Threat Newsletter Week 10-11

Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days

Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known.

Of these, eight are rated Critical, and 76 are rated Important in severity. Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws.

The fixes are in addition to 10 vulnerabilities that have been addressed in its Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update.

The two publicly disclosed zero-days are CVE-2026-26127 (CVSS score: 7.5), a denial-of-service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server.

Source: The hacker news / Bleeping computer / Securityweek / Krebs on security / SANS internet storm center

Link: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/

Link: https://www.securityweek.com/microsoft-patches-83-vulnerabilities/

Link: https://krebsonsecurity.com/2026/03/microsoft-patch-tuesday-march-2026-edition/

Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20March%202026/32782

Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8

Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild.

The list of vulnerabilities is as follows –

CVE-2026-3909 (CVSS score: 8.8) – An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
CVE-2026-3910 (CVSS score: 8.8) – An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine that allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Both vulnerabilities were discovered and reported by Google itself on March 10, 2026. As is customary in these cases, no details are available about how the issues are being abused in the wild and who is behind the efforts. This is done so as to prevent other threat actors from exploiting the issues.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2026/03/google-fixes-two-chrome-zero-days.html

Link: https://www.bleepingcomputer.com/news/google/google-fixes-two-new-chrome-zero-days-exploited-in-attacks/

Oracle Patches Critical CVE-2026-21992 Enabling Unauthenticated RCE in Identity Manager

Oracle has released security updates to address a critical security flaw impacting Identity Manager and Web Services Manager that could be exploited to achieve remote code execution.

The vulnerability, tracked as CVE-2026-21992, carries a CVSS score of 9.8 out of a maximum of 10.0.

„This vulnerability is remotely exploitable without authentication,“ Oracle said in an advisory. „If successfully exploited, this vulnerability may result in remote code execution.“

CVE-2026-21992 affects the following versions –

Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0
Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0

According to a description of the flaw in the NIST National Vulnerability Database (NVD), it’s „easily exploitable“ and could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Identity Manager and Oracle Web Services Manager. This, in turn, can result in the successful takeover of susceptible instances.

Source: The hacker news / Bleeping computer / Securityweek / Helpnet security / Oracle security blog

Link: https://thehackernews.com/2026/03/oracle-patches-critical-cve-2026-21992.html

Link: https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/

Link: https://www.securityweek.com/oracle-releases-emergency-patch-for-critical-identity-manager-vulnerability/

Link: https://www.helpnetsecurity.com/2026/03/23/oracle-emergency-fix-cve-2026-21992/

Link: https://blogs.oracle.com/security/alert-cve-2026-21992

Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.

The vulnerabilities are listed below –

CVE-2026-3055 (CVSS score: 9.3) – Insufficient input validation leading to memory overread
CVE-2026-4368 (CVSS score: 7.7) – Race condition leading to user session mixup

Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.

However, for exploitation to be successful, the Citrix ADC or Citrix Gateway appliance must be configured as a SAML Identity Provider (SAML IDP), which means default configurations are unaffected. To determine if the device has been configured as a SAML IDP Profile, Citrix is urging customers to inspect their NetScaler Configuration for the specified string: „add authentication samlIdPProfile .*“

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2026/03/citrix-urges-patching-critical.html

Link: https://www.securityweek.com/critical-citrix-netscaler-vulnerability-poised-for-exploitation-security-firms-warn/

Zero Trust: Bridging the Gap Between Authentication and Trust

The traditional concept of a „secure perimeter“ has effectively evaporated. As the workforce has transitioned from centralized offices to a hybrid model spanning kitchen tables, coffee shops, and co-working spaces, the old way of defending the network has become obsolete. Organizations can no longer rely on the assumption that anything inside the corporate network is „safe“ and everything outside is „hostile.“

The move to Zero Trust isn’t just a passing trend, it’s a necessary evolution in security architecture. However, many organizations are finding that their current implementations are missing a critical component: the connection between identifying a user and authorizing their session.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/zero-trust-bridging-the-gap-between-authentication-and-trust/

Everyday tools, extraordinary crimes: the ransomware exfiltration playbook

Data exfiltration activity increasingly leverages legitimate native utilities, commonly deployed third-party tools, and cloud service clients, reducing the effectiveness of static indicators of compromise (IOCs) and tool-based blocking strategies.

The Exfiltration Framework systematically normalizes behavioral and forensic characteristics of these tools, enabling cross-environment comparison independent of operating system, deployment model, or infrastructure domain.

By modeling execution context, parent-child process relationships, network communication patterns, artifact persistence, and destination characteristics, the framework exposes detection-relevant signals that remain stable even when tools are renamed, relocated, or operated within trusted infrastructure.

The analysis demonstrates that reliable detection requires correlation across endpoint, network, and cloud telemetry, with emphasis on behavioral baselining, contextual anomalies, and cumulative transfer analysis rather than protocol-level or allow-list–based controls.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-ransomware-exfiltration-playbook/

SAP Patches Critical FS-QUO, NetWeaver Vulnerabilities

Enterprise security firm SAP on Tuesday announced the release of 15 new security notes as part of its March 2026 Security Patch Day.

The most important of these notes resolves critical-severity vulnerabilities in Quotation Management Insurance (FS-QUO) and NetWeaver Enterprise Portal Administration. SAP describes the FS-QUO bug, tracked as CVE-2019-17571 (CVSS score of 9.8), as a code injection issue.

Initially disclosed in December 2019, it is a deserialization of untrusted data defect in Apache Log4j that could allow remote attackers to execute arbitrary code under certain conditions.

The second critical-severity bug, tracked as CVE-2026-27685 (CVSS score of 9.1), is another deserialization of untrusted data issue.

It could allow attackers to upload untrusted data that, when deserialized, could lead to code execution, denial-of-service (DoS) conditions, or privilege escalation.

Source: Securityweek

Link: https://www.securityweek.com/sap-patches-critical-fs-quo-netweaver-vulnerabilities/

NIST updates its DNS security guidance for the first time in over a decade

DNS infrastructure underpins nearly every network connection an organization makes, yet security configurations for it have gone largely unrevised at the federal guidance level for more than twelve years. NIST published SP 800-81r3, the Secure Domain Name System Deployment Guide, superseding a version that dates to 2013.

The document covers three main areas: using DNS as an active security control, securing the DNS protocol itself, and protecting the servers and infrastructure that run DNS services. It is directed at two groups: cybersecurity executives and decision-makers, and the operational networking and security teams who configure and maintain DNS environments.

Source: Helpnet security / NIST Special Publication 800

Link: https://www.helpnetsecurity.com/2026/03/23/nist-dns-security-guide-sp-800-81r3/

Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.pdf

Threat Newsletter Week 9

Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild.

The vulnerabilities in question are listed below –

CVE-2026-20122 (CVSS score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system.
CVE-2026-20128 (CVSS score: 5.5) – An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system.

Patches for the security defects, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month in the following versions –

Earlier than Version 20.91 – Migrate to a fixed release.

Version 20.9 – Fixed in 20.9.8.2
Version 20.11 – Fixed in 20.12.6.1
Version 20.12 – Fixed in 20.12.5.3 and 20.12.6.1
Version 20.13 – Fixed in 20.15.4.2
Version 20.14 – Fixed in 20.15.4.2
Version 20.15 – Fixed in 20.15.4.2
Version 20.16 – Fixed in 20.18.2.1
Version 20.18 – Fixed in 20.18.2.1

„In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only,“ the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it.

Source: The hacker news / Bleeping computer / Dark reading / Securityweek / CISCO Talos intelligence group

Link: https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html

Link: https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

Link: https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/

Link: https://www.darkreading.com/vulnerabilities-threats/cisco-sd-wan-zero-day-exploitation-3-years

Link: https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

Link: https://www.securityweek.com/cisco-patches-catalyst-sd-wan-zero-day-exploited-by-highly-sophisticated-hackers/

Link: https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/

Link: https://blog.talosintelligence.com/uat-8616-sd-wan/

Where Multi-Factor Authentication Stops and Credential Abuse Starts

Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but coverage.

Enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger MFA prompts. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack.

Source: The hacker news

Link: https://thehackernews.com/2026/03/where-multi-factor-authentication-stops.html

Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1

Google said it identified a „new and powerful“ exploit kit dubbed Coruna (aka CryptoWaters) targeting Apple iPhone models running iOS versions between 13.0 and 17.2.1.

The exploit kit featured five full iOS exploit chains and a total of 23 exploits, Google Threat Intelligence Group (GTIG) said. It’s not effective against the latest version of iOS. The findings were first reported by WIRED.

„The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses,“ according to GTIG. „The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks.“

The kit is said to have circulated among multiple threat actors since February 2025, moving from a commercial surveillance operation to a government-backed attacker, and finally, to a financially motivated threat actor operating from China by December.

It’s currently not known how the exploit kit changed hands, but the findings point to an active market for second-hand zero-day exploits, allowing other threat actors to reuse them for their own objectives. In a related report, iVerify said the exploit kit has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html

Link: https://www.securityweek.com/nation-state-ios-exploit-kit-coruna-found-powering-global-attacks/

Link: https://www.securityweek.com/cisa-adds-ios-flaws-from-coruna-exploit-kit-to-kev/

CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw impacting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.

The high-severity vulnerability, CVE-2026-22719 (CVSS score: 8.1), has been described as a case of command injection that could allow an unauthenticated attacker to execute arbitrary commands.

„A malicious unauthenticated actor may exploit this issue to execute arbitrary commands, which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress,“ the company said in an advisory released late last month.

Source: The hacker news / Broadcom security advisory / Bleeping computer / Dark reading / Securityweek

Link: https://thehackernews.com/2026/03/cisa-adds-actively-exploited-vmware.html

Link: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947

Link: https://www.bleepingcomputer.com/news/security/cisa-flags-vmware-aria-operations-rce-flaw-as-exploited-in-attacks/

Link: https://www.darkreading.com/cloud-security/vmware-aria-operations-bug-exploited-cloud-risk

Link: https://www.securityweek.com/vmware-aria-operations-vulnerability-could-allow-remote-code-execution/

Link: https://www.securityweek.com/vmware-aria-operations-vulnerability-exploited-in-the-wild/

SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

SolarWinds has released updates to address four critical security flaws in its Serv-U file transfer software that, if successfully exploited, could result in remote code execution.

The vulnerabilities, all rated 9.1 on the CVSS scoring system, are listed below –

CVE-2025-40538 – A broken access control vulnerability that allows an attacker to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges.
CVE-2025-40539 – A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
CVE-2025-40540 – A type confusion vulnerability that allows an attacker to execute arbitrary native code as root.
CVE-2025-40541 – An insecure direct object reference (IDOR) vulnerability that allows an attacker to execute native code as root.

SolarWinds noted that the vulnerabilities require administrative privileges for successful exploitation. It also said that they carry a medium security risk on Windows deployments as the services „frequently run under less-privileged service accounts by default.“

The four shortcomings affect SolarWinds Serv-U version 15.5. They have been addressed in SolarWinds Serv-U version 15.5.4.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2026/02/solarwinds-patches-4-critical-serv-u.html

Link: https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/

Link: https://www.securityweek.com/solarwinds-patches-four-critical-serv-u-vulnerabilities/

From Exposure to Exploitation: How AI Collapses Your Response Window

We’ve all seen this before: a developer deploys a new cloud workload and grants overly broad permissions just to keep the sprint moving. An engineer generates a „temporary“ API key for testing and forgets to revoke it. In the past, these were minor operational risks, debts you’d eventually pay down during a slower cycle.

But today, within minutes, AI-powered adversarial systems can find that over-permissioned workload, map its identity relationships, and calculate a viable route to your critical assets. Before your security team has even finished their morning coffee, AI agents have simulated thousands of attack sequences and moved toward execution.

AI compresses reconnaissance, simulation, and prioritization into a single automated sequence. The exposure you created this morning can be modeled, validated, and positioned inside a viable attack path before your team has lunch.

Source: The hacker news

Link: https://thehackernews.com/2026/02/from-exposure-to-exploitation-how-ai.html

Threat Newsletter Week 7-8

Cisco warns of max severity Secure FMC flaws giving root access

Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.

Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.

Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.

„An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device,“ the CVE-2026-20079 advisory reads.

Source: Bleeping computer / Securityweek / Infosecurity magazine / CISCO security advisory

Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-secure-fmc-flaws-giving-root-access/

Link: https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-enterprise-networking-products/

Link: https://www.infosecurity-magazine.com/news/cisco-issues-patches-48/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

CISA warns that RESURGE malware can be dormant on Ivanti devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released new details about RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 to breach Ivanti Connect Secure devices.

The update focuses on the implant’s undetected latency on the appliances and its „sophisticated network-level evasion and authentication techniques“ that enable covert communication with the attacker.

CISA originally documented the malware on March 28 last year, saying that it can survive reboots, create webshells for stealing credentials, create accounts, reset passwords, and escalate privileges.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-that-resurge-malware-can-be-dormant-on-ivanti-devices/

Zyxel warns of critical RCE flaw affecting over a dozen routers

Taiwan networking provider Zyxel has released security updates to address a critical vulnerability affecting over a dozen router models that can allow unauthenticated attackers to gain remote command execution on unpatched devices.

Tracked as CVE-2025-13942, this command injection security flaw was found in the UPnP function of Zyxel 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders.

Zyxel says that unauthenticated remote attackers can exploit it to execute operating system (OS) commands on an affected device using maliciously crafted UPnP SOAP requests.

However, CVE-2025-13942 attacks will likely be more limited than the severity rating suggests, as successful exploitation requires UPnP and WAN access to be enabled, with the latter disabled by default.

„It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled,“ Zyxel said. „Users are strongly advised to install the patches to maintain optimal protection.“

Source: Bleeping computer / Securityweek

Link: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

Link: https://www.securityweek.com/zyxel-patches-critical-vulnerability-in-many-device-models/

How AI Assistants are Moving the Security Goalposts

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted.

If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your entire digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp.

Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done.

Source: Krebs on security

Link: https://krebsonsecurity.com/2026/03/how-ai-assistants-are-moving-the-security-goalposts/#more-73278

New Dohdoor malware campaign targets education and health care

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as “UAT-10027,” delivering a previously undisclosed backdoor dubbed “Dohdoor.”

Dohdoor utilizes the DNS-over-HTTPS (DoH) technique for command-and-control (C2) communications and has the ability to download and execute other payload binaries reflectively.

UAT-10027 targeted victims in the education and health care sectors in the United States through a multi-stage attack chain.

Talos observed the actor misused various living-off-the-land executables (LOLBins) to sideload the Dohdoor and has set up the C2 infrastructure behind reputable cloud services, such as Cloudflare, to enable stealth C2 communication.

The campaign involves a multi-stage attack chain, where initial access is likely achieved through social engineering phishing techniques. The infection chain executes a PowerShell script that downloads and runs a Windows batch script from a remote staging server through a URL. Subsequently, the batch script facilitates the download of a malicious Windows dynamic-link library (DLL), which is disguised as a legitimate Windows DLL file.

The batch script then executes the malicious DLL dubbed as Dohdoor, by sideloading it to a legitimate Windows executable. Once activated, the Dohdoor employs the DNS-over-HTTPS (DoH) technique to resolve command-and-control (C2) domains within Cloudflare’s DNS service.

Utilizing the resolved IP address, it establishes an HTTPS tunnel to communicate with the Cloudflare edge network, which effectively serves as a front for the concealed C2 infrastructure. Dohdoor subsequently creates backdoored access into the victim’s environment, enabling the threat actor to download the next-stage payload directly into the victim machine’s memory and execute the potential Cobalt Strike Beacon payload, reflectively within legitimate Windows processes.

Source: CISCO Talos intelligence group

Link: https://blog.talosintelligence.com/new-dohdoor-malware-campaign/

People, Policies, and Purpose: Framing Acceptable Use and Human Behavior in Information Security

Many breaches don’t start with sophisticated hackers; they start with ordinary users doing ordinary things in unsafe ways. Let’s look at 3 ways to work toward helping people in our organizations understand better how to safeguard everyone’s information.

Because there are as many ways to create a policy as there are organizations – compounded with the numerous requirements from regulations – I won’t attempt to provide a one-size-fits-all policy for each of these. Part of the process of becoming a professional with policies is learning about all the options while also satisfying the requirements of your org. I’ve provided several links in the Resources section at the end of this article so you can check out options if you need inspiration or a headstart.

Source: Secjuice

Link: https://www.secjuice.com/people-policies-and-purpose-framing-acceptable-use-and-human-behavior-in-information-security/

Threat Newsletter Week 5-6

New Chrome Zero-Day (CVE-2026-2441) Under Active Attack — Patch Released

Google on Friday released security updates for its Chrome browser to address a security flaw that it said has been exploited in the wild.

The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS. Security researcher Shaheen Fazim has been credited with discovering and reporting the shortcoming on February 11, 2026.

„Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,“ according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).

Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted, but it acknowledged that „an exploit for CVE-2026-2441 exists in the wild.“

Source: The hacker news / Bleeping computer / Securityweek / Chrome releases blog

Link: https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html

Link: https://www.bleepingcomputer.com/news/security/google-patches-first-chrome-zero-day-exploited-in-attacks-this-year/

Link: https://www.securityweek.com/google-patches-first-actively-exploited-chrome-zero-day-of-2026/

Link: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html

Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Other Devices

Apple on Wednesday released iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates to address a zero-day flaw that it said has been exploited in sophisticated cyber attacks.

The vulnerability, tracked as CVE-2026-20700 (CVSS score: 7.8), has been described as a memory corruption issue in dyld, Apple’s Dynamic Link Editor. Successful exploitation of the vulnerability could allow an attacker with memory write capability to execute arbitrary code on susceptible devices. Google Threat Analysis Group (TAG) has been credited with discovering and reporting the bug.

„Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,“ the company said in an advisory. „CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.“

It’s worth noting that both CVE-2025-14174 and CVE-2025-43529 were addressed by Cupertino in December 2025, with the former first disclosed by Google as having been exploited in the wild. CVE-2025-14174 (CVSS score: 8.8) relates to an out-of-bounds memory access in ANGLE’s Metal renderer component. Metal is a high-performance hardware-accelerated graphics and compute API developed by Apple.

Source: The hacker news / Bleeping computer / Securityweek / SANS internet storm center

Link: https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html

Link: https://www.bleepingcomputer.com/news/security/apple-fixes-zero-day-flaw-used-in-extremely-sophisticated-attacks/

Link: https://www.securityweek.com/apple-patches-ios-zero-day-exploited-in-extremely-sophisticated-attack/

Link: https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20February%202026/32706%E2%80%A8

Microsoft Patches 59 Vulnerabilities Including Six Actively Exploited Zero-Days

Microsoft on Tuesday released security updates to address a set of 59 flaws across its software, including six vulnerabilities that it said have been exploited in the wild.

Of the 59 flaws, five are rated Critical, 52 are rated Important, and two are rated Moderate in severity. Twenty-five of the patched vulnerabilities have been classified as privilege escalation, followed by remote code execution (12), spoofing (7), information disclosure (6), security feature bypass (5), denial-of-service (3), and cross-site scripting (1).

It’s worth noting that the patches are in addition to three security flaws that Microsoft has addressed in its Edge browser since the release of the January 2026 Patch Tuesday update, including a Moderate vulnerability impacting the Edge browser for Android (CVE-2026-0391, CVSS score: 6.5) that could allow an unauthorized attacker to perform spoofing over a network by taking advantage of a „user interface misrepresentation of critical information.“

Topping the list of this month’s updates are six vulnerabilities that have been flagged as actively exploited –

CVE-2026-21510 (CVSS score: 8.8) – A protection mechanism failure in Windows Shell that allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21513 (CVSS score: 8.8) – A protection mechanism failure in MSHTML Framework that allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21514 (CVSS score: 7.8) – A reliance on untrusted inputs in a security decision in Microsoft Office Word that allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-21519 (CVSS score: 7.8) – An access of resource using incompatible type (‚type confusion‘) in the Desktop Window Manager that allows an authorized attacker to elevate privileges locally.
CVE-2026-21525 (CVSS score: 6.2) – A null pointer dereference in Windows Remote Access Connection Manager that allows an unauthorized attacker to deny service locally.
CVE-2026-21533 (CVSS score: 7.8) – An improper privilege management in Windows Remote Desktop that allows an authorized attacker to elevate privileges locally.

Microsoft’s own security teams and Google Threat Intelligence Group (GTIG) have been credited with discovering and reporting the first three flaws, which have been listed as publicly known at the time of release. There are currently no details on how the vulnerabilities are being exploited, and if they were weaponized as part of the same campaign.

Source: The hacker news / Bleeping computer / Krebs on security / Securityweek / CISCO Talos intelligence group / Dark reading / SANS internet storm center

Link: https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/

Link: https://krebsonsecurity.com/2026/02/patch-tuesday-february-2026-edition/

Link: https://www.securityweek.com/6-actively-exploited-zero-days-patched-by-microsoft-with-february-2026-updates/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-february-2026/

Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days

Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20-%20February%202026/32700

Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution

Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.

„An improper neutralization of special elements used in an SQL Command (‚SQL Injection‘) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,“ Fortinet said in an advisory.

The shortcoming affects the following versions –

FortiClientEMS 7.2 (Not affected)
FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
FortiClientEMS 8.0 (Not affected)

Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw.

Source: The hacker news / Securityweek / Fortinet PSIRT blog

Link: https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html

Link: https://www.securityweek.com/fortinet-patches-high-severity-vulnerabilities/

Link: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

Microsoft Warns of ClickFix Attack Abusing DNS Lookups

Microsoft has warned users that threat actors are leveraging a new variant of the ClickFix technique to deliver malware. The ClickFix attack method has been increasingly used in the past year by both cybercriminals and state-sponsored threat groups.

The attack involves attackers displaying a fake error message on a compromised or malicious site. The message instructs the target to address the issue by pressing specific keys, then performing additional steps (eg, running a command). By following the attacker’s instructions, the user unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts.

In a recent ClickFix attack observed by Microsoft the attacker asked targets to run a command that executes a custom DNS lookoup.

Source: Securityweek

Link: https://www.securityweek.com/microsoft-warns-of-clickfix-attack-abusing-dns-lookups/

From Extension to Infection: An In-Depth Analysis of the Evelyn Stealer Campaign Targeting Software Developers

Analysis of the Evelyn Stealer campaign targeting software developers shows that threat actors are weaponizing the Visual Studio Code (VSC) extension ecosystem to deploy a multistage, information-stealing malware. The malware is designed to exfiltrate sensitive information, including developer credentials and cryptocurrency-related data. Compromised developer environments can also be abused as access points into broader organizational systems.

This activity affects organizations with software development teams that rely on VSC and third-party extensions as well as those with access to production systems, cloud resources, or digital assets.

Source: Trendmicro blog

Link: https://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html

Security Governance & Leadership

Security programs shouldn’t be tied to a specific tool or control. They need someone to own the risk. Firewalls expire, policies gather dust, controls erode, not because of maliciousness or incompetence, but because governance was either not firmly established, or because it lost accountability.

Source: Secjuice

Link: https://www.secjuice.com/security-governance-leadership/

Threat Newsletter Week 3-4

Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata

Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon, an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data.

The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by Docker with the release of version 4.50.0 in November 2025.

„In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP [Model Context Protocol] Gateway, which then executes it through MCP tools,“ Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.

„Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture.“

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2026/02/docker-fixes-critical-ask-gordon-ai.html

Link: https://www.securityweek.com/dockerdash-flaw-in-docker-ai-assistant-leads-to-rce-data-theft/

Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos

Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.

The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.

„NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,“ Mariam Gewida, Technical Program Manager II at Microsoft, explained. „However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.“

Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.

Source: The hacker news / Securityweek / Windows IT PRO blog

Link: https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html

Link: https://www.securityweek.com/microsoft-moves-closer-to-disabling-ntlm/

Link: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526

Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.

The critical-severity vulnerabilities are listed below –

CVE-2026-1281 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
CVE-2026-1340 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution

However, it bears noting that the RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.

Source: The hacker news / Bleeping computer / Securityweek / Ivanti security advisory

Link: https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html

Link: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/

Link: https://www.securityweek.com/ivanti-patches-exploited-epmm-zero-days/

Link: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US

SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).

The list of vulnerabilities is as follows –

CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the „client“ user account
CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk

While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.

Source: The hacker news / Bleeping computer / Securityweek / Infosecurity magazine / horizon3 blog

Link: https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html

Link: https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

Link: https://www.bleepingcomputer.com/news/security/cisa-flags-critical-solarwinds-rce-flaw-as-actively-exploited/

Link: https://www.securityweek.com/solarwinds-patches-critical-web-help-desk-vulnerabilities/

Link: https://www.securityweek.com/fresh-solarwinds-vulnerability-exploited-in-attacks/

Link: https://www.infosecurity-magazine.com/news/solarwinds-web-help-desk/

Link: https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

Threat Newsletter Week 2-3

Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex

Cisco has released fresh patches to address what it described as a „critical“ security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild.

The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.

„This vulnerability is due to improper validation of user-supplied input in HTTP requests,“ Cisco said in an advisory. „An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.“

The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added.

Source: The hacker news / Bleeping computer / Helpnet security / CISCO security advisory

Link: https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html

Link: https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/

Link: https://www.helpnetsecurity.com/2026/01/21/cisco-enterprise-communications-cve-2026-20045/

Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.

The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

However, for the attack to work, three conditions must be met –

The appliance is running a vulnerable release of Cisco AsyncOS Software
The appliance is configured with the Spam Quarantine feature
The Spam Quarantine feature is exposed to and reachable from the internet

Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge. The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.

Source: The hacker news / Bleeping computer / Securityweek

Link: https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html

Link: https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/

Link: https://www.securityweek.com/cisco-patches-vulnerability-exploited-by-chinese-hackers/

Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login

Palo Alto Networks has released security updates for a high-severity security flaw impacting GlobalProtect Gateway and Portal, for which it said there exists a proof-of-concept (PoC) exploit.

The vulnerability, tracked as CVE-2026-0227 (CVSS score: 7.7), has been described as a denial-of-service (DoS) condition impacting GlobalProtect PAN-OS software arising as a result of an improper check for exceptional conditions (CWE-754)

„A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial-of-service (DoS) to the firewall,“ the company said in an advisory released Wednesday. „Repeated attempts to trigger this issue result in the firewall entering into maintenance mode.“

The issue, discovered and reported by an unnamed external researcher, affects the following versions –

PAN-OS 12.1 < 12.1.3-h3, < 12.1.4
PAN-OS 11.2 < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2
PAN-OS 11.1 < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13
PAN-OS 10.2 < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1
PAN-OS 10.1 < 10.1.14-h20
Prisma Access 11.2 < 11.2.7-h8
Prisma Access 10.2 < 10.2.10-h29

Palo Alto Networks also clarified that the vulnerability is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal. The company’s Cloud Next-Generation Firewall (NGFW) is not impacted. There are no workarounds to mitigate the flaw.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html

Link: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/

Exploit code public for critical FortiSIEM command injection flaw

Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet’s Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.

The vulnerability is tracked as CVE-2025-64155, and is a combination of two issues that permit arbitrary write with admin permissions and privilege escalation to root access.

Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025, but it was only fixed on January 13, 2026.

Fortinet describes the CVE-2025-64155 vulnerability as „an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.“

Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.

Source: Bleeping computer / Securityweek

Link: https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/

Link: https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-fortinet-fortisiem-vulnerability-in-attacks/

Link: https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution

Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.

The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.

„An improper neutralization of special elements used in an OS command (‚OS command injection‘) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,“ the company said in a Tuesday bulletin.

Fortinet said the vulnerability affects only Super and Worker nodes, and that it has been addressed in the following versions –

FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
FortiSIEM 7.5 (Not affected)
FortiSIEM Cloud (Not affected)

Horizon3.ai security researcher Zach Hanley, who is credited with discovering and reporting the flaw on August 14, 2025, said it comprises two moving parts –

An unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user

A file overwrite privilege escalation vulnerability that leads to root access and complete compromise of the appliance

Specifically, the problem has to do with how FortiSIEM’s phMonitor service – a crucial backend process responsible for health monitoring, task distribution, and inter-node communication via TCP port 7900 – handles incoming requests related to logging security events to Elasticsearch.

Source: The hacker news / Dark reading

Link: https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

Link: https://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited

Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.

Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.

These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, 3.1) and a case of insufficient policy enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).

The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw.

„Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally,“ Microsoft said in an advisory. „The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory.“

There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity.

Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center

Link: https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/

Link: https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/

Link: https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day

Link: https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/

Link: https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation

ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.

The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.

„This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,“ the company said in an advisory released Monday.

The shortcoming was addressed by ServiceNow on October 30, 2025, by deploying a security update to the majority of hosted instances, with the company also sharing the patches with ServiceNow partners and self-hosted customers.

The following versions include a fix for CVE-2025-12420 –

Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later
Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later

ServiceNow credited Aaron Costello, chief of SaaS Security Research at AppOmni, with discovering and reporting the flaw in October 2025. While there is no evidence that the vulnerability has been exploited in the wild, users are advised to apply an appropriate security update as soon as possible to mitigate potential threats.

Source: The hacker news / Dark reading

Link: https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html

Link: https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow

MITRE Launches New Security Framework for Embedded Systems

MITRE on Tuesday announced the launch of Embedded Systems Threat Matrix (ESTM), a cybersecurity framework designed to help organizations protect critical embedded systems.

Inspired by the popular ATT&CK framework and derived from MITRE’s theoretical research and proof-of-concept models, the ESTM categorizes specific attack tactics and techniques tailored to hardware and firmware environments.

The model maps both established and emerging attack vectors to assist organizations in identifying vulnerabilities within embedded architectures.

MITRE says the framework can be used in industries such as energy, robotics, industrial controls, transportation, and healthcare.

“The ESTM has proven valuable in various applications, including cyber threat modeling and attack path analysis, and its alignment with established cybersecurity frameworks ensures seamless integration with existing security practices,” MITRE says on its website.

The non-profit R&D organization also points out that ESTM works with the EMB3D Threat Model.

Source: Securityweek

Link: https://www.securityweek.com/mitre-launches-new-security-framework-for-embedded-systems/

Oracle’s First 2026 CPU Delivers 337 New Security Patches

Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.

There appear to be roughly 230 unique CVEs in Oracle’s January 2026 CPU advisory.

More than two dozen of the fresh fixes resolve critical-severity vulnerabilities and over 235 patches address flaws that are remotely exploitable without authentication.

Roughly half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical defect in Apache Tika that could lead to XML External Entity (XXE) injection attacks.

Impacting three modules of Apache Tika, the vulnerability can be exploited by placing crafted XFA files inside PDF documents.

Oracle products that received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware, and PeopleSoft.

Once again, Oracle Communications received the largest number of security fixes, at 56. Of these 34 resolve bugs that can be exploited by remote, unauthenticated attackers.

Source: Securityweek / Oracle security advisory

Link: https://www.securityweek.com/oracles-first-2026-cpu-delivers-337-new-security-patches/

Link: https://www.oracle.com/security-alerts/cpujan2026.html#AppendixFMW

Adobe Patches Critical Apache Tika Bug in ColdFusion

Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.

The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.

The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).

On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that all ColdFusion 2025 Update 5 and earlier versions, and ColdFusion 2023 Update 17 and earlier versions are affected, on all platforms.

The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has slapped a priority rating of ‘1’ on the security bulletin, urging users to update as soon as possible.

Another Adobe product that received an update on January 2026 Patch Tuesday is Dreamweaver. The security refresh resolves five high-severity flaws, four leading to arbitrary code execution and one leading to arbitrary system file write.

Source: Securityweek

Link: https://www.securityweek.com/adobe-patches-critical-apache-tika-bug-in-coldfusion/

SAP’s January 2026 Security Updates Patch Critical Vulnerabilities

Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities.

The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA.

The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug.

“This SQL statement is provided through an input parameter and allows an attacker to execute arbitrary SQL commands. On successful exploitation, the system can be fully compromised,” the security firm notes.

The second critical bug that SAP addressed on Tuesday is CVE-2026-0500 (CVSS score of 9.6), a remote code execution (RCE) issue in Wily Introscope Enterprise Manager.

According to Onapsis, the application allows unauthenticated attackers to craft malicious JNLP (Java Network Launch Protocol) files that can be accessed via URLs.

Source: Securityweek

Link: https://www.securityweek.com/saps-january-2026-security-updates-patch-critical-vulnerabilities/

SCANT: A (kind-of-decent) Framework for Ethical Deepfake Creation & Distribution

Lots of damage has been done with AI, and to keep from deep-sixing the forward-leaning tone I want in this article, I’ll refrain from noting any details – the internet is available for you to search to your heart’s content. I want to start with that note because how we use AI is not just an option, like whether we want a cinnamon roll or a bagel at breakfast. AI use has meaning – whether it’s dark or not depends on each of us.

Source: Secjuice

Link: https://www.secjuice.com/scant-framework-for-ethical-deepfake-creation-distribution/

Threat Newsletter Week 49-50

Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.

„RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,“ CISA said in an alert.

The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

Source: The hacker news

Link: https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html

Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.

Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.

In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It’s the third time it has done so since Patch Tuesday’s inception.

The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).

The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.

„File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,“ Adam Barnett, lead software engineer at Rapid7, said in a statement. „Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.“

Source: The hacker news / Dark reading / Krebs on security / Securityweek / CISCO Talos intelligence group / Infosecurity magazine / SANS internet storm center

Link: https://thehackernews.com/2025/12/microsoft-issues-security-fixes-for-56.html

Link: https://www.darkreading.com/application-security/microsoft-fixes-exploited-zero-day-light-patch-tuesday

Link: https://krebsonsecurity.com/2025/12/microsoft-patch-tuesday-december-2025-edition/

Link: https://www.securityweek.com/microsoft-patches-57-vulnerabilities-three-zero-days/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-december-2025/

Link: https://www.infosecurity-magazine.com/news/microsoft-three-zerodays-patch/

Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550

Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.

The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).

„An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,“ Fortinet said in an advisory.

The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle „Allow administrative login using FortiCloud SSO“ in the registration page.

Source: The hacker news / Securityweek

Link: https://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html

Link: https://www.securityweek.com/ivanti-epm-update-patches-critical-remote-code-execution-flaw/

Link: https://www.securityweek.com/sap-patches-critical-vulnerabilities-with-december-2025-security-updates/

Link: https://www.securityweek.com/fortinet-patches-critical-authentication-bypass-vulnerabilities/

Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.

The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.

„Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,“ CISA said in an advisory.

The problem stems from insecure deserialization in the library’s Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.

Source: The hacker news / Securityweek / Infosecurity magazine / Cloudflare blog / AWS security blog

Link: https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html

Link: https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/

Link: https://www.securityweek.com/exploitation-of-react2shell-surges/

Link: https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/

Link: https://blog.cloudflare.com/5-december-2025-outage/

Link: https://aws.amazon.com/de/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.

The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.

„Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,“ according to an advisory for the vulnerability.

It affects the following Maven packages –

org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)

XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even, achieve remote code execution.

Source: The hacker news / Dark reading / Securityweek

Link: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html

Link: https://www.darkreading.com/application-security/apache-max-severity-tika-cve-patch-miss

Link: https://www.securityweek.com/critical-apache-tika-vulnerability-leads-to-xxe-injection/

Building SOX compliance through smarter training and stronger password practices

A SOX audit can reveal uncomfortable truths about how a company handles access to financial systems. Even organizations that invest in strong infrastructure often discover that everyday password habits weaken the controls they thought were solid. CISOs know that passwords still sit at the center of most access decisions, and any weakness in how people create, store or share them can undermine internal control over financial reporting.

Source: Helpnet security

Link: https://www.helpnetsecurity.com/2025/12/10/sox-compliance-password-practices/

Threat Newsletter Week 47-48

CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.

Link: https://thehackernews.com/2025/11/cisa-warns-of-actively-exploited.html

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-manager-rce-flaw-is-being-actively-exploited/

Link: https://www.securityweek.com/cisa-confirms-exploitation-of-recent-oracle-identity-manager-vulnerability/

Link: https://www.darkreading.com/vulnerabilities-threats/critical-flaw-oracle-identity-manager-under-exploitation

Link: https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20Observation%20from%20September%20%28CVE-2025-61757%29/32506

Link: https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/

New SonicWall SonicOS flaw allows hackers to crash firewalls

American cybersecurity company SonicWall urged customers today to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.

Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.

„A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,“ SonicWall said.

„SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public and malicious use of this vulnerability has not been reported to SonicWall.“

However, the company added that its Gen6 firewalls, as well as the SMA 1000 and SMA 100 series SSL VPN products, are not vulnerable to attacks potentially targeting this vulnerability.

Source: Bleeping computer | Securityweek | SonicWall psirt

Link: https://www.bleepingcomputer.com/news/security/new-sonicwall-sonicos-flaw-allows-hackers-to-crash-firewalls/

Link: https://www.securityweek.com/sonicwall-patches-high-severity-flaws-in-firewalls-email-security-appliance/

Link: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.

„The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,“ AhnLab Security Intelligence Center (ASEC) said in a report published last week. „They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.“

ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a „masterpiece of privately sold malware in Chinese espionage.“

Source: The hacker news | hawktrace

Link: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html

Link: https://hawktrace.com/blog/CVE-2025-59287-UNAUTH

3 SOC Challenges You Need to Solve Before 2026

2026 will mark a pivotal shift in cybersecurity. Threat actors are moving from experimenting with AI to making it their primary weapon, using it to scale attacks, automate reconnaissance, and craft hyper-realistic social engineering campaigns.

Source: The hacker news

Link: https://thehackernews.com/2025/11/3-soc-challenges-you-need-to-solve.html

When Your $2M Security Detection Fails: Can your SOC Save You?

Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors.

As a result, most organizations‘ security investments are asymmetrical, robust detection tools paired with an under-resourced SOC, their last line of defense.

A recent case study demonstrates how companies with a standardized SOC prevented a sophisticated phishing attack that bypassed leading email security tools. In this case study, a cross-company phishing campaign targeted C-suite executives at multiple enterprises. Eight different email security tools across these organizations failed to detect the attack, and phishing emails reached executive inboxes. However, each organization’s SOC team detected the attack immediately after employees reported the suspicious emails.

Source: The hacker news

Link: https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html

Recent 7-Zip Vulnerability Exploited in Attacks

Threat actors are exploiting a recently patched 7-Zip vulnerability that leads to remote code execution (RCE), NHS England warns.

The bug, tracked as CVE-2025-11001 (CVSS score of 7.0), is described as a file parsing directory traversal issue, and requires user interaction for successful exploitation.

The flaw impacts 7-Zip’s handling of symbolic links in ZIP files, as crafted data could be used to traverse to unintended directories during processing.

“An attacker can leverage this vulnerability to execute code in the context of a service account,” a Trend Micro Zero Day Initiative (ZDI) advisory reads. According to ZDI, attack vectors depend on implementation.

Ryota Shiga of GMO Flatt Security was credited for finding this security defect and an identical vulnerability tracked as CVE-2025-11002.

Source: Securityweek

Link: https://www.securityweek.com/recent-7-zip-vulnerability-exploited-in-attacks/

Four-Step Intelligence Model for Decision Making

The OODA loop is a four-step model used in intelligence for decision making that involves analyzing information and acting on it. In this article, I explain the roots of its history, its applications in combat operations, and how it can be utilized for time-sensitive decision making processes in cybersecurity, including other areas of our lives.

Source: Secjuice

Link: https://www.secjuice.com/time-sensitive-decision-making-with-the-ooda-loop-model/

Threat Newsletter Week 46

Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs.

The patches are in addition to the 27 vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of October 2025’s Patch Tuesday update.

The zero-day vulnerability that has been listed as exploited in Tuesday’s update is CVE-2025-62215 (CVSS score: 7.0), a privilege escalation flaw in Windows Kernel. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the issue.

„Concurrent execution using shared resource with improper synchronization (‚race condition‘) in Windows Kernel allows an authorized attacker to elevate privileges locally,“ the company said in an advisory.

That said, successful exploitation hinges on an attacker who has already gained a foothold on a system to win a race condition. Once this criterion is satisfied, it could permit the attacker to obtain SYSTEM privileges.

Source: The hacker news / Bleeping computer / Securityweek / CISCO Talos intelligence group / Dark reading / Helpnet security / Infosecurity magazine / SANS internet storm center

Link: https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-patch-tuesday-fixes-1-zero-day-63-flaws/

Link: https://www.securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/

Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/

Link: https://www.darkreading.com/vulnerabilities-threats/patch-now-microsoft-zero-day-critical-zero-click-bugs

Link: https://www.helpnetsecurity.com/2025/11/12/patch-tuesday-microsoft-cve-2025-62215/

Link: https://www.infosecurity-magazine.com/news/microsoft-windows-kernel-zero-day/

Link: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/

Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws

Amazon’s threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware.

„This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks,“ CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.

The attacks were flagged by its MadPot honeypot network, with the activity weaponizing the following two vulnerabilities –

CVE-2025-5777 or Citrix Bleed 2 (CVSS score: 9.3) – An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025)
CVE-2025-20337 (CVSS score: 10.0) – An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root. (Fixed by Cisco in July 2025)

While both shortcomings have come under active exploitation in the wild, the report from Amazon sheds light on the exact nature of the attacks leveraging them.

Source: The hacker news / Securityweek / Dark reading / AWS blog

Link: https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html

Link: https://www.securityweek.com/cisco-ise-citrixbleed-2-vulnerabilities-exploited-as-zero-days-amazon/

Link: https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-cisco-zero-day-bugs

Link: https://aws.amazon.com/de/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/

Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security

Active Directory remains the authentication backbone for over 90% of Fortune 1000 companies. AD’s importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity. Every application, user, and device traces back to AD for authentication and authorization, making it the ultimate target. For attackers, it represents the holy grail: compromise Active Directory, and you can access the entire network.

AD serves as the gatekeeper for everything in your enterprise. So, when adversaries compromise AD, they gain privileged access that lets them create accounts, modify permissions, disable security controls, and move laterally, all without triggering most alerts.

The 2024 Change Healthcare breach showed what can happen when AD is compromised. In this attack, hackers exploited a server lacking multifactor authentication, pivoted to AD, escalated privileges, and then executed a highly costly cyberattack. Patient care came to a screeching halt. Health records were exposed. The organization paid millions in ransom.

Once attackers control AD, they control your entire network. And standard security tools often struggle to detect these attacks because they look like legitimate AD operations.

Source: The hacker news

Link: https://thehackernews.com/2025/11/active-directory-under-siege-why.html

Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362

Cisco on Wednesday disclosed that it became aware of a new attack variant that’s designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.

„This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions,“ the company said in an updated advisory, urging customers to apply the updates as soon as possible.

Both vulnerabilities were disclosed in late September 2025, but not before they were exploited as zero-day vulnerabilities in attacks delivering malware such as RayInitiator and LINE VIPER, according to the U.K. National Cyber Security Centre (NCSC).

While successful exploitation of CVE-2025-20333 allows an attacker to execute arbitrary code as root using crafted HTTP requests, CVE-2025-20362 makes it possible to access a restricted URL without authentication.

Source: The hacker news / Bleeping computer

Link: https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html

Link: https://www.bleepingcomputer.com/news/security/cisa-warns-feds-to-fully-patch-actively-exploited-cisco-flaws/

Link: https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/

SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor

SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.

The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.

„SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,“ reads the description for the flaw.

Depending on how they are used, an attacker who obtains the credentials can use them to acceess administrative functions. SQL Anywhere Monitor is a database monitoring and alert tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.

Source: Bleeping computer / Securityweek / Onapsis SAP security notes

Link: https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/

Link: https://www.securityweek.com/sap-patches-critical-flaws-in-sql-anywhere-monitor-solution-manager/

Link: https://onapsis.com/blog/sap-security-patch-day-november-2025/

Adobe Patches 29 Vulnerabilities

Adobe’s latest round of Patch Tuesday updates addresses 29 vulnerabilities across the company’s InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins products.

Critical vulnerabilities that can be exploited for arbitrary code execution have been addressed in InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, and Format Plugins. A critical security bypass issue has been resolved in Pass. It’s worth noting that Adobe assigns a ‘critical’ severity to issues that, based on their CVSS score, have a ‘high’ severity rating. Adobe says there is no evidence that the vulnerabilities patched this month have been exploited in the wild.

The company has assigned a priority rating of ‘3’ to all of the bugs, which indicates that malicious exploitation is not expected. However, users were warned recently that a critical flaw in Adobe Commerce had been exploited to hack ecommerce websites.

Source: Securityweek

Link: https://www.securityweek.com/adobe-patches-29-vulnerabilities/

ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Rockwell, Aveva, Schneider

Industrial giants Siemens, Schneider Electric, Rockwell Automation, and Aveva have released Patch Tuesday advisories informing customers about vulnerabilities in their ICS/OT products.

Siemens published six new advisories. One of them covers two vulnerabilities in the Comos plant engineering software, including a critical code execution flaw, and a high-severity security bypass issue. Vulnerabilities have also been addressed in Siemens Solid Edge (remote MitM, code execution), Altair Grid Engine (code execution), Logo! 8 BM (code execution, DoS, settings tampering), and Sicam P850 (CSRF) products.

Rockwell Automation published five new advisories on November 11, each covering high-severity vulnerabilities found in various products. The company informed customers of its Verve Asset Manager OT security platform that the product is affected by a high-severity access control issue that allows unauthorized read-only users to tamper with other user accounts via an API.

Source: Securityweek

Link: https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-rockwell-aveva-schneider/

Threat Newsletter Week 45

CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system.

„Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability,“ CISA said in an alert. „A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.“

Quelle: The hacker news / Bleeping Computer / Security Week / Broadcom

Link: https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html

Link: https://www.securityweek.com/cisa-adds-exploited-xwiki-vmware-flaws-to-kev-catalog/

Link: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-vmware-tools-flaw-exploited-since-october-2024/

Link: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.

„By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,“ CISA said.

The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

Quelle: The hacker news / Bleeping Computer / NSA Guidance / SANS internet storm center

Link: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html

Link: https://www.bleepingcomputer.com/news/security/cisa-and-nsa-share-tips-on-securing-microsoft-exchange-servers/

Link: https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d

Link: https://isc.sans.edu/diary/Scans+for+Port+85308531+TCP+Likely+related+to+WSUS+Vulnerability+CVE202559287/32440

The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations

Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign.

Addressing the root cause of these blind spots and alert fatigue isn’t as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus – missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits.

While all of these tools are effective in their own right, they often fail because of the reality that attackers don’t employ just one attack technique, exploit just one type of exposure or weaponize a single CVE when breaching an environment. Instead, attackers chain together multiple exposures, utilizing known CVEs where helpful, and employing evasion techniques to move laterally across an environment and accomplish their desired goals. Individually, traditional security tools may detect one or more of these exposures or IoCs, but without the context derived from a deeply integrated continuous exposure management program, it can be nearly impossible for security teams to effectively correlate otherwise seemingly disconnected signals.

Quelle: The hacker news

Link: https://thehackernews.com/2025/11/the-evolution-of-soc-operations-how.html

Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching

An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.

KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies‘ findings, warning IT admins of the increased risk given that a PoC exploit is already available.

Days later, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems after adding it to its catalog of security flaws that have been abused in attacks. The Shadowserver Internet watchdog group is now tracking over 2,600 WSUS instances with the default ports (8530/8531) exposed online, although it didn’t share how many have already been patched.

Quelle: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/

Microsoft: October Windows updates trigger BitLocker recovery

Microsoft has warned that some systems may boot into BitLocker recovery after installing the October 2025 Windows security updates.

BitLocker is a Windows security feature that encrypts storage drives to block data theft attempts. Windows computers typically enter BitLocker recovery mode after hardware changes or Trusted Platform Module (TPM) updates to regain access to protected drives.

According to a service alert seen by BleepingComputer, Microsoft stated that the bug primarily impacts Intel devices with support for Connected Standby (now known as Modern Standby), which enables the PC to remain connected to the network while in low-power mode.

Quelle: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-october-windows-updates-trigger-bitlocker-recovery/