Patches for Apple and Cisco, multiple groups exploiting a Windows flaw, phishing campaigns validating email accounts, UAC being bypassed...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks
Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. The vulnerabilities in question are listed below:
- CVE-2025-31200 (CVSS score: 7.5) – A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file.
- CVE-2025-31201 (CVSS score: 6.8) – A vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication.
The iPhone maker said it addressed CVE-2025-31200 with improved bounds checking and CVE-2025-31201 by removing the vulnerable section of code. Both the vulnerabilities have been credited to Apple, along with Google Threat Analysis Group (TAG) for reporting CVE-2025-31200. The updates are available for the following devices and operating systems:
- iOS 18.4.1 and iPadOS 18.4.1 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
- macOS Sequoia 15.4.1 – Macs running macOS Sequoia
- tvOS 18.4.1 – Apple TV HD and Apple TV 4K (all models)
- visionOS 2.4.1 – Apple Vision Pro
Cisco Releases Security Advisory for Webex App
Cisco has released a security advisory to address a high severity vulnerability affecting Webex App. This vulnerability affects Cisco Webex App versions 44.6 to 44.6.2.30588 and 44.7. The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. CVE-2025-20236 is an ‘insufficient input validation’ vulnerability with a CVSSv3 score of 8.8. If exploited, a remote, unauthenticated attacker could achieve remote code execution (RCE) by persuading the end user to click on a malicious meeting link. A vulnerability in the custom URL parser of Cisco Webex App could allow an unauthenticated, remote attacker to persuade a user to download arbitrary files, which could allow the attacker to execute arbitrary commands on the host of the targeted user. This vulnerability is due to insufficient input validation when Cisco Webex App processes a meeting invite link. An attacker could exploit this vulnerability by persuading a user to click a crafted meeting invite link and download arbitrary files. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the targeted user. Affected organisations are encouraged to review Cisco Security Advisory cisco-sa-webex-app-client-rce-ufyMMYLC and apply the relevant updates as soon as practicable.
Cyber Attacks
SonicWall Flags Old Vulnerability as Actively Exploited
SonicWall this week updated its security advisory for an SMA 100 series vulnerability patched in 2021 to warn customers that the flaw has been exploited in the wild. The vulnerability is tracked as CVE-2021-20035 and it has been described by SonicWall as an authenticated arbitrary command execution vulnerability. “Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, which could potentially lead to code execution,” SonicWall’s advisory explains. The flaw impacts the SMA 200, 210, 400, 410 and 500v products running software versions prior to 10.2.1.1-19sv, 10.2.0.8-37sv and 9.0.0.11-31sv. When the patches were announced in September 2021, the vulnerability went largely unnoticed, likely because it was assigned a ‘medium severity’ rating (CVSS of 5.5) and due to its exploitation requiring authentication. However, the vendor has made two updates to its advisory this week: one to warn customers about potential in-the-wild exploitation, and one to assign it a new CVSS score of 7.2, which makes the flaw ‘high severity’. “This vulnerability is believed to be actively exploited in the wild,” SonicWall wrote in the updated advisory. There does not appear to be any public information about the attacks exploiting CVE-2021-20035. Considering that exploitation requires authentication, the attacks may involve a second vulnerability — either a known issue or a zero-day.
Multiple Groups Exploit NTLM Flaw in Microsoft Windows
Multiple attackers are actively exploiting a recently patched Windows vulnerability that exposes authentication credentials, despite Microsoft releasing a fix for it in March.
CVE-2025-24054 is an NTLM (for NT LAN Manager) hash disclosure spoofing vulnerability that Microsoft identified as being of moderate severity and something that attackers were less likely to exploit, even though it requires only minimal user interaction to trigger. Like many previous NTLM-related flaws, CVE-2025-24054 exploits weaknesses in how Windows handles authentication over the network. The bug gives attackers a way to intercept and abuse user credentials without needing direct access to the victim’s system. Attackers can exploit CVE-2025-24054 by tricking users into opening a zip archive containing a malicious library-ms file. Victims don’t need to open or execute the malicious file to trigger the vulnerability. Researchers at Check Point observed attacks targeting the bug starting March 19, just eight days atter Microsoft issued a patch for it as part of the company’s scheduled security update for the month. “Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file,” Check Point said. “This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.”
In Other News...
Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft
Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. “This tactic not only gives the threat actors a higher success rate on obtaining usable credentials as they only engage with a specific pre-harvested list of valid email accounts,” the company said. Unlike “spray-and-pray” credential harvesting campaigns that typically involve the bulk distribution of spam emails to obtain victims’ login information in an indiscriminate fashion, the latest attack tactic takes spear-phishing to the next level by only engaging with email addresses that attackers have verified as active, legitimate, and high-value. In this scenario, the email address entered by the victim in a phishing landing page is validated against the attacker’s database, after which the bogus login page is displayed. If the email address does not exist in the database, the page either returns an error or the user is redirected to an innocuous page like Wikipedia to evade security analysis. The checks are carried out by integrating an API- or JavaScript-based validation service into the phishing kit that confirms the email address before proceeding to the password capture step. “It increases the efficiency of the attack and the likelihood that stolen credentials belong to real, actively used accounts, improving the quality of harvested data for resale or further exploitation,” Cofense said.
New Windows Task Scheduler Bugs Let Attackers Bypass UAC and Tamper with Logs
Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. The issues have been uncovered in a binary named “schtasks.exe,” which enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer. “A [User Account Control] bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval,” Cymulate security researcher Ruben Enkaoua said in a report shared. “By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators’ rights, leading to unauthorized access, data theft, or further system compromise”. The problem, the cybersecurity company said, occurs when an attacker creates a scheduled task using Batch Logon (i.e., a password) as opposed to an Interactive Token, causing the task scheduler service to grant the running process the maximum allowed rights. However, for this attack to work, it hinges on the threat actor acquiring the password through some other means, such as cracking an NTLMv2 hash after authenticating against an SMB server or exploiting flaws such as CVE-2023-21726. A net result of this issue is that a low-privileged user can leverage the schtasks.exe binary and impersonate a member of groups such as Administrators, Backup Operators, and Performance Log Users with a known password to obtain the maximum allowed privileges.