"What we fear is escalation. Attacking a country like Iran, which was already prepared and had declared that it would respond, inevitably means striking American interests in the region." So says Mons.


[2026-03-06] La Gardensia di AISM @ Various locations


La Gardensia di AISM

Various locations - Biella
(Friday, 6 March 09:00)
La Gardensia di AISM
Distribution of gardenia and hydrangea plants in exchange for a minimum donation of € 15 to support the Associazione Italiana Sclerosi Multipla.


caosbi.eu/event/la-gardensia-d…



Exploits and vulnerabilities in Q4 2025


The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.

In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.

Statistics on registered vulnerabilities


This section contains statistics on registered vulnerabilities. The data is taken from cve.org.

Let’s take a look at the number of registered CVEs for each month over the last five years, up to and including the end of 2025. As predicted in our last report, Q4 saw a higher number of registered vulnerabilities than the same period in 2024, and the year-end totals also cleared the bar set the previous year.

Total published vulnerabilities by month from 2021 through 2025

Now, let’s look at the number of new critical vulnerabilities (CVSS > 8.9) for that same period.

Total number of published critical vulnerabilities by month from 2021 to 2025

The graph shows that the volume of critical vulnerabilities remains quite substantial; however, in the second half of the year, we saw those numbers dip back down to levels seen in 2023. This was due to vulnerability churn: a handful of published security issues were revoked. The widespread adoption of secure development practices and the move toward safer languages also pushed those numbers down, though even that couldn’t stop the overall flood of vulnerabilities.

Exploitation statistics


This section contains statistics on the use of exploits in Q4 2025. The data is based on open sources and our telemetry.

Windows and Linux vulnerability exploitation


In Q4 2025, the most prevalent exploits targeted the exact same vulnerabilities that dominated the threat landscape throughout the rest of the year. These were exploits targeting Microsoft Office products with unpatched security flaws.

Kaspersky solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: a remote code execution vulnerability in Equation Editor.
  • CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor.
  • CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system.

The list has remained unchanged for years.

We also see that attackers continue to adapt exploits for directory traversal vulnerabilities (CWE-35) when unpacking archives in WinRAR. They are being heavily leveraged to gain initial access via malicious archives on the Windows operating system:

  • CVE-2023-38831: a vulnerability stemming from the improper handling of objects within an archive.
  • CVE-2025-6218 (formerly ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. This can lead to arbitrary code execution. We covered this vulnerability in detail in our Q2 2025 report.
  • CVE-2025-8088: a vulnerability we analyzed in our previous report, analogous to CVE-2025-6218. The attackers used NTFS streams to circumvent controls on the directory into which files were being unpacked.

As in the previous quarter, we see a rise in the use of archiver exploits, with fresh vulnerabilities increasingly appearing in attacks.

Below are the exploit detection trends for Windows users over the last two years.

Dynamics of the number of Windows users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100%

The vulnerabilities listed here can be used to gain initial access to a vulnerable system. This highlights the critical importance of timely security updates for all affected software.

On Linux-based devices, the most frequently detected exploits targeted the following vulnerabilities:

  • CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications.
  • CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation.
  • CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem.
  • CVE-2023-32233: another vulnerability in the Netfilter subsystem that creates a use-after-free condition, allowing for privilege escalation due to the improper handling of network requests.


Dynamics of the number of Linux users encountering exploits, Q1 2024 – Q4 2025. The number of users who encountered exploits in Q1 2024 is taken as 100%

We are seeing a massive surge in Linux-based exploit attempts: in Q4, the number of affected users doubled compared to Q3. Our statistics show that the final quarter of the year accounted for more than half of all Linux exploit attacks recorded for the entire year. This surge is primarily driven by the rapidly growing number of Linux-based consumer devices. This trend naturally attracts the attention of threat actors, making the installation of security patches critically important.

Most common published exploits


The distribution of published exploits by software type in Q4 2025 largely mirrors the patterns observed in the previous quarter. The majority of exploits we investigate through our monitoring of public research, news, and PoCs continue to target vulnerabilities within operating systems.

Distribution of published exploits by platform, Q1 2025

Distribution of published exploits by platform, Q2 2025

Distribution of published exploits by platform, Q3 2025

Distribution of published exploits by platform, Q4 2025

In Q4 2025, no public exploits for Microsoft Office products emerged; the bulk of the vulnerabilities were issues discovered in system components. When calculating our statistics, we placed these in the OS category.

Vulnerability exploitation in APT attacks


We analyzed which vulnerabilities were utilized in APT attacks during Q4 2025. The following rankings draw on our telemetry, research, and open-source data.

TOP 10 vulnerabilities exploited in APT attacks, Q4 2025

In Q4 2025, APT attacks most frequently exploited fresh vulnerabilities published within the last six months. We believe that these CVEs will remain favorites among attackers for a long time, as fixing them may require significant structural changes to the vulnerable applications or the user’s system. Often, replacing or updating the affected components requires a significant amount of resources. Consequently, the probability of an attack through such vulnerabilities may persist. Some of these new vulnerabilities are likely to become frequent tools for lateral movement within user infrastructure, as the corresponding security flaws have been discovered in network services that are accessible without authentication. This heavy exploitation of very recently registered vulnerabilities highlights the ability of threat actors to rapidly implement new techniques and adapt old ones for their attacks. Therefore, we strongly recommend applying the security patches provided by vendors.

C2 frameworks


In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks against users during Q4 2025, according to open sources.

TOP 10 C2 frameworks used by APTs to compromise user systems in Q4 2025

Despite the significant footprints it can leave when used in its default configuration, Sliver continues to hold the top spot among the most common C2 frameworks in our Q4 2025 analysis. Mythic and Havoc were second and third, respectively. After reviewing open sources and analyzing malicious C2 agent samples that contained exploits, we found that the following vulnerabilities were used in APT attacks involving the C2 frameworks mentioned above:

  • CVE-2025-55182: a React2Shell vulnerability in React Server Components that allows an unauthenticated user to send commands directly to the server and execute them from RAM.
  • CVE-2023-36884: a vulnerability in the Windows Search component that allows the execution of commands on a system, bypassing security mechanisms built into Microsoft Office applications.
  • CVE-2025-53770: a critical insecure deserialization vulnerability in Microsoft SharePoint that allows an unauthenticated user to execute commands on the server.
  • CVE-2020-1472, also known as Zerologon, allows for compromising a vulnerable domain controller and executing commands as a privileged user.
  • CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, enabling remote access to a vulnerable OS and high-privilege command execution.
  • CVE-2025-8088 and CVE-2025-6218 are similar directory-traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user.

The set of vulnerabilities described above suggests that attackers have been using them for initial access and early-stage maneuvers in vulnerable systems to create a springboard for deploying a C2 agent. The list of vulnerabilities includes both zero-days and well-known, established security issues.

Notable vulnerabilities


This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q4 2025 and have a publicly available description.

React2Shell (CVE-2025-55182): a vulnerability in React Server Components


We typically describe vulnerabilities affecting a specific application. CVE-2025-55182 stood out as an exception, as it was discovered in React, a library primarily used for building web applications. This means that exploiting the vulnerability could potentially disrupt a vast number of applications that rely on the library. The vulnerability itself lies in the interaction mechanism between the client and server components, which is built on sending serialized objects. If an attacker sends serialized data containing malicious functionality, they can execute JavaScript commands directly on the server, bypassing all client-side request validation. Technical details about this vulnerability and an example of how Kaspersky solutions detect it can be found in our article.

CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)


This vulnerability represents a data-handling flaw that occurs when retrieving information from a remote server: when executing the curl or Invoke-WebRequest command, Windows launches Internet Explorer in the background. This can lead to a cross-site scripting (XSS) attack.

CVE-2025-11001: a vulnerability in 7-Zip


This vulnerability reinforces the trend of exploiting security flaws found in file archivers. The core of CVE-2025-11001 lies in the incorrect handling of symbolic links. An attacker can craft an archive so that when it is extracted into an arbitrary directory, its contents end up in the location pointed to by a symbolic link. The likelihood of exploiting this vulnerability is significantly reduced because utilizing such functionality requires the user opening the archive to possess system administrator privileges.

This vulnerability was associated with a wave of misleading news reports claiming it was being used in real-world attacks against end users. This misconception stemmed from an error in the security bulletin.

RediShell (CVE-2025-49844): a vulnerability in Redis


The year 2025 saw a surge in high-profile vulnerabilities, several of which were significant enough to earn a unique nickname. This was the case with CVE-2025-49844, also known as RediShell, which was unveiled during a hacking competition. This vulnerability is a use-after-free issue related to how the load command functions within Lua interpreter scripts. To execute the attack, an attacker needs to prepare a malicious script and load it into the interpreter.

As with any named vulnerability, RediShell was immediately weaponized by threat actors and spammers, albeit in a somewhat unconventional manner. Because technical details were initially scarce following its disclosure, the internet was flooded with fake PoC exploits and scanners claiming to test for the vulnerability. In the best-case scenario, these tools were non-functional; in the worst, they infected the system. Notably, these fraudulent projects were frequently generated using LLMs. They followed a standardized template and often cross-referenced source code from other identical fake repositories.

CVE-2025-24990: a vulnerability in the ltmdm64.sys driver


Driver vulnerabilities are often discovered in legitimate third-party applications that have been part of the official OS distribution for a long time. Thus, CVE-2025-24990 has existed within code shipped by Microsoft throughout nearly the entire history of Windows. The vulnerable driver has been shipped since at least Windows 7 as a third-party driver for Agere Modem. According to Microsoft, this driver is no longer supported and, following the discovery of the flaw, was removed from the OS distribution entirely.

The vulnerability itself is straightforward: insecure handling of IOCTL codes leading to a null pointer dereference. Successful exploitation can lead to arbitrary command execution or a system crash resulting in a blue screen of death (BSOD) on modern systems.

CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)


CVE-2025-59287 represents a textbook case of insecure deserialization. Exploitation is possible without any form of authentication; due to its ease of use, this vulnerability rapidly gained traction among threat actors. Technical details and detection methodologies for our product suite have been covered in our previous advisories.

Conclusion and advice


In Q4 2025, the rate of vulnerability registration has shown no signs of slowing down. Consequently, consistent monitoring and the timely application of security patches have become more critical than ever. To ensure resilient defense, it is vital to regularly assess and remediate known vulnerabilities while implementing technology designed to mitigate the impact of potential exploits.

Continuous monitoring of infrastructure, including the network perimeter, allows for the timely identification of threats and prevents them from escalating. Effective security also demands tracking the current threat landscape and applying preventative measures to minimize risks associated with system flaws. Kaspersky Next serves as a reliable partner in this process, providing real-time identification and detailed mapping of vulnerabilities within the environment.

Securing the workplace remains a top priority. Protecting corporate devices requires the adoption of solutions capable of blocking malware and preventing it from spreading. Beyond basic measures, organizations should implement adaptive systems that allow for the rapid deployment of security updates and the automation of patch management workflows.


securelist.com/vulnerabilities…
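
The WinRAR and 7-Zip issues in the report above (CVE-2025-6218, CVE-2025-8088, CVE-2025-11001) all come down to an archive member landing outside the directory the user chose. The following pre-extraction audit is an added example, not code from the report or from Kaspersky; it works on ZIP files through Python's standard zipfile module, and the function names and the constructed in-memory sample archive are assumptions made for illustration.

```python
import io
import posixpath
import stat
import zipfile


def audit_member(name, link_target=None):
    """Return the reasons an archive member is unsafe to extract (empty if none)."""
    norm = name.replace("\\", "/")  # Windows extractors accept both separators
    has_drive = len(norm) >= 2 and norm[0].isalpha() and norm[1] == ":"
    rest = norm[2:] if has_drive else norm
    parts = [p for p in rest.split("/") if p not in ("", ".")]
    reasons = []
    if has_drive or rest.startswith("/"):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory traversal")
    if any(":" in p for p in parts):
        # "file:stream" addresses an NTFS alternate data stream on Windows
        reasons.append("NTFS alternate data stream name")
    if link_target is not None:
        # Resolve the link target relative to the directory holding the link
        target = link_target.replace("\\", "/")
        base = posixpath.dirname("/".join(parts))
        resolved = posixpath.normpath(posixpath.join(base, target))
        if (target.startswith("/") or target[1:2] == ":"
                or resolved == ".." or resolved.startswith("../")):
            reasons.append("symlink escapes extraction root")
    return reasons


def audit_archive(fileobj):
    """Map each unsafe member name to its reasons; extract only if the result is empty."""
    findings = {}
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            target = None
            # The Unix file type is stored in the high 16 bits of external_attr
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace")
            reasons = audit_member(info.filename, target)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed sample archive (in memory) mixing benign and unsafe members."""
    def symlink(name):
        info = zipfile.ZipInfo(name)
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        return info

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("..\\..\\outside\\file.txt", "relative path with backslashes")
        zf.writestr("/tmp/abs.txt", "absolute path")
        zf.writestr("notes.txt:stream", "stream-style name")
        zf.writestr(symlink("docs/latest"), "../../outside")
        zf.writestr(symlink("docs/ok-link"), "readme.txt")
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    for member, why in audit_archive(build_sample()).items():
        print(f"REJECT {member!r}: {', '.join(why)}")
```

A mail gateway or upload handler can run such an audit and quarantine any archive with a non-empty result; it complements patching the archiver and does not replace it.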




[2026-03-06] Fiori in fil di ferro 2.0 l'ortensia @ Zubiena - Chiostro delle illusioni


Fiori in fil di ferro 2.0 l'ortensia

Zubiena - Chiostro delle illusioni - Via Pietro Micca 5
(Friday, 6 March 18:00)
Fiori in fil di ferro 2.0 l'ortensia
Fiori in Fil di Ferro 2.0 is the new edition of our workshop dedicated to crafting wire flowers.
The course is open to everyone, both those who want to learn this technique for the first time and those who have already taken part in our workshops and want to broaden their skills by making new flowers.
In this edition each participant will create a wire hydrangea, a flower not featured in previous courses.
The workshop takes place in a unique, welcoming and homely setting, where feeling at home is part of the experience. The Chiostro delle Illusioni thus becomes a space for sharing, listening and creativity, where hands work and the mind is set free.
Booking required.


caosbi.eu/event/fiori-in-fil-d…




Analyzing the situation, I see a Ukraine that was very poorly armed at the start of the conflict, and is now poorly armed with the cast-offs of armies from around the world, and a Russia that calls itself a self-styled superpower and that in 4 years has failed to achieve anything at all. What makes anyone think that Russia has been conserving its strength and has fresh human and material reserves? With a GDP and a population comparable to those of a couple of European states? And with the ruble in the state it is in? If Russia still had forces at its disposal, would it have abandoned Iran, Venezuela, Syria?


GNOME 50 Release Candidate: all the new features

@GNU/Linux Italia

linuxeasy.org/gnome-50-release…

GNOME 50 is almost a reality: the Release Candidate brings new features, graphical optimizations, accessibility improvements and plenty of polish. The article GNOME 50 Release Candidate: all the new features is on Linux Easy.

GNU/Linux Italia reshared this.



Filomena Gallo speaks at the event “L’agenda di Valeria” dedicated to Valeria Fedeli

Filomena Gallo, a lawyer admitted to the Court of Cassation and National Secretary of the Associazione Luca Coscioni, will take part in the meeting “L’agenda di Valeria – Un 8 marzo rivolto al futuro, dedicato a Valeria Fedeli”, promoted by Roma Capitale – Municipio IX together with the association Le Contemporanee.

📍 Spazio culturale La Vaccheria, Via Giovanni l’Eltore 35, Rome
🗓 Sunday 8 March 2026
🕓 16:45


The initiative is a moment of discussion and active remembrance dedicated to the political and civil battles of Valeria Fedeli, a central figure in the promotion of women's rights, freedom, democracy and civil and social rights. Numerous figures from the worlds of politics, culture and civil activism will speak at the event, including Elly Schlein, Francesca Comencini, Flavia Fratello, Lara Ghiglione, Marco Bentivogli, Chiara Gribaudo, Paola Tavella, Francesco Luccisano, Rosanna Oliva, Andrea Catizone, Goffredo Buccini, Fabrizia Giuliani, Graziella Falconi, Alessandra Bocchetti, Livia Turco, Carla Cantone, Loredana Taddei, Patrizia Prestipino, Titti Di Salvo, Valeria Manieri and Cristina Molinari. Messages from Emma Bonino, Maria Latella and Giovanna Melandri are also planned.

The article Filomena Gallo speaks at the event “L’agenda di Valeria” dedicated to Valeria Fedeli comes from Associazione Luca Coscioni.




[2026-03-06] Accademia Perosi Concert - Louis Lortie @ Biella - Concert hall, first floor, Accademia Perosi


Accademia Perosi Concert - Louis Lortie

Biella - Concert hall, first floor, Accademia Perosi - Biella, Corso del Piazzo, 24, 13900 Biella BI
(Friday, 6 March 20:45)
Accademia Perosi Concert - Louis Lortie
Louis Lortie has earned an international reputation as a versatile musician, acclaimed by critics for the fresh perspective and individuality he brings to the great masters of the piano repertoire. In demand on five continents for over thirty years, Louis Lortie performs with the most prestigious orchestras and in the leading concert halls around the world. A prolific artist, he has made more than 45 recordings for Chandos Records that include the pillars of the piano literature. He is followed by more than 300,000 listeners a month on streaming platforms and generated more than 6 million streams in 2022.
In Great Britain, his long-standing relationship with the BBC and the BBC Symphony and BBC Philharmonic orchestras has produced numerous recordings and concerts, as well as more than ten invitations to the BBC Proms. In his native Canada, for half a century, he has played regularly with all the major orchestras: Montreal, Toronto, Vancouver, Ottawa and Calgary. A close collaborator of Kurt Masur, he was a regular soloist with the Orchestre National de France and the Gewandhaus orchestra during his tenure as Music Director. He has also worked with the Deutsche Sinfonieorchester Berlin, the Dresden Philharmonic Orchestra and the Leipzig MDR Orchestra in Germany and, in the United States, the Philadelphia Orchestra, the Dallas Symphony, the San Diego Symphony, the St. Louis Symphony and the New Jersey Symphony. Overseas, his collaborations include the Shanghai Symphony Orchestra, where he was Artist in Residence, the Hong Kong Philharmonic Orchestra and the National Symphony Orchestra of Taiwan, as well as the Adelaide Symphony Orchestra and Sydney Symphony Orchestra and the Orquestra Sinfônica do Estado de São Paulo in Brazil. His regular collaborators include, among others, Yannick Nézet-Séguin, Edward Gardner, Sir Andrew Davis, Jaap Van Zweden, Simone Young, Antoni Wit and Thierry Fischer.

In recital and chamber music, Louis Lortie performs regularly at Wigmore Hall in London, the Philharmonie in Paris, the Concertgebouw in Amsterdam, Carnegie Hall, Chicago Symphony Hall, the Beethovenfest in Bonn and the Liszt Festival Raiding. He is particularly sought after for his complete Liszt Years of Pilgrimage in one evening, for the (complete) Chopin Études in one evening, or for his Beethoven sonata cycles; the most recent was filmed at the Salle Bourgie in Montreal and broadcast by Medici TV in 2021. For more than twenty years, with Hélène Mercier, the Lortie-Mercier duo has offered new perspectives on the repertoire for four hands and two pianos in concert, as well as through its numerous recordings.

His discography, released exclusively on Chandos, includes, in the solo piano repertoire, 7 volumes of works by Chopin, Beethoven's 32 sonatas, the complete works of Ravel, Liszt's Years of Pilgrimage and two volumes of works by Fauré. With Edward Gardner he recorded Lutosławski's Concerto and Variations on a Theme by Paganini with the BBC Symphony Orchestra, particularly praised by critics, as well as the complete Saint-Saëns concertos with the BBC Philharmonic Orchestra or the Vaughan Williams concerto with the Toronto Symphony Orchestra and Peter Oundjian.

Louis Lortie is co-founder and artistic director of the LacMus Festival, held every year since 2017 on Lake Como. He was master in residence at the Queen Elisabeth Music Chapel in Brussels from 2017 to 2022; he continues to mentor exceptionally talented pianists, presenting the new generation through concert cycles, including recently a cycle of the Beethoven/Liszt symphonies at Wigmore Hall and the Dresden International Festival, as well as the Skrjabin Marathon at LacMus and the Bolzano Bozen Festival.

Louis Lortie made his debut with the Montreal Symphony Orchestra at the age of thirteen, and in 1984 won first prize at the Busoni Competition and fourth prize at the Leeds Competition. He studied with Yvonne Hubert (herself a pupil of the legendary Alfred Cortot) and with Dieter Weber in Vienna, and then with Léon Fleisher. He was named "Officer of the Order of Canada" in 1992 and "Chevalier Ordre national du Québec" in 1997, and received an honorary doctorate from the University of Laval in the same year.


caosbi.eu/event/concerto-accad…



Building a Heading Sensor Resistant To Magnetic Disturbances


Light aircraft often use a heading indicator as a way to know where they’re going. Retired instrumentation engineer [Don Welch] recreated a heading indicator of his own, using cheap off-the-shelf hardware to get the job done.

The heart of the build is a Teensy 4.0 microcontroller. It’s paired with a BNO085 inertial measurement unit (IMU), which combines a 3-axis gyro, 3-axis accelerometer, and 3-axis magnetometer into a single package. [Don] wanted to build a heading indicator that was immune to magnetic disturbances, so ignored the magnetometer readings entirely, using the rest of the IMU data instead.

Upon startup, the Teensy 4.0 initializes a small round TFT display, and draws the usual compass rose with North at the top of the display. Any motion after this will update the heading display accordingly, with [Don] noting the IMU has a fast update rate of 200 Hz for excellent motion tracking. The device does not self-calibrate to magnetic North; instead, an encoder can be used to calibrate the device to match a magnetic compass you have on hand. Or, you can just ensure it’s already facing North when you turn it on.

Thanks to the power of the Teensy 4.0 and the rapid updates of the BNO085, the display updates are nicely smooth and responsive. However, [Don] notes that it’s probably not quite an aircraft-spec build. We’ve featured some interesting investigations of just how much you can expect out of MEMS-based sensors like these before, too.

youtube.com/embed/UoS7PKGJVlE?…


hackaday.com/2026/03/06/buildi…



The new issue of “Donne Chiesa Mondo”, the L’Osservatore Romano magazine edited by Rita Pinci, is devoted to the relationship between feminism, theology and the Church; it comes out on Saturday 7 March, on the eve of International Women's Day.



Cécile Coulon – Tre stagioni di tempesta
freezonemagazine.com/articoli/…
“The house, or what remains of it, overlooks the valley; its windows, four great empty eyes, keep watch to the east of the Tre-Fauci massif. Le Fontane, a tiny village, stains the landscape, a piece of chalk adrift in the middle of a sea of vegetation and limestone. The forest spits out men like little seeds, the woods rustle, trails of mist […]
The article Cécile Coulon – Tre


If they haven't appointed you as data processor, do it yourself!


@Privacy Pride
Christian Bernieri's full post is on his blog: garantepiracy.it/blog/rdt/
These days, following the decisions issued by the Garante authority is as boring as watching a RAI channel: tedious, useless, repetitive, devoid of content. All one reads are photocopy decisions, fines against private individuals, butchers and bartenders

Privacy Pride reshared this.



"Asked whether Americans should be worried about retaliatory attacks at home, Trump acknowledges the possibility.
“I guess,” he says. “But I think they’re worried about that all the time. We think about it all the time. We plan for it. But yeah, you know, we expect some things. Like I said, some people will die. When you go to war, some people will die."

time.com/7382697/trump-iran-wa…