
Linux Kernel 0-Day “Copy Fail” Grants Root Access Across Major Distros Since 2017

Security researchers have disclosed a critical zero-day vulnerability in the Linux kernel dubbed “Copy Fail” (CVE-2026-31431), which allows unprivileged local users to gain root access. Using a tiny 732-byte Python script, attackers can exploit a logic flaw present in major Linux distributions released since 2017. Copy Fail is a local privilege escalation (LPE) vulnerability found […]

The post Linux Kernel 0-Day “Copy Fail” Grants Root Access Across Major Distros Since 2017 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

CISA Warns of Windows Shell Zero-Day Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly discovered zero-day vulnerability affecting Microsoft Windows. On April 28, 2026, the agency officially added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw involves a failure of a protection mechanism within the Microsoft Windows Shell, and active exploitation […]


CISA Issues Alert on Chrome Zero-Day Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical zero-day vulnerability affecting Google Chrome and other Chromium-based web browsers. Officially tracked as CVE-2026-5281, this security flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog because hackers are actively exploiting it in real-world attacks. The vulnerability originates […]


CVE-2025-20393 Exploitation: A Maximum-Severity Zero-Day Vulnerability in Cisco AsyncOS Software Abused in Attacks by the China-Backed APT UAT-9686 

18 December 2025, 14:11
CVE-2025-20393 Exploitation

As 2025 draws to a close, yet another critical Cisco zero-day has emerged, joining earlier high-severity disclosures: two RCE flaws in Cisco ISE and ISE-PIC (CVE-2025-20281 and CVE-2025-20282) and a September zero-day in Cisco IOS and IOS XE (CVE-2025-20352). The latest uncovered Cisco vulnerability, identified as CVE-2025-20393, affects AsyncOS Software and reaches a maximum-severity CVSS score of 10.0. The flaw is already under active exploitation by a China-linked APT group tracked as UAT-9686.

Exploitation of zero-day vulnerabilities is increasing, while the time to patch them is shrinking, making prompt updates more critical than ever. The 2025 Verizon DBIR report highlights a 34% year-over-year rise in breaches initiated via vulnerability exploitation, underscoring the need for proactive defenses. China-backed espionage campaigns are driving this trend, with operations increasingly emphasizing stealth and operational security over the past five years. China-aligned APT clusters remain among the fastest and most active state-sponsored actors, often weaponizing newly disclosed exploits almost immediately, further complicating the global cybersecurity landscape.

In early December, a new maximum-severity vulnerability in React Server Components, known as React2Shell, was observed being exploited in multiple China-linked campaigns, with activity quickly accelerating in both scale and pace and broadening its targeting scope. Another maximum-severity vulnerability (CVE-2025-20393), recently discovered in Cisco AsyncOS Software, has been causing a stir in the cyber threat arena and demands heightened vigilance from defenders.

Sign up for SOC Prime Platform, offering the world’s largest detection Intelligence dataset and covering a full pipeline from detection to simulation to take your SOC to the next level and proactively thwart APT attacks, exploitation campaigns, and cyber threats of any scale and sophistication. Press Explore Detections to reach a comprehensive context-enriched rule set addressing critical exploits, filtered by the corresponding “CVE” tag.


The above-mentioned SOC content is supported across 40+ SIEM, EDR, and Data Lake platforms to enable cross-platform content utilization and is mapped to the most recent MITRE ATT&CK® v18.1 framework. Security teams can further accelerate end-to-end detection engineering workflows with Uncoder AI, which enables smooth rule creation from live threat intelligence, instant detection logic refinement and validation, automatic Attack Flow visualization, IOC-to-hunt query conversion, and AI-backed translation of detection content across multiple language formats.

CVE-2025-20393 Analysis

Cisco has recently warned the global defender community of a critical zero-day in its AsyncOS Software tracked as CVE-2025-20393 that is being actively exploited by a China-linked APT group, UAT-9686, targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

The company reported becoming aware of the campaign on December 10, 2025, noting that only a limited subset of appliances with certain internet-exposed ports appear to be affected. The total number of impacted customers remains unclear.

According to the vendor, the flaw enables threat actors to execute arbitrary commands with root privileges on affected appliances. Investigators have also found evidence of a persistence mechanism planted to maintain control over compromised devices.

The vulnerability remains unpatched and stems from improper input validation, allowing attackers to run malicious commands with elevated privileges on the underlying operating system.

All versions of Cisco AsyncOS are impacted, though exploitation requires specific conditions across both physical and virtual deployments of Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The Spam Quarantine feature must be enabled and accessible from the internet—an important detail, as this feature is disabled by default. Cisco advises administrators to verify its status via the web management interface by checking the relevant network interface settings.

The vendor traced exploitation activity back to at least late November 2025, when the China-linked actor UAT-9686 began abusing the flaw to deploy tunneling tools such as ReverseSSH (AquaTunnel) and Chisel, along with a log-cleaning utility named AquaPurge. AquaTunnel has previously been associated with diverse Chinese groups, including APT41 and UNC5174. Adversaries also deployed a lightweight Python backdoor, AquaShell, which passively listens for unauthenticated HTTP POST requests, decodes specially crafted payloads, and executes commands via the system shell.

Until a patch becomes available, Cisco recommends hardening affected appliances by restricting internet exposure, placing them behind firewalls that allow only trusted hosts, separating mail and management interfaces, disabling HTTP access to the main admin portal, and closely monitoring web logs for anomalous activity. Additional guidance includes disabling unnecessary services, enforcing strong authentication mechanisms such as SAML or LDAP, and replacing default administrator credentials with stronger passwords. The company emphasized that in confirmed compromise scenarios, rebuilding the appliance is currently the only effective way to remove attacker persistence.

In response to the increasing threat, CISA has added CVE-2025-20393 to its KEV catalog, mandating that Federal Civilian Executive Branch agencies implement mitigations by December 24, 2025.

In addition, GreyNoise reported detecting a coordinated, automated credential-stuffing campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. The activity involves large-scale scripted login attempts rather than vulnerability exploitation, with consistent infrastructure and timing suggesting a single campaign pivoting across multiple VPN platforms.

The fast-moving exploitation of CVE-2025-20393 and its active use by a China-backed hacking group suggest a rising risk of follow-on attacks against organizations worldwide. To minimize the risks of exploitation attempts, rely on SOC Prime’s AI-Native Detection Intelligence Platform, which equips SOC teams with cutting-edge technologies and top cybersecurity expertise to stay ahead of emerging threats while maintaining operational effectiveness. 



The post CVE-2025-20393 Exploitation: A Maximum-Severity Zero-Day Vulnerability in Cisco AsyncOS Software Abused in Attacks by the China-Backed APT UAT-9686 appeared first on SOC Prime.

CVE-2025-14174 Vulnerability: A New Memory Corruption Zero-Day Vulnerability in Apple WebKit Exploited in Targeted Attacks

16 December 2025, 15:03
CVE-2025-14174 Vulnerability Exploitation

Zero-day vulnerabilities continue to pose increasing risks, enabling attackers to weaponize undisclosed weaknesses ahead of defensive fixes. Following the disclosure of a critical zero-day in Gladinet’s Triofox (CVE-2025-12480), a new zero-day vulnerability is already being exploited in the wild, underscoring the narrow window defenders have to act. Apple has confirmed that a newly discovered WebKit zero-day vulnerability, known as CVE-2025-14174, alongside CVE-2025-43529, has been actively exploited in highly targeted attacks. CVE-2025-14174 and CVE-2025-43529 affect all Apple devices capable of rendering web content, including Safari and every browser on iOS and iPadOS, leaving any unpatched system exposed to compromise.

WebKit, the cross-platform browser engine behind Safari and numerous applications on macOS, iOS, Linux, and Windows, continues to be a high-value target for attackers, particularly because it is mandatory for all browsers on iOS and iPadOS. For instance, in the early spring of 2025, a zero-day flaw tracked as CVE-2025-24201 was discovered in WebKit and weaponized via maliciously crafted web content to break out of the Web Content sandbox.

With the latest fixes, Apple has now addressed nine zero-day vulnerabilities exploited in the wild in 2025. This reflects a clear trend that attackers are heavily investing in browser engines and rendering pipelines to bypass sandboxing and silently compromise critical targets. 

Register for SOC Prime’s AI-Native Detection Intelligence Platform for SOC teams backed by cutting-edge technologies and top cybersecurity expertise to outscale cyber threats and build a resilient cybersecurity posture. Click Explore Detections to access the comprehensive collection of SOC content for vulnerability exploit detection, filtered by the custom “CVE” tag.


Detections from the dedicated rule set can be applied across 40+ SIEM, EDR, and Data Lake platforms and are mapped to the latest MITRE ATT&CK® framework v18.1. Security teams can also leverage Uncoder AI to accelerate detection engineering end-to-end by generating rules directly from live threat reports, refining and validating detection logic, auto-visualizing Attack Flows, converting IOCs into custom hunting queries, and instantly translating detection code across diverse language formats.

CVE-2025-14174 Analysis

On December 12, Apple issued out-of-band security patches across its ecosystem after confirming that two WebKit zero-day vulnerabilities are under active exploitation in the wild. The weaponized security issues are CVE-2025-43529, a use-after-free vulnerability in WebKit that could allow attackers to achieve arbitrary code execution, and CVE-2025-14174 (with a CVSS of 8.8), a WebKit zero-day that may result in memory corruption when handling maliciously crafted web pages. Both flaws can be exploited through specially crafted web content, requiring no app installation or user interaction beyond visiting a malicious page.

Apple confirmed it is aware that the flaws may have been exploited in an extremely sophisticated attack against specific targeted individuals running iOS versions prior to iOS 26.

Notably, CVE-2025-14174 is the same vulnerability Google patched in Chrome on December 10, 2025. Google described it as an out-of-bounds memory access issue in ANGLE, its open-source graphics library, specifically within the Metal renderer. Because ANGLE is shared across platforms, this points to cross-browser exploitation rather than an isolated bug.

Both vulnerabilities were identified through collaboration between Apple Security Engineering and Architecture and Google Threat Analysis Group. The fact that both flaws affect WebKit strongly suggests they were weaponized for highly targeted surveillance campaigns. Any device capable of rendering WebKit content, including iPhone 11 and later, supported iPads, Apple Watch Series 6+, Apple TV, and Vision Pro, was within scope. 

Apple released fixes across almost its entire ecosystem, including iOS and iPadOS (26.2 and 18.7.3), macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2 for macOS Sonoma and Sequoia.

As potential CVE-2025-43529 and CVE-2025-14174 mitigation measures, organizations should enforce immediate OS and browser updates across all Apple devices, verify MDM compliance to prevent patch deferral, and treat any delay in applying updates as a real security exposure. Defenders should assume modern web-based exploits can bypass app-level controls, actively monitor for anomalous browser or network behavior following patch deployment, and, for high-risk users, recognize that patch latency directly expands the attack surface.

WebKit zero-days underscore a critical reality: today’s most dangerous attacks often begin in the browser. The combination of stealthy exploitation, zero user interaction, and the potential for complete device takeover makes these vulnerabilities especially dangerous and demands rapid, decisive action from defenders. Rely on SOC Prime Platform to reach the world’s largest detection intelligence dataset, adopt an end-to-end pipeline that spans detection through simulation while streamlining security operations and speeding up response workflows, reduce engineering overhead, and always stay ahead of emerging threats.




CVE-2025-62221 and CVE-2025-54100: Windows Elevation of Privilege and RCE Zero-Day Vulnerabilities Patched

11 December 2025, 17:24
CVE-2025-62221 and CVE-2025-54100 Vulnerabilities

Hot on the heels of CVE-2025-66516, the maximum-severity Apache Tika XXE vulnerability, a couple of other security flaws have emerged in Windows products. In its December 2025 security update, Microsoft addressed 57 vulnerabilities, including two zero-days, CVE-2025-62221 and CVE-2025-54100.

Microsoft’s technologies underpin a vast share of the global digital infrastructure, making the security of its ecosystem especially critical. The 2025 BeyondTrust Microsoft Vulnerabilities Report notes that 2024 set a new record with 1,360 disclosed Microsoft vulnerabilities—an 11% jump from the previous year—with Elevation of Privilege (EoP) and RCE issues standing out as the most severe. That trend continued into 2025, with Tenable noting that Microsoft delivered patches for 1,129 CVEs in 2025—the second consecutive year the company exceeded the thousand-vulnerability threshold. In the December 2025 Patch Tuesday rollout, EoP flaws made up half of all addressed vulnerabilities, with RCE vulnerabilities following at roughly one-third (33.9%). The above-mentioned zero-days addressed in the December 2025 Patch Tuesday also fit into these threat categories. 

Register for SOC Prime Platform, the industry-first AI-Native Detection Intelligence Platform for real-time defense, to explore a collection of 600,000+ detection rules addressing the latest threats and equip your team with AI and top cybersecurity expertise. Click Explore Detections to reach the extensive rule set for vulnerability exploit detection, pre-filtered using the custom “CVE” tag.


All detection rules can be used across multiple SIEM, EDR, and Data Lake platforms and are aligned with the latest MITRE ATT&CK® framework v18.1. Explore AI-native threat intelligence, including CTI references, attack timelines, audit configurations, triage recommendations, and more threat context each rule is enriched with.

Security teams can also significantly reduce detection engineering overhead with Uncoder AI by instantly converting detection logic across multiple language formats for enhanced translation accuracy, crafting detections from raw threat reports, visualizing Attack Flows, accelerating enrichment and fine-tuning while streamlining validation workflows. 

CVE-2025-62221 and CVE-2025-54100 Analysis

Microsoft is wrapping up the year by releasing patches for 57 security vulnerabilities in Windows products covered in its December 2025 security update release, including two zero-days with a CVSS score of 7.8, CVE-2025-62221 and CVE-2025-54100.

The actively exploited flaw, CVE-2025-62221, is a use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authenticated local attacker to escalate privileges to SYSTEM. By exploiting this flaw, adversaries can gain full control of affected Windows systems without user interaction, though local access is required.

The vendor has confirmed active exploitation of CVE-2025-62221 in the wild; however, specific attack methods remain undisclosed. The vulnerability impacts systems with the Cloud Files minifilter, which is present even if apps like OneDrive, Google Drive, or iCloud aren’t installed.

Due to the increasing exploitation risks, CISA has recently added CVE-2025-62221 to its KEV catalog, requiring Federal Civilian Executive Branch agencies to apply the update by December 30, 2025. 

Another zero-day, CVE-2025-54100, is an RCE flaw in Windows PowerShell that allows unauthenticated attackers to run arbitrary code if they can get a user to execute a crafted PowerShell command, for instance, via Invoke-WebRequest.

The risk becomes more pronounced when paired with common social-engineering tactics: adversaries could trick a user or administrator into running a PowerShell snippet that retrieves malicious content from a remote server, triggering a parsing bug and enabling code execution or implant delivery. Although the issue is publicly known, Microsoft reports no active exploitation and currently rates the likelihood of exploitation as low. The flaw requires no privileges but does rely on user interaction, making social engineering the most probable attack path.

As potential CVE-2025-62221 and CVE-2025-54100 mitigation measures, organizations that rely on the corresponding Windows products are urged to apply the patches immediately. With SOC Prime’s AI-Native Detection Intelligence Platform, SOC teams can source detection content from the largest and continuously updated repository, seamlessly adopt the full pipeline from detection to simulation into their security processes, orchestrate workflows in their natural language, and smoothly navigate the ever-changing threat landscape while strengthening defenses at scale.



