Google credits security researcher Shaheen Fazim with reporting the exploit to Google. The dude's LinkedIn says he's a professional bug hunter, and I'd say he deserves the highest possible bug bounty for finding something that a government agency is saying "in CSS in Google Chrome before 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page."
The Cybersecurity and Infrastructure Security Agency is ordering federal agencies to patch Cisco devices that have been exploited by an advanced hacker group, it said in a Thursday alert. The hacking activity targeting the devices "is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution" on various Cisco Adaptive Security Appliances, CISA said. A "zero-day" refers to a software flaw that's being exploited but has not been previously discovered, giving developers zero days to fix it.
Attackers with low-privilege SNMP creds can crash a device, while those with higher-privilege access can run arbitrary code as root - a straight shot to total box compromise. "The Cisco Product Security Incident Response Team (PSIRT) became aware of successful exploitation of this vulnerability in the wild after local Administrator credentials were compromised," the company said. "Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability."
A leak happened here somewhere,” Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register. “And now you’ve got a zero-day exploit in the wild, and worse than that, you’ve got a zero-day exploit in the wild that bypasses the patch, which came out the next day.
