Cisco Systems has issued security updates to address a critical vulnerability in its widely deployed IOS and IOS XE network operating systems, after confirming the flaw is being exploited in active attacks.

Designated CVE-2025-20352, the vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s core network software. According to Cisco, the weakness stems from a stack-based buffer overflow and affects any device with SNMP enabled. The flaw allows authenticated, remote attackers with low privileges to force targeted systems to reload, causing denial of service. Higher-privileged attackers could execute arbitrary code with root-level permissions on affected Cisco IOS XE devices, effectively gaining complete control.

Cisco disclosed that the vulnerability has been exploited in the wild. The company became aware of active attacks after the compromise of local administrator credentials. Attackers have leveraged the flaw by sending crafted SNMP packets over either IPv4 or IPv6 networks.

“All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco wrote in a published advisory. The company noted the problem affects all versions of SNMP, including v1, v2c, and v3. Models such as the Meraki MS390 and Catalyst 9300 running Meraki CS 17 or earlier are impacted, with a fix arriving in a further IOS XE software release.

No known workarounds exist beyond software updates. While organizations unable to immediately upgrade can mitigate some risk by limiting SNMP access to trusted users and network segments, Cisco advises that these are only temporary measures. 

The company’s security bulletin further instructs administrators on verifying the presence of SNMP and potentially affected configurations through command-line tools. Devices running IOS XR and NX-OS are confirmed as unaffected.

The same update that addressed the SNMP flaw also included patches for 13 other vulnerabilities. Two of these are considered significant: a reflected cross-site scripting weakness (CVE-2025-20240) permitting attackers to potentially steal session cookies, and a denial-of-service flaw (CVE-2025-20149) that can be triggered by authenticated local users. Both have proof-of-concept exploit code available publicly.

Cisco’s IOS and IOS XE platforms are foundational to global networking infrastructure, making vulnerabilities with the potential for remote code execution and denial of service particularly significant for enterprise operations and internet service providers. SNMP’s pervasive use for network monitoring and management, coupled with default or weak credential usage in some environments, continues to place heightened importance on timely security response.

The post Cisco uncovers new SNMP vulnerability used in attacks on IOS devices appeared first on CyberScoop.

Apple’s latest operating systems for its most popular devices — iPhones, iPads and Macs — include patches for multiple vulnerabilities, but the company didn’t issue any warnings about active exploitation. 

Apple patched 27 defects with the release of iOS 26 and iPadOS 26 and 77 vulnerabilities with the release of macOS 26, including some bugs that affected software across all three devices. Apple’s new operating systems, which are now numbered for the year of their release, were published Monday as the company prepares to ship new iPhones later this week.

Users that don’t want to upgrade to the latest versions, which adopt a translucent design style Apple dubs “liquid glass,” can patch the most serious vulnerabilities by updating to iOS 18.7 and iPad 18.7 or macOS 15.7. Most Apple devices released in 2019 or earlier are not supported by the latest operating systems.

None of the vulnerabilities Apple disclosed this week appear to be under active attack, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop.

Apple previously issued an emergency software update to customers last month to patch a zero-day vulnerability — CVE-2025-43300 — that was “exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of updates for iOS, iPadOS and macOS.

The company has addressed five actively exploited zero-days this year, including defects previously disclosed in January, February, March and April. Seven Apple vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog this year. 

Unlike many vendors, Apple doesn’t provide details about the severity of vulnerabilities it addresses in software updates. Childs noted it would be helpful if Apple issued some sort of initial severity indicator alongside the vulnerabilities it patches — even if it doesn’t follow the Common Vulnerability Scoring System.

A pair of vulnerabilities patched in macOS — CVE-2025-43298, which affects PackageKit, and CVE-2025-43304, which affects StorageKit — are concerning because exploitation could allow an attacker to gain root privileges, Childs said. 

“On the iOS side, I don’t see anything that makes me sweat immediately but there are a lot of bugs addressed,” he added.

Apple also patched seven defects in Safari 26, 19 vulnerabilities in watchOS 26, 18 bugs in visionOS 26 and five defects in Xcode 26. 

More information about the vulnerabilities and latest software versions are available on Apple’s security releases site.

The post Apple addresses dozens of vulnerabilities in latest software for iPhones, iPads and Macs appeared first on CyberScoop.

The Pentagon’s two-year public competition to spur the development of cyber-reasoning systems that use large language models to autonomously find and patch vulnerabilities in open-source software concluded Friday with $8.5 million awarded to three teams of security specialists at DEF CON. 

The Defense Advanced Research Project Agency’s AI Cyber Challenge seeks to address a persistent bottleneck in cybersecurity — patching vulnerabilities before they are discovered or exploited by would-be attackers. 

“We’re living in a world right now that has ancient digital scaffolding that’s holding everything up,” DARPA Director Stephen Winchell said. “A lot of the code bases, a lot of the languages, a lot of the ways we do business, and everything we’ve built on top of it has all incurred huge technical debt… It is a problem that is beyond human scale.” 

The seven semifinalists that earned their spot out of 90 teams convened at last year’s DEF CON were scored against their models’ ability to quickly, accurately and successfully identify and generate patches for synthetic vulnerabilities across 54 million lines of code. The models discovered 77% of the vulnerabilities presented in the final scoring round and patched 61% of those synthetic defects at an average speed of 45 minutes, the competition organizers said.

The models also discovered 18 real zero-day vulnerabilities, including six in the C programming language and 12 in Java codebases. The teams’ models patched none of the C codebase zero-days, but automatically patched 11 of the Java zero-days, according to the final results shared Friday.

Team Atlanta took the first-place prize of $4 million, Trail of Bits won second place and $3 million in prize money, and Theori ranked third, taking home $1.5 million. The competition’s organizers allocated an additional $1.4 million in prize money for participants who can demonstrate when their technology is deployed into critical infrastructure. 

Representatives from the three winning teams said they plan to reinvest the majority of the prize money back into research and further development of their cyber-reasoning systems or explore ways to commercialize the technology.

Four of the models developed under the competition were made available as open source Friday, and the three remaining models will be released in the coming weeks, officials said.

“Our hope is this technology will harden source code by being integrated during the development stage, the most critical point in the software lifecycle,” Andrew Carney, program manager of the competition, said during a media briefing about the challenge last week. 

Open sourcing the cyber-reasoning systems and the AI Cyber Challenge’s infrastructure should also allow others to experiment and improve upon what the competition helped foster, he said. DARPA and partners across government and the private sector involved in the program are pursuing paths to push the technology developed during the competition into open-source software communities and commercial vendors for broader adoption.

DARPA’s AI Cyber Challenge is a public-private endeavor, with Google, Microsoft, Anthropic and OpenAI each donating $350,000 in LLM credits and additional support. The initiative seeks to test AI’s ability to identify and patch vulnerabilities in open-source code of vital importance throughout critical infrastructure, including health care. 

Jim O’Neill, deputy secretary of the Department of Health and Human Services, spoke to the importance of this work during the AI Cyber Challenge presentation at DEF CON. “Health systems are among the hardest networks to secure. Unlike other industries, hospitals must maintain 24/7 uptime, and they don’t get to reboot. They rely on highly specialized, legacy devices and complex IT ecosystems,” he said. 

“As a result, patching a vulnerability in health care can take an average of 491 days, compared to 60 to 90 days in most other industries,” O’Neill added. “Many cybersecurity products, unfortunately, are security theater. We need assertive proof-of-work approaches to keep networks, hospitals and patients safer.”

Health officials and others directly involved in the AI Cyber Challenge acknowledged the problems posed by insecure software are vast, but said the results showcased from this effort provide a glimmer of hope. 

“The magnitude of the problem is so incredibly overwhelming and unreasonable that this is starting to make it so that maybe we can actually secure networks — maybe,” Jennifer Roberts, director of resilient systems at HHS’s Advanced Research Projects Agency for Health, said during a media briefing at DEF CON after the winners were announced. 

Kathleen Fisher, director of DARPA’s Information Innovation Office, shared a similar cautiously optimistic outlook. “Software runs the world, and the software that is running the world is riddled with vulnerabilities,” she said.

“We have this sense of learned helplessness, that there’s just nothing we can do about it. That’s the way software is,” she continued. The AI Cyber Challenge “points to a brighter future where software does what it’s supposed to do and nothing else.”

The post DARPA’s AI Cyber Challenge reveals winning models for automated vulnerability discovery and patching appeared first on CyberScoop.

Kent Ickler & Jordan Drysdale // Preface We had a sysadmin and security professional “AA” meeting on November 8, 2018. We met and discussed things that seem to be painfully […]

The post WEBCAST: Blue Team-Apalooza appeared first on Black Hills Information Security, Inc..