zero-day vulnerability

two-windows-vulnerabilities,-one-a-0-day,-are-under-active-exploitation

Two Windows vulnerabilities, one a 0-day, are under active exploitation

Biz & IT, microsoft windows vulnerabilities, Security, zero-day, zero-day vulnerability / /

Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.

A large-scale, coordinated operation

Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491.

On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the binary file encrypted in the RC4 format until the final step in the attack.

“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”

Two Windows vulnerabilities, one a 0-day, are under active exploitation Read More »

as-many-as-2-million-cisco-devices-affected-by-actively-exploited-0-day

As many as 2 million Cisco devices affected by actively exploited 0-day

Biz & IT, Cisco, exploit, Security, zero-day, zero-day vulnerability / /

As many as 2 million Cisco devices are susceptible to an actively exploited zero-day that can remotely crash or execute code on vulnerable systems.

Cisco said Wednesday that the vulnerability, tracked as CVE-2025-20352, was present in all supported versions of Cisco IOS and Cisco IOS XE, the operating system that powers a wide variety of the company’s networking devices. The vulnerability can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code that runs with unfettered root privileges. It carries a severity rating of 7.7 out of a possible 10.

Exposing SNMP to the Internet? Yep

“The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised,” Wednesday’s advisory stated. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”

The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (simple network management protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.

To execute malicious code, the remote attacker must have possession of read-only community string, an SNMP-specific form of authentication for accessing managed devices. Frequently, such strings ship with devices. Even when modified by an administrator, read-only community strings are often widely known inside an organization. The attacker would also require privileges on the vulnerable systems. With that, the attacker can obtain RCE (remote code execution) capabilities that run as root.

As many as 2 million Cisco devices affected by actively exploited 0-day Read More »

high-severity-winrar-0-day-exploited-for-weeks-by-2-groups

High-severity WinRAR 0-day exploited for weeks by 2 groups

0-Day, Biz & IT, ESET, Security, winrar, zero-day vulnerability / /

A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached to phishing messages, some of which are personalized.

Security firm ESET said Monday that it first detected the attacks on July 18, when its telemetry spotted a file in an unusual directory path. By July 24, ESET determined that the behavior was linked to the exploitation of an unknown vulnerability in WinRAR, a utility for compressing files, and has an installed base of about 500 million. ESET notified WinRAR developers the same day, and a fix was released six days later.

Serious effort and resources

The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.

ESET said it has determined that the attacks came from RomCom, its tracking designation for a financially motivated crime group operating out of Russia. The well-resourced group has been active for years in attacks that showcase its ability to procure exploits and execute fairly sophisticated tradecraft. The zero-day the group used is now being tracked as CVE-2025-8088.

“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations,” ESET’s Anton Cherepanov, Peter Strýček, and Damien Schaeffer wrote. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.”

Oddly, RomCom wasn’t the only group exploiting CVE-2025-8088. According to Russian security firm Bi.ZONE, the same vulnerability was being actively exploited by a group it tracks as Paper Werewolf. Also tracked as GOFFEE, the group was also exploiting CVE-2025-6218, a separate high-severity WinRAR vulnerability that received a fix five weeks before CVE-2025-8088 was patched.

High-severity WinRAR 0-day exploited for weeks by 2 groups Read More »