• Your home router, the device connecting you to the internet, may have been silently compromised as part of a coordinated global espionage campaign. SecurityScorecard’s STRIKE team has uncovered Operation WrtHug. This massive hacking operation has infiltrated thousands of ASUS routers worldwide, establishing what appears to be a state-sponsored infrastructure for persistent network access and deep […]

    The post Massive Hacking Operation WrtHug Compromises Thousands of ASUS Routers Worldwide appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A threat actor known as Zeroplayer has reportedly listed a zero-day remote code execution (RCE) vulnerability, combined with a sandbox escape, targeting Microsoft Office and Windows systems for sale on underground hacking forums.

    Priced at $30,000, the exploit purportedly works on most Office file formats, including the latest versions, and affects fully patched Windows installations.

    This development raises alarms in the cybersecurity community, as it could enable attackers to bypass Microsoft’s robust sandbox protections and execute arbitrary code with minimal user interaction.

    The advertisement, posted in Russian on a prominent hacking forum, describes the vulnerability as a high-impact 0-day capable of delivering payloads through malicious Office documents.

    Zeroplayer claims the exploit chain allows remote attackers to escape the Office sandbox, a critical security feature designed to isolate potentially harmful code, and achieve full system compromise on Windows.

    Delivery methods involve embedding the exploit in common file types like Word or Excel documents, which could be distributed via phishing emails or compromised websites.

    [Image: Alleged Microsoft Office 0-Day RCE claim posted on the hacking forum]

    Details of the Hacker Forum Listing

    The seller invites private messages for demonstrations and proof-of-concept details, emphasizing compatibility with recent updates to mitigate detection by antivirus tools.

    This isn’t Zeroplayer’s first foray into the exploit market; the actor previously offered a WinRAR zero-day RCE for $80,000 in July 2025, highlighting a pattern of targeting widely used productivity and archiving software.

    Such sales underscore the lucrative underground economy for zero-days, where exploits fetch premium prices before public disclosure or patching.

    Microsoft’s November 2025 Patch Tuesday addressed multiple critical RCE flaws in Office, including CVE-2025-62199, a use-after-free vulnerability exploitable via malicious documents.

    However, that patch focused on known issues and did not reference this alleged 0-day, suggesting it remains unpatched and potentially more dangerous due to its sandbox escape component.

    Sandbox escapes are particularly concerning, as they neutralize one of Office’s primary defenses against macro-based attacks, allowing malware to spread laterally across networks.

    Experts note that Russian-language forums like the one hosting this listing often serve as hubs for state-affiliated or opportunistic threat actors, who may weaponize such exploits for ransomware, espionage, or data theft.

    Similar past incidents, such as the 2023 exploitation of CVE-2023-36884 by the Russian group Storm-0978, involved Office RCE for backdoor deployment against Western targets.

    The potential fallout from this 0-day is significant, especially for enterprises reliant on Microsoft 365. Attackers could leverage it to compromise supply chains or conduct targeted intrusions, evading endpoint detection responses.

    Given Office’s ubiquity across over 1.4 billion devices globally, unpatched systems face a heightened risk of infection through spear-phishing.

    Organizations should prioritize macro disabling in Office policies, enable Protected View for all documents, and deploy advanced threat protection tools.

    Monitoring for anomalous forum activity and applying upcoming patches urgently is advised, as Microsoft may accelerate fixes if exploitation evidence emerges.


    The post Threat Actors Allegedly Selling Microsoft Office 0-Day RCE Vulnerability on Hacking Forums appeared first on Cyber Security News.


  • noBGP has launched pi GPT, a groundbreaking integration that transforms Raspberry Pi devices into ChatGPT-controlled development and production environments. The new tool eliminates the complexity of traditional networking, allowing developers to write, deploy, and manage code directly via natural language prompts without configuration headaches.

    Simplifying Local Development with AI

    The Pi GPT integration represents a […]

    The post Pi GPT Tool Turns Raspberry Pi into a ChatGPT-Powered Smart Device appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Nation-state actors are fundamentally changing how they conduct military operations. The boundary between digital attacks and physical warfare is disappearing rapidly.

    Instead of treating cybersecurity and military operations as separate activities, hostile nations are now blending them together in coordinated campaigns.

    These new attacks start with digital operations designed specifically to gather information that enables physical military strikes.

    This represents a major shift in global security threats that organizations worldwide need to understand and prepare for.

    The traditional approach to security treats digital threats and physical dangers as completely separate problems.

    Cybersecurity teams focus on networks and systems, while military and physical security teams handle different concerns.

    However, recent investigations reveal that this separation no longer exists in the real world. Nation-state threat groups are connecting cyber reconnaissance directly to kinetic targeting, creating a unified attack strategy that is far more dangerous than traditional cyberattacks alone.

    AWS security analysts identified this trend after observing multiple coordinated campaigns across different critical infrastructure sectors.

    They discovered that threat actors are methodically using cyber operations to gather real-time intelligence that directly supports military targeting decisions.

    This finding comes from AWS’s unique ability to monitor cloud operations globally, analyze honeypot data that captures attacker behavior, and collaborate with enterprise customers and government agencies to validate observed threats.

    Technical Infrastructure Reveals Sophisticated Coordination

    The technical methods these threat actors employ show impressive coordination and planning. They use multiple layers of security tools to hide their true locations, starting with anonymizing VPN networks that obscure their origins and make attribution challenging.

    They establish dedicated servers under their control to maintain persistent access and command capabilities. Once they compromise enterprise systems hosting critical infrastructure like security cameras or maritime platforms, they establish real-time data streaming channels.

    These live feeds from compromised cameras and sensors provide actionable intelligence that threat actors can use to adjust targeting decisions in near real time.

    One clear example involved Imperial Kitten, a threat group linked to Iran’s Revolutionary Guard. They compromised maritime vessel systems starting in December 2021, gained access to onboard CCTV cameras by August 2022, then conducted targeted searches for specific ship locations in January 2024.

    Just weeks later, in February 2024, missile strikes targeted the exact vessel they had been tracking, correlating cyber reconnaissance directly with kinetic attacks.

    A second case involved MuddyWater, another Iranian threat group, using compromised security cameras in Jerusalem to gather real-time intelligence before missile attacks in June 2025.

    This demonstrates how cyber operations and physical military actions now operate as unified strategies rather than separate threats.


    The post Threat Actors Pioneering a New Operational Model That Combines Digital and Physical Threats appeared first on Cyber Security News.


  • The United States, Australia, and the United Kingdom have announced coordinated sanctions against Media Land, a Russia-based bulletproof hosting provider, and related entities for supporting ransomware operations and other cybercrimes. The Department of the Treasury’s Office of Foreign Assets Control (OFAC), working with international partners and the FBI, has designated the company’s leadership team and […]

    The post Authorities Sanction Russia-Based Bulletproof Hosting Provider for Aiding Ransomware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs


  • N-able’s N-central remote management and monitoring (RMM) platform faces critical security risks following the discovery of multiple vulnerabilities.

    According to Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication, access legacy APIs, and exfiltrate sensitive files, including credentials and database backups.

    The Vulnerability Chain

    Earlier this year, N-able N-central was added to the CISA Known Exploited Vulnerabilities (KEV) catalog for CVE-2025-8875 and CVE-2025-8876.

    These vulnerabilities enable authenticated attackers to achieve remote code execution via deserialization and command injection.

    [Image: Shodan exposure of N-central instances]

    Horizon3.ai researchers then found further, more serious flaws in the latest versions and chained the new weaknesses into a dangerous attack chain.

    Aspect             | CVE-2025-9316                                        | CVE-2025-11700
    CVE ID             | CVE-2025-9316                                        | CVE-2025-11700
    Vulnerability Name | Authentication Bypass via Weak Authentication Method | XML External Entity (XXE) Information Leak
    CVSS Score         | 9.1                                                  | 8.2
    Severity           | Critical                                             | High

    An unauthenticated attacker can exploit CVE-2025-9316, a weak authentication bypass in the legacy SOAP API, to obtain valid session IDs.

    This initial access opens doors to CVE-2025-11700, an XML External Entity (XXE) injection vulnerability that allows reading arbitrary files from the filesystem.

    With approximately 3,000 N-central instances exposed on the internet according to Shodan, the attack surface is significant.

    Horizon3.ai researchers demonstrated how attackers can chain these vulnerabilities to read sensitive configuration files, including /opt/nable/var/ncsai/etc/ncbackup.conf, which contains database backup credentials stored in cleartext.

    [Image: Decrypting secrets given masterPassword and keystore.bcfks]

    Most critically, accessing the N-central database backup reveals all integration secrets: domain credentials, API keys, SSH private keys, and encrypted database entries.

    Using cryptographic keys stored in the backup (masterPassword and keystore.bcfks), attackers can decrypt all stored secrets, leading to complete infrastructure compromise.

    N-able addressed these vulnerabilities in version 2025.4.0.9, released on November 5, 2025, by restricting access to vulnerable legacy SOAP API endpoints.

    Organizations should upgrade immediately and review logs for indicators of exploitation, including “Failed to import service template” entries in dmsservice.log.

    The vulnerability chain demonstrates why legacy API endpoints pose persistent security risks in enterprise software, particularly for widely deployed RMM solutions that threat actors commonly target.


    The post Critical N-able N-central Vulnerabilities Allow attacker to interact with legacy APIs and read sensitive files appeared first on Cyber Security News.


  • Twonky Server version 8.5.2 contains two critical authentication bypass vulnerabilities that allow unauthenticated attackers to gain full administrative access to the media server software.

    Rapid7 discovered that the vulnerabilities can be chained together to compromise administrator accounts without any user interaction or valid credentials. The vulnerabilities affect Twonky Server installations on both Linux and Windows platforms.

    Twonky Server is widely deployed in network-attached storage (NAS) devices, routers, set-top boxes, and gateways worldwide, with approximately 850 instances currently exposed to the public internet according to Shodan data.

    Vulnerabilities Let Attackers Bypass Authentication

    The first vulnerability (CVE-2025-13315) allows attackers to bypass API authentication controls through an alternative routing mechanism.

    By using the “/nmc/rpc/” prefix instead of the standard “/rpc/” path, attackers can access the log_getfile endpoint without authentication.

    This endpoint exposes application logs containing the administrator’s username and encrypted password.

    The second vulnerability (CVE-2025-13316) makes password decryption easy. Twonky Server uses hardcoded Blowfish encryption keys across all installations.

    CVE            | Description                                          | CVSS Score
    CVE-2025-13315 | API authentication bypass via alternative routing    | 9.3 (Critical)
    CVE-2025-13316 | Hardcoded encryption keys enable password decryption | 8.2 (High)

    Rapid7 researchers identified twelve static keys embedded in the compiled binary, meaning any attacker with knowledge of the encrypted password can decrypt it to plaintext using these publicly available keys.

    Rapid7 responsibly reported these vulnerabilities to Lynx Technology, the vendor behind Twonky Server.

    However, the vendor ceased communications after acknowledging receipt of the technical disclosure and stated that patches would not be possible.

    Version 8.5.2 remains the latest available release with no security updates. Organizations using Twonky Server should immediately restrict application traffic to trusted IP addresses only.

    All administrator credentials should be considered compromised and rotated if the server is exposed to untrusted networks.

    Rapid7 has released a Metasploit module that demonstrates the complete exploitation chain and plans to provide detection capabilities in its vulnerability scanning tools.


    The post Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication appeared first on Cyber Security News.


  • Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. “A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor


  • A critical authentication bypass vulnerability in the Milvus vector database could allow attackers to gain administrative access without credentials. The flaw exists in how the Milvus Proxy component handles HTTP headers, treating user-controlled data as trusted internal credentials.

    Critical Security Risk in Vector Database

    Milvus, an open-source vector database widely used for generative AI applications, […]

    The post Milvus Proxy Flaw Lets Attackers Forge Headers and Skip Authorization appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
