Today’s roundup
Google fixes eighth Chrome zero-day exploited in attacks in 2025
Google ads for shared ChatGPT, Grok guides push macOS infostealer malware
Over 10,000 Docker Hub images found leaking credentials, auth keys
WIRTE Leverages AshenLoader Sideloading to Install the AshTag Espionage Backdoor
Unpatched Gogs Zero-Day Exploited Across 700+ Instances Amid Active Attacks
Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution
Fortinet fixed two critical authentication-bypass vulnerabilities
New EtherRAT backdoor surfaces in React2Shell attacks tied to North Korea
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
Summary
Google has issued emergency security updates for its Chrome browser, patching three zero-day vulnerabilities, including one actively exploited in the wild. This marks the eighth such zero-day Google has fixed in 2025. The high-severity flaw is tracked as Chromium issue 466192044; Google has withheld the CVE identifier and details of the affected component.
A new campaign is leveraging Google search ads that promote fake Grok and ChatGPT guides to distribute AMOS infostealer malware on macOS systems. The "ClickFix-style" attack combines SEO poisoning with legitimate-looking AI domains, tricking users into installing the info-stealing payload.
Over 10,000 Docker Hub container images have been discovered to expose sensitive data, including live credentials to production systems, CI/CD databases, and keys for large language models (LLMs). This widespread misconfiguration poses significant supply chain risks.
The advanced persistent threat (APT) group WIRTE is actively targeting government and diplomatic entities across the Middle East. The group leverages AshenLoader sideloading to deploy a previously undocumented espionage backdoor called AshTag, in a campaign identified as ongoing since 2020.
An unpatched, high-severity zero-day vulnerability (CVE-2025-8110, CVSS 8.7) in Gogs, a Go-based self-hosted Git service, is under active exploitation. Security researchers report over 700 internet-exposed instances have been compromised through this file overwrite flaw in the update API.
Active exploitation has been reported against a vulnerability in Gladinet's CentreStack and Triofox products. The flaw stems from the use of hard-coded cryptographic keys, impacting at least nine organizations and potentially allowing threat actors to gain unauthorized access and achieve remote code execution through manipulation of web.config files.
Fortinet has patched 18 vulnerabilities, including two critical authentication-bypass flaws (CVE-2025-59718, CVE-2025-59719, CVSS 9.1). These affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled, allowing unauthenticated attackers to bypass login using crafted SAML messages.
North Korea-linked threat actors are actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) to deploy a new remote access trojan (RAT) dubbed EtherRAT. This sophisticated backdoor utilizes Ethereum smart contracts for resilient command and control (C2) and delivers various payloads, including cryptocurrency miners and new Linux malware families like PeerBlight and CowTunnel.
WatchTowr Labs has disclosed "SOAPwn," an "invalid cast vulnerability" in the .NET Framework's HTTP client proxies, specifically impacting `SoapHttpClientProtocol`. This flaw enables arbitrary file writes and potential remote code execution via rogue WSDL imports, affecting enterprise applications like Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Microsoft has stated it will not fix this framework-level issue.
Check Point researchers have published a deep dive into ValleyRAT (also known as Winos or Winos4.0), a modular backdoor associated with the Chinese Silver Fox APT. The analysis details a kernel-mode rootkit embedded in its "Driver Plugin" which remains loadable on fully updated Windows 11 systems, even bypassing modern security features like HVCI and Secure Boot. The availability of its builder and source code complicates attribution.