By the CyberWire staff
At a glance.
- Critical Roundcube flaw has an exploit.
- Google issues fix for actively exploited Chrome zero-day.
- Qualcomm patches three zero-days affecting Adreno GPUs.
- Technical details for maximum-severity Cisco flaw have been released.
- Researchers discover covert user tracking technique used by Meta and Yandex.
- Billions of records belonging to Chinese citizens exposed in unsecured database.
- Ukrainian intelligence claims to have hacked Russian aircraft manufacturer.
Critical Roundcube flaw has an exploit.
A threat actor is selling a working exploit for CVE-2025-49113, a critical flaw in Roundcube Webmail that was patched on June 1st, BleepingComputer reports. The vulnerability, which received a CVSS score of 9.9, involves deserialization of untrusted data and can allow an authenticated threat actor to achieve remote code execution.
FearsOff CEO Kirill Firsov, who discovered and reported the flaw, published technical details following reports of exploitation. Firsov notes that while an attacker needs login credentials in order to exploit the flaw, these can be obtained via cross-site request forgery (CSRF). The threat actor selling the exploit also claims that the credentials can be extracted from the logs.
Google issues fix for actively exploited Chrome zero-day.
Google has patched an actively exploited high-severity zero-day (CVE-2025-5419) affecting the Chrome browser, SecurityWeek reports. According to the vulnerability's description, an "out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."
The vulnerability was discovered by researchers at Google's Threat Analysis Group. The company is keeping details of the flaw and its exploitation under wraps until a majority of users have applied the fix.
Qualcomm patches three zero-days affecting Adreno GPUs.
Qualcomm has released patches for three actively exploited zero-days affecting Adreno GPUs, BleepingComputer reports. Two of the vulnerabilities (CVE-2025-21479 and CVE-2025-21480) are incorrect authorization flaws with a CVSS score of 8.6, while the third (CVE-2025-27038) is a use-after-free bug assigned a score of 7.5. The zero-days were discovered and reported by researchers at Google, who observed indications of "limited, targeted exploitation."
Qualcomm stated, "Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices."
Technical details for maximum-severity Cisco flaw have been released.
Researchers at Horizon3 have released technical details about a recently patched maximum-severity vulnerability (CVE-2025-20188) affecting Cisco's IOS XE Software for Wireless LAN Controllers. Horizon3 hasn't published a proof-of-concept (PoC) exploit, but BleepingComputer warns that threat actors will likely attempt to craft one now that the information is public. Users are urged to patch to version 17.12.04 or newer before a PoC is released.
Cisco explained in an advisory on May 7th, "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges."
Researchers discover covert user tracking technique used by Meta and Yandex.
Ars Technica reports that Meta and Yandex abused legitimate Internet protocols to covertly track and deanonymize potentially billions of Android users across websites. The companies sent identifiers from Firefox and Chromium-based browsers to apps installed on the user's device, linking the user's browsing history to accounts logged into Android apps for Facebook, Instagram, and various Yandex apps. Yandex has been using this technique since 2017, while Meta began using it last September. Meta and Yandex both appear to have ceased the practice following the disclosure.
The researchers who discovered the technique explained, "These native Android apps receive browsers' metadata, cookies, and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users' visiting sites embedding their scripts."
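As an added illustration (not code from the article or the researchers), the following Python sketch shows the defender-side correlation an on-device or network monitor could perform to surface this technique: browser connections to loopback addresses are matched against the native apps listening on those ports, yielding which web origins are reaching which app. All package names, ports and origins are constructed.

```python
"""Correlate browser-to-loopback connections with the apps listening on the port.

All input data is constructed for this example; a real monitor would collect
listening sockets (e.g. from the device's socket table) and browser connection
records (origin of the page that opened the socket, destination host and port).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Listener:
    package: str  # native app owning the loopback socket (constructed name)
    port: int


@dataclass(frozen=True)
class Conn:
    origin: str   # web origin of the page whose script opened the connection
    dst_host: str
    dst_port: int


# Constructed sample data: one app listening on loopback, several browser connections.
LOOPBACK_LISTENERS = [Listener("com.example.tracker", 12388)]
BROWSER_CONNS = [
    Conn("https://news.example", "127.0.0.1", 12388),   # IPv4 loopback, owned port
    Conn("https://shop.example", "localhost", 12388),   # hostname form, same port
    Conn("https://blog.example", "::1", 45000),         # loopback, but nobody listens
    Conn("https://news.example", "203.0.113.5", 443),   # ordinary remote traffic
]


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal hostname 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def link_origins_to_apps(conns, listeners):
    """Return {app_package: sorted list of web origins} for every browser
    connection that lands on a loopback port owned by a native app."""
    port_owner = {l.port: l.package for l in listeners}
    links = defaultdict(set)
    for c in conns:
        if not is_loopback(c.dst_host):
            continue
        owner = port_owner.get(c.dst_port)
        if owner is not None:
            links[owner].add(c.origin)
    return {app: sorted(origins) for app, origins in links.items()}
```

Any non-empty result is a page-to-app bridge worth investigating, since a website normally has no reason to talk to a socket on the user's own device.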
Billions of records belonging to Chinese citizens exposed in unsecured database.
Cybernews and security researcher Bob Diachenko discovered an exposed database containing extensive personal and financial information belonging to potentially hundreds of millions of Chinese citizens. The database contained 631 gigabytes with more than four billion records. The database was taken offline shortly after the researchers found it.
It's unclear who the database belongs to, but the researchers believe its purpose was to build "comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen." They note, "The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes."
Ukrainian intelligence claims to have hacked Russian aircraft manufacturer.
Ukraine's Main Intelligence Directorate (HUR) claims to have hacked Russia’s state-owned aerospace and defense company Tupolev, which manufactures Russia's strategic bombers, BleepingComputer reports. The hackers allegedly stole 4.4 gigabytes of classified information, including "personal data of Tupolev personnel, internal communications (including messages exchanged by the company's management), procurement documents, resumes of engineers and designers, and minutes of closed meetings."
The Kyiv Post cites an anonymous HUR source as saying, "The value of the data obtained is hard to overstate. There is now virtually nothing secret left in Tupolev's operations as far as Ukrainian intelligence is concerned. We now have comprehensive information on individuals directly involved in maintaining Russia's strategic aviation."
Tupolev hasn't commented on the claims, but the Record notes that the company's website was defaced to show an image associated with HUR's cyber operations.