VulnHub

Cybersecurity researchers have uncovered that a group of Chinese-speaking hackers exploited vulnerabilities in VMware ESXi, using a compromised SonicWall VPN appliance to deploy an exploit toolkit. This toolkit appears to have been created over a year before the vulnerabilities were publicly disclosed. This means that the attackers had access to these exploits long before companies were aware of their existence, potentially allowing them to infiltrate networks unnoticed. Organizations using VMware ESXi should be particularly vigilant, as the vulnerabilities could lead to significant security breaches. The incident underscores the need for companies to regularly update their systems and monitor for unusual activity, as these types of attacks can have serious implications for data security.

A serious vulnerability has been discovered in HPE OneView, a management tool used for IT infrastructure. This flaw allows attackers to execute code remotely without needing any authentication, which poses a significant risk to organizations using this software. As the vulnerability is actively being exploited, affected companies must act quickly to protect their systems. This incident highlights the need for organizations to regularly update their software and apply security patches to defend against such attacks. Users of HPE OneView should prioritize checking for updates and implementing any recommended security measures to mitigate the risk of exploitation.

The RondoDox botnet has been identified exploiting a serious vulnerability known as React2Shell (CVE-2025-55182) to compromise Next.js servers. This flaw allows attackers to inject malware and cryptominers into systems that have not been properly secured. Organizations using Next.js frameworks are particularly at risk, as the botnet targets these servers directly. This incident underscores the necessity for companies to regularly update their software and apply security patches to prevent such attacks. The ongoing exploitation of this vulnerability poses significant risks to data integrity and can lead to unauthorized resource usage, impacting both performance and costs for affected users.

Users of the Trust Wallet Chrome extension have reported significant cryptocurrency losses after a malicious update was released on December 24. This compromised update allowed attackers to drain wallets, leading to millions in losses for affected individuals. In conjunction with this incident, researchers discovered a phishing domain set up by the hackers, further indicating a coordinated effort to exploit Trust Wallet users. The company has responded urgently, advising users to take precautions and remain vigilant to avoid further losses. This incident serves as a stark reminder of the risks associated with browser extensions and the importance of ensuring that software updates are legitimate and secure.

Fortinet has alerted users about the active exploitation of a five-year-old vulnerability in its FortiOS SSL VPN, identified as CVE-2020-12812. This flaw, which has a CVSS score of 5.2, involves improper authentication and is particularly dangerous under specific configurations. Researchers have recently observed this vulnerability being abused in real-world attacks, which means organizations using affected versions of FortiOS SSL VPN should take immediate action to secure their systems. The ongoing exploitation of such an outdated vulnerability underscores the need for companies to regularly update their security measures and ensure proper configuration to protect against potential attacks.

The FBI has reported an ongoing issue involving deepfake technology being used to impersonate U.S. government officials. This tactic has been traced back to 2023 and involves impersonators using realistic video or audio to deceive victims. The FBI has shared details about the specific methods and talking points these impersonators utilize to lure people into scams. This situation is concerning as it undermines trust in government communications and could potentially lead to financial losses or other harms for those targeted. As deepfake technology improves, it raises significant questions about verification and security in digital communications.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious vulnerability, tracked as CVE-2025-59374, found in the Asus Live Update tool. This flaw acts as a backdoor that attackers can exploit, making it a significant concern for anyone using affected Asus devices. The vulnerability stems from a supply chain attack, meaning it was introduced during the software development process rather than through direct hacking. This situation puts users at risk, as the compromised update tool could allow unauthorized access to their systems. Asus users should take this warning seriously and ensure their devices are not vulnerable to exploitation.

This week’s ThreatsDay Bulletin reveals a variety of cybersecurity incidents where attackers are modifying existing tools and utilizing new tactics to exploit vulnerabilities. Notably, there are reports of WhatsApp accounts being hijacked, which can lead to unauthorized access to personal information and communications. Additionally, leaks related to Managed Cloud Providers (MCP) expose sensitive data, raising concerns for businesses relying on cloud services. Other activities involve advancements in AI reconnaissance techniques and the exploitation of the React2Shell vulnerability, which could impact numerous applications. As these tactics evolve, it’s crucial for users and organizations to stay vigilant and update their security measures to prevent potential breaches.