Stay ahead of emerging threats with expert analysis, vulnerability reports, and cybersecurity insights.
Qualys discovered nine vulnerabilities in AppArmor affecting 12.6 million Linux servers. CrackArmor enables unprivileged users to achieve root via confused deputy attacks, bypass container isolation, defeat KASLR, and manipulate security policies. All kernels since 4.11 affected.
CISA added CVE-2025-68613 to KEV after confirming active exploitation of n8n automation platform. Five critical RCE vulnerabilities (CVSS 9.4-9.5) allow credential theft via encryption key extraction. 24,700 instances exposed. Federal deadline: March 25, 2026.
Read moreSentinelOne documents campaign targeting FortiGate appliances to extract AD/LDAP credentials. Attackers exploit CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, decrypt config files, and harvest NTDS.dit. Healthcare, government, and MSPs are primary targets.
Read moreJFrog discovered malicious npm package @openclaw-ai/openclawai deploying GhostLoader RAT on macOS. The 11,700-line infostealer harvests Keychain, browser credentials, crypto wallets, SSH keys, cloud creds, and enables browser session cloning. 178 developers compromised.
Read moreTwo Chrome Featured extensions, QuickLens and ShotBird, turned malicious after ownership transfer. Attackers stripped security headers, injected C2 payloads via 1x1 pixel images, and deployed ClickFix-style attacks for full endpoint compromise. Extension supply chain attacks are accelerating.
Read moreMuddyWater deploys Dindoor backdoor using Deno JavaScript runtime against US banks, airports, and defense contractors. Campaign ties directly to Iran-US conflict escalation. Wiper threats and camera exploitation support kinetic military operations.
Read moreSymantec and Carbon Black uncovered MuddyWater (Iran MOIS) targeting US banks, airports, non-profits, and defense contractors with the new Dindoor backdoor using Deno runtime. Campaign escalated following US-Israeli strikes on Iran. Wiper threats and camera exploitation also documented.
Read moreCISA confirmed active exploitation of CVE-2017-7921 (Hikvision cameras) and CVE-2021-22681 (Rockwell Automation controllers), both CVSS 9.8. Federal agencies must patch by March 26, 2026. Legacy vulnerabilities remain potent weapons in attacker arsenals.
Read moreCISA added CVE-2026-22719 (CVSS 8.1) to the Known Exploited Vulnerabilities catalog after confirming active exploitation. The command injection flaw in VMware Aria Operations allows unauthenticated RCE. Federal agencies must patch by March 24, 2026.
Read moreAkamai confirms APT28 (Fancy Bear/GRU) was actively exploiting CVE-2026-21513 (CVSS 8.8) in the MSHTML Framework before Microsoft's February patch. The attack uses crafted LNK files to bypass Mark-of-the-Web and execute malicious payloads as trusted local content.
Read moreAkamai confirmed APT28 exploited CVE-2026-21513 (CVSS 8.8) in Windows MSHTML before Microsoft's February patch. The attack uses crafted LNK files to bypass Mark-of-the-Web and IE Enhanced Security via ShellExecuteExW invocation. Samples linked to APT28 infrastructure appeared on VirusTotal two weeks before the fix.
Read moreShadowserver reports 900+ Sangoma FreePBX instances worldwide remain infected with web shells exploiting CVE-2025-64328 (CVSS 8.6). The INJ3CTOR3 threat actor deploys EncystPHP web shells for command execution and fraudulent outbound calls. US leads with 401 compromised systems.
Read moreZscaler ThreatLabz discovered ScarCruft (APT37) running the "Ruby Jumper" campaign that bridges air-gapped networks using weaponized USB drives. The operation abuses Zoho WorkDrive for C2 and deploys multiple malware families including THUMBSBD, FOOTWINE, and BLUELIGHT for surveillance and data exfiltration.
Read moreCisco disclosed CVE-2026-20127 (CVSS 10.0), an authentication bypass in Catalyst SD-WAN that sophisticated threat actor UAT-8616 has exploited since 2023. The attack chain creates rogue peers, downgrades software to exploit older CVEs, and achieves root persistence. CISA issued Emergency Directive 26-03 requiring 24-hour patching.
Read moreFormer L3Harris contractor Peter Williams sentenced to 87 months for selling eight zero-day exploits to Russian broker Operation Zero for $4 million. The U.S. government simultaneously sanctioned Operation Zero, its leader Sergey Zelenyuk, and connected entities for acquiring cyber tools harmful to national security.
Read moreAnthropic revealed that DeepSeek, Moonshot AI, and MiniMax ran industrial-scale distillation attacks using 24,000 fraudulent accounts to systematically extract Claude's reasoning, coding, and agentic capabilities across 16 million exchanges. Google disclosed similar attacks on Gemini weeks earlier.
Read moreAmazon Threat Intelligence reveals a Russian-speaking actor with limited skills compromised 600+ FortiGate devices using DeepSeek and Claude. The campaign exploited exposed management interfaces and weak credentials, demonstrating how AI has democratized sophisticated attack capabilities.
Read moreAmazon Threat Intelligence documents a Russian-speaking threat actor who compromised 600+ FortiGate devices across 55 countries using AI-assisted tools. No zero-days were exploited—just exposed management interfaces and weak credentials, with generative AI helping an unsophisticated attacker scale their operations.
Read moreUnit 42 documents active exploitation of CVE-2026-1731 (CVSS 9.9) in BeyondTrust Remote Support and PRA. Attackers are deploying web shells, VShell, Spark RAT, and exfiltrating PostgreSQL dumps. CISA confirms ransomware campaigns are leveraging this vulnerability.
Read moreESET researchers discovered PromptSpy, an Android malware that uses Google's Gemini AI to dynamically navigate device interfaces and maintain persistence. The malware sends screen captures to Gemini, which responds with tap instructions, effectively solving Android fragmentation for attackers.
Read moreSubscribe to our newsletter and get the latest security insights delivered to your inbox.