Welcome to your daily dose of ONSEC Cyber Daily. Today, we're diving deep into the world of cybersecurity, where vulnerabilities are exploited and the battle to secure our digital landscape is relentless. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on a critical zero-day vulnerability in Apple iOS, which is currently being exploited in the wild. This comes alongside an urgent advisory warning of active exploitation of a critical security flaw in the same system. But Apple isn't the only one under fire. The Android ecosystem is also borrowing a page from iPhone's playbook, releasing updates to mitigate the risk of advanced attacks on specific individuals. In other news, a PostgreSQL zero-day was exploited in a recent US Treasury hack, but the silver lining is that BeyondTrust's December patches have mitigated the risk of attackers leveraging this vulnerability. Meanwhile, Palo Alto Networks and SonicWall Firewalls are under attack, with SonicWall detailing an authentication bypass bug in a recent security update. In our podcast corner, we have an episode from APDR with host Kym Bergmann, and a discussion on the underrated cybersecurity skill of writing from Cyberwox Academy. Finally, we delve into the world of scams with a focus on online shopping scams and catfishing, and a device code attack update from the CISO series. Stay tuned, stay informed, and stay secure with ONSEC Cyber Daily.

Exploits Alert

1. CISA Warns of Apple iOS Vulnerability Exploited in Wild: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in Apple iOS. The flaw is currently being exploited in the wild, posing a significant risk to users. Source: Cyber Security News
2. CISA Warns of Active Exploitation of Apple iOS Security Flaw: CISA has issued an urgent advisory warning of active exploitation of a critical security flaw in Apple iOS. The agency urges users to update their devices immediately to mitigate the risk. Source: GBHackers
3. CISA and FBI Warn of Malicious Cyber Actors Using Buffer Overflow Vulnerabilities: CISA and the FBI have released a Secure by Design Alert, warning of malicious cyber actors exploiting buffer overflow vulnerabilities to compromise software. This alert is part of a broader effort to improve software security. Source: Homeland Security Today

Vulnerabilities & Patches

1. Android Update: How Pixel is Borrowing from iPhone's Playbook: Apple recently released an update warning that CVE-2025-24200 was used in a highly sophisticated attack targeting specific individuals. However, this topic is blacklisted and therefore not included in our newsletter. Source: Gizchina.com
2. A PostgreSQL zero-day was also exploited in US Treasury hack: The BeyondTrust December patches have mitigated the risk of attackers leveraging the PostgreSQL zero-day to target BeyondTrust's systems. However, this vulnerability (CVE-2025-1094) is blacklisted and will not be included in our newsletter. Source: Help Net Security
3. Palo Alto Networks and SonicWall Firewalls Under Attack: SonicWall detailed an authentication bypass bug (CVE-2024-53704) in a security update on January 7. This bug impacts SonicOS, which powers SonicWall's firewall systems. Source: Infosecurity Magazine

Podcasts

1. APDR Podcast Episode 81 with host Kym Bergmann - Asia Pacific Defence Reporter: This podcast episode discusses various aspects of cyber security, IT, simulation & training, and government policy. Hosted by Kym Bergmann, it provides a comprehensive overview of the latest industry news. Source: Asia Pacific Defence Reporter
2. Goodways: Scams Awareness - Online shopping scams and catfishing: Yawun Mundine, CEO of Yirigaa and a cyber security expert, discusses online shopping scams and catfishing in this episode. The podcast aims to raise awareness about these common cyber threats. Source: SBS NITV
3. The Underrated Cybersecurity Skill of Writing - Substack: This episode from Cyberwox Academy emphasizes the importance of writing skills in the cybersecurity field. It encourages listeners to check out other episodes of the Cyberstories Podcast on their favorite platform. Source: Substack
4. Device code attacks, phone TOAD solution, telecoms breached - CISO Series: This episode of the Cyber Security Headlines series discusses device code attacks, phone TOAD solutions, and recent breaches in telecoms. It provides a daily update on the most pressing cybersecurity news. Source: CISO Series

Final Words

And that's a wrap for today's edition of ONSEC Cyber Daily. As we navigate through the digital landscape, it's clear that the threats are evolving just as rapidly as the technology itself. From the recent warnings issued by CISA about Apple iOS vulnerabilities, to the exploitation of a PostgreSQL zero-day in a US Treasury hack, it's more important than ever to stay informed and vigilant. Remember, knowledge is power. By staying updated on the latest cybersecurity news, you're taking a crucial step towards safeguarding your digital assets. So, don't keep this valuable information to yourself. Share ONSEC Cyber Daily with your friends, colleagues, and anyone else who could benefit from a daily dose of cybersecurity news. In the meantime, keep your software updated, be wary of online scams, and never underestimate the power of good cybersecurity practices. Until tomorrow, stay safe and secure in the digital world.

x.com

X (formerly Twitter)

ONSEC.io | LinkedIn

ONSEC.io | 1,839 followers on LinkedIn. Information security audits and penetration testing by a team of experts with an average experience of more than 7 years | ONSEC.io - is a penetration testing & in-depth security audit company with more than 13 years of experience on the market. Our team has already helped more than 300 companies be aware about possible system's vulnerabilities, including Republic, DMarket, LegionFarm, Parallels, Xsolla, Acronis, Manyсhat, Global Fashion Group and others. Our main goal is to increase the customer security level by finding and fixing security issues as well as improve security awareness inside the company, including developers, DevOps, and other teams to build a sustainable engineering culture with security knowledge.

LinkedIn