"Apple released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari web browser to address two zero-days that the company said have been exploited in highly targeted attacks. CVE-2025-14174 has been described as a memory corruption issue, while the second, CVE-2025-43529, is a use-after-free bug. They can both be exploited using maliciously crafted web content to execute arbitrary code."
"Cybersecurity researchers uncovered an unexpected behavior of HTTP client proxies in .NET applications, potentially allowing attackers to achieve remote code execution. The vulnerability has been codenamed SOAPwn. At its core, the problem has to do with how .NET applications might be vulnerable to arbitrary file writes because .NET's HTTP client proxies also accept non-HTTP URLs such as files, a behavior that Microsoft says developers are responsible for guarding against - but not likely to expect."
Multiple actively exploited vulnerabilities target widely used platforms and development frameworks. Apple and Google released patches for two zero-days — CVE-2025-14174 (memory corruption) and CVE-2025-43529 (use-after-free) — that can execute arbitrary code via malicious web content; CVE-2025-14174 also affects Chrome through the ANGLE library. Evidence suggests commercial spyware vendors weaponized the flaws. Separately, the SOAPwn vulnerability arises from .NET HTTP client proxies accepting non-HTTP URLs, enabling arbitrary file writes and creating RCE paths via web shells and malicious PowerShell scripts. Many .NET applications, including commercial products, can be affected, and developers are urged to validate accepted URL schemes.
#zero-day-exploits #apple-iosmacos-security #net-soapwn-rce #anglechrome-vulnerability #commercial-spyware
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]