A new report from Mandiant indicates that 70% of 2023's total of 138 exploited vulnerabilities were zero-days when first used, with the average time-to-exploit (TTE) dropping drastically from 32 days to just five.
State-sponsored hackers have exploited two Ivanti zero-days to compromise over 1,700 ICS VPN appliances, cybersecurity firm Volexity has found.
Russian firm of uncertain backing called Operation Zero appears to be shaking up the zero-day exploit market, offering up to $20 million if hackers and researchers come to them first. Company claims that the market is undervalued.
Citizen Lab reports that the new Pegasus spyware zero-click zero-day impacts the most recent version of iOS (16.6) and likely prior versions dating back to the iPhone 8. As with the prior Pegasus attack vector, victims only need to receive a iMessage to be compromised; they do not need to open the message or interact with it.
Barracuda ESG zero-day attacks by Chinese state-sponsored threat actors compromised multiple U.S. state, local, and tribal government email servers. Over 200,000 private and government organizations worldwide depend on Barracuda email security gateway (ESG) appliances.
The report comes from Google’s TAG, which tracks over 30 of these commercial spyware vendors. The current crop of zero-days, which the report saw deployed in late 2022, targets Android and iOS as well as the Chrome web browsers.
The primary concern with Twitter’s zero-day security breach is that authoritarian governments might tie names to the anonymous accounts of activists, political opposition and journalists they are targeting.
A zero-day remote code execution vulnerability in Microsoft Office has come to light, and is considered very serious due to potential for code execution if a victim opens a malicious document in Word.
New Zero-Day RCE Vulnerability in Spring Java Framework; Could “Spring4Shell” Be the Next Log4Shell?
A new zero-day remote code execution (RCE) vulnerability in the Spring Java Framework is drawing comparisons to Log4Shell. It can be exploited by simply sending a crafted HTTP request to a target system.
New vulnerability disclosure rules announced by the Chinese government have raised the prospect of "zero-day hoarding," as anything discovered in the country must now be reported to the CCP and to no one else (in most cases).
