This week in cybersecurity was marked by a relentless pace of critical disclosures and unprecedented attack volumes, underscoring the escalating challenges facing defenders.

At the forefront was Google’s emergency patch for yet another actively exploited zero-day vulnerability in its Chrome browser.

The high-severity flaw required an urgent response, highlighting the persistent threat posed by sophisticated actors targeting the world’s most popular web browser and reminding users of the critical importance of enabling automatic updates.

The theme of escalation continued with reports of a record-shattering Distributed Denial-of-Service (DDoS) attack that peaked at an astonishing 22.2 Terabits per second (Tbps).

This massive assault demonstrates a terrifying new level of firepower available to threat actors, raising serious questions about the resilience of internet infrastructure and the defensive capabilities of even the most well-prepared organizations.

The attack serves as a stark warning that the scale of cyber threats is growing exponentially, pushing the boundaries of conventional mitigation strategies.

Adding to the pressure on network administrators, Cisco disclosed a new zero-day vulnerability in its IOS XE software that is being actively exploited in the wild.

Affecting a wide range of the company’s enterprise routers and switches, the flaw could allow unauthenticated attackers to gain control of critical network devices, creating a significant risk for organizations worldwide.

Amidst the wave of vulnerabilities, the security community received a welcome update with the release of Kali Linux 2025.3. The latest version of the popular penetration testing and digital forensics distribution introduces new tools, updated packages, and kernel enhancements.

This release equips ethical hackers and security researchers with the latest capabilities to identify and address the very vulnerabilities making headlines. In this edition, we provide an in-depth analysis of these events and cover other major developments to keep you informed.

Vulnerabilities

Chrome Zero-Day Flaw Actively Exploited

A critical type confusion zero-day vulnerability in Google Chrome’s V8 JavaScript engine, identified as CVE-2025-10585, is being actively exploited by threat actors. The high-severity flaw, which has a CVSS score of 8.8, can allow for remote code execution. Attackers are reportedly using it in campaigns targeting cryptocurrency wallets and for espionage operations. The vulnerability works by manipulating the TurboFan JIT compiler. Google has released a patch, and users are urged to update to Chrome version 140.0.7339.185 or later. Read more

Critical RCE Flaw in SolarWinds Web Help Desk

SolarWinds has issued an urgent patch for a critical vulnerability (CVE-2025-26399) in its Web Help Desk software. The flaw, which has a CVSS score of 9.8, allows an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability is due to the deserialization of untrusted data and is notably a patch bypass for two previously disclosed vulnerabilities. All users of version 12.8.7 are advised to apply the new hotfix immediately. Read more

Google Patches More High-Severity Chrome Flaws

Google has released another security update for Chrome, this time addressing three high-severity vulnerabilities that could lead to sensitive information leaks and system instability. The patched flaws (CVE-2025-10890, CVE-2025-10891, and CVE-2025-10892) are found in the V8 JavaScript engine. CVE-2025-10890 is a side-channel information leakage vulnerability, while the others are integer overflow issues. Users should update to Chrome version 140.0.7339.207/.208 to be protected. Read more

Salesforce CLI Installer Vulnerability

A high-severity flaw (CVE-2025-9844) has been discovered in the Salesforce CLI installer that could allow an attacker to gain SYSTEM-level access on Windows machines. The vulnerability, rated 8.8 on the CVSS scale, stems from the installer improperly handling executable file paths, which can be exploited through a binary planting technique. Versions prior to 2.106.6 are affected, and users are advised to update from official Salesforce channels. Read more

OnePlus Phones Leaking SMS Data

A significant vulnerability (CVE-2025-10184) in OnePlus’s OxygenOS (versions 12 through 15) allows any app to read SMS and MMS messages without user permission. The flaw, with a severity score of 8.2, could expose sensitive information such as two-factor authentication codes. OnePlus has acknowledged the issue and plans to roll out a fix via a software update starting in mid-October. Read more

Cisco Patches Actively Exploited IOS Zero-Day

Cisco has addressed a high-severity zero-day vulnerability (CVE-2025-20352) in its IOS and IOS XE software that is being actively exploited in the wild. The flaw resides in the Simple Network Management Protocol (SNMP) subsystem and could allow a remote authenticated attacker to cause a denial-of-service (DoS) condition or execute code with root privileges. Read more

Old Hikvision Camera Backdoor Re-Exploited

A critical, eight-year-old backdoor vulnerability (CVE-2017-7921) in Hikvision security cameras is being actively exploited again. The flaw, which has a CVSS score of 10.0, allows attackers to bypass authentication and access sensitive information, including video feeds and user credentials, by sending a crafted URL. The resurgence highlights the risk of unpatched legacy devices. Read more

Salesforce AI Agent Flaw Allowed Data Theft

A critical vulnerability chain named “ForcedLeak” was discovered in Salesforce’s Agentforce AI platform, which could have allowed attackers to steal sensitive CRM data. The flaw (CVSS score 9.4) utilized an indirect prompt injection attack, where malicious instructions were embedded in Web-to-Lead forms. Salesforce has since patched the vulnerability. Read more

GitLab Addresses High-Severity Vulnerabilities

GitLab has released patches for several high-severity vulnerabilities. Users are encouraged to update their installations to the latest version to protect against potential exploits. Read more

Cyber Attacks

SonicWall Urges Immediate Update to Counter ‘OVERSTEP’ Rootkit

SonicWall has released an urgent firmware update (version 10.2.2.2-92sv) for its Secure Mobile Access (SMA) 100 series appliances to detect and remove a known rootkit malware called OVERSTEP. The advisory, published on September 22, 2025, follows a report from Google’s Threat Intelligence Group (GTIG) detailing a campaign by the threat actor UNC6148 on end-of-life devices. The malware allows attackers to maintain persistent access, establish a reverse shell, and steal sensitive data like credentials and OTP seeds. Administrators are strongly advised to apply the patch immediately, as there is no workaround. Read More

Zloader Malware Evolves into Ransomware Gateway for Corporate Networks

The Zloader trojan, a malware family based on the Zeus banking trojan, has been repurposed as a primary tool for initial access brokers to infiltrate corporate networks and deploy ransomware. After a nearly two-year break, Zloader has returned with significant upgrades, including advanced obfuscation and anti-analysis features. Security researchers have noted that recent versions (2.11.6.0 and 2.13.7.0) have shifted from widespread campaigns to highly targeted attacks, focusing on high-value organizations for maximum impact. Read More

Malicious npm Package “yahoofinance-api” Steals Browser Data

A malicious package named “yahoofinance-api” was discovered on the npm registry, designed to steal passwords and cookies from web browsers. The package, which impersonated a legitimate library for fetching financial data, contained obfuscated code that executed a PowerShell script to download a second-stage payload. This payload would then extract sensitive information from browsers like Chrome, Edge, and Brave. The malware was active for over a month before being removed, highlighting the ongoing risks associated with open-source software supply chains. Read More

Windows 11 Vulnerability Exposes Cached Passwords in Plaintext

A security vulnerability has been identified in Windows 11 that could allow attackers with local network access to retrieve cached domain user passwords in plaintext. The flaw resides in how Windows 11 handles password caching for network authentication, potentially exposing credentials if they are not adequately protected. This issue poses a significant risk in enterprise environments where domain-joined devices are common, as a successful exploit could lead to lateral movement and privilege escalation. Read More

ShadowV2 Botnet Exploits Misconfigured Docker APIs on AWS

A new botnet, named ShadowV2, is actively exploiting misconfigured Docker Engine APIs to deploy cryptocurrency miners and other malicious payloads on Amazon Web Services (AWS) infrastructure. The botnet scans for publicly exposed Docker API endpoints and uses them to create new containers running its malware. ShadowV2 is designed for stealth and persistence, using various techniques to hide its presence and ensure its mining operations continue uninterrupted. This campaign underscores the importance of securing cloud-based container environments. Read More

LockBit 5.0 Ransomware Variant Emerges with New Features

A new version of the notorious LockBit ransomware, dubbed LockBit 5.0, has been spotted in the wild with updated capabilities. This iteration includes enhanced anti-analysis techniques, faster encryption algorithms, and new methods for evading security software. The LockBit group continues to be one of the most prolific ransomware-as-a-service (RaaS) operations, and this new variant demonstrates their commitment to evolving their tools to bypass modern defenses and maximize their impact on targeted organizations. Read More

Cisco Patches Critical Zero-Day RCE Flaw in ASA Software

Cisco has released security updates to address a critical zero-day remote code execution (RCE) vulnerability in its Adaptive Security Appliance (ASA) software. The flaw, which was reportedly being exploited in the wild, could allow an unauthenticated attacker to execute arbitrary code on an affected device, potentially leading to a full system compromise. Given the critical role that ASA devices play in network security, administrators are urged to apply the patches immediately to protect their infrastructure from this significant threat. Read More

Security Tools

New Tool “Inboxfuscation” Bypasses Microsoft Exchange Defenses

A new open-source tool named Inboxfuscation can create malicious inbox rules in Microsoft Exchange that are difficult for security tools to detect. Developed by security firm Permiso, the tool uses Unicode-based obfuscation to hide keywords in rules, allowing attackers to maintain persistence and exfiltrate data from compromised mailboxes. This technique can substitute standard characters with visually identical Unicode variants, making the rules appear harmless while functionally matching sensitive terms. While these specific obfuscation methods have not yet been observed in active attacks, their development exposes a critical blind spot in email security postures. Read more here

Critical Vulnerability in Libraesva Email Security Gateway Actively Exploited

A critical command injection vulnerability, tracked as CVE-2025-59689, has been discovered in Libraesva’s Email Security Gateway (ESG). The flaw allows attackers to execute arbitrary commands by sending an email with a specially crafted compressed attachment. According to reports, this vulnerability has already been exploited in a targeted attack attributed to a state-sponsored actor. The vulnerability affects all Libraesva ESG versions from 4.5 onwards. Libraesva responded by deploying emergency patches, which were automatically applied to all cloud and on-premise 5.x installations. Read more here

Kali Linux 2025.3 Released with 10 New Tools and Wi-Fi Upgrades

The third Kali Linux release of 2025 is now available, featuring ten new tools, enhancements for Wi-Fi hacking, and other updates. Kali Linux 2025.3 introduces several new tools, including Caido, a web security auditing toolkit; Gemini CLI, an AI agent for the terminal; and krbrelayx, a toolkit for Kerberos relaying attacks. This version also adds support for Nexmon, enabling monitor mode and frame injection for the Raspberry Pi’s built-in Wi-Fi, and includes updated configurations for HashiCorp’s Packer and Vagrant tools. Read more here

Attackers Bypass EDR Using In-Memory PE Loaders

A stealthy technique is being used by threat actors to bypass Endpoint Detection and Response (EDR) solutions by loading malicious code directly into a system’s memory. This method, known as an in-memory Portable Executable (PE) loader, downloads a malicious file (such as a Remote Access Trojan or info-stealer) and executes it within the memory of a legitimate process. Because the malicious file is never written to the disk, it evades EDR products that primarily monitor for file-based threats and suspicious process creation events. Read more here

“SetupHijack” Tool Exploits Windows Installers for Privilege Escalation

Security researchers have developed a proof-of-concept tool called SetupHijack that abuses race conditions in Windows installers and updaters to gain elevated privileges. The tool monitors world-writable directories like %TEMP% and %APPDATA% for new installer files. When a privileged setup process drops a temporary file (e.g., an MSI or EXE), SetupHijack instantly replaces it with a malicious payload before the installer can run it. This allows the attacker’s payload to be executed with SYSTEM or Administrator rights. Read more here

ZendTo File-Sharing Tool Vulnerable to Path Traversal

A critical path traversal vulnerability, identified as CVE-2025-34508, has been found in the ZendTo file-sharing application, affecting versions 6.15-7 and earlier. The flaw allows an authenticated user to craft a malicious request to access, read, or modify sensitive files on the server, including logs, user data, and application configurations. The vulnerability occurs because the application fails to properly sanitize user-supplied input when handling file uploads. ZendTo has released a patch in version 6.15-8 to address the issue. Read more here

Threats

Kawa4096 Ransomware Targets Multinational Corporations

A new ransomware group, Kawa4096, is targeting multinational organizations in the finance, education, and service sectors, with a particular focus on entities in Japan and the United States. First detected in June 2025, the group uses a double extortion strategy, combining data encryption with data theft. They operate a dedicated Tor-based platform to disclose victim information, adding pressure to meet ransom demands. The ransomware employs advanced partial encryption techniques, using the Salsa20 stream cipher to encrypt 25% of 64KB chunks of files, which significantly speeds up the process while rendering the files unusable. To facilitate its attack, the malware terminates critical processes like database servers and office applications. Read More

Malware Hidden in Steam Game Patch Steals User Data

A malicious patch for the 2D platformer game “BlockBlasters” on Steam has been used to distribute information-stealing malware. The campaign, which started on August 30, 2025, targets sensitive data such as cryptocurrency wallet information, browser credentials, and Steam login details. The attack uses a three-stage infection process that begins with a batch file (game2.bat) to collect system information and Steam credentials. It then deploys loader scripts and two main payloads: a Python-based backdoor and the StealC information stealer. The malware adds its directory to Microsoft Defender’s exclusion list to evade detection. Read More

Hackers Exploit GitHub Notifications for Malware Distribution

Threat actors are abusing GitHub’s notification system to distribute malware by mentioning users in pull requests or comments on repositories they control. This tactic lends an air of legitimacy to the notifications, as they originate from GitHub’s official domain (github.com). The notifications often contain links to malicious sites, luring victims into downloading malware. This method bypasses traditional email security filters that might otherwise block direct malicious links. Security researchers have noted that this technique has been used in various campaigns, including those targeting developers and other tech-savvy individuals with fake job offers or project collaborations. Read More

Fake Job Lures Used to Target Job Seekers with Malware

Cybercriminals are targeting job seekers with sophisticated fake job offers to deploy information-stealing malware. The threat actors impersonate recruiters and companies, using platforms like LinkedIn to initiate contact. The attack often involves a multi-stage process where victims are led through a fake recruitment process, eventually being asked to download a file, such as a “job description” or a “questionnaire,” which is actually malware. This malware is designed to steal sensitive personal and financial information from the victim’s computer. The campaigns are often highly targeted, with attackers crafting convincing lures based on a victim’s professional profile. Read More

SVG Files Weaponized to Deliver Malware

Hackers are increasingly using Scalable Vector Graphics (SVG) files to deliver malware, bypassing traditional security measures that often focus on other file types. These SVG files can contain embedded malicious JavaScript code. When a user opens the SVG file in a web browser, the script executes, leading to malware downloads or phishing attacks. This technique is effective because SVG files are often perceived as harmless images. Threat actors have been observed using this method to distribute ransomware, spyware, and banking trojans. The attacks often begin with a phishing email containing a link to the malicious SVG file. Read More

First Malicious MCP Server Discovered in the Wild

Researchers have identified the first-ever malicious Mission-Critical Push-to-Talk (MCPTT) server, indicating a new threat vector for critical communication systems. MCPTT is a standard for broadband push-to-talk communication used by public safety and enterprise organizations. The malicious server was designed to impersonate a legitimate MCPTT server, potentially allowing attackers to eavesdrop on sensitive communications, inject false information, or cause service disruptions. This discovery highlights the need for stronger security measures and authentication protocols within critical communication infrastructures to prevent such attacks. Read More

Microsoft Teams Installers Abused to Distribute Malware

Threat actors are weaponizing Microsoft Teams installers to deliver malware to unsuspecting users. In these attacks, a legitimate Teams installer is bundled with a malicious payload. When the user runs the installer, it installs Microsoft Teams as expected, but it also silently executes the malware in the background. This technique helps the malware appear legitimate and bypasses user suspicion. The payloads observed in these campaigns have included various types of malware, such as remote access trojans (RATs) and information stealers, giving attackers control over the compromised system and access to sensitive data. Read More

Data Breaches

Digital Charging Solutions GmbH Data Breach Exposes Customer Data

Digital Charging Solutions GmbH (DCS), a provider of charging services for electric vehicles, has confirmed a data breach that exposed some customer information. The incident occurred when a third-party service provider accessed customer records without proper authorization.

The exposed data includes names and email addresses. However, DCS confirmed that no complete payment data or financial records were compromised, as this information is protected by tokenization and encryption. Read more

Jaguar Land Rover Cyberattack Delays Factory Reopening

Jaguar Land Rover (JLR) has extended the production halt at its UK factories until Wednesday, October 1, 2025, as it recovers from a major cyber-attack that took place earlier in the month. The company stated the extension is necessary to create a detailed timeline for a secure and phased restart of its manufacturing operations.

JLR is collaborating with external cybersecurity experts, the UK’s National Cyber Security Center (NCSC), and law enforcement to investigate the breach and strengthen its systems. While production is paused, customer-facing operations, including sales and service, remain open. The company has thanked its customers, suppliers, and employees for their patience during the disruption. Read more

Volvo Group Discloses Data Breach

Volvo Group has also reported a data breach incident. At this time, details are limited while investigations are underway to assess the full impact and determine the necessary mitigation efforts. Read more

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Cybersecurity Newsletter Weekly – Chrome 0-Day, 22.2 Tbps DDOS Attack, Kali Linux Release, Cisco IOS 0-Day and More appeared first on Cyber Security News.