This Week's Headlines
- Unpatched Windows Zero-Day Exploited by Multiple State-Sponsored Groups Since 2017
- Active Exploitation of Cisco Smart Licensing Utility Vulnerabilities
- Over 300 Malicious ‘Vapor’ Apps on Google Play Amass 60 Million Downloads
- Critical Fortinet Vulnerability Actively Exploited in Ransomware Attacks
- Compromised GitHub Action Exposes CI/CD Secrets in Over 23,000 Repositories
- Hackers Exploit Critical PHP Flaw to Deploy Quasar RAT and XMRig Miners
Unpatched Windows Zero-Day Exploited by Multiple State-Sponsored Groups Since 2017
A critical, unpatched Windows zero-day vulnerability, tracked as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from nations including China, Iran, North Korea, and Russia since 2017.
This flaw allows attackers to execute hidden malicious commands on victim machines using crafted Windows Shortcut (.LNK) files.
The exploitation involves embedding concealed command-line arguments within these files, complicating detection. Notably, malware families such as Lumma Stealer, GuLoader, and Remcos RAT have been distributed using this method.
Despite the severity, Microsoft has classified the issue as low severity and currently does not plan to release a fix.
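An added example, not code from the article: a small parser that pulls the command-line argument field out of a .LNK file and flags the concealment pattern. The heuristic assumes, as the public analysis of this flaw describes, that the arguments are hidden behind long runs of whitespace or control characters so only a harmless-looking prefix shows in the shortcut's Properties dialog; the 64-character threshold and the sample shortcut built by `build_lnk` are constructed for illustration.

```python
"""Extract COMMAND_LINE_ARGUMENTS from a Windows .LNK file and flag padding that
keeps the real command out of view. Added example, not from the original article."""
import struct

# LinkFlags bits, MS-SHLLINK 2.1.1 (only the low byte is needed here)
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))        # on-disk order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk_strings(data: bytes) -> dict:
    """Walk the 76-byte header, the optional IDList and LinkInfo blocks, then the
    StringData items (2-byte char count, no terminator, UTF-16LE if IsUnicode)."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                 # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + count * width
    return fields


def suspicious_arguments(args: str, pad_threshold: int = 64) -> bool:
    """Heuristic: count whitespace/control characters in the argument field; a
    legitimate shortcut never needs that much padding. Threshold is an assumption."""
    padding = sum(1 for ch in args if ch.isspace() or ord(ch) < 0x20)
    return padding >= pad_threshold


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .LNK (header + two StringData items) for testing."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run `parse_lnk_strings` over shortcuts arriving in mail or download directories and alert on `suspicious_arguments`, since the Properties dialog alone will not show the padded tail.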
Active Exploitation of Cisco Smart Licensing Utility Vulnerabilities
Recent reports indicate that cyber attackers are actively exploiting two critical vulnerabilities in Cisco’s Smart Licensing Utility, identified as CVE-2024-20439 and CVE-2024-20440. Discovered and patched in September 2024, these flaws allow unauthenticated, remote attackers to gain administrative access using hardcoded credentials and to retrieve sensitive information from log files.
The SANS Technology Institute’s Internet Storm Center has observed exploitation attempts targeting these vulnerabilities, with attackers using default credentials to access exposed systems.
Over 300 Malicious ‘Vapor’ Apps on Google Play Amass 60 Million Downloads
Security researchers have uncovered a significant ad fraud campaign involving over 300 malicious Android applications, collectively known as ‘Vapor’ apps, on the Google Play Store. These apps, masquerading as utilities, health, fitness, and lifestyle tools, have been downloaded more than 60 million times.
Initially functional to pass Google’s review process, they were later updated to remove legitimate features, hide their icons, and bombard users with intrusive full-screen video ads, rendering devices nearly inoperative. Some apps also attempted to collect user credentials and credit card information through phishing tactics.
While Google has removed these apps from the Play Store, users who have installed them must manually uninstall them to ensure device security.
Critical Fortinet Vulnerability Actively Exploited in Ransomware Attacks
A critical authentication bypass vulnerability, identified as CVE-2025-24472, has been discovered in Fortinet’s FortiOS (versions 7.0.0 to 7.0.16) and FortiProxy (versions 7.2.0 to 7.2.12).
This flaw allows remote attackers to gain super-admin privileges by exploiting weaknesses in how these systems handle Client Server Framework (CSF) proxy requests.
Systems with exposed FortiGate firewall management interfaces are particularly vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, citing active ransomware campaigns leveraging this flaw.
Compromised GitHub Action Exposes CI/CD Secrets in Over 23,000 Repositories
A recent supply chain attack has compromised the popular GitHub Action ‘tj-actions/changed-files’, affecting more than 23,000 repositories.
Attackers modified the action’s code, retroactively updating multiple version tags to reference a malicious commit. This alteration executes a Python script that prints CI/CD secrets—such as AWS access keys, GitHub personal access tokens, npm tokens, and private RSA keys—into GitHub Actions build logs. If these logs are publicly accessible, sensitive information could be exposed.
The compromise occurred before March 14, 2025, and has been assigned CVE-2025-30066 with a CVSS score of 8.6. Users are advised to update to version 46.0.1 of the action immediately and audit their workflows for any unauthorised changes.
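An added example, not code from the article or from the tj-actions project: the audit a defender runs over their own workflow files after an incident like this one. Because the attack moved existing version tags to a malicious commit, any `uses:` line that references a tag or branch is reachable by a retag, while a full 40-character commit SHA is not. The sample workflow, the placeholder SHA and the tag-to-commit map are constructed; in practice the map comes from resolving each tag (for example with `git ls-remote`) and reviewing the commit before trusting it.

```python
"""Audit GitHub workflow files for third-party actions referenced by a mutable
tag or branch, and rewrite them to a full commit SHA. Added example; not code
from the original article or from the tj-actions project."""
import re

# One `uses:` line: optional list dash, optional quote, owner/repo[/path]@ref, optional closing quote
USES_RE = re.compile(
    r"^(?P<pre>[ \t]*-?[ \t]*uses:[ \t]*['\"]?)(?P<action>[^\s'\"@]+)@(?P<ref>[^\s'\"#]+)(?P<q>['\"]?)",
    re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the setup-python SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        with:
          files: "**/*.py"
      - uses: ./.github/actions/local
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: echo "uses: not-an-action@v1"
"""
# Constructed tag->commit map; resolve real tags at audit time and review the commit first.
RESOLVE = {"actions/checkout@v4": "a" * 40, "tj-actions/changed-files@v45": "b" * 40}


def audit_workflow(yaml_text: str) -> list:
    """Return (action, ref) pairs whose ref the upstream owner can move, which is
    exactly what the retroactive retagging in the compromise relied on."""
    findings = []
    for m in USES_RE.finditer(yaml_text):
        if m["action"].startswith("docker://") or SHA_RE.match(m["ref"]):
            continue        # container image, or already pinned to an immutable commit
        findings.append((m["action"], m["ref"]))
    return findings


def pin_workflow(yaml_text: str, resolve: dict) -> str:
    """Replace each resolvable mutable ref with its SHA, keeping the tag as a
    trailing comment so the line stays readable and tooling can later bump it."""
    def repl(m):
        sha = resolve.get(f"{m['action']}@{m['ref']}")
        if sha is None or SHA_RE.match(m["ref"]):
            return m.group(0)
        return f"{m['pre']}{m['action']}@{sha}{m['q']}  # {m['ref']}"
    return USES_RE.sub(repl, yaml_text)
```

Local `./path` actions carry no `@ref` and are never matched; a `run:` step that merely mentions `uses:` in its shell text is ignored because the pattern is anchored to the start of the line.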
Hackers Exploit Critical PHP Flaw to Deploy Quasar RAT and XMRig Miners
Cybercriminals are actively exploiting a critical vulnerability in PHP, identified as CVE-2024-4577, to distribute malware such as the Quasar Remote Access Trojan (RAT) and XMRig cryptocurrency miners.
This flaw, affecting Windows systems running PHP in CGI mode, allows remote attackers to execute arbitrary code. Since late 2024, there has been a notable increase in exploitation attempts, particularly in regions like Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%).
Attackers utilise this vulnerability to perform system reconnaissance, deploy malicious payloads, and, in some cases, alter firewall configurations to block competing threats. Administrators are strongly advised to update PHP installations promptly and restrict the use of tools like PowerShell to mitigate these risks.
If you’re ready to chat about how we can help protect your business from cyber threats, contact us using the form below 👇.