Login
The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments
13 February 2026 at 05:53
Normal view
Received yesterday — 13 February 2026
8,000+ ChatGPT API Keys Left Publicly Accessible
13 February 2026 at 02:30
GitHub as a Discovery Engine for Exposed ChatGPT API Keys
Public GitHub repositories have become one of the most reliable sources for exposed AI credentials. During development cycles, especially in fast-moving environments, developers often embed ChatGPT API keys directly into source code, configuration files, or .env files. While the intent may be to rotate or remove them later, these keys frequently persist in commit histories, forks, archived projects, and cloned repositories. CRIL’s analysis shows that these exposures span JavaScript applications, Python scripts, CI/CD pipelines, and infrastructure configuration files. Many repositories were actively maintained or recently updated, increasing the likelihood that the exposed ChatGPT API keys remained valid at the time of discovery. Once committed, secrets are quickly indexed by automated scanners that monitor GitHub repositories in near real time. This drastically reduces the window between exposure and exploitation, often to mere hours or minutes.Exposure in Live Production Websites
Beyond repositories, CRIL uncovered roughly 3,000 public-facing websites leaking ChatGPT API keys directly in production. In these cases, credentials were embedded within JavaScript bundles, static files, or front-end framework assets, making them visible to anyone inspecting network traffic or application source code. A commonly observed implementation resembled:const OPENAI_API_KEY = "sk-proj-XXXXXXXXXXXXXXXXXXXXXXXX"; const OPENAI_API_KEY = "sk-svcacct-XXXXXXXXXXXXXXXXXXXXXXXX";The sk-proj- prefix typically denotes a project-scoped key tied to a specific environment and billing configuration. The sk-svcacct- prefix generally represents a service-account key intended for backend automation or system-level integration. Despite their differing scopes, both function as privileged authentication tokens granting direct access to AI inference services and billing resources. Embedding these keys in client-side JavaScript fully exposes them. Attackers do not need to breach infrastructure or exploit software vulnerabilities; they simply harvest what is publicly available.
“The AI Era Has Arrived — Security Discipline Has Not”
Richard Sands, CISO at Cyble, summarized the issue bluntly: “The AI Era Has Arrived — Security Discipline Has Not.” AI systems are no longer experimental tools; they are production-grade infrastructure powering chatbots, copilots, recommendation engines, and automated workflows. Yet the security rigor applied to cloud credentials and identity systems has not consistently extended to ChatGPT API keys. A contributing factor is the rise of what some developers call “vibe coding”—a culture that prioritizes speed, experimentation, and rapid feature delivery. While this accelerates innovation, it often sidelines foundational security practices. API keys are frequently treated as configuration values rather than production secrets. Sands further emphasized, “Tokens are the new passwords — they are being mishandled.” From a security standpoint, ChatGPT API keys are equivalent to privileged credentials. They control inference access, usage quotas, billing accounts, and sometimes sensitive prompts or application logic.Monetization and Criminal Exploitation
Once discovered, exposed keys are validated through automated scripts and operationalized almost immediately. Threat actors monitor GitHub repositories, forks, gists, and exposed JavaScript assets to harvest credentials at scale. CRIL observed that compromised keys are typically used to:- Execute high-volume inference workloads
- Generate phishing emails and scam scripts
- Assist in malware development
- Circumvent service restrictions and usage quotas
- Drain victim billing accounts and exhaust API credits
Cyble Vision indicates API key exposure leak (Source: Cyble Vision)[/caption]
Unlike traditional cloud infrastructure, AI API activity is often not integrated into centralized logging systems, SIEM platforms, or anomaly detection pipelines. As a result, abuse can persist undetected until billing spikes, quota exhaustion, or degraded service performance reveal the compromise.
Kaustubh Medhe, CPO at Cyble, warned: “Hard-coding LLM API keys risks turning innovation into liability, as attackers can drain AI budgets, poison workflows, and access sensitive prompts and outputs. Enterprises must manage secrets and monitor exposure across code and pipelines to prevent misconfigurations from becoming financial, privacy, or compliance issues.” How AutoSecT VMDR Tool Simplifies Vulnerability Management
13 February 2026 at 02:22
As it is said, the ‘why’ and ‘how’ is much important than ‘should’. It’s exactly applicable in today’s cyberspace. Every day, organizations survive in an unpredictable cyber-risk climate. If your defense storehouse comprises just fragmented tools and manual processes, you are not playing it safe. If you are ‘not safe’, you are just seconds away […]
The post How AutoSecT VMDR Tool Simplifies Vulnerability Management appeared first on Kratikal Blogs.
The post How AutoSecT VMDR Tool Simplifies Vulnerability Management appeared first on Security Boulevard.
Received before yesterday
Taiwan Government Agencies Faced 637 Cybersecurity Incidents in H2 2025
12 February 2026 at 02:21
Illegal Intrusion Leads the Wave of Cybersecurity Incidents
Illegal intrusion remains the leading category among reported cybersecurity incidents affecting government agencies. While the term may sound broad, it reflects deliberate attempts by attackers to gain unauthorized access to systems, often paving the way for espionage, data theft, or operational disruption. The CSAA identified four recurring attack patterns behind these incidents. The first involves the distribution of malicious programs disguised as legitimate software. Attackers impersonate commonly used applications, luring employees into downloading infected files. Once installed, these malicious programs establish abnormal external connections, creating backdoors for future control or data exfiltration. This tactic is particularly concerning for government agencies, where employees frequently rely on specialized or internal tools. A single compromised endpoint can provide attackers with a foothold into wider networks, increasing the scale of cybersecurity incidents.USB Worm Infections and Endpoint Vulnerabilities
The second major pattern behind these cybersecurity incidents involves worm infections spread through portable media devices such as USB drives. Though often considered an old-school technique, USB-based attacks remain effective—especially in environments where portable media is routinely used for operational tasks. When infected devices are plugged into systems, malicious code can automatically execute, triggering endpoint intrusion and abnormal system behavior. Such breaches can lead to lateral movement within networks and unauthorized external communications. This pattern underscores a key reality: technical sophistication is not always necessary. In many cybersecurity incidents, attackers succeed by exploiting routine workplace habits rather than zero-day vulnerabilities.Social Engineering and Watering Hole Attacks Target Trust
The third pattern involves social engineering email attacks, frequently disguised as administrative litigation or official document exchanges. These phishing emails are crafted around business topics highly relevant to government agencies, increasing the likelihood that recipients will open attachments or click malicious links. Such cybersecurity incidents rely heavily on human psychology. The urgency and authority embedded in administrative-themed emails make them particularly effective. Despite years of awareness campaigns, phishing remains one of the most successful entry points for attackers globally. The fourth pattern, known as watering hole attacks, adds another layer of complexity. In these cases, attackers compromise legitimate websites commonly visited by government officials. During normal browsing, malicious commands are silently executed, resulting in endpoint compromise and abnormal network behavior. Watering hole attacks demonstrate how cybersecurity incidents can originate from seemingly trusted digital environments. Even cautious users can fall victim when legitimate platforms are weaponized.Critical Infrastructure Faces Operational Risks
Beyond government agencies, cybersecurity incidents reported by non-government organizations primarily affected critical infrastructure providers, particularly in emergency response, healthcare, and communications sectors. Interestingly, many of these cases involved equipment malfunctions or damage rather than direct cyberattacks. System operational anomalies led to service interruptions, while environmental factors such as typhoons disrupted critical services. These incidents highlight an important distinction: not all disruptions stem from malicious activity. However, the operational impact can be equally severe. The Cybersecurity Research Institute (CRI) emphasized that equipment resilience, operational continuity, and environmental risk preparedness are just as crucial as cybersecurity protection. In an interconnected world, digital security and physical resilience must go hand in hand.Strengthening Endpoint Protection and Cyber Governance
In response to the rise in cybersecurity incidents, experts recommend a dual approach—technical reinforcement and management reform. From a technical perspective, endpoint protection and abnormal behavior monitoring must be strengthened. Systems should be capable of detecting malicious programs, suspicious command execution, abnormal connections, and risky portable media usage. Enhanced browsing and attachment access protection can further reduce the risk of malware downloads during routine operations. From a governance standpoint, ongoing education is essential. Personnel must remain alert to risks associated with fake software, social engineering email attacks, and watering hole attacks. Clear management policies regarding portable media usage, software sourcing, and external website access should be embedded into cybersecurity governance frameworks. The volume of cybersecurity incidents reported in just six months sends a clear message: digital threats targeting public institutions are persistent, adaptive, and increasingly strategic. Governments and critical infrastructure providers must move beyond reactive responses and build layered defenses that address both technology and human behavior.Hackers Use LLM to Create React2Shell Malware, the Latest Example of AI-Generated Threat
11 February 2026 at 17:46
Darktrace researchers caught a sample of malware that was created by AI and LLMs to exploit the high-profiled React2Shell vulnerability, putting defenders on notice that the technology lets even lesser-skilled hackers create malicious code and build complex exploit frameworks.
The post Hackers Use LLM to Create React2Shell Malware, the Latest Example of AI-Generated Threat appeared first on Security Boulevard.
- N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation
N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation
11 February 2026 at 10:46
In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the "turn-key" weapon of choice for modern threat actors.
The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Flashpoint.
The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Security Boulevard.
Microsoft Patch Tuesday February Update Flags Exchange and Azure Vulnerabilities as High-Priority Risks
11 February 2026 at 01:44
Microsoft Patch Tuesday February has Six New Zero-Day Fixes
The most critical aspect of this Microsoft Patch Tuesday February update is the confirmation that six vulnerabilities were under active exploitation. These flaws impact core Windows components and productivity applications widely deployed in enterprise environments. The actively exploited zero-days are:- CVE-2026-21510: Windows Shell Security Feature Bypass (Severity: Important; CVSS 7.8)
- CVE-2026-21513: MSHTML Platform Security Feature Bypass (Important; CVSS 7.5)
- CVE-2026-21514: Microsoft Word Security Feature Bypass (Important; CVSS 7.8)
- CVE-2026-21519: Desktop Window Manager Elevation of Privilege (Important; CVSS 7.8)
- CVE-2026-21525: Windows Remote Access Connection Manager Denial of Service (Important; CVSS 7.5)
- CVE-2026-21533: Windows Remote Desktop Services Elevation of Privilege (Important; CVSS 7.8)
Vulnerability Distribution and Impact
Beyond the zero-days, Microsoft Patch Tuesday resolves a broad range of additional issues. Of the 54 vulnerabilities fixed, Elevation of Privilege (EoP) flaws account for 25. Remote Code Execution (RCE) vulnerabilities total 12, followed by 7 spoofing issues, 6 information disclosure flaws, 5 security feature bypass vulnerabilities, and 3 denial-of-service issues. High-risk vulnerabilities affecting enterprise infrastructure include:- CVE-2026-21527: Microsoft Exchange Server Spoofing Vulnerability (Critical; potential RCE vector)
- CVE-2026-23655: Azure Container Instances Information Disclosure (Critical)
- CVE-2026-21518: GitHub Copilot / Visual Studio Remote Code Execution (Important)
- CVE-2026-21528: Azure IoT SDK Remote Code Execution (Important)
- CVE-2026-21531: Azure SDK Vulnerability (Important; CVSS 9.8)
- CVE-2026-21222: Windows Kernel Information Disclosure (Important)
- CVE-2026-21249: Windows NTLM Spoofing Vulnerability (Moderate)
- CVE-2026-21509: Microsoft Office Security Feature Bypass (Important)
Additional CVEs and Exploitability Ratings
The official advisory states: “February 2026 Security Updates. This release consists of the following 59 Microsoft CVEs.” Among them:- CVE-2023-2804: Windows Win32K - GRFX (CVSS 6.5; Exploitation Less Likely)
- CVE-2026-0391: Microsoft Edge for Android (CVSS 6.5; Exploitation Less Likely)
- CVE-2026-20841: Windows Notepad App (CVSS 8.8; Exploitation Less Likely)
- CVE-2026-20846: Windows GDI+ (CVSS 7.5)
- CVE-2026-21218: .NET and Visual Studio (CVSS 7.5; Exploitation Unlikely)
- CVE-2026-21231: Windows Kernel (CVSS 7.8; Exploitation More Likely)
- CVE-2026-21232: Windows HTTP.sys (CVSS 7.8)
- CVE-2026-21255: Windows Hyper-V (CVSS 8.8)
- CVE-2026-21256 and CVE-2026-21257: GitHub Copilot and Visual Studio
- CVE-2026-21258–21261: Microsoft Office Excel and Word
- CVE-2026-21537: Microsoft Defender for Linux (CVSS 8.8)
Lifecycle Notes, Hotpatching, and Known Issues
The advisory reiterates that Windows 10 and Windows 11 updates are cumulative and available through the Microsoft Update Catalog. Lifecycle timelines are documented in the Windows Lifecycle Facts Sheet. Microsoft is also continuing improvements to Windows Release Notes and provides servicing stack update details under ADV990001. The Hotpatching feature is now generally available for Windows Server Azure Edition virtual machines. Customers using Windows Server 2008 or Windows Server 2008 R2 must purchase Extended Security Updates to continue receiving patches; additional information is available under 4522133. Known issues tied to this 2026 Patch Tuesday release include:- KB5075942: Windows Server 2025 Hotpatch
- KB5075897: Windows Server 23H2
- KB5075899: Windows Server 2025
- KB5075906: Windows Server 2022
How the Supreme Court’s “Third Party” Subpoena Doctrine Empowers Governments to Seize Sensitive Information Without Your Knowledge
10 February 2026 at 08:13
This article examines the widespread collection of personal data and the legal challenges individuals face from third-party subpoenas. It discusses key court rulings on government access to personal information and highlights the complexities of data privacy in the digital age.
The post How the Supreme Court’s “Third Party” Subpoena Doctrine Empowers Governments to Seize Sensitive Information Without Your Knowledge appeared first on Security Boulevard.
SmarterTools Breached by Own SmarterMail Vulnerabilities
9 February 2026 at 16:22
SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings
Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window. “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”SmarterTools Breach Limited by Linux Use
Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:- Velociraptor
- JWRapper
- Remote Access
- SimpleHelp
- WinRAR (older, vulnerable versions)
- exe
- dll
- exe
- Short, random filenames such as e0f8rM_0.ps1 or abc...
- Random .aspx files
Illinois Man Charged in Massive Snapchat Hacking Scheme Targeting Hundreds of Women
9 February 2026 at 01:10
Snapchat Hacking Investigation Reveals Scale of Phishing Abuse
At the core of the Snapchat hacking investigation is a textbook example of social engineering. Between May 2020 and February 2021, Svara allegedly gathered emails, phone numbers, and Snapchat usernames using online tools and research techniques. He then deliberately triggered Snapchat’s security system to send one-time access codes to victims. Using anonymized phone numbers, Svara allegedly impersonated a Snap Inc. representative and texted more than 4,500 women, asking them to share their security codes. About 570 women reportedly complied—handing over access to their accounts without realizing they were being manipulated. Once inside, prosecutors say Svara accessed at least 59 Snapchat accounts and downloaded private images. These images were allegedly kept, sold, or exchanged on online forums. The investigation found that Svara openly advertised his services on platforms such as Reddit, offering to “get into girls’ snap accounts” for a fee or trade.Snapchat Hacking for Hire
What makes this Snapchat hacking case especially troubling is that it was not driven solely by curiosity or personal motives. Investigators allege that Svara operated as a hacking-for-hire service. One of his co-conspirators was Steve Waithe, a former Northeastern University track and field coach, who allegedly paid Svara to hack Snapchat accounts of women he coached or knew personally. Waithe was convicted in November 2023 on multiple counts, including wire fraud and cyberstalking, and sentenced to five years in prison. The link between authority figures and hired cybercriminals adds a deeply unsettling dimension to the case, one that highlights how power dynamics can be exploited through digital tools. Beyond hired jobs, Svara also allegedly targeted women in and around Plainfield, Illinois, as well as students at Colby College in Maine, suggesting a pattern of opportunistic and localized targeting.Why the Snapchat Hacking Investigation Matters
This Snapchat hacking investigation features a critical cybersecurity truth: technical defenses mean little when human trust is exploited. The victims did not lose access because Snapchat’s systems failed; they were deceived into handing over the keys themselves. It also raises serious questions about accountability on social platforms. While Snapchat provides security warnings and access codes, impersonation attacks continue to succeed at scale. The ease with which attackers can pose as platform representatives points to a larger problem of user awareness and platform-level safeguards. The case echoes other recent investigations, including the indictment of a former University of Michigan football coach accused of hacking thousands of athlete accounts to obtain private images. Together, these cases reveal a troubling pattern—female student athletes being specifically researched, targeted, and exploited.Legal Consequences
Svara faces charges including aggravated identity theft, wire fraud, computer fraud, conspiracy, and false statements related to child pornography. If convicted, he could face decades in prison, with a cumulative maximum sentence of 32 years. His sentencing is scheduled for May 18. Federal authorities have urged anyone who believes they may be affected by this Snapchat hacking scheme to come forward. More than anything, this case serves as a warning. The tools used were not sophisticated exploits or zero-day vulnerabilities—they were lies, impersonation, and manipulation. As this Snapchat hacking investigation shows, the most dangerous cyber threats today often rely on human error, not broken technology.What CISA KEV Is and Isn’t – and a Tool to Help Guide Security Teams
6 February 2026 at 14:41
CISA KEV Is Not a List of the Worst Vulnerabilities
CISA KEV is not a list of the worst vulnerabilities, and the criteria for inclusion in the KEV catalog is perhaps surprisingly narrow. “The KEV is often misunderstood as a government-curated list of the most severe vulnerabilities ever discovered, or as a catalog of hyper-critical remote code execution flaws actively being used by foreign adversaries against U.S. government systems,” the paper said. “This casual interpretation is incorrect on several counts. While KEV-listed vulnerabilities do represent confirmed exploitation, the catalog exists primarily as an operational prioritization tool rather than as a comprehensive inventory of exploited vulnerabilities.” Inclusion in the KEV Catalog is limited to vulnerabilities that meet four conditions:- The vulnerability must have an assigned Common Vulnerabilities and Exposures (CVE) identifier.
- There must be a reasonable mitigation. “This means that vulnerabilities with no realistic path to mitigation will not reach the KEV,” the paper said. The lack of a straightforward fix has kept CVE-2022-21894, aka “BlackLotus,” off the list even though the NSA has provided mitigation guidance.
- There must be evidence of exploitation. “This exploitation must be observed by CISA, either directly or through trusted reporting channels,” the paper said.
- The vulnerability must be relevant to the U.S. Federal Civilian Executive Branch (FCEB).
- Access Vector of “Network” (as opposed to “Adjacent,” “Local,” or “Physical”)
- Privileges Required of “None” (as opposed to “Low” or “High”)
- User Interaction of “None” (as opposed to “Required”)
- Integrity Impact of “High” (as opposed to “None” or “Low”)
Perfect Vulnerability Coverage ‘Unrealistic’
The paper noted that “perfect vulnerability coverage is an increasingly unrealistic goal, particularly when organizations are constrained by finite tooling, staffing, or budget. This is even true when the focus is narrowed to merely the CISA KEV catalog.” “Many KEVs now affect assets that are difficult to inventory, difficult to scan, or difficult to patch using conventional enterprise tooling,” and can’t be covered by a single product. The paper’s goal is to help security practitioners “reason about uncertainty and prioritize effort when full coverage is unattainable. In practice, organizations must decide how to sequence remediation, where to apply detection and monitoring first, and when to escalate resource allocation to meet particularly aggressive deadlines.” All source JSON files used by the KEV Collider application are available in a public GitHub repository.The Cyber Express Weekly Roundup: Global Cybersecurity Incidents and Policy Shifts
6 February 2026 at 06:21
The Cyber Express Weekly Roundup
Cyberattack Disrupts Spain’s Ministry of Science Operations
Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more..OpenAI Expands Controlled Access to Advanced Cyber Defense Models
OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more..French Authorities Escalate Investigations Into X and Grok AI
French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more..AI-Generated Platform Moltbook Exposes Millions of Credentials
Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more..Substack Discloses Breach Months After Initial Compromise
Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more..Weekly Takeaway
This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.La Sapienza Cyberattack Forces Italy’s Largest University Offline
6 February 2026 at 04:46
Updates to the La Sapienza Cyberattack
Sapienza University of Rome enrolls more than 112,500 students, making the impact of the outage particularly significant. Following the incident, university officials notified Italian authorities and established a dedicated technical task force to coordinate remediation and recovery efforts. As of the latest updates, the university’s official website remains offline, and recovery status updates have been communicated primarily through social media channels, including Instagram. To mitigate disruption to students, the university announced the creation of temporary in-person “infopoints.” These locations are intended to provide access to information normally available through digital systems and databases that remain unavailable due to the cyberattack on La Sapienza.Cyberattack on La Sapienza Linked to BabLock Malware
While the university has not publicly confirmed the technical nature of the incident or identified those responsible, Italian newspaper Corriere Della Sera reports that the La Sapienza cyberattack bears the hallmarks of a ransomware operation. According to the outlet, the attack is allegedly linked to a previously unknown, pro-Russian threat actor known as “Femwar02.” The reporting suggests the attackers used BabLock malware, also referred to as Rorschach, based on observed malware characteristics and operational behavior. BabLock malware first emerged in 2023 and has attracted researchers' attention for its unusually fast encryption speeds and extensive customization capabilities. Sources cited by Corriere della Sera claim that the systems at Sapienza were encrypted and that a ransom demand exists. However, university staff reportedly have not opened the ransom note, as doing so would trigger a 72-hour countdown timer. As a result, the ransom amount has not been disclosed. This tactic, designed to pressure victims into rapid negotiations, is increasingly common in ransomware campaigns using BabLock malware.Investigation and Recovery Efforts Continue
In response to the cyberattack on La Sapienza, university technicians are working alongside Italy’s national Computer Security Incident Response Team (CSIRT), specialists from the Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale. Their primary objective is to restore systems using backups, which, according to reports, were not affected by the attack. Italy’s national cybersecurity agency has confirmed that it is investigating the incident. However, neither Sapienza University nor Italian authorities have publicly verified whether the attack involved ransomware or whether any data was exfiltrated. This distinction is critical: encryption-only incidents primarily cause operational disruption, while confirmed data theft can trigger additional legal and regulatory obligations under the EU’s General Data Protection Regulation (GDPR).Critical n8n Vulnerability CVE-2026-25049 Enables Remote Command Execution
5 February 2026 at 04:19
Bypass of Previous Security Fixes for CVE-2026-25049 Vulnerability
According to an advisory released Wednesday by n8n maintainers, the issue was uncovered during follow-up analysis after the earlier disclosure. The maintainers stated, “Additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613.” They further warned that “an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n.” The vulnerability is described as an “Expression Escape Vulnerability Leading to RCE,” reflecting its ability to break out of an n8n expression sandbox and reach the host operating system. The advisory was published under GitHub Security Advisory GHSA-6cqr-8cfr-67f8 and applies to the n8n package distributed via npm.Affected Versions and Mitigation Guidance
The CVE-2026-25049 vulnerability affects all n8n versions earlier than 1.123.17 and 2.5.2. The issue has been fully patched in versions 1.123.17 and 2.5.2, and users are advised to upgrade immediately to these or later releases to remediate the risk. For organizations unable to upgrade right away, the advisory outlines temporary workarounds. These include restricting workflow creation and modification permissions to fully trusted users and deploying n8n in a hardened environment with limited operating system privileges and constrained network access. However, n8n’s maintainers emphasized that these measures do not fully resolve the vulnerability and should only be considered short-term mitigations. From a severity standpoint, n8n has adopted CVSS 4.0 as the primary scoring system for its advisories, while continuing to provide CVSS 3.1 vector strings for compatibility. Under CVSS 3.1, CVE-2026-25049 carries the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The CVSS 4.0 metrics similarly rate the issue as critical, citing low attack complexity, network-based exploitation, low required privileges, and high impact to confidentiality, integrity, and availability.Researcher Insights and Potential Impact
Although no specific Common Weakness Enumerations (CWEs) have been assigned, the real-world implications of exploiting this n8n vulnerability are severe. A successful attack could allow threat actors to compromise the server, steal credentials, exfiltrate sensitive data, and install persistent backdoors to maintain long-term access. The vulnerability was discovered with contributions from as many as ten security researchers. Those credited include Fatih Çelik, who also reported CVE-2025-68613, as well as Endor Labs’ Cris Staicu, Pillar Security’s Eilon Cohen, SecureLayer7’s Sandeep Kamble, and several independent researchers. In a technical deep dive covering both CVE-2025-68613 and CVE-2026-25049, Çelik stated that “they could be considered the same vulnerability, as the second one is just a bypass for the initial fix.” He explained that both issues allow attackers to escape the n8n expression sandbox mechanism and circumvent security checks designed to prevent command execution.CISA Silently Updates Vulnerabilities Exploited by Ransomware Groups
4 February 2026 at 15:46
Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups
Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.Ransomware Groups Target Edge Devices
Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.Foxit Releases Security Updates for PDF Editor Cloud XSS Vulnerabilities
4 February 2026 at 01:34
Details of Foxit PDF Editor Vulnerabilities CVE-2026-1591 and CVE-2026-1592
Two vulnerabilities were identified in Foxit PDF Editor Cloud: CVE-2026-1591 and CVE-2026-1592. Both issues fall under Cross-Site Scripting (CWE-79) and carry a Moderate severity rating, with a CVSS v3.0 score of 6.3. The vulnerabilities affect the File Attachments list and Layers panel, where attackers could inject crafted payloads into file names or layer names. CVE-2026-1591, considered the primary issue, allows attackers to exploit insufficient input validation and improper output encoding to execute arbitrary JavaScript in a user’s browser. CVE-2026-1592 presents the same risk through similar attack vectors and conditions. Both vulnerabilities were discovered and reported by security researcher Novee. Although exploitation requires user interaction, the impact can be significant. Attackers must convince authenticated users to access specially crafted attachments or layer configurations. Once triggered, the malicious JavaScript runs within the browser context, potentially enabling session hijacking, exposure of sensitive data from open PDF documents, or redirection to attacker-controlled websites.Enterprise Risk and Attack Surface Considerations
The attack surface is particularly relevant in enterprise environments where Foxit PDF Editor is widely used for document collaboration and editing. Employees often handle PDFs originating from external partners, customers, or public sources, increasing the likelihood of exposure to crafted payloads. In addition to Foxit PDF Editor Cloud, Foxit also addressed a related XSS vulnerability affecting Foxit eSign, tracked as CVE-2025-66523. This flaw carries a CVSS score of 6.1 and occurs due to improper handling of URL parameters in specially crafted links. When authenticated users visit these links, untrusted input may be embedded into JavaScript code and HTML attributes without adequate encoding, creating opportunities for privilege escalation and cross-domain data theft. The patch for Foxit eSign was released on January 15, 2026.Patches, Mitigation, and Security Guidance
Foxit confirmed that CVE-2026-1591, CVE-2026-1592, and CVE-2025-66523 have all been fully patched. The fixes include improved input validation and output encoding mechanisms designed to prevent malicious script injection. Updates for Foxit PDF Editor Cloud are deployed automatically or available through standard update mechanisms, requiring no additional configuration. Organizations using Foxit PDF Editor Cloud and Foxit eSign should confirm that their systems are running the latest versions. Administrators are also advised to monitor for unusual JavaScript execution, unexpected PDF editor behavior, or anomalies in application logs. For environments handling sensitive documents, additional controls may help reduce risk. These include limiting PDF editing to trusted networks, enforcing browser-based content security policies, and restricting access to untrusted attachments. End users should remain cautious when opening PDF files from unknown sources and avoid clicking suspicious links within eSign workflows.Critical vLLM Flaw Exposes Millions of AI Servers to Remote Code Execution
3 February 2026 at 03:19
What Is vLLM and Why CVE-2026-22778 Matters
vLLM is a high-throughput, memory-efficient inference engine designed to serve large language models efficiently in production environments. It is commonly used to address performance bottlenecks associated with traditional LLM serving, including slow inference speeds, poor GPU utilization, and limited concurrency. Compared to general-purpose local runners such as Ollama, vLLM is frequently deployed in high-load environments where scalability and throughput are critical. Because vLLM is often exposed through APIs and used to process untrusted user input, vulnerabilities like CVE-2026-22778 increase the attack surface. Any organization running vLLM with video or multimodal model support enabled is potentially affected. OX customers identified as vulnerable were notified and instructed to update their deployments.Impact: Full Server Takeover via Remote Code Execution
CVE-2026-22778 allows attackers to achieve RCE by sending a specially crafted video link to a vLLM multimodal endpoint. Successful exploitation can result in arbitrary command execution on the underlying server. From there, attackers may exfiltrate data, pivot laterally within the environment, or fully compromise connected systems. The vulnerability does not require authentication beyond access to the exposed API, making internet-facing deployments particularly at risk. Because vLLM is commonly used in clustered or GPU-backed environments, the blast radius of a single exploited instance may extend well beyond one server.Technical Analysis
The root cause of CVE-2026-22778 is a chained exploit combining an information disclosure bug with a heap overflow that ultimately leads to remote code execution. According to OX Security, the first stage involves bypassing ASLR protections through memory disclosure. When an invalid image is submitted to a multimodal vLLM endpoint, the Python Imaging Library (PIL) raises an error indicating it cannot identify the image file. In vulnerable versions, this error message includes a heap memory address. That address is located before libc in memory, reducing the ASLR search space and making exploitation more reliable. The patched code sanitizes these error messages to prevent leaking heap addresses. With the leaked address available, the attacker proceeds to the second vulnerability. vLLM relies on OpenCV for video decoding, and OpenCV bundles FFmpeg 5.1.x. That FFmpeg release contains a heap overflow flaw in its JPEG2000 decoder. JPEG2000 images use separate buffers for color channels: a large buffer for the Y (luma) channel and smaller buffers for the U and V (chroma) channels. The decoder incorrectly trusts the image’s cdef (channel definition) box, allowing channels to be remapped without validating buffer sizes. This means large Y channel data can be written into a smaller U buffer. Because the attacker controls both the image geometry and the channel mapping, they can precisely control how much data overflows and which heap objects are overwritten. By abusing internal JPEG2000 headers and crafting specific channel values, the overflow can overwrite adjacent heap memory, including function pointers. Execution can then be redirected to a libc function such as system(), resulting in full RCE.Affected Versions and Recommended Actions
The following vLLM Python package versions are affected:- Affected versions: vLLM >= 0.8.3 and < 0.14.1
- Fixed version: vLLM 0.14.1
BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game
2 February 2026 at 04:30
The BreachForums marketplace has suffered a leak, exposing the identities of nearly 324,000 cybercriminals. This incident highlights a critical shift in cyberattacks, creating opportunities for law enforcement while demonstrating the risks associated with breaches in the cybercriminal ecosystem.
The post BreachForums Breach Exposes Names of 324K Cybercriminals, Upends the Threat Intel Game appeared first on Security Boulevard.
Russian APT28 Exploit Zero-Day Hours After Microsoft Discloses Office Vulnerability
2 February 2026 at 06:49
Ukraine's cyber defenders warn Russian hackers weaponized a Microsoft zero-day within 24 hours of public disclosure, targeting government agencies with malicious documents delivering Covenant framework backdoors.
Russian state-sponsored hacking group APT28 used a critical Microsoft Office zero-day vulnerability, tracked as CVE-2026-21509, in less than a day after the vendor publicly disclosed the flaw, launching targeted attacks against Ukrainian government agencies and European Union institutions.
Ukraine's Computer Emergency Response Team detected exploitation attempts that began on January 27—just one day after Microsoft published details about CVE-2026-21509.
Microsoft had acknowledged active exploitation when it disclosed the flaw on January 26, but details pertaining to the threat actors were withheld and it is still unclear if it is the same or some other exploitation campaign that the vendor meant. However, the speed at which APT28 deployed customized attacks shows the narrow window defenders have to patch critical vulnerabilities.
Also read: APT28’s Recent Campaign Combined Steganography, Cloud C2 into a Modular Infection Chain
CERT-UA discovered a malicious DOC file titled "Consultation_Topics_Ukraine(Final).doc" containing the CVE-2026-21509 exploit on January 29. Metadata revealed attackers created the document on January 27 at 07:43 UTC. The file masqueraded as materials related to Committee of Permanent Representatives to the European Union consultations on Ukraine's situation.
[caption id="attachment_109153" align="aligncenter" width="700"] Word file laced with malware (Source: CERT-UA)[/caption]
On the same day, attackers impersonated Ukraine's Ukrhydrometeorological Center, distributing emails with an attached DOC file named "BULLETEN_H.doc" to more than 60 email addresses. Recipients primarily included Ukrainian central executive government agencies, representing a coordinated campaign against critical government infrastructure.
The attack chain begins when victims open malicious documents using Microsoft Office. The exploit establishes network connections to external resources using the WebDAV protocol—a file sharing protocol that extends HTTP to enable collaborative editing. The connection downloads a shortcut file containing program code designed to retrieve and execute additional malicious payloads.
[caption id="attachment_109150" align="aligncenter" width="600"] Exploit chain. (Source CERT-UA)[/caption]
Successful execution creates a DLL file "EhStoreShell.dll" disguised as a legitimate "Enhanced Storage Shell Extension" library, along with an image file "SplashScreen.png" containing shellcode. Attackers implement COM hijacking by modifying Windows registry values for a specific CLSID identifier, a technique that allows malicious code to execute when legitimate Windows components load.
The malware creates a scheduled task named "OneDriveHealth" that executes periodically. When triggered, the task terminates and relaunches the Windows Explorer process. Because of the COM hijacking modification, Explorer automatically loads the malicious EhStoreShell.dll file, which then executes shellcode from the image file to deploy the Covenant framework on compromised systems.
Covenant is a post-exploitation framework similar to Cobalt Strike that provides attackers persistent command-and-control access. In this campaign, APT28 configured Covenant to use Filen.io, a legitimate cloud storage service, as command-and-control infrastructure. This technique, called living-off-the-land, makes malicious traffic appear legitimate and harder to detect.
CERT-UA discovered three additional malicious documents using similar exploits in late January 2026. Analysis of embedded URL structures and other technical indicators revealed these documents targeted organizations in EU countries. In one case, attackers registered a domain name on January 30, 2026—the same day they deployed it in attacks—demonstrating the operation's speed and agility.
"It is obvious that in the near future, including due to the inertia of the process or impossibility of users updating the Microsoft Office suite and/or using recommended protection mechanisms, the number of cyberattacks using the described vulnerability will begin to increase," CERT-UA warned in its advisory.
Microsoft released an emergency fix for CVE-2026-21509, but many organizations struggle to rapidly deploy patches across enterprise environments. The vulnerability affects multiple Microsoft Office products, creating a broad attack surface that threat actors will continue exploiting as long as unpatched systems remain accessible.
Read: Microsoft Releases Emergency Fix for Exploited Office Zero-Day
CERT-UA attributes the campaign to UAC-0001, the agency's designation for APT28, also known as Fancy Bear or Forest Blizzard. The group operates on behalf of Russia's GRU military intelligence agency and has conducted extensive operations targeting Ukraine since Russia's 2022 invasion. APT28 previously exploited Microsoft vulnerabilities within hours of disclosure, demonstrating consistent capability to rapidly weaponize newly discovered flaws.
CERT-UA recommends organizations immediately implement mitigation measures outlined in Microsoft's advisory, particularly Windows registry modifications that prevent exploitation. The agency specifically urges blocking or monitoring network connections to Filen cloud storage infrastructure, providing lists of domain names and IP addresses in its indicators of compromise section.
Flaw in Broadcom Wi-Fi Chipsets Illuminates Importance of Wireless Dependability and Business Continuity
2 February 2026 at 03:55
A “scary” vulnerability in Broadcom Wi-Fi chipsets could lead to long-term instability and affect how an organization operates.
The post Flaw in Broadcom Wi-Fi Chipsets Illuminates Importance of Wireless Dependability and Business Continuity appeared first on Security Boulevard.
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities
30 January 2026 at 10:35
From an Anthropic blog post:
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in historyusing only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches.
AI models are getting better at this faster than I expected. This will be a major power shift in cybersecurity.
AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities
30 January 2026 at 10:35
From an Anthropic blog post:
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in historyusing only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches...
The post AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities appeared first on Security Boulevard.
The Cyber Express Weekly Roundup: Threats, Regulations, and Digital Security Trends
30 January 2026 at 07:18
The Cyber Express Weekly Roundup
Cyberattack Hits Russian Security Firm Delta
On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online. Read more...Ad Fraud and Data Privacy: Brands Must Act Now
Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts like Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitations, and maintain accountability across complex advertising ecosystems. Read more…Ivanti Patches Critical Mobile Manager Zero-Days
Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. These flaws allow attackers to execute arbitrary code, access sensitive device and user data, and track locations. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies. Read more...Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework
Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework providing attackers with long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and stealthy memory execution to evade traditional antivirus software, enabling credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration. Read more...EU Data Breach Notifications Rise Amid GDPR Reform Talks
Data breach notifications in the EU surged 22% over the past year, averaging over 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight a need to balance efficiency in reporting with protecting fundamental privacy rights amid NIS2, DORA, and ongoing cybersecurity threats. Read more...New Cyberattacks Target U.S. Companies
Several U.S. companies, including Bumble, Panera, Match Group, and CrunchBase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while other firms experienced limited exposure. The ShinyHunters hacking group claims responsibility and has issued extortion demands, emphasizing social engineering as a growing threat to high-profile organizations. Read more...Weekly Takeaway
The last week of January 2026 stresses that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.Ivanti Patches Two Zero-Days in Mobile Manager After Attackers Exploit Vulnerable Systems
30 January 2026 at 03:51
Two code injection vulnerabilities allowed unauthenticated attackers to execute arbitrary code and access sensitive device information across compromised networks.
Ivanti released emergency patches for two critical zero-day vulnerabilities in Endpoint Manager Mobile after discovering attackers exploited the flaws to compromise customer systems. The company confirmed a limited number of organizations fell victim to attacks leveraging CVE-2026-1281, which CISA added to its Known Exploited Vulnerabilities catalog with a February 1 remediation deadline for federal agencies.
The Code Injection Zero-Days
Both CVE-2026-1281 and CVE-2026-1340 are code injection flaws affecting EPMM's In-House Application Distribution and Android File Transfer Configuration features. Rated critical with CVSS scores of 9.8, the vulnerabilities allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication.
"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," Ivanti stated in its security advisory released Thursday. The company acknowledged it lacks sufficient information about the threat actors or comprehensive indicators of compromise due to the sophistication of the attacks.
The vulnerabilities affect only on-premises EPMM deployments and do not impact cloud-hosted Ivanti Neurons for Mobile Device Management, Ivanti Endpoint Manager, the Ivanti Sentry secure mobile gateway or any other Ivanti products. However, the company recommends organizations review Sentry logs alongside EPMM systems for potential lateral movement.
What Attackers Can Siphon
Successful exploitation grants attackers access to mobile device management infrastructure. Compromised EPMM appliances expose administrator and user credentials, including usernames and email addresses. Attackers gain visibility into managed mobile devices, accessing phone numbers, IP addresses, installed applications and device identifiers like IMEI and MAC addresses.
Organizations with location tracking enabled face additional exposure. Attackers accessing compromised systems can retrieve device location data including GPS coordinates and cellular tower information. More critically, attackers can leverage EPMM's API or web console to modify device configurations, including authentication settings.
Urgent Remediation Called For
Ivanti released RPM scripts providing temporary mitigation for affected EPMM versions. Organizations running versions 12.5.0.x, 12.6.0.x and 12.7.0.x should deploy RPM 12.x.0.x, while those operating versions 12.5.1.0 and 12.6.1.0 require RPM 12.x.1.x. The company emphasized that applying patches requires no downtime and causes no functional impact.
"If after applying the RPM script to your appliance, you upgrade to a new version you will need to reinstall the RPM," Ivanti warned. The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0," scheduled for release later in Q1 2026.
Also read: Ivanti Bugs Exploited Even After Three Months of Patch Availability
Organizations suspecting compromise should not attempt to clean affected systems. Ivanti recommends either restoring EPMM from known-good backups taken before exploitation occurred or rebuilding the appliance and migrating data to replacement systems. After restoration, administrators must reset passwords for local EPMM accounts, LDAP and KDC service accounts, revoke and replace public certificates, and reset passwords for all internal and external service accounts configured with EPMM.
The company's analysis guidance shows particular risks around Sentry integration. While EPMM can be restricted to demilitarized zones with minimal corporate network access, Sentry specifically tunnels traffic from mobile devices to internal network assets. Organizations should review systems accessible through Sentry for potential reconnaissance or lateral movement.
CISA Issues a Tight Two-Day Deadline
CISA's addition of CVE-2026-1281 to the KEV catalog triggers Binding Operational Directive 22-01 requirements. Federal civilian agencies must apply vendor mitigations or discontinue using vulnerable systems by February 1, 2026. CISA strongly urges all organizations, not just federal agencies, to prioritize remediation as part of vulnerability management practices.
Notably, CISA added only CVE-2026-1281 to the KEV catalog despite Ivanti confirming exploitation of both vulnerabilities. The agency has not explained this discrepancy.
Also read: CISA Warns of New Malware Campaign Exploiting Ivanti EPMM Vulnerabilities
The disclosure continues Ivanti's troubled 2025, which saw widespread exploitation of multiple zero-day vulnerabilities across its product portfolio. Security researchers previously linked EPMM attacks to sophisticated threat actors, with some incidents attributed to China-nexus advanced persistent threat groups.
Also read: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
These management platforms represent high-value targets because compromising them effectively transforms the system into enterprise-wide command-and-control infrastructure.
Organizations should apply patches immediately and conduct thorough security assessments of potentially compromised systems to prevent further damage from these actively exploited vulnerabilities.
Cyble Research Discovers ShadowHS, an In-Memory Linux Framework for Long-Term Access
30 January 2026 at 03:25
Fileless Execution and Weaponized Hackshell
The ShadowHS Linux framework operates entirely in memory, leaving no persistent binaries on disk. CRIL’s analysis revealed that the framework uses an encrypted shell loader to deploy a heavily modified version of hackshell, enabling an interactive post-exploitation environment. The loader decrypts and reconstructs the payload in memory using AES‑256‑CBC encryption, Perl byte skipping, and gzip decompression. The payload is executed via /proc/<pid>/fd/<fd> with a spoofed argv[0], ensuring that no filesystem artifacts remain. [caption id="" align="alignnone" width="918"] Payload Reconstruction & Fileless Execution (Source: CRIL)[/caption]
Once active, ShadowHS prioritizes reconnaissance, fingerprinting host security measures, evaluating prior compromises, and providing an operator-controlled interface. Its runtime behavior is deliberately restrained, allowing attackers to selectively invoke capabilities such as credential access, lateral movement, privilege escalation, cryptomining, and covert data exfiltration.
CRIL Observations on Operator-Centric Design
According to CRIL, ShadowHS reflects mature operator tradecraft rather than the patterns of opportunistic Linux malware. Its in-memory design allows operators to assess system security posture while avoiding traditional detection mechanisms. The payload performs aggressive EDR and AV fingerprinting, checking for commercial endpoint tools such as CrowdStrike, Tanium, Sophos, and Microsoft Defender, as well as cloud and OT/ICS telemetry agents. [caption id="" align="alignnone" width="903"] Runtime Dependency Validation (Source: CRIL)[/caption]
“ShadowHS demonstrates a clear separation between restrained runtime activity and extensive dormant capabilities,” CRIL notes. “This is indicative of a deliberate operator-driven post-exploitation platform rather than automated malware.”
Covert Data Exfiltration
One of ShadowHS’s most notable features is its ability to exfiltrate data without using standard network channels. The Linux framework implements user-space tunneling over GSocket, replacing rsync’s default transport. This allows files to be transferred stealthily across firewalls and restrictive network environments. CRIL observed two variants: one using DBus-based tunneling and another employing netcat-style GSocket tunnels, both preserving timestamps, permissions, and partial transfer state.Dormant Capabilities and Lateral Movement
ShadowHS also contains dormant modules that operators can activate on demand. These include:- Memory dumping for credential theft
- SSH-based lateral movement and brute-force scanning
- Privilege escalation using kernel exploits
- Cryptocurrency mining via XMRig, GMiner, and lolMiner
Implications for Threat Defense
The discovery of ShadowHS stresses the challenges organizations face in defending Linux environments against fileless, in-memory threats. CRIL notes that traditional signature-based antivirus solutions and file-based detection mechanisms are insufficient to detect frameworks like ShadowHS. Effective defense requires monitoring process behavior, kernel-level telemetry, and memory-resident activity. “ShadowHS represents a fully operator-controlled, adaptive Linux framework designed for stealth and long-term access,” CRIL stated. “Its use of a weaponized hackshell, fileless execution, and exfiltration methods highlights the growing need for proactive threat intelligence and advanced monitoring strategies.” See ShadowHS and new cyber threats in action, schedule your Cyble demo today, and gain real-time visibility into cyber risks before they impact your organization.Security Researcher Finds Exposed Admin Panel for AI Toy
29 January 2026 at 15:46
AI Toy Admin Panel Exposed Children’s Conversations
After some investigation in the admin panel, the researchers found they had full access to “Every conversation transcript that any child has had with the toy,” which numbered in the “tens of thousands of sessions.” The panel also contained personal data about children and their family, including:- The child’s name and birth date
- Family member names
- The child’s likes and dislikes
- Objectives for the child (defined by the parent)
- The name given to the toy by the child
- Previous conversations between the child and the toy (used to give the LLM context)
- Device information, such as location via IP address, battery level, awake status, and more
- The ability to update device firmware and reboot devices
A (Very) Quick Response from Bondu
Margolis reached out to Bondu’s CEO on LinkedIn over the weekend – and the company took down the console “within 10 minutes.” “Overall we were happy to see how the Bondu team reacted to this report; they took the issue seriously, addressed our findings promptly, and had a good collaborative response with us as security researchers,” Thacker said. The company took other steps to investigate and look for additional security flaws, and also started a bug bounty program. They examined console access logs and found that there had been no unauthorized access except for the researchers’ activity, so the company was saved from a data breach. Despite the positive experience working with Bondu, the experience made Thacker reconsider buying AI toys for his own kids. “To be honest, Bondu was totally something I would have been prone to buy for my kids before this finding,” he wrote. “However this vulnerability shifted my stance on smart toys, and even smart devices in general.” “AI models are effectively a curated, bottled-up access to all the information on the internet,” he added. “And the internet can be a scary place. I’m not sure handing that type of access to our kids is a good idea.” Aside from potential security issues, “AI makes this problem even more interesting because the designer (or just the AI model itself) can have actual ‘control’ of something in your house. And I think that is even more terrifying than anything else that has existed yet,” he said. Bondu's website says the AI toy was built with child safety in mind, noting that its "safety and behavior systems were built over 18 months of beta testing with thousands of families. Thanks to rigorous review processes and continuous monitoring, we did not receive a single report of unsafe or inappropriate behavior from bondu throughout the entire beta period."Nation-State Hackers, Cybercriminals Weaponize Patched WinRAR Flaw Despite Six-Month-Old Fix
29 January 2026 at 05:38
Russian and Chinese espionage groups continue to exploit an N-day vulnerability (CVE-2025-8088) in WinRAR alongside financially motivated actors, all leveraging a path traversal vulnerability that drops malware into Windows Startup folders.
Google Threat Intelligence Group discovered widespread exploitation of a critical WinRAR vulnerability six months after the vendor patched it, with government-backed hackers from Russia and China deploying the flaw alongside financially motivated cybercriminals. The attacks demonstrate how effective exploits remain valuable long after patches become available, especially when organizations delay updates.
CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR, allows attackers to write files to arbitrary system locations by crafting malicious RAR archives. RARLAB released WinRAR version 7.13 on July 30, 2025, to address the flaw. However, exploitation began at least 12 days earlier, on July 18, according to ESET research.
Read: New Zero-Day in WinRAR Abused by RomCom
The vulnerability exploits Alternate Data Streams, a Windows feature that allows multiple data streams to be associated with a single file. Attackers conceal malicious files within ADS entries of decoy documents inside archives. While victims view what appears to be a legitimate PDF or document, hidden payload streams execute in the background.
The exploit uses specially crafted paths combining ADS features with directory traversal characters. A file might carry a composite name like "innocuous.pdf:malicious.lnk" paired with a path traversing to critical directories. When victims open the archive, the ADS content extracts to destinations specified by the traversal path, frequently targeting the Windows Startup folder for automatic execution at next login.
Multiple Russian threat groups consistently exploit the vulnerability in campaigns targeting Ukrainian military and government entities using highly tailored geopolitical lures. UNC4895, also known as RomCom, conducts dual financial and espionage operations through spearphishing emails with subject lines indicating targeting of specific Ukrainian military units. The attacks deliver NESTPACKER malware, externally known as Snipbot.
APT44, tracked under the designation FROZENBARENTS, drops decoy files with Ukrainian filenames alongside malicious LNK files attempting further downloads. TEMP.Armageddon, designated CARPATHIAN, uses RAR archives to place HTA files into Startup folders, with the HTA acting as a downloader for second-stage payloads. This activity continued through January 2026.
Turla, adopted CVE-2025-8088 to deliver the STOCKSTAY malware suite using lures themed around Ukrainian military activities and drone operations. A China-nexus actor exploits the vulnerability to deliver POISONIVY malware via BAT files dropped into Startup folders, which then download droppers.
The exploitation mirrors widespread abuse of CVE-2023-38831, a previous WinRAR bug that government-backed actors heavily exploited despite available patches. The pattern demonstrates that exploits for known vulnerabilities remain highly effective when organizations fail to patch promptly.
Financially motivated threat groups quickly adopted the vulnerability. One group targeting Indonesian entities uses lure documents to drop CMD files into Startup folders. These scripts download password-protected RAR archives from Dropbox containing backdoors that communicate with Telegram bot command-and-control servers.
Another group focuses on hospitality and travel sectors, particularly in Latin America, using phishing emails themed around hotel bookings to deliver commodity remote access trojans including XWorm and AsyncRAT. A separate group targeting Brazilian users via banking websites delivered malicious Chrome extensions that inject JavaScript into pages of two Brazilian banking sites to display phishing content and steal credentials.
An actor known as "zeroplayer" advertised a WinRAR exploit in July 2025, shortly before widespread exploitation began. zeroplayer's portfolio extends beyond WinRAR. In November 2025, the actor claimed a sandbox escape remote code execution zero-day exploit for Microsoft Office, advertising it for $300,000. In late September 2025, zeroplayer advertised a remote code execution zero-day for an unnamed popular corporate VPN provider.
Starting mid-October 2025, zeroplayer advertised a Windows local privilege escalation zero-day exploit for $100,000. In early September 2025, the actor advertised a zero-day for an unspecified drive allowing attackers to disable antivirus and endpoint detection and response software for $80,000.
zeroplayer's continued activity demonstrates the commoditization of the attack lifecycle. By providing ready-to-use capabilities, actors like zeroplayer reduce technical complexity and resource demands, allowing groups with diverse motivations—from ransomware deployment to state-sponsored intelligence gathering—to leverage sophisticated capabilities.
The rapid exploitation adoption occurred despite Google Safe Browsing and Gmail actively identifying and blocking files containing the exploit. When reliable proof of concept for critical flaws enters cybercriminal and espionage marketplaces, adoption becomes instantaneous. This blurs lines between sophisticated government-backed operations and financially motivated campaigns.
The vulnerability's commoditization reinforces that effective defense requires immediate application patching coupled with fundamental shifts toward detecting consistent, predictable post-exploitation tactics.
Google published comprehensive indicators of compromise in a VirusTotal collection for registered users to assist security teams in hunting and identifying related activity.
Malicious Open Source Software Packages Neared 500,000 in 2025
28 January 2026 at 15:35
npm Leads in Malicious Open Source Software Packages
More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically. Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain. IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.” “Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said.Open Source Malware Exploits Developer Processes
Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines. “Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.” The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell ... and Shai-Hulud to have ecosystem-wide impact.” “The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact. “Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.” Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted. “AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”Hackers Exploit React2Shell Vulnerability to Deploy Miners and Botnets Worldwide
28 January 2026 at 01:52
Exploiting CVE-2025-55182
The campaign was first observed in December 2025, shortly after details of the vulnerability became available. According to BI.ZONE Threat Detection and Response, attackers moved quickly. “In December 2025, BI.ZONE TDR detected malicious activity targeting companies in the Russian insurance, e-commerce, and IT sectors. The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability,” the company reported. The primary payload observed during this phase was the XMRig cryptocurrency miner, though Kaiji, Rustobot, and the Sliver implant were also deployed. The vulnerable packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, versions 19.0 through 19.2.0. Security patches were released in 19.0.1, 19.1.2, and 19.2.1, but exploitation continued against unpatched systems.Malware Deployment Following React2Shell Exploitation
In one documented case targeting Russian organizations, attackers exploited the React2Shell vulnerability inside a container environment and executed a chained command sequence to download an ELF binary named bot from 176.117.107[.]154. This file was identified as RustoBot, a Rust-based botnet primarily associated with attacks on TOTOLINK devices. RustoBot resolves multiple domain names, including ilefttotolinkalone.anondns[.]net and rustbot.anondns[.]net—all pointing to the IP address 45.137.201[.]137. RustoBot is capable of launching UDP flood, TCP flood, and Raw IP flood DDoS attacks, with configurable parameters such as duration, target address, and packet size. The malware also embeds XMRig as a secondary payload, monetizing compromised infrastructure. Following the initial infection, attackers executed Base64-encoded shell commands that retrieved additional scripts from tr.earn[.]top. One of these, apaches.sh, installed an UPX-packed XMRig binary and established persistence through systemd services and cron jobs, storing files in /usr/local/sbin when executed as root or /tmp otherwise. Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh. Kaiji supports SYN, ACK, and UDP flood attacks, WebSocket abuse, command execution, dynamic encrypted configuration files, extensive persistence mechanisms, and replacement of system utilities such as ls, ps, and netstat. The malware also deployed XMRig and attempted to conceal its presence by masquerading as legitimate system libraries. Attackers later delivered the Sliver implant using the d5.sh script, which handled privilege-aware persistence and aggressively erased forensic traces by clearing shell history and deleting temporary files.Additional Campaigns and Global Targeting
In another case, attackers exploited the same React2Shell vulnerability to deploy XMRig version 6.24.0 using setup2.sh, a modified mining script. The miner configuration included a hardcoded wallet address and companion scripts, alive.sh and lived.sh, designed to terminate competing processes while preserving the miner. A third case involved DNS-based data exfiltration. After exploiting CVE-2025-55182, attackers executed reconnaissance commands and exfiltrated results via DNS tunneling to oastify[.]com. This was followed by the installation of XMRig from GitHub and persistence via a systemd service named system-update-service.service. Outside Russia, it has been observed that React2Shell exploitation delivers a broader malware ecosystem. Payloads included CrossC2 for Cobalt Strike, Tactical RMM, VShell, and EtherRAT. These tools enabled long-term access, command execution, encrypted C2 communication, and stealthy persistence. EtherRAT, in particular, retrieved its command-and-control address from an Ethereum smart contract, later contacting 91.215.85[.]42:3000 to fetch JavaScript payloads.Another Credential Leak, Another Dollar
28 January 2026 at 02:00
A 149M-credential breach shows why encryption alone isn’t enough. Infostealer malware bypasses cloud security by stealing passwords at the endpoint—where encryption offers no protection.
The post Another Credential Leak, Another Dollar appeared first on Security Boulevard.
CISA Flags Actively Exploited VMware vCenter RCE Flaw in KEV Catalog
27 January 2026 at 04:51
Heap Overflow Flaw Poses Severe RCE Risk
CVE-2024-37079 carries a maximum CVSS v3.1 score of 9.8, placing it firmly in the “critical” severity category. The vulnerability stems from a heap overflow weakness in the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) protocol implementation within VMware vCenter Server. VMware vCenter Server is widely used by administrators to centrally manage Broadcom’s VMware ESXi hypervisors and virtual machines, making it a high-value target for attackers. DCE/RPC, or Distributed Computing Environment/Remote Procedure Calls, is used by VMware vCenter Server for internal inter-process communication. This includes sensitive services such as certificate management, directory services, and authentication. According to the CVE description, “vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.” By exploiting CVE-2024-37079, threat actors can gain a foothold on the vCenter management plane and then move laterally to underlying hypervisors.Impact of CVE-2024-37079 Across VMware vCenter Server and Cloud Foundation
The vulnerability record for CVE-2024-37079 was published on June 18, 2024, by VMware and Broadcom. It specifies that the flaw is remotely exploitable over the network with no privileges or user interaction required. Affected products include VMware vCenter Server versions 8.0 before 8.0 U2d and 8.0 U1e, as well as version 7.0 before 7.0 U3r. VMware Cloud Foundation deployments are also impacted, specifically versions 5.x and 4.x that include vulnerable vCenter Server components. Later fixed versions are available, but no viable in-product workarounds were identified. CVE-2024-37079 is addressed as part of VMware Security Advisory VMSA-2024-0012, initially released on June 17, 2024. The advisory also covers CVE-2024-37080, another heap overflow issue in the DCE/RPC implementation, and CVE-2024-37081, a local privilege escalation vulnerability caused by sudo misconfigurations. While CVE-2024-37081 carries a lower maximum CVSS score of 7.8 and requires local authenticated access, CVE-2024-37079 and CVE-2024-37080 both reach the critical 9.8 threshold.Urgent Need for Patching as Exploitation Occurs in the Wild
On Jan. 23, 2026, VMware updated the advisory to version VMSA-2024-0012.1, adding a key note: “Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild.” This update aligns with CISA’s decision to add the vulnerability to the KEV catalog, signaling that attackers are actively abusing the flaw rather than merely researching it. VMware acknowledged the researchers who responsibly disclosed the issues. CVE-2024-37079 and CVE-2024-37080 were reported by Hao Zheng (@zhz) and Zibo Li (@zbleet) from the TianGong Team of Legendsec at Qi’anxin Group. CVE-2024-37081 was reported by Matei “Mal” Badanoiu of Deloitte Romania.Data Privacy Week 2026: Why Secure Access is the New Data Protection Perimeter
27 January 2026 at 00:49
The Death of the "Safe" Zone
By now, the concept of a "trusted network" is an architectural relic. In 2026, data is a fluid asset distributed across multi-region SaaS, edge computing nodes, and sovereign clouds rather than sitting in a central vault. The primary challenge today is the "Identity-Data Gap." While the transition away from the physical office is complete, the assumption of trust associated with it often remains. If a user connects to a resource, legacy systems frequently grant broad, persistent visibility. This level of exposure facilitates near-instant lateral movement across the network and connected devices, making such visibility a direct threat to data privacy. Protecting data privacy in this environment requires a shift from storage-centric security to visibility control. Resources must remain "dark" to everyone except the authenticated, authorised user throughout a continuously verified session.Data Privacy Week 2026: Defending Against the "Identity Hijack"
In 2026, the primary threat to data privacy is the weaponisation of legitimate access rather than sophisticated software exploits. While a user’s identity can be verified with near-total certainty, organisations remain remarkably vulnerable to the context of that identity—specifically the what, how, and when of the access request. In this model, identity has become a false proxy for trust. As identity remains under constant siege, secure access must move beyond a "gatekeeper" event to become a Continuous Adaptive Risk and Trust Assessment (CARTA). Securing the new perimeter requires the validation of three distinct pillars through persistent, 24/7/365 monitoring:- Validate the Human (Identity & Presence): Progressive organisations are adopting a multi-modal approach that combines phishing-resistant hardware verification with biometric-first identity signals. By anchoring identity in physical hardware (such as FIDO2-compliant keys) and augmenting it with continuous monitoring of liveness and presence, it is possible to ensure that the authorised individual remains physically present at the keys throughout the interaction. This layered verification prevents session hijacking or "shoulder surfing" in real-time.
- Validate the Device (Integrity & Posture): It is no longer safe to assume a device is secure simply because it is corporate-owned. The technical integrity of the endpoint must be evaluated before and during access. This involves continuous checks for managed status, OS vulnerabilities, and security software health to ensure the tool used to access data is not a compromised gateway.
- Validate the Behaviour (Intent & Monitoring): This final layer of the perimeter involves monitoring user actions for deviations from established norms. Detecting anomalies in navigation speed, timing, and data consumption allows for an assessment of whether a device is acting like a human-operated workstation or an automated exfiltration bot. The perimeter thus functions as a dynamic response system that adapts based on 'Contextual Intelligence'—the real-time risk of the intent.
Privacy-First Architecture: Micro-Segmentation of Access
The defining transition for 2026 and beyond is the shift from "Access to Resources" to "Entitlement within Resources." Under a Zero Trust Network Access (ZTNA) 2.0 framework, this is achieved through a "Privacy of Exclusion" model. Connecting a user to an application is no longer sufficient; granular actions within that application must be managed. By default, no user sees any data. Only when a specific request is validated is a "one-to-one" encrypted tunnel created, restricting the user to the precise dataset required for the task. This approach is necessary to satisfy the rigorous "Need-to-Know" requirements of global regulations like the GDPR or India’s DPDPA. Data privacy cannot be maintained if a network architecture allows a marketing executive to even ping an HR database. Secure access enforces privacy by making the unauthorised invisible.Looking Ahead: The Invisible Perimeter
The mandate for technology leaders is to de-couple security from the underlying infrastructure of the internet. Data privacy is not a checkbox; it is a continuous state of being. It is maintained only when access is granular, just-in-time, and verified with every single click. The "Castle and Moat" has been replaced by an invisible guard made of identity and intent—ensuring that privacy is a default setting rather than a manual effort.Microsoft Releases Emergency Fix for Exploited Office Zero-Day
26 January 2026 at 15:42
Microsoft Emergency Fix for Office 2016 and 2019 Coming Soon
Microsoft said that customers on Office 2021 and later “will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.” Office 2016 and 2019 customers will have to wait for a forthcoming security update, but can protect themselves by applying registry keys as instructed (included below). Office Client 2016 and 2019 updates “will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE,” Microsoft said. The 7.8-rated vulnerability requires user interaction to be exploited. An attacker would have to send a malicious Office file and convince users to open it for an exploit to be successful. It is the second actively exploited zero-day vulnerability fixed by Microsoft this month, following CVE-2026-20805 fixed on Patch Tuesday. Microsoft has also released out-of-band Windows and Windows Server fixes this month for Windows and Outlook bugs. Microsoft said the new CVE-2026-21509 fix addresses a vulnerability that bypasses OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM (Component Object Model)/OLE controls. COM/OLE is the framework that allows content from one application to be integrated into another, such as from an Excel spreadsheet into a Word document. The Preview Pane is not an attack vector, Microsoft noted.Office 2016 and 2019 Mitigations
Microsoft said Office 2016 and 2019 customers can apply registry keys as described for immediate protection. Microsoft recommends first backing up your registry and exiting all Microsoft Office applications. Start the Registry Editor by tapping Start or pressing the Windows key on your keyboard, then typing regedit and pressing enter.Step 1
Locate the proper registry subkey. It will be one of the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows) Note: The COM Compatibility node may not be present by default and may need to be added by right-clicking the Common node and choosing Add Key.Step 2
Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key. Within that new subkey, add one new value by right-clicking the new subkey and choose New > DWORD (32-bit) Value, naming the new REG_DWORD value Compatibility Flags and assigning it a value of 400. Exit Registry Editor and start your Office application. Microsoft offered the following example: In Office 2016, 64-bit, on Windows you would locate this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ If the COM Compatibility node doesn't exist, you'll need to create it. Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. The resulting path in this case is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. To that subkey, add a REG_DWORD value called Compatibility Flags with a value of 400.CISA Adds Five Enterprise Software Flaws to Known Exploited Vulnerabilities Catalog
23 January 2026 at 17:21
Versa, Zimbra and VMware Enterprise Software Flaws
The Versa Concerto vulnerability is CVE-2025-34026, a 9.2-severity Improper Authentication vulnerability in the SD-WAN orchestration platform’s Traefik reverse proxy configuration that could allow an attacker to access administrative endpoints, including the internal Actuator endpoint, for access to heap dumps and trace logs. The issue affects Concerto from 12.1.2 through 12.2.0, although the National Vulnerability Database (NVD) notes that “Additional versions may be vulnerable.” Project Discovery revealed the vulnerability and two others last year. CVE-2024-37079 is a 9.8-rated Broadcom VMware vCenter Server out-of-bounds write/heap-overflow vulnerability in the implementation of the DCERPC protocol. “A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the NVD entry says. The Cyber Express noted in a June 2024 article on CVE-2024-37079 and two other vCenter vulnerabilities, “With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors to leverage these critical vulnerabilities also.” CVE-2025-68645 is an 8.8-rated Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 that allows improper handling of user-supplied request parameters in the RestFilter servlet. “An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory,” says the NVD database.Vite and Prettier Code Tool Vulnerabilities
CVE-2025-54313 is a high-severity embedded malicious code vulnerability affecting the eslint-config-prettier package for the Prettier code formatting tool that stems from a supply chain attack last July. The embedded malicious code in eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 can execute an install.js file that launches the node-gyp.dll malware on Windows, NVD notes. CVE-2025-31125 is a medium-to-high severity Improper Access Control vulnerability affecting Vite ViteJS, a frontend tooling framework for JavaScript. The vulnerability can expose the content of non-allowed files when apps explicitly expose the Vite dev server to the network. Th vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities
23 January 2026 at 07:01
Really interesting blog post from Anthropic:
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history—using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches.
Read the whole thing. Automatic exploitation will be a major change in cybersecurity. And things are happening fast. There have been significant developments since I wrote this in October.
GitLab Releases Critical Patch Updates to Address Multiple High-Severity Vulnerabilities
23 January 2026 at 03:23
Overview of the Latest GitLab Patch Release
This GitLab patch release resolves multiple security issues affecting both GitLab Community Edition and Enterprise Edition, including several high-severity vulnerabilities. One of the most critical issues, tracked as CVE-2025-13927, involves a denial of service vulnerability in the Jira Connect integration. GitLab reported that an unauthenticated attacker could create a denial of service condition by sending crafted requests containing malformed authentication data. The vulnerability affects all GitLab CE/EE versions from 11.9 up to, but not including, versions 18.6.4, 18.7.2, and 18.8.2. The issue carries a CVSS score of 7.5. GitLab credited a92847865 for reporting the vulnerability through its HackerOne bug bounty program. Another high-severity issue, CVE-2025-13928, impacts the Releases API. Due to incorrect authorization validation in API endpoints, an unauthenticated user could trigger a denial of service condition. This vulnerability affects GitLab Community Edition and Enterprise Edition versions from 17.7 prior to the patched releases and also has a CVSS score of 7.5. The issue was reported by the same researcher. GitLab also addressed CVE-2026-0723, a vulnerability in authentication services that could have allowed an attacker with knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses. This issue affects versions from 18.6 prior to the patched releases and has a CVSS score of 7.4. The vulnerability was reported by ahacker1 through HackerOne. Medium-severity issues include CVE-2025-13335, an infinite loop flaw in Wiki redirects that could allow an authenticated user to cause a denial of service by crafting malformed Wiki documents. This issue affects versions from 17.1 onward and has a CVSS score of 6.5. GitLab also fixed CVE-2026-1102, a denial-of-service vulnerability in an API endpoint triggered by repeated malformed SSH authentication requests, affecting versions from 12.3 onward with a CVSS score of 5.3. GitLab noted that this vulnerability was discovered internally by team member Thiago Figueiró.Bug Fixes and Upgrade Considerations for Self-Managed Users
In addition to addressing vulnerabilities, the GitLab patch release introduces a wide range of bug fixes across versions 18.8.2, 18.7.2, and 18.6.4. These include backported fixes for merge request reviewer crashes, searchable dropdown race conditions, container repository index repairs, Git LFS throttling exclusions, accessibility-related soft wrap issues, and Git push errors in self-managed environments. Several fixes also improve CI jobs, Sidekiq worker behavior, migration health checks, and AI catalog workflows. GitLab cautioned that this patch release includes database migrations that may impact the upgrade process. Single-node installations will experience downtime during the upgrade because migrations must be completed before GitLab can restart. Multi-node deployments, however, can apply the updates without downtime by following recommended zero-downtime upgrade procedures. Version 18.7.2 includes post-deploy migrations that can run after the main upgrade process. GitLab strongly recommends that all installations of GitLab Community Edition and Enterprise Edition running affected versions upgrade to the latest patch release as soon as possible to reduce exposure to known vulnerabilities and maintain platform stability.Fortinet Admins Report Active Exploits on “Fixed” FortiOS 7.4.9 Firmware
22 January 2026 at 07:23
Network administrators worldwide are scrambling this morning following credible reports that the critical Fortinet Single Sign-On (SSO) vulnerability, tracked as CVE-2025-59718, is being actively exploited on systems previously thought to be patched.
The vulnerability, originally disclosed in December 2025, allows unauthenticated attackers to bypass authentication on FortiGate firewalls by forging SAML assertions. At the time, Fortinet released FortiOS version 7.4.9 as the definitive fix for the 7.4 release branch. However, emerging data from the cybersecurity community suggests this update may have failed to close the door on attackers.
The "Zombie" FortiOS Vulnerability
Over the last 48 hours, a wave of reports has surfaced on community hubs like Reddit, where verified administrators have shared logs indicating successful breaches on devices running the supposedly secure FortiOS 7.4.9.
The attack pattern is distinct and alarming. Victims report observing unauthorized logins via the FortiCloud SSO mechanism—even when they do not actively use the feature for their own administration. Once access is gained, the attackers typically create a local administrator account, often named "helpdesk" or similar generic terms, to establish persistence independent of the SSO flaw.
"We have been on 7.4.9 since December 30th," wrote one frustrated administrator who shared redacted logs of the incident. "Our SIEM caught a local admin account being created. The attack vector looks exactly like the original CVE-2025-59718 exploit, but against the patched firmware.
Technical Confusion and Workarounds
The persistence of this flaw in version 7.4.9 has led to speculation that the initial patch was incomplete or that attackers have found a bypass to the mitigation logic. Some users report that Fortinet support has acknowledged the issue privately, hinting that the vulnerability might persist even into upcoming builds like 7.4.10, though this remains unconfirmed by official public advisories.
The exploit relies on the "Allow administrative login using FortiCloud SSO" setting, which is often enabled by default when a device is registered to FortiCloud.
Security experts are now advising a "trust no patch" approach for this specific vector. The only guaranteed mitigation currently circulating in professional circles is to manually disable the vulnerable feature via the Command Line Interface (CLI), regardless of the firmware version installed.
Administrators are urged to run the following command immediately on all FortiGate units:
config system global
set admin-forticloud-sso-login disable
end
Indicators of Compromise
Organizations running FortiOS 7.4.x—including version 7.4.9—should immediately audit their system event logs for the following activity:
-
Unexpected SSO Logins: Filter logs for successful logins where the method is
forticloud-sso, especially from unrecognized public IP addresses. -
New User Creation: Check for the recent creation of administrator accounts with names like
helpdesk,support, orfortinet-admin. -
Configuration Exports: Look for logs indicating a full system configuration download shortly after an SSO login.
As trust in the official patch cycle wavers, the community is once again serving as the first line of defense, sharing Indicators of Compromise (IOCs) and workarounds faster than vendors can issue bulletins. For now, disable the SSO feature, or risk compromise.
Critical Vulnerability in Advanced Custom Fields: Extended Plugin Puts 100,000 WordPress Sites at Risk
21 January 2026 at 09:40
Unauthenticated Privilege Escalation Threatens WordPress Sites
The vulnerability could allow unauthenticated attackers to register new user accounts with administrator-level privileges, potentially giving them complete control over affected WordPress sites. Since no prior access or compromised credentials are needed, the exposure is far higher than typical privilege escalation flaws that require existing user permissions. Any site running a vulnerable version of the plugin with certain configurations in place could be targeted by attackers anywhere on the internet. The Advanced Custom Fields: Extended plugin is widely used by WordPress developers and site owners to enhance how custom fields operate. As an ACF add-on plugin, it provides tools for managing front-end forms, creating options pages, defining custom post types and taxonomies, and customizing the WordPress admin interface.How the ACF Addon Plugin Flaw Works
The issue lies in the privilege escalation vulnerability caused by missing role restrictions during user registration. Specifically, the plugin’s insert_user function does not enforce limits on which WordPress roles can be assigned when a new account is created. Under normal circumstances, WordPress strictly controls role assignment during registration to prevent unauthorized privilege elevation. In this case, that safeguard was bypassed. Exploitation requires that the site uses a front-end form provided by the plugin, and that the form maps a custom field directly to the WordPress user role. When this configuration exists, the plugin accepts the submitted role value without verifying whether it is permitted. Essentially, the plugin relied on the HTML form to restrict role selection, without performing proper server-side validation. For example, a developer might configure a registration form to display only the “subscriber” role. However, an attacker could inspect the form’s HTML, intercept the HTTP request, and modify the submitted value from role=subscriber to role=administrator. The plugin would then pass this value directly to WordPress’s user creation functions without validation, granting full administrator access. The plugin changelog confirms that these issues have been addressed. Fixes include:- “Enforced front-end fields validation against their respective ‘Choices’ settings.”
- “Module: Forms – Added security measure for forms allowing user role selection.”
Patches, Updates, and Steps for Site Owners
The vulnerability affects all versions up to and including 0.9.2.1. It has been patched in version 0.9.2.2, which introduces multiple validation hooks and enhanced security checks for front-end forms and user role handling. Notable updates in the changelog include:- Module: Forms – Enforced front-end fields validation against their respective ‘Choices’ settings
- Module: Forms – Added security measure for forms, allowing user role selection
- Module: Forms – Added acfe/form/validate_value hook to validate fields individually on the front
- Module: Forms – Added acfe/form/pre_validate_value hook to bypass enforced validation
New EU Vulnerability Platform GCVE Goes Live, Reducing Reliance on Global Systems
21 January 2026 at 02:26
Why GCVE Emerged When It Did
The immediate catalyst was a brief but impactful scare surrounding the possible discontinuation of the Common Vulnerabilities and Exposures (CVE) program in 2025. Even though the CVE system has long been treated as a foundational layer of global cybersecurity, the mere risk of interruption exposed how fragile that assumption really was. Across Europe, the incident prompted vendors, researchers, and policymakers to ask an uncomfortable question: what happens if the numbering system everyone depends on suddenly becomes unavailable or constrained? GCVE formed in response, not as a rejection of CVE, but as a hedge against single-point dependency. The EU vulnerability database is the practical outcome of that realization, offering an alternative that is structurally decentralized rather than centrally approved.A Decentralized Model by Design
Unlike traditional models, where vulnerability identifiers are assigned through a central authority, GCVE operates using a Global Numbering Authority (GNA) framework. This allows participating organizations to assign and publish vulnerability identifiers autonomously. There is no waiting period for central approval and no bottleneck that can stall disclosure during critical response windows. The platform aggregates data from more than 25 distinct sources, including public vulnerability directories and GNA contributors. All incoming data is normalized, structured, and indexed, so it can be searched consistently across ecosystems. In practical terms, this means a vulnerability disclosed through GitHub Security Advisories, a national CERT, or another recognized directory can coexist in a single EU vulnerability database without losing context or traceability.What the Database Actually Shows
The Cyber Express team analyzed the platform and found that the GCVE dashboard reveals how broad that aggregation already is. Recent activity lists vulnerabilities from multiple origins, including GitHub advisories such as GHSA-QHWV-3XRQ-PJMJ, GHSA-M2W5-7XHV-W6FH, GHSA-X439-WRMP-CJ57, and dozens more. Alongside them appear traditional identifiers like CVE-2025-14559, CVE-2026-1035, and CVE-2026-24026 through CVE-2026-24020, pulled from cvelistv5 sources. [caption id="attachment_108825" align="alignnone" width="742"] EU vulnerability database dashboard (Source: GCVE)[/caption]
The dashboard tracks more than identifiers. Weekly observations, comments, bundles, known exploited vulnerabilities (KEV), sightings, and even “ghost CVEs” are surfaced to show how issues evolve after disclosure. A rolling, month-long evolution view highlights how frequently vulnerabilities are seen, confirmed, exploited, or accompanied by proof-of-concept code.
Concrete examples illustrate the breadth of historical and current coverage. Widely known issues like CVE-2021-44228 (Log4Shell), CVE-2019-19781, CVE-2018-13379, and CVE-2017-17215 appear alongside recent entries such as CVE-2025-14847, CVE-2025-55182, CVE-2025-68613, and CVE-2025-59374. Older vulnerabilities, CVE-2015-2051 or CVE-2017-18368, sit next to newly published 2026 identifiers, reinforcing that the EU vulnerability database is designed for continuity, not just novelty.
Integration Over Isolation
GCVE’s architects appear keenly aware that a database alone does not change behavior. To that end, the platform exposes an open API intended for direct integration into compliance tooling, risk management platforms, and security operations workflows. This matters for Europe’s computer security incident response teams, software vendors, researchers, and open-source maintainers, who often juggle multiple data feeds just to maintain situational awareness. By consolidating vulnerability intelligence without enforcing a single authority, GCVE positions itself as connective tissue rather than a replacement organ. The model assumes coexistence with existing systems while ensuring Europe retains the ability to operate independently if needed.Cloudflare Zero-Day Let Attackers Bypass WAF via ACME Certificate Validation Path
20 January 2026 at 08:54
How the Cloudflare Vulnerability Worked
ACME (Automatic Certificate Management Environment) automates certificate lifecycle management by requiring a domain to respond with a specific token at a well-known URL. For Cloudflare-managed certificates, Cloudflare itself responds to these validation requests at the edge. To prevent legitimate certificate issuance from failing, Cloudflare intentionally disables certain WAF features on this path, since firewall rules can interfere with validation requests from certificate authorities. The zero-day vulnerability emerged because Cloudflare’s logic disabled WAF protections for any request sent to the ACME challenge path, without verifying whether the token in the request matched an active certificate challenge for that hostname. If the token did not correspond to a Cloudflare-managed certificate order, the request was forwarded to the customer’s origin server with WAF protections still disabled. This meant an attacker could send arbitrary requests to /.well-known/acme-challenge/* and bypass all customer-configured WAF rules, regardless of whether a valid certificate challenge existed. The ACME path effectively became a universal WAF bypass.Cloudflare’s Confirmation and Technical Details
Cloudflare confirmed the issue in an official disclosure dated October 13, 2025, stating: “Security researchers from FearsOff identified and reported a vulnerability in Cloudflare's ACME (Automatic Certificate Management Environment) validation logic that disabled some of the WAF features on specific ACME-related paths.” The company explained that when a request matched an active ACME challenge token, WAF features were disabled because Cloudflare directly served the response. However, the same behavior occurred when the token belonged to a different zone or an external certificate workflow. In those cases, the request should have remained subject to WAF inspection but was instead passed through to the origin unchecked. This logic flaw created a direct path around Cloudflare’s security controls, allowing access to backend infrastructure that customers assumed was fully protected by the WAF.Mitigation and Impact
Cloudflare mitigated the vulnerability by updating its edge logic so that WAF features are only disabled when a request matches a valid ACME HTTP-01 challenge token for the specific hostname and when Cloudflare has a challenge response to serve. All other requests to the ACME path are now processed normally through WAF rulesets. According to Cloudflare, no customer action was required, and the company stated it was not aware of any malicious exploitation of the vulnerability before the fix.The Cyber Express Weekly Roundup: Leadership Changes, Blackouts, Malware, and AI Safety Actions
16 January 2026 at 06:24
The Cyber Express Weekly Roundup
X Tightens Grok AI Restrictions
X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities. Read more…NSA Appoints Timothy Kosiba as Deputy Director
The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units. Read more…Iran Enters Fourth Day of Nationwide Internet Blackout
Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications. Read more…Dr. Amit Chaubey Warns of Expanding “Business Blast Radius”
In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations. Read more…Endesa Data Breach Affects Energía XXI Customers
Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possible payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue. Read more…New Android Banking Malware deVixor Identified
Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design. Read more…Microsoft Disrupts RedVDS Cybercrime Platform
Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure. Read more…Weekly Roundup Takeaway
This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone.New Vulnerability in n8n
15 January 2026 at 07:05
This isn’t good:
We discovered a critical vulnerability (CVE-2026-21858, CVSS 10.0) in n8n that enables attackers to take over locally deployed instances, impacting an estimated 100,000 servers globally. No official workarounds are available for this vulnerability. Users should upgrade to version 1.121.0 or later to remediate the vulnerability.
AI Security Is Top Cyber Concern: World Economic Forum
14 January 2026 at 15:43
Top AI Security Concerns
C-level leaders are also concerned about AI-related vulnerabilities, which were identified as the fastest-growing cyber risk by 87% of respondents (chart below). Cyber-enabled fraud and phishing, supply chain disruption, exploitation of software vulnerabilities and ransomware attacks were also cited as growing risks by more than half of survey respondents, while insider threats and denial of service (DoS) attacks were seen as growing concerns by about 30% of respondents. [caption id="attachment_108654" align="aligncenter" width="1041"] Growing cybersecurity risks (World Economic Forum)[/caption]
The top generative AI (GenAI) concerns include data leaks exposing personal data, advancement of adversarial capabilities (phishing, malware development and deepfakes, for example), the technical security of the AI systems themselves, and increasingly complex security governance (chart below).
[caption id="attachment_108655" align="aligncenter" width="1038"] GenAI security concerns[/caption]
Concern About AI Security Leads to Action
The increasing focus on AI security is leading to action within organizations, as the percentage of respondents assessing the security of AI tools grew from 37% in 2025 to 64% in 2026. That is helping to close “a significant gap between the widespread recognition of AI-driven risks and the rapid adoption of AI technologies without adequate safeguards,” the report said, as more organizations are introducing structured processes and governance models to more securely manage AI. About 40% of organizations conduct periodic reviews of their AI tools before deploying them, while 24% do a one-time assessment, and 36% report no assessment or no knowledge of one. The report called that “a clear sign of progress towards continuous assurance,” but noted that “roughly one-third still lack any process to validate AI security before deployment, leaving systemic exposures even as the race to adopt AI in cyber defences accelerates.” The forum report recommended protecting data used in the training and customization of AI models from breaches and unauthorized access, developing AI systems with security as a core principle, incorporating regular updates and patches, and deploying “robust authentication and encryption protocols to ensure the protection of customer interactions and data.”AI Adoption in Security Operations
The report noted the impact of AI on defensive cybersecurity tools and operations. “AI is fundamentally transforming security operations – accelerating detection, triage and response while automating labour-intensive tasks such as log analysis and compliance reporting,” the report said. “AI’s ability to process vast datasets and identify patterns at speed positions it as a competitive advantage for organizations seeking to stay ahead of increasingly sophisticated cyberthreats.” The survey found that 77% of organizations have adopted AI for cybersecurity purposes, primarily to enhance phishing detection (52%), intrusion and anomaly response (46%), and user-behavior analytics (40%). Still, the report noted a need for greater knowledge and skills in deploying AI for cybersecurity, a need for human oversight, and uncertainty about risk as the biggest obstacles facing AI adoption in cybersecurity. “These findings indicate that trust is still a barrier to widespread AI adoption,” the report said. Human oversight remains an important part of security operations even among those organizations that have incorporated AI into their processes. “While AI excels at automating repetitive, high-volume tasks, its current limitations in contextual judgement and strategic decision-making remain clear,” the report said. “Over-reliance on ungoverned automation risks creating blind spots that adversaries may exploit.” Adoption of AI cybersecurity tools varies by industry, the report found. The energy sector prioritizes intrusion and anomaly detection, according to 69% of respondents who have implemented AI for cybersecurity. The materials and infrastructure sector emphasizes phishing protection (80%); and the manufacturing, supply chain and transportation sector is focused on automated security operations (59%).Geopolitical Cyber Threats
Geopolitics was the top factor influencing overall cyber risk mitigation strategies, with 64% of organizations accounting for geopolitically motivated cyberattacks such as disruption of critical infrastructure or espionage. The report also noted that “confidence in national cyber preparedness continues to erode” in the face of geopolitical threats, with 31% of survey respondents “reporting low confidence in their nation’s ability to respond to major cyber incidents,” up from 26% in the 2025 report. Respondents from the Middle East and North Africa express confidence in their country’s ability to protect critical infrastructure (84%), while confidence is lower among respondents in Latin America and the Caribbean (13%). “Recent incidents affecting key infrastructure, such as airports and hydroelectric facilities, continue to call attention to these concerns,” the report said. “Despite its central role in safeguarding critical infrastructure, the public sector reports markedly lower confidence in national preparedness.” And 23% of public-sector organizations said they lack sufficient cyber-resilience capabilities, the report found.MS-ISAC Flags High-Risk Security Flaws in Fortinet Products
14 January 2026 at 01:31
Technical Details of MS-ISAC Advisory
MS-ISAC reports that the most severe vulnerabilities could allow arbitrary code execution within the context of affected service accounts. If those service accounts are configured with elevated privileges, an attacker could install programs, alter or delete data, or create new accounts with full user rights. Systems that enforce least-privilege access models may experience reduced impact. One of the most critical issues is a heap-based buffer overflow vulnerability (CWE-122) in the cw_acd daemon used by FortiOS and FortiSwitchManager. Identified as CVE-2025-25249, this flaw could allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. Another high-severity vulnerability affects FortiSIEM, where an OS command injection flaw (CWE-78) tracked as CVE-2025-64155 could allow unauthenticated attackers to execute unauthorized commands via crafted TCP requests. Lower-severity vulnerabilities were also documented. These include a path traversal vulnerability in FortiVoice (CVE-2025-58693), an SQL injection flaw in FortiClientEMS (CVE-2025-59922), an SSRF vulnerability in FortiSandbox (CVE-2025-67685), and an information disclosure issue in the FortiFone web portal (CVE-2025-47855).Affected Versions, Risk Ratings, and Mitigation Guidance
The advisory lists a wide range of affected versions. FortiVoice versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 are impacted, while FortiSandbox versions 5.0.0 through 5.0.4 and all versions of 4.4, 4.2, and 4.0 are also affected. FortiOS versions from 6.4.0 through 7.6.3 are included, alongside multiple releases of FortiClientEMS, FortiSwitchManager, FortiSIEM, FortiFone, and FortiSASE. MS-ISAC assesses the risk as high for large and medium government organizations and businesses, medium for small government entities and small businesses, and low for home users. At the time of issuance, there were no reports of active exploitation in the wild. To reduce risk, MS-ISAC recommends applying Fortinet’s stable channel updates as soon as possible following appropriate testing. Additional guidance includes maintaining a formal vulnerability management and remediation process, conducting regular automated patching and vulnerability scans, and performing periodic penetration testing. Organizations are also advised to enforce least-privilege access, manage default and administrative accounts carefully, enable anti-exploitation protections, and segment networks to limit potential lateral movement.Microsoft Patch Tuesday January 2026: Actively Exploited Zero Day, 8 High-Risk Flaws
13 January 2026 at 16:51
Patch Tuesday January 2026 High-Risk Vulnerabilities
Microsoft judged eight vulnerabilities as “exploitation more likely.” They include: CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (toctou) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find. CVE-2026-20820 is a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges. CVE-2026-20840 is 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. CVE-2026-20843 is another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20860 is also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally. CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, is also rated 7.8 and is credited to the Trend Zero Day Initiative. The use after free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally. CVE-2026-20922 is also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.Highest-Rated Vulnerabilities in the Patch Tuesday Update
The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include:- CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
- CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
- CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability
What Is a DNS Attack? Understanding the Risks and Threats
13 January 2026 at 12:54
Understanding DNS Threats
A DNS attack is any attempt to exploit vulnerabilities in the Domain Name System to disrupt normal operations, manipulate traffic, or gain unauthorized access. DNS is inherently designed for accessibility rather than security, which makes it susceptible to DNS threats. Attackers exploit the fact that DNS communications are often unencrypted, allowing them to intercept, alter, or redirect traffic. In recent research, the economic impact of DNS attacks continues to strain organizational cybersecurity budgets. According to the 2023 Global DNS Threat Report by IDC, 88% of surveyed organizations reported experiencing at least one DNS attack, and most suffered multiple incidents annually. The study found that these attacks impose an average cost of approximately $942,000 per successful breach, as well as operational disruption and reputational harm. DNS attacks are not limited to traditional web browsing; they can target internal networks, cloud-hosted DNS services, and enterprise infrastructure. A recent example occurred on January 8, 2026, when a global DNS attack caused Cisco Small Business Switches to enter repeated reboot loops. Faults in the DNS client service triggered crashes across multiple models, from CBS250 to SG550X series, affecting organizations worldwide. In many cases, disabling DNS queries temporarily stabilized networks, highlighting how dependent infrastructure can be on proper DNS functionality.How DNS Attacks Work
A DNS attack typically exploits a DNS vulnerability to manipulate traffic or disrupt service. Attackers can:- Intercept DNS queries and provide malicious responses.
- Redirect users to fraudulent websites for phishing or malware distribution.
- Overload DNS servers to cause downtime through DNS DDoS attacks.
- Exploit caching mechanisms to redirect legitimate traffic (DNS poisoning).
Common DNS Attack Types
DNS attacks come in many forms, ranging from simple hijacks to multi-vector campaigns. Understanding these types of DNS attacks is crucial for prevention.- DNS Hijacking: Attackers redirect legitimate traffic to malicious sites by altering DNS records. This can occur through compromised servers or man-in-the-middle interception, leading to data theft or malware infections.
- DNS Cache Poisoning: Also known as DNS poisoning, this attack injects false data into a DNS resolver’s cache, causing it to return incorrect IP addresses. Users unknowingly visit attacker-controlled sites.
- DNS Floodand DDoS Attacks: A DNS flood is a denial-of-service attack that overwhelms servers with excessive requests. DNS DDoS attack types often combine spoofing and amplification techniques to maximize disruption, targeting both authoritative servers and resolvers.
- DNS Tunneling: Here, attackers encapsulate malicious data within DNS queries or responses, often to exfiltrate sensitive information or maintain command-and-control channels undetected.
- Phantom Domain and Botnet-Based Attacks: Attackers may generate fake domains to overload resolvers or use a network of compromised devices to launch coordinated attacks. These DNS-based attacks are challenging to defend against due to their distributed nature.
- Cover and Malware Attacks: Some attacks manipulate DNS as a distraction, enabling other attacks to succeed. Others directly use DNS viruses or malware to disrupt network services.
Preventing DNS Attacks
Defending against DNS attacks requires both proactive monitoring and strategic configuration:- Audit DNS zones regularly to remove outdated or vulnerable entries.
- Keep DNS servers updated with the latest security patches.
- Restrict zone transfers to prevent unauthorized access.
- Disable DNS recursion on authoritative servers to prevent amplification attacks.
- Implement DNSSEC to add digital signatures to DNS data, mitigating spoofing.
- Use threat prevention tools and DNS firewalls to block malicious domains and detect exfiltration attempts.
Conclusion
A DNS attack is a potent threat that exploits the vulnerabilities of the Domain Name System to disrupt services, steal data, or redirect traffic. With common DNS attacks such as hijacking, cache poisoning, DNS floods, and tunneling, organizations must prioritize DNS security. Understanding DNS vulnerabilities, implementing preventive measures, and monitoring traffic continuously are essential for protecting both local networks and cloud infrastructure from Internet DNS attacks.CISA Warns of Attacks on PowerPoint and HPE Vulnerabilities
8 January 2026 at 10:51
CISA KEV Addition Follows CVE-2025-37164 PoC
CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage. While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164.CVE-2009-0556 PowerPoint Flaw First Attacked in 2009
The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code. Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”New n8n Vulnerability (CVE-2026-21858) Allows Unauthenticated File Access and RCE
8 January 2026 at 03:33
How the n8n Webhook Content-Type Confusion Is Exploited
The vulnerability stems from how n8n handles form submissions. When a request is processed, the platform uses parseRequestBody() to determine whether to invoke a file upload parser or a regular body parser. If multipart/form-data is specified, uploaded files are parsed and stored in req.body.files. However, researchers found that certain file-handling functions are executed without verifying the Content-Type header. As a result, attackers can override req.body.files even when no file upload is present. “Since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object,” Attias explained. This allows an attacker to copy any local file from the server instead of an uploaded file, exposing sensitive system data to downstream workflow nodes.n8n Vulnerability Enables Admin Bypass and Remote Code Execution
The impact of CVE-2026-21858 extends beyond arbitrary file reads. Researchers demonstrated how attackers could escalate the flaw into a full system compromise. By abusing the n8n vulnerability, a threat actor could read the internal SQLite database at /home/node/.n8n/database.sqlite, extract administrator credentials, and then retrieve encryption secrets from /home/node/.n8n/config. Using this information, attackers could forge a valid admin session cookie, bypass authentication, and gain full administrative access. From there, they could create a malicious workflow containing an “Execute Command” node, achieving remote code execution on the host system. Cyera warned that the centralized nature of n8n significantly amplifies the risk. “A compromised n8n instance doesn’t just mean losing one system; it means handing attackers the keys to everything,” the company said, citing stored API credentials, OAuth tokens, and database connections as high-value targets.Patch Status and Mitigations for CVE-2026-21858
The n8n vulnerability affects all versions up to and including 1.65.0 and was patched in version 1.121.0, released on November 18, 2025. Users are strongly urged to upgrade to a fixed or newer release, such as versions 1.123.10, 2.1.5, 2.2.4, or 2.3.0. As additional mitigations, administrators are advised to avoid exposing n8n instances to the internet, enforce authentications for all Forms, and restrict or disable publicly accessible n8n webhook and form endpoints until patches can be applied. The disclosure of CVE-2026-21858 follows several other critical issues in n8n, including CVE-2025-68668 and CVE-2025-68613, highlighting the need for rigorous security controls around automation platforms that manage sensitive integrations and credentials.Unpatched TOTOLINK EX200 Flaw Enables Root-Level Telnet Access, CERT/CC Warns
7 January 2026 at 03:14
Firmware Upload Error Triggers Root-Level Telnet Access
What makes this behavior especially dangerous is that the telnet service launched under these circumstances does not require authentication. The interface, which is normally disabled and not intended to be exposed, becomes an unintended remote administration channel. CERT/CC summarized the issue clearly, stating: “An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.” The vulnerability was discovered and responsibly reported by security researcher Leandro Kogan, who was credited by CERT/CC for identifying the flaw. The advisory was authored by Timur Snoke and published as Vulnerability Note VU#295169, with both the original release date and last revision listed as January 6, 2026.Exploitation Requirements and Potential Impact of CVE-2025-65606
While exploitation of CVE-2025-65606 does require the attacker to already be authenticated to the web management interface of the TOTOLINK EX200, the resulting impact is severe. Access to the firmware-upload functionality is enough to trigger the vulnerability. Once the malformed firmware file is processed and the device enters the abnormal error state, the unauthenticated root-level telnet service becomes available. From that point forward, an attacker gains unrestricted control of the device. CERT/CC warned that successful exploitation could lead to configuration manipulation, arbitrary command execution, or the establishment of persistent access on the network. Because the TOTOLINK EX200 functions as a network extender, compromise of the device may also enable lateral movement or broader network attacks. CERT/CC emphasized that the unintended telnet interface increases the attack surface of the device. The advisory notes that this behavior could be leveraged to hijack susceptible devices, allowing attackers to maintain long-term control without relying on the original web authentication mechanism.No Patch Available as Device Reaches End of Life
One of the most concerning aspects of CVE-2025-65606 is the absence of a vendor-provided fix. CERT/CC confirmed that TOTOLINK has not released any updates addressing the vulnerability, and the TOTOLINK EX200 is no longer actively maintained. Vendor status information was listed as “Unknown,” and the product has reached end-of-life. Publicly available information shows that the last firmware update for the TOTOLINK EX200 was released in February 2023, nearly three years before the vulnerability was disclosed. As a result, users cannot rely on an official patch to remediate the issue. In the absence of a fix, CERT/CC recommends several mitigation steps. These include restricting administrative access to trusted networks, preventing unauthorized users from accessing the management interface, and actively monitoring unexpected telnet activity. However, the advisory makes it clear that these measures are temporary protection rather than permanent solutions. CERT/CC ultimately advises users to plan for replacing the TOTOLINK EX200 with a supported and actively maintained model. Given the severity of CVE-2025-65606 and the lack of ongoing vendor support, continued use of the device poses a sustained security risk. Additional metadata associated with CVE-2025-65606 shows that the CVE was made public on January 6, 2026, with the first publication and last update occurring the same day at 14:49 UTC. The document revision is listed as version 1.Critical n8n Vulnerability Allows Arbitrary Command Execution (CVE-2025-68668)
6 January 2026 at 03:31
