zero-day

as-many-as-2-million-cisco-devices-affected-by-actively-exploited-0-day

As many as 2 million Cisco devices affected by actively exploited 0-day

Biz & IT, Cisco, exploit, Security, zero-day, zero-day vulnerability / /

As many as 2 million Cisco devices are susceptible to an actively exploited zero-day that can remotely crash or execute code on vulnerable systems.

Cisco said Wednesday that the vulnerability, tracked as CVE-2025-20352, was present in all supported versions of Cisco IOS and Cisco IOS XE, the operating system that powers a wide variety of the company’s networking devices. The vulnerability can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code that runs with unfettered root privileges. It carries a severity rating of 7.7 out of a possible 10.

Exposing SNMP to the Internet? Yep

“The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised,” Wednesday’s advisory stated. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”

The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (simple network management protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.

To execute malicious code, the remote attacker must have possession of read-only community string, an SNMP-specific form of authentication for accessing managed devices. Frequently, such strings ship with devices. Even when modified by an administrator, read-only community strings are often widely known inside an organization. The attacker would also require privileges on the vulnerable systems. With that, the attacker can obtain RCE (remote code execution) capabilities that run as root.

As many as 2 million Cisco devices affected by actively exploited 0-day Read More »

google:-governments-are-using-zero-day-hacks-more-than-ever

Google: Governments are using zero-day hacks more than ever

Google, Security, zero-day / /

Governments hacking enterprise

A few years ago, zero-day attacks almost exclusively targeted end users. In 2021, GTIG spotted 95 zero-days, and 71 of them were deployed against user systems like browsers and smartphones. In 2024, 33 of the 75 total vulnerabilities were aimed at enterprise technologies and security systems. At 44 percent of the total, this is the highest share of enterprise focus for zero-days yet.

GTIG says that it detected zero-day attacks targeting 18 different enterprise entities, including Microsoft, Google, and Ivanti. This is slightly lower than the 22 firms targeted by zero-days in 2023, but it’s a big increase compared to just a few years ago, when seven firms were hit with zero-days in 2020.

The nature of these attacks often makes it hard to trace them to the source, but Google says it managed to attribute 34 of the 75 zero-day attacks. The largest single category with 10 detections was traditional state-sponsored espionage, which aims to gather intelligence without a financial motivation. China was the largest single contributor here. GTIG also identified North Korea as the perpetrator in five zero-day attacks, but these campaigns also had a financial motivation (usually stealing crypto).

Credit: Google

That’s already a lot of government-organized hacking, but GTIG also notes that eight of the serious hacks it detected came from commercial surveillance vendors (CSVs), firms that create hacking tools and claim to only do business with governments. So it’s fair to include these with other government hacks. This includes companies like NSO Group and Cellebrite, with the former already subject to US sanctions from its work with adversarial nations.

In all, this adds up to 23 of the 34 attributed attacks coming from governments. There were also a few attacks that didn’t technically originate from governments but still involved espionage activities, suggesting a connection to state actors. Beyond that, Google spotted five non-government financially motivated zero-day campaigns that did not appear to engage in spying.

Google’s security researchers say they expect zero-day attacks to continue increasing over time. These stealthy vulnerabilities can be expensive to obtain or discover, but the lag time before anyone notices the threat can reward hackers with a wealth of information (or money). Google recommends enterprises continue scaling up efforts to detect and block malicious activities, while also designing systems with redundancy and stricter limits on access. As for the average user, well, cross your fingers.

Google: Governments are using zero-day hacks more than ever Read More »

google-patches-its-fifth-zero-day-vulnerability-of-the-year-in-chrome

Google patches its fifth zero-day vulnerability of the year in Chrome

Biz & IT, chrome, Google, Security, Uncategorized, vulnerability, zero-day / /

MEMORY WANTS TO BE FREE —

Exploit code for critical “use-after-free” bug is circulating in the wild.

Extreme close-up photograph of finger above Chrome icon on smartphone.

Google has updated its Chrome browser to patch a high-severity zero-day vulnerability that allows attackers to execute malicious code on end user devices. The fix marks the fifth time this year the company has updated the browser to protect users from an existing malicious exploit.

The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.

On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.

Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.

Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year. Three of the previous ones were used by researchers in the Pwn-to-Own exploit contest. The remaining one was for a vulnerability for which an exploit was available in the wild.

Chrome automatically updates when new releases become available. Users can force the update or confirm they’re running the latest version by going to Settings > About Chrome and checking the version and, if needed, clicking on the Relaunch button.

Google patches its fifth zero-day vulnerability of the year in Chrome Read More »