Here are the most relevant headlines of the week, download our full report and take note:

GitHub exposes its RSA SSH host key by mistake

GitHub announced last Friday that they had replaced their RSA SSH host key used to protect Git operations.

Apple fixes an actively exploited 0-day

Apple has released security updates fixing an actively exploited 0-day vulnerability in older iPhone, macOS, and iPad devices.
Flaw identified as CVE-2023-23529 is a WebKit-type confusion bug, which has a CVSS of 8.8

Supply chain attack via 3XC video conferencing platform

Researchers from various security firms such as SentinelOne, Sophos y CrowdStrike have warned of a supply chain attack via the 3CX video conferencing program.

Analysis of campaigns exploiting 0-days on Android, iOS and Chrome

Google’s Threat Analysis Group has shared details about two campaigns that used 0-day exploits against Android, iOS, and Chrome.
First campaign: 0-day exploit strings targeting Android and iOS were detected and distributed via shortened links sent via SMS: Vulnerability, already fixed in 2022, which affected iOS in versions prior to 15.1, is identified as CVE-2022-42856 and CVSS 8.8 (type confusion bug in the JIT compiler).
More about this campaign:  Vulnerability CVE-2021-30900, with CVSS 7.8, also fixed.
As for the bugs, all fixed:
CVE-2022-3723 (CVSS 8.8), type confusion in Chrome; 
CVE-2022-4135 (CVSS 9.6), buffer overflow in Chrome’s GPU;  
CVE-2022-38181 (CVSS 8.8), privilege escalation.

Second campaign: targeting devices in the United Arab Emirates via SMS, consisting of several 0-days and n-days targeting Samsung’s web browser.
Link exploits vulnerabilities CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 and CVE-2023-0266.