In February, we had a few diaries about crypto wallet scams. We saw these scams use YouTube comments, but they happened via other platforms and messaging systems, not just YouTube [1]. The scam was a bit convoluted: The scammer posted the secret key to their crypto wallet. Usually, this would put their crypto wallet at risk of being emptied. But the wallet they used came with a twist: A second key was required. The scammer counted on the victim paying the transaction fee, which the scammer would receive, before attempting to withdraw the funds.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.
Overview
LummaC2 malware first appeared for sale on multiple Russian-language speaking cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to then open the Windows Run window (Windows Button + R) and paste clipboard contents (“CTRL + V”). After users press “enter” a subsequent Base64-encoded PowerShell process is executed.
To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].
Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.
File Execution
Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).
Figure 1. LummaC2 Main Routine
The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).
Figure 2. Message Box
If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.
After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).
Figure 3. Post Request
If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).
Figure 4. Code Saving Successful Callback Request
Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).
Figure 5. User and Computer Name Check
The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.
If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.
If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).
Figure 6. Second POST Request
The data returned from the C2 server is encrypted. Once decoded, the C2 data is in a JSON format and is parsed by the LummaC2 malware. The C2 uses the JSON configuration to parse its browser extensions and target lists using the ex key, which contains an array of objects (see Figure 7).
Figure 7. Parsing of ex JSON Value
Parsing the c key contains an array of objects, which will give the implant its C2 (see Figure 8).
Figure 8. Parsing of c JSON Value
C2 Instructions
Each array object that contains the JSON key value of t will be evaluated as a command opcode, resulting in the C2 instructions in the subsections below.
1. Opcode 0 – Steal Data Generic
This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode O command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).
Table 2. Opcode 1 Options
Key
Value
p
Path to steal from
m
File extensions to read
z
Output directory to store stolen data
d
Depth of recursiveness
fs
Maximum file size
2. Opcode 1 – Steal Browser Data
This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).
Table 2. Opcode 1 Options
Key
Value
p
Path to steal from
z
Name of Browser – Output
3. Opcode 2 – Steal Browser Data (Mozilla)
This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).
Table 3. Opcode 2 Options
Key
Value
p
Path to steal from
z
Name of Browser – Output
4. Opcode 3 – Download a File
This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).
Table 4. Opcode 3 Options
Key
Value
u
URL for Download
ft
File Extension
e
Execution Type
The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).
Table 5. Execution Types
Key
Value
e=0
Execute with LoadLibraryW()
e=1
Executive with rund1132.exe
5. Take Screenshot
If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.
6. Delete Self
If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.
The command shown in Figure 9 will be decoded and executed for self-deletion.
Figure 9. Self-Deletion Command Line
Figure 10 depicts the above command line during execution.
Figure 10. Decoded Command Line in Memory
Host Modifications
Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.
Decrypted Strings
Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).
Figure 11. Decoded Strings
Indicators of Compromise
See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.
Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.
Table 6. LummaC2 Executable Hashes
Executables
Type
4AFDC05708B8B39C82E60ABE3ACE55DB (LummaC2.exe from November 2023)
MD5
E05DF8EE759E2C955ACC8D8A47A08F42 (LummaC2.exe from November 2023)
MD5
C7610AE28655D6C1BCE88B5D09624FEF
MD5
1239288A5876C09D9F0A67BCFD645735168A7C80 (LummaC2.exe from November 2023)
SHA1
B66DA4280C6D72ADCC68330F6BD793DF56A853CB (LummaC2.exe from November 2023)
The following are domains observed deploying LummaC2 malware.
Disclaimer: The domains below are historical in nature and may not currently be malicious.
Pinkipinevazzey[.]pw
Fragnantbui[.]shop
Medicinebuckerrysa[.]pw
Musicallyageop[.]pw
stogeneratmns[.]shop
wallkedsleeoi[.]shop
Tirechinecarpet[.]pw
reinforcenh[.]shop
reliabledmwqj[.]shop
Musclefarelongea[.]pw
Forbidstow[.]site
gutterydhowi[.]shop
Fanlumpactiras[.]pw
Computeryrati[.]site
Contemteny[.]site
Ownerbuffersuperw[.]pw
Seallysl[.]site
Dilemmadu[.]site
Freckletropsao[.]pw
Opposezmny[.]site
Faulteyotk[.]site
Hemispheredodnkkl[.]pw
Goalyfeastz[.]site
Authorizev[.]site
ghostreedmnu[.]shop
Servicedny[.]site
blast-hubs[.]com
offensivedzvju[.]shop
friendseforever[.]help
blastikcn[.]com
vozmeatillu[.]shop
shiningrstars[.]help
penetratebatt[.]pw
drawzhotdog[.]shop
mercharena[.]biz
pasteflawwed[.]world
generalmills[.]pro
citywand[.]live
hoyoverse[.]blog
nestlecompany[.]pro
esccapewz[.]run
dsfljsdfjewf[.]info
naturewsounds[.]help
travewlio[.]shop
decreaserid[.]world
stormlegue[.]com
touvrlane[.]bet
governoagoal[.]pw
paleboreei[.]biz
calmingtefxtures[.]run
foresctwhispers[.]top
tracnquilforest[.]life
sighbtseeing[.]shop
advennture[.]top
collapimga[.]fun
holidamyup[.]today
pepperiop[.]digital
seizedsentec[.]online
triplooqp[.]world
easyfwdr[.]digital
strawpeasaen[.]fun
xayfarer[.]live
jrxsafer[.]top
quietswtreams[.]life
oreheatq[.]live
plantainklj[.]run
starrynsightsky[.]icu
castmaxw[.]run
puerrogfh[.]live
earthsymphzony[.]today
weldorae[.]digital
quavabvc[.]top
citydisco[.]bet
steelixr[.]live
furthert[.]run
featureccus[.]shop
smeltingt[.]run
targett[.]top
mrodularmall[.]top
ferromny[.]digital
ywmedici[.]top
jowinjoinery[.]icu
rodformi[.]run
legenassedk[.]top
htardwarehu[.]icu
metalsyo[.]digital
ironloxp[.]live
cjlaspcorne[.]icu
navstarx[.]shop
bugildbett[.]top
latchclan[.]shop
spacedbv[.]world
starcloc[.]bet
rambutanvcx[.]run
galxnetb[.]today
pomelohgj[.]top
scenarisacri[.]top
jawdedmirror[.]run
changeaie[.]top
lonfgshadow[.]live
liftally[.]top
nighetwhisper[.]top
salaccgfa[.]top
zestmodp[.]top
owlflright[.]digital
clarmodq[.]top
piratetwrath[.]run
hemispherexz[.]top
quilltayle[.]live
equatorf[.]run
latitudert[.]live
longitudde[.]digital
climatologfy[.]top
starofliught[.]top
MITRE ATT&CK Tactics and Techniques
See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
Threat actors used LummaC2 malware to download files with native OS APIs.
Mitigations
The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.
Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
Monitor and detect suspicious behavior during exploitation [CPG 3.A].
Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
Monitor API calls that may attempt to retrieve system information.
Analyze behavior patterns from process activities to identify anomalies.
Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
Secure network devices to restrict command line access.
Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
Monitor and detect API usage, looking for unusual or malicious behavior.
Validate Security Controls
In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Reporting
Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.
The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.
To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.
Disclaimer
The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.
We have been using our data to identify researchers scanning the internet for a few years. Currently, we are tracking 36 groups performing such scans, and our data feed of the IP addresses used contains around 33k addresses [1].
Like .Net, AutoIT[1] remains a popular language for years in the malware ecosystem. It's a simple language that can interact with all the components of the Windows operating system. I regularly discover AutoIT3 binaries (yes, it can be compiled). This weekend, I found a malware delivered through a double layer of AutoIT code!
The initial file is an executable called "1. Project & Profit.exe" (SHA256:b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). This is an AutoIT compiled script. Once decompiled, the code is simple and contains interesting strings:
Global $VY9A = "hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO"
Global $ZX2B = "C:UsersPublicGuard.exe"
Global $FW3N = "C:UsersPublicPublicProfile.ps1"
$fU5L = ""hxxps://xcvbsfq32e42313[.]xyz/hYlXpuF.txt"""
$oF6L = ""C:UsersPublicSecure.au3
It's behaviour is simple: It will generate the PublicProfile.ps1 and execute it.
An AutoIT interpreter will be downloaded (and saved as "C:UsersPublicGuard.exe") as well as another piece of AutoIT script (the second layer)
Persistence is achieved via a simple .url file placed in the Startup directory:
The JavaScript script will re-execute the AutoIT interpreter ("SwiftWrite.pif") with its second script ("G"):
new ActiveXObject("Wscript.Shell").Run(""C:UsersREMAppDataLocalWordGenius TechnologiesSwiftWrite.pif" "C:UsersREMAppDataLocalWordGenius TechnologiesG"")
Let's have a look at "G", the second layer of AutoIT code. This script is pretty well obfuscated. All strings are encoded using the Wales() function. Example:
If (Execute(Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0/2))) ...
The Wales function is simple, here is a Python version to help to decode all strings:
remnux@remnux:/MalwareZoo/20250518$ python3
Python 3.8.10 (default, Jun 22 2022, 20:18:18)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> def Wales(encoded: str, key: int) -> str:
... parts = [p for p in encoded.split("]") if p]
... decoded = ''.join(chr(int(num) - key) for num in parts)
... return decoded
...
>>> Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0)
"ProcessExists('avastui.exe')"
Finally, a "jsc.exe" process is spanwed and injected with the final malware as a DLL: Urshqbgpm.dll
I'm not sure about the final malware because it tried to connect to the C2 server 139[.]99[.]188[.]124 on port 56001. This one is associated to AsyncRAT.
But, in the DLL, we can find a lot of references to PureHVNC[2]:
This was a beta version, and its user interface was subject to change. The version I released recently is a rewrite, and option -t no longer exists.
To achieve a similar result with the new version of xorsearch.py, one uses now option -P (Python) and provides a Python function that filters out printable text: IsPrintable
Option -D can then be used to dump the decoded data with an extra newline:
Here too XOR encoding with key 0x6f reveals the hidden command.
I published on the 29 Apr 2025 a diary [1] on scanning activity looking for SonicWall and since this publication this activity has grown 10-fold. Over the past 14 days, several BACS students have reported activity related to SonicWall scans all related for the same 2 URLs [4][5] previously mentioned in my last diary. My own DShield sensor was probed by 25 separate IPs during those last 14 days. The three most active IPs were all from the same subnet – 141.98.80.0/24
A couple of weeks ago, I came across a phishing campaign that highlights a recurring issue with open redirect vulnerabilities in well-known and trusted services.
Today, Microsoft released its expected update for the May patch on Tuesday. This update fixes 78 vulnerabilities. 11 are rated as critical, and 66 as important. Five of the vulnerabilities have already been exploited and two were publicly known but not yet exploited. 70 of the vulnerabilities were patched today, 8 had patches delivered earlier this month.
Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.
Of note is CVE-2025-31200. This vulnerability is already exploited in "targeted attacks". Apple released patches for this vulnerability in mid-April for its current operating Systems (iOS 18, macOS 15, tvOS 18, and visionOS 2). This update includes patches for older versions of macOS and iPadOS/iOS.
iOS 18.5 and iPadOS 18.5
iPadOS 17.7.7
macOS Sequoia 15.5
macOS Sonoma 14.7.6
macOS Ventura 13.7.6
watchOS 11.5
tvOS 18.5
visionOS 2.5
CVE-2025-24097: An app may be able to read arbitrary file metadata.
Affects AirDrop
x
CVE-2025-24111: An app may be able to cause unexpected system termination.
Affects Display
x
CVE-2025-24142: An app may be able to access sensitive user data.
Affects Notification Center
x
x
x
CVE-2025-24144: An app may be able to leak sensitive kernel state.
Affects Kernel
x
x
x
CVE-2025-24155: An app may be able to disclose kernel memory.
Affects WebContentFilter
x
x
CVE-2025-24213: A type confusion issue could lead to memory corruption.
Affects WebKit
x
x
x
x
x
x
CVE-2025-24220: An app may be able to read a persistent device identifier.
Affects Sandbox Profiles
x
CVE-2025-24222: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects BOM
x
CVE-2025-24223: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x
CVE-2025-24225: Processing an email may lead to user interface spoofing.
Affects Mail Addressing
x
x
CVE-2025-24258: An app may be able to gain root privileges.
Affects DiskArbitration
x
x
CVE-2025-24259: An app may be able to retrieve Safari bookmarks without an entitlement check.
Affects Parental Controls
x
CVE-2025-24274: A malicious app may be able to gain root privileges.
Affects Mobile Device Service
x
x
x
CVE-2025-30440: An app may be able to bypass ASLR.
Affects Libinfo
x
x
x
CVE-2025-30442: An app may be able to gain elevated privileges.
Affects SoftwareUpdate
x
x
CVE-2025-30443: An app may be able to access user-sensitive data.
Affects Found in Apps
x
CVE-2025-30448: An attacker may be able to turn on sharing of an iCloud folder without authentication.
Affects iCloud Document Sharing
x
x
x
x
x
CVE-2025-30453: A malicious app may be able to gain root privileges.
Affects DiskArbitration
x
x
CVE-2025-31196: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.
Affects CoreGraphics
x
x
x
CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1..
Affects CoreAudio
x
CVE-2025-31204: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x
x
x
x
CVE-2025-31205: A malicious website may exfiltrate data cross-origin.
Affects WebKit
x
x
x
x
x
CVE-2025-31206: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x
x
x
x
x
x
CVE-2025-31207: An app may be able to enumerate a user's installed apps.
Affects FrontBoard
x
CVE-2025-31208: Parsing a file may lead to an unexpected app termination.
Affects CoreAudio
x
x
x
x
x
x
x
x
CVE-2025-31209: Parsing a file may lead to disclosure of user information.
Affects CoreGraphics
x
x
x
x
x
x
x
x
CVE-2025-31210: Processing web content may lead to a denial-of-service.
Affects FaceTime
x
x
CVE-2025-31212: An app may be able to access sensitive user data.
Affects Core Bluetooth
x
x
x
x
x
CVE-2025-31213: An app may be able to access associated usernames and websites in a user's iCloud Keychain.
Affects Security
x
x
x
x
CVE-2025-31214: An attacker in a privileged network position may be able to intercept network traffic.
Affects Baseband
x
CVE-2025-31215: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x
x
x
x
x
x
CVE-2025-31217: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x
x
x
x
x
x
CVE-2025-31218: An app may be able to observe the hostnames of new network connections.
Affects NetworkExtension
x
CVE-2025-31219: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel
x
x
x
x
x
x
x
x
CVE-2025-31220: A malicious app may be able to read sensitive location information.
Affects Weather
x
x
x
x
CVE-2025-31221: A remote attacker may be able to leak memory.
Affects Security
x
x
x
x
x
x
x
x
CVE-2025-31222: A user may be able to elevate privileges.
Affects mDNSResponder
x
x
x
x
x
x
x
CVE-2025-31224: An app may be able to bypass certain Privacy preferences.
Affects Sandbox
x
x
x
CVE-2025-31225: Call history from deleted apps may still appear in spotlight search results.
Affects Call History
x
CVE-2025-31226: Processing a maliciously crafted image may lead to a denial-of-service.
Affects ImageIO
x
x
x
x
x
x
CVE-2025-31227: An attacker with physical access to a device may be able to access a deleted call recording.
Affects Notes
x
CVE-2025-31228: An attacker with physical access to a device may be able to access notes from the lock screen.
Affects Notes
x
x
CVE-2025-31232: A sandboxed app may be able to access sensitive user data.
Affects Installer
x
x
x
CVE-2025-31233: Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.
Affects CoreMedia
x
x
x
x
x
x
x
x
CVE-2025-31234: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
Affects Pro Res
x
x
x
x
CVE-2025-31235: An app may be able to cause unexpected system termination.
Affects Audio
x
x
x
x
CVE-2025-31236: An app may be able to access sensitive user data.
Affects Finder
x
CVE-2025-31237: Mounting a maliciously crafted AFP network share may lead to system termination.
Affects afpfs
x
x
x
CVE-2025-31238: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x
x
x
x
x
CVE-2025-31239: Parsing a file may lead to an unexpected app termination.
Affects CoreMedia
x
x
x
x
x
x
x
x
CVE-2025-31241: A remote attacker may cause an unexpected app termination.
Affects Kernel
x
x
x
x
x
x
x
x
CVE-2025-31242: An app may be able to access sensitive user data.
Affects StoreKit
x
x
x
x
CVE-2025-31244: An app may be able to break out of its sandbox.
Affects quarantine
x
CVE-2025-31245: An app may be able to cause unexpected system termination.
Affects Pro Res
x
x
x
x
x
x
x
CVE-2025-31246: Connecting to a malicious AFP server may corrupt kernel memory.
Affects afpfs
x
x
CVE-2025-31247: An attacker may gain access to protected parts of the file system.
Affects SharedFileList
x
x
x
CVE-2025-31249: An app may be able to access sensitive user data.
Affects Sandbox
x
CVE-2025-31250: An app may be able to access sensitive user data.
Affects TCC
x
CVE-2025-31251: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Affects AppleJPEG
x
x
x
x
x
x
x
x
CVE-2025-31253: Muting the microphone during a FaceTime call may not result in audio being silenced.
Affects FaceTime
x
CVE-2025-31256: Hot corner may unexpectedly reveal a user?s deleted notes.
Affects Notes
x
CVE-2025-31257: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit
x
x
x
x
x
CVE-2025-31258: An app may be able to break out of its sandbox.
Affects RemoteViewServices
x
CVE-2025-31259: An app may be able to gain elevated privileges.
Affects SoftwareUpdate
x
CVE-2025-31260: An app may be able to access sensitive user data.
Affects Apple Intelligence Reports
x
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter|
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi.
Iron Castle Systems
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
