Overview

Chrome in crisis: a dangerous zero-day in its V8 engine was exploited in the wild—but Google moved fast to patch it. Did your browser make it through the breach?
#cve20256554
#chromevulnerability
#cybersecurity
#zeroday
#googlesecurity

CVE-2025-6554
This vulnerability lurks in Chrome's core engine: simply visiting a malicious web page lets an attacker remotely take control of your computer.
Security researchers have confirmed that the vulnerability is being exploited in real attacks, leaving enterprise data and personal privacy exposed.
@board

@beyondmachines1 I know it's pedantic, but the Chrome advisory does not state that it is in fact EITW. It says that there is an exploit in the wild, but not that it's known to have been used successfully.
Google is aware that an exploit for CVE-2025-6554 exists in the wild.

🚨 A new Chrome zero-day is already being exploited in the wild.
Discovered by Google TAG on June 25, CVE-2025-6554 lets attackers run malicious code via a crafted web page.
It targets Chrome’s V8 engine—again.
Update now → https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html

"Google is aware that an exploit for CVE-2025-6554 exists in the wild," the browser vendor said in a security advisory issued on Monday. https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/

Google Chrome 138 – CVE-2025-6554: patch to protect yourself from this new zero-day flaw https://www.it-connect.fr/google-chrome-138-zero-day-cve-2025-6554/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #googlechrome

Critical Google Chrome Vulnerability Exploited in the Wild: Patch Now to Stay Safe
A Wake-Up Call for Browser Security In late June 2025, Google raced to patch a severe zero-day vulnerability in its Chrome browser—one that had already been exploited in real-world attacks. The flaw, cataloged as CVE-2025-6554, was embedded in Chrome’s V8 JavaScript and WebAssembly engine and enabled attackers to hijack systems through malicious web pages. While Google acted swiftly to…

Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild
Introduction: Chrome Users at Risk from Zero-Day Exploit Google has swiftly responded to a high-severity security flaw in its Chrome browser that is actively being exploited by attackers. The vulnerability, identified as CVE-2025-6554, resides in the V8 JavaScript and WebAssembly engine, a critical component responsible for rendering code on websites. With attackers already leveraging this flaw,…

Update your Chrome, patch for CVE-2025-6554 (Type Confusion in V8):
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html
Overview
- Sudo project
- Sudo

Vulnerability Advisory: Sudo chroot Elevation of Privilege https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Linux servers: sudo has a huge hole. Severity 9.3! Install updates as soon as possible.
https://nvd.nist.gov/vuln/detail/CVE-2025-32463
https://www.sudo.ws/security/advisories/chroot_bug/
https://ubuntu.com/security/CVE-2025-32463
https://access.redhat.com/security/cve/cve-2025-32463
For RHEL + Alma Linux there is apparently no update available yet.


⚠️ sudo has a very critical security vulnerability. You should therefore update sudo ASAP!
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
https://nvd.nist.gov/vuln/detail/CVE-2025-32463
#ITSecurity

A quick check on my end of which distros have fixed the critical #sudo hole CVE-2025-32463 so far:
- Alpine 3.22: OK
- Arch Linux: OK
- Debian 12 / Devuan 5: OK
- Fedora 42: FAIL
- Void Linux: OK

RT @0xm1rch@x.com
I published blogs detailing two vulnerabilities I recently discovered in Sudo. Update to 1.9.17p1.
CVE-2025-32462 - Sudo Host option Elevation of Privilege Vulnerability https://stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
CVE-2025-32463 - Sudo chroot Elevation of Privilege Vulnerability https://stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Following a recent incident, here's a reminder: #SudoConsideredHarmful
What do I use instead of #sudo? "ssh root@localhost" with keys: https://github.com/xtaran/sshudo and "alias sudo sshudo" or "ln -vis /usr/bin/sshudo /usr/bin/sudo".
(For those who wonder what I refer to: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host and https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot)

I think I boosted information about these sudo EoP vulns yesterday but in case I didn't, here's some basic info on them.
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
sev:LOW 2.8 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
https://nvd.nist.gov/vuln/detail/CVE-2025-32462
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Overview
- NetScaler
- ADC

If you see this GitHub PoC for CVE-2025-5777 doing the rounds:
https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
It’s not for CVE-2025-5777. It’s AI generated. The links in the README still have ChatGPT UTM sources.
The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write up of the other vuln.

Citrix blog on CVE-2025-5777 and some other ones https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/

Citrix NetScaler Under Siege: Critical Vulnerabilities Leave Thousands Exposed
Urgent Warning for IT Teams and CISOs A recent cybersecurity alert has sent shockwaves through IT infrastructures worldwide: thousands of Citrix NetScaler instances are now vulnerable to active exploitation due to two newly disclosed critical vulnerabilities. These security flaws—CVE-2025-5777 and CVE-2025-6543—pose a severe risk to organizations relying on Citrix NetScaler for remote access…
Overview
- Sudo project
- Sudo

People, patch your systems
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
"As a result, any command allowed by the remote host rule can be executed on the local machine."

Overview

RCE Security has found major vulnerabilities in the Wing FTP Server.
Attackers can bypass authentication on the server's web interface just by appending a NULL byte to the username followed by any random string.
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

🚨CVE-2025-47812: Wing FTP Server Remote Code Execution (RCE) Exploit
Link: https://github.com/4m3rr0r/CVE-2025-47812-poc
Writeup: https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
Overview
- Pilz
- IndustrialPI 4 with IndustrialPI webstatus

#OT #Advisory VDE-2025-039
Pilz: Authentication Bypass in IndustrialPI Webstatus
#CVE CVE-2025-41648
https://certvde.com/en/advisories/VDE-2025-039
#CSAF https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2025/ppsa-2025-003.json

🚨 CVE-2025-41648 (CRITICAL, CVSS 9.8): Pilz IndustrialPI 4 w/ webstatus lets remote attackers bypass authentication & change all settings. No patch yet—segment networks & monitor traffic. Details: https://radar.offseq.com/threat/cve-2025-41648-cwe-704-incorrect-type-conversion-o-ea121f93 #OffSeq #ICS #Vulnerability #OTSecurity

July is starting off with a perfect 10 in some OT kit. 🥳
https://certvde.com/en/advisories/VDE-2025-045/
sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.
https://nvd.nist.gov/vuln/detail/CVE-2025-41656
https://certvde.com/en/advisories/VDE-2025-039/
sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI.
Overview
- Brother Industries, Ltd
- HL-L8260CDN

Are Brother's Insecure Printers Illegal in the UK?
https://shkspr.mobi/blog/2025/07/are-brothers-insecure-printers-illegal-in-the-uk/
Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad[0]?
Let's take a look at details of the vulnerability:
An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.
Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.
There are three interesting points to note in that blog post. The first is about passwords:
The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:
- The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.
Secondly, is a question of jurisdiction:
Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence
Thirdly, what is actually covered:
The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).
Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.
Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
Passwords must be—
a. unique per product; or
b. defined by the user of the product.
Passwords which are unique per product must not be—
a. based on incremental counters;
b. based on or derived from publicly available information;
c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;
d. otherwise guessable in a manner unacceptable as part of good industry practice.
How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:
[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query
So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.
But, do printers fall under the scope of this act?
The Product Security and Telecommunications Infrastructure Act 2022 says:
4 Relevant connectable products
In this Part “relevant connectable product” means a product that meets conditions A and B.
Condition A is that the product is—
A. an internet-connectable product, or
B. a network-connectable product.
Condition B is that the product is not an excepted product (see section 6).
It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?
In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.
OK, let's look at the regulations. I've expanded out the relevant bit:
Schedule 3 Excepted connectable products
Computers
Products are excepted under this paragraph if they are computers which are—
a. desktop computers;
b. laptop computers;
c. tablet computers which do not have the capability to connect to cellular networks.
Nope! The Brother printers don't appear to be exempt[1]. What's the maximum penalty Brother could be subject to?
The greater of £10 million or 4% of worldwide revenue.
Ouch!
Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly[2].
So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.
In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.
Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.
[0] I'm not a lawyer. This is not legal advice. This is just my interpretation of what's going on. If in doubt, consult someone qualified. ↩︎
[1] With thanks to m'learned colleague Neil Brown who came to much the same conclusion ↩︎
[2] You can see the actions they've previously taken. Because PSTI is so new, there aren't any actions against insecure IoT devices - so we'll have to wait and see how they choose to proceed. ↩︎
Overview
- Apache Software Foundation
- Apache Tomcat

Hey vulnerability people: Any scuttlebutt on active exploitation of CVE-2024-56337? It isn't in the KEV but ... well ....

@Sempf Are you specifically asking about EITW when the mitigation for CVE-2024-50379 was applied or regardless of the CVE-2024-50379 mitigation since CVE-2024-56337 was basically a bypass for the incomplete CVE-2024-50379 fix, right?
Overview
- Pilz
- IndustrialPI 4 with Firmware Bullseye

#OT #Advisory VDE-2025-045
Pilz: Missing Authentication in Node-RED integration
#CVE CVE-2025-41656
https://certvde.com/en/advisories/VDE-2025-045
#CSAF https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2025/ppsa-2025-002.json

Overview
- Cisco
- Cisco Identity Services Engine Software

Cisco is warning about two critical vulnerabilities in Identity Services Engine (ISE)
Vulnerabilities: Insufficient validation of user input; Poor file validation
Impact: Allows an attacker to execute arbitrary commands, and upload arbitrary files and execute with root privileges
Vulnerability IDs: CVE-2025-20281, CVE-2025-20282
Remediation: Upgrade ISE to 3.3 Patch 6 or 3.4 Patch 2 or later

Cisco hits the mark: 9.8 out of 10 for two RCEs in Identity Services Engine and Passive Identity Connector
Cisco has reported two critical RCE vulnerabilities that require no authentication and affect Cisco Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC). The vulnerabilities have been assigned the identifiers CVE-2025-20281 and CVE-2025-20282 and received the maximum score of 9.8 out of 10 on the CVSS scale. The first issue affects ISE and ISE-PIC versions 3.4 and 3.3, while the second affects only version 3.4.
The root cause of CVE-2025-20281 was insufficient validation of user input in an exposed API. This allowed a remote, unauthenticated attacker to send crafted API requests to execute arbitrary commands as the root user. The second issue, CVE-2025-20282, was caused by insufficient file validation in an internal API, which allowed files to be written to privileged directories. This bug allowed unauthenticated remote attackers to upload arbitrary files to the target system and execute them with root privileges.
The Cisco Identity Services Engine (ISE) platform is designed to manage network security policies and access control and typically serves as the engine for network access control (NAC), identity management and policy enforcement. The product is a key element of the enterprise network and is often used by large companies, government agencies, universities and service providers.
Cisco's experts report that so far there have been no cases of active exploitation of the new vulnerabilities (nor any publicly released exploits), but all users are advised to install the updates as soon as possible. Users should update to version 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4) and version 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1) or later. There are no workarounds that resolve the issues without applying patches.
It is obvious that with vulnerabilities of this magnitude, the patches must be applied urgently to prevent possible intrusion attempts. The vendor therefore recommends applying the necessary updates promptly.
The article Cisco hits the mark: 9.8 out of 10 for two RCEs in Identity Services Engine and Passive Identity Connector comes from il blog della sicurezza informatica.