A zero-day in Trimble Cityworks (CVE-2025-0994) has been exploited in the wild. The flaw allows remote code execution on the Microsoft Internet Information Services (IIS) web servers hosting the application. Trimble is a GIS-based geolocation and transportation technology company, and Cityworks is mostly used in public infrastructure such as local governments, airports and public works.
[mitigate]Check that your current IIS identity permissions are restricted; ensure that your attachment directory is restricted to folders or subfolders meant exclusively for attachments[/mitigate]
Ransomware actors are targeting recently discovered vulnerabilities in SimpleHelp (CVE-2024-57726/7/8). The flaws, which lead to privilege escalation and information disclosure, were leveraged to gain initial access and maintain a persistent remote connection to the compromised systems. SimpleHelp is a Remote Monitoring and Management (RMM) software.
[mitigate]Block access from 213.173.45[.]230, 194.76.227[.]171, 45.9.148[.]136, 45.9.149[.]112[/mitigate]
A new cyberespionage campaign led by an unspecified Chinese actor is targeting suppliers of manufacturing items and materials in sensitive domains, including the chemical sector. The attacks leverage zero-days in edge devices such as VPN appliances and routers, a tactic reminiscent of Volt Typhoon’s activities against US critical infrastructure in 2023-24.
A newly patched vulnerability in FortiOS and FortiProxy (CVE-2025-24472), triggered through crafted CSF Proxy requests, provides attackers with super-admin privileges on Fortinet firewalls. The flaw is similar to a recently exploited vulnerability (CVE-2024-55591), which has been used to create admin or local users on compromised devices and then add them to SSL VPN user groups. It is unclear whether the new flaw has been exploited in the wild, as Fortinet has retracted a prior statement admitting ongoing exploitation against corporate targets.
[mitigate]Limit the IP addresses that can reach the administrative interface via local-in policies and block access from 45.55.158.47, 87.249.138.47, 155.133.4.175, 37.19.196.65 and 149.22.94.37[/mitigate]
A Linux kernel flaw (CVE-2024-53104) has been used in limited but targeted attacks. The out-of-bounds write vulnerability lies in the peripheral driver for USB Video Class (UVC) devices, which captures streaming video from webcams and similar hardware. An attacker with physical or virtual access to the device, and able to control the captured frame data, can use this flaw to elevate privileges. Moreover, since the attacker can overwrite kernel data, the availability and integrity of the targeted system might also be impacted.
[mitigate]Make configuration changes to prevent the “uvcvideo” module from automatically loading in the Linux kernel.[/mitigate]
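One way to apply and verify this mitigation, as an added example that is not part of the bulletin: the script stages a modprobe.d drop-in that prevents uvcvideo from loading and checks an lsmod listing for the module. The file name disable-uvcvideo.conf and the helper function names are assumptions; the conf directory defaults to /etc/modprobe.d but can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the bulletin): block auto-loading of the uvcvideo
# module (CVE-2024-53104 mitigation) and verify the result.

# Write a modprobe.d drop-in. "blacklist" stops automatic loading by alias
# (e.g. when a webcam is plugged in); "install ... /bin/false" also makes an
# explicit "modprobe uvcvideo" fail instead of loading the module.
write_uvc_blacklist() {
    conf_dir="${1:-/etc/modprobe.d}"          # assumption: default path
    conf_file="$conf_dir/disable-uvcvideo.conf"
    mkdir -p "$conf_dir"
    cat > "$conf_file" <<'EOF'
# Mitigation for CVE-2024-53104: prevent the UVC driver from loading.
blacklist uvcvideo
install uvcvideo /bin/false
EOF
    echo "$conf_file"
}

# Return 0 if uvcvideo appears as a loaded module in an lsmod-style listing
# (module name in the first column, header on line 1), 1 otherwise.
uvc_loaded_in() {
    awk 'NR > 1 && $1 == "uvcvideo" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Return 0 if any *.conf file in the given directory blacklists uvcvideo.
uvc_blacklisted_in() {
    grep -qsE '^[[:space:]]*blacklist[[:space:]]+uvcvideo([[:space:]]|$)' "$1"/*.conf
}

# Self-check on a constructed lsmod listing in a temporary directory.
demo_dir=$(mktemp -d)
printf 'Module Size Used by\nuvcvideo 123456 0\n' > "$demo_dir/lsmod.txt"
write_uvc_blacklist "$demo_dir/modprobe.d" > /dev/null
uvc_blacklisted_in "$demo_dir/modprobe.d" && echo "drop-in staged"
uvc_loaded_in "$demo_dir/lsmod.txt" && echo "sample listing shows uvcvideo loaded"
rm -rf "$demo_dir"

# On a live host (as root): write_uvc_blacklist; then, if
# "lsmod | uvc_loaded_in /dev/stdin" succeeds, unload with "modprobe -r uvcvideo".
```

The drop-in only stops future loads; a module that is already resident must be unloaded separately and the change should be confirmed after the next reboot.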
Apple patched a zero-day (CVE-2025-24200) exploited in “highly sophisticated” attacks against iPhone and iPad users. The vulnerability allows bypassing USB Restricted Mode, a security feature that prevents USB devices from creating a data connection once the device has been locked for more than an hour.
A flaw in Microsoft Outlook (CVE-2024-21413), which bypasses Outlook’s protections against malicious links, is now exploited in the wild. The vulnerability, nicknamed Moniker Link, circumvents Outlook’s Protected View, which is responsible for opening suspicious content in read-only mode. It also affects the Preview Pane. Its exploitation leads to the exfiltration of NTLM credentials and the execution of arbitrary code.
[mitigate]Block outgoing traffic on port 445 in the external firewall[/mitigate]
A newly patched vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock (CVE-2025-21418) has been observed in the wild. The flaw lets attackers elevate privileges to SYSTEM. This is only the second exploited flaw in AFD.sys since 2022; the previous one (CVE-2024-38193) was used by the infamous North Korean group Lazarus to install a rootkit and maintain persistence on compromised hosts.
Microsoft fixed another actively exploited Windows flaw (CVE-2025-21391). By exploiting the vulnerability, threat actors can delete files from Windows Storage, potentially affecting the service’s availability.
A new LDAP vulnerability (CVE-2025-21376) is considered by Microsoft as “more likely” to be exploited soon. The flaw is triggered through specially crafted requests and allows an unauthenticated attacker to cause a buffer overflow that could be leveraged for remote code execution. However, the attacker must first win a race condition. A month ago, the LDAP Nightmare vulnerability (CVE-2024-49113), able to crash any unpatched Windows server, had already raised concerns.
[mitigate]Monitor Tenable Plugins 21622-23, 21626-29, 21631-32, 21634, 21636, 21639-40[/mitigate]
A vulnerability has been found in OpenSSL (CVE-2024-12797), causing server authentication failures to go unnoticed by clients using raw public keys (RPKs). The flaw enables man-in-the-middle attacks, since an affected client may fail to detect that server authentication failed and proceed as if it had succeeded. It should be noted that RPKs are disabled by default for TLS clients and servers and are used only when specifically configured. This is the first high-severity OpenSSL vulnerability discovered since 2023.
Google claimed that cybercrime groups are increasingly posing national security threats. Google’s researchers highlighted Russian state actors acquiring tools from cybercrime marketplaces, as well as hybrid groups and cybercriminals engaged in activities supporting state objectives. These include the Russian RomCom (aka UNC4895), which recently leveraged zero-days in Microsoft Word (CVE-2023-36884) and Firefox (CVE-2024-9680) against Ukrainian targets, and the Chinese UNC5174, which quickly weaponized zero-days in ConnectWise ScreenConnect (CVE-2024-1709) and PAN-OS (CVE-2024-3400) against hundreds of institutions in North America.