
This week in cybersecurity saw a relentless series of significant disclosures and record-breaking attack volumes, emphasizing the mounting difficulties faced by defenders.

Taking center stage was Google’s urgent fix for yet another actively exploited zero-day vulnerability in its Chrome browser.

The high-severity flaw required an immediate response, underscoring the ongoing peril posed by sophisticated actors targeting the world’s most popular web browser and reminding users of the vital importance of enabling automatic updates.

The theme of escalation persisted with reports of an unprecedented Distributed Denial-of-Service (DDoS) attack that peaked at a staggering 22.2 Terabits per second (Tbps).

This colossal onslaught illustrates a frightening new level of firepower accessible to threat actors, raising critical concerns regarding the resilience of internet infrastructure and the defensive proficiency of even the most prepared organizations.

The attack acts as a clear reminder that the scale of cyber threats is expanding at an exponential rate, stretching the limits of traditional mitigation approaches.


Adding to the strain on network administrators, Cisco unveiled a new zero-day vulnerability in its IOS XE software that is currently being actively exploited.

Impacting a broad array of the company’s enterprise routers and switches, this flaw has the potential to permit unauthenticated attackers to seize control of essential network devices, posing a significant risk for organizations globally.

In the midst of the barrage of vulnerabilities, the security community received a positive update with the launch of Kali Linux 2025.3. The latest iteration of the popular penetration testing and digital forensics distribution unveils new tools, refreshed packages, and kernel improvements.

This release empowers ethical hackers and security researchers with the latest capabilities to identify and resolve the very vulnerabilities generating headlines. In this edition, we present a comprehensive analysis of these events and spotlight other major developments to keep you updated.

Vulnerabilities

Chrome Zero-Day Flaw Actively Exploited

A significant type confusion zero-day vulnerability in Google Chrome’s V8 JavaScript engine, classified as CVE-2025-10585, is being actively exploited by malicious actors. The high-severity flaw, with a CVSS score of 8.8, can facilitate remote code execution. Attackers are reportedly deploying it in operations targeting cryptocurrency wallets and for espionage efforts. The vulnerability works by manipulating the TurboFan JIT compiler. Google has released a patch, and users are encouraged to upgrade to Chrome version 140.0.7339.185 or later. Read more

Critical RCE Flaw in SolarWinds Web Help Desk

SolarWinds has issued a crucial patch for a critical vulnerability (CVE-2025-26399) in its Web Help Desk software. This flaw, which has a CVSS score of 9.8, enables an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability arises from the deserialization of untrusted data and is notably a patch bypass for two previously disclosed vulnerabilities. All users of version 12.8.7 are urged to apply the new hotfix immediately. Read more

Google Patches More High-Severity Chrome Flaws

Google has rolled out another security update for Chrome, addressing three high-severity vulnerabilities that could lead to sensitive information exposure and system instability. The remedied flaws (CVE-2025-10890, CVE-2025-10891, and CVE-2025-10892) are located within the V8 JavaScript engine. CVE-2025-10890 represents a side-channel information leakage vulnerability, while the others pertain to integer overflow issues. Users should update to Chrome version 140.0.7339.207/.208 for protection. Read more

Salesforce CLI Installer Vulnerability

A high-severity flaw (CVE-2025-9844) has been identified in the Salesforce CLI installer that could allow an attacker to achieve SYSTEM-level access on Windows systems. The vulnerability, rated 8.8 on the CVSS scale, originates from the installer mishandling executable file paths, which can be exploited using a binary planting technique. Versions earlier than 2.106.6 are affected, and users should update through official Salesforce channels. Read more

OnePlus Phones Leaking SMS Data

A serious vulnerability (CVE-2025-10184) in OnePlus’s OxygenOS (versions 12 through 15) permits any application to access SMS and MMS messages without user consent. The flaw, rated with a severity score of 8.2, could expose sensitive information such as two-factor authentication codes. OnePlus has acknowledged the concern and plans to issue a fix via a software update beginning in mid-October. Read more

Cisco Fixes Actively Exploited IOS Zero-Day

Cisco has remedied a high-severity zero-day vulnerability (CVE-2025-20352) in its IOS and IOS XE software that is currently being actively exploited in the wild. The flaw exists within the Simple Network Management Protocol (SNMP) subsystem and may enable a remote authenticated attacker to trigger a denial-of-service (DoS) condition or execute code with root privileges. Read more

Old Hikvision Camera Backdoor Re-Exploited

A critical, eight-year-old backdoor vulnerability (CVE-2017-7921) within Hikvision security cameras is being actively exploited once more. The flaw, which has a CVSS score of 10.0, enables attackers to circumvent authentication and access sensitive information, including video streams and user credentials, by sending a specifically crafted URL. The resurgence underscores the dangers associated with unpatched legacy devices. Read more

Salesforce AI Agent Flaw Permitted Data Theft

A critical vulnerability chain dubbed “ForcedLeak” was uncovered in Salesforce’s Agentforce AI platform, which could have enabled attackers to extract sensitive CRM data. The flaw (CVSS score 9.4) exploited an indirect prompt injection attack, where harmful instructions were encoded in Web-to-Lead forms. Salesforce has subsequently rectified the security flaw. Read more

GitLab Resolves Critical Vulnerabilities

GitLab has issued updates for several critical vulnerabilities. Users are urged to upgrade their installations to the most recent version in order to safeguard against possible exploits. Read more

Cyber Attacks

SonicWall Recommends Immediate Update to Combat ‘OVERSTEP’ Rootkit

SonicWall has launched an urgent firmware update (version 10.2.2.2-92sv) for its Secure Mobile Access (SMA) 100 series devices to identify and eliminate a known rootkit malware named OVERSTEP. The advisory, issued on September 22, 2025, follows a report from Google’s Threat Intelligence Group (GTIG) outlining a campaign by the threat actor UNC6148 on obsolete devices. The malware enables attackers to maintain continuous access, establish a reverse shell, and extract confidential information like credentials and OTP seeds. Administrators are highly encouraged to apply the update without delay, as no workaround exists. Read More

Zloader Malware Transforms into Ransomware Gateway for Corporate Networks

The Zloader trojan, a malware family derived from the Zeus banking trojan, has been converted into a primary instrument for initial access brokers to infiltrate corporate networks and deploy ransomware. After nearly a two-year hiatus, Zloader has re-emerged with notable enhancements, including advanced obfuscation and anti-analysis capabilities. Security experts have observed that recent versions (2.11.6.0 and 2.13.7.0) have shifted focus from broad campaigns to highly concentrated attacks targeting valuable organizations for maximum impact. Read More

Malicious npm Package “yahoofinance-api” Captures Browser Data

A harmful package named “yahoofinance-api” was uncovered on the npm registry, aimed at acquiring passwords and cookies from web browsers. The package, which masqueraded as a legitimate library for retrieving financial data, included obfuscated code that executed a PowerShell script to download a secondary payload. This payload would subsequently extract sensitive information from browsers like Chrome, Edge, and Brave. The malware remained active for over a month before being eliminated, emphasizing the persistent threats associated with open-source software supply chains. Read More

Windows 11 Flaw Exposes Cached Passwords in Plaintext

A security flaw has been detected in Windows 11 that could allow attackers with local network access to obtain cached domain user passwords in plaintext. The defect lies in how Windows 11 manages password caching for network authentication, potentially compromising credentials if they are not sufficiently protected. This concern poses a significant risk in corporate settings where domain-joined devices are prevalent, as a successful exploit could enable lateral movement and privilege escalation. Read More

ShadowV2 Botnet Capitalizes on Misconfigured Docker APIs on AWS

A new botnet, called ShadowV2, is actively exploiting improperly configured Docker Engine APIs to deploy cryptocurrency miners and other harmful payloads on Amazon Web Services (AWS) infrastructure. The botnet seeks out publicly accessible Docker API endpoints and utilizes them to create new containers running its malware. ShadowV2 is designed for stealth and longevity, employing various strategies to disguise its presence and ensure its mining activities proceed without interruption. This operation highlights the necessity of securing cloud-based container environments. Read More

LockBit 5.0 Ransomware Variant Appears with Enhanced Features

A new iteration of the infamous LockBit ransomware, named LockBit 5.0, has been identified in the wild with upgraded functionalities. This version incorporates improved anti-analysis techniques, quicker encryption algorithms, and novel methods for evading security software. The LockBit group remains one of the most prolific ransomware-as-a-service (RaaS) operations, and this new variant illustrates their dedication to advancing their tools to circumvent modern defenses and maximize their impact on chosen organizations. Read More

Cisco Addresses Critical Zero-Day RCE Vulnerability in ASA Software

Cisco has announced security updates to tackle a critical zero-day remote code execution (RCE) flaw in its Adaptive Security Appliance (ASA) software. The vulnerability, which was reportedly being exploited in the wild, could enable an unauthenticated attacker to execute arbitrary code on an affected device, potentially resulting in complete system compromise. Given the essential role of ASA devices in network security, administrators are urged to apply the patches immediately to secure their infrastructure from this grave threat. Read More

New Tool “Inboxfuscation” Evades Microsoft Exchange Defenses

A new open-source tool named Inboxfuscation can generate harmful inbox rules in Microsoft Exchange that are challenging for security tools to identify. Developed by the security firm Permiso, the tool employs Unicode-based obfuscation to conceal keywords in rules, allowing attackers to maintain persistence and siphon data from compromised mailboxes. This technique can replace standard characters with visually identical Unicode variants, making the rules seem innocuous while functionally matching sensitive terms. While these specific obfuscation techniques have not yet been seen in active assaults, their development reveals a significant blind spot in email security postures. Read more here
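The defensive counterpart to the obfuscation described above is to fold each rule keyword back to the text a human would read before comparing it with a watch list. The following is an added example, not Permiso's tool or Exchange code; the rule schema, the confusable table and the sensitive-term list are constructed for illustration.

```python
import unicodedata

# Hypothetical confusable table (constructed): Cyrillic look-alikes that NFKC
# normalization does not fold to Latin. Fullwidth and "mathematical" letter
# variants are already folded by NFKC itself.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
}

# Terms a rule that hides mail should never silently match (constructed list).
SENSITIVE_TERMS = ("password", "invoice", "payment", "wire", "mfa", "security")

# Folders attackers commonly use to park mail the user will not look at.
HIDDEN_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items")


def normalize_keyword(keyword):
    """Fold a rule keyword to the plain, case-folded text a reader would see."""
    out = []
    for ch in unicodedata.normalize("NFKC", keyword):
        if unicodedata.category(ch) == "Cf":   # zero-width and other format chars
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).casefold()


def analyze_rule(rule):
    """Return a list of findings for one inbox rule (dict in a constructed schema)."""
    findings = []
    obfuscated = False
    for kw in rule.get("subject_contains", []):
        norm = normalize_keyword(kw)
        if norm != kw.casefold():            # the keyword changed under folding
            obfuscated = True
            if any(term in norm for term in SENSITIVE_TERMS):
                findings.append(f"obfuscated sensitive keyword {kw!r} reads as {norm!r}")
            else:
                findings.append(f"keyword {kw!r} uses non-ASCII or invisible characters")
    hides = (rule.get("delete_message") or rule.get("mark_as_read")
             or rule.get("move_to", "").casefold() in HIDDEN_FOLDERS)
    if obfuscated and hides:
        findings.append("obfuscated keyword combined with a mail-hiding action")
    return findings


def suspicious_rules(rules):
    """Names of the rules that produced at least one finding."""
    return [r["name"] for r in rules if analyze_rule(r)]


# Constructed sample rules: one benign, two using fullwidth, zero-width and
# Cyrillic characters to match "password"/"invoice" while hiding the mail.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["Newsletter"], "move_to": "Reading"},
    {"name": ".", "subject_contains": ["ｐａｓｓｗｏｒｄ", "in\u200bvoice"],
     "move_to": "RSS Feeds", "mark_as_read": True},
    {"name": "..", "subject_contains": ["\u0440\u0430ssw\u043erd"], "delete_message": True},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], analyze_rule(rule))
```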

Critical Vulnerability in Libraesva Email Security Gateway Actively Exploited

A critical command injection vulnerability, tracked as CVE-2025-59689, has been unearthed in Libraesva’s Email Security Gateway (ESG). The flaw permits attackers to execute arbitrary commands by sending an email with a specially crafted compressed attachment. According to reports, this vulnerability has already been exploited in a targeted attack linked to a state-sponsored actor. The vulnerability impacts all Libraesva ESG versions from 4.5 and up. Libraesva responded with emergency patches, which were automatically applied to all cloud and on-premise 5.x installations. Read more here

Kali Linux 2025.3 Released with 10 New Tools and Wi-Fi Enhancements

The third Kali Linux release of 2025 is now live, featuring ten new tools, advancements for Wi-Fi hacking, and other updates. Kali Linux 2025.3 introduces several new tools, including Caido, a web security auditing toolkit; Gemini CLI, an AI agent for the terminal; and krbrelayx, a toolkit for Kerberos relaying attacks. This version also adds support for Nexmon, enabling monitor mode and frame injection for the Raspberry Pi’s integrated Wi-Fi, and includes updated configurations for HashiCorp’s Packer and Vagrant tools. Read more here

Attackers Evade EDR Using In-Memory PE Loaders

A covert technique is being employed by threat actors to circumvent Endpoint Detection and Response (EDR) solutions by loading harmful code directly into a system’s memory. This approach, referred to as an in-memory Portable Executable (PE) loader, retrieves a harmful file (such as a Remote Access Trojan or info-stealer) and executes it within the memory of a legitimate process. Since the harmful file is never saved to disk, it bypasses EDR products that mainly track file-based threats and suspicious process creation events. Read more here

“SetupHijack” Utility Exploits Windows Installers for Privilege Elevation

Security investigators have created a proof-of-concept utility named SetupHijack that exploits race conditions in Windows installers and updaters to obtain elevated permissions. The utility observes world-writable directories like %TEMP% and %APPDATA% for new installer files. When a privileged setup procedure drops a temporary file (e.g., an MSI or EXE), SetupHijack immediately substitutes it with a harmful payload before the installer can execute it. This enables the attacker’s payload to run with SYSTEM or Administrator rights. Read more here

ZendTo File-Sharing Application Vulnerable to Path Traversal

A significant path traversal vulnerability, recognized as CVE-2025-34508, has been discovered in the ZendTo file-sharing application, impacting versions 6.15-7 and earlier. The flaw permits an authenticated user to craft a malicious request to access, read, or alter sensitive files on the server, including logs, user data, and application settings. The vulnerability arises due to the application’s failure to adequately sanitize user-supplied input when managing file uploads. ZendTo has issued a patch in version 6.15-8 to rectify the issue. Read more here

Threats

Kawa4096 Ransomware Targets Global Corporations

A new ransomware group, Kawa4096, is focusing on multinational entities in the finance, education, and service industries, particularly targeting organizations in Japan and the United States. First detected in June 2025, the group employs a dual extortion strategy, combining data encryption with data theft. They run a dedicated Tor-based platform to reveal victim details, increasing pressure to comply with ransom demands. The ransomware utilizes advanced partial encryption methods, employing the Salsa20 stream cipher to encrypt 25% of 64KB chunks of files, significantly accelerating the process while making the files unusable. To facilitate its attack, the malware halts critical processes such as database servers and office applications. Read More
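Partial encryption of the kind attributed to Kawa4096 above leaves a recognisable footprint: a file whose 64 KB chunks alternate between ordinary-looking and ciphertext-like content. The added example below (not Kawa4096 code, and running no cipher at all) profiles a file chunk by chunk with Shannon entropy; the 64 KB chunk size comes from the write-up, while the 7.2 bits-per-byte threshold and the sample file are assumptions constructed for illustration.

```python
import math
import random

CHUNK = 64 * 1024      # chunk size the write-up attributes to Kawa4096
HIGH_ENTROPY = 7.2     # bits per byte; text sits near 4-5, ciphertext near 8 (assumed threshold)


def shannon_entropy(buf):
    """Shannon entropy in bits per byte of a byte string (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_profile(data):
    """Entropy of every 64 KB chunk, in file order."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def partial_encryption_score(data):
    """Return (fraction of ciphertext-like chunks, whether the file mixes both kinds).

    Fully random files (archives, media) and fully plain files are not 'mixed';
    only the interleaved pattern that partial encryption leaves behind is.
    """
    profile = chunk_profile(data)
    high = sum(e >= HIGH_ENTROPY for e in profile)
    fraction = high / len(profile) if profile else 0.0
    mixed = 0 < high < len(profile)
    return fraction, mixed


# Constructed sample: 8 chunks of repetitive text, with every 4th chunk replaced
# by random bytes standing in for an encrypted chunk (25% of the file).
_rng = random.Random(7)
_TEXT_CHUNK = (b"Quarterly report, section 4: revenue by region. " * 2000)[:CHUNK]
SAMPLE_FILE = b"".join(
    _rng.randbytes(CHUNK) if i % 4 == 3 else _TEXT_CHUNK for i in range(8)
)

if __name__ == "__main__":
    fraction, mixed = partial_encryption_score(SAMPLE_FILE)
    print(f"{fraction:.0%} of chunks look encrypted, mixed={mixed}")
```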

Malware Concealed in Steam Game Patch Acquires User Data

A harmful patch for the 2D platformer game “BlockBlasters” on Steam has been used to spread information-stealing malware. The campaign, which commenced on August 30, 2025, has targeted sensitive information such as cryptocurrency wallet details, browser credentials, and Steam login information. The attack employs a three-phase infection method that starts with a batch file (game2.bat) to gather system information and Steam credentials. It then deploys loader scripts and two primary payloads: a Python-based backdoor and the StealC information thief. The malware adds its directory to Microsoft Defender’s exclusion list to avoid detection. Read More

Hackers Manipulate GitHub Notifications for Malware Distribution

Malicious actors are exploiting GitHub’s notification system to disseminate malware by mentioning users in pull requests or comments on repositories they control. This strategy lends an appearance of authenticity to the notifications, as they originate from GitHub’s official domain (github.com). The notifications frequently contain links to harmful sites, enticing victims into downloading malware. This method circumvents traditional email security filters that might otherwise block direct harmful links. Security researchers have observed the use of this technique in various campaigns, including those directed at developers and tech-savvy individuals with fake job offers or project collaborations. Read More

Fake Job Offers Used to Target Job Seekers with Malware

Cybercriminals are directing their efforts towards job seekers with sophisticated fake job offers to deploy information-stealing malware. The threat actors impersonate recruiters and organizations, utilizing platforms like LinkedIn to initiate communication. The attack often involves a multi-phase process where victims are guided through a counterfeit recruitment process and ultimately asked to download a file, such as a “job description” or “questionnaire,” that is actually malware. This malware is crafted to extract sensitive personal and financial details from the victim’s computer. The campaigns are frequently highly targeted, with attackers creating convincing lures based on the victim’s professional profile. Read More

SVG Files Weaponized to Deploy Malware

Hackers are increasingly employing Scalable Vector Graphics (SVG) files to transmit malware, circumventing conventional security protocols that often focus on different file types. These SVG files can harbor embedded harmful JavaScript code. When a user opens the SVG file in a web browser, the script activates, leading to malware downloads or phishing attempts. This approach is effective as SVG files are often viewed as innocuous images. Threat actors have been noted using this method to spread ransomware, spyware, and banking trojans. The attacks often commence with a phishing email that contains a link to the harmful SVG file. Read More
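An SVG that carries script is still well-formed XML, so a gateway or mail filter can parse it and refuse files that contain the active-content constructs this technique relies on. The added example below is illustrative code, not from any product named on this page; the two sample files are constructed, and the lure sample contains no working payload.

```python
import xml.etree.ElementTree as ET

# Elements and URL schemes that turn an "image" into active content.
SCRIPT_TAGS = {"script"}
FOREIGN_TAGS = {"foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}                   # xlink:href is seen as plain href
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(qname):
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return a list of findings; an empty list means no active content was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in SCRIPT_TAGS:
            findings.append("<script> element")
        elif tag in FOREIGN_TAGS:
            findings.append(f"<{tag}> element embeds foreign content")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):         # onload=, onclick=, onmouseover=...
                findings.append(f"event handler {name}= on <{tag}>")
            if name in URL_ATTRS:
                # Browsers ignore leading whitespace and control characters in a
                # URL, so strip them before matching the scheme.
                url = "".join(c for c in value if ord(c) > 32).lower()
                if url.startswith(ACTIVE_SCHEMES):
                    findings.append(f"active URL in {name}= on <{tag}>")
    return findings


# Constructed samples: a plain image, and a lure with a script element, an
# event handler and a javascript: link (the script body is a comment only).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="blue"/></svg>'
)
LURE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>/* constructed sample; a real lure would redirect or fetch here */</script>'
    '<a xlink:href="\n JavaScript:void(0)"><text y="20">Open invoice</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc))
```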

First Malicious MCP Server Found in the Wild

Researchers have discovered the first-ever malicious Mission-Critical Push-to-Talk (MCPTT) server, signaling a new threat vector for essential communication systems. MCPTT is a standard for broadband push-to-talk communication employed by public safety and enterprise organizations. The malicious server was crafted to impersonate a legitimate MCPTT server, potentially enabling attackers to eavesdrop on confidential communications, inject false information, or instigate service interruptions. This finding underscores the necessity for reinforced security measures and authentication protocols within vital communication infrastructures to prevent such assaults. Read More

Microsoft Teams Installers Exploited to Spread Malware

Malicious actors are weaponizing Microsoft Teams installers to deliver malware to unsuspecting users. In these attacks, a legitimate Teams installer is combined with a harmful payload. When the user executes the installer, it installs Microsoft Teams as expected, while also quietly running the malware in the background. This tactic aids the malware in appearing legitimate and bypasses user suspicion. The payloads seen in these campaigns have encompassed various types of malware, such as remote access trojans (RATs) and information stealers, granting attackers control over the compromised system and access to sensitive data. Read More

Data Breaches

Digital Charging Solutions GmbH Data Breach Exposes Client Information

Digital Charging Solutions GmbH (DCS), a provider of charging solutions for electric vehicles, has confirmed a data breach that exposed certain client data. The incident transpired when a third-party service provider accessed customer records without appropriate authorization.

The exposed data encompasses names and email addresses. However, DCS confirmed that no complete payment information or financial records were compromised, as this data is secured through tokenization and encryption. Read more

Jaguar Land Rover Cyberattack Delays Factory Reopening

Jaguar Land Rover (JLR) has prolonged the production suspension at its UK facilities until Wednesday, October 1, 2025, as it recovers from a significant cyber-attack that occurred earlier in the month. The company noted that the extension is essential to formulate an accurate timeline for a secure and phased restart of its manufacturing operations.

JLR is collaborating with external cybersecurity specialists, the UK’s National Cyber Security Centre (NCSC), and law enforcement to investigate the breach and enhance its systems. While production is halted, customer-facing operations, including sales and service, remain active. The company has expressed gratitude to its customers, suppliers, and employees for their patience during the disruption. Read more

Volvo Group Discloses Data Breach

Volvo Group has similarly reported a data breach incident. Currently, details are scarce as investigations are underway to evaluate the full impact and determine the necessary mitigation strategies. Read more
