Svoboda Cybersecurity Brief November 08, 2025


Critical Android Zero-Day Exploited via WhatsApp to Deploy LandFall Spyware

CVE-2025-21042, an out-of-bounds write in Samsung's image-parsing library libimagecodec.quram.so, was exploited through malicious DNG image files delivered over WhatsApp to install the LandFall spyware. The campaign targeted Samsung Galaxy S22, S23 and S24, Z Fold4 and Z Flip4 devices, and the implant enabled data theft, call recording and location tracking. Activity dates back to at least July 2024, roughly nine months before the fix shipped.
Impact: Remote code execution from a received image, followed by persistent surveillance.
Mitigation: Install the Samsung security update that fixes CVE-2025-21042 (released April 2025). Disabling automatic media downloads in WhatsApp reduces exposure to image-borne exploits but does not replace the patch.
Source: SecurityWeek

Cisco ASA/FTD Firewalls Under Active Exploitation for DoS Attacks

Two vulnerabilities in Cisco ASA and FTD firewalls, CVE-2025-20362 and CVE-2025-20333, that were chained for remote code execution earlier this year are now being used to force unpatched devices into repeated, unexpected reloads. More than 34,000 internet-exposed devices remain unpatched. The activity is linked to APT44 (Sandworm), attributed to Russian state actors.
Impact: Denial of service on perimeter firewalls, with loss of VPN and network connectivity during each reload.
Mitigation: Upgrade to the fixed releases listed in Cisco's September 2025 advisory. Devices that cannot be upgraded immediately should have their exposed management and VPN interfaces restricted until they are patched.
Source: BleepingComputer

NuGet Packages with Time-Bomb Payloads Target Industrial Systems

Nine malicious NuGet packages published by the account shanhai666 (for example Sharp7Extend and SqlDbRepository) carry logic bombs that only arm between 2027 and 2028. Sharp7Extend targets Siemens PLCs: once the trigger date is reached it randomly terminates the host process (20% chance) and silently corrupts data. Because the payload is dormant until then, the packages behave normally today and runtime monitoring alone will not reveal them.
Impact: Delayed sabotage and disruption of critical infrastructure.
Mitigation: Audit NuGet dependencies, including transitive ones pulled in by lock files, remove any package published by shanhai666, and monitor industrial systems for anomalous behavior.
Source: BleepingComputer
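The audit step above is easy to get wrong if only the project file is checked, since a time-bombed package can arrive as a transitive dependency that appears only in packages.lock.json. The following script is an added example, not code from the brief or from the source article: it walks a source tree, extracts package references from .csproj files and packages.lock.json, and reports any ID on a blocklist. The blocklist holds only the two package IDs the brief names (the full list of nine is in the source); the sample project file, lock file and version numbers are constructed for the demonstration.

```python
"""Audit .NET projects for NuGet packages named in the time-bomb report.

Added example (not from the brief or the source article). The two IDs in
BLOCKLIST are those the brief names; the full list of nine is in the source.
"""
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# NuGet package IDs are case-insensitive, so compare lower-cased.
BLOCKLIST = {"sharp7extend", "sqldbrepository"}

# Constructed sample project file: one benign reference and one flagged one.
# Versions are placeholders, not the versions of the real packages.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
  </ItemGroup>
</Project>
"""

# Constructed packages.lock.json: the flagged package arrives transitively,
# so a scan of the .csproj alone would miss it.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
            "SqlDbRepository": {"type": "Transitive", "resolved": "1.0.0"},
        }
    },
})


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}PackageReference' -> 'PackageReference'."""
    return tag.rsplit("}", 1)[-1]


def packages_from_csproj(xml_text: str) -> dict[str, str]:
    """Return {package_id: version} from every <PackageReference> in a project file."""
    found = {}
    for node in ET.fromstring(xml_text).iter():
        if _local_name(node.tag) != "PackageReference":
            continue
        pkg = node.get("Include") or node.get("Update")
        if not pkg:
            continue
        version = node.get("Version")
        if version is None:  # old-style <Version> child element
            for child in node:
                if _local_name(child.tag) == "Version":
                    version = (child.text or "").strip()
        found[pkg] = version or "?"
    return found


def packages_from_lockfile(text: str) -> dict[str, str]:
    """Return {package_id: resolved_version} across all target frameworks in packages.lock.json."""
    found = {}
    for deps in json.loads(text).get("dependencies", {}).values():
        for pkg, info in deps.items():
            found[pkg] = info.get("resolved", "?")
    return found


def flagged(packages: dict[str, str]) -> list[tuple[str, str]]:
    """Sorted (package, version) pairs whose ID is on the blocklist."""
    return sorted((p, v) for p, v in packages.items() if p.lower() in BLOCKLIST)


def audit_tree(root: Path) -> list[tuple[str, str, str]]:
    """Walk a source tree and return (file, package, version) for every blocklisted reference."""
    hits = []
    for path in root.rglob("*"):
        if path.suffix.lower() == ".csproj":
            pkgs = packages_from_csproj(path.read_text(encoding="utf-8-sig"))
        elif path.name == "packages.lock.json":
            pkgs = packages_from_lockfile(path.read_text(encoding="utf-8-sig"))
        else:
            continue
        hits.extend((str(path), p, v) for p, v in flagged(pkgs))
    return sorted(hits)


def demo() -> list[tuple[str, str, str]]:
    """Write the constructed samples into a temp dir and audit it (file names only, for stable output)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Plc.csproj").write_text(SAMPLE_CSPROJ, encoding="utf-8")
        (root / "packages.lock.json").write_text(SAMPLE_LOCK, encoding="utf-8")
        return [(Path(f).name, p, v) for f, p, v in audit_tree(root)]


if __name__ == "__main__":
    for file, pkg, ver in demo():
        print(f"{file}: {pkg} {ver}")
```

Run it against the root of a repository to list every project and lock file that references a blocklisted ID. Lock files are the more reliable source because they record resolved transitive packages; a project that never names shanhai666 directly can still pull one of these packages in through another dependency. Extend BLOCKLIST with the remaining package IDs from the source article before relying on the result.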

QNAP Fixes Seven Zero-Days Exploited at Pwn2Own 2025

QNAP patched CVE-2025-62847 through CVE-2025-62849 (QTS/QuTS hero flaws) and CVE-2025-59389 (Hyper Data Protector), among others, all demonstrated during Pwn2Own. Fixes are also available in Malware Remover 6.6.8 and HBS 3 Hybrid Backup Sync 26.2.0.
Impact: Full device compromise.
Mitigation: Apply latest firmware (QTS 5.2.7.3297), disable unused services.
Source: BleepingComputer

US Congressional Budget Office Breached by Suspected Foreign Actor

The CBO confirmed a cybersecurity incident involving unauthorized access that potentially exposed draft reports and internal communications. The intrusion was detected early, but some congressional offices halted email exchanges with the CBO as a precaution. The actor has not been publicly named.
Source: SecurityWeek

Clop Ransomware Claims Washington Post Breach

Clop ransomware group added The Washington Post to its leak site, alleging data theft. The group typically extorts victims by threatening leaks if ransoms aren’t paid. No evidence of data disclosure yet.
Source: DataBreaches

Keras Vulnerability Exposes AI Models to Data Theft

CVE-2025-12058 in Keras (fixed in v3.11.4) allowed server-side request forgery and local file inclusion through a model whose lookup-layer vocabulary points at an attacker-chosen file path or URL. Because Keras resolves that path when the model is loaded, an attacker who gets a victim to load a crafted model could read local files such as SSH keys or cloud credential files and make requests from the loading host to internal services.
Impact: Sensitive data exposure and cloud credential theft from the machine that loads the model.
Mitigation: Update to Keras 3.11.4 or later, load untrusted models only with safe_mode enabled (which, after the fix, rejects external vocabulary files), and treat third-party model files as untrusted input.
Source: SecurityWeek
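Upgrading is the fix, but a model file can be checked before it is ever passed to a loader. The following script is an added example, not Keras project code: it reads config.json out of a .keras archive and flags any lookup layer whose vocabulary is a string (a file path or URL) rather than an inline list. It assumes the Keras 3 serialization layout, in which a .keras file is a zip containing config.json and a lookup layer's vocabulary argument is stored under config["vocabulary"]. The sample model config, the local path and the metadata-service URL in it are constructed for the demonstration, not observed samples.

```python
"""Pre-load scan of a Keras 3 model archive for lookup layers whose vocabulary
is an external path or URL.

Added example, not Keras project code. Assumes the Keras 3 serialization
layout: a .keras file is a zip containing config.json, and a lookup layer's
`vocabulary` argument is stored under config["vocabulary"] as a list when
inline and as a string when it was given as a file path or URL.
"""
import json
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import urlparse

# Layer classes that accept a `vocabulary` argument that may name a file.
LOOKUP_CLASSES = {"StringLookup", "IntegerLookup", "IndexLookup"}

# Constructed model config: one inline (safe) vocabulary, one local path, one URL.
# The path and the metadata-service URL are illustrative, not observed samples.
SAMPLE_CONFIG = {
    "module": "keras",
    "class_name": "Functional",
    "config": {
        "name": "tagger",
        "layers": [
            {"module": "keras.layers", "class_name": "InputLayer",
             "config": {"name": "text", "dtype": "string", "batch_shape": [None, 1]}},
            {"module": "keras.layers", "class_name": "StringLookup",
             "config": {"name": "safe_lookup", "vocabulary": ["cat", "dog"]}},
            {"module": "keras.layers", "class_name": "StringLookup",
             "config": {"name": "lfi_lookup", "vocabulary": "/root/.ssh/id_rsa"}},
            {"module": "keras.layers", "class_name": "IntegerLookup",
             "config": {"name": "ssrf_lookup",
                        "vocabulary": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}},
        ],
    },
}


def classify_vocabulary(value):
    """None for an inline vocabulary; 'local-file' or 'remote:<scheme>' for an external one."""
    if not isinstance(value, str):
        return None
    scheme = urlparse(value).scheme.lower()
    # No scheme, file://, or a one-letter Windows drive prefix -> local file read (LFI).
    if scheme in ("", "file") or len(scheme) == 1:
        return "local-file"
    return f"remote:{scheme}"  # http(s)://, gs://, s3://, ... -> request from the loading host (SSRF)


def find_external_vocabularies(node):
    """Recursively walk a serialized Keras config and collect lookup layers with external vocabularies."""
    findings = []
    if isinstance(node, dict):
        cls = node.get("class_name")
        inner = node.get("config")
        if cls in LOOKUP_CLASSES and isinstance(inner, dict):
            kind = classify_vocabulary(inner.get("vocabulary"))
            if kind is not None:
                findings.append({"layer": inner.get("name", cls), "class": cls,
                                 "vocabulary": inner["vocabulary"], "kind": kind})
        for value in node.values():
            findings.extend(find_external_vocabularies(value))
    elif isinstance(node, list):
        for item in node:
            findings.extend(find_external_vocabularies(item))
    return findings


def scan_keras_archive(path):
    """Read config.json out of a .keras zip without calling load_model(), then scan it."""
    with zipfile.ZipFile(path) as zf:
        config = json.loads(zf.read("config.json"))
    return find_external_vocabularies(config)


def demo():
    """Build a .keras-style archive from the constructed config in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "tagger.keras"
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("config.json", json.dumps(SAMPLE_CONFIG))
        return scan_keras_archive(archive)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['layer']} ({finding['class']}): {finding['kind']} -> {finding['vocabulary']}")
```

The scan only reads the archive's JSON, so nothing in the model is executed and no path is resolved. Any string vocabulary is reported, including a legitimate local vocabulary file, so review hits rather than treating them all as malicious. A model that passes this check can still carry other unsafe constructs; the check is a pre-filter for untrusted model files, not a substitute for the Keras upgrade.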

Instagram and TikTok SEO Poisoning Campaign Targets Entertainment Industry

A new campaign lures users with fake AI promotions, redirecting to StealC and Vidar infostealer payloads. The attack chain involves compromised WordPress sites and manipulated search rankings.
Impact: Credential theft, financial fraud.
Mitigation: Verify the destination URL before downloading anything from a promoted link, and do not run or enable macros in files obtained through such promotions.

Benworth Capital Partners Negotiates with Hackers After Data Breach

A breach at a third party exposed the data of about 25,000 lenders, including loan details and Social Security numbers. Benworth negotiated with the attackers for deletion of the data and is offering IDX identity protection services to those affected. No public leak of the data has been detected so far.
Source: DataBreaches

Chrome 142 Patches High-Severity WebGPU and V8 Flaws

Google fixed CVE-2025-12725 (WebGPU OOB write) and CVE-2025-12727 (V8 type confusion) in Chrome 142.0.7444.134/.135. No active exploitation reported.
Impact: Arbitrary code execution.
Mitigation: Update Chrome immediately.
Source: SecurityWeek
