Lmst
Login

#zeroDay

AllAboutSecurityallaboutsecurity
2026-01-23

Bekannte Sicherheitslรผcken als grรถรŸtes Cyber-Risiko: Warum N-Day-Schwachstellen Unternehmen gefรคhrden

all-about-security.de/bekannte

SOC Goulashsoc_goulash@infosec.exchange
2026-01-22

It's been a busy 24 hours in the cyber world with critical zero-days, active exploitation of known flaws, nation-state activity, and important updates on regulatory enforcement and government cyber agencies. Let's dive in:

Energy Sector Phishing & Ransomware Leader Guilty ๐Ÿšจ

- Microsoft has detailed a multi-stage phishing and Business Email Compromise (BEC) campaign targeting energy sector organisations. Attackers used compromised Microsoft accounts, SharePoint URLs, and credential harvesting to take over inboxes and send hundreds of phishing emails to internal and external contacts.
- Attackers set inbox rules to delete incoming emails and out-of-office replies, and even responded to queries about the legitimacy of the phish, demonstrating sophisticated social engineering.
- In other news, Russian national Ianis Antropenko pleaded guilty to leading a ransomware conspiracy (Zeppelin, GlobeImposter) that targeted at least 50 victims over four years, causing $1.5 million in losses. Authorities seized over $3.4 million in cryptocurrency and cash from him.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿคซ CyberScoop | cyberscoop.com/ianis-antropenk

DPRK Abuses VS Code Tunnels, Malicious PyPI Package Spreads Miner ๐ŸŒ‘

- North Korean actors are deploying spear-phishing campaigns that abuse Microsoft VS Code's built-in tunneling feature to gain full remote control of targeted systems. This technique allows attackers to bypass traditional C2 infrastructure and custom malware, blending in with legitimate developer activity.
- The attacks, primarily targeting South Korean entities, use JSE files disguised as HWPX documents to install VS Code and establish a tunnel, giving attackers interactive access to the VS Code terminal and file browser via trusted Microsoft infrastructure.
- Separately, a malicious PyPI package named `sympy-dev` has been found impersonating the legitimate `SymPy` library to deploy an XMRig cryptocurrency miner on Linux hosts. The malware is designed to trigger only when specific polynomial routines are called and uses memory-backed file descriptors to reduce on-disk artifacts.

๐ŸŒ‘ Dark Reading | darkreading.com/endpoint-secur
๐Ÿšจ The Hacker News | thehackernews.com/2026/01/mali

Cisco Zero-Day Under Active Exploitation โš ๏ธ

- Cisco has released emergency patches for a critical zero-day vulnerability, CVE-2026-20045 (CVSS 8.2), affecting multiple Unified Communications products and Webex Calling Dedicated Instance.
- The flaw allows unauthenticated remote attackers to execute arbitrary commands on the underlying operating system and escalate privileges to root via crafted HTTP requests to the web-based management interface.
- CISA has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies apply fixes by February 11, 2026. No workarounds are available, so immediate patching is crucial.

๐Ÿšจ The Hacker News | thehackernews.com/2026/01/cisc
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

FortiGate SSO Bypass Exploited, SmarterMail Auth Bypass Also Hit ๐Ÿ›ก๏ธ

- Arctic Wolf has warned of automated malicious activity targeting Fortinet FortiGate devices, involving unauthorised firewall configuration changes via compromised SSO accounts. Attackers are creating persistence accounts, modifying VPN/firewall rules, and exfiltrating configuration files.
- This activity aligns with exploitation of CVE-2025-59718 and CVE-2025-59719, SSO authentication bypasses patched in December 2025. However, some administrators report exploitation on fully patched FortiOS 7.4.10, suggesting a patch bypass, with Fortinet reportedly preparing further fixes.
- In other news, a critical authentication bypass (WT-2026-0001) in SmarterTools SmarterMail email software was actively exploited just two days after a patch release. The flaw allows unauthenticated users to reset the system administrator password and then achieve Remote Code Execution (RCE) via a built-in volume mount command feature.

๐Ÿšจ The Hacker News | thehackernews.com/2026/01/auto
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿšจ The Hacker News | thehackernews.com/2026/01/smar

Ancient Telnet Bug Hands Out Root Access ๐Ÿ‘ด

- A critical, 11-year-old vulnerability (CVE-2026-24061, CVSS 9.8) in the GNU InetUtils telnet daemon (`telnetd`) has been disclosed and is being actively exploited.
- The bug allows attackers to trivially gain root access by sending a crafted `USER` environment variable (`-f root`) during connection, bypassing normal authentication.
- Experts strongly recommend decommissioning `telnetd` entirely due to its unencrypted nature, or at minimum, patching immediately and restricting network access to the telnet port to trusted clients only.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

AI Agents Pose New Insider Threat, Financial Sector Still Lags on Basics, New CVE System Launched ๐Ÿง 

- A Davos panel highlighted AI agents as a potential "ultimate insider threat," posing new security challenges as they can access sensitive data and perform harmful tasks. Recommendations include implementing zero trust, least-privilege access, and "guard agents" to monitor AI behaviour.
- The UK's 2025 CBEST report revealed that financial organisations continue to miss basic cybersecurity safeguards, with common weaknesses including poor access controls, misconfigured/unpatched systems, and ineffective detection. Social engineering remains a significant threat due to poor staff culture and awareness.
- The Computer Incident Response Center Luxembourg (CIRCL) has launched the Global CVE Allocation System (GCVE), a decentralised alternative to MITRE's CVE program. GCVE allows independent numbering authorities to assign vulnerability identifiers, aiming to address concerns about CVE's governance and sustainability.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿคซ CyberScoop | cyberscoop.com/gcve-vulnerabil

Cellebrite Misused by Jordan, Spain Closes Pegasus Probe โš–๏ธ

- Citizen Lab reported that Jordanian authorities used Cellebrite digital forensic software to extract data from phones of at least seven activists critical of the Gaza war, often during interrogations or detentions. This highlights the ongoing misuse of surveillance technology against civil society.
- Separately, a Spanish judge closed a probe into the use of Pegasus spyware against top government officials due to a lack of cooperation from Israel, which regulates NSO Group's exports. The court found evidence of crimes that "jeopardised the security of the Spanish State."

๐Ÿ—ž๏ธ The Record | therecord.media/jordan-used-ce
๐Ÿ—ž๏ธ The Record | therecord.media/spanish-judge-

GDPR Fines Surge as Breach Notifications Hit Record High ๐Ÿ“ˆ

- DLA Piper's latest survey shows GDPR fines surpassed โ‚ฌ1.2 billion in 2025, bringing the total since May 2018 to โ‚ฌ7.1 billion. Daily data breach notifications surged 22% to an average of 443, the first time exceeding 400.
- Ireland remains the top enforcer, with a โ‚ฌ530 million fine against TikTok being the largest in 2025. The report attributes the rise in breaches to geopolitics, cyber incidents, and new reporting regimes like NIS2 and DORA.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

CISA and NIST Face Staffing Challenges ๐Ÿ“‰

- CISA's acting head, Madhu Gottumukkala, faced intense questioning from lawmakers over significant personnel reductions (nearly 1,000 staff lost since 2017) and reported attempts to fire the agency's CIO. Democrats expressed concern about weakened defences and reassignments, while Republicans suggested CISA was "doing more with less."
- NIST is also grappling with staff cuts (over 700 positions lost since 2025) and a shrinking budget, impacting its critical work on cybersecurity, AI, and post-quantum encryption. The Information Technology Laboratory (ITL) lost 89 employees, forcing a narrower focus and hindering efforts to reduce backlogs in its human-intensive cryptographic validation program.

๐Ÿคซ CyberScoop | cyberscoop.com/cisa-madhu-gott
๐Ÿคซ CyberScoop | cyberscoop.com/encryption-nist

#CyberSecurity #ThreatIntelligence #Vulnerability #ZeroDay #RCE #APT #Ransomware #Malware #DataPrivacy #GDPR #InfoSec #CISA #NIST #AI #SocialEngineering #FortiGate #Cisco #Telnet #CyberAttack

Frankie โœ…Some_Emo_Chick
2026-01-22

Tesla hacked, 37 zero-days demoed at 2026

bleepingcomputer.com/news/secu

TechNadutechnadu@infosec.exchange
2026-01-22

Tesla was among the systems successfully exploited at Pwn2Own Automotive 2026, where researchers demonstrated chained zero-day vulnerabilities against IVI systems and EV charging hardware.

All findings fall under coordinated disclosure, reinforcing the importance of independent testing, patch timelines, and supply-chain visibility as vehicles evolve into software-defined platforms.

Source: bleepingcomputer.com/news/secu

Measured discussion welcome. Follow TechNadu for neutral automotive security coverage.

#Tesla #AutomotiveInfosec #ZeroDay #Pwn2Own #EVSecurity #ResponsibleDisclosure

Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026
SOC Goulashsoc_goulash@infosec.exchange
2026-01-22

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got some major breaches, a new AI-assisted Linux malware framework, critical vulnerabilities in popular software and automotive systems, and some serious discussions around ransomware negotiation ethics and government surveillance. Let's dive in:

Under Armour Data Breach โš ๏ธ

- Have I Been Pwned (HIBP) has ingested data from an alleged Everest ransomware attack in November, affecting 72.7 million Under Armour accounts.
- The leaked data includes names, email addresses, dates of birth, genders, geographic locations, and purchase details.
- Under Armour has yet to publicly acknowledge the breach, despite Everest's claims and a class-action lawsuit filed on behalf of customers.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

PcComponentes Credential Stuffing Attack ๐Ÿ”’

- Spanish tech retailer PcComponentes denies claims of a 16.3 million customer data breach but confirms a credential stuffing attack.
- Their investigation found no unauthorised access to internal systems, but info-stealer logs from other breaches were used to compromise a "small number" of accounts.
- As a response, PcComponentes has enforced mandatory two-factor authentication (2FA) for all accounts, invalidated active sessions, and added CAPTCHA to login pages.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

LastPass Phishing Campaign ๐ŸŽฃ

- LastPass is warning users about an active phishing campaign impersonating the password manager, urging them to "create a local backup" of their vaults due to "upcoming maintenance."
- These emails, sent from suspicious addresses with urgent subject lines, redirect users to phishing sites designed to steal their master passwords.
- LastPass stresses they will never ask for a master password and advises users to report suspicious emails to abuse@lastpass.com, noting that the campaign was timed over a US holiday weekend to reduce detection.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/last
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ‘๏ธ Dark Reading | darkreading.com/application-se

CrashFix Malware Leverages Browser Crashes for Corporate Infiltration ๐Ÿ’ฅ

- A new "CrashFix" variant of the ClickFix scam, attributed to the KongTuke threat actor, intentionally crashes victims' browsers via a malicious extension (NexShield).
- It then presents a fake security message prompting users to run a "fix," which executes a PowerShell script to contact a C2 server.
- Domain-joined corporate systems receive ModeloRAT, a Python-based remote access Trojan with extensive reconnaissance capabilities, while home users appear to be part of a testing phase.

๐Ÿ‘๏ธ Dark Reading | darkreading.com/cyberattacks-d

VoidLink Linux Malware & AI's Impact on Cybercrime ๐Ÿค–

- The sophisticated Linux malware framework, VoidLink, is believed to have been predominantly developed by a single actor with significant AI assistance, reaching 88,000 lines of code in under a week.
- Check Point Research identified operational security blunders, including TRAE-generated helper files and LLM-generated internal planning documents, suggesting a "Spec Driven Development" approach using AI agents.
- This highlights how AI is industrialising cybercrime, lowering the barrier to entry for complex attacks and enabling threat actors to rapidly envision, create, and iterate sophisticated systems, as also noted by Group-IB.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/void

Black Basta Ringleader Identified ๐Ÿšจ

- Oleg Evgenievich Nefedov, 35, has been publicly identified by German police as the alleged leader of the Black Basta ransomware group and added to Europol and Interpol's most-wanted lists.
- This identification follows raids in Ukraine on the homes of two other Russian nationals accused of participating in Black Basta's crimes, seizing data and cryptocurrency.
- Nefedov is accused of extorting over 100 companies in Germany and 600 globally, with authorities suggesting prior involvement with the Conti ransomware group.

๐Ÿคซ CyberScoop | cyberscoop.com/black-basta-lea

SMS Blaster Scams: Fake Cell Towers in Cars ๐Ÿš—

- Greek police arrested suspects using a fake cell tower hidden in a car trunk to send mass phishing messages across Athens.
- The device, an "SMS blaster," mimicked legitimate telecom infrastructure, forcing nearby phones to downgrade to less secure 2G networks to harvest data.
- Attackers then sent phishing links, posing as banks or couriers, to steal payment card details, a tactic previously seen in Thailand, Indonesia, Qatar, and the UK, often using similar Chinese-manufactured equipment.

๐Ÿ—ž๏ธ The Record | therecord.media/greek-police-a

Fortinet FortiGate Patch Bypass Under Active Exploitation ๐Ÿ›ก๏ธ

- Fortinet customers are reporting that patched FortiGate firewalls (FortiOS 7.4.9 and 7.4.10) are still vulnerable to a patch bypass for CVE-2025-59718, a critical SSO authentication flaw.
- Attackers are exploiting this by creating local admin accounts via malicious SSO logins, similar to previous attacks seen in December 2025.
- Fortinet is reportedly preparing new FortiOS versions (7.4.11, 7.6.6, 8.0.0) to fully address the issue; until then, admins are advised to disable the FortiCloud login feature if enabled.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

ACF Extended WordPress Plugin RCE ๐ŸŒ

- A critical vulnerability (CVE-2025-14533) in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin allows unauthenticated attackers to gain administrative privileges.
- The flaw, affecting versions 0.9.2.1 and earlier, stems from a lack of role restriction enforcement during form-based user creation/updates, even when role limitations are configured.
- Roughly 50,000 sites remain exposed, and while no active exploitation of this specific flaw has been observed, large-scale WordPress plugin reconnaissance activity is ongoing, targeting other known vulnerabilities.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

GitLab Patches 2FA Bypass and DoS Flaws ๐Ÿ’ป

- GitLab has released patches for high-severity vulnerabilities, including a two-factor authentication (2FA) bypass (CVE-2026-0723) and multiple denial-of-service (DoS) flaws.
- The 2FA bypass allows attackers with knowledge of a victim's credential ID to circumvent multi-factor authentication by submitting forged device responses.
- Admins are strongly advised to upgrade self-managed GitLab installations to versions 18.8.2, 18.7.2, or 18.6.4 immediately to address these issues.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

Chainlit AI Framework Flaws Enable Data Theft and SSRF ๐Ÿค–

- High-severity "ChainLeak" vulnerabilities (CVE-2026-22218, CVE-2026-22219) were found in the open-source Chainlit AI framework, allowing arbitrary file reads and Server-Side Request Forgery (SSRF).
- These flaws can be combined to steal sensitive data, leak cloud environment API keys, and enable lateral movement within an organisation.
- Patches were released in Chainlit version 2.9.4, highlighting how traditional software vulnerabilities are now being embedded into AI infrastructure, creating new attack surfaces.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/chai

Microsoft MarkItDown MCP Server Vulnerability โ˜๏ธ

- A vulnerability dubbed "MCP fURI" in Microsoft's MarkItDown Model Context Protocol (MCP) server allows arbitrary calling of URI resources, leading to privilege escalation, SSRF, and data leakage.
- This flaw affects the server when running in AWS EC2 instances using IDMSv1, potentially allowing attackers to obtain instance credentials and access AWS accounts.
- BlueRock's analysis found over 36.7% of 7,000 MCP servers are likely exposed; mitigation includes using IMDSv2, private IP blocking, and restricting metadata service access.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/chai

`binary-parser` npm Library Bug Allows Node.js RCE โš™๏ธ

- A security vulnerability (CVE-2026-1245) in the popular `binary-parser` npm library allows for arbitrary JavaScript execution with Node.js process privileges.
- The flaw stems from a lack of sanitisation of user-supplied values when JavaScript parser code is dynamically generated at runtime using the "Function" constructor.
- Users of `binary-parser` are advised to upgrade to version 2.3.0 and avoid passing untrusted input into parser field names or encoding parameters.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/cert

Cloudflare WAF Bypass Bug Fixed ๐Ÿ›ก๏ธ

- Cloudflare has patched a logic flaw in its ACME (Automatic Certificate Management Environment) validation that allowed attackers to bypass its Web Application Firewall (WAF) and directly access origin servers.
- The "side door" was caused by the WAF disabling features for ACME challenge tokens without verifying the token matched an active challenge for the hostname.
- While no evidence of in-the-wild exploitation was found, researchers warn that such WAF bypasses could become more dangerous with AI-driven attacks.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

EU Proposes Phasing Out "High-Risk" Telecom Suppliers ๐Ÿ‡ช๐Ÿ‡บ

- The European Commission (EC) is proposing a revised Cybersecurity Act that could force member states to phase out IT and telecoms kit from "high-risk suppliers" (implicitly Huawei and ZTE) within three years.
- This move aims to bolster cybersecurity across the bloc by addressing supply chain security challenges in critical infrastructure and simplifying certification frameworks.
- China has accused the EU of protectionism, with Huawei stating the proposal violates basic legal principles and WTO obligations by targeting suppliers based on country of origin rather than factual evidence.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/eu-unveils-new

Curl Shuts Down Bug Bounty Program Due to AI "Slop" ๐Ÿšซ

- Daniel Stenberg, the maintainer of the popular open-source `cURL` tool, has ended the project's bug bounty program, citing a struggle to assess a flood of AI-generated contributions.
- Stenberg hopes this move will "remove the incentive for people to submit crap and non-well researched reports," which have placed a high load on the `cURL` security team.
- While acknowledging AI can aid bug hunting, he maintains that developers should only report bugs they fully understand and can reproduce, reserving the right to publicly criticise those who waste the team's time.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #Vulnerabilities #ZeroDay #AI #Malware #IncidentResponse #DataBreach #InfoSec #WordPress #Fortinet #GitLab #CloudSecurity #AutomotiveSecurity #Regulation #Privacy #OpenSource

Mike Williamsonsleepycat@infosec.exchange
2026-01-21

"Security researcher Sean Heelan recently tested two sophisticated systems built on GPT-5.2 and Opus 4.5, challenging them to develop exploits for a #zeroday flaw in the #QuickJS Javascript interpreter.

The results point to a significant shift in offensive cybersecurity capabilities, where automated systems can generate functional attack code without human intervention."

#llms

cybersecuritynews.com/new-stud

Hacker Newsh4ckernews
2026-01-21

Cloudflare zero-day: Accessing any host globally

fearsoff.org/research/cloudfla

TattooedHorrorGrannytattooedgranny.bsky.social@bsky.brid.gy
2026-01-20

51) Zero Day (2002) #NowWatching on YouTube #2026FirstTimeWatch 44 #FilmSky #ZeroDay

Poster for the 2002 film with the title in black and red at the bottom below a picture of the two leads in read and black window panes and other pictures
SOC Goulashsoc_goulash@infosec.exchange
2026-01-16

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new malware evasion techniques, and a reminder about the ever-evolving privacy landscape. Let's take a look:

Anchorage Police & Canadian Investment Regulator Breaches ๐Ÿšจ

- The Anchorage Police Department took servers offline and disabled third-party access after a cyberattack on their data migration provider, Whitebox Technologies. While no evidence of APD system compromise or data acquisition exists, the incident highlights third-party risk.
- Canada's Investment Regulatory Organization (CIRO) confirmed a sophisticated phishing attack last August impacted approximately 750,000 investors. Compromised data includes dates of birth, SINs, government IDs, and investment account numbers, though no evidence of misuse has been found.
- These incidents underscore the critical importance of supply chain security and robust incident response, especially for organisations handling sensitive public or financial data.

๐Ÿ—ž๏ธ The Record | therecord.media/anchorage-poli
๐Ÿ—ž๏ธ The Record | therecord.media/canada-ciro-in

China-Linked APTs Target Critical Infrastructure & US Policy ๐Ÿ‡จ๐Ÿ‡ณ

- Cisco Talos identified "UAT-8837," a China-backed APT, targeting North American critical infrastructure using compromised credentials and exploiting vulnerabilities like CVE-2025-53690 in SiteCore products, suggesting access to zero-day exploits.
- Another China-linked group, Mustang Panda (aka UNC6384, Twill Typhoon), used Venezuela-themed spear phishing lures to target US government agencies and policy organisations, deploying a new DLL-based backdoor called Lotuslite for espionage.
- Meanwhile, the GootLoader malware has evolved its evasion tactics, using malformed ZIP archives with 500-1,000 concatenated archives and truncated EOCD records to bypass security tools, while remaining readable by Windows' default unarchiver.

๐Ÿ—ž๏ธ The Record | therecord.media/china-hackers-
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/lotu
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/goot

Black Basta Ring Leader Hunted ๐Ÿ’ฐ

- German and Ukrainian authorities have identified two Ukrainians as "hash crackers" for the Russia-linked Black Basta ransomware group and placed the alleged ringleader, Oleg Evgenievich Nefekov (aka 'tramp', 'Washingt0n'), on an international most-wanted list.
- Nefekov, 35, is accused of founding and leading Black Basta, responsible for extorting over $100 million from approximately 700 organisations worldwide since 2022.
- This coordinated law enforcement action highlights ongoing efforts to dismantle ransomware operations and hold key individuals accountable, with seized digital assets and cryptocurrency indicating active investigations.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/police-raid-ho

Critical Vulnerabilities Under Active Exploitation โš ๏ธ

- Cisco has finally patched CVE-2025-20393, a maximum-severity RCE zero-day in AsyncOS for Secure Email Gateway and Secure Email and Web Manager, which was actively exploited by China-linked APT UAT-9686 since late November 2025.
- A critical RCE flaw (CVE-2025-37164) in HPE OneView, a data centre management platform, is now being exploited at scale by the RondoDox botnet, with over 40,000 automated attack attempts observed globally, primarily targeting government, financial, and industrial sectors.
- AMD CPUs are vulnerable to "StackWarp" (CVE-2025-29943), a low-severity flaw in SEV-SNP secure virtualisation, allowing malicious hypervisors to access VM secrets, recover private keys, and escalate privileges by manipulating the stack pointer when SMT is enabled. Patches are available.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/cisc
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

More Vulnerabilities and IoT Risks ๐Ÿ”’

- CISA's own "Software Acquisition Guide: Supplier Response Web Tool" was found to have a simple cross-site scripting (XSS) vulnerability, highlighting that even tools promoting secure development can have basic flaws.
- A bankrupt Estonian e-scooter startup, ร„ike, left all its devices vulnerable by shipping them with a single, default private key, allowing any scooter within Bluetooth range to be unlocked by reverse-engineering the Android app.
- These incidents serve as a stark reminder that fundamental security practices, from input validation to proper key management, remain crucial across all software and IoT deployments.

๐Ÿคซ CyberScoop | cyberscoop.com/cisa-secure-sof
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

AI for Defence & Initial Access Brokers ๐Ÿ›ก๏ธ

- The Pacific Northwest National Laboratory (PNNL) has developed ALOHA, an AI-based system using Agentic LLMs to significantly reduce attack reconstruction time from weeks to hours, aiding purple teams in quickly testing defences against new threats.
- A Jordanian initial access broker (IAB) operating as "r1z" pleaded guilty to selling access to 50 company networks and powerful EDR-killing malware for $15,000, demonstrating the sophistication and value of IABs in the cybercrime ecosystem.
- These developments highlight both the accelerating pace of cyber defence through AI and the persistent, foundational role of IABs in enabling broader cyberattacks, including ransomware.

๐ŸŒ‘ Dark Reading | darkreading.com/cybersecurity-
๐Ÿ—ž๏ธ The Record | therecord.media/jordanian-init

Carlsberg Experience Exposes Visitor Data ๐Ÿป

- The Carlsberg exhibition in Copenhagen had a vulnerability where visitor names, images, and videos, accessed via wristband IDs, could be easily brute-forced due to predictable ID formats and a lack of effective rate limiting.
- Pen Test Partners researcher Ken Munro discovered the flaw, which exposed personal data of thousands of visitors monthly, raising GDPR concerns.
- The incident also highlighted challenges in responsible disclosure, with Carlsberg's slow response and ineffective patching attempts.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

CISOs Ascend to Executive Suite ๐Ÿ“ˆ

- A new report indicates that CISO titles are increasingly becoming executive-level positions, surpassing VP or director roles, especially in large publicly traded companies.
- This shift is driven by the growing digital dependency of businesses, the rising tide of cyberattacks, and increasing regulatory pressures, such as those from the SEC and updated Gramm-Leach-Bliley Act, which mandate accountability for cybersecurity.
- While the executive title offers a seat at the strategic table and can help with security prioritisation, concerns about CISO burnout persist, particularly in smaller organisations with fewer resources and broader responsibilities.

๐ŸŒ‘ Dark Reading | darkreading.com/cybersecurity-

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Malware #Vulnerability #ZeroDay #RCE #ActiveExploitation #SupplyChainSecurity #DataPrivacy #CISO #AI #IncidentResponse #InfoSec

OTX Bottechbot@social.raytec.co
2026-01-16

Targets critical infrastructure sectors in North America

UAT-8837, assessed as a China-nexus advanced persistent threat actor, has been targeting critical infrastructure sectors in North America since 2025. The group exploits vulnerabilities, including zero-days, to gain initial access and deploys open-source tools for reconnaissance, credential harvesting, and lateral movement. Their toolkit includes GoTokenTheft, Earthworm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy. UAT-8837 conducts extensive domain and Active Directory reconnaissance, creates backdoor accounts, and exfiltrates sensitive data. The actor's focus on obtaining initial access to high-value organizations and their use of sophisticated tools and techniques indicate a significant threat to critical infrastructure sectors.

Pulse ID: 696a3dc15e8d8c495dbd889b
Pulse Link: otx.alienvault.com/pulse/696a3
Pulse Author: AlienVault
Created: 2026-01-16 13:31:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #China #CredentialHarvesting #CyberSecurity #InfoSec #NorthAmerica #OTX #OpenThreatExchange #RAT #RCE #Worm #ZeroDay #bot #AlienVault

(in)sicurezza digitaleblog@insicurezzadigitale.com
2026-01-16

Origin-mo: il trucco pigro che ha aperto 40.000 siti WordPress agli hacker

I ricercatori hanno scoperto una vulnerabilitร  critica nel plugin Modular DS per WordPress che ha permesso a hacker di compromettere oltre 40.000 siti con un metodo sorprendentemente semplice. La vulnerabilitร  CVE-2026-23550 Il plugin Modular DS, installato su decine di migliaia di siti WordPress, presentava una falla di privilege escalation classificata con un punteggio CVSS di 10.0, il massimo livello di severitร . Questa debolezza, identificata come CVE-2026-23550 e catalogata nel [โ€ฆ]

insicurezzadigitale.com/origin

SOC Goulashsoc_goulash@infosec.exchange
2026-01-15

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, major cybercrime infrastructure takedowns, a raft of critical vulnerabilities, and ongoing discussions around AI's impact on security and privacy. Let's dive in:

Recent Cyber Attacks and Breaches โš ๏ธ

- South Korean conglomerate Kyowon Group has confirmed a ransomware attack that disrupted operations and led to the exfiltration of customer data, potentially impacting over 9.6 million accounts.
- In the UK, West Midlands Police are investigating a data breach at a GP surgery in Walsall, with a staff member accused of theft and released on bail.
- These incidents highlight the persistent threat of ransomware and insider threats, even for organisations with significant customer bases or sensitive data.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Cybercrime-as-a-Service Disrupted: RedVDS Takedown ๐Ÿšจ

- Microsoft, in a coordinated international effort with Europol and German authorities, has disrupted RedVDS, a massive cybercrime-as-a-service platform.
- RedVDS offered disposable virtual Windows cloud servers for as little as $24 a month, enabling criminals to conduct mass phishing, BEC schemes, and account takeovers, leading to an estimated $40 million in US fraud losses since March 2025.
- The operation involved civil lawsuits in the US and UK, seizing malicious infrastructure and taking RedVDS's marketplace offline, revealing that its customers often leveraged AI tools like ChatGPT to craft more convincing phishing lures and impersonations.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/micr
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

AI Prompt Injection Risks in Anthropic's Cowork ๐Ÿง 

- PromptArmor researchers have demonstrated that Anthropic's new Cowork productivity AI is vulnerable to a Files API exfiltration attack chain, a prompt injection risk previously reported and acknowledged but not fully fixed by Anthropic for Claude Code.
- The attack allows Cowork to be tricked into transmitting sensitive files from connected local folders to an attacker's Anthropic account without additional user approval.
- Anthropic acknowledges prompt injection as an industry-wide issue and advises users to avoid connecting Cowork to sensitive documents, limit its Chrome extension to trusted sites, and monitor for suspicious actions, placing the onus on users to manage this complex risk.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Critical Vulnerabilities and Active Exploitation ๐Ÿ›ก๏ธ

- **Modular DS WordPress Plugin:** A maximum severity flaw (CVE-2026-23550) in Modular DS (versions 2.5.1 and older), used by over 40,000 WordPress sites, is being actively exploited to bypass authentication and gain admin-level privileges. Users should update to version 2.5.2 immediately.
- **AWS CodeBuild Misconfiguration:** A critical misconfiguration (dubbed CodeBreach) in AWS CodeBuild's webhook filters allowed researchers to take over AWS's own GitHub repositories, including the JavaScript SDK, by bypassing ACTOR_ID filters due to unanchored regex patterns. AWS has since fixed the issue, confirming no customer impact.
- **Google Fast Pair Protocol:** A critical vulnerability (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol affects hundreds of millions of Bluetooth audio devices, allowing unauthenticated attackers to forcibly pair, track users via Google's Find Hub, and eavesdrop on conversations. Firmware updates from manufacturers are the only defence.
- **Palo Alto Networks PAN-OS DoS:** Palo Alto Networks patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS 10.1+ and Prisma Access when GlobalProtect is enabled, allowing unauthenticated attackers to disable firewall protections. While not actively exploited yet, immediate patching is advised given past active exploitation of similar flaws.
- **Delta Industrial PLCs:** Researchers found three critical (CVSS 9.1-9.8) and one high-severity vulnerability in Delta Electronics DVP-12SE11T PLCs, popular in Asian industrial sites, which could allow authentication bypass, password information leakage, or device freezing. Patching is crucial, though challenging in OT environments.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/aws-
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ’ก Dark Reading | darkreading.com/ics-ot-securit

Threat Landscape Commentary ๐Ÿ“Š

- **Oceania's Shifting Targets:** New data from Cyble indicates a shift in attacker focus in Australia and New Zealand from critical infrastructure to non-critical sectors like retail, professional services, and construction, driven by the efficiency of targeting less secure, data-rich environments. Initial access brokers and major ransomware groups like INC, Qilin, Lynx, Akira, and Dragonforce are capitalising on these softer targets.
- **AI Normalises Foreign Influence:** A report from the Foundation for Defense of Democracies highlights how AI, particularly LLMs, inadvertently normalises foreign propaganda by prioritising readily available state-aligned media in citations, as credible independent news sources are often behind paywalls or block AI scraping. This creates a structural issue where users seeking unbiased information are directed towards state-controlled narratives.
- **Vulnerability Reporting Surge:** 2025 saw a record 48,177 CVEs assigned, marking the ninth consecutive year of increase. This surge is attributed more to a healthier, expanding vulnerability reporting ecosystem (especially from WordPress security firms and the Linux Kernel CNA) and the use of LLMs by novice researchers, rather than a direct increase in cyber risk. However, data quality issues in the NVD persist, complicating patching efforts.

๐Ÿ’ก Dark Reading | darkreading.com/cybersecurity-
๐Ÿคซ CyberScoop | cyberscoop.com/the-quiet-way-a
๐Ÿ’ก Dark Reading | darkreading.com/cybersecurity-

Data Privacy and Regulatory Action ๐Ÿ”’

- **GM Banned from Selling Driver Data:** The US Federal Trade Commission (FTC) has finalised an order banning General Motors (GM) and its subsidiary OnStar from selling drivers' precise location and driving behaviour data to consumer reporting agencies for five years. This follows allegations that GM collected data without consent via its "Smart Driver" feature, leading to higher insurance rates.
- **Google Settles Children's Privacy Lawsuit:** Google has agreed to pay $8.25 million to settle a class-action lawsuit alleging it illegally collected data from children under 13 via Android Play Store apps using its AdMob SDK, despite developers pledging COPPA compliance. This follows a separate $30 million settlement regarding YouTube's collection of children's data.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/google-youtube

Regulatory Scrutiny on X and AI Content โš–๏ธ

- Ofcom, the UK communications regulator, is continuing its formal investigation into X (formerly Twitter) despite the platform's announcement that it has implemented measures to block its AI chatbot, Grok, from generating non-consensual sexualised images of people.
- X's changes include technological blocks on "nudifying" images and geoblocking the creation of images of real people in revealing clothing in jurisdictions where it's illegal, applying to all users, including paid subscribers, after initial attempts to limit it to paid users drew strong criticism.
- California's Attorney General has also opened an investigation into X over the issue, highlighting growing international pressure on AI platforms to address the creation and dissemination of non-consensual intimate images.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/musk-x-grok-bl

Government Cyber Strategy and Leadership ๐Ÿ›๏ธ

- **Germany-Israel Cyber Cooperation:** Germany and Israel have signed a cyber and security cooperation agreement to counter cyber threats and bolster critical infrastructure protection. Germany aims to build its own "cyber dome" based on Israel's semi-automated real-time cyber defence system, exchanging expertise and jointly developing new tools.
- **NSA/Cyber Command Nominee:** Army Lt. Gen. Joshua Rudd, the Trump administration's nominee to lead both US Cyber Command and the National Security Agency, defended his record during a Senate hearing, addressing concerns about his lack of direct digital warfare and intelligence experience by emphasising his leadership background and reliance on the organisations' talent.

๐Ÿ—ž๏ธ The Record | therecord.media/germany-cyber-
๐Ÿ—ž๏ธ The Record | therecord.media/nsa-cyber-comm

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerabilities #ZeroDay #SupplyChainAttack #AI #PromptInjection #DataPrivacy #RegulatoryCompliance #Cybercrime #InfoSec #IncidentResponse #OTSecurity #ICS

SOC Goulashsoc_goulash@infosec.exchange
2026-01-14

It's been a busy 24 hours in the cyber world with a flurry of significant data breaches, critical vulnerabilities (including an actively exploited zero-day), and some fascinating new threat intelligence on malware and attack techniques. Let's dive in:

Recent Cyber Attacks and Breaches ๐Ÿšจ

- Multiple organisations have reported data breaches, affecting millions of individuals. Monroe University disclosed a 2024 breach impacting over 320,000 people, exposing personal, financial, and health data. Spanish energy giant Endesa is investigating claims of a 1.05 TB data theft affecting 20 million customers.
- Australia's Victorian Department of Education reset student passwords after an attack exposed names, school details, and encrypted passwords, while cloud marketplace Pax8 accidentally exposed internal business and Microsoft licensing data for 1,800 MSP partners.
- Eurail confirmed a breach exposing passport numbers, bank details, and even photocopies of IDs for some DiscoverEU travellers. In Belgium, AZ Monica hospitals were hit by a cyberattack, forcing surgery cancellations and the transfer of critical patients, likely due to ransomware. Poland also thwarted a major cyberattack on its power grid, attributing it to Russia.
- Ukraine's Defense Forces were targeted in a charity-themed campaign by the Russian 'Void Blizzard' (aka 'Laundry Bear') group, delivering the PluggyApe backdoor via malicious PIF files in instant messages.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/belgium-hospit
๐Ÿ—ž๏ธ The Record | therecord.media/poland-cyberat
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research and Tradecraft ๐Ÿ›ก๏ธ

- North Korea's IT worker scheme and cryptocurrency heists continue to fund its weapons program, impacting over 40 countries. The U.S. urged UN member states to take tougher action, highlighting the sophisticated identity theft and remote work fraud used by these actors.
- A new, advanced cloud-native Linux malware framework, VoidLink, has been discovered. Written in Zig, Go, and C, it features custom loaders, implants, rootkits, and over 30 plugins designed for modern cloud environments (Kubernetes, Docker, AWS, GCP, Azure), with sophisticated anti-analysis and anti-forensics capabilities.
- Researchers identified a "Reprompt" attack method that could hijack Microsoft Copilot sessions, allowing attackers to exfiltrate sensitive data via hidden malicious prompts in URLs. This leverages parameter-to-prompt injection, double-request, and chain-request techniques to bypass safeguards.
- The DeadLock ransomware gang is using Polygon smart contracts to hide their command-and-control (C2) infrastructure, making it difficult for defenders to block their operations. This novel technique allows for frequent rotation of proxy server URLs, a method also observed with North Korean state-sponsored attackers.
- Microsoft, in collaboration with international law enforcement, disrupted RedVDS, a fast-growing cybercrime-as-a-service marketplace. RedVDS facilitated over $40 million in fraud, providing cybercriminals with disposable virtual computers for phishing, business email compromise, and real estate scams.
- Predator spyware operators are using sophisticated anti-analysis techniques, including an error code system (e.g., "error code 304" for security tools detected) to diagnose failed infections and evade researchers. It also suppresses crash logs and can detect network monitoring by privacy-conscious users.
- The Kimwolf botnet, a splinter of the Aisuru DDoS botnet, has rapidly grown to over 2 million infected unofficial Android TV devices. Its operators abuse residential proxy networks for local control, primarily targeting Minecraft servers with short, high-volume DDoS attacks.

๐Ÿ—ž๏ธ The Record | therecord.media/40-countries-i
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿคซ CyberScoop | cyberscoop.com/microsoft-seize
๐Ÿ—ž๏ธ The Record | therecord.media/microsoft-redv
๐Ÿคซ CyberScoop | cyberscoop.com/predator-spywar
๐Ÿคซ CyberScoop | cyberscoop.com/kimwolf-aisuru-

Vulnerabilities and Exploitation โš ๏ธ

- Microsoft's January Patch Tuesday addressed 112 vulnerabilities, including one actively exploited information disclosure zero-day (CVE-2026-20805) in Desktop Window Manager. This medium-severity flaw (CVSS 5.5) can leak memory addresses, potentially aiding privilege escalation or arbitrary code execution, and CISA has added it to its Known Exploited Vulnerabilities catalog.
- Vulnerabilities in popular AI/ML Python libraries (NeMo, Uni2TS, FlexTok) used in Hugging Face models allow remote attackers to hide and execute malicious code in metadata. These RCE flaws, tracked by CVEs, stem from improper use of Hydra's instantiate() function, affecting models with millions of downloads.
- A "most severe AI-driven vulnerability to date" in ServiceNow's Virtual Agent chatbot allowed arbitrary attackers to gain full platform control. Authentication issues (universal credential, email-only user impersonation) combined with agentic AI capabilities enabled admin account creation and lateral movement to connected systems.
- A critical Node.js vulnerability (CVE-2025-59466, CVSS 7.5) can cause server crashes via async_hooks stack overflow, leading to denial-of-service. This impacts numerous frameworks and APM tools like React Server Components, Next.js, and Datadog, as Node.js exits instead of gracefully handling the exception.
- Exploit code has been publicly released for a critical FortiSIEM command injection flaw (CVE-2025-25256), allowing unauthenticated remote attackers to execute commands or code. The vulnerability, a combination of arbitrary write with admin permissions and privilege escalation to root, affects versions 6.7 to 7.5.

๐Ÿคซ CyberScoop | cyberscoop.com/microsoft-patch
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/desktop-window
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿšจ Dark Reading | darkreading.com/remote-workfor
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/crit
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

Threat Landscape Commentary ๐ŸŒ

- Taiwan is experiencing a significant increase in cyber pressure from China, with an average of 2.63 million attacks daily in 2025, a 6% rise from the previous year. Energy infrastructure saw a tenfold increase, and emergency/hospital systems a 54% jump, indicating a deliberate attempt to disrupt critical infrastructure during both peacetime and potential conflict.
- Western cyber agencies, including the NCSC, CISA, and FBI, have issued new guidance warning about growing digital threats to industrial operational technology (OT). With OT systems increasingly connected, they present a larger attack surface for ransomware gangs and state-backed hackers, necessitating strong authentication, network segmentation, and minimised remote access.

๐Ÿšจ Dark Reading | darkreading.com/cyber-risk/tai
๐Ÿ—ž๏ธ The Record | therecord.media/cyber-agencies

Data Privacy ๐Ÿ”’

- California's Attorney General has launched an investigation into xAI's Grok AI tool over allegations it's being used to create nonconsensual sexually explicit deepfakes of women and children. This follows similar probes by the UK's Ofcom and the Paris Prosecutor's Office, highlighting growing regulatory concern over AI-generated content.
- The California Privacy Protection Agency (CPPA) Board has appointed Nicole Ozer, a privacy and surveillance expert and former ACLU leader, as a new member. This appointment is expected to significantly influence the agency's data privacy policy decisions.

๐Ÿ—ž๏ธ The Record | therecord.media/california-gro
๐Ÿคซ CyberScoop | cyberscoop.com/california-ag-i
๐Ÿ—ž๏ธ The Record | therecord.media/ccpa-appoints-

Regulatory Issues and Changes โš–๏ธ

- France's data protection regulator, CNIL, has fined telecom companies Free and Free Mobile a collective โ‚ฌ42 million ($48.9 million) for GDPR violations stemming from an October 2024 data breach that compromised over 24 million customer records, including IBANs. The fines were due to inadequate security measures (weak VPN authentication, ineffective detection), insufficient breach notification, and excessive data retention.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ—ž๏ธ The Record | therecord.media/france-data-re
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu

Government Staffing and Program Changes ๐Ÿ›๏ธ

- Alex Fitzsimmons, acting director of the Department of Energyโ€™s Office of Cybersecurity, Energy and Emergency Response (CESER), endorsed new cybersecurity bills for the energy sector and highlighted a new AI-driven cyber defence program, AI-FORTS. This comes amidst Democratic concerns over thousands of job cuts at the Department of Energy impacting cybersecurity and reliability.
- Sean Plankey has been re-nominated by President Trump to lead the Cybersecurity and Infrastructure Security Agency (CISA). His previous nomination stalled in the Senate last year due to holds from Senators over unrelated issues.

๐Ÿคซ CyberScoop | cyberscoop.com/ceser-chief-tou
๐Ÿคซ CyberScoop | cyberscoop.com/sean-plankey-re

Everything Else ๐Ÿ’ก

- Anthropic, an AI upstart, has invested $1.5 million in the Python Software Foundation (PSF) to enhance security in the Python ecosystem, specifically CPython and the Python Package Index (PyPI). This aims to protect millions of PyPI users from supply-chain attacks and could benefit other open-source package repositories.
- Microsoft has resolved a known issue where security applications were incorrectly flagging a core Windows component, WinSqlite3.dll, as vulnerable to a memory corruption flaw (CVE-2025-6965). The update addresses these false positive detections across various Windows client and server platforms.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/micr

#CyberSecurity #ThreatIntelligence #DataBreach #Ransomware #Vulnerability #ZeroDay #APT #Malware #AI #CloudSecurity #OTSecurity #GDPR #InfoSec #PatchTuesday #IncidentResponse

sayzardsayzard@mastodon.sayzard.org
2026-01-14

AvaxJ.nochillio (@avaxjesus)

KYC ๋™์˜์ƒ ์ธ์ฆ์„ ์‚ฌ์šฉํ•˜๋Š” ์„œ๋น„์Šค๋“ค์€ ์ด๋ฒˆ ์ด์Šˆ๋ฅผ '์ œ๋กœ๋ฐ์ด(0-day)' ์ทจ์•ฝ์ ์œผ๋กœ ๋ด์•ผ ํ•œ๋‹ค๋Š” ๊ฒฝ๊ณ ๋กœ, ์ฆ‰๊ฐ์ ์ธ ๋ณด์•ˆ ์ ๊ฒ€๊ณผ ๋Œ€์‘์ด ํ•„์š”ํ•จ์„ ๊ฐ•์กฐํ•ฉ๋‹ˆ๋‹ค.

x.com/avaxjesus/status/2011426

#kyc #security #zeroday #videoverification

CyberNetsecIOnetsecio
2026-01-14

๐Ÿ“ฐ CISA Mandates Patch for Exploited Windows Zero-Day Used in Attack Chains

๐Ÿšจ CISA adds actively exploited Windows zero-day CVE-2026-20805 to its KEV catalog! The info-disclosure flaw in Desktop Window Manager is used to bypass ASLR in attack chains. Federal agencies must patch by Feb 3. โš ๏ธ

๐Ÿ”— cyber.netsecops.io/articles/ci

Christoph SchmeesPC_Fluesterer@social.tchncs.de
2026-01-14

Microsoft Flickentag 2026-01

Zum Beginn des Jahres bringt Microsoft (MS) Flicken fรผr 113 Sicherheitslรผcken - eine ganze Menge. Von denen wird eine (CVE-2026-20805) bereits fรผr Angriffe ausgenutzt (Zero-Day); eine andere (CVE-2026-21265) war schon lange bekannt, aber wird (noch) nicht fรผr Angriffe genutzt. Von den jetzt geflickten Sicherheitslรผcken stuft MS 8 als kritisch ein, 5 von denen stecken in Komponenten von MS-Office. Die bereits ausgenutzte CVE-2026-20805 stuft MS nur als wichtig (nicht als kritisch) ein, das verstehe wer will. Die CISA hat diese Lรผcke in den KEV (Known Exploited Vulnerabilities) Katalog aufgenommen und eine Order erlassen, nach der Behรถrden

pc-fluesterer.info/wordpress/2

#Warnung #0day #exploits #Microsoft #office #sicherheit #UnplugTrump #windows #zahlen #zeroday

SOC Goulashsoc_goulash@infosec.exchange
2026-01-14

It's been a busy 24 hours in the cyber world with significant updates on recent attacks, actively exploited vulnerabilities, new malware campaigns, and a reminder about the ever-evolving privacy landscape. Let's take a look:

Kyowon Group Hit by Suspected Ransomware โš ๏ธ
- South Korea's Kyowon Group, a major education and lifestyle company, shut down parts of its network after identifying a suspected ransomware attack.
- The company confirmed an extortion demand and is investigating potential data leakage, including sensitive customer information, possibly affecting millions.
- This incident follows other high-profile data breaches in South Korea, prompting pledges for stronger data protection laws.

๐Ÿ—ž๏ธ The Record | therecord.media/kyowon-group-s

Dutch Port Hacked for Cocaine Smuggling ๐Ÿšจ
- A Dutch appeals court upheld a seven-year prison sentence for a man who hacked port IT systems using malware-stuffed USB sticks to aid cocaine smugglers.
- The attacker gained months of remote access, exploring the network and hunting for admin rights, even live-blogging the break-in via encrypted chats.
- The case highlights the real-world impact of cyber intrusions facilitating organised crime, with the hack directly enabling a 210 kg cocaine shipment.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Black Axe Leaders Arrested in Spain ๐Ÿ•ต๏ธ
- Spanish police, supported by Europol, arrested 34 alleged cybercriminals, including leaders of the transnational Black Axe organisation, across four cities.
- Black Axe is known for business email compromise (BEC) scams, money laundering, and vehicle trafficking, with estimated fraud exceeding $6.9 million.
- The operation froze $139,000 in bank accounts and seized cash, vehicles, and devices, significantly disrupting the hierarchical, Nigerian-led group.

๐Ÿคซ CyberScoop | cyberscoop.com/black-axe-disru

Supreme Court Filing System Hack ๐Ÿ›๏ธ
- A Tennessee man is expected to plead guilty to a misdemeanor charge for hacking into the U.S. Supreme Courtโ€™s electronic case filing system on 25 occasions between August and October 2023.
- Nicholas Moore, 24, "intentionally accessed a computer without authorization," though details on the specific information accessed were not released.
- This incident underscores ongoing vulnerabilities in federal judicial systems, which have seen strengthened protections following sophisticated cyberattacks.

๐Ÿ—ž๏ธ The Record | therecord.media/guilty-plea-ha

Malicious Chrome Extension Steals MEXC API Keys ๐Ÿ’ฐ
- A malicious Google Chrome extension, "MEXC API Automator," is actively stealing API keys from the MEXC cryptocurrency exchange by masquerading as a trading tool.
- The extension programmatically creates new API keys with withdrawal permissions, hides these permissions in the UI, and exfiltrates the keys to a Telegram bot.
- This attack leverages an already authenticated browser session, bypassing traditional authentication, and grants attackers unfettered access to victims' crypto accounts.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/mali

Gogs Zero-Day Under Active Exploitation ๐Ÿ›ก๏ธ
- CISA has added CVE-2025-8110, a high-severity path traversal vulnerability in the Gogs self-hosted Git service, to its KEV catalog due to active exploitation.
- The flaw allows authenticated users to bypass previous fixes (CVE-2024-55947) by exploiting symbolic link handling in the PutContents API, leading to remote code execution.
- With no official patch yet, federal agencies are mandated to apply mitigations by February 2, 2026, or cease using Gogs, while other users should disable open registration and restrict access.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/13/c
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

ServiceNow AI Platform Critical Flaw ๐Ÿ”’
- ServiceNow patched CVE-2025-12420, a critical 9.3 CVSS vulnerability in its AI Platform, allowing unauthenticated users to impersonate others and perform arbitrary actions.
- The flaw stemmed from a universal credential ("servicenowexternalagent") and lack of password/MFA for user identity verification, which could lead to full platform takeover.
- Although no in-the-wild exploitation has been confirmed, the vulnerability was deemed the "most severe AI-driven vulnerability to date" due to ServiceNow's deep integration across enterprise IT.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/serv
๐ŸŒ‘ Dark Reading | darkreading.com/remote-workfor

AI/ML Python Libraries RCE Vulnerabilities ๐Ÿ
- Vulnerabilities in popular AI/ML Python libraries (Nvidia's NeMo, Salesforce's Uni2TS, Apple/EPFL VILAB's FlexTok) allow remote code execution via poisoned metadata.
- The flaws exploit Hydra's instantiate() function, which can execute arbitrary callables, enabling attackers to hide malicious code in model metadata that runs automatically upon loading.
- Patches have been issued for NeMo (CVE-2025-23304) and Uni2TS (CVE-2026-22584), with FlexTok also fixed, urging users to only load models from trusted sources.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

Kremlin-linked Hackers Target Ukraine Military ๐Ÿช–
- CERT-UA reports a new cyber-espionage campaign by Void Blizzard (UAC-0190) targeting Ukraine's military personnel using a novel PluggyApe malware.
- Attackers impersonate charitable organisations and use messaging apps like Signal and WhatsApp to deliver password-protected malicious executables.
- This campaign highlights a shift towards highly tailored social engineering, leveraging trusted communication channels and detailed target knowledge to deliver malware.

๐Ÿ—ž๏ธ The Record | therecord.media/kremlin-linked

SHADOW#REACTOR Delivers Remcos RAT ๐Ÿ‘ป
- A new campaign, SHADOW#REACTOR, uses an evasive multi-stage Windows attack chain to deploy the Remcos RAT for persistent remote access.
- The infection leverages obfuscated VBS launchers, PowerShell downloaders, fragmented text-based payloads, and a .NET Reactor-protected loader to complicate detection.
- This broad, opportunistic activity, likely by initial access brokers, abuses LOLBins like MSBuild.exe and employs self-healing mechanisms to ensure payload delivery.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/new-

AsyncRAT Campaign Abuses Cloudflare & Python โ˜๏ธ
- An emerging phishing campaign is delivering AsyncRAT by exploiting Cloudflare's free-tier services (TryCloudflare tunneling) and legitimate Python downloads.
- Attackers use Dropbox links with double-extension files (.pdfurl) in phishing emails, installing a full Python environment to inject code into explorer.exe.
- This technique masks malicious activity under trusted domains and legitimate tools, making detection challenging and highlighting the ongoing effectiveness of phishing and abuse of legitimate services.

๐ŸŒ‘ Dark Reading | darkreading.com/endpoint-secur

AVCheck Malware Kingpin Arrested ๐Ÿšซ
- Dutch police arrested a 33-year-old man at Amsterdam's Schiphol Airport, believed to be the mastermind behind the AVCheck online platform.
- AVCheck was a counter-antivirus (CAV) service, shuttered in May by Operation Endgame, that allowed cybercriminals to test malware against various AV products to evade detection.
- The arrest underscores ongoing international law enforcement efforts to dismantle critical components of the cybercrime ecosystem.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

North Korea's IT Worker & Crypto Theft Schemes ๐Ÿ‡ฐ๐Ÿ‡ต
- The U.S. urged UN member states to take tougher action against North Korea's IT worker scheme and cryptocurrency heists, which fund its weapons programs.
- A 140-page report highlights that over 40 countries are impacted, with North Korean IT workers stealing identities to secure remote jobs and laundered crypto funds exceeding $2 billion last year.
- China and Russia were criticised for providing safe havens, with 1,500 North Korean IT workers estimated in China alone, violating UN Security Council Resolutions.

๐Ÿ—ž๏ธ The Record | therecord.media/40-countries-i

India's Strict Crypto KYC/AML Rules ๐Ÿ‡ฎ๐Ÿ‡ณ
- India's Financial Intelligence Unit (FIU-IND) updated regulations for crypto service providers, requiring strict client due diligence for all serving Indian residents, even offshore.
- New rules mandate collecting identity documents, bank details, occupation, income, and crucially, "Latitude and longitude coordinates of the onboarding location with date and timestamp along with IP address," plus a selfie.
- These measures aim to combat fraud, money laundering, and terrorism financing in the anonymous and instantaneous crypto transaction landscape.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

US Cyber Command Leadership Shake-up ๐Ÿ‡บ๐Ÿ‡ธ
- Air Force Lt. Col. Jason Gargan, commander of a Cyber National Mission Force task force aligned against Russia, was "relieved for cause" due to operational disagreements.
- This unusual dismissal highlights a "loss of trust and confidence" in command ability, with Gargan now expected to retire by the end of 2026.
- The incident occurs amidst other top-rank changes at Cyber Command, which has been without a Senate-confirmed leader for over nine months.

๐Ÿ—ž๏ธ The Record | therecord.media/senior-militar

US Cyber Offense vs. Defense Debate โš–๏ธ
- A House Homeland Security subcommittee debated the U.S. approach to cyber deterrence, with some lawmakers warning against expanding offensive cyber operations before strengthening defenses.
- Concerns were raised about CISA losing one-third of its workforce and the potential for offensive actions to provoke retaliation if U.S. networks are not adequately defended.
- While acknowledging the importance of offense, experts suggested a hybrid approach where the private sector supports government offensive operations, with CISA coordinating and receiving legal protections.

๐Ÿคซ CyberScoop | cyberscoop.com/us-offensive-cy

Mandiant's Salesforce Security Tool ๐Ÿ› ๏ธ
- Mandiant has open-sourced AuraInspector, a tool designed to help Salesforce admins detect misconfigurations in Aura (Experience Cloud sites) that could expose sensitive data.
- The tool targets access control issues, such as unauthenticated users gaining access to Salesforce Account object records, and can bypass 2,000-record limits via GraphQL API abuse.
- AuraInspector automates potential abuse techniques and remediation strategies, providing read-only operations to identify damaging misconfigurations without modifying Salesforce instances.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerability #ZeroDay #RCE #Malware #APT #NationState #Cybercrime #DataPrivacy #InfoSec #IncidentResponse #CloudSecurity #AI #BrowserSecurity #KYC #AML

Christoph SchmeesPC_Fluesterer@social.tchncs.de
2026-01-13

Interessante Erkenntnisse aus einem Angriff

Dieser Fall ist fรผr uns vor allem durch verschiedene politische Aspekte interessant: Ein Sicherheitsunternehmen (Huntress) hat im Dezember 2025 einen Angriff beobachtet und untersucht. Die forensische Analyse brachte zutage, dass es sich um einen technisch hรถchst ausgefeilten Angriff chinesischer Hacker handelte, der anscheinend von langer Hand vorbereitet worden war. Er nutzte drei Sicherheitslรผcken in der Virtualisierungs-Software VMWare aus, die รถffentlich nicht bekannt waren (Zero-Day).

pc-fluesterer.info/wordpress/2

#Allgemein #Empfehlung #Hintergrund #Warnung #0day #closedsource #cybercrime #exploits #hersteller #sicherheit #vorfรคlle #vpn #wissen #zeroday #unplugTrump #virtualisierung #vmware

SOC Goulashsoc_goulash@infosec.exchange
2026-01-12

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, critical vulnerabilities, evolving threat actor tactics, and a deep dive into AI security. Let's take a look:

Recent Cyber Attacks and Breaches ๐Ÿšจ

- The University of Hawaii Cancer Center was hit by a ransomware attack in August 2025, leading to the theft of study participant data, including Social Security numbers from the 1990s. The university paid a ransom to obtain a decryptor and ensure data deletion, highlighting the ongoing challenge of protecting legacy data.
- Spanish energy provider Endesa and its Energรญa XXI operator disclosed unauthorised access to their commercial platform, exposing basic identification, contact, national identity numbers, contract, and payment details for over 10 million customers. Threat actors are allegedly selling a 1TB database with 20 million records.
- Hackers claim to have stolen 860 GB of Target's internal source code and developer documentation, publishing samples on Gitea. Following inquiries, Target's internal Git server (`git.target.com`) was taken offline, suggesting a potential breach of private development infrastructure.
- The notorious cybercrime forum, BreachForums, suffered a data breach in August 2025, exposing email addresses, usernames, and hashed passwords for approximately 324,000 users. The leaked database, posted to `shinyhunte.rs`, includes records linked to real cybercriminals and PGP keys, potentially aiding law enforcement.
- Players of Apex Legends experienced disruptions as a "bad actor" remotely controlled characters, disconnected players, and changed nicknames, with some reports suggesting administrative privilege access. Respawn, the publisher, resolved the incident, attributing it to anti-cheat circumvention rather than RCE or malware.
- Higham Lane School in the UK closed for a week following a cyberattack that disabled electronic gates, fire alarms, and student record systems, making it unsafe to open. This incident highlights the critical impact of cyberattacks on essential services and physical safety.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/week

Critical Vulnerabilities and Exploitation โš ๏ธ

- A maximum-severity flaw, dubbed "Ni8mare" (CVE-2026-21858), allows unauthenticated remote code execution on locally deployed n8n instances (versions prior to 1.121.0). This improper input validation vulnerability in form-based workflows affects nearly 60,000 exposed instances and could lead to full system compromise.
- CISA has ordered federal agencies to patch a high-severity Gogs RCE flaw (CVE-2025-8110), actively exploited as a zero-day. This path traversal vulnerability in the PutContents API allows authenticated attackers to bypass previous patches and overwrite files via symbolic links, enabling arbitrary command execution.
- Veeam patched four vulnerabilities, including a critical RCE (CVE-2025-59470, CVSS 9.0) that allows a Backup or Tape Operator account to execute arbitrary code. This flaw is particularly dangerous as ransomware actors often gain this level of access post-initial compromise, using it to accelerate attacks and disrupt backups.
- A vulnerability in Telegram's Android and iOS clients allows an attacker to reveal a user's real IP address with a single click on a specially crafted proxy link. The app automatically attempts a test connection to the specified server, bypassing configured proxies, making it a silent and effective deanonymisation tool.
- Chinese-speaking threat actors likely developed and exploited a trio of VMware ESXi flaws (CVE-2025-22224, -22225, -22226) over a year before public disclosure, using a compromised SonicWall VPN as an initial access vector. The exploit allowed memory leakage and code execution as the VMX process, targeting a wide range of ESXi versions.
- A critical buffer overflow vulnerability in zlib's `untgz` utility (CVE-2026-22184, versions up to 1.3.1.2) can lead to memory corruption, denial of service, and potentially remote code execution. The flaw, with a CVSS score of 9.3, is due to an unbounded `strcpy()` call on attacker-controlled input.

๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/rese
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿค– Bleeping Computer | bleepingcomputer.com/news/secu
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/week

Evolving Threat Actor Tactics and Malware ๐Ÿ›ก๏ธ

- Researchers uncovered service providers like "Penguin Account Store" and "UWORK" fuelling industrial-scale pig butchering fraud. These services offer full fraud kits, including stolen social media accounts, pre-registered SIMs, character sets, automated victim engagement platforms (SCRM AI), and even turnkey scam websites with KYC panels and mobile apps, significantly lowering the barrier to entry for criminals.
- A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak credentials. The botnet, leveraging common usernames and passwords often propagated by AI-generated server deployment examples, can brute-force FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers, with observed activity including scanning for TRON blockchain addresses with non-zero funds.
- Two distinct campaigns are actively targeting exposed Large Language Model (LLM) services, amounting to nearly 100,000 attack sessions. One campaign, likely by ethical hackers, exploits SSRF vulnerabilities, while the other, more malicious, systematically probes over 73 LLM model endpoints (OpenAI, Anthropic, Google, etc.) to identify misconfigured proxy servers for potential future exploitation.
- The Kimwolf botnet, an Android variant of Aisuru malware, has infected over two million devices, primarily by exploiting vulnerabilities in residential proxy networks. It abuses proxy providers to access local network addresses and ports, allowing direct interaction with Android Debug Bridge (ADB) services exposed on internal networks.
- A sophisticated threat actor, UAT-7290, is conducting a long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia since at least 2022. The group focuses on extensive reconnaissance before deploying Linux malware families like RushDrop, DriveSwitch, and SilentRaid, highlighting the strategic value of these networks.
- Two malicious Chrome extensions, "Chat GPT for Chrome with GPT-5..." and "AI Sidebar with DeepSeek...", collectively installed 900,000 times, were found exfiltrating OpenAI ChatGPT and DeepSeek conversations, along with browsing data, to attacker-controlled servers. This technique, dubbed "Prompt Poaching," underscores the risk of third-party browser add-ons.

๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/rese
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/gobr
๐ŸŒ‘ Dark Reading | darkreading.com/endpoint-secur
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/week

Threat Landscape and AI Security Insights ๐Ÿง 

- The US appears to be shifting towards a "gray zone" cyber approach, using cyber interference against economic and civilian infrastructure as part of sustained pressure campaigns, rather than isolated actions. This strategy, drawing lessons from Russia's hybrid warfare, leverages persistent access and calibrated disruption to shape behaviour below the threshold of open conflict.
- A World Economic Forum survey indicates a significant increase in organisations assessing AI tool security risks, with 64% doing so before deployment, almost double the previous year. While AI is seen as the most significant driver of cybersecurity change, data leaks and the advancement of adversarial AI capabilities remain top concerns for leaders.
- Block's CISO, James Nettesheim, revealed their red team successfully used a prompt injection attack to deploy an infostealer on an employee's laptop via their open-source AI agent, Goose. This highlights the critical need for least-privilege access for AI agents and humans, and the ongoing challenge of prompt injection, which Block is addressing with features like recipe install warnings and suspicious Unicode character detection.
- Illicit cryptocurrency activity reached a record $158 billion in 2025, a 145% increase from 2024, with over 80% linked to Russia-linked entities. Despite the volume, illicit activity's share of overall crypto transactions continues to decline, suggesting improved visibility and a maturing ecosystem where illicit actors operate at scale, similar to traditional finance.

๐Ÿคซ CyberScoop | cyberscoop.com/gray-zone-cyber
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/week

Data Privacy Concerns ๐Ÿ”’

- Meta addressed an issue allowing external parties to request password reset emails for some Instagram users, but denied any system breach or data theft. This clarification follows claims of 17.5 million Instagram accounts having sensitive information stolen, likely from an older scraped dataset.
- China has issued draft regulations to govern personal information collection and use from the internet, emphasising legality, legitimacy, necessity, and integrity. The rules aim to safeguard user rights, promote transparency, and require explicit consent for data collection, especially sensitive personal information, with app developers responsible for security and compliance.
- Gulshan Management Services, operating 150 Handi gas stations, disclosed a data breach from September last year, affecting 377,082 customers. A phishing attack led to IT system encryption and exposure of names, SSNs, contact info, and driver's license numbers, raising concerns about delayed notification and potential legal action.

๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th
๐Ÿ“ฐ The Hacker News | thehackernews.com/2026/01/week
๐Ÿ•ต๐Ÿผ The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerabilities #ZeroDay #RCE #APT #Malware #DataBreach #AIsecurity #PromptInjection #GrayZone #Cybercrime #InfoSec #IncidentResponse

13reak :fedora:13reak@infosec.exchange
2026-01-09

Zyxel claimed on 2024-11-27 that the attack wave of ransomware group 'Helldown' was not related to a zero day (even though multiple researchers incl. my team suspected a zero day and warned Zyxel):

zyxel.com/global/en/support/se

On 2024-11-25 (two days before) a researcher team at Galaxus reported a zero day to Zyxel which now got confirmed:

galaxus.de/en/page/on-the-hunt

So much for that...

#zyxel #zeroday #CVE-2024-12010 #cve

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst