Weekly Exploit Roundup
Generated 2025-11-11T08:00:13.150225+00:00 (UTC)
- No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480
Source: Threat Intelligence | Published: 2025-11-10T14:00:00+00:00 | Score: 21.964
Written by: Stallone D'Souza, Praveeth DSouza, Bill Glynn, Kevin O'Flynn, Yash Gupta
Welcome to the Frontline Bulletin Series. Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the threats we are seeing in the wild right now, equipping our community to understand and respond.
Introduction. Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet's Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads. As early as Aug. 24, 2025, a threat cluster tracked by Google Threat Intelligence Group (GTIG) as UNC6485 exploited the unauthenticated access vulnerability and chained it with the abuse of the built-in anti-virus feature to achieve code execution. The activity discussed in this blog post
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature
Source: The Hacker News | Published: 2025-11-10T20:49:00+00:00 | Score: 17.267
Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox file-sharing and remote access platform.
The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication and access the configuration pages, resulting in the upload and execution of arbitrary payloads.
The
- CISA orders feds to patch Samsung zero-day used in spyware attacks
Source: BleepingComputer | Published: 2025-11-10T20:00:34+00:00 | Score: 16.843
CISA ordered U.S. federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp. […]
- GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools
Source: Threat Intelligence | Published: 2025-11-05T14:00:00+00:00 | Score: 16.393
Executive Summary. Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution. This report serves as an update to our January 2025 analysis, "Adversarial Misuse of Generative AI," and details how government-backed threat actors and cyber criminals are integrating and experimenting with AI across the industry throughout the entire attack lifecycle. Our findings are based on the broader threat landscape. At Google, we are committed to developing AI responsibly and take proactive steps to disrupt malicious activity by disabling the projects and accounts associated with bad actors, while continuously improving our models to m
- Popular JavaScript library expr-eval vulnerable to RCE flaw
Source: BleepingComputer | Published: 2025-11-10T18:32:29+00:00 | Score: 15.799
A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. […]
- Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware
Source: The Hacker News | Published: 2025-11-07T18:00:00+00:00 | Score: 15.04
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary
- CISA Adds One Known Exploited Vulnerability to Catalog
Source: Alerts | Published: 2025-11-10T12:00:00+00:00 | Score: 14.405
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-21042 Samsung Mobile Devices Out-of-Bounds Write Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV
- Landfall Android Spyware Targeted Samsung Phones via Zero-Day
Source: SecurityWeek | Published: 2025-11-07T15:29:34+00:00 | Score: 14.366
Threat actors exploited CVE-2025-21042 to deliver malware via specially crafted images to users in the Middle East. The post Landfall Android Spyware Targeted Samsung Phones via Zero-Day appeared first on SecurityWeek.
- Preparing for Threats to Come: Cybersecurity Forecast 2026
Source: Threat Intelligence | Published: 2025-11-04T14:00:00+00:00 | Score: 13.678
Every November, we make it our mission to equip organizations with the knowledge needed to stay ahead of threats we anticipate in the coming year. The Cybersecurity Forecast 2026 report, released today, provides comprehensive insights to help security leaders and teams prepare for those challenges. This report does not contain "crystal ball" predictions. Instead, our forecasts are built on real-world trends and data we are observing right now. The information contained in the report comes directly from Google Cloud security leaders, and dozens of experts, analysts, researchers, and responders directly on the frontlines.
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
Source: Alerts | Published: 2025-11-04T12:00:00+00:00 | Score: 12.619
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-11371 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
CVE-2025-48703 CWP Control Web Panel OS Command Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CI
End of report.
