Zero-Day
Unpatched critical flaws impact Fancy Product Designer WordPress plugin
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size. While examining the […]
Ivanti warns of new Connect Secure flaw used in zero-day attacks
Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances. The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers’ appliances. Ivanti launched an investigation and confirmed that threat actors were actively […]
New Mirai botnet targets industrial routers with zero-day exploits
A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices. Exploitation of previously unknown vulnerabilities started in November 2024, according to Chainxin X Lab researchers who monitored the botnet’s development and attacks. One of the security issues is CVE-2024-12856, a […]
New botnet exploits vulnerabilities in NVRs, TP-Link routers
A new Mirai-based botnetis actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs. The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware. One of the vulnerabilities used in the campaign was documented by TXOne […]
New Android NoviSpy spyware linked to Qualcomm zero-day bugs
The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named ‘NoviSpy,’ used to spy on activists, journalists, and protestors. One of the Qualcomm flaws linked to the attacks is CVE-2024-43047, which was marked as an actively exploited zero-day vulnerability by Google Project Zero in October 2024 and received a fix on Android in […]
Cleo patches critical zero-day exploited in data theft attacks
Cleo has released security updates for a zero-day flaw in its LexiCom, VLTransfer, and Harmony software, currently exploited in data theft attacks. In October, the company patched a pre-auth remote code execution vulnerability (CVE-2024-50623) in its managed file transfer software and recommended that “all customers upgrade immediately.” Huntress security researchers first spotted evidence of attacks targeting fully […]
Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws
Today is Microsoft’s December 2024 Patch Tuesday, which includes security updates for 71 flaws, including one actively exploited zero-day vulnerability. This Patch Tuesday fixed sixteen critical vulnerabilities, all of which are remote code execution flaws. The number of bugs in each vulnerability category is listed below: This count does not include two Edge flaws that were […]
US sanctions Chinese firm for hacking firewalls in ransomware attacks
The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020. According to the Department’s Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity […]
New Windows zero-day exposes NTLM credentials, gets unofficial patch
A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer. The flaw was discovered by the 0patch team, a platform that provides unofficial support for end-of-life Windows versions, and was reported to Microsoft. However, no official fix has been […]
Mitel MiCollab zero-day flaw gets proof-of-concept exploit
Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server’s filesystem. Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities. […]