{"id":7093,"date":"2025-09-21T10:03:37","date_gmt":"2025-09-21T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/09\/21\/top-zero-day-vulnerabilities-exploited-in-the-wild-in-2025\/"},"modified":"2025-09-21T10:03:37","modified_gmt":"2025-09-21T10:03:37","slug":"top-zero-day-vulnerabilities-exploited-in-the-wild-in-2025","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/09\/21\/top-zero-day-vulnerabilities-exploited-in-the-wild-in-2025\/","title":{"rendered":"Top Zero-Day Vulnerabilities Exploited in the Wild in 2025"},"content":{"rendered":"<div>\n<p>The cybersecurity landscape in 2025 has been marked by an unprecedented surge in zero-day vulnerabilities actively exploited by threat actors. <\/p>\n<p>According to recent data, more than 23,600 vulnerabilities were published in the first half of 2025 alone, representing a 16% increase over 2024. <\/p>\n<p>This alarming trend has seen sophisticated threat actors, including nation-state groups and ransomware operators, weaponizing unknown vulnerabilities faster than ever before. 
<\/p>\n<p>Nearly 30% of Known Exploited Vulnerabilities (KEVs) were weaponized within 24 hours of disclosure, with some high-profile edge devices experiencing zero-day exploitation before patches were even available.<a href=\"https:\/\/www.morphisec.com\/blog\/the-top-exploited-vulnerabilities-leading-to-ransomware-in-2025-and-how-to-stay-ahead\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgVFNgNmo6tKELXB518iPuW_4IXFvi0wKmfiVsbcT-q6EwCHN_CXrhEJpSWBvAlssOa2fblJi8ufbruk9X_8-H1azJ9OcY7x_5jBAMuVqSb1M4ZNUwb1XWQyb5vLEyIF12q-zllgPYj-ueDehF8WnNdZQxhZkBLibaxAMKAdJkUu9u_UXk6EgMWr2tK7Fa6\/s2400\/dec59c2b_imresizer.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Zero-Day Vulnerabilities Exploited by Vendor\/Platform in 2025<\/figcaption><\/figure>\n<\/div>\n<p>The scope and sophistication of these attacks have evolved dramatically, targeting everything from widely-used web browsers to critical enterprise infrastructure. 
<\/p>\n<p>This analysis examines the most significant zero-day vulnerabilities that have been actively exploited throughout 2025, providing cybersecurity professionals with technical details, impact assessments, and mitigation steps.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>CVE<\/th>\n<th>Product<\/th>\n<th>Type<\/th>\n<th>Impact<\/th>\n<th>Attack Vector<\/th>\n<th>Patch Date<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/google-chrome-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-10585<\/a><\/td>\n<td>Google Chrome<\/td>\n<td>Type Confusion (V8)<\/td>\n<td>Arbitrary Code Execution (renderer)<\/td>\n<td>Malicious JavaScript<\/td>\n<td>2025-09-17<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/google-chrome-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-6558<\/a><\/td>\n<td>Google Chrome<\/td>\n<td>Insufficient Input Validation (ANGLE\/GPU)<\/td>\n<td>Sandbox Escape<\/td>\n<td>Crafted HTML Page<\/td>\n<td>2025-07-15<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/citrix-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-7775<\/a><\/td>\n<td>Citrix NetScaler<\/td>\n<td>Memory Overflow<\/td>\n<td>Remote Code Execution, Denial of Service<\/td>\n<td>Network, Unauthenticated<\/td>\n<td>2025-08-26<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/toolshell-exploit-chain-sharepoint-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53770<\/a><\/td>\n<td>Microsoft SharePoint (on-premises)<\/td>\n<td>Unsafe Deserialization<\/td>\n<td>Remote Code Execution<\/td>\n<td>HTTP Requests<\/td>\n<td>2025-07-20\/21<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/toolshell-exploit-chain-sharepoint-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53771<\/a><\/td>\n<td>Microsoft SharePoint (on-premises)<\/td>\n<td>Header 
Spoofing<\/td>\n<td>Authentication Bypass<\/td>\n<td>HTTP Headers (Referer)<\/td>\n<td>2025-07-20\/21<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/sap-may-2025-patch-tuesday\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-31324<\/a><\/td>\n<td>SAP NetWeaver<\/td>\n<td>Missing Authorization Check, Arbitrary File Upload<\/td>\n<td>Full System Compromise<\/td>\n<td>HTTP Requests<\/td>\n<td>2025-04-24<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/android-security-update\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-38352<\/a><\/td>\n<td>Android<\/td>\n<td>Race Condition (Linux kernel)<\/td>\n<td>Local Privilege Escalation<\/td>\n<td>Local Access<\/td>\n<td>2025-09-02<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/android-security-update\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-48543<\/a><\/td>\n<td>Android<\/td>\n<td>Use-After-Free (ART)<\/td>\n<td>Local Privilege Escalation<\/td>\n<td>Local Access<\/td>\n<td>2025-09-02<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/samsung-zero-day-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-21043<\/a><\/td>\n<td>Samsung Android<\/td>\n<td>Out-of-Bounds Write<\/td>\n<td>Remote Code Execution<\/td>\n<td>Malicious Image Processing<\/td>\n<td>2025-09-11<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/apple-fixes-0-day-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-43300<\/a><\/td>\n<td>Apple iOS\/iPadOS\/macOS<\/td>\n<td>Out-of-Bounds Write<\/td>\n<td>Arbitrary Code Execution<\/td>\n<td>Malicious Image Files<\/td>\n<td>2025-08-20<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-august\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53779<\/a><\/td>\n<td>Microsoft Windows<\/td>\n<td>Kerberos Elevation of Privilege (dMSA)<\/td>\n<td>Active Directory Compromise<\/td>\n<td>Kerberos Protocol<\/td>\n<td>2025-08-12<\/td>\n<\/tr>\n<tr>\n<td><a 
href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-april-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-29824<\/a><\/td>\n<td>Microsoft Windows<\/td>\n<td>CLFS Elevation of Privilege<\/td>\n<td>Ransomware Deployment<\/td>\n<td>Post-Compromise<\/td>\n<td>2025-04-08<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-june-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-33053<\/a><\/td>\n<td>Microsoft Windows<\/td>\n<td>WebDAV External Control of File Path<\/td>\n<td>Remote Code Execution<\/td>\n<td>User-Opened Link to WebDAV Server<\/td>\n<td>2025-06-10<\/td>\n<\/tr>\n<tr>\n<td><a href=\"https:\/\/cybersecuritynews.com\/sitecore-zero-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53690<\/a><\/td>\n<td>Sitecore<\/td>\n<td>ViewState Deserialization (static machineKey)<\/td>\n<td>Remote Code Execution<\/td>\n<td>HTTP Requests<\/td>\n<td>2025-09-02<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"google-chrome-the-browser-under-siege\"><strong>Google Chrome: The Browser Under Siege<\/strong><\/h2>\n<h3 class=\"wp-block-heading\"><strong>CVE-2025-10585: The Latest Chrome Zero-Day<\/strong><\/h3>\n<p>The most recent addition to Chrome\u2019s vulnerability roster, <a href=\"https:\/\/cybersecuritynews.com\/google-chrome-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-10585<\/a>, was reported by Google\u2019s Threat Analysis Group on September 16, 2025, and patched the next day.<\/p>\n<p>This <a href=\"https:\/\/cybersecuritynews.com\/chrome-security-update-type-confusion\/\" target=\"_blank\" rel=\"noreferrer noopener\">type confusion<\/a> vulnerability in Chrome\u2019s V8 JavaScript and WebAssembly engine is the sixth Chrome zero-day exploited in 2025.<\/p>\n<p>Google confirmed that an exploit exists in the wild but has not attributed the activity. TAG-reported Chrome zero-days have typically been used in narrow, targeted campaigns by state-backed actors or commercial surveillance vendors, so that is the likely profile here rather than mass exploitation.<a 
href=\"https:\/\/securityaffairs.com\/182322\/uncategorized\/cve-2025-10585-is-the-sixth-actively-exploited-chrome-zero-day-patched-by-google-in-2025.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Technical Details:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Vulnerability Type:<\/strong> Type confusion in the V8 engine<\/li>\n<li>\n<strong>Attack Vector:<\/strong> Malicious or compromised websites serving crafted JavaScript; no user interaction beyond visiting the page<\/li>\n<li>\n<strong>Impact:<\/strong> Arbitrary code execution inside the sandboxed renderer process; compromising the browser or the host additionally requires a separate sandbox-escape bug, which is why V8 bugs are normally chained with one<\/li>\n<li>\n<strong>Affected Versions:<\/strong> Chrome prior to 140.0.7339.185\/.186; other Chromium-based browsers (Edge, Brave, Opera, Vivaldi) share the V8 bug and need their own vendor updates<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>CVE-2025-6558: ANGLE GPU Exploitation<\/strong><\/h2>\n<p>In July 2025, <a href=\"https:\/\/cybersecuritynews.com\/google-chrome-0-day-vulnerability-exploited\/\">CVE-2025-6558<\/a> emerged as another Chrome zero-day: insufficient validation of untrusted input in ANGLE (Almost Native Graphics Layer Engine) and the GPU component.<\/p>\n<p>A crafted HTML page could drive the GPU process into out-of-bounds memory access and potentially escape Chrome\u2019s sandbox, running attacker code outside the sandbox with the browser user\u2019s privileges.<a href=\"https:\/\/www.secpod.com\/blog\/google-chrome-zero-day-vulnerability-actively-exploited-in-the-wild\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Technical Impact:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> Not assigned by Google (Google does not publish CVSS scores for Chrome bugs)<\/li>\n<li>\n<strong>Exploitation Method:<\/strong> Malicious HTML pages with crafted graphics calls<\/li>\n<li>\n<strong>Consequence:<\/strong> Sandbox escape to the host at the privilege level of the browser user; system-level access would require a further privilege-escalation bug<\/li>\n<li>\n<strong>Fixed Version:<\/strong> Chrome 138.0.7204.157\/.158<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>Chrome\u2019s 2025 Zero-Day Portfolio<\/strong><\/h2>\n<p>Throughout 2025, Chrome has been targeted by multiple zero-day exploits, including CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, 
CVE-2025-6554, <a href=\"https:\/\/cybersecuritynews.com\/google-chrome-0-day-vulnerability-exploited\/\">CVE-2025-6558<\/a>, and CVE-2025-10585.<\/p>\n<p>This sustained assault on Chrome underscores the browser\u2019s critical role as an attack vector and the sophistication of modern threat actors targeting web-based technologies.<a href=\"https:\/\/thehackernews.com\/2025\/09\/google-patches-chrome-zero-day-cve-2025.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"citrix-netscaler-critical-infrastructure-under-att\"><strong>Citrix NetScaler: Critical Infrastructure Under Attack<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" id=\"h-cve-2025-7775-the-netscaler-rce-zero-day\"><strong><a href=\"https:\/\/cybersecuritynews.com\/citrix-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-7775<\/a>: The NetScaler RCE Zero-Day<\/strong><\/h3>\n<p>On August 26, 2025, Citrix disclosed CVE-2025-7775, a critical memory overflow vulnerability in NetScaler ADC and NetScaler Gateway that had been actively exploited as a z  ero-day. 
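<\/p>\n<p>As an added example that is not part of the original article, the following Python script checks an inventory of Chrome and NetScaler builds against the fixed builds named in this article (Chrome 138.0.7204.157 for CVE-2025-6558 and 140.0.7339.185 for CVE-2025-10585; NetScaler 14.1-47.48, 13.1-59.22, 13.1-FIPS\/NDcPP 13.1-37.241 and 12.1-FIPS\/NDcPP 12.1-55.330 for CVE-2025-7775). The inventory rows and host names are constructed sample data. NetScaler builds are compared within their support train because the FIPS and NDcPP trains carry their own build numbers, and a train with no fixed build (the non-FIPS 12.1 and 13.0 releases are end of life) is reported as needing a release upgrade rather than a build upgrade.<\/p>

```python
# Added example, not code from the original article: compare installed
# Chrome and NetScaler builds with the first fixed builds named above.
# Inventory rows below are constructed sample data.

# First fixed Chrome stable build per CVE (Chrome has a single stable train,
# so any build at or above the fixed build carries the fix).
CHROME_FIXED = {
    'CVE-2025-6558': '138.0.7204.157',
    'CVE-2025-10585': '140.0.7339.185',
}

# First fixed NetScaler build per support train. FIPS and NDcPP trains have
# their own build numbering, so the train label selects the right floor.
# Non-FIPS 12.1 and 13.0 are end of life and have no fixed build.
NETSCALER_FIXED = {
    '14.1': '14.1-47.48',
    '13.1': '13.1-59.22',
    '13.1-FIPS': '13.1-37.241',
    '13.1-NDcPP': '13.1-37.241',
    '12.1-FIPS': '12.1-55.330',
    '12.1-NDcPP': '12.1-55.330',
}


def parse_chrome(version):
    # '140.0.7339.185' -> (140, 0, 7339, 185), comparable as a tuple
    return tuple(int(part) for part in version.split('.'))


def parse_netscaler(version):
    # Accepts '14.1-47.46' as well as the 'NS14.1 47.46.nc' form the
    # appliance prints; returns (14, 1, 47, 46).
    cleaned = version.replace('NS', '').replace(' ', '-').replace('.nc', '').strip()
    release, build = cleaned.split('-', 1)
    return tuple(int(part) for part in release.split('.') + build.split('.'))


def chrome_exposure(installed):
    # CVEs from the article whose fix the installed build does not contain.
    have = parse_chrome(installed)
    return sorted(cve for cve, fixed in CHROME_FIXED.items()
                  if have < parse_chrome(fixed))


def netscaler_status(train, installed):
    # train is the support train the appliance runs, e.g. '14.1' or '13.1-FIPS'.
    fixed = NETSCALER_FIXED.get(train)
    if fixed is None:
        return 'no fix available: end-of-life train, upgrade to a supported release'
    if parse_netscaler(installed) < parse_netscaler(fixed):
        return 'vulnerable: upgrade to ' + fixed + ' or later'
    return 'patched'


# Constructed sample inventory: (host, product, train, version).
# Chrome rows carry no train.
SAMPLE_INVENTORY = [
    ('workstation-01', 'chrome', None, '139.0.7258.138'),
    ('workstation-02', 'chrome', None, '140.0.7339.185'),
    ('ns-gw-01', 'netscaler', '14.1', 'NS14.1 47.46.nc'),
    ('ns-gw-02', 'netscaler', '13.1', '13.1-59.22'),
    ('ns-fips-01', 'netscaler', '13.1-FIPS', '13.1-37.235'),
    ('ns-old-01', 'netscaler', '13.0', '13.0-92.21'),
]


def report(inventory):
    # Map each host to a one-line status.
    findings = {}
    for host, product, train, version in inventory:
        if product == 'chrome':
            missing = chrome_exposure(version)
            findings[host] = 'patched' if not missing else 'vulnerable: ' + ', '.join(missing)
        elif product == 'netscaler':
            findings[host] = netscaler_status(train, version)
        else:
            findings[host] = 'unknown product ' + product
    return findings


if __name__ == '__main__':
    for host, status in report(SAMPLE_INVENTORY).items():
        print(host, status)
```

<p>Chrome has only one stable train, so a plain tuple comparison of the four-part build is enough; a 139.x build is newer than the CVE-2025-6558 fix but still lacks the CVE-2025-10585 fix, and the script reports exactly that. Other Chromium-based browsers ship their own build numbers, so the Chrome table does not transfer to them.<\/p>\n<p>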
<\/p>\n<p>With a CVSS v4.0 score of 9.2, this vulnerability represents one of the most severe threats to enterprise network infrastructure in 2025.<a href=\"https:\/\/www.rapid7.com\/blog\/post\/etr-cve-2025-7775-critical-netscaler-vulnerability-exploited-in-the-wild\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Vulnerability Analysis:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 9.2 (Critical)<\/li>\n<li>\n<strong>Attack Complexity:<\/strong> Low (reachable over the network with no authentication or user interaction)<\/li>\n<li>\n<strong>Authentication Required:<\/strong> None (unauthenticated exploitation)<\/li>\n<li>\n<strong>Impact:<\/strong> Remote Code Execution and Denial of Service<\/li>\n<\/ul>\n<p>The vulnerability affects NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. Citrix\u2019s advisory also lists load-balancing virtual servers of type HTTP, SSL or HTTP_QUIC bound to IPv6 services or service groups, and CR virtual servers of type HDX, so an appliance that is not used as a gateway can still be exposed. Affected releases are 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS and 13.1-NDcPP before 13.1-37.241, and 12.1-FIPS and 12.1-NDcPP before 12.1-55.330; the non-FIPS 12.1 and 13.0 releases are end of life and receive no fix. <\/p>\n<p>According to Shadowserver data, over 28,200 instances remained exposed and vulnerable following the disclosure. <\/p>\n<p>The exploitation has been linked to sophisticated threat actors capable of deploying web shells for persistent access.<a href=\"https:\/\/socprime.com\/blog\/cve-2025-7775-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Mitigation Requirements:<\/strong><\/p>\n<p>Citrix has published no workaround, so organizations must upgrade to fixed versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS\/NDcPP 13.1-37.241+, and 12.1-FIPS\/NDcPP 12.1-55.330+. Because the flaw was exploited before a fix existed, upgrading does not remove an implant that is already in place: appliances that were exposed while vulnerable should be checked for unexpected files under the web directories and for unfamiliar sessions or configuration changes, and active sessions should be terminated after the upgrade.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-sharepoint-the-toolshell-campaign\"><strong>Microsoft SharePoint: The ToolShell Campaign<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" id=\"h-cve-2025-53770-and-cve-2025-53771-chained-exploitation\"><strong>CVE-2025-53770 And CVE-2025-53771: Chained Exploitation<\/strong><\/h3>\n<p>In July 2025, Microsoft issued emergency out-of-band patches for two interconnected zero-day vulnerabilities affecting on-premises SharePoint servers. 
<\/p>\n<p>These vulnerabilities, exploited in a campaign dubbed \u201cToolShell,\u201d demonstrate the evolution of multi-stage attack chains.<a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2025\/07\/21\/toolshell-zero-day-microsoft-rushes-emergency-patch-for-actively-exploited-sharepoint-vulnerabilities\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong><a href=\"https:\/\/cybersecuritynews.com\/toolshell-exploit-chain-sharepoint-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53770<\/a> Technical Profile:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 9.8 (Critical)<\/li>\n<li>\n<strong>Vulnerability Type:<\/strong> Unsafe deserialization of untrusted data<\/li>\n<li>\n<strong>Impact:<\/strong> Remote Code Execution<\/li>\n<li>\n<strong>Authentication:<\/strong> Bypassed through CVE-2025-53771<\/li>\n<\/ul>\n<p><strong><a href=\"https:\/\/cybersecuritynews.com\/toolshell-exploit-chain-sharepoint-servers\/\">CVE-2025-53771<\/a> Technical Profile:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 6.3 (Medium)<\/li>\n<li>\n<strong>Vulnerability Type:<\/strong> Header spoofing vulnerability<\/li>\n<li>\n<strong>Impact:<\/strong> Authentication bypass<\/li>\n<li>\n<strong>Exploitation Method:<\/strong> Crafted Referer header<\/li>\n<\/ul>\n<p>The attack chain operates by first exploiting CVE-2025-53771 to bypass authentication through header spoofing, then leveraging CVE-2025-53770 for code execution through malicious deserialization. 
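<\/p>\n<p>The following Python script is an added example, not code from the original article or from Microsoft: it scans IIS W3C extended log lines for the publicly reported ToolShell request pattern, namely a POST to \/_layouts\/15\/ToolPane.aspx (or \/_layouts\/16\/) with DisplayMode=Edit in the query string and a Referer pointing at \/_layouts\/SignOut.aspx, followed by requests to the spinstall0.aspx web shell under _layouts. The log lines embedded in the script are constructed; the host names and addresses are placeholders.<\/p>

```python
# Added example, not code from the original article: flag the publicly
# reported ToolShell request pattern in IIS W3C extended logs. The log
# lines are constructed for this example; the indicators (a POST to
# ToolPane.aspx with DisplayMode=Edit whose Referer is the SignOut page,
# and any request to a spinstall*.aspx file under _layouts) are the ones
# published by Microsoft and incident responders for CVE-2025-53770/53771.

SAMPLE_IIS_LOG = '''#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:14:07 10.0.0.5 GET /SitePages/Home.aspx - 443 jdoe 10.0.8.21 Mozilla/5.0 - 200
2025-07-19 03:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-19 03:15:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200
2025-07-19 03:16:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 admin 10.0.8.30 Mozilla/5.0 https://sp.example.internal/SitePages/Home.aspx 200
'''

TOOLPANE_STEMS = ('/_layouts/15/toolpane.aspx', '/_layouts/16/toolpane.aspx')
SIGNOUT_SUFFIX = '/_layouts/signout.aspx'
WEBSHELL_PREFIX = 'spinstall'


def parse_w3c(text):
    # Yield one dict per request. Column names come from the #Fields header,
    # so the function works whatever field set the server logs; other
    # directive lines (#Software, #Version, #Date) are skipped.
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            if line.startswith('#Fields:'):
                fields = line[len('#Fields:'):].split()
            continue
        if fields is None:
            raise ValueError('data line before any #Fields header')
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, values))


def classify(req):
    # Label one request, or return None when it does not match the pattern.
    method = req.get('cs-method', '')
    stem = req.get('cs-uri-stem', '').lower()
    query = req.get('cs-uri-query', '-').lower()
    referer = req.get('cs(Referer)', '-').lower()
    # Stage 1: the spoofed Referer satisfies the broken check behind
    # CVE-2025-53771; the POST body to ToolPane carries the serialized
    # payload for CVE-2025-53770.
    if (method == 'POST' and stem in TOOLPANE_STEMS
            and 'displaymode=edit' in query and referer.endswith(SIGNOUT_SUFFIX)):
        return 'toolshell-stage1: ToolPane POST with SignOut referer'
    # Stage 2: the dropped web shell that dumps the machine keys.
    filename = stem.rsplit('/', 1)[-1]
    if stem.startswith('/_layouts/') and filename.startswith(WEBSHELL_PREFIX) and filename.endswith('.aspx'):
        return 'toolshell-stage2: request to ' + filename
    return None


def scan(text):
    # Return (timestamp, client address, label) for each flagged request.
    hits = []
    for req in parse_w3c(text):
        label = classify(req)
        if label is not None:
            hits.append((req['date'] + ' ' + req['time'], req.get('c-ip', '-'), label))
    return hits


if __name__ == '__main__':
    for when, client, label in scan(SAMPLE_IIS_LOG):
        print(when, client, label)
```

<p>Run it against a real u_ex*.log export by passing the file contents to scan(). The fourth sample line, a normal authenticated editor opening ToolPane with an ordinary Referer, is deliberately not flagged. A stage-1 hit from an external address is an exploitation attempt regardless of the response code; a stage-2 hit with a 200 response means the web shell was present and the ASP.NET machine keys should be treated as stolen.<\/p>\n<p>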
<\/p>\n<p>The chain also lets attackers read the server\u2019s ASP.NET machine keys (ValidationKey and DecryptionKey). With those keys an attacker can sign their own __VIEWSTATE payloads and regain code execution on a fully patched server, so patching alone does not end the incident: Microsoft advises rotating the machine keys (through Central Administration or the Update-SPMachineKey cmdlet) and restarting IIS on every server in the farm, then hunting for web shells and other persistence.<a href=\"https:\/\/www.wiz.io\/blog\/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Attribution and Impact:<\/strong><\/p>\n<p>Microsoft attributed the earliest exploitation to the China-based actors Linen Typhoon and Violet Typhoon and to Storm-2603, which went on to deploy Warlock ransomware; Unit 42 research identified overlapping activity with the Storm-2603 cluster, with exploitation attempts observed as early as July 17, 2025. <\/p>\n<p>The campaign has evolved rapidly, with threat actors adjusting tactics to evade detection and shifting from .NET modules to web shell payloads.<\/p>\n<h2 class=\"wp-block-heading\" id=\"sap-netweaver-enterprise-erp-under-fire\"><strong>SAP NetWeaver: Enterprise ERP Under Fire<\/strong><\/h2>\n<h3 class=\"wp-block-heading\"><strong>CVE-2025-31324: The Perfect CVSS 10.0 Vulnerability<\/strong><\/h3>\n<p><a href=\"https:\/\/cybersecuritynews.com\/sap-may-2025-patch-tuesday\/\">CVE-2025-31324<\/a> achieved the rare distinction of a perfect CVSS score of 10.0, representing maximum severity across all metrics.<\/p>\n<p>This vulnerability in SAP NetWeaver Visual Composer is a missing authorization check that allows unauthenticated attackers to upload arbitrary files, including JSP web shells, to the application server, leading to immediate system compromise.<a href=\"https:\/\/onapsis.com\/blog\/active-exploitation-of-sap-vulnerability-cve-2025-31324\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Critical Vulnerability Details:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 10.0 (Critical)<\/li>\n<li>\n<strong>Component:<\/strong> SAP NetWeaver Visual Composer (Metadata Uploader)<\/li>\n<li>\n<strong>Attack Vector:<\/strong> HTTP\/HTTPS over the Internet<\/li>\n<li>\n<strong>Authentication:<\/strong> None required<\/li>\n<li>\n<strong>Exploitation:<\/strong> \/developmentserver\/metadatauploader endpoint<\/li>\n<li>\n<strong>Fix:<\/strong> SAP Security Note 3594142, released out of band on April 24, 2025<\/li>\n<\/ul>\n<p>The vulnerability was first exploited as a zero-day 
nearly three weeks before public disclosure, with evidence linking exploitation to both sophisticated APT groups and the Qilin ransomware operation. <\/p>\n<p>OP Innovate\u2019s incident response revealed communication with known Cobalt Strike infrastructure, suggesting the vulnerability\u2019s use in broader ransomware campaigns.<a href=\"https:\/\/op-c.net\/blog\/sap-cve-2025-31324-qilin-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Secondary Exploitation Wave:<\/strong><\/p>\n<p>Following public disclosure, <a href=\"https:\/\/cybersecuritynews.com\/sap-may-2025-patch-tuesday\/\">CVE-2025-31324<\/a> experienced secondary exploitation waves by opportunistic attackers who reused the JSP web shells the first wave had already dropped, so systems that were patched without being cleaned stayed compromised.<\/p>\n<p>This pattern demonstrates why remediation of an exploited zero-day has to include a hunt for implants, not just the vendor patch.<\/p>\n<h2 class=\"wp-block-heading\"><strong>CVE-2025-42999: The Root Cause Fix<\/strong><\/h2>\n<p>On May 13, 2025, SAP released Security Note 3604119 addressing CVE-2025-42999 (CVSS 9.1), which corrected the underlying root cause of CVE-2025-31324. <\/p>\n<p>The two flaws are distinct layers of the same Visual Composer code path: CVE-2025-31324 is a missing authorization check on the metadata uploader, and CVE-2025-42999, identified during Onapsis Research Labs\u2019 forensic analysis of the attacks, is an insecure deserialization that the uploaded content reached. The April emergency note (3594142) only restored the authorization check, so a privileged authenticated user could still trigger the deserialization until Note 3604119 was applied; both notes must be installed.<a href=\"https:\/\/onapsis.com\/blog\/active-exploitation-of-sap-vulnerability-cve-2025-31324\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"android-ecosystem-mobile-platform-targets\"><strong>Android Ecosystem: Mobile Platform Targets<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" id=\"h-cve-2025-38352-and-cve-2025-48543-targeted-mobile-exploitation\"><strong>CVE-2025-38352 And CVE-2025-48543: Targeted Mobile Exploitation<\/strong><\/h3>\n<p>Google\u2019s September 2025 Android Security Bulletin addressed two actively exploited zero-day vulnerabilities affecting the Android ecosystem. 
<\/p>\n<p>Both vulnerabilities enable local privilege escalation and have been confirmed under \u201climited, targeted exploitation,\u201d a phrasing Google typically uses for spyware campaigns against a small number of high-value individuals.<a href=\"https:\/\/cyberscoop.com\/android-security-update-september-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong><a href=\"https:\/\/cybersecuritynews.com\/android-security-update\/\">CVE-2025-38352<\/a> Analysis:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Component:<\/strong> Linux kernel POSIX CPU timers<\/li>\n<li>\n<strong>Vulnerability Type:<\/strong> Race condition<\/li>\n<li>\n<strong>CVSS Score:<\/strong> 7.4<\/li>\n<li>\n<strong>Impact:<\/strong> Local privilege escalation<\/li>\n<li>\n<strong>Affected Versions:<\/strong> Android 10 and later<\/li>\n<\/ul>\n<p><strong><a href=\"https:\/\/cybersecuritynews.com\/android-security-update\/\">CVE-2025-48543<\/a> Analysis:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Component:<\/strong> Android Runtime (ART)<\/li>\n<li>\n<strong>Vulnerability Type:<\/strong> Use-after-free<\/li>\n<li>\n<strong>Impact:<\/strong> Local privilege escalation; reported as usable to escape the Chrome sandbox on Android, although Google\u2019s bulletin describes it only as a local escalation of privilege<\/li>\n<li>\n<strong>Target:<\/strong> Android system_server compromise<\/li>\n<\/ul>\n<p>The targeting pattern and discovery by Google\u2019s Threat Analysis Group are consistent with mercenary spyware operations against specific high-risk users, although Google has not publicly attributed the activity.<a href=\"https:\/\/www.helpnetsecurity.com\/2025\/09\/04\/google-fixes-actively-exploited-android-vulnerabilities-cve-2025-48543-cve-2025-38352\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 class=\"wp-block-heading\"><strong>Samsung-Specific Android Vulnerability<\/strong><\/h2>\n<p><a href=\"https:\/\/cybersecuritynews.com\/samsung-zero-day-exploited\/\">CVE-2025-21043<\/a> represents a critical Android vulnerability specific to Samsung devices, discovered in the libimagecodec.quram.so library 
developed by Quramsoft.<\/p>\n<p>This out-of-bounds write vulnerability enables remote code execution through malicious image processing.<a href=\"https:\/\/thehackernews.com\/2025\/09\/samsung-fixes-critical-zero-day-cve.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Samsung Vulnerability Profile:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 8.8 (High)<\/li>\n<li>\n<strong>Component:<\/strong> libimagecodec.quram.so<\/li>\n<li>\n<strong>Discovery Date:<\/strong> August 13, 2025 (privately disclosed)<\/li>\n<li>\n<strong>Affected Versions:<\/strong> Android 13, 14, 15, 16<\/li>\n<li>\n<strong>Attribution:<\/strong> Reported by Meta and WhatsApp security teams<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"apple-ecosystem-the-persistent-target\"><strong>Apple Ecosystem: The Persistent Target<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" id=\"h-cve-2025-43300-imageio-framework-exploitation\"><strong><a href=\"https:\/\/cybersecuritynews.com\/apple-fixes-0-day-vulnerabilities\/\">CVE-2025-43300<\/a>: ImageIO Framework Exploitation<\/strong><\/h3>\n<p>Apple issued emergency security updates in August 2025 for CVE-2025-43300, the seventh zero-day vulnerability patched by Apple in 2025. 
<\/p>\n<p>This out-of-bounds write vulnerability in Apple\u2019s ImageIO framework has been confirmed as exploited in \u201cextremely sophisticated attacks against specific targeted individuals.\u201d<a href=\"https:\/\/thehackernews.com\/2025\/08\/apple-patches-cve-2025-43300-zero-day.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Apple Zero-Day Profile:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 8.8 (High)<\/li>\n<li>\n<strong>Component:<\/strong> ImageIO framework<\/li>\n<li>\n<strong>Attack Vector:<\/strong> Malicious image files<\/li>\n<li>\n<strong>Impact:<\/strong> Memory corruption, arbitrary code execution<\/li>\n<li>\n<strong>Scope:<\/strong> iOS, iPadOS, macOS across multiple versions<\/li>\n<\/ul>\n<p>The vulnerability demonstrates the evolution of attack techniques targeting Apple\u2019s ecosystem, with simple image viewing potentially compromising entire device security. <\/p>\n<p>Apple\u2019s acknowledgment of sophisticated targeted attacks suggests nation-state involvement in the exploitation campaigns.<a href=\"https:\/\/aardwolfsecurity.com\/apple-zero-day-vulnerability-affects-ios-ipados-macos\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Apple\u2019s 2025 Zero-Day Timeline:<\/strong><\/p>\n<p>Throughout 2025, Apple has patched seven zero-day vulnerabilities: CVE-2025-24085, CVE-2025-24200, CVE-2025-24201, CVE-2025-31200, CVE-2025-31201, CVE-2025-43200, and CVE-2025-43300. 
<\/p>\n<p>This escalation indicates increasing attacker focus on Apple platforms and sophisticated threat research capabilities.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-windows-enterprise-os-under-siege\"><strong>Microsoft Windows: Enterprise OS Under Siege<\/strong><\/h2>\n<h3 class=\"wp-block-heading\"><strong>The May 2025 Zero-Day Cluster<\/strong><\/h3>\n<p>Microsoft\u2019s May 2025 Patch Tuesday addressed five actively exploited zero-day vulnerabilities, representing one of the most significant monthly zero-day disclosures in recent memory. <\/p>\n<p>These vulnerabilities span multiple Windows components and enable various attack outcomes from privilege escalation to remote code execution.<a href=\"https:\/\/safecomputing.umich.edu\/security-alerts\/patching-microsoft-systems-5-zero-day-exploits\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Critical Windows Zero-Days:<\/strong><\/p>\n<ol class=\"wp-block-list\">\n<li>\n<strong>CVE-2025-30397<\/strong> \u2013 Scripting Engine Memory Corruption (CVSS 7.5)<\/li>\n<li>\n<strong>CVE-2025-30400<\/strong> \u2013 Desktop Window Manager Elevation of Privilege (CVSS 7.8)<\/li>\n<li>\n<strong>CVE-2025-32701<\/strong> \u2013 Common Log File System Driver EoP (CVSS 7.8)<\/li>\n<li>\n<strong>CVE-2025-32706<\/strong> \u2013 Windows CLFS Driver EoP (CVSS 7.8)<\/li>\n<li>\n<strong>CVE-2025-32709<\/strong> \u2013 Windows Ancillary Function Driver EoP (CVSS 7.8)<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\"><strong>CVE-2025-53779: Kerberos Authentication Bypass<\/strong><\/h2>\n<p>Microsoft\u2019s August 2025 Patch Tuesday included <a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-august\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53779<\/a>, a publicly disclosed zero-day affecting Windows Kerberos authentication.<\/p>\n<p>This privilege escalation vulnerability, discovered by Akamai researcher Yuval Gordon, stems from relative path traversal and enables Active 
Directory domain compromise.<a href=\"https:\/\/thehackernews.com\/2025\/08\/microsoft-august-2025-patch-tuesday.html\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Kerberos Vulnerability Details:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>CVSS Score:<\/strong> 7.2<\/li>\n<li>\n<strong>Component:<\/strong> Windows Kerberos<\/li>\n<li>\n<strong>Technique Name:<\/strong> BadSuccessor<\/li>\n<li>\n<strong>Impact:<\/strong> Active Directory domain compromise through dMSA object abuse<\/li>\n<li>\n<strong>Preconditions:<\/strong> At least one Windows Server 2025 domain controller in the domain, and an attacker who can create or modify a delegated Managed Service Account (dMSA), typically via CreateChild or write permissions on an organizational unit<\/li>\n<li>\n<strong>Exploitation Status:<\/strong> Publicly disclosed by Akamai in May 2025, months before the fix; Microsoft listed no in-the-wild exploitation at release and rated it Exploitation Less Likely, so unlike the other entries here it is a zero-day only in the sense of public disclosure before a patch<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-cve-2025-29824-clfs-exploitation-leading-to-ransomware\"><strong>CVE-2025-29824: CLFS Exploitation Leading To Ransomware<\/strong><\/h2>\n<p>Microsoft Threat Intelligence discovered post-compromise exploitation of <a href=\"https:\/\/cybersecuritynews.com\/windows-security-in-2025\/\">CVE-2025-29824<\/a>, a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, and fixed it in the April 8, 2025 Patch Tuesday release.<\/p>\n<p>The Storm-2460 threat group exploited this vulnerability in conjunction with PipeMagic malware for ransomware deployment. Microsoft noted that the observed exploit relies on an NtQuerySystemInformation information leak that Windows 11 version 24H2 restricts to holders of SeDebugPrivilege, so 24H2 systems were not affected by this particular exploit even though the underlying bug was present.<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/08\/exploitation-of-clfs-zero-day-leads-to-ransomware-activity\/\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>CLFS Zero-Day Campaign:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Threat Actor:<\/strong> Storm-2460<\/li>\n<li>\n<strong>Malware Family:<\/strong> PipeMagic backdoor<\/li>\n<li>\n<strong>Attack Outcome:<\/strong> RansomEXX ransomware deployment<\/li>\n<li>\n<strong>Target Sectors:<\/strong> IT, real estate, financial, software, retail<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"sitecore-viewstate-deserialization-attack\"><strong>Sitecore: ViewState Deserialization Attack<\/strong><\/h2>\n<h3 class=\"wp-block-heading\" 
id=\"h-cve-2025-53690-viewstate-zero-day-exploitation\"><strong><a href=\"https:\/\/cybersecuritynews.com\/sitecore-zero-day-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-53690<\/a>: ViewState Zero-Day Exploitation<\/strong><\/h3>\n<p>Google\u2019s Mandiant disrupted an active ViewState deserialization attack targeting Sitecore products through CVE-2025-53690. <\/p>\n<p>The weakness is the key rather than a code bug: older Sitecore deployment guides published a sample ASP.NET machineKey, and any installation that kept it lets an attacker who knows the key forge a validly signed __VIEWSTATE field carrying a deserialization gadget chain, which ASP.NET deserializes and executes before any authentication. Upgrading alone therefore does not help; the machineKey in web.config must be replaced with a unique value on every affected instance, and a key that has been exposed must be treated as compromised.<a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/viewstate-deserialization-zero-day-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p><strong>Sitecore Attack Chain:<\/strong><\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Initial Access:<\/strong> ViewState deserialization vulnerability<\/li>\n<li>\n<strong>Malware Deployed:<\/strong> WEEPSTEEL reconnaissance tool<\/li>\n<li>\n<strong>Persistence Tools:<\/strong> EARTHWORM tunnel, DWAGENT remote access<\/li>\n<li>\n<strong>Reconnaissance:<\/strong> SHARPHOUND Active Directory enumeration<\/li>\n<\/ul>\n<p>The attack progression from initial compromise to privilege escalation demonstrates the threat actor\u2019s deep understanding of the exploited vulnerability and target environment.<a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/viewstate-deserialization-zero-day-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p>The zero-day vulnerability landscape of 2025 represents an inflection point in cybersecurity, characterized by unprecedented exploitation velocity, sophisticated attack chains, and broad target diversity. <\/p>\n<p>From Chrome browsers to enterprise SAP systems, no technology stack has proven immune to determined adversaries. 
<\/p>\n<p>The consistent pattern of exploitation across major vendors (Apple, Google, Microsoft, Citrix and others) underscores the systematic nature of modern zero-day campaigns.<\/p>\n<p>Organizations must recognize that zero-day exploitation is no longer an exceptional event but a routine component of the threat landscape. <\/p>\n<p>Success in this environment requires moving beyond patch-and-pray to defense in depth that assumes compromise and focuses on detection, containment, and rapid response. Several of the cases above show why: the SharePoint, SAP and NetScaler campaigns all left web shells or stolen keys behind, so a patch applied after exposure closed the door without evicting the intruder.<\/p>\n<p>The lessons from 2025\u2019s zero-day campaigns are clear: attackers are moving faster, targeting more diverse platforms, and demonstrating increasingly sophisticated techniques. <\/p>\n<p>Defenders must match this evolution with equally capable defensive measures, industry collaboration, and a shift toward security architectures designed to withstand unknown threats.<\/p>\n<p>As 2025 continues, the cybersecurity community must keep adapting to a reality in which zero-day exploitation is not just possible but probable, requiring constant vigilance and continuous improvement of defensive capabilities across all technology platforms and organizational boundaries.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/popular-zero-day-vulnerabilities\/\">Top Zero-Day Vulnerabilities Exploited in the Wild in 2025<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Top Zero-Day Vulnerabilities Exploited in the Wild in 2025 The cybersecurity landscape in 2025 has been marked by an unprecedented surge in zero-day vulnerabilities actively exploited by threat actors. According to recent data, more than 23,600 vulnerabilities were published in the first half of 2025 alone, representing a 16% increase over 2024. 
This alarming trend [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1499,517],"tags":[130],"class_list":["post-7093","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-cybersecurity-research","category-zero-day","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7093"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7093"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7093\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}