Actively Exploited Zero-Days (2025): Who’s Affected and How to Block the Kill Chain
By CyberDudeBivash • Date: September 20, 2025 (IST)

TL;DR — Patch-First Shortlist (with fast mitigations)

  • Chrome V8 type confusion — CVE-2025-10585 (active): Update to 140.0.7339.185+ (desktop). Block risky extensions; enable strict site isolation; monitor for child-process crashes from Chrome. BleepingComputer+1

  • Apple ImageIO — CVE-2025-43300 (exploited, targeted): Update iOS/iPadOS/macOS to the latest security release; enable Lockdown Mode for high-risk users; treat untrusted images as untrusted code. Apple Support+1

  • Ivanti Connect Secure/Policy Secure — CVE-2025-0282 (zero-day carryover): Patch to fixed releases (22.7R2.5+ etc.), rotate creds, reimage if compromise suspected; assume token/session theft. NVD+1

  • Windows CLFS kernel — CVE-2025-29824 (ransomware activity): Apply April updates; watch for LSASS access and driver-load anomalies; have EDR block unsigned driver loads. Microsoft

  • Windows Fast FAT — CVE-2025-24985 (exploited): Apply March updates; hunt for suspicious removable-media events and crafted FAT images. Tenable®

  • Citrix NetScaler ADC/Gateway:

    • CVE-2025-5777 (“CitrixBleed 2”) — memory disclosure, in KEV (active). Patch immediately; revoke sessions; rotate auth secrets. CISA

    • CVE-2025-7775 — memory overflow RCE, active. Upgrade per vendor bulletin; check AAA/Gateway/IPv6 configs; hunt for webshells. CISA+1

  • Cisco ISE / ISE-PIC — CVE-2025-20281/-20282/-20337 (active): Patch; isolate mgmt plane; hunt for new admin users and odd process launches. The Hacker News+1

  • WinRAR for Windows — CVE-2025-8088 (active, RomCom): Manually update to 7.13 (no auto-update); block .rar from unknown senders; hunt for autorun file drops. WinRAR+2We Live Security+2

  • N-able N-central — CVE-2025-8876 (command injection, in KEV): Patch or isolate; assume RMM takeover if exposed; rotate API keys. CISA

  • Dassault DELMIA Apriso — CVE-2025-5086 (deserialization, in KEV): Patch and remove public exposure; inspect for odd job executions. CISA


Kill-Chain Notes (how these are being weaponized)

  • Initial Access: perimeter device bugs (Citrix NetScaler, Ivanti ICS) and user-space apps (Chrome, WinRAR) deliver code or leak tokens—often via spear-phish archives or web drive-bys. Google Cloud+2BleepingComputer+2

  • Privilege & Lateral: kernel/CLFS elevation and device-management platforms (ISE/N-central) convert footholds into domain or network control. Microsoft+1

  • Exfil/Impact: session theft (CitrixBleed-class) + webshells/RMM persistence → data theft, potential ransomware staging. CISA+1


“Who’s Affected” Quick Matrix

CVE / Product                          | Typical Exposure   | Likely Targets                      | First Moves (Blue Team)
---------------------------------------|--------------------|-------------------------------------|------------------------------------------------------------------------------------
CVE-2025-10585 Chrome V8               | User endpoints     | Everyone using Chrome/Edge          | Force browser update; isolate crashy hosts; enable site isolation. BleepingComputer
CVE-2025-43300 Apple ImageIO           | Mobile/laptop      | Execs, journalists, high-risk users | Update OS; Lockdown Mode; disable iMessage previews for VIPs. Apple Support
CVE-2025-0282 Ivanti ICS/PS            | VPN perimeter      | Enterprises w/ remote access        | Patch; rotate creds; audit appliance for IOC scripts. Google Cloud
CVE-2025-29824 Windows CLFS            | Servers/Endpoints  | Ransomware targets                  | Patch; block unsigned drivers; hunt CLFS exploitation artifacts. Microsoft
CVE-2025-24985 Windows Fast FAT        | Endpoints          | Users handling removable media      | Patch; restrict autorun; monitor mount events. Tenable®
CVE-2025-5777 / 7775 Citrix NetScaler  | ADC/Gateway        | Remote-access edge                  | Patch; revoke sessions; scan for webshells; restrict mgmt to VPN. CISA+1
CVE-2025-20281+ Cisco ISE              | NAC/IdP infra      | Large enterprises                   | Patch; rotate admin creds; review TACACS/RADIUS logs. The Hacker News
CVE-2025-8088 WinRAR                   | User endpoints     | Phish recipients                    | Update to 7.13; block .rar; hunt Startup-folder drops. WinRAR
CVE-2025-8876 N-able N-central         | RMM                | MSPs, IT ops                        | Patch; remove public access; rotate API keys. CISA
CVE-2025-5086 DELMIA Apriso            | OT/Manufacturing   | Industrial                          | Patch; remove internet exposure; validate serialized inputs. CISA

Patch-Now Playbook (90-minute run)

  1. Edge devices first: NetScaler, Ivanti, Cisco ISE — patch, revoke sessions/tokens, rotate secrets, scan for webshells. CISA+2Google Cloud+2

  2. User apps: Force Chrome/Edge update; push WinRAR 7.13; block risky file types at mail gateway. BleepingComputer+1

  3. OS fixes: Roll April & March Windows updates for CLFS/FAT; enable kernel-attack telemetry. Microsoft+1

  4. Apple fleet: Ship latest iOS/iPadOS/macOS; enable Lockdown Mode for VIPs and threat-exposed teams. Apple Support
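The playbook above turns on one question per host: is the installed build at or above the fixed release named in the shortlist (Chrome 140.0.7339.185, WinRAR 7.13, Ivanti 22.7R2.5)? The check below is an added example, not the author's tooling or any vendor's API; the inventory is constructed, the product keys are hypothetical, and the version parser assumes vendors number releases so that numeric components compare left to right (true for the three strings quoted in the post, which is all it is meant for).

```python
"""Patch-compliance check against the minimum fixed versions named in the
shortlist above. Added example; inventory and product keys are constructed."""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as quoted in this post's TL;DR shortlist.
MINIMUM_FIXED = {
    "chrome": "140.0.7339.185",
    "winrar": "7.13",
    "ivanti-ics": "22.7R2.5",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a version string into integer components.

    Every non-digit run ('.', 'R', '-', ...) is treated as a delimiter, so
    '22.7R2.5' -> (22, 7, 2, 5). Comparing tuples of ints avoids the classic
    string-comparison bug where '140.0.7339.9' sorts above '140.0.7339.185'.
    """
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"no numeric components in version {v!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, minimum: str) -> bool:
    """True when `installed` is the same as or newer than `minimum`."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '7.13' == '7.13.0'
    b += (0,) * (width - len(b))
    return a >= b


def hosts_needing_patch(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, installed) for every tracked product below its minimum."""
    findings = []
    for host in inventory:
        name = host["host"]
        for product, installed in host.items():
            if product == "host":
                continue
            minimum = MINIMUM_FIXED.get(product)
            if minimum is None:
                continue  # product not in the shortlist; nothing to compare against
            if not is_at_least(installed, minimum):
                findings.append((name, product, installed))
    return findings


# Constructed inventory for illustration (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "chrome": "140.0.7339.185", "winrar": "7.12"},
    {"host": "ws-02", "chrome": "140.0.7339.9", "winrar": "7.13"},
    {"host": "vpn-01", "ivanti-ics": "22.7R2.4"},
    {"host": "ws-03", "chrome": "141.0.7390.0"},
]

if __name__ == "__main__":
    for host, product, installed in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below {MINIMUM_FIXED[product]}")
```

Feed it whatever your inventory source exports (software-inventory CSV, RMM report, MDM query) mapped onto the product keys, and treat the output as the work queue for steps 1 to 4. Ivanti's "R" release numbering is folded into plain numeric components here, which is an assumption of this example rather than a documented vendor ordering; confirm against the vendor bulletin before relying on it for appliances.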


Detection cues

  • Citrix session scraping (CVE-2025-5777): spikes of /var reads + unusual nsconmsg invocations; sudden mass session invalidations. CISA

  • WinRAR zero-day: creation of executables within %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ immediately after .rar extraction. We Live Security

  • Chrome exploit attempts: renderer crashes followed by new process spawn chains to LOLBins (mshta, rundll32). BleepingComputer

  • CLFS abuse: unusual CLFS log operations preceding EDR-flagged credential theft or driver tampering. Microsoft
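Two of the cues above are sequence patterns rather than single indicators: a .rar extraction followed by an executable landing in a Startup folder, and a Chrome crash followed by a LOLBin spawned from chrome.exe. The correlation logic below is an added example, not the post's or any vendor's detection content. Its event schema is a constructed, Sysmon-like simplification (process_create roughly Sysmon Event ID 1, file_create roughly Event ID 11, app_crash roughly Application log Event ID 1000); the field names, the 60-second window and the sample telemetry are all assumptions made for the example.

```python
"""Correlation rules for the WinRAR Startup-folder drop and the Chrome
crash-then-LOLBin cues. Added example; schema and sample events are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Startup-folder suffix from the cue above, lower-cased for case-insensitive matching.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXEC_EXTS = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".lnk")
LOLBINS = ("mshta.exe", "rundll32.exe")
WINDOW = timedelta(seconds=60)  # correlation window; tune to your telemetry latency

Event = Dict[str, str]


def _ts(e: Event) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _within(later: Event, earlier: Event) -> bool:
    """True when both events are on the same host and `later` follows `earlier` within WINDOW."""
    return later["host"] == earlier["host"] and timedelta(0) <= _ts(later) - _ts(earlier) <= WINDOW


def rule_winrar_startup_drop(events: List[Event]) -> List[Dict[str, str]]:
    """Executable written into a Startup folder shortly after WinRAR opened a .rar on the same host."""
    extractions = [e for e in events
                   if e["type"] == "process_create"
                   and e["image"].lower().endswith("winrar.exe")
                   and ".rar" in e.get("cmdline", "").lower()]
    hits = []
    for f in events:
        if f["type"] != "file_create":
            continue
        path = f["path"].lower()
        if STARTUP_DIR not in path or not path.endswith(EXEC_EXTS):
            continue
        trigger = next((x for x in extractions if _within(f, x)), None)
        if trigger:
            hits.append({"rule": "winrar_startup_drop", "host": f["host"],
                         "path": f["path"], "trigger": trigger["cmdline"]})
    return hits


def rule_chrome_crash_then_lolbin(events: List[Event]) -> List[Dict[str, str]]:
    """LOLBin spawned by chrome.exe shortly after a chrome.exe crash on the same host."""
    crashes = [e for e in events
               if e["type"] == "app_crash" and e["image"].lower().endswith("chrome.exe")]
    hits = []
    for p in events:
        if p["type"] != "process_create" or not p["image"].lower().endswith(LOLBINS):
            continue
        if not p.get("parent_image", "").lower().endswith("chrome.exe"):
            continue
        trigger = next((c for c in crashes if _within(p, c)), None)
        if trigger:
            hits.append({"rule": "chrome_crash_then_lolbin", "host": p["host"],
                         "image": p["image"], "trigger": trigger["ts"]})
    return hits


def run_rules(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over a time-ordered copy of the event stream."""
    ordered = sorted(events, key=_ts)
    return rule_winrar_startup_drop(ordered) + rule_chrome_crash_then_lolbin(ordered)


# Constructed sample telemetry: two true positives and four benign look-alikes.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2025-09-20T10:00:00", "host": "ws-01", "type": "process_create",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmdline": "WinRAR.exe \"C:\\Users\\a\\Downloads\\invoice.rar\""},
    {"ts": "2025-09-20T10:00:07", "host": "ws-01", "type": "file_create",
     "path": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe"},
    {"ts": "2025-09-20T10:00:08", "host": "ws-01", "type": "file_create",
     "path": "C:\\Users\\a\\Documents\\invoice.pdf"},  # not executable, not in Startup
    {"ts": "2025-09-20T10:05:00", "host": "ws-02", "type": "file_create",
     "path": "C:\\Users\\b\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.exe"},  # no preceding .rar extraction
    {"ts": "2025-09-20T11:00:00", "host": "ws-03", "type": "app_crash",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"ts": "2025-09-20T11:00:03", "host": "ws-03", "type": "process_create",
     "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "chrome.exe", "cmdline": "mshta.exe"},
    {"ts": "2025-09-20T11:00:04", "host": "ws-03", "type": "process_create",
     "image": "C:\\Windows\\System32\\rundll32.exe", "parent_image": "explorer.exe", "cmdline": "rundll32.exe"},  # parent is not Chrome
    {"ts": "2025-09-20T12:00:00", "host": "ws-04", "type": "process_create",
     "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "chrome.exe", "cmdline": "mshta.exe"},  # no preceding crash
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

Both rules key on host plus a bounded time gap, so a Startup-folder drop with no preceding extraction on that host, or a LOLBin under Chrome with no crash, stays quiet here; those are still worth their own lower-severity rules, but keeping them separate is what gives the sequence rules their precision. Port the same shape to your SIEM's correlation language once the field mapping to your real Sysmon or EDR schema is settled.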

#CyberDudeBivash #ZeroDay #CVE #ExploitedInTheWild #PatchNow #Citrix #Ivanti #Chrome #WinRAR #CiscoISE #Microsoft #Apple #ThreatIntel #SOC #IR
