
Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack

3 March 2026 at 17:42

An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first mass-scale attack on iOS, the operating system for Apple’s iPhones.

Traces of the exploits, found in the work of Chinese cybercriminals, also have been spotted in Russian attacks on Ukraine and used by a customer of a spyware vendor.

Those conclusions come from two pieces of research that Google Threat Intelligence Group and iVerify released separately Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential “EternalBlue moment,” with echoes of that exploit software escaping the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.

Google said that the so-called Coruna exploit kit that’s the subject of Tuesday’s research “provides another example of how sophisticated capabilities proliferate,” as it wrote in a blog post about the zero-day — or previously undisclosed and unpatched — exploits.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Said iVerify: “While iVerify has some evidence that this tool is a leaked U.S. government framework, that shouldn’t overshadow the knowledge that these tools will find their way into the wild and will be used unscrupulously by bad actors.”

Just last week, a U.S. court sentenced a former L3 Harris executive to prison for selling zero-day exploits to a Russian broker.

Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company, and which the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.

An Apple spokesperson didn’t respond to a request for comment Tuesday afternoon. Apple issued multiple patches in response to Operation Triangulation, and worked with Google on the newest research.

Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices — a “massive number” for iOS, even if it sounds small compared with other platforms. That number has the potential to expand as researchers dive further into the technical details, Cole said.

Other signs point to U.S. development of the exploit kit, Cole said.

“The code base for the framework and the exploits was superb,” he said. “It was elegantly written. It’s fluid and holds together very well. There were comments in the code that, as someone who’s been around the U.S. defense industrial base for years, really are reminiscent of the sort of insider jokes and insider remarks that you might see from a U.S. based coder. Certainly they were native English language speakers.”

Google said it tracked the use of the exploit kit over the course of last year in operations from an unnamed customer of a surveillance vendor to attacks on Ukrainian users from a suspected Russian espionage group, before retrieving the complete exploit kit from a financially motivated group operating out of China.

Apple-focused security researcher Patrick Wardle observed on the social media site X about the Coruna research: “Turns out even lowly cybercriminals were (ab)using 0days to hack Apple devices.”

The post Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack appeared first on CyberScoop.

Governments issue warning over Cisco zero-day attacks dating back to 2023

25 February 2026 at 18:51

Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise.

This marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. Both campaigns resulted in CISA emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were identified.

Authorities refrained from attributing the attacks to any nation state or threat group. Cisco Talos researchers assigned the exploits and post-compromise activity to UAT-8616, which they only described as a “highly sophisticated threat actor.”

The activity cluster’s “attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors to establish persistent footholds into high-value organizations including critical infrastructure sectors,” Cisco Talos said in a threat advisory.

Malicious activity linked to this campaign is far-reaching, and attackers have exploited vulnerabilities in targeted systems to access and potentially compromise federal networks, Nick Andersen, CISA’s executive assistant director for cybersecurity, said during a media briefing Wednesday.

Andersen declined to say when CISA was first aware of this activity and did not provide details about potential victims, adding that officials are working through the beginning stages of mitigation.

In the jointly issued threat hunt guide, the Five Eyes said all members were aware that the most recent zero-day — CVE-2026-20127 — was identified and confirmed actively exploited in late 2025. Officials and Cisco did not explain why it took at least two months to disclose and patch the vulnerability and to share emergency mitigation guidance.

Attackers gain full control of a system through a two-step chain: exploiting CVE-2026-20127 to bypass authentication, then downgrading the software to a version vulnerable to CVE-2022-20775 to escalate privileges, said Douglas McKee, director of vulnerability intelligence at Rapid7.

“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history,” he told CyberScoop. “This is not opportunistic scanning. This is structured tradecraft.”

CISA added CVE-2022-20775 and CVE-2026-20127 to its known exploited vulnerabilities catalog Wednesday.

The three-year gap between known initial attacks and detected exploitation of the zero-days showcases the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign, said Ben Harris, founder and CEO of watchTowr. 

The timeline and known attack path also indicate operational discipline that allowed attackers to maintain long-term access in critical network infrastructure without triggering alarms, McKee said. Those activities align “more closely with state-sponsored espionage tradecraft than financially motivated crime,” he added.

CISA’s emergency directive requires federal agencies to take inventory of all vulnerable Cisco SD-WAN systems, collect logs from those systems, apply Cisco’s security updates, hunt for evidence of compromise and follow Cisco’s guidance by Friday. 

The latest campaign targeting Cisco network edge technology shares many similarities with another string of attacks officials and Cisco warned about in September. Those attacks, which involved at least two actively exploited zero-days, were underway for at least a year before they were first discovered in May. 

Cisco did not answer questions about any potential connections between the campaigns. The vendor and officials have also thus far avoided sharing any details about what occurred behind the scenes during these sustained attacks.

A spokesperson for Cisco urged customers to upgrade software and follow guidance from its advisory.

Unfortunately, it’s too late for some Cisco SD-WAN customers to patch, Harris said. “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”

The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.

Apple discloses first actively exploited zero-day of 2026

12 February 2026 at 18:48

Apple disclosed a zero-day vulnerability Wednesday that the vendor warned was previously “exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a security update.

The memory-corruption vulnerability — CVE-2026-20700 — affects iPhones and iPads and was exploited on devices running versions of iOS before iOS 26. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Thursday.

The disclosure marks the first zero-day reported by Apple since late 2025, and the first Apple defect flagged as actively exploited by CISA this year. 

“An attacker with memory write capability may be able to execute arbitrary code,” the company said.

Apple, which typically shares limited details about in-the-wild exploitation of zero-days, noted the latest zero-day, similar to others it disclosed last year, was exploited by sophisticated attackers targeting distinct people. 

The company did not immediately respond to a request for comment and did not describe the nature or objectives of the attacks.

Caitlin Condon, vice president of security research at VulnCheck, said the zero-day was likely exploited as part of a highly targeted spyware or surveillance attack on a very small number of individuals’ devices.

The zero-day vulnerability, which was discovered by Google Threat Intelligence Group, affects dyld, Apple’s open-source dynamic link editor that acts as a core system component to securely load applications on users’ devices. 

Apple said a pair of additional vulnerabilities affecting WebKit — CVE-2025-14174 and CVE-2025-43529 — were previously disclosed in response to attacks involving CVE-2026-20700. 

The company did not describe how the three vulnerabilities are related, but previously noted CVE-2025-43529 was “exploited in an extremely sophisticated attack against specific targeted individuals.”

All three of the memory-corruption defects affect mobile operating systems, “where sophisticated zero-day attacks are commonly employed to surveil individuals, whether those are political dissidents, journalists, public figures or other high-value targets,” Condon said.

“Memory-corruption exploits are also commonly seen in sophisticated attacks, as they’re tricky to exploit reliably but provide elevated access,” she added.

Apple’s security updates for iOS 26.3 and iPadOS 26.3 address 38 vulnerabilities in total, but CVE-2026-20700 is the only defect it disclosed as actively exploited prior to public disclosure.

The post Apple discloses first actively exploited zero-day of 2026 appeared first on CyberScoop.

Cisco customers hit by fresh wave of zero-day attacks from China-linked APT

18 December 2025 at 17:43

Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 

Cisco said it became aware of the attacks Dec. 10. The defect, CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. It allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.

There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.

Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

Cisco declined to answer questions about how many customers have been impacted. The company encouraged customers to follow guidance in its advisory to determine if they’re exposed and take steps to mitigate risk, including isolating or rebuilding affected systems.

The spam quarantine feature, which must be on and publicly exposed for attackers to exploit the vulnerability, is not enabled by default, Cisco said. The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog Thursday. 

“Highlighting non-standard configurations isn’t the same as blaming users — it’s a relevant technical detail that helps defenders assess exploitation likelihood,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop. 

“The core issue doesn’t change,” he added. “The software fails under certain conditions, and that’s on the vendor to fix. Secure design means accounting for edge cases, even when it’s hard, and not shifting responsibility when they’re exploited.”

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said the non-standard configurations that trigger the defect are an indication that attacks are targeting specific users. Yet, he added, it’s unknown how many Cisco customers have enabled the spam quarantine feature and exposed it to the internet.

Chinese threat groups have consistently exploited Cisco vulnerabilities. The latest attacks follow a widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls.

Federal cyber authorities issued an emergency directive in September about the attacks, which impacted multiple government agencies in May. CISA and Cisco did not at that time fully explain why they waited four months from initial response to the attacks to disclose the malicious activity, patch the zero-days and issue the emergency directive.

A spokesperson for Cisco said there’s no evidence the recent attacks are connected to the attacks earlier this year. Cisco attributed the previous attacks to the same threat group behind an early 2024 campaign targeting Cisco devices, which it dubbed “ArcaneDoor.”

The post Cisco customers hit by fresh wave of zero-day attacks from China-linked APT appeared first on CyberScoop.

Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day

11 November 2025 at 15:49

Microsoft addressed 63 vulnerabilities affecting its underlying systems and core products, including one actively exploited zero-day, the company said in its latest monthly security update.

The zero-day vulnerability — CVE-2025-62215 — affects the Windows Kernel and has a CVSS rating of 7.0 due to a high attack complexity, according to Microsoft. Exploitation, which could allow an attacker to gain system privileges, requires an attacker to win a race condition, the company said. Microsoft did not provide any further details about the scope of exploitation. 

The race condition is notable because it indicates some race conditions are more reliable than others, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post. Race-condition vulnerabilities, which require multiple simultaneous processes or threads to interact in a precise timing window to trigger the error, often impede exploitation.

“Bugs like these are often paired with a code execution bug by malware to completely take over a system,” Childs added.

Mike Walters, president and co-founder at Action1, said a functional exploit for CVE-2025-62215 exists, but no public proof-of-concept has been released. “Exploitation is complex, but a functional exploit seen in the wild raises urgency, since skilled actors can reliably weaponize this in targeted campaigns,” he said in an email.

An attacker with low-privilege local access can trigger the race condition by running a specially crafted application, according to Ben McCarthy, lead cyber security engineer at Immersive. “The goal is to get multiple threads to interact with a shared kernel resource in an unsynchronized way, confusing the kernel’s memory management and causing it to free the same memory block twice,” he said in an email.

The most severe defect disclosed this month — CVE-2025-60724 — is a remote-code execution vulnerability affecting Microsoft Graphics Component with a CVSS rating of 9.8, but Microsoft designated the flaw as less likely to be exploited. 

Microsoft flagged five defects as more likely to be exploited this month, including three vulnerabilities — CVE-2025-60719, CVE-2025-62213 and CVE-2025-62217 — affecting Windows Ancillary Function Driver for WinSock with CVSS ratings of 7.0. 

The kernel-mode driver is fundamental to Windows, making defects in the component inherently high-risk, according to McCarthy. 

“Due to it being so intertwined with network-related functionality of Windows, it has the potential to be a way in for many applications in the Windows ecosystem. There have been many vulnerabilities in the past that have been weaponized in this kernel-mode driver,” he added.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday addresses 63 defects, including one actively exploited zero-day appeared first on CyberScoop.
