or product manuals. | CAMPAIGN | |
| 29.11.25 | Autumn Dragon APT activity | Autumn Dragon is a sophisticated cyber espionage campaign targeting government and media organizations across Southeast Asia. As reported by the researchers from CyberArmor, the campaign has been active since early 2025. It begins with spearphishing emails containing a malicious RAR archive that exploits CVE-2025-8088, a path traversal vulnerability in WinRAR. | APT | |
| 29.11.25 | Tsundere botnet | Researchers at Kaspersky have identified a growing botnet named Tsundere, which has been targeting Windows users since at least mid-2025. The malware is primarily propagated through fake MSI installers disguised as popular video game installers or other pirated software. | BOTNET | |
| 29.11.25 | New variant of Shai-Hulud worm found targeting npm packages | A new, aggressive wave of the "Shai Hulud" malware campaign has been reported, compromising hundreds of packages and impacting major organizations including Zapier, Postman, AsyncAPI, and ENS Domains. The malware operates like a sophisticated worm, autonomously spreading by re-publishing itself into other packages maintained by the compromised individual. | VIRUS | |
| 29.11.25 | CCLand Ransomware | A ransomware actor calling itself “CCLand Team” has recently surfaced. The group presents itself as purely financially motivated and appears to follow a conventional double-extortion model, claiming data theft, file encryption and threatening public disclosure. In the recent activity, they demanded USD 50,000 in Bitcoin with a one-week deadline. | RANSOM | |
| 29.11.25 | Forge JavaScript library impacted by a vulnerability in signature verification | The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability was identified that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data. | ALERT | ALERT |
| 29.11.25 | Fluent Bit contains five vulnerabilities, including stack buffer overflow, authentication bypass, and path traversal | Fluent Bit is a logging and metrics processor and forwarder used in a variety of cloud and container networking environments. Several vulnerabilities in Fluent Bit have been discovered that could allow authentication bypass, remote code execution (RCE) and denial of service (DoS), largely enabled by various Fluent Bit plugins and by how Fluent Bit processes tags. | ALERT | ALERT |
| 29.11.25 | Lack of Sufficient Guardrails Leads to Excessive Agency (LLM08) in Some LLM Applications | Retell AI's API creates AI voice agents that have excessive permissions and functionality as a result of insufficient guardrails. Attackers can exploit this to conduct large-scale social engineering, phishing, and misinformation campaigns. | ALERT | ALERT |
| 29.11.25 | ShadowV2 | At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and spanned seven different industries. | BOTNET | BOTNET |
| 28.11.25 | Bloody Wolf | Bloody Wolf: A Blunt Crowbar Threat To Justice | GROUP | GROUP |
| 26.11.25 | Qilin RaaS | The Korean Leaks – Analyzing the Hybrid Geopolitical Campaign Targeting South Korean Financial Services With Qilin RaaS | CAMPAIGN | CAMPAIGN |
| 26.11.25 | Market Opportunities and Advanced Strategies Increase the Impact and Resilience of Purchase Scams | Purchase scams are a major emerging fraud threat in which threat actors use fake e-commerce stores to steal victim data and accept card payments for non-existent goods and services. | REPORT | REPORT |
| 26.11.25 | RomCom payload | Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine | OPERATION | OPERATION |
| 25.11.25 | "JackFix" attack | Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix | ATTACK | ATTACK |
| 25.11.25 | ToddyCat | ToddyCat: your hidden email assistant. Part 1 | GROUP | GROUP |
| 25.11.25 | StealC V2 infostealer | Morphisec Thwarts Russian-Linked StealC V2 Campaign Targeting Blender Users via Malicious .blend Files | MALWARE | Stealer |
| 24.11.25 | CVE-2025-12969 | The Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to a Fluent Bit instance exposing the forward input to send unauthenticated data. | VULNERABILITY | |
| 24.11.25 | CVE-2025-12977 | The Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access, or the ability to write records into Splunk or Elasticsearch, can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. | VULNERABILITY | |
| 24.11.25 | CVE-2025-12978 | The Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs in which a tag prefix is incorrectly treated as a full match. | VULNERABILITY | |
| 24.11.25 | CVE-2025-12970 | The extract_name function in the Fluent Bit in_docker input plugin copies container names into a fixed-size stack buffer without validating their length. | VULNERABILITY | |
| 24.11.25 | CVE-2025-12972 | The Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. | VULNERABILITY | |
| 24.11.25 | Shai-Hulud 2.0 | Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users. | CAMPAIGN | CAMPAIGN |
| 24.11.25 | Shai-Hulud Campaign | It's another Monday morning, sitting down at the computer. And I see a stack of alerts from the last hour of packages showing signs of malware in our triage queue. Having not yet finished my first cup of coffee, I see Shai Hulud indicators. | CAMPAIGN | CAMPAIGN |
| 24.11.25 | Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) | AhnLab SEcurity intelligence Center (ASEC) has identified an attack where the remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was exploited to distribute the ShadowPad malware. | REPORT | REPORT |
| 23.11.25 | CVE-2025-35939 | Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. | VULNERABILITY | |
| 23.11.25 | CVE-2025-9242 | An out-of-bounds write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. | VULNERABILITY | |
| 19.11.25 | CVE-2025-2492 | An improper authentication control vulnerability exists in AiCloud. It can be triggered by a crafted request, potentially leading to unauthorized execution of functions. Refer to the 'ASUS Router AiCloud vulnerability' section of the ASUS Security Advisory for more information. | VULNERABILITY | |
| 19.11.25 | CVE-2024-12912 | An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section of the ASUS Security Advisory for more information. | VULNERABILITY | |
| 19.11.25 | CVE-2023-39780 | On ASUS RT-AX55 3.0.0.4.386.51598 devices, authenticated attackers can perform OS command injection via the /start_apply.htm qos_bw_rulelist parameter. NOTE: for the similar "token-generated module" issue, see CVE-2023-41345; for the similar "token-refresh module" issue, see CVE-2023-41346; for the similar "check token module" issue, see CVE-2023-41347; and for the similar "code-authentication module" issue, see CVE-2023-41348. | VULNERABILITY | |
| 19.11.25 | CVE-2023-41348 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system or terminate services. | VULNERABILITY | |
| 19.11.25 | CVE-2023-41347 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system or terminate services. | VULNERABILITY | |
| 19.11.25 | CVE-2023-41346 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system or terminate services. | VULNERABILITY | |
| 19.11.25 | CVE-2023-41345 | ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary commands, disrupt the system, or terminate services. | VULNERABILITY | |
| 19.11.25 | Exploiting Agent-to-Agent Discovery via Prompt Injection | When AI Turns on Its Team: Exploiting Agent-to-Agent Discovery via Prompt Injection | HACKING | AI |
| 19.11.25 | Operation WrtHug | Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router | OPERATION | OPERATION |
| 19.11.25 | Eternidade Stealer | Advanced Banking Trojan Maverick Uses WhatsApp to Prey on Brazilian Users | MALWARE | Stealer |
| 19.11.25 | PlushDaemon | PlushDaemon compromises network devices for adversary-in-the-middle attacks | APT | APT |
| 19.11.25 | CVE-2025-58034 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5,.. | VULNERABILITY | |
| 19.11.25 | | Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. | VULNERABILITY | |
| 18.11.25 | | SmartApeSG campaign uses ClickFix page to push NetSupport RAT | CAMPAIGN | |
| 18.11.25 | Morphisec Thwarts Sophisticated Tuoni C2 Attack on US Real Estate Firm | In October 2025, Morphisec’s anti-ransomware prevention platform stopped a highly advanced cyberattack targeting a major U.S. real estate company. | | |
| 18.11.25 | | EVALUSION Campaign Delivers Amatera Stealer and NetSupport RAT | CAMPAIGN | |
| 18.11.25 | | Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | VULNERABILITY | |
| 18.11.25 | | Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One | Crypter | |
| 17.11.25 | | RONINGLOADER: DragonBreath’s New Path to PPL Abuse | Loader | |
| 17.11.25 | | In multiple locations, there is a possible condition that results in out-of-bounds (OOB) accesses due to an incorrect bounds check. This could lead to remote code execution in combination with other bugs, with no additional execution privileges needed. | VULNERABILITY | |
| 16.11.25 | | An authentication bypass vulnerability has been identified in certain DSL series routers that may allow remote attackers to gain unauthorized access to the affected system. | VULNERABILITY | |
| 16.11.25 | CVE-2025-12686 | Allows remote attackers to execute arbitrary code. | VULNERABILITY | |
| 15.11.25 | | The Genians Security Center (GSC) has identified new attack activity linked to the KONNI APT campaign, which is known to be associated with the Kimsuky or APT37 groups. | MALWARE | |
| 15.11.25 | | Quantum Redirect: Offense by Vibes | PHISHING | |
| 15.11.25 | | Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack | PHISHING | |
| 15.11.25 | | SQL Anywhere Monitor (Non-GUI) bakes credentials into the code, exposing resources or functionality to unintended users and giving attackers the possibility of arbitrary code execution. This could have a high impact on the confidentiality, integrity and availability of the system. | VULNERABILITY | |
| 15.11.25 | | The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution. | VULNERABILITY | |
| 15.11.25 | Attackers leverage software brand impersonation to deliver Gh0st RAT | A report by Unit 42 at Palo Alto Networks highlights two brand impersonation campaigns observed in 2025 that deliver a Gh0st RAT payload. | | |
| 15.11.25 | | A new malspam campaign impersonating the GLS delivery service has been reported by CERT-AGID. The attackers send malicious emails themed around a failed parcel delivery and urge recipients to open an attached XHTML file. | | |
| 15.11.25 | | Researchers from the Canva Threat Detection and Hunting team reported an increased use of weaponized AppleScript (.scpt) files by threat actors. | | |
| 15.11.25 | | The DanaBot malware has resurfaced with a new Windows variant, approximately six months after its activity was severely disrupted by the international law enforcement action Operation Endgame. | | |
| 15.11.25 | | A new report by researchers at Cisco Talos details recent activity of the Kraken ransomware group. The group, established in early 2025, runs a double extortion operation with no specific industry or geographical focus. | | |
| 15.11.25 | SkyCloak campaigns target Russian and Belarusian military entities | Russian and Belarusian military entities are targeted in a multi-stage attack intended to give the attackers backdoor access. Details of the activity, named Operation SkyCloak in a report published by Seqrite, are further corroborated in a report shared by researchers at Cyble. | | |
| 15.11.25 | Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation | Wolfram Cloud version 14.2 allows the Java Virtual Machine (JVM) unrestricted access to temporary resources in the /tmp/ directory of the cloud environment, which may result in privilege escalation, information exfiltration, and remote code execution. | ALERT | |
| 15.11.25 | Lite XL Arbitrary Code Execution via Project Module and Legacy system.exec Function | Lite XL is a lightweight text editor derived from the lite project, written primarily in Lua and C. | ALERT | |
| 15.11.25 | NVIDIA AIStore AuthN Hard-coded Credentials Authentication Bypass Vulnerability | ZDI-25-1013 | ZERO-DAY | |
| 15.11.25 | | ZDI-25-1012 | ZERO-DAY | |
| 15.11.25 | | Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery | JSON | |
| 15.11.25 | | MCP Hijacking of Cursor’s New Browser | WEB | |
| 15.11.25 | | ShadowMQ: How Code Reuse Spread Critical Vulnerabilities Across the AI Ecosystem | VULNERABILITY | |
| 15.11.25 | CVE-2025-60455 | (CVSS score: N/A) - Modular Max Server (Fixed) | VULNERABILITY | |
| 15.11.25 | | (CVSS score: 8.8) - NVIDIA TensorRT-LLM (Fixed in version 0.18.2) | VULNERABILITY | |
| 15.11.25 | | (CVSS score: 8.0) - vLLM (While the issue is not fixed, it has been addressed by switching to the V1 engine by default) | VULNERABILITY | |
| 15.11.25 | SpearSpecter | Israel National Digital Agency researchers have uncovered an ongoing, sophisticated espionage campaign, | BIGBROTHER | |
| 15.11.25 | | BRONZE BUTLER, also known as Tick or REDBALDKNIGHT, is a sophisticated and persistent cyber espionage group believed to originate from China. | GROUP | |
| 15.11.25 | | This week, the SonicWall Capture Labs Threat Research Team analyzed a sample of RondoDox, a Linux botnet infector. | Botnet | |
| 15.11.25 | | In August 2025, Cisco Talos observed big-game hunting and double extortion attacks carried out by Kraken, a | GROUP | |
| 14.11.25 | | CRIL analyzed an active phishing campaign leveraging HTML-based Telegram bot credential harvesters designed to mimic multiple prominent brands | PHISHING | |
| 14.11.25 | Disrupting the first reported AI-orchestrated cyber espionage campaign | We have developed sophisticated safety and security measures to prevent the misuse of our AI models. | | |
| 13.11.25 | Apple Safari JavaScriptCore Wasm Function Parsing Use-After-Free Remote Code Execution Vulnerability | ZDI-CAN-28039 | ZERO-DAY | |
| 13.11.25 | | ZDI-CAN-27991 | ZERO-DAY | |
| 13.11.25 | Apple macOS USD readAccessorData Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZDI-CAN-27849 | ZERO-DAY | |
| 13.11.25 | Apple macOS ICC Profile Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | ZDI-CAN-27894 | ZERO-DAY | |
| 13.11.25 | | ZDI-CAN-27825 | ZERO-DAY | |
| 13.11.25 | Apple macOS CoreText Font Glyph Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability | ZDI-CAN-27796 | ZERO-DAY | |
| 13.11.25 | Apple macOS WindowServer Excessive Iteration Denial-of-Service Vulnerability | ZDI-CAN-27348 | ZERO-DAY | |
| 13.11.25 | | ZDI-CAN-27854 | ZERO-DAY | |
| 13.11.25 | Apple macOS USD importNodeAnimations Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZDI-CAN-27853 | ZERO-DAY | |
| 13.11.25 | Apple macOS USD importMeshes Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZDI-CAN-27848 | ZERO-DAY | |
| 13.11.25 | Microsoft Windows Common Log File System Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-27263 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-28025 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-28023 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-28024 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Use-After-Free Information Disclosure Vulnerability | ZDI-CAN-28027 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-28022 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Out-Of-Bounds Read Information Disclosure Vulnerability | ZDI-CAN-28026 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins Out-Of-Bounds Read Remote Code Execution Vulnerability | ZDI-CAN-28072 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZDI-CAN-28071 | ZERO-DAY | |
| 13.11.25 | Adobe USD-Fileformat-plugins usdGltf Heap-based Buffer Overflow Remote Code Execution Vulnerability | ZDI-CAN-28021 | ZERO-DAY | |
| 13.11.25 | | The Great Indonesian TEA Theft: Analyzing a NPM Spam Campaign | SPAM | |
| 13.11.25 | A dual strategy: legal action and new legislation to fight scammers | That text message you got about a 'stuck package' from USPS or an 'unpaid road toll'? It’s not just spam. | SPAM | |
| 13.11.25 | | Microsoft Windows Race Condition Vulnerability | VULNERABILITY | |
| 13.11.25 | | Gladinet Triofox Improper Access Control Vulnerability | VULNERABILITY | |
| 13.11.25 | | WatchGuard Firebox Out-of-Bounds Write Vulnerability | VULNERABILITY | |
| 12.11.25 | CHAMELEON#NET campaign - from DarkTortilla loader to FormBook payload | A new sophisticated malspam campaign utilizing the DarkTortilla .NET malware loader to deliver the FormBook Remote Access Trojan (RAT) has been documented by the researchers from Securonix. The attack is initiated via phishing, where users are manipulated into downloading a compressed .BZ2 archive containing a highly obfuscated JavaScript dropper. | VIRUS | |
| 12.11.25 | A new phishing campaign targeting hospitality industry customers | A recent phishing campaign reported by the researchers from Sekoia is targeting hospitality customers. A key intrusion tactic involves sending malicious emails to popular hospitality sector businesses that lure the staff into clicking a URL employing the "ClickFix" social engineering technique, ultimately manipulating them into executing a malicious PowerShell command. | CAMPAIGN | |
| 12.11.25 | CVE-2024-25621 | containerd affected by a local privilege escalation via wide permissions on CRI directory | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-10966 | missing SFTP host verification with wolfSSH | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-12863 | Libxml2: namespace use-after-free in the xmlSetTreeDoc() function of libxml2 | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-12875 | mruby array.c ary_fill_exec out-of-bounds write | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-30398 | Nuance PowerScribe 360 Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-31133 | runc container escape via "masked path" abuse due to mount race conditions | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-40107 | can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-40109 | crypto: rng - Ensure set_ent is always present | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-47179 | Configuration Manager Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-52565 | container escape due to /dev/console mount and related races | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-52881 | runc: LSM labels can be bypassed with malicious config using dummy procfs files | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59240 | Microsoft Excel Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59499 | Microsoft SQL Server Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59504 | Azure Monitor Agent Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59505 | Windows Smart Card Reader Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59506 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59507 | Windows Speech Runtime Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59508 | Windows Speech Recognition Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59509 | Windows Speech Recognition Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59510 | Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59511 | Windows WLAN Service Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59512 | Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59513 | Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59514 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-59515 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60703 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60704 | Windows Kerberos Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60705 | Windows Client-Side Caching Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60706 | Windows Hyper-V Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60707 | Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60708 | Storvsp.sys Driver Denial of Service Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60709 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60710 | Host Process for Windows Tasks Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60713 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60714 | Windows OLE Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60715 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60716 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60717 | Windows Broadcast DVR User Service Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60718 | Windows Administrator Protection Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60719 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60720 | Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60721 | Windows Administrator Protection Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60722 | Microsoft OneDrive for Android Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60723 | DirectX Graphics Kernel Denial of Service Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60724 | GDI+ Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60726 | Microsoft Excel Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60727 | Microsoft Excel Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60728 | Microsoft Excel Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-60753 | An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62199 | Microsoft Office Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62200 | Microsoft Excel Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62201 | Microsoft Excel Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62202 | Microsoft Excel Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62203 | Microsoft Excel Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62204 | Microsoft SharePoint Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62205 | Microsoft Office Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62206 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62208 | Windows License Manager Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62209 | Windows License Manager Information Disclosure Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62210 | Dynamics 365 Field Service (online) Spoofing Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62211 | Dynamics 365 Field Service (online) Spoofing Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62213 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62214 | Visual Studio Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62215 | Windows Kernel Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62216 | Microsoft Office Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.25 | CVE-2025-62217 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 12.11.2025 | CVE-2025-62218 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62219 | Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62220 | Windows Subsystem for Linux GUI Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62222 | Agentic AI and Visual Studio Code Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62449 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62452 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-62453 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64329 | containerd CRI server: Host memory exhaustion through Attach goroutine leak | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64432 | KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64433 | KubeVirt Arbitrary Container File Read | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64434 | KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64435 | KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64436 | KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes | VULNEREBILITY | VULNEREBILITY |
| 12.11.2025 | CVE-2025-64437 | KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes | VULNEREBILITY | VULNEREBILITY |
| 12.11.25 | CVE-2025-60716 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. | VULNEREBILITY | |
| 12.11.25 | CVE-2025-62215 | This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more complex attack chain; however, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities. | VULNEREBILITY | |
| 12.11.25 | CVE-2025-60274 | A critical GDI+ remote code execution vulnerability. GDI+ parses various graphics files. The attack surface is likely huge, as anything in Windows (browsers, email, and Office documents) will use this library at some point to display images. We also have a critical vulnerability in DirectX, CVE-2025-60716. Microsoft classifies this as a privilege escalation issue, yet still rates it as critical. | VULNEREBILITY | |
| 12.11.25 | CVE-2025-62199 | A code execution vulnerability in Microsoft Office. Another component with a huge attack surface that is often exploited. | VULNEREBILITY | |
| 12.11.25 | CVE-2025-5777 | Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. | VULNEREBILITY | |
| 12.11.25 | CVE-2025-20337 | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. | VULNEREBILITY | |
| 12.11.25 | Maverick | Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution | MALWARE | Banking Trojan |
| 12.11.25 | Coyote Banking Trojan | Coyote Banking Trojan Extends Reach & Targets Users through WhatsApp | MALWARE | Banking Trojan |
| 12.11.25 | Gootloader | Gootloader Returns: What Goodies Did They Bring? | MALWARE | Loader |
| 11.11.25 | EndClient RAT | New Kimsuky Malware “EndClient RAT”: First Technical Report and IOCs | MALWARE | RAT |
| 11.11.25 | Fantasy Hub | Fantasy Hub: Another Russian-Based RAT as M-a-a-S | MALWARE | M-a-a-S |
| 11.11.25 | Comebacker | Lazarus Group targets Aerospace and Defense with new Comebacker variant | MALWARE | Loader |
| 11.11.25 | CVE-2025-12480 | Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after setup is complete. | VULNEREBILITY | |
| 10.11.25 | I Paid Twice | Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers | CAMPAIGN | PHISHING |
| 9.11.25 | Vulnerability in expr-eval JavaScript library can lead to remote code execution. | The npm package expr-eval is a JavaScript library that evaluates mathematical expressions and is used in various applications, including NLP and AI. A vulnerability in this library has been disclosed that could allow arbitrary code execution by an attacker using maliciously crafted input. | ALERT | ALERT |
| 9.11.25 | Line Dancer | In-memory shellcode loader targeting Cisco Adaptive Security Appliance (ASA) devices | MALWARE | Loader |
| 9.11.25 | Line Runner | Persistent webshell targeting Cisco Adaptive Security Appliance (ASA) devices. | MALWARE | Loader |
| 9.11.25 | CVE-2025-20363 | Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability | VULNEREBILITY | |
| 9.11.25 | CVE-2025-20358 | A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative permissions pertaining to script creation and execution. | VULNEREBILITY | |
| 9.11.25 | CVE-2024-20359 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability | VULNEREBILITY | |
| 9.11.25 | CVE-2024-20353 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability | VULNEREBILITY | |
| 9.11.25 | CVE-2025-6205 - DELMIA Apriso vulnerability exploited in the wild | CVE-2025-6205 is a recently disclosed critical (CVSS score 9.1) missing authorization vulnerability affecting DELMIA Apriso from release 2020 through release 2025. If successfully exploited, the flaw might allow attackers to gain privileged access to vulnerable application instances. This vulnerability was added just last week to the CISA Known Exploited Vulnerabilities (KEV) Catalog following reports of in-the-wild exploitation. | VULNEREBILITY | |
| 9.11.25 | Attackers target cargo and freight companies with RMM tools | Remote monitoring and management (RMM) tools are a common payload in today's threat landscape. A recent report by researchers at Proofpoint details campaigns against cargo and freight companies to attempt cargo theft. | CAMPAIGN | |
| 9.11.25 | BankBot mobile malware | A new variant of the BankBot mobile malware has been reported by the researchers from Cyfirma. This strain implements updated anti-emulation techniques. During initialization, it inspects device attributes like device manufacturer and model identifiers to detect virtualized or sandboxed environments, dynamically altering its behavior to evade automated analysis. | VIRUS | |
| 9.11.25 | Recent activity focusing on organizations influencing U.S. policy | China-linked actors continue to show interest in U.S. organizations with links to or involvement in policy issues, including an intrusion earlier this year into a U.S. non-profit organization that is active in attempting to influence U.S. government policy on international issues. | APT | |
| 9.11.25 | New NGate mobile malware campaign targeting Polish banking users | CERT Polska has uncovered a new mobile malware campaign called NGate that uses an NFC Relay attack to drain cash from victims' bank accounts at ATMs. The attack targets users of Polish banks and starts with a fake security message (email or SMS) concerning a technical issue or incident, tricking the victim into installing a malicious Android app. | VIRUS | |
| 9.11.25 | RMM Abuse Continues — Malicious LogMeIn Resolve Activity on the Rise | In recent weeks we observed a decline in malicious ScreenConnect activity and a concurrent rise in campaigns abusing LogMeIn Resolve RMM (aka GoTo Resolve) – Using the “Unattended Access” feature within Resolve, which allows access to and control of computers or servers without an end user being present. | VIRUS | |
| 9.11.25 | CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild | CVE-2025-24893 is a recently disclosed template-injection vulnerability affecting XWiki, an open-source wiki software platform. If successfully exploited, the flaw might allow unauthenticated attackers to inject and execute arbitrary Groovy code through crafted requests. | VULNEREBILITY | |
| 9.11.25 | Multi-Stage In-Memory Agent Tesla Campaign Targets LATAM | Symantec has identified a new Agent Tesla campaign leveraging business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services. | CAMPAIGN | |
| 9.11.25 | CVE-2025-54247 - Adobe Experience Manager vulnerability | CVE-2025-54247 is a recently disclosed improper input validation vulnerability affecting Adobe Experience Manager versions 6.5.23.0 and earlier. If successfully exploited, the flaw might allow low-privileged attackers to bypass security measures and gain unauthorized read access. The product vendor has already released security patches to address this vulnerability. | VULNEREBILITY | |
| 9.11.25 | Threat actors spoof Aramex services to steal credentials | Aramex, a global logistics and transportation company based in Dubai, offers services such as express courier delivery, freight forwarding, and supply chain management for businesses and consumers. Symantec has detected a new wave of phishing attacks that mimic Aramex services to steal credentials. | ALERTS | PHISHING |
| 9.11.25 | CVE-2025-54236 - Adobe Commerce and Magento vulnerability | CVE-2025-54236 (aka SessionReaper) is a recently disclosed critical (CVSS score 9.1) improper input validation vulnerability affecting the Adobe Commerce and Magento solutions. If successfully exploited, the flaw might allow an attacker to take over a session through the Commerce REST API. | VULNEREBILITY | |
| 9.11.25 | CVE-2025-11371 - Gladinet CenterStack LFI vulnerability exploited in the wild | CVE-2025-11371 is a recently disclosed local file inclusion (LFI) vulnerability in the Gladinet CenterStack and Triofox platforms, which are self-hosted file sharing solutions. If successfully exploited, the flaw might allow attackers to perform unauthenticated remote file inclusion, retrieve configuration keys and subsequently achieve remote code execution. The vulnerability has been reported as being exploited in the wild. | VULNEREBILITY | |
| 9.11.25 | New phishing campaign targets Tether users with fake anti-money laundering notices | A new phishing campaign has been observed, spoofing Tether and targeting its users with fraudulent anti-money laundering (AML) notice emails. Tether, a widely adopted stablecoin with tokens pegged 1-to-1 to fiat currencies and backed by reserves, is a popular target for such scams. | ALERTS | PHISHING |
| 9.11.25 | Tangerine Turkey, coming from a USB drive near you | Tangerine Turkey is a crypto mining campaign, delivered by the less-than-efficient mechanism of removable USB drives. The USB contains all the necessary components to complete the attack. Execution starts with a .vbs file which drops and executes a .bat. | CRYPTOCURRENCY | |
| 9.11.25 | BlueNoroff targets Crypto Sector with GhostCall and GhostHire campaigns | Two new campaigns by the BlueNoroff APT group, dubbed GhostCall and GhostHire, targeting cryptocurrency and Web3 professionals, have been reported by Kaspersky. In GhostCall, attackers impersonate venture capitalists or startup founders luring victims into fake online meetings via Zoom or Teams and prompting them to install a “security update” that deploys multi-stage malware on macOS or Windows. | ALERTS | CAMPAIGN |
| 9.11.25 | Airstalk malware | Airstalk is a Windows-based malware recently discovered by researchers at Unit42 of Palo Alto Networks. The name is derived from the malware's use of the AirWatch API for mobile device management (MDM) for C2 communications. Variants written in both PowerShell and .NET have been observed, with the .NET variant having more capabilities. | VIRUS | |
| 9.11.25 | Attackers linked to Russia continue activity against Ukraine | Attacks against a large business services organization and a local government organization were recently observed by our Threat Hunter team. Fueled by a heavy reliance on Living-off-the-Land tactics and dual-use tools, the attacker's goal appears to be establishing persistence and theft of sensitive information. | APT | |
| 9.11.25 | CVE-2025-59287: Microsoft WSUS RCE exploited in the wild | Microsoft patched a critical unauthenticated RCE in Windows Server Update Services (CVE‑2025‑59287) with an out-of-band update on Oct 23, 2025, after the initial October Patch Tuesday release proved incomplete. Exploit code and active attacks were observed within hours, prompting warnings from security vendors, incident responders and CISA’s KEV catalog. | VULNEREBILITY | |
| 9.11.25 | GhostGrab Android malware | An advanced Android malware strain named GhostGrab that is actively used to mine cryptocurrency and steal banking credentials from compromised devices has been reported by CYFIRMA. | VIRUS | |
| 9.11.25 | CVE-2025-20343 | Cisco Identity Services Engine RADIUS Suppression Denial of Service Vulnerability | VULNEREBILITY | |
| 9.11.25 | CVE-2025-20354 | A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. | VULNEREBILITY | |
| 9.11.25 | Death by a Thousand Prompts: Open Model Vulnerability Analysis | Open-weight models provide researchers and developers with accessible foundations for diverse downstream applications. We tested the safety and security postures of eight open-weight large language models (LLMs) to identify vulnerabilities that may impact subsequent fine-tuning and deployment. | PAPERS | PAPERS |
| 9.11.25 | InputSnatch: Stealing Input in LLM Services via Timing Side-Channel Attacks | Large language models (LLMs) possess extensive knowledge and question-answering capabilities, having been widely deployed in privacy-sensitive domains like finance and medical consultation. During LLM inferences, cache-sharing methods are commonly employed to enhance efficiency by reusing cached states or responses for the same or similar inference requests. | PAPERS | PAPERS |
| 9.11.25 | What Was Your Prompt? A Remote Keylogging Attack on AI Assistants | AI assistants are becoming an integral part of society, used for asking advice or help in personal and confidential issues. In this paper, we unveil a novel side-channel that can be used to read encrypted responses from AI Assistants over the web: the token-length side-channel. | PAPERS | PAPERS |
| 9.11.25 | WHISPER LEAK: A SIDE-CHANNEL ATTACK ON LARGE LANGUAGE MODELS | Large Language Models (LLMs) are increasingly deployed in sensitive domains including healthcare, legal services, and confidential communications, where privacy is paramount. This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic by analyzing packet size and timing patterns in streaming responses. | PAPERS | PAPERS |
| 8.11.25 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | VULNEREBILITY | |
| 8.11.25 | XLoader 8.0 | Cracking XLoader with AI: How Generative Models Accelerate Malware Analysis | MALWARE | Loader |
| 8.11.25 | Operation Peek-a-Baku | Initial Findings. Technical Analysis. Campaign – I The LNK Way. Malicious SILENT LOADER Malicious LAPLAS Implant – TCP & TLS. Malicious .NET Implant – SilentSweeper Campaign –... | OPERATION | OPERATION |
| 8.11.25 | LANDFALL | LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices | MALWARE | ANDROID |
| 8.11.25 | TOLLBOOTH | REF3927 abuses publicly disclosed ASP.NET machine keys to compromise IIS servers and deploy TOLLBOOTH SEO cloaking modules globally. | MALWARE | FRAMEWORK |
| 8.11.25 | CVE-2017-17562 | Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. | VULNEREBILITY | |
| 8.11.25 | CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. | VULNEREBILITY | |
| 8.11.25 | CVE-2021-44228 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | VULNEREBILITY | |
| 8.11.25 | CVE-2022-26134 | In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. | VULNEREBILITY | |
| 7.11.25 | BLATANTLY MALICIOUS | Ransomvibing appears in VS Code extensions | RANSOMWARE | RANSOMWARE |
| 7.11.25 | ESET APT Activity Report Q2 2025–Q3 2025 | RUSSIA-ALIGNED APTs RAMP UP ATTACKS AGAINST UKRAINE AND ITS STRATEGIC PARTNERS | REPORT | REPORT |
| 7.11.25 | CVE-2025-20362 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability | VULNEREBILITY | |
| 7.11.25 | CVE-2025-20333 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability | VULNEREBILITY | |
| 6.11.25 | Curly COMrades | Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines | GROUP | GROUP |
| 6.11.25 | PROMPTFLUX | GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools | MALWARE | AI |
| 6.11.25 | HackedGPT | HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage | HACKING | AI |
| 5.11.25 | UNK_SmudgedSerpent | Crossed wires: a case study of Iranian espionage and attribution | GROUP | GROUP |
| 5.11.25 | CVE-2025-11371 | (CVSS score: 7.5) - A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files. | VULNEREBILITY | |
| 5.11.25 | CVE-2025-48703 | (CVSS score: 9.0) - An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. | VULNEREBILITY | |
| 4.11.25 | CVE-2025-11953 | Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk | VULNEREBILITY | |
| 4.11.25 | CVE-2024-38197 | Microsoft Teams for iOS Spoofing Vulnerability | VULNEREBILITY | |
| 4.11.25 | CVE-2025-43429 | A buffer overflow vulnerability that may lead to an unexpected process crash when processing maliciously crafted web content (addressed through improved bounds checking) | VULNEREBILITY | |
| 4.11.25 | CVE-2025-43430 | An unspecified vulnerability that could result in an unexpected process crash when processing maliciously crafted web content (addressed through improved state management) | VULNEREBILITY | |
| 4.11.25 | CVE-2025-43431 | Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling) | VULNEREBILITY | |
| 4.11.25 | CVE-2025-43433 | Two unspecified vulnerabilities that may lead to memory corruption when processing maliciously crafted web content (addressed through improved memory handling) | VULNEREBILITY | |
| 4.11.25 | CVE-2025-43434 | A use-after-free vulnerability that may lead to an unexpected Safari crash when processing maliciously crafted web content (addressed through improved state management) | VULNEREBILITY | |
| 4.11.25 | SesameOp | SesameOp: Novel backdoor uses OpenAI Assistants API for command and control | MALWARE | Backdoor |
| 4.11.25 | SleepyDuck | SleepyDuck malware invades Cursor through Open VSX | MALWARE | RAT |
| 4.11.25 | HttpTroy | DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant | MALWARE | Dropper |
| 4.11.25 | BLINDINGCAN | DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant | MALWARE | Tool |
| 3.11.25 | CVE-2025-61932 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. | VULNEREBILITY | |
| 3.11.25 | CN APT | CN APT targets Serbian Government | APT | APT |
| 3.11.25 | Tap-and-Steal | Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices | HACKING | Malware |
| 3.11.25 | CVE-2023-20273 | Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature | VULNEREBILITY | |
| 3.11.25 | CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability | VULNEREBILITY | |
| 3.11.25 | CVE-2024-1086 | Linux Kernel Use-After-Free Vulnerability | VULNEREBILITY | |
| 3.11.25 | CVE-2024-1086 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. | VULNEREBILITY | |
| 3.11.25 | CVE-2025-11705 | Anti-Malware Security and Brute-Force Firewall – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read – POC | VULNEREBILITY | |
| 3.11.25 | BADCANDY | Don’t take BADCANDY from strangers – How your devices could be implanted and what to do about it | EXPLOIT | Shell |
| 2.11.25 | Agenda Ransomware | Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques | RANSOMWARE | RANSOMWARE |
| 2.11.25 | CryptoChameleon | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | GROUP | GROUP |
| 2.11.25 | CVE-2024-11972 | The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed. | VULNEREBILITY | |
| 2.11.25 | CVE-2024-9707 | The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. | VULNEREBILITY | |
| 2.11.25 | CVE-2024-9234 | The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. | VULNEREBILITY | |
| 1.11.25 | Minecraft RAT | RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules. | MALWARE | RAT |
| 1.11.25 | Hezi Rash | Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites | GROUP | GROUP |
| 1.11.25 | APT-C-60 | APT-C-60 intensified operations against Japanese organizations during Q3 2025, deploying three updated SpyGlace backdoor versions with refined tracking mechanisms, modified encryption, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy malware distribution. | APT | APT |
| 1.11.25 | Operation SkyCloak | Authors: Sathwik Ram Prakki and Kartikkumar Jivani Contents Introduction Key Targets Industries Geographical Focus Infection and Decoys Technical Analysis PowerShell Stage Persistence Configuration Infrastructure and Attribution Conclusion SEQRITE Protection IOCs MITRE ATT&CK Introduction SEQRITE Labs has identified a campaign... | OPERATION | OPERATION |
| 1.11.25 | Android/BankBot-YNRK | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan Executive Summary This report covers the analysis and findings related to three Android application packages (APKs) | MALWARE | Android |
| 1.11.25 | HijackLoader | The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. | MALWARE | Loader |
| 1.11.25 | Tangerine Turkey Operations | From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations | OPERATION | OPERATION |
| 1.11.25 | UNC6384 | UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities | GROUP | GROUP |
| 1.11.25 | Airstalk | Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack | MALWARE | MALWARE |
| 1.11.25 | CVE-2025-61932 | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) improperly verifies the origin of incoming requests, allowing an attacker to execute arbitrary code by sending specially crafted packets. | VULNEREBILITY | |
| 1.11.25 | BRONZE BUTLER | BRONZE BUTLER exploits Japanese asset management software vulnerability | APT | APT |
| 1.11.25 | gokcpdoor | The sophisticated campaign, observed by Sophos, involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as | MALWARE | Backdoor |
| 1.11.25 | CVE-2025-41244 | Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability | VULNEREBILITY | |
| 1.11.25 | CVE-2025-24893 | XWiki Platform Eval Injection Vulnerability | VULNEREBILITY | |