Apple A12/A13 unpatchable exploit

Severity Medium

How to read this briefing

Verified facts — NVD & CISA KEV Partially verified — awaiting NVD enrichment AI analysis — synthesis, verify before acting ^[1]Inline citations — click any [N] to view the source

How our verification pipeline works →

Contextual · AI analysis Synthesized from 10 feeds · verify before acting

TL;DR

Apple A12/A13 chips have an unpatchable remote code execution vulnerability in their SecureROM burned into silicon. Gentlemen ransomware gang is actively distributing sophisticated EDR-killing tools to affiliates. Fortinet FortiBleed credential theft now affects 86,644 internet-facing devices. Klue OAuth breach spreads to cybersecurity vendors' Salesforce accounts.

THREAT LEVEL: HIGH – High-severity vulnerabilities with limited patch vectors and active malware development require immediate defensive segmentation and credential rotation.

Executive Summary

Apple A12 and A13 processors contain an unpatchable remote code execution vulnerability in the SecureROM—code burned into silicon at manufacture that cannot be reached by any software update.
The Gentlemen ransomware-as-a-service operation has matured its EDR evasion capabilities, now distributing a suite of tools targeting over 400 security processes to affiliates.
Fortinet FortiBleed credential theft campaign has escalated to 86,644 compromised internet-accessible firewall and VPN devices; CISA issued formal guidance to customers.
Klue's OAuth breach continues to expand, with cybersecurity vendors Huntress and Recorded Future confirmed as victims whose Salesforce environments were accessed.
WordPress Gravity SMTP plugin vulnerability is being actively exploited across 100,000 sites for unauthenticated information disclosure.

Top Threats Today

1. Apple A12/A13 SecureROM Unpatchable Arbitrary Code Execution (usbliter8)

Severity: HIGH Affected: Technology

Security researchers at Paradigm Shift have published a working exploit dubbed usbliter8 that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips ^[1]. Because this code is burned into the silicon at manufacture, no software update can reach it; affected devices cannot be patched through normal OS updates ^[1].
Sources:[1] The Hacker News

Recommended Action

Identify and inventory devices in your organization running A12 and A13 processors (iPhone XS, XS Max, XR and earlier iPad models).
Implement additional network segmentation and access controls for affected devices until a silicon-level remediation becomes available.
Monitor Apple security advisories for hardware replacement or mitigation guidance.
Consider restricting untrusted USB connections and enforcing application allow-listing on affected devices.

2. Gentlemen Ransomware-as-a-Service Expands EDR Evasion Toolkit (GentleKiller)

Severity: HIGH Affected: Technology

The Gentlemen ransomware-as-a-service operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers under the name GentleKiller, which it distributes to affiliates for disabling system defenses before deploying the encryptor ^[1]. The Gentlemen has emerged as the second most active ransomware gang by victim count and is using an aggressive recruitment model that offers affiliates 90 percent of ransom payments ^[2].
Sources:[1] The Hacker News[2] Krebs on Security

Recommended Action

Conduct immediate EDR tuning and behavioral analysis review to detect and alert on process termination or service disabling attempts.
Implement host-based alerting on EDR tool service/driver tampering and apply kernel-level protections where supported.
Isolate and review logs for any execution of tools matching GentleKiller signatures across your estate.
Enforce application control and driver signature verification to prevent unsigned EDR killers from executing.

3. Fortinet FortiBleed Credential Theft Campaign Escalates to 86,644 Devices

Severity: HIGH Affected: Government

The sweeping credential theft campaign against Fortinet FortiGate firewalls and VPNs has now compromised approximately 86,644 internet-accessible devices, representing ⚠ roughly half of all exposed Fortinet appliances ^[1]^[2]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued formal guidance urging Fortinet customers to take steps to secure against ongoing malicious activity ^[1].
Sources:[1] The Hacker News[2] SecurityWeek

Recommended Action

Immediately audit all internet-exposed Fortinet FortiGate appliances for signs of unauthorized access and credential compromise.
Change all administrative credentials on FortiGate devices and enforce multi-factor authentication on all remote access interfaces.
Review logs for anomalous login activity, configuration changes, and VPN access from unexpected geographic locations.
Apply the latest FortiGate security patches and disable unnecessary administrative interfaces from the internet.

4. Klue OAuth Breach Spreads Salesforce Credential Theft to Cybersecurity Vendors

Severity: HIGH Affected: Technology

Market intelligence platform Klue has publicly confirmed a security incident allowing threat actors to steal OAuth tokens used to connect to customers' Salesforce environments ^[1]. Confirmed victims include cybersecurity vendors Huntress and Recorded Future, whose Salesforce instances were accessed through the compromised Klue Battlecards application ^[2]^[3]. The new extortion group Icarus has publicly claimed responsibility for the attack ^[1].
Sources:[1] BleepingComputer[2] Dark Reading[3] SecurityWeek

Recommended Action

Audit all OAuth token grants and third-party application integrations connected to your Salesforce environment.
Revoke tokens issued to any Klue integrations and force re-authentication with new credentials.
Review Salesforce access logs for unauthorized API calls, data exports, or configuration changes dating back to the breach discovery window.
Implement IP whitelisting and session controls on all Salesforce administrative accounts.

5. WordPress Gravity SMTP Plugin Information Disclosure Actively Exploited

Severity: HIGH Affected: Technology

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, which is active on approximately 100,000 sites ^[1].
Sources:[1] BleepingComputer

Recommended Action

Immediately update the Gravity SMTP plugin to the latest patched version across all WordPress installations.
Audit access logs to identify any unauthorized API calls or configuration data retrieval targeting Gravity SMTP endpoints.
Review SMTP credentials and API keys stored within affected plugin configurations; rotate credentials if unexposed data points suggest possible exfiltration.
Enable WordPress security monitoring specifically for plugin-level vulnerabilities and subscribe to plugin vendor security bulletins.

Today’s Action Checklist

☐ URGENT: Notify device inventory team to locate and isolate any A12/A13-based Apple devices from critical network segments pending silicon-level remediation.
☐ URGENT: Audit EDR alert rules for process termination and driver tampering; test GentleKiller detection signatures in lab environment.
☐ URGENT: Inventory all internet-exposed Fortinet FortiGate devices; initiate credential rotation and MFA enablement on all administrative accounts.
☐ HIGH: Revoke all OAuth tokens granted to Klue and other third-party Salesforce integrations; audit recent Salesforce API activity logs.
☐ HIGH: Deploy patches to Gravity SMTP across all WordPress installations and monitor plugin security advisory feeds.
☐ Monitor law enforcement and CISA channels for indicators of compromise (IOCs) related to FortiBleed and Klue breach artifacts.

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.

Apple A12/A13 unpatchable exploit; Gentlemen RaaS doubles EDR killers; Fortinet FortiBleed escalates

TL;DR

Executive Summary

Top Threats Today

1. Apple A12/A13 SecureROM Unpatchable Arbitrary Code Execution (usbliter8)

Recommended Action

2. Gentlemen Ransomware-as-a-Service Expands EDR Evasion Toolkit (GentleKiller)

Recommended Action

3. Fortinet FortiBleed Credential Theft Campaign Escalates to 86,644 Devices

Recommended Action

4. Klue OAuth Breach Spreads Salesforce Credential Theft to Cybersecurity Vendors

Recommended Action

5. WordPress Gravity SMTP Plugin Information Disclosure Actively Exploited

Recommended Action

Today’s Action Checklist

Get Tomorrow’s Briefing in Your Inbox

TL;DR

Executive Summary

Top Threats Today

1. Apple A12/A13 SecureROM Unpatchable Arbitrary Code Execution (usbliter8)

Recommended Action

2. Gentlemen Ransomware-as-a-Service Expands EDR Evasion Toolkit (GentleKiller)

Recommended Action

3. Fortinet FortiBleed Credential Theft Campaign Escalates to 86,644 Devices

Recommended Action

4. Klue OAuth Breach Spreads Salesforce Credential Theft to Cybersecurity Vendors

Recommended Action

5. WordPress Gravity SMTP Plugin Information Disclosure Actively Exploited

Recommended Action

Today’s Action Checklist

Get Tomorrow’s Briefing in Your Inbox

Related briefings