Active exploitation of CVE-2025-11001 has been observed in the wild. A security researcher has also publicly released a proof-of-concept (PoC) exploit for CVE-2025-11001.
The PoC allows attackers to abuse symbolic-link handling to write files outside of the intended extraction folder, which in some scenarios, can enable arbitrary code execution.
Read more…
Source: NHS Digital
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog
September 18, 2023
CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-22265 Samsung Mobile Devices Use-After-Free Vulnerability CVE-2014-8361 Realtek SDK Improper Input Validation Vulnerability CVE-2017-6884 Zyxel EMG2926 Routers Command Injection Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related: CISA Adds One Known Vulnerability to Catalog
- Kuwait’s finance ministry says cyberattack hit one of its systems
September 18, 2023
Kuwait’s finance ministry said on Monday that one of its systems had suffered a cyberattack in the early morning but that the ministry continued to work normally. The ministry said in a statement that protection systems and procedures had been activated and “the level of the hacking attempt is being assessed.” Read more… Source: Alarabiya News
- CISA Releases Three Industrial Control Systems Advisories
September 12, 2023
CISA released three Industrial Control Systems (ICS) advisories on September 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-255-01 Hitachi Energy Lumada APM Edge ICSA-23-255-02 Fujitsu Software Infrastructure Manager Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency
- Unusually low 5 critical vulnerabilities included in Microsoft September Patch Tuesday, along with two zero-days
September 12, 2023
Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates. However, there are two issues disclosed and patched this month that have already been exploited in the wild. Fifty-six of the vulnerabilities included in this month’s Patch ...
- Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter
September 11, 2023
Windows arbitrary file deletion vulnerabilities should no longer be considered mere annoyances or tools for Denial-of-Service (DoS) attacks. Over the past couple of years, these vulnerabilities have matured into potent threats capable of unearthing a portal to full system compromise. This transformation is exemplified in CVE-2023-27470 (an arbitrary file deletion vulnerability in N-Able’s Take Control Agent ...
- Apple fixes zero-day bugs used to plant Pegasus spyware
September 7, 2023
Apple released security updates on Thursday that patch two zero-day exploits — meaning hacking techniques that were unknown at the time Apple found out about them — used against a member of a civil society organization in Washington, D.C., according to the researchers who found the vulnerabilities. Citizen Lab, an internet watchdog group that investigates government ...