Attack Execution and Evasion Techniques

The malicious PDF is designed to evade traditional detection mechanisms. Initial samples showed extremely low detection rates, indicating that the payload is carefully crafted to bypass antivirus engines.

Once opened, the document executes obfuscated JavaScript hidden within its structure. This script leverages legitimate application functions to interact with the system and external servers, making the activity appear less suspicious.

Key attack characteristics:

• Uses heavily obfuscated JavaScript to avoid detection
• Leverages trusted application APIs for malicious actions
• Collects system-level data to profile the victim environment
• Communicates with external infrastructure to exfiltrate data
• Maintains in-memory execution to reduce forensic traces

The attack chain is adaptive. Based on the victim’s system profile, the attacker may choose to deliver additional payloads, increasing the likelihood of a successful compromise.

Impact and Exploitation Capabilities

This vulnerability presents a high-risk scenario due to its stealth and ease of exploitation. No advanced interaction is required, making it highly effective in phishing campaigns or targeted attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Potential impact includes:

• Unauthorized access to sensitive local files
• Exposure of system and environment information
• Remote code execution leading to full system compromise
• Possible sandbox escape, bypassing built-in protections

In controlled testing, researchers confirmed that the communication channel used by the malware can support delivery of further payloads, enabling deeper system control.

Defensive Measures and Monitoring

With no official patch currently available, proactive defense becomes critical. Organizations must rely on layered security controls and behavioral monitoring to detect and mitigate threats.

Recommended defensive strategies:

• Block known malicious endpoints and monitor for new suspicious connections
• Inspect outbound traffic for unusual patterns linked to PDF processes
• Detect anomalies in application behavior, especially unexpected file access
• Monitor for suspicious User-Agent strings such as “Adobe Synchronizer”
• Restrict execution of active content within PDF files where possible

Operational Security Considerations

This incident highlights a broader trend of attackers weaponizing trusted file formats like PDFs to deliver advanced exploits. Since these files are widely used in business environments, they present an effective entry point.

Security teams should strengthen awareness around file-based threats and ensure that users are trained to handle unsolicited documents with caution. Developers and defenders alike must also stay updated with threat intelligence to quickly adapt to evolving attack techniques.

Until an official patch is released, maintaining strict control over document handling and network activity is essential to minimizing risk.

The post Adobe Reader Zero-Day Targets Users appeared first on First Hackers News.

Cisco’s security response team has confirmed real-world attacks and advises customers to take immediate action.

How the Attack Works

The issue originates in the web-based management interface, where HTTP request input is not properly validated.

Attackers can exploit this weakness by:

• Sending crafted HTTP requests to the management endpoint
• Bypassing authentication controls
• Executing commands on the operating system
• Escalating privileges to full root access

Because the flaw allows complete system takeover, Cisco classified it as Critical, prioritizing impact over traditional scoring metrics.

Impacted Cisco Products

Cisco confirmed the following products are affected, independent of configuration:

Other Cisco UC components, including Contact Center-related platforms, are confirmed not vulnerable.

Software Updates and Fix Availability

Cisco has released fixes for supported versions. Only the releases listed below are validated by Cisco PSIRT.

Unified CM, IM&P, SME, Webex Calling

Unity Connection

Cisco has observed attackers targeting unpatched deployments, likely using automated discovery techniques to locate exposed management interfaces. Environments supporting enterprise voice and collaboration services are particularly attractive targets.

The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities catalog, increasing compliance pressure for affected organizations.

What Cisco Recommends

Organizations should take the following steps immediately:

• Apply Cisco security updates or upgrade to fixed releases
• Restrict access to management interfaces using network controls
• Monitor HTTP activity for abnormal request patterns
• Investigate systems for indicators of compromise

The post Cisco Unified Communications Zero-Day RCE Enables Root Access appeared first on First Hackers News.

If real, this bug could break Apple’s latest security protections and allow attackers to gain root access on modern iPhones and iPads without any user action. The seller describes it as a full-chain exploit, meaning it can move from initial entry to complete device takeover.

They also claim the attack works through malformed messages, making it a zero-click exploit that triggers as soon as the victim receives the data. The issue is described as a memory-corruption bug, a recurring weakness in complex parsing systems despite recent security improvements.

The listing claims the exploit can bypass iOS 26’s new multi-layer protections and gain full root access, exposing sensitive data like messages, photos, location, and keychain items. The seller also says it runs with high stealth and causes no crashes or alerts, making it difficult to detect.

New iOS 26 Flaw Raises Questions

iOS 26 was released in September 2025 and was promoted as a major security upgrade. Apple added new protections to strengthen the kernel and reduce memory-related vulnerabilities — the same type of flaw ResearcherX claims to have exploited.

If the listing is real, it suggests attackers may have already found ways around these new defenses. Working iOS zero-day chains on the dark web often sell for millions, usually between $2 million and $5 million. ResearcherX labeled this one as an “Exclusive Sale,” meaning it would be sold to only one buyer, likely a nation-state or private intelligence group.

Experts warn that many dark web listings are fake, even from “verified” sellers. Still, the mention of the iOS Message Parser fits with past iOS attack methods, where components like iMessage have been common targets.

Security researchers advise organizations and high-risk users to watch for quick patch releases, such as iOS 26.0.2, which may fix issues related to message-parsing vulnerabilities.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post Threat Actors List iOS 26 Full-Chain 0-Day on Dark Web appeared first on First Hackers News.

Day One of Pwn2Own Ireland 2025 concluded with an extraordinary showcase of cybersecurity talent, as researchers demonstrated 34 unique zero-day vulnerabilities across a wide range of consumer devices.
The exploits earned participants a combined payout of $522,500, marking one of the most successful opening days in the competition’s history.

Hosted by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own is renowned for uncovering security flaws in real-world products. This year’s event stood out for its 100% success rate, with every single exploit attempt succeeding on the first day — a rare achievement in competitive hacking.

Teams Dominate Smart Home and NAS Devices

The first day featured 17 exploitation attempts targeting various connected devices including printers, routers, smart home systems, and NAS (Network-Attached Storage) units from major global manufacturers.

Team DDOS, made up of Bongeun Koo and Evangelos Daravigkas, took an early lead by chaining together eight vulnerabilities to compromise both a QNAP Qhora-322 router and a QNAP TS-453E NAS device.
Their impressive “SOHO Smashup” demonstration earned them $100,000 in prize money and 10 Master of Pwn points, placing them among the top contenders early in the event.

Smart Home Devices Fall to Expert Exploits

Several popular smart home products were also successfully compromised, including the Philips Hue Bridge, Synology ActiveProtect DP320, and Home Assistant Green.

Sina Kheirkhah from the Summoning Team stood out for participating in multiple successful exploits, including a powerful attack against the Synology ActiveProtect Appliance DP320 that earned an additional $50,000 in rewards.

In one of the most notable demonstrations, researcher DMDung of STAR Labs exploited a single out-of-bounds access vulnerability to take control of the Sonos Era 300 smart speaker — achieving the highest single-device payout of $50,000 and securing five Master of Pwn points.

Consumer printers were not spared from the day’s onslaught of exploits. Both Canon and HP devices were successfully hacked, highlighting ongoing concerns about the security of office and home printers.

The Canon imageCLASS MF654Cdw was a particularly popular target, with four different teams exploiting it using combinations of heap-based and stack-based buffer overflow vulnerabilities.
Meanwhile, Team Neodyme executed a stack-based buffer overflow on the HP DeskJet 2855e, earning $20,000 for their exploit.

The post Hackers Expose 34 Zero-Day Flaws at Pwn2Own Ireland 2025 — Over $522,000 Awarded on Day One appeared first on First Hackers News.

• SSRF (Server-Side Request Forgery) to coerce backend servers into making arbitrary requests.
• CRLF injection to insert custom headers into requests.
• Request smuggling to access internal endpoints and upload malicious templates.

This attack abuses the ability of JSP files to load untrusted stylesheets, allowing arbitrary code execution. Persistent HTTP connections are used to chain multiple requests, increasing reliability and reducing detection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The agency has warned that the vulnerability has already been used in ransomware campaigns. All federal agencies have been ordered to apply security patches by October 27, 2025.

Security experts have raised alarms that mass exploitation is expected within days. Cl0p has already targeted multiple organizations since August, stealing sensitive data and issuing extortion emails.

Organizations using Oracle EBS are being strongly advised to patch immediately, conduct threat hunts, and strengthen access controls. Delays in remediation could lead to significant data breaches, financial loss, and operational disruption.

SEO Keywords included: Oracle E-Business Suite, CVE-2025-61882, Cl0p ransomware, remote code execution, SSRF, CRLF injection, WatchTowr Labs, CrowdStrike, CISA KEV, cybersecurity vulnerability, patch advisory.

The post Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group appeared first on First Hackers News.

Two critical zero-day vulnerabilities in Cisco’s firewall technologies—ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense)—are currently being actively exploited in the wild, prompting an emergency directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Cisco confirmed the vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, which could allow attackers to bypass authentication, gain root access, and even tamper with device memory.

The most critical of the two flaws, CVE-2025-20333, carries a CVSS score of 9.9 and affects ASA and FTD devices configured with remote access VPNs. An authenticated attacker can exploit this vulnerability by sending a specially crafted HTTPS request, allowing them to execute arbitrary code on the device with root privileges. This level of access could allow complete takeover of the device.

The second flaw, CVE-2025-20362, with a CVSS score of 6.5, allows an unauthenticated attacker to access sensitive, restricted URLs. While not as severe as CVE-2025-20333, it could be used in combination to gain deeper access or escalate privileges.

Cisco warns that these vulnerabilities can be chained together, enabling attackers to bypass authentication protections and gain high-level access to firewall systems. More alarmingly, the attackers are reportedly able to modify the device’s read-only memory (ROM)—a serious red flag for firmware-level persistence. This means that even a device reboot or firmware update may not fully remove the attacker’s presence.

These attacks are not theoretical. Cisco confirms that real-world exploitation is already underway, and evidence suggests a sophisticated, state-sponsored threat actor may be behind the campaign.

The post Critical Cisco ASA and FTD Zero-Day Vulnerabilities Under Active Attack appeared first on First Hackers News.

The patch was rolled out swiftly on September 17, 2025, via Chrome version 140.0.7339.185 for Linux and 140.0.7339.185/.186 for Windows and macOS. This update not only addresses the zero-day but also fixes three additional high-severity issues: a use-after-free bug in Dawn (CVE-2025-10500), another in WebRTC (CVE-2025-10501), and a heap buffer overflow in ANGLE (CVE-2025-10502). Google has withheld technical details on the exploitation method to limit further attacks, but confirmed real-world abuse. Users are strongly advised to update immediately through Chrome’s settings menu, as automatic updates may take time. For businesses, enhanced network monitoring and vulnerability scanning are recommended to detect and mitigate potential breaches. This incident underscores the ongoing cat-and-mouse game in cybersecurity, where zero-days like this highlight the importance of timely patching in browser ecosystems

The post Google Chrome Zero-Day Vulnerability Exploited in the Wild: Urgent Update Required to Patch CVE-2025-10585 appeared first on First Hackers News.

The flaw, labeled CVE-2025-6558 (CVSS score: 8.8), stems from improper validation of untrusted input in the browser’s ANGLE and GPU components. This could potentially allow a sandbox escape through a specially crafted HTML page.

Although specific details on how the vulnerability has been used in attacks are scarce, Google confirmed that “an exploit for CVE-2025-6558 exists in the wild.” The discovery and reporting of this issue are credited to Clément Lecigne and Vlad Stolyarov from Google’s Threat Analysis Group (TAG).

In its latest updates, Apple also addressed CVE-2025-6558, noting that the vulnerability affects the WebKit engine, which powers Safari.

“In an advisory, Apple stated that this vulnerability exists in open-source code, with Apple software being one of the affected projects. It could potentially be exploited to cause an unexpected crash in Safari when handling maliciously crafted web content.”

The issue has been resolved in the following versions:

The vulnerability has been addressed in the following software updates:

• iOS 18.6 and iPadOS 18.6: For iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.
• iPadOS 17.7.9: For iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.
• macOS Sequoia 15.6: For Macs running macOS Sequoia.
• tvOS 18.6: For Apple TV HD and Apple TV 4K (all models).
• watchOS 11.6: For Apple Watch Series 6 and later.
• visionOS 2.6: For Apple Vision Pro.

Although there is no evidence suggesting that the vulnerability has been exploited to target Apple device users, it’s always recommended to update to the latest software versions to ensure optimal protection and security.

The post Apple Fixes Safari Security Flaw Also Targeted in Recent Chrome Zero-Day Exploit appeared first on First Hackers News.

The uncovered flaw, CVE-2025-6965, was previously unknown to the public and exclusively leveraged by threat actors—highlighting the game-changing role of AI in modern cybersecurity defense.

Key Takeaways:

1. Google’s Big Sleep AI detected and blocked a critical SQLite 0-day vulnerability (CVE-2025-6965) before it could be exploited.
2. It marks the first instance of an AI agent proactively stopping live cyber threats in real time.
3. Leveraged threat intelligence and predictive analysis to anticipate attacks and trigger preemptive mitigation.
4. Highlights a major shift in cybersecurity—from reactive response to proactive AI-driven defense.

Big Sleep AI Prevents SQLite 0-Day Exploitation

Big Sleep, an AI agent jointly developed by Google DeepMind and Google Project Zero, successfully uncovered the critical SQLite vulnerability CVE-2025-6965 using advanced threat intelligence analysis.

This severe security flaw posed a major threat, as it was previously undisclosed and known only to malicious actors actively preparing to exploit it.

Affecting SQLite, one of the most widely deployed database engines across numerous applications and systems, the vulnerability had far-reaching implications.

Big Sleep identified the flaw by analyzing data from Google Threat Intelligence, leveraging deep insights into evolving attack patterns. Using sophisticated pattern recognition and vulnerability assessment algorithms, the AI agent accurately predicted that the SQLite exploit was on the verge of active use by attackers, enabling timely mitigation.

This proactive discovery enabled Google’s security team to deploy immediate defensive measures and collaborate with SQLite developers to patch the vulnerability before any real-world exploitation could take place.

The milestone marks a paradigm shift in cybersecurity, as Big Sleep has not only met but surpassed expectations, significantly accelerating AI-driven vulnerability research since its launch.

Unlike traditional scanners, Big Sleep uses predictive analysis and real-time threat assessment to uncover zero-day vulnerabilities before they are weaponized—offering a major leap forward in threat prevention.

This achievement builds on the AI system’s growing track record, following its first real-world vulnerability discovery in November 2024, which showcased the tremendous potential of AI to preempt security breaches.

By processing massive volumes of security data, Big Sleep has proven instrumental in safeguarding both Google’s ecosystem and widely-used open-source software from emerging threats.

According to Google’s report, the initiative reflects a strong commitment to responsible AI deployment, emphasizing secure-by-design principles, human oversight, and transparency in automated operations.

This breakthrough sets a new benchmark for proactive cyber defense, with the potential to reshape how organizations counter advanced and evolving cyber threats.

The post Google’s AI tool Big Sleep has discovered a critical zero-day vulnerability in SQLite and has successfully blocked its active exploitation appeared first on First Hackers News.

How the Vulnerability Works

The MCP Inspector, a debugging tool for Anthropic’s open-source Model Context Protocol (introduced in November 2024), lacks proper authentication and encryption by default. Attackers can exploit this by crafting malicious websites that send unauthorized requests to the tool’s Server-Sent Events (SSE) endpoint, enabling arbitrary code execution. This could allow hackers to steal data, install backdoors, or move laterally across networks, endangering AI developers and enterprise systems.

Anthropic responded swiftly, releasing MCP Inspector version 0.14.1 in June 2025, which introduces robust authentication, origin validation, and protections against DNS rebinding and CSRF attacks. Developers are urged to update immediately to mitigate risks.

Why This Matters for AI Security

This vulnerability highlights the growing cybersecurity challenges in AI development. As AI tools like MCP standardize data integration for large language models (LLMs), unpatched flaws can expose critical infrastructure to exploitation. The discovery underscores the need for secure coding practices and vigilant monitoring in AI ecosystems.

How to Protect Against This Threat

To safeguard systems, experts recommend:

• Update to MCP Inspector v0.14.1: Ensure the latest version is installed to eliminate the vulnerability.
• Restrict Network Access: Limit MCP Inspector’s exposure to the internet to prevent unauthorized access.
• Monitor for Suspicious Activity: Watch for unusual network requests or system behavior.
• Enhance Browser Security: Use modern browsers with updated security patches to mitigate “0.0.0.0-day” risks.

As AI adoption accelerates, proactive security measures are essential to protect developers and organizations from evolving cyber threats.

The post Critical Vulnerability in Anthropic’s MCP Inspector Exposes AI Developers to Remote Exploits appeared first on First Hackers News.