Good morning, ONSEC Cyber Daily readers! Today, we're diving into a whirlwind of cybersecurity updates and alerts that have been making headlines. First off, Mozilla has released an urgent patch for Windows in response to the Chrome Zero-Day Exploit. This comes as the Kuala Lumpur Airport is hit by a cyberattack, with hackers demanding a staggering $10M ransom. In other news, the Akira ransomware group has found a way to bypass EDR via a webcam, a new exploit tactic that has cybersecurity experts on high alert. Meanwhile, new variants of the macOS Malware Loader have emerged, adding to the growing list of cyber threats and machine identity exploits. Google Chrome users, it's time to update your browser to patch a critical vulnerability identified as CVE-2025-2783. This flaw was first detected by cybersecurity researchers at Kaspersky and has been linked to a targeted attack. In the world of CVEs, we're seeing a flurry of activity. From the Next.js Middleware Authorization Bypass Flaw to the critical Firefox sandbox escape flaw, patches are being released left and right to keep systems secure. CrushFTP users, take note: a critical vulnerability has been discovered that could give attackers access to internet-facing servers. Immediate action to patch is advised. Lastly, don't miss our podcast roundup where we delve into everything from Facebook bans and unsecured web servers to the future of endpoint security and EUC strategies. Stay safe and stay informed, readers. We'll be back tomorrow with more cybersecurity updates.

Exploits Alert

1. Mozilla Releases Urgent Patch for Windows After Chrome Zero-Day Exploit: Mozilla has released an urgent patch for Windows in response to the Chrome Zero-Day Exploit. The patch aims to secure users from potential cyberattacks. Source: GBHackers
2. Akira Ransomware Group Bypasses EDR via a Webcam: Cybersecurity company S-RM has revealed a new exploit tactic used by the Akira ransomware group. The group is bypassing Endpoint Detection and Response (EDR) systems via a webcam, posing a significant threat to cybersecurity. Source: INCIBE-CERT
3. New ReaderUpdate macOS Malware Loader Variants Emerge: New variants of the ReaderUpdate macOS malware loader have emerged, posing a threat to cybersecurity and machine identity. Users are advised to stay alert for system vulnerabilities. Source: ChannelE2E
4. Security Alert: Update Your Google Chrome to Patch Critical Vulnerability: A critical vulnerability, identified as CVE-2025-2783, has been detected in Google Chrome. Cybersecurity researchers at Kaspersky have linked it to a targeted cyberattack, prompting an urgent call for users to update their browsers. Source: 24/7 News

Vulnerabilities & Patches

1. SignalGate and How Not To Protect Secrets – PSW #867: This podcast episode discusses the importance of updates to CVEs and their impact on vulnerability and patch management. It also explores the availability of PoCs for any CVE. Source: SC Media
2. Mozilla warns Windows users of critical Firefox sandbox escape flaw: Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability. In October, Mozilla also patched a zero-day vulnerability. Source: Bleeping Computer
3. Russian Threat Actor EncryptHub Exploits a Microsoft Management Console Zero-Day Flaw: CVE-2025-26633, a recently patched zero-day in Microsoft Management Console, is being exploited in a new EncryptHub (Water Gamayun) campaign. Source: Technadu
4. CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825): A critical vulnerability (CVE-2025-2825) in the CrushFTP file transfer solution can give attackers access to internet-facing servers. Source: Help Net Security
5. Google patches critical Chrome zero-day exploited in journalist-targeting hack campaign: A vulnerability, reported by cybersecurity firm Kaspersky earlier this month, allowed attackers to bypass Chrome's sandbox protections. Google has since patched this critical Chrome zero-day. Source: Computing

Podcasts

1. Cyber scams are everywhere: How to avoid falling victim | Here & Now - WBUR: This podcast discusses the global industry of cyber scams, which reportedly earns around $500 billion annually. It provides insights on how to avoid falling victim to these scams. Source: WBUR
2. PODCAST: Facebook bans, unsecured web servers, and THAT Signal chat - Cyber Daily: Hosted by David Hollingworth and journalist Daniel Croft, this episode of the Cyber Uncut podcast discusses Apple backdoors, Facebook bans, and unsecured web servers. Source: Cyber Daily
3. Gartner Insights on the Future of Endpoint Security and EUC Strategies - Tech Talks Daily: This podcast episode provides a detailed look at the future of endpoint security and EUC strategies, hosted by Jay Shetty. Source: Tech Talks Daily
4. Mobile Hack Fraud | Cyber Security | Amit Dubey - YouTube: In the 15th episode of the Cyber Security Podcast Series, Cyber Crime Investigator Amit Dubey discusses how smartphone apps can listen to your conversations and track you. Source: YouTube
5. Student-Led Cybersecurity: Bridging Talent Gaps with AI at Auburn University: In this episode of the Campus Technology Insider Podcast, Editor-in-Chief Rhea Kelly speaks with Jay James, senior cybersecurity operations lead, about bridging talent gaps with AI in cybersecurity. Source: Campus Technology

Final Words

As we wrap up today's edition of 'ONSEC Cyber Daily', we hope you've found our insights and updates on the latest cybersecurity threats and patches useful. From the urgent patch released by Mozilla for Windows, to the innovative exploit tactics of the Akira ransomware group, and the emergence of new macOS malware loader variants, it's clear that the cyber landscape is constantly evolving. We've also explored the critical vulnerabilities identified in various systems and the measures being taken to patch them. We've delved into the world of cyber scams and how to avoid falling victim to them. And, we've highlighted some of the latest episodes from cybersecurity podcasts that offer further insights into these pressing issues. Remember, knowledge is power. The more informed we are, the better we can protect ourselves and our organizations from cyber threats. So, don't keep this valuable information to yourself. Share 'ONSEC Cyber Daily' with your friends and colleagues, and let's work together to create a safer cyber world. Stay vigilant, stay informed, and stay safe. See you in the next edition of 'ONSEC Cyber Daily'.

x.com

X (formerly Twitter)

ONSEC.io | LinkedIn

ONSEC.io | 1,839 followers on LinkedIn. Information security audits and penetration testing by a team of experts with an average experience of more than 7 years | ONSEC.io - is a penetration testing & in-depth security audit company with more than 13 years of experience on the market. Our team has already helped more than 300 companies be aware about possible system's vulnerabilities, including Republic, DMarket, LegionFarm, Parallels, Xsolla, Acronis, Manyсhat, Global Fashion Group and others. Our main goal is to increase the customer security level by finding and fixing security issues as well as improve security awareness inside the company, including developers, DevOps, and other teams to build a sustainable engineering culture with security knowledge.

LinkedIn