🚨 CRITICAL ALERT: Active Zero-Day Exploits Confirmed

Two critical vulnerabilities with CVSS scores ≥8.0 are actively being exploited in the wild. Immediate patching is required across all affected systems. Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog with mandatory remediation deadlines for federal agencies.

Critical Vulnerabilities (CVSS ≥ 8.0)

• CVE-2025-27363 (CVSS: 8.1) – FreeType Out-of-Bounds Write: An out-of-bounds write vulnerability in FreeType versions 2.13.0 and below allows arbitrary code execution when parsing TrueType GX and variable font files. The vulnerability stems from improper data type handling where a signed short value is assigned to an unsigned long, causing heap buffer wraparound and allocation of insufficient memory. Attackers can write up to 6 signed long integers out of bounds, resulting in arbitrary code execution without requiring user interaction or elevated privileges. Active exploitation has been confirmed since March 2025. Affected products include Android System component, IBM Cognos Analytics, and any application using vulnerable FreeType versions. CISA KEV added: 2025-05-06 | Deadline: 2025-05-27 | View NVD | CISA KEV Catalog
• CVE-2026-34197 (CVSS: 8.8) – Apache ActiveMQ Code Injection: A critical authentication bypass and remote code execution vulnerability in Apache ActiveMQ Broker allows authenticated attackers to invoke arbitrary operations through the exposed Jolokia JMX-HTTP bridge at /api/jolokia/. Attackers can craft malicious discovery URIs that trigger Spring ResourceXmlApplicationContext instantiation, loading remote XML application contexts and executing arbitrary code through bean factory methods prior to configuration validation. Affects Apache ActiveMQ Broker versions before 5.19.4 and 6.0.0 through 6.2.2. CISA KEV added: 2026-04-16 | View NVD | CISA KEV Catalog

⚡ Immediate Actions Required

Priority 1 (Within 24 hours):

• Audit all systems for FreeType installations (versions ≤2.13.0) and vulnerable ActiveMQ deployments
• Prioritize patching of internet-facing systems and those processing untrusted font files or broker communications
• Enable enhanced monitoring for font parsing operations and Jolokia endpoint access attempts

Priority 2 (Within 7 days):

• Upgrade FreeType to version 2.13.1 or higher across all systems
• Upgrade Apache ActiveMQ Broker to version 5.19.4 or 6.2.3 or higher
• Review and restrict Jolokia access policies; disable if not required
• Implement network segmentation for message broker systems

Detection and Response:

• Monitor for heap buffer overflow crashes and memory access violations in applications processing fonts
• Monitor ActiveMQ logs for suspicious Jolokia /api/jolokia/ requests with exec operations
• Deploy IDS/IPS signatures for both CVE patterns
• Federal agencies: Compliance deadline is 2025-05-27 for CVE-2025-27363