Researchers at Paradigm Shift published usbliter8, a working exploit that runs unauthorized code inside the SecureROM of Apple's A12 and A13 chips, the boot code burned into the silicon of devices from the iPhone XS through the iPhone 11, plus the S4 and S5 Apple Watch chips. Because the flaw lives in immutable hardware, no software update can fix it, so affected devices stay vulnerable for life. The catch is that it is not remote: an attacker needs physical possession of the device, must put it in DFU mode, and connect it to a special USB board, after which the exploit runs in under two seconds. It succeeds 2019's checkm8.
The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.
A researcher who calls themselves Chaotic Eclipse - and who has weaponized every prior Windows flaw they have leaked this year - dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.