TRENDING TOPICS

Android Zero-Day Exploits Exposed in March 2025 Security Update

Google has patched 43 security flaws in its March 2025 Android update, including two that have been exploited in the wild. The first, CVE-2024-50302, is a high-severity information disclosure vulnerability in the Linux kernel's Human Interface Device (HID) driver. It was one link in a zero-day exploit chain developed by Cellebrite that Serbian authorities reportedly used to unlock confiscated Android devices. The same chain also used CVE-2024-53104, a USB Video Class (UVC) driver flaw patched in February, and a third vulnerability in the ALSA USB-audio driver; all three are USB driver bugs triggered by plugging a crafted device into the phone, which is why a seized, locked handset is the attack scenario. Amnesty International's Security Lab uncovered the chain while analyzing logs from a compromised device. The second zero-day, CVE-2024-43093, is a privilege escalation flaw in the Android Framework: a path filter meant to keep apps out of sensitive directories applied Unicode normalization incorrectly, so a path spelled with equivalent but differently encoded characters could get past the check, with no additional execution privileges required. Alongside these, Google fixed multiple remote code execution bugs and published two security patch levels, 2025-03-01 and 2025-03-05. Pixel devices receive the fixes immediately, while other manufacturers roll them out in stages. These zero-days are part of a pattern: a Serbian government-backed spyware campaign uncovered in late 2024 relied on a different Android zero-day. Google says it knew of the vulnerabilities before the public reports and had already shared fixes with OEM partners in January. 
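As an added illustration of the bug class behind CVE-2024-43093, and not Android's own code, the Python snippet below puts a path filter that compares the raw string next to one that normalizes before checking. The restricted prefixes, the NFKC form and the downstream resolve step are assumptions made for the example; the real Framework code and the exact normalization it mishandled are not reproduced here.

```python
import unicodedata

# Illustrative restricted prefixes standing in for the sensitive app directories
# a framework filter protects; hypothetical, not the AOSP list.
RESTRICTED_PREFIXES = ("Android/data/", "Android/obb/")

# Assumption: the component that finally opens the path normalizes it (NFKC here).
# The bug class is a filter and a consumer that disagree on what a path means.
NORMAL_FORM = "NFKC"


def resolve(path: str) -> str:
    """Hypothetical downstream consumer: normalizes, then 'opens' the path."""
    return unicodedata.normalize(NORMAL_FORM, path)


def is_hidden_naive(path: str) -> bool:
    """Vulnerable pattern: the raw string is checked, so a path that only
    becomes 'Android/data/...' after normalization passes the filter."""
    return path.startswith(RESTRICTED_PREFIXES)


def is_hidden_hardened(path: str) -> bool:
    """Hardened pattern: normalize with the same form the consumer uses
    before comparing, so filter and consumer always see the same path."""
    canonical = unicodedata.normalize(NORMAL_FORM, path)
    return canonical.startswith(RESTRICTED_PREFIXES)


def check_access(path: str, filter_fn) -> tuple:
    """Return (blocked, opened_path): what the filter decided and, if it let
    the request through, the path the consumer would actually open."""
    if filter_fn(path):
        return True, None
    return False, resolve(path)


if __name__ == "__main__":
    # Fullwidth 'a' (U+FF41) inside "data" is not 'a' until NFKC folds it.
    evil = "Android/d\uff41ta/com.example.app/secret.db"
    print(check_access(evil, is_hidden_naive))     # (False, 'Android/data/com.example.app/secret.db')
    print(check_access(evil, is_hidden_hardened))  # (True, None)
```

The naive filter lets the fullwidth spelling through and the consumer then opens the real restricted directory. A stricter variant of the hardened filter rejects any path that changes under normalization at all, which removes the whole class of lookalike spellings at the cost of refusing some legitimate non-canonical names.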

Three VMware Zero-Days Exploited in the Wild 

Broadcom has alerted customers to three VMware zero-day vulnerabilities that are being exploited in attacks, reported to it by the Microsoft Threat Intelligence Center. The flaws, CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, affect VMware ESX products, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation and Telco Cloud Platform. An attacker who already holds administrator or root privileges inside a guest virtual machine can chain them to escape the VM's sandbox and take control of the hypervisor. CVE-2025-22224 is a critical heap overflow, a time-of-check/time-of-use bug, in the VMCI (Virtual Machine Communication Interface) component that lets such an attacker execute code as the VM's VMX process on the host. CVE-2025-22225 is an arbitrary write in ESXi that lets the VMX process write into kernel memory, completing the sandbox escape. CVE-2025-22226 is an out-of-bounds read in HGFS (the host-guest file sharing component) that lets an attacker with admin rights in a VM leak memory from the VMX process, the kind of leak typically used to defeat memory-layout protections before the other two bugs are triggered. Broadcom has confirmed in-the-wild exploitation, and its advisory lists no workaround, so patching is the only remedy. VMware products are frequent targets for ransomware groups and state-sponsored actors because of their widespread use in enterprise environments that handle sensitive corporate data. Microsoft has not yet published further details of the attacks.

Mass Exploitation Campaign Targets ISPs in China and U.S. West Coast 

Internet service providers in China and on the United States West Coast are the targets of a large-scale exploitation campaign that deploys information stealers and cryptocurrency miners. The Splunk Threat Research Team, which uncovered the activity, reports that the attackers use a small set of binaries to exfiltrate data and maintain persistence on compromised systems while keeping their footprint minimal to avoid detection. They lean on scripting languages such as Python and PowerShell and use API calls, including the Telegram Bot API, for command and control. Intrusions begin with brute-force attempts against weak credentials from more than 4,000 IP addresses associated with Eastern Europe; with that many sources, per-IP lockouts and rate limits alone will not catch the activity, so defenders need to count distinct sources per target. Once inside, the attackers use PowerShell to drop executables for network scanning, data theft and XMRig cryptocurrency mining, which hijacks the victim's processing power. Before launching the payloads they disable security features and terminate services that would detect cryptominers. The stealer captures screenshots and doubles as a clipper, monitoring clipboard content for cryptocurrency wallet addresses of Bitcoin, Ethereum, Binance Chain BEP2, Litecoin and TRON. Stolen data is sent to a Telegram bot. Additional binaries include Auto.exe, which downloads password and IP lists for further brute-force attacks, and Masscan.exe, a network scanner used to find open ports for follow-on exploitation. The attackers specifically targeted CIDR ranges belonging to ISPs in China and on the U.S. West Coast, scanning large numbers of addresses for weaknesses before launching brute-force attempts. 
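Two of the behaviours described above are easy to hunt for in endpoint and authentication telemetry: failed logons from many distinct sources against one host, and PowerShell spawning the named tooling or disabling defenses. The Python below is an added example, not Splunk's detection content, run over constructed log lines in a simple key=value format; the log format, the thresholds, and the defense-evasion command patterns are assumptions, while the tool names (Masscan.exe, Auto.exe, XMRig) come from the write-up above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample telemetry (not real logs from the campaign). Source
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
2025-03-04T10:00:01Z host=edge-01 event=logon_failed src=203.0.113.5 user=admin
2025-03-04T10:00:02Z host=edge-01 event=logon_failed src=203.0.113.6 user=admin
2025-03-04T10:00:03Z host=edge-01 event=logon_failed src=203.0.113.7 user=root
2025-03-04T10:00:04Z host=edge-01 event=logon_failed src=203.0.113.8 user=admin
2025-03-04T10:00:05Z host=edge-01 event=logon_failed src=203.0.113.9 user=admin
2025-03-04T10:00:09Z host=edge-01 event=logon_ok src=203.0.113.9 user=admin
2025-03-04T10:02:00Z host=edge-02 event=logon_failed src=198.51.100.20 user=backup
2025-03-04T10:31:00Z host=edge-02 event=logon_failed src=198.51.100.20 user=backup
2025-03-04T10:03:00Z host=edge-01 event=process_start parent=powershell.exe image=C:\Users\Public\masscan.exe cmd="masscan.exe -p22,3389 198.51.100.0/24"
2025-03-04T10:03:05Z host=edge-01 event=process_start parent=powershell.exe image=C:\Windows\System32\cmd.exe cmd="cmd /c Set-MpPreference -DisableRealtimeMonitoring $true"
2025-03-04T10:04:00Z host=edge-02 event=process_start parent=explorer.exe image="C:\Program Files\Editor\editor.exe" cmd="editor.exe notes.txt"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tool names from the campaign write-up; the evasion patterns are assumptions
# about what "disable security features" looks like on a Windows host.
TOOL_NAMES = {"masscan.exe", "auto.exe", "xmrig.exe"}
EVASION = re.compile(r"Set-MpPreference\s+-Disable|Stop-Service|sc\s+stop|taskkill", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, value in KV.findall(rest):
        event[key] = value.strip('"')
    return event


def distributed_brute_force(events, min_sources=5, window_seconds=300):
    """Alert once per host that sees failed logons from at least min_sources
    distinct addresses inside a sliding window of window_seconds."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon_failed":
            per_host[ev["host"]].append(ev)
    alerts = []
    for host, failures in per_host.items():
        failures.sort(key=lambda e: e["ts"])
        window = deque()
        for ev in failures:
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()          # drop failures older than the window
            sources = {e["src"] for e in window}
            if len(sources) >= min_sources:
                alerts.append({"host": host, "sources": len(sources),
                               "first": window[0]["ts"], "last": ev["ts"]})
                break                     # one alert per host keeps output readable
    return alerts


def post_access_tooling(events):
    """Flag process starts where PowerShell launches a known campaign tool,
    or where the command line matches a defense-evasion pattern."""
    hits = []
    for ev in events:
        if ev.get("event") != "process_start":
            continue
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if ev.get("parent", "").lower() == "powershell.exe" and image in TOOL_NAMES:
            reasons.append("known tool spawned by PowerShell")
        if EVASION.search(ev.get("cmd", "")):
            reasons.append("defense evasion command")
        if reasons:
            hits.append({"host": ev["host"], "image": image, "reasons": reasons})
    return hits


def run(log_text: str = SAMPLE_LOG):
    """Parse the log and return (brute-force alerts, tooling hits)."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    return distributed_brute_force(events), post_access_tooling(events)


if __name__ == "__main__":
    brute, tools = run()
    for a in brute:
        print(f"[brute force] {a['host']}: {a['sources']} sources between {a['first']} and {a['last']}")
    for h in tools:
        print(f"[tooling] {h['host']}: {h['image']} ({', '.join(h['reasons'])})")
```

On the sample data edge-01 fires both detections (five distinct sources in four seconds, then masscan.exe under PowerShell and a Defender real-time monitoring toggle), while edge-02, with two failures from one address half an hour apart, stays quiet. The distinct-source count is the point: a threshold on failures per source IP would never trigger against a 4,000-address brute-force pool.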

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.