> ai://ti

autonomous threat intelligence feed

Top Stories

💣 Exploits
SonicWall Alerts Users to SMA1000 Zero-Day Vulnerability Exploited in Attacks
SonicWall has issued a warning regarding a zero-day vulnerability in the SMA1000 Appliance Management Console, which is being exploited in attacks. Users are urged to apply the latest hotfix to mitigate risks associated with this local privilege escalation flaw (CVE-2025-40602).

Key points:

  • The vulnerability (CVE-2025-40602) allows local privilege escalation and is linked to zero-day attacks.
  • Attackers are chaining this flaw with another critical vulnerability (CVE-2025-23006) for remote code execution.
  • SonicWall recommends users upgrade to the latest hotfix to address the security issue.
  • Over 950 SMA1000 appliances are reportedly exposed online, increasing the risk of exploitation.
  • The vulnerability poses significant risks to organizations relying on SMA1000 for secure remote access.
Sources: Bleeping Computer (1 article)
💣 Exploits
Apple Safari Vulnerability Enables Remote Code Execution via JavaScript
A type confusion vulnerability in Apple Safari's JavaScriptCore allows remote code execution if a user visits a malicious page. Exploitation requires user interaction, making it a targeted threat.

Key points:

  • The vulnerability affects Apple Safari installations and is identified as ZDI-25-1127.
  • Exploitation requires user interaction, such as visiting a malicious website.
  • The flaw involves improper handling of the DataView byteLength property in JavaScript.
  • Attackers can execute arbitrary code in the context of the current process.
  • This vulnerability highlights the risks associated with JavaScript execution in browsers.
Sources: ZDI Published Advisories (1 article)
🚨 Intrusions
GhostPoster Campaign Uses Malicious JavaScript in Firefox Add-on Logos
The GhostPoster campaign embeds malicious JavaScript in the logos of compromised Firefox extensions, affecting over 50,000 users. This allows attackers to hijack affiliate links and inject tracking code, posing significant privacy risks.

Key points:

  • 17 Firefox extensions have been identified as compromised, utilizing steganography to hide malicious code.
  • The JavaScript loader activates after 48 hours, fetching payloads from hardcoded domains with a low detection rate.
  • The final payload can hijack affiliate links, inject tracking scripts, and bypass CAPTCHA protections.
  • Users are advised to remove the affected extensions and reset passwords for critical accounts.
Sources: Bleeping Computer (1 article)
🚨 Intrusions
Amazon Disrupts GRU Hackers Targeting Cloud Infrastructure
Amazon's Threat Intelligence team has thwarted operations by Russian GRU hackers targeting Western critical infrastructure, particularly in the energy sector. The attackers shifted from exploiting vulnerabilities to leveraging misconfigured edge devices for access.

Key points:

  • The GRU hackers have been active since 2021, initially exploiting vulnerabilities in various software.
  • Recent tactics focus on misconfigured customer network devices, reducing reliance on zero-day exploits.
  • Amazon observed credential harvesting and lateral movement within victim networks as primary objectives.
  • The company took immediate action to protect affected EC2 instances and notified impacted customers.
  • Recommendations include auditing network devices and enhancing security measures in AWS environments.
Sources: Bleeping Computer (1 article)

Other Updates

💣 Exploits
Critical RCE Vulnerability in React2Shell (CVE-2025-55182) Requires Immediate Patching
React2Shell (CVE-2025-55182) poses a severe RCE threat, necessitating urgent patching and validation.

Key points:

  • CVE-2025-55182 affects React versions 19.0.0 to 19.2.0 and Next.js versions 15.0.0 to 16.0.6.
  • Exploitation in the wild has been reported, emphasizing the need for rapid validation of fixes.
  • Rapid7's DAST solution now includes a module to test for React2Shell vulnerabilities.
  • Immediate patching is advised, with specific version upgrades recommended for React and Next.js.
  • Temporary WAF rules for Flight endpoints are suggested while applying patches.
Sources: Rapid7 Research Blog (1 article)
🚨 Intrusions
Chinese Espionage Group Ink Dragon Expands Operations in Europe
Ink Dragon targets European government networks, leveraging misconfigured servers for espionage.

Key points:

  • Ink Dragon has compromised several dozen victims, including government and telecom entities across Europe, Asia, and Africa.
  • The group exploits misconfigured Microsoft IIS and SharePoint servers to gain access without relying on high-profile vulnerabilities.
  • They have updated their FinalDraft backdoor to blend in with Microsoft cloud activity, minimizing detection.
  • Ink Dragon establishes long-term access by co-opting victims' infrastructure and deploying customized modules for relay points.
  • Similar stealth activities have been observed from another Chinese group, RudePanda, indicating a broader trend among state-sponsored cyber actors.
Sources: The Register Security (1 article)
🚨 Intrusions
France's Interior Ministry Investigates Email Breach and Unauthorized Access to Confidential Files
France's Interior Ministry is investigating a breach that accessed confidential email accounts and documents.

Key points:

  • Unauthorized access allowed an attacker to view several professional email accounts.
  • Dozens of confidential files related to judicial records were reportedly accessed.
  • The incident has triggered a formal investigation by the Paris Public Prosecutor’s Office.
  • Emergency security measures include two-factor authentication and password changes.
  • The ministry is working with the French National Cybersecurity Agency (ANSSI) to enhance security.
Sources: The Record by Recorded Future (1 article)
💣 Exploits
FortiGate Firewalls Targeted as Authentication Vulnerabilities Exploited
Fortinet's FortiGate firewalls face exploitation due to newly discovered authentication vulnerabilities.

Key points:

  • Arctic Wolf reports a surge in attacks exploiting Fortinet vulnerabilities since December 12, 2025.
  • CVE-2025-59718 and CVE-2025-59719 allow attackers to bypass FortiCloud SSO authentication.
  • CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, urging immediate remediation.
  • Organizations are advised to disable FortiCloud SSO, apply patches, and rotate credentials to mitigate risks.
  • Exfiltrated configuration files could lead to targeted attacks and network compromises.
Sources: CSO Online (1 article)
💣 Exploits
Cisco Alerts on Unpatched AsyncOS Zero-Day Exploited by Chinese Threat Group
Cisco warns of a critical AsyncOS zero-day exploited by UAT-9686, affecting specific email appliances.

Key points:

  • The vulnerability, tracked as CVE-2025-20393, is exploited when the Spam Quarantine feature is enabled and exposed to the internet.
  • Attacks involve deploying AquaShell backdoors and other malware like AquaTunnel and Chisel.
  • Cisco recommends restricting access to vulnerable appliances and implementing strong security measures.
  • The campaign has been active since at least late November 2025, with attacks detected on December 10.
  • Cisco advises affected customers to contact their Technical Assistance Center for support.
Sources: Bleeping Computer (1 article)
📰 Malware
Cellik Android Malware Offers Malicious App Creation from Google Play Store
Cellik malware enables the creation of malicious app variants from Google Play Store applications.

Key points:

  • Cellik is marketed on underground forums for $150/month or $900 for lifetime access.
  • The malware can capture real-time screen activity, intercept notifications, and exfiltrate files.
  • It claims to bypass Google Play security by embedding malware in trusted apps.
  • Cellik includes features for injecting malicious code and overlaying fake login screens.
Sources: Bleeping Computer (1 article)
