
Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days

14 October 2025 at 14:36

Microsoft addressed 175 vulnerabilities affecting its core products and underlying systems, including two actively exploited zero-days, the company said in its latest security update. It’s the largest assortment of defects disclosed by the tech giant this year.

The zero-day vulnerabilities — CVE-2025-24990 affecting Agere Windows Modem Driver and CVE-2025-59230 affecting Windows Remote Access Connection Manager — both have a CVSS rating of 7.8. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog Tuesday.

Microsoft said the third-party Agere Modem driver that ships with supported Windows operating systems has been removed in the October security update. Fax modem hardware that relies on the driver will no longer work on Windows, the company said.

Attackers can achieve administrator privileges by exploiting CVE-2025-24990. “All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” Microsoft said in its summary of the defect.

The improper access control vulnerability affecting Windows Remote Access Connection Manager can be exploited by an authorized attacker to elevate privileges locally and gain system privileges, Microsoft said.

Windows Remote Access Connection Manager, a service used to manage remote network connections through virtual private networks and dial-up networks, is a “frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022,” Satnam Narang, senior staff research engineer at Tenable, said in an email. “This is the first time we’ve seen it exploited in the wild as a zero day.”

The most severe vulnerabilities disclosed this month include CVE-2025-55315 affecting ASP.NET Core and CVE-2025-49708 affecting Microsoft Graphics Component. Microsoft said exploitation of the defects is less likely, but both have a CVSS rating of 9.9.

Microsoft flagged 14 defects as more likely to be exploited this month, including a pair of critical vulnerabilities with CVSS ratings of 9.8 — CVE-2025-59246 affecting Azure Entra ID and CVE-2025-59287 affecting Windows Server Update Service.

The vendor disclosed five critical and 121 high-severity vulnerabilities this month. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days appeared first on CyberScoop.

CISA says it observed nearly year-old activity tied to Cisco zero-day attacks

25 September 2025 at 19:34

The Cybersecurity and Infrastructure Security Agency acknowledged it’s yet to get a complete handle on the scope and impact of attacks involving Cisco zero-day vulnerabilities that prompted it to release an emergency directive Thursday. 

The attack timeline dates back almost a year, according to an investigation Cisco and federal authorities did behind the scenes to identify the root cause and then coordinate the issuance of patches to address software defects under active exploitation. 

“We observed initial activity that we believe was related back in November,” Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a media briefing Thursday. “It started off as reconnaissance activity on these types of devices, and that’s what kicked off back in November.”

That malicious activity — read-only memory modification — “began as early as November 2024, if not earlier,” he said. 

CISA said it’s aware of hundreds of Cisco firewalls in use across the federal government that are potentially susceptible to exploitation. The mandated steps outlined in the emergency directive will help the agency understand the full scope of those devices and the extent of compromise across federal agencies, Butera said.

Critical infrastructure operators are also likely affected, and CISA is asking those organizations to report incidents as they are confirmed, Butera said. 

He also addressed a considerable delay from discovery to disclosure. Cisco said it initiated an incident response investigation into the attacks on multiple federal agencies in May, but four months passed before it disclosed the malicious activity and patched the zero-day vulnerabilities. 

During that time, CISA chose to hold off on releasing the emergency directive, which requires federal agencies to take immediate action by the end of Friday. 

“With any vulnerability coordination, it takes some time to properly understand what that vulnerability is and whether that vulnerability is being exploited, and some time for the vendors to develop a patch to mitigate that,” Butera said. “So the timeline involved both investigation and patch development for that process.”

He added that CISA and Cisco collaborated to implement mitigation steps and remediate the malicious activity. The agency also worked with Cisco through the coordinated vulnerability disclosure process “so we could appropriately address the risk as fully as possible during this time,” Butera said.

Federal officials are concerned attacks may accelerate or shift in the wake of CISA’s effort to prod agencies to thwart the threat. 

“As soon as these vulnerabilities are released to the threat actor, we believe the threat actor will likely try to pivot and change tactics,” Butera said. “We think it’s really important for our organization to try to detect that threat actor activity as quickly as possible, so that is what’s driving the tight timeline.” 

Officials declined to discuss the attackers’ origins or motivations in detail. Butera said CISA is not focused on attribution at this time, and he did not confirm research from outside threat intelligence firms pinning the espionage attacks on a China state-affiliated threat group tracked as UAT4356 and Storm-1849. 

Butera said the espionage attacks linked to the Cisco zero-day vulnerabilities are separate and not connected to the widespread and ongoing China state-sponsored attack spree Mandiant and Google Threat Intelligence Group researchers warned about Wednesday. Those attacks also involve exploitation of network edge devices.

The post CISA says it observed nearly year-old activity tied to Cisco zero-day attacks appeared first on CyberScoop.

CISA alerts federal agencies of widespread attacks using Cisco zero-days

25 September 2025 at 15:05

Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls. 

Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 

Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”

The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action. 

Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.

“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.

Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities. 

The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said. 

CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.

The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said they found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.

The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days. 

Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical. 

When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.

“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”

The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.

Sitecore zero-day vulnerability springs up from exposed machine key

4 September 2025 at 13:33

An attacker exploited a zero-day vulnerability in Sitecore stemming from a misconfiguration of public ASP.NET machine keys that customers implemented based on the vendor’s documentation, according to researchers.

The critical zero-day defect — CVE-2025-53690 — was exploited by the attacker using exposed keys to achieve remote code execution, Mandiant Threat Defense said in a report Wednesday. The sample machine keys were included in Sitecore’s deployment guides dating back to at least 2017.

The configuration vulnerability impacts customers who used the sample key provided with deployment instructions for Sitecore Experience Platform 9.0 and earlier, Sitecore said in a security bulletin Wednesday. The vendor warned that all versions of Experience Manager, Experience Platform and Experience Commerce may be impacted if deployed in a multi-instance mode with customer-managed static machine keys.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones — a move we don’t recommend,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to remote code execution.”

Mandiant said it disrupted the attack after engaging with Sitecore, but said that effort prevented it from observing the full attack lifecycle. The incident response firm warns that many Sitecore customers used the commonly known ASP.NET machine key. 

Upon gaining access to the affected internet-exposed Sitecore instance, the attacker deployed a ViewState payload containing malware designed for internal reconnaissance, according to Mandiant. Researchers explained that ViewStates, an ASP.NET feature, are vulnerable to deserialization attacks when validation keys are absent or compromised. 

Mandiant said the unidentified attacker, whose motivations are unknown, demonstrated a deep understanding of Sitecore’s product as it progressed from initial compromise to escalate privileges and achieve lateral movement. 

Sitecore and researchers advised customers to rotate the machine key if a commonly known one was used, and to hunt for evidence of ViewState deserialization attacks. Rotating keys won’t protect organizations whose systems the attacker may have already compromised.
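The mitigation Sitecore and the researchers describe, as an added example that is not Sitecore’s, Mandiant’s or watchTowr’s tooling: a Python audit that flags a web.config `<machineKey>` whose keys match a known documentation sample and rotates it to a freshly generated random pair. The values in `KNOWN_SAMPLE_KEYS` are constructed placeholders, since the page does not reproduce the real sample keys from the deployment guides.

```python
"""Audit an ASP.NET web.config for a static <machineKey> copied from vendor
documentation, and rotate it to freshly generated random keys.

Added example, not Sitecore's, Mandiant's or watchTowr's tooling. The values in
KNOWN_SAMPLE_KEYS are constructed placeholders: the real sample keys from the
Sitecore deployment guides are not reproduced here.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for documentation sample keys. A real
# audit would load the known-bad values from the vendor's security bulletin.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars: a 64-byte HMACSHA256 validationKey
    "FEDCBA9876543210" * 4,   # 64 hex chars: a 32-byte AES decryptionKey
}

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def audit_machine_key(elem: ET.Element) -> list[str]:
    """Return findings for one <machineKey> element (empty list means nothing to flag).

    Anyone holding the validationKey can produce a ViewState blob with a valid
    MAC, so a key that is public (e.g. pasted from docs) hands an attacker the
    deserialization path the article describes.
    """
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = elem.get(attr)
        if value is None or value.startswith("AutoGenerate"):
            # Per-machine auto-generated keys are not a shared public secret
            # (though they do not work across a multi-instance farm).
            continue
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known documentation sample key")
        elif not HEX_RE.match(value):
            findings.append(f"{attr} is not a hex string")
    if elem.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is disabled: ViewState is unauthenticated")
    return findings


def audit_web_config(web_config_xml: str) -> list[str]:
    """Audit every <machineKey> in a web.config, including ones under <location>."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for elem in root.iter("machineKey"):
        findings.extend(audit_machine_key(elem))
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh random key pair sized for HMACSHA256 validation and AES decryption."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_keys(web_config_xml: str) -> str:
    """Return the config with every <machineKey> replaced by one new random pair.

    All instances of a multi-instance deployment must share the same pair, so a
    single pair is generated and applied to every element.
    """
    root = ET.fromstring(web_config_xml)
    new_key = generate_machine_key()
    for elem in root.iter("machineKey"):
        for attr, value in new_key.items():
            elem.set(attr, value)
    return ET.tostring(root, encoding="unicode")


# Constructed web.config fragment carrying the placeholder sample keys.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'FEDCBA9876543210' * 4}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_keys(SAMPLE_WEB_CONFIG))
```

As the article notes, rotation only closes the door for future ViewState forgeries; a host where the key was already abused still needs an intrusion review.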

Mandiant researchers said the attacker established footholds, deployed malware and tools to maintain persistence, conducted reconnaissance, achieved lateral movement and stole sensitive data.

“It is quite common for documentation to contain placeholder keys, such as ‘PUT_YOUR_KEY_HERE,’ or other randomly generated examples,” Dewhurst said. “It is ultimately both a failure on the user’s and Sitecore’s side. The user should know not to copy and paste public machine keys, and Sitecore should adequately warn users not to.”

The number of organizations compromised or potentially exposed to attacks remains unknown. Sitecore did not immediately respond to a request for comment.

Caitlin Condon, VP of security research at VulnCheck, said the zero-day vulnerability is an insecure configuration at its core, exacerbated by the public exposure of the sample machine key. 

“It’s entirely possible that the software supplier hadn’t meant for a sample machine key to be used indefinitely for production deployments but, as we know, software is deployed and configured in unintended ways all the time,” she said. “If there’s one takeaway from this, it’s that adversaries definitely read product docs, and they’re good at finding quirks and forgotten tricks in those docs that can be used opportunistically against popular software.”

The post Sitecore zero-day vulnerability springs up from exposed machine key appeared first on CyberScoop.

Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June

26 August 2025 at 17:27

Citrix and cybersecurity researchers warn a critical, zero-day vulnerability affecting multiple versions of Citrix NetScaler products is under active exploitation. Citrix issued a security bulletin about the vulnerability — CVE-2025-7775 — and urged customers on affected versions to install upgrades Tuesday.

The memory-overflow vulnerability, which has an initial CVSS rating of 9.2, can be exploited to achieve remote-code execution or denial of service. Citrix disclosed two additional defects Tuesday, including CVE-2025-7776, another memory-overflow vulnerability affecting Citrix NetScaler ADC and its virtual private network NetScaler Gateway, and CVE-2025-8424, which affects the management interface for the products.

Citrix products have been widely targeted in previous attack sprees. The vendor has disclosed three actively exploited zero-day vulnerabilities since mid-June, including CVE-2025-6543 and CVE-2025-5777, which threat hunters likened to “CitrixBleed,” or CVE-2023-4966, which affected the same products.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-7775 to its known exploited vulnerabilities catalog Tuesday. The vendor has appeared on the agency’s list of vulnerabilities known to be exploited seven times this year, and a total of 21 times since late 2021.

Ben Harris, CEO at watchTowr, said the new Citrix zero-day has already been actively exploited to deploy backdoors, facilitating total compromise. “Patching is critical, but patching alone won’t cut it,” he said in an email. “Unless organizations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside.”

While the memory-corruption vulnerability is severe, its impact differs from the zero-days Citrix disclosed earlier this summer, according to Harris. “Each of these vulnerabilities presents unique risks, but all share the potential for significant exploitation,” he added.

Citrix said the vulnerability also affects older versions of NetScaler ADC and NetScaler Gateway, including versions 12.1 and 13.0, that are end of life and no longer supported with security updates. The vendor advised customers to upgrade their appliances to a newer, supported version to address the vulnerabilities. 

Scott Caveza, senior staff research engineer at Tenable, said these outdated versions of the affected products are still widely used, calling them “ticking time bombs” due to the heightened attacker interest in Citrix vulnerability exploitation. Nearly 1 in 5 NetScaler assets identified in Tenable’s telemetry data are on supported versions, he said. 

Citrix and researchers haven’t detailed the extent to which the new zero-day has been actively exploited, but researchers are concerned. “It’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalize on this flaw,” Caveza said.

Less than a month after Citrix disclosed CVE-2025-5777, researchers observed more than 11.5 million attack attempts targeting thousands of sites. 

“The reality is, critical software will always attract attackers,” Harris said. 

“Some vulnerabilities are a natural part of life in complex software and are thus forgivable,” he said. “When trivial flaws repeatedly allow total compromise with little defender recourse — this veers quickly into unforgivable territory.”

The post Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June appeared first on CyberScoop.

Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS

21 August 2025 at 18:07

Apple rushed an emergency software update to its customers Wednesday to address an actively exploited zero-day vulnerability affecting the software powering the company’s most popular devices. The out-of-bounds write defect — CVE-2025-43300 — can be triggered by processing a malicious image file, resulting in memory corruption.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company said in a series of security updates for iOS, iPadOS and macOS.

The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Thursday.

Apple did not say how many active exploits it’s aware of or how many people are impacted. The company did not respond to a request for comment. 

Apple typically shares limited details about in-the-wild exploitation of zero-days, yet it has used stronger language in at least five vulnerability disclosures this year to indicate when sophisticated attackers are involved or specific people are targeted by these attacks, according to Satnam Narang, senior staff research engineer at Tenable.

“This language suggests that Apple is being purposeful in its external communication,” Narang said in an email. “While the impact to the wider populace is smaller because the attackers exploiting CVE-2025-43300 had a narrow, targeted focus, Apple wants the public to pay attention to the threat and take immediate action.”

Apple said it improved bounds checking to address the vulnerability and advised customers on impacted versions of the affected software to apply the update immediately. The defect affects macOS versions before 13.7 and 15.6, iPadOS versions before 17.7 and iOS and iPadOS versions before 18.6.

“While the possibility of the average user being a target is low,” Narang said, “it’s never zero.”

The vulnerability marks the fifth zero-day Apple has addressed this year, following defects previously disclosed and patched in January, February, March and April. Apple defects have made seven appearances on CISA’s known exploited vulnerabilities catalog this year.

More information about the vulnerability is available on Apple’s website.

The post Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS appeared first on CyberScoop.

CrowdStrike warns of uptick in Silk Typhoon attacks this summer

21 August 2025 at 14:00

The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.

“We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.

CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.

Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services. 

The group’s advanced techniques in cloud environments are evident, as it enables prolonged access and lateral movement to downstream victims by abusing delegated administrative privileges in cloud solution providers, CrowdStrike said in a research report released Thursday.

Once Murky Panda compromises a cloud solutions provider it can access any cloud tenant that has granted them access, Meyers said. These types of “trusted-relationship compromises” in the cloud are rare and only conducted by a few groups, including Murky Panda, which makes this method of initial access less monitored and harder to detect.

“A lot of organizations have rushed to implement cloud over the last couple of years, and they may have done so without fully understanding or appreciating how the cloud works,” Meyers added.

Murky Panda’s attack pathways are assorted. The group has rapidly exploited n-day and zero-day vulnerabilities, including CVE-2023-3519 affecting Citrix NetScaler products and CVE-2025-3928 affecting Commvault Web Server, according to CrowdStrike. (Editor’s note: After this story’s initial publication, CrowdStrike removed the reference to the Commvault CVE. When asked why by CyberScoop, the company did not elaborate further.)

Researchers have also observed Murky Panda exploiting internet-facing appliances, including small office/home office devices, for initial access. 

CrowdStrike’s findings expand upon research Microsoft Threat Intelligence released in March indicating Silk Typhoon shifted tactics in late 2024 to broaden access and enable follow-on attacks against downstream customers of its initial targets.

The Justice Department in March unsealed indictments charging 12 Chinese nationals for their alleged involvement in a vast espionage campaign, including multiple attacks on U.S. government agencies. Two alleged members of Silk Typhoon, Yin Kecheng and Zhou Shuai, were among those indicted.

Yet, attacks from China-sponsored threat groups haven’t waned. CrowdStrike tracked a 40% year-over-year increase in cloud-intrusion activity from China-sponsored threat groups through June, including attacks linked to Murky Panda. Intrusions of all sorts linked to China jumped 150% over the same period.

“A lot of the activity we’ve seen from China is tied to geopolitical issues and initiatives that they’re following, and Murky Panda is a subset of that,” Meyers said. As China continues to “use offensive cyber tools to position their own geopolitical initiatives, you’ll see more intrusions.”

Update, Aug. 22, 2025: This story has been updated to reflect a change in the information shared by CrowdStrike.

The post CrowdStrike warns of uptick in Silk Typhoon attacks this summer appeared first on CyberScoop.

Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings

12 August 2025 at 16:21

Microsoft’s monthly batch of patches includes a vulnerability affecting on-premises Microsoft Exchange servers that the company and federal authorities warned about in a series of alerts last week. In its latest security update Tuesday, Microsoft maintained the flaw hasn’t been exploited in the wild and designated the exploitability of the defect — CVE-2025-53786 — as “more likely.”

Organizations have not applied the previously issued patch for the high-severity vulnerability en masse, despite the serious alarm raised by officials. More than 28,000 accessible Microsoft Exchange servers remained unpatched as of Monday, according to Shadowserver scans.

The Cybersecurity and Infrastructure Security Agency’s deadline for all federal agencies to update eligible servers with a previously issued hotfix and disconnect outdated Exchange servers passed on Monday. 

Microsoft addressed 111 vulnerabilities affecting its various enterprise products, cloud services and foundational Windows systems in this month’s security update. The set of disclosures includes four additional defects affecting Microsoft Exchange Server.

The security update also comes on the heels of an attack spree targeting zero-day vulnerabilities in on-premises Microsoft SharePoint servers. More than 400 organizations were actively compromised by those attacks, including the Departments of Energy, Homeland Security and Health and Human Services. 

Those zero-days — CVE-2025-53770 and CVE-2025-53771 — are variants of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — that Microsoft addressed in its security update last month.

Microsoft said none of the vulnerabilities in this month’s update are actively exploited. Yet, researchers described CVE-2025-53779, an elevation of privilege vulnerability affecting Windows Kerberos, as a zero-day because functional exploit code exists.

“While Microsoft rates this flaw as ‘exploitation less likely’ with ‘moderate’ severity, the combination of a path traversal issue in a core authentication component like Kerberos and its potential high impact is concerning,” Mike Walters, president and co-founder of Action1, said in an email. “The need for high privileges may create a false sense of security, as accounts with these rights are common in decentralized IT environments. Once compromised, they can quickly lead to full domain takeover.”

The most critical vulnerability — CVE-2025-53767 — is a maximum-severity defect affecting Azure OpenAI, a cloud-based platform that provides access to OpenAI’s large language models. Additionally, a pair of critical, remote-code execution vulnerabilities with CVSS scores of 9.8 — CVE-2025-53766 and CVE-2025-50165 — affect Windows GDI+ and the Microsoft Graphics Component, respectively. 

The vulnerability in Microsoft Graphics Component could attract threat groups due to its high rating and ubiquitous use across environments. “The attack vector is incredibly broad, as the vulnerability is triggered when the operating system processes a specially crafted JPEG image,” Ben McCarthy, lead cybersecurity engineer at Immersive Labs, said in an email. 

“This means any application that renders images — from email clients generating previews and instant messaging apps displaying photos, to office documents with embedded pictures — can become an in for the attack,” McCarthy added.

The remaining critical vulnerabilities in this month’s security update include CVE-2025-53792, which affects Azure Portal, and CVE-2025-50171, which affects Remote Desktop Server.

Nearly 2 in 5 CVEs Microsoft patched this month are elevation of privilege vulnerabilities, reflecting an “upward trend in post-compromise vulnerabilities over code execution bugs,” Satnam Narang, senior staff research engineer at Tenable, said in an email. 

Microsoft’s monthly security fix includes 17 vulnerabilities that affect Microsoft Office and standalone Office products. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft Patch Tuesday follows SharePoint attacks, Exchange server warnings appeared first on CyberScoop.

DARPA’s AI Cyber Challenge reveals winning models for automated vulnerability discovery and patching

8 August 2025 at 17:53

The Pentagon’s two-year public competition to spur the development of cyber-reasoning systems that use large language models to autonomously find and patch vulnerabilities in open-source software concluded Friday with $8.5 million awarded to three teams of security specialists at DEF CON. 

The Defense Advanced Research Projects Agency’s AI Cyber Challenge seeks to address a persistent bottleneck in cybersecurity — patching vulnerabilities before they are discovered or exploited by would-be attackers.

“We’re living in a world right now that has ancient digital scaffolding that’s holding everything up,” DARPA Director Stephen Winchell said. “A lot of the code bases, a lot of the languages, a lot of the ways we do business, and everything we’ve built on top of it has all incurred huge technical debt… It is a problem that is beyond human scale.” 

The seven semifinalists that earned their spot out of 90 teams convened at last year’s DEF CON were scored against their models’ ability to quickly, accurately and successfully identify and generate patches for synthetic vulnerabilities across 54 million lines of code. The models discovered 77% of the vulnerabilities presented in the final scoring round and patched 61% of those synthetic defects at an average speed of 45 minutes, the competition organizers said.

The models also discovered 18 real zero-day vulnerabilities, including six in the C programming language and 12 in Java codebases. The teams’ models patched none of the C codebase zero-days, but automatically patched 11 of the Java zero-days, according to the final results shared Friday.

Team Atlanta took the first-place prize of $4 million, Trail of Bits won second place and $3 million in prize money, and Theori ranked third, taking home $1.5 million. The competition’s organizers allocated an additional $1.4 million in prize money for participants who can demonstrate when their technology is deployed into critical infrastructure. 

Representatives from the three winning teams said they plan to reinvest the majority of the prize money back into research and further development of their cyber-reasoning systems or explore ways to commercialize the technology.

Four of the models developed under the competition were made available as open source Friday, and the three remaining models will be released in the coming weeks, officials said.

“Our hope is this technology will harden source code by being integrated during the development stage, the most critical point in the software lifecycle,” Andrew Carney, program manager of the competition, said during a media briefing about the challenge last week. 

Open sourcing the cyber-reasoning systems and the AI Cyber Challenge’s infrastructure should also allow others to experiment and improve upon what the competition helped foster, he said. DARPA and partners across government and the private sector involved in the program are pursuing paths to push the technology developed during the competition into open-source software communities and commercial vendors for broader adoption.

DARPA’s AI Cyber Challenge is a public-private endeavor, with Google, Microsoft, Anthropic and OpenAI each donating $350,000 in LLM credits and additional support. The initiative seeks to test AI’s ability to identify and patch vulnerabilities in open-source code of vital importance throughout critical infrastructure, including health care. 

Jim O’Neill, deputy secretary of the Department of Health and Human Services, spoke to the importance of this work during the AI Cyber Challenge presentation at DEF CON. “Health systems are among the hardest networks to secure. Unlike other industries, hospitals must maintain 24/7 uptime, and they don’t get to reboot. They rely on highly specialized, legacy devices and complex IT ecosystems,” he said. 

“As a result, patching a vulnerability in health care can take an average of 491 days, compared to 60 to 90 days in most other industries,” O’Neill added. “Many cybersecurity products, unfortunately, are security theater. We need assertive proof-of-work approaches to keep networks, hospitals and patients safer.”

Health officials and others directly involved in the AI Cyber Challenge acknowledged the problems posed by insecure software are vast, but said the results showcased from this effort provide a glimmer of hope. 

“The magnitude of the problem is so incredibly overwhelming and unreasonable that this is starting to make it so that maybe we can actually secure networks — maybe,” Jennifer Roberts, director of resilient systems at HHS’s Advanced Research Projects Agency for Health, said during a media briefing at DEF CON after the winners were announced. 

Kathleen Fisher, director of DARPA’s Information Innovation Office, shared a similar cautiously optimistic outlook. “Software runs the world, and the software that is running the world is riddled with vulnerabilities,” she said.

“We have this sense of learned helplessness, that there’s just nothing we can do about it. That’s the way software is,” she continued. The AI Cyber Challenge “points to a brighter future where software does what it’s supposed to do and nothing else.”

The post DARPA’s AI Cyber Challenge reveals winning models for automated vulnerability discovery and patching appeared first on CyberScoop.

SonicWall firewalls hit by active mass exploitation of suspected zero-day

5 August 2025 at 19:30

SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be-identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.

Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.

“A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”

SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.

Researchers from multiple security companies confirmed attackers have intruded and compromised customer networks, even in environments with multi-factor authentication enabled.

Attackers are moving swiftly, pivoting directly to domain controllers within hours and deploying ransomware after short dwell times, Huntress said in a threat advisory Monday. The company said it has observed about 20 attacks, occurring in almost daily bursts, starting July 25.

Huntress said post-compromise techniques span a mix of automated scripts and hands-on keyboard activities prior to Akira ransomware deployment. This includes the abuse of privileged accounts for administrative access, backdoor implants, lateral movements to steal credentials from multiple databases and a methodical disablement of security tools and firewalls. 

Multiple attackers have gained access to internal networks via SonicWall devices. While there are some similarities across the various attacks, Huntress also noted some differences, suggesting multiple threat groups might be involved or attackers are adapting to situations upon gaining access.  

SonicWall, a repeat offender

The active mass exploitation targeting SonicWall firewalls underscores the persistent risk the vendor’s customers have confronted for years. SonicWall has 14 entries on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021.

The more recent and ongoing attacks are targeting a next-generation firewall, unlike last month’s series of financially motivated attacks targeting organizations using fully patched, but outdated SonicWall Secure Mobile Access 100 series appliances. Half of the exploited vulnerabilities on CISA’s catalog affect SonicWall SMA 100 appliances, including three of the four defects actively exploited this year. 

SonicWall’s recommendation to disable SSLVPN on Gen 7 firewalls, the service that allows users to establish encrypted connections to the corporate network, serves as an acknowledgment that the critical service can’t be trusted to serve its primary purpose. Many organizations require employees to access their corporate network via VPN.

SonicWall’s SSLVPN was the root of the problem in at least three actively exploited vulnerabilities on CISA’s known exploited vulnerabilities catalog, including CVE-2024-53704, CVE-2023-44221 and CVE-2021-20016.

Akira ransomware impacted more than 250 organizations, claiming about $42 million in extortion payments from March 2023 to January 2024, CISA said in an advisory last year. Officials said Akira operators steal data and encrypt systems before threatening to publish data. Some Akira affiliates have also called victimized companies to apply further pressure, according to the FBI.

An investigation into the root cause of the attacks and origins of those responsible is ongoing.

The post SonicWall firewalls hit by active mass exploitation of suspected zero-day appeared first on CyberScoop.

Project Zero disclosure policy change puts vendors on early notice

30 July 2025 at 19:20

Google this week changed how it publicly discloses vulnerabilities in a bid to give defenders early details about new software defects it discovers, shortening the early window of time between a vendor releasing a patch and customers installing the security update.

Project Zero, Google’s squad of security researchers who find and study zero-day vulnerabilities, will now publicly share when it discovers a vulnerability within one week of reporting that defect to the vendor. Google said these reports will include the affected product and name of the vendor or open-source project responsible for the software or hardware, the date the report was filed and when the 90-day disclosure deadline expires. 

Google’s new trial policy addresses a nagging, persistent challenge in vulnerability management, spanning from discovery to disclosure and patch release to adoption. Tim Willis, head of Project Zero, described the delay between a patch’s release and its adoption as the “upstream patch gap,” in a blog post announcing the change.

“This is the period when an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product,” Willis said. “We’ve observed that this upstream gap significantly extends the vulnerability lifecycle.”

Google insists the policy change will not help attackers, yet may put additional public pressure and attention on unfixed defects. Google hopes this will encourage stronger communication between upstream vendors and downstream customers or dependents, resulting in faster patch development and increased patch adoption, Willis said.

“This data will make it easier for researchers and the public to track how long it takes for a fix to travel from the initial report, all the way to a user’s device,” he said in the blog post.

Project Zero will continue to adhere to a 90+30 disclosure deadline policy that gives vendors 90 days to fix a defect before public disclosure, and 30 days for customers to install the patch. When a vendor addresses a vulnerability before 90 days pass, the 30-day deadline for customers to patch kicks in. If a vendor doesn’t release a patch within 90 days, Project Zero makes details about the vulnerability public.

Early reports of discovered vulnerabilities will not include technical details, proof-of-concept code or information Google believes would help attackers discover the defect until the deadline. Willis described the policy as “an alert, not a blueprint for attackers.”

Zero-day defects are an unyielding problem for defenders, posing a steady risk to enterprise systems and critical infrastructure. Google Threat Intelligence Group tracked 75 zero-day vulnerabilities exploited in the wild last year, noting that zero-day exploitation is targeting a greater number and wider variety of technologies. 

Three of the four most-exploited vulnerabilities in 2024, all of which were contained in edge devices, were initially exploited as zero-days, Mandiant said in its annual M-Trends report released in April.

Project Zero researchers will monitor the effects of this change to the timing of its public disclosures of newly discovered vulnerabilities. “We hope it achieves our ultimate goal,” Willis said, engendering “a safer ecosystem where vulnerabilities are remediated not just in an upstream code repository, but on the devices, systems and services that people use every day.”

The post Project Zero disclosure policy change puts vendors on early notice appeared first on CyberScoop.

Microsoft SharePoint attacks ensnare 400 victims, including federal agencies

24 July 2025 at 14:39

The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.

Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.

As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.

The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

Microsoft said it observed Storm-2603 modifying policy settings to distribute Warlock ransomware in compromised environments. The attacker is also attempting to steal cryptographic keys from compromised SharePoint servers, which could allow attackers to maintain persistent access to victim environments after the patch has been applied. Microsoft did not say how many organizations have been hit with ransomware.

The zero-days under active exploit — CVE-2025-53770 and CVE-2025-53771 — are variants of a pair of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — Microsoft addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all affected versions of SharePoint by late Monday.

The exploit dubbed “ToolShell,” which allows attackers to bypass multi-factor authentication and single sign-on, contains the newly discovered defects: CVE-2025-53770, a critical remote-code execution vulnerability, and CVE-2025-53771, a security-bypass vulnerability. 

The “ToolShell” exploit chain allows attackers to fully access SharePoint content and execute code over the network, the Cybersecurity and Infrastructure Security Agency said. ESET Labs researchers said threat groups often chain all four vulnerabilities to intrude organizations.

CISA added CVE-2025-53770 to its known exploited vulnerabilities catalog Sunday, and added CVE-2025-47904 and CVE-2025-47906 to the database Tuesday. CISA said CVE-2025-53770 is a patch bypass for CVE-2025-49704 and CVE-2025-53771 is a patch bypass for CVE-2025-49706.

Officials declined to describe the level of compromise sustained across the federal government.

“Once the Microsoft SharePoint vulnerability was identified on Friday, CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates,” a Department of Homeland Security spokesperson said in a statement. “CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks.”

The spokesperson said an investigation to identify potential exposure remains ongoing, adding “there is no evidence of data exfiltration at DHS or any of its components at this time.”

The Energy Department, which was impacted along with the National Nuclear Security Administration, is also unaware of any compromise of sensitive or classified information. 

Exploitation of the Microsoft SharePoint zero-day vulnerability began affecting the Energy Department and the NNSA on Friday. “The department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems,” an agency spokesperson said in a statement.

“A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate,” the spokesperson added.

The Department of Health and Human Services said it is monitoring, identifying and mitigating all risks to its IT systems posed by the Microsoft SharePoint vulnerability. “This vulnerability is not unique to HHS and has been observed in other federal agencies and the private sector,” a spokesperson for the agency said in a statement. “At present, we have no indication that any information was breached as a result of this vulnerability.”

Jayme Ackemann, director of communications at the California Independent System Operator, said the nonprofit, which manages long-distance power lines across 80% of California’s grid, became aware of potential exploitation Sunday. “There has been no impact to market operations or grid reliability due to this incident,” Ackemann said. “All systems remain stable and fully operational.”

Microsoft SharePoint is prevalent across enterprise and government and deeply integrated with Microsoft’s platform. Researchers warn that attackers could use intrusions to burrow deeper into victim networks.

Attacks have spread globally but U.S.-based organizations are the most heavily targeted to date, accounting for more than 13% of attacks, according to ESET’s telemetry data. Scans from the Shadowserver Foundation showed nearly 11,000 SharePoint instances were still exposed to the internet as of Wednesday.

The post Microsoft SharePoint attacks ensnare 400 victims, including federal agencies appeared first on CyberScoop.

Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups

22 July 2025 at 11:54

Microsoft said two China nation-state threat groups and a separate attacker based in China are exploiting the zero-day vulnerabilities that first caused havoc to SharePoint servers over the weekend.

Linen Typhoon and Violet Typhoon — the Chinese government-affiliated threat groups — and an attacker Microsoft tracks as Storm-2603 are exploiting the pair of zero-day vulnerabilities affecting on-premises SharePoint servers, Microsoft Threat Intelligence said in a blog post Tuesday.

The zero-days — CVE-2025-53770 and CVE-2025-53771 — have been exploited en masse to intrude hundreds of organizations globally, spanning multiple sectors, including government agencies, according to researchers. 

Both defects are variants of previously disclosed vulnerabilities that Microsoft had already addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all versions of SharePoint by late Monday.

The attack spree is ongoing and spreading. 

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft Threat Intelligence researchers said in the blog post.

Underscoring the widespread alarm caused by the attacks, the Cybersecurity and Infrastructure Security Agency issued a rare weekend alert about active attacks and added the defect to its known exploited vulnerabilities catalog Sunday.

Microsoft’s initial attribution assessment tracks with other incident responders and researchers who are swarming to combat the threat the attacks pose to critical infrastructure. The motivations and origins of threat groups behind the attacks have also spread beyond China and its government.

Charles Carmakal, chief technology officer at Mandiant Consulting, said the early zero-day exploitation was broad and opportunistic. 

“At least one of the actors responsible for this early exploitation is a China-nexus threat actor,” he said in an email. “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”

Microsoft researchers said Linen Typhoon, Violet Typhoon and Storm-2603 attempted to exploit the previously disclosed SharePoint vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — as early as July 7. Typhoon is the family name Microsoft applies to nation-state threat groups originating from China, and Storm is a moniker the company uses for threat groups in development.

Linen Typhoon, which has been active since 2012, has focused on stealing intellectual property from organizations in government, defense, strategic planning and human rights, according to Microsoft. 

Violet Typhoon, which emerged in 2015, is an espionage threat group targeting former government and military personnel, non-governmental organizations, think tanks, higher education, media, finance and health-related industries in the United States, Europe and East Asia. “This group persistently scans for vulnerabilities in the exposed web infrastructure of targeting organizations, exploiting discovered weaknesses to install web shells,” Microsoft researchers said.

Storm-2603 is the China-based attacker that’s attempting to steal MachineKeys from compromised SharePoint servers, according to Microsoft. Researchers have warned that the theft of cryptographic keys could allow attackers to maintain persistent access to victim environments after the patch has been applied.

The post Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups appeared first on CyberScoop.

Mass attack spree hits Microsoft SharePoint zero-day defect

21 July 2025 at 09:44

Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows unauthenticated attackers to gain full access to files and internal configurations and to execute code on affected systems. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month.

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.
