Security Articles

Stay ahead of emerging threats with expert analysis from 95+ security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. This week (Apr 21-25, 2026): a FIRESTARTER backdoor survives Cisco firewall patches in the ArcaneDoor federal breach, Microsoft ships a CVSS 9.1 ASP.NET Core flaw that lets attackers forge authentication cookies on Linux, three Microsoft Defender zero-days chain into SYSTEM takeover with two still unpatched, and Apple patches an iOS notification bug the FBI used to pull deleted Signal messages off an iPhone.

All Articles Advisory Cyber Attack Data Breach Exploit Malware Threat Actor Vulnerability

Severity: All Critical High Medium Low

35 articles found

Featured Story

highCVE AdvisoryVulnerability

HIGH: APT28 Exploits Incomplete Windows Shell Patch for Zero-Click NTLM Theft (CVE-2026-32202)

Microsoft has confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing flaw that turns out to be an incomplete patch for an APT28 zero-day from earlier this year. The Russian GRU-linked group is using crafted LNK files to silently steal NTLM credentials with zero clicks, and the original April 14 advisory dramatically understated the severity until Microsoft corrected it on April 27.

By Danny MercerRead Full Article

CVE AdvisoryVulnerability•Apr 27, 2026

HIGH: Bitwarden CLI Hit by Shai-Hulud Third Coming Worm in Checkmarx Supply Chain Cascade

A poisoned build of @bitwarden/cli version 2026.4.0 lived on the npm registry for roughly ninety minutes on April 22, 2026, infecting around 334 developer machines with the third generation of the Shai-Hulud worm. The attack chained off the prior compromise of the checkmarx/ast-github-action GitHub Action, harvested cloud credentials, GitHub and npm tokens, and AI coding tool configs, then self-propagated by injecting malicious workflows into accessible repositories.

CVE AdvisoryVulnerability•Apr 24, 2026

HIGH: LMDeploy CVE-2026-33626 SSRF Exploited Within Hours of Disclosure

A server-side request forgery flaw in the LMDeploy vision-language pipeline was under active exploitation twelve hours and thirty-one minutes after public disclosure, and no upstream patch has shipped yet. Attackers are already probing exposed instances for AWS metadata credentials, Redis on localhost, and loopback services.

CVE AdvisoryVulnerability•Apr 23, 2026

HIGH: Apple Patches iOS Notification Bug That Let the FBI Pull Deleted Signal Messages Off an iPhone (CVE-2026-28950)

Apple shipped iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a data retention flaw in the Notification Services framework that kept the text of deleted notifications in an internal database. The FBI used the bug to recover Signal message content from a seized iPhone after the Signal app had been deleted. Patch every managed iPhone today and enforce preview redaction on sensitive messaging apps.

CVE AdvisoryVulnerability•Apr 21, 2026

HIGH: Three Microsoft Defender Zero-Days Chain Into SYSTEM Takeover With Two Still Unpatched

Three zero-day vulnerabilities in Microsoft Defender, nicknamed BlueHammer, RedSun, and UnDefend, are under active exploitation after researcher Chaotic Eclipse dumped working proof-of-concept code. Only BlueHammer (CVE-2026-33825, CVSS 7.8) has been patched. RedSun escalates local users to SYSTEM on fully patched systems while UnDefend silently disables Defender definition updates, making the chained attack especially dangerous until the May 13 Patch Tuesday.

CVE AdvisoryVulnerability•Apr 15, 2026

HIGH: Scattered Spider Returns: UK Retail Giants Fall to Social Engineering Blitz

Scattered Spider, the group behind the MGM and Caesars attacks, has hit Marks & Spencer, Co-op, and Harrods in a coordinated campaign deploying DragonForce ransomware. The attacks relied on social engineering help desk staff rather than technical exploits.

CVE AdvisoryVulnerability•Apr 13, 2026

HIGH: Your Phone Ads Are Snitching on You: Inside the 500-Million-Device Surveillance Machine

Citizen Lab revealed that law enforcement agencies worldwide are using Webloc, a tool built by Israeli intelligence company Cobwebs Technologies, to track 500 million mobile devices through advertising data without warrants. Clients include ICE, US military, and police departments across America.

CVE AdvisoryVulnerability•Apr 12, 2026

HIGH: CPUID Website Breach Spreads STX RAT Through Trojanized CPU-Z and HWMonitor Downloads

The official CPUID website was compromised for 19 hours, redirecting users to malicious downloads of CPU-Z and HWMonitor that delivered STX RAT. Over 150 victims identified across retail, manufacturing, telecom, and individual users in Brazil, Russia, and China.

CVE AdvisoryVulnerability•Apr 11, 2026

HIGH: Fortinet Warns of Persistent Access Technique That Survives Even After Patching

Fortinet has disclosed that threat actors are using a symlink-based technique to maintain read-only access to FortiGate devices even after security patches are applied. The method exploits the SSL-VPN language files directory to create persistent filesystem access.

CVE AdvisoryVulnerability•Apr 5, 2026

HIGH: 36 Malicious npm Packages Masquerade as Strapi Plugins to Deploy Persistent Implants

Security researchers discovered 36 malicious npm packages impersonating Strapi CMS plugins. The packages exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and target cryptocurrency platforms with hard-coded database credentials.

CVE AdvisoryVulnerability•Apr 2, 2026

HIGH: Chrome Zero-Day Number Four Just Dropped: CVE-2026-5281 Hits the WebGPU Stack

Google patched CVE-2026-5281, a high-severity use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This marks the fourth Chrome zero-day of 2026, and CISA has already added it to the Known Exploited Vulnerabilities catalog.

CVE AdvisoryVulnerability•Mar 30, 2026

Russian CTRL Toolkit Uses Named Pipes to Evade Detection

Censys discovered CTRL, a Russian RAT using named pipes and RDP tunneling to evade network monitoring. Built to stay hidden while maintaining full network access.

CVE AdvisoryVulnerability•Mar 26, 2026

HIGH: Device Code Phishing Campaign Hammers 340+ Microsoft 365 Organizations

Over 340 organizations across five countries compromised in aggressive device code phishing campaign exploiting OAuth device authorization flow. Attackers harvest tokens that survive password resets using PhaaS platform EvilTokens.

CVE AdvisoryVulnerability•Mar 22, 2026

HIGH: DOJ Dismantles Massive IoT Botnet Network Behind Record-Breaking 31.4 Tbps DDoS Attacks

U.S. authorities dismantled four IoT botnets (AISURU, Kimwolf, JackSkid, Mossad) responsible for the largest DDoS attacks ever recorded. Over 3 million enslaved devices generated attacks exceeding 31 Tbps.

CVE AdvisoryVulnerability•Mar 22, 2026

Kubernetes RBAC Exploited for Cryptomining: 2,000+ Clusters Hit

Over 2,000 Kubernetes clusters compromised through RBAC misconfigurations. Attackers deploy cryptominers via default service accounts. Check your clusters now.

CVE AdvisoryVulnerability•Mar 16, 2026

HIGH: Google Patches Two Chrome Zero-Days Actively Exploited in the Wild

Google patched CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 sandbox escape), both CVSS 8.8 and actively exploited. CISA added to KEV with March 27 deadline. Update to Chrome 146.0.7680.75/76.

Threat IntelCyber Attack•Mar 9, 2026

Chrome Extensions Turn Malicious After Ownership Transfer: The Supply Chain Attack You Didn't See Coming

Two Chrome Featured extensions, QuickLens and ShotBird, turned malicious after ownership transfer. Attackers stripped security headers, injected C2 payloads via 1x1 pixel images, and deployed ClickFix-style attacks for full endpoint compromise. Extension supply chain attacks are accelerating.

CVE AdvisoryVulnerabilityCVE-2026-21513 CVSS 8.8 •Mar 2, 2026

Russia's APT28 Was Already Exploiting That Windows MSHTML Flaw Before Microsoft Patched It

Akamai confirmed APT28 exploited CVE-2026-21513 (CVSS 8.8) in Windows MSHTML before Microsoft's February patch. The attack uses crafted LNK files to bypass Mark-of-the-Web and IE Enhanced Security via ShellExecuteExW invocation. Samples linked to APT28 infrastructure appeared on VirusTotal two weeks before the fix.

Threat IntelCyber AttackINJ3CTOR3 •Feb 28, 2026

Over 900 FreePBX Phone Systems Still Compromised — Is Your Business One of Them?

Shadowserver reports 900+ Sangoma FreePBX instances worldwide remain infected with web shells exploiting CVE-2025-64328 (CVSS 8.6). The INJ3CTOR3 threat actor deploys EncystPHP web shells for command execution and fraudulent outbound calls. US leads with 401 compromised systems.

Threat IntelApt CampaignScarCruft / APT37 North Korea •Feb 27, 2026

North Korea's ScarCruft Jumps the Air Gap With USB Malware and Cloud C2

Zscaler ThreatLabz discovered ScarCruft (APT37) running the "Ruby Jumper" campaign that bridges air-gapped networks using weaponized USB drives. The operation abuses Zoho WorkDrive for C2 and deploys multiple malware families including THUMBSBD, FOOTWINE, and BLUELIGHT for surveillance and data exfiltration.

Is Your Mobile App Secure?

Our CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.

Learn About Mobile Pen Testing MSP Partner Program

Page 1 of 2Next

Stay Informed

Subscribe to our newsletter and get the latest security insights delivered to your inbox.

512-518-4408 Free Security Quiz →