Google: GTIG 2025 Zero-Day Report, Chrome Updates Go Biweekly in September; FreeScout CVSS 10.0 Zero-Click RCE

Google Threat Intelligence Group (GTIG) has published a report on the 90 zero-day vulnerabilities they tracked in 2025, all of which were exploited in the wild. GTIG tracked 78 zero-days in 2024, and 100 zero-days in 2023. Of the 90 zero-days GTIG tracked in 2025, 25 were in Microsoft products, 11 in Google products, and eight in Apple products. Other vendors with multiple zero-days include Cisco, Fortinet, Ivanti, and VMware. GTIG writes that "52% (47) of the tracked zero-days were used to exploit end-user platforms and products ...[while] browsers accounted for less than 10% of 2025 zero-day exploitation." The flaws were most often exploited to achieve remote code execution or privilege escalation. GTIG was able to attribute 47 percent (42) of the exploitations: nearly 39 percent (15) of these were exploited by commercial surveillance vendors, followed by nearly 28 percent (12) by state sponsored espionage threat actors, and nearly 21 percent (9) by cybercrime. GTOG spotlights notable threat actor activity and techniques, including browser sandbox escapes and the SonicWall full-chain exploit.

In a March 3, 2026 blog post, Ben Mason and Deepak Ravichandran announced that starting in September 2026, Google will move Chrome from a four-week release cycle to a two-week release cycle across all platforms. Google has been releasing an updated version of Chrome every four weeks since 2021, and in 2023, the company added a weekly security update as well as an early stable release. The blog notes that "While releases will be more frequent, their smaller scope minimizes disruption and simplifies post-release debugging." The first Chrome release slated for the new schedule is Chrome 153, which will be available on Tuesday, September 8, 2026. The Extended Stable channel will remain on an eight-week release cycle, and the Dev and Canary channels will not be affected by the new release schedule.

Open-source support helpdesk and shared inbox platform FreeScout has disclosed a maximum-severity flaw in FreeScout 1.8.206 and earlier allowing remote code execution (RCE) that researchers have also determined is exploitable as "zero-click." CVE‑2026‑28289, CVSS score 10.0, allows an unauthenticated attacker with file upload permissions to remotely execute code on the server by using a zero-width space character prefix when naming and uploading a malicious file. This bypasses a file name security check implemented in a previous patch (fixing CVE-2026-27636), because "the dot-prefix check occurs before sanitization removes invisible characters," creating a time-of-check to time-of-use (TOCTOU) flaw. Researchers at OX security discovered that an unauthenticated attacker could exploit this flaw remotely and without user interaction by attaching the malicious file and a web shell to an email, which when sent to a FreeScout inbox is written to a predictable location on the FreeScout server and can be accessed and executed by the attacker. Users should update FreeScout to version 1.8.207 or later, and OX recommends disabling AllowOverrideAll in the Apache configuration on the FreeScout server.

Password manager LastPass has published a blog warning customers of an email phishing campaign ongoing since March 1, 2026, provoking users with fake support correspondence that suggests unauthorized account activity. The lure takes the form of a security warning prompting the target to secure their vault, including a phony email chain meant to show LastPass support corresponding with a third party who is trying to gain unauthorized access, "rel[ying] on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it." The phishing page mimics a LastPass SSO login, and prompts the user to enter their master password; LastPass's advisory states that the company will never ask for master passwords, and urges users to submit suspicious emails to abuse@lastpass.com. The company is working to have the phishing sites taken down as soon as possible, and provides malicious URLs, IPs, email addresses, and subject lines as indicators of compromise (IoCs).

Threat analysts at Huntress have published a blog describing a cluster of intrusions they observed in February 2026, beginning with tech support phishing and then DLL sideloading to install the Havoc command-and-control (C2) agent before moving laterally. In five of Huntress's partner organizations, certain users received a flood of spam emails followed by a phone call from a threat actor posing as IT support, offering a solution to the spam problem. After persuading the target to grant remote system access, the threat actor opened a counterfeit Microsoft "antispam" panel and guided the target through a process that harvested their credentials and then assembled and executed the initial malware, under the guise of configuring anti-spam rules and downloading a patch. The malware abuses legitimate Windows binaries to load malicious DLLs, then leverages known EDR bypasses and loads Havoc, an open-source post-exploitation framework designed as an alternative to Cobalt Strike. Huntress states that "the battle starts at the moment an end user picks up the phone," emphasizing that malware detection is an insufficient defense. The analysts' recommendations for mitigation are to expand security awareness training and enforce out-of-band authentication; to restrict execution via application whitelisting and audit remote monitoring and management (RMM) agents; and to use host-based firewall policies to prevent lateral movement.

Cisco has released updates to fix more than 50 vulnerabilities in Cisco Catalyst SD-WAN Manager, Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software. One bulletin addresses five CVEs affecting Cisco Catalyst SD-WAN Manager, (formerly vManage): a critical authentication bypass vulnerability (CVE-2026-20129), a high-severity privilege escalation vulnerability (CVE-2026-20126), a high-severity information disclose vulnerability (CVE-2026-20133), a high-severity arbitrary file overwrite vulnerability (CVE-2026-20122), and a medium-severity information disclosure vulnerability (CVE-2026-20128). These latter two vulnerabilities, CVE-2026-20122 and CVE-2026-20128, are being actively exploited. Patches were made available in late February. Cisco has also released updates for Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software to address a total of 48 vulnerabilities, including two critical issues in Cisco Secure Firewall Management Center Software: an authentication bypass vulnerability (CVE-2026-20079) and a remote code execution vulnerability (CVE-2026-20131).

Researchers from Huntress have posted their investigation of malicious GitHub repositories purporting to be OpenClaw installers, but which actually installed information stealers and proxy malware to bypass anti-fraud and MFA checks when exploiting the stolen information. Notably, by hosting the malware on GitHub, a trusted platform, attackers poisoned search results for users searching "OpenClaw Windows," and caused Bing AI to link directly to the malicious files as its top result. The repositories were available starting on February 2, 2026, and were removed on February 10 within eight hours of Huntress reporting them. Analysis of the repository showed most of the code to be unrelated legitimate code copied from the moltworker Cloudflare project, with the malicious executable stored in an archive file in the releases section. Huntress offers indicators of compromise (IoCs) and urges wariness of the unique risks that surround popular new technologies, specifically for technical users with high privileges, who must be prepared to spot malicious installers.

An international law enforcement operation led by Europol has dismantled a subscription-based cybercrime forum that was used to trade in "leaked databases and ... archives of stolen credentials harvested through infostealer malware." LeakBase has been operational since 2021, and by the end of last year, had more than 142,000 registered users. Coordinated activity on March 3 and 4, 2026 "severely disrupted the forum’s operations and targeted its most active users." Then operation involved roughly 100 enforcement actions globally, including 13 arrests, 32 residence searches and "'knock-and-talk' interventions." Authorities also seized the LeakBase domain. The operation involved authorities from Australia, Belgium, Canada, Germany, Greece, Kosovo, Malaysia, Netherlands, Poland, Portugal, Romania, Spain, the UK, and the US. The international effort, dubbed "Operation Leak," is the latest in a series of law enforcement takedowns of cybercrime forums, including RaidForums in 2022 and BreachForums in 2023.

A coordinated international law enforcement operation took down the Tycoon2FA phishing-as-a-service platform, with support from Europol's European Cybercrime Center (EC3), authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the UK, and from privacy sector partners including Microsoft, Cloudflare, Coinbase, Intel471, Proofpoint, Shadowserver Foundation, SpyCloud, eSentire, Crowell, Resecurity, and Health-ISAC. Tycoon2FA helped cybercriminals bypass multi-factor authentication and gain access to email accounts and cloud services undetected. In all, the operation took down 330 domains. Tycoon2FA accounted for more than 60 percent of phishing attempts blocked by Microsoft last year.

A breach of a software supplier to France's Health Ministry has resulted in the theft of roughly 15.8 million files containing sensitive health information. The company, Cegedim Santé, writes in a press release that they "identified abnormal application request behaviour on the accounts of doctors using the MLM (MonLogicielMedical.com) software at the end of 2025." Cegedim Santé notified the 1,500 affected physicians in early January 2026 and provided assistance to those physicians in notifying their patients and France's data privacy regulatory body, the Commission nationale de l'informatique et des libertés (CNIL) as required by the General Data Protection Regulation (GDPR). The files appear to be administrative rather than medical records; the data include "surname, first name, gender, date of birth, telephone number, address, email address." Files of roughly 169,000 patients also contained sensitive information in the form of doctors' notes. This incident follows close on the heels of a breach that compromised a database containing a list of every bank account in France.