mastodontech.de is one of many independent Mastodon servers you can use to participate in the Fediverse.
Open to everyone (over 16) and provided by Markus'Blog


#activeexploit


Google patches actively exploited flaw in Chrome

Google has patched an actively exploited zero-day vulnerability (CVE-2025-6554) in Chrome's V8 JavaScript engine that allows remote attackers to perform arbitrary read/write operations through malicious HTML pages. The flaw was reported by Google's Threat Analysis Group, which typically investigates government-backed attacks, suggesting potential state-sponsored exploitation.

**One more urgent patch for Chrome - Google is again patching an actively exploited flaw in Chrome, and exploitation is just a visit to a malicious site. DON'T WAIT! Patch all your Chrome and Chromium browsers (Edge, Opera, Brave, Vivaldi...). Updating the browser is easy, all your tabs reopen after the patch.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

Critical Citrix Netscaler "Citrix Bleed 2" flaw actively exploited

A critical vulnerability in Citrix NetScaler devices, dubbed "Citrix Bleed 2" (CVE-2025-5777), is now being actively exploited by threat actors according to ReliaQuest, raising concerns of a repeat of the devastating 2023 "Citrix Bleed" campaign that affected major companies like Boeing and Comcast's 36 million customers.

**This is now important and URGENT. If your Citrix NetScaler ADC or Gateway is exposed on the internet, it is being actively attacked and exploited. After patching, you must terminate all active ICA and PCoIP sessions since they may already be compromised by attackers.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Active exploitation of critically vulnerable WordPress Motors theme

WordPress sites using the "Motors" automotive theme are under active attack through a critical privilege escalation vulnerability (CVE-2025-4322) that allows unauthenticated attackers to hijack administrator accounts by changing passwords without proper validation. Since mass exploitation began on June 7, 2025, Wordfence has blocked over 23,100 exploit attempts.

**If you are running the Motors theme on your WordPress, update IMMEDIATELY! Your site is vulnerable and hackers are attacking it. Don't delay this one, it's urgent and important!**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

Multiple exploited critical vulnerabilities reported in PTZOptics and other Pan-Tilt-Zoom Cameras

CISA is reporting actively exploited critical vulnerabilities affecting PTZOptics and other pan-tilt-zoom camera systems. PTZOptics has released patches, but the other vendors so far have not responded to CISA or released patches.

**If you have PTZOptics cameras (PT12X, PT20X, PT30X series) or pan-tilt-zoom cameras from ValueHD, multiCAM Systems, or SMTAV, make sure to isolate these devices from the internet as they're being actively exploited. Apply PTZOptics firmware updates, and reach out to your vendor. If no patches are available, consider replacing cameras from other vendors or enforcing strict network isolation.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Coordinated cyberattacks target two-year-old Zyxel firewall flaw

A coordinated global cyberattack campaign on June 16, 2025, involved 244 unique IP addresses exploiting a critical command injection vulnerability (CVE-2023-28771) in Zyxel firewall and VPN devices that allows unauthenticated remote code execution via a single malicious packet to UDP port 500. Even though patches are available for over two years since the vulnerability's original disclosure in April 2023, organizations worldwide remain vulnerable.

**If you still haven't patched your Zyxel firewall, and it's exposed on UDP port 500 to the internet, time to act NOW! Isolate UDP port 500 from the internet, and start patching your firewalls. And check for any indicators of compromise; if possible, even do a factory reset and load a trusted configuration.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Paragon's Graphite Spyware targets European journalists through iPhone flaws

Forensic investigation by Citizen Lab confirmed that Paragon's Graphite spyware platform conducted zero-click attacks against European journalists using CVE-2025-43200, a critical iOS vulnerability that enabled remote code execution through maliciously crafted iCloud Link photos or videos sent via iMessage in early 2025. Apple patched the zero-day vulnerability in iOS 18.3.1 on February 10, 2025.

**You may not be a prominent journalist, but this flaw is already six months old, and even ordinary criminals will find a way to exploit it. Patch your iPhone and iPad to the latest version ASAP!**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Mirai Botnet variant exploits TBK DVR Devices flaw

A new Mirai botnet variant is actively exploiting CVE-2024-3721 (CVSS 6.3) in TBK DVR devices to execute command injection attacks that download ARM32 binaries and add vulnerable systems into a botnet infrastructure. An estimated 50,000-114,000 internet-exposed devices are potentially at risk. The attack is complicated by extensive device rebranding across multiple vendors, making patch availability unclear.

**If you have TBK DVR devices (or rebranded versions like Novo, CeNova, QSee, Pulnix, Night OWL, etc.), make sure to isolate these devices from the internet. Then check for and apply any available firmware updates from your vendor to patch CVE-2024-3721. If the device has been exposed, consider performing a factory reset before isolating it in a protected network.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Destructive npm packages enable remote system destruction

Security researchers at Socket discovered two destructive npm packages (express-api-sync and system-health-sync-api) that masquerade as legitimate utilities but contain hidden backdoors designed to completely wipe production systems. The more sophisticated variant includes reconnaissance capabilities, multi-framework support, and OS-specific deletion commands targeting both Windows and Unix systems.

**Always vet external packages before installation. Make sure to use packages with a lot of contributors and a lot of users. Avoid brand new packages and packages with a single contributor, and NEVER just trust packages suggested by AI. If possible, implement automated package scanning tools and behavioral monitoring in your CI/CD pipeline.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Critical Wazuh Server vulnerability exploited by Mirai Botnet

A critical vulnerability (CVE-2025-24016, CVSS 9.9) in the widely-used Wazuh SIEM platform is being actively exploited by threat actors to deploy Mirai botnet variants for DDoS attacks.

**If you're running Wazuh server versions 4.4.0 through 4.9.0, first make sure to restrict API access to only essential authorized users. Then plan a quick update to version 4.9.1 or later. Exposed Wazuh instances will quickly become part of a botnet.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


CISA warns of ZKTeco BioTime flaw actively exploited in State-Sponsored attacks

CISA reports active exploitation of CVE-2023-38950 (CVSS 7.5) affecting ZKTeco BioTime time and attendance management software. The path traversal vulnerability allows unauthenticated attackers to read arbitrary files through the iclock API.

**If you are using ZKTeco BioTime, it's time to patch it. The attackers targeting these systems are well funded and skilled. Check for any indicators of compromise and patch ASAP!**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Microsoft Scripting Engine flaw exploited in the wild, Proof-of-Concept published

Microsoft warns that CVE-2025-30397, a memory corruption vulnerability in its legacy JScript engine with a CVSS score of 7.5, is now being actively exploited to achieve remote code execution when users click malicious URLs in Microsoft Edge's Internet Explorer Mode. The vulnerability was patched in May 2025, and users should update immediately or disable Internet Explorer Mode as a temporary mitigation measure.

**If you needed one more argument to patch your Windows, how about this: hackers are persistent enough to target even the legacy Internet Explorer 11 mode in unpatched systems. Don't wait, patching Windows is not that hard.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Critical vBulletin Pre-Authentication remote code execution flaws actively exploited

vBulletin forum software contains two critical vulnerabilities (CVE-2025-48827 and CVE-2025-48828) affecting versions 5.0.0-5.7.5 and 6.0.0-6.0.3 on PHP 8.1+ that allow unauthenticated remote code execution. Active exploitation is confirmed in the wild since May 26, 2025. Despite patches being quietly released, many sites remain vulnerable due to delayed updates or administrators being unaware of the security fixes.

**If you're running vBulletin versions 5.0.0-5.7.5 or 6.0.0-6.0.3 on PHP 8.1+, immediately upgrade to vBulletin 6.1.1 or apply the latest security patches. Your software is vulnerable and the flaws are being actively exploited. If you cannot upgrade immediately, consider temporarily taking your forum offline or restricting access until patches can be applied.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


XSS vulnerability in Zimbra collaboration suite under active exploitation

A cross-site scripting (XSS) vulnerability (CVE-2024-27443) in Zimbra Collaboration Suite's CalendarInvite feature is being actively exploited in the wild, potentially by the APT28/Fancy Bear group targeting webmail credentials.

**Update your Zimbra Collaboration Suite to version 10.0.7 or 9.0.0 Patch 39 ASAP. This flaw is being actively exploited by hackers who will steal credentials through malicious calendar invitations.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


SAP fixes second actively exploited NetWeaver vulnerability

SAP has patched a second critical vulnerability (CVE-2025-42999, CVSS 9.1) in NetWeaver Visual Composer that attackers have been chaining with the previously exploited CVE-2025-31324 since January 2025, allowing remote command execution without privileges and potentially compromising hundreds of systems including those of Fortune 500 companies.

**Update all your SAP NetWeaver systems immediately with the second emergency patch for CVE-2025-42999. Alternatively, disable the Visual Composer service until you can patch. And make sure you have already patched CVE-2025-31324 or restricted access to the /developmentserver/metadatauploader endpoint. Finally, scan your environment for unauthorized files that could indicate you've already been hacked.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Samsung makes a second patch for actively exploited flaw in MagicINFO 9 Server

Samsung released security updates for MagicINFO 9 Server to address CVE-2025-4632, a path traversal vulnerability allowing attackers to write arbitrary files with system privileges that's being actively exploited to deploy Mirai botnet malware. All versions prior to 21.1052 remain vulnerable to this flaw, which bypasses a previous patch.

**If you are running Samsung MagicINFO 8 or 9 Server, first make sure it's isolated from the internet and accessible only from trusted networks. Then plan a quick patch, even if you already patched it once. Your MagicINFO server is being hacked, or can be used to hack your entire network.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Vulnerability in Output Messenger actively exploited

A critical directory traversal vulnerability (CVE-2025-27920) in Output Messenger has been actively exploited since April 2025 by the Marbled Dust cyberespionage group. The exploit allows attackers to upload malicious files that can access communications, steal data, and compromise systems.

**If you're using Output Messenger, immediately update to version 2.0.63 for Windows or 2.0.62 for Server. It has a flaw that's being actively exploited by hackers.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


CISA reports active exploitation of two GeoVision Device vulnerabilities

CISA is reporting active exploitation of two critical OS command injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120) in end-of-life GeoVision devices that allow unauthenticated remote attackers to execute arbitrary system commands. Approximately 17,000 internet-facing devices remain vulnerable and are being targeted by a botnet for DDoS attacks and cryptomining operations.

**If you are using GeoVision devices (models GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3), make sure they are isolated from the internet and accessible only from trusted networks. Then reach out to GeoVision for a possible patch and start planning a replacement, since they are end-of-life products that won't be maintained further. And they are critically vulnerable and actively exploited by attackers.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Samsung MagicINFO 9 server flaw actively exploited

Arctic Wolf security researchers report active exploitation of CVE-2024-7399, a path traversal vulnerability in Samsung MagicINFO 9 Server that allows attackers to write and execute arbitrary code with system privileges.

**If you are running Samsung MagicINFO 9 Server, first make sure it's isolated from the internet and accessible only from trusted networks. Then plan a quick patch, because you don't want your signage to show hacked content or be used to hack your entire network.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


Critical OttoKit WordPress Plugin vulnerability patched after active exploitation

Patchstack has disclosed a critical vulnerability (CVE-2025-27007, CVSS 9.8) in the OttoKit WordPress plugin affecting over 100,000 installations that allows unauthenticated attackers to gain complete website control by creating administrator accounts. Exploitation attempts began just 90 minutes after disclosure on May 5, 2025.

**If you're using the OttoKit WordPress plugin, update IMMEDIATELY to version 1.0.83 or later. The flaw is actively exploited and your WordPress is exposed to the internet. DON'T DELAY, updating a plugin is trivial. After updating, check your user accounts for any unauthorized administrator accounts that may have been created by attackers.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai


CISA reports critical Apache HTTP Server flaw actively exploited

CISA reports that vulnerability CVE-2024-38475 (CVSS 9.1) in Apache HTTP Server's mod_rewrite module (affecting versions 2.4.59 and earlier) is being actively exploited, allowing attackers to manipulate URL mapping to access unintended filesystem locations leading to arbitrary code execution, sensitive data exposure, and lateral network movement.

**If you are using Apache HTTP Server, upgrade to version 2.4.60 or later as soon as possible to patch the vulnerability that allows attackers to access unintended filesystem locations and potentially execute malicious code. If you can't patch, review and modify your RewriteRules to ensure substitutions are appropriately constrained.**
#cybersecurity #infosec #attack #activeexploit
beyondmachines.net/event_detai

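The post above advises constraining RewriteRule substitutions where patching is not yet possible. As an added illustration of what "appropriately constrained" looks like in practice (example configuration, not code from the BeyondMachines post or from the Apache project; the URL prefix, directory path and file-name pattern are assumed for illustration), here is a server-context rewrite whose substitution is a filesystem path, first in a loose form and then in a constrained form:

```apache
# Added example, not from the original post or the Apache project.
# Paths (/docs, /srv/www/docs) and the file-name pattern are assumed.
RewriteEngine On

# Loose: everything after /docs/ is copied verbatim into a filesystem path.
# The request URL, not the administrator, decides what gets mapped, so the
# capture can carry path separators and anything else the client chooses.
#
#   RewriteRule "^/docs/(.*)$" "/srv/www/docs/$1"

# Constrained: the capture is limited to a single plain file name (no "/",
# no "..", a fixed extension), and [L] stops further rule processing.
RewriteRule "^/docs/([A-Za-z0-9_-]+\.html)$" "/srv/www/docs/$1" [L]

# Anything under /docs/ that did not match the strict pattern is refused
# outright rather than falling through to other mappings.
RewriteRule "^/docs/" "-" [F]

# Confine what the mapped directory is allowed to serve, independently of
# the rewrite logic, so a rule mistake has a smaller blast radius.
<Directory "/srv/www/docs">
    Require all granted
    Options -Indexes -FollowSymLinks
</Directory>
```

The design point is that the allowed shape of the capture is declared in the pattern itself rather than trusted from the URL, and the `<Directory>` block provides a second, rewrite-independent boundary; check the effect of any such change with a rewrite log (`LogLevel rewrite:trace3`) on a staging host before deploying it, since an over-tight pattern will turn legitimate requests into 403s.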