Chrome zero-day
-
CISA orders federal agencies to remediate two exploited Cisco firewall flaws
CISA ordered U.S. federal agencies to remediate two actively exploited Cisco ASA and Firepower vulnerabilities (CVE-2025-20333, CVE-2025-20362), warned that some devices reported as patched remain vulnerable, and added three flaws to its KEV catalog with a December 3, 2025 remediation deadline.
-
CISA adds VMware local privilege‑escalation zero-day to Known Exploited Vulnerabilities catalog
CISA added CVE-2025-41244, a high-severity VMware local privilege‑escalation flaw, to its Known Exploited Vulnerabilities catalog after reports of active exploitation. Broadcom-owned VMware has issued a patch, NVISO Labs reported zero-day use since October 2024, and federal agencies must apply mitigations by Nov. 20, 2025.
-
Kaspersky links Chrome zero-day campaign to Italian spyware firm Memento Labs
Kaspersky detailed Operation ForumTroll, a campaign that used a Chrome sandbox escape (CVE-2025-2783) to deliver modular spyware LeetAgent and a second implant called Dante, which researchers attribute with high confidence to Memento Labs, a firm formed from assets of the former Hacking Team.
