Svoboda Cybersecurity Brief December 14, 2025
Google and Apple Patch Zero-Day Exploits in Emergency Updates
Google and Apple released emergency updates addressing actively exploited zero-day vulnerabilities in Chrome and WebKit. The flaws (CVE-2025-14174, CVE-2025-43529) allowed arbitrary code execution and were linked to government-backed hacking campaigns.
Impact: Highly sophisticated attacks targeting specific individuals, likely involving mercenary spyware.
Mitigation: Update Chrome, and update Apple devices to iOS/iPadOS 26.2+, macOS Tahoe 26.2+, and Safari 26.2+.
Source: DataBreaches.net
Sierra Wireless Router Flaw Exploited for RCE Attacks
CISA added CVE-2018-4063 (CVSS 8.8) to its KEV catalog after active exploitation targeting Sierra Wireless AirLink routers. The flaw allows authenticated attackers to upload malicious files (e.g., “fw_upload_init.cgi”) for remote code execution as root.
Impact: Industrial routers compromised for botnet/miner malware (e.g., RondoDox, ShadowV2).
Mitigation: Patch or retire end-of-support devices by January 2026.
Source: The Hacker News
Apple Fixes Two WebKit Zero-Days Affecting Multiple Devices
Apple patched CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) in WebKit, both exploited in targeted attacks. The flaws affect iOS, macOS, Safari, and other Apple products, and enable arbitrary code execution via malicious web content.
Impact: High-risk for devices running older iOS versions (pre-iOS 26).
Mitigation: Update to iOS/iPadOS 26.2, macOS Tahoe 26.2, or Safari 26.2.
Source: The Hacker News