News from the AI & ML world

DeeperML - #zeroday

@The DefendOps Diaries //

Water Gamayun Abuses Zero-Day for Code Execution - Water Gamayun, a suspected Russian threat actor, abuses a zero-day vulnerability in Microsoft Management Console (CVE-2025-26633) to execute malicious code using sophisticated delivery methods and custom payloads, including backdoors and stealers.
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.

Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.

Recommended read:
References :
  • www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
  • doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
  • www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
  • www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
  • Techzine Global: Oracle acknowledged the breach related to their health tech division.
  • www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
  • DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  • infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
  • Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
  • aboutdfir.com: Oracle Health breach compromises patient data at US hospitals A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […] The post appeared first on .
  • techcrunch.com: Oracle under fire for its handling of separate security incidents
  • techxplore.com: Oracle warns health customers of patient data breach
  • The Register - Security: 1990s incident response in 2025 Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
  • www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
  • SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
  • Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
Pierluigi Paganini@Security Affairs //

Russian Brokers Offering Millions for Telegram Exploits - Operation Zero, a Russian zero-day broker, is offering up to $4 million for zero-day exploits against Telegram, indicating Russian government and private organizations' interest in exploiting Telegram's security flaws for targeted attacks.
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.

Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.

Recommended read:
References :
  • CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
  • infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
  • techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
  • securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
  • securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether The post appeared first on .
  • Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
  • hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
@csoonline.com //

Active Exploitation of Critical VMware Zero-Day Vulnerabilities - Three critical zero-day vulnerabilities in VMware products were exploited in the wild, potentially allowing attackers to execute arbitrary code and escalate privileges.
Three critical zero-day vulnerabilities have been discovered in VMware products, leading to active exploitation in the wild. The vulnerabilities affect VMware ESXi, Workstation, and Fusion, potentially allowing attackers to execute arbitrary code and escalate privileges. Microsoft's Threat Intelligence Center (MSTIC) uncovered the vulnerabilities, and they have since been added to CISA's Known Exploited Vulnerabilities Catalog.

Affected VMware products include ESXi versions 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry CVSSv3 scores of 9.3, 8.2, and 7.1 respectively. Organizations using these VMware products are strongly advised to apply the available patches immediately to mitigate the risks associated with these flaws.

Recommended read:
References :
  • cyble.com: Three critical zero-day vulnerabilities in VMware products, affecting VMware ESXi, Workstation, and Fusion, were reported as exploited in the wild.
  • research.kudelskisecurity.com: Three critical zero-day vulnerabilities found in VMware products were actively being exploited in the wild.
  • MSSP feed for Latest: Multiple zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion products were identified and confirmed by VMware, with evidence of active exploitation.
Pierluigi Paganini@Security Affairs //

Actively Exploited Microsoft Power Pages Flaw - Microsoft Power Pages suffered a critical vulnerability (CVE-2025-24989) that is being exploited, allowing unauthorized access and privilege escalation; Microsoft has issued updates.
Microsoft has issued updates to address a critical vulnerability, CVE-2025-24989, impacting its Power Pages platform. This flaw, a high-severity issue, is already being actively exploited in the wild, allowing unauthorized access to websites. Threat actors can leverage the vulnerability to achieve privilege escalation within targeted networks and evade user registration controls, granting them unauthorized access to sites.

Microsoft reports that the vulnerability, CVE-2025-24989, only impacts certain Power Pages users. The company urges users to examine their websites for possible compromise. The U.S. CISA has added the Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog
  • socradar.io: Microsoft Patches Power Pages Zero-Day (CVE-2025-24989) & Recent PAN-OS Flaw (CVE-2025-0111) Joins CISA KEV
  • www.scworld.com: Actively exploited Microsoft Power Pages flaw patched
  • Report Boom: Microsoft has addressed a high-severity issue in Power Pages, CVE-2025-24989...

Benchmarks

Blogs

Research Tools