Full Report
If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and
Analysis Summary
# Vulnerability: Apple and Google Actively Exploited Zero-Days in Mobile/Web Browsers
## CVE Details
- CVE ID: CVE-2025-14174, CVE-2025-43529
- CVSS Score: N/A (Details not provided, but described as "critical flaws")
- CWE: Memory Corruption (for CVE-2025-14174), Use-After-Free (for CVE-2025-43529)
## Affected Systems
- Products: Apple iOS, iPadOS, macOS, tvOS, watchOS, visionOS, Safari web browser, Google Chrome (due to the ANGLE library component).
- Versions: All versions prior to the patches released by Apple/Google.
- Configurations: Exploitation mechanism involves processing maliciously crafted web content.
## Vulnerability Description
Two separate zero-day vulnerabilities existed in Apple products:
1. **CVE-2025-14174**: A memory corruption issue.
2. **CVE-2025-43529**: A use-after-free bug.
Both vulnerabilities can be exploited by presenting a device with maliciously crafted web page content, leading to arbitrary code execution on the targeted device. CVE-2025-14174 specifically resided within the open-source Almost Native Graphics Layer Engine (ANGLE) library shared with Google Chrome.
## Exploitation
- Status: Exploited in the wild (Highly targeted attacks).
- Complexity: Not stated; the reported use by commercial spyware vendors implies an exploit chain within reach of well-resourced actors, consistent with targeted, high-value attacks rather than mass exploitation.
- Attack Vector: Network (via web content delivery).
## Impact
- Confidentiality: High (Arbitrary code execution allows full system compromise).
- Integrity: High (Arbitrary code execution allows system modification).
- Availability: High (System compromise or crash possible).
## Remediation
### Patches
- Patches were released by Apple for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari.
- A specific patch was released by Google for Chrome addressing CVE-2025-14174 within the ANGLE library.
### Workarounds
- No technical workarounds were specified in the source; immediate patching is the stated mitigation.
## Detection
- Detection strategies were not specified, but indicators would likely involve unusual process behavior stemming from Safari or web rendering engines, particularly if linked to suspected commercial spyware activity.
## References
- Vendor Advisories: Apple security updates (specific links not provided in text).
- Relevant Links:
- hXXps://thehackernews.com/2025/12/apple-issues-security-updates-after-two.html
- hXXps://thehackernews.com/2025/12/chrome-targeted-by-active-in-wild.html
---
# Vulnerability: SOAPwn RCE in .NET HTTP Client Proxies
## CVE Details
- CVE ID: N/A (Codenamed SOAPwn)
- CVSS Score: N/A (Described as leading to RCE in the worst case)
- CWE: N/A (Relates to unexpected application behavior/misconfiguration handling)
## Affected Systems
- Products: Applications that use .NET HTTP client proxies, specifically those calling SOAP APIs or importing external WSDLs.
- Versions: Not specified; the report describes exposure in terms of applications using these proxies rather than particular .NET versions.
- Configurations: The vulnerability is triggered when .NET HTTP client proxies accept non-HTTP URLs (like `file://`) and subsequently perform an action, such as writing a response or importing a WSDL.
## Vulnerability Description
SOAPwn is a vulnerability stemming from the unexpected behavior of .NET's HTTP client proxies, which can be tricked into interacting with the local filesystem instead of only making standard HTTP requests. If an attacker can control a URL passed to a SOAP API endpoint (e.g., via WSDL import or a path in a request), the proxy might write the request data to a local path instead of sending it over HTTP. This can lead to:
1. **NTLM Challenge Capture/Relay** (Best case).
2. **Remote Code Execution (RCE)** via webshell uploads or malicious PowerShell script drops (Worst case).
## Exploitation
- Status: Identified by researchers; in-the-wild exploitation is not confirmed in this summary, but the RCE outcome makes the risk high.
- Complexity: Medium (Requires successful manipulation of URL input to trigger a file write to a sensitive location).
- Attack Vector: Network (Injection of malicious WSDL or URL into an application endpoint).
## Impact
- Confidentiality: High (If NTLM credentials are leaked/relayed).
- Integrity: High (RCE allows file modification and script execution).
- Availability: High (Potential for system instability or shutdown following RCE).
## Remediation
### Patches
- Microsoft's guidance places responsibility on developers to guard against non-HTTP URLs; no specific patch is described, so remediation depends on vendor updates or on changes to how applications use SOAP/WSDL features.
### Workarounds
- Developers must ensure they validate and strictly enforce that all URLs passed to .NET HTTP client proxies intended for web services are valid HTTP/HTTPS URLs and not local file paths.
- Review and sanitize all inputs used in WSDL imports.
## Detection
- Indicators of Compromise (IOCs) would include evidence of unexpected file writes to application paths or attempts to execute scripts/webshells originating from web application processes.
- Detection methods should focus on application logging for non-standard URL schemes being processed by networking components.
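The following is an added example (not code from the article, the researchers, or Microsoft) showing the workaround and the detection idea above in one place: a scheme allowlist applied before a URL reaches an HTTP client proxy or WSDL import, and the same check replayed over constructed application log lines in a hypothetical `key=value` format with a `url=` field to surface non-HTTP schemes that were handed to networking code. The class, method names and log format are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the article or from Microsoft. It shows
// (1) a scheme allowlist applied before a URL reaches a .NET HTTP client
// proxy or WSDL importer, and (2) the same check replayed over application
// log lines to surface non-HTTP schemes that were passed to networking code.
public static class ServiceUrlGuard
{
    // Accepts only absolute http:// or https:// URLs that carry a host.
    // Drive paths (C:\...), UNC paths (\\host\share) and file:// URLs all
    // surface as the "file" scheme after parsing; bare relative strings
    // either fail to parse or become file URIs depending on platform.
    // Every one of those cases is rejected here.
    public static bool IsSafeServiceUrl(string candidate, out Uri? parsed)
    {
        parsed = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return false;

        bool httpLike = uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
        if (!httpLike || string.IsNullOrEmpty(uri.Host)) return false;

        parsed = uri;
        return true;
    }

    // Hypothetical log format assumed here: space-separated key=value pairs
    // with a "url=" field. Returns the lines whose url field fails the allowlist.
    public static List<string> FlagNonHttpServiceUrls(IEnumerable<string> logLines)
    {
        var flagged = new List<string>();
        foreach (var line in logLines)
        {
            int idx = line.IndexOf("url=", StringComparison.Ordinal);
            if (idx < 0) continue;
            string url = line.Substring(idx + 4).Split(' ')[0];
            if (!IsSafeServiceUrl(url, out _)) flagged.Add(line);
        }
        return flagged;
    }

    public static void Main()
    {
        // Constructed sample inputs, not real telemetry.
        string[] inputs =
        {
            "https://api.example.invalid/Orders.svc?wsdl",
            "file:///C:/inetpub/wwwroot/upload.aspx",
            @"\\fileserver\share\notes.txt",
            "ftp://example.invalid/x",
            "/relative/path",
        };
        foreach (var s in inputs)
            Console.WriteLine($"{(IsSafeServiceUrl(s, out _) ? "ALLOW " : "REJECT")} {s}");

        // Constructed log lines in the assumed key=value format.
        string[] logLines =
        {
            "2025-12-15T10:01:02Z svc=OrderService op=ImportWsdl url=https://partner.example.invalid/svc?wsdl status=200",
            "2025-12-15T10:01:09Z svc=OrderService op=ImportWsdl url=file:///C:/inetpub/wwwroot/upload.aspx status=0",
            "2025-12-15T10:01:11Z svc=OrderService op=Invoke url=\\\\fileserver\\share\\notes.txt status=0",
        };
        foreach (var hit in FlagNonHttpServiceUrls(logLines))
            Console.WriteLine("FLAG " + hit);
    }
}
```

The allowlist is deliberately positive (only `http` and `https` pass) rather than a blocklist of `file://`, because `Uri.TryCreate` also turns drive letters and UNC paths into `file` URIs and other schemes could reach the proxy; the log scan reuses the same predicate so that what production rejects and what the SOC hunts for never drift apart.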
## References
- Vendor Advisories: Microsoft guidance on developer responsibility is cited.
- Relevant Links:
- hXXps://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html