Ranked by Signal Strength
Priority Threats
20
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
Recommended Actions
- Immediately identify and update WordPress sites running WP Maps Pro plugin to the latest patched version; check plugin version via WordPress admin panel or wp-content/plugins/wp-maps-pro/readme.txt.
- Block unauthenticated access to the vulnerable endpoint (if known, e.g., /wp-admin/admin-ajax.php?action=wp_maps_pro_create_admin) via web application firewall (WAF) rule or .htaccess/nginx location block.
- Audit WordPress user accounts for recently created administrators and remove any that are unauthorized. WordPress stores roles in the usermeta table, not in wp_users, so join on the wp_capabilities key (adjust the wp_ table prefix to match the installation): SELECT u.ID, u.user_login, u.user_email, u.user_registered FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%' AND u.user_registered > '2026-05-20';
20
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
Recommended Actions
- Check network egress traffic for connections to known botnet C2 IPs from the takedown (e.g., via Dutch NCSC IOCs) using SIEM queries or firewall logs; block traffic to any identified IP ranges.
- Scan internal devices for signs of compromise using the botnet's known malware hashes (if published) with endpoint detection tools like CrowdStrike or Microsoft Defender AV.
- Review and harden IoT device configurations: change default credentials, disable unnecessary services (e.g., Telnet, SSH), and segment IoT networks from critical assets.
20
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Recommended Actions
- Configure npm or Yarn so that internal packages resolve only from a scoped private registry, never from the public one: for example npm config set @myco:registry https://<internal-registry>/ (placeholder URL; the scope must point at the internal registry, not registry.npmjs.org), and commit an .npmrc that requires authentication for that registry (always-auth=true on older npm; newer versions use a per-registry _authToken).
- Deploy egress filtering for npm registry traffic to block downloads from public registries for internal package names; use tools like Sonatype Nexus or JFrog Artifactory as a proxy.
- Monitor build logs for suspicious package installs (e.g., packages with names like 'mycompany-utils' but from public registry) and alert on mismatched hashes.
20
Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.
20
- Research Review Journal: https://assets.contentstack.io/v3/assets/blt83c410d686aa5f84/blt3cff46f63887f83e/research-review-journal and https://www.sans.edu/cyber-research
- Analysis of a Year of Files Uploaded to DShield Sensors: https://isc.sans.edu/diary/Analysis%20of%20a%20Year%20of%20Files%20Uploaded%20to%20DShield%20Sensors/33026
- The Word 'Toad' Gave Any Website Full Control of Chrome's Most Popular VPN: https://amibeingpwned.com/blog/urban-vpn-postmessage-command-injection
- Silent Ransom Group...
Recommended Actions
- Review Chrome extensions for Urban VPN or similar VPN extensions; remove or update to patched versions if vulnerable to postMessage command injection.
- Deploy network monitoring for anomalous outbound connections from developer workstations (e.g., to unknown IPs on port 443) that may indicate VPN compromise.
- Implement Content Security Policy (CSP) headers on internal web apps to limit the impact of cross-site scripting, and have postMessage handlers check event.origin against an explicit allow-list before acting on a message (CSP itself does not restrict which origins can send postMessage events).
20
In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
20
This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.
Recommended Actions
- Patch or update DICOM software (Orthanc server, pydicom, GDCM libraries) to latest versions; check for heap overflow fixes in changelogs.
- Sanitize DICOM file uploads in medical imaging systems: validate file structure with tools like dcmtk's dcm2xml before processing.
- Enable ASLR and stack canaries on systems running DICOM services (e.g., Orthanc on Linux) via compiler flags and system hardening.
20
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Thursday, May 28th, 2026: Akira Ransomware; Vaultjacking; Poisoned Chatbot and Search Results;
Recommended Actions
- Block Akira ransomware indicators: file extensions (.akira), known C2 domains (e.g., via ThreatFox or Abuse.ch), and disable SMBv1 if not needed.
- Enable multi-factor authentication (MFA) on all VPN and remote access accounts (e.g., Cisco AnyConnect, Fortinet VPN) to prevent credential stuffing.
- Monitor for suspicious PsExec or WMI execution from non-admin workstations using Windows Event ID 4688 or Sysmon Event ID 1.
20
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a...
Recommended Actions
- Block traffic to IP ranges associated with the seized hosting providers (e.g., via Dutch police published lists) at network perimeter firewalls.
- Audit external-facing services for connections from known malicious ASNs; use tools like AbuseIPDB or Shodan to scan for open ports.
- Review DNS logs for queries to domains hosted on the seized infrastructure and sinkhole any identified malicious domains.
20
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.
Recommended Actions
- Immediately rotate all AWS IAM keys, especially those in GovCloud, and enable MFA for root and IAM users. Rotation is a three-step process with the AWS CLI: create a replacement with aws iam create-access-key --user-name <user>, move every consumer to the new key, then disable and delete the exposed key with aws iam update-access-key --user-name <user> --access-key-id <old-key-id> --status Inactive followed by aws iam delete-access-key --user-name <user> --access-key-id <old-key-id>.
- Scan GitHub, GitLab, and public repos for leaked credentials using tools like TruffleHog or GitGuardian; revoke any exposed keys or tokens.
- Enforce AWS IAM policies to deny actions from unrecognized IP ranges and require MFA for sensitive API calls.
20
Defending against China-nexus covert networks of compromised devices (executive summary). Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it. Summary: With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: ...
Recommended Actions
- Deploy network segmentation to isolate critical systems from general corporate networks; use VLANs and firewall rules to restrict east-west traffic.
- Implement strict outbound proxy rules to block traffic to known APT C2 domains (e.g., from NCSC-UK advisories) and log all allowed outbound connections.
- Harden endpoints against rootkits: on Windows, enable Defender protections such as Credential Guard and memory integrity (HVCI); on Linux, enforce kernel module signing so unsigned modules cannot be loaded.
20
Advisory at a Glance. Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure. Original Publication: April 7, 2026. Executive Summary: Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several...
Recommended Actions
- Immediately patch or update Rockwell Automation/Allen-Bradley PLC firmware to latest versions; check for advisories on CVE-2023-3595 or similar.
- Block internet access to OT networks: disable port forwarding for TCP/44818 (EtherNet/IP) and UDP/2222 on perimeter firewalls.
- Deploy network monitoring for anomalous Modbus or CIP traffic to/from PLCs using tools like Wireshark with ICS-specific dissectors.
0
CVE-2026-0030
In __host_check_page_state_range of mem_protect.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Recommended Actions
- Apply Android kernel patches for CVE-2026-0030 (mem_protect.c) via vendor security updates; confirm the device's security patch level with getprop ro.build.version.security_patch (the kernel build string in /proc/version does not carry the patch level).
- Restrict direct kernel module loading via sysctl kernel.modules_disabled=1 on affected Android/Linux devices.
- Monitor for unusual dmesg logs indicating memory corruption in host_check_page_state_range.
0
CVE-2026-0029
In __pkvm_init_vm of pkvm.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Recommended Actions
- Update Android kernel to fix CVE-2026-0029 in pkvm.c; require devices to have security patch level >= 2026-06-05.
- Disable hypervisor features (e.g., Android Protected VM / pKVM) if not needed, where the device vendor exposes a setting for doing so.
- Use SELinux policies to restrict access to /dev/kvm and /sys/kernel/debug/pkvm.
0
CVE-2026-0028
In __pkvm_host_share_guest of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Recommended Actions
- Patch Android kernel for CVE-2026-0028 (mem_protect.c integer overflow); verify via kernel version string.
- Enable kernel address space layout randomization (KASLR) and stack protector in kernel build config.
- Audit /proc/self/maps for unexpected shared memory regions on Android devices.
AI Daily Brief
Today's Threat Summary
Today's threat landscape is dominated by software supply chain attacks and critical application vulnerabilities. An active exploit against the WP Maps Pro WordPress plugin allows attackers to create admin accounts silently, while a malicious npm campaign steals data from developer environments. Concurrently, the takedown of a 17-million-device botnet and fallout from major credential leaks at CISA highlight systemic risks in IoT security and credential management.
- Immediately patch or disable the WP Maps Pro WordPress plugin and audit for new admin accounts.
- Configure npm/Yarn to use scoped registries and monitor builds for dependency confusion packages.
- Rotate all cloud IAM keys, enable MFA, and scan public repos for leaked credentials using TruffleHog.
Reference Data — KEV & CVEs
Immediate Attention
Known Exploited Vulns
CVE-2026-0257
Palo Alto Networks · PAN-OS
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
CVE-2026-8398
Daemon · Daemon Tools Lite
Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.
CVE-2026-48027
Nx · Nx Console
Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory.
CVE-2026-45321
TanStack · TanStack
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
CVE-2026-48172
LiteSpeed · cPanel Plugin
LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
CVE-2026-9082
Drupal · Core
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
CVE-2026-34926
Trend Micro · Apex One
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
CVE-2025-34291
Langflow · Langflow
Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.
CVE-2026-45498
Microsoft · Defender
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
CVE-2026-41091
Microsoft · Defender
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2010-0806
Microsoft · Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2010-0249
Microsoft · Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2009-3459
Adobe · Acrobat and Reader
Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
CVE-2009-1537
Microsoft · DirectX
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
CVE-2008-4250
Microsoft · Windows
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
CVE-2026-42897
Microsoft · Exchange Server
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
CVE-2026-20182
Cisco · Catalyst SD-WAN
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
CVE-2026-42208
BerriAI · LiteLLM
BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the credentials it manages.
CVE-2026-6973
Ivanti · Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE-2026-0300
Palo Alto Networks · PAN-OS
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
CVE-2026-31431
Linux · Kernel
Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.
CVE-2026-41940
WebPros · cPanel & WHM and WP2 (WordPress Squared)
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVE-2026-32202
Microsoft · Windows
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2024-1708
ConnectWise · ScreenConnect
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.
CVE-2025-29635
D-Link · DIR-823X
D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2024-7399
Samsung · MagicINFO 9 Server
Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.
CVE-2024-57728
SimpleHelp · SimpleHelp
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
CVE-2024-57726
SimpleHelp · SimpleHelp
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
CVE-2026-39987
Marimo · Marimo
Marimo contains a pre-authorization remote code execution vulnerability that allows an unauthenticated attacker to obtain shell access and execute arbitrary system commands.
CVE-2026-33825
Microsoft · Defender
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-20133
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.
CVE-2026-20128
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
CVE-2026-20122
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
CVE-2025-48700
Synacor · Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.
CVE-2025-32975
Quest · KACE Systems Management Appliance (SMA)
Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.
CVE-2025-2749
Kentico · Kentico Xperience
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
CVE-2024-27199
JetBrains · TeamCity
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
CVE-2023-27351
PaperCut · NG/MF
PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2026-34197
Apache · ActiveMQ
Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.
CVE-2026-32201
Microsoft · SharePoint Server
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2009-0238
Microsoft · Office
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.
CVE-2026-34621
Adobe · Acrobat and Reader
Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.
CVE-2026-21643
Fortinet · FortiClient EMS
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2025-60710
Microsoft · Windows
Microsoft Windows contains a link following vulnerability that allows for privilege escalation.
CVE-2023-36424
Microsoft · Windows
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.
CVE-2023-21529
Microsoft · Exchange Server
Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.
CVE-2020-9715
Adobe · Acrobat
Adobe Acrobat contains a use-after-free vulnerability that allows for code execution.
CVE-2012-1854
Microsoft · Visual Basic for Applications (VBA)
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
CVE-2026-1340
Ivanti · Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
CVE-2026-35616
Fortinet · FortiClient EMS
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Latest CVEs
Top by Severity
CVE-2026-0030
In __host_check_page_state_range of mem_protect.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0029
In __pkvm_init_vm of pkvm.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0028
In __pkvm_host_share_guest of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0027
In smmu_detach_dev of arm-smmu-v3.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0026
In removePermission of PermissionManagerServiceImpl.java, there is a possible way to override any system permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVE-2026-0025
In hasImage of Notification.java, there is a possible way to reveal information across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0024
In isRedactionNeededForOpenViaContentResolver of MediaProvider.java, there is a possible way to reveal the location of media due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0023
In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0021
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0020
In parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a consent dialog to obtain permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Reference Data — Threat Feeds & Actors
Fresh from Feeds
Threat Intel Updates
BleepingComputer
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
The Hacker News
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
BleepingComputer
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
The Hacker News
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Microsoft Security
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Rapid7
More Linux LPEs. Hark, the age of the Linux LPE has arrived. This week's release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module. New module content (5): Citrix ADC (NetScaler)...
Rapid7
Overview: On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers, however we did not...
Microsoft Security
Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.
SANS ISC
- Research Review Journal: https://assets.contentstack.io/v3/assets/blt83c410d686aa5f84/blt3cff46f63887f83e/research-review-journal and https://www.sans.edu/cyber-research
- Analysis of a Year of Files Uploaded to DShield Sensors: https://isc.sans.edu/diary/Analysis%20of%20a%20Year%20of%20Files%20Uploaded%20to%20DShield%20Sensors/33026
- The Word 'Toad' Gave Any Website Full Control of Chrome's Most Popular VPN: https://amibeingpwned.com/blog/urban-vpn-postmessage-command-injection
- Silent Ransom Group...
Cisco Talos
In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
Cisco Talos
This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.
SANS ISC
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Thursday, May 28th, 2026: Akira Ransomware; Vaultjacking; Poisoned Chatbot and Search Results;
KrebsOnSecurity
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a...
Read full story →
KrebsOnSecurity
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.
Read full story →
CISA Alerts
Defending against China-nexus covert networks of compromised devices
Executive summary: Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it.
Summary: With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: ...
Read full story →
CISA Alerts
Advisory at a Glance
Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Original Publication: April 7, 2026
Executive Summary: Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several...
Read full story →
Activity Pulse
Threat Actor Mentions
Storm-1567 (2 mentions)
Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Wi
Luna Moth (2 mentions)
Luna Moth conducts high-tempo callback phishing campaigns targeting legal and financial organizations in the U.S., using social engineering to lure victims into calling fake helpdesk numbers. Attacker
Dark Web Pulse
OTX Threat Pulses
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threa
View pulse →
Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, whi
View pulse →
Sapphire Sleet Targets macOS
We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff / UNC1069). The campaign specifically targets macOS environments within high-value financial sectors, including venture capital firms, Web
View pulse →
Typosquatted npm packages used to steal cloud and CI/CD secrets
A supply chain attack targeting the npm ecosystem was identified involving 14 malicious packages published under the alias vpmdhaj. These packages typosquat well-known OpenSearch, ElasticSearch, and DevOps libraries, executing malicious payloads through npm lifecycle hooks during installation. The a
View pulse →
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitio
View pulse →
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push mali
View pulse →
A miner with a side of RAT: the unintended gift with your TV show or book
A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate exec
View pulse →
A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (
View pulse →
Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character c
View pulse →
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across
View pulse →