Showing posts with label vulnerability patch.

Critical WhatsApp Zero Click Vulnerability Abused with DNG Payload

 


Attackers have been actively exploiting a recently disclosed vulnerability in WhatsApp's iOS and macOS clients as part of a targeted spyware campaign, another example of zero-day flaws being weaponised against specific people. The flaw, tracked as CVE-2025-55177 (CVSS 5.4), lets an unrelated user trigger processing of content from an arbitrary URL on the victim's device with no user interaction, the precondition for a zero-click exploit.

CVE-2025-55177 is an incomplete authorisation check on linked-device synchronisation messages. Because the client does not fully verify who sent such a message, an attacker can make the victim's WhatsApp process attacker-controlled content as though it had come from one of the victim's own linked devices.

On its own the flaw would allow crafted content to be injected or the service disrupted. Its real danger came from chaining it with CVE-2025-43300, an out-of-bounds write in Apple's ImageIO framework, the component that parses image files on iOS, iPadOS and macOS. A malicious image that reaches ImageIO through the WhatsApp flaw can corrupt memory and lead to remote code execution on all three platforms.

Together the two bugs form a complete exploit chain: the attacker sends a message carrying a malicious image, the WhatsApp client processes it automatically, and the ImageIO parser is exploited, without the victim tapping, clicking or even opening the message. Investigators found that the targeting was deliberate and highly selective.

WhatsApp has said it notified fewer than 200 people that they may have been targeted, a number in line with earlier mercenary spyware operations aimed at high-value users. Apple acknowledged exploitation in the wild and published its own advisory.

Researchers at Amnesty International noted that, despite early signs of limited probing of Android devices, the campaign was aimed mainly at Apple's iOS and macOS ecosystems. The implications for businesses are particularly severe.

Executives, legal teams and employees with privileged access to confidential intellectual property who use WhatsApp on work devices are exposed to surveillance and data theft, and a compromised phone is a direct and potentially invisible entry point into corporate systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) describes the root cause as "incomplete authorization of linked device synchronization messages". According to WhatsApp's advisory the flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before 2.25.21.78 and WhatsApp for Mac before 2.25.21.78.
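To turn the fixed builds into something a fleet check can act on, here is an added example (my own code, not the article's and not anything published by WhatsApp or Meta) that compares installed versions against the thresholds in WhatsApp's advisory. The inventory rows and their field names are constructed to resemble an MDM export and are assumptions. The point it makes is that dotted version strings have to be compared as integer tuples, never as strings:

```python
"""Flag WhatsApp installs still below the builds that fix CVE-2025-55177.

Added example, not code from the article or from WhatsApp/Meta. The fixed
builds are those listed in WhatsApp's security advisory. The inventory rows
are constructed to look like an MDM export; the field names are assumptions.
"""
from typing import Iterable

# Minimum fixed build per product, per WhatsApp's advisory for CVE-2025-55177.
FIXED_VERSIONS = {
    "WhatsApp Messenger (iOS)": "2.25.21.73",
    "WhatsApp Business (iOS)": "2.25.21.78",
    "WhatsApp (Mac)": "2.25.21.78",
}


def parse_version(text: str) -> tuple:
    """Turn '2.25.21.73' into (2, 25, 21, 73).

    Comparing dotted versions as strings is the classic mistake: lexically
    '2.25.9.99' > '2.25.21.73', which would mark a vulnerable build as fixed.
    Tuples of ints compare component by component.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed build is older than the first fixed build."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no fix threshold known for {product!r}")
    return parse_version(version) < parse_version(fixed)


def find_unpatched(inventory: Iterable[dict]) -> list:
    """Device ids whose WhatsApp build is below the fixed version.

    Unknown products or unparseable versions are reported too: an inventory
    gap must not silently count as 'patched'.
    """
    hits = []
    for row in inventory:
        try:
            if is_vulnerable(row["app"], row["version"]):
                hits.append(row["device_id"])
        except (KeyError, ValueError):
            hits.append(row.get("device_id", "<unknown>"))
    return hits


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"device_id": "ios-001", "app": "WhatsApp Messenger (iOS)", "version": "2.25.21.73"},
    {"device_id": "ios-002", "app": "WhatsApp Messenger (iOS)", "version": "2.25.9.99"},
    {"device_id": "ios-003", "app": "WhatsApp Business (iOS)", "version": "2.25.21.78"},
    {"device_id": "ios-004", "app": "WhatsApp Business (iOS)", "version": "2.25.21.77"},
    {"device_id": "mac-001", "app": "WhatsApp (Mac)", "version": "2.25.22.1"},
    {"device_id": "mac-002", "app": "WhatsApp (Mac)", "version": "n/a"},
]

if __name__ == "__main__":
    for device in find_unpatched(SAMPLE_INVENTORY):
        print("needs update:", device)
```

Run it against a real export by replacing SAMPLE_INVENTORY; the device with version "2.25.9.99" is the case a string comparison would have missed.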

Attackers exploited the flaw as part of a chain with CVE-2025-43300, which Apple had patched shortly before, to deliver spyware to targeted devices. A US government advisory urged federal employees to update their Apple devices immediately; roughly 200 people are reported to have been affected.

The discovery adds to the evidence that advanced threat actors increasingly chain several zero-day exploits to get past hardened defences and compromise devices remotely. Google's threat intelligence researchers counted 75 zero-day exploits used in the wild during 2024, a sign of how quickly these attacks are scaling.

That stealthy method has continued to dominate through 2025. Security experts point out that the WhatsApp incident again shows how fragile digital trust is: end-to-end encryption protects messages in transit, but not a device whose message parser can be exploited.

According to a technical analysis, the attackers abused a subtle logic flaw in WhatsApp's device-linking system that let them disguise malicious content as if it originated from one of the victim's own paired devices.

Through that path a specially crafted Digital Negative (DNG) file, a TIFF-based raw image format, was delivered. When the application processed it automatically, the resulting memory corruption in the image parser led to remote code execution. Researchers at DarkNavyOrg demonstrated a full proof of concept in which a script authenticates, generates the malicious DNG payload and sends it to the target without triggering any security alert.

Nothing is shown on the victim's screen: no warning, pop-up or message notification. Once the exploit succeeds, the attacker can read messages and media, use the microphone and camera, and install spyware undetected. The vulnerabilities were reported to WhatsApp and Apple, and both have shipped patches.

Security experts nonetheless recommend installing the updates immediately and treating unsolicited media files with caution, even those apparently sent by trusted contacts. Organisations should strengthen endpoint monitoring, enforce mobile device management controls and watch for anomalous messaging behaviour until remediation is complete.

The incident underlines the need for robust input validation, safe file-handling practices and timely security updates to prevent silent but highly destructive attacks on mainstream communication platforms. WhatsApp has long been a target, and it is no exception.
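The DNG delivery described earlier and the call for robust input validation meet in the following added example, which is my own code and not from the article, WhatsApp, Apple or any real decoder. DNG is a TIFF container, so it walks the TIFF tag directory the way a hardened parser must: every offset and count is checked against the buffer before anything is read. It builds its own minimal sample files (constructed, not real camera output) to exercise the checks. The tag numbers come from the TIFF and DNG specifications; the size limits are my own choices:

```python
"""Bounds-checked walk of a TIFF/DNG tag directory.

Added example, not code from the article, WhatsApp or Apple's ImageIO. A DNG
is a TIFF: byte-order mark, 32-bit offset to the first image file directory
(IFD), then IFDs made of 12-byte entries whose last field is either an inline
value or an offset to the data. A decoder that trusts those offsets and
counts is where out-of-bounds reads and writes in image libraries come from;
this walker checks every read against len(data) first.
"""
import struct

# TIFF data types: bytes per element.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
TAG_IMAGE_WIDTH = 256
TAG_STRIP_OFFSETS = 273
TAG_DNG_VERSION = 50706
MAX_IFDS = 64        # an IFD chain longer than this is not a photo (my limit)
MAX_ENTRIES = 4096   # nor is a directory with this many tags (my limit)


class MalformedImage(ValueError):
    pass


def parse_tiff(data: bytes) -> dict:
    """Return {'byte_order': '<' or '>', 'ifds': [ {tag: (type, count, offset, length)} ]}."""
    if len(data) < 8:
        raise MalformedImage("truncated header")
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        raise MalformedImage("bad byte-order mark")
    magic, offset = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise MalformedImage("bad magic")

    ifds, seen = [], set()
    while offset != 0:
        if offset in seen or len(ifds) >= MAX_IFDS:
            raise MalformedImage("IFD chain loops or is too long")
        seen.add(offset)
        if offset + 2 > len(data):
            raise MalformedImage(f"IFD offset {offset:#x} beyond end of file")
        (n_entries,) = struct.unpack_from(end + "H", data, offset)
        if n_entries > MAX_ENTRIES:
            raise MalformedImage("too many IFD entries")
        table_end = offset + 2 + 12 * n_entries + 4   # entries plus next-IFD pointer
        if table_end > len(data):
            raise MalformedImage("IFD entry table runs past end of file")
        entries = {}
        for i in range(n_entries):
            pos = offset + 2 + 12 * i
            tag, typ, count, value = struct.unpack_from(end + "HHII", data, pos)
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise MalformedImage(f"unknown type {typ} for tag {tag}")
            length = size * count            # Python ints: no 32-bit overflow to exploit here
            if length <= 4:
                payload = pos + 8            # small values live inside the entry itself
            else:
                payload = value
                if payload + length > len(data):
                    raise MalformedImage(f"tag {tag}: payload at {payload:#x}+{length} out of bounds")
            entries[tag] = (typ, count, payload, length)
        (offset,) = struct.unpack_from(end + "I", data, table_end - 4)
        ifds.append(entries)
    if not ifds:
        raise MalformedImage("no IFD")
    return {"byte_order": end, "ifds": ifds}


def is_dng(data: bytes) -> bool:
    """True when the first IFD carries a DNGVersion tag."""
    return TAG_DNG_VERSION in parse_tiff(data)["ifds"][0]


def rejects(data: bytes) -> bool:
    """True when the walker refuses the file instead of reading out of bounds."""
    try:
        parse_tiff(data)
    except MalformedImage:
        return True
    return False


def _entry(tag: int, typ: int, count: int, value) -> bytes:
    """One little-endian IFD entry; value is inline bytes (<=4) or an int offset."""
    if isinstance(value, int):
        return struct.pack("<HHII", tag, typ, count, value)
    return struct.pack("<HHI", tag, typ, count) + value.ljust(4, b"\0")


def build_sample(first_ifd: int = 8, next_ifd: int = 0, strip_offset=None) -> bytes:
    """Constructed minimal DNG-shaped file: header, one IFD, optional bad pointer."""
    entries = [
        _entry(TAG_IMAGE_WIDTH, 3, 1, struct.pack("<H", 1)),      # ImageWidth = 1
        _entry(TAG_DNG_VERSION, 1, 4, bytes([1, 4, 0, 0])),      # DNGVersion 1.4.0.0
    ]
    if strip_offset is not None:                                 # LONG[4] = 16 bytes, so offset-based
        entries.append(_entry(TAG_STRIP_OFFSETS, 4, 4, strip_offset))
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", next_ifd)
    return b"II" + struct.pack("<HI", 42, first_ifd) + ifd


if __name__ == "__main__":
    print("valid sample is DNG:", is_dng(build_sample()))
    print("IFD past EOF rejected:", rejects(build_sample(first_ifd=0x10000)))
    print("looping chain rejected:", rejects(build_sample(next_ifd=8)))
    print("payload past EOF rejected:", rejects(build_sample(strip_offset=0xFFFFFF00)))
```

The three constructed bad files cover the three classic parser mistakes: a directory pointer past the end of the buffer, a directory chain that loops, and a tag whose data offset plus length overflows the file. In C the `size * count` multiplication is itself an overflow hazard; in Python it is not, which is one reason the bounds check here reads so simply.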

Despite the platform's end-to-end encryption and strong security framework, threat actors keep hunting for new flaws to exploit. Among the many attack types, security experts single out zero-click exploits as the most insidious, since they compromise a device without any action by the user.

Ritesh Bhatia, founder of V4WEB Cybersecurity, explained that V4WEB's recent WhatsApp advisory concerned one of these zero-click exploits, an attack that does not require the victim to click, download or tap anything. Unlike phishing, where the user has to open a malicious link, zero-click attacks run silently in the background.

According to Bhatia, the attackers combined a WhatsApp vulnerability with an Apple iOS vulnerability to break into targeted devices, a technique he described to Entrepreneur India as chaining vulnerabilities.

In a chain, one weakness provides the entry point and the other provides control of the system as a whole. Bhatia added that spyware deployed this way can read messages, listen through the microphone, track location and access the camera in real time, among other invasive functions.

Possible warning signs include excessive battery drain, overheating, unusual data usage and unexpected crashes, although none of these is conclusive on its own. Anirudh Batra, a senior security researcher at CloudSEK, called zero-click vulnerabilities the "holy grail" for attackers, because they work even on fully updated, apparently secure devices without any action by the target.

Successful exploitation gives the attacker full control of the device: access to sensitive data, monitoring of communications and deployment of additional malware, with nothing visible to the user. The incident also shows that complex file formats and cross-platform messaging apps remain a persistent risk, since bugs in file parsers are still a common route to remote code execution.

DarkNavyOrg's investigation is continuing and includes a Samsung vulnerability, CVE-2025-21043, that has been identified as a related concern. WhatsApp and Apple have both warned users to update their operating systems and applications immediately, and Meta confirmed that fewer than 200 users received in-app threat notifications.

Journalists, activists and other public figures are reported to be among those targeted. Meta spokesperson Emily Westcott stressed the importance of keeping devices current and enabling WhatsApp's privacy and security features. Amnesty International has also noted possible Android infections and is investigating further.

Similar spyware operations have occurred before: WhatsApp's 2019 lawsuit against Israel's NSO Group alleged that 1,400 users were targeted with Pegasus, the spyware later notorious for its role in global cyber-espionage. Sanctions and international scrutiny have not stopped such operations from evolving, and advanced mobile exploits remain a persistent threat.

The latest revelations highlight the need for proactive rather than reactive security. As zero-click exploits grow more sophisticated, defences that rely solely on user caution are eroding fast; constant vigilance, rapid patching and layered defences are needed to protect both personal and business information.

Organisations should invest in threat intelligence, continuous monitoring and regular mobile security audits so that threats are caught early. Individual users can reduce their exposure by keeping devices and apps up to date, enabling built-in privacy protections and avoiding unnecessary third-party integrations.

The WhatsApp exploit is a reminder that even trusted, encrypted platforms can be compromised. Cyber-espionage has become a silent, targeted business, and digital trust must be reinforced through transparent processes, rapid patching and cooperation between technology companies and regulators. Awareness and timely action remain the strongest defence against invisible intrusions.

TellYouThePass Ransomware Exploits Recent PHP RCE Vulnerability to Compromise Servers

 

The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute their ransomware payload on target systems.

The attacks began on June 8, less than 48 hours after the PHP maintainers released security updates, and used publicly available exploit code. TellYouThePass is known for quickly adopting public exploits for widely deployed software: in November 2023 it exploited an Apache ActiveMQ RCE, and in December 2021 it used the Log4j (Log4Shell) exploit to breach companies.

In the latest attacks observed by researchers at cybersecurity company Imperva, TellYouThePass leveraged the critical-severity CVE-2024-4577 bug to execute arbitrary PHP code. They used the Windows mshta.exe binary to run a malicious HTML application (HTA) file. This file contained VBScript with a base64-encoded string that decoded into a binary, loading a .NET variant of the ransomware into the host's memory.

Ransomware Impact and Tactics

Upon execution, the malware sends an HTTP request to a command-and-control (C2) server disguised as a CSS resource request and encrypts files on the infected machine. It then leaves a ransom note, "READ_ME10.html," with instructions for the victim on how to restore their files. User posts on the BleepingComputer forum indicate that TellYouThePass attacks have claimed victims since June 8, demanding 0.1 BTC (around $6,700) for the decryption key. One user reported that the ransomware campaign affected multiple websites hosted on their server.

Vulnerability Details and Response

CVE-2024-4577 is a critical RCE vulnerability affecting all PHP versions since 5.x when PHP runs on Windows in CGI mode. It stems from Windows' "best-fit" character-encoding conversion: a soft hyphen (0xAD) in the query string survives PHP's check for leading hyphens and is then mapped to an ordinary hyphen, so an attacker can smuggle command-line options such as -d into php-cgi and set php.ini directives that lead to code execution. Devcore confirmed the issue on Windows systems using Traditional Chinese, Simplified Chinese or Japanese locales, including default XAMPP installations, and did not rule out other locales. The bug was discovered on May 7 by Devcore's Orange Tsai, who reported it to the PHP team; a fix was released on June 6 in PHP 8.3.8, 8.2.20 and 8.1.29.

The following day, watchTowr Labs released proof-of-concept (PoC) exploit code for CVE-2024-4577, and the Shadowserver Foundation observed exploitation attempts against its honeypots the same day. Censys reported more than 450,000 exposed PHP servers that could be vulnerable, most of them in the United States and Germany, and cloud security company Wiz estimated that around 34% of those instances might actually be exploitable.
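Because the exploit has to put a soft hyphen in the query string, it leaves a distinctive trace in web-server logs. The following added example (my own code, not from the article, Imperva or the PHP project) classifies request targets from constructed Apache combined-format log lines; none of the lines are real traffic, and the list of php.ini directives that upgrade a hit to a likely RCE attempt reflects the public exploits rather than an exhaustive rule:

```python
"""Spot CVE-2024-4577 exploitation attempts in Apache access logs.

Added example, not code from the article, Imperva or the PHP project. The
log lines are constructed in Apache "combined" format and are not real
traffic. The rule follows the published mechanics of the bug: on Windows,
php-cgi's best-fit charset conversion turns a soft hyphen (0xAD) into '-',
so '%ADd' in the query string becomes the '-d' option and lets the request
set php.ini directives. A soft hyphen followed by an option letter is the
signal; the directives below upgrade a hit from 'option injection' to a
likely code-execution attempt.
"""
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Soft hyphen (after %XX decoding) immediately followed by a php-cgi option letter.
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[a-z]", re.IGNORECASE)

# php.ini directives the public exploits set to turn option injection into RCE.
RCE_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file", b"cgi.force_redirect")


def decode_query(target: str) -> bytes:
    """Query string after one round of %XX decoding, kept as bytes.

    Decoding to str would either mangle 0xAD (not valid UTF-8 on its own)
    or raise; bytes keep the soft hyphen visible to the matcher.
    """
    _, _, query = target.partition("?")
    return unquote_to_bytes(query.replace("+", " "))


def classify(target: str):
    """'rce-attempt', 'option-injection' or None for one request target."""
    q = decode_query(target)
    if not SOFT_HYPHEN_OPTION.search(q):
        return None
    if any(d in q.lower() for d in RCE_DIRECTIVES):
        return "rce-attempt"
    return "option-injection"


def scan(lines):
    """Yield (client ip, request target, verdict) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            yield m["ip"], m["target"], verdict


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2024:12:00:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.8 - - [08/Jun/2024:12:00:02 +0000] "GET /index.php?page=%ADs HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '198.51.100.5 - - [08/Jun/2024:12:00:03 +0000] "GET /index.php?id=42&q=caf%C3%A9 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [08/Jun/2024:12:00:04 +0000] "GET /search.php?q=allow_url_include-d HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:17} {ip:15} {target}")
```

The last two sample lines are there to keep the rule honest: a UTF-8 encoded "é" contains 0xA9, not 0xAD, and a literal "-d" with a directive name in a search query has no soft hyphen, so neither is flagged.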

Fortra's GoAnywhere MFT: Public PoC Raises Concern, No Evidence of Active Exploitation Detected

 

Reports of exploitation attempts against Fortra's GoAnywhere MFT file-transfer software raised concern because working exploit code could be derived from a publicly released proof of concept (PoC). As of Thursday afternoon there was no evidence of successful exploitation in the wild.

Researchers from Shadowserver, in a post dated January 25, reported more than 120 exploitation attempts based on the public PoC code. They suggested, however, that widespread success is unlikely, since few administration portals are exposed to the internet (about 50) and most of those are already patched.

The vulnerability, CVE-2024-0204 (CVSSv3 9.8), is an authentication bypass that lets a remote, unauthenticated attacker create a new administrator user through the product's administration portal. It came to light a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day to compromise more than 130 organisations. Fortra notified customers on December 4, shipped the fix on December 7 and published its advisory on January 22, urging security teams to act immediately.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Consistent with the lack of confirmed exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue. CISA's bar for "active exploitation" is reliable evidence that threat actors have used the flaw successfully in the wild, not exploit attempts against honeypots.

Ransomware groups have a history of abusing file-transfer software, with REvil's use of GoAnywhere MFT to deploy malware and exfiltrate sensitive data as one example. REvil is no longer active, but the tactic persists, and groups such as LockBit are known to weaponise new vulnerabilities quickly. Security experts advise organisations running the software to patch immediately given the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted how easy the flaw is to exploit, describing it as a "1998 style" path-traversal bug in the administration portal's request handling. With the PoC public and exploitation this simple, threat actors can be expected to start scanning for exposed GoAnywhere MFT instances. Whether CISA will add the flaw to the KEV catalogue is uncertain, but it has issued advisories for similar issues before and previously added the remote code injection flaw in GoAnywhere MFT (CVE-2023-0669) to the catalogue.
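What a "1998 style" path traversal looks like in an authentication filter, as an added example in my own code: it is not Fortra's code and not the published exploit for CVE-2024-0204, but a model of the bug class, an access check that inspects the raw request path while the container routes on the normalised one. The route name, the "setup already complete" rule and the container's handling of `;` path parameters and `..` segments are assumptions modelled on a generic Java servlet container:

```python
"""A path-prefix access check bypassed by traversal, and the fix.

Added example, not Fortra's code and not the published exploit for
CVE-2024-0204. It models the bug class the article calls a "1998 style"
path traversal: an access filter that decides on the raw request path while
the container routes on the normalised one. The route name, the 'setup
already done' rule and the container's handling of ';' path parameters and
'..' segments are assumptions modelled on a generic servlet container.
"""
import posixpath

SETUP_WIZARD = "/wizard/InitialAccountSetup.xhtml"   # hypothetical first-run route that creates the admin
OTHER_ROUTES = {"/", "/login.xhtml", "/static/app.css"}


def strip_path_params(path: str) -> str:
    """Drop ';param' from every segment, as servlet containers do ('/..;/x' -> '/../x')."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def container_normalize(path: str) -> str:
    """What the container actually routes on: parameters stripped, '..' collapsed."""
    norm = posixpath.normpath(strip_path_params(path))
    return norm if norm.startswith("/") else "/" + norm


def route(path: str) -> int:
    return 200 if path == SETUP_WIZARD or path in OTHER_ROUTES else 404


def vulnerable_dispatch(raw_path: str, setup_complete: bool) -> int:
    """Vulnerable: the guard looks at the raw path, the router at the normalised one."""
    if setup_complete and raw_path.startswith("/wizard/"):
        return 403
    return route(container_normalize(raw_path))


def hardened_dispatch(raw_path: str, setup_complete: bool) -> int:
    """Fixed: refuse anything normalisation would change, then guard on the canonical path."""
    canonical = container_normalize(raw_path)
    if ";" in raw_path or ".." in raw_path or canonical != raw_path:
        return 400
    if setup_complete and canonical.startswith("/wizard/"):
        return 403
    return route(canonical)


if __name__ == "__main__":
    for raw in (SETUP_WIZARD, "/..;/wizard/InitialAccountSetup.xhtml", "/static/../wizard/InitialAccountSetup.xhtml"):
        print(f"{raw:48} vulnerable={vulnerable_dispatch(raw, True)} hardened={hardened_dispatch(raw, True)}")
```

The hardened version does two things the vulnerable one does not: it canonicalises before it decides, and it rejects any request whose path changes under canonicalisation at all, which removes the whole class of encoding and parameter tricks rather than the one shown.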

Ethical Hackers Uncover 38TB Microsoft Data Breach via Azure Storage

 

The recent Microsoft data leak, caused when AI researchers published a link to open-source training data on GitHub, has been remediated. Microsoft responded quickly to a misconfiguration that exposed 38TB of private data from its AI research division.

The exposure was found by researchers at cloud security firm Wiz, who on June 22, 2023 identified a shareable link that used an Azure Shared Access Signature (SAS) token. They reported it to the Microsoft Security Response Center; the SAS token was invalidated by June 24, and on July 7 the token on the original GitHub page was replaced.

The exposure hinged on SAS tokens, Azure's mechanism for delegating access to storage resources. Mishandled, such a token hands out far more access than intended. Wiz came across it while scanning the internet for misconfigured storage containers, a well-known entry point for cloud-hosted data breaches.

Their investigation led them to 'robust-models-transfer', a repository housing open-source code and AI models used for image recognition within Microsoft's AI research division.

The root of the problem was a SAS token tied to an internal storage account. A Microsoft employee working on open-source AI models published, in a public GitHub repository, a URL to an Azure Blob storage container (Azure's object storage) holding an AI dataset. The token embedded in that URL was scoped to the whole storage account rather than to the dataset, so the Wiz team could browse everything in it.

Following the link, the researchers reached disk backups of two former employees' workstations, along with internal Microsoft Teams messages. In total the storage account held 38TB of sensitive material, including secrets, private keys, passwords and the open-source training data itself.

Account-level SAS tokens can be issued with an arbitrarily distant expiry date, are not tracked by Azure once issued, and can only be revoked by rotating the storage account key, which makes them a poor fit for sharing data externally. In its September advisory Microsoft warned that "Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period."
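Whether a SAS token found in a repository is dangerous can be read straight off its query parameters, which is what this added example does. It is my own code, not from Wiz, Microsoft or the article; it does not verify signatures (that needs the account key) and is meant for triage of links found in repositories, wikis or chat exports. The sample README text, account name and signatures are constructed and fake:

```python
"""Find Azure SAS URLs in text and triage the risky ones.

Added example, not code from Wiz, Microsoft or the article. It locates
blob-storage URLs that carry a Shared Access Signature and reads the SAS
query fields: 'sp' (permissions), 'se' (expiry), 'sr'/'srt' (resource
scope), 'ss' (services; only on account-level SAS) and 'sig'. Signatures are
not verified, which would need the account key. Sample text is constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

BLOB_URL_RE = re.compile(r"""https://[a-z0-9-]+\.blob\.core\.windows\.net/[^\s"'<>)]+""", re.IGNORECASE)
RISKY_PERMISSIONS = {"w": "write", "d": "delete", "l": "list", "c": "create"}


def find_sas_urls(text: str) -> list:
    """Blob URLs whose query string includes a signature."""
    return [u for u in BLOB_URL_RE.findall(text) if "sig=" in urlsplit(u).query]


def parse_sas(url: str) -> dict:
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "ss" in q or "srt" in q:
        kind = "account"            # account SAS: signed with the account key, scope = whole account
    elif "skoid" in q:
        kind = "user-delegation"    # signed with an Entra ID key, revocable through that identity
    else:
        kind = "service"
    return {
        "account": parts.netloc.split(".")[0],
        "path": parts.path,
        "kind": kind,
        "permissions": q.get("sp", ""),
        "expiry": q.get("se"),
    }


def assess(sas: dict, now: datetime) -> list:
    """Human-readable findings; an empty list means nothing alarming."""
    findings = []
    if sas["expiry"] is None:
        findings.append("no expiry set")
    else:
        expiry = datetime.fromisoformat(sas["expiry"].replace("Z", "+00:00"))
        if expiry < now:
            findings.append("already expired")
        elif expiry - now > timedelta(days=365):
            findings.append(f"expiry {expiry.date()} is more than a year out")
    if sas["kind"] == "account":
        findings.append("account SAS: covers the whole storage account and is only revocable by rotating the account key")
    risky = [name for letter, name in RISKY_PERMISSIONS.items() if letter in sas["permissions"]]
    if risky:
        findings.append("permissions include " + ", ".join(risky))
    return findings


def audit(text: str, now: datetime) -> list:
    """[(url, findings), ...] for every SAS URL found in the text."""
    return [(url, assess(parse_sas(url), now)) for url in find_sas_urls(text)]


# Constructed sample: the shape of a README that embeds download links. Not real.
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)
SAMPLE_TEXT = """
Download the models:
  https://exampleresearch.blob.core.windows.net/models/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacx&se=2051-10-06T05:28:41Z&sig=FAKEsig%2Babc%3D
Public sample data (read-only, expires soon):
  https://exampleresearch.blob.core.windows.net/public/sample.zip?sv=2020-08-04&sr=b&sp=r&se=2023-09-25T00:00:00Z&sig=FAKEsig%2Bdef%3D
"""

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_TEXT, NOW):
        print(url.split("?")[0])
        for finding in findings or ["ok"]:
            print("  -", finding)
```

The first constructed link has the three properties that made the Microsoft case serious (account scope, decades of validity, write and delete rights); the second is the shape a shared link should have: a single blob, read-only, expiring in days.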

No customer data was exposed, and no other Microsoft service was put at risk by the dataset exposure. The risk is not specific to Microsoft: any large-scale open-source dataset can be affected in the same way. As Wiz put it in its blog post, "Researchers collect and share massive amounts of external and internal data to construct the required training information for their AI models. This poses inherent security risks tied to high-scale data sharing."

To prevent similar incidents, organisations should train employees not to overshare and should scope access tokens to the smallest resource that does the job. In this case the researchers could have placed the public dataset in a dedicated storage account, so that a token for it exposed nothing else. Supply-chain attacks are a further concern: if a shared token also grants write access, an attacker who finds it can inject malicious code into files that the public downloads and trusts.

"As we see wider adoption of AI models within companies, it’s important to raise awareness of relevant security risks at every step of the AI development process, and make sure the security team works closely with the data science and research teams to ensure proper guardrails are defined,” the Wiz team wrote in their blog post.

Ami Luttwak, CTO and cofounder of Wiz, released the following statement to TechRepublic: “As AI adoption increases, so does data sharing. AI is built on collecting and sharing lots of large models and quantities of data, and so what happens is you get high volumes of information flowing between teams. This incident reveals the importance of sharing data in a secure manner. Wiz also recommends security teams gain more visibility into the process of AI research, and work closely with their development counterparts to address risks early and set guardrails.”

Zenbleed: Security Flaw Steals Data from AMD Zen 2 CPUs


Google security researcher Tavis Ormandy disclosed the flaw to AMD on May 15 and later published a write-up on his blog. Zenbleed affects AMD's entire Zen 2 product line.

The bug lets an attacker read data that other code has left in the vector registers of a Zen 2 CPU, which can include encryption keys and login credentials; those CPUs power the PlayStation 5, Xbox Series consoles, desktops, laptops and data-centre servers. According to Cloudflare, the attack can in principle be carried out remotely by JavaScript on a web page.

AMD Zen 2 CPU

Zen 2, launched in 2019, is the microarchitecture behind the third generation of Ryzen. It covers the Ryzen 3000 desktop chips, the Ryzen 4000U/H and Ryzen 5000U mobile chips, Threadripper 3000 workstation parts, the Ryzen 4000G accelerated processing units (APUs) and the EPYC 7002 "Rome" server processors.

Zen 2 also powers Sony's PlayStation 5, Microsoft's Xbox Series S and Series X, and Valve's Steam Deck, and is found in many standalone PCs and data-centre servers.

All of these are affected by Zenbleed, tracked as CVE-2023-20593, which stems from a flaw in how the CPUs handle speculative execution.

CPU Misprediction 

Modern CPUs gain speed by predicting which instructions will run next and executing them before the prediction is confirmed, rather than waiting for each branch to resolve. This is speculative execution; when the guess turns out to be wrong, the CPU must discard the speculative results and roll its state back.

One of the instructions involved is vzeroupper, an AVX instruction that zeroes the upper halves of the 256-bit YMM vector registers. Zen 2 implements it cheaply by flagging the upper half as zero in the register file and releasing the physical register that held it, rather than writing zeros.

Ormandy found that when Zen 2 executes vzeroupper speculatively and the speculation is then rolled back, the register file is not restored correctly: the zero flag is cleared, but the physical register that was released is not reclaimed, so the architectural YMM register now aliases storage that another process, another virtual machine or the kernel may be using. Because ordinary library routines such as memcpy and strlen also use the YMM registers, that leftover data is readable by unprivileged code.

That storage can hold passwords, payment-card details, encryption keys and other secrets, and a well-tuned exploit can pull data out of an affected system at roughly 30 KB per core per second.

Because the flaw sits in the CPU's normal operation,<br>it works regardless of the operating system, applications, virtual machines or security tools installed, and it crosses process and VM boundaries.

Patching the Underlying Vulnerability

Ormandy published proof-of-concept exploit code alongside his write-up. The bug is considered simpler to exploit than earlier CPU flaws such as Spectre and Meltdown.

AMD released a microcode update for the EPYC 7002 server parts immediately and said firmware (AGESA) updates for the remaining Zen 2 products would reach equipment manufacturers in stages beginning in October.

Cloudflare announced that it is "patching [its] entire fleet of potentially impacted servers with AMD's microcode." 

Citrix has provided a patch, and the Debian and Red Hat Linux distributions have also responded. Red Hat rated the vulnerability as "moderate impact" and cautioned that a complete fix was not yet available.
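Assessing exposure starts with knowing which hosts are Zen 2 and whether their microcode already carries AMD's fix. The following added example is my own code, not from Ormandy's write-up, AMD or the Linux kernel. It classifies the fields an inventory script would collect from /proc/cpuinfo. The model ranges and the "first fixed" microcode revisions are reproduced from the Linux kernel's Zenbleed mitigation as I recall them; treat them as an assumption and check them against arch/x86/kernel/cpu/amd.c before relying on the result. The cpuinfo samples are constructed:

```python
"""Classify a Linux /proc/cpuinfo against the Zenbleed (CVE-2023-20593) fix.

Added example, not code from Ormandy's write-up, AMD or the Linux kernel.
The model ranges and fixed microcode revisions below are reproduced from
memory of the kernel's mitigation table and are an assumption: verify them
against arch/x86/kernel/cpu/amd.c. Models with no revision listed (for
example Van Gogh in the Steam Deck) rely on the DE_CFG fallback instead.
"""
import re

ZEN2_FAMILY = 0x17
# (first model, last model, first microcode revision with the fix or None)
ZEN2_FIXED_MICROCODE = [
    (0x30, 0x3F, 0x0830107A),   # EPYC 7002 "Rome", Threadripper 3000 (Castle Peak)
    (0x40, 0x4F, None),
    (0x60, 0x67, 0x0860010B),   # Ryzen 4000 APUs (Renoir)
    (0x68, 0x6F, 0x08608105),   # Ryzen 5000U (Lucienne)
    (0x70, 0x7F, 0x08701032),   # Ryzen 3000 desktop (Matisse)
    (0x90, 0x91, None),         # Van Gogh (Steam Deck)
    (0xA0, 0xAF, 0x08A00008),   # Mendocino
]

FIELD_RE = re.compile(r"^(?P<key>[^:\n]+?)\s*:\s*(?P<value>.*)$", re.MULTILINE)


def first_cpu(cpuinfo: str) -> dict:
    """Fields of the first 'processor' block, with lower-cased keys."""
    block = cpuinfo.strip().split("\n\n")[0]
    return {m["key"].strip().lower(): m["value"].strip() for m in FIELD_RE.finditer(block)}


def classify(cpuinfo: str) -> str:
    cpu = first_cpu(cpuinfo)
    if cpu.get("vendor_id") != "AuthenticAMD" or int(cpu.get("cpu family", 0)) != ZEN2_FAMILY:
        return "not-zen2"
    model = int(cpu.get("model", -1))
    flags = set(cpu.get("flags", "").split())
    for low, high, fixed_rev in ZEN2_FIXED_MICROCODE:
        if low <= model <= high:
            break
    else:
        return "not-zen2"
    if "hypervisor" in flags:
        return "zen2-guest-host-must-fix"   # a VM can neither load microcode nor set the MSR
    if "avx" not in flags:
        return "zen2-no-avx-not-exposed"     # no YMM upper halves to leak
    rev = int(cpu.get("microcode", "0x0"), 16)
    if fixed_rev is not None and rev >= fixed_rev:
        return "zen2-microcode-fixed"
    return "zen2-needs-fallback"


# Constructed samples, trimmed to the fields that matter.
EPYC_ROME_PATCHED = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302P 16-Core Processor
microcode\t: 0x830107a
flags\t\t: fpu avx avx2 sse4_2

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
microcode\t: 0x830107a
flags\t\t: fpu avx avx2 sse4_2
"""

RYZEN_3700X_OLD = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 7 3700X 8-Core Processor
microcode\t: 0x8701021
flags\t\t: fpu avx avx2 sse4_2
"""

INTEL = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
microcode\t: 0xf0
flags\t\t: fpu avx avx2
"""

if __name__ == "__main__":
    for name, text in (("EPYC Rome", EPYC_ROME_PATCHED), ("Ryzen 3700X", RYZEN_3700X_OLD), ("Intel", INTEL)):
        print(f"{name:12} {classify(text)}")
```

A host reported as "zen2-needs-fallback" has no fixed microcode loaded. Ormandy's write-up gives the software workaround for that case, setting bit 9 of the DE_CFG MSR on every core (`wrmsr -a 0xc0011029 $(($(rdmsr -c 0xc0011029) | (1<<9)))`), at some performance cost; updated Linux kernels apply the same bit automatically when they detect old microcode on an affected model.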

Security experts advise companies to assess their exposure by reviewing where Zen 2-based systems are in use. They also suggest keeping related hardware-level bugs in mind, such as RAMBleed, which reads data directly out of DRAM rather than from the CPU.