The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding critical vulnerabilities in popular TP-Link router models that are currently being actively exploited by cybercriminals. These security flaws affect widely-used home and small business networking devices, putting millions of users at risk. Critical Vulnerabilities Identified Two severe vulnerabilities have been added to […]
A new security exploit has been discovered that lets attackers slip malicious code into widely used desktop applications including Signal, 1Password, Slack, and Google Chrome by evading built-in code integrity checks. The vulnerability, tracked as Electron CVE-2025-55305, affects nearly every app built on the Chromium engine when they use Electron, a popular framework for making […]
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild.
The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month.
“SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module
CISA has issued an urgent alert regarding a zero-day vulnerability in the Android operating system that is being actively exploited in real-world attacks.
The vulnerability, identified as CVE-2025-48543, is a high-severity issue that could allow attackers to gain elevated control over affected devices.
On Thursday, September 4, 2025, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling a confirmed and ongoing threat to users.
The vulnerability is described as a use-after-free vulnerability within the Android Runtime (ART), the core component responsible for executing applications on Android devices.
According to CISA's catalog entry, this memory-corruption bug can be used to escape the Chrome browser sandbox, turning a compromised renderer into local privilege escalation on the device.
Android 0-Day Use-After-Free Vulnerability
A successful exploit would effectively grant an attacker higher-level permissions on the device, transforming a low-privilege compromise into a significant system-wide breach. This could enable them to install persistent malware, access sensitive user data, or take further control of the compromised device.
According to the information released by CISA, the specific threat actors or the nature of the campaigns leveraging this exploit, such as its use in ransomware attacks, are currently unknown.
However, inclusion in the KEV catalog means CISA has evidence of active exploitation in the wild; as a zero-day, the flaw was being used by attackers before a fix was publicly available.
KEV additions fall under CISA's standing Binding Operational Directive 22-01, so all Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor's mitigations by the deadline of September 25, 2025.
If patches are not available, agencies are instructed to discontinue the use of the product to prevent potential compromise.
Google has addressed the vulnerability in its September 2025 Android Security Bulletin, released on September 1. CISA’s advisory urges all organizations, as well as individual Android users, to prioritize installing this security update as soon as it is made available by their device manufacturer.
Given the severity of a privilege escalation flaw, all Android users are strongly encouraged to check for and apply the latest system updates immediately. To do so, users can typically navigate to Settings > System > System update.
Prompt patching remains the most critical defense against vulnerabilities that are being actively used in cyberattacks.
Researchers at NullSecurityX have described a critical, zero-click vulnerability that lets attackers hijack online accounts by exploiting how web applications handle internationalized email addresses.
The flaw, rooted in a technical discrepancy known as a “canonicalization mismatch,” affects password reset and “magic link” login systems, which are foundational to modern web security.
According to NullSecurityX, the attack requires no interaction from the victim, making it exceptionally dangerous. An attacker can gain full control of an account simply by requesting a password reset using a specially crafted email address that appears identical to the victim’s.
This method bypasses the need for phishing or tricking the user into clicking a malicious link.
The vulnerability stems from the interplay between Unicode, which allows for characters from various languages in domain names (Internationalized Domain Names or IDN), and Punycode, the system that converts these characters into the standard ASCII format used by internet infrastructure.
0-Click Vulnerability Using Punycode
Attackers can register a domain using Unicode characters that are visually indistinguishable from standard letters, such as a Cyrillic ‘o’ instead of a Latin ‘o’.
According to a technical analysis of the vulnerability, the attack unfolds when a web application’s backend processes a password reset request.
For example, an attacker might request a password reset for “victim@gmail.com” but submit the address with a full-width ‘m’ (U+FF4D) in place of the ASCII ‘m’ in “gmail.com”, a string that renders almost identically.
The application’s front-end or validation logic may fail to distinguish the legitimate address from the visually confusable one, for instance because it compares after a compatibility normalization (NFKC) or a case-insensitive database collation, and approves the request.
The mail layer, however, works on the raw string. If it does not apply the same mapping, the domain is encoded as a distinct Punycode label (an xn-- domain) that the attacker has registered, and the reset link is delivered there. The attacker then uses the privileged link to take over the account while the legitimate user remains completely unaware. Which confusables are dangerous depends on the exact mappings each layer applies: some, like full-width letters, collapse to the real domain under NFKC or UTS #46 processing, while others, like a Cyrillic ‘о’, always produce a separate xn-- label. The attack needs only one layer that treats the two strings as equal and another that does not.
This “0-click” nature is what makes the threat so severe. The compromise is not a result of user error but a fundamental flaw in how different layers of an application, from the user interface and validation rules to the database and mail servers, handle email addresses.
Each component may interpret the Unicode and Punycode versions differently, creating a gap that attackers can exploit, NullSecurityX said.
“The result is that two addresses that look the same to humans can be handled as different strings by the mail transport,” the research paper states.
Since email often serves as the ultimate “trust anchor” for recovering access to countless other online services, a compromise can have a cascading effect.
Experts are urging developers to immediately review and fortify their authentication systems. Mitigation requires canonicalizing email addresses once, at the input boundary, and using that single canonical form in every component; using validation libraries that understand Unicode confusables and mixed-script labels; and ensuring that database lookups and outbound mail key on the canonical form rather than the raw string.
This silent but potent threat highlights the need for a deeper, code-level understanding of how seemingly simple data like an email address is processed and trusted.
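The following is an added example, not code from the NullSecurityX research, that reproduces the canonicalization mismatch described above and shows one way to close it. The sample addresses are constructed; the victim domain, the full-width and Cyrillic variants, and the function names are illustrative assumptions. The script-mixing check is a deliberate simplification of the UTS #39 single-script rule and is labelled as such in the code.

```python
import unicodedata

# Constructed sample addresses (not from the NullSecurityX writeup): a plain
# Latin-script victim address and two visually confusable variants.
FULLWIDTH_M = "\uff4d"   # U+FF4D FULLWIDTH LATIN SMALL LETTER M
CYRILLIC_A = "\u0430"    # U+0430 CYRILLIC SMALL LETTER A
VICTIM = "victim@gmail.com"
FULLWIDTH_VARIANT = "victim@g" + FULLWIDTH_M + "ail.com"
CYRILLIC_VARIANT = "victim@gm" + CYRILLIC_A + "il.com"


def loose_match(a: str, b: str) -> bool:
    """A validation layer that compares after NFKC + case folding.
    Compatibility variants such as full-width letters collapse, so the
    confusable address 'matches' the victim's account."""
    def key(s):
        return unicodedata.normalize("NFKC", s).casefold()
    return key(a) == key(b)


def byte_match(a: str, b: str) -> bool:
    """Another layer (a binary-collated DB column, a mail queue) compares the
    raw strings. Same inputs, different verdict: that is the mismatch."""
    return a == b


def transport_domain(addr: str) -> str:
    """The ASCII A-label a mail transport would resolve, via IDNA ToASCII
    (Python's built-in 'idna' codec, which applies nameprep/NFKC)."""
    return addr.rsplit("@", 1)[1].encode("idna").decode("ascii")


def _letter_scripts(label: str) -> set:
    """Rough script detection: first word of each letter's Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', ...). A simplification of the UTS #39
    single-script rule, enough to catch the homographs discussed here."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def canonical_email(addr: str) -> str:
    """One canonicalization boundary. Validation, the database lookup and
    the mail sender must all key on this value, never on the raw input:
    NFKC-normalise, lower-case the domain, reject mixed-script labels, and
    store the domain as its ASCII A-label so DB and MTA agree."""
    addr = unicodedata.normalize("NFKC", addr.strip())
    if addr.count("@") != 1:           # quoted local parts are out of scope here
        raise ValueError("expected exactly one '@'")
    local, domain = addr.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    domain = domain.lower()
    for label in domain.split("."):
        if not label:
            raise ValueError("empty DNS label")
        if len(_letter_scripts(label)) > 1:
            raise ValueError("mixed-script label rejected: %r" % label)
    return local + "@" + domain.encode("idna").decode("ascii")


def is_rejected(addr: str) -> bool:
    """True when canonical_email refuses the address."""
    try:
        canonical_email(addr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("loose layer says equal:", loose_match(VICTIM, FULLWIDTH_VARIANT))
    print("byte layer says equal: ", byte_match(VICTIM, FULLWIDTH_VARIANT))
    print("Cyrillic variant routes to:", transport_domain(CYRILLIC_VARIANT))
    print("canonical full-width variant:", canonical_email(FULLWIDTH_VARIANT))
    print("Cyrillic variant rejected:", is_rejected(CYRILLIC_VARIANT))
```

The two comparison functions model the disagreement between layers: the full-width variant is "equal" to the victim's address under one and different under the other, which is all a reset flow needs to go wrong. With a single canonical form, the full-width variant collapses to the real domain (so any reset mail reaches the real owner), and the Cyrillic homograph, which IDNA would otherwise turn into a separate registrable xn-- label, is refused outright.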
Cybersecurity researchers have identified a sophisticated new command-and-control framework that exploits legitimate Google Calendar APIs to establish covert communication channels between attackers and compromised systems.
The MeetC2 framework, discovered in September 2025, represents a concerning evolution in adversarial tactics where threat actors abuse trusted cloud services to bypass traditional security controls and evade detection mechanisms.
The framework operates by masquerading malicious traffic as routine business communications through Google’s widely-trusted domains, specifically “oauth2.googleapis.com” and “www.googleapis.com”.
This approach allows malicious activities to blend seamlessly with normal organizational traffic, making detection significantly more challenging for security teams.
The cross-platform compatibility across macOS and Linux systems further amplifies its potential impact on diverse enterprise environments.
Deriv Tech researchers noted that the framework’s design demonstrates a sophisticated understanding of modern security architectures and cloud service abuse techniques.
The proof-of-concept implementation highlights how easily adversaries can leverage legitimate SaaS platforms for malicious purposes, exploiting the inherent trust organizations place in major cloud providers.
The attack methodology centers around a polling-based communication system where compromised agents send GET requests every 30 seconds to specific Google Calendar API endpoints.
When operators need to issue commands, they create calendar events with embedded instructions in the summary field, formatted as “Meeting from nobody: [COMMAND]”.
Attack chain (Source – Medium)
The victim agent identifies these command events during regular polling cycles, extracts the commands, executes them locally, and updates the same calendar event with execution results embedded within [OUTPUT] [/OUTPUT] parameters in the description field.
Technical Implementation and Evasion Mechanisms
The MeetC2 framework’s technical architecture reveals sophisticated evasion capabilities that exploit the ubiquity and trusted nature of Google services.
The authentication process utilizes standard OAuth2 flows, requiring attackers to create legitimate Google Cloud Console projects and service accounts with calendar access permissions.
This approach ensures all communications appear as authorized API interactions rather than suspicious network traffic.
The implementation requires minimal infrastructure, operating entirely through Google’s existing Calendar API infrastructure.
Operators authenticate through service accounts configured with “Make changes to events” permissions on shared calendars.
The polling mechanism employs a 30-second interval, striking a balance between operational responsiveness and avoiding excessive API requests that might trigger rate limiting or suspicious activity alerts.
Code execution occurs through command extraction from calendar event summaries, with results uploaded back to the same event’s description field.
This bidirectional communication model creates a complete command-and-control channel while maintaining the appearance of legitimate calendar synchronization activities.
The framework supports targeted command execution using host-specific syntax like “exec @host:command” or broadcast commands across multiple compromised systems simultaneously.
The persistence and stealth characteristics of MeetC2 make it particularly concerning for enterprise security teams: the framework never contacts attacker-owned infrastructure, only Google domains that organizations explicitly allow-list for business operations, so network-layer indicators are limited to the fixed 30-second polling cadence and the unusual volume of calendar writes from a single host.
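The following is an added example, not part of the MeetC2 proof of concept or the Deriv Tech analysis, that shows how a defender could hunt for the two observable artefacts described above: tasking events whose summary matches the “Meeting from nobody:” pattern (with the “exec @host:command” targeting syntax and the [OUTPUT] markers) in a Calendar events.list response, and the 30-second polling cadence in proxy logs. The event JSON and the proxy log lines are constructed; the endpoint path follows the Calendar v3 events.list URL, and the log format and thresholds are assumptions.

```python
import json
import re
import statistics
from datetime import datetime

# Patterns taken from the tasking format described in the writeup.
CMD_RE = re.compile(r"^Meeting from nobody:\s*(?P<cmd>.+)$")
TARGET_RE = re.compile(r"^exec\s+@(?P<host>[^:\s]+):(?P<cmd>.+)$")
OUT_RE = re.compile(r"\[OUTPUT\](?P<out>.*?)\[/OUTPUT\]", re.S)

# Constructed events.list response (not real operator data).
SAMPLE_EVENTS = json.dumps({"kind": "calendar#events", "items": [
    {"id": "evt-1", "summary": "Quarterly planning",
     "description": "Agenda attached"},
    {"id": "evt-2", "summary": "Meeting from nobody: exec @ws-17:whoami",
     "description": "[OUTPUT]ws-17\\alice[/OUTPUT]"},
    {"id": "evt-3", "summary": "Meeting from nobody: uname -a",
     "description": ""},
]})


def find_c2_events(events_json: str) -> list:
    """Scan a Calendar events.list response for MeetC2-style tasking.
    Returns one dict per hit with target host ('*' = broadcast), the
    command, and any output the agent has already written back."""
    hits = []
    for ev in json.loads(events_json).get("items", []):
        m = CMD_RE.match(ev.get("summary") or "")
        if not m:
            continue
        raw = m.group("cmd").strip()
        t = TARGET_RE.match(raw)
        host, cmd = (t.group("host"), t.group("cmd").strip()) if t else ("*", raw)
        o = OUT_RE.search(ev.get("description") or "")
        hits.append({"id": ev.get("id"), "target": host, "command": cmd,
                     "output": o.group("out") if o else None})
    return hits


# Constructed proxy log, one request per line: "<iso-time> <src-ip> <method> <url>".
# 10.0.0.12 polls every 30 s (the agent); 10.0.0.7 is a human using Calendar.
CAL_EVENTS = "https://www.googleapis.com/calendar/v3/calendars/primary/events"
SAMPLE_LOG = "\n".join([
    "2025-09-05T10:00:00Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:00:05Z 10.0.0.7 GET " + CAL_EVENTS,
    "2025-09-05T10:00:30Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:01:00Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:01:02Z 10.0.0.12 PUT " + CAL_EVENTS + "/evt-2",
    "2025-09-05T10:01:30Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:02:00Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:02:30Z 10.0.0.12 GET " + CAL_EVENTS,
    "2025-09-05T10:03:40Z 10.0.0.7 GET " + CAL_EVENTS,
    "2025-09-05T10:04:02Z 10.0.0.7 GET " + CAL_EVENTS,
    "2025-09-05T10:11:15Z 10.0.0.7 GET " + CAL_EVENTS,
    "2025-09-05T10:12:00Z 10.0.0.7 GET " + CAL_EVENTS,
])
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
CAL_PATH = "www.googleapis.com/calendar/v3/calendars/"


def beaconing_sources(log_lines, period=30.0, tolerance=2.0, min_hits=5) -> dict:
    """Flag source IPs that GET the Calendar events endpoint on a fixed period.
    Returns {src: (hit_count, median_interval_seconds)} for matching sources."""
    times = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET" or CAL_PATH not in m.group("url"):
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        times.setdefault(m.group("src"), []).append(ts)
    flagged = {}
    for src, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        med = statistics.median(gaps)
        # A human's requests are bursty; an agent's gaps cluster tightly on the period.
        if abs(med - period) <= tolerance and statistics.pstdev(gaps) <= tolerance:
            flagged[src] = (len(ts_list), med)
    return flagged


if __name__ == "__main__":
    for hit in find_c2_events(SAMPLE_EVENTS):
        print("tasking event:", hit)
    print("beaconing hosts:", beaconing_sources(SAMPLE_LOG.splitlines()))
```

The event scan is the cheap, high-confidence check if your Workspace audit or DLP tooling exposes event content; the cadence check works from proxy or TLS logs alone, since the request goes to a Google domain but the 30-second rhythm is the agent's, not a user's. Raise `min_hits` and widen `tolerance` to taste if operators add jitter.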
A sophisticated cryptojacking campaign that hijacks Windows’ native Character Map utility (“charmap.exe”) to evade Windows Defender and covertly mine cryptocurrency on compromised machines. First detected in late August 2025, this attack exploits legitimate system binaries to load a custom cryptomining payload directly into memory, thwarting traditional antivirus signatures and curtailing forensic artifacts. Security researchers have […]
Security teams began observing a novel botnet strain slipping beneath the radar of standard Windows Defender defenses in early August 2025.
Dubbed NightshadeC2, this malware family leverages both C and Python-based payloads to establish persistent, remote-control access on compromised hosts.
Initial infection chains often start with customized “ClickFix” landing pages that trick users into executing commands via the Windows Run prompt, while secondary campaigns employ trojanized installers of popular utilities such as Advanced IP Scanner, CCleaner, and various VPN clients.
Once executed, NightshadeC2 rapidly escalates privileges, disables or excludes its components from Defender scans, and calls home to a dynamic command and control infrastructure.
As the campaign unfolded, eSentire analysts identified a distinctive loader component responsible for delivering the final payload.
This .NET-based loader executes in a tight loop, spawning PowerShell processes designed to add Defender exclusions for NightshadeC2 before allowing the payload to run.
Should Defender service checks fail or the user decline elevation, the loader repeats its prompts ad nauseam—a technique the researchers have termed “UAC Prompt Bombing.”
The relentless barrage of elevation requests not only frustrates malware sandbox environments but also coerces real users into granting the necessary permissions to proceed.
Upon securing Defender exclusions, the loader writes persistence entries into three separate registry locations—Winlogon, RunOnce, and Active Setup—to guarantee execution at system startup.
It then downloads and decrypts the core C variant over TCP ports typically reserved for web traffic (80 and 443) or high-numbered ports (7777, 33336, 33337).
The malware immediately collects victim system details via public geo-IP lookup services and registry queries to form a unique fingerprint, before negotiating an RC4-encrypted session key with its C2.
Through this clandestine channel, operators can issue an array of commands—ranging from reverse shell initiation to payload downloads, screen captures, and automated keylogging.
UAC Prompt Bombing: Bypassing Defender via Relentless Elevation Loops
Central to NightshadeC2’s stealth is its UAC Prompt Bombing routine. After loading the .NET module, the loader builds a PowerShell command that adds the path of its as-yet-unwritten payload to Defender’s exclusion list; eSentire’s screenshot of the second-stage PowerShell loader shows how that exclusion command is concatenated together.
Second stage PowerShell loader (Source – eSentire)
The loader checks the exit code of that elevated PowerShell run. When Defender is disabled or non-responsive, the exit code stays nonzero and the loader simply tries again, so a sandbox that cannot satisfy the elevation prompt is trapped in an endless loop of UAC dialogs and never reaches the payload stage.
‘Show details’ of UAC prompt (Source – eSentire)
Once a user finally approves the elevation or the service status changes, the loop breaks, and the final payload is delivered.
By leveraging this simple yet powerful mechanism, NightshadeC2 evades both automated and manual inspection, allowing its operators to steal credentials from major browsers, launch hidden browser instances on victim desktops, and maintain long-term persistence across targeted networks.
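The following is an added example, not part of eSentire’s analysis or the malware itself, that shows how the two loader behaviours described above look in endpoint telemetry and how to detect them: a parent process spawning PowerShell `Add-MpPreference -Exclusion...` commands in a tight loop (the prompt-bombing retry), and registry writes to the three persistence locations named in the article (Winlogon, RunOnce, Active Setup). The records are constructed, Sysmon-style JSON lines (Event ID 1 = process creation, Event ID 13 = registry value set), trimmed to the fields used; the paths, GUIDs and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Any PowerShell invocation that adds a Defender exclusion.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)
# Key-path fragments for the three persistence locations the loader uses.
PERSISTENCE_KEYS = (
    r"\CurrentVersion\Winlogon",
    r"\CurrentVersion\RunOnce",
    r"\Active Setup\Installed Components",
)

# Constructed telemetry (not from a real incident).
LOADER = r"C:\Users\alice\AppData\Local\Temp\update.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCL_CMD = r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming\svc'"


def _rec(event_id, utc_time, **fields):
    return dict(EventID=event_id, UtcTime=utc_time, **fields)


_RECORDS = [
    # Loader retrying the exclusion every couple of seconds: prompt bombing.
    _rec(1, "2025-09-05 10:00:00.000", ParentProcessGuid="{loader-1}",
         ParentImage=LOADER, Image=PS, CommandLine=EXCL_CMD),
    _rec(1, "2025-09-05 10:00:02.100", ParentProcessGuid="{loader-1}",
         ParentImage=LOADER, Image=PS, CommandLine=EXCL_CMD),
    _rec(1, "2025-09-05 10:00:04.300", ParentProcessGuid="{loader-1}",
         ParentImage=LOADER, Image=PS, CommandLine=EXCL_CMD),
    _rec(1, "2025-09-05 10:00:06.200", ParentProcessGuid="{loader-1}",
         ParentImage=LOADER, Image=PS, CommandLine=EXCL_CMD),
    # An admin adding one exclusion by hand from Explorer: not a loop.
    _rec(1, "2025-09-05 10:30:00.000", ParentProcessGuid="{explorer-1}",
         ParentImage=r"C:\Windows\explorer.exe", Image=PS,
         CommandLine=r"powershell Add-MpPreference -ExclusionPath 'D:\builds'"),
    # Persistence writes by the loader once the exclusion succeeded.
    _rec(13, "2025-09-05 10:00:09.000", Image=LOADER,
         TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc"),
    _rec(13, "2025-09-05 10:00:09.200", Image=LOADER,
         TargetObject=r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{svc}\StubPath"),
    # Benign installer writing an ordinary Run key: not one of the three.
    _rec(13, "2025-09-05 11:00:00.000", Image=r"C:\Program Files\Vendor\setup.exe",
         TargetObject=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray"),
]
SAMPLE_SYSMON = "\n".join(json.dumps(r) for r in _RECORDS)


def parse_sysmon(lines) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def exclusion_loops(events, min_attempts=3, window_s=60) -> dict:
    """Parents that spawn >= min_attempts exclusion-adding PowerShell
    processes within window_s seconds. Returns {parent_guid: total_attempts}."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if "powershell" not in ev.get("Image", "").lower():
            continue
        if not EXCLUSION_RE.search(ev.get("CommandLine", "")):
            continue
        by_parent[ev["ParentProcessGuid"]].append(datetime.fromisoformat(ev["UtcTime"]))
    flagged = {}
    for parent, ts in by_parent.items():
        ts.sort()
        for i in range(len(ts) - min_attempts + 1):   # sliding window over attempts
            if (ts[i + min_attempts - 1] - ts[i]).total_seconds() <= window_s:
                flagged[parent] = len(ts)
                break
    return flagged


def persistence_writes(events) -> list:
    """(image, target_key) for registry writes under the three loader locations."""
    hits = []
    for ev in events:
        target = ev.get("TargetObject", "")
        if ev.get("EventID") == 13 and any(k.lower() in target.lower() for k in PERSISTENCE_KEYS):
            hits.append((ev["Image"], target))
    return hits


if __name__ == "__main__":
    evs = parse_sysmon(SAMPLE_SYSMON.splitlines())
    print("exclusion loops:", exclusion_loops(evs))
    print("persistence writes:", persistence_writes(evs))
```

Correlating the two (the same image that bombed the user with exclusion prompts then writing RunOnce or Active Setup values) is a much stronger signal than either alone; a lone `Add-MpPreference` from an interactive shell is routine admin work, which is why the loop detector keys on repetition from one parent inside a short window.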
A sophisticated North Korean cyber operation has been exposed, revealing how state-sponsored hackers systematically monitor cybersecurity intelligence platforms to detect when their malicious infrastructure is discovered and rapidly deploy replacement assets to maintain operations. The analysis, conducted by SentinelLABS in collaboration with Validin, provides unprecedented insight into the operational practices of threat actors behind the […]