Researchers disclose vulnerabilities in IP KVMs from four manufacturers

Researchers are warning about the risks posed by a low-cost device that can give insiders and hackers unusually broad powers in compromising networks.

The devices, which typically sell for $30 to $100, are known as IP KVMs. Administrators often use them to remotely access machines on networks. The devices, not much bigger than a deck of cards, allow the machines to be accessed at the BIOS/UEFI level, the firmware that runs before the loading of the operating system.

This provides power and convenience to admins, but in the wrong hands, the capabilities can often torpedo what might otherwise be a secure network. Risks are posed when the devices—which are exposed to the Internet—are deployed with weak security configurations or surreptitiously connected to by insiders. Firmware vulnerabilities also leave them open to remote takeover.

No exotic zero-days here

On Tuesday, researchers from security firm Eclypsium disclosed a total of nine vulnerabilities in IP KVMs from four manufacturers. The most severe flaws allow unauthenticated hackers to gain root access or run malicious code on them.

“These are not exotic zero-days requiring months of reverse engineering,” Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia wrote. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”

https://arstechnica.com/security/2026/03/researchers-disclose-vulnerabilities-in-ip-kvms-from-4-manufacturers/




Feds take notice of iOS vulnerabilities exploited under mysterious circumstances

Coruna is also notable for its use by three distinct hacking groups. Google first detected its use in February of last year in an operation conducted by a “customer of a surveillance vendor.” The vulnerability exploited, tracked as CVE-2024-23222, had been patched 13 months earlier. In July 2025, a “suspected Russian espionage group” exploited CVE-2023-43000 in attacks planted on websites that were frequented by Ukrainian targets. Last December, when it was used by a “financially motivated threat actor from China,” Google was able to retrieve the complete exploit kit.

“How this proliferation occurred is unclear, but suggests an active market for ‘second hand’ zero-day exploits,” Google wrote. “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.”

Google researchers went on to write:

We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).

The 23 exploits, along with the code names and other information, are:

| Type | Codename | Targeted versions (inclusive) | Fixed versions | CVE |
|---|---|---|---|---|
| WebContent R/W | buffout | 13 → 15.1.1 | 15.2 | CVE-2021-30952 |
| WebContent R/W | jacurutu | 15.2 → 15.5 | 15.6 | CVE-2022-48503 |
| WebContent R/W | bluebird | 15.6 → 16.1.2 | 16.2 | No CVE |
| WebContent R/W | terrorbird | 16.2 → 16.5.1 | 16.6 | CVE-2023-43000 |
| WebContent R/W | cassowary | 16.6 → 17.2.1 | 16.7.5, 17.3 | CVE-2024-23222 |
| WebContent PAC bypass | breezy | 13 → 14.x | ? | No CVE |
| WebContent PAC bypass | breezy15 | 15 → 16.2 | ? | No CVE |
| WebContent PAC bypass | seedbell | 16.3 → 16.5.1 | ? | No CVE |
| WebContent PAC bypass | seedbell_16_6 | 16.6 → 16.7.12 | ? | No CVE |
| WebContent PAC bypass | seedbell_17 | 17 → 17.2.1 | ? | No CVE |
| WebContent sandbox escape | IronLoader | 16.0 → 16.3.1; 16.4.0 (<= A12) | 15.7.8, 16.5 | CVE-2023-32409 |
| WebContent sandbox escape | NeuronLoader | 16.4.0 → 16.6.1 (A13-A16) | 17.0 | No CVE |
| PE | Neutron | 13.x | 14.2 | CVE-2020-27932 |
| PE (infoleak) | Dynamo | 13.x | 14.2 | CVE-2020-27950 |
| PE | Pendulum | 14 → 14.4.x | 14.7 | No CVE |
| PE | Photon | 14.5 → 15.7.6 | 15.7.7, 16.5.1 | CVE-2023-32434 |
| PE | Parallax | 16.4 → 16.7 | 17.0 | CVE-2023-41974 |
| PE | Gruber | 15.2 → 17.2.1 | 16.7.6, 17.3 | No CVE |
| PPL Bypass | Quark | 13.x | 14.5 | No CVE |
| PPL Bypass | Gallium | 14.x | 15.7.8, 16.6 | CVE-2023-38606 |
| PPL Bypass | Carbone | 15.0 → 16.7.6 | 17.0 | No CVE |
| PPL Bypass | Sparrow | 17.0 → 17.3 | 16.7.6, 17.4 | CVE-2024-23225 |
| PPL Bypass | Rocket | 17.1 → 17.4 | 16.7.8, 17.5 | CVE-2024-23296 |

CISA is adding only three of the CVEs to its catalog. They are:

  • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
  • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
  • CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability

CISA is directing agencies to “apply mitigations per vendor instructions, follow applicable… guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The agency went on to warn: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

https://arstechnica.com/security/2026/03/cisa-adds-3-ios-flaws-to-its-catalog-of-known-exploited-vulnerabilities/




Critical Dolby Vulnerability Patched in Android

The flaw is tracked as CVE-2025-54957 and its existence came to light in October 2025 after it was discovered by Google researchers.


https://www.securityweek.com/critical-dolby-vulnerability-patched-in-android/




AISLE Emerges From Stealth With AI-Based Reasoning System to Remediate Vulnerabilities on the Fly

AISLE has emerged from stealth with a new AI-based cyber reasoning system (CRS). The term CRS originates from DARPA’s Cyber Grand Challenge, held in 2016 and designed for research into systems able to detect, exploit, and patch software vulnerabilities in real time.

Since that Challenge, AI-driven software has become mainstream, and AISLE’s new CRS is described as an “AI-native cyber reasoning system that autonomously identifies, triages and remediates with verification both known and zero-day application vulnerabilities.”

Ondrej Vlcek (CEO and co-founder at AISLE) explains, “AI is reshaping the economics of cybersecurity, but to date, it’s almost entirely in favor of malicious actors – speeding up attacks and driving down the costs of weaponizing vulnerabilities. AISLE flips the advantage back to defenders by solving the hardest problem in security: fast and accurate vulnerability remediation.”

The new company has co-founder pedigree: Vlcek, CEO (former CEO at Avast); Jaya Baloo, COO (former CSO at Rapid7); and Stanislav Fort, chief scientist (former research scientist at DeepMind and Anthropic). The firm’s angel investors include DeepMind’s current chief scientist, Hugging Face’s co-founder and chief science officer, Datadog’s co-founder and CEO, and Microsoft’s CPO for AI experiences.

The need for automated remediation going beyond anomaly detection is clear and becoming more urgent. “In 2024, more than 40,000 new software vulnerabilities were discovered. Each one represents potential exposure [and] even the critical ones take organizations on average 45 days to fix,” explains Vlcek in an accompanying blog. Meanwhile, attackers take only five days to exploit a vulnerability. They have adopted and adapted AI for attack faster than defenders have done so for defense – the attackers have not waited to see how AI evolves: they have no company, employees nor shareholders to worry about.

AISLE aims to reverse this differential by automating the complete process of vulnerability remediation. “Our system doesn’t just identify risks – it resolves them autonomously, verifying results against a continuously updated twin of an enterprise’s software stack. This collapses the remediation loop from weeks or months to days or even minutes, while preventing any disruptions and still allowing full human oversight,” says Vlcek.

The analysis process finds known and unknown vulnerabilities. In its first weeks of operation, AISLE found more than 100 new vulnerabilities within foundational software, including the Linux kernel, OpenSSL, cURL, and the Apache stack. But its analyzer also goes beyond simple code flaws. It can identify vulnerabilities such as race conditions, business logic flaws, missing authentication and more.

The remediation process automatically fixes the discovered flaws in both first-party and third-party code – there is no need to wait for third-party patches nor any need to ignore them when they arrive. “Remediation means creating the fix (the actual code patch), validating that patch (using our Verifier Agent, that can actually create an on-the-fly docker image with the patch candidate to test it), all the way to pushing the changes to Git,” Vlcek told SecurityWeek.


The existing tension between full automation (for speed and the elimination of human error) and human control (keeping a human in the loop ‘just in case…’) is configurable. “Some customers want to stay fully in control and use AISLE just in an assistant/copilot mode, which is fine. Some may prefer more autonomy, which is also supported. The point is that the level at which the human is kept in the loop can be chosen by the customer,” explained Vlcek.

“Developers and security professionals can now operate together at machine speed, get free of the backlog burden, and finally move toward a future of self-defending software stacks,” he says. He describes the product as ‘accelerating to zero’ – that is, rapidly achieving a state of zero exploitable zero days.


https://www.securityweek.com/aisle-emerges-from-stealth-with-ai-based-reasoning-system-that-remediates-vulnerabilities-on-the-fly/




ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager.

One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025.

While the vulnerabilities are technically not zero-days, ZDI flags all of the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details.

No CVE identifier has been issued for these vulnerabilities, but ZDI notes that all of them are high-severity defects. The most severe of them has a CVSS score of 8.8, one has a CVSS score of 7.8, while the remaining 11 have CVSS scores of 7.2.

According to ZDI, the local privilege escalation bug affects the Endpoint Manager’s AgentPortal service. It exists because user-supplied input is not properly validated, resulting in deserialization of untrusted data and code execution with System privileges.

Also rooted in the lack of proper validation of user-supplied data, the RCE weaknesses were found in the product’s Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, and in the GetCountForQuery and OnSaveToDB methods.

For the first 11 of the RCE vulnerabilities, the improperly validated user-supplied input is used to construct SQL queries and could lead to arbitrary code execution in the context of the service account. Authentication is required to exploit all of them.

For the last RCE issue (CVSS score of 8.8), an improperly validated user-supplied path is used in file operations, leading to code execution in the context of the user. Attackers can exploit the defect if they have admin credentials or if they can convince a user to open a malicious page or file.


ZDI says Ivanti was notified of the first security hole in November 2024 and acknowledged it in January 2025. In July, the vendor notified ZDI that patches would be released in November.

Regarding the RCE flaws, Ivanti initially said it would patch 10 of them in September, but then requested an extension until March 2026 for all 12, ZDI says.

Per its disclosure policy, ZDI allows vendors 120 days to address vulnerabilities reported to them. If by the end of the deadline the vendor is unresponsive or does not provide a reasonable statement on why fixes have not been released, ZDI publishes a limited advisory on the reported security defect.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product,” ZDI notes for each of the bugs. Additional information can be found on ZDI’s published advisories page.

“We have communicated to ZDI that the issues reported to Ivanti are complicated to fix and require additional time to resolve. We are in the middle of this work now, and we are looking at ways to further increase resources from other initiatives to accelerate this work,” an Ivanti spokesperson told SecurityWeek.

The company’s representative also underlined that the security defects do not pose a significant risk to customers, as they are difficult to exploit.

“An important part of Ivanti’s responsible disclosure is to try to ensure a fix is complete and cannot be circumvented before we disclose a vulnerability that has not been exploited in the wild. Our aim is to always balance speed with quality, with our customers’ security at the core of that decision,” the spokesperson said.

*Updated with statement from Ivanti.


https://www.securityweek.com/zdi-drops-13-unpatched-ivanti-endpoint-manager-vulnerabilities/




Apple Bug Bounty Update: Top Payout $2 Million, $35 Million Paid to Date

Apple on Friday announced significant updates to its bug bounty program and the company is now offering up to $2 million for complex exploit chains. 

Since the launch of its public bug bounty program in 2020, Apple has awarded a total of more than $35 million to over 800 security researchers. Multiple hackers earned $500,000 for their work, Apple said.

The tech giant recently unveiled Memory Integrity Enforcement (MIE), an always-on memory-safety protection for iPhones designed to combat sophisticated attacks such as the ones conducted by mercenary spyware vendors. 

Apple believes these spyware attacks are the only ones that actually pose a significant threat to its customers and the company now wants to boost the security of its products even further against sophisticated attacks. 

It’s doing this by harnessing offensive security talent from outside the company, specifically by significantly increasing bug bounties for vulnerabilities such as the ones that would be leveraged in the exploit chains of mercenary spyware attacks.

Specifically, the top reward for a zero-click exploit chain that achieves remote device compromise has been increased from $1 million to $2 million. Apple pointed out that this is the base pay and researchers can in theory get as much as $5 million if they earn bonuses for Lockdown Mode bypasses and vulnerabilities discovered in beta software.

Apple noted in a call with reporters on Thursday that for someone to earn a $5 million reward is not easy or likely, but it is theoretically possible.

Apple is also significantly increasing bug bounty payouts for an application sandbox escape (from $150k to $500k), attacks requiring physical access to a locked device (from $250k to $500k), wireless attacks requiring physical proximity (from $250k to $1M), and remote hacking that requires one-click user interaction (from $250k to $1M).


The company has also announced that one-click attacks through the web browser, which have to bypass its WebKit protections, will be rewarded with up to $300,000 if they can achieve code execution with a sandbox escape. The reward can increase up to $1 million if the exploit chain is taken even further to achieve unsigned code execution with arbitrary entitlements. 

The tech giant is also boosting rewards for categories where no exploit has been demonstrated to date, such as a Gatekeeper bypass on macOS ($100,000) and unauthorized iCloud access ($1 million). 

The new payouts will go into effect in November 2025. 

Apple on Friday also introduced a concept that involves flags, similar to capture-the-flag (CTF) competitions. These so-called ‘Target Flags’ are meant to make it easier for researchers to objectively demonstrate their findings and to know what reward they should expect for their report. 

“When researchers demonstrate security issues using Target Flags, the specific flag that’s captured objectively demonstrates a given level of capability — for example, register control, arbitrary read/write, or code execution — and directly correlates to the reward amount, making the award determination more transparent than ever,” Apple explained.

“Because Target Flags can be programmatically verified by Apple as part of submitted findings, researchers who submit eligible reports with Target Flags will receive notification of their bounty award immediately upon our validation of the captured flag,” it added.

Target Flags are supported on iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.

Apple also announced that exceptional research will continue to receive bonuses, and it has decided that even low-impact vulnerabilities may be rewarded with $1,000 to encourage researchers to continue reporting their findings.


https://www.securityweek.com/apple-bug-bounty-update-top-payout-now-2-million-35-million-paid-to-date/




Microsoft and Steam Take Action as Unity Vulnerability Puts Games at Risk

A high-severity vulnerability in the popular gaming and application editor Unity can allow attackers to load arbitrary libraries and achieve code execution.

Tracked as CVE-2025-59489 (CVSS score of 8.4), the security defect resides in command-line arguments through which Unity could load and execute arbitrary code.

According to security engineer RyotaK from GMO Flatt Security, the issue is related to Unity’s support for application debugging and is straightforward to exploit locally.

“To support debugging Unity applications on Android devices, Unity automatically adds a handler for the intent containing the unity extra to the UnityPlayerActivity. This activity serves as the default entry point for applications and is exported to other applications,” RyotaK says.

Because the extra is passed as a command-line argument to Unity and any application can send the extra to a Unity application, an attacker could control the command-line arguments that are passed to a Unity application.

An attacker could build a malicious application that would extract the native library containing malicious code, and then launch the Unity application with a specific argument pointing to the malicious library, thus achieving code execution.

According to the security engineer, remote exploitation of the bug is potentially possible if a malicious website can force the browser to download a specific library and load it with a given argument.

Unity addressed the vulnerability with the release of the Unity Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2. It also pushed the fixes to discontinued versions down to 2019.1.


According to Unity, successful exploitation of the issue could allow an attacker to execute arbitrary code remotely and access information on the devices running applications built using Unity.

“Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers,” Unity notes.

However, it also warns that the risk of exploitation on Windows devices is higher, due to “the presence of a registered custom URI handler for a vulnerable application or handler name”.

“If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process,” the vendor notes.

Unity has published recommendations for developers, warning that all applications built using Unity 2017.1 and later for Android, Windows, macOS, and Linux are impacted. The company has urged developers to update the editor to the latest version and then rebuild and redeploy their applications.

Microsoft says it is working on identifying potentially affected applications and games to update them, and that it has added exploitation detection rules to Microsoft Defender.

“You may be using a Microsoft app or playing a Microsoft game that should be uninstalled until an update is available. We are working to update games and applications that are potentially affected by this Unity vulnerability,” the tech giant told users. 

Valve released a new Steam Client update that blocks the launch of any game whose launch request contains one of the four command-line parameters Unity associates with the flaw. Developers should update their games using the Steamworks SDK or the Steamworks website and submit the update to Steam.

“Unity has provided two paths to update games affected by this issue. If your game is under active development, you can use a new version of the Unity Editor to rebuild your game. For developers that are unable to rebuild their game, Unity has released patched versions of the UnityPlayer.dll runtime file that can be dropped into existing game folders,” Valve notes.


https://www.securityweek.com/microsoft-and-steam-take-action-as-unity-vulnerability-puts-games-at-risk/




Oracle E-Business Suite Zero-Day Exploited in Cl0p Attacks

The recent data theft and extortion campaign targeting Oracle E-Business Suite customers has been confirmed to be the work of the notorious Cl0p ransomware group, and Oracle has admitted that the hackers have exploited a zero-day vulnerability.

The attacks targeting Oracle E-Business Suite (EBS) customers came to light last week, when Google Threat Intelligence Group (GTIG) and Mandiant warned that executives at many organizations using the enterprise resource planning product received extortion emails.

The emails, apparently coming from the Cl0p group, informed recipients that sensitive data had been stolen from their Oracle EBS instance and urged them to get in touch with the cybercriminals.

GTIG and Mandiant researchers, who found that the emails were coming from compromised accounts previously associated with the FIN11 cybercrime group, initially could not confirm that Cl0p was behind the attacks. However, the researchers have now confirmed that Cl0p is indeed responsible.

This is not surprising considering that Cl0p previously conducted several other similar campaigns, including ones targeting Cleo, MOVEit, and Fortra file transfer products through the exploitation of zero-day vulnerabilities.

Charles Carmakal, CTO of Mandiant, explained that the hackers stole data from EBS customers in August and started sending out extortion emails in late September. 

While Oracle initially said the recent EBS data theft campaign involved exploitation of unspecified vulnerabilities patched in July, on Saturday the software giant’s CSO, Rob Duhart, confirmed that a zero-day has also been leveraged by the attackers.

The zero-day flaw is tracked as CVE-2025-61882 and it can be exploited for remote code execution by an unauthenticated attacker.


The vulnerability, which impacts Oracle E-Business Suite versions 12.2.3-12.2.14, has been assigned a ‘critical’ severity rating with a CVSS score of 9.8. The security hole impacts the BI Publishing Integration component of Oracle Concurrent Processing.

Oracle has released patches and shared indicators of compromise (IoCs) that customers can use to detect potential attacks. 

Mandiant has confirmed that the Cl0p attacks exploited vulnerabilities patched in July alongside CVE-2025-61882.

Other threat actors are now expected to add the vulnerabilities exploited in this campaign to their arsenal.

“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal warned.

The cybercrime groups Scattered Spider and ShinyHunters, which recently announced their retirement but continue to be active, might also be involved in the Oracle attack. The hackers created a new Telegram channel and posted what appear to be the EBS exploits used in the attack.


https://www.securityweek.com/oracle-e-business-suite-zero-day-exploited-in-cl0p-attacks/




Unauthenticated RCE Flaw Patched in DrayTek Routers

DrayTek on Thursday announced patches for an unauthenticated remote code execution (RCE) vulnerability affecting DrayOS routers.

Tracked as CVE-2025-10547, the issue can be exploited via crafted HTTP or HTTPS requests sent to a vulnerable device’s web user interface.

Successful exploitation of the bug, DrayTek explains in its advisory, may result in memory corruption and a system crash. In certain circumstances, it could be used to execute arbitrary code remotely, it says.

“Routers are shielded from WAN-based attacks if remote access to the WebUI and SSL VPN services is disabled, or if Access Control Lists (ACLs) are properly configured,” DrayTek notes.

“Nevertheless, an attacker with access to the local network could still exploit the vulnerability via the WebUI. Local access to the WebUI can be controlled on some models using LAN side VLANs and ACLs,” the company adds.

The company credited ChapsVision security researcher Pierre-Yves Maes for reporting the vulnerability on July 22.

DrayTek has released firmware updates that address the security defect in 35 Vigor router models, urging users to update their devices as soon as possible. However, it made no mention of the bug being exploited in the wild.

DrayTek devices are widely used by prosumers and SMBs, and are known to be popular targets for hackers. Ransomware groups last year hit hundreds of organizations by exploiting an unknown flaw in DrayTek routers.


Earlier this year, widespread Vigor router reboots reported across the UK, Australia, and other countries were blamed on potentially malicious TCP connection attempts targeting older models.


https://www.securityweek.com/unauthenticated-rce-flaw-patched-in-draytek-routers/




Organizations Warned of Exploited Meteobridge Vulnerability

The US cybersecurity agency CISA on Thursday warned that a Meteobridge vulnerability patched in May has been exploited in attacks and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system management functionality is provided through the Meteobridge web interface.

While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks.

Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is prone to command injection.

The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Furthermore, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command.

“Remote exploitation through malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” Onekey explains.
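The defect class described above, a shell CGI script that feeds user-controlled query-string input to eval, is common enough to be worth seeing next to its fix. The following is a constructed example added here; it is not Meteobridge's or Onekey's code, and the parameter names it allows (station, units, format) and the value character class are assumptions made for illustration. The hardened parser splits the query string with parameter expansion only, admits allowlisted keys and strictly shaped values, and never hands any text back to the shell for re-parsing.

```shell
#!/bin/sh
# Constructed example (not Meteobridge's code): two ways a shell CGI script can
# turn QUERY_STRING "key=value&key2=value2" into variables.

# VULNERABLE: every pair is handed to eval so that "station=1" becomes $station.
# eval re-parses the text as shell, so any metacharacter in a value ($(...),
# backticks, ';') runs as a command with the web server's privileges. This is
# the defect class behind CVE-2025-4008.
parse_query_unsafe() {
    _qs=$1
    _old_ifs=$IFS
    IFS='&'
    for pair in $_qs; do
        eval "$pair"
    done
    IFS=$_old_ifs
}

# HARDENED: split on '&' and '=' with parameter expansion only, admit only
# allowlisted parameter names (assumed here: station, units, format) and values
# made of [A-Za-z0-9_.-], and never call eval. Accepted pairs are printed one
# per line; the function returns 1 if any pair was rejected. Percent-encoded
# input is rejected rather than decoded, which is the conservative choice.
parse_query_safe() {
    _qs=$1
    _status=0
    _old_ifs=$IFS
    IFS='&'
    set -f                      # no pathname expansion while splitting
    for pair in $_qs; do
        case "$pair" in
            *=*) ;;
            *) echo "rejected: missing '=' in '$pair'" >&2; _status=1; continue ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}
        case "$key" in
            station|units|format) ;;
            *) echo "rejected: unknown parameter '$key'" >&2; _status=1; continue ;;
        esac
        case "$value" in
            ""|*[!A-Za-z0-9_.-]*)
                echo "rejected: bad characters in value of '$key'" >&2
                _status=1
                continue ;;
        esac
        printf '%s=%s\n' "$key" "$value"
    done
    set +f
    IFS=$_old_ifs
    return $_status
}

# Stand-alone demo: the hardened parser accepts a benign query and rejects one
# carrying a shell metacharacter, without executing anything from the input.
if [ -z "${PARSE_QUERY_NO_DEMO:-}" ]; then
    parse_query_safe 'station=1&units=metric'
    parse_query_safe 'station=1;id' || echo "hostile query rejected"
fi
```

The point of the allowlist on keys is that a CGI variable-assignment pattern must not let the caller choose which variables are set (PATH, IFS and friends included); the point of the value character class is that nothing the script later does with the value, including building further commands, sees a shell metacharacter.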

On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for “an application security risk”, without mentioning the CVE or the vulnerability’s exploitation.

Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.


While Onekey published technical details on CVE-2025-4008 and a proof-of-concept (PoC) exploit in May, there have been no reports of the bug’s in-the-wild exploitation prior to CISA adding it to KEV.

On Thursday, CISA also expanded the KEV list with a recent Samsung zero-day (CVE-2025-21043) and with three old security defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash (CVE-2014-6278, aka Shellshock), which were flagged as exploited before.

All organizations are advised to address these five vulnerabilities, and all the flaws described by CISA’s KEV list.


https://www.securityweek.com/organizations-warned-of-exploited-meteobridge-vulnerability/