[{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:02","id":522,"published_date":"2026-07-02T03:21:32+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Data breach exposes employees and patients of a pediatric clinic.","title":"\ud83c\udff4\u200d\u2620\ufe0f Anubis has just published a new victim : Northeast Pediatrics & Adolescent Medicine","url":"https://www.ransomware.live/id/Tm9ydGhlYXN0IFBlZGlhdHJpY3MgJiBBZG9sZXNjZW50IE1lZGljaW5lQGFudWJpcw=="},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":107,"published_date":"2026-07-02T01:31:29+00:00","severity":"medium","source_name":"Decipher","summary":"19-year-old Peter Stokes is one of several to be arrested for their alleged participation in Scattered Spider.","title":"DoJ: Alleged Scattered Spider Member Extradited to US","url":"https://decipher.sc/2026/07/01/doj-alleged-scattered-spider-member-extradited-to-us"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":61,"published_date":"2026-07-01T20:31:21+00:00","severity":"medium","source_name":"Dark Reading","summary":"Attackers fingerprint victims through user-agent data to deliver OS-specific payloads, increasing compromise rates and campaign profitability.","title":"Crafty Phishing Campaigns Auto-Adapt to Victim's Device, OS","url":"https://www.darkreading.com/application-security/phishing-campaigns-auto-adapt-victims-device-os"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism (Recorded Future-owned), strong on nation-state reporting.","created_at":"2026-07-02 03:55:47","id":102,"published_date":"2026-07-01T20:13:00+00:00","severity":"medium","source_name":"The Record","summary":"A complaint unsealed this week accuses a 19-year-old of participating in incidents including a breach of a \"luxury-jewelry retailer\" in 2025.","title":"Teen suspect in Scattered Spider hacks is extradited to US","url":"https://therecord.media/teen-suspect-in-scattered-spider-hacks-extradited-to-us"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":62,"published_date":"2026-07-01T19:46:34+00:00","severity":"medium","source_name":"Dark Reading","summary":"Researchers say the highly effective social engineering technique is no longer the exception for malware attacks \u2014 it's now the rule.","title":"And the Winner in Dominant Malware Delivery? ClickFix","url":"https://www.darkreading.com/vulnerabilities-threats/winner-dominant-malware-delivery-clickfix"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":11,"published_date":"2026-07-01T19:40:06+00:00","severity":"high","source_name":"The Hacker News","summary":"Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component's internal network port. Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD's maintainers in","title":"Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters","url":"https://thehackernews.com/2026/07/unpatched-argo-cd-repo-server-flaw.html"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":12,"published_date":"2026-07-01T19:28:07+00:00","severity":"medium","source_name":"The Hacker News","summary":"A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police","title":"19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges","url":"https://thehackernews.com/2026/07/19-year-old-scattered-spider-suspect.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":489,"published_date":"2026-07-01T19:23:26+00:00","severity":"medium","source_name":"CyberScoop","summary":"The defect impacts a popular collection of business applications that attackers have hit before in widespread attack sprees. The post Researchers spot exploitation of another critical Oracle defect appeared first on CyberScoop.","title":"Researchers spot exploitation of another critical Oracle defect","url":"https://cyberscoop.com/oracle-ebs-critical-vulnerability-exploited"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":92,"published_date":"2026-07-01T18:08:15+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Microsoft's new Teams admin policy requires organizer approval for external AI bots, giving organizations greater visibility and control over automated participants in sensitive meetings. The post Microsoft Adds New Teams Controls to Block Unauthorized AI Bots From Meetings appeared first on SecurityWeek.","title":"Microsoft Adds New Teams Controls to Block Unauthorized AI Bots From Meetings","url":"https://www.securityweek.com/microsoft-adds-new-teams-controls-to-block-unauthorized-ai-bots-from-meetings"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":523,"published_date":"2026-07-01T18:02:45+00:00","severity":"medium","source_name":"Ransomware.live","summary":"www.higuchi-inc.co.jp/newsrelease/company/doc/unauthorized_access_incident.pdf // We have reviewed the report issued by HIGUCHI INC. To correct their mistake: the breach did not affect just one branch, but rather 3 different branches across various regions.Your data has not been leaked yet, as you are currently within an 8-day grace period. Before we publish any of your commercial or personal data, be aware that we possess 102 GB of Sage software backups, alongside numerous commercial documents.We await your reply to our messages. Follow the correct path to ensure nothing is leaked. We are waiting for you.","title":"\ud83c\udff4\u200d\u2620\ufe0f Stormous has just published a new victim : BN: higuchi-inc Report Error & Warning\u2060","url":"https://www.ransomware.live/id/Qk46IGhpZ3VjaGktaW5jIFJlcG9ydCBFcnJvciAmIFdhcm5pbmfigaBAc3Rvcm1vdXM="},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":13,"published_date":"2026-07-01T17:53:06+00:00","severity":"medium","source_name":"The Hacker News","summary":"Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a \"massive, multi-domain, multi-language\" campaign that distributes malicious installer archives hosted on spoofed websites. 
These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.","title":"SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT","url":"https://thehackernews.com/2026/07/seo-poisoned-software-sites-abuse.html"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":14,"published_date":"2026-07-01T17:18:50+00:00","severity":"medium","source_name":"The Hacker News","summary":"Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on","title":"VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer","url":"https://thehackernews.com/2026/07/veildrop-malware-chain-uses-blogger.html"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":15,"published_date":"2026-07-01T15:26:55+00:00","severity":"medium","source_name":"The Hacker News","summary":"A Brazilian banking trojan called Ousaban is going after Windows users who bank in Spain and Portugal. Fortinet's FortiGuard Labs identified the campaign in May 2026. It opens with a phishing PDF disguised as a corrupted file, checks that the visitor is really in Spain or Portugal, and hides its real payload inside an image. 
The goal is the usual one: steal banking logins and take","title":"Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures","url":"https://thehackernews.com/2026/07/ousaban-banking-trojan-targets-iberian.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":16,"published_date":"2026-07-01T15:25:46+00:00","severity":"medium","source_name":"The Hacker News","summary":"Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion updates \"resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,\" Adobe said in an alert released Tuesday. The vulnerabilities are listed","title":"Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic","url":"https://thehackernews.com/2026/07/adobe-patches-7-cvss-100-flaws-in.html"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":63,"published_date":"2026-07-01T15:17:14+00:00","severity":"medium","source_name":"Dark Reading","summary":"LLMs consistently hallucinate Web domains for legitimate brands that attackers can register for malicious activity in a difficult-to-detect attack vector.","title":"'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat","url":"https://www.darkreading.com/endpoint-security/phantom-squatting-ai-driven-supply-chain-threat"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":438,"published_date":"2026-07-01T15:03:53+00:00","severity":"medium","source_name":"Zero Day Initiative","summary":"We\u2019re back with our look at the Apple macOS and iOS security updates. As this is a new feature for us, please let us know your feedback on the blog. For Jun 2026, Apple released 37 unique CVEs across iOS 26.5.2 / iPadOS 26.5.2, macOS Tahoe 26.5.2, Safari 26.5.2. Since Apple doesn\u2019t provide CVSS scores or other severity information, we\u2019re left to speculate on which of these bugs is the most severe. The overwhelming majority (31 of 37) are WebKit/WebRTC bugs reachable through malicious web content. Most of those are crash/DoS bugs rather than code execution, so the real risk lives in the small set of kernel bugs and the handful of WebKit sandbox escapes. However, there are a couple that stand out. - CVE-2026-43724 (Kernel) \u2013 According to Apple, \u201cAn app may be able to cause unexpected system termination or write kernel memory.\u201d A kernel memory write is the highest-value primitive here: it's the privilege-escalation half of a full exploit chain and leads to complete device control. The bug was credited to Hyunwoo Kim (@v4bel), who is known to be a serious kernel researcher. 
- CVE-2026-39868 (Kernel) \u2013 Another kernel bug, this one could \u201ccause unexpected system termination or corrupt kernel memory.\u201d This is kernel memory corruption, and notably credited to a roster of elite offensive researchers (STAR Labs, Positive Technologies, Baidu Security). This kind of attribution usually signals a weaponizable, possibly Pwn2Own-grade bug rather than a theoretical crash. - CVE-2026-43725 / CVE-2026-43701 (WebKit) \u2013 Apple states these bugs could allow a website to process restricted web content outside the sandbox. I'm flagging this sandbox-escape pair over the many WebKit crash bugs because a sandbox escape is the bridge that turns a web-content bug into a path toward the kernel issues above. It's the most dangerous remotely-triggered class in the release. Here\u2019s a look at all the bugs released by Apple this month: Apple Security Update \u2013 June 29, 2026 37Total CVEs 22Denial of Service 7Information Disclosure 3Memory Corruption 2Elevation of Privilege 2Sandbox Escape 1Spoofing Apple security release \u2014 June 29, 2026. \"Yes/No\" indicates whether each update is affected. CVE IDs link to NVD. 
CVE ID Component Impact iOS 26.5.2 / iPadOS 26.5.2 macOS Tahoe 26.5.2 Safari 26.5.2 CVE-2026-43743 IOGPUFamily An app may be able to cause unexpected system termination Yes Yes No CVE-2026-39868 Kernel An app may be able to cause unexpected system termination or corrupt kernel memory Yes Yes No CVE-2026-43722 Kernel An app may be able to leak sensitive kernel state Yes Yes No CVE-2026-43724 Kernel An app may be able to cause unexpected system termination or write kernel memory Yes Yes No CVE-2026-43703 libxslt Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes No CVE-2026-43706 libxslt Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes No CVE-2026-43704 Web Extensions A malicious web extension may be able to cause an unexpected process crash Yes Yes Yes CVE-2026-39872 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43663 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43676 WebKit Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43699 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43700 WebKit Processing maliciously crafted web content may disclose sensitive user information Yes Yes Yes CVE-2026-43701 WebKit A malicious website may be able to process restricted web content outside the sandbox Yes Yes Yes CVE-2026-43705 WebKit Processing maliciously crafted web content may lead to memory corruption Yes Yes Yes CVE-2026-43707 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43708 WebKit A malicious website may exfiltrate data cross-origin Yes Yes Yes CVE-2026-43709 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43712 WebKit 
Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43713 WebKit Visiting a website may leak sensitive data Yes Yes Yes CVE-2026-43715 WebKit Processing maliciously crafted web content may lead to memory corruption Yes Yes Yes CVE-2026-43716 WebKit Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43725 WebKit A malicious website may be able to process restricted web content outside the sandbox Yes Yes Yes CVE-2026-43726 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43727 WebKit Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43731 WebKit Processing maliciously crafted web content may lead to memory corruption Yes Yes Yes CVE-2026-43732 WebKit Processing maliciously crafted web content may disclose sensitive user information Yes Yes Yes CVE-2026-43734 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43735 WebKit A malicious website may exfiltrate data cross-origin Yes Yes Yes CVE-2026-43740 WebKit Processing maliciously crafted web content may result in the disclosure of process memory Yes Yes Yes CVE-2026-43742 WebKit Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43745 WebKit Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43720 WebKit Canvas Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43721 WebKit Storage A malicious website may be able to silently hijack clipboard data Yes Yes Yes CVE-2026-28979 WebRTC Processing maliciously crafted web content may lead to an unexpected process crash Yes Yes Yes CVE-2026-43717 WebRTC Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes 
CVE-2026-43718 WebRTC Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes CVE-2026-43746 WebRTC Processing maliciously crafted web content may lead to an unexpected Safari crash Yes Yes Yes We\u2019ll continue these macOS updates if people find them useful. Stay tuned for the regularly scheduled Patch Tuesday blog covering Adobe and Microsoft.","title":"The June 2026 Apple Security Update Review","url":"https://www.thezdi.com/blog/2026/6/30/the-june-2026-apple-security-update-review"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":581,"published_date":"2026-07-01T14:52:02+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"submitted by /u/Sandwich_1337 [link] [comments]","title":"Privilege escalation to root in Lima QEMU guests via a world-writable agent socket (CVE-2026-53657)","url":"https://www.reddit.com/r/netsec/comments/1uknvr4/privilege_escalation_to_root_in_lima_qemu_guests"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":17,"published_date":"2026-07-01T14:42:54+00:00","severity":"medium","source_name":"The Hacker News","summary":"Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. 
They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3","title":"Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands","url":"https://thehackernews.com/2026/07/critical-cursor-flaws-could-let-prompt.html"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":108,"published_date":"2026-07-01T14:13:10+00:00","severity":"medium","source_name":"Decipher","summary":"This new ARToken operator panel has a clear lineage going back to the EvilTokens framework, which emerged in early 2026.","title":"Evil Is as Evil Does: New EvilTokens Affiliate Panel Uncovered","url":"https://decipher.sc/2026/07/01/evils-is-as-evil-does-new-eviltokens-affiliate-panel-uncovered"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":18,"published_date":"2026-07-01T13:56:18+00:00","severity":"critical","source_name":"The Hacker News","summary":"A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). 
The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve","title":"Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts","url":"https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":524,"published_date":"2026-07-01T13:50:38+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Refinery Hotel is a luxury hotel located near Bryant Park in New York City, offering a modern reinterpretation of a historic hat factory. The hotel features 197 stylish rooms with industrial accents and modern amenities, alongside dining options such as the Parker & Quinn restaurant and the Refinery Rooftop bar. We will upload 15gb of corporate data soon. Employee personal information (passports, DLs, SSNs, w9 forms), guests information, financials, contracts and agreements, lots of NDAs, etc.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : Refinery Hotel","url":"https://www.ransomware.live/id/UmVmaW5lcnkgSG90ZWxAYWtpcmE="},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":490,"published_date":"2026-07-01T13:36:39+00:00","severity":"medium","source_name":"CyberScoop","summary":"The company and the Commerce Department say they have reached an agreement that will see the AI models released publicly with new guardrails and classifiers. The post US lifting export control restrictions on Anthropic\u2019s Mythos, Fable appeared first on CyberScoop.","title":"US lifting export control restrictions on Anthropic\u2019s Mythos, Fable","url":"https://cyberscoop.com/us-lifting-export-control-restrictions-anthropic-mythos-fable"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":525,"published_date":"2026-07-01T13:18:51+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Dennis Waters Rental Properties","url":"https://www.ransomware.live/id/RGVubmlzIFdhdGVycyBSZW50YWwgUHJvcGVydGllc0BxaWxpbg=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":526,"published_date":"2026-07-01T13:18:10+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Mattatuck Industrial Scrap Metal","url":"https://www.ransomware.live/id/TWF0dGF0dWNrIEluZHVzdHJpYWwgU2NyYXAgTWV0YWxAcWlsaW4="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":527,"published_date":"2026-07-01T13:17:28+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Laughlin Nunnally Hood & Crum","url":"https://www.ransomware.live/id/TGF1Z2hsaW4gTnVubmFsbHkgSG9vZCAmIENydW1AcWlsaW4="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":528,"published_date":"2026-07-01T13:16:37+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Rossum Integration","url":"https://www.ransomware.live/id/Um9zc3VtIEludGVncmF0aW9uQHFpbGlu"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism (Recorded Future-owned), strong on nation-state reporting.","created_at":"2026-07-02 03:55:47","id":103,"published_date":"2026-07-01T13:16:00+00:00","severity":"medium","source_name":"The Record","summary":"Anthropic said export controls on certain models had been lifted after the company came to a series of agreements with the government.","title":"US lifts export controls on Anthropic\u2019s frontier cybersecurity AI models","url":"https://therecord.media/us-lifts-export-controls-anthropic-cyber-models"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":529,"published_date":"2026-07-01T13:15:51+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Dynamic Laser Solutions Ltd.","url":"https://www.ransomware.live/id/RHluYW1pYyBMYXNlciBTb2x1dGlvbnMgTHRkLkBxaWxpbg=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. 
High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":530,"published_date":"2026-07-01T13:15:08+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Dixie Beverage","url":"https://www.ransomware.live/id/RGl4aWUgQmV2ZXJhZ2VAcWlsaW4="},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism (Recorded Future-owned), strong on nation-state reporting.","created_at":"2026-07-02 03:55:47","id":104,"published_date":"2026-07-01T13:10:00+00:00","severity":"medium","source_name":"The Record","summary":"Aflac's Tokyo arm and brewer Sapporo are among the major Japanese companies to recently notify the public about data breaches.","title":"Japanese insurer, brewer, manufacturer and telecom disclose cyber breaches","url":"https://therecord.media/japan-cyber-breaches-aflac-sapporo-nidec-kddi"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":19,"published_date":"2026-07-01T12:59:19+00:00","severity":"medium","source_name":"The Hacker News","summary":"Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining \"unrealistic browser-malware concepts with a real browser capability\" to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. 
\"This is the first documented case where a frontier AI model","title":"AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android","url":"https://thehackernews.com/2026/07/ai-generated-browser-ransomware-abuses.html"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":225,"published_date":"2026-07-01T12:50:59+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"Researchers warned AI vendors about a proof-of-concept called BioShiocking that tricks agents by gamifying the outcome.","title":"BioShocking: when \u201cgaming\u201d AI agents is no longer a game","url":"https://www.malwarebytes.com/blog/ai/2026/07/bioshocking-when-gaming-ai-agents-is-no-longer-a-game"},{"category":"Uncategorized","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":132,"published_date":"2026-07-01T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Pen testers suggest what organisations can do to make their job more difficult.","title":"Building more resilient CNI: what industry pen testers told us","url":"https://www.ncsc.gov.uk/blogs/building-more-resilient-cni-what-industry-pen-testers-told-us"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":20,"published_date":"2026-07-01T11:30:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. 
The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year's findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals","title":"2026 Cybersecurity Assessment: The Gap Between Awareness and Resilience","url":"https://thehackernews.com/2026/07/2026-cybersecurity-assessment-gap.html"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":176,"published_date":"2026-07-01T11:29:38+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver\u2019s license information, passport numbers, emails, phone numbers, and residential addresses for [\u2026] The post 22nd June \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"22nd June \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/22nd-june-threat-intelligence-report"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":93,"published_date":"2026-07-01T11:27:07+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Seven of the security defects have a maximum severity rating of 10/10 and could lead to arbitrary code execution. 
The post Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities appeared first on SecurityWeek.","title":"Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities","url":"https://www.securityweek.com/adobe-patches-critical-coldfusion-campaign-classic-vulnerabilities"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":94,"published_date":"2026-07-01T11:20:45+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Citrix urges customers to patch NetScaler after fixing six vulnerabilities, including the HTTP/2 Bomb flaw and a high-severity CitrixBleed-style information disclosure bug. The post Citrix Patches NetScaler Vulnerabilities, Including New \u2018HTTP/2 Bomb\u2019 Attack appeared first on SecurityWeek.","title":"Citrix Patches NetScaler Vulnerabilities, Including New \u2018HTTP/2 Bomb\u2019 Attack","url":"https://www.securityweek.com/citrix-patches-netscaler-vulnerabilities-including-new-http-2-bomb-attack"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":21,"published_date":"2026-07-01T10:41:36+00:00","severity":"medium","source_name":"The Hacker News","summary":"Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. \"Advances in quantum research and development have shifted the risk horizon,\" Mark Russinovich, chief technology officer of Microsoft Azure, said. 
\"We believe","title":"Microsoft Accelerates Post-Quantum Cryptography Shift to 2029","url":"https://thehackernews.com/2026/07/microsoft-accelerates-post-quantum.html"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":531,"published_date":"2026-07-01T10:29:35+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Over 21 million Salesforce records containing some PII were compromised. The Company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care. | Size: 100GB+ | Updated: 02 July 2026 | SHA256: 6ee9bd06756efceb56e5c56fd4e8ab3a8006b9cb80e7c0b4405ed15b996c05fe","title":"\ud83c\udff4\u200d\u2620\ufe0f Shinyhunters has just published a new victim : Fluke Corporation","url":"https://www.ransomware.live/id/Rmx1a2UgQ29ycG9yYXRpb25Ac2hpbnlodW50ZXJz"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":532,"published_date":"2026-07-01T10:29:15+00:00","severity":"medium","source_name":"Ransomware.live","summary":"The Company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care. 
| Updated: 02 July 2026 | SHA256: f3c961b709bcff8f70dbb8361116831d2c86361754a09658115b9efed39308e5","title":"\ud83c\udff4\u200d\u2620\ufe0f Shinyhunters has just published a new victim : Ingram Content Group, Inc.","url":"https://www.ransomware.live/id/SW5ncmFtIENvbnRlbnQgR3JvdXAsIEluYy5Ac2hpbnlodW50ZXJz"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":177,"published_date":"2026-07-01T10:05:35+00:00","severity":"medium","source_name":"Check Point Research","summary":"Research by: Alexey Bukhteyev Key Takeaways Introduction Over the past several years, large language models have reshaped software development, and malware development has followed the same path. Check Point Research has documented this trend from early experiments showing that AI systems could generate offensive components, to cases of cybercriminals using ChatGPT to create malicious tools, and [\u2026] The post Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique appeared first on Check Point Research.","title":"Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique","url":"https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":306,"published_date":"2026-07-01T10:00:51+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Kaspersky experts have uncovered a malicious network infrastructure for delivering AsyncRAT. The Trojan is dropped via compromised ScreenConnect software. 
In this post, we break down the infection chain and analyze the C2 infrastructure.","title":"The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign","url":"https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research with strong malware analysis track record.","created_at":"2026-07-02 03:55:49","id":171,"published_date":"2026-07-01T10:00:38+00:00","severity":"medium","source_name":"Cisco Talos","summary":"Talos has identified \"ARToken,\" a phishing-as-a-service platform that targets Microsoft 365. The ARToken panel exposes 80+ API endpoints for device code phishing, Primary Refresh Token persistence, email access, BEC operations, and SharePoint exfiltration.","title":"ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365","url":"https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":95,"published_date":"2026-07-01T10:00:00+00:00","severity":"medium","source_name":"SecurityWeek","summary":"From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. The post Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors appeared first on SecurityWeek.","title":"Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors","url":"https://www.securityweek.com/frontier-ai-six-questions-every-enterprise-should-ask-security-vendors"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":491,"published_date":"2026-07-01T10:00:00+00:00","severity":"medium","source_name":"CyberScoop","summary":"Cisco Talos\u2019 research on ARToken builds on what\u2019s known about the related EvilTokens phishing-as-a-service. The post This phishing kit looks more like BEC-as-a-service appeared first on CyberScoop.","title":"This phishing kit looks more like BEC-as-a-service","url":"https://cyberscoop.com/artoken-bec-platform-cisco-talos"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":96,"published_date":"2026-07-01T09:30:00+00:00","severity":"medium","source_name":"SecurityWeek","summary":"The updates fix vulnerabilities in WebKit, the kernel, WebRTC, Web Extensions, and other components affecting iPhone, iPad, Mac, and Safari users. The post Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari appeared first on SecurityWeek.","title":"Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari","url":"https://www.securityweek.com/apple-patches-dozens-of-vulnerabilities-across-ios-macos-and-safari"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":226,"published_date":"2026-07-01T09:10:01+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"AI assistants like ChatGPT are supposed to have appropriate guardrails to stop people creating harmful content. 
However, they don't always work.","title":"ChatGPT produced graphic violent images that shocked researchers","url":"https://www.malwarebytes.com/blog/ai/2026/07/chatgpt-produced-graphic-violent-images-that-shocked-researchers"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":97,"published_date":"2026-07-01T08:55:35+00:00","severity":"medium","source_name":"SecurityWeek","summary":"The company has publicly launched its solution to help organizations design, build, and operate secure cloud systems. The post Dawnguard Raises $6.3 Million for Security Architecture Automation Platform appeared first on SecurityWeek.","title":"Dawnguard Raises $6.3 Million for Security Architecture Automation Platform","url":"https://www.securityweek.com/dawnguard-raises-6-3-million-for-security-architecture-automation-platform"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":98,"published_date":"2026-07-01T07:46:33+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Hackers were seen making over 81 million login attempts originating from systems associated with hosting provider LSHIY. The post Massive Password Spray Campaign Targeting Azure CLI appeared first on SecurityWeek.","title":"Massive Password Spray Campaign Targeting Azure CLI","url":"https://www.securityweek.com/massive-password-spray-campaign-targeting-azure-cli"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":22,"published_date":"2026-07-01T07:20:51+00:00","severity":"high","source_name":"The Hacker News","summary":"Large language models keep inventing web addresses that do not exist. Attackers have started buying those made-up domains before anyone else can, then hosting phishing pages on them to catch traffic that AI tools point their way. Palo Alto Networks' Unit 42 calls the trick phantom squatting, and its new research shows it is already happening in the wild. The reason it matters is","title":"Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware","url":"https://thehackernews.com/2026/07/phantom-squatting-uses-ai-hallucinated.html"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":23,"published_date":"2026-07-01T06:46:17+00:00","severity":"medium","source_name":"The Hacker News","summary":"Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier. Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork. Export controls restrict who can","title":"Anthropic Restores Claude Fable 5 After U.S. Lifts Jailbreak-Linked Export Controls","url":"https://thehackernews.com/2026/07/anthropic-restores-claude-fable-5-after.html"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. 
Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":307,"published_date":"2026-07-01T06:42:48+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Researching OpenClaw vulnerabilities, malicious skills, and other security issues with the popular agent, and providing tips on how to mitigate them.","title":"OpenClaw: risks for the users and how to mitigate them","url":"https://securelist.com/openclaw-security/120484"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":99,"published_date":"2026-07-01T06:14:41+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Fifteen of the newly patched flaws have been rated \u2018critical\u2019 and 67 have been rated \u2018high severity\u2019. The post Google Patches 382 Chrome Vulnerabilities appeared first on SecurityWeek.","title":"Google Patches 382 Chrome Vulnerabilities","url":"https://www.securityweek.com/google-patches-382-chrome-vulnerabilities"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":24,"published_date":"2026-07-01T05:46:03+00:00","severity":"medium","source_name":"The Hacker News","summary":"Cybersecurity researchers have warned of a \"massive, ongoing, automated password spray attack\" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). 
\"Between June 12 and June 26, the threat","title":"Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts","url":"https://thehackernews.com/2026/07/azure-cli-password-spray-hits-at-least.html"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":25,"published_date":"2026-07-01T05:32:12+00:00","severity":"medium","source_name":"The Hacker News","summary":"ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake \"prove you're human\" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.","title":"Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery","url":"https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Handler diaries \u2014 expert practitioner analysis, not primary research but high-quality synthesis.","created_at":"2026-07-02 03:56:04","id":578,"published_date":"2026-07-01T05:10:20+00:00","severity":"medium","source_name":"SANS Internet Storm Center","summary":"This morning, an interesting phishing email hit my mailbox. It targets Metamask[1], a cryptocurrency wallet, available as a browser extension and a mobile app, that lets users store, send, and receive crypto money. It's pretty popular, so a juicy target for criminals. 
In February, I already mentioned a campaign against them[2].","title":"Why Ask Credentials If There Are Secret Codes?, (Wed, Jul 1st)","url":"https://isc.sans.edu/diary/rss/33118"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":26,"published_date":"2026-07-01T03:54:22+00:00","severity":"medium","source_name":"The Hacker News","summary":"Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation","title":"Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service","url":"https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":152,"published_date":"2026-07-01T01:00:11+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Attackers can exploit LLM domain hallucinations through phantom squatting to target supply chains. Read the analysis to learn more. The post Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector appeared first on Unit 42.","title":"Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector","url":"https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":64,"published_date":"2026-07-01T01:00:01+00:00","severity":"medium","source_name":"Dark Reading","summary":"The group compromised at least 10 regional organizations, including two state-owned entities, and deployed a new backdoor.","title":"China-Linked Group Targets Southeast Asia Critical Systems","url":"https://www.darkreading.com/threat-intelligence/china-linked-group-targets-southeast-asia-critical-systems"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":233,"published_date":"2026-07-01T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Discover how Iranian-nexus threat cluster TAG-182 uses MarkiRAT malware and fake VPN/media apps to conduct cyber surveillance operations against domestic targets.","title":"Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool","url":"https://www.recordedfuture.com/research/nexus-tag182-disseminates-markirat"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":288,"published_date":"2026-07-01T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches.","title":"Backdoors & Breaches: New scenarios and adaptations","url":"https://securitylabs.datadoghq.com/articles/backdoors-and-breaches-new-scenarios"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":492,"published_date":"2026-06-30T21:46:38+00:00","severity":"high","source_name":"CyberScoop","summary":"The bulletin includes six NetScaler issues, but attention is centered on a high-severity flaw with similarities to earlier actively exploited bugs. The post Citrix patches a new NetScaler flaw with echoes of CitrixBleed appeared first on CyberScoop.","title":"Citrix patches a new NetScaler flaw with echoes of CitrixBleed","url":"https://cyberscoop.com/citrix-netscaler-flaw-cve-2026-8451-citrixbleed"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":65,"published_date":"2026-06-30T21:37:50+00:00","severity":"medium","source_name":"Dark Reading","summary":"\"Agentjacking\" is the latest demonstration of how easily attackers can exploit an AI agent's inability to differentiate between content and instructions.","title":"Fake Bug Report Hijacks AI Coding Agents at Scale","url":"https://www.darkreading.com/cyber-risk/fake-bug-report-hijacks-ai-coding-agents"},{"category":"Nation State/APT","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":569,"published_date":"2026-06-30T21:22:32+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"MEE reports: New national security legislation being rushed through the UK\u2019s parliament could criminalise British foreign correspondents and NGO workers engaging with designated state-backed groups, experts warn. 
The National Security (State Threats) Bill, which is moving through its final stages in parliament this week, hands the UK Home Secretary Shabana Mahmood sweeping powers to designate as a threat any... Source","title":"UK journalists and NGOs risk terrorism prosecutions under new security bill","url":"https://databreaches.net/2026/06/30/uk-journalists-and-ngos-risk-terrorism-prosecutions-under-new-security-bill?pk_campaign=feed&pk_kwd=uk-journalists-and-ngos-risk-terrorism-prosecutions-under-new-security-bill"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":493,"published_date":"2026-06-30T20:51:07+00:00","severity":"medium","source_name":"CyberScoop","summary":"DHS Secretary Markwayne Mullin has been floating the idea of adding back 600 CISA personnel after deep Trump administration cuts. The post Trump budget boss Russell Vought open to re-staffing CISA appeared first on CyberScoop.","title":"Trump budget boss Russell Vought open to re-staffing CISA","url":"https://cyberscoop.com/russell-vought-cisa-staffing-trump-budget-cuts"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":533,"published_date":"2026-06-30T19:51:25+00:00","severity":"medium","source_name":"Ransomware.live","summary":"[manufacturer] *** GmbH \u2014 a German manufacturer of medical devices founded in 1946 and now part of the PE-backed PP Medtech group (Wiesmann & Co. KG). 
The exfiltration captured four entire server volumes: Daten (883 GB) \u2014 File server: 289 employee home directories (547 GB), Czech subsidiary data (66 GB), production processes (162 GB), machine configurations (81 GB) EE (807 GB) \u2014 Enterprise system: Apollo ERP, VBANK banking (8 accounts), complete database backup (100.6 GB, dated June 3), product images WINDVSW1 (344 GB) \u2014 Windows server: DATEV accounting (115+ data directories including LODAS payroll), bank transfers, DMS exports dmsscan (12 GB) \u2014 Scanned documents from 51+ employee DMS mailboxes A database backup (spiel.zip.001\u2013010, 100.6 GB) was created on 2026-06-03","title":"\ud83c\udff4\u200d\u2620\ufe0f Aurora has just published a new victim : Primed Halberstadt Medizintechnik","url":"https://www.ransomware.live/id/UHJpbWVkIEhhbGJlcnN0YWR0IE1lZGl6aW50ZWNobmlrQGF1cm9yYQ=="},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":582,"published_date":"2026-06-30T19:40:48+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"submitted by /u/dx7r__ [link] [comments]","title":"CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451) - watchTowr Labs","url":"https://www.reddit.com/r/netsec/comments/1ujzc5y/citrixbleed_to_infinity_and_beyond_citrix"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"High-quality primary vulnerability research with fast disclosure cadence. Quality exception \u2014 newer brand, authoritative output.","created_at":"2026-07-02 03:55:58","id":432,"published_date":"2026-06-30T19:35:58+00:00","severity":"high","source_name":"watchTowr Labs","summary":"Well, well, well - once again, the cat has dragged us in and spat us out. Today, we find ourselves questioning the reality we sit within. Must it be so predictable, and why us? 
\u201cBut watchTowr, what do you mean?\u201d Well, if you\u2019re here, you likely fit","title":"CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451)","url":"https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451"},{"category":"Identity & Access","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":66,"published_date":"2026-06-30T19:11:40+00:00","severity":"medium","source_name":"Dark Reading","summary":"As AI reshapes cybersecurity workflows, John Paul Cunningham, CISO at Silverfort, says the technology is creating opportunities rather than eliminating jobs \u2014 and there are more ways than ever to break into the essential field.","title":"Why Identity Security Is Your Cyber Career Entry Point","url":"https://www.darkreading.com/cybersecurity-operations/identity-security-cyber-career-entry-point"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism (Recorded Future-owned), strong on nation-state reporting.","created_at":"2026-07-02 03:55:47","id":105,"published_date":"2026-06-30T19:05:00+00:00","severity":"medium","source_name":"The Record","summary":"CIA Director John Ratcliffe said artificial intelligence capabilities are \"akin to digital nuclear weapons.\u201d","title":"CIA chief highlights major shifts in agency\u2019s tech approach","url":"https://therecord.media/cia-chief-ratcliffe-highlights-major-shifts-in-agencys-tech-approach"},{"category":"Industry/Policy","confidence":"HIGH","confidence_reason":"Curated Microsoft threat research, Patch Tuesday summaries, and incident analysis. 
Replaced the MSRC Update Guide CVE firehose (~3k advisories/quarter) with this high-signal blog feed.","created_at":"2026-07-02 03:55:50","id":220,"published_date":"2026-06-30T19:00:00+00:00","severity":"medium","source_name":"Microsoft Security Blog","summary":"We\u2019re accelerating quantum-safe readiness\u2014and sharing what organizations can do now to transition earlier and with confidence. The post Accelerating the quantum-safe timeline appeared first on Microsoft Security Blog.","title":"Accelerating the quantum-safe timeline","url":"https://www.microsoft.com/en-us/security/blog/2026/06/30/microsoft-advances-quantum-safe-security-as-the-risk-timeline-shifts"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":67,"published_date":"2026-06-30T18:59:46+00:00","severity":"medium","source_name":"Dark Reading","summary":"Separate but similar campaigns described by Microsoft and Trend Micro use malicious zip files to spread malware via social engineering and obfuscation, including blockchain abuse.","title":"Phishers Gain Persistence at EU, Asia Hospitality Orgs","url":"https://www.darkreading.com/cyberattacks-data-breaches/phishers-persistence-eu-asia-hospitality-orgs"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":27,"published_date":"2026-06-30T17:46:07+00:00","severity":"medium","source_name":"The Hacker News","summary":"New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. 
The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire. The work comes from Microsoft Incident Response and its","title":"Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data","url":"https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":28,"published_date":"2026-06-30T17:45:25+00:00","severity":"medium","source_name":"The Hacker News","summary":"A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. Researchers at QiAnXin's XLab have tracked it since February 2026, and say the real story is not how big it is today, but how fast it is changing. 
The end goal is a","title":"RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS","url":"https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Established security journalism (Recorded Future-owned), strong on nation-state reporting.","created_at":"2026-07-02 03:55:47","id":106,"published_date":"2026-06-30T16:23:00+00:00","severity":"medium","source_name":"The Record","summary":"The Kids Internet and Digital Safety (KIDS) Act passed with bipartisan support by a 267-117 margin, winning the two-thirds majority needed to greenlight the legislation under a process that speeds up a bill\u2019s path to a vote but requires more than a simple majority.","title":"House passes kids\u2019 online safety bill, but Senate approval unlikely","url":"https://therecord.media/house-passes-kids-online-safety-bill-senate-unlikely"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Curated Microsoft threat research, Patch Tuesday summaries, and incident analysis. Replaced the MSRC Update Guide CVE firehose (~3k advisories/quarter) with this high-signal blog feed.","created_at":"2026-07-02 03:55:50","id":221,"published_date":"2026-06-30T15:57:11+00:00","severity":"medium","source_name":"Microsoft Security Blog","summary":"MCP tool poisoning turns trusted AI agents into a control plane for data loss. Learn how threat actors manipulate tool descriptions to trigger unauthorized actions, and how to detect, contain, and prevent it.","title":"Securing AI agents: When AI tools move from reading to acting","url":"https://www.microsoft.com/en-us/security/blog/2026/06/30/securing-ai-agents-ai-tools-move-from-reading-acting"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":29,"published_date":"2026-06-30T15:47:20+00:00","severity":"high","source_name":"The Hacker News","summary":"Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner. The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI)","title":"Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints","url":"https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":30,"published_date":"2026-06-30T15:40:18+00:00","severity":"medium","source_name":"The Hacker News","summary":"Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. \"The campaign is delivered through unsigned installers \u2013 observed in both .NET and Golang variants \u2013 that","title":"Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses","url":"https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html"},{"category":"OT/ICS","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":494,"published_date":"2026-06-30T15:14:01+00:00","severity":"medium","source_name":"CyberScoop","summary":"The Department of Homeland Security is bringing back a key cybersecurity information sharing effort with critical infrastructure, more than a year after the Trump administration shuttered an existing nerve center between government and private sector. The Alliance of National Councils for Homeland Operational Resilience \u2013 Critical Infrastructure program, first reported by CyberScoop in January, is meant [\u2026]","title":"DHS to unveil replacement council for critical infrastructure cybersecurity","url":"https://cyberscoop.com/dhs-anchor-ci-cybersecurity-information-sharing"},{"category":"Nation State/APT","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":570,"published_date":"2026-06-30T14:41:01+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"From Nisos: Earlier this year, our DPRK employment fraud investigation revealed how North Korean operatives infiltrate US companies at industrial scale. In June, we released Part 2 of our research, featured on Nicole Perlroth\u2019s \u201cTo Catch a Thief\u201d podcast, that takes you inside the actual operations of a DPRK cell. When a suspicious candidate applied to...","title":"The Human Element: Building A Trusted Workforce in the Age of DPRK Employment Fraud","url":"https://databreaches.net/2026/06/30/the-human-element-building-a-trusted-workforce-in-the-age-of-dprk-employment-fraud?pk_campaign=feed&pk_kwd=the-human-element-building-a-trusted-workforce-in-the-age-of-dprk-employment-fraud"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":227,"published_date":"2026-06-30T14:35:45+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"A new Apple update fixes a multitude of browser and browser related vulnerabilities which have been public knowledge for a while","title":"Update time: Apple releases security patches for iOS, MacOS Tahoe, Safari","url":"https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":31,"published_date":"2026-06-30T14:26:15+00:00","severity":"medium","source_name":"The Hacker News","summary":"The safety check that is supposed to stop an AI coding agent from running a dangerous command can be walked straight past using a shell trick that has been public for decades. New research from Adversa AI, which is named the bypass GuardFall, found it works against ten of the eleven popular open-source coding and computer-use agents the firm tested. 
Only one, \"Continue,\" was built to","title":"GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks","url":"https://thehackernews.com/2026/06/guardfall-exposes-open-source-ai-coding.html"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":100,"published_date":"2026-06-30T13:56:07+00:00","severity":"high","source_name":"SecurityWeek","summary":"The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.","title":"BlueHammer Vulnerability Exploited in Ransomware Attacks","url":"https://www.securityweek.com/bluehammer-vulnerability-exploited-in-ransomware-attacks"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":571,"published_date":"2026-06-30T13:52:33+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Ransomnews has published a history and analysis of XSS Forum from its inception to its seizure in 2025. There is so much that is interesting and informative in their report that it\u2019s hard to know what to mention here, but here are just two portions below: As an overview: XSS.is, the most influential Russian-language cybercrime...","title":"The Fall of XSS Forum: From DaMaGeLaB to the 2025 takedown","url":"https://databreaches.net/2026/06/30/the-fall-of-xss-forum-from-damagelab-to-the-2025-takedown?pk_campaign=feed&pk_kwd=the-fall-of-xss-forum-from-damagelab-to-the-2025-takedown"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":32,"published_date":"2026-06-30T13:49:34+00:00","severity":"medium","source_name":"The Hacker News","summary":"Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account,","title":"282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study","url":"https://thehackernews.com/2026/06/282-ios-apps-found-leaking-llm-api-keys.html"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":534,"published_date":"2026-06-30T13:28:21+00:00","severity":"medium","source_name":"Ransomware.live","summary":"THE CERTIFICATE AS A VULNERABILITY: Documents of Orion Registrar Inc. 
PROLOGUE Financial reports and...","title":"\ud83c\udff4\u200d\u2620\ufe0f Settra has just published a new victim : orion4value.com","url":"https://www.ransomware.live/id/b3Jpb240dmFsdWUuY29tQHNldHRyYQ=="},{"category":"Supply Chain","confidence":"MEDIUM","confidence_reason":"Established security journalism with consistent editorial quality.","created_at":"2026-07-02 03:55:47","id":101,"published_date":"2026-06-30T13:00:00+00:00","severity":"medium","source_name":"SecurityWeek","summary":"Decades-old Bash shell tricks can bypass safeguards in most open source AI coding agents, potentially turning malicious repositories into supply chain attack vectors.","title":"Decades-Old Bash Tricks Expose AI Coding Agents to Supply Chain Attacks","url":"https://www.securityweek.com/decades-old-bash-tricks-expose-ai-coding-agents-to-supply-chain-attacks"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":376,"published_date":"2026-06-30T13:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Most Microsoft 365 environments are missing more than half of the recommended security controls, even with tooling in place. Here's why that happens and what Huntress Managed ISPM does about it.","title":"Microsoft 365 Hardening and Huntress Managed ISPM","url":"https://www.huntress.com/blog/microsoft-365-identity-security-five-minute-admin"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. 
Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":572,"published_date":"2026-06-30T12:40:33+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Sergiu Gatlan reports: American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary\u2019s systems and stole personal and bank account information. Aflac (short for American Family Life Assurance Company) is a Fortune 500 company and the largest supplemental insurance provider in the United States, serving millions of customers in...","title":"Insurance giant Aflac discloses data breach at Japan subsidiary","url":"https://databreaches.net/2026/06/30/insurance-giant-aflac-discloses-data-breach-at-japan-subsidiary?pk_campaign=feed&pk_kwd=insurance-giant-aflac-discloses-data-breach-at-japan-subsidiary"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":536,"published_date":"2026-06-30T12:30:59+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Hemmersbach GmbH & Co. KG","url":"https://www.ransomware.live/id/SGVtbWVyc2JhY2ggR21iSCAmIENvLiBLR0BxaWxpbg=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":537,"published_date":"2026-06-30T12:20:38+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Todd, Hamaker & Johnson, LLP is a professional tax and accounting firm based in Lufkin, Texas, dedicated to providing personalized services to both individuals and businesses. The firm offers a comprehensive range of services including tax, accounting, audit, and financial guidance. We will upload 40gb of corporate data soon. Lots of client and employee personal information (passports, SSNs, DLs and other information), detailed financials, client financials and other confidential client docs, contracts and agreements, etc.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : About Todd Hamaker & Johnson","url":"https://www.ransomware.live/id/QWJvdXQgVG9kZCBIYW1ha2VyICYgSm9obnNvbkBha2lyYQ=="},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Authoritative expert commentary and link blog. 
Analysis, not primary research.","created_at":"2026-07-02 03:56:01","id":480,"published_date":"2026-06-30T12:05:57+00:00","severity":"medium","source_name":"Schneier on Security","summary":"The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions about video footage to AIs\u2014and AIs can answer them. In contrast with older tools restricted to a few dozen preset searches, these new tools allow an almost unlimited range of enquiries by enabling language-based searches on video...","title":"The Realities of AI Video Surveillance","url":"https://www.schneier.com/blog/archives/2026/06/the-realities-of-ai-video-surveillance.html"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":538,"published_date":"2026-06-30T11:50:46+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Advanced Business Systems, Inc. is a locally owned business serving the Quad Cities area, specializing in a wide range of office products and solutions including copiers, printers, IT services, phone systems, and furniture. We will upload 31gb of corporate data soon. 
Employee personal information (88 SSNs, passports and other docs), NDA, projects, contracts and agreements, customer information and so on.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : Advanced Business Systems","url":"https://www.ransomware.live/id/QWR2YW5jZWQgQnVzaW5lc3MgU3lzdGVtc0Bha2lyYQ=="},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":33,"published_date":"2026-06-30T11:30:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"The FIFA World Cup 2026 opened on June 11. By that date, according to Check Point Research, the fraud infrastructure targeting it had already been built, staged, and partially deployed. Threat actor activity was pre-planned, months out, across three sectors and at least ten languages. Check Point Exposure Management published the FIFA World Cup 2026 Cyber Threat Report this month, covering","title":"What the Numbers Say About FIFA 2026 Cyber Risk","url":"https://thehackernews.com/2026/06/what-numbers-say-about-fifa-2026-cyber.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":34,"published_date":"2026-06-30T11:18:47+00:00","severity":"critical","source_name":"The Hacker News","summary":"An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. 
The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated","title":"Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer","url":"https://thehackernews.com/2026/06/attackers-exploit-simplehelp-cve-2026.html"},{"category":"Identity & Access","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":583,"published_date":"2026-06-30T10:07:33+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"submitted by /u/moltenbit-r [link] [comments]","title":"Auditing OpenReception: 16 CVEs in an end-to-end encrypted appointment booking platform (unauthenticated admin creation, account takeover, E2E bypass)","url":"https://www.reddit.com/r/netsec/comments/1ujl1k0/auditing_openreception_16_cves_in_an_endtoend"},{"category":"Nation State/APT","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":308,"published_date":"2026-06-30T10:00:13+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"An in-depth analysis of Umbrij, a new tool used by the ToddyCat APT group to compromise corporate email communications in Gmail. The attack targeted OAuth authorization tokens, allowing threat actors to gain access to Google services.","title":"ToddyCat: your hidden email assistant. Part 2","url":"https://securelist.com/toddycat-apt-umbrij-tool-and-oauth/120251"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":35,"published_date":"2026-06-30T09:27:58+00:00","severity":"medium","source_name":"The Hacker News","summary":"Two researchers have found six security flaws in AirDrop and Quick Share, the wireless features that beam files between nearby devices with no cables or shared network. An attacker within wireless range, with just a laptop and no prior connection, can crash the sharing service on a Mac or iPhone set to receive from anyone, with no tap or prompt. The same research found Quick Share flaws that","title":"AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks","url":"https://thehackernews.com/2026/06/airdrop-and-quick-share-flaws-let.html"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":495,"published_date":"2026-06-30T09:00:00+00:00","severity":"medium","source_name":"CyberScoop","summary":"From outsourced labor to tiered pricing models, an inside look at how today's top ransomware threats operate less like rogue hackers and more like Fortune 500 companies.","title":"How ransomware syndicates weaponize corporate-style organization","url":"https://cyberscoop.com/ransomware-syndicates-corporate-organization-op-ed"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":36,"published_date":"2026-06-30T08:37:19+00:00","severity":"medium","source_name":"The Hacker News","summary":"Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user's credentials and sending them to an attacker. The targets included OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. An","title":"New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials","url":"https://thehackernews.com/2026/06/new-bioshocking-attack-tricks-ai.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":37,"published_date":"2026-06-30T07:38:07+00:00","severity":"critical","source_name":"The Hacker News","summary":"A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now. Progress published its advisory on June","title":"Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth","url":"https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. 
High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":539,"published_date":"2026-06-30T05:51:46+00:00","severity":"medium","source_name":"Ransomware.live","summary":"CYBERSECURITY: ARKIN HOTEL GROUP SUFFERS MASSIVE DATA BREACH \u2014 OVER 1 TB OF GUEST AND CASINO DATA STOLEN. Cybersecurity experts from Cyclops Threat Intelligence have reported a critical incident affecting the Ark\u0131n Group hotel chain (www.arkingroup.com), including its premium properties The Ark\u0131n Colony, The Ark\u0131n Iskele, and Ark\u0131n Palm Beach in Northern Cyprus. According to preliminary assessments, the attackers managed to exfiltrate over one terabyte of internal documents, customer databases, and transaction logs, including confidential information from the Ark\u0131n Palm Beach Casino. \u258eAttack details: Analysts have established that the attackers gained initial access through a compromised employee account in the reservations department. Using legitimate remote administration tools, they gradually expanded their privileges, bypassed network segmentation, and exfiltrated a dataset totalling approximately 1.4 TB. 
Some of the stolen information has already surfaced on underground forums and darknet marketplaces. The stolen data includes: \u2022 Full guest profiles (passport details, phone numbers, addresses, stay history); \u2022 Financial details of bookings and payment credentials; \u2022 The internal CRM system with staff notes on VIP clients; \u2022 Casino database: player IDs, deposit amounts, visit frequency, records of chip exchange transactions and fund movements; \u2022 Scanned passports, compliance check forms (KYC/AML), including source-of-funds questionnaires for high rollers. \u258eObjective and likely operator: Based on the intrusion characteristics and tactics used, experts link the incident to the threat group \u201cCryptoRex\u201d (tracked since 2023), which specialises in attacking hospitality and gambling businesses in the Mediterranean region. A combination of financial extortion and data sale to multiple buyers is considered likely. So far, no official ransom demand has been received, but portions of the archives have been put up for auction with a starting price of 8 bitcoins. \u258ePotential consequences of the leak: The leakage of confidential guest and especially casino client data entails a cascade of risks that go far beyond reputational damage. 1. Personal security of high-net-worth guests: The VIP casino player database, containing passport details, habits, and financial capabilities, serves as a direct \u201cdirectory\u201d for kidnappers, extortionists, and organised crime groups. Affected individuals may face real threats to their physical safety, as well as targeted blackmail (e.g., threats to expose gambling activity to business partners or family members in countries where gambling is stigmatised). 2. Financial fraud: Payment data from hotel guests and credit/debit cards linked to casino accounts will enable unauthorised transactions. 
Given the high credit limits of casino patrons, the scale of potential phishing and card fraud is assessed as very significant. 3. Compliance nightmare and regulatory fines: Although the international casino operators in Northern Cyprus do not directly fall under GDPR, many guests are citizens of the EU, the UK, and CIS countries. The breach demonstrates a flagrant failure to meet personal data protection standards. Lawsuits by affected individuals in national courts and scrutiny by international payment systems (Visa, Mastercard) are possible, which could suspend acquiring services. 4. Risks to the casino itself and the jurisdiction: The exposure of internal AML records documenting the origin of funds and possible links to politically exposed persons could spark money-laundering investigations. For Northern Cyprus\u2019s gambling zone, already under close watch by the FATF, this could lead to tighter international financial monitoring and being placed on grey lists. 5. Reputational ruin: No wealthy client will entrust their data to a hotel incapable of protecting basic IT infrastructure. Trust in the Ark\u0131n brand, which for decades has built an image of secluded luxury, will be undermined for years. 
Competitors in the elite leisure market, especially in Dubai, Monaco, and the Maldives, will immediately exploit the situation to poach wary clientele. \u258eAnalysts\u2019 recommendations: Cyclops Threat Intelligence strongly advises all individuals who have ever stayed at Ark\u0131n hotels or visited Ark\u0131n Palm Beach Casino to: \u2022 Immediately block and reissue any bank cards used; \u2022 Monitor credit reports for new applications; \u2022 Enable additional authentication factors on email and financial services; \u2022 Be highly critical of any incoming calls or messages demanding identity confirmation or fund transfers \u2014 these could be targeted attacks using contextual details from the leaked staff notes. The Ark\u0131n Group press office has not yet responded to official inquiries. The company\u2019s website remains operational, but online booking sections are temporarily unavailable. Northern Cyprus authorities stated that they are \u201caware of the incident\u201d and have begun consultations with EU experts under a cyber-resilience programme. Report prepared by the Thomson Reuters cybersecurity desk based on the Cyclops Threat Intelligence analytical brief.","title":"\ud83c\udff4\u200d\u2620\ufe0f Blacknevas has just published a new victim : Arkin Group","url":"https://www.ransomware.live/id/QXJraW4gR3JvdXBAYmxhY2tuZXZhcw=="},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":38,"published_date":"2026-06-30T05:04:06+00:00","severity":"critical","source_name":"The Hacker News","summary":"A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. 
The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Payments that could be abused to take over susceptible instances. \"Easily exploitable vulnerability allows","title":"Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild","url":"https://thehackernews.com/2026/06/oracle-e-business-suite-flaw-cve-2026.html"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research. Caveat: mixed with commercial marketing \u2014 filter_uncategorized drops partnership promos and thought-leadership fluff.","created_at":"2026-07-02 03:55:48","id":167,"published_date":"2026-06-30T05:00:00+00:00","severity":"medium","source_name":"CrowdStrike Blog","summary":"","title":"Browser Security: Zero-Days Are Only Part of the Problem","url":"https://www.crowdstrike.com/en-us/blog/browser-security-zero-days-are-only-part-of-the-problem"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":540,"published_date":"2026-06-30T04:54:43+00:00","severity":"medium","source_name":"Ransomware.live","summary":"May Trucking Company is a family-owned interstate transport carrier founded in 1945, headquartered in Brooks, Oregon. They provide dry freight and temperature-c... - TOTAL QUANTITY OF DATA 1 TB","title":"\ud83c\udff4\u200d\u2620\ufe0f Embargo has just published a new victim : www.maytrucking.com","url":"https://www.ransomware.live/id/d3d3Lm1heXRydWNraW5nLmNvbUBlbWJhcmdv"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. 
Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":316,"published_date":"2026-06-30T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Mendix Studio Pro versions before V11.12 are affected by a file parsing vulnerability that could be triggered when the application reads specially crafted malicious project during the build pipeline. This could allow an attacker to execute arbitrary code in the context of that user. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.","title":"SSA-779310 V1.0: Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12","url":"https://cert-portal.siemens.com/productcert/html/ssa-779310.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":68,"published_date":"2026-06-29T22:46:45+00:00","severity":"medium","source_name":"Dark Reading","summary":"The National Institute of Standards and Technology (NIST) scaled back the number of CVEs it selects for in-depth analysis, but the move has produced mixed results, according to researchers.","title":"NIST Enrichment Reductions Impact CVE Coverage, Accuracy","url":"https://www.darkreading.com/vulnerabilities-threats/nist-enrichment-reductions-cve-coverage-accuracy"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. 
Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":573,"published_date":"2026-06-29T22:13:43+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Fox Rothschild is a top-100 law firm whose articles and resources have been cited on DataBreaches.net and PogoWasRight.org dozens of times over the years. This time, however, they are the subject of a post because they were victims of a data breach by a well-known group that targets law firms. Introduction The group called Silent... Source","title":"EXCLUSIVE: Top-100 Law Firm Fox Rothschild Suffers Data Breach and Leak by Silent Ransom Group","url":"https://databreaches.net/2026/06/29/exclusive-top-100-law-firm-fox-rothschild-suffers-data-breach-and-leak-by-silent-ransom-group?pk_campaign=feed&pk_kwd=exclusive-top-100-law-firm-fox-rothschild-suffers-data-breach-and-leak-by-silent-ransom-group"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":69,"published_date":"2026-06-29T21:29:15+00:00","severity":"critical","source_name":"Dark Reading","summary":"The infostealer was delivered via CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, targeting credentials linking development and admin environments to wider enterprise systems.","title":"'Djinn' Stealer Targets Cloud, AI Credentials","url":"https://www.darkreading.com/cyberattacks-data-breaches/djinn-stealer-targets-cloud-ai-credentials"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":496,"published_date":"2026-06-29T21:29:06+00:00","severity":"medium","source_name":"CyberScoop","summary":"The bill empowers the FTC to create a registry for sellers of AI agent software certifying their privacy and cybersecurity protections. The post Warner bill would create federally vetted list for secure, trustworthy AI agents appeared first on CyberScoop.","title":"Warner bill would create federally vetted list for secure, trustworthy AI agents","url":"https://cyberscoop.com/ai-agent-act-senate-draft-bill-mark-warner"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":70,"published_date":"2026-06-29T21:05:29+00:00","severity":"medium","source_name":"Dark Reading","summary":"One critical vulnerability, among many discovered by a researcher, could have allowed anyone to walk in and take over a national government portal.","title":"Vulnerabilities Expose Private Data in Indian Government Systems","url":"https://www.darkreading.com/vulnerabilities-threats/vulnerabilities-private-data-indian-government-systems"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. 
Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":584,"published_date":"2026-06-29T19:27:02+00:00","severity":"critical","source_name":"Reddit r/netsec","summary":"submitted by /u/dx7r__ [link] [comments]","title":"Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) - watchTowr Labs","url":"https://www.reddit.com/r/netsec/comments/1uj2a4w/enterprise_tech_in_shell_out_progress_kemp"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"High-quality primary vulnerability research with fast disclosure cadence. Quality exception \u2014 newer brand, authoritative output.","created_at":"2026-07-02 03:55:58","id":433,"published_date":"2026-06-29T19:24:54+00:00","severity":"critical","source_name":"watchTowr Labs","summary":"Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and","title":"Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037)","url":"https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":71,"published_date":"2026-06-29T19:12:08+00:00","severity":"medium","source_name":"Dark Reading","summary":"Nation-state attackers breach water systems through weak passwords, exposed PLCs, and poor segmentation \u2014 not sophisticated malware.","title":"Iran, Russia, China Target Water Systems for Sabotage","url":"https://www.darkreading.com/ics-ot-security/iran-russia-china-target-water-systems-sabotage"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":574,"published_date":"2026-06-29T18:16:56+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Niall Glynn and Auryn Cox report: The number of schools in Northern Ireland affected by a recent cyber-attack is larger than previously thought. In a letter issued by the Education Authority (EA) on Thursday, some parents were warned that their child\u2019s personal data may have been accessed. The EA said the letters were sent to 23 schools,... Source","title":"NI: Updated warning to parents over schools cyber attack","url":"https://databreaches.net/2026/06/29/ni-updated-warning-to-parents-over-schools-cyber-attack?pk_campaign=feed&pk_kwd=ni-updated-warning-to-parents-over-schools-cyber-attack"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. 
Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":575,"published_date":"2026-06-29T17:56:32+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Christopher Brown reports: Bellwether defendants in multi-district litigation over a massive data breach of Progress Software\u2019s MOVEit file-transfer application failed to convince a federal court to toss negligence claims against them under the laws of California, Indiana, Michigan, and Ohio. The defendants\u2014Progress and several of its customers\u2014argued that the claims were barred under the economic-loss... Source","title":"MOVEit Breach Defendants Lose 2nd Bid to Toss Negligence Claims","url":"https://databreaches.net/2026/06/29/moveit-breach-defendants-lose-2nd-bid-to-toss-negligence-claims?pk_campaign=feed&pk_kwd=moveit-breach-defendants-lose-2nd-bid-to-toss-negligence-claims"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":541,"published_date":"2026-06-29T17:34:03+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Kunert Fashion","url":"https://www.ransomware.live/id/S3VuZXJ0IEZhc2hpb25AcWlsaW4="},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. 
Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":497,"published_date":"2026-06-29T17:31:44+00:00","severity":"medium","source_name":"CyberScoop","summary":"The ruling is a victory for election advocates who say the evidence overwhelmingly shows that voter fraud is rare and not tied to mail voting in general. The post Supreme Court approves mail-in ballots that arrive after Election Day appeared first on CyberScoop.","title":"Supreme Court approves mail-in ballots that arrive after Election Day","url":"https://cyberscoop.com/supreme-court-rules-legal-mail-in-ballots-after-election-day"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Cybersecurity policy and industry journalism. Fills the Industry/Policy category gap.","created_at":"2026-07-02 03:56:02","id":498,"published_date":"2026-06-29T17:12:09+00:00","severity":"medium","source_name":"CyberScoop","summary":"Dissenting justices who criticized the ruling said it would have \u201cseismic\u201d implications for the Fourth Amendment. The post Supreme Court delivers \u2018major win\u2019 for tech privacy in Chatrie ruling appeared first on CyberScoop.","title":"Supreme Court delivers \u2018major win\u2019 for tech privacy in Chatrie ruling","url":"https://cyberscoop.com/supreme-court-geofence-warrant-ruling-phone-privacy-chatrie"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":542,"published_date":"2026-06-29T16:34:51+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Musashino University","url":"https://www.ransomware.live/id/TXVzYXNoaW5vIFVuaXZlcnNpdHlAcWlsaW4="},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Curated Microsoft threat research, Patch Tuesday summaries, and incident analysis. Replaced the MSRC Update Guide CVE firehose (~3k advisories/quarter) with this high-signal blog feed.","created_at":"2026-07-02 03:55:50","id":222,"published_date":"2026-06-29T16:27:46+00:00","severity":"medium","source_name":"Microsoft Security Blog","summary":"A malicious Chromium-based extension that spoofs the AI-powered answer engine Perplexity AI redirects browser search traffic using MV3 APIs and intermediary infrastructure. The post Chromium extension uses AI\u2011related branding to redirect browser search appeared first on Microsoft Security Blog.","title":"Chromium extension uses AI\u2011related branding to redirect browser search","url":"https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Primary vulnerability research focused on open-source software ecosystems.","created_at":"2026-07-02 03:56:00","id":449,"published_date":"2026-06-29T16:10:20+00:00","severity":"medium","source_name":"GitHub Security Lab","summary":"The GitHub Advisory Database is processing more vulnerability reports than ever before. Here's what's driving the surge, how we're responding, and how the community can help. 
The post Inside the Advisory Database and what happens when vulnerability volume breaks records appeared first on The GitHub Blog.","title":"Inside the Advisory Database and what happens when vulnerability volume breaks records","url":"https://github.blog/security/supply-chain-security/inside-the-advisory-database-and-what-happens-when-vulnerability-volume-breaks-records"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":39,"published_date":"2026-06-29T16:09:21+00:00","severity":"medium","source_name":"The Hacker News","summary":"WhatsApp on Monday officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three billion users on the messaging platform. The optional feature is designed to help users connect with someone on the service through usernames, as opposed to directly sharing their phone numbers. Username reservations will start rolling out starting today,","title":"WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private","url":"https://thehackernews.com/2026/06/whatsapp-is-finally-getting-usernames.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Authoritative expert commentary and link blog. Analysis, not primary research.","created_at":"2026-07-02 03:56:01","id":481,"published_date":"2026-06-29T16:05:18+00:00","severity":"high","source_name":"Schneier on Security","summary":"Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild. The badkeys project is an open-source service that checks public keys for known vulnerabilities. 
While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1...","title":"Factoring RSA Keys with Many Zeros","url":"https://www.schneier.com/blog/archives/2026/06/factoring-rsa-keys-with-many-zeros.html"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":543,"published_date":"2026-06-29T16:00:13+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : KALIACT ANCHETA et Associs","url":"https://www.ransomware.live/id/S0FMSUFDVCBBTkNIRVRBIGV0IEFzc29jaXNAcWlsaW4="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":544,"published_date":"2026-06-29T15:59:35+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Metal Sur Famin","url":"https://www.ransomware.live/id/TWV0YWwgU3VyIEZhbWluQHFpbGlu"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":40,"published_date":"2026-06-29T15:40:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. It routed every query and every character typed into the address bar through an attacker-controlled server before redirecting users to real results. Microsoft says Google removed it from the store after responsible disclosure. The extension was called \"","title":"Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input","url":"https://thehackernews.com/2026/06/malicious-perplexity-chrome-extension.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":41,"published_date":"2026-06-29T15:30:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security. The WebKit vulnerabilities are listed below - CVE-2026-43707 - A memory corruption issue that could result in an","title":"Apple Patches 30+ iOS, macOS, Safari Flaws, Including AI-Discovered WebKit Bugs","url":"https://thehackernews.com/2026/06/apple-patches-30-ios-macos-safari-flaws.html"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":42,"published_date":"2026-06-29T15:03:40+00:00","severity":"medium","source_name":"The Hacker News","summary":"The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government networks, including machines used by senior administrative staff, and worked with","title":"Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks","url":"https://thehackernews.com/2026/06/mustang-panda-uses-zoho-workdrive-as.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":43,"published_date":"2026-06-29T14:41:07+00:00","severity":"medium","source_name":"The Hacker News","summary":"This week was a reminder that attackers do not always need big tricks. One small mistake, one old access path, one missed patch, and suddenly the door is open. The noise is not all noise, either. Forums are talking, researchers are finding easy cracks, and defenders have more cleanup waiting. Here\u2019s the full Monday recap. \u26a1 Threat of the Week New DirtyClone Linux Kernel Flaw Lets Local","title":"\u26a1 Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More","url":"https://thehackernews.com/2026/06/weekly-recap-linux-kernel-flaws-ai.html"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. 
High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":545,"published_date":"2026-06-29T14:22:58+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Medical information services data breach.","title":"\ud83c\udff4\u200d\u2620\ufe0f Anubis has just published a new victim : ESMS Global Limited","url":"https://www.ransomware.live/id/RVNNUyBHbG9iYWwgTGltaXRlZEBhbnViaXM="},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":546,"published_date":"2026-06-29T14:21:48+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Patient data breach at yet another negligent clinic.","title":"\ud83c\udff4\u200d\u2620\ufe0f Anubis has just published a new victim : Boston Orthotics & Prosthetics","url":"https://www.ransomware.live/id/Qm9zdG9uIE9ydGhvdGljcyAmIFByb3N0aGV0aWNzQGFudWJpcw=="},{"category":"Supply Chain","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":178,"published_date":"2026-06-29T14:06:59+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. 
Attackers tricked users into approving fraudulent [\u2026] The post 29th June \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"29th June \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/29th-june-threat-intelligence-report-2"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":377,"published_date":"2026-06-29T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Cybercriminals are hijacking Microsoft 365 accounts in seconds. Learn the 2026 hacker tactics, including ConsentFix, that bypass security training and exploit normal user behavior.","title":"The Hacker's 2026 Playbook: Dark Web Tactics Targeting You","url":"https://www.huntress.com/blog/hacker-tactics-2026-dark-web-playbook"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":547,"published_date":"2026-06-29T13:32:09+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Lam Soon","url":"https://www.ransomware.live/id/TGFtIFNvb25AcWlsaW4="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":548,"published_date":"2026-06-29T13:31:30+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Bristol Place","url":"https://www.ransomware.live/id/QnJpc3RvbCBQbGFjZUBxaWxpbg=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":549,"published_date":"2026-06-29T13:30:51+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Gsma","url":"https://www.ransomware.live/id/R3NtYUBxaWxpbg=="},{"category":"Ransomware","confidence":"HIGH","confidence_reason":"Gold-standard intrusion analysis with full kill-chain TTPs. Peer-reviewed, reproducible, community-trusted.","created_at":"2026-07-02 03:56:02","id":499,"published_date":"2026-06-29T13:07:17+00:00","severity":"medium","source_name":"The DFIR Report","summary":"Key Takeaways This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. 
We plan to release a DFIR Labs [\u2026] The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.","title":"From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira","url":"https://thedfirreport.com/2026/06/29/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-3"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":550,"published_date":"2026-06-29T12:56:04+00:00","severity":"medium","source_name":"Ransomware.live","summary":"A Taiwanese manufacturer with forty years of experience, specializing in the high-precision production of metal fasteners, precision-machined parts, and components for the electronics and automotive industries.","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : hwaseng","url":"https://www.ransomware.live/id/aHdhc2VuZ0BkcmFnb25mb3JjZQ=="},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":551,"published_date":"2026-06-29T12:55:11+00:00","severity":"medium","source_name":"Ransomware.live","summary":"development of specialized software (SaaS) for automating agribusiness management and monitoring field personnel","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : agroprime","url":"https://www.ransomware.live/id/YWdyb3ByaW1lQGRyYWdvbmZvcmNl"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":576,"published_date":"2026-06-29T12:54:45+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"Alex Scroxton reports: Fear of stigmatisation is likely leading businesses across the UK to drastically underreport data on ransomware attacks, especially when they have paid a ransom to a cyber criminal gang, as admission of such is often seen as supporting further criminal activity or defying compliance regulations. Data gleaned from the national Report Fraud service \u2013 which... Source","title":"UK businesses fear stigma of ransomware","url":"https://databreaches.net/2026/06/29/uk-businesses-fear-stigma-of-ransomware?pk_campaign=feed&pk_kwd=uk-businesses-fear-stigma-of-ransomware"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Independent breach-focused journalism (Dissent Doe). Covers incidents mainstream outlets skip. 
Editorial voice but single-author, no masthead peer review \u2014 Tier 3 until track record is established in our pipeline.","created_at":"2026-07-02 03:56:04","id":577,"published_date":"2026-06-29T12:54:40+00:00","severity":"medium","source_name":"DataBreaches.net","summary":"SafaAlharathy reports: Libya\u2019s central bank (CBL) says it is investigating data published on the dark web following a recent cyberattack. In a statement, the bank said its technical teams, working with international experts, were analysing the data to determine its nature and whether it is linked to the attack reported earlier this month. The bank... Source","title":"Central Bank of Libya investigates alleged data leak after cyberattack","url":"https://databreaches.net/2026/06/29/central-bank-of-libya-investigates-alleged-data-leak-after-cyberattack?pk_campaign=feed&pk_kwd=central-bank-of-libya-investigates-alleged-data-leak-after-cyberattack"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":552,"published_date":"2026-06-29T12:54:14+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Creating accurate virtual replicas involves production facilities, workshops, and equipment for modeling, testing, and optimizing technological processes.","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : stni.co.kr","url":"https://www.ransomware.live/id/c3RuaS5jby5rckBkcmFnb25mb3JjZQ=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. 
High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":553,"published_date":"2026-06-29T12:53:22+00:00","severity":"medium","source_name":"Ransomware.live","summary":"VIP Imaging is the largest mobile nuclear imaging company in Southern California, specializing in cardiac PET/CT and SPECT studies for cardiologists. The company is employee-owned and prides itself on having the best technicians and technology in the industry, ensuring high-quality patient care and support for proper billing.","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : vipimaging","url":"https://www.ransomware.live/id/dmlwaW1hZ2luZ0BkcmFnb25mb3JjZQ=="},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":259,"published_date":"2026-06-29T12:37:04+00:00","severity":"high","source_name":"Rapid7","summary":"As AI-driven vulnerability discovery accelerates, the cybersecurity ecosystem is being forced to examine whether the standards, disclosure processes, and prioritization frameworks defenders rely on can still keep pace. Many of those systems were built around human-speed discovery, manageable vulnerability volumes, and exploitability confirmed after the fact, which leaves them under increasing strain as frontier AI capabilities mature. During a private sector consultation with the White House in June, Corey Thomas and I presented Rapid7\u2019s new policy paper, Modernizing Global Vulnerability Standards, which lays out where today\u2019s vulnerability management infrastructure is breaking under AI-era conditions and what governments, security companies, and frontier AI providers need to do next. 
In recent guidance, the Five Eyes cyber security agencies warned that AI is rapidly transforming cyber risk by increasing the speed, scale, and sophistication of threats, lowering barriers for malicious actors, and requiring leaders to reassess long-standing assumptions about resilience and accountability.\n\nAI vulnerability discovery is changing the rules\n\nIn April 2026, Anthropic, OpenAI, and Google DeepMind each announced production-grade AI systems capable of discovering, chaining, and, in some cases, remediating software vulnerabilities at machine speed. In the same period, the Stanford HAI AI Index 2026 Cybench benchmark showed unguided AI agent solve rates on cybersecurity tasks rising from 15% to 93% in a single year. These are deployed capabilities on a steep improvement curve. Faster discovery can help security teams identify weaknesses earlier, validate risk more effectively, and improve remediation workflows. It also increases the pressure on every system that decides how vulnerabilities are verified, scored, disclosed, prioritized, and fixed.\n\nVulnerability management standards were built for human speed\n\nFor decades, the security community has depended on shared infrastructure to make vulnerability management work. CVE identifiers, CVSS scoring, the National Vulnerability Database, the CISA Known Exploited Vulnerabilities catalog, and the Exploit Prediction Scoring System all help organizations understand what a vulnerability is, how severe it may be, whether it is being exploited, and how urgently it should be addressed. Those systems were built around several assumptions: vulnerability discovery would be human-led, volume would remain manageable, exploitability would usually be confirmed after the fact, and organizations would have time to assess and respond. As AI-driven discovery challenges each of those assumptions, existing strain across the vulnerability ecosystem becomes much harder to absorb. 
CVE submissions already grew 263% between 2020 and 2025 from human-speed growth alone. NIST acknowledged in April 2026 that the National Vulnerability Database can no longer keep pace and is shifting to risk-based triage. If AI-driven discovery dramatically increases volume, the prioritization problem becomes even more acute. The issue for defenders is whether organizations can understand which vulnerabilities are actually exploitable, which are reachable in their environments, which can be chained together, and which require immediate action.\n\nAI-era vulnerability prioritization needs reform\n\nThe paper argues that the prioritization gap is the most urgent and least addressed part of the problem. Traditional severity scores can miss the way attackers chain multiple lower-severity issues into a serious compromise. KEV remains one of the strongest signals available to defenders, but it is retrospective by design because it depends on confirmed exploitation in the wild. EPSS is trained on historical attacker behavior, which may not reflect what AI-assisted attackers can now do. To close that gap, we propose reforms that would help move vulnerability prioritization closer to real-world risk. These include recognizing verified AI-demonstrated exploitability, adding chaining-risk metadata to vulnerability records, and requiring reachability guidance alongside AI-discovered findings. The goal is to help organizations understand how dangerous a vulnerability is in practice, in their environment, rather than relying only on abstract severity.\n\nAI vulnerability policy needs verification, access, and accountability\n\nThe paper also outlines a broader policy agenda: we call for updates to the Vulnerabilities Equities Process, investment in CVE and NVD infrastructure, standardized capability disclosure from AI labs, stronger international coordination, and clear CISA leadership. 
We also propose three access and verification standards for the security community:\n\n- Independent verification before access expansion\n- Broad but curated access through transparent processes\n- Rigorous data standards for published capability claims\n\nThe frontier model providers building these capabilities deserve credit for acting responsibly as they develop programs in real time. But individual access programs cannot carry the weight of ecosystem governance on their own. The security community needs shared standards backed by independent verification and institutional accountability.\n\nThe next phase of cybersecurity resilience\n\nThis paper is part of a wider conversation we recently explored on Rapid7\u2019s Experts on Experts: Commanding Perspectives, where Corey and I discussed AI, compliance, industry accountability, and the shift toward more resilient security operations. AI-driven vulnerability discovery has crossed a threshold. The question now is whether the policy, standards, and operational systems around it can adapt quickly enough to help defenders use these capabilities safely and effectively. Read the full paper, Modernizing Global Vulnerability Standards, to explore Rapid7\u2019s recommendations for verification, access, disclosure, prioritization, and institutional accountability in the age of AI-driven vulnerability discovery.","title":"Modernizing Global Vulnerability Standards For The Age Of AI","url":"https://www.rapid7.com/blog/post/ai-modernizing-global-vulnerability-standards"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":554,"published_date":"2026-06-29T12:23:59+00:00","severity":"medium","source_name":"Ransomware.live","summary":"The Pakistani pharmaceutical company Medipak Limited (***.com) specializes in the manufacture of infusion solutions, medical devices, and pharmaceutical products.","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : medipakpharma.com","url":"https://www.ransomware.live/id/bWVkaXBha3BoYXJtYS5jb21AZHJhZ29uZm9yY2U="},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Handler diaries \u2014 expert practitioner analysis, not primary research but high-quality synthesis.","created_at":"2026-07-02 03:56:04","id":579,"published_date":"2026-06-29T12:00:54+00:00","severity":"medium","source_name":"SANS Internet Storm Center","summary":"I'm in the throes of target host recon for another pentest, and thought I'd share some workflow / automation stuff.","title":"Adding some Automation to the favicon.ico method of Host Recon, (Mon, Jun 29th)","url":"https://isc.sans.edu/diary/rss/33110"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":44,"published_date":"2026-06-29T11:57:40+00:00","severity":"medium","source_name":"The Hacker News","summary":"New findings unearthed by Infoblox show that more than 236,000 websites are using investment scam templates built using a legitimate Chinese open-source, cross-platform application development framework called DCloud Uni-App. 
The templates power bogus cryptocurrency exchanges, multi-language pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, brand-impersonation","title":"236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers","url":"https://thehackernews.com/2026/06/236000-dcloud-uni-app-sites-used-in.html"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":72,"published_date":"2026-06-29T11:44:42+00:00","severity":"high","source_name":"Dark Reading","summary":"Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk.","title":"Amazon Q VS Extension Flaw Leads to Cloud Credential Theft","url":"https://www.darkreading.com/cloud-security/amazon-q-vs-extension-flaw-leads-cloud-credential-theft"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":45,"published_date":"2026-06-29T11:42:16+00:00","severity":"medium","source_name":"The Hacker News","summary":"Today\u2019s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is advancing rapidly and will inevitably change how organizations protect their data. 
Ciphertext and credentials captured by","title":"Why Post-Quantum Cryptography Starts With Credentials","url":"https://thehackernews.com/2026/06/why-post-quantum-cryptography-starts.html"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":46,"published_date":"2026-06-29T11:40:24+00:00","severity":"medium","source_name":"The Hacker News","summary":"A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these","title":"Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse","url":"https://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.html"},{"category":"Ransomware","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":309,"published_date":"2026-06-29T10:00:35+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant.","title":"The Gentlemen are knocking: \u0441ustom backdoors and evolving tactics","url":"https://securelist.com/the-gentlemen-raas/120447"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":47,"published_date":"2026-06-29T08:32:31+00:00","severity":"medium","source_name":"The Hacker News","summary":"Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021.","title":"Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts","url":"https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":48,"published_date":"2026-06-29T07:06:34+00:00","severity":"medium","source_name":"The Hacker News","summary":"A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release up to and including 1.11.1 and carries a CVSS 4.0 score of 9.2. libssh2 is a client-side SSH library, not a server.","title":"Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw","url":"https://thehackernews.com/2026/06/public-poc-released-for-critical.html"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":378,"published_date":"2026-06-29T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"","title":"These Recent Insider Threat Allegations","url":"https://www.huntress.com/blog/insider-threat-claims"},{"category":"Identity & Access","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":379,"published_date":"2026-06-29T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Huntress analyzed a credential dumping attack where threat actors disabled Defender, killed monitoring tools, and used Mimikatz to steal credentials.","title":"Defence Impairment Olympics","url":"https://www.huntress.com/blog/mimikatz-credential-dumping-defence-impairment"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":49,"published_date":"2026-06-29T05:36:06+00:00","severity":"medium","source_name":"The Hacker News","summary":"Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. \"This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain 'compatible' with npm v12's security hardenings,\" JFrog said in a","title":"Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer","url":"https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). 
Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":555,"published_date":"2026-06-29T03:26:37+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Axionlog","url":"https://www.ransomware.live/id/QXhpb25sb2dAcWlsaW4="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":556,"published_date":"2026-06-29T03:25:58+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : NASCO","url":"https://www.ransomware.live/id/TkFTQ09AcWlsaW4="},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":557,"published_date":"2026-06-28T21:29:58+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Deep access to Microsoft Dynamics GP containing complete corporate accounting, invoices, vendor details, and commercial transactions. Access to internal legal documents, partnership agreements, and customer contracts (such as CBIF OSMO agreements). Exfiltration of operational spreadsheets, financial reports, and executive documents via corporate","title":"\ud83c\udff4\u200d\u2620\ufe0f Stormous has just published a new victim : eogb.co.uk","url":"https://www.ransomware.live/id/ZW9nYi5jby51a0BzdG9ybW91cw=="},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":558,"published_date":"2026-06-28T21:28:57+00:00","severity":"medium","source_name":"Ransomware.live","summary":"During our routine network security audits, our team discovered critical structural vulnerabilities within Palatine School, which granted us full, unrestricted access to their central server (PALDC2020). We had the technical capacity to access every directory, including pupil databases (StudentData NHS NO, Pupil Admin - Users - FocusIT) and staff records (Personnel). We want to announce that we have locked down this operation and decided to leak absolutely nothing. This is an institution dedicated to children and special needs education. 
Unlike corporate thieves or ruthless threat actors, we operate with a strict code of ethics: we do not target children, schools, or healthcare facilities. Instead of destroying them, we have chosen to act as an uninvited security audit. We are using our platform to publicly invite the administration of Palatine School to contact us privately. We will provide them with the full technical details of the critical vulnerabilities we discovered and guide them on how to patch their system for free, ensuring they are protected from other ruthless cyber criminals.","title":"\ud83c\udff4\u200d\u2620\ufe0f Stormous has just published a new victim : Official Statement: Protecting palatineschool.org Infrastructure","url":"https://www.ransomware.live/id/T2ZmaWNpYWwgU3RhdGVtZW50OiBQcm90ZWN0aW5nIHBhbGF0aW5lc2Nob29sLm9yZyBJbmZyYXN0cnVjdHVyZUBzdG9ybW91cw=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":559,"published_date":"2026-06-28T20:58:26+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : 1-800-dentist","url":"https://www.ransomware.live/id/MS04MDAtZGVudGlzdEBxaWxpbg=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":560,"published_date":"2026-06-28T20:57:47+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : Transcore","url":"https://www.ransomware.live/id/VHJhbnNjb3JlQHFpbGlu"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":502,"published_date":"2026-06-28T15:57:29+00:00","severity":"critical","source_name":"Have I Been Pwned","summary":"In June 2026, the food distribution company Sysco was targeted by a ShinyHunters \"pay or leak\" extortion campaign. Data was subsequently published containing 2.7M unique email addresses belonging to staff and customers. The data also contained largely corporate contact information including names, phone numbers, physical addresses, internal job titles, and customer feedback.","title":"Sysco - 2,691,852 breached accounts","url":"https://haveibeenpwned.com/Breach/Sysco"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":585,"published_date":"2026-06-28T11:56:40+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/ezzzzz [link] [comments]","title":"I tried a Local AI model (Qwen 3.6 27b) for security research and it works surprisingly well.","url":"https://www.reddit.com/r/netsec/comments/1uhveou/i_tried_a_local_ai_model_qwen_36_27b_for_security"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism. 
Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":50,"published_date":"2026-06-27T17:27:11+00:00","severity":"medium","source_name":"The Hacker News","summary":"The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S. The systematic cyber attacks aimed at stealing sensitive","title":"Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials","url":"https://thehackernews.com/2026/06/ukraine-says-russian-intelligence-used.html"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":51,"published_date":"2026-06-27T12:19:37+00:00","severity":"medium","source_name":"The Hacker News","summary":"OpenAI on Friday released three versions of GPT-5.6, called Sol, Terra, and Luna, as a limited preview to a small number of companies as part of an ongoing engagement with the U.S. government. While Sol is the latest flagship model and the most powerful, Terra strikes a balance between efficiency and power, and Luna is fine-tuned for speed and affordability. \"GPT\u20115.6 Sol launches with our most","title":"OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards","url":"https://thehackernews.com/2026/06/openai-limits-gpt-56-rollout-as-sol.html"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":73,"published_date":"2026-06-27T11:48:05+00:00","severity":"medium","source_name":"Dark Reading","summary":"Rising threats from third-party actors are forcing institutions to play defense to protect student data from ransomware and other attacks.","title":"Third-Party Breaches Teach Education Sector a Costly Lesson in Vendor Risk","url":"https://www.darkreading.com/cyber-risk/third-party-breaches-teaches-education-lesson-vendor-risk"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":561,"published_date":"2026-06-27T00:52:38+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Aptora is an aggressively growing software company in Lenexa, KS. The company offers award-winning software and consulting services to the service and contracting industries. In 2006, the company were voted one of the top twenty-five companies in the Kansas City area by the Business Journal. Aptora also provides data hosting and processing services for its clients on its own infrastructure. During our visit, we took not only the company\u2019s own data but also the databases of its clients. Unfortunately, the company showed no interest in preserving its clients\u2019 data. When we contacted them, they told us the company had assured them there was no leak. That\u2019s not true. For the release, we have prepared not only Aptora data but also archives containing the databases of more than 100 of its clients. 
This could affect Aptora leadership, and they may decide to prevent publication.","title":"\ud83c\udff4\u200d\u2620\ufe0f Dragonforce has just published a new victim : Aptora","url":"https://www.ransomware.live/id/QXB0b3JhQGRyYWdvbmZvcmNl"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":52,"published_date":"2026-06-26T19:38:29+00:00","severity":"medium","source_name":"The Hacker News","summary":"The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the account's backup, read the private and group message history, and take over the account. Worse, the key keeps working.","title":"FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys","url":"https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":260,"published_date":"2026-06-26T19:32:52+00:00","severity":"critical","source_name":"Rapid7","summary":"Help shape the future of Metasploit Framework We are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here, and you can submit your responses to the form here. 
The form will stop accepting responses on the 1st of July, 2026.\n\nNew module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfox, and improvements to service and host reporting in bruteforce-related modules.\n\nNew module content (4)\n\nAudiobookshelf Unauthenticated API Authentication Bypass Scanner\nAuthors: Kenneth LaCroix and swiftbird07\nType: Auxiliary\nPull request: #21565 contributed by kenlacroix\nPath: scanner/http/audiobookshelf_auth_bypass\nAttackerKB reference: CVE-2025-25205\nDescription: Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 \u2014 an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 \u2013 2.19.0 (fixed in 2.19.1).\n\nBerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner\nAuthors: Kenneth LaCroix and Tencent YunDing Security Lab\nType: Auxiliary\nPull request: #21567 contributed by kenlacroix\nPath: scanner/http/litellm_proxy_sqli\nAttackerKB reference: CVE-2026-42208\nDescription: Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) \u2014 a pre-authentication SQL injection in BerriAI LiteLLM proxy.\n\nNext.js Middleware Authorization Bypass Scanner\nAuthors: Kenneth LaCroix, Rachid Allam, and Yasser Allam\nType: Auxiliary\nPull request: #21566 contributed by kenlacroix\nPath: scanner/http/nextjs_middleware_auth_bypass\nAttackerKB reference: CVE-2025-29927\nDescription: Adds nextjs_middleware_auth_bypass, a detection module for CVE-2025-29927 (CVSS 9.1) \u2014 an authorization bypass in self-hosted Next.js applications.\n\n
Dalfox Found-Action Deserialization RCE\nAuthors: Emmanuel David and Takahiro Yokoyama\nType: Exploit\nPull request: #21493 contributed by Takahiro-Yoko\nPath: linux/http/dalfox_server_rce_cve_2026_45087\nAttackerKB reference: CVE-2026-45087\nDescription: This adds an exploit module for Dalfox Server versions <= 2.12.0 which are vulnerable to an unauthenticated RCE tracked as CVE-2026-45087. The vulnerability allows attackers to send arbitrary commands via found-action post parameter which gets deserialized and run in the context of the user running the server.\n\nEnhancements and features (2)\n\n#21396 from g0tmi1k - This makes improvements to the auth_brute mixin. It adds report_host and report_service calls to the mixin and removes duplicate printing of IP:PORT in the print_brute statements.\n#21562 from zeroSteiner - Updated the usage of rex-socket's recvfrom method to align with the standard library implementation. This also allows rex-socket to now be used as a drop-in replacement for Ruby's UDPSocket.\n\nDocumentation\n\nYou can find the latest Metasploit documentation on our docsite at docs.metasploit.com.\n\nGet it\n\nAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:\nPull Requests 6.4.140...6.4.141\nFull diff 6.4.140...6.4.141\n\nIf you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro","title":"Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more","url":"https://www.rapid7.com/blog/post/pt-weekly-metasploit-update-modules-for-audiobookshelf-litellm-next-js-dalfox-and-more"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":74,"published_date":"2026-06-26T19:11:02+00:00","severity":"medium","source_name":"Dark Reading","summary":"Companies are still experimenting with automated AI systems to find security weaknesses, but fewer are relying on the technology.","title":"AI Decline? Confidence in Autonomous Penetration Testing Falls","url":"https://www.darkreading.com/cybersecurity-operations/ai-decline-confidence-autonomous-penetration-testing"},{"category":"Identity & Access","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":153,"published_date":"2026-06-26T19:05:33+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"We provide guidance for preparing for and mitigating large-scale credential attacks, focusing on recent campaigns targeting security vendors' devices. The post Threat Brief: Mitigating Large-Scale Credential Attacks appeared first on Unit 42.","title":"Threat Brief: Mitigating Large-Scale Credential Attacks","url":"https://unit42.paloaltonetworks.com/large-scale-credential-attacks"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":53,"published_date":"2026-06-26T18:17:46+00:00","severity":"medium","source_name":"The Hacker News","summary":"A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts. 
Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan,","title":"New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks","url":"https://thehackernews.com/2026/06/new-sharkloader-malware-deploys-cobalt.html"},{"category":"OT/ICS","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":54,"published_date":"2026-06-26T16:21:25+00:00","severity":"medium","source_name":"The Hacker News","summary":"A Chinese-speaking advanced persistent threat (APT) actor has been linked to a new custom backdoor called TinyRCT as part of cyber attacks aimed at government entities and critical infrastructure in Southeast Asia. The activity, particularly aimed at state-owned enterprises in the energy and government sectors, has been attributed to a threat actor called CL-STA-1062, which Palo Alto Networks","title":"Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign","url":"https://thehackernews.com/2026/06/chinese-speaking-apt-deploys-new.html"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. 
Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":109,"published_date":"2026-06-26T14:43:32+00:00","severity":"medium","source_name":"Decipher","summary":"Known historically for its tight ties to Russia\u2019s FSB and its development of the Snake implant, Turla has leveraged STOCKSTAY to target sensitive government and military organizations.","title":"New Turla Stockstay Backdoor Emerges","url":"https://decipher.sc/2026/06/26/new-turla-stockstay-backdoor-emerges"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":55,"published_date":"2026-06-26T13:57:55+00:00","severity":"high","source_name":"The Hacker News","summary":"A flaw in the Linux kernel's traffic-control subsystem can let a local unprivileged user gain root on affected systems. CVE-2026-46331, nicknamed \"pedit COW,\" is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16. Red Hat rates the flaw as","title":"New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries","url":"https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":56,"published_date":"2026-06-26T13:53:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. 
The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz","title":"Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs","url":"https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":310,"published_date":"2026-06-26T13:00:14+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Analysis of CVE-2024-2658 as found in Schneider Electric's Floating License Manager. Discover how this FlexNet Publisher vulnerability potentially allows attackers to escalate to NT AUTHORITY\\SYSTEM privileges and expand their foothold; learn how to mitigate the risk.","title":"Beware of the license manager: how a Schneider Electric software vulnerability puts industrial facilities at risk","url":"https://securelist.com/tr/schneider-electric-cve-2024-2658-vulnerability/120436"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:03","id":562,"published_date":"2026-06-26T12:50:33+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Precise Forms, Inc. specializes in manufacturing high-quality aluminum forms for concrete construction, offering a complete line of standard and decorative forms along with necessary accessories. 
Their products cater to a variety of applications including residential homes, commercial buildings, and swimming pools, designed for rapid setting and stripping to meet the needs of competitive contractors. We will upload 10gb of corporate data soon. Employee personal information (DLs (at least 15 numbers), 75 SSNs, and other personal docs), NDAs, projects, contracts and agreements, customer information and so on.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : Precise Forms","url":"https://www.ransomware.live/id/UHJlY2lzZSBGb3Jtc0Bha2lyYQ=="},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":228,"published_date":"2026-06-26T12:44:01+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"A phishing campaign installs a malicious Chrome extension to hijack browser sessions and compromise Windows devices.","title":"Malware steals Chrome session cookies to take over your accounts","url":"https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":57,"published_date":"2026-06-26T12:31:56+00:00","severity":"critical","source_name":"The Hacker News","summary":"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical remote code execution vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. 
The vulnerability in question is","title":"CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue","url":"https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":58,"published_date":"2026-06-26T11:51:35+00:00","severity":"high","source_name":"The Hacker News","summary":"DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family. JFrog Security Research published a working exploit walkthrough for the flaw on June 25, the first public demonstration for this variant. Tracked as CVE-2026-43503 (CVSS 8.8), it lets a local user corrupt file-backed memory through a cloned network packet and gain root. The patch landed in","title":"New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets","url":"https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":59,"published_date":"2026-06-26T11:30:00+00:00","severity":"medium","source_name":"The Hacker News","summary":"AI agents are moving through enterprise environments, inheriting permissions, traversing systems, and executing decisions at machine speed with minimal oversight. The identity infrastructure built to govern human access wasn't designed for autonomous actors, and the gap between what enterprises are deploying and what their governance programs actually cover is widening fast. 
This guide breaks","title":"Guardian Agents: The Next Layer of Identity Governance","url":"https://thehackernews.com/2026/06/guardian-agents-next-layer-of-identity.html"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism. Caveat: SEO-heavy and rewrite-reliant \u2014 often reframes other sources rather than primary reporting.","created_at":"2026-07-02 03:55:46","id":60,"published_date":"2026-06-26T11:05:45+00:00","severity":"high","source_name":"The Hacker News","summary":"Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. \"The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go","title":"Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack","url":"https://thehackernews.com/2026/06/miasma-malware-targets-npm-packages-and.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Authoritative expert commentary and link blog. Analysis, not primary research.","created_at":"2026-07-02 03:56:01","id":482,"published_date":"2026-06-26T11:03:21+00:00","severity":"medium","source_name":"Schneier on Security","summary":"A database of almost a million passports from around the world was leaked online. Note what happened. A high-value credential\u2014a passport\u2014was used in an ancillary low-value authentication system: ID verification for cannabis dispensaries. 
And it\u2019s the low-value system that got hacked, putting the high-value credential at risk.","title":"One Million Passports Leaked Online","url":"https://www.schneier.com/blog/archives/2026/06/one-million-passports-leaked-online.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":198,"published_date":"2026-06-26T08:50:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"Your business may be small, but its attack surface is anything but. Readiness is the first step to resilience.","title":"SMB cyber readiness: the road to resilience starts here","url":"https://www.welivesecurity.com/en/business-security/smb-cyber-readiness-road-resilience-starts-here"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":503,"published_date":"2026-06-26T07:17:23+00:00","severity":"high","source_name":"Have I Been Pwned","summary":"In June 2026, telecommunications tower infrastructure company American Tower was the target of a ShinyHunters \"pay or leak\" extortion campaign. The group subsequently published data allegedly taken from the company containing more than 200k unique email addresses belonging to employees, contractors, customers, and leads. Exposed data also included names, addresses, and phone numbers.","title":"American Tower - 216,601 breached accounts","url":"https://haveibeenpwned.com/Breach/AmericanTower"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":380,"published_date":"2026-06-26T04:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Learn what the average cost of a data breach is and how factors like industry and location impact it. Plus, learn how to protect yourself from costly breaches.","title":"What\u2019s the Average Cost of a Data Breach in 2025? | Huntress","url":"https://www.huntress.com/blog/average-cost-of-a-data-breach"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Curated Microsoft threat research, Patch Tuesday summaries, and incident analysis. Replaced the MSRC Update Guide CVE firehose (~3k advisories/quarter) with this high-signal blog feed.","created_at":"2026-07-02 03:55:50","id":223,"published_date":"2026-06-25T22:30:29+00:00","severity":"medium","source_name":"Microsoft Security Blog","summary":"Microsoft Threat Intelligence identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. 
The post Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access appeared first on Microsoft Security Blog.","title":"Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access","url":"https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":154,"published_date":"2026-06-25T22:00:52+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Government entities and critical infrastructure were targeted for espionage in SE Asia by attackers using a hybrid toolkit, including custom TinyRCT backdoor. The post CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure appeared first on Unit 42.","title":"CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure","url":"https://unit42.paloaltonetworks.com/cl-sta-1062-tinyrct-backdoor"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":75,"published_date":"2026-06-25T21:54:34+00:00","severity":"critical","source_name":"Dark Reading","summary":"The flaw enables server-side request forgery (SSRF) and escalates privileges to root, impacting Cisco Unified CM and Unified CM SME deployments.","title":"In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw","url":"https://www.darkreading.com/cyberattacks-data-breaches/less-than-24-hours-attackers-weaponize-cisco-cucm-flaw"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). 
Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":563,"published_date":"2026-06-25T21:25:04+00:00","severity":"medium","source_name":"Ransomware.live","summary":"- Full Database Backup- Banking & Financial Data- Accounting & Ledger Records- Customer Databases- HR / Workforce Data- User, Role & Permission data- ERP & Critical Business Application Data","title":"\ud83c\udff4\u200d\u2620\ufe0f Nightspire has just published a new victim : Grupo Riquelme","url":"https://www.ransomware.live/id/R3J1cG8gUmlxdWVsbWVAbmlnaHRzcGlyZQ=="},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":76,"published_date":"2026-06-25T21:12:01+00:00","severity":"medium","source_name":"Dark Reading","summary":"The FSB state-sponsored operation has gotten a lot better at loading its malware and hiding its servers.","title":"Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses","url":"https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":564,"published_date":"2026-06-25T15:48:47+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Clearview Eye Centre is a state-of-the-art ophthalmology clinic run by doctors Faisal Adatia and Ryan Yau in Calgary, Alberta. They disregard security regulations and medical confidentiality, show no respect for their clients' privacy, and make no attempt to protect the information stored in their databases. Their practices are extremely lax, resulting in client information including medical records, personal data, incident reports, and financial and tax information being exposed to you.","title":"\ud83c\udff4\u200d\u2620\ufe0f Interlock has just published a new victim : Clearview Eye Centre","url":"https://www.ransomware.live/id/Q2xlYXJ2aWV3IEV5ZSBDZW50cmVAaW50ZXJsb2Nr"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":586,"published_date":"2026-06-25T15:30:44+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/AlbatrossMaximum4489 [link] [comments]","title":"CVE-2025-52465 geoserver arbitrary file write vulnerability","url":"https://www.reddit.com/r/netsec/comments/1ufdc3k/cve202552465_geoserver_arbitrary_file_write"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":381,"published_date":"2026-06-25T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Learn how MSPs/MSSPs can identify if a client is a DoD contractor handling CUI.","title":"How to Spot a Client in the DoD Industrial Base That Handles CUI","url":"https://www.huntress.com/blog/how-to-identify-dod-cui-clients"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":261,"published_date":"2026-06-25T13:00:00+00:00","severity":"medium","source_name":"Rapid7","summary":"This week on Experts on Experts, I sat down with Sabeen Malik, Rapid7\u2019s VP of Global Government Affairs and Public Policy, to discuss a shift security leaders can\u2019t afford to treat as separate threads: frontier AI, vulnerability discovery, cybersecurity compliance, and operational resilience. AI is changing how quickly vulnerabilities can be found, validated, and potentially exploited. At the same time, regulators, boards, and customers are asking for stronger proof that controls are working and risk is being reduced. Security leaders are being pushed to move at machine speed while proving the business is resilient. AI vulnerability discovery is moving faster than security standards Sabeen and I started with the policy question. Many of the systems security teams rely on today were designed for a slower era of human-led discovery. Vulnerability disclosure processes, scoring systems, prioritization frameworks, and regulatory expectations all assume organizations have time to assess, verify, and respond. Frontier AI challenges that assumption. If models can help find and chain vulnerabilities faster, the industry needs stronger standards around verification, access, disclosure, and accountability. 
Access to powerful models matters, but access alone does not solve the governance problem. The bigger question is whether the ecosystem can responsibly validate, prioritize, and act on what these systems produce. AI in cybersecurity must move from discovery to risk reduction For defenders, faster discovery is only useful if it leads to faster action. Finding more vulnerabilities does not automatically make organizations safer. In many cases, it creates more noise for teams already under pressure. The real challenge is exploitability. Security teams need to understand which risks are actually reachable, which issues matter most in their environment, and where action will reduce exposure fastest. That is where the shift from reactive security to preemptive security becomes critical. The goal is to use data, context, AI, and expertise to act earlier, not simply respond faster after something happens. Cybersecurity compliance is becoming continuous We also discussed how the compliance environment is changing. Organizations are no longer being asked to prove readiness once a year. Increasingly, they need to provide detailed evidence on shorter timelines across a growing set of regulatory and assurance requirements. That creates a real challenge when evidence is collected manually or disconnected from live security operations. Leaders need to show what changed, what was fixed, who owns the response, and what risk remains. Static snapshots are no longer enough. Cyber GRC connects security operations, risk, and compliance One of the clearest themes from the conversation is that the future of security operations will be AI-driven, but human-led. AI can help teams move faster, surface what matters, and respond with greater scale and consistency. But governance, accountability, and judgment still matter. That same principle applies to compliance. Security and compliance teams need live operational context, not disconnected reports. 
They need to connect what they detect, what they fix, and what they can prove. Watch the full episode to hear our conversation on what this moment means for AI in cybersecurity, cybersecurity compliance, and resilient security operations: \u2800","title":"Experts on Experts: Why AI and Compliance Are Forcing A New Security Operating Model","url":"https://www.rapid7.com/blog/post/it-experts-video-series-ai-compliance-force-new-security-operating-models"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":110,"published_date":"2026-06-25T12:37:15+00:00","severity":"medium","source_name":"Decipher","summary":"As part of the takedown, SocGholish infrastructure tied to fake browser-update scams was heavily impacted, including remediation of nearly 15,000 compromised WordPress sites.","title":"Targeting Cybercrime \u2018Assembly Lines:\u2019 Europol Announces Malware Crackdown","url":"https://decipher.sc/2026/06/25/targeting-cybercrime-assembly-lines-europol-announces-malware-crackdown"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"Single-author blog on AI/LLM security. Quality is good, but single source in an emerging niche \u2014 corroboration matters.","created_at":"2026-07-02 03:56:01","id":485,"published_date":"2026-06-25T12:20:58+00:00","severity":"medium","source_name":"Embrace The Red","summary":"Last year, Jun Kokatsu disclosed an interesting vulnerability with ChatGPT Operator by exploiting a race condition. I was wondering if I could reproduce this attack chain, and this post describes the results of that research. 
I had this post drafted for months, and yesterday at the Real-world AI security conference I included a video demo of this attack in my talk and that reminded me that I should finally publish this.","title":"Computer-Use and TOCTOU: What You Click Is Not What You Get!","url":"https://embracethered.com/blog/posts/2026/toctou-agent-what-you-click-is-not-what-you-get"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":565,"published_date":"2026-06-25T12:20:23+00:00","severity":"medium","source_name":"Ransomware.live","summary":"JMS Southeast, Inc. specializes in high-quality temperature measurement and control products, including thermocouples, RTDs, thermowells, and transmitters, catering to various industries such as aerospace, pharmaceuticals, and oil and gas. We will upload 25gb of corporate data soon. Employee personal information (name, addresses and so on), payment details, NDAs, projects, contracts and agreements, agreements with government, customer information and so on.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : JMS Southeast","url":"https://www.ransomware.live/id/Sk1TIFNvdXRoZWFzdEBha2lyYQ=="},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":566,"published_date":"2026-06-25T11:50:30+00:00","severity":"medium","source_name":"Ransomware.live","summary":"Padget Technologies specializes in advanced robotics and automation solutions tailored for efficient and cost-effective production. Their services include designing and fabricating custom machinery, assembly systems, and pre-engineered robotic palletizing cells. We will upload corporate data soon. Employee personal docs (DLs, SSNs, w9s and other sensitive docs), payment details, lot of NDAs, projects, contracts and agreements, client information, etc.","title":"\ud83c\udff4\u200d\u2620\ufe0f Akira has just published a new victim : Padget Technologies","url":"https://www.ransomware.live/id/UGFkZ2V0IFRlY2hub2xvZ2llc0Bha2lyYQ=="},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Authoritative expert commentary and link blog. Analysis, not primary research.","created_at":"2026-07-02 03:56:01","id":483,"published_date":"2026-06-25T11:23:58+00:00","severity":"medium","source_name":"Schneier on Security","summary":"This is a fascinating exploration of how LLMs fall for prompt injection attacks. It turns out that they learn to recognize the style of text in different role/instruction blocks, and not just the tags. Their conclusion: Role tags were a formatting trick that became the security architecture and the cognitive scaffolding of modern LLMs. We\u2019ve shown that this architecture doesn\u2019t survive into the model\u2019s actual representations, and that such role confusion is linked to prompt injection. Unless LLMs achieve genuine role perception, we think injection defense will remain a perpetual whack-a-mole game. 
And the continuous nature of role boundaries opens the threat of injections designed to subtly shift LLM states through seemingly innocuous text, legally and at scale...","title":"Interesting Paper Exploring Prompt Injection","url":"https://www.schneier.com/blog/archives/2026/06/interesting-paper-exploring-prompt-injection.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":229,"published_date":"2026-06-25T11:04:48+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"Chrome has patched 18 vulnerabilities, including four critical flaws. Two WebGL bugs could allow attackers to escape the browser's security sandbox.","title":"Update Chrome to patch critical browser security flaws","url":"https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws"},{"category":"Phishing & Social Engineering","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":311,"published_date":"2026-06-25T10:00:59+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Kaspersky researchers analyze the threat landscape for SMBs in 2026: the rise of attacks involving fake AI tools, phishing schemes, and data sold on the dark web.","title":"Inside the 2026 SMB threat landscape: From phishing and scams to fake AI tools","url":"https://securelist.com/smb-threat-report-2026/120357"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":77,"published_date":"2026-06-25T10:00:00+00:00","severity":"medium","source_name":"Dark Reading","summary":"After a global lull, ransomware gangs are setting sights on a rich new arena: attacking EU organizations and their suppliers.","title":"Europe Evolves Into Ransomware's Favorite Region","url":"https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":230,"published_date":"2026-06-25T09:08:05+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"Personal data belonging to politicians, military leaders, and executives was left publicly accessible in what looks like a security misconfiguration.","title":"Elite network says it was hacked after members\u2019 personal data was left exposed","url":"https://www.malwarebytes.com/blog/privacy/2026/06/elite-network-says-it-was-hacked-after-members-personal-data-was-left-exposed"},{"category":"AI Security","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":567,"published_date":"2026-06-25T04:20:19+00:00","severity":"medium","source_name":"Ransomware.live","summary":"I-SYS is a Russian software development and business automation company with 25 years of experience, offering custom development, digital transformation consulting, and DevOps services, with core products including the DocTrix electronic document management platform and the AI assistant \u041c\u0430\u0442\u0440\u0451\u0448\u043a\u0430, serving over half of Russia's TOP-100 enterprises.","title":"\ud83c\udff4\u200d\u2620\ufe0f Auditteam has just published a new victim : I-SYS","url":"https://www.ransomware.live/id/SS1TWVNAQXVkaXRUZWFt"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":382,"published_date":"2026-06-25T04:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Learn about the biggest data breaches of the past 20 years, how they happened, and how you can better protect your organization from major threats.","title":"27 Biggest Data Breaches in History: Famous Examples","url":"https://www.huntress.com/blog/biggest-data-breaches"},{"category":"Ransomware","confidence":"LOW","confidence_reason":"Open-source ransomware leak-site monitor (~150 groups). Scrapes victim claims, not verified journalism \u2014 treat as unverified OSINT. High volume (100 entries/batch); filter_uncategorized drops noise. Canonical www. 
URL preferred (bare domain 301s; _safe_get handles redirects but saves a hop).","created_at":"2026-07-02 03:56:04","id":568,"published_date":"2026-06-25T03:55:16+00:00","severity":"medium","source_name":"Ransomware.live","summary":"N/A","title":"\ud83c\udff4\u200d\u2620\ufe0f Qilin has just published a new victim : ISOPLUS","url":"https://www.ransomware.live/id/SVNPUExVU0BxaWxpbg=="},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":234,"published_date":"2026-06-25T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Explore an analysis of Mexico\u2019s 2025\u20132030 National Cybersecurity Plan. Discover how Mexico is addressing critical threats like ransomware, organized crime, and AI-driven attacks while preparing its digital infrastructure for the 2026 FIFA World Cup and beyond","title":"Evaluating Mexico\u2019s New Cybersecurity Plan","url":"https://www.recordedfuture.com/research/mexico-new-cybersecurity-plan-evaluation"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":78,"published_date":"2026-06-24T20:29:08+00:00","severity":"medium","source_name":"Dark Reading","summary":"Persistent cybercrime, social engineering, and infrastructure threats continue to plague the FIFA 2026 World Cup across the US, Canada, and Mexico.","title":"2026 FIFA World Cup Faces Surge in Cyber Threats","url":"https://www.darkreading.com/cybersecurity-operations/2026-fifa-world-cup-faces-surge-cyber-threats"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":79,"published_date":"2026-06-24T16:56:49+00:00","severity":"medium","source_name":"Dark Reading","summary":"OpenClaw removed five packages from its ClawHub skills marketplace that bypassed security checks even though they included infostealers and other threats.","title":"More Malicious OpenClaw Skills Threaten AI Supply Chain","url":"https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":587,"published_date":"2026-06-24T16:34:14+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/EatonZ [link] [comments]","title":"Exploiting vulnerabilities in Johnson & Johnson web apps","url":"https://www.reddit.com/r/netsec/comments/1ueiif9/exploiting_vulnerabilities_in_johnson_johnson_web"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":504,"published_date":"2026-06-24T13:02:33+00:00","severity":"critical","source_name":"Have I Been Pwned","summary":"In June 2026, the sports and entertainment company Madison Square Garden Sports was the target of a ShinyHunters \"pay or leak\" extortion campaign. 
The group later published the alleged data, which included almost 10M unique email addresses spanning staff and customers, along with extensive personal, employment and customer relationship information.","title":"Madison Square Garden Sports - 9,796,738 breached accounts","url":"https://haveibeenpwned.com/Breach/MadisonSquareGardenSports"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":451,"published_date":"2026-06-24T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"AI got a security consultant 80% of the way through a real web application assessment. The other 20% was where the actual security work happened. This walkthrough shows where AI delivered, where it produced confident but impossible explanations, and why human judgment still drives real findings.","title":"AI Finds Vulnerabilities. Security Experts Find Impact.","url":"https://bishopfox.com/blog/ai-finds-vulnerabilities-security-experts-find-impact"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":111,"published_date":"2026-06-24T12:57:45+00:00","severity":"medium","source_name":"Decipher","summary":"Gaslight is a Rust-based backdoor that researchers from SentinelOne have attributed to DPRK-aligned threat actors.","title":"macOS Gaslight Backdoor Weaponizes Prompt Injection Against Security Analysts","url":"https://decipher.sc/2026/06/24/macos-gaslight-backdoor-weaponizes-prompt-injection-against-security-analysts"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. 
filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":199,"published_date":"2026-06-24T12:35:24+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights","title":"ESET takes part in Operation Endgame to disrupt Amadey and Stealc","url":"https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Curated Microsoft threat research, Patch Tuesday summaries, and incident analysis. Replaced the MSRC Update Guide CVE firehose (~3k advisories/quarter) with this high-signal blog feed.","created_at":"2026-07-02 03:55:50","id":224,"published_date":"2026-06-24T12:30:00+00:00","severity":"medium","source_name":"Microsoft Security Blog","summary":"On June 24, 2026, Microsoft\u2019s Digital Crimes Unit (DCU) facilitated the takedown, suspension, and blocking of domains that formed the backbone of the StealC and Amadey infrastructure. This blog is a technical breakdown of StealC and Amadey. The post StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them appeared first on Microsoft Security Blog.","title":"StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them","url":"https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":80,"published_date":"2026-06-24T12:00:00+00:00","severity":"medium","source_name":"Dark Reading","summary":"Attackers can exploit the issue to disable security and integrated browser tools without needing administrator privileges or kernel exploits.","title":"Apple's MacOS Gap Lets Users Disable Security Tools","url":"https://www.darkreading.com/application-security/apple-macos-security-gap-users-disable-security-tools"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Authoritative expert commentary and link blog. Analysis, not primary research.","created_at":"2026-07-02 03:56:01","id":484,"published_date":"2026-06-24T11:03:10+00:00","severity":"medium","source_name":"Schneier on Security","summary":"At least one malware developer is adding text about nuclear and biological weapons to their spyware, in an effort to stop automatic AI analysis. Details: The _index.js payload begins with a large JavaScript block comment containing fake system instructions and policy-triggering content. Because it is inside a comment, it does not affect JavaScript execution. The runtime skips it. The real malware begins after the comment with a try{eval(\u2026)} wrapper around a large character-code array and a ROT-style substitution function. This header appears designed for AI-mediated analysis, not for Node, Bun, or Python. It attempts to derail scanners or analyst copilots that feed the beginning of a file to a language model without clearly isolating the content as untrusted data. 
In weak pipelines, this can cause refusal behavior, prompt confusion, context pollution, or premature classification before the scanner reaches the actual malware...","title":"Embedding Forbidden Text in Spyware to Discourage AI Analysis","url":"https://www.schneier.com/blog/archives/2026/06/embedding-forbidden-text-in-spyware-to-discourage-ai-analysis-2.html"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":312,"published_date":"2026-06-24T10:00:03+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Kaspersky researchers analyze a new global campaign dubbed StrikeShark that delivers Cobalt Strike Beacon via custom SharkLoader malware.","title":"StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader","url":"https://securelist.com/strikeshark-campaign/120326"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Handler diaries \u2014 expert practitioner analysis, not primary research but high-quality synthesis.","created_at":"2026-07-02 03:56:04","id":580,"published_date":"2026-06-24T06:29:03+00:00","severity":"medium","source_name":"SANS Internet Storm Center","summary":"In a previous diary, I talked about stack strings[1] with a practical example of them. Since my SEC670 class, I\u2019m even more interested in malware obfuscation techniques. I had a look at process names. When you list running processes on a computer, can you trust what you see? If you're facing a rootkit, malicious processes can be simply hidden (the API calls or commands to list processes have been tampered with). 
But a malicious process can also mimic a non-suspicious name by masquerading its name. This technique (T1036 in the MITRE ATT&CK framework[2]) has been used by attackers in many campaigns. A good example is the Velvet Ant Chinese group[3]. The goal is to hide the \u201cmalware\u201d process name by replacing it with something that won\u2019t attract the Security Analyst\u2019s eyes or defeat security controls.","title":"Linux Process Name Masquerading, (Wed, Jun 24th)","url":"https://isc.sans.edu/diary/rss/33102"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research. Caveat: mixed with commercial marketing \u2014 filter_uncategorized drops partnership promos and thought-leadership fluff.","created_at":"2026-07-02 03:55:48","id":168,"published_date":"2026-06-24T05:00:00+00:00","severity":"medium","source_name":"CrowdStrike Blog","summary":"","title":"The Identity Problem Hiding in AI Agent Deployments","url":"https://www.crowdstrike.com/en-us/blog/the-identity-problem-hiding-in-ai-agent-deployments"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. 
Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":289,"published_date":"2026-06-24T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Datadog Security Research investigates a June 2026 adversary-in-the-middle phishing campaign that cloned the AWS console login page to harvest victim credentials and multi-factor authentication codes.","title":"Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond","url":"https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":155,"published_date":"2026-06-23T22:00:51+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Unit 42's analysis of ClawHub revealed evasive malicious skills bypassing automated scanners to deploy infostealers and execute agentic financial fraud. The post OpenClaw\u2019s Skill Marketplace and the Emerging AI Supply Chain Threat appeared first on Unit 42.","title":"OpenClaw\u2019s Skill Marketplace and the Emerging AI Supply Chain Threat","url":"https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":81,"published_date":"2026-06-23T20:44:09+00:00","severity":"critical","source_name":"Dark Reading","summary":"More victims have emerged after attackers breached application vendor Klue and used its OAuth tokens to steal customers' Salesforce data.","title":"Scope of Salesforce Attacks Expands as Icarus Leaks Data","url":"https://www.darkreading.com/cyberattacks-data-breaches/scope-salesforce-attacks-expands-icarus-leaks-data"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":82,"published_date":"2026-06-23T19:16:42+00:00","severity":"medium","source_name":"Dark Reading","summary":"The CI/CD workflow weakness affects Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache's Doris analytics database, Cloudflare's Workers SDK, and Python Software Foundation's Black.","title":"'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows","url":"https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":262,"published_date":"2026-06-23T17:03:34+00:00","severity":"medium","source_name":"Rapid7","summary":"Rapid7 has been named a Major Player in the IDC MarketScape: Worldwide SIEM 2026 Vendor Assessment (#US54126826, June 2026). This is the first IDC SIEM MarketScape to bring the enterprise and SMB markets into a single evaluation, and we believe it arrives at a time when the way teams buy and run a SOC is changing quickly. 
Security teams are no longer evaluating detection and response in isolation. They want their threat data, automation, and view of the attack surface working together, rather than spread across a stack of disconnected tools. We believe Incident Command reflects that shift by bringing threat data, automation, and attack surface context into one platform instead of leaving teams to work across disconnected tools. It also speaks to a broader change in security operations, where context matters more, speed matters more, and teams need a clearer path from alert to action. That same direction runs through Rapid7\u2019s wider point of view on preemptive security: exposure, detection, and response work better when they inform each other through shared context, AI, and human expertise. Incident Command brings detection, response, and exposure context together Incident Command brings SIEM, SOAR, attack surface management, and threat intelligence together on a shared data model. That gives analysts access to asset risk, vulnerability data, and exposure context during an investigation, so they can understand whether a detection affects a high-risk, internet-facing asset without having to jump between separate products. According to the IDC MarketScape, \u201cIncident Command is a strong fit for midmarket to enterprise organizations that want a fully integrated security operations platform with predictable costs.\u201d The teams we talk to are tired of stitching tools together and dealing with surprise ingestion bills. They want fewer blind spots, faster investigations, and a clearer answer to what is urgent and what to do next. Incident Command addresses that by bringing exposure context, threat intelligence, and response automation into the SIEM workflow, helping teams investigate faster and act with more clarity. For organizations looking for additional managed coverage, Rapid7 MDR is available as a separate offering. 
As attacks move faster and environments become harder to manage, security operations work better when exposure, threat, and response data are connected through an open platform that gives teams the context they need to move with more speed and clarity. AI and automation, pressure-tested by a global SOC Many vendors talk about AI in the SOC. For customers, the more important question is how those capabilities are developed, tested, and refined so they are useful in real investigations rather than just sounding good in a product story. We believe the IDC MarketScape called out what that means in Rapid7\u2019s case: \u201cAI models and automation capabilities are tested in the MDR SOC before release to product customers, providing a feedback loop between managed service outcomes and product development that organizations without their own MDR equivalent cannot replicate.\u201d Our MDR analysts work real incidents across thousands of customer environments every day. The detections, triage models, and automation that come out of that work are tested against live attacks before they reach product customers. That feedback loop helps make the AI Engine more useful in practice by handling repetitive work such as classifying alerts, compiling evidence, and surfacing next steps, while analysts spend their time on the decisions that actually require human judgment. That balance also reflects Rapid7\u2019s broader platform story: AI-powered, backed by human expertise. What we believe this IDC MarketScape recognition says about the future of SIEM The 2026 IDC MarketScape is a useful signal of where the market is heading. Organizations are looking for platforms where exposure and detection inform each other instead of living in separate systems, and where AI helps teams move faster without removing the human judgment needed to make the right call. 
We believe that is very much in line with the platform Rapid7 has been building through Incident Command and the wider Command Platform story. We\u2019ll continue investing in the AI Engine, deeper attack surface context, and the integrations customers rely on. The goal remains straightforward: help defenders move faster to keep their environment safe, investigate with more context, and respond with machine speed and confidence. Want to see Incident Command in action? Request a demo or explore the packages built to meet your team where it is.","title":"Why SIEM is Moving Toward Unified Security Operations: Rapid7 Named a Major Player in IDC MarketScape","url":"https://www.rapid7.com/blog/post/dr-siem-moving-toward-unified-security-operations-rapid7-named-idc-marketscape-major-player"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":1,"published_date":"2026-06-23T16:12:49+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. 
The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.","title":"Scattered Spider Hackers Plead Guilty on Day 1 of Trial","url":"https://krebsonsecurity.com/2026/06/scattered-spider-hackers-plead-guilty-on-day-1-of-trial"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":231,"published_date":"2026-06-23T15:52:17+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"We spent 48 hours exploring the dark web and found stolen identities, malware, scams, and a thriving cybercrime economy.","title":"Inside the dark web: Stolen identities for 95\u00a2, malware, and scams-for-hire","url":"https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95%c2%a2-malware-and-scams-for-hire"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consumer-threat focused.","created_at":"2026-07-02 03:55:50","id":232,"published_date":"2026-06-23T10:30:57+00:00","severity":"medium","source_name":"Malwarebytes Labs","summary":"A breach at a Texas Parks and Wildlife Department vendor exposed personal information belonging to more than three million Texans.","title":"Hackers steal passport and driver\u2019s license data of 3 million Texans","url":"https://www.malwarebytes.com/blog/data-breaches/2026/06/hackers-steal-passport-and-drivers-license-data-of-3-million-texans"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":588,"published_date":"2026-06-23T10:18:55+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"Kind of crazy to look at the graph in this blog. 
CVE drops on 04/29, they develop a patch on 4/30, and deploy it across all of their servers on 05/01. Obviously they have the engineers to write BPF-LSM patches, but I think it points to a future where they can (almost) keep up with vulnerability disclosures. submitted by /u/xmull1gan [link] [comments]","title":"Cloudflare patches Copy-Fail across every server in two days","url":"https://www.reddit.com/r/netsec/comments/1udd811/cloudflare_patches_copyfail_across_every_server"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":589,"published_date":"2026-06-23T09:52:01+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"A vulnerability in Cisco Unified Communications Manager allows unauthenticated attackers to arbitrarily write files in the server which could be used to run arbitrary commands or code on the server. submitted by /u/SSDisclosure [link] [comments]","title":"New Cisco RCE was fixed","url":"https://www.reddit.com/r/netsec/comments/1udcrb8/new_cisco_rce_was_fixed"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). 
Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":277,"published_date":"2026-06-23T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"How Elastic's security team built an AI agent with RAG against MITRE's CWE and CAPEC catalogues to draft CVE advisories from raw vulnerability reports, including the full prompt and crawler configs.","title":"From vulnerability report to CVE draft in minutes: how Elastic automated security advisories with AI","url":"https://www.elastic.co/security-labs/security-advisory-automation-rag-elastic-agent-builder"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":156,"published_date":"2026-06-22T22:00:04+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Unit 42 research details how attackers could exploit global name uniqueness in bucket hijacking to redirect cloud data streams across major CSPs. The post The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration appeared first on Unit 42.","title":"The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration","url":"https://unit42.paloaltonetworks.com/cloud-bucket-hijacking-risks"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":83,"published_date":"2026-06-22T21:14:11+00:00","severity":"medium","source_name":"Dark Reading","summary":"Four vulnerabilities allow attackers to exploit Dify, a platform for AI application building and management, to silently access and exfiltrate sensitive data.","title":"DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories","url":"https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":117,"published_date":"2026-06-22T18:41:47+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview Two vulnerabilities have been identified in FastStone Image Viewer 8.3 that may allow remote code execution or control-flow corruption when processing specially crafted image files. The affected components include the JPEG 2000 (JP2) parser and the PSD file parser. An attacker can exploit these vulnerabilities by causing the application to automatically or interactively process malicious image files. Description FastStone Image Viewer is a software tool for browsing, editing, and managing images, offering features like full\u2011screen viewing, batch processing, red\u2011eye removal, and a wide range of editing effects. It supports virtually all major image and RAW formats and includes conveniences like slideshows, comparison tools, scanner support, and screen capture. CVE-2026-30040 A critical heap-based buffer overflow vulnerability exists in FastStone Image Viewer, versions 8.3 and earlier. The issue is triggered during the parsing of JPEG 2000 (JP2) files due to a malformed QCD (quantization default, 0xFF5C) marker in the FSViewer.exe process. 
By exploiting this flaw, a remote attacker can overwrite the EIP (instruction pointer) and execute arbitrary code in the context of the current process via a crafted JP2 file. Notably, this issue does not require the victim to directly open the crafted JP2 file. When the application enumerates directories during automatic thumbnail generation, files within two directory levels are parsed by the JP2 decoder. If the malicious JP2 file is present within this enumeration range (for example in the user\u2019s Downloads folder), the vulnerability is triggered automatically. CVE-2026-30041 An integer overflow vulnerability exists in the PSD parser of FastStone Image Viewer, versions 8.3 and earlier. The vulnerability is caused by a lack of proper validation for the height value in PSD files, leading to a subsequent heap-based buffer overflow. Successful exploitation could allow a remote attacker to execute arbitrary code or cause a persistent denial-of-service (crash) via a crafted PSD file. Impact Successful exploitation of CVE-2026-30040 could allow arbitrary code execution in the context of the user running FastStone Image Viewer. Additionally, an attacker could exploit CVE-2026-30041 to overwrite the instruction pointer and control the program's execution flow, crashing the application or potentially enabling arbitrary code execution. The impact severity depends on the privileges of the user running the application. Code executed under elevated permissions would result in significantly higher risk. Solution Unfortunately, we were unable to reach the vendor for coordination, and a patch is not yet available. To limit the risk of this vulnerability, run the software using a restricted local account and enforce policies that prevent users from downloading or saving JP2 or PSD files from untrusted sources. Acknowledgements This vulnerability was disclosed by Sunghun Oh. 
This document was written by Bob Kemerer.","title":"VU#936962: Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0","url":"https://kb.cert.org/vuls/id/936962"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":590,"published_date":"2026-06-22T18:31:27+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"submitted by /u/AlbatrossMaximum4489 [link] [comments]","title":"CVE-2026-25860 turn XSS to RCE","url":"https://www.reddit.com/r/netsec/comments/1ucsrw0/cve202625860_turn_xss_to_rce"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":118,"published_date":"2026-06-22T16:16:08+00:00","severity":"medium","source_name":"CERT Vulnerability Notes","summary":"Overview Microsoft Windows Recovery Environment (WinRE) provides a mechanism for recovering and repairing Windows systems using an alternate boot environment. Under certain platform implementations, access to WinRE may allow an attacker to bypass firmware security controls, including administrator-configured UEFI/BIOS passwords. An attacker with physical or administrative access to a device may be able to leverage WinRE-related boot mechanisms to circumvent firmware protections and gain unauthorized access to system resources. Description Microsoft Windows versions 10 and 11 include the WinRE capability, a recovery platform that supports features such as the F11 recovery menu and the Reset this PC functionalities. WinRE is commonly used for system recovery, troubleshooting, and remote support scenarios. When WinRE is invoked, the system reboots into a recovery environment that may use an alternate boot path from the standard operating system startup sequence. 
Depending on the platform and firmware implementation, the alternate boot path may not consistently enforce the same UEFI/BIOS security controls that are applied during a normal boot process. A security concern has been identified in certain WinRE implementations where administrative UEFI/BIOS passwords may not be enforced during specific recovery operations. This inconsistency in the boot execution path may allow an attacker with physical access to a device to bypass firmware-level protections. Such scenarios are commonly associated with \"Evil Maid\" attacks, in which an attacker gains temporary physical access to an unattended system and modifies its boot configuration or security settings. In UEFI-based systems, the UEFI boot manager supports the BootNext variable, which specifies a one-time boot target stored in non-volatile memory (NVRAM). The UEFI trust model assumes that only privileged software or the platform owner can modify NVRAM variables; however, the BootNext variable itself is not authenticated and takes precedence over the normal BootOrder configuration during the next boot cycle. When Secure Boot is enabled, firmware validates the integrity and signature of the boot application specified by BootNext before execution. The UEFI specification does not explicitly mandate a full platform reset when the BootNext variable is configured, leaving reset-handling and user authentication flows to the specific implementation. Consequently, the effectiveness of pre-boot security controls (such as UEFI/BIOS password protections and BitLocker full-disk encryption) can be bypassed via recovery environments like WinRE, provided a user has the privileges required to initiate such recovery. Organizations with high security requirements for their devices should not rely solely on UEFI/BIOS passwords to protect systems where WinRE or such recovery environments are accessible to untrusted users. 
Additional controls should be implemented to protect against both physical-access and privileged-user attacks. Impact An attacker with access to the Windows Recovery Environment may be able to bypass administrator-configured UEFI/BIOS password protections on affected systems. Depending on the device configuration and firmware implementation, an attacker may also be able to perform actions that weaken or circumvent BitLocker full-disk encryption protections, potentially resulting in unauthorized access to sensitive data. Solution Microsoft has published an advisory related to recovery-environment hardening and secure boot configurations, including mitigations for vulnerabilities affecting WinRE mechanisms. Organizations should review applicable vendor guidance and evaluate whether their systems are susceptible to WinRE-based firmware security bypasses. In addition to standard recommendations (e.g., enabling Secure Boot), the following mitigations are advised for highly sensitive systems: Disable or restrict WinRE on systems where recovery functionality is not operationally required. Require administrative authorization with ephemeral one-time access before enabling or invoking recovery environments. Enable BitLocker with TPM + PIN or TPM + Startup Key to ensure additional authentication is required during recovery and pre-boot scenarios. Enable restrictions of pluggable media with EFI System Partitions (ESP) and any modifications to sensitive items in UEFI NVRAM such as BootNext and BootOrder. Deploy endpoint detection and response (EDR) solutions or end-point restrictions that support pre-boot security along with remote attestation and measured boot technologies to detect or block unauthorized boot modifications. Implement physical security controls, including device locks, secure storage, tamper-evident protections, and chain-of-custody procedures for high-value systems. 
These recommendations should be evaluated in accordance with organizational recovery requirements and operational constraints. Some of the recommendations were adapted from the Eclypsium research blog. Acknowledgements Thanks to Beatriz Fresno Naumova for reporting this vulnerability. This document was written by Vijay Sarvepalli.","title":"VU#226679: Microsoft WinRE allows for bypass of UEFI/BIOS password enforcement","url":"https://kb.cert.org/vuls/id/226679"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":84,"published_date":"2026-06-22T14:12:11+00:00","severity":"medium","source_name":"Dark Reading","summary":"Threat actors can easily steal one-time passwords sent by text when they conduct a SIM swap attack. This can lead to account takeovers, so users must layer up their security measures.","title":"He Thought He Was Secure; His Phone Number Was Stolen Anyway","url":"https://www.darkreading.com/cyber-risk/how-a-sim-swap-attack-led-to-a-near-account-takeover"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":383,"published_date":"2026-06-22T13:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"During the June Tradecraft Tuesday, Huntress researchers looked at device code phishing variations and why threat actors love this attack so much.","title":"We Need to Talk About Device Code Phishing","url":"https://www.huntress.com/blog/tradecraft-tuesday-device-code-phishing-explained"},{"category":"Industry/Policy","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":133,"published_date":"2026-06-22T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"","title":"The AI shift in cyber risk: why leaders must act now","url":"https://www.ncsc.gov.uk/news/the-ai-shift-in-cyber-risk-why-leaders-must-act-now"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":384,"published_date":"2026-06-22T12:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Move past basic credential harvesting. Discover how modern attackers use ClickFix, BitB, and OAuth consent phishing\u2014and how to train your users with Huntress SAT.","title":"Next-Gen Phishing Tactics Users Aren\u2019t Ready For | Huntress","url":"https://www.huntress.com/blog/advanced-phishing-tradecraft"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. 
Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":313,"published_date":"2026-06-22T10:00:38+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"A Kaspersky researcher analyzes a global malicious campaign that distributes VBS scripts via WhatsApp delivering a UEMS RMM agent through a multi-stage infection chain.","title":"A VBScript campaign distributed through WhatsApp deploying RMM software","url":"https://securelist.com/whatsapp-vbs-rmm-campaign/120290"},{"category":"SaaS Breach","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":591,"published_date":"2026-06-22T06:06:05+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/AnimalStrange [link] [comments]","title":"Exploiting Auth0 Defaults in XSS Attacks - elttam","url":"https://www.reddit.com/r/netsec/comments/1uccgi1/exploiting_auth0_defaults_in_xss_attacks_elttam"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":290,"published_date":"2026-06-22T00:00:00+00:00","severity":"critical","source_name":"Datadog Security Labs","summary":"We summarize the Klue supply chain attack and provide detection guidance for Salesforce environments monitored by Datadog Cloud SIEM.","title":"Detecting the Klue supply chain attack in Salesforce instances","url":"https://securitylabs.datadoghq.com/articles/detecting-the-klue-supply-chain-attack-in-salesforce"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. 
Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":505,"published_date":"2026-06-20T03:02:45+00:00","severity":"critical","source_name":"Have I Been Pwned","summary":"In June 2026, retailer JCPenney and associated brands were targeted in a ShinyHunters \"pay or leak\" extortion campaign. Data allegedly obtained from JCPenney through the exploitation of a critical zero-day vulnerability in Oracle PeopleSoft was later published publicly. The exposed records indicated they primarily related to internal HR systems and impacted current and former employees. The data included 368k corporate and personal email addresses, names, dates of birth, Social Security numbers, phone numbers and home addresses.","title":"JCPenney - 368,418 breached accounts","url":"https://haveibeenpwned.com/Breach/JCPenney"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":592,"published_date":"2026-06-19T19:15:45+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/everping [link] [comments]","title":"Use-after-free in the QPACK encoder of nginx HTTP/3 - CVE-2026-42530","url":"https://www.reddit.com/r/netsec/comments/1uab0j6/useafterfree_in_the_qpack_encoder_of_nginx_http3"},{"category":"Identity & Access","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":263,"published_date":"2026-06-19T17:08:23+00:00","severity":"high","source_name":"Rapid7","summary":"This week's release includes five new modules, including a full unauthenticated RCE chain for Paperclip AI and a VS Code extension persistence technique. 
On the post-exploitation side, the new windows/local/ntlm_relay_2_self module coerces the local machine account to authenticate via OpenEncryptedFileRaw (WebDAV), relays that NTLM authentication to a Domain Controller's LDAP service, then uses the resulting LDAP session to write Shadow Credentials and obtain a Kerberos service ticket as Administrator via S4U2Proxy, enabling PsExec back to itself for SYSTEM access. On the enhancement side, the new MCP server plugin lets AI tools assist operators directly within a running msfconsole instance, and module check codes now return richer detail for users. New module content (5) Paperclip AI RCE using a chain of six API calls (CVE-2026-41679) Authors: Sagilayani https://github.com/sagilayani and h00die-gr3y h00die.gr3y@gmail.com Type: Exploit Pull request: #21547 contributed by h00die-gr3y Path: linux/http/paperclipai_unauth_rce_cve_2026_41679 AttackerKB reference: CVE-2026-41679 Description: Adds an exploit module for CVE-2026-41679 which exploits Paperclip. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls. Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload Author: bootstrapbool bootstrapbool@gmail.com Type: Exploit Pull request: #21371 contributed by bootstrapbool Path: multi/http/xerte_unauthenticated_mediaupload AttackerKB reference: CVE-2026-41459 Description: Exploits authentication failure (CVE-2026-34413), extension blacklist (CVE-2026-34415), and path traversal (CVE-2026-34414) vulnerabilities in Xerte Online Toolkits versions 3.15 and earlier. VS Code Extension Persistence Author: h00die Type: Exploit Pull request: #21465 contributed by h00die Path: multi/persistence/vscode_extension Description: Adds a new persistence module that achieves persistence by installing a malicious extension into a user's VS Code extensions directory. 
The next time the target opens VS Code, the extension executes and delivers a shell back to the attacker. NTLM Relay to Self (HTTP to LDAP) - Post Exploitation Author: jheysel-r7 Type: Exploit Pull request: #21430 contributed by jheysel-r7 Path: windows/local/ntlm_relay_2_self Description: Adds a module that exploits the NTLMRelay2Self attack. It requires a low-privilege user session on a Windows host. Linux Kernel __ptrace_may_access() Exit Race Change File Disclosure Authors: 0xdeadbeefnetwork and bhaskarbhar Type: Post Pull request: #21472 contributed by bhaskarbhar Path: linux/gather/cve_2026_46333_chage AttackerKB reference: CVE-2026-46333 Description: Adds a post module that leverages CVE-2026-46333, a vulnerability in the Linux kernel whereby a race condition exists when tearing down a process. A local attacker can exploit this to obtain file handles they would not otherwise have access to. In the exploit, this is leveraged to leak the contents of the /etc/shadow file. Enhancements and features (7) #21254 from golem445 - Nmap imports will include domain name if supplied by the user for the scan. #21259 from g0tmi1k - Adds a number of enhancements to msfconsole's search functionality by cleaning up some inconsistencies and giving users the option to hide the child elements of search results with the -c flag. Also introduces two global options, SearchSort and SearchChildMode, that users can set and forget in order to control ascending/descending search results and whether or not child items appear under search results respectively. #21367 from g0tmi1k - Adds a number of enhancements to the rexec_login module including more detailed output, a check for an rDNS failure, an update to the module description, and removal of duplicate IP:PORT printing. #21454 from adfoster-r7 - Updates many modules by adding additional details to the check codes that are returned by the #check method, which provides additional information for the user. 
Also updates the requirements of new modules to contain this extra information moving forward. #21512 from adfoster-r7 - Updates the Metasploit MCP tool to expose note information on Metasploit modules, as well as host comments. #21537 from dwelch-r7 - Adds a plugin to start and stop a Model Context Protocol (MCP) server within msfconsole. When compared to the standalone msfmcpd tool, this has the significant advantage of automatically loading the RPC server within the context of a running framework instance which enables AI tools to assist the operator without needing to restart Metasploit. #21542 from h00die - Updates the scanner/redis/redis_server module to output server INFO details as a readable table. Bugs fixed (4) #21441 from dwelch-r7 - Improves the MCP server lifecycle control and enables graceful shutdowns by transitioning from Rack's handler to direct Puma server API management. #21564 from adfoster-r7 - Fixes a crash in the smb_version module when run against SMBv1 targets. #21570 from sjanusz-r7 - Fixes an issue where it was not possible to generate ARM Big Endian payloads. #21571 from dwelch-r7 - Deleted files are now excluded when running msfconsole reload commands. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com. Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.137...6.4.139 Full diff 6.4.137...6.4.139 If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro","title":"Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and more","url":"https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-19-06-2026"},{"category":"Nation State/APT","confidence":"HIGH","confidence_reason":"University of Toronto \u2014 gold-standard surveillance/spyware research. NSO Group, Predator, Pegasus. filter_uncategorized drops political commentary, keeps classified threat research.","created_at":"2026-07-02 03:55:55","id":423,"published_date":"2026-06-19T15:19:28+00:00","severity":"medium","source_name":"The Citizen Lab","summary":"Meta\u2019s WhatsApp said it will ask a US court to hold NSO Group in contempt for using WhatsApp to lure targets into downloading the surveillance spyware. The post WhatsApp Accuses NSO of Fresh Pegasus Targeting appeared first on The Citizen Lab.","title":"WhatsApp Accuses NSO of Fresh Pegasus Targeting","url":"https://citizenlab.ca/whatsapp-accuses-nso-of-fresh-pegasus-targeting"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":594,"published_date":"2026-06-19T13:27:18+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"A crafted MPLS packet can trigger an out-of-bounds read in mpls_do_error, leaking 4 bytes of adjacent kernel stack memory back in an ICMP/MPLS error response. It requires MPLS enabled, but the leak is remote and repeatable. Fixed in OpenBSD-current on 2026-06-18. 
submitted by /u/Emergency_Stable_923 [link] [comments]","title":"OpenBSD MPLS kernel stack leaks remotely (CVE-2026-56099)","url":"https://www.reddit.com/r/netsec/comments/1ua20fg/openbsd_mpls_kernel_stack_leaks_remotely"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":593,"published_date":"2026-06-19T10:21:41+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"submitted by /u/qwerty0x41 [link] [comments]","title":"Squidbleed (CVE-2026-47729) - Heartbleed-style vulnerability that leaks internal memory from every version of Squid Proxy, in its default configuration","url":"https://www.reddit.com/r/netsec/comments/1u9y7yw/squidbleed_cve202647729_heartbleedstyle"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":278,"published_date":"2026-06-19T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"Azure AD Graph Activity Logs land in Elastic with full ECS parsing. Detect ROADrecon and AADInternals enumeration with ready-to-use detection rules.","title":"Azure AD Graph Activity Logs: Ingestion and threat detection to close the visibility gap","url":"https://www.elastic.co/security-labs/aad-graph-activity-logs-threat-detection"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). 
Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":279,"published_date":"2026-06-19T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"Find out how a new obfuscated loader evades static detection using .reloc section abuse, five anti-VM/language checks and MBA obfuscation to deliver infostealer malware via Google Ads.","title":"Lost in relocation: analysis of a new loader distributing CASTLESTEALER","url":"https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":506,"published_date":"2026-06-18T22:48:34+00:00","severity":"high","source_name":"Have I Been Pwned","summary":"In June 2026, fashion retailer Ralph Lauren was targeted in a ShinyHunters \"pay or leak\" extortion campaign. The group subsequently published hundreds of gigabytes of data they claimed was obtained from the organisation's Salesforce instance, including 140k unique email addresses along with names, phone numbers, genders and age groups.","title":"Ralph Lauren - 139,903 breached accounts","url":"https://haveibeenpwned.com/Breach/RalphLauren"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. 
Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":507,"published_date":"2026-06-18T20:08:06+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"On 18 June 2026, the latest phase of Operation Endgame targeted the SocGholish malware operation, a prolific malware distribution network used to compromise systems and facilitate further cybercrime. Coordinated by international law enforcement agencies with support from Europol and Eurojust, the operation remediated almost 15,000 compromised websites and disrupted more than 100 servers and domains used to distribute malware. Authorities initially provided HIBP with 154k impacted email addresses and more than half a million previously unseen passwords recovered during the operation. The following week, a further 4M email addresses and 9M passwords relating to the StealC malware operation targeted by Operation Endgame were provided to HIBP, bringing the total to almost 4.2M unique email addresses.","title":"Operation Endgame 4.0 - 4,160,519 breached accounts","url":"https://haveibeenpwned.com/Breach/OperationEndgame4"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":119,"published_date":"2026-06-18T19:41:08+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a \"Bring Your Own Vulnerable Driver\" (BYOVD)-style attack. If a target system trusts the affected vendor\u2019s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. 
To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process. Description The Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains certificates from original equipment manufacturer (OEM) vendors, operating system authorities, and other supply-chain partners in the UEFI ecosystem. The UEFI shell is a command-line application that allows advanced users to interact directly with the UEFI environment to run diagnostics or special tasks prior to the operating system boot. Other UEFI applications, such as bootloaders, manage the operating system startup sequence or load specific drivers before the main OS initializes. Some of these applications possess functionalities that can manipulate system memory, modify sensitive NVRAM variables, or load raw drivers. If a vendor-signed application inadvertently exposes these capabilities without strict access controls, attackers can abuse them to circumvent Secure Boot policies and execute unverified code. This exposure effectively results in an early compromise of the pre-boot environment, bypassing the Secure Boot policy. Researchers from ESET identified multiple UEFI applications vulnerable to this type of abuse. To neutralize the risk, the affected binaries will be added to vendor-specific DBX revocation lists to prevent them from executing on the target systems. 
Impacted UEFI Applications [Vendor, Application and vulnerable function Authenticode SHA hash SHA256 file hash] Acer `GRUB2` insmod 71DCE405964C67779DB92DBC01F683D6E29075AB 6cc0e9501420ec036f0ad74df2d17f4d6360f26585f265042537b9f8c2780c30 Acer `UEFI shell` mm,dmpstore D275C2DFD884D2B7842C7F861C527A9FFC6E59DD b0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883 Acer `UEFI shell` mm,dmpstore 42C4923E676A9FD0A93C08631AD7A8244A8F2174 0784c30a83bfcc45bf42804e5729323987957f0a104fcb693d0ff10d76d5b42c Acer `UEFI shell` mm,dmpstore 04BE47C873F116B85111FBF8EE9191C87CEE2619 b0af2158f11535d8458b8497a35e96d5afc76e43825f255d2d6aa2da74bad883 Acer Emdoor `UEFI shell` mm,setvar CD5E3EAD6F78526BF9301DEEF66906618654F604 14a493007443c72050ce644562db1470e36bf9d04baf5dec6b046e32cbdbb61b AMD `UEFI shell` mm,dmpstore 744565FBB35DB710BCC1547292204763C731DC55 58bc1e460a1b7e18e6ad12dae8020c38bd7b3d6217130dd127ae232e4b248406 ASUS schenker-tech.de(XMG) `UEFI shell` mm,dmpstore DC18D31E46A541C9E42F9588554ADDC7DECE124B 61ee9a23c366a102ceb34c78af7816413769791658cdb668b02cb81ec94f7c70 ECS `UEFI Shell` mm,dmpstore 59BA2B5C239AF3CC7FCE74AA5E65AAA8CE3C454F 81da15d6acdfb7868ecea44d41c869c2295603af9a44a2d106d4c0e57d66908 Getac `UEFI Shell` mm,dmpstore 35FBD8ED5ED31D281A6146360CDEFE7E8CEC31DA 09d895bb03bdac3188ef61b09ab72b99492cfd0b785cbc3eb2eb75657a2f9fa0 GIGABYTE Maibenben `UEFI Shell` mm,setvar,dmpstore 6CC172CBFEEA24B2806B477F8EDF897334ECC486 2944da098861619e21b522a642235bb2ec189ff20ef96e100b2ffdd9a39c3416 Toshiba `UEFI Shell` mm,dmpstore 2EAE2807A4265D9C30EECA68A8C59C7A6D1ACFE7 cad246ae8a5db51f32f128896ccef5efc30e5d65c9d9722b449988d43da53d51 Uniwill Maingear schenker-tech.de(XMG) `UEFI Shell` mm,dmpstore 8CED62F9BD5C987A80598DA1E13414391BBB1ADE 55682bec887134a2ccaa2cd5458cd3fe6395ea93bb88c9dc541806428b14fc66 Impact This vulnerability only impacts systems where the specific affected vendor's certificate is trusted within the UEFI Authorized Signature Database (DB). 
On such systems, an attacker with administrative privileges or physical access could leverage the vulnerable application to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Code executed during this early boot phase can achieve persistent platform compromise, including the ability to load unsigned or malicious kernel components that survive system reboots and operating system reinstallations. Because this activity occurs before the operating system and endpoint security products initialize, malicious code executed through this technique may completely evade detection by standard security controls and endpoint detection and response (EDR) solutions. Solution Apply the latest firmware and software updates provided by your hardware or software vendor. Please refer to the Vendor Information section for details. Updated software packages will replace vulnerable UEFI applications with corrected versions that incorporate the latest upstream security fixes. Additionally, administrators should update and verify the UEFI DBX on affected systems to ensure the vulnerable binaries are revoked and can no longer execute during the boot process. Acknowledgements Thanks to Martin Smolar of ESET for researching and reporting this vulnerability. This document was written by Vijay Sarvepalli.","title":"VU#457458: Vendor-signed UEFI applications found vulnerable to Secure Boot bypass","url":"https://kb.cert.org/vuls/id/457458"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":85,"published_date":"2026-06-18T19:09:21+00:00","severity":"medium","source_name":"Dark Reading","summary":"The threat group's curious business model may combine opportunistic monetization alongside intel collection, without much coordination between the two.","title":"Operation Escaneo Signals Shift in LatAm Threat Landscape","url":"https://www.darkreading.com/cybersecurity-operations/operation-escaneo-signals-shift-latam-threat-landscape"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":86,"published_date":"2026-06-18T18:20:07+00:00","severity":"medium","source_name":"Dark Reading","summary":"A hacker could have \"Rickrolled\" the World Cup \u2014 or worse \u2014 thanks to FIFA's unenforced Entra access controls.","title":"FIFA Bug Exposes World Cup Streams to Remote Takeover","url":"https://www.darkreading.com/application-security/fifa-bug-world-cup-streams-remote-takeover"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":595,"published_date":"2026-06-18T18:05:44+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"submitted by /u/Ecstatic_Priority514 [link] [comments]","title":"CVE-2026-5667: Unauthenticated Remote Control of Mitsubishi MAC-577IF-2E WiFi Adapters via Probe Request Reconnaissance","url":"https://www.reddit.com/r/netsec/comments/1u9dncq/cve20265667_unauthenticated_remote_control_of"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. 
High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":2,"published_date":"2026-06-18T17:37:58+00:00","severity":"medium","source_name":"Krebs on Security","summary":"For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a \"residential proxy\" provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].","title":"\u2018Popa\u2019 Botnet Linked to Publicly-Traded Israeli Firm","url":"https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":87,"published_date":"2026-06-18T16:49:04+00:00","severity":"critical","source_name":"Dark Reading","summary":"Klue's Battlecards is now the third integrated application that has been compromised to steal customers' Salesforce data, and victims include Huntress, the cybersecurity vendor.","title":"Salesforce Data Thefts Continue via Klue App Compromise","url":"https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. 
Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":112,"published_date":"2026-06-18T14:54:38+00:00","severity":"medium","source_name":"Decipher","summary":"The campaign is not the result of a compromise of Fortinet itself, but rather involves the attackers testing a custom list of known passwords for Fortinet devices.","title":"FortiBleed Credential Theft Campaign Marches On","url":"https://decipher.sc/2026/06/18/fortibleed-credential-theft-campaign-marches-on"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":264,"published_date":"2026-06-18T14:45:55+00:00","severity":"medium","source_name":"Rapid7","summary":"Security leaders are facing an unusual set of circumstances. The drumbeat for better security prioritization has been rising for years in boardrooms around the world. The desire is there, but the processes of the past aren\u2019t meeting the needs of the new moment we find ourselves in. That gap is not a technology problem. It's an operating model problem. At the opening keynote of Rapid7\u2019s 2026 Global Cybersecurity Summit, Craig Adams, Chief Product Officer, Rapid7, Brian Castagna, CSO, Rapid7 and IDC\u2019s Research VP, Craig Robinson framed a simple idea: cyber defense needs to start earlier. For more on this, download our new ebook, Preemptive Security: From Resilience to Action. Complexity is outpacing control Security environments have never been more connected or more difficult to manage. Cloud adoption, SaaS sprawl, third-party dependencies, and identity growth have expanded the attack surface in ways most programs were not designed to handle. Many teams have responded by adding more tools and more telemetry. This has resulted in more fragmentation, more dashboards, and more opportunities for important information to slip through the cracks. 
Teams are spending more time stitching context together than they are effectively reducing risk. This shows up in daily operations with analysts moving between multiple systems to validate alerts, and leaders lacking the clear picture to explain risk to the business. In a time when exposure management and detection & response can live on one platform, that level of fragmentation makes no sense. Reactive security creates operational drag The traditional model still dominates most security programs. It goes like this (stop us if you\u2019ve heard this before): 1) Detect an alert. 2) Investigate. 3) Contain. 4) Recover. 5) Repeat, forever. Sounds simple, right? And it worked great when environments were simpler and attackers moved slower. That is no longer the case. Today, initial access often happens quietly through identity abuse or misconfiguration. Attack paths form before an alert even fires. By the time a signal reaches the security team, attackers may already be moving laterally or accessing sensitive systems. This creates a cycle of constant response without consistent risk reduction. Teams get better at handling incidents but struggle to remove the conditions that enable them. Security operations centers can receive thousands of alerts per day, many of which are low value or false positives. This leaves analysts spending hours triaging signals instead of focusing on the exposures most likely to lead to impact. More alerts do not make you safer. They create drag. Better context creates better outcomes. The issue is prioritization, not visibility Most organizations are not lacking data. They are lacking the clarity needed to understand the data they have and contextualize it as it relates to their business. Telemetry alone does not answer the question that matters most: what should we do first? 
Attackers look for the most effective path into an environment, often combining smaller weaknesses across assets, identities, and systems until they create meaningful access. Security teams need a similarly connected view, one that helps them understand which exposures are exploitable, which assets are most critical, and how those risks relate across the environment. When teams can see that full picture, they can focus remediation on the issues most likely to be used in a real attack, making risk reduction more targeted, efficient, and defensible. The result is effort without impact. Why security needs to start earlier The summit\u2019s keynote message is direct: meaningful action must move earlier in the lifecycle. Preemptive Security introduces an operating model designed for that shift. It connects four core elements: Exposure management to identify and prioritize risk Managed detection and response (MDR) to monitor and act Artificial intelligence to reduce noise and accelerate analysis Human expertise to validate and decide Together, these capabilities create a system that acts before risk becomes impact. Instead of waiting for alerts, teams identify likely breach paths. Instead of reacting to incidents, they reduce exposure ahead of time. Instead of managing disconnected tools, they operate with shared context and clear priorities. Detection and response becomes one leg of the stool with exposure management taking the lead in reducing risk before it becomes an emergency. What changes for security leaders For CISOs and security leaders, this shift means designing programs around likely attack paths, not isolated findings. It means prioritizing investments based on risk reduction, not tool coverage and enabling teams to act decisively without increasing headcount or complexity. It also changes how success is measured. The goal is fewer surprises, faster containment and reduced exposure before exploitation. 
It means starting earlier, to increase the likelihood of success. These are outcomes the business understands. A new starting point for security Ultimately, the environment has changed faster than the operating model. So the operating model needs to change. Luckily, there\u2019s a proven path forward that can prevent the attacks from bad actors already moving in earlier, using technology to scale their operations, and exploiting small weaknesses to get a foothold. Preemptive Security provides the framework to close that gap. It helps teams reduce noise, focus on what matters, and act with confidence before disruption occurs. Security does not start with an alert. It starts with understanding risk early enough to do something about it. Watch the keynote on demand or download the eBook, Preemptive Security: From Resilience to Action, to explore the model in more detail.","title":"Why Security Teams Need To Start Earlier","url":"https://www.rapid7.com/blog/post/it-why-security-teams-need-to-start-earlier"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":88,"published_date":"2026-06-18T13:00:00+00:00","severity":"medium","source_name":"Dark Reading","summary":"Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?","title":"Get Out of Security Debt by Tackling the Exposure Problem","url":"https://www.darkreading.com/cyber-risk/security-debt-tackle-exposure-problem"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":452,"published_date":"2026-06-18T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"The following document describes identified vulnerabilities in the Shynet application version 0.13.1.","title":"Shynet | VERSION 0.13.1","url":"https://bishopfox.com/blog/shynet-version-0-13-1"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":134,"published_date":"2026-06-18T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Different code deserves different levels of oversight, so calibrate your approach to \u2018vibe coding\u2019 accordingly.","title":"The 'vibe coding spectrum' approach to AI-assisted software development","url":"https://www.ncsc.gov.uk/blogs/the-vibe-coding-spectrum-approach-to-ai-assisted-software-development"},{"category":"Industry/Policy","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":135,"published_date":"2026-06-18T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Organisations using Fortinet services are being urged to take action following a campaign affecting firewalls and VPN gateways.","title":"Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways","url":"https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research with strong malware analysis track record.","created_at":"2026-07-02 03:55:49","id":172,"published_date":"2026-06-18T10:00:05+00:00","severity":"medium","source_name":"Cisco Talos","summary":"Cisco Talos detailed a new approach to reverse engineering that pairs 
local AI agents with traditional analysis tools like the VB6 disassembler vbdec. Instead of awkwardly bolting AI onto the software, vbdec exposes its parsed data through a live COM interface.","title":"Scripting the disassembler: Local agentic reverse engineering through vbdec\u2019s live COM object model","url":"https://blog.talosintelligence.com/scripting-the-disassembler"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":200,"published_date":"2026-06-18T09:46:32+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"ESET Research shares the results of a months-long investigation into the suite of EDR killers maintained by the RaaS gang Gentlemen","title":"Killing me gently: Inside Gentlemen\u2019s EDR killer framework","url":"https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":89,"published_date":"2026-06-18T07:00:00+00:00","severity":"medium","source_name":"Dark Reading","summary":"\"Shield-6G\" will combine AI threat detection, digital twins, honeypots, and more, to help carriers protect 6G networks against the threats of tomorrow.","title":"EU Gets a Head Start in Developing 6G Network Security","url":"https://www.darkreading.com/cybersecurity-operations/eu-6g-network-security"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":385,"published_date":"2026-06-18T07:00:00+00:00","severity":"critical","source_name":"Huntress","summary":"Huntress was one of many vendors impacted by a recent incident at Klue. We dug into the incident to figure out what happened.","title":"Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress","url":"https://www.huntress.com/blog/klue-breach-investigation"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":508,"published_date":"2026-06-18T03:22:51+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In March 2026, the financial consulting and advisory firm CFGI was the target of a ShinyHunters \"pay-or-leak\" extortion campaign. The group subsequently publicised data allegedly obtained from CFGI comprising corporate contact information, including 243k unique email addresses, names, phone numbers and physical addresses.","title":"CFGI - 248,235 breached accounts","url":"https://haveibeenpwned.com/Breach/CFGI"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":291,"published_date":"2026-06-18T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Continuing our Agent ID series, this post demonstrates how a privileged agent could be compromised through its third-party blueprint. 
This leads to a cross-tenant incident similar to Midnight Blizzard, since an attacker with control over an agent blueprint can authenticate as any agent associated with that blueprint.","title":"Entra Agent ID: Inside a cross-tenant agent compromise","url":"https://securitylabs.datadoghq.com/articles/agent-id-inside-agent-compromise"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":120,"published_date":"2026-06-17T21:02:44+00:00","severity":"medium","source_name":"CERT Vulnerability Notes","summary":"Overview The SignalRGB kernel driver, SignalIo.sys, contains two vulnerabilities involving improper access control and unsafe memory handling. The device object is created with an overly permissive Discretionary Access Control List (DACL) that allows user-mode processes to access privileged hardware operations through input/output control (IOCTL) commands. Additionally, several IOCTL handlers are susceptible to NULL pointer dereference conditions, which further enables low-privilege users to trigger kernel crashes and cause Denial of Service (DoS). Version 1.3.7.0 of the SignalRGB driver remediates these vulnerabilities. Description SignalRGB is a Windows application used for RGB lighting control and hardware monitoring. Its kernel component, SignalIo.sys, provides the low-level interfaces required to access and interact with hardware resources. The SignalIo.sys driver exposes privileged functionality intended for administrative or security operations, but the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices by using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, thereby allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. 
CVE-2026-8049 The \\\\.\\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issue privileged IOCTLs. CVE-2026-8050 Seven of the sixteen IOCTL handlers dereference the SystemBuffer pointer without first verifying that it is non-NULL. Sending an IOCTL with an empty input buffer causes a NULL pointer dereference, resulting in a kernel crash. Impact The device's insufficient access control enables user-mode interaction with privileged IOCTL interfaces and sensitive driver functionality, including read/write access to the PCI configuration space of system devices. Additionally, an authenticated local attacker can trigger repeated kernel crashes by accessing the \\\\.\\SignalIo device and sending NULL input buffers to any of the seven vulnerable IOCTLs. Notably, the affected SignalRGB drivers already include custom kernel-enforced port whitelists to block I/O access to several high-risk ports, which helps to limit the scope of sensitive operations available through the IOCTL interface. Solution SignalRGB has remediated these vulnerabilities in the recent 1.3.7.0 driver release. Users and organizations should update and/or block the previous vulnerable driver version where possible and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft's recommended driver block rules, and enabling protections such as Windows Defender Application Control (WDAC) or an equivalent EDR solution for your environment. Acknowledgements Thanks to Shravan Kumar Sheri for researching and reporting this vulnerability, and to SignalRGB for their prompt engagement and remediation efforts. 
This document was written by Molly Jaconski.","title":"VU#380058: SignalRGB kernel driver contains improper access control and IOCTL vulnerabilities","url":"https://kb.cert.org/vuls/id/380058"},{"category":"Phishing & Social Engineering","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":596,"published_date":"2026-06-17T20:10:41+00:00","severity":"medium","source_name":"Reddit r/netsec","summary":"I've been reversing the 2M+ user Volume Booster Chrome extension and found something interesting. Between v1.0.3 (2025-06-27) and v1.0.4 (2025-07-02), the extension added: \"content_scripts\": [{ \"matches\": [\"<all_urls>\"], \"js\": [ \"vendor/GiveFreely-content.umd.js\", \"content-script.js\" ] }] The previous version was essentially a small audio booster. The newer version introduces a Give Freely / Wildlink component that appears to support merchant detection, affiliate attribution, and donation campaigns. No new permissions were added, meaning existing users would have received the update automatically without a new Chrome permission approval prompt. I've also found the same Give Freely / Wildlink infrastructure in multiple unrelated extensions, which makes me think it's being distributed as a white-label monetization/fundraising SDK. I'm still investigating and considering whether this is worth adding to MalExt. At this point I don't have evidence of malware, credential theft, or anything overtly malicious, just a significant expansion of functionality in a 2M-user extension. Curious what others think. Is this a transparency/privacy concern, or just a normal extension monetization model? Any opinions or prior research on Give Freely / Wildlink would be appreciated so I can add it to malext.io. submitted by /u/Huge-Skirt-6990 [link] [comments]","title":"Worth a MalExt Report? 
A 2 Million-User Chrome Extension Added Give Freely/Wildlink in a 5-Day Update","url":"https://www.reddit.com/r/netsec/comments/1u8l66d/worth_a_malext_report_a_2_millionuser_chrome"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":90,"published_date":"2026-06-17T19:46:25+00:00","severity":"medium","source_name":"Dark Reading","summary":"And one of those basics is focusing on sectors where a ransomware disruption creates immediate pressure to pay up, like with healthcare.","title":"INC Ransomware Thrives by Mastering the Basics","url":"https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"University of Toronto \u2014 gold-standard surveillance/spyware research. NSO Group, Predator, Pegasus. filter_uncategorized drops political commentary, keeps classified threat research.","created_at":"2026-07-02 03:55:55","id":424,"published_date":"2026-06-17T19:15:12+00:00","severity":"medium","source_name":"The Citizen Lab","summary":"Senior legal advisor Siena Anstis and senior researcher John Scott-Railton spoke with Forbes about the lagging safeguards that let spyware proliferate. The post How Freedom Tech Is Pushing Back Against Digital Authoritarianism appeared first on The Citizen Lab.","title":"How Freedom Tech Is Pushing Back Against Digital Authoritarianism","url":"https://citizenlab.ca/how-freedom-tech-is-pushing-back-against-digital-authoritarianism"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Established security journalism, enterprise-focused analysis. 
filter_uncategorized drops vendor press releases and thought-leadership fluff.","created_at":"2026-07-02 03:55:47","id":91,"published_date":"2026-06-17T14:06:34+00:00","severity":"medium","source_name":"Dark Reading","summary":"Attackers are actively targeting various sectors across nearly 200 countries and already have compiled a list of working credentials for tens of thousands of compromised devices.","title":"Sweeping Credential-Harvesting Heist Compromises 30K+ Fortinet Devices","url":"https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":386,"published_date":"2026-06-17T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Huntress Managed ISPM finds and closes Microsoft 365 identity gaps before attackers do. Learn why visibility isn't enough and what real identity hardening takes.","title":"Why Your Organization Needs ISPM","url":"https://www.huntress.com/blog/why-your-organization-needs-ispm"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":179,"published_date":"2026-06-17T13:38:55+00:00","severity":"medium","source_name":"Check Point Research","summary":"Key Points Introduction In this research, we analyze a clipboard hijacker campaign that is hidden inside a collection of \u201csolutions\u201d and \u201ctools\u201d that claim to give users an unfair advantage. 
These offers include Solana and Pump.fun sniper bots (automated tools that try to buy new tokens or meme coins faster than other traders), Aviator Predictor [\u2026] The post From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker appeared first on Check Point Research.","title":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker"},{"category":"Supply Chain","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":113,"published_date":"2026-06-17T13:22:27+00:00","severity":"medium","source_name":"Decipher","summary":"The unknown threat actor gained unauthorized access to legitimate npm accounts, allowing them to inject malicious dependencies into widely used packages.","title":"Mastra AI Hit By npm Compromise","url":"https://decipher.sc/2026/06/17/mastra-ai-hit-by-npm-compromise"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. 
Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":191,"published_date":"2026-06-17T13:00:35+00:00","severity":"medium","source_name":"SentinelOne","summary":"SentinelOne\u2019s Purple AI Agentic Investigation, now GA, solves the SOC investigation capacity gap with zero-click, machine-speed alert analysis.","title":"The Agentic SOC: Solving Security\u2019s Investigation Capacity Crisis in the Frontier AI Era","url":"https://www.sentinelone.com/blog/frontier-ai-and-agentic-soc"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":136,"published_date":"2026-06-17T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Dr Richard Horne highlighted the scale of cyber threats against the UK\u2019s critical infrastructure at RUSI\u2019s Annual Security Lecture.","title":"NCSC CEO: Hostile states linked to three-quarters of cyber attacks affecting UK's critical systems","url":"https://www.ncsc.gov.uk/news/ncsc-ceo-hostile-states-linked-to-three-quarters-of-cyber-attacks"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":265,"published_date":"2026-06-17T11:20:10+00:00","severity":"medium","source_name":"Rapid7","summary":"Executive summary Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor \"Dropping Elephant,\" characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). 
This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of \"Donut\" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls. The revamped RAT significantly complicates detection by using control-flow flattening, runtime API reconstruction, and hardened C2 communications. Despite these modifications, Rapid7's deep analysis confirms this activity is a direct evolution of Dropping Elephant's tradecraft, based on shared beaconing patterns, screenshot logic, and command-handler structures. This discovery underscores the importance of proactive threat hunting and memory-level visibility in detecting modern, low-footprint implants. Rapid7 is actively monitoring the infrastructure and tradecraft associated with this actor so we can provide comprehensive protection and intelligence to our customers. Defenders should not rely on the IOCs alone. The most durable detection opportunities in this campaign are the behaviors: a shortcut file spawning PowerShell, files staged in C:\\Users\\Public\\, a scheduled task named GoogleErrorReport executing every minute, and Fondue.exe loading APPWIZ.cpl from C:\\Users\\Public\\ rather than a legitimate Windows directory. Because the final RAT is loaded directly into memory through Donut, defenders should also review whether their endpoint tooling can detect memory-resident payloads and security-control patching within a process, including AMSI, WLDP, and ETW tampering. Overview During a proactive threat hunt, Rapid7 identified a malicious Windows shortcut that matched activity previously associated with Dropping Elephant. The shortcut used a China energy-sector contract lure and led to a payload chain that shared the family\u2019s delivery patterns but ended in a substantially reworked RAT. 
The decoy document was a contract completion and acceptance notice for the GRES-3 project and referenced delivery of industrial seawater circulation pump systems. Because the final payload differed significantly from known samples, Rapid7 analyzed the chain from the initial shortcut through the final in-memory RAT. Luckily, during the analysis, the staging server was active, which allowed us to download all attack artifacts. The recovered files use Fondue.exe, a legitimate Microsoft binary, to side-load a malicious loader. The loader decrypts an AES-wrapped payload stored on disk. The decrypted payload contains a Donut shellcode loader that embeds the final RAT and uses the Chaskey block cipher as part of its payload protection scheme. Donut then decrypts the final 32-bit native RAT, maps it, and executes it in memory. We found that the final RAT differs significantly from older Dropping Elephant RAT samples. The malware uses control-flow flattening, runtime API reconstruction, and static CRT linking to complicate analysis. It also hardens C2 communications through HTTPS transport, Salsa20-protected C2 fields, and additional environment checks. Despite these changes, code-level comparison still identifies shared lineage with a Dropping Elephant RAT reference sample through command-handler structure, screenshot capture logic, WININET request flow, beaconing patterns, and repeated buffer constants. Technical analysis and observed attacker behavior Figure 1: Full delivery chain from LNK to in-memory RAT Stage 1: GRES3001.lnk The attack starts when a user executes GRES3001.lnk, a malicious Windows shortcut disguised as a PDF. When opened, the shortcut spawns an obfuscated PowerShell downloader using conhost.exe. The PowerShell uses basic string-splitting obfuscation (e.g., iw''r, g''c''i, r''e''n, c''p''i, and &(g''cm sch*)) to evade keyword detection. 
The downloader connects to the staging server chinagreenenergy[.]org and retrieves the decoy GRES3001.pdf along with additional malware files. It immediately opens the China energy-sector lure document to distract the victim while staging the remaining payloads in the background. Figure 2: GRES3001.lnk structure showing conhost.exe proxy, Edge icon spoof, and embedded PowerShell downloader Figure 3: GRES-3 contract completion decoy document used as victim lure Stage 2: Payload staging Several payload files are downloaded with junk extensions such as .ezxzez, .cypyly, and .dzlzlz, then renamed by stripping filler characters to reconstruct Fondue.exe, APPWIZ.cpl, msvcp140.dll, and vcruntime140.dll in C:\\Users\\Public\\. The encrypted payload editor.dat is written to the C:\\Windows\\Tasks\\ folder.
File | Path | Description | SHA256
GRES3001.pdf | C:\\Users\\Public\\ | Decoy document | 56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317
Fondue.exe | C:\\Users\\Public\\ | Legitimate Microsoft side-loading host | b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1
APPWIZ.cpl | C:\\Users\\Public\\ | Malicious loader DLL | 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6
editor.dat | C:\\Windows\\Tasks\\ | Base64 text wrapping AES-256-CBC ciphertext | a5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406b
Table 1: Files retrieved from the staging server After staging the files, the script creates a scheduled task named GoogleErrorReport, configured to run Fondue.exe every minute. It then deletes the original shortcut, leaving the scheduled task to trigger the next execution stage through the Fondue.exe side-loading chain. &(gcm sch*) /create /Sc minute /tn GoogleErrorReport /tr \"$b\\Public\\Fondue\" Figure 4: Scheduled task creation command using gcm sch* obfuscation Stage 3: DLL side-loading Fondue.exe loads the malicious APPWIZ.cpl staged alongside it in the C:\\Users\\Public\\ directory. 
The side-loaded APPWIZ.cpl exports RunFODW, the function expected by Fondue.exe. RunFODW serves as the loader entry point and continues the payload chain by reading and decrypting editor.dat. Stage 4: Encrypted payload and Donut loader APPWIZ.cpl (SHA-256: 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6) carries the original filename bluetooth_callback.dll in its PE metadata. Figure 5: APPWIZ.cpl PE metadata showing original filename bluetooth_callback.dll It reads editor.dat, Base64-decodes it, and decrypts the result with AES-256-CBC via Windows CNG (bcrypt.dll). The 32-byte key and 16-byte IV are assembled on the stack from immediate mov operands: KEY (32B): 1f1e1d1c1b1a101108090a0b0c0d0e0f00020405040102031011121415181611 IV (16B): 000803030902060708090a0b0c0d0e0f The loader maps the shellcode into an RWX memory region using VirtualAlloc followed by a memcpy call. Then it transfers execution indirectly by passing the shellcode address as the callback argument to EnumUILanguagesW. Figure 6: EnumUILanguagesW callback proxy transferring execution to Donut shellcode The decrypted output is a Donut shellcode blob, not the final RAT. Donut uses Chaskey-CTR to protect the embedded PE, maps it in memory, resolves imports, applies relocations, and transfers execution without writing the RAT to disk. Before running the payload, Donut patches AMSI, WLDP, and ETW inside the current process, reducing in-memory scanning, code-integrity checks, and event telemetry for the unpacked RAT. The final payload is a native 32-bit C++ implant (SHA-256: 7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54). It runs entirely in memory after the Donut stage maps it. At startup, the RAT first calls FreeConsole() to detach from any console so nothing shows up on screen. After that, it resolves its required APIs dynamically through a LoadLibrary / GetProcAddress loop. After API resolution, the RAT stages its crypto and builds the C2 hostname, gcl-power[.]org. 
The cipher is Salsa20, and the key material is hardcoded. It is a 32-byte key tn9905083tfbsxqrxs7qe4ryw1nif8h1 with the 8-byte nonce lPvymwIk. Next, it calls the sub_40F4A0 subroutine, which walks the running process list and checks each entry against a built-in list of debuggers, sandbox tools, and VM artifacts. During debugging, we observed the process scan; however, the implant continued normally without killing security processes. Both the process scan and the public-IP geolocation check executed during dynamic testing without triggering self-termination. The RAT still reported the full process list in the mkeoldkf beacon field, exposing debuggers, sandbox tools, and other analysis artifacts to the operator. After the process scan, the malware creates a mutex \u201ckshdkfhskdfjkhsdkfhsjkdfhkj\u201d to prevent reinfection and reduce duplicate-process noise. Finally, the RAT fingerprints the host, derives its bot ID, and enters sub_415750(), where it begins polling for commands from the C2 server. Unfortunately, the C2 was already down during the analysis. Host fingerprinting Before beaconing, the RAT collects seven fields describing the victim host and packs them into the registration POST body: Field Meaning umnome Username pmjodf Computer name idkdfjej Bot ID / cid vrjdmej OS version ndlpeip Public IP and country cokenme Country mkeoldkf Full running-process list Table 2: RAT registration beacon fields and their meaning During fingerprinting, the RAT makes a one-time call to api.ipify.org to learn the host's own public IP, then passes that IP to ip2c.org to resolve the country. The user-agent used in the recon phase is Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36. The bot ID is not hardcoded. It is derived at runtime from the host and submitted in the idkdfjej field. Each field is independently wrapped as base64url(Salsa20(base64url(value))). 
Command and control The RAT periodically sends HTTPS POST requests to the C2 server on port 443 (INTERNET_FLAG_SECURE). It uses a 23-character token, RRn926EmIRfm9IlJyP1yVO2, for C2 traffic to gcl-power[.]org. Each beacon loop iteration follows the same pattern: POSTs dine=<cid> to the command-poll endpoint /prjozifvkpkfhkr/gedhagammgjvvva/; blocks on InternetReadFile while waiting for a task; treats MMMMM==YYYYY as the idle sentinel, sleeps for approximately three seconds, and re-polls; C2 tasks are wrapped in < > ( ) * delimiters. The RAT strips these characters and decodes the payload back to the original command using base64url(Salsa20(base64url(value))) again. Figure 7: RAT beacon loop showing connectivity check, command poll, and idle sentinel handling Each cycle, the RAT first confirms the host is actually online by quietly pinging google.com, yahoo.com, and cloudflare.com. Only if that succeeds does it beacon to its C2. When all is well it checks in every 10 seconds; if a check-in fails it retries every 2 seconds until it recovers. Operator capabilities During our analysis we confirmed 5 command handlers. Token Capability Behavior fl Directory listing Recursively enumerates files dw Download and execute Fetches a file, writes it to disk, and runs it sc Screenshot Captures the virtual screen with BitBlt, encodes it with WIC, and exfiltrates it to a dedicated endpoint. This behavior is command-gated, not periodic. cmx Shell execution Runs cmd.exe /c chcp 65001 | <cmd> and captures stdout uf File upload Exfiltrates a specified file Table 3: Confirmed RAT command handlers with dispatch tokens and behavior The RAT identifies tasks by looking for command tokens in the C2 response. Each token is followed by the delimiter ==zz==oo==pp==. For example, fl==zz==oo==pp== tells the RAT to run the file-listing handler. 
Anti-analysis The RAT uses several anti-analysis techniques, including control-flow flattening, opaque predicates, dynamic API resolution, stack-built strings, static CRT linking, process blacklist checks, CPUID hypervisor checks, VM artifact checks, and public-IP geolocation checks. Figure 8: Control-flow flattening dispatcher skeleton in decompiler output During dynamic testing, the process scan and public-IP geolocation checks executed without triggering self-termination. The RAT built its registration beacon with the full process list in the mkeoldkf field and attempted to send it to gcl-power[.]org. The connection returned HTTP 522, so the beacon did not reach the origin server during testing. Based on this run, we can confirm the environment checks and reporting behavior. Unfortunately, we cannot determine whether the operator would have killed the session, continued tasking, or taken another action after receiving the process list. The full list of processes and security tools can be found in the IOCs section below. Attribution To test whether the RAT delivered by Donut was related to Dropping Elephant, we compared it with a known family sample documented by Arctic Wolf in July 2025: SHA-256 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2. That report provides the family context for the reference sample. BinDiff produced low signal, with 8.6% overall similarity. We do not treat this as evidence against shared lineage. The new sample uses control-flow flattening, which changes the control-flow graph structure that BinDiff depends on. Therefore we also compared the samples with Diaphora, using pseudocode and AST-level features less affected by control-flow flattening. Diaphora identified four function-level overlaps that pointed to shared code. 
Functionality Shared traits Command execution Similar allocation, encoding, formatting, and POST structure; repeated use of the 0x2710 buffer constant Screenshot handling Same GDI screenshot pattern, including GetSystemMetrics values 78 and 79 and BitBlt with 0xCC0020; the newer sample uses WIC instead of GDI+ for encoding C2 connection Same WININET request flow: open, connect, open request, send request, read response; the newer sample moves from HTTP to HTTPS with INTERNET_FLAG_SECURE Shell execution Shared hidden-window execution and cmd.exe /c chcp 65001 output-capture pattern Table 4: Code-level overlaps between editor.extracted.exe and old_rat.exe identified by Diaphora The LNK lure and delivery chain also resemble prior Dropping Elephant reporting, including PowerShell staging, legitimate binary abuse, scheduled task persistence, extension manipulation during downloads, and DLL side-loading. These overlaps supported the initial hypothesis, but the payload comparison provides the primary evidence for the lineage assessment. 
Mitigation guidance MITRE ATT&CK techniques Tactic Technique Observable Initial Access Phishing: Spearphishing Attachment [T1566.001] Malicious GRES3001.lnk used as the initial lure artifact; no email artifact recovered Execution User Execution: Malicious File [T1204.002] User opens GRES3001.lnk Execution Command and Scripting Interpreter: PowerShell [T1059.001] LNK launches conhost.exe, which starts the PowerShell downloader Execution Command and Scripting Interpreter: Windows Command Shell [T1059.003] RAT cmx handler runs cmd.exe /c chcp 65001 | <cmd> Persistence Scheduled Task/Job: Scheduled Task [T1053.005] GoogleErrorReport runs C:\\Users\\Public\\Fondue.exe every minute Defense Evasion Hijack Execution Flow: DLL Side-Loading [T1574.002] Fondue.exe loads the malicious APPWIZ.cpl staged alongside it Defense Evasion Masquerading: Match Legitimate Name or Location [T1036.005] Edge icon spoofing, GoogleErrorReport task name, staging in C:\\Users\\Public\\ Defense Evasion Obfuscated Files or Information [T1027] Junk file extensions, string splitting, encrypted payload container, encoded C2 fields Defense Evasion Reflective Code Loading [T1620] Donut maps the final PE in memory without writing it to disk Defense Evasion Impair Defenses: Disable or Modify Tools [T1562.001] Donut patches in-process AMSI and WLDP functions before payload execution Defense Evasion Virtualization/Sandbox Evasion: System Checks [T1497.001] CPUID, VM artifact, process blacklist, and public-IP geolocation checks Discovery Process Discovery [T1057] RAT enumerates running processes and sends the process list in mkeoldkf Discovery System Information Discovery [T1082] RAT collects username, computer name, OS version, and host profile fields Discovery System Network Configuration Discovery [T1016] RAT obtains public IP through api.ipify.org Discovery System Location Discovery [T1614] RAT queries ip2c.org for country/geolocation Discovery File and Directory Discovery [T1083] fl handler enumerates 
files Collection Screen Capture [T1113] sc handler captures the virtual screen with BitBlt and encodes it with WIC Collection Data from Local System [T1005] uf handler exfiltrates files; fl handler lists local files Command and Control Application Layer Protocol: Web Protocols [T1071.001] HTTPS C2 traffic to gcl-power[.]org Command and Control Data Encoding: Standard Encoding [T1132.001] C2 fields use Base64 wrapping Command and Control Encrypted Channel: Symmetric Cryptography [T1573.001] C2 field content is protected with Salsa20 Command and Control Ingress Tool Transfer [T1105] Initial staging downloads and dw download-and-execute capability Exfiltration Exfiltration Over C2 Channel [T1041] Host fingerprinting, screenshots, command output, and files leave over the C2 channel Indicators of compromise (IOCs) File hashes SHA-256 File Comment a8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7 GRES3001.lnk Initial-access shortcut; launches conhost.exe \u2192 PowerShell downloader 56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317 GRES3001.pdf Decoy lure document b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1 Fondue.exe Legitimate Microsoft side-loading host 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6 APPWIZ.cpl Malicious side-loaded loader; exports RunFODW 718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263 msvcp140.dll Bundled VC++ runtime; verify against known-good 09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94 vcruntime140.dll Bundled VC++ runtime; verify against known-good a5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406b editor.dat Base64-wrapped AES-256-CBC encrypted payload file ecab0e747bff16a1163bbd9bb494e68dd4d7ca655ac7279bd4dd73221f7df57c editor.decrypted.bin AES-decrypted Donut loader blob 7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54 editor.extracted.exe Final RAT, carved from memory Network indicators Indicator Type Notes 
chinagreenenergy.org Domain Staging and delivery server https://chinagreenenergy.org/doc/35566/SXxls URL Decoy PDF download https://chinagreenenergy.org/doc/list/load-list/dfe87bbc-53e0-489f-a9e6-ab8f4be47cb9 URL Fondue.exe download https://chinagreenenergy.org/doc/list/load-list/8daaa3e4-c85e-40c1-a2a2-94679e94c417 URL APPWIZ.cpl download https://chinagreenenergy.org/doc/list/load-list/ecdc6b92-62b5-4acd-99f2-af09902938e1 URL msvcp140.dll download https://chinagreenenergy.org/doc/list/load-list/e7477b17-45f0-420b-b2b1-811d4c1556ea URL vcruntime140.dll download https://chinagreenenergy.org/doc/list/load-list/000bd4a8-814d-414c-8be8-f0c77a9c7e1e URL editor.dat download gcl-power.org Domain Operational C2 over HTTPS/443 /prjozifvkpkfhkr/ URI path Registration / check-in /prjozifvkpkfhkr/gedhagammgjvvva/ URI path Command polling endpoint /prjozifvkpkfhkr/spxbjdhxtapivrk/ URI path Screenshot exfiltration endpoint api.ipify.org Domain Public-IP lookup used during host fingerprinting ip2c.org Domain Geolocation lookup used during host fingerprinting More IOCs can be found on our GitHub. Conclusion The campaign analyzed in this blog demonstrates continued Dropping Elephant operational investment and tooling development. The actor reused recognizable delivery patterns, including a China-themed lure, PowerShell-based staging, scheduled task persistence, shortcut-based execution, and DLL side-loading through a trusted Microsoft binary. At the same time, it evolved the final payload into a more evasive, memory-resident implant. The final RAT represents a notable evolution from previously documented Dropping Elephant tooling. It executes entirely in memory, patches AMSI, WLDP, and ETW before running, and incorporates additional obfuscation and anti-analysis techniques that make detection and analysis more difficult. For defenders, the practical takeaway is that Dropping Elephant\u2019s tooling may be changing faster than its operational approach. 
Hashes, filenames, and infrastructure are likely to change across campaigns, but the path into execution still creates opportunities to detect and disrupt the activity before the final implant runs.","title":"Malware \u00e0 la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain","url":"https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research. Caveat: mixed with commercial marketing \u2014 filter_uncategorized drops partnership promos and thought-leadership fluff.","created_at":"2026-07-02 03:55:48","id":169,"published_date":"2026-06-17T05:00:00+00:00","severity":"medium","source_name":"CrowdStrike Blog","summary":"","title":"After Executive Order 14409: Next Steps for Securing AI","url":"https://www.crowdstrike.com/en-us/blog/after-executive-order-14409-next-steps-for-securing-ai"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":235,"published_date":"2026-06-17T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Explore the state digital surveillance risk landscape. Learn how governments use spyware, AI, and network interception to monitor travelers and how to mitigate these risks.","title":"State Digital Surveillance Risk Landscape","url":"https://www.recordedfuture.com/research/state-digital-surveillance-risk-landscape"},{"category":"Vulnerability/CVE","confidence":"LOW","confidence_reason":"User-submitted link aggregator, no editorial review. Signal varies wildly by submitter.","created_at":"2026-07-02 03:56:04","id":597,"published_date":"2026-06-16T20:26:26+00:00","severity":"high","source_name":"Reddit r/netsec","summary":"Absolutely wild find by Argus-Systems. 
A remote authentication bypass hiding in OpenBSD's kernel PPP stack since it was imported from FreeBSD in July 1999. An attacker could essentially bypass authentication via a null-auth flaw and intercept/read PPPoE traffic without credentials. It survived every single release for nearly three decades until the patch. OpenBSD already released a patch. submitted by /u/Emergency_Stable_923","title":"27 Years in the Dark: OpenBSD Fixes Ancient Remote Kernel Auth Bypass","url":"https://www.reddit.com/r/netsec/comments/1u7p4rj/27_years_in_the_dark_openbsd_fixes_ancient_remote"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":387,"published_date":"2026-06-16T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"A ClickFix infection drops Potemkin loader and RMMProject RAT, leading to browser theft, hidden remote desktop, and lateral movement across over 11 hosts.","title":"Potemkin Loader & RMMProject The Anatomy of a ClickFix Attack","url":"https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":453,"published_date":"2026-06-16T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"A single unauthenticated request can kill SolarWinds Serv-U, and the heap corruption underneath it looked like it could be more. Bishop Fox chased three separate roads to remote code execution and hit a wall on every one. 
Here is what we found, why it matters, and how to detect exposure safely.","title":"A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318","url":"https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serv-u-cve-2026-28318"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":157,"published_date":"2026-06-16T10:00:29+00:00","severity":"high","source_name":"Unit42 Palo Alto","summary":"Unit 42 discovered a Vertex AI Python SDK vulnerability that allows remote code execution via bucket squatting. Read the article for more.","title":"Pickle in the Middle \u2013 Hijacking Vertex AI Model Uploads for Cross-Tenant RCE","url":"https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model"},{"category":"Uncategorized","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":314,"published_date":"2026-06-16T09:00:11+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Since late 2025, malware has been spreading rapidly through the Steam Workshop, the gaming platform's built-in service for players to create and share custom content. The attackers are primarily targeting gamers in China and Russia.","title":"Dozens of malicious wallpapers found on Steam Workshop: gamers\u2019 accounts at risk","url":"https://securelist.com/dozens-of-malicious-wallpapers-found-on-steam-workshop/120186"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. 
filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":201,"published_date":"2026-06-16T08:54:04+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"ESET researchers have discovered SprySOCKS for Windows, FishMonger\u2019s backdoor weaponizing a kernel driver for advanced stealthiness","title":"FishMonger\u2019s arsenal upgraded: SprySOCKS for Windows","url":"https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":292,"published_date":"2026-06-16T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"In this post, we walk through different threats to Salesforce and how to detect them.","title":"Mapping out your unknown: A threat hunter\u2019s guide to Salesforce","url":"https://securitylabs.datadoghq.com/articles/mapping-out-your-unknown-threat-hunters-guide-to-salesforce"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":158,"published_date":"2026-06-15T23:00:19+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Attackers can move from access to exfiltration in 72 minutes. Learn how modern SOC teams close the speed gap with Unit 42's AI-driven automation, threat hunting, MDR and Managed XSIAM. 
","title":"Inside the Modern SOC: The 72-Minute Race","url":"https://unit42.paloaltonetworks.com/soc-72-minute-race"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":509,"published_date":"2026-06-15T19:30:15+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searchable. Individuals can view any records captured against their email address in the stealer logs section of their dashboard. Organisations can see logs affecting their domain via the stealer logs API.","title":"June 2026 Stealer Logs - 56,278,397 breached accounts","url":"https://haveibeenpwned.com/Breach/June2026StealerLogs"},{"category":"Supply Chain","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":266,"published_date":"2026-06-15T17:29:15+00:00","severity":"medium","source_name":"Rapid7","summary":"The NIS2 directive asks covered organizations to take a more structured approach to risk management, governance, supply chain security, and incident reporting. It expands the scope of who may be covered, raises expectations around management body accountability, introduces clearer and more enforceable requirements, and increases pressure on organizations to show that security is being managed in a consistent, defensible way. 
Reporting timelines are one of the most visible parts of that shift, with early warning required within 24 hours of awareness for significant incidents, incident notification within 72 hours, and a final report within one month. It also arrived in a landscape that is still uneven, with member states continuing to implement the directive in different ways across the EU. That combination has created a familiar challenge for CISOs and security teams, as the questions coming from boards and leadership are no longer just about whether the organization understands the regulation, but whether it can meet the requirements in practice. NIS2 reaches into risk management, reporting, governance, and supply chain oversight, which means readiness depends on how well security works across the business, not just on how well a policy is written. That is why the most useful way to think about NIS2 is as an operational resilience exercise. Compliance still matters, of course, and teams need to know what the directive requires. What tends to make the difference over time is whether security leaders can connect those requirements to the real conditions of the environment: what is exposed, where ownership sits, how incident response works in practice, how supply chain risk is monitored, and how quickly the organization can move when something material happens. Regulations are easier to absorb than operating model changes. A team may understand that NIS2 raises expectations around governance and incident handling, while still finding it difficult to answer basic questions quickly when pressure rises. Which business services are most critical? Which third parties matter most? Who owns the decision when a serious issue lands? How prepared are we to investigate, communicate, and report inside the timelines the directive expects? Those are the questions that separate a compliance project from a resilience program. 
That is also why we have been building practical content to help teams move from interpretation to action. Our ebook is the best place to start if you want the wider context. It is designed to help security leaders understand what NIS2 means in practical terms, how to think about the directive beyond a narrow checklist, and how to connect compliance obligations to a broader resilience strategy. If your team needs a stronger narrative for internal stakeholders, or a clearer way to explain why NIS2 should influence operational priorities, the ebook is the most useful first read. Next, our infographic, seen below, is the quickest asset to use when you need to communicate one of the most tangible parts of NIS2: the 24-hour reporting requirement. Some stakeholders need the long-form explanation. Others need a practical view of what has to happen between incident awareness and early notification. The infographic helps teams bring that operational pressure into planning conversations, leadership updates, and internal alignment without requiring everyone to start with a longer asset first. Taken together, these assets are useful because they serve different parts of the same problem. The ebook gives you a strategic view and the infographic helps communicate the big picture quickly and clearly. Enforcement expectations, reporting maturity, and national interpretation continue to evolve, and security teams are working through those changes at the same time as the wider threat landscape becomes more complex. A stronger response starts with clarity, but it needs to move quickly into coordination, ownership, and repeatable process if it is going to hold up under pressure. If your organization is still treating NIS2 as a point-in-time compliance exercise, now is a good moment to widen the lens. The directive is pushing security leaders beyond a comply-once approach and toward a model of being continuously secure. 
Teams that build better visibility, stronger governance, and clearer response processes for NIS2 will be better prepared not only for regulatory scrutiny, but for the wider operational demands that are already shaping the market.","title":"NIS2 is raising the bar. Here\u2019s how to turn readiness into resilience.","url":"https://www.rapid7.com/blog/post/so-nis2-compliance-turn-readiness-into-resilience"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":267,"published_date":"2026-06-15T17:24:20+00:00","severity":"medium","source_name":"Rapid7","summary":"If your organization operates in the EU, or works with organizations that do, NIS2 is no longer something on the horizon. It is here and it applies to a far wider range of sectors than its predecessor, the original NIS Directive (Directive (EU) 2016/1148), and it comes with real consequences for organizations that cannot demonstrate they are meeting its requirements. The good news? You do not have to figure out how to approach it alone. Rapid7 has developed a dedicated NIS2 resource page that shows how the Command Platform can support key technical and operational aspects of NIS2 readiness, highlights common security program gaps, and explains where our solutions can help strengthen visibility, prioritization, detection, and reporting readiness. It is not a substitute for the broader organizational, legal, and governance measures the directive also requires, but it can be a useful starting point if you are evaluating your security capabilities and want a clearer picture of where tooling can support your approach. If you are in the early stages of assessing readiness, or further along and looking for a clearer view of the technical side, it is worth 10 minutes of your time. What are the NIS2 requirements organizations need to meet? 
NIS2, formally Directive (EU) 2022/2555, expands the scope of EU cybersecurity regulation significantly. More sectors are covered, the requirements are more demanding, and, crucially, the expectations have shifted from \"do you have policies in place?\" to \"can you demonstrate that your controls actually work, continuously?\". Article 21 mandates specific risk-management measures, including risk analysis, incident handling, business continuity, supply chain security, vulnerability handling, access control, and policies regarding the use of cryptography and encryption. Article 23 introduces strict incident reporting timelines: an early warning within 24 hours, a full notification within 72 hours, and a detailed report within one month of a significant incident. For many security teams, these timelines necessitate a shift in operational readiness. Timely and accurate incident reporting requires pre-established detection workflows, investigation processes, and contemporaneous documentation practices to be in place prior to an incident. NIS2 also raises the stakes at a leadership level. Executive accountability for cybersecurity is now formalised. This is not just a technical team problem. It is a governance issue that touches CISOs, boards, and senior leadership across every in-scope organization. Why traditional compliance approaches fall short of NIS2 Many security programs were designed around a different set of expectations: periodic vulnerability scans, annual audits, and compliance reports that reflected a moment in time rather than ongoing operational health. NIS2 necessitates a move toward continuous, defensible risk management. This involves maintaining comprehensive asset visibility, identifying threat-aware exposures with high likelihood of exploitability, and validating the effectiveness of detection capabilities to support regulatory reporting requirements. 
It is a meaningful operational shift, and it is exactly the kind of shift where having the right platform and the right partner matters. How does Rapid7 support NIS2 compliance? Rapid7 views NIS2 as an operational readiness challenge. The objective is to assist organizations in transitioning from periodic compliance assessments to continuous resilience: a sustained, measurable security posture designed to support regulatory alignment and strengthen defense-in-depth against emerging threats. The platform integrates exposure management, vulnerability management, cloud security, SIEM, and managed detection and response to provide broad support for the core requirements of Article 21 within a unified, connected view of risk. That means organizations can move from scattered, point-in-time security activity to continuous visibility, threat-informed prioritization, faster incident workflows, and the kind of evidence and reporting that NIS2 and regulators actually demand. A few areas where this makes a real difference: Knowing what you are actually exposed to Rapid7 is positioned as a Leader in the 2025 Gartner\u00ae Magic Quadrant\u2122 for Exposure Assessment Platforms, a technology category fundamental to the Continuous Threat Exposure Management (CTEM) framework, which supports the proactive risk-management objectives of NIS2. Surface Command provides centralized visibility across internal and external environments, supporting the identification of unmanaged assets, shadow IT, and security control gaps that may otherwise remain undetected. Exposure Command utilizes active risk scoring and attack path analysis to identify and prioritize exposures based on reachability and threat context, helping teams focus remediation efforts on high-impact risks. Responding and reporting faster Rapid7's SIEM and MDR capabilities are designed to support the detection, investigation, and reporting speed necessitated by NIS2. 
24/7 monitoring and managed response facilitate the capture of essential telemetry and investigation trails within the SIEM, streamlining the evidence collection process for regulatory reporting. Demonstrating that controls work NIS2 is not satisfied by a list of tools you have purchased. It wants evidence that your controls are effective. Rapid7 provides continuous risk scoring, detection metrics, and audit-ready reporting that translates security activity into governance-ready language for leadership and regulators. Where to go next for NIS2 readiness This post covers the highlights, but Rapid7's NIS2 resource page goes much deeper. It walks through each of Article 21's requirements in plain language, maps them to specific Rapid7 capabilities, and shows how the platform supports risk analysis... MFA monitoring, and technical assessment of cryptographic configurations. Whether you are a CISO seeking a strategic overview, a security manager evaluating technical controls, or a compliance lead mapping regulatory requirements to platform capabilities, our guidance is designed to support your objectives. NIS2 is operational; your approach to resilience should be as well. NIS2 is operational and your readiness should be too. See how Rapid7 supports NIS2 compliance here.","title":"Does Your Security Programme Align With NIS2 Requirements?","url":"https://www.rapid7.com/blog/post/so-aligning-security-programmes-with-nis2-requirements"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":268,"published_date":"2026-06-15T14:44:28+00:00","severity":"high","source_name":"Rapid7","summary":"Security leaders rarely struggle to gather data, but they often struggle to turn that data into something clear and meaningful for the business. 
In a typical week, a CISO might receive a report listing hundreds or even thousands of vulnerabilities, most of them accompanied by CVSS scores that make the entire list look urgent, while also managing the wider set of operational, regulatory, and strategic demands that already come with the role. That difficulty becomes more obvious when the same information has to be carried into the boardroom, where the questions are rarely about CVE IDs or exploit counts in isolation. What leadership wants to understand is whether the organization\u2019s revenue, uptime, legal exposure, or broader resilience could be affected, and how quickly those risks need to be addressed. This is where many security programs lose momentum, because the technical view of severity does not always line up neatly with the business view of consequence. Bridging that gap has traditionally been slow, manual work, which is one reason AI is starting to matter more in vulnerability management: it can help translate technical findings into business context that is clearer, faster to act on, and easier for leadership to understand. Why CVSS alone does not reflect real-world business risk For years, the industry has relied on CVSS as a quick way to judge urgency, and while the framework does account for factors such as attack vector, attack complexity, and other attack requirements, the score is still calculated in isolation and often misses the conditions that shape real risk inside an organization. A CVSS 9.8 vulnerability affecting a legacy printer in a segmented branch office may look critical on paper, but it is unlikely to carry the same business impact as a 7.5 vulnerability affecting an internet-facing database that holds sensitive customer data. 
One of the long-standing weaknesses of static scoring is that it tells you how severe a flaw may be in theory, but not how much disruption it could cause in your own environment, how exposed the affected asset is, or how closely it is tied to a revenue-generating or business-critical process. That is where AI becomes more useful, because it can add the missing context that helps security teams judge not just how serious a vulnerability looks, but how much it matters in practice. Machine learning models can now process a much broader set of inputs, including attacker activity, exploit availability, internal network topology, and the business value attached to the asset or process involved. Rather than leaving teams with a static queue of scores, that creates a live view of risk shaped by reachability, exposure, and business consequence, making it easier to separate technical severity from actual organizational risk. How AI helps connect vulnerabilities to business impact One of the more practical ways AI can improve vulnerability management is by helping security teams connect technical findings to the parts of the business they actually affect. A vulnerability tied to an obscure IP address may not mean much on its own, but the picture changes quickly when that asset is identified as part of a regional payment system, a customer-facing portal, or a supply chain application the business depends on. That kind of asset attribution has traditionally taken time, context, and manual investigation. AI can help shorten that process by linking technical findings to business function much more quickly. Instead of relying only on severity scores or yesterday\u2019s alerts, AI can weigh a broader set of signals, including exploit activity, attacker behavior, asset exposure, and internal topology, which gives security teams a more grounded way to judge where risk is most likely to become operationally significant. 
The benefit is not simply speed, but a clearer picture of which vulnerabilities are most likely to affect revenue, uptime, or business continuity if they are left unresolved. At the leadership level, this same approach can help turn a large volume of technical output into something more usable. Rather than forcing CISOs to manually translate thousands of low-level alerts into board-facing language, AI can support that reporting by summarizing likely business impact, highlighting where exposure is growing, and making it easier to explain how remediation work is reducing financial and operational risk. Two vulnerabilities, two very different business outcomes To see how this plays out in practice, it helps to compare two vulnerabilities that might appear similarly urgent in a standard scanner, but look very different once business context is added. Vulnerability A: The ghost in the machine A scanner flags a CVSS 9.8 critical remote code execution flaw in an aging media server. On paper, that score suggests immediate attention. Once more context is added, the picture changes. The asset sits on a segmented guest Wi-Fi VLAN, has no path to the corporate core, and has not been linked to in-the-wild exploitation for more than two years. In practical terms, the business impact is low. The issue still needs to be addressed, but it is unlikely to justify urgent remediation ahead of higher-consequence exposures. Vulnerability B: The quiet threat A second finding carries a lower CVSS 7.2 high severity score, but affects a common web framework running on the organization\u2019s primary customer portal. When AI correlates that vulnerability with asset and business context, the risk profile changes quickly. The portal is identified as a critical business process, estimated to support $250,000 in transactions per hour, while external signals point to growing exploit interest around the same framework. In that case, the business impact is far more serious. 
What looks like a lower-priority technical issue becomes a potential source of revenue disruption measured in millions per day. This is where AI-assisted prioritization becomes useful. It helps teams move beyond the assumption that the highest score always deserves the fastest response and instead focus on the vulnerabilities most likely to create operational or financial harm. In practice, that means spending less time working through a queue in score order and more time reducing the exposures that matter most to the business. How AI helps CISOs explain vulnerability risk in business terms When security leaders can move beyond reporting how many patches were deployed and begin showing how exposure is changing in financial or operational terms, the conversation becomes much more useful. A reduction in mean time to remediate may matter to a security team, but it carries more weight at the leadership level when it is tied to a lower likelihood of downtime, reduced regulatory exposure, or less risk to a revenue-generating service. When vulnerability data is tied to business context, it becomes easier to justify automation, tooling, or headcount based on their contribution to resilience, continuity, and measurable risk reduction, rather than on activity alone. At that level, the conversation is less about severity scores and more about what is exposed, what it could affect, and where action matters most. One of the more practical benefits of AI is that it can help security teams explain risk in a way leadership can act on. Instead of adding another layer of technical output, it can support clearer reporting on why one issue matters more than another, what is most likely to affect the business, and where action should come first. As attack surfaces expand and exploit timelines continue to shrink, the gap between technical findings and business understanding will only become harder to manage. 
Organizations that can connect those two views more effectively will be in a much stronger position to prioritize the right work, explain risk more clearly, and make vulnerability management a more meaningful part of business decision-making.","title":"Beyond the Score: Using AI to Translate CVEs into Real-World Business Risk","url":"https://www.rapid7.com/blog/post/ai-beyond-the-score-translating-cves-into-real-business-risk"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":388,"published_date":"2026-06-15T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"A compromised terminal server became a phishing stager. A fake Boots survey aimed at 8.9 million inboxes, with the payload on a hacked Bolivian government site.","title":"The Devil, Eight Million Emails, and a Whole Lot of Milk | Phishing Stager Exposed","url":"https://www.huntress.com/blog/terminal-server-phishing-stager-exposed"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":180,"published_date":"2026-06-15T13:40:44+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 15th June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The University of Nottingham, a UK research university, has suffered a data breach after ShinyHunters accessed its student records system. 
The incident affected about 454,600 current and former students and exposed contact details, [\u2026] The post 15th June \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"15th June \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/15th-june-threat-intelligence-report"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":202,"published_date":"2026-06-15T08:55:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"A phishing kit subverting Microsoft\u2019s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages","title":"EvilTokens: A phishing attack that doesn\u2019t steal your password","url":"https://www.welivesecurity.com/en/cybercrime/eviltokens-phishing-doesnt-steal-password"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research. Caveat: mixed with commercial marketing \u2014 filter_uncategorized drops partnership promos and thought-leadership fluff.","created_at":"2026-07-02 03:55:48","id":170,"published_date":"2026-06-15T05:00:00+00:00","severity":"medium","source_name":"CrowdStrike Blog","summary":"","title":"CrowdStrike Announces Continuous Identity for AI Agents","url":"https://www.crowdstrike.com/en-us/blog/crowdstrike-announces-continuous-identity-for-ai-agents"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. 
Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":510,"published_date":"2026-06-15T04:09:04+00:00","severity":"high","source_name":"Have I Been Pwned","summary":"In March 2026, the commercial real estate finance company Berkadia was the target of a ShinyHunters \"pay or leak\" extortion campaign. The group subsequently published data they alleged was taken from Berkadia's Salesforce instance, including over 300k unique email addresses as well as names, physical addresses and phone numbers, among other data.","title":"Berkadia - 305,216 breached accounts","url":"https://haveibeenpwned.com/Breach/Berkadia"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":511,"published_date":"2026-06-15T01:03:42+00:00","severity":"high","source_name":"Have I Been Pwned","summary":"In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters \"pay or leak\" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of \"names and contact information for school staff\" and that \"the majority is directory information commonly found on school websites\".","title":"Infinite Campus - 137,123 breached accounts","url":"https://haveibeenpwned.com/Breach/InfiniteCampus"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. 
Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":293,"published_date":"2026-06-15T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"This post explores four vectors for threat actors to abuse Azure Storage to maliciously encrypt victim blobs, including step-by-step explanations and event codes for detection.","title":"Holding blobs for ransom: Four methods for Azure Storage ransomware","url":"https://securitylabs.datadoghq.com/articles/azure-blob-storage-ransomware-four-methods"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":269,"published_date":"2026-06-13T00:22:18+00:00","severity":"high","source_name":"Rapid7","summary":"New Tracing Options As hard as we try to ensure that Metasploit is bug free, issues inevitably come up. Whether you\u2019re running a module on an op or writing a new one, what we can do is make the debugging experience easier. To that end, one of our two Google Summer of Code (GSoC) projects is here to deliver. Building on the previous pattern of HttpTrace come two new options, KerberosTicketTrace and CertificateTrace. These options, when enabled, will enable debugging output of Kerberos tickets and certificates that are both sent and received by applicable modules. Now when things aren\u2019t going quite right, users have new levers to reach for to inspect what\u2019s happening under the hood. 
For example, to inspect exactly what\u2019s happening when using the auxiliary/admin/kerberos/get_ticket module: msf auxiliary(admin/kerberos/get_ticket) > set KerberosTicketTrace true KerberosTicketTrace => true msf auxiliary(admin/kerberos/get_ticket) > run [*] Running module against 192.168.159.10 [*] 192.168.159.10:88 - Getting TGT for smcintyre@msflab.local #################### # Kerberos Request: AS-REQ #################### Protocol Version: 5 Message Type: 10 (AS-REQ) Pre-Authentication Data: Entry[0]: Type: 128 (PA_PAC_REQUEST) Value: [binary 7 bytes: 3005a0030101ff] Request Body: KDC Options: Value: 1082195984 Flags: - FORWARDABLE - RENEWABLE - CANONICALIZE - RENEWABLE_OK Client Name: Name Type: 1 (NT_PRINCIPAL) Name String: - smcintyre Realm: MSFLAB.LOCAL Server Name: Name Type: 1 (NT_PRINCIPAL) Name String: - krbtgt - MSFLAB.LOCAL Till: 2026-06-12T18:21:36Z Rtime: 2026-06-12T18:21:36Z Nonce: 6831592 Encryption Type: - 18 (AES256) - 17 (AES128) - 23 (RC4_HMAC) - 3 (DES_CBC_MD5) - 16 (DES3_CBC_SHA1) #################### # Kerberos Response: KRB-ERROR #################### Protocol Version: 5 Message Type: 30 (KRB-ERROR) Server Time: 2026-06-11T18:21:36Z Server Microseconds: 862696 Error Code: Name: KDC_ERR_PREAUTH_REQUIRED Value: 25 Description: Additional pre-authentication required Realm: MSFLAB.LOCAL Server Name: Name Type: 1 (NT_PRINCIPAL) Name String: - krbtgt - MSFLAB.LOCAL Error Data: [binary 87 bytes: 30553032a103020113a22b04293027301ea003020112a1171b154d53464c41422e4c4f43414c736d63696e747972653005a0030201173009a103020102a20204003009a103020110a20204003009a10302010fa2020400] #################### # Kerberos Request: AS-REQ #################### Protocol Version: 5 Message Type: 10 (AS-REQ) Pre-Authentication Data: Entry[0]: Type: 2 (PA_ENC_TIMESTAMP) Value: [binary 67 bytes: 3041a003020112a23a0438724f4965bd3deb1f061e807b616a09b613f59d9a6749eaee895e2ec3ed3045403cb28874acaa371681e3957a3ec23879141411ba788886f3] Entry[1]: Type: 128 (PA_PAC_REQUEST) Value: 
[binary 7 bytes: 3005a0030101ff] Request Body: KDC Options: 1350565888 Client Name: Name Type: 1 (NT_PRINCIPAL) Name String: - smcintyre Realm: MSFLAB.LOCAL Server Name: Name Type: 1 (NT_PRINCIPAL) Name String: - krbtgt - MSFLAB.LOCAL Till: 2026-06-12T18:21:36Z Rtime: 2026-06-12T18:21:36Z Nonce: 7068778 Encryption Type: - 18 (AES256) - 23 (RC4_HMAC) #################### # Kerberos Response: AS-REP #################### Protocol Version: 5 Message Type: 11 (AS-REP) Pre-Authentication Data: Entry[0]: Type: 19 (PA_ETYPE_INFO2) Value: [binary 34 bytes: 3020301ea003020112a1171b154d53464c41422e4c4f43414c736d63696e74797265] Client Realm: MSFLAB.LOCAL Client Name: Name Type: 1 (NT_PRINCIPAL) Name String: - smcintyre Ticket: Ticket Version Number: 5 Realm: MSFLAB.LOCAL Server Name: Name Type: 1 (NT_PRINCIPAL) Name String: - krbtgt - MSFLAB.LOCAL Encrypted Part: Encryption Type: 18 (AES256) Key Version Number: 2 Cipher: [binary 1098 bytes: 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] Encrypted Part: Encryption Type: 18 (AES256) Key Version Number: 3 Cipher: [binary 271 bytes: 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] [+] 192.168.159.10:88 - Received a valid TGT-Response [*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20260611142136_default_192.168.159.10_mit.kerberos.cca_918073.bin #################### # Kerberos Credential: TGT #################### Creds: 1 Credential[0]: Server: krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL Client: smcintyre@MSFLAB.LOCAL Ticket etype: 18 (AES256) Key: 58b969939485b53dee75e4399253524d132cc2ca145f4da4e4951c04a843e544 Subkey: false Ticket Length: 1188 Ticket Flags: 0x50e10000 (FORWARDABLE, PROXIABLE, RENEWABLE, INITIAL, PRE_AUTHENT, CANONICALIZE) Addresses: 0 Authdatas: 0 Times: Auth time: 2026-06-11 14:21:36 -0400 Start time: 2026-06-11 14:21:36 -0400 End time: 2026-06-12 00:21:36 -0400 Renew Till: 2026-06-12 14:21:36 -0400 Ticket: Ticket Version Number: 5 Realm: MSFLAB.LOCAL Server Name: 
krbtgt/MSFLAB.LOCAL Encrypted Ticket Part: Ticket etype: 18 (AES256) Key Version Number: 2 Cipher: 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 [*] Auxiliary module execution completed msf auxiliary(admin/kerberos/get_ticket) > Stay tuned for future enhancements like KerberosTicketTraceLevel which should have verbosity toggles such as meta, ticket, and full. We\u2019d like to thank our GSoC contributors eve0805 and Pushpenderrathore for their hard work on this project. Upcoming Evasion Module Changes Metasploit is currently reconsidering the UX of evasion modules, whereby users are currently required to use the module, set the payload, run it, then return to their exploit and copy the generated output from the evasion module into the exploit. This is a cumbersome process and we think we can do better, but before we commit to a direction, we are soliciting feedback from the community on what they think would be the best path forward. To that end, we\u2019ve published a writeup of the options we\u2019re considering and a form through which we\u2019re hoping to receive feedback. The form contains 3 questions and will be open until July 1st, 2026. New module content (1) ClickFix Server Authors: boredchilada and h00die Type: Exploit Pull request: #21212 contributed by h00die Path: multi/misc/clickfix_server Description: Adds a new Metasploit exploit module exploit/multi/misc/clickfix_server that runs an HTTP server to deliver a \"ClickFix\"-style social-engineering page which copies a generated command payload to the victim\u2019s clipboard that they are prompted to execute. Enhancements and features (9) #21008 from EclipseAditya - Adds kernel_rex_version to Msf::Post::Linux::Kernel, a new helper that extracts the upstream kernel version from uname -r and returns a Rex::Version. This eliminates an ArgumentError crash that occurred when 15+ Linux local exploit modules encountered distro-specific kernel version suffixes. 
#21198 from Pushpenderrathore - This adds a CertificateTracePresenter, implementing certificate tracing using the presenter pattern aligned with existing Metasploit conventions. This can be enabled by setting the CertificateTrace datastore option when using modules like icpr_cert and get_ticket to see the X.509 certificates being sent and received. #21222 from g0tmi1k - Standardizes the log output across many Metasploit modules to improve the host and port log details when IPv6 addresses are present. #21266 from zeroSteiner - This improves how we log SMB services. If the service is detected but authentication fails, the client still logs what dialect was negotiated, so we log the service even if we couldn't authenticate to it. #21383 from zeroSteiner - This bumps Ruby SMB to version 3.1.21 and closes a feature gap between Ruby SMB and the Rex SMB client. With the feature gap closed, modules/auxiliary/admin/smb/samba_symlink_traversal.rb can now be switched from Rex to the RubySMB client. One less module in the way of dropping the ancient Rex client. #21466 from eve0805 - This introduces KerberosTicketTrace support as a datastore option for Metasploit's Kerberos authentication flows. Enabling KerberosTicketTrace allows users to see the following requests and responses as they are sent and received: AS-REQ, AS-REP, TGS-REQ, TGS-REP, KRB-ERROR. Inbound messages are colored blue and outgoing messages are colored red to match the existing HttpTrace functionality. The coloring can be turned off and on with the KerberosTicketTraceColors datastore option. #21528 from h00die - This PR updates Metasploit module metadata by adding Exploit-DB (EDB) reference IDs to existing modules that already have CVE references, improving cross-referencing for higher-fidelity vulnerability tracking. #21535 from adfoster-r7 - Updates multiple HTTP login scanners to validate the remote target as a pre-requisite to running the login attempts. 
#21554 from sjanusz-r7 - Make WebDAV upload PHP exploit checks less strict. Bugs fixed (4) #20618 from Aaditya1273 - Updates the MSSQL modules to no longer crash when running stored procedures like EXEC sp_linkedservers; against a remote host. #21543 from sjanusz-r7 - Addresses a recent issue stemming from the recently-made changes to the webdav upload php module, where a false positive was being reported based on only the response code. #21549 from 4ravind-b - Adds the missing https://github.com/advisories/GHSA-hxj9-549w-4pcq reference to modules/auxiliary/scanner/smtp/smtp_relay.rb. #21557 from adfoster-r7 - Fixes a db_import crash when importing zip files. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com. Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.136...6.4.137 Full diff 6.4.136...6.4.137 If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro","title":"Weekly Metasploit Update: New Kerberos/Certificate tracing options, and multiple new modules","url":"https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-13-06-2026"},{"category":"Uncategorized","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":159,"published_date":"2026-06-12T22:00:14+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Unit 42 has discovered a new macOS Tahoe 26 forensic artifact that tracks user menu selections across the operating system. Learn more here. 
The post Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered appeared first on Unit 42.","title":"Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered","url":"https://unit42.paloaltonetworks.com/new-macos-artifact-discovered"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"High-quality primary vulnerability research with fast disclosure cadence. Quality exception \u2014 newer brand, authoritative output.","created_at":"2026-07-02 03:55:58","id":434,"published_date":"2026-06-12T20:35:13+00:00","severity":"critical","source_name":"watchTowr Labs","summary":"Three posts? In three days? Are we insane? We're home alone, there's no one to stop us, and we're up past bedtime. So, we need to talk about Splunk. On June 10th, Splunk published this CVE-2026-20253 advisory: It has everything that we","title":"Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)","url":"https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"University of Toronto \u2014 gold-standard surveillance/spyware research. NSO Group, Predator, Pegasus. filter_uncategorized drops political commentary, keeps classified threat research.","created_at":"2026-07-02 03:55:55","id":425,"published_date":"2026-06-12T17:31:57+00:00","severity":"medium","source_name":"The Citizen Lab","summary":"Citizen Lab director Ron Deibert spoke to Politiken about the spyware industry, calling it \u201ca symptom that something is fundamentally wrong.\u201d The post Who Watches the Watchers? appeared first on The Citizen Lab.","title":"Who Watches the Watchers?","url":"https://citizenlab.ca/who-watches-the-watchers"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Emergent threat response team. 
Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":270,"published_date":"2026-06-12T13:43:04+00:00","severity":"critical","source_name":"Rapid7","summary":"Overview On June 10, 2026, Oracle published a security alert for CVE-2026-35273, a critical vulnerability in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. Oracle released an out-of-band patch the same day as the advisory, underscoring the urgency of remediation. The vulnerability has a CVSSv3.1 score of 9.8 and is remotely exploitable without authentication. Per the vendor advisory, successful exploitation may result in remote code execution (RCE). TrendAI has classified the underlying flaw as a server-side request forgery (CWE-918). PeopleTools versions 8.61 and 8.62 are affected. CVE-2026-35273 was reported to Oracle through TrendAI's Zero Day Initiative. According to a report published by Mandiant on June 11, 2026, this vulnerability has been exploited in the wild as a zero-day prior to the vendor security alert, with active exploitation observed between May 27 and June 9, 2026, predating Oracle's advisory by two weeks. The vulnerability was added to the CISA KEV on June 12, 2026. Mandiant has attributed the campaign to UNC6240 (ShinyHunters), a financially motivated cybercriminal collective known for data theft and extortion. ShinyHunters has been linked to breaches across cloud services, SaaS platforms, and telecommunications providers, frequently exploiting weak authentication controls, stolen credentials, and cloud misconfigurations rather than deploying sophisticated malware. Based on information published by Mandiant, the campaign heavily targeted the higher education sector; 68 percent of the more than 100 notified organizations were universities and colleges. 
The observed exploitation targeted PeopleSoft's Environment Management Hub (PSEMHUB) endpoints, and data stolen during the campaign was published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026. The /PSIGW/HttpListeningConnector URI path appears in both the indicators of compromise for this campaign and in a PeopleSoft exploit chain for CVE-2013-3821, detailed by Lexfo in 2017. A related XML External Entity (XXE) vulnerability, CVE-2017-3548, targeted a different Integration Gateway connector (PeopleSoftServiceListeningConnector) under the same /PSIGW/ path. Technical overview TrendAI's detection signatures for CVE-2026-35273 classify the underlying vulnerability as an SSRF. These include IPS Rule 1012580 (\"Oracle Peoplesoft PeopleTools SSRF Vulnerability\") and DDI Rule 5855 (\"Peoplesoft PeopleTools Environment Management Hub (PSEMHUB) SSRF Exploit\"). Mandiant describes CVE-2026-35273 as a critical remote code execution vulnerability, indicating that the SSRF serves as the mechanism through which code execution is achieved. Based on Mandiant's analysis, two endpoints are involved in exploitation: /PSEMHUB/hub and /PSIGW/HttpListeningConnector. The exploit chain may also cause the target system to make outbound SMB connections (TCP port 445) to external destinations, potentially allowing attackers to capture Windows machine-account NetNTLM hashes. Post-exploitation activity observed by Mandiant included the deployment of MeshCentral (an open-source, and self-hosted web-based remote monitoring and management platform) remote management agents configured to masquerade as Microsoft Azure services (e.g., meshagent64-azure-ops.exe), with C2 communications directed to wss://azurenetfiles[.]net:443/agent.ashx. The attackers performed internal reconnaissance of PeopleSoft configurations, deployed lateral movement scripts, and exfiltrated data using zstd compression. 
Mitigation guidance Organizations running PeopleTools versions 8.61 or 8.62 should apply the vendor-supplied patch on an emergency basis, without waiting for a regular patch cycle to occur. Oracle has characterized this as a high-priority risk reduction measure. In addition to patching, organizations should implement the following compensating controls: Disable the Environment Management Hub (EMHub) Service in multi-server configurations, or completely remove the PSEMHUB application in single-server configurations. Block external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Per Mandiant, restricting these endpoints is considered non-breaking for standard end-user PeopleSoft Internet Architecture (PIA) browser sessions. Monitor outbound SMB traffic (TCP port 445) from PeopleSoft servers to untrusted external destinations. Given that exploitation occurred as early as May 27, 2026, Rapid7 strongly recommends investigating for signs of compromise even after patching, using the indicators of compromise outlined below. For the latest mitigation guidance, please refer to the Oracle security alert and Mandiant's report. Rapid7 customers Exposure Command, InsightVM, and Nexpose Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-35273 with authenticated vulnerability checks available in the 12th June 2026 content release. Intelligence Hub Customers leveraging Rapid7's Intelligence Hub can track the latest developments surrounding CVE-2026-35273, including indicators of compromise (IOCs) from the Mandiant report published on June 11, 2026. Indicators of compromise The following indicators of compromise are sourced from Mandiant's report. Mandiant has also published a GTI collection with additional IOCs for registered users. 
Network indicators
Staging and C2 infrastructure:
142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
azurenetfiles[.]net (C2 domain masquerading as Microsoft Azure)
176.120.22[.]24 (ShinyHunters DLS mirror)
File indicators
Filename | Description | SHA-256
meshagent64-azure-ops.exe | Pre-configured Windows MeshCentral agent | f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc
meshagent64-v2.exe | Pre-configured Windows MeshCentral agent | d83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f
meshagent32-azure-ops.exe | Pre-configured Windows MeshCentral agent (32-bit) | c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f
meshagent | Unconfigured Linux MeshCentral agent | 68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309
.bash_history | Attacker command history | 2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35
Host-based indicators
Unexpected .jsp files under <PS_CFG_HOME>/webserv/<domain>/applications/peoplesoft/PSEMHUB.war/
Unauthorized files or directories under .../PSEMHUB.war/envmetadata/transactions/
Unexpected directories named logs, persistantstorage, or scratchpad under PSEMHUB paths
Recently created or modified .xml files under <docroot>/envmetadata/data/environment/ (potential XMLDecoder persistence)
Defacement and extortion marker file: README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
Log-based indicators
HTTP POST requests to the following endpoints from external source IPs:
/PSEMHUB/hub
/PSIGW/HttpListeningConnector
Requests to /PSIGW/HttpListeningConnector containing loopback addresses (127.0.0.1, localhost, ::1) or internal IP ranges within request headers or parameters may indicate SSRF exploitation.
Updates
June 12, 2026: Initial publication. 
June 12, 2026: CVE added to CISA KEV.","title":"Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)","url":"https://www.rapid7.com/blog/post/etr-active-exploitation-of-oracle-peoplesoft-zero-day-cve-2026-35273"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":192,"published_date":"2026-06-12T08:59:49+00:00","severity":"medium","source_name":"SentinelOne","summary":"Learn how SentinelOne empowers modern enterprises to safely adopt Claude with Prompt Security, AI SIEM, and Wayfinder Frontier AI.","title":"SentinelOne + Claude: Integrations for AI Visibility, Governance, and Defense","url":"https://www.sentinelone.com/blog/sentinelone-and-claude-integrations-for-ai-visibility-governance-and-defense"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":389,"published_date":"2026-06-12T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"A recent investigation uncovered an Akira affiliate abusing a website owned by file-sharing app LimeWire for data exfiltration. Here's how the attack unfolded.","title":"Akira, LimeWire, and the Sour Taste of Data Exfiltration","url":"https://www.huntress.com/blog/akira-ransomware-limewire-data-exfiltration"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"High-quality primary vulnerability research with fast disclosure cadence. 
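The log-based and file indicators in the Rapid7 PeopleSoft (CVE-2026-35273) write-up above translate directly into a sweep. What follows is an added example, not Rapid7 or Mandiant code: it checks constructed HTTP request records for external POSTs to the two exploit endpoints and for loopback or internal addresses inside requests to /PSIGW/HttpListeningConnector, and matches file hashes and egress destinations against the published IOCs. The record layout (src, method, uri, headers, body) and the sample requests are assumptions standing in for whatever your web server or proxy actually logs.

```python
'''Added example (not Rapid7 or Mandiant code): an offline sweep over HTTP
request records and file hashes for the CVE-2026-35273 indicators listed
above. The record layout is a constructed stand-in for real web-server logs.'''
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators copied from the Mandiant-sourced IOC list above (defanging removed).
STAGING_AND_C2_IPS = {
    '142.11.200.186', '142.11.200.187', '142.11.200.188',
    '142.11.200.189', '142.11.200.190', '176.120.22.24',
}
C2_DOMAINS = {'azurenetfiles.net'}
MESHAGENT_SHA256 = {
    'f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc',
    'd83fdb9e53c5ff03c4cb0451ea1bebd79b53f29eadc1e2fa394c7af13a86ce2f',
    'c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f',
    '68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309',
    '2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35',
}
EXPLOIT_PATHS = ('/PSEMHUB/hub', '/PSIGW/HttpListeningConnector')
SSRF_SINK = '/PSIGW/HttpListeningConnector'

# Anything that is not a host/IP character separates tokens.
HOST_TOKEN_SPLIT = re.compile(r'[^0-9A-Za-z.:-]+')


def is_internal_host(token: str) -> bool:
    '''True for localhost and loopback/private/link-local IPs (v4 or v6),
    tolerating a trailing :port on IPv4 literals and hostnames.'''
    token = token.strip('[]').lower()
    if token.count(':') == 1:           # host:port, not an IPv6 literal
        token = token.split(':', 1)[0]
    if token == 'localhost':
        return True
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def mentions_internal_host(text: str) -> bool:
    '''Scan free text (header value, query string or body) for internal targets.'''
    return any(is_internal_host(t) for t in HOST_TOKEN_SPLIT.split(unquote_plus(text)) if t)


def check_request(rec: dict) -> list:
    '''rec keys: src, method, uri, headers (dict), body. Returns finding labels.'''
    findings = []
    parts = urlsplit(rec['uri'])
    if rec['method'] == 'POST' and parts.path in EXPLOIT_PATHS and not is_internal_host(rec['src']):
        findings.append('external-post:' + parts.path)
    if parts.path == SSRF_SINK:
        blobs = [parts.query, rec.get('body', '')] + list(rec.get('headers', {}).values())
        if any(mentions_internal_host(b) for b in blobs):
            findings.append('ssrf-internal-target')
    return findings


def check_egress(dst: str) -> bool:
    '''True if an outbound connection target matches staging/C2 infrastructure.'''
    return dst in STAGING_AND_C2_IPS or dst.lower().rstrip('.') in C2_DOMAINS


def check_file(sha256_hex: str) -> bool:
    '''True if a file hash matches a published MeshCentral agent or artefact.'''
    return sha256_hex.lower() in MESHAGENT_SHA256


# Constructed sample records (not real traffic); the external source reuses a
# published staging IP, the internal one is a private address.
SAMPLE_REQUESTS = [
    {'src': '142.11.200.186', 'method': 'POST', 'uri': '/PSEMHUB/hub', 'headers': {}, 'body': ''},
    {'src': '142.11.200.186', 'method': 'POST', 'uri': '/PSIGW/HttpListeningConnector',
     'headers': {'Host': 'hr.example.com'}, 'body': 'to=http%3A%2F%2F127.0.0.1%3A8000%2F'},
    {'src': '10.20.30.40', 'method': 'GET', 'uri': '/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT',
     'headers': {}, 'body': ''},
    {'src': '10.20.30.40', 'method': 'POST', 'uri': '/PSIGW/HttpListeningConnector',
     'headers': {'Host': 'hr.example.com'}, 'body': 'from=ERP&to=HR'},
]


def sweep(records=SAMPLE_REQUESTS) -> dict:
    '''Map record index -> findings, omitting clean records.'''
    hits = {}
    for i, rec in enumerate(records):
        findings = check_request(rec)
        if findings:
            hits[i] = findings
    return hits


if __name__ == '__main__':
    for i, findings in sweep().items():
        print(i, SAMPLE_REQUESTS[i]['src'], SAMPLE_REQUESTS[i]['uri'], findings)
```

The SSRF heuristic is a lead, not proof: internal systems legitimately exchange messages with the Integration Gateway, so triage a hit against the source address and the host-based indicators above. Outbound SMB (TCP 445) to untrusted destinations is a firewall-log check and is not modelled here.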
Quality exception \u2014 newer brand, authoritative output.","created_at":"2026-07-02 03:55:58","id":435,"published_date":"2026-06-12T05:17:20+00:00","severity":"critical","source_name":"watchTowr Labs","summary":"It is yet another day in this parallel universe of security, where the devices we bolt onto the edge of our networks to keep the bad people out are, with remarkable consistency, the exact thing that let the bad people in. While we\u2019ve seemingly had a breather from","title":"Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751)","url":"https://labs.watchtowr.com/marking-your-own-homework-check-point-remote-access-vpn-ikev1-authentication-bypass-cve-2026-50751"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":114,"published_date":"2026-06-12T01:08:11+00:00","severity":"high","source_name":"Decipher","summary":"\u201cBecause this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day,\" said Mandiant researchers.","title":"Oracle Zero-Day Linked to Latest ShinyHunters Attacks","url":"https://decipher.sc/2026/06/11/oracle-zero-day-linked-to-latest-shinyhunters-attacks"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":390,"published_date":"2026-06-11T18:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Huntress traced device code phishing from Tencent Cloud to Kali365, a Microsoft 365 kit that steals tokens and keeps access even after MFA or password resets.","title":"Inside Kali365, a Device Code Phishing Ecosystem | Huntress","url":"https://www.huntress.com/blog/kali365-device-code-phishing-kit"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":121,"published_date":"2026-06-11T14:30:20+00:00","severity":"medium","source_name":"CERT Vulnerability Notes","summary":"Overview A vulnerability has been discovered in the Haskell TLS software stack, commonly used by applications built in the Haskell programming language to securely connect to servers over the internet. Specifically, the library \"crypton-x509-validation\" fails to enforce a key security feature called NameConstraints, an X.509 extension defined in RFC 5280 that lets a PKI restrict which domains a subordinate certificate authority (CA) is allowed to issue certificates for. This vulnerability allows an attacker with access to a name-constrained sub-CA key to create certificates for domains outside that sub-CA's permitted scope that will nonetheless validate successfully in any Haskell TLS client, giving the attacker full visibility of the session. Version 1.9.1 of crypton-x509-validation has been released to address the vulnerability, tracked as CVE-2026-9648. Description Haskell is a programming language often used in enterprise, academic, and financial systems such as banks, insurance companies, and data processing platforms, which use it for backend services like fraud detection, risk modeling, and other sensitive connections. 
The Haskell TLS software stack is the implementation used by Haskell applications to establish secure HTTPS or TLS connections to servers, just like OpenSSL or Go\u2019s TLS libraries do in other ecosystems. A vulnerability has been discovered within the stack: crypton-x509-validation does not enforce the NameConstraints extension that other libraries, such as OpenSSL or Go, do. The description for CVE-2026-9648 is as follows: The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA\u2019s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope. NameConstraints (RFC 5280, section 4.2.1.10) is an extension carried in a CA certificate that tells relying parties exactly which names that CA is allowed to issue certificates for; it is the relying party, not the CA, that enforces it. crypton-x509-validation, which handles certificate validation in Haskell\u2019s TLS connections, ignores these constraints entirely, so it never checks whether a certificate\u2019s Subject Alternative Name (SAN) falls within the subtrees the issuing CA is permitted to cover. This enables a threat actor who gains access to a sub-CA key to issue a certificate that includes a SAN for a protected domain outside that sub-CA\u2019s scope; Haskell clients accept it, enabling full impersonation of those services. Practically, the attacker could set up a web server presenting such a certificate and get Haskell clients to connect to it (which requires being able to intercept or redirect their traffic); the clients complete the handshake, allowing the attacker to capture any credentials or sensitive data transferred during the session. Impact An attacker that successfully exploits CVE-2026-9648 can capture any traffic sent between a Haskell client and their server, potentially giving access to sensitive financial information and enabling credential and secret theft. 
This vulnerability is likely to affect organizations that use delegated PKI structures, in which subordinate CAs are issued to delegated systems or partner organizations and NameConstraints are relied on to bound what those CAs may sign for. This is typical in banks or other financial industries. Solution The vulnerability requires considerable setup and victim interaction in order to be successful, but vulnerable parties should update to version 1.9.1 of crypton-x509-validation as soon as possible, as all prior versions are vulnerable. Because NameConstraints are enforced by the relying party, the fix must be deployed on the Haskell client side; a correctly constrained sub-CA certificate offers no protection to an unpatched client. Acknowledgements Thanks to the reporter, Ben Smyth. This document was written by Christopher Cullen.","title":"VU#862559: crypton-x509-validation Haskell libraries do not enforce X.509 NameConstraints","url":"https://kb.cert.org/vuls/id/862559"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":181,"published_date":"2026-06-11T13:37:11+00:00","severity":"high","source_name":"Check Point Research","summary":"By Yarden Porat AI agents need memory. Frameworks like LangGraph provide it through checkpointers \u2013 persistence layers that store execution state. But what happens when that persistence layer isn\u2019t locked down? Key Points Background LangGraph is an open-source framework for building stateful, multi-agent AI systems with built-in persistence. It\u2019s an extension of LangChain, with over [\u2026] The post From SQLi to RCE \u2013 Exploiting LangGraph\u2019s Checkpointer appeared first on Check Point Research.","title":"From SQLi to RCE \u2013 Exploiting LangGraph\u2019s Checkpointer","url":"https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
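The CERT note on CVE-2026-9648 above describes the check crypton-x509-validation skips without showing it. The following is an added example, not the library's code: the dNSName part of the RFC 5280 section 4.2.1.10 NameConstraints check, applied across a chain as section 6.1.4 requires, with the vulnerable skip-everything behaviour selectable so the two outcomes can be compared on a constructed PKI (root, a partner sub-CA fenced to partner.example, and leaf names that are all hypothetical). IP, rfc822Name, URI and directoryName subtrees, and signature and validity checks, are out of scope.

```python
'''Added example, not the crypton-x509-validation code: the dNSName part of
the RFC 5280 section 4.2.1.10 NameConstraints check that CVE-2026-9648 says
the library skips, with the skipping behaviour selectable for comparison.
Only dNSName constraints are modelled; other name forms and signature or
validity checks are out of scope here.'''


def dns_in_subtree(name: str, base: str) -> bool:
    '''A dNSName is inside subtree base when it equals base or adds labels on
    the left (www.host.example.com is inside host.example.com, host1.example.com
    is not). A leading dot, the lenient spelling some CAs emit, means
    subdomains only.'''
    name, base = name.lower().rstrip('.'), base.lower().rstrip('.')
    if base.startswith('.'):
        return name.endswith(base)
    return name == base or name.endswith('.' + base)


def dns_names_allowed(sans, permitted, excluded) -> bool:
    '''One CA's constraints: every dNSName SAN must avoid all excluded subtrees
    and, when any permitted subtree is listed, fall inside at least one.'''
    for san in sans:
        if any(dns_in_subtree(san, ex) for ex in excluded):
            return False
        if permitted and not any(dns_in_subtree(san, p) for p in permitted):
            return False
    return True


def validate_chain(leaf_sans, chain, enforce_name_constraints=True) -> bool:
    '''chain: issuing CAs from root down, each a dict with optional
    permitted/excluded dNSName subtree lists. Per RFC 5280 section 6.1.4 the
    constraints of every CA in the path apply to the leaf. Passing
    enforce_name_constraints=False reproduces the vulnerable behaviour.'''
    if not enforce_name_constraints:
        return True
    return all(dns_names_allowed(leaf_sans, ca.get('permitted', ()), ca.get('excluded', ()))
               for ca in chain)


# Constructed PKI: an unconstrained root delegates a sub-CA to a partner,
# fenced to partner.example minus its internal zone. Names are hypothetical.
ROOT = {}
PARTNER_SUB_CA = {'permitted': ['partner.example'], 'excluded': ['internal.partner.example']}
CHAIN = [ROOT, PARTNER_SUB_CA]


def demo():
    '''Returns (legitimate leaf accepted, forged leaf with enforcement,
    forged leaf without enforcement): a compromised partner sub-CA signing
    for login.bank.example is rejected only when constraints are enforced.'''
    legit = validate_chain(['api.partner.example'], CHAIN)
    forged = validate_chain(['login.bank.example'], CHAIN)
    forged_unchecked = validate_chain(['login.bank.example'], CHAIN, enforce_name_constraints=False)
    return legit, forged, forged_unchecked


if __name__ == '__main__':
    print(demo())
```

Note that a single out-of-scope SAN fails the whole certificate, and that an excluded subtree wins over a permitted one; both are the RFC 5280 rules, not an extra strictness added here.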
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":454,"published_date":"2026-06-11T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"PCI DSS v4.0.1 made internal penetration testing more complex, bringing cloud infrastructure, SaaS apps, and build pipelines explicitly into scope. Derek Rush breaks down how to scope a compliant IPT, what to test, and what a QSA-ready deliverable actually looks like in practice.","title":"Enabling Proper PCI Testing with Internal Penetration Tests","url":"https://bishopfox.com/blog/enabling-proper-pci-testing-with-internal-penetration-tests"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":160,"published_date":"2026-06-11T10:00:24+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Protect enterprise AI agents from supply chain risks by auditing third-party skills for hidden vulnerabilities and multi-stage attack chains. The post Trust No Skill: Integrity Verification for AI Agent Supply Chains appeared first on Unit 42.","title":"Trust No Skill: Integrity Verification for AI Agent Supply Chains","url":"https://unit42.paloaltonetworks.com/ai-agent-supply-chain-risks"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. 
filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":203,"published_date":"2026-06-11T08:45:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"A shift in operational pattern of the infamous Vietnam-aligned APT group","title":"OceanLotus: From external espionage to domestic targeting","url":"https://www.welivesecurity.com/en/eset-research/oceanlotus-external-espionage-domestic-targeting"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":294,"published_date":"2026-06-11T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Entra Agent ID is an extension of Entra's application model that provides identities for AI agents. Unlike applications, the agent identity model allows linking a single app registration (blueprint) to multiple identities and their associated privileges, increasing the potential blast radius of a compromised agent.","title":"Entra Agent ID: The blueprint blast radius","url":"https://securitylabs.datadoghq.com/articles/agent-id-blueprint-blast-radius"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":512,"published_date":"2026-06-10T22:13:31+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters \"pay or leak\" extortion campaign. 
Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both \"current students, and alumni\".","title":"University of Nottingham - 454,635 breached accounts","url":"https://haveibeenpwned.com/Breach/UniversityOfNottingham"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"University of Toronto \u2014 gold-standard surveillance/spyware research. NSO Group, Predator, Pegasus. filter_uncategorized drops political commentary, keeps classified threat research.","created_at":"2026-07-02 03:55:55","id":426,"published_date":"2026-06-10T20:32:28+00:00","severity":"medium","source_name":"The Citizen Lab","summary":"Citizen Lab director Ron Deibert gave a keynote speech about the Greek spyware scandal at an event hosted by Eteron think tank in Athens in May. The post Ron Deibert Speaks About \u201cGreek Watergate\u201d appeared first on The Citizen Lab.","title":"Ron Deibert Speaks About \u201cGreek Watergate\u201d","url":"https://citizenlab.ca/ron-deibert-speaks-about-greek-watergate"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":271,"published_date":"2026-06-10T16:26:33+00:00","severity":"medium","source_name":"Rapid7","summary":"Blake McDermott is Senior Threat Hunter at Rapid7. Every week, threat hunt teams are faced with a steady flow of blogs, advisories, and DFIR reports containing valuable intelligence about adversary behaviors, tactics, techniques, and procedures. 
The challenge is turning that intelligence into repeatable, behavior-based hunting logic quickly enough to be useful. Indicators of compromise still have value, but they age quickly. Behavioral detections give defenders a better way to look for how attackers operate, rather than relying only on what they leave behind. To help solve this, Rapid7\u2019s Internal Security team built an automated threat hunting pipeline that transforms threat intelligence reporting into structured, executable hunt plans. The pipeline uses large language models to extract adversary behaviors, map them to MITRE ATT&CK techniques, generate detection queries across multiple tools, and support analyst-ready briefings in minutes rather than days. Why manual threat hunting does not scale A single threat intelligence report can describe dozens of adversary behaviors across multiple ATT&CK techniques. Translating that report into useful hunt logic often requires an analyst to read the full source, identify relevant behaviors, map them to ATT&CK, write queries for each security tool, validate syntax, execute searches, and triage the results. For a report covering 40 to 50 techniques, that process can consume much of a working week. When multiple high-quality reports land at once, manual hunting quickly becomes unsustainable. The goal of this project was to reduce the mechanical work involved in building hunt plans, while keeping analysts in control of validation, interpretation, and decision-making. How the automated threat hunting pipeline works The pipeline runs in four stages, each designed to be inspectable, repeatable, and easy for analysts to refine over time. Stage 1: Threat intelligence ingestion The pipeline accepts a threat intelligence blog or report via URL or pasted text. It extracts the core article body, removes navigation and boilerplate content, and validates the material to ensure there is enough substance for analysis. 
This creates a clean input for the model and reduces the risk of irrelevant page content influencing the output. Stage 2: ATT&CK technique extraction The cleaned content is then sent to a large language model with a structured prompt that instructs it to act as a MITRE ATT&CK analyst. The model identifies adversary techniques referenced in the report and returns each one with its technique ID, technique name, tactic category, and a short summary of how the threat actor used it. The prompt is tuned to focus on offensive behaviors and adversary tradecraft. Defensive recommendations, control guidance, and mitigation strategies are excluded from this specific workflow so the output reflects what the attacker did, rather than what defenders should implement in response. That focus helps preserve the hunting value of the source material while leaving room for separate workflows that generate defensive recommendations or control improvements. For example, when applied to a Rapid7 threat research report on BPFdoor activity in telecom networks, the pipeline identified 16 techniques across seven ATT&CK tactics, including Initial Access, Persistence, Defense Evasion, Credential Access, Collection, Command and Control, and Execution. That structured extraction became the foundation for a hunt plan with detection coverage across InsightIDR, Velociraptor, and Sigma, giving analysts a faster path from source intelligence to behavior-based hunting logic. Stage 3: Detection query generation For each identified technique, the pipeline generates detection content across several tools and formats. This includes LEQL queries for InsightIDR, targeting activity such as process execution, authentication events, network connections, and file modifications. It also includes Velociraptor VQL queries and artifact recommendations for live host interrogation, Sigma rules that can be shared across teams or converted into other SIEM formats, and YARA rules where relevant. 
Every generated query is reviewed by an analyst before use. LLMs can accelerate drafting and reduce repetitive work, but analyst validation remains essential for accuracy, syntax, and operational fit. Stage 4: Hunt plan assembly The pipeline assembles a structured markdown hunt plan organized by ATT&CK tactic. Each report includes an executive summary, an IOC sweep section when indicators are present, and a behavioral hunting section containing generated queries in fenced code blocks with clear explanations of what each query is designed to detect. This gives analysts a consistent output they can inspect, edit, execute, and reuse. Building a reusable detection query library A key design decision was the introduction of a persistent query cache. Each technique\u2019s generated queries are saved as standalone markdown files, creating a growing library of reusable detection content. This cache reduces cost and execution time because techniques seen in previous reports can be loaded from the library rather than regenerated. It also creates a practical feedback loop: analysts can correct, tune, and improve cached queries over time, and those improvements persist across future hunt plans. By tracking which reports and campaigns reference each technique, the team can build an organic view of recurring adversary behavior and identify which techniques appear across multiple actors or campaigns. Over time, this helps narrow the focus to behaviors most relevant to the environment, providing useful context. Executing hunts and analyzing results Once a hunt plan has been reviewed and validated, a separate process executes approved queries against InsightIDR. Results are then parsed and summarized into a briefing that highlights which queries returned results, why those results may matter, which findings may require immediate investigation, and how the activity relates to the threat actor\u2019s known tradecraft. 
Analysts can then ask follow-up questions conversationally, such as which findings should be prioritized, which hosts or users require deeper review, or how results should be interpreted based on risk. Velociraptor queries are still executed manually because of the level of access involved. Given the potential impact of live host interrogation, the team made the deliberate decision to keep that execution under direct analyst control. Practical use cases for automated threat hunting The pipeline has already proven useful across several hunting scenarios: For advanced threat actor reporting, it can process DFIR reports and APT advisories to quickly determine whether known tradecraft appears in the environment. For insider threat hunting, it can be adapted to focus on data movement, anomalous access patterns, staging, and exfiltration behaviors. For security hardening, it can process reports about common persistence mechanisms and misconfigurations to validate whether the environment is exposed to known attack paths. Across each use case, the value comes from shortening the path between intelligence and action. Automating the repetitive work, not the expertise By automating the repetitive work of reading reports, mapping techniques, and drafting queries, analysts can spend more time interpreting results, understanding context, and making decisions. The pipeline turns a daily flood of threat intelligence into structured, queryable, and continuously improving detection content. 
What previously required hours or days of manual effort can now be completed in minutes, while the underlying library compounds in value with every report processed.","title":"Automated Threat Hunting: Turning Threat Intelligence into Executable Hunt Plans","url":"https://www.rapid7.com/blog/post/ai-automated-threat-hunting-turns-threat-intelligence-into-executable-hunt-plans"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":3,"published_date":"2026-06-10T14:03:44+00:00","severity":"medium","source_name":"Krebs on Security","summary":"A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group.","title":"Who Runs the Ransomware Group \u2018The Gentlemen?\u2019","url":"https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":391,"published_date":"2026-06-10T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Deceptive installers disguised as legit macOS software deliver infostealers that grab passwords, cookies, and crypto wallets. 
Learn how to detect them.","title":"Deceptive Installers: How Fake Apps Target macOS","url":"https://www.huntress.com/blog/deceptive-installers-macos-infostealers"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":115,"published_date":"2026-06-10T13:10:35+00:00","severity":"medium","source_name":"Decipher","summary":"Anthropic researchers warned that modern AI tools are further intensifying the existing issue of threat actors creating N-day exploits.","title":"Anthropic Warns of LLMs\u2019 Impact on (Already Shrinking) N-Day Exploit Gap","url":"https://decipher.sc/2026/06/10/anthropic-warns-of-llms-impact-on-already-shrinking-n-day-exploit-gap"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":272,"published_date":"2026-06-10T10:21:07+00:00","severity":"critical","source_name":"Rapid7","summary":"Overview On June 9, 2026, Ivanti published a security advisory for two critical vulnerabilities affecting Ivanti Sentry (formerly known as MobileIron Sentry), which per the vendor website is an \u201cin-line gateway that manages, encrypts, and secures traffic between the mobile device and back-end enterprise systems\u201d. The most severe issue, CVE-2026-10520, is an OS command injection vulnerability with a CVSS score of 10.0 that allows a remote unauthenticated attacker to achieve remote code execution (RCE) with root privileges. The second vulnerability, CVE-2026-10523, is an authentication bypass vulnerability with a CVSS score of 9.9 that allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. 
Ivanti has stated that they are not aware of any customers being exploited by either of these vulnerabilities at the time of disclosure.
CVE | CVSSv3.1 | CWE
CVE-2026-10520 | 10.0 (Critical) | OS Command Injection (CWE-78)
CVE-2026-10523 | 9.9 (Critical) | Authentication Bypass Using an Alternate Path or Channel (CWE-288)
On June 10, 2026, watchTowr published a technical analysis of CVE-2026-10520 that includes a proof-of-concept (PoC) exploit for unauthenticated RCE. Given the trivial nature of exploitation and the availability of a public PoC, exploitation in-the-wild is likely to begin. Ivanti Sentry has featured on the CISA KEV list twice in the past (for the vulnerabilities CVE-2023-38035 and CVE-2020-15505), so we know threat actors will likely target this product. On June 11, 2026, CVE-2026-10520 was added to the U.S. Cybersecurity and Infrastructure Security Agency\u2019s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. With active exploitation now occurring, organizations running affected versions of Ivanti Sentry should remediate these issues on an urgent basis, outside of normal patching cycles. Technical overview for CVE-2026-10520 Based upon the technical analysis by watchTowr, CVE-2026-10520 resides in the ConfigServiceController class within the Sentry web application, which is reachable via a POST request to the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage. The handleMessage endpoint accepts an attacker-supplied message parameter that is parsed as an internal configuration command, and the service processes that command with root privileges; an attacker who supplies a command-execution directive in the message therefore obtains arbitrary OS command execution as root. 
Shown below is an example HTTP request generated by the public PoC to execute the id command on an affected system:
POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1
Host: [redacted]
User-Agent: python-requests/2.33.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid%3C%2Freqandres%3E%3C%2Fcommandexec%3E
Form-decoded, the message parameter reads: execute system /configuration/system/commandexec <commandexec><index>1</index><reqandres>id</reqandres></commandexec>, i.e. an internal configuration directive whose reqandres element carries the OS command to run.
Mitigation guidance A vendor-supplied update is available to remediate both CVE-2026-10520 and CVE-2026-10523. The following versions of Ivanti Sentry are affected:
Ivanti Sentry 10.7.0 and below
Ivanti Sentry 10.6.1 and below
Ivanti Sentry 10.5.1 and below
The following fixed versions of Ivanti Sentry remediate both vulnerabilities:
Ivanti Sentry 10.7.1
Ivanti Sentry 10.6.2
Ivanti Sentry 10.5.2
Given the critical severity of these vulnerabilities, the availability of a public PoC exploit for CVE-2026-10520, and the unauthenticated attack vector, Rapid7 strongly recommends updating affected Ivanti Sentry appliances on an urgent basis, outside of normal patching cycles. For the latest mitigation guidance, please refer to the vendor's security advisory. Rapid7 customers Exposure Command, InsightVM, and Nexpose Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-10520 and CVE-2026-10523 with unauthenticated vulnerability checks available in the June 11 content release. Updates June 10, 2026: Initial publication. June 11, 2026: Updated to reflect availability of vulnerability checks. 
June 12, 2026: Updated Overview to add new CISA KEV reference.","title":"CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry","url":"https://www.rapid7.com/blog/post/etr-cve-2026-10520-cve-2026-10523-multiple-critical-vulnerabilities-affecting-ivanti-sentry"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":204,"published_date":"2026-06-10T09:00:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"A company that's expecting a cyberattack but hasn\u2019t actively prepared for it risks making the hardest decisions at the worst possible moment","title":"Unpacking SMB cyber-readiness \u2013 and what makes or breaks it","url":"https://www.welivesecurity.com/en/business-security/smb-cyber-readiness-what-makes-breaks-it"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"High-quality primary vulnerability research with fast disclosure cadence. Quality exception \u2014 newer brand, authoritative output.","created_at":"2026-07-02 03:55:58","id":436,"published_date":"2026-06-10T00:52:20+00:00","severity":"critical","source_name":"watchTowr Labs","summary":"Today, Ivanti published an advisory. \u201cNo way?\u201d we hear you say. \"Yes way!\" Today\u2019s advisory outlines two vulnerabilities in Ivanti\u2019s Sentry product, appealing directly to our inner desire for sophisticated server-side, pre-authenticated vulnerabilities. 
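The PoC request quoted in the Rapid7 Ivanti Sentry (CVE-2026-10520) write-up above is what a defender has to recognise in web logs or at a WAF. The following is an added example, not the watchTowr PoC or Rapid7 detection content: it form-decodes the message parameter, confirms the execute system directive is aimed at the /configuration/system/commandexec node, and pulls the injected command out of the reqandres element. The directive grammar is inferred only from that one quoted request, so other spellings the endpoint may accept are unknown; treat this as a triage aid rather than a complete signature. The benign status message used as a negative case is constructed.

```python
'''Added example, not the watchTowr PoC or Rapid7 detection content: decode
the handleMessage request body quoted above and pull out the injected OS
command, as a log-triage or WAF-rule helper for CVE-2026-10520. The message
grammar is inferred only from that one quoted request.'''
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

HANDLE_MESSAGE_PATH = '/mics/api/v2/sentry/mics-config/handleMessage'
COMMANDEXEC_NODE = '/configuration/system/commandexec'

# Body of the PoC request quoted in the write-up above, copied verbatim.
POC_BODY = ('message=execute+system+%2Fconfiguration%2Fsystem%2Fcommandexec+'
            '%3Ccommandexec%3E%3Cindex%3E1%3C%2Findex%3E%3Creqandres%3Eid'
            '%3C%2Freqandres%3E%3C%2Fcommandexec%3E')

# Constructed negative case: same directive shape, a different config node.
BENIGN_BODY = 'message=execute+system+%2Fconfiguration%2Fsystem%2Fstatus+%3Cstatus%2F%3E'


def decode_message(body: str) -> str:
    '''The form-decoded message parameter, or an empty string when absent.'''
    return parse_qs(body, keep_blank_values=True).get('message', [''])[0]


def extract_injected_command(body: str):
    '''None unless the message is an execute-system directive aimed at the
    commandexec node; otherwise (index, command). index is None when the
    directive is present but its XML payload does not parse or is not a
    commandexec element, so truncated or obfuscated attempts still flag.'''
    parts = decode_message(body).split(None, 3)
    if len(parts) != 4 or parts[:2] != ['execute', 'system'] or parts[2] != COMMANDEXEC_NODE:
        return None
    payload = parts[3]
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return (None, payload)
    if root.tag != 'commandexec':
        return (None, payload)
    return (root.findtext('index'), root.findtext('reqandres'))


def is_exploit_attempt(method: str, path: str, body: str) -> bool:
    '''Request-level verdict for a web-log or WAF rule.'''
    return (method.upper() == 'POST' and path == HANDLE_MESSAGE_PATH
            and extract_injected_command(body) is not None)


if __name__ == '__main__':
    print(extract_injected_command(POC_BODY))   # ('1', 'id')
    print(is_exploit_attempt('POST', HANDLE_MESSAGE_PATH, BENIGN_BODY))
```

Because the endpoint is unauthenticated, any POST to it from outside the management network is worth a look even when the decoder returns None; the decoder tells you what was run, not whether the request was legitimate.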
CVE-2026-10520 An OS Command Injection","title":"More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520)","url":"https://labs.watchtowr.com/more-evidence-that-words-dont-mean-what-we-thought-they-meant-ivanti-sentry-pre-auth-os-command-injection-cve-2026-10520"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":4,"published_date":"2026-06-09T22:07:28+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company's monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft's most dire \"critical\" rating, and exploit code for at least three of the weaknesses is now publicly available.","title":"A Record-Breaking Patch Tuesday for June 2026","url":"https://krebsonsecurity.com/2026/06/a-record-breaking-patch-tuesday-for-june-2026"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":161,"published_date":"2026-06-09T22:00:21+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Unit 42 research examines attack scenarios targeting cloud logging services. Learn how to defend against log manipulation and defense evasion. 
","title":"Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility","url":"https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research with strong malware analysis track record.","created_at":"2026-07-02 03:55:49","id":173,"published_date":"2026-06-09T21:21:00+00:00","severity":"medium","source_name":"Cisco Talos","summary":"Microsoft Patch Tuesday details for June 2026.","title":"Microsoft Patch Tuesday for June 2026 \u2014 Snort rules and prominent vulnerabilities","url":"https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":273,"published_date":"2026-06-09T21:04:53+00:00","severity":"critical","source_name":"Rapid7","summary":"Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month\u2019s Patch Tuesday, however several of last month\u2019s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years. As usual, browser vulns are not included in the Patch Tuesday count above. 
Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update Guide. Other vulnerability categories, especially Linux kernel vulnerabilities, are seeing a similar increase in AI-assisted vulnerability reports. 
What's the opposite of coordinated disclosure?
In recent weeks, an independent vulnerability researcher going by the pseudonym Nightmare Eclipse has attracted significant attention by publishing details of six Microsoft vulnerabilities, including elevation of privilege vulnerabilities in Defender, and a Secure Boot disk encryption bypass. The researcher provided full proof-of-concept code for some, and provided significant-but-incomplete detail around the path to exploitation for others. Microsoft has confirmed that these disclosures were not coordinated, and it is clear that the relationship between this researcher and Microsoft is less than cordial. Two of the disclosures emerged in the hours after last month\u2019s Patch Tuesday, which provides maximum visibility, while limiting Microsoft\u2019s ability to respond without out-of-cycle patches. At time of writing, Microsoft has provided mitigation advice and patches for CVE-2026-33825, CVE-2026-45585, CVE-2026-45498, and CVE-2026-41091, leaving only two elevation of privilege vulnerabilities unpatched, known as MiniPlasma and GreenPlasma. However, a recent blog post by Nightmare Eclipse with the title \u201c7\u201d has been widely interpreted to mean that there is at least one more vulnerability to come. The post contained no content other than an image of Albert Wesker, a character from the Resident Evil video game series who formerly worked as a researcher for a technology corporation before going rogue. Any inference around the possible meaning of the image is left as an exercise for the reader. 
Given the timing of last month\u2019s disclosures in the hours following Patch Tuesday, a further high-friction disclosure today would perhaps be unsurprising. Indeed, a new blog post and a new GitHub account from the same researcher have emerged in the hours following Microsoft\u2019s publication of the June 2026 Patch Tuesday updates. The apparent seventh disclosure is nicknamed RoguePlanet, and appears to describe another elevation of privilege to SYSTEM in Defender. It is not at all difficult to understand why Microsoft and many blue team practitioners are deeply alarmed by the partial or even full disclosure of proof-of-concept code for an ongoing series of vulnerabilities affecting fully-patched Windows systems. However, multiple leading voices in the broader vulnerability disclosure community have expressed concern that Microsoft\u2019s invocation of the Digital Crimes Unit in a May 27, 2026 blog post may yet prove counterproductive, especially if it causes other researchers to back away from mutually beneficial engagements with MSRC. A few days later, MSRC issued a further statement clarifying that they have no intention of pursuing action against security researchers, but only those who break the law or engage in malicious activity causing real harm. For now, one safe conclusion is that this unusually sensational Microsoft vulnerability management story arc is far from over. 
HTTP/2: denial of service
Every so often, a new round of denial of service vulnerabilities emerges affecting web servers that implement the HTTP/2 and HTTP/3 standards. This class of vulnerabilities is likely to expand further as researchers, including the discoverers of CVE-2026-49160, use advances in LLM capability to probe not just specific software, but also the standards on which software rests. Microsoft warns that exploitation leads to uncontrolled resource consumption over a network, and expects that exploitation is more likely. 
The advisory credits both a third-party research firm and OpenAI\u2019s Codex. Microsoft has not yet directly addressed another HTTP/2 vulnerability which allows trivial denial-of-service against the default HTTP/2 configuration of multiple web server platforms, including Microsoft IIS. CVE-2026-49975, also known as HTTP/2 Bomb, became public knowledge a week ago. This denial of service works by exhausting memory on the target server, and unlike a distributed denial of service attack, there is no requirement that an attacker control a large amount of bandwidth. Patches are available for NGINX and Apache, with IIS presumably to follow at some point. If practically possible, disabling HTTP/2 is a valid mitigation. 
PowerToys: SYSTEM EoP
The Microsoft PowerToys utility provides a wide variety of useful control and configuration options for Windows power users which aren\u2019t otherwise easily accessible. It turns out that PowerToys also offers an undocumented extra: local elevation of privilege to SYSTEM via successful exploitation of CVE-2026-42902. It is worth noting that the fix was included in PowerToys v0.99.1 on April 29, 2026, without any apparent mention in the release notes. Attackers with patch-diffing toolkits may well take note of this discrepancy. 
Microsoft lifecycle update
There are no significant Microsoft product lifecycle changes this month. SQL Server 2016 moves beyond regular extended support and into the pay-to-play Extended Security Updates (ESU) phase after July 14, 2026. On that same date, SharePoint 2016 and 2019 will also move past extended support, but since there\u2019s no ESU available, the only remaining option for fully-supported self-hosted SharePoint after the middle of next month will be SharePoint Subscription Edition. 
Summary charts
Vulnerabilities by Product Family
Apps vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2026-45650 Microsoft Bing Search Spoofing Vulnerability Exploitation Less Likely No 4.3CVE-2026-49161 Microsoft PC Manager Security Feature Bypass Vulnerability Exploitation Unlikely No 7.8CVE-2026-42902 Microsoft PowerToys Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45649 Office for Android Spoofing Vulnerability Exploitation Unlikely No 7.1CVE-2026-44803 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-44812 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8 Azure vulnerabilities CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-32193 Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability Exploitation Unlikely No 8.8CVE-2026-47643 Azure Stack Edge Remote Code Execution Vulnerability Exploitation Unlikely No 9.8CVE-2026-41098 Azure Stack Edge Spoofing Vulnerability Exploitation Less Likely No 8.4 Developer Tools vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2026-45490 .NET SDK Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45491 .NET Tampering Vulnerability Exploitation Unlikely No 6.2CVE-2026-45591 ASP.NET Core Denial of Service Vulnerability Exploitation Less Likely No 7.5CVE-2026-45644 Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability Exploitation Less Likely No 8.0CVE-2026-45482 Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability Exploitation Less Likely No 8.4CVE-2026-40376 Visual Studio Code Elevation of Privilege Vulnerability Exploitation Less Likely No 7.5CVE-2026-47281 Visual Studio Code Elevation of Privilege Vulnerability Exploitation Unlikely No 9.6CVE-2026-47284 Visual Studio Code Information Disclosure Vulnerability Exploitation Less Likely No 6.5CVE-2026-47292 Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-48569 Visual Studio Code Security Feature Bypass Vulnerability Exploitation Less Likely No 7.1CVE-2026-47287 Visual Studio Code Tampering Vulnerability Exploitation Less Likely No 6.5 ESU vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2025-10263 ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel] Exploitation Less Likely No 9.3CVE-2026-44815 DHCP Client Service Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-49160 HTTP.sys Denial of Service Vulnerability Exploitation More Likely Yes 7.5CVE-2026-47291 HTTP.sys Remote Code Execution Vulnerability Exploitation More Likely No 9.8CVE-2026-45642 Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability Exploitation Less Likely No 3.9CVE-2026-45637 Microsoft DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45504 Microsoft Exchange Server Elevation of Privilege Vulnerability Exploitation Unlikely No 8.8CVE-2026-45502 Microsoft Exchange Server Information Disclosure Vulnerability Exploitation Unlikely No 5.0CVE-2026-45503 Microsoft Exchange Server Information Disclosure Vulnerability Exploitation Unlikely No 8.1CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-45500 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 6.1CVE-2026-45501 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 6.5CVE-2026-47631 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 8.1CVE-2026-42986 Microsoft Graphics Component Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-41092 Microsoft Kinect Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45606 Microsoft UxTheme Library (uxtheme.dll) Denial of Service Vulnerability Exploitation Less Likely No 5.5CVE-2026-42980 NT OS Kernel Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-42916 NT OS Kernel Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-47289 Remote Desktop Client Remote Code 
Execution Vulnerability Exploitation Less Likely No 8.8CVE-2026-47653 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 8.8CVE-2026-48563 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-42909 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 7.5CVE-2026-42992 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-44799 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-44801 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-42985 Remote Desktop Client Remote Code Execution Vulnerability Exploitation More Likely No 8.8CVE-2026-42993 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-45588 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48568 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48570 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48573 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48575 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48576 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48578 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-45656 UEFI Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.8CVE-2026-8863 UEFI Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.8CVE-2026-34335 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-45601 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less 
Likely No 7.0CVE-2026-45598 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45596 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45603 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-42911 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45594 Windows Application Identity (AppID) Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45655 Windows BitLocker Security Feature Bypass Vulnerability Exploitation Less Likely No 5.3CVE-2026-45658 Windows BitLocker Security Feature Bypass Vulnerability Exploitation More Likely No 7.8CVE-2026-50507 Windows BitLocker Security Feature Bypass Vulnerability Exploitation More Likely Yes 6.8CVE-2026-45640 Windows Bluetooth Port Driver Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45605 Windows Bluetooth Service Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-47656 Windows Boot Manager Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-45586 Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability Exploitation More Likely Yes 7.8CVE-2026-42987 Windows Deployment Services (WDS) Remote Code Execution Exploitation Less Likely No 8.1CVE-2026-33828 Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-45634 Windows DHCP Client Information Disclosure Vulnerability Exploitation Unlikely No 5.5CVE-2026-45608 Windows DHCP Client Information Disclosure Vulnerability Exploitation Unlikely No 6.8CVE-2026-41108 Windows DNS 
Client Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42905 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-42983 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44802 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45602 Windows Dynamic Host Configuration Protocol (DHCP) Tampering Vulnerability Exploitation Less Likely No 9.1CVE-2026-42836 Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-44803 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-44812 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-42972 Windows Hyper-V Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45607 Windows Hyper-V Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45641 Windows Hyper-V Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45592 Windows Internet (wininet.dll) Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42903 Windows Kerberos Denial of Service Vulnerability Exploitation Unlikely No 6.5CVE-2026-42914 Windows Kerberos Denial of Service Vulnerability Exploitation Less Likely No 5.3CVE-2026-47288 Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Exploitation Unlikely No 7.1CVE-2026-48583 Windows Kernel Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45653 Windows Kernel Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42984 Windows Kernel Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-45595 Windows Mark of the Web Security Feature Bypass Vulnerability Exploitation Less Likely No 5.4CVE-2026-48574 Windows Media 
Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45636 Windows NTFS Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-50508 Windows NTLM Spoofing Vulnerability Exploitation More Likely No 6.5CVE-2026-45487 Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42828 Windows Projected File System Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42837 Windows Projected File System Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42969 Windows Push Notification Information Disclosure Vulnerability Exploitation Unlikely No 5.5CVE-2026-42971 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42970 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42973 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42978 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42977 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42979 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42991 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-45639 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Exploitation Less Likely No 7.5CVE-2026-42908 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Exploitation Less Likely No 7.5CVE-2026-45593 Windows SDK Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42906 Windows Shell Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42907 Windows Shell Information Disclosure Vulnerability Exploitation Less Likely No 
6.5CVE-2026-47648 Windows Storage Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42915 Windows TCP/IP Denial of Service Vulnerability Exploitation Less Likely No 5.7CVE-2026-42904 Windows TCP/IP Elevation of Privilege Vulnerability Exploitation Unlikely No 9.6CVE-2026-42968 Windows Telephony Server Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42912 Windows Telephony Service Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-40409 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-40404 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45599 Windows UPnP Device Host Remote Code Execution Vulnerability Exploitation Less Likely No 8.1CVE-2026-45635 Windows UPnP Device Host Remote Code Execution Vulnerability Exploitation Less Likely No 8.1CVE-2026-42989 Winlogon Elevation of Privilege Vulnerability Exploitation More Likely No 7.8 Mariner vulnerabilities CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-40930 LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body n/a No 5.4 Microsoft Dynamics vulnerabilities CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-40371 Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability Exploitation Less Likely No 8.8 Microsoft Office vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2026-44822 Microsoft Excel Information Disclosure Vulnerability Exploitation Unlikely No 8.2CVE-2026-45455 Microsoft Excel Information Disclosure Vulnerability Exploitation Less Likely No 3.3CVE-2026-45469 Microsoft Excel Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-44817 Microsoft Excel Remote Code Execution Vulnerability Exploitation Unlikely No 7.8CVE-2026-44818 Microsoft Excel Remote Code Execution Vulnerability Exploitation Less Likely No 7.0CVE-2026-44820 Microsoft Excel Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-44823 Microsoft Excel Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45459 Microsoft Excel Security Feature Bypass Vulnerability Exploitation Less Likely No 3.3CVE-2026-47293 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45485 Microsoft Office Information Disclosure Vulnerability Exploitation Less Likely No 3.3CVE-2026-44821 Microsoft Office Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45460 Microsoft Office Information Disclosure Vulnerability Exploitation Unlikely No 4.7CVE-2026-45483 Microsoft Office Project Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-45475 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45472 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45474 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-44819 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-44824 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45461 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45645 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely 
No 7.8CVE-2026-45463 Microsoft Office Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45456 Microsoft Outlook and Word Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45458 Microsoft Outlook and Word Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-47635 Microsoft Outlook and Word Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-45484 Microsoft SharePoint Elevation of Privilege Vulnerability Exploitation Less Likely No 8.8CVE-2026-45454 Microsoft SharePoint Remote Code Execution Vulnerability Exploitation Less Likely No 6.5CVE-2026-47298 Microsoft SharePoint Server Remote Code Execution Vulnerability Exploitation Less Likely No 8.0CVE-2026-45467 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-45468 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-45479 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-45453 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 5.4CVE-2026-47636 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 5.4CVE-2026-47637 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-47638 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-47639 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Unlikely No 5.4CVE-2026-47641 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-33113 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 5.4CVE-2026-45462 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-45464 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 5.4CVE-2026-45465 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less 
Likely No 5.4CVE-2026-47634 Microsoft SharePoint Server Spoofing Vulnerability Exploitation More Likely No 7.3CVE-2026-47640 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Unlikely No 4.6CVE-2026-45481 Microsoft SharePoint Server Spoofing Vulnerability Exploitation More Likely No 7.3CVE-2026-48560 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 5.4CVE-2026-48562 Microsoft SharePoint Server Spoofing Vulnerability Exploitation Less Likely No 4.6CVE-2026-42835 Microsoft Teams for Android Information Disclosure Vulnerability Exploitation Less Likely No 8.1CVE-2026-45466 Microsoft Word Information Disclosure Vulnerability Exploitation Unlikely No 3.3CVE-2026-45471 Microsoft Word Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45486 Microsoft Word Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45643 Microsoft Word Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45457 Microsoft Word Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-45649 Office for Android Spoofing Vulnerability Exploitation Unlikely No 7.1CVE-2026-44803 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-44812 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8 Open Source Software vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2026-11463 USCiLab Cereal Shared Pointer type confusion n/a No 7.3CVE-2026-49975 Apache HTTP Server: mod_http2 denial of service n/a No 7.5CVE-2026-50265 Rejected reason: This CVE ID was assigned as a duplicate of CVE-2026-50292 n/a No 5.3CVE-2026-40930 LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body n/a No 5.4CVE-2026-10879 DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders n/a No 8.6CVE-2026-50261 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in syncchangecounter() n/a No 7.8CVE-2026-50256 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in font alias resolution due to libxfont2 name length mismatch n/a No 7.8CVE-2026-50262 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: out-of-bounds read/write in glx changedrawableattributes n/a No 5.5CVE-2026-50260 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in freecounter() n/a No 6.6CVE-2026-50259 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb setmap request via mapwidths indexing n/a No 7.8CVE-2026-50257 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free in misyncdestroyfence() n/a No 6.6CVE-2026-50258 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: stack buffer overflow in xkb key types due to unchecked shift levels n/a No 7.8CVE-2026-50263 Xorg-x11-server: xorg-x11-server-xwayland: xorg-x11-server: use-after-free information disclosure in createsaverwindow() n/a No 5.5 Other vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2026-45476 Microsoft Azure Network Adapter Elevation of Privilege Vulnerability Exploitation Less Likely No 8.2CVE-2026-26142 Nuance PowerScribe Remote Code Execution Vulnerability Exploitation Less Likely No 9.8 Server Software vulnerabilities CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-45504 Microsoft Exchange Server Elevation of Privilege Vulnerability Exploitation Unlikely No 8.8CVE-2026-45502 Microsoft Exchange Server Information Disclosure Vulnerability Exploitation Unlikely No 5.0CVE-2026-45503 Microsoft Exchange Server Information Disclosure Vulnerability Exploitation Unlikely No 8.1CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-45500 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 6.1CVE-2026-45501 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 6.5CVE-2026-47631 Microsoft Exchange Server Spoofing Vulnerability Exploitation Less Likely No 8.1 System Center vulnerabilities CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-45647 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability Exploitation Less Likely No 5.5 Windows vulnerabilities CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2025-10263 ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel] Exploitation Less Likely No 9.3CVE-2026-44815 DHCP Client Service Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-49160 HTTP.sys Denial of Service Vulnerability Exploitation More Likely Yes 7.5CVE-2026-47291 HTTP.sys Remote Code Execution Vulnerability Exploitation More Likely No 9.8CVE-2026-45642 Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability Exploitation Less Likely No 3.9CVE-2026-44810 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Exploitation Less Likely No 8.4CVE-2026-45637 Microsoft DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42986 Microsoft Graphics Component Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-41092 Microsoft Kinect Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45606 Microsoft UxTheme Library (uxtheme.dll) Denial of Service Vulnerability Exploitation Less Likely No 5.5CVE-2026-42980 NT OS Kernel Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-42916 NT OS Kernel Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-47289 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 8.8CVE-2026-47653 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 8.8CVE-2026-47654 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 7.5CVE-2026-48563 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-42909 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 7.5CVE-2026-42913 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Unlikely No 7.5CVE-2026-42992 Remote Desktop 
Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-44799 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-44801 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-42985 Remote Desktop Client Remote Code Execution Vulnerability Exploitation More Likely No 8.8CVE-2026-42993 Remote Desktop Client Remote Code Execution Vulnerability Exploitation Less Likely No 7.5CVE-2026-45588 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48568 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48570 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48573 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48575 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48576 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-48578 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-45654 Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-45656 UEFI Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.8CVE-2026-8863 UEFI Secure Boot Security Feature Bypass Vulnerability Exploitation Less Likely No 7.8CVE-2026-45648 Windows Active Directory Domain Services Remote Code Execution Vulnerability Exploitation Unlikely No 8.8CVE-2026-42829 Windows Administrator Protection Secure Feature Bypass Vulnerability Exploitation Less Likely No 7.8CVE-2026-34335 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-45601 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45598 Windows Ancillary Function Driver 
for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45596 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45603 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-42911 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45594 Windows Application Identity (AppID) Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45655 Windows BitLocker Security Feature Bypass Vulnerability Exploitation Less Likely No 5.3CVE-2026-45658 Windows BitLocker Security Feature Bypass Vulnerability Exploitation More Likely No 7.8CVE-2026-50507 Windows BitLocker Security Feature Bypass Vulnerability Exploitation More Likely Yes 6.8CVE-2026-45640 Windows Bluetooth Port Driver Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45605 Windows Bluetooth Service Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-47656 Windows Boot Manager Security Feature Bypass Vulnerability Exploitation Less Likely No 7.9CVE-2026-45586 Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability Exploitation More Likely Yes 7.8CVE-2026-44809 Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42987 Windows Deployment Services (WDS) Remote Code Execution Exploitation Less Likely No 8.1CVE-2026-33828 Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-45634 Windows DHCP Client Information Disclosure Vulnerability Exploitation Unlikely No 5.5CVE-2026-45608 Windows DHCP Client Information Disclosure Vulnerability 
Exploitation Unlikely No 6.8CVE-2026-41108 Windows DNS Client Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42905 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation More Likely No 7.8CVE-2026-44811 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44808 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44807 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42983 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44802 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44813 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44804 Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-48566 Windows DWM Core Library Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-44814 Windows DWM Core Library Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45602 Windows Dynamic Host Configuration Protocol (DHCP) Tampering Vulnerability Exploitation Less Likely No 9.1CVE-2026-42836 Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-44803 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-44812 Windows Graphics Component Remote Code Execution Vulnerability Exploitation More Likely No 7.8CVE-2026-42910 Windows Hotpatch Monitoring Service Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42972 Windows Hyper-V Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45607 Windows Hyper-V Remote Code Execution Vulnerability Exploitation Less Likely No 
8.4CVE-2026-45641 Windows Hyper-V Remote Code Execution Vulnerability Exploitation Less Likely No 8.4CVE-2026-47652 Windows Hyper-V Remote Code Execution Vulnerability Exploitation Less Likely No 8.2CVE-2026-45592 Windows Internet (wininet.dll) Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42903 Windows Kerberos Denial of Service Vulnerability Exploitation Unlikely No 6.5CVE-2026-42914 Windows Kerberos Denial of Service Vulnerability Exploitation Less Likely No 5.3CVE-2026-47288 Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Exploitation Unlikely No 7.1CVE-2026-48583 Windows Kernel Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45653 Windows Kernel Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42984 Windows Kernel Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-45657 Windows Kernel Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-45600 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-45604 Windows Managed Installer Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-45595 Windows Mark of the Web Security Feature Bypass Vulnerability Exploitation Less Likely No 5.4CVE-2026-48574 Windows Media Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-48565 Windows Narrator Braille Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-44805 Windows Network Controller (NC) Host Agent Denial of Service Vulnerability Exploitation Unlikely No 5.5CVE-2026-45636 Windows NTFS Remote Code Execution Vulnerability Exploitation Less Likely No 7.8CVE-2026-50508 Windows NTLM Spoofing Vulnerability Exploitation More Likely No 6.5CVE-2026-42981 Windows Performance Monitor Remote Code Execution Vulnerability Exploitation Less Likely No 8.1CVE-2026-42974 Windows Performance Monitor Remote Code Execution 
Vulnerability Exploitation Less Likely No 8.1CVE-2026-45487 Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42828 Windows Projected File System Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42837 Windows Projected File System Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42969 Windows Push Notification Information Disclosure Vulnerability Exploitation Unlikely No 5.5CVE-2026-42971 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42970 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42973 Windows Push Notification Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42978 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42977 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42979 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-42991 Windows Push Notifications Elevation of Privilege Vulnerability Exploitation Unlikely No 7.8CVE-2026-45639 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Exploitation Less Likely No 7.5CVE-2026-42908 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Exploitation Less Likely No 7.5CVE-2026-45593 Windows SDK Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-42906 Windows Shell Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42907 Windows Shell Information Disclosure Vulnerability Exploitation Less Likely No 6.5CVE-2026-47648 Windows Storage Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-42915 Windows TCP/IP Denial of Service Vulnerability Exploitation Less Likely No 5.7CVE-2026-42904 
Windows TCP/IP Elevation of Privilege Vulnerability Exploitation Unlikely No 9.6CVE-2026-42968 Windows Telephony Server Information Disclosure Vulnerability Exploitation Less Likely No 5.5CVE-2026-42912 Windows Telephony Service Elevation of Privilege Vulnerability Exploitation Less Likely No 7.0CVE-2026-45597 Windows UI Automation Manager (uiamanager.dll) Elevation of Privilege Vulnerability Exploitation Unlikely No 7.0CVE-2026-40409 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-40404 Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Exploitation Less Likely No 7.8CVE-2026-45599 Windows UPnP Device Host Remote Code Execution Vulnerability Exploitation Less Likely No 8.1CVE-2026-45635 Windows UPnP Device Host Remote Code Execution Vulnerability Exploitation Less Likely No 8.1CVE-2026-42989 Winlogon Elevation of Privilege Vulnerability Exploitation More Likely No 7.8 Zero-Day Vulnerabilities: Publicly Disclosed (No known exploitation) CVE Title Exploitation status Publicly disclosed? CVSS v3 base scoreCVE-2026-49160 HTTP.sys Denial of Service Vulnerability Exploitation More Likely Yes 7.5CVE-2026-50507 Windows BitLocker Security Feature Bypass Vulnerability Exploitation More Likely Yes 6.8CVE-2026-45586 Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability Exploitation More Likely Yes 7.8 Critical RCEs CVE Title Exploitation status Publicly disclosed? 
CVSS v3 base scoreCVE-2025-10263 ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel] Exploitation Less Likely No 9.3CVE-2026-47643 Azure Stack Edge Remote Code Execution Vulnerability Exploitation Unlikely No 9.8CVE-2026-44815 DHCP Client Service Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-47291 HTTP.sys Remote Code Execution Vulnerability Exploitation More Likely No 9.8CVE-2026-26142 Nuance PowerScribe Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-47281 Visual Studio Code Elevation of Privilege Vulnerability Exploitation Unlikely No 9.6CVE-2026-45602 Windows Dynamic Host Configuration Protocol (DHCP) Tampering Vulnerability Exploitation Less Likely No 9.1CVE-2026-45657 Windows Kernel Remote Code Execution Vulnerability Exploitation Less Likely No 9.8CVE-2026-42904 Windows TCP/IP Elevation of Privilege Vulnerability Exploitation Unlikely No 9.6","title":"Patch Tuesday - June 2026","url":"https://www.rapid7.com/blog/post/em-patch-tuesday-june-2026"},{"category":"Industry/Policy","confidence":"HIGH","confidence_reason":"University of Toronto \u2014 gold-standard surveillance/spyware research. NSO Group, Predator, Pegasus. filter_uncategorized drops political commentary, keeps classified threat research.","created_at":"2026-07-02 03:55:55","id":427,"published_date":"2026-06-09T19:19:51+00:00","severity":"medium","source_name":"The Citizen Lab","summary":"On May 25, senior research associate Kate Robertson appeared before SECD to testify on Bill C-8. 
The post Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs of Bill C-8 appeared first on The Citizen Lab.","title":"Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs of Bill C-8","url":"https://citizenlab.ca/submission-to-the-standing-senate-committee-on-national-security-defence-and-veterans-affairs-of-bill-c-8"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":439,"published_date":"2026-06-09T18:12:18+00:00","severity":"critical","source_name":"Zero Day Initiative","summary":"I\u2019ve made it through Pwn2Own Berlin, had a little vacation, and now I\u2019m back for Patch Tuesday. Microsoft and Adobe didn\u2019t disappoint. In fact, they have heralded my return with the largest Patch Tuesday release ever. Thanks? Take a break from your regularly scheduled activities and let\u2019s take a look at the latest security patches from Adobe and Microsoft. If you\u2019d rather watch the full video recap covering the entire release, you can check it out here: Adobe Patches for June 2026 For June, Adobe released 11 bulletins addressing 123 unique CVEs in Adobe Acrobat Reader, ColdFusion, Experience Manager, Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Adobe Campaign Classic. A total of 11 of these CVEs were reported through the ZDI program. 
Here\u2019s this month\u2019s overview table: Bulletin ID Product CVE Count Highest Severity Highest CVSS Exploited Deployment Priority; APSB26-66 Adobe Campaign Classic 2 Critical 10.0 No 1; APSB26-64 Adobe ColdFusion 7 Critical 9.6 No 1; APSB26-63 Adobe Acrobat Reader 20 Critical 7.8 No 2; APSB26-57 Adobe Experience Manager Forms 3 Critical 9.3 No 2; APSB26-62 Adobe Dreamweaver 5 Critical 8.6 No 3; APSB26-65 Adobe Format Plugins 2 Critical 7.8 No 3; APSB26-59 Adobe InCopy 3 Critical 7.8 No 3; APSB26-58 Adobe InDesign 12 Critical 7.8 No 3; APSB26-60 Adobe Substance 3D Sampler 4 Critical 7.8 No 3; APSB26-61 Content Credentials SDK 8 Critical 7.5 No 3; APSB26-56 Adobe Experience Manager 57 Important 5.4 No 3; TOTAL 11 bulletins 123. Obviously, the update for Campaign Classic should be at the top of your deployment list if you\u2019re a user. A CVSS 10 is rare; two in the same bulletin is pretty much a unicorn. Adobe says there are no active attacks, but I would expect heavy research into creating one. The update for ColdFusion is also a Priority 1, but again, no known attacks in the wild. I suspect the Reader patch will also receive a lot of attention as malicious PDFs are common in ransomware attacks. The update for Experience Manager may be large, but it\u2019s mostly just cross-site scripting (XSS) bugs. Microsoft Patches for June 2026 This month, Microsoft released a new record of 208 CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, .NET and Visual Studio, GitHub Copilot, Defender, Exchange Server, Hyper-V, Secure Boot, and BitLocker. At least, that\u2019s my count. Microsoft\u2019s tools seem to be having some issues, as they initially included a CVE from 2020 in this release. Regardless, the count is over 200, and I counted several times. One of these bugs came through the ZDI program, but bugs submitted during Pwn2Own Berlin remain unpatched. 
If you include the Chromium and other third-party bugs, the total CVE count for June comes to a staggering 571 CVEs. 38 of these cases are rated Critical while the rest are rated Important in severity. I\u2019ve been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time. The previous record was 177 set last year. It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns. How many of these cases were found using AI tools? How many patches were generated using AI to assist in coding or testing? What quality issues may exist in these patches? And likely most importantly, is this the new normal? The last two months were also large releases. Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates? Unfortunately, Microsoft is not providing those answers right now. Hopefully that changes in the future. BTW \u2013 just a note \u2013 the current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018. One of the bugs patched by Microsoft this month is listed as under active exploitation and three others are listed as publicly known at the time of release. Let\u2019s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited in the wild. - CVE-2026-41091 - Microsoft Defender Elevation of Privilege Vulnerability. Since Microsoft doesn\u2019t provide info on how widespread exploitation is, we must read some tea leaves. For this patch, several different people were acknowledged, which indicates multiple parties say this is in the wild, meaning exploitation is likely significant. The good news is that most people won\u2019t need to take action as Defender updates itself. However, if you don\u2019t have this configured or are in an isolated environment, you\u2019ll need to update to the latest version. 
- CVE-2026-45657 - Windows Kernel Remote Code Execution Vulnerability. This CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction. Yup \u2013 this is wormable. The problem lies in the way the kernel handles TCP/IP. This was listed as \u201cExploitation Less Likely\u201d by Microsoft, but rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Test and deploy this patch quickly. - CVE-2026-47291 - HTTP.sys Remote Code Execution Vulnerability. Our second CVSS 9.8 bug of the month, this also allows remote, unauthenticated attackers to execute code on affected systems without user interaction. However, there is a caveat. Systems using the default MaxRequestBytes registry value used by the Windows HTTP stack are not affected by this bug. You can edit your registry settings if you need protection while you test and deploy the patch. The bulletin includes instructions and even a PowerShell script for doing this action. Microsoft lists this as \u201cExploitation more likely\u201d, so I would definitely check your registry settings. - CVE-2026-44815 - DHCP Client Service Remote Code Execution Vulnerability. Here\u2019s another CVSS 9.8 that has an odd incongruity. Although the CVSS says no permissions are required for exploitation, the write-up states it must be an \u201cauthenticated\u201d user. I would err on the side of caution here and believe the CVSS. If that\u2019s correct, then we have another bug where a remote, unauthenticated attacker could execute code on affected systems without user interaction. And since the DHCP client is on every OS, it\u2019s a juicy target. This is another one to test and deploy with haste. - CVE-2026-45585/CVE-2026-50507 - Windows BitLocker Security Feature Bypass Vulnerability. If you\u2019ve followed the ongoing saga of Nightmare Eclipse vs. MSRC, the bugs should look familiar. 
One is definitely a fix for \u201cYellowKey\u201d, while the other appears to be a fix for \u201cGreenPlasma\u201d. The researcher has promised a \u201cbone shattering\u201d drop on June 14, so let\u2019s hope Microsoft is able to reach some understanding with the researcher before more 0-days are released. Also, there is a script provided by Microsoft as a mitigation, but the better strategy is to test and deploy the updates. Here\u2019s the full list of CVEs released by Microsoft for June 2026: CVE Title Severity CVSS Public Exploited XI Type CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability Important 7.8 Yes Yes 0 EoP CVE-2026-49160 HTTP.sys Denial of Service Vulnerability Important 7.5 Yes No 1 DoS CVE-2026-50507 Windows BitLocker Security Feature Bypass Vulnerability Important 6.8 Yes No 1 SFB CVE-2026-45586 Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability Important 7.8 Yes No 1 EoP CVE-2025-10263 * ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel] Critical 9.3 No No 2 EoP CVE-2026-48567 Azure HorizonDB Elevation of Privilege Vulnerability Critical 10 No No N/A EoP CVE-2026-32193 Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability Critical 8.8 No No 3 RCE CVE-2026-47644 Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability Critical 6.5 No No 2 Info CVE-2026-44815 DHCP Client Service Remote Code Execution Vulnerability Critical 9.8 No No 2 RCE CVE-2026-47291 HTTP.sys Remote Code Execution Vulnerability Critical 9.8 No No 1 RCE CVE-2026-42824 M365 Copilot Information Disclosure Vulnerability Critical 6.5 No No N/A Info CVE-2026-45476 Microsoft Azure Network Adapter Elevation of Privilege Vulnerability Critical 8.2 No No 2 EoP CVE-2026-44810 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Critical 8.4 No No 2 EoP CVE-2026-48579 Microsoft Exchange Online Information Disclosure 
Vulnerability Critical 9.1 No No N/A Info CVE-2026-47655 Microsoft Graph Information Disclosure Vulnerability Critical 6.5 No No N/A Info CVE-2026-45497 Microsoft M365 Copilot Remote Code Execution Vulnerability Critical 7.7 No No N/A RCE CVE-2026-45460 Microsoft Office Information Disclosure Vulnerability Critical 4.7 No No 3 Info CVE-2026-45472 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45474 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45461 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45463 Microsoft Office Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45456 Microsoft Outlook and Word Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45458 Microsoft Outlook and Word Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-47635 Microsoft Outlook and Word Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-26142 Nuance PowerScribe Remote Code Execution Vulnerability Critical 9.8 No No 2 RCE CVE-2026-47289 Remote Desktop Client Remote Code Execution Vulnerability Critical 8.8 No No 2 RCE CVE-2026-47654 Remote Desktop Client Remote Code Execution Vulnerability Critical 7.5 No No 3 RCE CVE-2026-48563 Remote Desktop Client Remote Code Execution Vulnerability Critical 7.5 No No 2 RCE CVE-2026-42992 Remote Desktop Client Remote Code Execution Vulnerability Critical 7.5 No No 2 RCE CVE-2026-44799 Remote Desktop Client Remote Code Execution Vulnerability Critical 7.5 No No 2 RCE CVE-2026-44801 Remote Desktop Client Remote Code Execution Vulnerability Critical 7.5 No No 2 RCE CVE-2026-42985 Remote Desktop Client Remote Code Execution Vulnerability Critical 8.8 No No 1 RCE CVE-2026-45648 Windows Active Directory Domain Services Remote Code Execution Vulnerability Critical 8.8 No No 3 RCE CVE-2026-42987 Windows Deployment Services (WDS) Remote Code Execution Critical 8.1 No 
No 2 RCE CVE-2026-33828 Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability Critical 7.8 No No 3 EoP CVE-2026-44803 Windows Graphics Component Remote Code Execution Vulnerability Critical 7.8 No No 1 RCE CVE-2026-44812 Windows Graphics Component Remote Code Execution Vulnerability Critical 7.8 No No 1 RCE CVE-2026-45607 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-45641 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.4 No No 2 RCE CVE-2026-47652 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.2 No No 2 RCE CVE-2026-47288 Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Critical 7.1 No No 3 RCE CVE-2026-45657 Windows Kernel Remote Code Execution Vulnerability Critical 9.8 No No 2 RCE CVE-2026-48574 Windows Media Remote Code Execution Vulnerability Critical 7.8 No No 2 RCE CVE-2026-45490 .NET SDK Elevation of Privilege Vulnerability Important 7.8 No No 2 EoP CVE-2026-45491 .NET Tampering Vulnerability Important 6.2 No No 3 Tampering CVE-2026-45591 ASP.NET Core Denial of Service Vulnerability Important 7.5 No No 2 DoS CVE-2026-47643 Azure Stack Edge Remote Code Execution Vulnerability Important 9.8 No No 3 RCE CVE-2026-41098 Azure Stack Edge Spoofing Vulnerability Important 8.4 No No 2 Spoofing CVE-2026-45642 Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability Important 3.9 No No 2 Spoofing CVE-2026-45650 Microsoft Bing Search Spoofing Vulnerability Important 4.3 No No 2 Spoofing CVE-2026-45637 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No 2 EoP CVE-2026-45647 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability Important 5.5 No No 2 EoP CVE-2026-40371 Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability Important 8.8 No No 2 EoP CVE-2026-44822 Microsoft Excel Information Disclosure Vulnerability Important 8.2 No No 3 Info 
CVE-2026-45455 Microsoft Excel Information Disclosure Vulnerability Important 3.3 No No 2 Info CVE-2026-45469 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-44817 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No 3 RCE CVE-2026-44818 Microsoft Excel Remote Code Execution Vulnerability Important 7 No No 2 RCE CVE-2026-44820 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-44823 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-45459 Microsoft Excel Security Feature Bypass Vulnerability Important 3.3 No No 2 SFB CVE-2026-45504 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8.8 No No 3 EoP CVE-2026-45502 Microsoft Exchange Server Information Disclosure Vulnerability Important 5 No No 3 Info CVE-2026-45503 Microsoft Exchange Server Information Disclosure Vulnerability Important 8.1 No No 3 Info CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.5 No No 2 RCE CVE-2026-45500 Microsoft Exchange Server Spoofing Vulnerability Important 6.1 No No 2 Spoofing CVE-2026-45501 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No 2 Spoofing CVE-2026-47631 Microsoft Exchange Server Spoofing Vulnerability Important 8.1 No No 2 Spoofing CVE-2026-42986 Microsoft Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No 1 EoP CVE-2026-41092 Microsoft Kinect Elevation of Privilege Vulnerability Important 7.8 No No 2 EoP CVE-2026-45644 Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability Important 8 No No 2 EoP CVE-2026-47293 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important 7 No No 2 EoP CVE-2026-45485 Microsoft Office Information Disclosure Vulnerability Important 3.3 No No 2 Info CVE-2026-44821 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No 2 Info CVE-2026-45483 Microsoft Office 
Project Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-45475 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-44819 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-44824 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-45645 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No 2 RCE CVE-2026-49161 Microsoft PC Manager Security Feature Bypass Vulnerability Important 7.8 No No 3 SFB CVE-2026-42902 Microsoft PowerToys Elevation of Privilege Vulnerability Important 7.8 No No 2 EoP CVE-2026-45484 Microsoft SharePoint Elevation of Privilege Vulnerability Important 8.8 No No 2 EoP CVE-2026-45454 Microsoft SharePoint Remote Code Execution Vulnerability Important 6.5 No No 2 RCE CVE-2026-47298 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8 No No 2 RCE CVE-2026-45467 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-45468 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-45479 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-45453 Microsoft SharePoint Server Spoofing Vulnerability Important 5.4 No No 2 Spoofing CVE-2026-47636 Microsoft SharePoint Server Spoofing Vulnerability Important 5.4 No No 2 Spoofing CVE-2026-47637 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-47638 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-47639 Microsoft SharePoint Server Spoofing Vulnerability Important 5.4 No No 3 Spoofing CVE-2026-47641 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 2 Spoofing CVE-2026-33113 Microsoft SharePoint Server Spoofing Vulnerability Important 5.4 No No 2 Spoofing CVE-2026-45462 Microsoft SharePoint Server Spoofing Vulnerability Important 4.6 No No 
CVE | Title | Severity | CVSS | Public | Exploited | Exploitability | Type
CVE-2026-45464 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 5.4 | No | No | 2 | Spoofing
CVE-2026-45465 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 5.4 | No | No | 2 | Spoofing
CVE-2026-47634 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.3 | No | No | 1 | Spoofing
CVE-2026-47640 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 4.6 | No | No | 3 | Spoofing
CVE-2026-45481 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.3 | No | No | 1 | Spoofing
CVE-2026-48560 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 5.4 | No | No | 2 | Spoofing
CVE-2026-48562 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 4.6 | No | No | 2 | Spoofing
CVE-2026-42835 | Microsoft Teams for Android Information Disclosure Vulnerability | Important | 8.1 | No | No | 2 | Info
CVE-2026-45606 | Microsoft UxTheme Library (uxtheme.dll) Denial of Service Vulnerability | Important | 5.5 | No | No | 2 | DoS
CVE-2026-45482 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | Important | 8.4 | No | No | 2 | SFB
CVE-2026-45466 | Microsoft Word Information Disclosure Vulnerability | Important | 3.3 | No | No | 3 | Info
CVE-2026-45471 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-45486 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-45643 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-45457 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-42980 | NT OS Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2026-42916 | NT OS Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-45649 | Office for Android Spoofing Vulnerability | Important | 7.1 | No | No | 3 | Spoofing
CVE-2026-47653 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | 3 | RCE
CVE-2026-42909 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | 3 | RCE
CVE-2026-42913 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | 3 | RCE
CVE-2026-42993 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | 2 | RCE
CVE-2026-45588 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48568 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48570 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48573 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48575 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48576 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-48578 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-45654 | Secure Boot Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-45656 | UEFI Secure Boot Security Feature Bypass Vulnerability | Important | 7.8 | No | No | 2 | SFB
CVE-2026-8863 | UEFI Secure Boot Security Feature Bypass Vulnerability | Important | 7.8 | No | No | 2 | SFB
CVE-2026-40376 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.5 | No | No | 2 | EoP
CVE-2026-47281 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 9.6 | No | No | 3 | EoP
CVE-2026-47284 | Visual Studio Code Information Disclosure Vulnerability | Important | 6.5 | No | No | 2 | Info
CVE-2026-47292 | Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-48569 | Visual Studio Code Security Feature Bypass Vulnerability | Important | 7.1 | No | No | 2 | SFB
CVE-2026-47287 | Visual Studio Code Tampering Vulnerability | Important | 6.5 | No | No | 2 | Tampering
CVE-2026-42829 | Windows Administrator Protection Security Feature Bypass Vulnerability | Important | 7.8 | No | No | 2 | SFB
CVE-2026-34335 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-45601 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45598 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45596 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45638 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-45603 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-42911 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45594 | Windows Application Identity (AppID) Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-45655 | Windows BitLocker Security Feature Bypass Vulnerability | Important | 5.3 | No | No | 2 | SFB
CVE-2026-45658 | Windows BitLocker Security Feature Bypass Vulnerability | Important | 7.8 | No | No | 1 | SFB
CVE-2026-45640 | Windows Bluetooth Port Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45605 | Windows Bluetooth Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-47656 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 7.9 | No | No | 2 | SFB
CVE-2026-44809 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-45634 | Windows DHCP Client Information Disclosure Vulnerability | Important | 5.5 | No | No | 3 | Info
CVE-2026-45608 | Windows DHCP Client Information Disclosure Vulnerability | Important | 6.8 | No | No | 3 | Info
CVE-2026-41108 | Windows DNS Client Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-42905 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP
CVE-2026-44811 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44808 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44807 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42983 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44802 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44813 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44804 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-48566 | Windows DWM Core Library Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-44814 | Windows DWM Core Library Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-45602 | Windows Dynamic Host Configuration Protocol (DHCP) Tampering Vulnerability | Important | 9.1 | No | No | 2 | Tampering
CVE-2026-42836 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-42910 | Windows Hotpatch Monitoring Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42972 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-45592 | Windows Internet (wininet.dll) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-42903 | Windows Kerberos Denial of Service Vulnerability | Important | 6.5 | No | No | 3 | DoS
CVE-2026-42914 | Windows Kerberos Denial of Service Vulnerability | Important | 5.3 | No | No | 2 | DoS
CVE-2026-48583 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-45653 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-42984 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-45600 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-45604 | Windows Managed Installer Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-45595 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | 2 | SFB
CVE-2026-45636 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.8 | No | No | 2 | RCE
CVE-2026-50508 | Windows NTLM Spoofing Vulnerability | Important | 6.5 | No | No | 1 | Spoofing
CVE-2026-48565 | Windows Narrator Braille Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-44805 | Windows Network Controller (NC) Host Agent Denial of Service Vulnerability | Important | 5.5 | No | No | 3 | DoS
CVE-2026-42981 | Windows Performance Monitor Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2026-42974 | Windows Performance Monitor Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2026-45487 | Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-42828 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42837 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42969 | Windows Push Notification Information Disclosure Vulnerability | Important | 5.5 | No | No | 3 | Info
CVE-2026-42971 | Windows Push Notification Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-42970 | Windows Push Notification Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-42973 | Windows Push Notification Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-42978 | Windows Push Notifications Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-42977 | Windows Push Notifications Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-42979 | Windows Push Notifications Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-42991 | Windows Push Notifications Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 3 | EoP
CVE-2026-45639 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 7.5 | No | No | 2 | Info
CVE-2026-42908 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 7.5 | No | No | 2 | Info
CVE-2026-45593 | Windows SDK Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42906 | Windows Shell Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-42907 | Windows Shell Information Disclosure Vulnerability | Important | 6.5 | No | No | 2 | Info
CVE-2026-47648 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-42915 | Windows TCP/IP Denial of Service Vulnerability | Important | 5.7 | No | No | 2 | DoS
CVE-2026-42904 | Windows TCP/IP Elevation of Privilege Vulnerability | Important | 9.6 | No | No | 3 | EoP
CVE-2026-42968 | Windows Telephony Server Information Disclosure Vulnerability | Important | 5.5 | No | No | 2 | Info
CVE-2026-42912 | Windows Telephony Service Elevation of Privilege Vulnerability | Important | 7 | No | No | 2 | EoP
CVE-2026-45597 | Windows UI Automation Manager (uiamanager.dll) Elevation of Privilege Vulnerability | Important | 7 | No | No | 3 | EoP
CVE-2026-45599 | Windows UPnP Device Host Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2026-45635 | Windows UPnP Device Host Remote Code Execution Vulnerability | Important | 8.1 | No | No | 2 | RCE
CVE-2026-40409 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-40404 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 2 | EoP
CVE-2026-42989 | Winlogon Elevation of Privilege Vulnerability | Important | 7.8 | No | No | 1 | EoP

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
\u2020 Indicates further administrative actions are required to fully address the vulnerability.

Looking at the other Critical-rated bugs in this release, the scariest-looking one is actually nothing to concern yourself with at all. The CVSS 10 bug in Azure HorizonDB has already been addressed by Microsoft and is just being documented now. 
That\u2019s also the case for five others. Of course, there wouldn\u2019t be a release without Office bugs that have the Preview Pane as an attack vector; there are multiple in June. There\u2019s a handful of bugs in the Remote Desktop Client, but these rely on connecting to a malicious RDP server. There are three patches for Hyper-V bugs that allow guest-to-host code execution. The bug in Active Directory requires authentication, but any authenticated user can hit it. The Windows Directory Service vulnerability requires the service to be listening for TFTP. You have blocked that everywhere, right? The bug in Azure Network Adapter is somewhat unique in that you need to update your Linux kernel to be protected. The bug in Azure Kubernetes allows an attacker to break out of a container and gain control of the AKS worker node. Finally, exploitation of the bug in the Kerberos Key Distribution Center (KDC) seems unlikely, but if it is exploited, it could allow authenticated attackers to get code execution on affected systems.

Moving on to the other code execution bugs, there are the ubiquitous open-and-own bugs in Office components like Excel and Word. The code injection bug in Exchange Server looks troubling, but it requires a machine-in-the-middle (MiTM) position, so exploitation is unlikely. The bugs in SharePoint require authentication, but you should note that the patch applies to both SharePoint Server 2016 and SharePoint Enterprise Server 2016. The two bugs in UPnP are interesting: both can lead to code execution when specially crafted data causes an error during handling that results in a Use After Free (UAF). The bugs in the RDP Client all require connecting to a malicious RDP server, but it\u2019s not clear why some are rated Critical and some are rated Important. The NTFS vulnerability requires a user to mount a virtual hard drive on an affected system. 
The last RCE bug this month is in Azure Stack Edge and requires the attacker to send a specially crafted file upload request that includes a manipulated file name or path, leading to code execution.

There are more than 60 Elevation of Privilege (EoP) bugs in this month\u2019s release, and as usual, most simply lead to local attackers executing their code at SYSTEM-level or administrative privileges, so there\u2019s not much to add without further technical details about the bugs themselves. A notable exception is in Exchange Server, where a user on Outlook Web Access (OWA) could gain access to other mailboxes. The bug in Visual Studio Code could allow attackers to gain the permissions associated with the MCP Server\u2019s managed identity. The bugs in Windows SDK and Windows UI Automation Manager could let an attacker go from low-integrity to medium-integrity code execution. The Bluetooth advisory just says the bug allows \u201celevated\u201d privileges without really describing what elevated means.

Moving on to the more than 20 security feature bypass (SFB) bugs in the June release, there are a total of 10 that impact Secure Boot. All carry scope change (S:C) in the CVSS vector, meaning successful exploitation affects security boundaries beyond the vulnerable component itself: specifically the ability to load untrusted code at boot, bypass Virtual Secure Mode (VSM), and undermine boot integrity guarantees. CVE-2026-45654 explicitly calls out VSM exposure. The bulk of these are credited to Alon Leviev (STORM), which is notable given his prior BootKitty/BlackLotus-adjacent research. The bugs in the Windows Boot Manager have a similar impact to the Secure Boot bugs. The UEFI Secure Boot vulnerabilities go a layer deeper. They require either local admin or physical access but could allow untrusted code to run even before the OS loads. Rootkits, anyone? The four bugs in BitLocker all require physical access but could yield access to encrypted data if exploited. 
The bug in Windows Administrator Protection allows attackers to bypass the feature that prevents standard-user apps from performing admin-level actions. The bug in the Visual Studio Code Copilot Chat extension could be the most interesting non-boot bug here, as it allows authentication impersonation. The Mark of the Web (MotW) and Excel vulns could bypass user warnings. Lastly, the bug in PC Manager bypasses expected user controls.

Turning our attention to the mass of spoofing bugs in the release, we instantly see 18 impacting SharePoint Server. Fortunately, these are simply cross-site scripting (XSS) bugs. It\u2019s the Exchange bugs we should really watch for. One is an XSS that an attacker can exploit by convincing an Exchange administrator to open a malicious link or message, which then runs code in the admin's web session. That's a meaningful privilege escalation path. Another is listed as an SSRF-based attack, but no other details are available. The last is a lower-impact XSS with limited confidentiality/integrity loss. The bug in Bing Search (remember Bing?) is classic search result spoofing. The bug in Azure Stack Edge is interesting as it could allow access to resources outside the vulnerable component's security boundary. The bug in Office for Android requires user interaction. The Office Project Server bug is an authenticated XSS with low impact. The final spoofing bug is in Azure Attestation but has already been addressed. You should still verify you are protected by following the instructions in the write-up from Microsoft.

There are 30 different information disclosure bugs in this release, and fortunately, the vast majority of these simply result in info leaks consisting of unspecified memory contents or memory addresses. The two bugs in Visual Studio require user interaction and could \u201cdisclose information over a network.\u201d How obtuse. The bug in GitHub Copilot and Visual Studio Code could disclose a sign-in access token for a user's work account. 
That's a meaningful credential exposure, not just random memory. That leaves the two bugs in Exchange Server. One could allow an authenticated user to learn which network services the Exchange server can reach. The other sounds much like the spoofing bug in OWA, as it allows attackers to see information in mailboxes they should not have access to.

I\u2019ve never been a fan of the \u201ctampering\u201d category, as it could mean so many different things. For example, the bug in .NET simply says it could allow an unauthorized attacker to perform tampering locally. Similarly, the bug in Visual Studio says the same, except here the tampering occurs over a network. Microsoft doesn\u2019t even bother with a CWE for the tampering bug in the DHCP Server, so your guess is as good as mine.

There are seven DoS bugs in the June release, and as usual, Microsoft provides little to no actionable information about the vulnerabilities. The most interesting is the bug in HTTP.sys, which is listed as publicly known. This is an uncontrolled resource consumption bug, rated \"Exploitation More Likely,\" and publicly disclosed. Since HTTP.sys sits at the core of IIS and Windows web services, a network-accessible DoS here can take down any Windows server running HTTP-based services. Based on the Acknowledgement, it looks like this bug may have been found using AI. There are no real details for the other bugs, but based simply on the impact, I would focus on the Kerberos and TCP/IP bugs if you had to prioritize.

No new advisories are being released this month.

Looking Ahead
The next Patch Tuesday will be on July 14 and will be the last one before Black Hat/DEFCON. It\u2019s usually a big release, so strap in and hang on. I\u2019ll be back then to give you my full thoughts. 
Until then, stay safe, happy patching, and may all your reboots be smooth and clean!","title":"The June 2026 Security Update Review","url":"https://www.thezdi.com/blog/2026/6/9/the-june-2026-security-update-review"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":122,"published_date":"2026-06-09T18:10:32+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview
Microsoft-signed UEFI bootloaders of the open-source shim project, primarily from version 0.9 and earlier, were identified as vulnerable to Secure Boot bypass. To mitigate this risk, the affected bootloaders will be added to the Microsoft UEFI Forbidden Signature Database (DBX). Once the DBX update is applied, these bootloaders will no longer be trusted for execution during the boot process. An attacker could exploit these vulnerable shim bootloaders using a Bring Your Own Vulnerable Driver (BYOVD)-style technique to execute arbitrary code during the early boot phase, prior to operating system initialization, thereby bypassing Secure Boot protections.

Description
The Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains the \"Microsoft Corporation UEFI CA 2011\" certificate. This Microsoft certificate is widely used to sign third-party boot components intended to run under Secure Boot. 
The open-source UEFI shim project is a small, signed bootloader that Microsoft signed using the \"Microsoft Corporation UEFI CA 2011\" certificate. Shim acts as a bridge between the motherboard's UEFI firmware and the operating system (typically a Linux distribution). Its purpose is to allow Linux distributions to boot with Secure Boot enabled without requiring every individual distribution's key to be built into the motherboard's NVRAM settings. In doing so, shim allows Linux distributions and other third parties to establish their own trust model through the use of Machine Owner Keys (MOKs), enabling additional bootloaders, kernels, and related components to execute within the Secure Boot chain. The shim project also introduced Secure Boot Advanced Targeting (SBAT), which provides a version-based revocation mechanism for boot components and simplifies future security updates and revocations. Over time, multiple security vulnerabilities were identified and corrected in the upstream shim project. However, a number of vendors had previously forked or customized older versions of shim for their own products and boot environments. In many cases, these vendor-specific bootloaders were not updated after vulnerabilities in the upstream project became publicly known. As a result, vulnerable bootloaders remained signed and trusted by Secure Boot systems because they had not been revoked through the Microsoft-signed DBX revocation list. This created a long-term supply chain exposure in which outdated and vulnerable boot components could still be executed on fully patched systems. Researchers from ESET identified multiple vulnerable shim bootloaders affected by these issues. The affected bootloaders will be added to Microsoft's official DBX revocation list as part of this coordinated disclosure. 
Impacted shim bootloaders
Vendor and Product Information | Authenticode SHA hash | SHA256 file hash | CVE ID
Spyrus WTGCreator () from UEFI shim loader(0.7 (or lower)) | AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961 | 1D18DF4B15D3BC3DFFA1777A557075210DD0C53B | CVE-2026-8863
RedHat RedHat Enterprise Linux (7.2) from UEFI shim loader(0.9) | 7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10 | 3F24DD838C5C9E35B104FA2F3B74AC6A5BF92FD2 | CVE-2026-10797
RedHat CentOS (7.2) from UEFI shim loader(0.9) | EB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A | E133BE08E8AD17AC00E3C8ED215499C5F3C54E64 | CVE-2026-10797
baramundi software baramundi Management Suite (up to 2024R1) from UEFI shim loader(0.8) | FD23D6E57DE6F4E1F9D7118DA1C5F31A8AF6BE5E5D9E8170F9493447268D50C5 | 8637D7EFA23A8A5738F2E4AACB6C9919B405AA2C | CVE-2026-8863
WhiteCanyon/Blancco WipeDrive (versions 8.0.0 through 8.1.3.) from UEFI shim loader(0.7) | a0de9333442c1bf9349a460141ae5e80f911955c6506040fa3d021bf6c1ae3e4 | 8A402AFCD3C23D9253BBEA08576113C63E448AD0 | CVE-2026-8863
Finland's Matriculation Examination Board Abitti 1 (1.0) from UEFI shim loader(0.8) | 95B6D71FC0C0F8C5E1533A37AEF92CF6B0C961E2CC612A97117FA6759CE5FC06 | 8A83FA30DBF0073F33EAD298A7D5CD69A47C3A4B | CVE-2026-8863
NTC IT ROSA, LLC ROSA Linux (R10, R9) from UEFI shim loader(0.9) | 236A9CB0D71951C36398A32EB660CE2CD4A52CCFA7CF751CC6A35D9DE549E19B | 8F9E8DB8E2C2157C2A591F2BE070FF96BFE318C7 | CVE-2026-8863
Oracle America, Inc. OracleLinux (7.2) from UEFI shim loader(0.9) | 5E594C448760A3135B1A3A83E07A4F2E6FBE49414EF2C7CAB1CBA77F284FA63B | A16136899A12AD214FA4FBA60072BA72FBAB8BCA | CVE-2026-8863
PC-Doctor, Inc. PC Doctor Service Center (15, 16) from UEFI shim loader(0.9) | 8A964D5F8373948D20A1D4296FB92E545DAD4617A0C810F3B934B53D98AE8963 | BC01320D8FF8343B348EF8F3C947A66EB8FD9CE2 | CVE-2026-8863
OpenSuse OpenSuse UEFI Shim loader (0.9) | 410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373 | 3CF8BEB1E2885F51CA04002425C4F3C796D105BC | CVE-2026-8863
OpenSuse OpenSuse Shim (2.1) from UEFI Shim loader (0.9) | 96275DFD6282A522B011177EE049296952AC794832091F937FBBF92869028629 | 6DB5266E80C9D51CDD54421E736DF2E6E6879A56 | CVE not provided

Impact
An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. Code executed during this early boot phase may achieve persistent compromise of the platform, including the ability to load unsigned or malicious kernel components that can survive system reboots and, in some cases, operating system reinstallation. Because this activity occurs before the operating system and many security products initialize, malicious code executed through this technique may evade detection by operating system security controls and Endpoint Detection and Response (EDR) solutions.

Solution
Apply a Patch
Apply the latest software updates along with the latest bootloader updates as provided by your hardware or software vendor. See the Vendor Information section for details. Updated software should replace any vulnerable shim bootloaders with versions that incorporate the latest upstream security fixes and SBAT protections. Additionally, Microsoft DBX updates should be applied to all UEFI-based systems to ensure that vulnerable bootloaders can no longer be executed during the Secure Boot process. 
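One way to confirm that a DBX update has actually revoked the loaders in the table above, as an added example that is not CERT/CC, Microsoft or ESET tooling: read the raw DBX variable (on Linux, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, which carries a 4-byte attribute prefix; on Windows, the Bytes property returned by Get-SecureBootUEFI -Name dbx), walk it as a sequence of EFI_SIGNATURE_LIST structures, and look for EFI_CERT_SHA256 entries matching the 64-hex-digit hashes from the table. The script assumes that column is the Authenticode SHA-256 of each image, since a DBX hash entry is an Authenticode PE hash rather than a flat file hash, and it only carries a subset of the table. The blob it parses is constructed inside the script and revokes just two of the listed loaders, so the other entries report as still trusted.

```python
'''Check a UEFI DBX payload for the Authenticode SHA-256 hashes of revoked shim loaders.

Added example for this note, not CERT/CC, Microsoft or ESET tooling. A DBX is a
sequence of EFI_SIGNATURE_LIST structures; a revoked PE image appears as an
EFI_CERT_SHA256 entry whose 32-byte payload is the Authenticode hash of the image.
'''
import struct
import uuid
from typing import Dict, Iterable, Optional, Set

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID('c1c41626-504c-4092-aca9-41f936934328')
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
SIGLIST_HEADER = struct.Struct('<16sIII')
# EFI_SIGNATURE_DATA for SHA-256: 16-byte SignatureOwner GUID followed by the 32-byte hash.
SHA256_ENTRY_SIZE = 16 + 32

# 64-hex-digit hashes copied from the impacted-bootloader table above (a subset).
# Assumption: that column is the Authenticode SHA-256, the only form a DBX hash entry holds.
VULNERABLE_SHIMS = {
    'Spyrus WTGCreator (CVE-2026-8863)':
        'AE75F0D82BA3DF824FBFC69340CC3B4D66C598373B1AB54CDB6C8BFD83A6B961',
    'RedHat Enterprise Linux 7.2 shim 0.9 (CVE-2026-10797)':
        '7B2A3F5C96F95BD8086CE54B0825E300F9C8F11FE3401BB631B3215C8DE9EB10',
    'CentOS 7.2 shim 0.9 (CVE-2026-10797)':
        'EB86FA1386FE6E4533B8B938DCC1250616D2F1C14C15E2FCF80834A161018A0A',
    'WhiteCanyon/Blancco WipeDrive 8.0.0-8.1.3 (CVE-2026-8863)':
        'a0de9333442c1bf9349a460141ae5e80f911955c6506040fa3d021bf6c1ae3e4',
    'OpenSuse shim 0.9 (CVE-2026-8863)':
        '410260B1B6F5AF5FBEEB9EA3220658435E876CB3247126EE907A437F312DB373',
}


def strip_efivar_attributes(raw: bytes) -> bytes:
    '''Linux efivarfs prefixes each variable with a 4-byte attribute word; drop it.
    Get-SecureBootUEFI -Name dbx on Windows already returns the bare payload.'''
    return raw[4:]


def parse_sha256_entries(dbx: bytes) -> Set[str]:
    '''Walk every EFI_SIGNATURE_LIST in a DBX payload and return its SHA-256 entries as
    upper-case hex. Lists of other types (x509 certificates, SVN records) are stepped
    over using their declared SignatureListSize; malformed input raises ValueError.'''
    found: Set[str] = set()
    offset = 0
    while offset < len(dbx):
        if len(dbx) - offset < SIGLIST_HEADER.size:
            raise ValueError(f'truncated EFI_SIGNATURE_LIST header at offset {offset}')
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(dbx, offset)
        if list_size < SIGLIST_HEADER.size + hdr_size or offset + list_size > len(dbx):
            raise ValueError(f'bad SignatureListSize {list_size} at offset {offset}')
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_ENTRY_SIZE:
                raise ValueError(f'SHA-256 list at offset {offset} has SignatureSize {sig_size}')
            start = offset + SIGLIST_HEADER.size + hdr_size
            end = offset + list_size
            if (end - start) % sig_size:
                raise ValueError(f'SHA-256 list at offset {offset} holds a partial entry')
            for pos in range(start, end, sig_size):
                # Skip the SignatureOwner GUID; the remaining 32 bytes are the hash.
                found.add(dbx[pos + 16:pos + sig_size].hex().upper())
        offset += list_size
    return found


def revocation_status(dbx_payload: bytes,
                      shims: Optional[Dict[str, str]] = None) -> Dict[str, bool]:
    '''Map each known-vulnerable shim to True when its hash is present in the DBX.'''
    shims = VULNERABLE_SHIMS if shims is None else shims
    revoked = parse_sha256_entries(dbx_payload)
    return {name: h.upper() in revoked for name, h in shims.items()}


# --- Constructed test data; not a real firmware DBX --------------------------------
def build_sha256_list(hashes: Iterable[str]) -> bytes:
    '''Serialize an EFI_CERT_SHA256 signature list with a zero SignatureOwner GUID.'''
    body = b''.join(uuid.UUID(int=0).bytes_le + bytes.fromhex(h) for h in hashes)
    return SIGLIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le, SIGLIST_HEADER.size + len(body),
                               0, SHA256_ENTRY_SIZE) + body


def build_x509_list(der: bytes) -> bytes:
    '''Serialize a single-entry EFI_CERT_X509 list that the parser must step over.'''
    entry = uuid.UUID(int=0).bytes_le + der
    return SIGLIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HEADER.size + len(entry),
                               0, len(entry)) + entry


# Fake efivarfs dump: attribute word (NV|BS|RT|TIME_BASED_AUTH = 0x27), one bogus
# certificate list, then a SHA-256 list that revokes only the Spyrus and RHEL hashes.
SAMPLE_EFIVAR_DBX = (
    (0x27).to_bytes(4, 'little')
    + build_x509_list(b'not a real DER certificate')
    + build_sha256_list([VULNERABLE_SHIMS['Spyrus WTGCreator (CVE-2026-8863)'],
                         VULNERABLE_SHIMS['RedHat Enterprise Linux 7.2 shim 0.9 (CVE-2026-10797)']])
)

if __name__ == '__main__':
    # Real use: replace SAMPLE_EFIVAR_DBX with the bytes read from the efivarfs dbx file.
    for name, revoked in revocation_status(strip_efivar_attributes(SAMPLE_EFIVAR_DBX)).items():
        print(('revoked       ' if revoked else 'STILL TRUSTED ') + name)
```

A loader that still reports as trusted after the June DBX update has been deployed means either the update has not been applied on that machine or the firmware is not exposing the updated variable, and is worth chasing before assuming the system is protected. The parser steps over certificate lists by their declared size rather than assuming every list is SHA-256, which is what a real DBX looks like once Microsoft's revoked CA entries are present.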
Recommendations for Enterprises and Developers
Because modifications to the DBX (Forbidden Signature Database) can affect system boot behavior, vendors and administrators should thoroughly test these updates before broad deployment to ensure systems remain bootable. When deploying Secure Boot updates, it is recommended that the latest authorized signature database (DB) update be applied before the DBX revocations. In practice, this means updating trusted boot applications and certificates first, followed by deployment of the revocation list. Failure to follow this order may cause systems to reject newly updated boot components. Enterprises, virtualization providers, and cloud operators managing large-scale deployments should prioritize validation and deployment of these updates to prevent the execution of vulnerable or unsigned binaries during physical or virtual machine startup. Microsoft also provides DBX update files and related tooling through the SecureBoot Objects repository. Audit tools such as Check-UEFISecureBootVariables for Windows systems using PowerShell, and uefi-dbx-audit for Linux systems, can be used to help verify that current DBX updates have been applied to UEFI-based laptops, desktops, servers, and virtual machines with Secure Boot enabled. These tools can also assist enterprise administrators in identifying revoked or vulnerable boot components present on a system. Audit and verification capabilities may vary depending on platform firmware implementation and support for revocation mechanisms such as SBAT and the newer Microsoft-specific Secure Version Numbering (SVN) enforcement.

Acknowledgements
Thanks to Martin Smolar of ESET for researching and reporting this vulnerability. 
This document was written by Vijay Sarvepalli.","title":"VU#616257: Microsoft-signed UEFI shim bootloaders vulnerable to Secure Boot bypass","url":"https://kb.cert.org/vuls/id/616257"},{"category":"Uncategorized","confidence":"MEDIUM","confidence_reason":"Duo Security / Cisco-owned security journalism (Dennis Fisher, Lindsey O'Donnell-Welch). Primary reporting, no marketing funnel. Peer-quality with Dark Reading / The Record.","created_at":"2026-07-02 03:55:48","id":116,"published_date":"2026-06-09T14:33:36+00:00","severity":"medium","source_name":"Decipher","summary":"We've arrived at a point where billions of us have opted in to types of surveillance that would have caused massive demonstrations just a couple of decades ago.","title":"The Ugly Roots of the Surveillance State","url":"https://decipher.sc/2026/06/09/the-ugly-roots-of-the-surveillance-state"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":162,"published_date":"2026-06-09T14:05:42+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.","title":"Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257","url":"https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":274,"published_date":"2026-06-09T13:35:36+00:00","severity":"high","source_name":"Rapid7","summary":"Wade Woolwine is Senior Director, Product Security at Rapid7. 
Rapid7 is excited to join Anthropic\u2019s Project Glasswing, which includes access to Claude Mythos Preview, giving our teams the opportunity to explore how frontier AI can support legitimate, internal defensive security workflows led by experienced security practitioners. Anthropic has now expanded Project Glasswing from its initial cohort to a broader group of organizations, underscoring how quickly this conversation is moving from model capability to industry readiness. This access comes at a critical moment for security operations. Attackers are moving faster, attack surfaces are expanding, and fragmented security data makes it harder for teams to correlate context and respond at scale. The industry is entering a period where powerful frontier AI models with advanced cyber capabilities require new operating norms, stronger safeguards, and better infrastructure for how vulnerabilities are verified, disclosed, fixed, and deployed. Frontier AI will raise expectations for how quickly security teams can understand risk, make decisions, and prove that action has reduced exposure. Rapid7 has already been tracking what Project Glasswing means for security leaders: faster discovery is only part of the story, and the real test is how defenders handle everything that follows, from prioritization and remediation to validation, detection, and response. Rapid7\u2019s involvement gives us another opportunity to help shape how advanced LLMs are evaluated and applied to real defensive security work. The organizations best positioned to benefit from frontier AI will be those that pair advanced models with trusted security context, expert oversight, and mature operational workflows. That is the lens Rapid7 is bringing to our internal exploration of Claude Mythos Preview, and it reflects the same principle that guides our broader AI strategy: advanced technology delivers the most value when grounded in security expertise, operational context, and measurable outcomes. 
Exploring Claude Mythos Preview inside Rapid7
In the first week of Rapid7\u2019s access to Claude Mythos Preview, it has already given our researchers, security engineers, and analysts another way to explore how frontier AI can strengthen the security workflows we already rely on. Our use is internal and practitioner-led, with a focus on learning where these models can create defensive value, where human expertise remains essential, and where responsible guardrails are required. Cybersecurity impact depends on more than model capability. A model may help identify a potential vulnerability and confirm exploitability, but reducing risk requires deeper operational work: understanding affected systems, mapping business context, prioritizing remediation, validating the fix, and ensuring detection coverage is in place. Anthropic\u2019s latest Project Glasswing update reinforces that same shift: as AI makes discovery faster, the next challenge becomes helping the industry scale verification, disclosure, fixing, and deployment. For more than 25 years, Rapid7 has helped organizations understand risk in real environments and take action against it. Access to Project Glasswing gives us another way to explore how LLMs can support that mission, while reinforcing the same principle that guides our broader AI strategy: advanced technology delivers the most value when grounded in security expertise, operational context, and measurable outcomes.

How Rapid7 is using Claude Mythos Preview internally
Our initial exploration is focused on internal defensive use cases that can help strengthen our product security, improve our research, and create better security outcomes overall. The goal is to understand how frontier AI can support highly specialized security work while helping us evaluate these capabilities with the discipline and caution they require. 
In product security, we are exploring how Claude Mythos Preview can support assessment of our code and infrastructure, helping identify potential vulnerabilities, weaknesses, or risky patterns that traditional product security tools may miss. Used responsibly, this type of workflow can help engineering and product security teams reduce risk earlier in the development lifecycle. We are also evaluating how frontier AI can support vulnerability validation and exploitation analysis in authorized environments. This includes exploring how models can help researchers reason across unfamiliar code, validate severity, build safe proof-of-concept exploit paths, and translate findings into practical remediation guidance. Our work also includes zero-day research and frontier model evaluation. As models become more capable, security teams need a clear view of where they perform well, where they struggle, and how their outputs should be governed. Evaluating these models against vulnerability discovery and exploitation tasks helps Rapid7 understand their practical value, limitations, and safeguards. We are also applying frontier AI to red-teaming, detection, and response research. As AI becomes more embedded in enterprise systems and security operations, it also needs to be tested adversarially. Frontier models can help practitioners explore attack paths, challenge assumptions, enrich investigations, reduce noise, and support faster decisions when paired with the right telemetry and human judgment.

Why frontier AI needs cybersecurity expertise
The industry conversation around frontier AI often starts with what models can find, especially as they become more capable at reasoning across large codebases and surfacing potential flaws. However, security teams reduce risk by knowing which findings matter, acting on them quickly, and proving that exposure has been reduced. 
As we\u2019ve written before, the challenge is turning faster discovery into faster action, which requires teams to understand their environment well enough to apply emerging models with intent. That is why expertise matters. AI can help accelerate parts of the workflow, but security impact comes from connecting discovery to validation, remediation, detection, and response. Without that connection, faster discovery can create more volume for teams that are already stretched. With the right context and operating model, it can help defenders move earlier and with more confidence. This is the lens Rapid7 brings to Project Glasswing. Our teams are exploring these capabilities as practitioners who understand the real-world pressures customers face: incomplete asset visibility, fragmented ownership, growing vulnerability backlogs, expanding identity and cloud risk, and alert volumes that can outpace human-only workflows. From frontier AI adoption to preemptive security Rapid7\u2019s broader strategy is focused on helping organizations move toward preemptive security, where exposure management, and detection and response work together to disrupt attackers before risk becomes impact. As AI accelerates both attacker activity and defender workflows, security teams need more than faster vulnerability discovery. They need rich contextual prioritization, trusted AI-driven decision making, and mitigations beyond patching so they can prioritize, validate, and respond at speed and scale. The next phase of cybersecurity will require speed, scale, and consistency across the entire security lifecycle. The industry challenge is expanding from finding vulnerabilities to the harder operational work of verifying, disclosing, fixing, and deploying remediations. While vulnerability and alert volumes will increase, cyber resilience depends on what happens both before and after discovery. 
In a reality where vulnerabilities can be exploited or chained together quickly, teams need the ability to prioritize exposures that have real impact, investigate quickly with full context, and keep operating in the face of disruption. Preemptive security also means mitigation must extend beyond patching. Timely patching at scale is not always practical, so security teams need the ability to intercept and disrupt exploit paths through virtual patching, controls management, and rapid response actions. That is why Rapid7 is approaching frontier AI through the lens of preemptive security. Our AI foundation is built around unified security data and shared operational context across exposures, assets, identities, behavior, and activity, and transparent AI decisions validated by experts and governed by policy-driven workflows. Access to Claude Mythos Preview is another step in exploring how LLMs can help security teams move earlier, act faster, and build more resilient programs without losing the human expertise and accountability that effective security requires. Anthropic also unveiled Fable 5 today, its first publicly available Mythos-class model, which will only further underscore the importance of having an integrated, AI-ready security plan that can turn this new benchmark of visibility into meaningful security improvement.","title":"Rapid7 Gains Access To Anthropic\u2019s Project Glasswing To Explore Frontier AI For Cybersecurity","url":"https://www.rapid7.com/blog/post/ai-rapid7-accesses-anthropics-project-glasswing-exploring-frontier-artificial-cybersecurity-intelligence"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":455,"published_date":"2026-06-09T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"AI is raising the ceiling for skilled researchers and flooding bug bounty programs with polished but inaccurate submissions at the same time. Both things are true, and the reconciling variable is the harness built around the model and the expertise of the person driving it.","title":"Mythos Doesn't Deploy Itself","url":"https://bishopfox.com/blog/mythos-doesnt-deploy-itself"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":317,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Palo Alto Networks has published [1] information on vulnerabilities in PAN-OS. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks\u2019 upstream security notifications. [1] https://security.paloaltonetworks.com/","title":"SSA-967325 V1.1 (Last Update: 2026-06-09): Multiple Vulnerabilities in Palo Alto Networks PAN-OS on RUGGEDCOM APE1808 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-967325.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":318,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Several industrial products contain an out of bounds read vulnerability that could allow an attacker to cause a Blue Screen of Death (BSOD) crash of the underlying Windows kernel, leading to denial of service condition. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.","title":"SSA-962515 V1.6 (Last Update: 2026-06-09): Out of Bounds Read Vulnerability in Industrial Products","url":"https://cert-portal.siemens.com/productcert/html/ssa-962515.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":319,"published_date":"2026-06-09T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Simcenter Femap is affected by file parsing vulnerabilities in Datakit library and Parasolid Translator Component that could be triggered when the application reads files in IPT or IGS format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to perform remote code execution in the context of the current process. Siemens has released a new version for Simcenter Femap and recommends to update to the latest version.","title":"SSA-870926 V1.1 (Last Update: 2026-06-09): Datakit and Parasolid Vulnerabilities in Simcenter Femap","url":"https://cert-portal.siemens.com/productcert/html/ssa-870926.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":320,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Fortinet has published information on vulnerabilities in FortiOS. This advisory lists the related Siemens Industrial products. Siemens is preparing fix versions and recommends to consult and implement the workarounds provided in Fortinet\u2019s upstream security notifications.","title":"SSA-864900 V1.8 (Last Update: 2026-06-09): Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-864900.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":321,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SINEC INS before V1.0 SP2 Update 6 is affected by multiple vulnerabilities. Siemens has released a new version for SINEC INS and recommends to update to the latest version.","title":"SSA-860189 V1.0: Multiple Vulnerabilities in SINEC INS Before V1.0 SP2 Update 6","url":"https://cert-portal.siemens.com/productcert/html/ssa-860189.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":322,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Nozomi Networks has published information on vulnerabilities in Nozomi Guardian/CMC. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. 
Siemens has released a new version for RUGGEDCOM APE1808 and recommends to update to the latest version.","title":"SSA-827968 V1.3 (Last Update: 2026-06-09): Vulnerability in Nozomi Guardian/CMC Before  V26.2.0 on RUGGEDCOM APE1808 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-827968.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":323,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"This advisory documents the impact of CVE-2024-3596 (also dubbed \u201cBlastradius\u201d), a vulnerability in the RADIUS protocol, to SIPROTEC, SICAM and related products. The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., a SICAM device) and a RADIUS server, to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an \u201cAccess-Reject\u201d message into an \u201cAccess-Accept\u201d. This would cause the Network Access Server to grant the attackers access to the network with the attackers desired authorization (and without the need of knowing or guessing legitimate access credentials). Further details incl. external references can be found in the chapter \u201cAdditional Information\u201d. Siemens has released new versions for several affected products and recommends to update to the latest versions, and to configure the updated systems as recommended in the chapter \u201cAdditional Information\u201d. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. 
See chapter \u201cAdditional Information\u201d for details.","title":"SSA-794185 V1.3 (Last Update: 2026-06-09): RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SIPROTEC, SICAM and Related Products","url":"https://cert-portal.siemens.com/productcert/html/ssa-794185.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":324,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"This advisory documents the impact of CVE-2024-3596 (also dubbed \u201cBlastradius\u201d), a vulnerability in the RADIUS protocol, to SCALANCE, RUGGEDCOM and related products. The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., SCALANCE or RUGGEDCOM devices) and a RADIUS server (e.g., SINEC INS), to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an \u201cAccess-Reject\u201d message into an \u201cAccess-Accept\u201d. This would cause the Network Access Server to grant the attackers access to the network with the attackers desired authorization (and without the need of knowing or guessing legitimate access credentials). Further details incl. external references can be found in the chapter \u201cAdditional Information\u201d. Siemens has released new versions for several affected products and recommends to update to the latest versions, and to configure the updated systems as recommended in the chapter \u201cAdditional Information\u201d. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. 
See chapter \u201cAdditional Information\u201d for details.","title":"SSA-723487 V2.0 (Last Update: 2026-06-09): RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SCALANCE, RUGGEDCOM and Related Products","url":"https://cert-portal.siemens.com/productcert/html/ssa-723487.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":325,"published_date":"2026-06-09T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Siemens\u2019 User Management Component (UMC) is affected by multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial of service condition. Siemens has released a new version for User Management Component (UMC) and recommends to update to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-722410 V1.2 (Last Update: 2026-06-09): Multiple Vulnerabilities in User Management Component (UMC)","url":"https://cert-portal.siemens.com/productcert/html/ssa-722410.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":326,"published_date":"2026-06-09T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Affected products do not properly restrict access permissions to a local Windows Named Pipe and do not properly sanitize user-controllable input sent to that Named Pipe. This could allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application and its privileges. 
Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-693808 V1.3 (Last Update: 2026-06-09): Deserialization Vulnerability in Siemens Engineering Platforms","url":"https://cert-portal.siemens.com/productcert/html/ssa-693808.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":327,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Siemens ET 200 devices contain a denial-of-service vulnerability that could be triggered by sending a valid S7 protocol Disconnect Request (COTP DR TPDU), causing the device to become unresponsive and require a power cycle to recover. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-674753 V1.2 (Last Update: 2026-06-09): Denial-of-Service Vulnerability in ET 200 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-674753.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":328,"published_date":"2026-06-09T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"OpenSSL has published a stack based buffer overflow vulnerability that allows a remote attacker to cause a denial of service (DoS) or potentially allow for remote code execution. 
Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-434797 V1.0: Buffer Overflow Vulnerability in OpenSSL affecting Siemens Products","url":"https://cert-portal.siemens.com/productcert/html/ssa-434797.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":329,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SIPROTEC 5 is vulnerable to arbitrary file uploads by authenticated users using the DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files, potentially causing a permanent denial of service condition. As a mitigation measure, users of the CP050 and CP150 device models are advised to upgrade to version 9.90 or later. For CP300 device models, devices 7ST85 and 7ST86 are advised to upgrade to version 10.00 or later, while the remaining models should upgrade to version 9.90 or later. These versions introduce an allow-list feature that restricts arbitrary file uploads and reduces the risk associated with this vulnerability. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-139483 V1.0: File Upload Vulnerability in SIPROTEC 5 Using DIGSI5 Protocol","url":"https://cert-portal.siemens.com/productcert/html/ssa-139483.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":330,"published_date":"2026-06-09T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"WinCC Certificate Manager insufficiently protects key material that could allow an attacker to extract sensitive information. Siemens has released a new version for SIMATIC WinCC Unified PC Runtime V21 and recommends to update to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-063511 V1.0: Insufficient protection of key material in WinCC Certificate Manager","url":"https://cert-portal.siemens.com/productcert/html/ssa-063511.html"},{"category":"Uncategorized","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":163,"published_date":"2026-06-08T23:00:45+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Attackers are increasingly targeting collaboration platforms like Microsoft Teams. Learn the risks and key steps to strengthen your organization's security. The post When \u201cHi, This Is IT\u201d Comes Through Microsoft Teams appeared first on Unit 42.","title":"When \u201cHi, This Is IT\u201d Comes Through Microsoft Teams","url":"https://unit42.paloaltonetworks.com/microsoft-teams-phishing"},{"category":"Ransomware","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":275,"published_date":"2026-06-08T17:05:16+00:00","severity":"critical","source_name":"Rapid7","summary":"Overview On June 8, 2026, Check Point published a security advisory for CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. 
The vulnerability affects deployments configured to use the deprecated IKEv1 key exchange protocol where gateways accept legacy Remote Access clients and do not require a machine certificate for connections. CVE-2026-50751, classified as improper authentication (CWE-287), has a CVSS score of 9.3. The vulnerability stems from a logic flow weakness in how Remote Access and Mobile Access components validate certificates during IKEv1 key exchange; successful exploitation allows an unauthenticated attacker to establish a VPN session without providing valid credentials. Per the vendor, additional post-authentication activity is required to access internal resources or escalate privileges. Check Point has indicated that CVE-2026-50751 is being actively exploited in the wild, with observed activity dating back to May 7, 2026 and an increase in early June. The vendor characterizes the campaign as limited in scope, affecting several dozen organizations. At least one incident has been linked to a Qilin ransomware affiliate, which Check Point assesses with medium confidence. Rapid7 has observed two cases with high confidence that can be attributed to CVE-2026-50751. As of June 8, 2026, this vulnerability has been added to the CISA KEV. Separately, during its investigation Check Point identified a related vulnerability, CVE-2026-50752 (CVSS 7.4), in the same IKEv1 code path that could enable a man-in-the-middle attack against site-to-site VPN tunnels under certain configurations. No exploitation of CVE-2026-50752 has been observed. Check Point VPN products have been targeted by zero-day vulnerabilities in the past. In May 2024, CVE-2024-24919, a high-severity information disclosure vulnerability in Check Point Quantum Security Gateways, was exploited in the wild and subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog. 
Organizations running affected Check Point products are urged to apply the available hot fixes and follow the vendor guidance to remediate these issues. Mitigation guidance Check Point has released hotfixes to remediate CVE-2026-50751. Affected organizations should apply the available updates on an emergency basis, without waiting for a regular patch cycle to occur. The following products and versions are affected (Remote Access VPN, Mobile Access / SSL VPN, Spark Firewall): R80.20.X (End of Support) R80.40 (End of Support) R81 (End of Support) R81.10 (End of Support) R81.10.X R81.20 R82 R82.00.X R82.10 Notably, four of the nine affected version branches (R80.20.X, R80.40, R81, R81.10) have reached End of Support. Organizations still running these versions should prioritize migration to a supported release. For organizations unable to immediately apply the hotfix, Check Point has provided the following alternative mitigations: Remove support for the legacy remote access client Configure global properties for Remote Access VPN authentication to IKEv2 only Set machine certificate authentication as mandatory Enable IPS and download the latest signatures Rapid7 strongly recommends looking for signs of compromise even after the hotfix has been applied. Per Check Point's advisory, incident response teams should prioritize forensic log audits and configuration reviews starting from May 7, 2026, the earliest known date of exploitation. For the latest mitigation guidance, please refer to the vendor advisory. Rapid7 customers Exposure Command, InsightVM, and Nexpose Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-50751 with a vulnerability check available in the June 9 content release. Intelligence Hub IntelHub customers can look into the platform to search for more details and correlate the indicators of compromise, like known malicious IPs and known post exploitation ELF payloads, with the data from their own environment. 
Managed Detection Response (MDR) The following detection rules are available for InsightIDR and Managed Detection Response (MDR) customers: Suspicious Network Connection - Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751) Suspicious Process - Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751) Indicators of compromise Check Point has published the following indicators associated with the CVE-2026-50751 exploitation campaign. The attacker infrastructure consists of VPS hosts from several providers (Kaupo Cloud HK, Shock Hosting, Vultr Holdings), and Check Point notes that in some cases, the VPS region matched the geography of the targeted organization. IP addresses: 45.77.149[.]152 209.182.225[.]136 38.60.157[.]139 162.33.177[.]101 45.76.26[.]42 144.208.127[.]155 38.54.88[.]201 38.54.107[.]167 66.42.99[.]200 File hashes (MD5): 52fda5c1b9704544f32ee98d9060e689 51d39aa39478beeac94f2d12f682ecce Check Point observed post-exploitation attempts to retrieve ELF payloads from attacker-controlled servers, and identified ties to the Qilin ransomware operation based on binary analysis. For the full and most current list of IOCs, please refer to the vendor advisory. Updates June 8, 2026: Initial publication. June 8, 2026: Rapid 7 observations of EITW. June 9, 2026: CVE added to CISA KEV. June 10, 2026: Updated to reflect availability of a vulnerability check and information for Intelligence Hub customers. June 11, 2026: Additional exploitation information determined by Rapid7.","title":"Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751)","url":"https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. 
Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":182,"published_date":"2026-06-08T14:47:59+00:00","severity":"critical","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 8th June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES DentaQuest, a U.S. dental benefits administrator owned by Sun Life, has suffered a data breach after threat group ShinyHunters leaked exfiltrated data. Analysts assessed that 2.6 million accounts were exposed, including names, emails, [\u2026] The post 8th June \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"8th June \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/8th-june-threat-intelligence-report"},{"category":"Nation State/APT","confidence":"HIGH","confidence_reason":"Best-in-class APT campaign tracking and malware reverse engineering. Industry-leading primary research.","created_at":"2026-07-02 03:55:53","id":315,"published_date":"2026-06-08T08:00:36+00:00","severity":"medium","source_name":"Kaspersky Securelist","summary":"Hacktivist outfits, namely 4BID, Hakerskii Kit, and C.A.S., are now targeting organizations across Kazakhstan, the UAE, Egypt, and Syria.","title":"From cause to cash: a cross-border look at hacktivist activity","url":"https://securelist.com/tr/hacktivists-broaden-attack-geography/120115"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":236,"published_date":"2026-06-08T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"In May 2026, Insikt Group\u00ae identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. 
This represents an 11% increase from last month.","title":"May 2026 CVE Landscape","url":"https://www.recordedfuture.com/blog/may-2026-cve-landscape"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":513,"published_date":"2026-06-07T06:16:36+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's \"pay or leak\" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity.","title":"Baker Distributing - 102,935 breached accounts","url":"https://haveibeenpwned.com/Breach/BakerDistributing"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Emergent threat response team. Primary exploit analysis on actively exploited vulns, peer-quality with ZDI.","created_at":"2026-07-02 03:55:51","id":276,"published_date":"2026-06-05T17:01:48+00:00","severity":"high","source_name":"Rapid7","summary":"When Open Source is a bit too Open Several fun modules landed this week, including an Apache RCE, Windows Kernel pointer collection, and Gogs RCE via naming. Leading off is Gogs' RCE that allows an attacker to execute commands by naming their branch --exec <command> and requesting a rebase. Another useful post module by CharlesQuinnDev enumerates the Kernel pointers leaked via the popular NtQuerySystemInformation technique. 
Those exposed pointers, combined with a good write primitive, make local privilege escalation easier to accomplish. Several local privilege escalations already use that technique, so exposing just that technique was a great call! New module content (3) Apache ActiveMQ RCE via Jolokia addNetworkConnector Authors: dinosn and h00dieType: ExploitPull request: #21497 contributed by h00diePath: multi/http/apache_activemq_jolokia_rceAttackerKB reference: CVE-2026-34197 Adds a new exploit module exploit/multi/http/apache_activemq_jolokia_rce targeting CVE-2026-34197 in Apache ActiveMQ. The module abuses the Jolokia JMX-over-HTTP API exposed at /api/jolokia/ by calling the addNetworkConnector() MBean operation with a crafted brokerConfig=xbean:http://... URI. ActiveMQ fetches the attacker-controlled URL and instantiates it as a Spring XML application context, achieving remote code execution via a java.lang.ProcessBuilder bean. Authentication is required to exploit this vulnerability. Gogs Git Rebase Argument Injection RCE Author: Crypto-CatType: ExploitPull request: #21515 contributed by jburgess-r7Path: multi/http/gogs_rebase_rce This adds an exploit module for the Gogs rebase Remote Code Execution (RCE) vulnerability. The module leverages an argument injection flaw residing in the pull request merge workflow of Gogs versions <= 0.14.2 and <= 0.15.0+dev. Windows Kernel Pointer Exposure Enumerator Author: CharlesQuinnDevType: PostPull request: #21039 contributed by CharlesQuinnDevPath: windows/gather/windows_kernel_pointer_enum Adds a new post module for Windows that enumerates kernel object pointers exposed through NtQuerySystemInformation on x64 systems. The module collects observable handle metadata and provides analysis of pointer distribution, object types, and ALPC usage, then saves the results to a CSV loot file for review. Also introduces a reusable Windows kernel handle-enumeration library. 
Enhancements and features (7) #20881 from h00die - This adds support for cracking Kerberos type hashes in Metasploit, specifically timeroasting, krb5tgs* and krb5asrep. #21087 from jbx81-1337 - The new payloads_manager plugin lets you maintain a local archive of custom payloads and stage them into the data directory. Use the fetch or add subcommands to download or import a payload, then select to symlink it into place so it's available to other modules. The plugin tracks each payload's name, hash, tags, and description in a database. #21412 from zeroSteiner - Updates Metasploit's post modules to now run by default against the last opened alive session, unless explicitly specified. #21429 from zeroSteiner - Removes the now redundant Linux-specific method for finding the arch so there's a single source of truth that works in a superset of platform / session-type combinations. #21488 from sjanusz-r7 - Updates HTTP login scanners to report the detected service hierarchy. #21504 from h00die - Adds missing CVE references to seven existing modules: gladinet_storage_access_ticket_forge (CVE-2025-14611), cassandra_web_file_read (CVE-2020-36939), pretalx_file_read_cve_2023_28459 (CVE-2023-28459 and CVE-2023-28458), centreon_pollers_auth_rce (CVE-2019-19699), wp_responsive_thumbnail_slider_upload (CVE-2015-10144), xerte_unauthenticated_template_import_rce (CVE-2026-32985), and solarwinds_storage_manager_sql (CVE-2012-2576). #21526 from zeroSteiner - Makes stability and logging improvements to the ipmi_cipher_zero, ipmi_dumphashes, and ipmi_version modules. Bugs fixed (7) #21432 from 4ravind-b - Fixes a bug in modules that invoke other modules that prevented datastore options from being validated. #21448 from kx7m2qd - Fixes an issue where CIDR range filters in the addresses parameter of the db.hosts RPC endpoint were not processed correctly. 
#21484 from zeroSteiner - Fixes python ssl command shell payloads that failed with AttributeError: module 'ssl' has no attribute 'wrap_socket'. #21489 from h00die - Improves the GitLab version scanner by handling additional exceptions in the scanner for non-GitLab targets and adding additional version fingerprints for real GitLab targets. #21502 from h00die - Fixes a crash in the scanner/snmp/snmp_enum module when the system date was read as Null. #21506 from h00die - Adds a guard clause when running uname -r in WSL startup_folder persistence. #21514 from orbit-bot - Fixes a couple of references to outdated msfvenom options. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com. Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: Pull Requests 6.4.135...6.4.136 Full diff 6.4.135...6.4.136 If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.","title":"Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum","url":"https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-05-06-2026"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":392,"published_date":"2026-06-05T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Defense contractors can achieve CMMC compliance without the expense or delays of FedRAMP-authorized cloud services. 
Discover how Huntress uses Sensitive Data Mode for logical separation and cost-effective security.","title":"Why Huntress Doesn\u2019t Need FedRAMP","url":"https://www.huntress.com/blog/fedramp-alternative-for-defense-contractors"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":456,"published_date":"2026-06-05T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"A three-part vulnerability chain in UniFi OS Server lets an unauthenticated attacker bypass the auth gateway, hit a command injection sink, and escalate to root in a single request. Bishop Fox confirmed the chain end to end and breaks down the attack, the impact, and how to detect it safely.","title":"Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis","url":"https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":514,"published_date":"2026-06-05T06:53:15+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters \"pay or leak\" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. 
Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets.","title":"BCD Travel - 396,313 breached accounts","url":"https://haveibeenpwned.com/Breach/BCDTravel"},{"category":"Supply Chain","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":137,"published_date":"2026-06-04T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Attackers are compromising open-source packages to spread malware. Cyber defenders are asked to review dependencies to reduce risks","title":"Software supply chain attacks: check your dependencies","url":"https://www.ncsc.gov.uk/blogs/software-supply-chain-attacks-check-your-dependencies"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":237,"published_date":"2026-06-04T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Threat assessment for the 2026 FIFA World Cup (US, Mexico, Canada) covering organized crime, AI-powered cyber fraud, state espionage, and political influence operations.","title":"Threats to the 2026 FIFA World Cup","url":"https://www.recordedfuture.com/research/2026-fifa-world-cup-threats"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. 
Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":515,"published_date":"2026-06-03T22:56:30+00:00","severity":"critical","source_name":"Have I Been Pwned","summary":"In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters \"pay or leak\" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged \"a cybersecurity incident involving unauthorized access to a limited portion of our network\", and advised they had contained the attack and mitigated the threat.","title":"DentaQuest - 2,553,599 breached accounts","url":"https://haveibeenpwned.com/Breach/DentaQuest"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":123,"published_date":"2026-06-03T17:58:03+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow unauthenticated access to protected resources. An attacker could exploit these weaknesses to steal configuration information, induce a Denial of Service (DoS), or modify content blocking rules for student users. 
Description The Securly Chrome Extension is a browser add-on commonly used in K\u201312 school-managed Chromebooks to enforce internet safety policies, filter or block websites, and provide activity monitoring for students. It is an element of the Securly classroom management platform, which helps schools comply with web filtering requirements and safely manage student online access. CVE-2026-8874 Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data over HTTPS, demonstrating an inconsistent implementation of TLS. CVE-2026-8876 The Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data. CVE-2026-8878 The Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data. CVE-2026-8879 The Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden. CVE-2026-8881 The Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. 
MD5 has been broken since 2004 and a single iteration provides no key stretching. This weak derivation method significantly reduces the effective security of the encryption, making the protected data vulnerable to efficient offline cracking. CVE-2026-8888 The Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing. CVE-2026-8889 The Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes). Impact These vulnerabilities collectively enable multiple attack paths and threaten the security and privacy of student users, for which the extension may be academically mandatory. The HTTP configuration downloads (CVE\u20112026\u20118874, CVE\u20112026\u20118888) and weak cryptographic primitives (CVE\u20112026\u20118876, CVE\u20112026\u20118881, CVE\u20112026\u20118889) allow a network\u2011adjacent attacker to intercept, modify, or decrypt data related to keyword filtering. The presence of unauthenticated, publicly accessible endpoints with trivially reversible obfuscation (CVE\u20112026\u20118878) further exposes internal keyword lists, blocklists, and rule definitions. These weaknesses enable the reconstruction and manipulation of the extension\u2019s filtering logic. For student users, this could result in exposure to content that the filtering system is intended to block, or the inappropriate blocking of legitimate educational resources. Additionally, the undeclared, dynamically\u2011registered content script (CVE\u20112026\u20118879) can be abused to fully obscure web pages, leading to DoS conditions for end users. Solution Unfortunately, Securly could not be reached for coordination of these vulnerabilities. 
Until a patch is available, administrators can lower their potential exposure by restricting usage of the extension on untrusted or public networks, installing school-managed VPNs on the underlying devices, and monitoring for unexpected or abnormal filtering behavior. Acknowledgements Thanks to the reporter Santh for discovering and researching these vulnerabilities. This document was written by Molly Jaconski.","title":"VU#595768: Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities","url":"https://kb.cert.org/vuls/id/595768"},{"category":"Phishing & Social Engineering","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":183,"published_date":"2026-06-03T13:21:44+00:00","severity":"medium","source_name":"Check Point Research","summary":"Research by: Alexey Bukhteyev Key Takeaways Introduction When we search Google for a popular piece of software, we usually click the first result, sometimes without even looking at the rest, because official project sites tend to rank highest and appear near the top of the results. After landing on a site with a professional design and [\u2026] The post Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem appeared first on Check Point Research.","title":"Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem","url":"https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":457,"published_date":"2026-06-03T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"MCP servers introduce a new attack surface, but the security fundamentals are familiar. In this final otto-support post, we use nmap, a Nuclei template, and MCP Inspector to discover, enumerate, and exploit an authorization gap without ever touching an LLM.","title":"Otto Support - Testing MCP Servers","url":"https://bishopfox.com/blog/otto-support-testing-mcp-servers"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":205,"published_date":"2026-06-03T08:50:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"Your child\u2019s first data breach may happen before they\u2019ve even opened a bank account. Here\u2019s how to keep their digital life safe.","title":"Lessons for life: Why children\u2019s data is a long-term identity risk","url":"https://www.welivesecurity.com/en/kids-online/lessons-life-childrens-data-long-term-identity-risk"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":164,"published_date":"2026-06-02T17:30:33+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. 
The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) appeared first on Unit 42.","title":"The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)","url":"https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":124,"published_date":"2026-06-02T14:27:25+00:00","severity":"medium","source_name":"CERT Vulnerability Notes","summary":"Overview VoLTE deployments on Verizon\u2019s IMS network have operated without negotiated SIP integrity protection. In observed test conditions, SIP signaling\u2014including registration, call setup, and messaging\u2014traveled without IPsec ESP encapsulation and without SIP Security Agreement headers, exposing it to interception and modification by on-path attackers. Recent carrier configuration updates, including Apple\u2019s iOS 26.5 carrier bundle released on May 11, 2026, include IMS IPsec\u2013related settings. However, such configuration entries do not confirm active deployment, successful negotiation, or functional protection in production. Description CVE-2026-10629 Verizon IMS deployments were observed transmitting SIP signaling without integrity protection. REGISTER exchanges lacked Security-Client, Security-Server, and Security-Verify headers, and no ESP-encapsulated SIP traffic was detected during subsequent signaling such as INVITE, MESSAGE, BYE, and UPDATE. This pattern persisted across devices, operating systems, and network conditions, indicating a deliberate network configuration rather than a transient issue. Per 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF must be protected using IPsec ESP following IMS AKA authentication, with negotiation occurring during registration. 
The absence of this protection allows attackers to manipulate SIP signaling undetected, enabling call hijacking, spoofing, denial-of-service, and misrouting of emergency calls. Verizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mitigation. As remediation remains unconfirmed, this disclosure proceeds to inform users of an ongoing security exposure. Independent verification would require observation of successful SIP security negotiation, ESP-protected traffic, or official confirmation from Verizon. Impact Without integrity protection, on-path attackers can intercept, replay, or alter SIP messages with no risk of detection. This undermines core VoLTE security assumptions and enables signaling spoofing, call disruption, and manipulation of emergency routing. Although recent configuration changes suggest potential progress, their operational status remains unverified. Until protections are confirmed, the risk persists. Solution Remediation requires coordinated network and device-side changes. Verizon must enable and enforce SIP security negotiation and ESP protection in its IMS core infrastructure, and devices must receive and apply correct carrier configuration to support IPsec. Verification should confirm successful SIP security negotiation and ESP-protected signaling, either through observed headers, traffic capture, or operator confirmation. Until then, organizations relying on high-assurance VoLTE should treat signaling as untrusted. Acknowledgements The authors thank DongWon Lee, Jeongmin Choi, and CheolJun Park from Kyung Hee University for their technical analysis, coordination efforts, and identification of the iOS 26.5 configuration updates. 
Their work has advanced understanding of this issue and ensured disclosures remain grounded in observable evidence. This report was prepared by Timur Snoke, with AI-assisted drafting to support clarity and accuracy.","title":"VU#615987: Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments","url":"https://kb.cert.org/vuls/id/615987"},{"category":"Identity & Access","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":125,"published_date":"2026-06-02T14:06:35+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor\u2019s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299. Description Appsmith is an open source, low code platform intended to allow developers to build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can be deployed either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered, allowing for XSS within the SQL query editor\u2019s autocomplete function. The vulnerability description is below. 
CVE-2026-7299 Appsmith\u2019s SQL query editor\u2019s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. This vulnerability requires an account with developer access. A developer Appsmith account is an account designed to create, edit, and delete apps within a workspace they are assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious table name executes the stored payload, which can allow for privesc. Impact Successful exploitation of CVE-2026-7299 leads to arbitrary code execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Solution Version 2.1 of Appsmith fixes this vulnerability. Users should update their installations as soon as possible. Acknowledgements Thanks to the reporter, Stuart Beck. This document was written by Christopher Cullen. vrf26-04-DQBSN_exploit.py","title":"VU#265691: Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability","url":"https://kb.cert.org/vuls/id/265691"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":393,"published_date":"2026-06-02T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"The same NTLM leakage primitive that got patched in the Snipping Tool exists in Windows Explorer's search: handler. No CVE. No fix. 
If your patching relies on CVE coverage, you have a blind spot.","title":"Unpatched NTLM Leakage in Windows search: URI Handler, Same Bug, No CVE, No Fix","url":"https://www.huntress.com/blog/unpatched-ntlm-leak-windows-search-uri-handler"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":126,"published_date":"2026-06-02T13:54:00+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that writes attacker-controlled files to arbitrary locations on the server once extracted, resulting in code execution. Description Collibra Platform (CP) and Collibra Platform Self-Hosted (CPSH) are an enterprise-grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on a different port than the web interface and has the following vulnerabilities. CVE-2026-10622 Privileged REST endpoints exposed under /rest/* do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths. Additionally, the web service hosting the vulnerable REST endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks. 
CVE-2026-10621 A Zip Slip vulnerability during extraction is exposed through POST /rest/restore and enables path traversal. When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction. A remote attacker can supply a crafted ZIP archive containing directory traversal sequences, such as ../, to write files outside of the intended extraction directory. This may allow attackers to write custom files to arbitrary locations on the underlying host. In an observed exploitation path, this arbitrary file write can be used to place a malicious JSP file into a web-accessible directory, enabling remote code execution when the file is subsequently requested over HTTP. Impact A remote, unauthenticated attacker can chain these vulnerabilities to achieve remote code execution on the affected system. An attacker who successfully exploits these issues may be able to: - install a persistent web shell - read, modify, or delete application data - disrupt system availability - potentially pivot further into the surrounding environment Because exploitation does not require authentication, deployments reachable across the public internet may be at significant risk. Solution Collibra has released the following versions to address these vulnerabilities. Collibra Platform (SaaS): 2026.05, 2026.04.5, 2026.03.4, 2026.02.6, 2025.11.7, 2025.10.9. Collibra Platform Self Hosted (on-prem): 2026.03 (Build 2026.03.356), 2025.10 (Build 2025.10.399). Users are strongly encouraged to update to the fixed release as soon as possible. Refer to Collibra documentation and release notes for patching and deployment guidance. Administrators should ensure that interfaces exposing REST endpoints are not exposed to untrusted networks and should restrict access to management interfaces wherever possible. Acknowledgements Thanks to the reporter who wishes to remain anonymous. This document was written by Michael Bragg. 
VU#873170.2 Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file paths during ZIP extraction, which can allow an attacker to write files outside the intended extraction directory. VU#873170.1 Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed /rest/* endpoints.","title":"VU#873170: Collibra Agent contains improper authentication and path traversal vulnerabilities","url":"https://kb.cert.org/vuls/id/873170"},{"category":"Malware/Infostealer","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":165,"published_date":"2026-06-02T10:00:31+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework. The post Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor appeared first on Unit 42.","title":"Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor","url":"https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. 
Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":238,"published_date":"2026-06-02T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Iran's MOIS expands its Handala brand to hybrid cyber and physical threat operations, recruiting proxies to conduct attacks, espionage, and sabotage against US and Israeli interests","title":"Iran Expands Handala Brand to Physical Threats","url":"https://www.recordedfuture.com/research/iran-handala-physical-threats"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":280,"published_date":"2026-06-02T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"Find out how Elastic Security ingests Google Threat Intelligence for continuous detection and uses AI-driven workflows to enrich alerts in real time, from API key to live detections in minutes.","title":"From API key to live threat detections in minutes: how Elastic Security ingests Google Threat Intelligence","url":"https://www.elastic.co/security-labs/elastic-security-google-threat-intelligence"},{"category":"Identity & Access","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":295,"published_date":"2026-06-02T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"GitHub Actions workflows are vulnerable to pwn requests, script injection, and compromised credentials. 
Here's what's going wrong and what's changing.","title":"The case for GitHub Actions security after recent supply chain attacks","url":"https://securitylabs.datadoghq.com/articles/case-for-github-actions-security"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":331,"published_date":"2026-06-02T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SINEC OS before V4.0 contains multiple vulnerabilities. Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version.","title":"SSA-253495 V1.0: Multiple Vulnerabilities in SINEC OS before V4.0","url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":5,"published_date":"2026-06-01T17:32:50+00:00","severity":"medium","source_name":"Krebs on Security","summary":"The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta's \"AI support assistant\" bot into resetting account passwords.","title":"Hackers Used Meta\u2019s AI Support Bot to Seize Instagram Accounts","url":"https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts"},{"category":"Identity & Access","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. 
Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":127,"published_date":"2026-06-01T16:21:07+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\\\.\\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, a local attacker with the ability to load a Windows driver can exploit the exposed interface to perform sensitive low-level operations on the target device. Description PCTCore64.sys is a Windows kernel driver that implements system monitoring and protection functionality on local Windows systems. The driver creates a Windows Driver Model (WDM) device object \\\\.\\PCTCoreDriver via IoCreateDevice and provides user-mode access through a DOS device symbolic link via IoCreateSymbolicLink. The driver exposes privileged functionality intended for administrative or security operations; however, the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. As a result, an attacker may invoke IOCTL handlers capable of performing sensitive low-level operations, including: system-wide handle enumeration; cross-process handle manipulation; credential extraction from lsass.exe; and forced termination of arbitrary processes, including Protected Process Light (PPL)-protected processes. Although the original PC Tools Internet Security product line was discontinued in 2013 and is no longer maintained, the driver remains signed and can still be abused in BYOVD attacks. 
An attacker may load the vulnerable driver on a target system and leverage the exposed IOCTL interface to access privileged kernel functionality. One vulnerable IOCTL permits the acquisition of a PROCESS_ALL_ACCESS handle to sensitive processes such as lsass.exe, enabling credential theft operations including extraction of NTLM hashes and Kerberos authentication material. Additional IOCTL handlers permit the termination of arbitrary processes regardless of PPL protections, enabling attackers to disable security software such as Microsoft Defender and other critical system services. Other exposed interfaces enable arbitrary handle operations against external processes, potentially resulting in process instability, crashes, or undefined behavior. Collectively, these vulnerabilities can be exploited to provide a practical attack path for credential theft, defense evasion, privilege escalation, and broader system compromise. CVE-2026-8501 Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system. Impact A local attacker with the ability to load a Windows kernel driver may exploit the vulnerable PCTCore64.sys driver to access sensitive processes such as lsass.exe and other PPL-protected services. Successful exploitation can enable credential theft, arbitrary process termination, denial-of-service (DoS) conditions, and broader system compromise through privileged kernel-level operations. Solution The PC Tools Internet Security product line and its PCTCore64.sys driver are no longer actively maintained and should not be used in production environments. 
Organizations should remove and block the vulnerable driver where possible and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft recommended driver block rules, and enabling protections such as Hypervisor-Protected Code Integrity (HVCI), Windows Defender Application Control (WDAC), and Credential Guard. Acknowledgements Thanks to Tzachi Hazan for researching and reporting this vulnerability. This document was written by Molly Jaconski.","title":"VU#158530: PCTCore64.sys Windows kernel driver contains missing access control vulnerability","url":"https://kb.cert.org/vuls/id/158530"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":184,"published_date":"2026-06-01T14:43:11+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 1st June, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Carnival Corporation, a global cruise line operator, has confirmed a data breach affecting nearly 6 million people after attackers used social engineering to compromise an employee account. Exposed information may include names, contact [\u2026] The post 1st June \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"1st June \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/1st-june-threat-intelligence-report"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. 
Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":516,"published_date":"2026-06-01T07:39:02+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone numbers and vehicle-related records.","title":"Edmunds - 177,860 breached accounts","url":"https://haveibeenpwned.com/Breach/Edmunds"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":517,"published_date":"2026-05-30T23:35:29+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes.","title":"Atlas Menu - 63,926 breached accounts","url":"https://haveibeenpwned.com/Breach/AtlasMenu"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":458,"published_date":"2026-05-29T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"A CVSS 10.0 path traversal in UniFi Network Application lets unauthenticated attackers read controller backups, extract credentials, and take over every managed device on the network. Bishop Fox breaks down the attack paths, the preconditions, and a safe detection tool to check your exposure.","title":"Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557","url":"https://bishopfox.com/blog/looting-unifi-controllers-detecting-and-weaponizing-cve-2026-22557"},{"category":"OT/ICS","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":206,"published_date":"2026-05-29T07:30:00+00:00","severity":"high","source_name":"ESET WeLiveSecurity","summary":"In this roundup, Tony looks at attacks against Polish water treatment facilities, how AI-directed attacks failed in Mexico, and what Google believes is the first AI-generated zero-day exploit","title":"This month in security with Tony Anscombe \u2013 May 2026 edition","url":"https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-may-2026"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":332,"published_date":"2026-05-29T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"KACO blueplanet Inverters contain multiple vulnerabilities that could allow an attacker to derive the credentials from the device's serial number and misuse them to gain unauthorized access. 
KACO new energy GmbH has released new versions for several affected products and recommends updating to the latest versions. KACO new energy GmbH is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.","title":"SSA-545643 V1.1 (Last Update: 2026-05-29): Multiple Vulnerabilities in KACO Blueplanet Inverters","url":"https://cert-portal.siemens.com/productcert/html/ssa-545643.html"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":518,"published_date":"2026-05-28T20:00:34+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a \"pay or leak\" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. 
Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.","title":"Charter - 4,851,517 breached accounts","url":"https://haveibeenpwned.com/Breach/Charter"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research with strong malware analysis track record.","created_at":"2026-07-02 03:55:49","id":174,"published_date":"2026-05-28T18:00:27+00:00","severity":"medium","source_name":"Cisco Talos","summary":"In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.","title":"Less panic patching, more precision","url":"https://blog.talosintelligence.com/less-panic-patching-more-precision"},{"category":"Identity & Access","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":128,"published_date":"2026-05-28T16:13:02+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor\u2019s Security Assertion Markup Language (SAML) processing, account binding, and token exchange mechanisms. An attacker able to interact with Casdoor\u2019s authentication interface may impersonate users, bypass multifactor authentication (MFA), forge and replay assertions, and achieve persistent unauthorized access. Description Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services. 
It is designed to centralize and streamline access control, allowing organizations to manage user identities and permissions across multiple applications and environments. CVE-2026-9090 Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key. CVE-2026-9091 A logic flaw in Casdoor's social\u2011login binding flow allows users to bypass configured MFA requirements. The binding\u2011rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement. CVE-2026-9092 Casdoor contains a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email address without checking the email_verified claim returned from upstream providers, and the idp.UserInfo struct does not include an EmailVerified field. Therefore, an attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address. CVE-2026-9093 Casdoor's SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. Casdoor never sets the AudienceURI field to specify which service provider the assertion is intended for, and does not check for audience mismatch warnings alerted by WarningInfo.NotInAudience. As a result, Casdoor may improperly accept assertions that were issued for a different service provider. CVE-2026-9094 Casdoor contains a vulnerability that enables cross-organization token exchange. 
The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries. CVE-2026-9095 Casdoor maps SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion\u2019s subject, including administrator accounts, without needing the user\u2019s password or MFA credentials. CVE-2026-9096 Casdoor does not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued. CVE-2026-9097 Casdoor does not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens. CVE-2026-9098 The SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. 
Additionally, if an administrator disables or deletes an identity provider (IdP) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access. Impact Exploitation of these vulnerabilities can allow attackers to impersonate users, bypass authentication controls, and escalate privileges across Casdoor deployments. CVE\u20112026\u20119090, CVE\u20112026\u20119093, CVE\u20112026\u20119095, CVE\u20112026\u20119096, CVE\u20112026\u20119098: Multiple flaws in SAML processing allow assertion forgery or replay, misuse of assertions across sessions, and the processing of expired or unsolicited SAML responses. Because certificate trust is not enforced, time bounds and audience restrictions are ignored, and responses are not correlated to prior AuthnRequests, attackers can submit malicious or previously-captured assertions to obtain authenticated sessions for arbitrary users, including administrators. CVE\u20112026\u20119091, CVE\u20112026\u20119092: Weaknesses in MFA protection and binding logic further contribute to the risk of account compromise, enabling attackers to bypass MFA and potentially take over other accounts via unverified email claims. An attacker can exploit these flaws to gain persistent unauthorized access by bypassing configured authentication requirements or security controls. CVE\u20112026\u20119094, CVE\u20112026\u20119097: The discovered token-exchange flaws enable cross\u2011organization privilege escalation and prevent administrators from reliably revoking tokens. 
Because user\u2011organization membership is not validated and token revocation status is not checked, compromised or malicious tokens may be exchanged for elevated privileges in other organizations, and administrators cannot reliably terminate active sessions. Solution Unfortunately, we were unable to reach the Casdoor team to coordinate this vulnerability, and a patch is not yet available. Users are advised to implement stricter identity governance controls and utilize external validation tools to better enforce application boundaries. Restrict identity provider (IdP) usage only to trusted providers, reinforce high-privilege accounts with additional authentication paths such as downstream MFA, and monitor logs for any unusual SAML or token activity to reduce the exploitability of these issues. Acknowledgements We extend our thanks to Zixu (Jason) Zhou (University of Toronto, PhD student), David Lie (University of Toronto, Professor), Ilya Grishchenko (University of Toronto, Postdoc), and Xiangyu Guo (University of Toronto, PhD student) for researching and reporting these vulnerabilities. This document was written by Molly Jaconski.","title":"VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities","url":"https://kb.cert.org/vuls/id/780781"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research team with consistent primary analysis.","created_at":"2026-07-02 03:55:48","id":166,"published_date":"2026-05-28T10:00:53+00:00","severity":"medium","source_name":"Unit42 Palo Alto","summary":"The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here. 
The post 2026 World Cup: Discussing The World\u2019s Biggest Game\u2019s Attack Surface appeared first on Unit 42.","title":"2026 World Cup: Discussing The World\u2019s Biggest Game\u2019s Attack Surface","url":"https://unit42.paloaltonetworks.com/fifa-world-cup-attack-surface"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":207,"published_date":"2026-05-28T08:45:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026","title":"ESET APT Activity Report Q4 2025\u2013Q1 2026","url":"https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2025-q1-2026"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":519,"published_date":"2026-05-28T07:22:18+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a \"pay or leak\" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. 
Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement.","title":"Kemper - 269,299 breached accounts","url":"https://haveibeenpwned.com/Breach/Kemper"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":296,"published_date":"2026-05-28T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session.","title":"From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents","url":"https://securitylabs.datadoghq.com/articles/cve-2026-31431-copy-fail-exploit-detection-with-agents"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Top-tier threat intelligence research with strong malware analysis track record.","created_at":"2026-07-02 03:55:49","id":175,"published_date":"2026-05-27T14:00:14+00:00","severity":"medium","source_name":"Cisco Talos","summary":"Talos researchers find 4 heap-based buffer overflow vulnerabilities in MediaArea's MediaInfoLib.","title":"MediaArea heap-based buffer overflow vulnerabilities","url":"https://blog.talosintelligence.com/mediaarea-heap-based-buffer-overflow-vulnerabilities"},{"category":"Industry/Policy","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":138,"published_date":"2026-05-27T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"New 
guidance explains how to design Zero Trust Network Access architectures aligned with zero trust principles and not built on old trust assumptions.","title":"Designing secure access with ZTNA","url":"https://www.ncsc.gov.uk/blogs/designing-secure-access-with-ztna"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":208,"published_date":"2026-05-27T08:50:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here\u2019s what\u2019s at stake and how to stay safe.","title":"What to consider before asking an AI chatbot for health advice","url":"https://www.welivesecurity.com/en/privacy/what-consider-asking-ai-chatbot-health-advice"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":520,"published_date":"2026-05-27T05:17:45+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters \"pay or leak\" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. 
The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date.","title":"Mytheresa - 84,108 breached accounts","url":"https://haveibeenpwned.com/Breach/Mytheresa"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Troy Hunt's curated breach disclosure feed. Low volume (~2-4/month), high trust, universally cited. Each entry names the breached org, account count, and exposed data types.","created_at":"2026-07-02 03:56:02","id":521,"published_date":"2026-05-26T22:03:42+00:00","severity":"medium","source_name":"Have I Been Pwned","summary":"In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a \"pay or leak\" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have \"implemented heightened monitoring of your account(s) to include enhanced identity verification procedures\".","title":"Ameriprise - 502,597 breached accounts","url":"https://haveibeenpwned.com/Breach/Ameriprise"},{"category":"OT/ICS","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":459,"published_date":"2026-05-26T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"Sparkplug B is the dominant protocol in ICS and SCADA environments, but no public security fuzzer existed for it until now. Bishop Fox used AI-assisted development to build one from scratch, covering all 9 message types, 19 data types, and 87+ field paths from the full specification.","title":"Sparkplug B Protocol Fuzzing with AI Assistance","url":"https://bishopfox.com/blog/sparkplug-b-protocol-fuzzing-with-ai-assistance"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":185,"published_date":"2026-05-26T10:09:59+00:00","severity":"medium","source_name":"Check Point Research","summary":"Executive Summary During the March\u2013April 2026 reporting period, AI use in offensive operations advanced from development and planning to real-time operational deployment. Multiple independent cases, involving individual criminal actors, mass exploitation platforms, ransomware groups, and state-sponsored espionage, show evidence of commercial AI models executing autonomous attack workflows across extended campaigns. Key findings: AI as Live [\u2026] The post AI Threat Landscape Digest March-April 2026 appeared first on Check Point Research.","title":"AI Threat Landscape Digest March-April 2026","url":"https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026"},{"category":"Identity & Access","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":394,"published_date":"2026-05-26T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"See how session hijacking reshaped cyber threats. Learn how stolen tokens enable rapid breaches, bypass security, and impact enterprise protection.","title":"From Cookies to Keys: The Threat of Session Hijacking","url":"https://www.huntress.com/blog/why-hackers-don't-need-passwords-anymore"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":281,"published_date":"2026-05-26T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"Tycoon 2FA bypasses MFA on Entra ID and Google Workspace. We map telemetry fingerprints across both platforms, ship detection rules for both tiers, and contain incidents in under 10 seconds with Elastic Workflows.","title":"Detecting Tycoon 2FA AiTM attacks across Entra ID and Google Workspace","url":"https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":186,"published_date":"2026-05-25T15:08:40+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 25th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES 7-Eleven, the global convenience store chain, confirmed a breach after an unauthorized access to systems used for franchisee documents. 
ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal [\u2026] The post 25th May \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"25th May \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/25th-may-threat-intelligence-report"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":6,"published_date":"2026-05-25T13:21:49+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia's intelligence agencies.","title":"Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks","url":"https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":7,"published_date":"2026-05-22T16:34:24+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Lawmakers in both houses of Congress are demanding answers from the U.S. 
Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.","title":"Lawmakers Demand Answers as CISA Tries to Contain Data Leak","url":"https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":187,"published_date":"2026-05-22T15:09:29+00:00","severity":"medium","source_name":"Check Point Research","summary":"Key Findings Introduction During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iran\u2019s strategic objectives through cyber operations. These activities included targeting internet-connected cameras, conducting destructive attacks against US and Israeli entities, and exfiltrating data from cloud environments to support broader kinetic and intelligence-gathering efforts. Nimbus Manticore (also tracked as UNC1549) is an IRGC-affiliated threat [\u2026] The post Fast and Furious \u2013 Nimbus Manticore Operations During the Iranian Conflict appeared first on Check Point Research.","title":"Fast and Furious \u2013 Nimbus Manticore Operations During the Iranian Conflict","url":"https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":460,"published_date":"2026-05-22T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.","title":"Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass","url":"https://bishopfox.com/blog/detecting-cve-2026-0265-at-scale-pan-os-cas-authentication-bypass"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":209,"published_date":"2026-05-22T08:50:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"Watch out for bogus World Cup websites that mimic official ticket and merchandise flows to steal money and personal data","title":"Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise","url":"https://www.welivesecurity.com/en/cybersecurity/foul-play-fake-fifa-world-cup-websites-tickets"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":461,"published_date":"2026-05-22T07:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. 
With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.","title":"CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi","url":"https://bishopfox.com/blog/cve-2026-27886-unauthenticated-boolean-oracle-exfiltration-of-administrator-secrets-in-strapi"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":8,"published_date":"2026-05-21T21:50:25+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.","title":"Alleged Kimwolf Botmaster \u2018Dort\u2019 Arrested, Charged in U.S. and Canada","url":"https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":395,"published_date":"2026-05-21T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.","title":"The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress","url":"https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":239,"published_date":"2026-05-21T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Boards are asking about AI-driven vulnerability discovery. The leaders who answer that question well will come out with more credibility and more resources. Here's how to be one of them.","title":"The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.","url":"https://www.recordedfuture.com/blog/vulnerability-board-conversation"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. 
Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":297,"published_date":"2026-05-21T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"A look at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services.","title":"Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740","url":"https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2021-25740"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Internet-wide scanning and exploitation intelligence. Early warning on mass exploitation campaigns.","created_at":"2026-07-02 03:56:01","id":478,"published_date":"2026-05-21T00:00:00+00:00","severity":"medium","source_name":"GreyNoise","summary":"A new SonicWall scanning surge mirrors the pattern that preceded CVE-2026-0400. GreyNoise details the activity and what defenders should watch.","title":"A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400","url":"https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-preceded-cve-2026-0400"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":129,"published_date":"2026-05-20T21:23:46+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview A privilege escalation vulnerability, nicknamed \"Dirty Frag,\" has been discovered in the Linux kernel versions 4.10 and later. This vulnerability is a result of chaining together two previously discovered vulnerabilities, xfrm-ESP Page-Cache Write CVE-2026-43284 and the RxRPC Page-Cache Write CVE-2026-43500. This vulnerability was publicly disclosed on May 07, 2026. 
Description Dirty Frag is a Linux kernel vulnerability affecting the IPv4/IPv6 fragmentation and reassembly subsystem. The issue stems from improper handling of overlapping or malformed fragment offsets during the reassembly process. An attacker capable of sending crafted network packets to a vulnerable host can exploit the flaw to trigger memory corruption conditions. The publicly documented proof of concept demonstrates that fragmentation logic can be manipulated such that the kernel processes inconsistent fragment states, enabling a controlled write out-of-bounds scenario. When successfully exploited, this can result in local or remote denial of service (kernel panic) and, depending on configuration and kernel build options, may create a primitive for more advanced memory manipulation. The vulnerability arises from insufficient validation of fragment metadata during reassembly, specifically around: Incorrect or incomplete enforcement of fragment boundary checks Acceptance of overlapping fragments in unsafe sequences Inadequate cleanup when transitions occur between valid and invalid fragment states The fragment queue logic in affected kernels does not fully verify that fragment offsets, sizes, and overlap conditions remain consistent throughout reassembly. This allows malformed sequences to be processed without proper rejection. Impact The primary security concern is potential privilege escalation, similar in nature to the previously disclosed VU#260001 (\"Copy Fail\") vulnerability. 
Depending on system configuration, kernel hardening features, and network exposure, successful exploitation may result in: Local or remote denial of service through kernel panic Memory corruption within the Linux networking stack Privilege escalation Container escape in certain containerized environments Additional exploit primitives when chained with other vulnerabilities Solution Update Linux distribution Update your distribution\u2019s kernel package as soon as vendor patches become available. Most major Linux distributions are expected to release fixes through their standard update channels. Workarounds (if patching is not immediately possible): 1) Disable at-risk modules (if loaded and loadable): Use the following command to remove the modules in which the vulnerabilities occur and clear the page cache. sh -c \"printf 'install esp4 /bin/false\\ninstall esp6 /bin/false\\ninstall rxrpc /bin/false\\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true\" Note: you can verify if a module is currently being used using lsmod and the Used field or reviewing refcnt data in /sys/module/<module_name>/refcnt for e.g., cat /sys/module/esp4/refcnt 2) If affected modules esp4, esp6, rxrpc are compiled into the kernel (not a dynamic module), the following parameter can be added to grub, systemd-boot, or grubby, depending on your boot configuration: initcall_blacklist=esp4,esp6,rxrpc This prevents the module from initializing at boot time. A system reboot is required for this change to take effect. Mitigation for Containers For containerized environments, where this vulnerability may be leveraged for container escape, consider applying one or more of the following mitigations: Secure computing (seccomp) filtering: Restrict or deny system calls that create sockets using the AF_ALG address family (protocol 38) and AF_RXRPC (protocol 33) . 
AppArmor policies: Use AppArmor to block creation of AF_ALG sockets and AF_RXRPC via the network alg rule. eBPF-based enforcement: Deploy BPF-based controls to deny socket creation with address family AF_ALG (38) and AF_RXRPC (33). Acknowledgements This vulnerability was disclosed by Hyunwoo Kim. This document was written by Bob Kemerer.","title":"VU#980487: Local privilege escalation in Linux Kernel (Dirty Frag)","url":"https://kb.cert.org/vuls/id/980487"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":396,"published_date":"2026-05-20T13:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"The ransomware name on the ransom note doesn't tell the full story. See how RaaS affiliates drive initial access, persistence, and exfiltration and what defenders should watch for.","title":"Inside the RaaS Ecosystem: Operators, Affiliates & Attack Tradecraft | Huntress","url":"https://www.huntress.com/blog/raas-ecosystem-ransomware-tradecraft"},{"category":"Nation State/APT","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":210,"published_date":"2026-05-20T08:40:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal","title":"Webworm: New burrowing techniques","url":"https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. 
Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":193,"published_date":"2026-05-19T13:43:37+00:00","severity":"medium","source_name":"SentinelOne","summary":"Prompt for Agentic AI Security empowers organizations with proactive governance, meaning security teams can deploy agents with confidence.","title":"Turn Blind Trust into Verified Control with Prompt Security for Agentic AI","url":"https://www.sentinelone.com/blog/prompt-security-for-agentic-ai"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":397,"published_date":"2026-05-19T07:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Exposed RDP is still one of the most reliable ways attackers get in and most teams don't know it's open. See real cases where it was caught before it became a catastrophe.","title":"Exposed RDP: The Misconfiguration Attackers Keep Exploiting","url":"https://www.huntress.com/blog/exposed-rdp-misconfiguration-risks"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":240,"published_date":"2026-05-19T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Frontier AI models like Mythos are making vulnerability discovery fast and cheap. Here's how defenders use threat intelligence and agentic processing to prioritize and act at the same speed.","title":"At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026","url":"https://www.recordedfuture.com/blog/ai-vulnerability-playbook"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. 
High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":9,"published_date":"2026-05-18T20:48:21+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.","title":"CISA Admin Leaked AWS GovCloud Keys on Github","url":"https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":188,"published_date":"2026-05-18T14:58:29+00:00","severity":"medium","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 18th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Vodafone, a major international telecom, has sustained a source code leak claimed by the Lapsus$ extortion group. The company confirmed limited access to GitHub files through compromised third-party development software, while stating that [\u2026] The post 18th May \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"18th May \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/18th-may-threat-intelligence-report"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":398,"published_date":"2026-05-18T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Threat actors are actively targeting your security tools. Learn how threat actors disable antivirus and EDR through vulnerable drivers, tampering attacks, and malicious firewall rules, and how Huntress detects.","title":"Threat Actor Defense Evasion: How Attackers Disable AV & EDR","url":"https://www.huntress.com/blog/how-attackers-disable-av-edr"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":194,"published_date":"2026-05-18T13:00:42+00:00","severity":"medium","source_name":"SentinelOne","summary":"SHub Reaper bypasses Apple's Terminal mitigation, steals credentials and documents, and plants a persistent backdoor for continued access after infection.","title":"SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain","url":"https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":130,"published_date":"2026-05-18T10:40:34+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have network access to the SGLang service. 
No patch is available at this time, and no response was obtained from the project maintainers during coordination. Description SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. Three vulnerabilities have been discovered within the tool and are tracked as follows: CVE-2026-7301 The multimodal generation runtime scheduler's ROUTER socket contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. This vulnerability is distinct from CVE-2026-3060 and CVE-2026-3059, which would be open to the Internet via the ZMQ broker, which automatically binded to all network interfaces without user awareness. CVE-2026-7301 is exposed to the internet by default through the scheduler host, which binds to 0.0.0.0 by default. CVE-2026-7302 The multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. CVE-2026-7304 The multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation. Impact If exploited, these vulnerabilities could allow an unauthenticated attacker to achieve remote code execution or arbitrary file writes on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation. Solution Until a patch is available, affected users should consider the following mitigations: Mitigation Restrict access to the service interfaces and ensure they are not exposed to untrusted networks. 
Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints. Acknowledgements Thanks to the reporter, Alon Shakevsky. This document was written by Christopher Cullen.","title":"VU#777338: SGLang contains two remote code execution and one path traversal vulnerability","url":"https://kb.cert.org/vuls/id/777338"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":298,"published_date":"2026-05-18T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Introducing Pathfinding Labs, a collection of intentionally vulnerable AWS environments for red teamers and blue teamers to deploy, exploit, and use for detection validation.","title":"Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments","url":"https://securitylabs.datadoghq.com/articles/introducing-pathfinding-labs"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":440,"published_date":"2026-05-16T10:38:50+00:00","severity":"high","source_name":"Zero Day Initiative","summary":"Following two days of intense competition, Day Three of Pwn2Own Berlin 2026 brought the curtain down on an incredible event. Security researchers delivered their final exploits, pushing enterprise systems to the limit one last time as the race for Master of Pwn came to a close. Day Three added to an already historic event, bringing the final totals to $1,298,250 awarded for 47 unique 0-day vulnerabilities across three days of competition. 
DEVCORE claimed the title of Master of Pwn with a commanding 50.5 points and $505,000 \u2014 a dominant performance across all three days. STARLabs SG finished in second with 25 points and $242,500, followed by Out Of Bounds in third with 12.75 points and $95,750. Congratulations to all the researchers who participated, and a special thank you to OffensiveCon for hosting. We'll see you at the next Pwn2Own. Here are the results of Day Three: SUCCESS/COLLISION - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) used two bugs to exploit Red Hat Linux, but one of the bugs was previously known. He still earns $7,000 and 1.5 Master of Pwn points. SUCCESS - Le Tran Hai Tung (@tacbliw), dungnm (@dungnm_) and hieuvd (@gr4ss341) of Viettel Cyber Security (@vcslab) used an integer overflow to escalate privileges on #Windows 11. Their 5th round win nets them $7,500 and 3 Master of Pwn points. SUCCESS - Satoki Tsuji (@satoki00) of Ikotas Labs, Inc. abused an external control to exploit OpenAI Codex and pop a host of calcs. He earns $20,000 and 4 Master of Pwn points. FAILURE - Unfortunately, Giuseppe Cal\u00ec of Summoning Team (@SummoningTeam) could not get their exploit of VMware ESXi working within the time allotted. COLLISON - Although successful on stage, Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller (@compasssecurity) of Compass Security targeted Anthropic Claude Code, hitting a one-vulnerability collision with a previous attempt and earning $20,000 and 2 Master of Pwn points. SUCCESS - Hyunwoo Kim (@v4bel) chained a use-after-free and uninitialized memory bug to escalate privileges on Red Hat Enterprise Linux for Workstations in the fourth round, earning $5,000 and 2 Master of Pwn points. SUCCESS - splitline (@splitline) of DEVCORE Research Team chained 2 bugs to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. 
SUCCESS - Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG (@starlabs_sg) used a Memory Corruption bug to exploit VMware ESXi with the Cross-tenant Code Execution add-on, earning $200,000 and 20 Master of Pwn points. COLLISON - While Byung Young Yi (@yibarrack) of Out Of Bounds successfully demonstrated their exploit of Anthropic Claude Code, the bug used had been previously disclosed. They still earn $20,000 and 2 Master of Pwn points.","title":"Pwn2Own Berlin 2026: Day Three Results and Master of Pw","url":"https://www.thezdi.com/blog/2026/5/16/pwn2own-berlin-2026-day-three-results-and-master-of-pwn"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":399,"published_date":"2026-05-15T19:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Learn about some of the most common cloud security challenges facing modern businesses today, plus why it matters for you and your employees.","title":"19 Cloud Security Challenges and How to Mitigate Risk | Huntress","url":"https://www.huntress.com/blog/cloud-security-challenges"},{"category":"Supply Chain","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. 
Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":195,"published_date":"2026-05-15T13:00:53+00:00","severity":"medium","source_name":"SentinelOne","summary":"Learn how adversaries weaponize CI/CD pipelines and how continuous behavioral monitoring helps protect against software supply chain attacks.","title":"Living Off the Pipeline: Defending Against CI/CD Subversion","url":"https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion"},{"category":"AI Security","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":139,"published_date":"2026-05-15T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"When it comes to using agentic AI, make sure you can walk before you run.","title":"Thinking carefully before adopting agentic AI","url":"https://www.ncsc.gov.uk/blogs/thinking-carefully-before-adopting-agentic-ai"},{"category":"Consumer Awareness","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":211,"published_date":"2026-05-15T08:50:00+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"Conflict is a boon for opportunistic fraudsters. 
Look out for their ploys.","title":"Why geopolitical turmoil is a gift for scammers, and how to stay safe","url":"https://www.welivesecurity.com/en/scams/geopolitical-turmoil-gift-scammers-how-stay-safe"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":441,"published_date":"2026-05-15T07:29:43+00:00","severity":"critical","source_name":"Zero Day Initiative","summary":"Day Two of Pwn2Own Berlin 2026 and the stakes continue to rise! Security researchers are back on the Pwn2Own stage, pushing enterprise systems to their limits as the competition heats up. More exploits, more surprises, and more standout moments are unfolding, so follow along here for live updates as the race for Master of Pwn intensifies. There were plenty of big targets on the schedule today, including SharePoint, Exchange, and Safari. Following an action-packed Day One where $523,000 was awarded for 24 unique 0-day vulnerabilities, Day Two added another $385,750 and 15 unique 0-days, bringing event totals to $908,750 with 39 unique vulnerabilities overall. DEVCORE holds a commanding lead for Master of Pwn with 40.5 points and $405,000, but with one day still to go, anything can happen. Here are the standings as of Day Two but we'll see what the final day of the contest brings. Stay tuned! We\u2019ll be posting real-time updates and results throughout the competition right here on our blog and across social media. Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Berlin and #P2OBerlin for continuous coverage. FAILURE - Unfortunately, Tao Yan & Edouard Bochin of Palo Alto Networks could not get their exploit of Apple Safari \u2013 Renderer Only working within the time allotted. 
FAILURE - Unfortunately, Stephen Fewer of Rapid7 could not get their exploit of Microsoft SharePoint working within the time allotted. SUCCESS - Ben Koo (@kiddo_pwn) of Team DDOS used a use-after-free bug to escalate privileges on Red Hat Enterprise Linux for Workstations in the second round, earning $10,000 and 1 Master of Pwn point. SUCCESS - Dialed in! Nikolaos Mourousias (@deltaclock), Caue Obici (@caueobici) & Bruno Halltari (@BrunoModificato) of OtterSec used a Code Injection bug to exploit LM Studio in the second round, earning $20,000 and 4 Master of Pwn points. Full win! COLLISON - Although successful on stage, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeting Claude Desktop in the Coding Agent category used a bug that was previously known. They still earn $10,000 and 2 Master of Pwn points. SUCCESS - Le Duc Anh Vu (@vulda17) of Viettel Cyber Security (@vcslab) exploited Cursor, earning $30,000 and 3 Master of Pwn points. Full win! WITHDRAWAL - Kiyong Kwak of Kakaogames and Song Nuri of Samsung Electronics has withdrawn their entry for Apple Safari \u2013 Renderer Only in the Web Browser category. FAILURE - Unfortunately, Ruitong of Abstract Team, University of Colorado Boulder could not get their exploit of Red Hat Enterprise Linux for Workstations working within the time allotted. SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) exploited OpenAI Codex in the second round, earning $20,000 and 4 Master of Pwn points. COLLISON - Although successful on stage, Billy (@st424204), Bruce Chen (@bruce30262), Pan Zhenpeng (@Peterpan980927) & Weiming Shi (@bestswngs) of STARLabs SG (@starlabs_sg) targeting NVIDIA Megatron Bridge used a bug that was previously known. They still earn $2,500 and 1 Master of Pwn point. WITHDRAWAL - Alon Ben Tsur (@iamgweej), Yahav Azran (@_yahav) have withdrawn their entry for Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category. 
SUCCESS - Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning $200,000 and 20 Master of Pwn points. SUCCESS / COLLISON - David Tae & Louis Hur of Out Of Bounds targeted Ollama, hitting a one-vulnerability collision with a previous attempt and earning $28,000 and 3 Master of Pwn points. FAILURE - Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) could not get their exploit of Mozilla Firefox \u2013 Renderer Only working within the time allotted. SUCCESS - Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., Urs Mueller (@compasssecurity) of Compass Security exploited Cursor in the second round, earning $15,000 and 3 Master of Pwn points. SUCCESS - Siyeon Wi used an integer overflow bug to escalate privileges on Microsoft Windows 11 in the fourth round, earning $7,500 and 3 Master of Pwn points. SUCCESS / COLLISON - Byung Young Yi (@yibarrack) of Out Of Bounds targeted LiteLLM, hitting a one-vulnerability collision with a previous attempt and earning $17,750 and 3.75 Master of Pwn points. SUCCESS - Confirmed! 0xDACA (@0xDACA) & Noam Trobishi (@NTrobishi) used a use-after-free bug to exploit NV Container Toolkit in the second round, earning $25,000 and 5 Master of Pwn points.","title":"Pwn2Own Berlin 2026 - Day Two Results","url":"https://www.thezdi.com/blog/2026/5/15/pwn2own-berlin-2026-day-two-results"},{"category":"Identity & Access","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":400,"published_date":"2026-05-15T04:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Learn what single sign-on (SSO) login is, how it\u2019s used in role management and cybersecurity, and how to set it up at your organization.","title":"What Is Single Sign-On? 
The Practical Guide | Huntress","url":"https://www.huntress.com/blog/what-is-sso-login"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":241,"published_date":"2026-05-15T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"In April 2026, Insikt Group\u00ae identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.","title":"April 2026 CVE Landscape","url":"https://www.recordedfuture.com/blog/april-cve-landscape"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":462,"published_date":"2026-05-14T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.","title":"Otto Support - Logging and Visibility in MCP Servers","url":"https://bishopfox.com/blog/otto-support-logging-visibility-in-mcp-servers"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":401,"published_date":"2026-05-14T11:00:00+00:00","severity":"high","source_name":"Huntress","summary":"Learn how critical Linux kernel flaws in CopyFail, Dirty Frag, and Fragnesia let unprivileged users escalate to root access. 
See what security teams can do to remediate.","title":"Panic at the Distro","url":"https://www.huntress.com/blog/linux-kernel-flaws-copyfail-dirty-frag-fragnesia"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":442,"published_date":"2026-05-14T08:27:32+00:00","severity":"medium","source_name":"Zero Day Initiative","summary":"Welcome to Day One of Pwn2Own Berlin 2026! Today, 22 entries took the Pwn2Own stage to target AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products, as the world\u2019s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $523,000 for 24 unique 0-days! DEVCORE is currently in the lead for Master of Pwn, but a pack of teams are right on their heels. Stay tuned tomorrow for more results and surprises. Follow the action live! We\u2019ll be posting real-time updates and results throughout the competition on our blog and across social media. Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Berlin and #P2OBerlin for continuous coverage. FAILURE - Unfortunately, Le Duc Anh Vu (@vulda17) of Viettel Cyber Security (@vcslab) could not get their exploit of OpenAI Codex working within the time allotted. SUCCESS - Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. SUCCESS - chompie of IBM X-Force Offensive Research (XOR) used a single bug to exploit NV Container Toolkit, earning $50,000 and 5 Master of Pwn points. SUCCESS - k3vg3n chained 3 bugs including SSRF and Code Injection to take down LiteLLM. $40,000 and 4 Master of Pwn points. Full win. 
SUCCESS - Satoki Tsuji (@satoki00) of Ikotas Labs, Inc. used an Overly Permissive Allowed List bug to exploit NVIDIA Megatron Bridge, earning $20,000 and 2 Master of Pwn points. FAILURE - Unfortunately, Park Jae Min could not get their exploit of Oracle Autonomous AI Database working within the time allotted. #Pwn2Own #P2OBerlin SUCCESS - Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security (@compasssecurity) used a single CWE-150 bug to exploit OpenAI Codex, earning $40,000 and 4 Master of Pwn points. SUCCESS - Angelboy (@scwuaptx) & TwinkleStar03 (@_twinklestar03) of DEVCORE Research Team used an Improper Access Control bug to escalate privileges on Microsoft Windows 11, earning $30,000 and 3 Master of Pwn points. WITHDRAWAL - Ben Koo (@kiddo_pwn) of Team DDOS has withdrawn their entry for Mozilla Firefox \u2013 Renderer Only in the Web Browser category FAILURE - Unfortunately, Interrupt Labs could not get their exploit of NV Container Toolkit working within the time allotted COLLISON - Although successful on stage, the Ikotas Labs, Inc. team targeting LiteLLM in the Local Inference category used bugs that were previously known. They still earn $8,000 and 1.75 Master of Pwn points. SUCCESS - Yoseop Kim (@pwning_me) used a CWE-470 bug to exploit NVIDIA Megatron Bridge in the second round, earning $10,000 and 2 Master of Pwn points. COLLISON - Although successful on stage, maitai (@MaitaiThe) of Doyensec (@Doyensec) targeting OpenAI Codex in the Coding Agent category used a bug that was previously known to the vendor. They still earn $10,000 and 2 Master of Pwn points. WITHDRAWAL - Yoseop Kim(@pwning_me) has withdrawn their entry for Mozilla Firefox \u2013 Renderer Only in the Web Browser category SUCCESS - haehae (@haehaeYang) of Out Of Bounds chained 2 bugs (CWE-190, CWE-362) to exploit Chroma, earning $20,000 and 2 Master of Pwn points. 
SUCCESS - Billy (@st424204), Pan Zhenpeng (@Peterpan980927) & Weiming Shi (@bestswngs) of STARLabs SG (@starlabs_sg) chained 5 bugs (incl. SSRF and Code Injection) to exploit LM Studio, earning $40,000 and 4 Master of Pwn points. Full win! SUCCESS - Marcin Wi\u0105zowski used a heap-based buffer overflow to escalate privileges on Microsoft Windows 11 in the second round, earning $15,000 and 3 Master of Pwn points. WITHDRAWAL - Qrious Secure (@qriousec) has withdrawn their entry for LM Studio in the Local Inference category. SUCCESS - Chompie of IBM X-Force Offensive Research (XOR) used a race condition to escalate privileges on Red Hat Enterprise Linux for Workstations, earning $20,000 and 2 Master of Pwn points. COLLISON - Although successful on stage, Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) targeting Anthropic Claude Code in the Coding Agent category used a bug that was previously known to the vendor. They still earn $20,000 and 2 Master of Pwn points SUCCESS - haehae (@haehaeYang) of Out Of Bounds used a Path Traversal bug to exploit NVIDIA Megatron Bridge in the second round, earning $10,000 and 2 Master of Pwn points. Full win! SUCCESS - Kentaro Kawane of GMO Cybersecurity by Ierae chained 2 Use-After-Free bugs to escalate privileges on Microsoft Windows 11 in the third round, earning $15,000 and 3 Master of Pwn points.","title":"Pwn2Own Berlin 2026 - Day One Results","url":"https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-day-one-results"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":242,"published_date":"2026-05-14T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"NVD enrichment now covers only 15\u201320% of CVEs. 
Learn how Recorded Future Vulnerability Intelligence prioritizes risk using real attacker behavior signals.","title":"NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals","url":"https://www.recordedfuture.com/blog/nist-nvd-enrichment"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":243,"published_date":"2026-05-14T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"The real question in modern cyber defense isn't who has more technology. It's who uses their resources more efficiently. Here's how AI fused with threat intelligence tips that balance.","title":"Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense","url":"https://www.recordedfuture.com/blog/ai-intelligence-cyber-defense"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":299,"published_date":"2026-05-14T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint.","title":"Backdoored node-ipc npm releases steal developer credentials through DNS queries","url":"https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis"},{"category":"Supply Chain","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. 
Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":300,"published_date":"2026-05-14T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users.","title":"Backdoored Cemu release linked to TanStack and Mistral supply chain campaign","url":"https://securitylabs.datadoghq.com/articles/backdoored-cemu-release-teampcp-supply-chain-campaign"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Caveat: already filtered for noise via filter_uncategorized.","created_at":"2026-07-02 03:55:49","id":196,"published_date":"2026-05-13T18:11:51+00:00","severity":"high","source_name":"SentinelOne","summary":"SentinelOne\u2019s latest report examines the evolving 'secrets' threatscape, showing how modern cloud and AI infrastructures are being exploited.","title":"The Convergence of Cloud Secrets & AI Risk","url":"https://www.sentinelone.com/blog/the-convergence-of-cloud-secrets-and-ai-risk"},{"category":"SaaS Breach","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":443,"published_date":"2026-05-13T16:23:07+00:00","severity":"medium","source_name":"Zero Day Initiative","summary":"Willkommen! (Welcome!) Pwn2Own Berlin 2026 has arrived at OffensiveCon, and the world\u2019s top security researchers are ready. This year\u2019s enterprise-focused competition features AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. Earlier today, we held the random draw to determine attempt order. Below is the official schedule. All times are Berlin local time (CET) and may change as the competition progresses. 
Check back for live updates. In case you missed it, you can watch the draw here. Jump to: Day One Day Two Day Three DAY ONE Thursday, May 14 - 1030 chompie of IBM X-Force Offensive Research (XOR) targeting NV Container Toolkit in the NVIDIA category for a total of $50,000 and 5 Master of Pwn points Le Duc Anh Vu ( @vulda ) of Viettel Cyber Security (@vcslab) targeting OpenAI Codex in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) targeting Microsoft Edge \u2013 Sandbox Escape in the Web Browser category for a total of $175,000 and 17.5 Master of Pwn points Thursday, May 14 - 1130 k3vg3n targeting LiteLLM in the Local Inference category for a total of $40,000 and 4 Master of Pwn points Satoki Tsuji (@satoki00) / Ikotas Labs, Inc. targeting Megatron Bridge in the NVIDIA category for a total of $20,000 and 2 Master of Pwn points Thursday, May 14 - 1300 Angelboy (@scwuaptx) of DEVCORE Research Team and TwinkleStar03 (@_twinklestar03), working with DEVCORE Internship Program targeting Microsoft Windows 11 in the Local Escalation of Privilege category for a total of $30,000 and 3 Master of Pwn points Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security (@compasssecurity) targeting OpenAI Codex in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Park Jae Min (@hiariz) targeting Oracle Autonomous AI Database in the AI Database category for a total of $40,000 and 4 Master of Pwn points Thursday, May 14 - 1400 Satoki Tsuji (@satoki00) / Ikotas Labs, Inc. targeting LiteLLM in the Local Inference category for a total of $40,000 and 4 Master of Pwn points. 
Yoseop kim(@pwning_me) targeting Megatron Bridge in the NVIDIA category for a total of $20,000 and 2 Master of Pwn points Thursday, May 14 - 1500 Ben Koo (@kiddo_pwn) of Team DDOS targeting Mozilla Firefox \u2013 Renderer Only in the Web Browser category for a total of $50,000 and 5 Master of Pwn points Interrupt Labs targeting NV Container Toolkit in the NVIDIA category for a total of $50,000 and 5 Master of Pwn points Thursday, May 14 - 1530 maitai (@MaitaiThe) of Doyensec (@Doyensec) targeting OpenAI Codex in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Thursday, May 14 - 1600 Billy (@st424204), Pan Zhenpeng(@Peterpan980927), Weiming Shi (@bestswngs) of STARLabs SG (@starlabs_sg) targeting LM Studio in the Local Inference category for a total of $40,000 and 4 Master of Pwn points Marcin Wi\u0105zowski targeting Microsoft Windows 11 in the Local Escalation of Privilege category for a total of $30,000 and 3 Master of Pwn points Thursday, May 14 - 1630 haehae (@haehaeYang) of Out Of Bounds targeting Chroma in the AI Database category for a total of $20,000 and 2 Master of Pwn points Thursday, May 14 - 1730 chompie of IBM X-Force Offensive Research (XOR) targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Yoseop Kim(@pwning_me) targeting Mozilla Firefox \u2013 Renderer Only in the Web Browser category for a total of $50,000 and 5 Master of Pwn points Thursday, May 14 - 1800 @rewhiles of Viettel Cyber Security (@vcslab) targeting Anthropic Claude Code in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Thursday, May 14 - 1830 Kentaro Kawane of GMO Cybersecurity by Ierae targeting Microsoft Windows 11 in the Local Escalation of Privilege category for a total of $30,000 and 3 Master of Pwn points Qrious Secure (@qriousec) targeting LM Studio in the Local Inference category for a total of $40,000 and 4 Master of Pwn 
points Thursday, May 14 - 1900 haehae (@haehaeYang) of Out of Bounds targeting Megatron Bridge in the NVIDIA category for a total of $20,000 and 2 Master of Pwn points Back to top DAY TWO Friday, May 15 - 1030 Ben Koo (@kiddo_pwn) of Team DDOS targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Stephen Fewer (Rapid7) targeting Microsoft SharePoint in the Server category for a total of $100,000 and 10 Master of Pwn points Tao Yan (@Ga1ois) and Edouard Bochin (@le_douds) from Palo Alto Networks targeting Apple Safari \u2013 Renderer Only in the Web Browser category for a total of $75,000 and 7.5 Master of Pwn points Friday, May 15 - 1130 Le Duc Anh Vu ( @vulda ) of Viettel Cyber Security (@vcslab) targeting Cursor in the Coding Agent category for a total of $30,000 and 3 Master of Pwn points Nikolaos Mourousias (@deltaclock), Caue Obici (@caueobici) and Bruno Halltari (@BrunoModificato) of OtterSec targeting LM Studio in the Local Inference category for a total of $40,000 and 4 Master of Pwn points Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam). targeting Anthropic Claude Code in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Friday, May 15 - 1300 Ruitong from the Abstract Team at the University of Colorado Boulder targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Friday, May 15 - 1330 Kiyong Kwak of Kakaogames and Song Nuri of Samsung Electronics targeting Apple Safari \u2013 Renderer Only in the Web Browser category for a total of $75,000 and 7.5 Master of Pwn points Orange Tsai (@orange_8361) of DEVCORE Research Team targeting Microsoft Exchange in the Server category for a total of $200,000 and 20 Master of Pwn points Friday, May 15 - 1400 Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam). 
targeting OpenAI Codex in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Friday, May 15 - 1430 Billy (@st424204), Bruce Chen(@bruce30262), Pan Zhenpeng(@Peterpan980927), Weiming Shi (@bestswngs ) of STARLabs SG (@starlabs_sg) targeting Megatron Bridge in the NVIDIA category for a total of $20,000 and 2 Master of Pwn points David Tae, Louis Hur of Out Of Bounds targeting Ollama in the Local Inference category for a total of $40,000 and 4 Master of Pwn points Friday, May 15 - 1530 Team: Alon Ben Tsur (@iamgweej), Yahav Azran (@_yahav) targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Friday, May 15 - 1600 @rewhiles of Viettel Cyber Security (@vcslab) targeting Mozilla Firefox \u2013 Renderer Only in the Web Browser category for a total of $50,000 and 5 Master of Pwn points Siyeon Wi targeting Microsoft Windows 11 in the Local Escalation of Privilege category for a total of $30,000 and 3 Master of Pwn points Friday, May 15 - 1630 Byung Young Yi (@yibarrack) of Out Of Bounds targeting LiteLLM in the Local Inference category for a total of $40,000 and 4 Master of Pwn points Friday, May 15 - 1700 Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security (@compasssecurity) targeting Cursor in the Coding Agent category for a total of $30,000 and 3 Master of Pwn points Friday, May 15 - 1800 Daniel Cohen Hillel (@0xDACA) targeting NV Container Toolkit in the NVIDIA category for a total of $50,000 and 5 Master of Pwn points Back to top DAY THREE Saturday, May 16 - 1100 Le Tran Hai Tung (@tacbliw), dungnm (@dungnm_) and hieuvd (@gr4ss341) of Viettel Cyber Security (@vcslab) targeting Microsoft Windows 11 in the Local Escalation of Privilege category for a total of $30,000 and 3 Master of Pwn points Satoki Tsuji (@satoki00) / Ikotas Labs, Inc. 
targeting OpenAI Codex in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam). targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Saturday, May 16 - 1330 Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security (@compasssecurity) targeting Anthropic Claude Code in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Hyunwoo Kim (@v4bel) targeting Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category for a total of $20,000 and 2 Master of Pwn points Team: Giuseppe Cal\u00ec (@_gcali) of Summoning Team targeting VMware ESXi in the Virtualization category with the Cross-tenant Code Execution Addon add-on for a total of $200,000 and 20 Master of Pwn points Saturday, May 16 - 1430 splitline (@_splitline_) of DEVCORE Research Team targeting Microsoft SharePoint in the Server category for a total of $100,000 and 10 Master of Pwn points Saturday, May 16 - 1600 Byung Young Yi (@yibarrack) of Out Of Bounds targeting Anthropic Claude Code in the Coding Agent category for a total of $40,000 and 4 Master of Pwn points Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG (@starlabs_sg) targeting VMware ESXi in the Virtualization category with the Cross-tenant Code Execution Addon add-on for a total of $200,000 and 20 Master of Pwn points Follow the action live! We\u2019ll be posting real-time updates and results throughout the competition on our blog and across social media. 
Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Berlin and #P2OBerlin for continuous coverage.","title":"Pwn2Own Berlin 2026: The Full Schedule","url":"https://www.thezdi.com/blog/2026/5/13/pwn2own-berlin-2026-the-full-schedule"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":189,"published_date":"2026-05-13T13:01:01+00:00","severity":"medium","source_name":"Check Point Research","summary":"Key Points Introduction The Gentlemen ransomware\u2011as\u2011a\u2011service (RaaS) operation is a relatively new group that emerged around mid\u20112025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates. In 2026, based on victims listed on the data leak site (DLS), [\u2026] The post Thus Spoke\u2026The Gentlemen appeared first on Check Point Research.","title":"Thus Spoke\u2026The Gentlemen","url":"https://research.checkpoint.com/2026/thus-spoke-the-gentlemen"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":463,"published_date":"2026-05-13T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. 
This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.","title":"Otto-Support - Supply Chain Risks in MCP Servers","url":"https://bishopfox.com/blog/otto-support-supply-chain-risks-mcp-servers"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":301,"published_date":"2026-05-13T00:00:00+00:00","severity":"high","source_name":"Datadog Security Labs","summary":"A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities.","title":"Shai-Hulud Goes Open Source","url":"https://securitylabs.datadoghq.com/articles/shai-hulud-open-source-framework-static-analysis"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":333,"published_date":"2026-05-13T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Solid Edge SE2026 before Update 5 is affected by two file parsing vulnerabilities that could be triggered when the application reads specially crafted files in PAR format. This could allow an attacker to crash the application or execute arbitrary code. 
Siemens has released a new version for Solid Edge SE2026 and recommends to update to the latest version.","title":"SSA-921111 V1.1 (Last Update: 2026-05-13): Two File Parsing Vulnerabilities in Solid Edge Before Version SE226 Update 5","url":"https://cert-portal.siemens.com/productcert/html/ssa-921111.html"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Gold-standard primary vulnerability research. Detailed, reproducible, responsibly disclosed.","created_at":"2026-07-02 03:55:57","id":428,"published_date":"2026-05-12T22:00:00+00:00","severity":"medium","source_name":"Google Project Zero","summary":"We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. While we had an exploit chain for the Pixel 9, we wanted to see if it was possible to write a similar exploit chain for Pixel 10. Updating the Dolby Exploit Altering our exploit for CVE-2025-54957 was fairly straightforward. The majority of needed changes involved updating offsets calculated for the specific version of the library we targeted on the Pixel 9 to similar offsets in the library for Pixel 10. The only challenge (outside of wishing we\u2019d better documented which syncframes contained offsets) was that the Pixel 10 uses RET PAC in the place of -fstack-protector, which meant that __stack_chk_fail wasn\u2019t available to be overwritten by code. 
After a bit of trial and error, we used dap_cpdp_init, initialization code that can be overwritten without causing functional problems, as it is called once when the decoder is initialized and never again.","title":"A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens","url":"https://projectzero.google/2026/05/pixel-10-exploit.html"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established independent investigative security journalism. High rigor, frequently breaks news.","created_at":"2026-07-02 03:55:46","id":10,"published_date":"2026-05-12T21:46:45+00:00","severity":"medium","source_name":"Krebs on Security","summary":"Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers -- including Apple, Google, Microsoft, Mozilla and Oracle -- fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases.","title":"Patch Tuesday, May 2026 Edition","url":"https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition"},{"category":"Cloud Security","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":444,"published_date":"2026-05-12T18:38:43+00:00","severity":"critical","source_name":"Zero Day Initiative","summary":"I\u2019m currently in Berlin helping set up for Pwn2Own Berlin, but that doesn\u2019t stop Patch Tuesday from coming, and it\u2019s another big one. At least nothing is listed as being in the wild \u2013 for now. Take a break from your regularly scheduled activities and let\u2019s take a look at the latest security patches from Adobe and Microsoft. Due to technical difficulties, there will not be a video companion for this month. 
Adobe Patches for May 2026 For May, Adobe released 10 bulletins addressing 52 unique CVEs in Adobe Commerce, After Effects, Adobe Connect, Illustrator, Media Encoder, Premiere Pro, Substance 3D Painter, Substance 3D Sampler, Content Authenticity SDK, and the Adobe Substance 3D Designer. Here\u2019s this month\u2019s overview table: Bulletin ID Product CVE Count Highest Severity Highest CVSS Exploited Deployment Priority APSB26-49 Adobe Commerce 15 Critical 8.7 No 2 APSB26-48 Adobe After Effects 4 Critical 7.8 No 3 APSB26-50 Adobe Connect 2 Critical 9.6 No 3 APSB26-51 Adobe Illustrator 4 Critical 7.8 No 3 APSB26-47 Adobe Media Encoder 2 Critical 7.8 No 3 APSB26-46 Adobe Premiere Pro 3 Critical 7.8 No 3 APSB26-55 Adobe Substance 3D Painter 2 Critical 7.8 No 3 APSB26-54 Adobe Substance 3D Sampler 1 Critical 7.8 No 3 APSB26-53 Content Authenticity SDK 14 Critical 7.5 No 3 APSB26-52 Adobe Substance 3D Designer 5 Important 6.3 No 3 TOTAL 10 bulletins 52 The obvious priority this month is the patch for Commerce, with its 15 bugs and deployment priority of 2. The Connect fix should also rank up there since both of its CVEs are CVSS 9s. Beyond those, it\u2019s a pretty typical month for Adobe, with most of the bugs either being cross-site scripting (XSS) or open-and-own code executions. Microsoft Patches for May 2026 This month, Microsoft released a whopping 138 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, .NET and Visual Studio, Copilot Chat, Github Copilot, M365 Copilot, SQL Server, TCP/IP, and the Telnet Client \u2013 yes, the Telnet client. Two of these bugs were reported through the TrendAI ZDI program. 30 of these bugs are rated Critical, three are rated as Moderate, one is rated Low, and the rest are rated Important in severity. This large volume of fixes follows the largest monthly release in Microsoft\u2019s history and reflects the trend across the industry of a high number of submissions. 
While not all of these bugs were found by AI, it\u2019s likely they had an AI-related component \u2013 even if it was just AI writing the submission. I should also point out the Pwn2Own Berlin occurs in just a few days, and it\u2019s typical for vendors to patch as much as they can before the event. None of the bugs patched by Microsoft this month are listed as publicly known or under active attack at the time of release, so we\u2019ve got that going for us. Let\u2019s take a closer look at some of the more interesting updates for this month, starting with a nasty-looking bug in DNS: - CVE-2026-41096 - Windows DNS Client Remote Code Execution VulnerabilityThis patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise. - CVE-2026-41089 - Windows Netlogon Remote Code Execution VulnerabilityThis update covers another CVSS 9.8 bug, which is a stack-based buffer overflow that lets an unauthenticated remote attacker execute code on a domain controller by sending a specially crafted network request \u2014 no credentials, no user interaction required. Yup \u2013 that makes it wormable. This is the highest-impact bug that requires immediate patching: a compromised domain controller is a compromised domain. - CVE-2026-42898 - Microsoft Dynamics 365 On-Premises Remote Code Execution VulnerabilityThis bug rates a CVSS 9.9(!) and represents a code injection in Dynamics 365. It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you\u2019re running Dynamics 365 On-Prem, definitely test and deploy this patch quickly. 
- CVE-2026-40415 - Windows TCP/IP Remote Code Execution Vulnerability
This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited: the target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare. Still, no need to tempt fate here. Test and deploy this one quickly.
Here\u2019s the full list of CVEs released by Microsoft for May 2026:
CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability | Critical | 8.6 | No | No | EoP
CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability | Critical | 9.6 | No | No | Spoofing
CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability | Critical | 10 | No | No | Info
CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability | Critical | 8.8 | No | No | Spoofing
CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE
CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE
CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability | Critical | 8.1 | No | No | EoP
CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability | Critical | 7.5 | No | No | Info
CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | Critical | 7.5 | No | No | Info
CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability | Critical | 7.5 | No | No | Info
CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | Critical | 7.7 | No | No | EoP
CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE
CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability | Critical | 9.3 | No | No | Spoofing
CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability | Critical | 8.2 | No | No | Spoofing
CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability | Critical | 9.1 | No | No | EoP
CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability | Critical | 9.6 | No | No | Info
CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE
CVE-2026-42831 | Office for Android Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | Critical | 9.3 | No | No | EoP
CVE-2026-32161 | Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE
CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2026-32175 | .NET Core Tampering Vulnerability | Important | 4.3 | No | No | Tampering
CVE-2026-32177 | .NET Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2026-35433 | .NET Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2025-54518 * | AMD: CVE-2025-54518 CPU OP Cache Corruption | Important | | No | No | RCE
CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2026-40381 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-42823 \u2020 | Azure Logic Apps Elevation of Privilege Vulnerability | Important | 9.9 | No | No | EoP
CVE-2026-33833 | Azure Machine Learning Notebook Spoofing Vulnerability | Important | 8.2 | No | No | Spoofing
CVE-2026-32204 | Azure Monitor Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-42830 | Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP
CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability | Important | 9.1 | No | No | SFB
CVE-2026-41109 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability | Important | 8.8 | No | No | SFB
CVE-2026-35424 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2026-41614 | M365 Copilot for Desktop Spoofing Vulnerability | Important | 6.2 | No | No | Spoofing
CVE-2026-41100 | Microsoft 365 Copilot for Android Spoofing Vulnerability | Important | 4.4 | No | No | Spoofing
CVE-2026-40377 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-41094 | Microsoft Data Formulator Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-40417 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Important | 9.1 | No | No | RCE
CVE-2026-42838 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 5.4 | No | No | EoP
CVE-2026-40360 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2026-40362 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2026-42832 | Microsoft Excel Spoofing Vulnerability | Important | 7.7 | No | No | Spoofing
CVE-2026-34329 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-40419 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40418 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-35436 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2026-40420 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2026-42893 | Microsoft Outlook for iOS Tampering Vulnerability | Important | 7.4 | No | No | Tampering
CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2026-41102 | Microsoft PowerPoint for Android Spoofing Vulnerability | Important | 7.1 | No | No | Spoofing
CVE-2026-35439 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-40368 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2026-33110 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-33112 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-40357 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-32185 | Microsoft Teams Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing
CVE-2026-41101 | Microsoft Word for Android Spoofing Vulnerability | Important | 7.1 | No | No | Spoofing
CVE-2026-35440 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2026-40421 | Microsoft Word Information Disclosure Vulnerability | Important | 4.3 | No | No | Info
CVE-2026-41097 | Secure Boot Security Feature Bypass Vulnerability | Important | 6.7 | No | No | SFB
CVE-2026-40370 \u2020 | SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2026-41613 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2026-41612 | Visual Studio Code Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2026-41611 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2026-41610 | Visual Studio Code Security Feature Bypass Vulnerability | Important | 6.3 | No | No | SFB
CVE-2026-33839 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-33840 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34330 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34331 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-35423 | Windows 11 Telnet Client Information Disclosure Vulnerability | Important | 5.4 | No | No | Info
CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability | Important | 8.3 | No | No | EoP
CVE-2026-41086 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2026-34344 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34345 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-35416 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-41088 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34343 | Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-35418 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-33835 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34337 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40407 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40397 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-42896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-35419 | Windows DWM Core Library Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2026-34336 | Windows DWM Core Library Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2026-33834 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-32209 | Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB
CVE-2026-33841 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-35420 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34332 | Windows Kernel-Mode Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2026-34339 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2026-34341 | Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-33838 | Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34342 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-41095 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34340 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-40398 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-21530 | Windows Rich Text Edit Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2026-32170 | Windows Rich Text Edit Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2026-40410 | Windows SMB Client Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-35415 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34350 | Windows Storport Miniport Driver Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2026-40405 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2026-40414 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.4 | No | No | DoS
CVE-2026-40401 | Windows TCP/IP Denial of Service Vulnerability | Important | 6.2 | No | No | DoS
CVE-2026-40413 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.4 | No | No | DoS
CVE-2026-35422 | Windows TCP/IP Driver Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB
CVE-2026-34351 | Windows TCP/IP Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40399 | Windows TCP/IP Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34334 | Windows TCP/IP Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40406 | Windows TCP/IP Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2026-33837 | Windows TCP/IP Local Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40415 | Windows TCP/IP Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE
CVE-2026-42825 | Windows Telephony Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-34338 | Windows Telephony Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40382 | Windows Telephony Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-40380 | Windows Volume Manager Extension Driver Remote Code Execution Vulnerability | Important | 6.2 | No | No | RCE
CVE-2026-40408 | Windows WAN ARP Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34333 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-34347 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2026-35417 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2026-42891 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Moderate | 6.5 | No | No | Spoofing
CVE-2026-35429 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing
CVE-2026-41107 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Moderate | 7.4 | No | No | Info
CVE-2026-40416 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | Low | 4.3 | No | No | Spoofing
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
\u2020 Indicates further administrative actions are required to fully address the vulnerability.
Looking at the other Critical-rated bugs in this month\u2019s release, there are quite a few scary-looking bugs (including a CVSS 10!), but there\u2019s no action for the end user as Microsoft has already mitigated these bugs and is just now documenting them. There\u2019s also this month\u2019s crop of Office bugs where the Preview Pane is an attack vector. However, the bug in Office for Android does not have the Preview Pane vector; it\u2019s simple open and own. The bug in the WiFi driver needs a network-adjacent attacker. The SharePoint bug requires authentication, but anyone with site privileges has the authentication needed. The bug in the SSO Plugin for Jira & Confluence should really be called an authentication bypass, since it allows an unauthenticated attacker to gain access to a system. Looking at the other code execution bugs, most are of the open and own variety as expected. The bug in Dynamics 365 (On-Premises) requires high privileges. The Message Queuing (MSMQ) bug requires an adjacent attacker. The bug in SQL Server requires authentication, but as usual, patching won\u2019t be straightforward. Finally, there\u2019s a bug in the kernel that leads to code execution. 
Most kernel bugs are privilege escalations, but this one could allow code execution if an attacker sends specially crafted NVMe over Fabrics (NVMe\u2011oF) response messages during the connection handshake process that contain an invalid header length value. Neat. As usual, the vast majority of the Microsoft release fixes Elevation of Privilege (EoP) bugs. Also as usual, most simply lead to local attackers executing their code at SYSTEM-level privileges or administrative privileges, so there\u2019s not much to add without further technical details about the bugs themselves. There are also a few bugs that just state the attacker could \u201cgain ELEVATED privileges.\u201d How obtuse. The bugs in Azure allow an attacker to access data otherwise hidden from them. The Edge bug allows threat actors to elevate to the privileges of the running application. The bug in Visual Studio Code allows attackers to get permissions associated with the MCP Server\u2019s managed identity. Finally, there are a couple of sandbox escapes, too, which are always useful. This month's update includes six Security Feature Bypass vulnerabilities. The most severe is in the Azure SDK for Java (CVSS 9.1). An attacker over the network can bypass the integrity protection provided by authentication tags on encrypted data, effectively manipulating encrypted input in a way that slips past integrity checks during decryption. Close behind is the bypass affecting the GitHub Copilot integration in Visual Studio Code (CWE-74). This one requires user interaction, but it allows an attacker to circumvent the path validation safeguards that normally control which files Copilot is permitted to modify. The other Visual Studio Code bypass involves cross-site scripting, improper link resolution, and information exposure triggered when a user opens or views a maliciously crafted notebook. On the Windows networking side there are two bypasses. 
The first hits the Windows TCP/IP driver via an authentication bypass using an alternate channel. The other impacts the Windows Filtering Platform through improper access control, allowing a local, low-privileged attacker to bypass FQDN-based network security rules. Finally, there\u2019s a Secure Boot bypass that, you guessed it, bypasses Secure Boot features. Moving on to the Information Disclosure bugs fixed this month, we have 15 different CVEs. As usual, the majority of these simply result in info leaks consisting of unspecified memory contents or memory addresses. The bug in Power Automate could expose data marked \u201cSensitive\u201d within Power Automate Desktop flows. One of the Word bugs could disclose NTLM hashes. The bug in Edge could disclose your cookies, which seems rude. The bug in Visual Studio Code could expose file path information. Finally, there\u2019s a bug in Telnet for Windows 11 that leaks information being used by Telnet at the time. I didn\u2019t even realize Windows 11 still had a telnet client. The May release contains 10 spoofing bugs (plus the ones already addressed by Microsoft). The Azure Machine Learning Notebook spoofing bug requires user interaction, but it could expose info through the Azure ML web interface to the attacker. There\u2019s a cluster of fixes for Microsoft's mobile Office suite on Android. Excel, Word, and PowerPoint for Android all carry spoofing flaws rooted in improper access control. Two Copilot products are also affected by spoofing vulns. Microsoft provides no details for the M365 Copilot for Desktop bug. The M365 Copilot for Android variant requires low privileges and produces only limited impact on confidentiality and integrity. Microsoft Teams for Android rounds out the mobile app spoofing bugs. Three Edge bugs close things out, all involving misrepresentation of information in the browser UI. There are two Tampering bugs in this month\u2019s release. 
The one in .NET Core allows threat actors to write files to an affected system. The other is in Outlook for iOS and manifests as a command injection bug. There are eight DoS bugs in the May release, but as always, Microsoft provides little to no actionable information about the vulnerabilities. The most interesting from a practical standpoint are two TCP/IP bugs that allow a low-privilege Hyper-V guest to crash the host. Both are triggered from the adjacent network. On the broader network-exposure side, the ASP.NET Core bug is a straightforward infinite loop condition \u2014 an unauthenticated attacker sends a crafted request over the network and the server stops responding. No new advisories are being released this month.
Looking Ahead
Assuming I survive Pwn2Own Berlin (which is looking iffy at the moment), I\u2019ll return on June 9th on what will hopefully be a smaller release than this one. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!","title":"The May 2026 Security Update Review","url":"https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-review"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":402,"published_date":"2026-05-12T14:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"The Huntress \u00d7 Acrisure Cyber Insurance Program now simplifies cyber insurance. Get streamlined coverage and a $0 deductible on Tech E&O or Cyber policies when using Managed EDR and Managed ITDR.","title":"Huntress \u00d7 Acrisure Cyber Insurance Program","url":"https://www.huntress.com/blog/huntress-acrisure-cyber-insurance-program"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. 
Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":464,"published_date":"2026-05-12T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.","title":"Introducing Joro: Using AI to Build Security Tooling","url":"https://bishopfox.com/blog/introducing-joro-using-ai-build-security-tooling"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"Authoritative vulnerability disclosure program, coordinates with vendors.","created_at":"2026-07-02 03:55:59","id":445,"published_date":"2026-05-12T12:21:51+00:00","severity":"critical","source_name":"Zero Day Initiative","summary":"We\u2019ve received some feedback from those who read the Patch Blog that they would like something similar for macOS updates. Unfortunately, Apple doesn\u2019t schedule these for a particular day, but we can provide our thoughts and analysis on the days they do release their latest patches. For May 2026, Apple released 82 unique CVEs across the three macOS versions: 79 for macOS Tahoe 26.5, 45 for macOS Sequoia 15.7.7, and 42 for macOS Sonoma 14.8.7. Since Apple doesn\u2019t provide CVSS scores or other severity information, we\u2019re left to speculate on which of these bugs is the most severe. However, there are a couple that stand out. - CVE-2026-28819 (Wi-Fi) stands out as the strongest candidate for the most severe as it states, \u201cAn app may be able to execute arbitrary code with kernel privileges.\u201d The combination of arbitrary code execution at the kernel level is about as bad as it gets on a severity scale. Plus, it affects all three macOS versions (Tahoe, Sequoia, and Sonoma). 
- CVE-2026-43668 (mDNSResponder) also piques my interest since, \u201cA remote attacker may be able to cause unexpected system termination or corrupt kernel memory.\u201d The remote attack vector with kernel memory corruption on all three OS versions makes this a serious one, especially since mDNSResponder is always running. - CVE-2026-28972 (Kernel) states that \u201cAn app may be able to cause unexpected system termination or write kernel memory.\u201d That is an out-of-bounds write directly into kernel memory on all three OS versions. This one may also have implications in the upcoming Pwn2Own Berlin contest. Here\u2019s a look at all the bugs released by Apple this month:
82 unique CVEs: 79 in macOS Tahoe 26.5, 45 in macOS Sequoia 15.7.7, 42 in macOS Sonoma 14.8.7
CVE ID | Component | Impact | macOS Tahoe 26.5 | macOS Sequoia 15.7.7 | macOS Sonoma 14.8.7
CVE-2026-28991 | Accelerate | An app may be able to cause a denial-of-service | Yes | No | No
CVE-2026-28988 | Accounts | An app may be able to bypass certain Privacy preferences | Yes | No | No
CVE-2026-28959 | APFS | An app may be able to cause unexpected system termination | Yes | Yes | Yes
CVE-2026-28995 | App Intents | A malicious app may be able to break out of its sandbox | Yes | No | No
CVE-2026-1837 | AppleJPEG | Processing a maliciously crafted image may lead to a denial-of-service | Yes | No | No
CVE-2026-28956 | AppleJPEG | Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory | Yes | Yes | Yes
CVE-2026-39869 | Audio | Processing an audio stream in a maliciously crafted media file may terminate the process | Yes | Yes | Yes
CVE-2026-28922 | CoreMedia | An app may be able to access private information | Yes | Yes | Yes
CVE-2026-28936 | CoreServices | Processing a maliciously crafted file may lead to unexpected app termination | Yes | No | Yes
CVE-2026-28918 | CoreSymbolication | Parsing a maliciously crafted file may lead to an unexpected app termination | Yes | No | No
CVE-2026-28878 | Crash Reporter | An app may be able to enumerate a user's installed apps | No | Yes | No
CVE-2026-28915 | CUPS | An app may be able to gain root privileges | Yes | Yes | Yes
CVE-2026-43659 | FileProvider | An app may be able to access sensitive user data | Yes | Yes | Yes
CVE-2026-28923 | GPU Drivers | A malicious app may be able to break out of its sandbox | Yes | Yes | Yes
CVE-2026-28925 | HFS | An app may be able to cause unexpected system termination or write kernel memory | Yes | Yes | Yes
CVE-2025-43524 | Icons | An app may be able to break out of its sandbox | No | Yes | Yes
CVE-2026-43661 | ImageIO | Processing a maliciously crafted image may corrupt process memory | Yes | No | No
CVE-2026-28977 | ImageIO | Processing a maliciously crafted file may lead to unexpected app termination | Yes | Yes | Yes
CVE-2026-28990 | ImageIO | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | Yes
CVE-2026-28978 | Installer | A malicious app may be able to break out of its sandbox | Yes | Yes | Yes
CVE-2026-28992 | IOHIDFamily | An attacker may be able to cause unexpected app termination | Yes | Yes | Yes
CVE-2026-28943 | IOHIDFamily | An app may be able to determine kernel memory layout | Yes | Yes | Yes
CVE-2026-28969 | IOKit | An app may be able to cause unexpected system termination | Yes | Yes | Yes
CVE-2026-43655 | IOSurfaceAccelerator | An app may be able to cause unexpected system termination or read kernel memory | Yes | No | No
CVE-2026-43654 | Kernel | An app may be able to disclose kernel memory | Yes | Yes | Yes
CVE-2026-28908 | Kernel | An app may be able to modify protected parts of the file system | Yes | Yes | Yes
CVE-2026-28954 | Kernel | A maliciously crafted disk image may bypass Gatekeeper checks | Yes | Yes | Yes
CVE-2026-28897 | Kernel | A local user may be able to cause unexpected system termination or read kernel memory | Yes | Yes | Yes
CVE-2026-28952 | Kernel | An app may be able to cause unexpected system termination | Yes | Yes | Yes
CVE-2026-28951 | Kernel | An app may be able to gain root privileges | Yes | Yes | Yes
CVE-2026-28972 | Kernel | An app may be able to cause unexpected system termination or write kernel memory | Yes | Yes | Yes
CVE-2026-28986 | Kernel | An app may be able to cause unexpected system termination | Yes | Yes | Yes
CVE-2026-28987 | Kernel | An app may be able to leak sensitive kernel state | Yes | Yes | Yes
CVE-2026-28983 | LaunchServices | A remote attacker may be able to cause a denial of service | Yes | No | No
CVE-2026-28929 | Mail Drafts | Replying to an email could display remote images in Mail in Lockdown Mode | Yes | Yes | Yes
CVE-2026-43653 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | No | Yes
CVE-2026-28985 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | No | No
CVE-2026-43668 | mDNSResponder | A remote attacker may be able to cause unexpected system termination or corrupt kernel memory | Yes | Yes | Yes
CVE-2026-43666 | mDNSResponder | An attacker on the local network may be able to cause a denial-of-service | Yes | Yes | Yes
CVE-2026-28941 | Model I/O | Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents | Yes | Yes | No
CVE-2026-28940 | Model I/O | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | No
CVE-2026-28961 | Network Extensions | An attacker with physical access to a locked device may be able to view sensitive user information | Yes | No | No
CVE-2026-28906 | Networking | An attacker may be able to track users through their IP address | Yes | Yes | Yes
CVE-2026-28840 | PackageKit | An app may be able to gain root privileges | No | Yes | Yes
CVE-2026-43656 | Quick Look | Parsing a maliciously crafted file may lead to an unexpected app termination | Yes | Yes | Yes
CVE-2026-43652 | Sandbox | An app may be able to access protected user data | Yes | No | No
CVE-2026-39870 | SceneKit | Processing a maliciously crafted image may corrupt process memory | Yes | Yes | Yes
CVE-2026-28846 | SceneKit | A remote attacker may be able to cause unexpected app termination | Yes | Yes | Yes
CVE-2026-28993 | Shortcuts | An app may be able to access user-sensitive data | Yes | Yes | Yes
CVE-2026-28848 | SMB | A remote attacker may be able to cause unexpected system termination | Yes | Yes | No
CVE-2026-28930 | Spotlight | An app may be able to access protected user data | Yes | No | No
CVE-2026-28974 | Spotlight | An app may be able to cause a denial-of-service | Yes | Yes | No
CVE-2026-28996 | Storage | An app may be able to access sensitive user data | Yes | Yes | Yes
CVE-2026-28919 | StorageKit | An app may be able to gain root privileges | Yes | Yes | Yes
CVE-2026-28924 | Sync Services | An app may be able to access Contacts without user consent | Yes | Yes | Yes
CVE-2026-39871 | TV App | An app may be able to observe unprotected user data | Yes | Yes | Yes
CVE-2026-28976 | UserAccountUpdater | An app may be able to gain root privileges | Yes | No | No
CVE-2026-43660 | WebKit | Processing maliciously crafted web content may prevent Content Security Policy from being enforced | Yes | No | No
CVE-2026-28907 | WebKit | Processing maliciously crafted web content may prevent Content Security Policy from being enforced | Yes | No | No
CVE-2026-28962 | WebKit | Processing maliciously crafted web content may disclose sensitive user information | Yes | No | No
CVE-2026-43658 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No
CVE-2026-28905 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28847 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28904 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28955 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28903 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28953 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28902 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28901 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28913 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28883 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28958 | WebKit | An app may be able to access sensitive user data | Yes | No | No
CVE-2026-28917 | WebKit | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28947 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No
CVE-2026-28946 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No
CVE-2026-28942 | WebKit | Processing maliciously crafted web content may lead to an unexpected Safari crash | Yes | No | No
CVE-2026-28971 | WebKit | A malicious iframe may use another website's download settings | Yes | No | No
CVE-2026-28944 | WebRTC | Processing maliciously crafted web content may lead to an unexpected process crash | Yes | No | No
CVE-2026-28819 | Wi-Fi | An app may be able to execute arbitrary code with kernel privileges | Yes | Yes | Yes
CVE-2026-28994 | Wi-Fi | An attacker in a privileged network position may be able to perform denial-of-service attack using crafted Wi-Fi packets | Yes | Yes | Yes
CVE-2026-28914 | zip | A maliciously crafted ZIP archive may bypass Gatekeeper checks | Yes | No | No
CVE-2026-28920 | zlib | Visiting a maliciously crafted website may leak sensitive data | Yes | Yes | Yes
CVEs marked with the scarab logo were reported through the TrendAI Zero Day Initiative program. We\u2019ll continue these macOS updates if people find them useful. Stay tuned for the regularly scheduled Patch Tuesday blog covering Adobe and Microsoft.","title":"The Apple macOS Security Update Review","url":"https://www.thezdi.com/blog/2026/5/12/the-apple-macos-security-update-review"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":334,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Fortinet has published information on vulnerabilities in FORTIOS. This advisory lists the related Siemens Industrial products. Siemens has released a new version for RUGGEDCOM APE1808 and recommends updating to the latest version.","title":"SSA-975644 V1.1 (Last Update: 2026-05-12): Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-975644.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":335,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Ruggedcom Rox contains an improper access control vulnerability that could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system\u2019s filesystem. Siemens has released new versions for the affected products and recommends updating to the latest versions.","title":"SSA-973901 V1.0: Arbitrary File Disclosure Vulnerability in Ruggedcom Rox Before V2.17.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-973901.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":336,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"A sensitive data exposure vulnerability in SIPROTEC 5 can allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.","title":"SSA-904646 V1.1 (Last Update: 2026-05-12): Sensitive Data Exposure Vulnerability in SIPROTEC 5 Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-904646.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":337,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific \u201cGadget\u201d attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends to update to the latest version.","title":"SSA-876049 V1.0: Prototype Pollution Vulnerability in Axios Library Affecting Siemens gWAP Before V3.1.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-876049.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":338,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Siemens Teamcenter is affected by multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-827383 V1.0: Multiple Vulnerabilities in Teamcenter","url":"https://cert-portal.siemens.com/productcert/html/ssa-827383.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":339,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.","title":"SSA-786884 V1.0: Insufficient Randomness in Session Identifier Vulnerability in SIPROTEC 5","url":"https://cert-portal.siemens.com/productcert/html/ssa-786884.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":340,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project\u2019s net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends to update to the latest version.","title":"SSA-783943 V1.0: HTTP Request Smuggling Vulnerability in SENTRON 7KT PAC1261 Data Manager Before V2.1.0","url":"https://cert-portal.siemens.com/productcert/html/ssa-783943.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":341,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-688146 V1.0: Multiple Cross-Site Scripting Vulnerabilities in SIMATIC S7 PLCs Web Server","url":"https://cert-portal.siemens.com/productcert/html/ssa-688146.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":342,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Ruggedcom Rox before v2.17.1 contain multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-577017 V1.0: Multiple Vulnerabilities in Ruggedcom Rox Before 2.17.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-577017.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":343,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SIMATIC S7-1500 devices contain a vulnerability that could allow an attacker to inject code by tricking a legitimate user into importing a specially crafted trace file in the web interface. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-452276 V1.3 (Last Update: 2026-05-12): Eval Injection Vulnerability in SIMATIC S7-1500","url":"https://cert-portal.siemens.com/productcert/html/ssa-452276.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":344,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. 
Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-392349 V1.0: Denial of Service Vulnerability in Industrial Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-392349.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":345,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. This vulnerability allows an attacker to access the web browser through the Control Panel if it is not protected by the corresponding security mechanisms. This opens the possibility for the attacker to find backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-387223 V1.0: Unauthenticated Control Panel Escape Vulnerability on SIMATIC HMI Unified Comfort before V21.0","url":"https://cert-portal.siemens.com/productcert/html/ssa-387223.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":346,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"ROS# contains a ROS service file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. 
read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts service. Siemens has released a new version for ROS# and recommends to update to the latest version.","title":"SSA-357982 V1.0: Path Traversal Vulnerability in ROS# Before 2.2.2","url":"https://cert-portal.siemens.com/productcert/html/ssa-357982.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":347,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SCALANCE M-800 and SC-600 families are affected by improper input validation in the OpenVPN authentication. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-280834 V1.1 (Last Update: 2026-05-12): Improper OpenVPN Credential Validation Vulnerability in SCALANCE M-800 and SC-600 Families","url":"https://cert-portal.siemens.com/productcert/html/ssa-280834.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":348,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Multiple vulnerabilities have been identified in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1. 
Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-265688 V2.2 (Last Update: 2026-05-12): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":349,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Multiple vulnerabilities has been identified in Siemens SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs that can allow an authenticated attacker to alter the secure boot and password configurations. Siemens has released new versions of BIOS for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.","title":"SSA-216014 V1.5 (Last Update: 2026-05-12): Vulnerabilities in EFI variable of SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs","url":"https://cert-portal.siemens.com/productcert/html/ssa-216014.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":350,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Opcenter RDnL is affected by missing authentication in critical function in \u2018ActiveMQ Artemis\u2019. 
An unauthenticated attacker within the adjacent network could use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in availability impacts or message injection into any queue via the rogue broker. Breaking the integrity of a message has a low impact due to missing auto refresh functionality and it does not contain any confidential information. ActiveMQ Artemis has released a new version and Siemens recommends to update to the latest version.","title":"SSA-085541 V1.0: Missing Authentication in Critical Function in ActiveMQ Artemis (CVE-2026-27446) in Opcenter RDnL","url":"https://cert-portal.siemens.com/productcert/html/ssa-085541.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":351,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"Multiple vulnerabilities have been identified in the additional GNU/Linux subsystem of the firmware version V3.1.5 for the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP (incl. SIPLUS variant). Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.","title":"SSA-082556 V1.5 (Last Update: 2026-05-12): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5","url":"https://cert-portal.siemens.com/productcert/html/ssa-082556.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":352,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-081142 V1.0: Arbitrary Code Execution Vulnerability in Ruggedcom Rox Before 2.17.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-081142.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":353,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Ruggedcom Rox contains an input validation vulnerability in the feature key installation process that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-078743 V1.0: Remote Code Execution Vulnerability in Ruggedcom Rox Before V2.17.1","url":"https://cert-portal.siemens.com/productcert/html/ssa-078743.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. 
Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":354,"published_date":"2026-05-12T00:00:00+00:00","severity":"medium","source_name":"Siemens ProductCERT","summary":"SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version.","title":"SSA-032379 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 Before V5.0","url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"},{"category":"OT/ICS","confidence":"HIGH","confidence_reason":"First-party OT/ICS vendor CERT. Authoritative advisories for Siemens industrial products. Fills OT/ICS category depth.","created_at":"2026-07-02 03:55:54","id":355,"published_date":"2026-05-12T00:00:00+00:00","severity":"high","source_name":"Siemens ProductCERT","summary":"Siemens Industrial Edge Devices contain an authorization bypass vulnerability that could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Siemens has released new versions for the affected products and recommends to update to the latest versions.","title":"SSA-001536 V1.1 (Last Update: 2026-05-12): Authorization Bypass Vulnerability in Siemens Industrial Edge Devices","url":"https://cert-portal.siemens.com/productcert/html/ssa-001536.html"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":403,"published_date":"2026-05-11T17:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"Device code phishing doesn't need stolen passwords or malware\u2014just a legitimate auth flow. 
Learn how EvilTokens weaponized AI to run this attack across 344 organizations.","title":"How EvilTokens Turbocharges Old School Phishing with AI","url":"https://www.huntress.com/blog/device-code-phishing-ai-mfa-bypass"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"CERT/CC vulnerability coordination center. Authoritative vuln notes, partially replaces dead CISA feeds.","created_at":"2026-07-02 03:55:48","id":131,"published_date":"2026-05-11T16:49:36+00:00","severity":"high","source_name":"CERT Vulnerability Notes","summary":"Overview dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. Description dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. 
CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. CVE-2026-4893 An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information. CVE-2026-5172 A buffer overflow vulnerability in dnsmasq\u2019s extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response. Impact These vulnerabilities collectively pose various risks: DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172) \u2014 dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services. Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893) \u2014 Attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains. Information Disclosure (CVE-2026-4891, CVE-2026-4893) \u2014 Internal memory and network information may be inadvertently exposed. Local Privilege Escalation (CVE-2026-4892) \u2014 A local attacker may execute arbitrary code as root via DHCPv6 manipulation. Solution dnsmasq has released version 2.92rel2 to fix the above vulnerabilities, and various vendors have published patches to address individual remediations. A full list of affected vendors and vendor patches can be found in the References section below. This note, as well as the CVE listings, will be updated as additional patches become available. 
Acknowledgements Thank you to the reporters for discovering these vulnerabilities: * Hugo Martinez (hugomray@gmail.com) - CVE-2026-5172, CVE-2026-2291 * Andrew Fasano (NIST) - CVE-2026-2291 * Royce M (royce@xchglabs.com) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291 * Asim Viladi Oglu Manizada - CVE-2026-4892 * Mattia Ricciardi (mindless) - CVE-2026-2291 This document was written by Christopher Cullen and Molly Jaconski. Special thanks to Simon Kelly of dnsmasq and all participating vendors for their prompt engagement and coordination efforts.","title":"VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation","url":"https://kb.cert.org/vuls/id/471747"},{"category":"Ransomware","confidence":"HIGH","confidence_reason":"Gold-standard intrusion analysis with full kill-chain TTPs. Peer-reviewed, reproducible, community-trusted.","created_at":"2026-07-02 03:56:02","id":500,"published_date":"2026-05-11T14:05:04+00:00","severity":"medium","source_name":"The DFIR Report","summary":"The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we [\u2026] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report.","title":"Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware","url":"https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research. 
Good primary work but commercial context.","created_at":"2026-07-02 03:55:49","id":190,"published_date":"2026-05-11T12:49:37+00:00","severity":"critical","source_name":"Check Point Research","summary":"For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while [\u2026] The post 11th May \u2013 Threat Intelligence Report appeared first on Check Point Research.","title":"11th May \u2013 Threat Intelligence Report","url":"https://research.checkpoint.com/2026/11th-may-threat-intelligence-report"},{"category":"Vulnerability/CVE","confidence":"HIGH","confidence_reason":"UK government CERT, authoritative advisories for UK & allied operators.","created_at":"2026-07-02 03:55:48","id":140,"published_date":"2026-05-11T12:00:00+00:00","severity":"medium","source_name":"NCSC UK","summary":"Using Artificial Intelligence to find vulnerabilities can bring added security considerations.","title":"10 questions to ask when using AI models to find vulnerabilities","url":"https://www.ncsc.gov.uk/blogs/10-questions-ask-using-ai-models-find-vulnerabilities"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. 
Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":302,"published_date":"2026-05-11T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene.","title":"Malicious Coding Agent Skills and the Risk of Dynamic Context","url":"https://securitylabs.datadoghq.com/articles/malicious-skills-supply-chain-risks-in-coding-agents-with-dynamic-context"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":282,"published_date":"2026-05-09T00:00:00+00:00","severity":"critical","source_name":"Elastic Security Labs","summary":"This research analyzes the Linux kernel privilege escalation vulnerabilities Copy Fail and DirtyFrag, which exploit subtle page cache corruption bugs to create reliable paths to root access. Additionally, Elastic Security Labs is releasing detection logic for these vulnerabilities.","title":"Copy Fail and DirtyFrag: Linux Page Cache Bugs in the Wild","url":"https://www.elastic.co/security-labs/copy-fail-dirtyfrag-linux-page-bugs-in-the-wild"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":465,"published_date":"2026-05-08T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. 
From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.","title":"Otto Support - The Confused Deputy","url":"https://bishopfox.com/blog/otto-support-confused-deputy"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":283,"published_date":"2026-05-08T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"This article shows how a customized Elastic Security ES|QL detection rule can identify web server probing and fuzzing activity in Traefik logs and automatically block the attacking IP via Cloudflare.","title":"Detecting Web Server Probing & Fuzzing in Traefik with Automated Cloudflare Response","url":"https://www.elastic.co/security-labs/detecting-web-server-probing-and-fuzzing"},{"category":"Cloud Security","confidence":"MEDIUM","confidence_reason":"Primary cloud-security research (AWS/Azure/GCP IAM, container, CI/CD). Fills the Cloud Security depth the keyword set already anticipates. Vendor context; filter_uncategorized drops product marketing.","created_at":"2026-07-02 03:55:52","id":303,"published_date":"2026-05-08T00:00:00+00:00","severity":"medium","source_name":"Datadog Security Labs","summary":"A look at how to secure Kubernetes secrets","title":"Kubernetes security fundamentals: Secrets","url":"https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamentals-part-8"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Real-world incident breakdowns from the defender side. 
Strong on ransomware and SMB-targeting threats.","created_at":"2026-07-02 03:55:55","id":404,"published_date":"2026-05-07T23:00:00+00:00","severity":"medium","source_name":"Huntress","summary":"We dug into a recent malspam campaign that involved an installer for a commercially sold remote monitoring and management (RMM) tool called Tiflux.","title":"Threat Actors Weaponize Tiflux RMMs in Malspam Attacks","url":"https://www.huntress.com/blog/tiflux-rmm-install"},{"category":"SaaS Breach","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":466,"published_date":"2026-05-07T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.","title":"Otto Support - SSRF and Token Passthrough with MCP","url":"https://bishopfox.com/blog/otto-support-ssrf-token-passthrough-with-mcp"},{"category":"Mobile Security","confidence":"MEDIUM","confidence_reason":"Vendor threat intelligence research, consistent technical malware reports. 
filter_uncategorized drops consumer lifestyle and parenting content.","created_at":"2026-07-02 03:55:49","id":212,"published_date":"2026-05-07T08:51:19+00:00","severity":"medium","source_name":"ESET WeLiveSecurity","summary":"ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history \u201cfor any number\u201d and had been downloaded more than seven million times before being taken down","title":"Fake call logs, real payments: How CallPhantom tricks Android users","url":"https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users"},{"category":"Industry/Policy","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":244,"published_date":"2026-05-07T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Learn how the \"Harvest Now, Decrypt Later\" (HNDL) risk exposes long-lived sensitive data today, regardless of when Cryptographically Relevant Quantum Computers (CRQCs) arrive.","title":"Quantum Risk Explained","url":"https://www.recordedfuture.com/research/quantum-risk-explained"},{"category":"Malware/Infostealer","confidence":"MEDIUM","confidence_reason":"Deep malware analysis with detection rules (YARA, Sigma). 
Vendor context but strong primary research.","created_at":"2026-07-02 03:55:52","id":284,"published_date":"2026-05-07T00:00:00+00:00","severity":"medium","source_name":"Elastic Security Labs","summary":"REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.","title":"TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook","url":"https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan"},{"category":"AI Security","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":467,"published_date":"2026-05-06T13:00:00+00:00","severity":"medium","source_name":"Bishop Fox","summary":"AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.","title":"Otto Support - Excessive Agency and Tool Privileges","url":"https://bishopfox.com/blog/otto-support-excessive-agency-and-tool-privileges"},{"category":"Vulnerability/CVE","confidence":"MEDIUM","confidence_reason":"Established offensive security research firm. Pentest tooling, vulnerability research, red team techniques.","created_at":"2026-07-02 03:56:00","id":468,"published_date":"2026-05-06T13:00:00+00:00","severity":"high","source_name":"Bishop Fox","summary":"Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. 
In-the-wild exploitation was observed within 36 hours of the advisory going public.","title":"CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy","url":"https://bishopfox.com/blog/cve-2026-42208-pre-authentication-sql-injection-in-litellm-proxy"},{"category":"Ransomware","confidence":"MEDIUM","confidence_reason":"Threat intelligence firm research. Caveat: commercial framing; quality of output is high.","created_at":"2026-07-02 03:55:50","id":245,"published_date":"2026-05-06T00:00:00+00:00","severity":"medium","source_name":"Recorded Future","summary":"Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center.","title":"Threat Activity Enablers: The Backbone of Today\u2019s Threat Landscape","url":"https://www.recordedfuture.com/blog/threat-activity-enablers"}]
