The Cyber Express Weekly Roundup 

European Commission Mobile Infrastructure Breach Raises Supply Chain Questions 

Ransomware Disrupts Senegal’s National Identity Systems 

Australian Court Imposes Landmark Cybersecurity Penalty 

Crypto Investment Scam Leader Sentenced in Absentia 

India Brings AI-Generated Content Under Formal Regulation 

Weekly Takeaway 

GitHub as a Discovery Engine for Exposed ChatGPT API Keys 

Exposure in Live Production Websites 

const OPENAI_API_KEY = "sk-proj-XXXXXXXXXXXXXXXXXXXXXXXX"; const OPENAI_API_KEY = "sk-svcacct-XXXXXXXXXXXXXXXXXXXXXXXX";  

“The AI Era Has Arrived — Security Discipline Has Not” 

Monetization and Criminal Exploitation 

• Execute high-volume inference workloads 
• Generate phishing emails and scam scripts 
• Assist in malware development 
• Circumvent service restrictions and usage quotas 
• Drain victim billing accounts and exhaust API credits 

As it is said, the ‘why’ and ‘how’ is much important than ‘should’. It’s exactly applicable in today’s cyberspace. Every day, organizations survive in an unpredictable cyber-risk climate. If your defense storehouse comprises just fragmented tools and manual processes, you are not playing it safe. If you are ‘not safe’, you are just seconds away […]

The post How AutoSecT VMDR Tool Simplifies Vulnerability Management appeared first on Kratikal Blogs.

The post How AutoSecT VMDR Tool Simplifies Vulnerability Management appeared first on Security Boulevard.

Illegal Intrusion Leads the Wave of Cybersecurity Incidents

USB Worm Infections and Endpoint Vulnerabilities

Social Engineering and Watering Hole Attacks Target Trust

Critical Infrastructure Faces Operational Risks

Strengthening Endpoint Protection and Cyber Governance

Darktrace researchers caught a sample of malware that was created by AI and LLMs to exploit the high-profiled React2Shell vulnerability, putting defenders on notice that the technology lets even lesser-skilled hackers create malicious code and build complex exploit frameworks.

The post Hackers Use LLM to Create React2Shell Malware, the Latest Example of AI-Generated Threat appeared first on Security Boulevard.

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the "turn-key" weapon of choice for modern threat actors.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Flashpoint.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Security Boulevard.

Microsoft Patch Tuesday February has Six New Zero-Day Fixes

• CVE-2026-21510: Windows Shell Security Feature Bypass (Severity: Important; CVSS 7.8) 
• CVE-2026-21513: MSHTML Platform Security Feature Bypass (Important; CVSS 7.5) 
• CVE-2026-21514: Microsoft Word Security Feature Bypass (Important; CVSS 7.8) 
• CVE-2026-21519: Desktop Window Manager Elevation of Privilege (Important; CVSS 7.8) 
• CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service (Important; CVSS 7.5) 
• CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege (Important; CVSS 7.8) 

Vulnerability Distribution and Impact 

• CVE-2026-21527: Microsoft Exchange Server Spoofing Vulnerability (Critical; potential RCE vector) 
• CVE-2026-23655: Azure Container Instances Information Disclosure (Critical) 
• CVE-2026-21518: GitHub Copilot / Visual Studio Remote Code Execution (Important) 
• CVE-2026-21528: Azure IoT SDK Remote Code Execution (Important) 
• CVE-2026-21531: Azure SDK Vulnerability (Important; CVSS 9.8) 
• CVE-2026-21222: Windows Kernel Information Disclosure (Important) 
• CVE-2026-21249: Windows NTLM Spoofing Vulnerability (Moderate) 
• CVE-2026-21509: Microsoft Office Security Feature Bypass (Important) 

Additional CVEs and Exploitability Ratings 

• CVE-2023-2804: Windows Win32K - GRFX (CVSS 6.5; Exploitation Less Likely) 
• CVE-2026-0391: Microsoft Edge for Android (CVSS 6.5; Exploitation Less Likely) 
• CVE-2026-20841: Windows Notepad App (CVSS 8.8; Exploitation Less Likely) 
• CVE-2026-20846: Windows GDI+ (CVSS 7.5) 
• CVE-2026-21218: .NET and Visual Studio (CVSS 7.5; Exploitation Unlikely) 
• CVE-2026-21231: Windows Kernel (CVSS 7.8; Exploitation More Likely) 
• CVE-2026-21232: Windows HTTP.sys (CVSS 7.8) 
• CVE-2026-21255: Windows Hyper-V (CVSS 8.8) 
• CVE-2026-21256 and CVE-2026-21257: GitHub Copilot and Visual Studio 
• CVE-2026-21258–21261: Microsoft Office Excel and Word 
• CVE-2026-21537: Microsoft Defender for Linux (CVSS 8.8) 

Lifecycle Notes, Hotpatching, and Known Issues 

• KB5075942: Windows Server 2025 Hotpatch 
• KB5075897: Windows Server 23H2 
• KB5075899: Windows Server 2025 
• KB5075906: Windows Server 2022 

This article examines the widespread collection of personal data and the legal challenges individuals face from third-party subpoenas. It discusses key court rulings on government access to personal information and highlights the complexities of data privacy in the digital age.

The post How the Supreme Court’s “Third Party” Subpoena Doctrine Empowers Governments to Seize Sensitive Information Without Your Knowledge appeared first on Security Boulevard.

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

SmarterTools Breach Limited by Linux Use

• Velociraptor
• JWRapper
• Remote Access
• SimpleHelp
• WinRAR (older, vulnerable versions)
• exe
• dll
• exe
• Short, random filenames such as e0f8rM_0.ps1 or abc...
• Random .aspx files

Snapchat Hacking Investigation Reveals Scale of Phishing Abuse

Snapchat Hacking for Hire

Why the Snapchat Hacking Investigation Matters

Legal Consequences

CISA KEV Is Not a List of the Worst Vulnerabilities

• The vulnerability must have an assigned Common Vulnerabilities and Exposures (CVE) identifier.
• There must be a reasonable mitigation. “This means that vulnerabilities with no realistic path to mitigation will not reach the KEV,” the paper said. The lack of a straightforward fix has kept CVE-2022-21894, aka “BlackLotus,” off the list even though the NSA has provided mitigation guidance.
• There must be evidence of exploitation. “This exploitation must be observed by CISA, either directly or through trusted reporting channels,” the paper said.
• The vulnerability must be relevant to the U.S. Federal Civilian Executive Branch (FCEB).

• Access Vector of “Network” (as opposed to “Adjacent,” “Local,” or “Physical”)
• Privileges Required of “None” (as opposed to “Low” or “High”)
• User Interaction of “None” (as opposed to “Required”)
• Integrity Impact of “High” (as opposed to “None” or “Low”)

Perfect Vulnerability Coverage ‘Unrealistic’

The Cyber Express Weekly Roundup 

Cyberattack Disrupts Spain’s Ministry of Science Operations 

OpenAI Expands Controlled Access to Advanced Cyber Defense Models 

French Authorities Escalate Investigations Into X and Grok AI 

AI-Generated Platform Moltbook Exposes Millions of Credentials 

Substack Discloses Breach Months After Initial Compromise 

Weekly Takeaway 

Updates to the La Sapienza Cyberattack

Cyberattack on La Sapienza Linked to BabLock Malware 

Investigation and Recovery Efforts Continue 

Bypass of Previous Security Fixes for CVE-2026-25049 Vulnerability 

Affected Versions and Mitigation Guidance 

Researcher Insights and Potential Impact

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Ransomware Groups Target Edge Devices

Details of Foxit PDF Editor Vulnerabilities CVE-2026-1591 and CVE-2026-1592 

Enterprise Risk and Attack Surface Considerations 

Patches, Mitigation, and Security Guidance 

What Is vLLM and Why CVE-2026-22778 Matters 

Impact: Full Server Takeover via Remote Code Execution 

Technical Analysis 

Affected Versions and Recommended Actions 

• Affected versions: vLLM >= 0.8.3 and < 0.14.1
• Fixed version: vLLM 0.14.1

The BreachForums marketplace has suffered a leak, exposing the identities of nearly 324,000 cybercriminals. This incident highlights a critical shift in cyberattacks, creating opportunities for law enforcement while demonstrating the risks associated with breaches in the cybercriminal ecosystem.

The post BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game appeared first on Security Boulevard.

Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.

Russian state-sponsored hacking group APT28 used a critical Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509, in less than a day after the vendor publicly disclosed the flaw, launching targeted attacks against Ukrainian government agencies and European Union institutions.

Ukraine's Computer Emergency Response Team detected exploitation attempts that began on January 27—just one day after Microsoft published details about CVE-2026-21509.

Microsoft had acknowledged active exploitation when it disclosed the flaw on January 26, but details pertaining to the threat actors were withheld and it is still unclear if it is the same or some other exploitation campaign that the vendor meant. However, the speed at which APT28 deployed customized attacks shows the narrow window defenders have to patch critical vulnerabilities.

Also read: APT28’s Recent Campaign Combined Steganography, Cloud C2 into a Modular Infection Chain

CERT-UA discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Final).doc" containing the CVE-2026-21509 exploit on January 29. Metadata revealed attackers created the document on January 27 at 07:43 UTC. The file masqueraded as materials related to Committee of Permanent Representatives to the European Union consultations on Ukraine's situation.

On the same day, attackers impersonated Ukraine's Ukrhydrometeorological Center, distributing emails with an attached DOC file named "BULLETEN_H.doc" to more than 60 email addresses. Recipients primarily included Ukrainian central executive government agencies, representing a coordinated campaign against critical government infrastructure.

The attack chain begins when victims open malicious documents using Microsoft Office. The exploit establishes network connections to external resources using the WebDAV protocol—a file sharing protocol that extends HTTP to enable collaborative editing. The connection downloads a shortcut file containing program code designed to retrieve and execute additional malicious payloads.

Successful execution creates a DLL file "EhStoreShell.dll" disguised as a legitimate "Enhanced Storage Shell Extension" library, along with an image file "SplashScreen.png" containing shellcode. Attackers implement COM hijacking by modifying Windows registry values for a specific CLSID identifier, a technique that allows malicious code to execute when legitimate Windows components load.

The malware creates a scheduled task named "OneDriveHealth" that executes periodically. When triggered, the task terminates and relaunches the Windows Explorer process. Because of the COM hijacking modification, Explorer automatically loads the malicious EhStoreShell.dll file, which then executes shellcode from the image file to deploy the Covenant framework on compromised systems.

Covenant is a post-exploitation framework similar to Cobalt Strike that provides attackers persistent command-and-control access. In this campaign, APT28 configured Covenant to use Filen.io, a legitimate cloud storage service, as command-and-control infrastructure. This technique, called living-off-the-land, makes malicious traffic appear legitimate and harder to detect.

CERT-UA discovered three additional malicious documents using similar exploits in late January 2026. Analysis of embedded URL structures and other technical indicators revealed these documents targeted organizations in EU countries. In one case, attackers registered a domain name on January 30, 2026—the same day they deployed it in attacks—demonstrating the operation's speed and agility.

"It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned in its advisory.

Microsoft released an emergency fix for CVE-2026-21509, but many organizations struggle to rapidly deploy patches across enterprise environments. The vulnerability affects multiple Microsoft Office products, creating a broad attack surface that threat actors will continue exploiting as long as unpatched systems remain accessible.

Read: Microsoft Releases Emergency Fix for Exploited Office Zero-Day

CERT-UA attributes the campaign to UAC-0001, the agency's designation for APT28, also known as Fancy Bear or Forest Blizzard. The group operates on behalf of Russia's GRU military intelligence agency and has conducted extensive operations targeting Ukraine since Russia's 2022 invasion. APT28 previously exploited Microsoft vulnerabilities within hours of disclosure, demonstrating consistent capability to rapidly weaponize newly discovered flaws.

CERT-UA recommends organizations immediately implement mitigation measures outlined in Microsoft's advisory, particularly Windows registry modifications that prevent exploitation. The agency specifically urges blocking or monitoring network connections to Filen cloud storage infrastructure, providing lists of domain names and IP addresses in its indicators of compromise section.

A “scary” vulnerability in Broadcom Wi-Fi chipsets could lead to long-term instability and affect how an organization operates.

The post Flaw in Broadcom Wi-Fi Chipsets Illuminates Importance of Wireless Dependability and Business Continuity  appeared first on Security Boulevard.

From an Anthropic blog post:

In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]

A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history­­using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches.

AI models are getting better at this faster than I expected. This will be a major power shift in cybersecurity.

From an Anthropic blog post:

In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]

A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history­­using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches...

The post AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities appeared first on Security Boulevard.

The Cyber Express Weekly Roundup 

Cyberattack Hits Russian Security Firm Delta 

Ad Fraud and Data Privacy: Brands Must Act Now 

Ivanti Patches Critical Mobile Manager Zero-Days 

Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework 

EU Data Breach Notifications Rise Amid GDPR Reform Talks 

New Cyberattacks Target U.S. Companies 

Weekly Takeaway 

Two code injection vulnerabilities allowed unauthenticated attackers to execute arbitrary code and access sensitive device information across compromised networks.

Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile after discovering attackers exploited the flaws to compromise customer systems. The company confirmed a limited number of organizations fell victim to attacks leveraging CVE-2026-1281, which CISA added to its Known Exploited Vulnerabilities catalog with a February 1 remediation deadline for federal agencies.

The Code Injection Zero-Days

Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM's In-House Application Distribution and Android File Transfer Configuration features. Rated critical with CVSS scores of 9.8, the vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication.

"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti stated in its security advisory released Thursday. The company acknowledged it lacks sufficient information about the threat actors or comprehensive indicators of compromise due to the sophistication of the attacks.

The vulnerabilities affect only on-premises EPMM deployments and do not impact cloud-hosted Ivanti Neurons for Mobile Device Management, Ivanti Endpoint Manager, the Ivanti Sentry secure mobile gateway or any other Ivanti products. However, the company recommends organizations review Sentry logs alongside EPMM systems for potential lateral movement.

What Attackers Can Siphon

Successful exploitation grants attackers access to mobile device management infrastructure. Compromised EPMM appliances expose administrator and user credentials, including usernames and email addresses. Attackers gain visibility into managed mobile devices, accessing phone numbers, IP addresses, installed applications and device identifiers like IMEI and MAC addresses.

Organizations with location tracking enabled face additional exposure. Attackers accessing compromised systems can retrieve device location data including GPS coordinates and cellular tower information. More critically, attackers can leverage EPMM's API or web console to modify device configurations, including authentication settings.

Urgent Remediation Called For

Ivanti released RPM scripts providing temporary mitigation for affected EPMM versions. Organizations running versions 12.5.0.x, 12.6.0.x and 12.7.0.x should deploy RPM 12.x.0.x, while those operating versions 12.5.1.0 and 12.6.1.0 require RPM 12.x.1.x. The company emphasized that applying patches requires no downtime and causes no functional impact.

"If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM," Ivanti warned. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0," scheduled for release later in Q1 2026.

Also read: Ivanti Bugs Exploited Even After Three Months of Patch Availability

Organizations suspecting compromise should not attempt to clean affected systems. Ivanti recommends either restoring EPMM from known-good backups taken before exploitation occurred or rebuilding the appliance and migrating data to replacement systems. After restoration, administrators must reset passwords for local EPMM accounts, LDAP and KDC service accounts, revoke and replace public certificates, and reset passwords for all internal and external service accounts configured with EPMM.

The company's analysis guidance shows particular risks around Sentry integration. While EPMM can be restricted to demilitarized zones with minimal corporate network access, Sentry specifically tunnels traffic from mobile devices to internal network assets. Organizations should review systems accessible through Sentry for potential reconnaissance or lateral movement.

CISA Issues a Tight Two-Day Deadline

CISA's addition of CVE-2026-1281 to the KEV catalog triggers Binding Operational Directive 22-01 requirements. Federal civilian agencies must apply vendor mitigations or discontinue using vulnerable systems by February 1, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize remediation as part of vulnerability management practices.

Notably, CISA added only CVE-2026-1281 to the KEV catalog despite Ivanti confirming exploitation of both vulnerabilities. The agency has not explained this discrepancy.

Also read: CISA Warns of New Malware Campaign Exploiting Ivanti EPMM Vulnerabilities

The disclosure continues Ivanti's troubled 2025, which saw widespread exploitation of multiple zero-day vulnerabilities across its product portfolio. Security researchers previously linked EPMM attacks to sophisticated threat actors, with some incidents attributed to China-nexus advanced persistent threat groups.

Also read: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation

These management platforms represent high-value targets because compromising them effectively transforms the system into enterprise-wide command-and-control infrastructure.

Organizations should apply patches immediately and conduct thorough security assessments of potentially compromised systems to prevent further damage from these actively exploited vulnerabilities.

Fileless Execution and Weaponized Hackshell 

CRIL Observations on Operator-Centric Design 

Covert Data Exfiltration 

Dormant Capabilities and Lateral Movement 

• Memory dumping for credential theft 
• SSH-based lateral movement and brute-force scanning 
• Privilege escalation using kernel exploits 
• Cryptocurrency mining via XMRig, GMiner, and lolMiner 

Implications for Threat Defense 

AI Toy Admin Panel Exposed Children’s Conversations

• The child’s name and birth date
• Family member names
• The child’s likes and dislikes
• Objectives for the child (defined by the parent)
• The name given to the toy by the child
• Previous conversations between the child and the toy (used to give the LLM context)
• Device information, such as location via IP address, battery level, awake status, and more
• The ability to update device firmware and reboot devices

A (Very) Quick Response from Bondu

npm Leads in Malicious Open Source Software Packages

Open Source Malware Exploits Developer Processes

Exploiting CVE-2025-55182 

Malware Deployment Following React2Shell Exploitation 

Additional Campaigns and Global Targeting 

A 149M-credential breach shows why encryption alone isn’t enough. Infostealer malware bypasses cloud security by stealing passwords at the endpoint—where encryption offers no protection.

The post Another Credential Leak, Another Dollar appeared first on Security Boulevard.

Heap Overflow Flaw Poses Severe RCE Risk 

Impact of CVE-2024-37079 Across VMware vCenter Server and Cloud Foundation 

Urgent Need for Patching as Exploitation Occurs in the Wild 

The Death of the "Safe" Zone 

Data Privacy Week 2026: Defending Against the "Identity Hijack" 

1. Validate the Human (Identity & Presence): Progressive organisations are adopting a multi-modal approach that combines phishing-resistant hardware verification with biometric-first identity signals. By anchoring identity in physical hardware (such as FIDO2-compliant keys) and augmenting it with continuous monitoring of liveness and presence, it is possible to ensure that the authorised individual remains physically present at the keys throughout the interaction. This layered verification prevents session hijacking or "shoulder surfing" in real-time. 

1. Validate the Device (Integrity & Posture): It is no longer safe to assume a device is secure simply because it is corporate-owned. The technical integrity of the endpoint must be evaluated before and during access. This involves continuous checks for managed status, OS vulnerabilities, and security software health to ensure the tool used to access data is not a compromised gateway. 

1. Validate the Behaviour (Intent & Monitoring): This final layer of the perimeter involves monitoring user actions for deviations from established norms. Detecting anomalies in navigation speed, timing, and data consumption allows for an assessment of whether a device is acting like a human-operated workstation or an automated exfiltration bot. The perimeter thus functions as a dynamic response system that adapts based on 'Contextual Intelligence'—the real-time risk of the intent. 

Privacy-First Architecture: Micro-Segmentation of Access 

Looking Ahead: The Invisible Perimeter 

Microsoft Emergency Fix for Office 2016 and 2019 Coming Soon

Office 2016 and 2019 Mitigations

Step 1

Step 2

Versa, Zimbra and VMware Enterprise Software Flaws

Vite and Prettier Code Tool Vulnerabilities

Really interesting blog post from Anthropic:

In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.

[…]

A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—­one of the costliest cyber attacks in history—­using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches.

Read the whole thing. Automatic exploitation will be a major change in cybersecurity. And things are happening fast. There have been significant developments since I wrote this in October.

Overview of the Latest GitLab Patch Release

Bug Fixes and Upgrade Considerations for Self-Managed Users 

Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited on systems previously thought to be patched.

The vulnerability, originally disclosed in December 2025, allows unauthenticated attackers to bypass authentication on FortiGate firewalls by forging SAML assertions. At the time, Fortinet released FortiOS version 7.4.9 as the definitive fix for the 7.4 release branch. However, emerging data from the cybersecurity community suggests this update may have failed to close the door on attackers.

The "Zombie" FortiOS Vulnerability

Over the last 48 hours, a wave of reports has surfaced on community hubs like Reddit, where verified administrators have shared logs indicating successful breaches on devices running the supposedly secure FortiOS 7.4.9.

The attack pattern is distinct and alarming. Victims report observing unauthorized logins via the FortiCloud SSO mechanism—even when they do not actively use the feature for their own administration. Once access is gained, the attackers typically create a local administrator account, often named "helpdesk" or similar generic terms, to establish persistence independent of the SSO flaw.

"We have been on 7.4.9 since December 30th," wrote one frustrated administrator who shared redacted logs of the incident. "Our SIEM caught a local admin account being created. The attack vector looks exactly like the original CVE-2025-59718 exploit, but against the patched firmware.

Technical Confusion and Workarounds

The persistence of this flaw in version 7.4.9 has led to speculation that the initial patch was incomplete or that attackers have found a bypass to the mitigation logic. Some users report that Fortinet support has acknowledged the issue privately, hinting that the vulnerability might persist even into upcoming builds like 7.4.10, though this remains unconfirmed by official public advisories.

The exploit relies on the "Allow administrative login using FortiCloud SSO" setting, which is often enabled by default when a device is registered to FortiCloud.

Security experts are now advising a "trust no patch" approach for this specific vector. The only guaranteed mitigation currently circulating in professional circles is to manually disable the vulnerable feature via the Command Line Interface (CLI), regardless of the firmware version installed.

Administrators are urged to run the following command immediately on all FortiGate units:

config system global
    set admin-forticloud-sso-login disable
end

Indicators of Compromise

Organizations running FortiOS 7.4.x—including version 7.4.9—should immediately audit their system event logs for the following activity:

1. Unexpected SSO Logins: Filter logs for successful logins where the method is forticloud-sso, especially from unrecognized public IP addresses.

2. New User Creation: Check for the recent creation of administrator accounts with names like helpdesk, support, or fortinet-admin.

3. Configuration Exports: Look for logs indicating a full system configuration download shortly after an SSO login.

As trust in the official patch cycle wavers, the community is once again serving as the first line of defense, sharing Indicators of Compromise (IOCs) and workarounds faster than vendors can issue bulletins. For now, disable the SSO feature, or risk compromise.

Unauthenticated Privilege Escalation Threatens WordPress Sites

How the ACF Addon Plugin Flaw Works

• “Enforced front-end fields validation against their respective ‘Choices’ settings.” 
• “Module: Forms – Added security measure for forms allowing user role selection.” 

Patches, Updates, and Steps for Site Owners

• Module: Forms – Enforced front-end fields validation against their respective ‘Choices’ settings 
• Module: Forms – Added security measure for forms, allowing user role selection 
• Module: Forms – Added acfe/form/validate_value hook to validate fields individually on the front 
• Module: Forms – Added acfe/form/pre_validate_value hook to bypass enforced validation 

Why GCVE Emerged When It Did 

A Decentralized Model by Design 

What the Database Actually Shows 

Integration Over Isolation 

How the Cloudflare Vulnerability Worked

Cloudflare’s Confirmation and Technical Details

Mitigation and Impact

The Cyber Express Weekly Roundup 

X Tightens Grok AI Restrictions 

NSA Appoints Timothy Kosiba as Deputy Director 

Iran Enters Fourth Day of Nationwide Internet Blackout 

Dr. Amit Chaubey Warns of Expanding “Business Blast Radius” 

Endesa Data Breach Affects Energía XXI Customers 

New Android Banking Malware deVixor Identified 

Microsoft Disrupts RedVDS Cybercrime Platform 

Weekly Roundup Takeaway 

This isn’t good:

We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users should upgrade to version 1.121.0 or later to remediate the vulnerability.

Three technical links and two news links.

Top AI Security Concerns

Concern About AI Security Leads to Action

AI Adoption in Security Operations

Geopolitical Cyber Threats

Technical Details of MS-ISAC Advisory 

Affected Versions, Risk Ratings, and Mitigation Guidance 

Patch Tuesday January 2026 High-Risk Vulnerabilities

Highest-Rated Vulnerabilities in the Patch Tuesday Update

• CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
• CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
• CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability

Understanding DNS Threats 

How DNS Attacks Work 

• Intercept DNS queries and provide malicious responses. 
• Redirect users to fraudulent websites for phishing or malware distribution. 
• Overload DNS servers to cause downtime through DNS DDoS attacks. 
• Exploit caching mechanisms to redirect legitimate traffic (DNS poisoning). 

Common DNS Attack Types 

• DNS Hijacking: Attackers redirect legitimate traffic to malicious sites by altering DNS records. This can occur through compromised servers or man-in-the-middle interception, leading to data theft or malware infections.
• DNS Cache Poisoning: Also known as DNS poisoning, this attack injects false data into a DNS resolver’s cache, causing it to return incorrect IP addresses. Users unknowingly visit attacker-controlled sites. 
• DNS Floodand DDoS Attacks: A DNS flood is a denial-of-service attack that overwhelms servers with excessive requests. DNS DDoS attack types often combine spoofing and amplification techniques to maximize disruption, targeting both authoritative servers and resolvers.
• DNS Tunneling: Here, attackers encapsulate malicious data within DNS queries or responses, often to exfiltrate sensitive information or maintain command-and-control channels undetected.
• Phantom Domain and Botnet-Based Attacks: Attackers may generate fake domains to overload resolvers or use a network of compromised devices to launch coordinated attacks. These DNS-based attacks are challenging to defend against due to their distributed nature.
• Cover and Malware Attacks: Some attacks manipulate DNS as a distraction, enabling other attacks to succeed. Others directly use DNS viruses or malware to disrupt network services. 

Preventing DNS Attacks 

• Audit DNS zones regularly to remove outdated or vulnerable entries. 
• Keep DNS servers updated with the latest security patches. 
• Restrict zone transfers to prevent unauthorized access. 
• Disable DNS recursion on authoritative servers to prevent amplification attacks. 
• Implement DNSSEC to add digital signatures to DNS data, mitigating spoofing. 
• Use threat prevention tools and DNS firewalls to block malicious domains and detect exfiltration attempts. 

Conclusion 

CISA KEV Addition Follows CVE-2025-37164 PoC

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

How the n8n Webhook Content-Type Confusion Is Exploited 

n8n Vulnerability Enables Admin Bypass and Remote Code Execution 

Patch Status and Mitigations for CVE-2026-21858 

Firmware Upload Error Triggers Root-Level Telnet Access 

Exploitation Requirements and Potential Impact of CVE-2025-65606 

No Patch Available as Device Reaches End of Life 

Sandbox Bypass in the Python Code Node 

Patch Details and Security Improvements 

Mitigations, Workarounds, and Broader Context for CVE-2025-68668