Update your Chrome today: Google patches 4 vulnerabilities including one zero-day

18 September 2025 at 06:15

Google has released an update for its Chrome browser to patch four security vulnerabilities, including one zero-day. A zero-day vulnerability refers to a bug that has been found and exploited by cybercriminals before the vendor even knew about it (they have “zero days” to fix it).

This update is crucial since it addresses one vulnerability which is already being actively exploited and, reportedly, can be abused when the user visits a malicious website. It probably doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the version number to 140.0.7339.185/.186 for Windows and Mac, and to 140.0.7339.185 for Linux. So if your Chrome is on version 140.0.7339.185 or later, it is protected against exploitation of these vulnerabilities.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose Settings > About Chrome. If an update is available, Chrome will notify you and start downloading it. Then all you have to do is relaunch Chrome for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and how to read the version number in our article on how to update Chrome on every operating system.

Technical details on the zero-day vulnerability

Google describes the zero-day vulnerability tracked as CVE-2025-10585 as a type confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16.

Despite the short statement—Google never reveals a lot of details until everyone has had a chance to update—there are a few conclusions we can draw.

It helps to know that V8 is Google’s open-source JavaScript engine, used by Chrome and by every other Chromium-based browser.

A “type confusion” vulnerability happens when code doesn’t verify the object type passed to it and then uses the object without type-checking. So, a program mistakenly treats one type of data as if it were another, like confusing a list for a single value or interpreting a number as text. This mix-up can cause the software to behave unpredictably, creating opportunities for attackers to break in, steal data, crash programs, or even run malicious code.
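
The same logic error can be shown at the level of a scripting language. The following is an added example, not V8 code and not a model of CVE-2025-10585 (Google has not published its details): a Python access check written for a list of IDs is handed a single string instead, and because Python’s `in` operator does substring matching on strings, the wrong type passes the check. In V8 the unchecked assumption sits in native code, where the consequence is memory being read with the wrong layout rather than a wrong answer. The JSON documents and IDs below are constructed.

```python
import json

# Added example: not V8 code. Illustrates "using an object without checking
# its type": the same `in` test means exact membership on a list but
# substring search on a str, so a str where a list was expected silently
# changes what the check means.


def is_allowed_unchecked(allowed_ids, requested_id):
    """Vulnerable: assumes allowed_ids is a list and never verifies it."""
    # list  -> exact-match membership test
    # str   -> substring test: "42" in "1420" is True
    return requested_id in allowed_ids


def is_allowed(allowed_ids, requested_id):
    """Hardened: verify the object's type before using it."""
    if not isinstance(allowed_ids, (list, tuple, set, frozenset)):
        raise TypeError(
            f"allowed_ids must be a collection, got {type(allowed_ids).__name__}")
    if not all(isinstance(item, str) for item in allowed_ids):
        raise TypeError("allowed_ids must contain only strings")
    if not isinstance(requested_id, str):
        raise TypeError("requested_id must be a string")
    return requested_id in allowed_ids


def check_request(raw_json, requested_id, checker=is_allowed):
    """Parse an access-control document (assumed format) and apply `checker`.

    JSON gives no guarantee that a field has the type the code expects:
    {"allowed_ids": ["1420"]} and {"allowed_ids": "1420"} both parse fine.
    """
    doc = json.loads(raw_json)
    return checker(doc["allowed_ids"], requested_id)


def decide(raw_json, requested_id):
    """Return "allow", "deny", or "reject" (document had the wrong shape)."""
    try:
        return "allow" if check_request(raw_json, requested_id) else "deny"
    except (TypeError, KeyError, ValueError):
        return "reject"


# Constructed inputs: the expected shape and the type-confused shape.
GOOD_DOC = '{"allowed_ids": ["1420", "7"]}'
CONFUSED_DOC = '{"allowed_ids": "1420"}'

if __name__ == "__main__":
    print(check_request(GOOD_DOC, "42", is_allowed_unchecked))      # False
    print(check_request(CONFUSED_DOC, "42", is_allowed_unchecked))  # True: substring match
    print(decide(CONFUSED_DOC, "42"))                               # reject
```

The unchecked version never crashes, which is what makes this class of bug easy to miss: it returns a plausible answer computed under the wrong interpretation of the data.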

Google’s Threat Analysis Group (TAG) focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

So it stands to reason that an attacker used JavaScript on a malicious site to exploit this vulnerability, and lured targeted victims to that site.

TAG reported the bug on September 16, and Google issued the patch one day later. That implies the bug was urgent, or very easy to fix, and probably both to some extent.

Usually, as more details become known or a patch gets reverse engineered, cybercriminals will start using the vulnerability in less targeted attacks.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to keep an eye out for updates and install them when they become available.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Update your Apple devices to fix dozens of vulnerabilities

16 September 2025 at 15:48

Apple has released security updates for iPhones, iPads, Apple Watches, Apple TVs, and Macs as well as for Safari, and Xcode to fix dozens of vulnerabilities which could give cybercriminals access to sensitive data.

How to update your devices

How to update your iPhone or iPad

For iOS and iPadOS users, to check whether you’re on the latest software version, go to Settings > General > Software Update. It’s also worth turning on Automatic Updates if you haven’t already; you can do that on the same screen.

How to update macOS on any version

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

  • Click the Apple menu in the upper-left corner of your screen.
  • Choose System Settings (or System Preferences on older versions).
  • Select General in the sidebar, then click Software Update on the right. On older macOS, just look for Software Update directly.
  • Your Mac will check for updates automatically. If updates are available, click Update Now (or Upgrade Now for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
  • Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
  • Make sure your Mac stays plugged in and connected to the internet until the update is done.

How to update Apple Watch

  • Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi.
  • Keep your Apple Watch on its charger and close to your iPhone.
  • Open the Watch app on your iPhone.
  • Tap General > Software Update.
  • If an update appears, tap Download and Install.
  • Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

How to update Apple TV

  • Turn on your Apple TV and make sure it’s connected to the internet.
  • Open the Settings app on Apple TV.
  • Navigate to System > Software Updates.
  • Select Update Software.
  • If an update appears, select Download and Install.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

Updates for your particular device

Apple has today released version 26 for all its software platforms. This new version brings in a new “Liquid Glass” design, expanded Apple Intelligence, and new features. You can choose to update to that version, or just update to fix the vulnerabilities:

  • iOS 26 and iPadOS 26: iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
  • iOS 18.7 and iPadOS 18.7: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.12 and iPadOS 16.7.12: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • iOS 15.8.5 and iPadOS 15.8.5: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
  • macOS Tahoe 26: Mac Studio (2022 and later), iMac (2020 and later), Mac Pro (2019 and later), Mac mini (2020 and later), MacBook Air with Apple silicon (2020 and later), MacBook Pro (16-inch, 2019), MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports), and MacBook Pro with Apple silicon (2020 and later)
  • macOS Sequoia 15.7: macOS Sequoia
  • macOS Sonoma 14.8: macOS Sonoma
  • tvOS 26: Apple TV HD and Apple TV 4K (all models)
  • watchOS 26: Apple Watch Series 6 and later
  • visionOS 26: Apple Vision Pro
  • Safari 26: macOS Sonoma and macOS Sequoia
  • Xcode 26: macOS Sequoia 15.6 and later

Technical details

Apple did not mention any actively exploited vulnerabilities, but there are two that we would like to highlight.

A vulnerability tracked as CVE-2025-43357 in Call History was found that could be used to fingerprint the user. Apple addressed this issue with improved redaction of sensitive information. This issue is fixed in macOS Tahoe 26, iOS 26, and iPadOS 26.

A vulnerability in the Safari browser, tracked as CVE-2025-43327, allows a malicious website to spoof the address bar. Apple says it fixed the issue by adding additional logic.

Address bar spoofing is a trick cybercriminals might use to make you believe you’re on a trusted website when in reality you’re not. Instead of showing the real address, attackers exploit browser flaws or use clever coding so the address bar displays something like login.bank.com even though you’re not on your bank’s site at all. This would allow the criminals to harvest your login credentials when you enter them on what is really their website.



Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers

9 September 2025 at 15:24

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).

RBI is one of the world’s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories.

The two researchers who scrutinized its security were far from impressed. Their blog post, since removed but archived, states:

“Their security was about as solid as a paper Whopper wrapper in the rain.
We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire. From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.”

The researchers say they found that RBI uses AWS Cognito but forgot to turn off user signups. AWS Cognito is a managed service from Amazon Web Services that helps developers handle user signups, sign-ins, and access control without building these features from scratch.

Disabling user signups is important to make sure that only authorized personnel get accounts, which may be created and managed centrally by IT administrators. This approach reduces the attack surface by blocking open self-registration and unauthorized account creation, which is critical for protecting sensitive internal resources and services. Administrators can then validate and approve accounts before enabling user access to applications managed via Cognito.
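
As an added example (not RBI’s configuration and not the researchers’ code), here is how a pool can be checked for exactly this setting. The function takes the response of Cognito’s DescribeUserPool API, so it runs offline against the constructed dictionaries below; in practice you would fetch the response with boto3, `boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)`, and pass it in unchanged. The field names (`AdminCreateUserConfig.AllowAdminCreateUserOnly`, `AutoVerifiedAttributes`, `MfaConfiguration`) are Cognito’s own; the pool ID, pool name and values are made up.

```python
# Added example: audits a Cognito user pool description for self-service
# sign-up. Field names are those returned by DescribeUserPool; the sample
# responses below are constructed, not taken from any real account.


def audit_user_pool(describe_response):
    """Return a list of findings; an empty list means none of the checked
    settings is weak."""
    pool = describe_response["UserPool"]
    findings = []

    # The setting the article describes. When False (Cognito's default),
    # anyone who can reach the pool's SignUp API can create an account.
    admin_only = pool.get("AdminCreateUserConfig", {}).get(
        "AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self-service sign-up enabled "
                        "(AdminCreateUserConfig.AllowAdminCreateUserOnly is false)")

    # With open sign-up, Cognito only sends a verification code for the
    # attributes listed here; an empty list means no code goes out at sign-up.
    if not admin_only and not pool.get("AutoVerifiedAttributes"):
        findings.append("no attribute is auto-verified at sign-up "
                        "(AutoVerifiedAttributes is empty)")

    if pool.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is off for the pool (MfaConfiguration is OFF)")

    return findings


# Constructed responses: a pool left at defaults, and a locked-down one.
OPEN_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",        # made-up pool ID
        "Name": "store-assistant",        # made-up pool name
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
        "AutoVerifiedAttributes": [],
        "MfaConfiguration": "OFF",
    }
}

LOCKED_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",
        "Name": "store-assistant",
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
        "AutoVerifiedAttributes": ["email"],
        "MfaConfiguration": "ON",
    }
}

if __name__ == "__main__":
    for label, pool in (("open", OPEN_POOL), ("locked", LOCKED_POOL)):
        print(label, audit_user_pool(pool) or ["no findings"])
```

Run this over every pool in every region you use; the first finding is the one that turns an internal application into one anyone on the internet can register for.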

After managing their way in through that gateway, the researchers said they realised they could have saved themselves the trouble because they found an even easier signup endpoint that completely bypassed email verification, resulting in an email with the password in plain text.

The researchers say they found three assistant platforms (domains bk.com, popeyes.com, and timhortons.com) were all vulnerable and could enable an attacker to:

  • Access voice recordings of customer orders
  • Add/remove/manage franchise stores
  • View and edit employee accounts
  • Access store analytics and sales data
  • Upload files and send notifications to any store’s systems
  • Use a self-install device ordering system (with the password hard coded into the HTML)

They also say they found that the voice recordings of customer orders, raw audio files of real people ordering food, complete with background conversations, car radios, and sometimes personally identifiable information (PII), were fed into an AI to analyze things like:

  • Customer sentiment
  • Employee friendliness levels
  • Upsell success rates
  • Order processing times
  • How many times employees said “You rule” (because that’s definitely a crucial business metric)

The only good thing about this story is that despite the researchers finding all these vulnerabilities in one day, RBI fixed them the same day. But apparently without acknowledging the researchers or commenting on the vulnerabilities.

If you were involved in this or any other data breach, please read: Involved in a data breach? Here’s what you need to know.

Do not share further personal information. Avoid sharing additional personal details publicly on social media or online directories that could be linked to your exposed information. You can check what information is already out there about you by using our free Digital Footprint Scanner.



TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts

4 September 2025 at 06:50

TP-Link has issued a warning about a botnet exploiting two vulnerabilities to infect small office/home office (SOHO) routers, which are then weaponized to attack Microsoft 365 accounts.

The vulnerabilities affect the Archer C7 and TL-WR841N/ND routers, though other models may also be at risk. Despite the fact that these routers have reached end-of-life (EOL), TP-Link has nonetheless released firmware updates to address the flaws.

If you have a router issued by your internet service provider (ISP) this also deserves checking. Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America. For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.

The two vulnerabilities, tracked as CVE-2023-50224 and CVE-2025-9377, are chained to add a router to the botnet. CVE-2023-50224 allows an attacker to steal passwords from the router, and CVE-2025-9377 is a command injection in the Parental Control feature that gives remote code execution (RCE), allowing the attacker to run their own code on the router.

The botnet, called Quad7 (aka 7777), uses the infected routers to perform password-spraying attacks against Microsoft 365 accounts. In a password-spraying attack the attacker tries a small number of common passwords against a large number of accounts, rather than hammering one account with many guesses. That keeps each account below its lockout threshold, and spreading the attempts across the botnet’s many IP addresses keeps each source below per-IP thresholds too.

Last year, Microsoft warned about the same botnet but the specific vulnerabilities were unknown at the time. Detection remains difficult for defenders, as the botnet uses thousands of IP addresses from home users and small businesses. TP-Link urges owners of these router models to install the updated firmware or switch to a fully supported router. The company is also investigating reports that other models might be vulnerable. Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued advisories for these two flaws.
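
The following added example (not Microsoft’s or TP-Link’s code) shows detection logic for the pattern just described, run over constructed sign-in log lines in a simplified flat schema. It makes the point of the paragraph above: a per-IP threshold does not fire because each botnet node makes only a handful of attempts, so the detector instead counts distinct accounts that each fail only a few times inside a window, and sets aside accounts under ordinary brute force. The usernames, the IP addresses (from the RFC 5737 documentation ranges), the thresholds and the schema are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Added example. The log lines are constructed and use a simplified flat
# schema (not the exact Entra ID sign-in log format), but the fields mean
# the same thing: who tried, from which IP, with what result. 50126 is
# Entra's "invalid username or password" error code; 0 means success.
_T0 = datetime(2025, 9, 3, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(25):   # the spray: 25 accounts, one failure each, 25 source IPs
    SAMPLE_LOG.append(json.dumps({
        "time": (_T0 + timedelta(seconds=24 * i)).isoformat(),
        "user": f"user{i:02d}@example.com", "ip": f"203.0.113.{i + 1}",
        "code": 50126}))
for i in range(30):   # a single-account brute force from one IP, for contrast
    SAMPLE_LOG.append(json.dumps({
        "time": (_T0 + timedelta(seconds=10 * i)).isoformat(),
        "user": "admin@example.com", "ip": "198.51.100.7", "code": 50126}))
SAMPLE_LOG.append(json.dumps({   # an ordinary successful sign-in
    "time": (_T0 + timedelta(minutes=3)).isoformat(),
    "user": "user03@example.com", "ip": "192.0.2.10", "code": 0}))


def parse_failures(lines):
    """Return failed sign-ins as (time, user, ip) tuples, oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec["code"] != 0:
            events.append((datetime.fromisoformat(rec["time"]),
                           rec["user"], rec["ip"]))
    events.sort()
    return events


def detect_spray(lines, window_minutes=60, min_users=20, max_per_user=3):
    """Find windows in which many distinct accounts each fail a few times.

    A spray touches many accounts with one or two guesses each, so the
    signal is the number of distinct failing users, not failures per user or
    per IP. Accounts with more than max_per_user failures are a different
    problem (brute force) and are excluded from the spray population so
    they cannot mask it.
    """
    events = parse_failures(lines)
    findings, i = [], 0
    while i < len(events):
        start = events[i][0]
        end = start + timedelta(minutes=window_minutes)
        in_window = [e for e in events if start <= e[0] < end]
        per_user = Counter(user for _, user, _ in in_window)
        sprayed = {u for u, n in per_user.items() if n <= max_per_user}
        if len(sprayed) >= min_users:
            ips = {ip for _, user, ip in in_window if user in sprayed}
            findings.append({
                "window_start": start.isoformat(),
                "sprayed_users": len(sprayed),
                "distinct_source_ips": len(ips),
                "excluded_brute_forced": sorted(
                    u for u, n in per_user.items() if n > max_per_user),
            })
            # Skip past this window so overlapping windows are not reported.
            i = next((k for k, e in enumerate(events) if e[0] >= end),
                     len(events))
        else:
            i += 1
    return findings


def failures_per_ip(lines):
    """Per-IP failure counts: shows why a per-IP lockout misses the spray."""
    return Counter(ip for _, _, ip in parse_failures(lines))


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
    print(failures_per_ip(SAMPLE_LOG).most_common(3))
```

On the constructed data the brute-forced admin account is the only IP with a high count; the 25 spray sources each show a single failure, which is why the detector keys on distinct accounts rather than on any one IP.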

Recommendations for owners of TP-Link routers

It is rare for a manufacturer to issue a firmware update for an EOL product, which emphasizes how important it is to deploy this one. Being part of a botnet is not just a danger to others; it can also considerably slow down your own devices.

  • Check if your router is an Archer C7 or TL-WR841N/ND, or another older TP-Link model. If so, update your firmware immediately with the version provided by TP-Link.
  • If firmware updates are no longer provided or your router is out of support, strongly consider upgrading to a supported model.
  • Change your router’s admin password to a strong, unique value, meaning you should avoid reusing passwords from other accounts.
  • Disable remote management features unless absolutely necessary and always check that parental control pages are only accessible by authenticated users.

Recommendations for Microsoft 365 users

Since the botnet is used at this moment in time to take over Microsoft 365 accounts, there are a few things you can do to make this a lot harder.

Staying ahead of threats like botnets means keeping devices patched, using strong authentication practices, and remaining alert for updates on device security. Don’t wait until your router—or your Microsoft 365 account—becomes part of someone else’s attack toolkit.



Update your Android! Google patches 111 vulnerabilities, 2 are critical

3 September 2025 at 17:24

Google has patched 111 vulnerabilities in Android, including two critical flaws, in its September 2025 Android Security Bulletin.

While the last few months have been quite calm regarding the number of vulnerabilities, this month is a real whopper with 111, compared to 6 in August and none in July.

The September updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.

If your Android phone shows patch level 2025-09-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

Technical information

Google notes that:

“there are indications that the following may be under limited, targeted exploitation.

CVE-2025-38352

CVE-2025-48543”

But it doesn’t provide any details about how and against whom these vulnerabilities were used. So, let’s have a closer look at those two first.

CVE-2025-38352 is a race condition vulnerability in the Linux kernel time subsystem, which may allow a local attacker to gain an elevation of privilege (EoP).

A race condition arises when two or more threads (or processes) use the same resource without being properly synchronized, so the outcome depends on which one gets there first. The brief moment in which the resource is in an inconsistent state is the race window an attacker tries to hit.

In this case the resource is the kernel’s accounting of CPU time, the amount of time a central processing unit (CPU) has spent executing the instructions of a program or of the operating system.

A “local attacker”, which can also be an installed app or a shell on the device, could exploit this vulnerability to gain permissions it would not normally have.

CVE-2025-48543 is a vulnerability in Android runtime. The Android Runtime (ART) is the system responsible for running applications on Android devices. Basically it translates instructions into machine code which the processor understands. The vulnerability could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

And then there is the vulnerability tracked as CVE-2025-48539. This critical vulnerability was found in the System component and could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed and no user interaction required.

The phrase remote (proximal/adjacent) is not explained further, but our best guess is that the attacker has to be within short range of the device, for example using Bluetooth, NFC, or Wi-Fi Direct.

This type of vulnerability always makes researchers nervous, because they could be “wormable,” meaning they can spread from one device to the next. And if that is true, they can spread like wildfire in crowded environments like concerts and conferences.



WhatsApp fixes vulnerability used in zero-click attacks

1 September 2025 at 09:55

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

First part of the notification sent to attacked WhatsApp users:

“Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.


While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

Second part of the notification, telling targeted users what to do:

“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.


To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

Technical details

The zero-click attack required two vulnerabilities.

For iOS and Mac users, the first vulnerability is tracked as CVE-2025-43300 and lies in the Image I/O framework, the part of macOS and iOS that an app uses to open or save a picture. The problem was an out-of-bounds write, which Apple fixed with improved bounds checking.

An out-of-bounds write vulnerability means a program can be made to write outside the memory region it set aside for a piece of data. The adjacent memory often holds other data, or control information that more critical functions rely on, so an attacker who controls what gets written and where can corrupt those values and, in the worst case, get the process to run code of their choosing with permissions the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177, is on the WhatsApp side. It is caused by incomplete authorization of linked-device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78, and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

What to do

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.



All Apple users should update after company patches zero-day vulnerability in all platforms

21 August 2025 at 08:04

Apple has released security updates for iPhones, iPads and Macs to fix a zero-day vulnerability (a vulnerability which Apple was previously unaware of) that is reportedly being used in targeted attacks.

The updates cover:

Apple has acknowledged reports that attackers may have already used this flaw in a highly sophisticated operation aimed at specific, high‑value targets.

But history teaches us that once a patch goes out, attackers waste little time recycling the same vulnerability into broader, more opportunistic campaigns. What starts as a highly targeted campaign often trickles down into mass exploitation against everyday users.

That’s why it’s important that everyone takes the time to update now.

How to update your iPhone or iPad

For iOS and iPadOS users, to check whether you’re on the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.6.2 or iPadOS 18.6.2 (or 17.7.10 for older models), so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already; you can do that on the same screen.

How to update your Mac

For Mac users, click on the Apple menu in the top-left corner of your screen and open System Settings. From there, scroll down until you find General, then select Software Update. Your Mac will automatically check for new updates. If an update is available, you’ll see the option to download and install it. Depending on the size of the update, this process might take anywhere from a few minutes to an hour, and your machine will need to restart to complete the installation.

As always, it’s a good idea to make sure you’ve saved your work before using the Restart Now button. Updates can sometimes require more than one reboot, so allow some downtime. After you install the update, your system gains stronger protection, and you can use your Mac without the constant worry of this vulnerability hanging over you.

Technical details

The flaw is tracked as CVE-2025-43300 and lies in the Image I/O framework, the part of macOS that does the heavy lifting whenever an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means a program can be made to write outside the memory region it set aside for a piece of data. The adjacent memory often holds other data, or control information that more critical functions rely on, so an attacker who controls what gets written and where can corrupt those values and, in the worst case, get the process to run code of their choosing with permissions the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Memory corruption issues can be manipulated to crash a process or run attacker’s code.
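
To make the bounds-checking point concrete for both the WhatsApp write-up above and this one, here is an added example. It is not Image I/O code and does not model CVE-2025-43300, whose internals Apple has not published. It uses a made-up pixel format (“PIX1”) and shows one common way such bugs arise, which is an assumption about the bug class and not a statement about Apple’s bug: a decoder sizes its output buffer from attacker-controlled header fields using 32-bit arithmetic that can wrap, then copies more rows than fit. Python raises instead of corrupting memory, so the vulnerable path is shown by computing the allocation a naive C decoder would make against the bytes it would then write, next to a hardened decoder that validates every size before copying anything.

```python
import struct

# Added example; "PIX1" is a constructed format, not any real image format.
# Header: 4-byte magic, width (u32), height (u32), bytes per pixel (u8),
# followed by width*height*bpp bytes of pixels.
MAGIC = b"PIX1"
HEADER = struct.Struct("<4sIIB")
MAX_DIM = 1 << 14          # assumed policy limit: 16384 x 16384 pixels
U32 = 0xFFFFFFFF


def parse_header(blob):
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return width, height, bpp


def vulnerable_sizes(blob):
    """What a naive 32-bit C decoder would do: multiply the header fields in
    32 bits, allocate that many bytes, then copy width*bpp bytes for each of
    height rows. Returns (allocated_bytes, bytes_written); when the second
    exceeds the first, the row copies run off the end of the buffer."""
    width, height, bpp = parse_header(blob)
    allocated = (width * height * bpp) & U32   # wraps silently
    written = width * bpp * height            # the copy loop's true total
    return allocated, written


def decode(blob):
    """Hardened decoder: every size is checked before any copy happens."""
    width, height, bpp = parse_header(blob)
    if not 1 <= bpp <= 4:
        raise ValueError(f"unsupported bytes per pixel: {bpp}")
    if not (1 <= width <= MAX_DIM and 1 <= height <= MAX_DIM):
        raise ValueError(f"dimensions out of policy: {width}x{height}")
    expected = width * height * bpp           # Python ints do not wrap
    payload = blob[HEADER.size:]
    if len(payload) != expected:
        raise ValueError(
            f"payload is {len(payload)} bytes, header implies {expected}")
    pixels = bytearray(expected)
    view = memoryview(pixels)
    row = width * bpp
    for y in range(height):                   # same row loop, now in bounds
        view[y * row:(y + 1) * row] = payload[y * row:(y + 1) * row]
    return width, height, bytes(pixels)


def reject_reason(blob):
    """None if decode() accepts the blob, otherwise the reason it refused."""
    try:
        decode(blob)
    except ValueError as exc:
        return str(exc)
    return None


def make_image(width, height, bpp, payload=b""):
    """Build a PIX1 blob; the payload may be deliberately wrong-sized."""
    return HEADER.pack(MAGIC, width, height, bpp) + payload


# Constructed inputs: a valid 2x2 RGB image, a header whose product wraps to
# zero in 32 bits, and an image whose payload is shorter than its header says.
GOOD = make_image(2, 2, 3, bytes(range(12)))
WRAPS = make_image(0x10000, 0x10000, 1, b"\x00" * 64)
TRUNCATED = make_image(2, 2, 3, b"\x00" * 5)

if __name__ == "__main__":
    print(decode(GOOD))
    print(vulnerable_sizes(WRAPS))      # (0, 4294967296)
    print(reject_reason(WRAPS))
    print(reject_reason(TRUNCATED))
```

The hardened decoder rejects the wrapping header on the dimension limit before it ever computes a size, and rejects the short payload because the declared and actual lengths disagree; those two checks are what “better bounds checking” has to mean for any parser of untrusted files.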



Microsoft patches some very important vulnerabilities in August’s patch Tuesday

13 August 2025 at 11:49

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities. A few of them are very important for people to apply.

Even if you’re not a tech expert, keeping your Windows system up to date is one of the simplest and most effective ways to protect yourself from online threats. Microsoft releases important updates on the second Tuesday of every month, called “Patch Tuesday.” These updates fix security problems and keep your Windows system up to date.

Here is a step-by-step guide for updating your Windows 11 (it might be slightly different for older versions) computer this August 2025:

1. Open Settings

  • Click the Start button (the Windows logo at the bottom left of your screen).
  • Click on Settings (it looks like a little gear).

2. Go to Windows Update

  • In the Settings window, look for Windows Update (usually at the bottom of the menu on the left).
  • Click on Windows Update.

3. Check for Updates

  • You’ll see a button that says Check for updates. Click it.
  • Windows will now look for the August 2025 Patch Tuesday updates.

If you turned on automatic updates earlier, Windows may already have downloaded the update and only show a message that a restart is required. In that case all you have to do is restart your system and you’re done updating. If not, continue with the steps below.

4. Download and Install

  • If updates are found, they will start downloading right away. When that’s done, you’ll see a button that says Install or Restart now.
  • Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.

5. Double-check everything Is updated

  • After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!

The vulnerabilities

Of the 111 fixed flaws, a few stand out. Let’s have a look at why this round is important.

CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

This vulnerability can be exploited without user interaction, for example by sending a target a specially crafted .jpeg file embedded in an Office document or another file. Successful exploitation allows remote code execution (RCE), which basically means the attacker controls your machine.

CVE-2025-53766: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.

A buffer overflow occurs when a program writes more data into a buffer than the buffer can hold, so the excess spills into the adjacent memory region. In a heap-based overflow that buffer lives on the heap, the memory a program allocates on demand while it runs, where the neighbouring data belongs to other objects.

GDI+ (Graphics Device Interface Plus) is a component of the Windows operating system that provides a way for applications to display graphics and formatted text on screens and printers.

An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Successful exploitation could lead to remote code execution or information disclosure. Web services that parse uploaded documents are also at risk: in the worst case, an attacker could upload a document containing a specially crafted metafile and trigger the vulnerability on the server without any user being involved.



WinRAR vulnerability exploited by two different groups

12 August 2025 at 12:28

On July 30, 2025, WinRAR released a new version (7.13 Final) to patch a vulnerability which was used in two separate malware campaigns. WinRAR is a popular file archiving and data compression tool that allows users to compress files into smaller archives, like RAR and ZIP, and can also unpack various archive formats.

The vulnerability, tracked as CVE-2025-8088, is a path traversal flaw that affects the Windows version of WinRAR and allows the attackers to execute arbitrary code by crafting malicious archive files.

A path traversal vulnerability, also known as a directory traversal vulnerability, is a type of security flaw that allows attackers to access files and directories they should not be able to reach. They typically occur in web applications but can affect any software that handles file paths.

In one campaign, attributed to Russia-aligned group RomCom, the vulnerability was used to drop files in folders other than those stipulated by the user. This allowed cybercriminals to drop files in startup folders and other important areas of the Operating System (OS).
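
As an added example (not WinRAR’s code and not a reproduction of CVE-2025-8088, whose exact trigger this article does not describe), the following Python shows the check an extractor must apply to every entry name before writing it: the name is attacker-supplied and must resolve to a path inside the directory the user chose. The destination directory and the archive listing, including the Startup-folder entry, are constructed.

```python
import posixpath

# Added example: confining archive entry names to the chosen destination.
# Not WinRAR code; the listing below is constructed.


def resolve_entry(dest_dir, entry_name):
    """Return the path under dest_dir where entry_name may be written, or
    None if the name would escape dest_dir or is otherwise unsafe."""
    if not entry_name or "\x00" in entry_name:
        return None
    # Treat Windows separators as separators too; otherwise an extractor on
    # Windows would see "..\\" as an ordinary file-name component.
    name = entry_name.replace("\\", "/")
    # Absolute paths and drive letters anchor the entry outside dest_dir.
    # (This also refuses names like "a:b"; for an extractor that is the
    # safe side to err on.)
    if name.startswith("/") or (len(name) >= 2 and name[1] == ":"):
        return None
    parts = []
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:            # tried to climb above the destination
                return None
            parts.pop()
            continue
        parts.append(part)
    if not parts:
        return None                  # resolved to the destination itself
    return posixpath.join(dest_dir, *parts)


def plan_extraction(dest_dir, entry_names):
    """Split entries into those that may be written (name -> target path)
    and those that must be refused."""
    allowed, refused = {}, []
    for entry in entry_names:
        target = resolve_entry(dest_dir, entry)
        if target is None:
            refused.append(entry)
        else:
            allowed[entry] = target
    return allowed, refused


# Constructed archive listing: legitimate files alongside traversal attempts
# of the kind the article describes (dropping into startup locations).
DEST = "/home/user/Downloads/resume"
ENTRIES = [
    "resume.pdf",
    "docs/cover_letter.docx",
    "docs/../resume_v2.pdf",                   # climbs, but stays inside
    "../../.config/autostart/update.desktop",  # climbs out of the destination
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\Tasks\\update.job",
    "/etc/cron.d/update",
]

if __name__ == "__main__":
    ok, bad = plan_extraction(DEST, ENTRIES)
    for entry, target in ok.items():
        print("write ", entry, "->", target)
    for entry in bad:
        print("refuse", entry)
```

The check is purely lexical and runs before anything touches the disk, which is the point: an extractor that resolves the name by creating it and then inspecting the result has already written the file.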

The RomCom attackers used the vulnerability from July 18 – 21 against financial, manufacturing, defense, and logistics companies in Europe and Canada. The malicious archives were sent out in phishing campaigns where the attackers posed as job applicants and sent their resumes as attachments.

Another group called Paper Werewolf used the same vulnerability to target Russian organizations. In early July, researchers discovered this activity in targeted phishing campaigns. The attackers posed as employees of a Russian research institute and attached a letter supposedly from one of the ministries.

At the time, the vulnerability was still a zero-day. Now that a patch is available and more details have emerged, other cybercriminals will almost certainly try to weaponize the same vulnerability, possibly by including malware in online downloads.

Therefore, users of WinRAR are advised to install the latest version as soon as possible. WinRAR does not update itself, so you need to download the new version from the vendor. To check which version you have installed, open WinRAR and go to Help > About WinRAR; the window that appears shows the version number and other details.

Stay safe

Some guidelines to stay safe from these types of malware campaigns:

  • Keep your software and devices up to date.
  • Use an up-to-date, real-time anti-malware solution, preferably with a web protection component.
  • Only download software from trusted places, such as the vendor’s website.
  • Don’t open unsolicited attachments. If an attachment arrives unexpectedly, verify its legitimacy through a different channel before opening it.
  • Be cautious around files from unknown or untrusted sources.
