nRootTag: Bluetooth Exploit Turns Apple’s Find My Network Into a Covert Tracking System
Security researchers have identified nRootTag, a Bluetooth-based tracking vulnerability in Apple's Find My network that could turn nearly any Bluetooth-enabled device into a covert tracking beacon. The exploit takes advantage of Apple’s offline finding protocol, which allows lost devices to broadcast encrypted Bluetooth signals that nearby Apple devices relay to Apple’s servers. Researchers found that Apple does not authenticate whether these Bluetooth signals originate from legitimate Apple devices, allowing attackers to inject spoofed tracking signals into the network. This flaw enables unauthorized surveillance by leveraging Apple’s ecosystem of roughly 1.5 billion devices to track individuals without their knowledge. Attackers can spoof Bluetooth signals from compromised computers, smartphones, or even IoT devices, using precomputed cryptographic keys to retrieve the device's location through Apple’s tracking system. Apple has released patches in iOS, macOS, and watchOS updates (15.2–18.2) that validate device signatures, but many unpatched devices remain vulnerable. Researchers demonstrated that even a single outdated Apple device near a spoofed tracker could still relay its location, keeping the attack viable despite the updates. Testing showed that low-cost GPU clusters could generate tracking keys in minutes, making the attack scalable and accessible. Security experts warn that third-party tracking networks could adopt similar techniques, increasing the risk of widespread covert tracking through Bluetooth-enabled devices. To mitigate this threat, enterprises should audit Bluetooth-enabled assets, monitor for anomalous Bluetooth traffic, and enforce firmware updates so that vulnerable devices are patched against potential exploitation.
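The "monitor anomalous Bluetooth traffic" advice above is easier to act on with something concrete to run over a capture. The following is an added example, not code from the article or from Apple: it picks Find My offline-finding advertisements out of raw BLE advertising payloads and counts distinct beacon keys per capture window, so a site survey can compare against a baseline. The frame layout (manufacturer-specific data, company ID 0x004C, sub-type 0x12, a 25-byte body of status byte plus 22 key bytes plus two trailing bytes) is an assumption taken from public descriptions of the protocol; the sample frames are constructed.

```python
"""Added example (not from the article or from Apple): detector that picks
Apple Find My offline-finding advertisements out of raw BLE advertising
payloads and counts distinct beacon keys seen in a capture window.
The frame layout constants below are assumptions from public protocol
descriptions, not values taken from the page."""
from collections import Counter

APPLE_COMPANY_ID = 0x004C     # assumed: Bluetooth SIG company ID used by Apple
OFFLINE_FINDING_TYPE = 0x12   # assumed: Apple sub-type for Find My beacons
MANUFACTURER_DATA = 0xFF      # standard AD type for manufacturer-specific data


def parse_ad_structures(payload: bytes):
    """Split a BLE advertising payload into (ad_type, data) tuples.
    Stops at the first malformed length byte instead of raising."""
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            break
        structures.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def extract_offline_finding_key(payload: bytes):
    """Return the 22-byte key fragment if the payload carries a Find My
    offline-finding beacon in the assumed layout, otherwise None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != MANUFACTURER_DATA or len(data) < 4:
            continue
        company = int.from_bytes(data[0:2], "little")
        if company != APPLE_COMPANY_ID or data[2] != OFFLINE_FINDING_TYPE:
            continue
        body = data[4:4 + data[3]]
        if len(body) < 23:            # status byte + 22 key bytes required
            continue
        return bytes(body[1:23])
    return None


def distinct_beacon_keys(frames):
    """frames: iterable of raw advertising payloads from one capture window.
    Returns a Counter mapping key fragment -> number of frames carrying it."""
    seen = Counter()
    for payload in frames:
        key = extract_offline_finding_key(payload)
        if key is not None:
            seen[key] += 1
    return seen


def exceeds_baseline(frames, baseline_distinct_keys: int) -> bool:
    """True when a window shows more distinct Find My keys than the site
    baseline, the kind of anomaly the article suggests monitoring for."""
    return len(distinct_beacon_keys(frames)) > baseline_distinct_keys


def make_sample_frame(key: bytes, status: int = 0x00) -> bytes:
    """Build a constructed test frame in the assumed layout (test data only)."""
    if len(key) != 22:
        raise ValueError("key fragment must be 22 bytes")
    return (bytes([0x1E, MANUFACTURER_DATA, 0x4C, 0x00, OFFLINE_FINDING_TYPE, 0x19, status])
            + key + bytes([0x00, 0x00]))


# Constructed capture: three beacons with different keys (one seen twice)
# plus one unrelated advertisement (flags + complete local name).
SAMPLE_FRAMES = [
    make_sample_frame(bytes([0x11]) * 22),
    make_sample_frame(bytes([0x22]) * 22),
    make_sample_frame(bytes([0x22]) * 22),
    make_sample_frame(bytes([0x33]) * 22),
    bytes([0x02, 0x01, 0x06, 0x05, 0x09]) + b"lamp",
]

if __name__ == "__main__":
    counts = distinct_beacon_keys(SAMPLE_FRAMES)
    print(f"{len(counts)} distinct offline-finding keys in capture")
    print("anomalous:", exceeds_baseline(SAMPLE_FRAMES, baseline_distinct_keys=2))
```

In practice the frames come from a BLE sniffer or an HCI capture; the baseline is whatever a quiet survey of the same space normally yields, and a sustained jump in distinct keys with no matching change in the asset inventory is the signal worth investigating.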
PolarEdge Botnet Exploits EoL Devices
Security researchers have uncovered PolarEdge, a botnet campaign targeting end-of-life (EoL) devices from Cisco, ASUS, QNAP, and Synology that exploits multiple vulnerabilities to gain control over compromised systems. One of the primary exploits used is CVE-2023-20118, a flaw in Cisco Small Business routers that allows arbitrary command execution. These routers have reached EoL status, meaning no patches will be released, leaving them permanently vulnerable unless mitigations are applied, which include disabling remote management and blocking ports 443 and 60443. The PolarEdge malware, deployed through a shell script named "q", establishes a TLS backdoor, allowing attackers to maintain persistent access, execute commands, and convert infected devices into Operational Relay Boxes for launching cyberattacks. The malware operates continuously, connecting to its command-and-control infrastructure, relaying infection details, and executing malicious payloads. The attack is believed to be well-coordinated, with payloads distributed from an IP address associated with Huawei Cloud and primarily affecting devices in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina. Researchers estimate that PolarEdge has compromised over 2,000 unique IP addresses, highlighting the scale of the campaign. The botnet’s complexity suggests it is operated by skilled threat actors, potentially for espionage, data exfiltration, or large-scale cyberattacks. The malware’s persistence mechanisms ensure continued control over infected systems, with attackers modifying system files to maintain execution even after reboots. Additionally, similar payloads targeting QNAP and Synology NAS devices have been observed, indicating that the operation is expanding beyond routers to other edge infrastructure. Security teams are urged to isolate vulnerable devices, apply the available mitigations, and monitor network traffic for connections to known PolarEdge command-and-control servers.
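The mitigations above (block 443/60443, watch for C2 traffic) translate into three flow-log checks. The following is an added example, not code from the article or from the PolarEdge researchers: it flags management ports on EoL devices reached from outside admin ranges, connections from EoL devices to known C2 indicators, and unexpected outbound TLS from EoL devices, which is how a TLS backdoor would beacon. The flow-log format, device inventory, admin ranges and the C2 indicator set are constructed; the C2 entry is a placeholder to be replaced with indicators from the actual PolarEdge report.

```python
"""Added example (not from the article or the PolarEdge research): flow-log
detection logic for EoL edge devices. Inventory, ranges, log format and the
C2 indicator are constructed placeholders."""
import re
from ipaddress import ip_address, ip_network

# Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

EOL_DEVICES = {"192.0.2.10", "192.0.2.11"}   # constructed inventory of EoL routers/NAS
MGMT_PORTS = {443, 60443}                       # ports the advisory says to block
ADMIN_RANGES = [ip_network("10.0.0.0/8")]       # constructed: where admin sessions should come from
EXPECTED_EGRESS = {"192.0.2.50"}                # constructed: internal collector the devices may reach
KNOWN_C2 = {"198.51.100.23"}                    # PLACEHOLDER: substitute indicators from the PolarEdge report


def parse_flow(line: str):
    """Return a dict for a well-formed flow line, or None for anything else."""
    match = FLOW_RE.match(line.strip())
    if not match:
        return None
    flow = match.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def from_admin_range(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_RANGES)


def classify(flow):
    """Return (severity, reason) for a suspicious flow, or None if benign."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    # Inbound: management port on an EoL device reached from outside admin ranges.
    if dst in EOL_DEVICES and dport in MGMT_PORTS and not from_admin_range(src):
        return ("high", "remote management port reachable from a non-admin source")
    # Outbound from an EoL device: known C2 first, then any unexpected TLS egress.
    if src in EOL_DEVICES:
        if dst in KNOWN_C2:
            return ("critical", "connection to known PolarEdge C2 indicator")
        if dport == 443 and dst not in EXPECTED_EGRESS:
            return ("medium", "unexpected outbound TLS from EoL device (possible backdoor beacon)")
    return None


def scan(lines):
    """Run classify over raw log lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        hit = classify(flow)
        if hit is not None:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    "2025-02-24T10:00:01Z 10.1.2.3:51000 -> 192.0.2.10:443 tcp",        # admin session, fine
    "2025-02-24T10:00:05Z 203.0.113.7:41234 -> 192.0.2.10:60443 tcp",   # exposed management port
    "2025-02-24T10:00:09Z 192.0.2.10:34567 -> 198.51.100.23:443 tcp",   # beacon to placeholder C2
    "2025-02-24T10:00:12Z 192.0.2.11:34568 -> 192.0.2.50:443 tcp",      # expected egress
    "2025-02-24T10:00:15Z 192.0.2.11:34569 -> 203.0.113.99:443 tcp",    # unexpected TLS egress
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for severity, reason, line in scan(SAMPLE_FLOWS):
        print(f"[{severity}] {reason}: {line}")
```

The "medium" rule is deliberately broad: an EoL router normally has a very short list of legitimate TLS destinations, so enumerating that list and alerting on everything else costs little and catches a backdoor that beacons to infrastructure not yet on any indicator feed.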
Cisco Warns of Critical Command Injection Vulnerability in Nexus NX-OS Switches
Cisco has issued a critical security advisory for CVE-2025-20161, a command injection vulnerability affecting Nexus 3000 and 9000 Series Switches running standalone NX-OS mode. The flaw allows attackers with administrative privileges to execute arbitrary OS commands with root-level access during software upgrades by embedding malicious instructions into firmware images. This vulnerability stems from insufficient validation mechanisms in the image verification subsystem, allowing tampered firmware packages to bypass security checks. Exploitation could lead to network reconnaissance, traffic interception, lateral movement, and persistent backdoors on compromised devices. While Nexus 9000 switches in ACI mode, MDS storage switches, and Firepower appliances are unaffected, all standalone NX-OS Nexus 3000 and 9000 models remain at risk. Cisco has not observed active exploitation but urges immediate patching. The recommended fix is upgrading to NX-OS 15.2(9)E1 for Nexus 3000 and NX-OS 10.4(3a)F for Nexus 9000. As no viable workarounds exist, Cisco mandates strict firmware verification, RBAC enforcement, and restricted administrative access to management interfaces. Organizations unable to upgrade immediately should implement network segmentation, continuous monitoring for unauthorized CLI commands, and strict access controls to mitigate risks. Cisco’s PSIRT team emphasizes that timely patch deployment is critical, as this vulnerability could be leveraged for stealthy configuration manipulation and traffic interception without triggering traditional intrusion detection mechanisms.
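The advisory's two non-patch controls, strict firmware verification and monitoring for unauthorized CLI commands, can both be scripted. The following is an added example, not Cisco's code: it compares an image's SHA-512 against the digest published on the vendor download page in constant time, and scans command-accounting lines for install/boot commands issued by users outside an approved set. The accounting-line format, the user names, the image file name and the watchlist of command prefixes are constructed to resemble NX-OS accounting output; none of them come from the article, and the published digest is supplied by the operator.

```python
"""Added example (not Cisco's code): firmware digest verification plus a scan
of command-accounting lines for upgrade commands by non-approved users.
Accounting format, users, image name and watchlist are constructed."""
import hashlib
import hmac
import re


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def sha512_hex_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the image so multi-gigabyte firmware files do not load into RAM."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_digest_matches(actual_hex: str, published_hex: str) -> bool:
    """Constant-time comparison against the vendor-published digest; the
    published value is a placeholder the operator copies from the download page."""
    return hmac.compare_digest(actual_hex.lower(), published_hex.strip().lower())


def verify_image_file(path: str, published_hex: str) -> bool:
    return image_digest_matches(sha512_hex_of_file(path), published_hex)


# Constructed accounting format: "<timestamp>:type=update:id=<who>:user=<user>:cmd=<command>"
ACCT_RE = re.compile(r":user=(?P<user>[^:]+):cmd=(?P<cmd>.*)$")
UPGRADE_PREFIXES = ("install all", "boot nxos", "boot system")   # constructed watchlist
APPROVED_UPGRADE_USERS = {"netops-deploy"}                        # constructed change-window account


def parse_accounting_line(line: str):
    """Return {'user': ..., 'cmd': ...} for lines carrying a command, else None."""
    match = ACCT_RE.search(line.strip())
    return match.groupdict() if match else None


def unauthorized_upgrade_commands(lines):
    """Return (user, cmd) for upgrade-type commands issued by non-approved users."""
    findings = []
    for line in lines:
        entry = parse_accounting_line(line)
        if entry is None:
            continue
        cmd = entry["cmd"].strip()
        if cmd.startswith(UPGRADE_PREFIXES) and entry["user"] not in APPROVED_UPGRADE_USERS:
            findings.append((entry["user"], cmd))
    return findings


# Constructed sample accounting log; IMAGE_PLACEHOLDER stands in for a real image name.
SAMPLE_ACCOUNTING = [
    "Mon Feb 24 10:00:00 2025:type=update:id=10.0.0.5@pts/0:user=netops-deploy:cmd=install all nxos bootflash:IMAGE_PLACEHOLDER.bin",
    "Mon Feb 24 10:05:00 2025:type=update:id=10.0.0.9@pts/1:user=admin:cmd=show version",
    "Mon Feb 24 10:06:00 2025:type=update:id=10.0.0.9@pts/1:user=admin:cmd=install all nxos bootflash:IMAGE_PLACEHOLDER.bin",
    "Mon Feb 24 10:07:00 2025:type=start:id=10.0.0.9@pts/1",
]

if __name__ == "__main__":
    for user, cmd in unauthorized_upgrade_commands(SAMPLE_ACCOUNTING):
        print(f"unapproved user {user!r} ran upgrade command: {cmd}")
```

The digest check only helps if the expected value is taken from the vendor's own page over an authenticated channel and the comparison runs before the image is copied onto the switch; the accounting scan is the compensating control for the case where an account with admin rights is already compromised, which is exactly the precondition the advisory describes.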