TRENDING TOPICS SEPT 05, 2025

CISA Issues Urgent Alert on Android Runtime 0-Day Under Active Exploitation

CISA has issued an urgent alert for CVE-2025-48543, a zero-day use-after-free vulnerability in the Android Runtime (ART) that is confirmed to be under active exploitation. In a use-after-free, code keeps using a memory allocation after it has been released; an attacker who can control what the allocator places in the freed region can corrupt the runtime's memory state and potentially execute arbitrary code. CISA's KEV entry describes the flaw as allowing a Chrome sandbox escape and local privilege escalation: an attacker who already has code running inside the sandboxed renderer (the isolation boundary for web content) can use it to break out and gain elevated privileges on the device. Successful exploitation would enable a threat actor to take complete control of the device, install persistent malware, harvest sensitive data, or disable protective services, a significant risk to individuals and organizations alike.

The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on September 4, 2025, with a remediation deadline of September 25. Federal civilian agencies are bound to that deadline by Binding Operational Directive 22-01, which requires KEV entries to be remediated by their due dates; other organizations should treat the same date as their baseline. Given the ubiquity of Android across billions of smartphones and enterprise endpoints, the systemic risk presented by CVE-2025-48543 is considerable. An attacker with elevated privileges could read personal communications, extract authentication tokens, intercept financial transactions, and pivot into enterprise systems through unmanaged or poorly secured devices. That profile makes the bug attractive not only to cybercriminal groups but also to state-aligned actors seeking espionage or persistent surveillance capabilities. For organizations, a single compromised device can open lateral movement opportunities into corporate networks, so a swift and coordinated response is warranted.

CISA advises applying vendor-supplied patches as soon as they are available (the fix ships through the September 2025 Android Security Bulletin and the corresponding OEM updates), enforcing configuration hardening guidance, and monitoring Android endpoints for anomalies consistent with privilege escalation. Where patches are not yet available for a given device model, high-risk environments should consider temporarily removing those devices from service until updates are applied.
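One practical check for the advice above, added here as an example (it is not CISA's or Google's code): parse the output of `adb shell getprop` from each managed device and sort the fleet into patched, vulnerable, unpatchable and unknown. The fix patch level (2025-09-01) and the oldest release still receiving bulletins (assumed: Android 13) are assumptions to confirm against the September 2025 Android Security Bulletin and your OEMs' release notes; the sample fleet data is constructed.

```python
"""Fleet triage for CVE-2025-48543 from `adb shell getprop` output.

Added example, not CISA's or Google's code. Assumptions (verify against the
September 2025 Android Security Bulletin and your OEM's release notes):
the fix ships at security patch level 2025-09-01 or later, and devices on an
Android release that no longer receives monthly bulletins (assumed here:
anything below Android 13) cannot be patched and should leave high-risk
service, as the alert recommends.
"""
from __future__ import annotations

import re
from datetime import date

FIX_PATCH_LEVEL = date(2025, 9, 1)   # assumption, see module docstring
OLDEST_SUPPORTED_RELEASE = 13        # assumption, see module docstring

# `adb shell getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(output: str) -> dict[str, str]:
    """Turn getprop output into a dict; lines that are not key/value pairs are skipped."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value: str) -> date | None:
    """ro.build.version.security_patch is YYYY-MM-DD; None if missing or garbled."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        return None
    try:
        return date(*(int(x) for x in m.groups()))
    except ValueError:        # e.g. 2025-13-01 on a tampered or odd build
        return None


def triage(props: dict[str, str]) -> str:
    """Classify one device: 'patched', 'vulnerable', 'unpatchable' or 'unknown'."""
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if patch is None:
        return "unknown"
    if patch >= FIX_PATCH_LEVEL:
        return "patched"
    major = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if major and int(major.group()) < OLDEST_SUPPORTED_RELEASE:
        return "unpatchable"
    return "vulnerable"


def triage_fleet(getprop_by_serial: dict[str, str]) -> dict[str, str]:
    """Map device serial -> triage result, for output collected with
    `adb -s <serial> shell getprop` on each enrolled device."""
    return {serial: triage(parse_getprop(out)) for serial, out in getprop_by_serial.items()}


# Constructed sample output (trimmed to the two properties that matter).
SAMPLE_FLEET = {
    "pixel-lab-1": "[ro.build.version.release]: [15]\n"
                   "[ro.build.version.security_patch]: [2025-09-05]\n",
    "sales-tab-7": "[ro.build.version.release]: [14]\n"
                   "[ro.build.version.security_patch]: [2025-07-05]\n",
    "kiosk-old-2": "[ro.build.version.release]: [11]\n"
                   "[ro.build.version.security_patch]: [2023-02-05]\n",
    "no-props-3":  "error: device offline\n",
}

if __name__ == "__main__":
    for serial, status in triage_fleet(SAMPLE_FLEET).items():
        print(f"{serial:12} {status}")
```

Devices that come back "unknown" (no properties, offline, or a patch string that does not parse) deserve the same handling as "vulnerable" until someone looks at them; a build that reports an impossible date is itself worth a closer look.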

Electron CVE-2025-55305 Exploits Heap Snapshots to Bypass Integrity Protections

A critical vulnerability tracked as CVE-2025-55305 has been uncovered in Electron, the framework behind many widely used desktop applications, including Signal, 1Password and Slack. The flaw centres on V8 heap snapshots, a startup-performance mechanism inherited from Chromium: rather than initialising the JavaScript environment on every launch, the build serialises pre-initialised objects into a snapshot file that V8 maps into memory when the process starts. Electron's integrity fuses, EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar, verify that the packaged application code inside the ASAR archive has not been altered, but the snapshot file lives outside the ASAR and was not covered by that check. An attacker with write access to the application's install directory (on many systems a user-writable location) can therefore inject arbitrary code into the snapshot. Because V8 loads the snapshot before any application JavaScript runs, the injected code executes on every launch with the application's full privileges while code signatures and ASAR integrity checks still pass, so the tampering is silent.

A Trail of Bits researcher demonstrated practical exploitation by replacing built-in JavaScript functions in the snapshot with malicious logic, executing unsigned code inside Slack, Signal and 1Password. Proof-of-concept backdoors included a keylogger embedded in Slack chat windows and payloads that exfiltrated vault contents from 1Password and private messages from Signal. Google Chrome was also shown to be affected where its snapshot files were writable; Chrome's security model explicitly excludes a local attacker with write access to the install directory, so the technique yields persistence without breaking the binary's digital signature. The research highlights that performance shortcuts can create overlooked attack surfaces in modern software ecosystems.

Vendors responded quickly: 1Password patched the issue in v8.11.8-40, Signal and Slack issued updates, and Electron released fixes. Developers should move to an Electron release that validates heap snapshots, enable both integrity fuses, install applications (snapshot files included) in locations only administrators can write, and apply the same scrutiny to preload scripts and any other file the process loads before the ASAR integrity check runs. End users should update to the patched versions immediately to close off this attack vector.
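An added example, not Electron's or Trail of Bits' code, for checking an installed application the way the research describes: locate the V8 snapshot files and report whether the current user could replace them. The file names (v8_context_snapshot.bin, browser_v8_context_snapshot.bin, snapshot_blob.bin) are assumed from Electron and Chromium builds; adjust them for your application.

```python
"""Report V8 snapshot files in an installed Electron app that the current
user could replace. Added example; not Electron's or Trail of Bits' code.

Assumed snapshot file names: v8_context_snapshot.bin,
browser_v8_context_snapshot.bin and snapshot_blob.bin (the names Electron
and Chromium builds use; add your app's if it ships others). A snapshot counts
as tamperable if the file itself, or any directory between it and the app root,
is writable: a writable parent lets an attacker rename a read-only file and
drop a replacement, so file permissions alone are not enough.
"""
from __future__ import annotations

import os
import sys
from pathlib import Path

SNAPSHOT_NAMES = {
    "v8_context_snapshot.bin",
    "browser_v8_context_snapshot.bin",
    "snapshot_blob.bin",
}


def find_snapshots(app_root: str | os.PathLike) -> list[Path]:
    """All snapshot files under the app root (walks into .app bundles too)."""
    root = Path(app_root)
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name in SNAPSHOT_NAMES)


def tamper_points(path: Path, app_root: Path) -> list[Path]:
    """Writable locations (the file or any ancestor dir down to app_root) that
    let the current user swap this snapshot; empty list means no obvious path."""
    path, app_root = path.resolve(), app_root.resolve()
    hits: list[Path] = []
    if os.access(path, os.W_OK):
        hits.append(path)
    for parent in path.parents:
        if os.access(parent, os.W_OK):
            hits.append(parent)
        if parent == app_root:
            break
    return hits


def audit(app_root: str | os.PathLike) -> dict[str, list[str]]:
    """Map snapshot path (relative to app_root) -> writable locations."""
    root = Path(app_root)
    return {
        str(snap.relative_to(root)): [str(h) for h in tamper_points(snap, root)]
        for snap in find_snapshots(root)
    }


if __name__ == "__main__":
    # e.g. python3 audit_snapshots.py "/Applications/Slack.app"
    #      python3 audit_snapshots.py "C:\Users\me\AppData\Local\slack"
    report = audit(sys.argv[1])
    if not report:
        print("no snapshot files found under", sys.argv[1])
    for snap, hits in report.items():
        print(("TAMPERABLE " if hits else "ok         ") + snap)
        for h in hits:
            print("    writable:", h)
```

Run it as the ordinary account that launches the application, not as administrator or root, since for a privileged user every path looks writable. A clean result only says the snapshot cannot be swapped by that user; whether the running Electron version validates the snapshot at load is a separate question, and the fuse state can be read with `npx @electron/fuses read --app <path>`.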

NightshadeC2 Botnet Uses UAC Prompt Bombing to Evade Windows Defenses

Researchers at eSentire have detailed NightshadeC2, a newly emerging botnet that uses a UAC prompt-bombing technique to defeat Windows Defender and other endpoint protections. The malware's .NET loader loops indefinitely, spawning UAC prompts for PowerShell commands that add Defender exclusions covering its final payload. A victim who clicks No is simply prompted again, until the system is unusable and the prompt is accepted, at which point the exclusion is written and the payload runs with elevated privileges. The same loop stalls malware sandboxes: Defender is typically disabled there, the exclusion command never succeeds, and the loader spins forever without ever dropping the payload for analysis.

NightshadeC2 exists in C and Python variants. The C variant carries an extensive toolkit: reverse shell access, credential theft, screen capture, a hidden browser, and RC4-encrypted C2 traffic. The Python variant, believed to have been produced with automation or a large language model, is leaner and focuses on reverse shells, file downloads and payload execution, but benefits from lower antivirus visibility. Distribution uses ClickFix-style phishing lures posing as CAPTCHA pages for well-known services, as well as trojanized installers of trusted software including ExpressVPN, Advanced IP Scanner and CCleaner. Once deployed, the malware persists through Winlogon, RunOnce and Active Setup registry keys, queries external IP-lookup services to detect VPN use or a sandbox, and runs a keylogger tied to hidden process windows, storing its logs in disguised files with names such as "JohniiDepp" or "LuchiiSvet". Beyond prompt bombing it carries two further elevation paths: an RPC server bypass first documented in 2019, and a DiskCleanup scheduled-task abuse chain on older Windows versions that leverages LOLBins for silent elevation.

These layered capabilities let NightshadeC2 keep long-term, stealthy control of infected hosts. Recommended defences: disable the Windows Run dialog through Group Policy to blunt ClickFix lures, tighten application allowlisting, deploy NGAV/EDR capable of flagging registry-based persistence and anomalous UAC prompt activity, obtain software only from trusted sources, and train users to recognise deceptive prompts and fake installers. Only a multi-layered strategy disrupts this botnet's persistence model.
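An added example, not eSentire's code, of the registry and Defender review suggested above. It runs over data exported from a host (the text printed by `reg query` and the exclusion list from `Get-MpPreference`) so it works on triage collections as well as live systems. The clean Winlogon defaults and the list of user-writable path patterns are assumptions; the sample export is constructed.

```python
"""Hunt for the NightshadeC2 persistence and defence-tampering patterns in
data exported from a Windows host: non-default Winlogon Shell/Userinit,
RunOnce entries, Active Setup stubs in user-writable paths, and Defender
exclusions that cover user-writable paths (the loader adds exclusions via
the UAC prompts it spams).

Added example, not eSentire's code. Input is the text printed by
`reg query <key>` (or `reg query ... /s`), several runs concatenated, plus the
ExclusionPath list from `Get-MpPreference`. Assumed clean defaults:
Shell=explorer.exe and Userinit=C:\\Windows\\system32\\userinit.exe,
The samples at the bottom are constructed, not real telemetry.
"""
from __future__ import annotations

import re

# reg query prints the key path flush left, then each value indented as
# "<name>    <REG_TYPE>    <data>" with runs of spaces between columns.
_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

# Paths an unprivileged user can normally write to (assumed list).
_USER_WRITABLE_RE = re.compile(
    r"(?i)\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\programdata\\|\\public\\|\\downloads\\"
)

WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": "C:\\Windows\\system32\\userinit.exe,",
}


def parse_reg_query(text: str) -> dict[str, dict[str, tuple[str, str]]]:
    """key path -> {value name: (REG_TYPE, data)}"""
    keys: dict[str, dict[str, tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # a key path line
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3).rstrip())
    return keys


def is_user_writable(path: str) -> bool:
    return bool(_USER_WRITABLE_RE.search(path))


def audit_registry(keys: dict[str, dict[str, tuple[str, str]]]) -> list[tuple[str, str, str, str]]:
    """Return (key, value name, data, reason) tuples worth an analyst's eyes."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\winlogon"):
            for name, default in WINLOGON_DEFAULTS.items():
                data = values.get(name, ("", ""))[1]
                if name in values and data.strip().lower() != default.lower():
                    findings.append((key, name, data, "non-default Winlogon value"))
        elif k.endswith("\\runonce"):
            # Legitimate installers use RunOnce briefly; anything still here is worth a look.
            for name, (_, data) in values.items():
                findings.append((key, name, data, "RunOnce entry"))
        elif "\\active setup\\installed components\\" in k:
            data = values.get("StubPath", ("", ""))[1]
            if data and is_user_writable(data):
                findings.append((key, "StubPath", data, "Active Setup stub in user-writable path"))
    return findings


def audit_exclusions(exclusion_paths: list[str]) -> list[str]:
    """Defender exclusions that blanket a user-writable directory."""
    return [p for p in exclusion_paths if is_user_writable(p)]


SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\Users\bob\AppData\Roaming\svc\update.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Loader    REG_SZ    C:\Users\bob\AppData\Local\Temp\ld.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}
    StubPath    REG_SZ    C:\Users\Public\Libraries\run.exe
    IsInstalled    REG_DWORD    0x1
"""

SAMPLE_EXCLUSIONS = [
    r"C:\Program Files\Vendor\agent",
    r"C:\Users\bob\AppData\Local\Temp",
]

if __name__ == "__main__":
    for key, name, data, reason in audit_registry(parse_reg_query(SAMPLE_REG)):
        print(f"[{reason}] {key} :: {name} = {data}")
    for path in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"[suspicious Defender exclusion] {path}")
```

Collect the input with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`, `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` (plus the HKLM and Wow6432Node variants), `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s`, and `(Get-MpPreference).ExclusionPath` in PowerShell; concatenate the reg output into one file and feed it to parse_reg_query.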

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. They reflect a constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and available remediation guidance.

CVE Security Vulnerability Dashboard

CVE-2025-9074
Severity: Critical | Product: Docker Desktop | Class: Container escape
A flaw in Docker Desktop lets a local Linux container reach the Docker Engine API at 192.168.65.7:2375 without authentication. A process inside any container can then create, start and stop other containers, pull and manage images, and in some cases mount the host's drives, which amounts to a container escape.
Mitigation: Update Docker Desktop to a fixed release. Until then, treat every container as able to reach the engine API: restrict container-to-host networking, avoid running untrusted images, and review container configurations and network policies for access to the API endpoint.
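An added example, not Docker's code: a probe that answers the question this finding raises for any container you run, namely whether the engine API listens on the address the advisory names with no authentication. The host, port and the lab listener's version strings are assumptions; on a patched Docker Desktop the probe should return None.

```python
"""Probe, from inside a container, whether the Docker Desktop engine API is
reachable with no authentication (CVE-2025-9074).

Added example, not Docker's code. 192.168.65.7:2375 is the address the
advisory names; pass another host/port to test a lab listener instead.
Run it inside any container that has Python, e.g.
  docker run --rm -v "$PWD/probe.py:/probe.py" python:3-slim python3 /probe.py
"""
from __future__ import annotations

import contextlib
import http.client
import http.server
import json
import threading

ENGINE_API = ("192.168.65.7", 2375)


def probe_engine_api(host: str = ENGINE_API[0], port: int = ENGINE_API[1],
                     timeout: float = 2.0) -> dict | None:
    """GET /version on the engine API; the parsed JSON if it answers, else None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read().decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException, ValueError):
        return None          # refused, timed out, not HTTP, or not JSON
    finally:
        conn.close()


def summarize(result: dict | None) -> str:
    if result is None:
        return "engine API not reachable from here"
    return (f"EXPOSED: unauthenticated engine API answered, "
            f"Version={result.get('Version', '?')} ApiVersion={result.get('ApiVersion', '?')}")


@contextlib.contextmanager
def lab_listener(version: str = "28.3.2", api_version: str = "1.51"):
    """Loopback stand-in for the engine API so the probe's positive path can be
    exercised outside Docker. Yields the bound port. (Version strings are made up.)"""
    body = json.dumps({"Version": version, "ApiVersion": api_version}).encode()

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200 if self.path == "/version" else 404)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        yield srv.server_address[1]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(summarize(probe_engine_api()))
```

A positive result from inside a container means any process in that container, including one spawned by a compromised application, can drive the engine; a None result only says this container cannot reach that address, so repeat the probe from each network configuration you actually run.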
CVE-2025-29927
Severity: Critical | Product: Next.js | Class: Middleware authorization bypass
Next.js before 12.3.5, 13.5.9, 14.2.25 and 15.2.3 skips middleware for requests that carry the x-middleware-subrequest header, an internal header the framework uses to mark its own sub-requests. Any authentication or authorization implemented in middleware can be bypassed by sending that header, exposing protected routes and potentially sensitive application data.
Mitigation: Upgrade to a patched version. Where that is not immediately possible, drop or reject external requests carrying the x-middleware-subrequest header at the edge (reverse proxy, WAF or CDN) so they never reach the application, and audit access logs for protected routes reached without a corresponding authentication event.
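Two added checks for this finding, written here as an example rather than taken from Vercel: a version test against the patched releases listed above, and a filter that rejects external requests carrying x-middleware-subrequest. The filter is shown as a WSGI wrapper to illustrate where it belongs (in front of the application); a reverse proxy rule is the production equivalent, for instance in nginx `if ($http_x_middleware_subrequest) { return 403; }`.

```python
"""Two checks for CVE-2025-29927. Added example, not Vercel's code.

1. next_is_vulnerable(): is an installed `next` version inside the affected
   range? Uses the patched versions the advisory lists (12.3.5, 13.5.9,
   14.2.25, 15.2.3); majors outside 12-15 return None ("consult the advisory").
2. block_subrequest_header(): an edge-side filter that rejects any external
   request carrying x-middleware-subrequest, the interim mitigation when the
   upgrade cannot ship immediately. It is a WSGI wrapper purely to show where
   the filter belongs (in front of the app, never inside the Next.js
   middleware the header disables); the same rule goes in your proxy.
"""
from __future__ import annotations

import re

PATCHED = {12: (12, 3, 5), 13: (13, 5, 9), 14: (14, 2, 25), 15: (15, 2, 3)}
BLOCKED_HEADER = "x-middleware-subrequest"


def parse_version(version: str) -> tuple[int, int, int]:
    """Numeric core of a version string; pre-release tags (15.2.3-canary.7)
    are compared by that core only, so treat canaries as unverified."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def next_is_vulnerable(version: str) -> bool | None:
    core = parse_version(version)
    fixed = PATCHED.get(core[0])
    return None if fixed is None else core < fixed


def has_bypass_header(headers: dict[str, str]) -> bool:
    """True if the request carries the header under any capitalisation."""
    return any(name.lower() == BLOCKED_HEADER for name in headers)


def block_subrequest_header(app):
    """WSGI wrapper: answer 403 to any request that carries the bypass header."""
    env_key = "HTTP_" + BLOCKED_HEADER.upper().replace("-", "_")  # HTTP_X_MIDDLEWARE_SUBREQUEST

    def wrapper(environ, start_response):
        if env_key in environ:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)

    return wrapper


def simulate(environ: dict) -> str:
    """Push one WSGI environ through the filter in front of a stub app and
    return the status line, so the rule can be checked without a server."""
    status: list[str] = []

    def stub_app(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"protected content\n"]

    block_subrequest_header(stub_app)(environ, lambda s, h: status.append(s))
    return status[0]


if __name__ == "__main__":
    for v in ("14.2.24", "14.2.25", "15.2.3-canary.7", "11.1.4"):
        print(v, "->", next_is_vulnerable(v))
    print(simulate({"PATH_INFO": "/admin"}))
    print(simulate({"PATH_INFO": "/admin", "HTTP_X_MIDDLEWARE_SUBREQUEST": "middleware"}))
```

Read the version from the resolved `next` entry in package-lock.json or `node_modules/next/package.json` rather than the caret range in package.json, since the range says nothing about what is actually installed. Blocking the header at the edge must not strip it from the framework's own internal sub-requests, which is why the rule belongs on the boundary facing the internet, not inside the application.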
CVE-2024-52284
Severity: Medium | Product: Totolink X6000R router | Class: Command injection
Totolink X6000R firmware V9.4.0cu.1360_B20241207 does not sanitize the tz parameter before it is used in a system command, so an unauthenticated attacker who can reach the affected service can execute arbitrary commands on the router, potentially compromising the device completely.
Mitigation: Apply the latest Totolink firmware. Until a fix is installed, make sure the management interface is not reachable from the WAN, restrict which LAN hosts can reach it, and monitor the router for unexpected processes or outbound connections.
Summary: 3 CVEs this week; 2 rated Critical; 2 exploitable without authentication; 3 distinct attack vectors (container escape, middleware bypass, command injection).
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.