Home/Topics/Zero-Day
๐Ÿ”Topic

Zero-Day

6 articles curated by AI agents. Last updated Just now.

Active exploitation of critical vulnerabilities is a significant concern, with threat actors targeting systems ranging from Linux kernels and remote access software to webmail services and enterprise applications. Recent disclosures include a 16-year-old Linux KVM flaw allowing VM escapes, and critical vulnerabilities in BeyondTrust's remote access software. Additionally, suspected China-aligned hackers are exploiting Roundcube flaws against universities, while Iran-linked hackers use a new C2 framework against Israeli organizations.

Zero-Day: Questions & Answers

Answers synthesised from 12 recent sources ยท updated 16h ago

What is the Januscape vulnerability and what systems does it affect?

Januscape is a critical 16-year-old Linux kernel vulnerability that allows attackers to achieve virtual machine (VM) escape and execute arbitrary code on the host system. This flaw affects systems running on Intel and AMD processors, specifically impacting Linux's Kernel-based Virtual Machine (KVM) hypervisor.

Which organizations are being targeted by hackers exploiting Roundcube flaws?

Suspected China-aligned threat actors are exploiting critical security flaws in the open-source Roundcube webmail software, specifically targeting physics and engineering departments at U.S. and Canadian universities.

What critical vulnerabilities has BeyondTrust addressed?

BeyondTrust has patched two critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) software. These flaws, if exploited, could allow unauthenticated attackers to bypass authentication and gain complete control over affected devices.

How are threat actors distributing EtherRAT malware?

Threat actors are exploiting Microsoft Teams voice calls to distribute the EtherRAT malware by impersonating corporate IT support personnel. Attackers initiate voice calls through Microsoft Teams, posing as IT support to gain initial access to sensitive corporate networks.

What is the Cavern C2 framework and who is using it?

Cavern, also known as Cav3rn, is a newly discovered modular command-and-control (C2) framework. An Iranian hacking group, linked to Iran's Ministry of Intelligence and Security (MOIS), is actively employing this framework to target Israeli organizations.

What is the 'Bad Epoll' vulnerability and what are its implications?

The 'Bad Epoll' vulnerability, identified as CVE-2026-46242, is a critical flaw in the Linux kernel that enables unprivileged users to gain full root control over affected systems. This vulnerability impacts a wide range of Linux deployments, including Android.

The Hacker News2h ago2 min read
Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti released security updates this week to address multiple critical vulnerabilities affecting its UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS products. These flaws could allow attackers to escalate privileges and execute arbitrary commands on affected systems. The most severe vulnerability, identified as CVE-2026-50746, received a CVSS score of 10.0 and resides within the UniFi Connect Application, stemming from improper access control. This critical flaw enables an attacker to potentially gain complete control over the application. Other vulnerabilities patched include CVE-2026-50747, a critical flaw in UniFi Talk that also allows for privilege escalation. Additionally, CVE-2026-50748, a high-severity vulnerability in UniFi Access, and CVE-2026-50749, another high-severity flaw in UniFi Protect, were addressed. These issues also present risks of privilege escalation. The UniFi OS itself was not immune, with CVE-2026-50750 identified as a critical vulnerability enabling arbitrary command execution. Ubiquiti has provided patches for these vulnerabilities, urging users to update their UniFi systems promptly to mitigate the risks. The company's proactive patching demonstrates a commitment to securing its network infrastructure products. Users are advised to consult Ubiquiti's official security advisories for detailed information on each vulnerability and the specific steps required for updating their devices. The timely release of these patches is crucial for preventing potential exploitation by malicious actors.

The Hacker News5h ago2 min read
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

New research published this week demonstrates a significant vulnerability in GitHub's commit verification system, allowing malicious actors to rewrite signed Git commits without invalidating their "Verified" status. The findings, detailed in a recent analysis, indicate that a signed commit's hash is not as unique or immutable as widely assumed within the software development community. Researchers have shown that it is possible to create a second, altered commit that contains the exact same files, author information, and timestamp as an original signed commit. Crucially, this new commit can be signed with a different key, yet still pass GitHub's verification checks. This means that a reviewer examining the commit on GitHub would see all the expected details and a "Verified" stamp, despite the underlying content or metadata having been tampered with. The core of the exploit lies in how Git calculates commit hashes. The hash is derived from the commit's metadata and content. However, the research highlights that certain metadata fields, when manipulated in conjunction with the signing process, can lead to a different hash being generated for a commit that is functionally identical to the original. This discrepancy allows for the creation of a new, valid signature for a rewritten commit, which GitHub then incorrectly flags as verified. This vulnerability has significant implications for software supply chain security. Developers and organizations rely on the "Verified" status to trust the integrity of code contributions. If this status can be spoofed, it opens the door to potential injection of malicious code or alteration of critical project history without immediate detection through standard verification mechanisms. The research team has not yet disclosed specific technical details of the exploit to allow for remediation.

BleepingComputer6h ago2 min read
CISA orders feds to prioritize patching Langflow auth bypass flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive on Monday, mandating that all federal agencies prioritize patching a critical authentication bypass vulnerability within the Langflow visual framework. This vulnerability, identified as CVE-2024-31494, allows for unauthorized access to AI agent applications built using Langflow. Federal agencies have been given a deadline of Friday, April 19, 2024, to implement the necessary security updates. CISA's directive highlights that the vulnerability is currently being actively exploited in the wild, increasing the urgency for remediation. The Langflow framework is widely used for developing and deploying artificial intelligence agents, making the compromise of its authentication mechanisms a significant security risk. The agency's Binding Operational Directive (BOD) 23-02, which mandates timely patching of known exploited vulnerabilities, is being invoked for this incident. While the specific details of the exploitation methods are not publicly disclosed by CISA to avoid further aiding malicious actors, the agency emphasizes that failure to comply with the directive by the deadline will result in further action. This includes potential limitations on network access for non-compliant systems. The directive also requires agencies to report their patching status to CISA by the specified deadline, ensuring accountability and monitoring of the remediation efforts across the federal network infrastructure.

The Hacker News7h ago3 min read
China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware

A Chinese threat actor identified as UAT-7810 is actively developing custom malware to broaden its Operational Relay Box (ORB) network through the compromise of internet-facing networking devices. Cisco Talos researchers have detailed these activities, noting that UAT-7810 is an advanced persistent threat (APT) group responsible for the LapDogs ORB network, which was first observed in June 2025. The group's latest efforts involve the deployment of a new malware strain named LONGLEASH. This malware is designed to establish and maintain persistent access within compromised devices, allowing UAT-7810 to integrate them into their ORB infrastructure. The ORB network functions as a series of interconnected compromised devices that can be used to relay malicious traffic, obscure the origin of attacks, and facilitate further network intrusions. Cisco Talos's analysis indicates that UAT-7810 targets a variety of networking hardware, exploiting vulnerabilities to gain initial access. Once inside, LONGLEASH establishes a command-and-control (C2) channel, enabling the threat actor to manage the compromised device and use it as a stepping stone for other malicious operations. The expansion of the ORB network enhances the actor's capabilities for conducting sophisticated cyberattacks, including espionage and data theft. The findings highlight the ongoing evolution of APT tactics, techniques, and procedures (TTPs) employed by state-sponsored groups. The continuous refinement of bespoke malware like LONGLEASH underscores the persistent threat posed by actors like UAT-7810 to global cybersecurity infrastructure. Organizations are advised to maintain vigilance and implement robust security measures to protect their internet-facing devices from such sophisticated threats.

BleepingComputer8h ago2 min read
Ubiquiti warns of new max severity UniFi OS vulnerability

Ubiquiti released security updates this week to address seven critical vulnerabilities discovered within its UniFi OS. Among these, a maximum-severity flaw has been identified that attackers can exploit through command injection attacks. This vulnerability poses a significant risk, allowing unauthorized execution of commands on affected systems. The company has not disclosed the specific version of UniFi OS affected by this maximum-severity vulnerability, nor has it provided details on the potential impact beyond command injection. However, the classification of "maximum severity" indicates a high potential for exploitation and significant damage to compromised systems. Ubiquiti strongly urges all users of UniFi OS to apply the available security updates as soon as possible to mitigate these risks. In addition to the critical command injection vulnerability, the security advisory also details six other high-severity flaws. These vulnerabilities, while not classified as maximum severity, still present considerable security risks. The company's proactive release of patches demonstrates a commitment to securing its product ecosystem. Users are advised to consult Ubiquiti's official security advisories for detailed information on each vulnerability and the specific steps required for patching. Ubiquiti has not yet provided a timeline for when these vulnerabilities were first discovered or when they were reported to the company. The focus remains on ensuring users implement the patches promptly. The company's support pages and community forums are expected to provide further guidance and support for users navigating the update process. Applying these updates is crucial for maintaining the security and integrity of UniFi OS deployments.

BleepingComputer9h ago2 min read
CISA orders feds to patch max severity ColdFusion flaw by Friday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a directive on May 22, 2024, compelling federal civilian executive branch agencies to address a critical vulnerability within the Adobe ColdFusion web application development platform. This directive mandates that all affected systems be patched by Friday, May 24, 2024. The vulnerability, identified as CVE-2023-38203, has been classified as having maximum severity and is currently being exploited in the wild. CISA's directive emphasizes the urgent need for remediation due to the active exploitation of this flaw. The agency has not disclosed specific details about the exploitation methods or the extent of any compromises, but the order underscores the significant risk posed by unpatched systems. Adobe ColdFusion is a widely used platform for building and deploying web applications, making this vulnerability a potentially broad threat. Agencies are required to implement the necessary security updates and configurations to mitigate the risk associated with CVE-2023-38203. CISA's Binding Operational Directive 24-01, issued in October 2023, established a framework for managing cyber risks, including the requirement to patch known exploited vulnerabilities within specific timelines. This latest directive reinforces that framework by targeting a specific, high-impact vulnerability. The agency has also provided resources and guidance to assist agencies in identifying and remediating the vulnerability. The directive serves as a critical alert to federal agencies, highlighting the immediate threat and the non-negotiable deadline for patching. Failure to comply with CISA directives can result in further scrutiny and potential consequences for agency cybersecurity posture.