Bleepingcomputer:

BLUF: A zero-day vulnerability in Check Point VPN products is being actively exploited in the wild. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and is mandating all federal civilian agencies patch within 3 days. Enterprise and government network defenders using Check Point VPN should treat this as priority-one remediation. DETAILS CISA has issued a binding directive requiring Federal Civilian Executive Branch (FCEB) agencies to apply patches within 3 days of the KEV listing — an accelerated timeline indicating confirmed, active exploitation The vulnerability affects Check Point VPN products; specific CVE identifier and full technical details were not confirmed in source material at time of publication — treat scope as pending vendor confirmation The flaw is classified as a zero-day, meaning exploitation was occurring before a patch was publicly available Check Point has issued a fix; patch availability is confirmed, though version specifics should be verified directly against Check Point’s official security advisory Active exploitation in the wild has been confirmed by CISA; threat actor attribution and exploitation scale are not confirmed at this time IMPACT Directly affected: U.S. federal agencies running Check Point VPN infrastructure — mandatory patch deadline applies Broader risk: Any enterprise, government, or critical infrastructure organization deploying Check Point VPN products should assume exposure until patched Attack surface: VPN gateways are high-value targets — successful exploitation may enable unauthorized network access, credential theft, or lateral movement Scope of exploitation beyond federal targets is unconfirmed but cannot be ruled out RECOMMENDED ACTIONS Patch immediately — Apply Check Point’s official fix without delay; do not wait for change windows Verify affected versions — Cross-reference your deployment against Check Point’s security advisory to confirm exposure Audit VPN logs — Review authentication and access logs for anomalous activity, particularly failed or unusual login patterns predating patch availability Isolate if unpatched — If immediate patching is not possible, consider restricting VPN gateway exposure at the network perimeter Monitor CISA KEV — Check cisa.gov/known-exploited-vulnerabilities-catalog for updated CVE details and deadlines SOURCES BleepingComputer — “CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day” CISA Known Exploited Vulnerabilities Catalog (cross-reference for CVE and deadline confirmation) Check Point official security advisory (verify directly for affected product versions) ⚠️ NOTE: CVE identifier, specific affected product versions, and threat actor details were not confirmed in available source material. Organizations should consult Check Point’s advisory directly before scoping remediation efforts.

BLUF: Google has released an emergency patch for a zero-day vulnerability in the Chrome browser that is confirmed to be actively exploited in the wild. All Chrome users on desktop platforms are affected. Apply the update now. DETAILS Google has issued an out-of-band security update for Chrome addressing a zero-day vulnerability confirmed as actively exploited at time of patch release. The vulnerability has been reported by BleepingComputer as exploited in the wild — meaning threat actors have weaponized this flaw against real targets prior to the patch being available. Specific CVE identifier, vulnerability type (e.g., use-after-free, type confusion), and affected component details are not confirmed in the information provided — treat technical specifics from secondary sources with caution until Google’s official advisory is verified. Google’s standard practice in such cases is to restrict detailed technical disclosure until a majority of users have updated, to limit further exploitation. This follows a pattern of recent zero-day activity across major platforms, including a separately patched Android zero-day and ongoing exploitation of other enterprise software. IMPACT Who: All users running unpatched versions of Google Chrome on Windows, macOS, and Linux. Chromium-based browser users (Edge, Brave, Opera, etc.) may also be at risk — patch status for those products is unconfirmed at this time. Scope: Broad consumer and enterprise exposure. Chrome holds the majority of global browser market share, making the attack surface significant. Exploitation context: Active exploitation confirmed; scale, attribution, and targeting profile (opportunistic vs. targeted) are not yet confirmed. RECOMMENDED ACTIONS Update Chrome immediately: Navigate to chrome://settings/help — Chrome will check for and apply the latest update. Restart the browser to complete installation. Verify version: Confirm you are running the patched version as specified in Google’s official security bulletin once published. Chromium-based browser users: Check your browser vendor’s advisory for patch availability — do not assume coverage. Enterprise teams: Push the update via policy/MDM without waiting for user-initiated updates. Prioritize internet-facing and privileged workstations. Monitor: Watch Google’s official Chrome Releases blog and your threat intel feeds for CVE details and IOCs as they are released. SOURCES BleepingComputer — Google patches new Chrome zero-day flaw exploited in the wild Google Chrome Releases blog (consult directly for authoritative patch version and CVE details) ⚠️ NOTE: Technical details of this vulnerability are limited in current reporting. This alert will require update as CVE specifics, affected version ranges, and exploitation context are confirmed. Do not delay patching pending those details.

BLUF: Gogs, the self-hosted Git service, has patched a critical zero-day vulnerability enabling remote code execution. All organizations running Gogs instances should apply the patch immediately. DETAILS Gogs has released a patch addressing a critical zero-day vulnerability that allows remote code execution (RCE) on affected installations. The vulnerability is classified as a zero-day, meaning it was either exploited in the wild or disclosed without a prior patch window — the specific exploitation status has not been confirmed in available source material and should be verified directly with Gogs advisories. Gogs is a widely deployed, open-source, self-hosted Git platform used by development teams and organizations to manage source code repositories. Full technical details, CVE assignment, and affected version ranges are not confirmed in the information provided — consult the official Gogs release notes and BleepingComputer’s full reporting for specifics. RCE vulnerabilities in source code management platforms carry elevated risk due to direct access to codebases, CI/CD pipelines, and stored credentials. IMPACT Who is affected: Any organization or individual running a self-hosted Gogs instance, particularly those exposed to the internet or accessible from untrusted networks. Scope: Successful exploitation could allow an unauthenticated or authenticated attacker (status unconfirmed) to execute arbitrary code on the host server, potentially compromising the underlying system, stored repositories, secrets, and connected infrastructure. Downstream risk: Compromise of a source code host can enable supply chain attacks, credential theft, and lateral movement into development or production environments. RECOMMENDED ACTIONS Patch immediately — Update all Gogs instances to the latest patched version as soon as possible. Do not delay pending testing if instances are internet-facing. Restrict access — If patching cannot occur immediately, restrict network access to Gogs instances to trusted IP ranges or place behind a VPN. Audit logs — Review Gogs access and server logs for anomalous activity, unexpected process execution, or unauthorized repository access. Rotate secrets — If exposure cannot be ruled out, rotate credentials, SSH keys, API tokens, and any secrets stored within repositories. Verify CVE details — Monitor the official Gogs GitHub repository and BleepingComputer for confirmed CVE identifiers and full technical scope. SOURCES BleepingComputer: Gogs patches critical zero-day enabling remote code execution (primary trigger) Official Gogs project advisories — verify directly for confirmed version and CVE details ⚠️ UNCERTAINTY FLAG: CVE identifier, affected version range, authentication requirements for exploitation, and confirmed in-the-wild exploitation status are not verified in available source material. Treat as critical until confirmed otherwise. ...

BLUF: Check Point has linked active zero-day exploitation of its VPN products to the Qilin ransomware group. Organizations running Check Point VPN solutions should treat this as an active threat requiring immediate action. DETAILS Check Point has publicly attributed zero-day attacks targeting its VPN infrastructure to the Qilin ransomware gang, per BleepingComputer reporting. The vulnerability is being actively exploited in the wild — this is not a theoretical or proof-of-concept threat. Qilin is an established ransomware-as-a-service (RaaS) operation known for double-extortion tactics (data theft + encryption). NOTE: Specific CVE identifier, affected product versions, and technical exploitation details have not been confirmed in the source material provided. Treat version scope as uncertain until Check Point publishes full advisory details. This follows a broader pattern of threat actors targeting VPN edge devices as initial access vectors — consistent with recent SonicWall and Cisco SD-WAN zero-day exploitation observed in parallel reporting. IMPACT Who is affected: Organizations using Check Point VPN products — scope of affected versions unconfirmed at this time. Threat: Successful exploitation likely enables initial network access, with Qilin’s established TTPs suggesting follow-on lateral movement, data exfiltration, and ransomware deployment. Severity: Critical — active exploitation by a ransomware group with a track record of high-impact attacks. VPN edge devices represent high-value targets; compromise may bypass perimeter defenses entirely. RECOMMENDED ACTIONS Monitor Check Point’s official security advisory portal immediately for patch availability and affected version confirmation. Audit VPN access logs for anomalous authentication attempts, unusual session origins, or unexpected privileged access. Restrict VPN exposure where operationally feasible — limit internet-facing attack surface pending patch guidance. Apply any available patches or mitigations from Check Point without delay once published. Alert SOC/IR teams to elevate monitoring posture for Qilin-associated indicators of compromise (IOCs). Do not assume MFA alone is sufficient protection — recent VPN zero-days have demonstrated MFA bypass capability. SOURCES BleepingComputer: Check Point links VPN zero-day attacks to Qilin ransomware gang Supporting context: Huntress active exploitation reporting (SonicWall VPNs); Cisco SD-WAN zero-day advisory (BleepingComputer) ⚠ UNCERTAINTY FLAG: CVE details, specific affected product versions, and full technical indicators have not been confirmed in available source material. This alert will require update as Check Point’s official advisory is published. Do not delay defensive action pending full details.

BLUF: Cisco has disclosed an unpatched zero-day vulnerability in its SD-WAN software that is actively being exploited in the wild. Organizations running Cisco SD-WAN products are at immediate risk. No patch is currently available. Mitigations should be applied immediately pending vendor fix. DETAILS Cisco has publicly warned of a zero-day vulnerability affecting its SD-WAN product line that is confirmed to be actively exploited in attacks No patch has been released at time of disclosure — this is an unmitigated vulnerability with known in-the-wild exploitation Source reporting originates from BleepingComputer citing Cisco’s own advisory; specific CVE identifier, CVSS score, and technical exploitation details have not been confirmed in the information provided — treat specifics as pending verification The attack vector, required privileges, and whether exploitation requires authentication are not confirmed in available details — organizations should consult Cisco’s official advisory directly for technical specifics Cisco SD-WAN is widely deployed in enterprise and service provider environments for network edge management, increasing potential blast radius IMPACT Who is affected: Organizations and managed service providers running Cisco SD-WAN solutions — scope is potentially broad given enterprise-wide deployment of this product line What is at risk: Network infrastructure, edge routing, and potentially connected internal segments depending on exploitation capability — exact impact scope unconfirmed pending full advisory details Exploitation status: Confirmed active — this is not theoretical RECOMMENDED ACTIONS Immediately review Cisco’s official security advisory at cisco.com/go/psirt for confirmed technical details, affected versions, and available workarounds Identify all SD-WAN assets in your environment and assess exposure — prioritize internet-facing management interfaces Apply any Cisco-recommended mitigations or workarounds in the absence of a patch — restrict management plane access where possible Increase monitoring on SD-WAN infrastructure for anomalous activity, unauthorized configuration changes, or lateral movement indicators Do not wait for a patch — implement compensating controls now and establish a patch deployment plan for when a fix is released Notify stakeholders and escalate to incident response posture if SD-WAN devices are exposed to untrusted networks SOURCES BleepingComputer — Cisco warns of unpatched SD-WAN zero-day exploited in attacks Cisco PSIRT (consult directly for authoritative technical details) ⚠️ UNCERTAINTY FLAG: Technical specifics including CVE, affected version list, attack vector, and exploitation method are not confirmed in available reporting. All operational decisions should be validated against Cisco’s official advisory before implementation.