Chrome zero-day
-
China-linked UNC3886 targeted Singapore telcos, agency says
Singapore’s Cyber Security Agency said UNC3886 targeted all four major telcos using a zero-day and rootkits. Authorities closed access points and expanded monitoring and found no evidence of customer data loss.
-
Microsoft issues emergency patch for Office zero-day CVE-2026-21509
Microsoft issued out-of-band patches for Office zero-day CVE-2026-21509, rated 7.8. Service-side protection covers newer builds and a registry workaround is provided for older Office versions. Federal agencies must remediate by February 16, 2026.
-
Researchers Hack Tesla Infotainment at Pwn2Own Automotive 2026, 37 Zero‑Days Exploited on Day One
Researchers exploited 37 zero-days at Pwn2Own Automotive 2026 in Tokyo to hack Tesla’s Infotainment System and other systems, earning $516,500 on day one. Vendors have 90 days to issue fixes.
-
Cisco warns of active exploitation of AsyncOS zero-day by China-nexus APT
Cisco warned that a maximum-severity AsyncOS zero-day (CVE-2025-20393) is being actively exploited by a China-nexus APT, targeting Secure Email Gateway and Secure Email and Web Manager appliances; exploitation requires the Spam Quarantine feature to be exposed to the internet, and Cisco, CISA and other firms have issued mitigations and alerts.
-
Google patches Chrome flaw in ANGLE library that is being actively exploited
Google released Chrome security updates on Dec. 11 that fix three vulnerabilities, including a high-severity flaw in the ANGLE graphics library tracked as Chromium issue 466192044 and reported to be exploited in the wild; users should update to the latest 143.0.7499 builds.
-
Unpatched Gogs vulnerability being actively exploited; hundreds of instances compromised
Wiz researchers say a high-severity unpatched flaw in Gogs (CVE-2025-8110) is being actively exploited, with more than 700 compromised instances; the issue allows file overwrites via symbolic links and can lead to remote code execution. Researchers recommend disabling open registration, limiting internet exposure and scanning for random repositories while a fix is developed.
-
Leaked Intellexa Materials Link Predator Spyware to Zero-Day Exploits and Diverse Delivery Vectors
Leaked documents and technical analysis link Intellexa’s Predator spyware to exploitation of multiple zero-day vulnerabilities and a range of delivery methods, including messaging links and malicious ads, according to Amnesty International, Google Threat Intelligence and Recorded Future; Pakistan has denied the allegations.
-
Active exploitation reported for 7‑Zip ZIP symbolic link vulnerability
NHS England Digital warned that CVE-2025-11001, a 7‑Zip vulnerability affecting symbolic link handling and allowing remote code execution, is being actively exploited; 7‑Zip 25.00 released in July 2025 contains fixes and users are urged to update.
-
Google issues Chrome security update for actively exploited V8 bug
Google released Chrome updates to fix two V8 type confusion vulnerabilities, including CVE-2025-13223 which is being actively exploited; users should update to the listed Chrome versions and other Chromium-based browser vendors should apply fixes when available.
-
Logitech discloses data breach tied to zero-day; Cl0p claims responsibility
Logitech disclosed a data breach in which a zero-day in a third-party platform was exploited and certain internal IT data was copied; Cl0p has claimed responsibility and Logitech said it does not expect the incident to materially affect its business.
