zero-day vulnerability

as-many-as-2-million-cisco-devices-affected-by-actively-exploited-0-day

As many as 2 million Cisco devices affected by actively exploited 0-day

Biz & IT, Cisco, exploit, Security, zero-day, zero-day vulnerability / /

As many as 2 million Cisco devices are susceptible to an actively exploited zero-day that can remotely crash or execute code on vulnerable systems.

Cisco said Wednesday that the vulnerability, tracked as CVE-2025-20352, was present in all supported versions of Cisco IOS and Cisco IOS XE, the operating system that powers a wide variety of the company’s networking devices. The vulnerability can be exploited by low-privileged users to create a denial-of-service attack or by higher-privileged users to execute code that runs with unfettered root privileges. It carries a severity rating of 7.7 out of a possible 10.

Exposing SNMP to the Internet? Yep

“The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised,” Wednesday’s advisory stated. “Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”

The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (simple network management protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.

To execute malicious code, the remote attacker must have possession of read-only community string, an SNMP-specific form of authentication for accessing managed devices. Frequently, such strings ship with devices. Even when modified by an administrator, read-only community strings are often widely known inside an organization. The attacker would also require privileges on the vulnerable systems. With that, the attacker can obtain RCE (remote code execution) capabilities that run as root.

As many as 2 million Cisco devices affected by actively exploited 0-day Read More »

high-severity-winrar-0-day-exploited-for-weeks-by-2-groups

High-severity WinRAR 0-day exploited for weeks by 2 groups

0-Day, Biz & IT, ESET, Security, winrar, zero-day vulnerability / /

A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached to phishing messages, some of which are personalized.

Security firm ESET said Monday that it first detected the attacks on July 18, when its telemetry spotted a file in an unusual directory path. By July 24, ESET determined that the behavior was linked to the exploitation of an unknown vulnerability in WinRAR, a utility for compressing files, and has an installed base of about 500 million. ESET notified WinRAR developers the same day, and a fix was released six days later.

Serious effort and resources

The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.

ESET said it has determined that the attacks came from RomCom, its tracking designation for a financially motivated crime group operating out of Russia. The well-resourced group has been active for years in attacks that showcase its ability to procure exploits and execute fairly sophisticated tradecraft. The zero-day the group used is now being tracked as CVE-2025-8088.

“By exploiting a previously unknown zero-day vulnerability in WinRAR, the RomCom group has shown that it is willing to invest serious effort and resources into its cyberoperations,” ESET’s Anton Cherepanov, Peter Strýček, and Damien Schaeffer wrote. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks.”

Oddly, RomCom wasn’t the only group exploiting CVE-2025-8088. According to Russian security firm Bi.ZONE, the same vulnerability was being actively exploited by a group it tracks as Paper Werewolf. Also tracked as GOFFEE, the group was also exploiting CVE-2025-6218, a separate high-severity WinRAR vulnerability that received a fix five weeks before CVE-2025-8088 was patched.

High-severity WinRAR 0-day exploited for weeks by 2 groups Read More »