The internet never stays quiet. Each week, new hacks, scams, and security issues show up somewhere.
This week's stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.
Read on to catch up before the next wave hits.
-
Unauthenticated RCE risk
A high-severity security flaw has been disclosed in Redis (CVE-2025-62507, CVSS score: 8.8) that could potentially lead to remote code execution via a stack buffer overflow. It was fixed in version 8.3.2. JFrog's analysis of the flaw has revealed that the vulnerability is triggered when using the new Redis 8.2 XACKDEL command, which was introduced to simplify and optimize stream cleanup. Specifically, it resides in the implementation of xackdelCommand(), a function responsible for parsing and processing the list of stream IDs supplied by the user. "The core issue is that the code does not verify that the number of IDs provided by the client fits within the bounds of this stack-allocated array," the company said. "As a result, when more IDs are supplied than the array can hold, the function continues writing past the end of the buffer. This results in a classic stack-based buffer overflow." The vulnerability can be triggered remotely in the default Redis configuration simply by sending a single XACKDEL command containing a sufficiently large number of message IDs. "It's also important to note that by default, Redis does not enforce any authentication, making this an unauthenticated remote code execution," JFrog added. As of writing, there are 2,924 servers susceptible to the flaw.
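Until exposed instances are patched, a network sensor or proxy in front of an unauthenticated Redis can at least flag the request shape the text describes. The following is an added example, not code from JFrog or the Redis project: a minimal parser for the RESP wire format that clients send commands in, plus a rule that flags XACKDEL requests carrying more IDs than a policy threshold. The XACKDEL argument layout it assumes (`XACKDEL key group [KEEPREF|DELREF|ACKED] IDS numids id [id ...]`) and the threshold of 64 IDs are assumptions of this example, not values taken from the bulletin.

```python
"""Added example: flag oversized XACKDEL requests on the wire.
Assumed, not from the page: the XACKDEL argument layout and the threshold."""
from typing import List, Optional

MAX_IDS_PER_REQUEST = 64  # constructed policy threshold, tune to your workload


def parse_resp_array(data: bytes) -> Optional[List[bytes]]:
    """Parse one RESP array of bulk strings: *N\\r\\n then N x ($len\\r\\n<bytes>\\r\\n).
    Returns the argument list, or None when the bytes are not a well-formed
    array (malformed input is treated as 'not a command', never as an error)."""
    if not data.startswith(b"*"):
        return None
    head, sep, rest = data.partition(b"\r\n")
    if not sep:
        return None
    try:
        count = int(head[1:])
    except ValueError:
        return None
    args: List[bytes] = []
    for _ in range(count):
        if not rest.startswith(b"$"):
            return None
        length_line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            return None
        try:
            length = int(length_line[1:])
        except ValueError:
            return None
        if length < 0 or len(rest) < length + 2 or rest[length:length + 2] != b"\r\n":
            return None
        args.append(rest[:length])
        rest = rest[length + 2:]
    return args


def encode_resp_array(args: List[bytes]) -> bytes:
    """Encode arguments as a RESP array; used here only to build sample input."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        out += b"$%d\r\n%s\r\n" % (len(a), a)
    return out


def xackdel_id_count(args: List[bytes]) -> Optional[int]:
    """Number of IDs actually present in an XACKDEL command, or None if the
    arguments are not an XACKDEL with an IDS block. The count is taken from
    the arguments that follow IDS (after the declared numids), not from the
    client's declared numids: a client can lie about numids, the bytes cannot."""
    if not args or args[0].upper() != b"XACKDEL":
        return None
    upper = [a.upper() for a in args]
    if b"IDS" not in upper:
        return None
    ids_pos = upper.index(b"IDS")
    return max(len(args) - ids_pos - 2, 0)


def is_suspicious_xackdel(data: bytes, limit: int = MAX_IDS_PER_REQUEST) -> bool:
    """True when the raw request is an XACKDEL carrying more than `limit` IDs."""
    args = parse_resp_array(data)
    if args is None:
        return False
    n = xackdel_id_count(args)
    return n is not None and n > limit


if __name__ == "__main__":
    # constructed sample requests, never sent anywhere
    normal = encode_resp_array([b"XACKDEL", b"mystream", b"grp", b"IDS", b"2",
                                b"1-0", b"2-0"])
    oversized = encode_resp_array([b"XACKDEL", b"mystream", b"grp", b"IDS", b"200"]
                                  + [b"%d-0" % i for i in range(200)])
    print("normal flagged:", is_suspicious_xackdel(normal))        # False
    print("oversized flagged:", is_suspicious_xackdel(oversized))  # True
```

The parser returns None rather than raising on malformed input so that a sensor inlined in a hot path degrades to "no alert" instead of crashing; the real mitigation remains upgrading to 8.3.2 and enabling authentication, since the rule only narrows the exposure window.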
-
Signed malware evasion
BaoLoader, ClickFix campaigns, and Maverick emerged as the top three threats between September 1 and November 30, 2025, according to ReliaQuest. Unlike typical malware operators who steal certificates, BaoLoader's operators are known to register legitimate companies in Panama and Malaysia specifically to purchase valid code-signing certificates from major certificate authorities to sign their payloads. "With these certificates, their malware appears trustworthy to both users and security tools, allowing them to operate largely undetected while being dismissed as merely potentially unwanted programs (PUPs)," ReliaQuest said. The malware, once launched, abuses "node.exe" to run malicious JavaScript for reconnaissance, in-memory command execution, and backdoor access. It also routes command-and-control (C2) traffic through legitimate cloud services, disguising outbound traffic as normal business activity and undermining reputation-based blocking.
-
RMM abuse surge
Phishing emails disguised as holiday party invitations, overdue invoices, tax notices, Zoom meeting requests, or document signing notifications are being used to deliver Remote Monitoring and Management (RMM) tools like LogMeIn Resolve, Naverisk, and ScreenConnect in multi-stage attack campaigns. In some cases, ScreenConnect is used to deliver secondary tools, including other remote access programs, alongside HideMouse and WebBrowserPassView. While the exact reason for installing duplicate remote access tools is not clear, it is believed that the threat actors may be using trial licenses, forcing them to switch tools before the licenses expire. In another incident analyzed by CyberProof, attackers transitioned from targeting an employee's personal PayPal account to establishing a corporate foothold through a multi-layered RMM strategy involving LogMeIn Rescue and AnyDesk, tricking victims into installing the software over the phone by pretending to be support personnel. The email is designed to create urgency by masquerading as a PayPal alert.
-
CAV operator caught
Dutch authorities said they have arrested a 33-year-old at Schiphol for their alleged involvement in the operation of AVCheck, a counter-antivirus (CAV) service that was dismantled by a multinational law enforcement operation in May 2025. "The service provided by the suspect enabled cybercriminals to refine the concealment of malicious files every time," Dutch officials said. "It is very important for cybercriminals that as few antivirus programs as possible are able to detect the malicious activity, in order to maximize their chances of success in finding victims. In this way, the individual enabled criminals to use the malware they had developed to claim as many victims as possible."
-
Gemini powers Siri
Apple and Google have confirmed that the next version of Siri will use Gemini and its cloud technology in a multi-year collaboration between the two tech giants. "Apple and Google have entered into a multi-year collaboration under which the next generation of Apple Foundation Models will be based on Google's Gemini models and cloud technology," Google said. "These models will help power future Apple Intelligence features, including a more personalized Siri coming this year." Google emphasized that Apple Intelligence will continue to run on Apple devices and Private Cloud Compute, while maintaining Apple's industry-leading privacy standards. "This seems like an unreasonable concentration of power for Google, given that they also have Android and Chrome," Tesla and X CEO Elon Musk said.
-
China bans foreign tools
China has asked domestic companies to stop using cybersecurity software made by roughly a dozen companies from the U.S. and Israel due to national security concerns, Reuters reported, citing "two people briefed on the matter." This includes VMware, Palo Alto Networks, Fortinet, and Check Point. Authorities have reportedly expressed concerns that the software could collect and transmit confidential information abroad.
-
RCE via AI libraries
Security flaws have been disclosed in open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple (FlexTok), NVIDIA (NeMo), and Salesforce (Uni2TS) that allow for remote code execution (RCE) when a model file with malicious metadata is loaded. "The vulnerabilities stem from libraries using metadata to configure complex models and pipelines, where a shared third-party library instantiates classes using this metadata," Palo Alto Networks Unit 42 said. "Vulnerable versions of these libraries simply execute the provided data as code. This allows an attacker to embed arbitrary code in model metadata, which can automatically execute when vulnerable libraries load these modified models." The third-party library in question is Meta's Hydra, specifically a function named "hydra.utils.instantiate()" that makes it possible to run code using Python functions like os.system(), builtins.eval(), and builtins.exec(). The vulnerabilities, tracked as CVE-2025-23304 (NVIDIA) and CVE-2026-22584 (Salesforce), have since been addressed by the respective companies. Hydra has also updated its documentation to state that RCE is possible when using instantiate() and that it has implemented a default list of blocklisted modules to mitigate the risk. "To bypass it, set the env var HYDRA_INSTANTIATE_ALLOWLIST_OVERRIDE with a colon-separated list of modules to allowlist," it said.
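The mechanism at the heart of this class of bug is a loader that turns a dotted `_target_` string from model metadata into an import and a call, so whoever controls the metadata controls which callable runs. The following is an added example, not code from Hydra, Unit 42, or any of the affected projects: a small instantiate-style loader that refuses to resolve any target outside an explicit module allowlist, checked before any import happens, because importing an attacker-chosen module can itself execute code at load time. The `_target_` key and dotted-path convention follow Hydra's documented config format; the allowlist contents, the sample configs, and the `TargetNotAllowed` exception are constructed for this example.

```python
"""Added example: allowlisted instantiate() for model metadata.
Constructed here: the allowlist, the sample configs and TargetNotAllowed."""
import importlib
from typing import Any, Dict, Iterable, Tuple


class TargetNotAllowed(Exception):
    """Raised when a config names a callable outside the allowlisted modules."""


def split_target(target: Any) -> Tuple[str, str]:
    """'pkg.mod.Class' -> ('pkg.mod', 'Class'). Rejects bare or malformed names."""
    if not isinstance(target, str) or "." not in target:
        raise TargetNotAllowed(f"malformed _target_: {target!r}")
    module, _, attr = target.rpartition(".")
    if not module or not attr.isidentifier():
        raise TargetNotAllowed(f"malformed _target_: {target!r}")
    return module, attr


def target_allowed(target: str, allowlist: Iterable[str]) -> bool:
    """A target is allowed only if its module is an allowlisted module or a
    submodule of one. Matching is per dotted component, so allowlisting
    'mymodel' does not accidentally allow 'mymodels_evil'."""
    module, _ = split_target(target)
    return any(module == a or module.startswith(a + ".") for a in allowlist)


def safe_instantiate(cfg: Dict[str, Any], allowlist: Iterable[str]) -> Any:
    """Resolve and call cfg['_target_'] with the remaining keys as kwargs,
    only after the allowlist check passes. Nested dicts carrying their own
    `_target_` are instantiated recursively under the same policy."""
    allowlist = list(allowlist)
    target = cfg.get("_target_")
    if target is None:
        raise TargetNotAllowed("config has no _target_")
    if not target_allowed(target, allowlist):
        # Refuse before importing: the import itself can run code.
        raise TargetNotAllowed(f"{target} is not in the allowlist")
    module_name, attr = split_target(target)
    kwargs = {}
    for key, value in cfg.items():
        if key == "_target_":
            continue
        if isinstance(value, dict) and "_target_" in value:
            value = safe_instantiate(value, allowlist)
        kwargs[key] = value
    fn = getattr(importlib.import_module(module_name), attr)
    return fn(**kwargs)


# Constructed allowlist: the stdlib collections module stands in for a
# project's own model package.
MODEL_ALLOWLIST = ["collections"]

# Constructed model metadata: a benign config, and a hostile one of the shape
# the text describes (a target that points at os.system).
BENIGN_CFG = {"_target_": "collections.OrderedDict", "name": "demo", "layers": 3}
HOSTILE_CFG = {"_target_": "os.system", "command": "echo this-never-runs"}
NESTED_HOSTILE_CFG = {"_target_": "collections.OrderedDict", "inner": HOSTILE_CFG}


def load_model_config(cfg: Dict[str, Any]) -> Any:
    """Instantiated object, or the string 'rejected' when the allowlist blocks
    the target (or any nested target), so callers can log and drop the model."""
    try:
        return safe_instantiate(cfg, MODEL_ALLOWLIST)
    except TargetNotAllowed:
        return "rejected"


if __name__ == "__main__":
    print(load_model_config(BENIGN_CFG))          # OrderedDict(name='demo', layers=3)
    print(load_model_config(HOSTILE_CFG))         # rejected
    print(load_model_config(NESTED_HOSTILE_CFG))  # rejected
```

An allowlist is the right default here because the set of classes a given model package legitimately instantiates is small and known, whereas a blocklist of dangerous modules (the approach Hydra's new default takes) has to anticipate every route to code execution in the standard library and every installed package.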
-
AI voice evasion
A group of academics has devised a technique called VocalBridge that can be used to bypass existing security defenses and carry out voice cloning attacks. "Most existing purification methods are designed to counter adversarial noise in automatic speech recognition (ASR) systems rather than speaker verification or voice cloning pipelines," the team from the University of Texas at San Antonio said. "As a result, they fail to suppress the fine-grained acoustic cues that define speaker identity and are often ineffective against speaker verification attacks (SVA). To address these limitations, we propose Diffusion-Bridge (VocalBridge), a purification framework that learns a latent mapping from perturbed to clean speech in the EnCodec latent space. Using a time-conditioned 1D U-Net with a cosine noise schedule, the model enables efficient, transcript-free purification while preserving speaker-discriminative structure."
-
Telecoms under scrutiny
Russia's telecommunications watchdog Roskomnadzor has called out 33 telecom operators for failing to install traffic inspection and content filtering equipment. A total of 35 cases of violations were detected on the operators' networks. "Court hearings have already taken place in four cases, and fines have been issued to violators. Materials on six cases have been sent to the court. The remaining operators have been summoned to draw up protocols," Roskomnadzor said. In the aftermath of Russia's invasion of Ukraine in 2022, the agency has mandated that all telecom operators must install equipment that inspects user traffic and blocks access to "undesired" sites.
-
Turla evasion tactics
A new analysis of the Turla malware known as Kazuar has revealed the various techniques the backdoor employs to evade security solutions and increase analysis time. These include the use of the Component Object Model (COM), patchless Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) bypasses, and a control flow redirection trick that carries out the primary malicious routines only during the second run of a function named "Qtupnngh," which then launches three Kazuar .NET payloads (KERNEL, WORKER, and BRIDGE) through a multi-stage infection chain. "The core logic resides in the kernel, which acts as the primary orchestrator. It handles task processing, keylogging, configuration data handling, etc.," researcher Dominik Reichel said. "The worker manages operational surveillance by monitoring the infected host's environment and security posture, among its various other tasks. Finally, the bridge functions as the communications layer, facilitating data transfer and exfiltration from the local data directory through a series of compromised WordPress plugin paths."
-
PLC flaws uncovered
Cybersecurity researchers have disclosed details of several critical security vulnerabilities impacting the Delta Electronics DVP-12SE11T programmable logic controller (PLC) that pose severe risks ranging from unauthorized access to operational disruption in operational technology (OT) environments. The vulnerabilities are: CVE-2025-15102 (CVSS score: 9.8), a password protection bypass; CVE-2025-15103 (CVSS score: 9.8), an authentication bypass via partial password disclosure; CVE-2025-15358 (CVSS score: 7.5), a denial-of-service; and CVE-2025-15359 (CVSS score: 9.8), an out-of-bounds memory write. The issues were addressed via firmware updates in late December 2025. "Weaknesses in PLC authentication and memory handling can significantly increase operational risk in OT environments, particularly where legacy systems or limited network segmentation are present," said OPSWAT Unit 515, which discovered the flaws during a security assessment in August 2025.
-
Salesforce audit tool
Mandiant has released an open-source tool to help Salesforce admins audit misconfigurations that could expose sensitive data. Called AuraInspector, it has been described as a Swiss Army knife for Salesforce Experience Cloud testing. "It facilitates discovering misconfigured Salesforce Experience Cloud applications as well as automating much of the testing process," Google said. This includes discovery of accessible records from both Guest and Authenticated contexts, the ability to get the total number of records of objects using the undocumented GraphQL Aura method, checks for self-registration capabilities, and discovery of "Home URLs", which could allow unauthorized access to sensitive administrative functionality.
-
Wi-Fi DoS exploit
A high-severity flaw (CVSS score: 8.4) in Broadcom Wi-Fi chipset software can allow an unauthenticated attacker within radio range to take wireless networks completely offline by sending a single malicious frame, regardless of the configured network security level, forcing routers to be manually rebooted before connectivity can be restored. The flaw affects 5 GHz wireless networks and causes all connected clients, including those on guest networks, to be disconnected simultaneously. Ethernet connections and the 2.4 GHz network are not affected. "This vulnerability allows an attacker to make the access point unresponsive to all clients and terminate any ongoing client connections," Black Duck said. "If data transmission to subsequent systems is ongoing, the data could become corrupted or, at a minimum, the transmission will be interrupted." The attack bypasses WPA2 and WPA3 protections, and it can be repeated indefinitely to cause prolonged network disruptions. Broadcom has released a patch to address the reported problem. Additional details have been withheld due to the potential risk to the numerous systems that use the chipset.
-
Smart contract exploit
Unknown threat actors have stolen $26 million worth of Ether from the Truebit cryptocurrency platform by exploiting a vulnerability in the company's five-year-old smart contract. "The attacker exploited a mathematical vulnerability in the smart contract's pricing of the TRU token, which set its price very close to zero," Halborn said. "With access to a low-cost source of TRU tokens, the attacker was able to drain value from the contract by selling them back to the contract at full price. The attacker performed a series of high-value mint requests that netted them a large amount of TRU tokens at negligible cost."
-
Invoice lure campaign
A new wave of attacks has been found to leverage invoice-themed lures in phishing emails to deceive recipients into opening a PDF attachment that displays an error message, instructing them to download the file by clicking on a button. Some of the links redirect to a page disguised as Google Drive that mimics MP4 video files but, in reality, drops RMM tools such as Syncro, SuperOps, NinjaOne, and ScreenConnect for persistent remote access. "As they are not malware like backdoors or Remote Access Trojans (RATs), threat actors are increasingly leveraging them," AhnLab said. "This is because these tools were designed to evade detection by security products like firewalls and anti-malware solutions, which are limited to simply detecting and blocking known malware strains."
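Because a legitimately signed RMM agent does not trip signature-based controls, detection for both this campaign and the RMM abuse described earlier has to come from context: which tool it is, where it ran from, and what launched it. The following is an added example, not code from the AhnLab, CyberProof or ReliaQuest reports: a small triage rule that scans process-creation records for the RMM agents named in the two items (LogMeIn, Naverisk, ScreenConnect, AnyDesk, Syncro, SuperOps, NinjaOne) and scores each launch by the cues a phishing-delivered install leaves, a user-writable download path and a browser or PDF reader as parent. The pipe-separated log schema, the executable-name patterns, the scoring weights, the approved-tool list, and the sample events are all constructed for this example and do not reflect any real telemetry format.

```python
"""Added example: context-scored detection of RMM agent launches.
Everything below (schema, patterns, weights, samples) is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed patterns matched case-insensitively against image path + command line
RMM_SIGNATURES = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "LogMeIn": re.compile(r"logmein|lmi(resolve|rescue)", re.I),
    "Naverisk": re.compile(r"naverisk", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Syncro": re.compile(r"syncro", re.I),
    "SuperOps": re.compile(r"superops", re.I),
    "NinjaOne": re.compile(r"ninja(one|rmm)", re.I),
}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)
LURE_PARENTS = re.compile(r"(chrome|msedge|firefox|acrord32|outlook)\.exe$", re.I)
APPROVED_RMM = {"NinjaOne"}  # constructed: the one tool IT actually deploys


@dataclass
class Finding:
    host: str
    tool: str
    score: int
    reasons: List[str]


def parse_line(line: str) -> dict:
    """Constructed schema: 'host|user|parent_image|image|command_line'."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed log line: {line!r}")
    return dict(zip(("host", "user", "parent", "image", "cmdline"), fields))


def assess(event: dict) -> Optional[Finding]:
    """A Finding when the event launches a known RMM agent, scored by context."""
    haystack = event["image"] + " " + event["cmdline"]
    tool = next((n for n, rx in RMM_SIGNATURES.items() if rx.search(haystack)), None)
    if tool is None:
        return None
    score, reasons = 1, [f"{tool} launched"]
    if tool not in APPROVED_RMM:
        score += 2
        reasons.append("not an approved RMM")
    if USER_WRITABLE.search(event["image"]):
        score += 2
        reasons.append("ran from user-writable path")
    if LURE_PARENTS.search(event["parent"]):
        score += 3
        reasons.append("spawned by browser/PDF reader")
    return Finding(event["host"], tool, score, reasons)


def triage(lines: List[str], threshold: int = 5) -> List[Finding]:
    """Findings at or above the threshold, highest score first."""
    hits = [f for f in (assess(parse_line(ln)) for ln in lines) if f and f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample events (not real telemetry)
SAMPLE_LOG = [
    r"WS01|alice|C:\Program Files\Google\Chrome\chrome.exe|C:\Users\alice\Downloads\Invoice_4471.exe|C:\Users\alice\Downloads\Invoice_4471.exe",
    r"WS01|alice|C:\Users\alice\Downloads\Invoice_4471.exe|C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe|ScreenConnect.ClientSetup.exe /silent",
    r"WS02|bob|C:\Windows\System32\services.exe|C:\Program Files\NinjaRMMAgent\NinjaRMMAgent.exe|NinjaRMMAgent.exe",
    r"WS03|carol|C:\Program Files\Adobe\Acrobat\AcroRd32.exe|C:\Users\carol\Downloads\AnyDesk.exe|AnyDesk.exe --install",
    r"WS04|dave|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.host, f.tool, f.score, "; ".join(f.reasons))
```

The sanctioned NinjaOne agent started by the service control manager scores 1 and stays below the threshold, while the AnyDesk launch from a Downloads folder under a PDF reader scores highest; in practice the approved-tool set and the parent list are the two knobs to tune against an organization's own baseline.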
-
Taiwan hospitals hit
A ransomware strain dubbed CrazyHunter has compromised at least six organizations in Taiwan, most of them hospitals. A Go-based ransomware and a fork of the Prince ransomware, it employs advanced encryption and delivery techniques aimed at Windows-based machines, per Trellix. It also maintains a data leak site to publicize victim information. "The initial compromise usually involves exploiting weaknesses in an organization's Active Directory (AD) infrastructure, often by leveraging weak passwords on domain accounts," the company said. The threat actors have been found to use SharpGPOAbuse to distribute the ransomware payload through Group Policy Objects (GPOs) and propagate it across the network. A modified Zemana anti-malware driver is used to elevate their privileges and kill security processes as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. CrazyHunter is assessed to have been active since at least early 2025, with Taiwanese authorities describing it as a Chinese hacker group comprising two individuals, Luo and Xu, who sold the stolen data to trafficking groups in both China and Taiwan. Two Taiwanese suspects alleged to be involved in the data trafficking were arrested and subsequently released on bail last August.
That's the wrap for this week. These stories show how fast things can change and how small risks can grow big if ignored.
Keep your systems updated, watch for the quiet stuff, and don't trust what looks normal too quickly.
Next Thursday, ThreatsDay will be back with more short takes on the week's biggest moves in hacking and security.