Apple's OS 26.1 Update Fixes Critical WebKit Flaw That Allowed Undesired Cross-Origin Data Access

Information:

  The vulnerability is assigned CVE-2025-43480. It has been rated with a CVSS 3.1 severity score of 8.1, which is considered High. The issue was discovered in WebKit, the browser engine that powers Safari and web rendering in most applications on Apple’s operating systems.

  The vulnerability is classified as a cross-origin data access attack. The vulnerability was discovered by Aleksejs Popovs.

Incident:

  This vulnerability enables a malicious website (Site A), visited by a user, to covertly steal data from another website (Site B) that the user has open or is logged into in a separate tab. This could include data from email, social media, or even online banking sessions.

  Normally, browsers enforce a security mechanism known as the Same-Origin Policy (SOP). This policy is designed to prevent a script from one website (e.g., evil.com) from reading data belonging to another website (e.g., mybank.com). CVE-2025-43480 is a flaw in this protective mechanism.
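  An added example, not taken from the advisory or from WebKit's code, of the origin comparison the Same-Origin Policy rests on: an origin is the scheme, host and port of a URL, and a script may read a response only when the target shares all three. It uses the evil.com and mybank.com hosts from the paragraph above and shows which reads the policy is meant to block when the engine enforces it correctly.

```javascript
// Added example (not Apple's or WebKit's code): the baseline Same-Origin Policy
// decision, using Node's built-in WHATWG URL parser. URL.origin serialises
// scheme://host[:port] and drops default ports, so https://mybank.com and
// https://mybank.com:443 are the same origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// May a script running at `scriptUrl` read a response fetched from `targetUrl`?
// Baseline rule only (no CORS relaxation, and no engine bug): same origin required.
function sopAllowsRead(scriptUrl, targetUrl) {
  return isSameOrigin(scriptUrl, targetUrl);
}

// Constructed sample pairs: each line says whether SOP should let the read happen.
const sampleCases = [
  ["https://evil.com/index.html", "https://mybank.com/accounts"],   // host differs: blocked
  ["https://mybank.com/app", "https://mybank.com:443/api/balance"],  // default port: allowed
  ["https://mybank.com/app", "http://mybank.com/api/balance"],       // scheme differs: blocked
  ["https://mybank.com/app", "https://api.mybank.com/balance"],      // subdomain differs: blocked
  ["https://mybank.com/app", "https://mybank.com:8443/api"],         // port differs: blocked
];

// Returns one line per case so the decisions can be inspected or asserted on.
function evaluateCases(cases) {
  return cases.map(([script, target]) => ({
    script: originOf(script),
    target: originOf(target),
    readable: sopAllowsRead(script, target),
  }));
}

for (const r of evaluateCases(sampleCases)) {
  console.log(`${r.script} -> ${r.target}: ${r.readable ? "readable" : "blocked"}`);
}
```

  A cross-origin data access flaw such as the one described above means the engine returned data in a case where this comparison says "blocked"; the definition itself is unchanged, the enforcement was wrong.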

  This vulnerability impacts most Apple operating systems, affecting versions prior to the latest updates.

Affected Products:

  The affected products include:

  • iOS (prior to version 26.1)
  • iPadOS (prior to version 26.1)
  • watchOS (prior to version 26.1)
  • tvOS (prior to version 26.1)
  • visionOS (prior to version 26.1)
  • Safari (prior to version 26.1)

Recommendation:

  Apple has released a patch to address this vulnerability. Users are strongly encouraged to check and update their devices to the latest versions, as follows:

  • iOS 26.1
  • iPadOS 26.1
  • watchOS 26.1
  • tvOS 26.1
  • visionOS 26.1
  • Safari 26.1 (for macOS users)

  This update is critically important, especially for individuals who use their devices for financial transactions or manage sensitive information, to prevent the risk of personal data theft.

Security is an ongoing concern. Keep monitoring your systems as usual.
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)

References:

Weekly Interesting CVE

Columns: No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference

1. CVE-2025-64385
   Published Date: 11/3/2014
   Last Update: 31/10/2025
   Device/Application/OS Target: Circutor model TCPRS1plus, version 1.0.14
   Attack Type: Incorrect
   CVSS Severity Rating: 9.2
   Detail: The equipment can initially be configured using the manufacturer's application, by Wi-Fi, by the web server or with the manufacturer's software. Using the manufacturer's software, the device can be configured via UDP. Analyzing this communication, it has been observed that any aspect of the initial configuration can be changed by means of the device's MAC without the need for authentication.
   Solution: Update to the latest version
   Reference: https://app.opencve.io/cve/CVE-2025-64385

2. CVE-2025-49552
   Published Date: 11/3/2014
   Last Update: 31/10/2025
   Device/Application/OS Target: Adobe Connect versions 12.9 and earlier
   Attack Type: Cross Site Scripting
   CVSS Severity Rating: 8.1
   Detail: The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
   Solution: Update to the latest version
   Reference: https://app.opencve.io/cve/CVE-2025-11755

3. CVE-2025-62708
   Published Date: 22/10/2025
   Last Update: 27/10/2025
   Device/Application/OS Target: pypdf prior to version 6.1.3
   Attack Type: Denial of Service
   CVSS Severity Rating: 7.5
   Detail: pypdf is a free and open-source pure-Python PDF library. Prior to version 6.1.3, an attacker can craft a PDF that leads to large memory usage when the content stream of a page using the LZWDecode filter is parsed. This has been fixed in pypdf version 6.1.3.
   Solution: Update to version 6.1.3 or the latest version
   Reference: https://www.cvedetails.com/cve/CVE-2025-62708/

4. CVE-2025-62612
   Published Date: 22/10/2025
   Last Update: 27/10/2025
   Device/Application/OS Target: FastGPT prior to version 4.11.1
   Attack Type: Server-Side Request Forgery (SSRF)
   CVSS Severity Rating: 6.9
   Detail: FastGPT is an AI Agent building platform. Prior to version 4.11.1, the workflow file reading node does not security-verify the network link, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1.
   Solution: Update to the latest version
   Reference: https://www.cvedetails.com/cve/CVE-2025-62612/

5. CVE-2025-62717
   Published Date: 24/10/2025
   Last Update: 28/10/2025
   Device/Application/OS Target: Emlog Pro version 2.5.23
   Attack Type: Improper Authentication
   CVSS Severity Rating: 9.1
   Detail: Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been fixed in commit 1f726df.
   Solution: Update to the latest version
   Reference: https://www.cvedetails.com/cve/CVE-2025-62717/


Malware News or Campaign IOC/IOA | EN

Columns: No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation

1. New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea
   Detection Date: 03/11/2025
   Attack Type: Spear-Phishing, Dropper/Loader
   Description:
     The Kimsuky group has launched a phishing campaign targeting users in South Korea. The attack uses an attached ZIP file named to resemble a "VPN invoice" (or similar). When the SCR file it contains is opened, it installs the HttpTroy backdoor.
     Key technical details:
     • Multi-layered structure: the malware uses a complex multi-stage chain (dropper → loader → backdoor).
     • Evasion technique: it impersonates an AhnLab process (AhnLab is a well-known South Korean security software company) to avoid detection.
     • HttpTroy capabilities: remote command and control (C2); upload/download of files, screenshot capture and execution of privileged commands; opening a reverse shell and performing file cleanup to remove traces of the attack; advanced obfuscation (API hashing, dynamic API loading, XOR string encoding) to evade detection.
     Targets: the campaign primarily targets organizations and individuals in South Korea, particularly those who use VPNs and external connection systems.
   Mitigation/Remediation:
     • Avoid opening ZIP/SCR files that claim to be VPN documents or invoices without verifying the source.
     • Limit admin privileges on user devices and review any new services or scheduled tasks that are created without authorization.
     • Build awareness by conducting simulated phishing exercises and training users to verify attached files or links before opening them.
   Ref: https://thehackernews.com/2025/11/new-httptroy-backdoor-poses-as-vpn.html

 

 

11 November 2025
