Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.
The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.
Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.
On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.
“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.
In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist
It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.
Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.
On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.
It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”
An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.
The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.
Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.
This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.
The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.
Google on Monday released a fresh Chrome 137 update to address three vulnerabilities, including a high-severity bug exploited in the wild.
Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds read and write issue in the V8 JavaScript engine.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the internet giant’s advisory reads. No further details on the security defect or the exploit have been provided.
However, the company credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) for reporting the issue.
TAG researchers previously reported multiple vulnerabilities exploited by commercial surveillance software vendors, including such bugs in Chrome. Flaws in Google’s browser are often exploited by spyware vendors and CVE-2025-5419 could be no different.
According to a NIST advisory, the exploited zero-day “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. It should be noted that the exploitation of out-of-bounds defects often leads to arbitrary code execution.
The latest browser update also addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will be handed out for the zero-day.
The latest Chrome iteration is now rolling out as version 137.0.7151.68/.69 for Windows and macOS, and as version 137.0.7151.68 for Linux.
During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit.
Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.
Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.
In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.
On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.
The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.
This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits.
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances.
Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection.
We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day exploitation attempts.
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.
A threat actor claims to offer a zero-day exploit for an unauthenticated remote code execution vulnerability in Fortinet firewalls.
Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8, 2025.
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
Fortinet has disclosed a second authentication bypass vulnerability that was fixed as part of a January 2025 update for FortiOS and FortiProxy devices.
The ZDI team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks.
In a first-of-its-kind report, the US government has revealed that it disclosed 39 zero-day software vulnerabilities to vendors or the public in 2023 for the purpose of getting the vulnerabilities patched or mitigated, as opposed to retaining them to use in hacking operations.
It’s the first time the government has revealed specific numbers about its controversial Vulnerabilities Equities Process (VEP) — the process it uses to adjudicate decisions about whether zero-day vulnerabilities it discovers should be kept secret so law enforcement, intelligence agencies, and the military can exploit them in hacking operations or be disclosed to vendors to fix them. Zero-day vulnerabilities are security holes in software that are unknown to the software maker and are therefore unpatched at the time of discovery, making systems that use the software at risk of being hacked by anyone who discovers the flaw.
After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.
GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
Apple has released security updates to fix this year's first zero-day vulnerability, tagged as actively exploited in attacks targeting iPhone users.
On Wednesday, January 8, 2025, Ivanti disclosed two CVEs affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. CVE-2025-0283 is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device.
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
On Wednesday, October 23, 2024, security company Fortinet published an advisory on CVE-2024-47575, a critical zero-day vulnerability affecting their FortiManager network management solution. The vulnerability arises from a missing authentication for a critical function [CWE-306] in the FortiManager fgfmd daemon that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. The vulnerability carries a CVSS v3 score of 9.8.
EXC: Security researchers at Google and Amnesty International discovered hackers exploiting the bug in an active hacking campaign.
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
Intruders accessed machines via tool bundled with ScienceLogic, 'limited' info taken, customers told not to worry
