Links
Google warns that various threat actors, including those linked to Russia and China, are exploiting a critical flaw in WinRAR to gain access and deploy malware. This vulnerability, CVE-2025-8088, allows attackers to execute malicious code by manipulating archive files, leading to widespread attacks on multiple targets.
Researchers revealed a nine-month campaign exploiting the React2Shell vulnerability to build the RondoDox botnet. The botnet scans for vulnerable devices and installs various malware, including cryptocurrency miners and a Mirai variant. Organizations are urged to update software and implement security measures to defend against these attacks.
This article details a vulnerability in Triofox that allowed unauthenticated remote access, enabling attackers to bypass authentication and execute arbitrary code. Mandiant discovered that this flaw was exploited by a threat group, allowing them to create admin accounts and run malicious scripts. The issue has been patched in newer versions of the software.
Hackers exploited a zero-day vulnerability in Triofox, a file-sharing platform, to bypass authentication and deploy malicious payloads. They manipulated HTTP host headers to gain access and configured the system's anti-virus feature to run their own scripts, allowing further exploitation.
Chinese hackers known as Bronze Butler exploited a critical vulnerability in Motex Lanscope Endpoint Manager to deploy their Gokcpdoor malware. This flaw, CVE-2025-61932, allowed them to execute arbitrary code on affected systems, leading to data theft. Organizations are urged to patch the vulnerability as no workarounds exist.
This article outlines five key security features expected to dominate in 2026, including supply chain malware detection and AI-based vulnerability management. It also highlights three important capabilities that should be prioritized, such as advanced application detection and real-time AI threat modeling.
The RondoDox botnet is exploiting a critical RCE vulnerability in XWiki, tracked as CVE-2025-24893. CISA has flagged this flaw as actively exploited, with RondoDox using it to execute malicious payloads on affected servers. Immediate patching is recommended for vulnerable versions.
A vulnerability has been discovered in Canon printer drivers that allows hackers to execute malicious code on affected systems. Users are advised to update their drivers to mitigate potential security risks associated with this flaw. The issue highlights the importance of maintaining up-to-date software for safeguarding devices against cyber threats.
A newly discovered WinRAR vulnerability, tracked as CVE-2025-8088, has been exploited in phishing attacks to deploy RomCom malware. The flaw allows attackers to create malicious archives that can extract executables into paths that enable remote code execution when a user logs in. Users are urged to update to WinRAR 7.13 to mitigate this risk.
CISA has released an analysis detailing malware used in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), specifically an authentication bypass and a code injection issue. The vulnerabilities, already being exploited by a China-nexus espionage group, allow for arbitrary code execution and data exfiltration. CISA recommends immediate patching of affected systems and treating mobile device management solutions as high-value assets.
Samsung has addressed a critical remote code execution vulnerability (CVE-2025-21043) affecting Android devices running version 13 or later, which was exploited in zero-day attacks. Discovered in a closed-source image parsing library, the flaw allows attackers to execute malicious code remotely. Meta and WhatsApp reported the vulnerability, highlighting the importance of keeping devices updated to mitigate such risks.
A significant vulnerability in ESET software has been discovered, which could be exploited by attackers to deploy malware, specifically linked to the ToddyCat APT group. This flaw poses a heightened risk to users of ESET’s security products, emphasizing the need for immediate updates to mitigate potential threats.
A critical security vulnerability (CVE-2025-22457) in Ivanti Connect Secure VPN appliances is being actively exploited by a suspected China-nexus threat actor, UNC5221, leading to remote code execution and the deployment of various malware families. Organizations are urged to upgrade their systems immediately to mitigate potential risks associated with this vulnerability.
Researchers have identified two Secure Boot exploits, with Microsoft addressing only one in its latest security update. The patched vulnerability, affecting over 50 device manufacturers, allows attackers with physical access to disable Secure Boot and potentially install malware before the operating system loads. The exploit's root cause lies in a critical vulnerability in firmware flashing tools used by DT Research, which were improperly authenticated for wider device compatibility.