Android, WinRAR, WordPress Kirki: Three critical zero-days under active exploitation
ID: 5f1a69dc-22ab-5d03-a2a8-fe38d2a2297b
STIX ID: report--5f1a69dc-22ab-5d03-a2a8-fe38d2a2297b
Feed Name: defend.network – Daily Threat Briefings
**Executive Summary:** This briefing reports multiple high-severity, actively exploited threats: an Android Framework zero-day under active exploitation (CVE-2025-48595); Gamaredon leveraging a WinRAR path-traversal (CVE-2025-8088) to deliver GammaWorm/GammaSteel against Ukrainian targets; active exploitation of a WordPress Kirki privilege escalation (CVE-2026-8206) to hijack admin accounts; a CISA-listed Oracle WebLogic vulnerability (CVE-2024-21182); and an AI-powered ransomware toolkit that automates Active Directory discovery and EDR evasion. Immediate patching, credential resets, and enhanced monitoring are recommended.
