Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 

Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.

Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPad 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.

None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

Apple previously issued an emergency software update to customers last month to patch a zero-day vulnerability — CVE-2025-43300 — that was “exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of updates for iOS, iPadOS and macOS.

The company has addressed five actively exploited zero-days this year, including defects previously disclosed in January, February, March and April. Seven Apple vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog this year. 

Unlike many vendors, Apple doesn’t provide details about the severity of vulnerabilities it addresses in software updates. Childs noted it would be helpful if Apple issued some sort of initial severity indicator alongside the vulnerabilities it patches — even if it doesn’t follow the Common Vulnerability Scoring System.

A pair of vulnerabilities patched in macOS — CVE-2025-43298, which affects PackageKit, and CVE-2025-43304, which affects StorageKit — are concerning because exploitation could allow an attacker to gain root privileges, Childs said. 

“On the iOS side, I don’t see anything that makes me sweat immediately but there are a lot of bugs addressed,” he added.

Apple also patched seven defects in Safari 26, 19 vulnerabilities in watchOS 26, 18 bugs in visionOS 26 and five defects in Xcode 26. 

More information about the vulnerabilities and latest software versions are available on Apple’s security releases site.

The post Apple addresses dozens of vulnerabilities in latest software for iPhones, iPads and Macs appeared first on CyberScoop.

Microsoft addressed 81 vulnerabilities affecting its enterprise products and underlying Windows systems, but none have been actively exploited, the company said in its latest security update. 

The company’s monthly bundle of patches includes one high-severity vulnerability and eight critical defects, including three designated as more likely to be exploited. 

The most severe defect disclosed this month — CVE-2025-55232 — is a deserialization of untrusted data vulnerability affecting Microsoft High Performance Compute Pack with a CVSS rating of 9.8. Microsoft said exploitation is less likely, but researchers warned organizations to prioritize patching.

“A remote, unauthenticated attacker could achieve code execution on affected systems without user interaction, which makes this potentially wormable between systems with the HPC pack installed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post. 

Childs noted that Microsoft has disclosed about 100 more vulnerabilities at this point in the year than it did in 2024. “We’ll see if this level of patches remains high throughout the rest of the year,” he added. 

Of the critical defects addressed this month, researchers are particularly concerned about CVE-2025-54918 and CVE-2025-55234 — elevation of privilege vulnerabilities with 8.8 CVSS ratings. While not actively exploited, Microsoft said exploitation is more likely for both of the improper authentication defects.

CVE-2025-55234 affects the Windows Server Message Block protocol, allowing hackers to perform relay attacks and subject users to elevation of privilege attacks. Proof-of-concept exploit code exists for this defect, according to Action1, but exploitation requires user interaction and network access.

“At its core, the vulnerability exists because SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and extended protection for authentication, are not in place,” Mike Walters, president and co-founder of Action1, said in an email.

“The potential impact is massive,” he added. “Virtually all medium to large enterprises that rely on Active Directory and Windows Server infrastructure could be affected, which amounts to hundreds of thousands of organizations worldwide.”

CVE-2025-54918 affects Windows New Technology LAN Manager (NTLM), which are security protocols for user identity authentication. “This privilege escalation allows an authenticated threat actor to escalate to SYSTEM on affected systems over the network,” Childs said.

“While not a scope change, going from a standard Windows user to SYSTEM is handy. Microsoft also notes that exploit complexity is low, so expect to see threat actors target this one,” he added.

Alex Vovk, CEO and co-founder of Action1, said the defect allows attackers to bypass and potentially undermine security controls, presenting substantial risk in sophisticated attack scenarios. “After compromising one system, attackers could use it to move laterally through networks with elevated access,” Vovk said.

“Threat actors could exploit it to deploy ransomware across multiple systems. Its high confidentiality impact means it could be used in sophisticated data theft operations,” he added. “The elevated privileges gained could also allow attackers to install backdoors or establish persistent access.”

Microsoft flagged eight defects as more likely to be exploited this month, including three that affected the Windows Kernel. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited appeared first on CyberScoop.

A globally coordinated operation involving support from 18 countries in Africa, the United Kingdom and nine security organizations resulted in the arrest of 1,209 alleged cybercriminals, Interpol said Friday.

Authorities said they recovered $97.4 million and dismantled 11,432 pieces of malicious infrastructure between June and August. Financial losses attributed to the crimes allegedly committed by people involved in this widespread string of ransomware, online scams and business email compromise neared $485 million, officials said.

Operation Serengeti 2.0 identified 87,858 victims from multiple criminal syndicates and operations spanning Africa. Authorities in Zambia took down an online investment fraud scheme that impacted at least 65,000 victims who lost an estimated $300 million combined.

In Angola, authorities dismantled 25 cryptocurrency mining centers where 60 Chinese nationals were allegedly validating blockchain transactions to generate cryptocurrency. Officials said they confiscated 45 illegal power stations, mining and IT equipment valued at more than $37 million, which the government has earmarked to support power distribution in vulnerable areas. 

TRM Labs, one of the private organizations that supported the crackdown, shared details about ransomware-related operations impacted by the law enforcement action.

“In Ghana, investigators pursued leads tied to the Bl00dy ransomware group, a Conti spin-off that has targeted education, healthcare, and public sector victims. Analysis suggested elements of Bl00dy’s laundering infrastructure were active in the country,” the company said in a LinkedIn post. 

Investigators in Seychelles acted on intelligence connected to RansomHub, broadening the range of targets and dismantling additional infrastructure, TRM Labs added.

Interpol said Operation Serengeti 2.0 also disrupted a suspected human trafficking network in Zambia and a transnational inheritance scam in Côte d’Ivoire that caused about $1.6 million in losses. 

“Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of Interpol, said in a statement. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

Countries involved in the crackdown include: Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro and Uppsala Security also aided the investigation.

The post Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses appeared first on CyberScoop.

A pair of maximum-severity vulnerabilities affecting Cisco’s network access security platform are under active exploitation, the enterprise networking and IT vendor warned in a security advisory Monday.

The software defects in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector — CVE-2025-20281 and CVE-2025-20337 — were disclosed and addressed by Cisco on June 25, followed by the disclosure of a third critical vulnerability in the same software, CVE-2025-20282, on July 16. Cisco said it became aware of reported attempted exploitation of CVE-2025-20281 and CVE-2025-20337 on July 21.

“Based on these reports, we have updated our security advisory to reflect the attempted exploitation,” a Cisco spokesperson said in a statement. “At this time, we are not aware of any attempted exploitation or malicious use of CVE-2025-20282, and we continue to strongly recommend that customers upgrade to fixed software releases that remediate these vulnerabilities.”

All three of the vulnerabilities have a CVSS rating of 10 and there are no workarounds for the software defects. Cisco warned that all three vulnerabilities can be exploited by an unauthenticated, remote attacker, allowing arbitrary code execution on the underlying system as root.

Cisco did not say how many customers are currently impacted.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said researchers detected active exploitation of CVE-2025-20281 on July 17. “Since CVE-2025-20281 and CVE-2025-20337 are very similar, we believe both are under active attack. Proof of concept exploit code was first made public on June 27,” Childs said.

“Right now, those attacks appear to be limited and targeted. Cisco ISE is used by thousands of enterprises, so the potential impact is large,” he added.

The origins and motivations of the threat group or attacker behind the exploits remains unknown, but the potential interest is broad.

“Threat actors would be interested in these vulnerabilities because a Cisco ISE has a high degree of network visibility through logging, which gives threat actors insight for further attacks in the network,” Childs said. “An ISE also is a repository for potentially all of the users in an organization.”

The post Cisco network access security platform vulnerabilities under active exploitation appeared first on CyberScoop.

Authorities and researchers are intensifying warnings about active exploitation and pervasive scanning of a critical vulnerability affecting multiple versions of Citrix NetScaler products.

There is now widespread agreement among security professionals that the critical vulnerability, CVE-2025-5777, which Citrix disclosed June 17, is serious and harkens back to a 2023 defect in the same products: “CitrixBleed,” or CVE-2023-4966. Naturally, threat hunters are scrambling to assess and stop the strikingly similar challenges summoned by exploits of the newest CVE. 

For some Citrix customers, the warnings are too late. Vulnerability scans confirm active exploits occurred within a week of disclosure, and attackers have been swarming, hunting for exposed instances of the impacted devices since exploit details were publicly released earlier this month. 

“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as CitrixBleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” Chris Butera, acting executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a statement. CISA added the exploit to its known exploited vulnerabilities catalog on July 10.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera added. The agency typically requires agencies to resolve “high risk” vulnerabilities within 30 days and “critical risk” vulnerabilities within 15 days.

The pre-authentication remote memory disclosure vulnerability, which has a CVSS score of 9.3, has been increasingly targeted for attacks globally. Imperva researchers on Friday said they’ve observed more than 11.5 million attack attempts targeting thousands of sites since the exploit was disclosed. 

“Attackers appear to be scanning extensively for exposed instances and attempting to exploit the memory-leak vulnerability to harvest sensitive data,” Imperva researchers said in a blog post.

Nearly 2 in 5 attack attempts have targeted sites in the financial services industry and 3 in 5 of those targeted sites are based in the United States, according to Imperva.

GreyNoise scans have observed 22 unique malicious IPs attempting to exploit CVE-2025-5777 thus far. The first malicious IP was observed June 23 and a spike of 11 unique malicious IPs was observed Friday. 

“I haven’t seen any attrition yet. This could be as bad or even worse than CitrixBleed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.”

The number of Citrix customers already impacted remains unknown and victims have yet to come forward. 

“A lot of the attacks seem opportunistic, so there are likely multiple threat actors using the bug,” Childs said.

Citrix maintains there was no evidence of active exploitation when it disclosed the vulnerability. The vendor hasn’t shared much publicly in almost three weeks, other than an update in a June 26 blog post noting that CISA was aware of evidence of active exploitation. The company did not respond to a request for comment.

In the June blog post, Anil Shetty, senior vice president of engineering at NetScaler, disputed comparisons between CVE-2025-5777 and CVE-2023-4966. “While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related,” Shetty wrote. Cloud Software Group is the parent company of Citrix.

Researchers are also leveling criticism at Citrix for the relative ease by which an attacker can compromise a vulnerable instance of Citrix NetScaler with just a few requests. 

‘“The term “CitrixBleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively bleeding sensitive information,” Akamai Security Intelligence Group said in a blog post.

Akamai researchers described the root cause of the vulnerability as “an uninitialized login variable, combined with improper memory handling, lack of input validation and missing error handling in Citrix NetScaler’s authentication logic.”

Zach Edwards, an independent cybersecurity researcher, told CyberScoop that CVE-2025-5777 and CVE-2023-4966 are “extremely similar,” aside from subtle differences in the versions of NetScaler impacted.

“The fact that these pre-authentication vulnerabilities keep coming up, which can facilitate complete compromises, is disappointing to see,” Edwards said. “It’s unclear how these significant vulnerabilities keep making their way through development processes, but Citrix clients, especially in the government and enterprise sectors, should be demanding more and requiring additional public context about the steps Citrix takes to test its software prior to a release.”

The post CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe appeared first on CyberScoop.

Lawrence Hoffman // With BlackHat and DefCon happening as I type it’s hard to choose what’s going to make this list. I will probably save most of the big shiny […]

The post Lawrence’s List 080516 appeared first on Black Hills Information Security, Inc..