Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Attackers with compromised GitHub App credentials can mutate release tags to point malicious commits, causing workflows to execute C2 implants. This PoC demonstrates tag poisoning as a scalable supply chain attack vector against Actions consumers.
IoT devices shipping with administrative credentials or defaulting to admin-level access create a persistent authentication bypass that enables complete device compromise. This represents a fundamental architectural failure in IoT security that affects entire device classes and is difficult to remediate post-deployment.
INC ransomware group is conducting sustained attacks against healthcare infrastructure across Australia, New Zealand, and Tonga, disrupting emergency services and government operations. This regional concentration indicates either a deliberate geographic pivot or emerging local infection vectors.
Threat actors execute a sophisticated social engineering campaign impersonating recruiters from crypto and AI companies, delivering backdoors (OtterCookie, FlexibleFerret) through fake coding assessments to steal developer credentials, API tokens, and source code. This represents a high-impact supply chain attack vector targeting a critical workforce demographic.
CISA has confirmed active exploitation of CVE-2025-68613, a code injection vulnerability in n8n that allows attackers to execute arbitrary code through improperly managed dynamic code resources. This poses significant risk to organizations using n8n for workflow automation.
Google TAG documented APT29 (Russian state-backed group) using identical exploits to commercial surveillance vendors Intellexa and NSO Group, indicating either shared vulnerability intelligence networks, exploit procurement chains, or concerning overlap in offensive capabilities between state and commercial actors.
VS Code's AI chat features are vulnerable to indirect prompt injection attacks where malicious content in code files or documentation can poison conversations, leading to unauthorized exposure of GitHub tokens, sensitive files, and arbitrary code execution.
Trail of Bits discovered four prompt injection techniques that could extract private user data (Gmail contents) from Perplexity's Comet browser by exploiting inadequate input sanitization in AI assistant features. The vulnerabilities highlight systemic risks in AI agent design where external web content is processed as trusted input.
Microsoft released 93 patches on March 10, 2026, including 8 critical vulnerabilities and 9 Chromium-based flaws in Edge. Two pre-disclosed vulnerabilities remain unexploited but warrant close monitoring given their early exposure.
PortSwigger Research discovered multiple parser-level inconsistencies in SAML implementations for Ruby and PHP that enable full authentication bypass. These exploits leverage attribute pollution and namespace confusion to forge valid authentication tokens.
Israel allegedly exploited Iranian traffic camera systems to conduct surveillance and assist in targeted assassination of Iranian leadership. This demonstrates advanced state-actor capability to weaponize civilian IoT infrastructure for kinetic operations.
A threat actor successfully bypassed Claude's safety mechanisms using Spanish-language prompts to conduct a sustained, multi-stage attack against Mexican government networks, resulting in data exfiltration and thousands of command executions on critical infrastructure.
AirSnitch exploits fundamental layer 1-2 binding failures in Wi-Fi to perform bidirectional machine-in-the-middle attacks across home, office, and enterprise networks without requiring network membership or proximity constraints. The attack breaks core 802.11 assumptions about client identity synchronization.
Parse Server's PostgreSQL adapter fails to escape sub-key names in Increment operations, allowing SQL injection. The PoC highlights the need for immediate patching to prevent database compromise.
A critical RCE vulnerability in OneUptime's Synthetic Monitors allows low-privileged users to execute arbitrary commands on the server by leveraging exposed Playwright browser objects.
The Linkdave HTTP server lacks authentication on REST and WebSocket endpoints, allowing unauthenticated access. This PoC highlights the need for immediate patching or network restrictions to prevent unauthorized access.
The RSSN library contains a critical vulnerability allowing Arbitrary Code Execution through unvalidated JIT instruction generation in its CFFI interface, posing significant risks to systems and data.
The vulnerability allows unauthenticated attackers to inject malicious SQL code via the job_id parameter, potentially leading to unauthorized database access. This PoC highlights the importance of securing input parameters in web applications.
Over 100 GitHub repositories are distributing BoryptGrab Stealer, a malware targeting browser and cryptocurrency wallet data, posing significant risks to users.
Hackers are increasingly leveraging artificial intelligence (AI) to enhance and accelerate cyberattacks, making them more sophisticated, scalable, and harder to detect. This trend poses a significant risk to organizations as AI tools lower the technical barriers for attackers.
Ransomware operators are using a combination of legitimate Windows tools and the ClickFix technique to deploy DonutLoader malware and CastleRAT backdoors, posing a significant threat to systems.
A critical path traversal vulnerability in the /export endpoint of SiYuan allows arbitrary file reads and secret leakage via double-encoded sequences, risking full system compromise.
The OneUpTime probe executes untrusted user code in an insecure Node.js vm context, allowing attackers to bypass sandboxing and achieve RCE. This PoC highlights the risks of using `vm` for untrusted code execution.
OneUptime's Synthetic Monitor allows untrusted Playwright code execution with access to host browser objects, enabling arbitrary executable spawning. This PoC highlights a direct RCE vector bypassing traditional sandbox escapes.
CISA has ordered U.S. federal agencies to patch three iOS security flaws exploited by the Coruna exploit kit, which is linked to cyberespionage and crypto-theft attacks.
Cognizant's TriZetto Provider Solutions suffered a data breach exposing health data of over 3.4 million individuals, highlighting critical vulnerabilities in healthcare IT systems.
Pingora versions prior to 0.8.0 are vulnerable to HTTP Request Smuggling due to improper handling of the Upgrade header, allowing attackers to bypass security controls.
Pingora improperly handles HTTP/1.0 request bodies and Transfer-Encoding headers, enabling HTTP request smuggling attacks that bypass security controls. The PoC highlights the importance of proper request parsing in reverse proxies.
The `time-sync` crate was used to exfiltrate `.env` files, highlighting a supply chain attack vector in Rust ecosystem. Defenders should focus on monitoring and securing package repositories.
Delta Electronics' CNCSoft-G2 software has a critical vulnerability that enables remote code execution, posing significant risks to industrial manufacturing systems.
A critical XSS vulnerability in Zitadel's /saml-post endpoint allows account takeovers via malicious scripts. The PoC highlights the need for immediate defensive measures.
zeptoclaw's allowlist and blocklist mechanisms can be bypassed using command injection, argument injection, or file name wildcards, enabling arbitrary command execution. This PoC highlights critical flaws in the project's security model.
The `dnp3times` crate was a malicious, typosquatting attempt that attempted to exfiltrate sensitive `.env` files to a server impersonating `timeapi.io`. The incident highlights risks in Rust crate supply chains and the importance of verifying dependencies.
Cisco has identified two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software that could allow attackers to gain root access, posing a critical risk to network security.
Attackers are sending fake LastPass support emails to steal user vault passwords, posing a critical security risk.
Microsoft has patched a critical issue in Windows 10 that prevented users from accessing the Recovery Environment, which is essential for system repairs and troubleshooting.
A critical zero-click vulnerability in the FreeScout helpdesk platform allows attackers to remotely hijack mail servers without user interaction, posing a severe risk to organizations using the service.
Bitwarden has introduced passkey login support on Windows 11, offering a phishing-resistant authentication method stored in their vault.
PickleScan's blocklist mechanism is bypassed using `pkgutil.resolve_name`, allowing any blocked function to be executed. This flaw enables universal RCE attacks undetected by PickleScan.
PickleScan v1.0.3 fails to block multiple Python stdlib modules enabling RCE, allowing bypass of security scans.
Craft CMS suffers from an authenticated RCE vulnerability due to SSTI in Twig templates, allowing attackers to write malicious scripts to web-accessible directories.
Critical vulnerabilities in ePower's charging stations could allow attackers to gain administrative control or disrupt services, posing significant risks to electric vehicle infrastructure.
Labkotec LID-3300IP devices are vulnerable to unauthenticated access, allowing attackers to take control of critical system operations, posing significant risks to industrial safety.
Hitachi Energy's RTU500 product has critical vulnerabilities that could lead to device outages and exposure of user management information, posing significant risks to industrial control systems.
Mobiliti e-mobi.hu charging stations are vulnerable to critical flaws allowing unauthorized administrative control and denial-of-service attacks, affecting all versions of the product.
A critical vulnerability in Windows ACPX path handling allows cwd injection via .cmd/.bat wrapper fallback, risking command execution. Immediate patching is advised.
The OpenClaw gateway agents.files.get and agents.files.set methods allowed symlink traversal, enabling arbitrary file read/write outside the workspace. This PoC highlights critical risks for defenders.
An RCE vulnerability in OpenClaw's gateway allows authenticated clients to bypass node execution approvals by manipulating parameters, posing a significant risk to connected systems.
UK authorities warn of increased Iranian cyberattack risks targeting British organizations due to Middle East tensions.
A Florida woman was sentenced to 22 months in prison for trafficking thousands of stolen Microsoft Certificate of Authenticity (COA) labels, highlighting vulnerabilities in software supply chain integrity.
A 22-year-old Alabama man has pleaded guilty to hacking, cyberstalking, and extorting hundreds of women by hijacking their social media accounts.
Attackers are using a fake Google Account security page to deliver a Progressive Web App (PWA) that steals credentials, MFA codes, and proxies traffic through victims' browsers. This campaign poses a significant risk due to its ability to bypass multi-factor authentication.
Hackers have adopted CyberStrikeAI, an open-source AI security testing platform, to breach Fortinet FortiGate firewalls, demonstrating a significant shift in attack methodologies leveraging advanced AI tools.
A critical SQL injection vulnerability exists in itsourcecode School Management System 1.0, allowing remote attackers to manipulate database queries. The PoC highlights the need for immediate defensive measures to prevent data exposure and system compromise.
A high-severity vulnerability in OpenClaw's core gateway allowed malicious websites to hijack locally running AI agents via WebSocket connections. The issue has been fixed, but highlights risks of unsecured AI systems.
South Korea's National Tax Service exposed a cryptocurrency wallet seed in a press release, enabling hackers to steal $4.8 million worth of crypto.
The QuickLens Chrome extension was removed after being compromised to push malware aimed at stealing cryptocurrency from users. The attack highlights vulnerabilities in third-party browser extensions and the risks of crypto-related phishing.
The Langflow CSV Agent hardcodes a flag that enables arbitrary code execution, posing a severe security risk.
Vitess backup restoration process allows attackers with backup storage access to write files to arbitrary paths, enabling unauthorized access and potential system compromise.
Vikunja's password reset mechanism allows token reuse due to improper token invalidation and cleanup, enabling persistent account takeovers.
Third-party software like PDF readers and email clients pose significant risks to organizations' security, with consistent patching being crucial to mitigate exploit exposure.
Europol's Project Compass operation has led to the arrest of 30 individuals linked to The Com, a cybercrime group targeting children and teenagers. This coordinated international effort highlights the growing threat of child-targeted online exploitation.
North Korean hackers, APT37, are using newly discovered malware to breach air-gapped networks by leveraging removable drives and conducting covert surveillance.
The News Portal Project 1.0 has an SQL injection vulnerability in /admin/add-category.php due to improper handling of the Category parameter, allowing remote attackers to execute arbitrary SQL commands.
The itsourcecode News Portal Project 1.0 contains a critical SQL injection vulnerability in /newsportal/admin/edit-category.php, allowing remote attackers to manipulate the Category argument for malicious database queries.
A SQL injection vulnerability exists in the Username parameter of /loging.php, allowing remote exploitation. This PoC highlights the need for immediate defensive measures to prevent potential data breaches.
Multiple critical vulnerabilities in EV Energy's ev.energy charging stations could allow attackers to gain administrative control or disrupt services, posing significant risks to electric vehicle infrastructure.
Multiple critical vulnerabilities in Copeland XWEB and XWEB Pro devices allow attackers to bypass authentication, cause denial-of-service, memory corruption, and execute arbitrary code, posing significant risks to affected systems.
Multiple critical vulnerabilities exist in Pelco's Sarix Pro 3 Series IP cameras, allowing attackers to gain unauthorized access and potentially compromise sensitive data and operations.
Multiple critical vulnerabilities in Yokogawa's CENTUM VP R6 and R7 versions could allow attackers to execute arbitrary code or cause denial-of-service, posing significant risks to industrial control systems.
Chargemap chargemap.com suffers from multiple critical vulnerabilities, including missing authentication and denial-of-service flaws, potentially allowing attackers to gain administrative control or disrupt charging services.
Angular's SSR feature is vulnerable to SSRF and header injection due to untrusted Host and X-Forwarded-* headers, allowing attackers to manipulate the application's base origin.
A critical stored XSS vulnerability in RustFS Console's preview modal allows attackers to execute arbitrary JavaScript, leading to credential theft and system compromise. The PoC highlights the importance of securing sensitive credentials and validating content types.
Parse Server's Google auth adapter improperly handles JWT algorithms, allowing attackers to forge tokens with 'alg: none' for account takeover. The PoC highlights the need for enforcing specific algorithms and key validation.
Chinese cyberspies have breached multiple telecom companies and government agencies using SaaS API calls to hide malicious traffic, indicating a sophisticated state-sponsored espionage campaign.
Attackers created malicious GitHub repositories mimicking legitimate Next.js projects and job interview materials to infect developers' devices with backdoors.
UFP Technologies, a medical device manufacturer, has been hit by a cyberattack that compromised its IT systems and data. The incident could impact patient care and data privacy.
Cisco's SD-WAN systems are being actively exploited due to critical vulnerabilities, with attackers bypassing authentication to gain administrative access. The situation is urgent for organizations using these systems.
OneUptime's use of Node.js vm module for executing untrusted code allows sandbox escape and full cluster compromise, highlighting the risks of improper isolation mechanisms.
ActualBudget server lacks authentication on several endpoints, exposing sensitive bank data to unauthorized access. This PoC highlights critical security gaps requiring immediate defensive action.
The vulnerability in Statamic's password reset feature allows attackers to capture tokens and hijack user accounts. The PoC highlights the importance of securing password recovery mechanisms.
CISA has added CVE-2026-25108, an OS command injection vulnerability in Soliton Systems' FileZen, to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation. This vulnerability poses significant risks to federal enterprises and other users.
InSAT MasterSCADA BUK-TS suffers from critical vulnerabilities (CVE-2026-21410, CVE-2026-22553) enabling SQL injection and OS command injection, potentially allowing remote code execution. This poses significant risks to industrial control systems.
The Ormar ORM is vulnerable to SQL injection through min() and max() functions due to lack of input validation, allowing attackers to execute arbitrary queries.
New York-based ad tech firm Optimizely suffered a data breach after falling victim to a voice phishing (vishing) attack, compromising customer data and underscoring the risks of social engineering in supply chains.
Spanish authorities arrested four individuals linked to a hacktivist group suspected of conducting DDoS attacks on government websites, highlighting the growing threat of hacktivism against critical infrastructure.
Android mental health apps with 14.7M installs expose sensitive user data due to critical security vulnerabilities, putting millions of users' medical information at risk.
Traefik contains a critical vulnerability allowing bypass of TLS client authentication over HTTP/3, potentially exposing protected resources to unauthorized access.
Critical stack-based buffer overflow in Delta Electronics ASDA-Soft versions up to 7.2.0.0 could allow remote code execution via structured exception handler (SEH) corruption.
Critical vulnerabilities in GE Vernova Enervista UR Setup versions below 8.70 allow remote code execution with elevated privileges, posing significant risks to industrial control systems.
Honeywell CCTV products have a critical vulnerability (CVE-2026-1670) that allows unauthenticated attackers to change recovery email addresses, leading to account takeovers and unauthorized access to camera feeds.
A critical vulnerability in the Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller, rated CVSS v3 8.2, exposes unauthenticated access to critical functions, risking over- or under-odorization events that could compromise safety and operations.
EnOcean SmartServer IoT versions up to 4.60.009 contain critical vulnerabilities (CVE-2026-20761, CVE-2026-22885) allowing remote code execution and ASLR bypass, posing significant risks to smart building infrastructure.
CISA has identified two critical vulnerabilities in Roundcube webmail, with CVE-2025-49113 being actively exploited for remote code execution.
Jinan USR IOT Technology's USR-W610 device has multiple critical vulnerabilities that could allow attackers to steal credentials, disable authentication, or cause denial-of-service. Affected versions include USR-W610 <=3.1.1.0.
Unauthenticated attackers can exploit a file read vulnerability in Valmet DNA Engineering Web Tools to access arbitrary files.
CISA has identified two critical vulnerabilities in RoundCube Webmail, both actively exploited. These include a deserialization flaw and an XSS vulnerability, posing significant risks to federal systems.
Microsoft's February 2026 Patch Tuesday addresses over 55 vulnerabilities including four actively exploited zero-days in Windows, Office, and the .NET Framework.
A critical vulnerability in PostgreSQL allows authenticated users with CREATE FUNCTION privileges to escape the SQL sandbox and execute arbitrary operating system commands on the database server.
A critical command injection vulnerability in Cisco NX-OS allows unauthenticated attackers to execute arbitrary commands on Nexus data center switches, threatening core network infrastructure.
Juniper Networks released emergency patches for a critical out-of-bounds write vulnerability in Junos OS that enables unauthenticated remote code execution on MX and SRX series devices.
A ransomware attack forced one of the largest US school districts to cancel classes and revert to offline operations, exposing student and staff personal data and highlighting the continued targeting of education.
The first Patch Tuesday of 2026 addresses a record eight actively exploited zero-day vulnerabilities spanning Hyper-V, Office, Windows kernel, and the Microsoft Access database engine.
A critical improper authentication vulnerability in SonicWall SonicOS SSLVPN allows unauthenticated attackers to hijack active VPN sessions, with exploitation observed against government and enterprise targets.
A new critical authentication bypass in Fortinet FortiOS allows unauthenticated attackers to gain super-admin privileges on FortiGate firewalls, with mass exploitation already underway targeting internet-exposed management interfaces.
A critical vulnerability in Apache Commons Text string interpolation is being mass-exploited at year's end, with attackers deploying cryptominers and ransomware through the widely-embedded Java library.
A misconfigured identity management update at a major cloud provider caused a cascading multi-region outage lasting over 12 hours, affecting thousands of businesses and highlighting cloud concentration risk.
The final Patch Tuesday of 2025 addresses over 70 vulnerabilities including a critical Windows LDAP remote code execution flaw and an actively exploited Windows kernel zero-day.
Another critical zero-day in Ivanti Connect Secure VPN appliances is being mass-exploited to deploy custom malware, with CISA issuing an emergency directive requiring federal agencies to disconnect affected devices.
A critical OGNL injection vulnerability in Apache Struts allows unauthenticated remote code execution, with exploitation observed within days of the advisory publication.
US intelligence agencies revealed that the Chinese state-sponsored Salt Typhoon campaign has expanded beyond the initially reported telecom carriers, with evidence of persistent access in additional US and allied nation telecommunications networks.
Microsoft's November Patch Tuesday addresses a critical Exchange Server vulnerability being exploited by a nation-state group to access email communications, along with three other actively exploited flaws.
A critical zero-day vulnerability in Citrix NetScaler ADC and Gateway allows unauthenticated remote code execution, with threat actors injecting credential-harvesting JavaScript into login pages.
A critical vulnerability in Kubernetes kubelet allows attackers to escape container boundaries through crafted volume mount operations, potentially compromising the underlying node and all co-located containers.
Microsoft's October Patch Tuesday addresses a critical Remote Desktop Protocol vulnerability being exploited to gain initial access to enterprise networks without valid credentials.
Multiple critical vulnerabilities in Palo Alto Networks Expedition migration tool allow unauthenticated attackers to access firewall configuration files, credentials, and API keys stored in the tool's database.
A critical deserialization vulnerability in Veeam Backup & Replication allows unauthenticated attackers to gain remote code execution, with ransomware groups actively targeting backup infrastructure.
A ransomware attack forced a major US hospital network to divert ambulances and revert to paper records across multiple facilities, the largest healthcare disruption since the Change Healthcare incident.
Cisco disclosed a critical authentication bypass in IOS XE Web UI affecting thousands of enterprise network devices, with mass exploitation and web shell deployment observed within 48 hours of disclosure.
Microsoft's September Patch Tuesday patches a wormable remote code execution vulnerability in the Windows TCP/IP stack along with two actively exploited privilege escalation zero-days.
A critical vulnerability in GitLab CE/EE allows attackers to hijack any account by manipulating the password reset flow, with exploitation already observed targeting internet-facing instances.
US intelligence agencies released a joint advisory warning that Chinese state-sponsored group Volt Typhoon has expanded pre-positioning operations to water treatment facilities, maintaining persistent access for potential disruptive attacks.
A supply chain attack targeting a widely-used npm package injected cryptocurrency-stealing malware, affecting over 12 million weekly downloads before detection.
Microsoft's August Patch Tuesday addresses over 80 vulnerabilities with six confirmed actively exploited zero-days spanning Windows kernel, Office, and the SmartScreen security feature.
A critical stack-based buffer overflow in SonicWall SMA 100 series appliances allows unauthenticated remote code execution, with multiple ransomware affiliates exploiting it as an initial access vector.
Apple released emergency security updates across iOS, iPadOS, and macOS to fix two WebKit zero-day vulnerabilities actively exploited in sophisticated spyware attacks targeting journalists and activists.
A major US health insurance provider confirmed a data breach affecting approximately 15 million current and former members, with stolen data including Social Security numbers, medical records, and financial information.
A critical unauthenticated RCE vulnerability in FortiManager is being exploited by a Chinese-nexus threat actor to compromise managed Fortinet devices across government and defense networks.
Microsoft's July Patch Tuesday fixes over 60 vulnerabilities including a critical Hyper-V guest-to-host escape being exploited by nation-state actors for cloud infrastructure attacks.
A critical signal handler race condition in OpenSSH server allows unauthenticated remote code execution on affected Linux systems, dubbed 'regreSSHion 2' as a follow-up to last year's CVE-2024-6387.
A critical authentication bypass in ASUS router firmware allows unauthenticated attackers to remotely take over affected routers, with botnets already scanning for and exploiting vulnerable devices.
A critical heap overflow vulnerability in VMware ESXi allows an attacker with local admin privileges on a guest VM to escape the sandbox and execute code on the hypervisor host.
A new critical SQL injection vulnerability in MOVEit Transfer is being exploited by the Cl0p ransomware group, echoing the devastating 2023 campaign that compromised thousands of organizations worldwide.
Microsoft's June Patch Tuesday addresses over 50 vulnerabilities including a Windows kernel privilege escalation flaw being exploited in the wild by advanced threat actors.
A critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center allows unauthenticated remote code execution, with ransomware groups actively exploiting unpatched instances.
Google released an emergency Chrome update fixing a high-severity type confusion vulnerability in V8 that was being exploited in targeted attacks against users in the wild.
Coinbase revealed that threat actors bribed overseas customer support contractors to exfiltrate personal data of roughly 1% of monthly transacting users, then demanded a $20 million ransom.
Two vulnerabilities in Ivanti Endpoint Manager Mobile can be chained to achieve unauthenticated remote code execution, with active exploitation targeting government and critical infrastructure organizations.
Microsoft's May 2025 Patch Tuesday addresses over 70 vulnerabilities including five zero-days under active exploitation across Windows kernel, scripting engine, and DWM components.
A maximum-severity vulnerability in Cisco IOS XE for Wireless LAN Controllers allows unauthenticated attackers to upload arbitrary files and execute commands via a hard-coded JSON Web Token.
UK retailer Co-op shut down parts of its IT infrastructure after detecting unauthorized access, becoming the second major British retailer hit by cyberattack in weeks following Marks & Spencer.
UK retail giant Marks & Spencer suffered a significant cyberattack that disrupted contactless payments, click-and-collect services, and online ordering, attributed to the DragonForce ransomware operation working with Scattered Spider affiliates.
A critical zero-day in SAP NetWeaver Visual Composer is being actively exploited to upload webshells to enterprise SAP servers, enabling full remote control of critical business systems.
A critical vulnerability in the Erlang/OTP SSH library allows unauthenticated remote code execution with a perfect CVSS 10.0 score, affecting any application using the built-in SSH server.
Microsoft's April 2025 Patch Tuesday addresses a Windows Common Log File System zero-day being actively exploited by the RansomEXX ransomware group for privilege escalation.
Threat actors maintained persistent read-only access to Fortinet FortiGate devices through symlinks in the SSL-VPN language files, surviving firmware updates and patches applied by defenders.
A critical authentication bypass in CrushFTP allows unauthenticated attackers to access administrative functions through crafted HTTP requests, with exploitation already observed in the wild.
Four critical vulnerabilities in the Kubernetes ingress-nginx controller, collectively dubbed IngressNightmare, could allow unauthenticated attackers to take over Kubernetes clusters hosting 40% of cloud workloads.
A critical authorization bypass vulnerability in the Next.js framework allows attackers to skip middleware-based security checks by manipulating request headers, potentially affecting millions of web applications.
A critical remote code execution vulnerability in Apache Tomcat allows attackers to upload and execute arbitrary code via partial PUT requests, with active exploitation observed within 30 hours of disclosure.
A supply chain attack targeting the popular tj-actions/changed-files GitHub Action compromised CI/CD secrets across thousands of repositories by injecting malicious code that exfiltrated secrets to workflow logs.
FBI, CISA, and MS-ISAC warn that the Medusa ransomware-as-a-service operation has impacted over 300 organizations across critical infrastructure sectors since 2021.
Microsoft's March 2025 Patch Tuesday is one of the most critical in recent memory, fixing six actively exploited zero-day vulnerabilities across NTFS, the Win32 kernel subsystem, and Microsoft Management Console.
Three VMware zero-day vulnerabilities in ESXi, Workstation, and Fusion are being actively exploited, enabling attackers to escape virtual machines and compromise hypervisors.
Cryptocurrency exchange Bybit lost approximately $1.5 billion in Ethereum from a cold wallet, in what is believed to be the largest cryptocurrency theft in history, attributed to North Korean state-sponsored hackers.
A joint advisory warns that the Ghost (Cring) ransomware group, operating from China, has compromised organizations across 70 countries by exploiting known vulnerabilities in internet-facing services.
A SQL injection zero-day in PostgreSQL's interactive tool was exploited alongside the BeyondTrust Remote Support zero-day to compromise US Treasury Department systems.
A critical authentication bypass in Palo Alto Networks PAN-OS management interface is being chained with other vulnerabilities to achieve remote code execution on firewalls.
Microsoft's February 2025 Patch Tuesday addresses over 55 vulnerabilities including multiple zero-days under active exploitation in Windows, with critical flaws in NTLMv2 and LDAP.
Google's February Android security update patches an actively exploited Linux kernel USB-video class vulnerability that enabled privilege escalation on Android devices.
Cisco has released patches for multiple critical vulnerabilities in Identity Services Engine that could allow authenticated attackers to execute arbitrary commands as root.
Threat actors are actively exploiting command injection vulnerabilities in Zyxel CPE series devices, with no patches available from the vendor for affected end-of-life products.
Critical vulnerabilities in SimpleHelp remote monitoring and management software are being exploited by threat actors to gain unauthorized access to managed client networks.
Apple released emergency security updates to fix a zero-day vulnerability in the CoreMedia framework that was being actively exploited against devices running older iOS versions.
A Mirai botnet variant is actively scanning for and compromising Juniper SSR routers that still use factory-default credentials, incorporating them into DDoS infrastructure.
CISA has issued an emergency directive ordering federal agencies to mitigate Ivanti Connect Secure vulnerabilities amid widespread exploitation by nation-state actors.
Education technology giant PowerSchool suffered a major data breach exposing personal information of students and staff across numerous K-12 school districts in North America.
Microsoft's January 2025 Patch Tuesday addresses 159 vulnerabilities including eight zero-days, three of which are under active exploitation in Windows Hyper-V and Windows components.
A critical authentication bypass in FortiOS and FortiProxy is being actively exploited, allowing remote attackers to gain super-admin privileges on affected firewalls.
Multiple critical vulnerabilities in Moxa industrial networking devices could allow attackers to gain root access to OT and ICS infrastructure.
A critical zero-day vulnerability in Ivanti Connect Secure VPN appliances is being actively exploited by threat actors to gain unauthenticated remote code execution.
A vulnerability in Nuclei, an open-source vulnerability scanner, allowed attackers to bypass signature verification and execute malicious code via templates on local systems.
Tenable's buggy differential plugin updates caused global outages of Nessus vulnerability scanner agents, requiring manual upgrades for revival.
Chinese state-backed hackers breached the Office of Foreign Assets Control (OFAC), potentially gaining access to sensitive sanctions-related data.
The Brain Cipher ransomware gang has begun leaking data stolen from Rhode Island's RIBridges social services platform, highlighting the risks of unpatched vulnerabilities and inadequate security measures.
A new attack technique, DoubleClickjacking, exploits double-clicks to bypass existing clickjacking protections and hijack user accounts. This poses a significant risk as it can be used to authorize sensitive actions without users' knowledge.
The EU court's adviser has ruled that banks must immediately refund phishing victims, even if the victim was negligent. This decision could significantly impact financial institutions' liability policies and cybersecurity measures.
The Trump administration's cyber strategy focuses on strengthening deterrence against adversaries, modernizing federal networks, protecting critical infrastructure, and investing in emerging technologies like AI and post-quantum cryptography.
EC-Council has introduced new AI-related certifications to enhance the U.S. cybersecurity workforce's readiness, reflecting growing demand for AI expertise in security.
Microsoft is improving the security of batch file and CMD script execution in Windows 11 Insider Preview builds, addressing a common attack vector for malicious scripts.
A bug in Microsoft's classic Outlook desktop client causes the mouse pointer to disappear for some users, impacting usability but not directly compromising security.
EC-Council introduced four new AI certifications and updated its Certified CISO program to help bridge the gap between AI adoption and workforce readiness, particularly in the U.S. where 700,000 workers need reskilling.
Anthropic's new AI-powered tool, Claude Code Security, scans codebases for vulnerabilities and suggests patches. This is a significant advancement in automated security testing.
CISA's 2025 cybersecurity year-in-review report documents a record 97 zero-day vulnerabilities exploited in the wild and identifies edge device exploitation and ransomware as the top threats to critical infrastructure.
NIST released final guidelines for organizations to transition from classical to post-quantum cryptographic algorithms, establishing timelines and priorities for migration across different use cases.
Google open-sourced an AI-powered fuzzing platform that has already discovered over 300 vulnerabilities in critical open-source software, offering automated vulnerability discovery capabilities to the broader security community.
The EU Cyber Resilience Act's vulnerability reporting obligations take effect, requiring manufacturers of products with digital elements to report actively exploited vulnerabilities within 24 hours.
An expanded international law enforcement operation seized remaining LockBit ransomware infrastructure, arrested additional administrators, and released decryption keys benefiting thousands of victims.
PyPI now requires all newly published packages to include build provenance attestations using Sigstore, marking a major milestone in supply chain security for the Python ecosystem.
Google Cloud began enforcing mandatory multi-factor authentication for all user accounts, completing a phased rollout that started in late 2024 and affecting millions of cloud platform users worldwide.
CISA and NSA published joint guidance addressing security risks of AI system deployment in critical infrastructure, covering supply chain, model integrity, and adversarial attack mitigations.
The US Department of Justice announced federal charges against additional members of the Scattered Spider cybercriminal group responsible for high-profile social engineering attacks against major US corporations.
The imageboard 4chan was breached and taken offline after attackers exploited an outdated PHP installation, leaking source code, moderator information, and internal tools.
French telecommunications giant Orange confirmed a data breach after a threat actor leaked thousands of internal documents, source code, and customer records from the company's Romanian branch.
The rapid rise of Chinese AI lab DeepSeek's open-source models has sparked significant security and data privacy concerns, with researchers identifying exposed databases and questionable data handling practices.
CISA and FBI publish joint guidance urging software manufacturers to adopt memory-safe programming languages and practices to eliminate buffer overflow vulnerabilities at their source.
Google is introducing the Text Fragment feature in Chrome's PDF reader, allowing users to share specific parts of long PDFs more easily. This could potentially lead to improved collaboration but may also introduce new attack vectors if not properly secured.
Over three million mail servers are exposed without TLS encryption, allowing potential sniffing attacks and data interception.
Subscribe to the Sebastion intelligence feed in your RSS reader of choice. New entries are published daily as our AI pipeline analyses security feeds and produces structured assessments.
Feed URL: sebastion.dev/intelligence/feed.xml