Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone - Related to active, cms, hack, unlock, police

Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone

A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, .

"The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization stated, adding the traces of the exploit were discovered in a separate case in mid-2024.

The vulnerability in question is CVE-2024-53104 (CVSS score: [website], a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. A patch for the flaw was addressed in the Linux kernel in December 2024. It was subsequently addressed in Android earlier this month.

It's believed that CVE-2024-53104 was combined with two other flaws – CVE-2024-53197 and CVE-2024-50302 – both of which have been resolved in the Linux kernel. They are yet to be included in an Android Security Bulletin.

CVE-2024-53197 (CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices.

(CVSS score: N/A) - An out-of-bounds access vulnerability for Extigy and Mbox devices CVE-2024-50302 (CVSS score: [website] - A use of an uninitialized resource vulnerability that could be used to leak kernel memory.

"The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device," Amnesty presented.

"This case highlights how real-world attackers are exploiting Android's USB attack surface, taking advantage of the broad range of legacy USB kernel drivers supported in the Linux kernel."

The activist, who has been given the name "Vedran" to protect their privacy, was taken to a police station and his phone confiscated on December 25, 2024, after he attended a student protest in Belgrade.

Amnesty's analysis found that the exploit was used to unlock his Samsung Galaxy A32 and that the authorities attempted to install an unknown Android application. While the exact nature of the Android app remains unclear, the modus operandi is consistent with that of prior NoviSpy spyware infections reported in mid-December 2024.

Earlier this week, Cellebrite introduced its tools are not designed to facilitate any type of offensive cyber activity and that it works actively to curtail the misuse of its technology.

The Israeli enterprise also expressed it will no longer allow Serbia to use its software, stating "we found it appropriate to stop the use of our products by the relevant consumers at this time."

The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of dat......

Microsoft on Thursday unmasked four of the individuals that it mentioned were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized......

A dataset used to train large language models (LLMs) has been found to contain nearly 12,000 live secrets, which allow for successful authentication.

CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

A high-severity security flaw impacting the Craft content management system (CMS) has been added by the [website] Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability in question is CVE-2025-23209 (CVSS score: [website], which impacts Craft CMS versions 4 and 5. It was addressed by the project maintainers in late December 2024 in versions [website] and [website].

"Craft CMS contains a code injection vulnerability that allows for remote code execution as vulnerable versions have compromised user security keys," the agency introduced.

The vulnerability affects the following version of the software -.

In an advisory released on GitHub, Craft CMS noted that all unpatched versions of Craft with a compromised security key are impacted by the security defect.

"If you can't enhancement to a patched version, then rotating your security key and ensuring its privacy will help to mitigate the issue," it noted.

It's currently not clear how the user security keys were compromised, and in what context. To alleviate the risk posed by the vulnerability, it's recommended that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by March 13, 2025.

In December 2024, Craft CMS warned of active exploitation of another security flaw (CVE-2024-56145) that could result in remote code execution when PHP `register_argc_argv` config setting is enabled. The vulnerability is yet to be added to CISA's KEV catalog.

The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Ste......

Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's con......

Die kriminelle Online-Bande Cl0p ist für das Kopieren von Daten von Unternehmen und die darauf folgende Erpressung mit der Datenveröffentlichung bekan......

Serbian police used Cellebrite zero-day hack to unlock Android phones

Serbian authorities have reportedly used an Android zero-day exploit chain developed by Cellebrite to unlock the device of a student activist in the country and attempt to install spyware.

Cellebrite is an Israeli digital forensics organization that develops tools used by law enforcement, intelligence agencies, and private companies to extract data from smartphones and other digital devices.

Companies like Cellebrite commonly utilize zero-day exploits to access and extract data usually protected on locked phones.

The use of this Android exploit was found by Amnesty International's Security Lab in mid-2024 during forensic research on the logs of the impacted device.

The organization previously reported on cases of privacy rights abuse in Serbia in December 2024. In response to the revelations, Cellebrite presented it blocked access to its tools for the country's security services (BIA) earlier this week.

After Amnesty shared its findings with Google's Threat Analysis Group (TAG), Google's researchers were able to pinpoint three vulnerabilities in the Linux kernel USB drivers, also used in Android, that were exploited as zero-days.

CVE-2024-53104 (USB Video Class exploit).

(USB Video Class exploit) CVE-2024-53197 (ALSA USB-sound driver exploit).

(ALSA USB-sound driver exploit) CVE-2024-50302 (USB HID device exploit).

The first flaw was patched in Google's February 2025 Android security updates, marked as "under limited, targeted exploitation."

The other two flaws have not been revealed as fixed in any Android security improvement bulletins yet, and depending on the device model and how often manufacturers improvement its kernel, it might take a while.

Head of Security Lab at Amnesty, Donncha O'Cearbhaill, told BleepingComputer that patching CVE-2024-53104 might be enough to disrupt the whole exploitation chain, although they cannot be certain about it yet.

GrapheneOS told BleepingComputer that their Android distribution already has patches for CVE-2024-53197 and CVE-2024-50302 because they regularly enhancement the latest Linux kernel.

BleepingComputer asked Google when fixes for the two flaws would become available to all Android people, but we are still awaiting a response.

USB exploits commonly take advantage of vulnerabilities in a device's USB system, such as the drivers, firmware, or kernel components, to gain unauthorized access or control over the system.

The exploit may achieve memory corruption for arbitrary code execution, inject malicious commands, or bypass lock screens.

One mitigating factor is that they require physical access to the target device. In this case, and many other similar cases, this requirement was easily fulfilled by the police detaining the person and confiscating their device.

In April 2024, Google fixed two zero-day flaws (CVE-2024-29745 and CVE-2024-29748) forensic firms exploited to unlock phones without a PIN, implementing memory zeroing before USB is enabled.

Earlier this month, Apple fixed a zero day (CVE-2025-24200) Cellebrite and GrayKey leveraged for bypassing USB Restricted Mode to extract data from iPhones.

Stock Android does not have a direct equivalent to Apple's USB Restricted Mode. However, users can still mitigate the threat by turning off USB debugging (ADB), setting the cable connectivity mode to "Charge Only," and enabling Full Disk Encryption (Settings → Security & privacy → More security & privacy → Encryption & credentials → Encrypt phone).

Es sind wichtige Sicherheitspatches für die Softwareentwicklungsplattform Gitlab erschienen. Insgesamt haben die Entwickler fünf Lücken geschlossen.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks......

Die kriminelle Online-Bande Cl0p ist für das Kopieren von Daten von Unternehmen und die darauf folgende Erpressung mit der Datenveröffentlichung bekan......