B\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng c\u1ee7a b\u1ea1n ngay!<\/p>
Zero-click exploit: M\u1ed1i \u0111e d\u1ecda nghi\u00eam tr\u1ecdng leo thang 2025<\/p>
N\u0103m 2025 \u0111\u00e1nh d\u1ea5u m\u1ed9t b\u01b0\u1edbc ngo\u1eb7t quan tr\u1ecdng trong l\u0129nh v\u1ef1c an ninh m\u1ea1ng, v\u1edbi s\u1ef1 ph\u00e1t tri\u1ec3n \u0111\u00e1ng ch\u00fa \u00fd c\u1ee7a c\u00e1c k\u1ef9 thu\u1eadt khai th\u00e1c kh\u00f4ng y\u00eau c\u1ea7u t\u01b0\u01a1ng t\u00e1c ng\u01b0\u1eddi d\u00f9ng, hay c\u00f2n g\u1ecdi l\u00e0 zero-click exploit<\/strong>. C\u00e1c k\u1ef9 thu\u1eadt n\u00e0y \u0111\u00e3 thay \u0111\u1ed5i s\u00e2u s\u1eafc c\u00e1ch ch\u00fang ta nh\u00ecn nh\u1eadn v\u1ec1 b\u1ea3o m\u1eadt k\u1ef9 thu\u1eadt s\u1ed1.<\/p> Kh\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng truy\u1ec1n th\u1ed1ng \u0111\u00f2i h\u1ecfi s\u1ef1 t\u01b0\u01a1ng t\u00e1c c\u1ee7a ng\u01b0\u1eddi d\u00f9ng, ch\u1eb3ng h\u1ea1n nh\u01b0 nh\u1ea5p v\u00e0o li\u00ean k\u1ebft \u0111\u1ed9c h\u1ea1i ho\u1eb7c t\u1ea3i xu\u1ed1ng t\u1ec7p b\u1ecb nhi\u1ec5m, c\u00e1c zero-click exploit<\/strong> ho\u1ea1t \u0111\u1ed9ng \u00e2m th\u1ea7m, b\u00ed m\u1eadt x\u00e2m nh\u1eadp thi\u1ebft b\u1ecb m\u00e0 n\u1ea1n nh\u00e2n kh\u00f4ng h\u1ec1 hay bi\u1ebft.<\/p> N\u0103m 2025 ghi nh\u1eadn \u00edt nh\u1ea5t 14 l\u1ed7 h\u1ed5ng zero-click<\/strong> nghi\u00eam tr\u1ecdng \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn h\u00e0ng t\u1ef7 thi\u1ebft b\u1ecb tr\u00ean to\u00e0n c\u1ea7u. \u0110i\u1ec1u n\u00e0y ph\u01a1i b\u00e0y m\u1ed9t th\u1ef1c t\u1ebf \u0111\u00e1ng b\u00e1o \u0111\u1ed9ng: b\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng \u0111\u00e3 m\u1edf r\u1ed9ng ra ngo\u00e0i ph\u1ea1m vi l\u1ed7i do con ng\u01b0\u1eddi g\u00e2y ra, len l\u1ecfi v\u00e0o c\u00e1c quy tr\u00ecnh t\u1ef1 \u0111\u1ed9ng m\u00e0 ch\u00fang ta tin t\u01b0\u1edfng tuy\u1ec7t \u0111\u1ed1i.<\/p> S\u1ef1 tinh vi v\u00e0 quy m\u00f4 c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng zero-click trong n\u0103m 2025 th\u1ec3 hi\u1ec7n m\u1ed9t s\u1ef1 thay \u0111\u1ed5i m\u00f4 h\u00ecnh, n\u01a1i s\u1ef1 ti\u1ec7n l\u1ee3i \u0111\u00e3 tr\u1edf th\u00e0nh l\u1ed7 h\u1ed5ng. C\u00e1c t\u00ednh n\u0103ng v\u00f4 h\u00ecnh \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 mang l\u1ea1i tr\u1ea3i nghi\u1ec7m ng\u01b0\u1eddi d\u00f9ng li\u1ec1n m\u1ea1ch \u0111\u00e3 bi\u1ebfn th\u00e0nh nh\u1eefng c\u1eeda ng\u00f5 im l\u1eb7ng cho c\u00e1c m\u1ed1i \u0111e d\u1ecda dai d\u1eb3ng n\u00e2ng cao (APT).<\/p> Nh\u00f3m Threat Intelligence c\u1ee7a Google \u0111\u00e3 ghi nh\u1eadn 75 l\u1ed7 h\u1ed5ng zero-day<\/strong> b\u1ecb khai th\u00e1c t\u00edch c\u1ef1c trong n\u0103m 2024. Xu h\u01b0\u1edbng n\u00e0y ti\u1ebfp t\u1ee5c t\u0103ng t\u1ed1c v\u00e0o n\u0103m 2025 khi k\u1ebb t\u1ea5n c\u00f4ng chuy\u1ec3n h\u01b0\u1edbng sang c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng doanh nghi\u1ec7p.<\/p> Ch\u1ec9 trong n\u1eeda \u0111\u1ea7u n\u0103m 2025, h\u01a1n 21.500 CVE<\/strong> m\u1edbi \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1, t\u0103ng 18%<\/strong> so v\u1edbi n\u0103m tr\u01b0\u1edbc. \u0110\u00e1ng b\u00e1o \u0111\u1ed9ng h\u01a1n, kho\u1ea3ng th\u1eddi gian \u201cth\u1eddi gian khai th\u00e1c\u201d (time to exploit) \u0111\u00e3 r\u00fat ng\u1eafn xu\u1ed1ng trung b\u00ecnh ch\u1ec9 c\u00f2n n\u0103m ng\u00e0y<\/strong> v\u00e0o n\u0103m 2024, gi\u1ea3m t\u1eeb 32 ng\u00e0y trong nh\u1eefng n\u0103m tr\u01b0\u1edbc. \u0110i\u1ec1u n\u00e0y khi\u1ebfn c\u00e1c chu k\u1ef3 v\u00e1 l\u1ed7i truy\u1ec1n th\u1ed1ng h\u00e0ng th\u00e1ng tr\u1edf n\u00ean l\u1ed7i th\u1eddi m\u1ed9t c\u00e1ch nguy hi\u1ec3m.<\/p> S\u1ef1 t\u0103ng t\u1ed1c n\u00e0y ph\u1ea3n \u00e1nh c\u00e1c quy tr\u00ecnh t\u1ef1 \u0111\u1ed9ng h\u00f3a tinh vi \u0111\u01b0\u1ee3c tri\u1ec3n khai b\u1edfi c\u00e1c nh\u00f3m, nh\u00e0 cung c\u1ea5p ph\u1ea7n m\u1ec1m gi\u00e1m s\u00e1t th\u01b0\u01a1ng m\u1ea1i (CSVs) v\u00e0 c\u00e1c nh\u00f3m ransomware cao c\u1ea5p, nh\u1eefng \u0111\u1ed1i t\u01b0\u1ee3ng \u0111\u00e3 c\u00f4ng nghi\u1ec7p h\u00f3a quy tr\u00ecnh khai th\u00e1c.<\/p> C\u00e1c l\u1ed7 h\u1ed5ng zero-click<\/strong>, t\u1eebng ch\u1ec9 d\u00e0nh cho nh\u1eefng \u0111\u1ed1i t\u01b0\u1ee3ng tinh hoa trong ho\u1ea1t \u0111\u1ed9ng gi\u00e1n \u0111i\u1ec7p m\u1ea1ng, \u0111\u00e3 tr\u1edf th\u00e0nh v\u0169 kh\u00ed \u0111\u01b0\u1ee3c l\u1ef1a ch\u1ecdn tr\u00ean to\u00e0n b\u1ed9 ph\u1ed5 m\u1ed1i \u0111e d\u1ecda, bao g\u1ed3m c\u1ea3 ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p nh\u01b0 Pegasus.<\/p> H\u1ec7 sinh th\u00e1i c\u1ee7a Apple, t\u1eeb l\u00e2u \u0111\u01b0\u1ee3c coi l\u00e0 m\u1ed9t ph\u00e1o \u0111\u00e0i an ninh, \u0111\u00e3 ph\u1ea3i \u0111\u1ed1i m\u1eb7t v\u1edbi c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng kh\u00f4ng ng\u1eebng trong su\u1ed1t n\u0103m 2025.<\/p> L\u1ed7 h\u1ed5ng CVE-2025-43300<\/strong>, \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 v\u00e0o th\u00e1ng 8, ti\u1ebft l\u1ed9 m\u1ed9t l\u1ed7 h\u1ed5ng ghi ngo\u00e0i gi\u1edbi h\u1ea1n (out-of-bounds write) nghi\u00eam tr\u1ecdng trong framework ImageIO, \u1ea3nh h\u01b0\u1edfng \u0111\u1ebfn iOS, iPadOS v\u00e0 macOS. L\u1ed7i n\u00e0y cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa kh\u00f4ng y\u00eau c\u1ea7u t\u01b0\u01a1ng t\u00e1c (remote code execution<\/strong> zero-click) th\u00f4ng qua c\u00e1c h\u00ecnh \u1ea3nh DNG \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c g\u1eedi qua c\u00e1c \u1ee9ng d\u1ee5ng nh\u1eafn tin, kh\u00f4ng \u0111\u00f2i h\u1ecfi b\u1ea5t k\u1ef3 t\u01b0\u01a1ng t\u00e1c n\u00e0o c\u1ee7a ng\u01b0\u1eddi d\u00f9ng. \u0110\u1ec3 t\u00ecm hi\u1ec3u th\u00eam v\u1ec1 ph\u00e2n t\u00edch b\u1ea3n v\u00e1, tham kh\u1ea3o ph\u00e2n t\u00edch c\u1ee7a Quarkslab<\/a>.<\/p> L\u1ed7 h\u1ed5ng n\u00e0y tr\u1edf n\u00ean \u0111\u1eb7c bi\u1ec7t nguy hi\u1ec3m khi \u0111\u01b0\u1ee3c k\u1ebft h\u1ee3p v\u1edbi CVE-2025-55177<\/strong>, m\u1ed9t l\u1ed7 h\u1ed5ng WhatsApp li\u00ean quan \u0111\u1ebfn vi\u1ec7c \u1ee7y quy\u1ec1n kh\u00f4ng \u0111\u1ea7y \u0111\u1ee7 c\u00e1c tin nh\u1eafn \u0111\u1ed3ng b\u1ed9 h\u00f3a thi\u1ebft b\u1ecb \u0111\u00e3 li\u00ean k\u1ebft.<\/p> C\u00f9ng v\u1edbi nhau, c\u00e1c khai th\u00e1c n\u00e0y \u0111\u00e3 h\u00ecnh th\u00e0nh m\u1ed9t chu\u1ed7i t\u1ea5n c\u00f4ng zero-click exploit<\/strong> t\u00e0n kh\u1ed1c, nh\u1eafm m\u1ee5c ti\u00eau v\u00e0o c\u00e1c nh\u00e0 b\u00e1o v\u00e0 nh\u00e0 ho\u1ea1t \u0111\u1ed9ng x\u00e3 h\u1ed9i tr\u00ean kh\u1eafp ch\u00e2u \u00c2u v\u00e0 Trung \u0110\u00f4ng. WhatsApp x\u00e1c nh\u1eadn r\u1eb1ng ch\u01b0a \u0111\u1ebfn 200 ng\u01b0\u1eddi d\u00f9ng<\/strong> \u0111\u00e3 b\u1ecb nh\u1eafm m\u1ee5c ti\u00eau trong c\u00e1c chi\u1ebfn d\u1ecbch ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p tinh vi, bao g\u1ed3m c\u1ea3 nh\u1eefng ng\u01b0\u1eddi b\u1ea3o v\u1ec7 nh\u00e2n quy\u1ec1n v\u00e0 chuy\u00ean gia truy\u1ec1n th\u00f4ng. Th\u00f4ng tin chi ti\u1ebft c\u00f3 t\u1ea1i b\u00e0i vi\u1ebft c\u1ee7a Fieldeffect<\/a>.<\/p> Ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p Graphite c\u1ee7a Paragon Solutions \u0111\u00e3 khai th\u00e1c CVE-2025-43200<\/strong>, m\u1ed9t l\u1ed7i logic trong iOS cho ph\u00e9p c\u00e1c \u1ea3nh ho\u1eb7c video \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1ed9c h\u1ea1i chia s\u1ebb qua iCloud Links k\u00edch ho\u1ea1t remote code execution<\/strong> m\u00e0 kh\u00f4ng y\u00eau c\u1ea7u t\u01b0\u01a1ng t\u00e1c ng\u01b0\u1eddi d\u00f9ng.<\/p> Ph\u00e2n t\u00edch ph\u00e1p y c\u1ee7a Citizen Lab \u0111\u00e3 x\u00e1c nh\u1eadn v\u1edbi \u0111\u1ed9 tin c\u1eady cao r\u1eb1ng c\u00e1c nh\u00e0 b\u00e1o ch\u00e2u \u00c2u \u0111\u00e3 b\u1ecb x\u00e2m ph\u1ea1m khi \u0111ang s\u1eed d\u1ee5ng iOS 18.2.1, m\u1ed9t h\u1ec7 th\u1ed1ng \u0111\u01b0\u1ee3c c\u1eadp nh\u1eadt \u0111\u1ea7y \u0111\u1ee7 t\u1ea1i th\u1eddi \u0111i\u1ec3m l\u00e2y nhi\u1ec5m. Apple \u0111\u00e3 v\u00e1 l\u1ed7 h\u1ed5ng n\u00e0y trong iOS 18.3.1, nh\u01b0ng vi\u1ec7c c\u00f4ng khai ch\u1eadm tr\u1ec5 cho \u0111\u1ebfn th\u00e1ng 6 n\u0103m 2025 \u0111\u00e3 l\u00e0m n\u1ed5i b\u1eadt \u0111\u1ed9ng l\u1ef1c m\u00e8o v\u1eddn chu\u1ed9t c\u1ee7a chi\u1ebfn tranh m\u1ea1ng hi\u1ec7n \u0111\u1ea1i. Xem th\u00eam t\u1ea1i b\u00e1o c\u00e1o c\u1ee7a Citizen Lab<\/a>.<\/p> L\u1ed7 h\u1ed5ng NICKNAME, \u0111\u01b0\u1ee3c iVerify ph\u00e1t hi\u1ec7n v\u00e0o th\u00e1ng 6 n\u0103m 2025, \u0111\u00e3 ph\u01a1i b\u00e0y m\u1ed9t l\u1ed7i h\u1ecfng b\u1ed9 nh\u1edb s\u1eed d\u1ee5ng sau khi gi\u1ea3i ph\u00f3ng (use-after-free) trong ti\u1ebfn tr\u00ecnh imagent c\u1ee7a iOS.<\/p> \u0110\u01b0\u1ee3c k\u00edch ho\u1ea1t b\u1edfi c\u00e1c b\u1ea3n c\u1eadp nh\u1eadt bi\u1ec7t danh g\u1eedi li\u00ean t\u1ee5c qua iMessage, zero-click exploit<\/strong> n\u00e0y xu\u1ea5t hi\u1ec7n trong ch\u01b0a \u0111\u1ebfn 0.001%<\/strong> nh\u1eadt k\u00fd s\u1ef1 c\u1ed1 nh\u01b0ng l\u1ea1i \u1ea3nh h\u01b0\u1edfng kh\u00f4ng c\u00e2n x\u1ee9ng \u0111\u1ebfn c\u00e1c c\u00e1 nh\u00e2n n\u1ed5i b\u1eadt, bao g\u1ed3m c\u00e1c nh\u00e2n v\u1eadt ch\u00ednh tr\u1ecb, nh\u00e0 b\u00e1o v\u00e0 gi\u00e1m \u0111\u1ed1c \u0111i\u1ec1u h\u00e0nh c\u00f4ng ty AI. M\u1eb7c d\u00f9 Apple \u0111\u00e3 v\u00e1 l\u1ed7i n\u00e0y trong iOS 18.3, b\u1eb1ng ch\u1ee9ng ph\u00e1p y cho th\u1ea5y s\u1ef1 khai th\u00e1c t\u00edch c\u1ef1c nh\u1eafm m\u1ee5c ti\u00eau v\u00e0o c\u00e1c c\u00e1 nh\u00e2n li\u00ean quan \u0111\u1ebfn c\u00e1c ho\u1ea1t \u0111\u1ed9ng \u0111i ng\u01b0\u1ee3c l\u1ea1i l\u1ee3i \u00edch. Th\u00f4ng tin t\u1eeb blog iVerify<\/a>.<\/p> C\u00e1c thi\u1ebft b\u1ecb Samsung Galaxy c\u0169ng kh\u00f4ng \u0111\u01b0\u1ee3c mi\u1ec5n tr\u1eeb. CVE-2025-21042<\/strong>, b\u1ecb khai th\u00e1c nh\u01b0 m\u1ed9t l\u1ed7 h\u1ed5ng zero-day tr\u01b0\u1edbc b\u1ea3n v\u00e1 th\u00e1ng 4 n\u0103m 2025 c\u1ee7a Samsung, \u0111\u00e3 ph\u00e2n ph\u1ed1i ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p LANDFALL th\u00f4ng qua c\u00e1c t\u1ec7p h\u00ecnh \u1ea3nh DNG \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c g\u1eedi qua WhatsApp.<\/p> Ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p Android c\u1ea5p th\u01b0\u01a1ng m\u1ea1i n\u00e0y nh\u1eafm m\u1ee5c ti\u00eau v\u00e0o c\u00e1c thi\u1ebft b\u1ecb h\u00e0ng \u0111\u1ea7u, bao g\u1ed3m d\u00f2ng Galaxy S22-S24, cho ph\u00e9p c\u00e1c kh\u1ea3 n\u0103ng gi\u00e1m s\u00e1t to\u00e0n di\u1ec7n, bao g\u1ed3m ghi \u00e2m cu\u1ed9c g\u1ecdi, theo d\u00f5i v\u1ecb tr\u00ed v\u00e0 r\u00f2 r\u1ec9 tin nh\u1eafn, t\u1ea5t c\u1ea3 \u0111\u1ec1u kh\u00f4ng c\u00f3 s\u1ef1 nh\u1eadn bi\u1ebft c\u1ee7a ng\u01b0\u1eddi d\u00f9ng.<\/p> Trong khi c\u00e1c n\u1ec1n t\u1ea3ng di \u0111\u1ed9ng th\u1ed1ng tr\u1ecb c\u00e1c ti\u00eau \u0111\u1ec1, c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng doanh nghi\u1ec7p n\u1ed5i l\u00ean nh\u01b0 m\u1ed9t \u0111\u1ecba \u0111i\u1ec3m s\u0103n t\u00ecm \u01b0a th\u00edch c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng.<\/p> CVE-2025-21298<\/strong>, m\u1ed9t l\u1ed7 h\u1ed5ng CVE<\/strong> Windows OLE v\u1edbi \u0111i\u1ec3m CVSS l\u00e0 9.8<\/strong>, \u0111\u00e3 cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa kh\u00f4ng y\u00eau c\u1ea7u t\u01b0\u01a1ng t\u00e1c (zero-click remote code execution<\/strong>) th\u00f4ng qua c\u00e1c t\u00e0i li\u1ec7u RTF \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1eb7c bi\u1ec7t trong Microsoft Outlook.<\/p> Khi n\u1ea1n nh\u00e2n m\u1edf ho\u1eb7c th\u1eadm ch\u00ed xem tr\u01b0\u1edbc c\u00e1c email \u0111\u1ed9c h\u1ea1i, l\u1ed7 h\u1ed5ng s\u1ebd t\u1ef1 \u0111\u1ed9ng k\u00edch ho\u1ea1t, c\u1ea5p cho k\u1ebb t\u1ea5n c\u00f4ng to\u00e0n quy\u1ec1n truy c\u1eadp h\u1ec7 th\u1ed1ng. Xem chi ti\u1ebft t\u1ea1i blog c\u1ee7a Offensive Security<\/a>.<\/p> H\u1ec7 sinh th\u00e1i AI c\u1ee7a Microsoft c\u0169ng kh\u00f4ng mi\u1ec5n nhi\u1ec5m. CVE-2025-32711<\/strong>, \u0111\u01b0\u1ee3c \u0111\u1eb7t t\u00ean l\u00e0 EchoLeak, \u0111\u1ea1i di\u1ec7n cho l\u1ed7 h\u1ed5ng zero-click \u0111\u1ea7u ti\u00ean ch\u1ed1ng l\u1ea1i m\u1ed9t t\u00e1c nh\u00e2n AI.<\/p> \u0110\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong Microsoft 365 Copilot, l\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng n\u00e0y (CVSS 9.3<\/strong>) cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u t\u1ed5 ch\u1ee9c nh\u1ea1y c\u1ea3m ch\u1ec9 b\u1eb1ng c\u00e1ch g\u1eedi m\u1ed9t email \u0111\u01b0\u1ee3c t\u1ea1o \u0111\u1ed9c h\u1ea1i, kh\u00f4ng c\u1ea7n ng\u01b0\u1eddi d\u00f9ng nh\u1ea5p v\u00e0o.<\/p> L\u1ed7 h\u1ed5ng \u0111\u00e3 khai th\u00e1c c\u00e1ch c\u00f4ng c\u1ee5 t\u1ea1o ph\u1ea3n h\u1ed3i t\u0103ng c\u01b0\u1eddng truy xu\u1ea5t (retrieval-augmented generation engine) c\u1ee7a Copilot tr\u1ed9n l\u1eabn \u0111\u1ea7u v\u00e0o b\u00ean ngo\u00e0i kh\u00f4ng \u0111\u00e1ng tin c\u1eady v\u1edbi d\u1eef li\u1ec7u n\u1ed9i b\u1ed9 c\u00f3 \u0111\u1eb7c quy\u1ec1n, t\u1ea1o ra m\u1ed9t con \u0111\u01b0\u1eddng r\u00f2 r\u1ec9 d\u1eef li\u1ec7u t\u1ef1 \u0111\u1ed9ng th\u00f4ng qua c\u00e1c tham chi\u1ebfu h\u00ecnh \u1ea3nh nh\u00fang.<\/p> \u0110\u1eb7c bi\u1ec7t, t\u00e1c nh\u00e2n Deep Research c\u1ee7a OpenAI ChatGPT \u0111\u00e3 tr\u1edf th\u00e0nh n\u1ea1n nh\u00e2n c\u1ee7a ShadowLeak, m\u1ed9t l\u1ed7 h\u1ed5ng zero-click ph\u00eda m\u00e1y ch\u1ee7 cho ph\u00e9p \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u Gmail m\u1ed9t c\u00e1ch \u00e2m th\u1ea7m.<\/p> Khi \u0111\u01b0\u1ee3c k\u1ebft n\u1ed1i v\u1edbi Gmail v\u00e0 duy\u1ec7t web, m\u1ed9t email \u0111\u1ed9c h\u1ea1i duy nh\u1ea5t ch\u1ee9a c\u00e1c l\u1ec7nh ti\u00eam l\u1eddi nh\u1eafc \u1ea9n (hidden prompt injection commands) c\u00f3 th\u1ec3 k\u00edch ho\u1ea1t t\u00e1c nh\u00e2n AI t\u1ef1 \u0111\u1ed9ng \u0111\u00e1nh c\u1eafp th\u00f4ng tin h\u1ed9p th\u01b0 \u0111\u1ebfn nh\u1ea1y c\u1ea3m tr\u1ef1c ti\u1ebfp t\u1eeb c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng \u0111\u00e1m m\u00e2y c\u1ee7a OpenAI, kh\u00f4ng \u0111\u1ec3 l\u1ea1i d\u1ea5u v\u1ebft m\u1ea1ng n\u00e0o cho c\u00e1c bi\u1ec7n ph\u00e1p ph\u00f2ng th\u1ee7 doanh nghi\u1ec7p ph\u00e1t hi\u1ec7n.<\/p> Giao th\u1ee9c AirPlay c\u1ee7a Apple ch\u1ee9a m\u1ed9t h\u1ecd g\u1ed3m 17 l\u1ed7 h\u1ed5ng<\/strong> \u0111\u01b0\u1ee3c g\u1ecdi chung l\u00e0 AirBorne. S\u1ef1 k\u1ebft h\u1ee3p nguy hi\u1ec3m nh\u1ea5t c\u1ee7a CVE-2025-24252<\/strong> v\u00e0 CVE-2025-24206<\/strong> cho ph\u00e9p th\u1ef1c thi m\u00e3 t\u1eeb xa kh\u00f4ng y\u00eau c\u1ea7u t\u01b0\u01a1ng t\u00e1c (zero-click remote code execution<\/strong>) tr\u00ean c\u00e1c thi\u1ebft b\u1ecb macOS \u0111\u01b0\u1ee3c k\u1ebft n\u1ed1i c\u00f9ng m\u1ea1ng.<\/p> \u0110i\u1ec1u l\u00e0m cho nh\u1eefng l\u1ed7 h\u1ed5ng n\u00e0y \u0111\u1eb7c bi\u1ec7t \u0111\u00e1ng s\u1ee3 l\u00e0 b\u1ea3n ch\u1ea5t c\u00f3 kh\u1ea3 n\u0103ng l\u00e2y lan (wormable) c\u1ee7a ch\u00fang: m\u00e3 \u0111\u1ed9c c\u00f3 th\u1ec3 t\u1ef1 \u0111\u1ed9ng lan truy\u1ec1n t\u1eeb thi\u1ebft b\u1ecb n\u00e0y sang thi\u1ebft b\u1ecb kh\u00e1c m\u00e0 kh\u00f4ng c\u1ea7n b\u1ea5t k\u1ef3 t\u01b0\u01a1ng t\u00e1c n\u00e0o c\u1ee7a con ng\u01b0\u1eddi.<\/p> CVE-2025-24132<\/strong> \u0111\u00e3 m\u1edf r\u1ed9ng m\u1ed1i \u0111e d\u1ecda n\u00e0y sang c\u00e1c thi\u1ebft b\u1ecb c\u1ee7a b\u00ean th\u1ee9 ba s\u1eed d\u1ee5ng AirPlay SDK, bao g\u1ed3m loa th\u00f4ng minh v\u00e0 h\u1ec7 th\u1ed1ng CarPlay.<\/p> L\u1ed7 h\u1ed5ng React2Shell (CVE-2025-55182<\/strong>) \u0111\u00e3 nh\u1eadn \u0111\u01b0\u1ee3c \u0111i\u1ec3m CVSS ho\u00e0n h\u1ea3o l\u00e0 10.0<\/strong>, cho th\u1ea5y m\u1ed9t l\u1ed7i th\u1ef1c thi m\u00e3 t\u1eeb xa kh\u00f4ng x\u00e1c th\u1ef1c, nghi\u00eam tr\u1ecdng trong React Server Components v\u00e0 Next.js. Xem ph\u00e2n t\u00edch chi ti\u1ebft c\u1ee7a Cymulate<\/a>.<\/p> \u1ea2nh h\u01b0\u1edfng \u0111\u1ebfn c\u00e1c phi\u00ean b\u1ea3n React 19.x v\u00e0 Next.js 15.x\/16.x, l\u1ed7 h\u1ed5ng kh\u1eed tu\u1ea7n t\u1ef1 h\u00f3a kh\u00f4ng an to\u00e0n n\u00e0y cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng th\u1ef1c thi m\u00e3 t\u00f9y \u00fd th\u00f4ng qua m\u1ed9t y\u00eau c\u1ea7u HTTP \u0111\u1ed9c h\u1ea1i duy nh\u1ea5t, l\u00e0m x\u00e2m nh\u1eadp h\u00e0ng tr\u0103m m\u00e1y m\u00f3c tr\u00ean c\u00e1c t\u1ed5 ch\u1ee9c \u0111a d\u1ea1ng.<\/p> C\u00e1c nh\u00e0 cung c\u1ea5p ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p th\u01b0\u01a1ng m\u1ea1i \u0111\u00e3 ho\u1ea1t \u0111\u1ed9ng nh\u01b0 c\u00e1c \u0111\u1ed9ng c\u01a1 ph\u1ed5 bi\u1ebfn trong su\u1ed1t n\u0103m 2025, h\u1ea1 th\u1ea5p r\u00e0o c\u1ea3n \u0111\u1ed1i v\u1edbi c\u00e1c kh\u1ea3 n\u0103ng zero-click exploit<\/strong> tinh vi.<\/p> Ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p Pegasus c\u1ee7a NSO Group ti\u1ebfp t\u1ee5c ph\u00e1t tri\u1ec3n v\u1edbi c\u00e1c ph\u01b0\u01a1ng ph\u00e1p zero-click, m\u1eb7c d\u00f9 c\u00e1c nh\u00e0 \u0111i\u1ec1u h\u00e0nh c\u1ee7a n\u00f3 ph\u1ea3i \u0111\u1ed1i m\u1eb7t v\u1edbi h\u1eadu qu\u1ea3 ph\u00e1p l\u00fd bao g\u1ed3m kho\u1ea3n ph\u1ea1t 167 tri\u1ec7u \u0111\u00f4 la<\/strong> t\u1eeb WhatsApp.<\/p> N\u1ec1n t\u1ea3ng Graphite c\u1ee7a Paragon \u0111\u00e3 ch\u1ee9ng minh r\u1eb1ng nhi\u1ec1u nh\u00e0 cung c\u1ea5p th\u01b0\u01a1ng m\u1ea1i hi\u1ec7n s\u1edf h\u1eefu kh\u1ea3 n\u0103ng khai th\u00e1c zero-click iPhone, l\u00e0m thay \u0111\u1ed5i c\u01a1 b\u1ea3n b\u1ed1i c\u1ea3nh m\u1ed1i \u0111e d\u1ecda cho c\u00e1c m\u1ee5c ti\u00eau c\u00f3 gi\u00e1 tr\u1ecb cao. Th\u00eam th\u00f4ng tin t\u1ea1i Infosecurity Magazine<\/a>.<\/p> N\u0103m 2025 \u0111\u00e3 mang l\u1ea1i nh\u1eefng b\u00e0i h\u1ecdc kh\u1eafc nghi\u1ec7t.<\/p> C\u00e1c t\u1ed5 ch\u1ee9c ph\u1ea3i \u00e1p d\u1ee5ng v\u00e1 l\u1ed7i d\u1ef1a tr\u00ean r\u1ee7i ro, \u01b0u ti\u00ean c\u00e1c l\u1ed7 h\u1ed5ng CVE<\/strong> b\u1ecb khai th\u00e1c t\u00edch c\u1ef1c. \u0110\u1ed3ng th\u1eddi, c\u1ea7n tri\u1ec3n khai ki\u1ebfn tr\u00fac zero-trust<\/strong> gi\u1edbi h\u1ea1n chuy\u1ec3n \u0111\u1ed9ng ngang, tri\u1ec3n khai ph\u00e2n t\u00edch h\u00e0nh vi \u0111\u1ec3 ph\u00e1t hi\u1ec7n c\u00e1c ho\u1ea1t \u0111\u1ed9ng sau x\u00e2m nh\u1eadp, v\u00e0 k\u00edch ho\u1ea1t c\u00e1c bi\u1ec7n ph\u00e1p b\u1ea3o v\u1ec7 d\u00e0nh ri\u00eang cho n\u1ec1n t\u1ea3ng, ch\u1eb3ng h\u1ea1n nh\u01b0 Ch\u1ebf \u0111\u1ed9 Kh\u00f3a iOS (iOS Lockdown Mode), cho ng\u01b0\u1eddi d\u00f9ng c\u00f3 r\u1ee7i ro cao.<\/p> Khi ch\u00fang ta kh\u00e9p l\u1ea1i n\u0103m 2025, th\u00f4ng \u0111i\u1ec7p l\u00e0 kh\u00f4ng th\u1ec3 nh\u1ea7m l\u1eabn: c\u00e1c zero-click exploit<\/strong> \u0111\u00e3 chuy\u1ec3n \u0111\u1ed5i t\u1eeb c\u00f4ng c\u1ee5 gi\u00e1n \u0111i\u1ec7p tinh hoa th\u00e0nh c\u00e1c vector t\u1ea5n c\u00f4ng ch\u1ee7 \u0111\u1ea1o.<\/p> C\u00e1c t\u00ednh n\u0103ng ti\u1ec7n l\u1ee3i h\u1ed7 tr\u1ee3 cu\u1ed9c s\u1ed1ng s\u1ed1 c\u1ee7a ch\u00fang ta \u2013 ph\u00e2n t\u00edch tin nh\u1eafn t\u1ef1 \u0111\u1ed9ng, x\u1eed l\u00fd giao th\u1ee9c li\u1ec1n m\u1ea1ch v\u00e0 c\u00e1c t\u00e1c nh\u00e2n AI th\u00f4ng minh \u2013 \u0111\u00e3 tr\u1edf th\u00e0nh con dao hai l\u01b0\u1ee1i.<\/p> Ph\u00f2ng th\u1ee7 ch\u1ed1ng l\u1ea1i th\u1ef1c t\u1ebf m\u1edbi n\u00e0y \u0111\u00f2i h\u1ecfi ph\u1ea3i suy ngh\u0129 l\u1ea1i v\u1ec1 b\u1ea3o m\u1eadt t\u1eeb c\u00e1c nguy\u00ean t\u1eafc c\u01a1 b\u1ea3n, n\u01a1i l\u00f2ng tin \u0111\u01b0\u1ee3c x\u00e1c minh li\u00ean t\u1ee5c v\u00e0 m\u1ecdi quy tr\u00ecnh t\u1ef1 \u0111\u1ed9ng \u0111\u1ec1u \u0111\u01b0\u1ee3c coi l\u00e0 m\u1ed9t vector t\u1ea5n c\u00f4ng ti\u1ec1m n\u0103ng.<\/p>S\u1ef1 Ti\u1ebfn H\u00f3a c\u1ee7a Khai Th\u00e1c Kh\u00f4ng Y\u00eau C\u1ea7u T\u01b0\u01a1ng T\u00e1c (Zero-Click Exploits)<\/h2>
\u0110\u1ecbnh Ngh\u0129a v\u00e0 T\u00e1c \u0110\u1ed9ng<\/h3>
Th\u1ed1ng K\u00ea L\u1ed7 H\u1ed5ng v\u00e0 Th\u1eddi Gian Khai Th\u00e1c<\/h3>
C\u00e1c L\u1ed7 H\u1ed5ng Zero-Click N\u1ed5i B\u1eadt N\u0103m 2025 tr\u00ean N\u1ec1n T\u1ea3ng Di \u0110\u1ed9ng<\/h2>
H\u1ec7 Sinh Th\u00e1i Apple: iOS v\u00e0 macOS<\/h3>
CVE-2025-43300<\/strong> v\u00e0 Chu\u1ed7i T\u1ea5n C\u00f4ng WhatsApp<\/h4>
CVE-2025-43200<\/strong> v\u00e0 Ph\u1ea7n M\u1ec1m Gi\u00e1n \u0110i\u1ec7p Graphite<\/h4>
L\u1ed7 H\u1ed5ng NICKNAME (imagent process)<\/h4>
Thi\u1ebft B\u1ecb Samsung Galaxy: CVE-2025-21042<\/strong> v\u00e0 LANDFALL Spyware<\/h3>
Khai Th\u00e1c Zero-Click tr\u00ean H\u1ea1 T\u1ea7ng Doanh Nghi\u1ec7p v\u00e0 AI<\/h2>
Microsoft Outlook: CVE-2025-21298<\/strong><\/h3>
H\u1ec7 Sinh Th\u00e1i AI: EchoLeak (Microsoft 365 Copilot) v\u00e0 ShadowLeak (ChatGPT)<\/h3>
Giao Th\u1ee9c Apple AirPlay: D\u00f2ng L\u1ed7 H\u1ed5ng AirBorne<\/h3>
CVE-2025-55182<\/strong>: Khai Th\u00e1c React2Shell v\u1edbi CVSS 10.0<\/h2>
Vai Tr\u00f2 c\u1ee7a C\u00e1c Nh\u00e0 Cung C\u1ea5p Ph\u1ea7n M\u1ec1m Gi\u00e1n \u0110i\u1ec7p Th\u01b0\u01a1ng M\u1ea1i<\/h2>
C\u00e1c B\u00e0i H\u1ecdc v\u00e0 Bi\u1ec7n Ph\u00e1p Ph\u00f2ng Ng\u1eeba<\/h2>
T\u1ed1c \u0110\u1ed9 V\u00e1 L\u1ed7i v\u00e0 Ki\u1ebfn Tr\u00fac Zero-Trust<\/h3>
C\u01a1 Ch\u1ebf Ph\u00f2ng Th\u1ee7 Chuy\u00ean Bi\u1ec7t<\/h3>