Cyware Daily Threat Intelligence, January 28, 2025

Daily Threat Briefing Jan 28, 2025

Even the sleekest systems have their cracks. Apple has patched a critical CoreMedia vulnerability that hackers have already exploited to target devices. The flaw, which impacts how audio and video are processed, had been actively used against earlier versions of iOS prior to iOS 17.2. Apple’s fix is now available for iPhone XS and later, select iPads, and the company’s latest hardware.

Security shouldn’t feel like Swiss cheese. Yet, SonicWall’s SMA1000 appliances are under siege, with attackers exploiting a critical vulnerability to install malware without requiring credentials. Despite a patch being available, over 5,000 devices remain exposed, allowing hackers to hijack SSL VPN sessions remotely.

Think twice before clicking on that delivery notification. Phishers posing as USPS are sending fraudulent SMS messages claiming a package couldn’t be delivered due to “incomplete address information.” With over 630 phishing pages spanning 50 countries, the campaign targets unsuspecting individuals at an alarming scale. In today’s digital landscape, not all deliveries are worth opening, especially the fraudulent ones.

Top Vulnerabilities Reported in the Last 24 Hours

Apple patches zero-day bug

Apple has fixed a security bug in its software affecting iPhones, iPads, Vision Pro goggles, Apple TVs, and macOS Sequoia Macs, warning that some hackers have already abused the bug. This vulnerability, CVE-2025-24085, is a flaw in the CoreMedia component that handles audio and video. Apple stated that this issue may have been actively used against versions of iOS prior to iOS 17.2. The fix is available for iPhone XS and later, certain iPads, Apple Vision Pro, Apple TV models, and Apple Watch Series 6.

Hackers exploit new SonicWall 0-day

SonicWall confirmed that hackers are actively exploiting a newly discovered vulnerability (CVE-2025-23006) in its SMA1000 remote access appliance. This vulnerability allows anyone on the internet to install malware on affected devices without needing a login. Although a fix is available, over 5,000 SonicWall firewalls remain vulnerable. The vulnerability allows attackers to remotely hijack active SSL VPN client sessions. SonicWall has urged its partners to implement the security update quickly to mitigate the threat.

GitHub flaw exposes user credentials

Several critical vulnerabilities in Git-related projects can expose sensitive data due to improper handling of credential protocols. One flaw in GitHub Desktop (CVE-2025-23040) allows credential leakage because of a parsing error in the tool’s credential helper. In Git Credential Manager, a misuse of the StreamReader class (CVE-2024-50338) allows attackers to manipulate input and potentially send credentials to fake endpoints. Similar issues exist in Git LFS, where it fails to properly validate credentials, allowing attackers to bypass safeguards. Vulnerabilities were also found in GitHub CLI and Codespaces, where faulty logic allowed unauthorized hosts to receive access tokens.

Top Scams Reported in the Last 24 Hours

Another USPS smishing campaign

Attackers pretending to be from USPS are executing a large-scale mobile phishing campaign that relies on people's trust in PDF files. This campaign uses SMS messages to inform individuals that their package delivery failed due to “incomplete address information.” The messages encourage recipients to click on a PDF file containing a malicious link, leading to a website that asks for personal information, including name, address, email, and phone number. It further redirects users to input payment card details for service fees related to package delivery. This phishing scheme includes over 630 phishing pages and 20 malicious PDF files, and could affect organizations across more than 50 countries.

Royal Mail fake delivery fee scam

A convincing smishing scam impersonating Royal Mail has been targeting individuals with fake delivery notifications and requesting personal and payment details. The scam involves redirecting victims to a fraudulent website, mimicking the official Royal Mail page, and asking for personal information and a small re-delivery fee. The scam appears convincing due to its professional appearance, urgency, and multi-step process.