Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android


Summary

Google released the September 2025 Android security updates addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. Both zero-days allow privilege escalation without user interaction. The patches also include fixes for remote code execution, information disclosure, and denial-of-service issues across various components. The updates are part of Google's monthly security bulletin and are released as two patch levels to give Android partners flexibility in rolling them out. The zero-day vulnerabilities were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG).

Timeline

  1. 03.09.2025 14:05 (3 articles)

    Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android

    On September 3, 2025, Google released security updates addressing 111 vulnerabilities in Android, including two zero-day flaws actively exploited in targeted attacks. Both allow privilege escalation without user interaction and were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG). The first, CVE-2025-38352, is a race condition in the Linux kernel's handling of POSIX CPU timers; the second, CVE-2025-48543, is a flaw in the Android Runtime that affects Android Open Source Project (AOSP) releases 13, 14, 15, and 16. The bulletin also fixes several remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities in the Framework and System components, and addresses four critical-severity problems, including CVE-2025-48539, a remote code execution issue in Android's System component, and multiple Qualcomm component vulnerabilities. The update is split into two patch levels: 2025-09-01 addresses 58 other bugs in Framework, System, and Widevine DRM, with the critical remote code execution defect in the System component (CVE-2025-48539) as its most severe issue; 2025-09-05 addresses 51 other issues affecting the Linux kernel and various components.

Similar Happenings

Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild

A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.

Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations

The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors combine brute-forcing credentials, exploiting default configurations, and using the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts, allowing them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that the recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted or internal networks.

Critical SAP NetWeaver Command Execution Vulnerabilities Patched

SAP has patched three critical vulnerabilities in NetWeaver, its middleware for business applications. The most severe flaw, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via insecure deserialization. Two other critical issues, CVE-2025-42922 and CVE-2025-42958, enable authenticated users to upload arbitrary files and unauthorized users to access administrative functions. These vulnerabilities affect SAP's ERP, CRM, SRM, and SCM applications, widely used in large enterprise networks. The patches come amid ongoing exploitation of another critical SAP vulnerability, CVE-2025-42957, which affects S/4HANA, Business One, and NetWeaver products. SAP released 21 new and four updated security notes on September 2025 patch day, including updates for NetWeaver AS ABAP and other SAP products. SAP has also released a patch for a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1).

Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957

A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.

Active exploitation of TP-Link TL-WA855RE Wi-Fi range extender vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a missing authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extender products. The flaw, tracked as CVE-2020-24363, allows attackers on the same network to send unauthenticated requests for a factory reset and reboot, potentially gaining administrative access. The vulnerability was disclosed in August 2020 and has been resolved by TP-Link in firmware updates. However, the product is now discontinued, and users are advised to discontinue its use. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it by September 23, 2025. On September 4, 2025, CISA added two additional TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its KEV catalog, noting evidence of active exploitation. These vulnerabilities affect multiple TP-Link router models, some of which have reached end-of-life status. TP-Link released firmware updates in November 2024 to address these issues, but recommends upgrading to newer hardware for enhanced protection.