Last updated: July 5, 2026 at 9:01 AM UTC
Tag: physical-access (3 articles)

Unpatchable BootROM exploit hits Apple A12 and A13 chips via USB

Researchers at Paradigm Shift published usbliter8, a working exploit that runs unauthorized code inside the SecureROM of Apple's A12 and A13 chips, the boot code burned into the silicon of devices from the iPhone XS through the iPhone 11, plus the S4 and S5 Apple Watch chips. Because the flaw lives in immutable hardware, no software update can fix it, so affected devices stay vulnerable for life. The catch is that it is not remote: an attacker needs physical possession of the device, must put it into DFU mode and connect it to a special USB board, after which the exploit runs in under two seconds. It is the successor to 2019's checkm8.

Check
Assess whether high-risk staff or sensitive workflows rely on older Apple devices with A12 or A13 chips (iPhone XS through iPhone 11), which could be compromised if physically seized or lost.
Affected
Apple devices on A12 and A13 chips, roughly iPhone XS through iPhone 11 plus Apple Watch S4 and S5; exploitation needs physical access and DFU mode, so remote risk is nil.
Fix
There is no software fix. Retire or replace affected older devices for high-risk users, enforce strong passcodes and device encryption, keep physical control of devices, and avoid leaving them unattended.

FBI flash alert: Silent Ransom Group (Luna Moth/UNC3753) sends operatives in person to plug USB drives into US law firm computers

The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.

Check
Brief reception and staff at law/finance firms: verify any in-person 'IT support' visit through a known internal channel before granting access. Alert SOC to unexpected USB-storage mounts.
Affected
US law firms and financial-services organizations. SRG poses as internal IT via phone/phishing, escalating to physical USB-drive theft if remote-access social engineering fails.
Fix
Enforce device-control policy blocking unauthorized USB mass storage. Require multi-channel verification for IT-support remote-access requests. Lock workstations and restrict physical access. Run callback-phishing awareness training.

Unpatched Windows BitLocker bypass and SYSTEM elevation PoCs dropped on GitHub by a disgruntled researcher - YellowKey and GreenPlasma hit Windows 11 and Server 2022/2025

A researcher who calls themselves Chaotic Eclipse - and who has weaponized every prior Windows flaw they have leaked this year - dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.

Check
Inventory which Windows 11, Server 2022, and Server 2025 endpoints have BitLocker in TPM-only mode (the default on most consumer hardware), and identify machines that ever leave secured premises.
Affected
Windows 11 and Windows Server 2022/2025 with BitLocker in TPM-only mode. Windows 10 is unaffected. GreenPlasma privilege escalation hits Windows 11 and Server 2022/2025.
Fix
No patch yet. Switch BitLocker from TPM-only to TPM+PIN, set a BIOS or UEFI admin password, and disable USB boot in firmware. Watch for a Microsoft out-of-band release before next Patch Tuesday.
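One way to carry out the inventory from this item's Check and the TPM+PIN switch from its Fix, as an added PowerShell example that is not part of the original article. It assumes an elevated session on the endpoint, the built-in BitLocker module (Windows 11 / Server 2022 and later), and that Group Policy already allows a PIN at startup; the function names are this example's own.

```powershell
# Added example, not from the article: find OS volumes protected by a bare TPM
# protector ("TPM-only") and move a chosen volume to TPM+PIN.
# Assumes an elevated session and that the FVE startup-authentication policy
# permits TPM+PIN; Add-BitLockerKeyProtector fails otherwise.

function Get-TpmOnlyBitLockerVolumes {
    # Encrypted OS volumes whose startup authenticator is the TPM alone,
    # i.e. no TpmPin or TpmPinStartupKey protector is present.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -eq 'On'
    } | Where-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        ($types -contains 'Tpm') -and
        -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
    } | Select-Object MountPoint, EncryptionMethod,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

function Set-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # Add TPM+PIN first so the volume is never left without a startup protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Then remove the bare TPM protector so the volume no longer unlocks on
    # TPM measurements alone.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

    # Keep a recovery password; a forgotten PIN with no recovery key means data loss.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

# Inventory step from the Check section:
Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize

# Remediation step from the Fix section (prompts for the new PIN):
# Set-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Back up the recovery password (for example to AD or Entra ID) before rebooting, and pair the change with the firmware admin password and USB-boot restriction the Fix describes.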