Ranked by Signal Strength
Priority Threats
20
CVE-2026-3136
An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed.
Recommended Actions
- Verify Google Cloud Build service is updated to version dated after 2026-01-26. No manual patching is required as per vendor statement.
- Audit Cloud Build triggers and service accounts to ensure least privilege, especially for triggers activated by comments.
- Review Cloud Build logs for any unusual build activity or unexpected code execution prior to the patch date.
20
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
Recommended Actions
- Identify and inventory all WordPress installations using the 'WP Maps Pro' plugin via a web application scanner or asset management system.
- Immediately update WP Maps Pro plugin to the latest patched version or disable/remove it if not in use.
- Search WordPress user tables and audit logs for recently created administrator accounts, especially with unusual usernames or creation times.
20
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
Recommended Actions
- Check network egress traffic for connections to known C2 IPs/domains associated with the dismantled botnet (obtain IOCs from NCSC-NL or abuse.ch).
- Review and update IoT device inventory; enforce network segmentation for IoT devices to limit lateral movement.
- Scan internal networks for devices with default or weak credentials using tools like Nmap or Nessus.
20
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Recommended Actions
- Enforce npm registry scoping and use `.npmrc` files with `@myscope:registry` settings to prevent public package hijacking.
- Deploy egress filtering for npm installs from build servers to block connections to unexpected registries.
- Scan development and CI/CD environments for the 33 malicious npm packages (e.g., using `npm audit` or `npm ls`) and remove them.
20
Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.
20
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Friday, May 29th, 2026: @sans_edu research; Honeypot Log; VPN “Toad”; Silent Ransom Group
20
In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
20
This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.
Recommended Actions
- If using Orthanc, Pydicom, or GDCM libraries, update to latest versions and test with malformed DICOM files for heap overflow resilience.
- Implement strict input validation and memory-safe parsing for any custom DICOM processing applications.
- Deploy endpoint detection (EDR) with heap protection (e.g., Microsoft Defender ASR, CrowdStrike Overwatch) on systems processing medical imaging data.
20
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a...
Recommended Actions
- Block network traffic to/from IP ranges associated with the seized hosting providers (e.g., Stark Industries Solutions infrastructure).
- Review any third-party hosting contracts and assess provider security practices, especially for EU-based critical services.
- Monitor for indicators of compromise (IOCs) related to Russian cyberattacks and disinformation campaigns targeting your organization.
20
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.
Recommended Actions
- Immediately rotate all AWS GovCloud and AWS credentials, especially those used by contractors or in CI/CD pipelines.
- Scan public code repositories (GitHub, GitLab) for exposed secrets belonging to your organization using tools like TruffleHog or GitGuardian.
- Enforce mandatory use of secret management systems (AWS Secrets Manager, HashiCorp Vault) and block hardcoded credentials in code.
20
Defending against China-nexus covert networks of compromised devices. Executive summary: Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it. Summary: With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: ...
Recommended Actions
- Implement network segmentation and micro-segmentation to limit lateral movement of compromised devices.
- Deploy endpoint detection and response (EDR) with behavioral analysis to identify covert C2 channels (e.g., anomalous DNS, HTTPS beaconing).
- Apply NCSC-UK advisory mitigations for China-nexus TTPs, including strict outbound proxy rules and monitoring for compromised infrastructure.
20
Advisory at a Glance. Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure. Original Publication: April 7, 2026. Executive Summary: Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several...
Recommended Actions
- Immediately isolate Rockwell Automation/Allen-Bradley PLCs from the internet; place behind firewalls with strict ingress/egress rules.
- Update PLC firmware to latest versions and disable unused services (e.g., web servers, FTP) on OT devices.
- Monitor network traffic to PLCs for anomalous commands or connections using OT-aware IDS/IPS (e.g., Claroty, Nozomi Networks).
0
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
Recommended Actions
- Update DOMPurify to version 3.2.7 or later. For version 2.x, migrate to version 3.x as 2.x is unpatched.
- If using DOMPurify with user input in `<textarea>` contexts, sanitize attribute values separately or implement additional output encoding.
- Test XSS protections by attempting to inject `</textarea>` payloads into attribute fields that are processed by DOMPurify.
0
CVE-2023-31044
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software.
Recommended Actions
- Update Nokia Impact to Mobile 23_FP1 or later to patch the CSV injection vulnerability.
- Implement input validation on the 'Campaign Name' field to block characters used in CSV injection (e.g., `=`, `+`, `-`, `@`).
- Configure spreadsheet software (e.g., Microsoft Excel) to disable automatic execution of formulas when opening CSV files from external sources.
0
CVE-2021-35486
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated.
Recommended Actions
- Update Nokia Impact to a version beyond 19.11.2.10-20210118042150283.
- Ensure the `X-CSRF-NONCE` HTTP header and `CSRF-NONCE` cookie are properly validated on all POST/PUT/DELETE requests to `/ui/rest-proxy/entity/import`.
- Implement CSRF tokens and same-site cookie policies for all authenticated sessions.
AI Daily Brief
Today's Threat Summary
Software supply chain attacks are the top priority, with malicious npm packages harvesting developer data and a critical Google Cloud Build flaw (CVE-2026-3136) allowing remote code execution. Concurrently, a massive Dutch botnet takedown highlights IoT risks, and the WP Maps Pro WordPress plugin is being exploited to create backdoor admin accounts.
- Scan all dev/CI environments for the 33 malicious npm packages using `npm audit` and enforce npm registry scoping.
- Audit Google Cloud Build triggers and logs for anomalous activity related to CVE-2026-3136 and enforce least-privilege service accounts.
- Inventory and immediately patch or remove the vulnerable WP Maps Pro WordPress plugin; search for rogue admin accounts.
Reference Data — KEV & CVEs
Immediate Attention
Known Exploited Vulns
CVE-2026-0257
Palo Alto Networks · PAN-OS
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
CVE-2026-8398
Daemon · Daemon Tools Lite
Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.
CVE-2026-48027
Nx · Nx Console
Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory.
CVE-2026-45321
TanStack · TanStack
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry, distributing credential-stealing malware under a trusted identity.
CVE-2026-48172
LiteSpeed · cPanel Plugin
LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
CVE-2026-9082
Drupal · Core
Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API.
CVE-2026-34926
Trend Micro · Apex One
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
CVE-2025-34291
Langflow · Langflow
Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.
CVE-2026-45498
Microsoft · Defender
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
CVE-2026-41091
Microsoft · Defender
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2010-0806
Microsoft · Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2010-0249
Microsoft · Internet Explorer
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2009-3459
Adobe · Acrobat and Reader
Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
CVE-2009-1537
Microsoft · DirectX
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
CVE-2008-4250
Microsoft · Windows
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
CVE-2026-42897
Microsoft · Exchange Server
Microsoft Exchange Server contains a cross-site scripting vulnerability in web page generation in Outlook Web Access; when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
CVE-2026-20182
Cisco · Catalyst SD-WAN
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
CVE-2026-42208
BerriAI · LiteLLM
BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorized access to the proxy and the credentials it manages.
CVE-2026-6973
Ivanti · Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE-2026-0300
Palo Alto Networks · PAN-OS
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
CVE-2026-31431
Linux · Kernel
Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.
CVE-2026-41940
WebPros · cPanel & WHM and WP2 (WordPress Squared)
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CVE-2026-32202
Microsoft · Windows
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2024-1708
ConnectWise · ScreenConnect
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.
CVE-2025-29635
D-Link · DIR-823X
D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2024-7399
Samsung · MagicINFO 9 Server
Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.
CVE-2024-57728
SimpleHelp · SimpleHelp
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
CVE-2024-57726
SimpleHelp · SimpleHelp
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
CVE-2026-39987
Marimo · Marimo
Marimo contains a pre-authorization remote code execution vulnerability, allowing an unauthenticated attacker to gain shell access and execute arbitrary system commands.
CVE-2026-33825
Microsoft · Defender
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-20133
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.
CVE-2026-20128
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains a vulnerability in which passwords are stored in a recoverable format, allowing an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
CVE-2026-20122
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
CVE-2025-48700
Synacor · Zimbra Collaboration Suite (ZCS)
Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.
CVE-2025-32975
Quest · KACE Systems Management Appliance (SMA)
Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.
CVE-2025-2749
Kentico · Kentico Xperience
Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
CVE-2024-27199
JetBrains · TeamCity
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
CVE-2023-27351
PaperCut · NG/MF
PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2026-34197
Apache · ActiveMQ
Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.
CVE-2026-32201
Microsoft · SharePoint Server
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2009-0238
Microsoft · Office
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.
CVE-2026-34621
Adobe · Acrobat and Reader
Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.
CVE-2026-21643
Fortinet · FortiClient EMS
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2025-60710
Microsoft · Windows
Microsoft Windows contains a link following vulnerability that allows for privilege escalation.
CVE-2023-36424
Microsoft · Windows
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.
CVE-2023-21529
Microsoft · Exchange Server
Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.
CVE-2020-9715
Adobe · Acrobat
Adobe Acrobat contains a use-after-free vulnerability that allows for code execution.
CVE-2012-1854
Microsoft · Visual Basic for Applications (VBA)
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
CVE-2026-1340
Ivanti · Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
CVE-2026-35616
Fortinet · FortiClient EMS
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Latest CVEs
Top by Severity
CVE-2025-15599
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
CVE-2023-31044
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may attempt data exfiltration or other malicious activity when automatically executed by the spreadsheet software.
CVE-2021-35486
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie is validated.
CVE-2021-35485
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one.
CVE-2021-35484
Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.
CVE-2021-35483
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during the editing of an existing one. If an authenticated user visits the web page where the file is published, the JavaScript code is executed.
CVE-2026-3136
An improper authorization vulnerability in GitHub Trigger Comment Control in Google Cloud Build prior to 2026-1-26 allows a remote attacker to execute arbitrary code in the build environment. This vulnerability was patched on 26 January 2026, and no customer action is needed.
CVE-2026-26886
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /admin/services/manage_service.php.
CVE-2026-26885
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /classes/Master.php?f=delete_service.
CVE-2026-26884
Sourcecodester Online Men's Salon Management System v1.0 is vulnerable to SQL Injection in /msms/admin/appointments/view_appointment.php.
Reference Data — Threat Feeds & Actors
Fresh from Feeds
Threat Intel Updates
SANS ISC
- Announcing Bitskrieg https://deadeclipse666.blogspot.com/2026/05/announcing-bitskrieg.html
- Vulnerability in Gogs https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
- Oracle Critical Security Patch Update Advisory - May 2026 https://www.oracle.com/security-alerts/cspumay2026.html
- GlobalProtect Authentication Bypass Vulnerabilities CVE-2026-0257 https://security.paloaltonetworks.com/CVE-2026-0257
BleepingComputer
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
The Hacker News
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
BleepingComputer
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
The Hacker News
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Microsoft Security
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Rapid7
More Linux LPEs. Hark, the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs, and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module. New module content (5): Citrix ADC (NetScaler)...
Rapid7
Overview. On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers; however, we did not...
Microsoft Security
Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.
SANS ISC
Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Friday, May 29th, 2026: @sans_edu research; Honeypot Log; VPN “Toad”; Silent Ransom Group
Cisco Talos
In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
Cisco Talos
This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format.
KrebsOnSecurity
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a...
KrebsOnSecurity
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.
CISA Alerts
Defending against China-nexus covert networks of compromised devices. Executive summary: Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it. Summary: With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: ...
Read full story →
CISA Alerts
Advisory at a Glance. Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure. Original Publication: April 7, 2026. Executive Summary: Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several...
Read full story →
Activity Pulse
Threat Actor Mentions
Luna Moth
2
Luna Moth conducts high-tempo callback phishing campaigns targeting legal and financial organizations in the U.S., using social engineering to lure victims into calling fake helpdesk numbers.
Attacker
Dark Web Pulse
OTX Threat Pulses
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threa
View pulse →
Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
SideCopy APT, a Pakistan-linked threat group under the Transparent Tribe umbrella, executed a targeted spear phishing campaign against Afghanistan's Ministry of Finance and provincial revenue directorates. The attack begins with a Pashto-language LNK file disguised as a staff directory document, whi
View pulse →
Sapphire Sleet Targets macOS
We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet (also tracked as BlueNoroff / UNC1069). The campaign specifically targets macOS environments within high-value financial sectors, including venture capital firms, Web
View pulse →
Typosquatted npm packages used to steal cloud and CI/CD secrets
A supply chain attack targeting the npm ecosystem was identified involving 14 malicious packages published under the alias vpmdhaj. These packages typosquat well-known OpenSearch, ElasticSearch, and DevOps libraries, executing malicious payloads through npm lifecycle hooks during installation. The a
View pulse →
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitio
View pulse →
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push mali
View pulse →
A miner with a side of RAT: the unintended gift with your TV show or book
A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate exec
View pulse →
A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (
View pulse →
Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
A coordinated smishing operation spanning 19 countries across Europe, the Americas, and the Caucasus has been exposed, originating from fraudulent SMS messages impersonating Romania's government payment portal Ghișeul.ro. Investigation revealed 1,628 malicious URLs linked by a single 128-character c
View pulse →
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Researchers uncovered a massive fraud ecosystem targeting the 2026 FIFA World Cup, identifying over 4,300 fraudulent domains impersonating FIFA's official website since August 2025. At the center operates GHOST STADIUM, a Chinese-speaking threat actor running a sophisticated phishing campaign across
View pulse →