Cybersecurity News and Vulnerability Aggregator

r/netsec • Just now

New

The speaker lineup is set, and the CTF challenges are ready... Register to join us for 10 days of programming designed to learn something new, test your skills, and network with the US Cyber Games community! This virtual series of events is FREE to attend, and open to everyone -- regardless of age, skill level, professional background, etc. June 4th-14th Virtual **Season VI, US Cyber Open Series of Events**: * Kick-Off Celebration: June 4th * Beginner's Game Room CTF: June 5th-14th * Cyber Rush Week: June 8th-11th * Competitive CTF: June 8th-14th

r/cybersecurity • Just now

New

My buddy and I made this tool for automating fault injection attacks on processors. Let me know what you think! The Verilog code is hosted here: [https://github.com/Ice-Skates/voltage\_glitch](https://github.com/Ice-Skates/voltage_glitch)

Bleeping Computer • 1h ago

New

A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. [...]

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

The Hacker News • 11h ago

WIRED • 1h ago

New

PolicyCloud

Four people suing Elon Musk's AI firm under pseudonyms due to the risks of being identified may face a difficult choice: Reveal your real names, or drop the lawsuit.

CERT/CC • 2h ago

New

CVE

Overview Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow unauthenticated access to protected resources. An attacker could exploit these weakness to steal configuration information, induce a Denial of Service (DoS), or modify content blocking rules for student users. Description The Securly Chrome Extension is a browser add-on commonly used in K–12 school-managed Chromebooks to enforce internet safety policies, filter or block websites, and provide activity monitoring for students. It is an element of the Securly classroom management platform, which helps schools comply with web filtering requirements and safely manage student online access. CVE-2026-8874 Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data over HTTPS, demonstrating an inconsistent implementation of TLS. CVE-2026-8876 The Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js . These keys decrypt crisis alert keyword data and intervention site data. CVE-2026-8878 The Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar ciph

VU#158530: PCTCore64.sys Windows kernel driver contains missing access control vulnerability

CERT/CC • Jun 1

VU#780781: Casdoor contains multiple authentication bypass and access management vulnerabilities

CERT/CC • May 28

r/blueteamsec • 2h ago

New

Phishing

Anyone doing dark web collection knows the throughput problem: a single Tor circuit caps out low, and when you need to archive a leak dump, a marketplace mirror, or a few hundred MB off a hidden service before it rotates or disappears, sequential pulls over one circuit are painful. I built a small Python tool for this, **OnionAccelerator**, and figured I'd share it here in case it's useful to others doing the same kind of work and because I'd like a second set of eyes on the approach. What it does: it fans downloads out across multiple SOCKS5 proxies (Tor instances), in three modes: * **multi** — pulls a list of URLs in parallel, one worker per circuit * **partial** — splits a single file into byte-range chunks, fetches each chunk over a different circuit, then merges. * **speedtest** — benchmarks each proxy port so you can drop dead/slow circuits before a run You can back it with locally Dockerised Tor instances (there's a one-liner in the README that spins up \~20) or an external SOCKS5 list. It also does User-Agent rotation, inline retries, per-host output paths so same-named files don't clobber each other, and per-job logging. Caveats I'm aware of, and would rather name than hide: it leans on running multiple circuits, so mind the load and your own OPSEC around whatever proxies you route through. It's meant for collection you're authorised to do, not for hammering anything. The code started as a personal utility, so it's rough in places. [Repo](https://github.com/euphoria95/OnionAccelerator) PRs, issues, and "you're doing X wrong" all welcome. Mostly curious whether the byte-range-across-circuits approach lines up with how others handle bulk retrieval over Tor, or if people are solving it differently.

Cloudflare • 3h ago

New

CVEAPT

Some recent route hijacks reported by Spamhaus captured our attention. In many of these hijack attempts, an apparent bad actor took advantage of unused autonomous system numbers , or ASNs. Notably in these hijacks, the actor appears to be creating fake AS_PATHs toward destinations, misdirecting traffic down an unexpected path. By creating forged AS_PATHs, the hijacker is attempting to lead traffic somewhere it isn’t normally meant to go while also trying to conceal their identity. A hijacker could strip enough information away from a network path that they could pretend to be the origin of a Border Gateway Protocol (BGP) prefix themselves. Attackers can use this hijacked route to intercept traffic and for other nefarious purposes. There is a simple solution for these cases: basic verification that a BGP peer autonomous system (AS) always includes their network as the “First AS” in an advertised route. To get a sense of how well these safeguards are implemented, we stress-tested several major networks and researched their BGP implementations. Read on to see what we learned. Examining route hijacks involving forged paths The idea that an actor is creating fake AS_PATHs is supported when we take a closer look at implausible AS relationships in the path. For example, let’s examine one of the hijacks reported by Spamhaus, involving a prefix belonging to Orange S.A., the French telecom company. Using the monocle tool, we can

r/cybersecurity • 3h ago

New

Cloud

The operator left an open directory on their C2 server with no authentication, exposing the full toolkit. Compromised business servers across AWS, GCP, and Azure were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes. The infrastructure was still active at time of discovery. 👉 Full breakdown here:[ https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel](https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel)

r/cybersecurity • 4h ago

New

CVECloudPhishing

CVE-2026-23479 has been sitting in Redis since 7.2.0, introduced in mid-2023 across two separate commits that were not dangerous individually but created a use-after-free condition together. It survived multiple rounds of security review and remained in every stable branch until patches landed on May 5. The flaw was not found by a human security researcher going through the code. An autonomous AI tool called Xint Code, built by Theori specifically to hunt bugs in large codebases, found it at Wiz's [ZeroDay.Cloud](http://ZeroDay.Cloud) hacking competition in London last December. The full technical writeup and working exploit chain are now public. Here's why this matters beyond the patch urgency. Redis runs in roughly 75% of cloud environments according to Wiz. Most of those instances run without a password. The exploit technically requires an authenticated session, but in a default Redis deployment the default user already holds every permission the attack chain needs: u/admin, u/scripting, u/stream, and read/write access. So for a significant portion of exposed instances, the authentication requirement is not much of a barrier in practice. The exploit itself is a three-stage chain. First a one-line Lua script leaks a heap pointer. Then the attacker grooms client memory, parks a large client on a stream, drops the memory limits to trigger the free, and immediately reclaims the freed slot with a fake client structure via a pipelined SET. Finally Redis's own memory accounting routine gets turned against itself to overwrite a function pointer in the Global Offset Table, redirecting a standard string function to system(). The next command Redis parses runs as a shell command on the host. The official Redis Docker image makes the last step easier because it ships with only partial RELRO, leaving the GOT writable at runtime. ASLR and PIE do not help here since the write targets a global with a fixed offset at build time. Patches are out. Minor upgrades within a series are designed to be drop-in, so there is no good reason to delay. If you are on a managed Redis service, check your provider's status. Redis Cloud is already patched. Patched versions by branch: 7.2.x fixed in 7.2.14, 7.4.x fixed in 7.4.9, 8.2.x fixed in 8.2.6, 8.4.x fixed in 8.4.3, 8.6.x fixed in 8.6.3. If patching immediately is not possible, keep Redis off the public internet, put it behind TLS, tighten ACLs so no single role holds u/admin and u/scripting together, and disable Lua scripting entirely if you do not use it. That last step kills Stage 1 of the exploit chain. Worth noting this is one of five RCE-class Redis flaws disclosed in the same May 5 advisory. CVE-2026-23479 is the one that got the full public exploit writeup, but the others are worth reviewing too. Redis's official security advisory covers all five. This assumes some familiarity with your environment and Redis configuration. If any of this is unclear, drop a comment and the community or myself can help.

Bleeping Computer • 4h ago

New

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. [...]

r/cybersecurity • 5h ago

New

RansomwareZero-DayCVEData BreachAI

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between May 25th - May 31st. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)  # Big Picture Reports **ISC2 Research: Cybersecurity Professionals Want Leaders Who Have Been Through a Major Incident** No CISO wants to deal with a major security incident. But the upside of having lived through one is that they're way more likely to be seen as an effective leader.  **Key stats:** * 76% of people working in cybersecurity roles agree that previous leadership experience during a high-profile cybersecurity incident bolsters a leader's credibility. * 95% of cybersecurity professionals mark the ability to communicate risk to senior leadership and boards as very important in a leader. * 34% of cybersecurity professionals are very confident in the current leadership in cybersecurity. *Read the full report* [*here*](https://www.cybersecstats.com/r/0efb6399?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # AI Security  **Proprietary Problems: How Frontier Closed Models Collapse Under Iterative Pressure (Cisco)** The new AI models that companies are building look secure in a single conversation. But if you keep pushing them with follow-up attacks, they fall apart. Some get dramatically worse with each attempt. **Key stats:** * Multi-turn attack success rate ranges from 7.89% to 88.30% across proprietary flagship models. * GPT-5.4 moves from 2.74% single-turn attack success rate to 24.68% multi-turn, a ninefold increase. * Grok 4.1 Fast in non-reasoning configuration records a multi-turn attack success rate of 88.30%. *Read the full report* [*here*](https://www.cybersecstats.com/r/9d3f3f46?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Vulnerability Management **The Detection Gap: How Exploits are Outpacing Scanners (Cogent Security)** Time to exploit is basically nothing now.  **Key stats:** * AI-assisted exploit development compressed the average time from vulnerability disclosure to a working exploit from 125 days in January 2025 to half a day by April 2026. * 62% of critical vulnerabilities with known exploits had working exploits available before scanner detection signatures were shipped. * 55.7% of critical CVEs never received any scanner coverage. *Read the full report* [*here*](https://www.cybersecstats.com/r/c186038c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Stop Counting CVEs: What Actually Mattered in Q1 2026 (Root Evidence)** The industry publishes tens of thousands of vulnerabilities every year. Turns out almost all of them will never actually hurt anyone.  **Key stats:** * Only 1.4% of publicly disclosed vulnerabilities are known to be exploited in real-world attacks. * 36.5% of known-exploited vulnerabilities have a CVSS score of 9.0 or higher, while 63.5% are rated high, medium, or lower. * Over 80% of known-exploited vulnerabilities have no Metasploit module. *Read the full report* [*here*](https://www.cybersecstats.com/r/d753483f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Cloud Security **2026 Cloud Security Report: Securing the AI Transformation (Check Point)** Organizations want to secure AI in the cloud. What they're actually capable of doing is a different story.  **Key stats:** * Only 26% of organizations report having the architecture to enforce their AI-related cloud security strategy. * 78% of organizations report confirmed or suspected AI-related security incidents over the past year. * 24% of organizations say they have no AI-specific access controls. *Read the full report* [*here*](https://www.cybersecstats.com/r/2ca9fe27?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Industry-Specific  **Global Automotive Cybersecurity Report Q1 2026 (PCA Cyber Security)**  The automotive industry had a rough year. **Key stats:** * 265 unique automotive-specific vulnerabilities identified in Q1 2026 - a 102% year-on-year increase in automotive vulnerabilities (vs Q1 2025). * Competitors at Pwn2Own Automotive 2026 in Tokyo found 76 unique zero-days. * Ransomware groups exfiltrated nearly one terabyte of data from a major Asian vehicle manufacturer's customer and dealership environment in early January 2026 via a third-party vendor. *Read the full report* [*here*](https://www.cybersecstats.com/r/a10dcb9b?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Regional Spotlight  **Threat Labs Report: Europe 2026 (Netskope)** Almost every organization in Europe now uses AI, and employees regularly upload regulated data and source code to their personal AI accounts. **Key stats:** * About 99% of organizations in Europe use AI. * 59% of data policy violations across AI and personal cloud applications involve regulated data. * 15% of data policy violations involve source code. *Read the full report* [*here*](https://www.cybersecstats.com/r/7c7056e5?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Nordic CISO Report 2026 (Truesec)** Interesting data about Nordic CISOs and Nordic security budgets.  **Key stats:** * In 2026, only 9% of Nordic CISOs reported an increase in severe cybersecurity incidents, compared to 53% in 2025. * The dominant range for cybersecurity budgets among Nordic organizations remains approximately 5 to 10% of the IT budget, with an average of approximately 7%. * 32% of Nordic CISOs cited identity-related attacks as their primary concern. *Read the full report* [*here*](https://www.cybersecstats.com/r/21742480?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

r/cybersecurity • 5h ago

New

[https://techspective.net/2026/06/03/ot-security-problem-nobody-wants-to-own/](https://techspective.net/2026/06/03/ot-security-problem-nobody-wants-to-own/)

r/cybersecurity • 6h ago

New

We analyzed \~355,000 published CVEs and the entirety of CISA's KEV (Known Exploited Vulnerabilities) catalog. The data has a very firm opinion on when you absolutely should not be sipping something cold on a beach: midweek. Everyone knows to fear Patch Tuesday, but the quieter day right after is the most critical one: Wednesday. And CISA likes to add new CVE to the KEV on Wednesday the most! Take those two days off, and you'll have a backlog to sort through when you get back, and possibly an emergency to handle.

Bleeping Computer • 6h ago

New

Phishing

A two-week penetration test can leave roughly 345 days of real-world exposure unvalidated. Sprocket Security explores why continuous testing is becoming critical as attack surfaces constantly change. [...]

r/InfoSecNews • 6h ago

New

AIPhishing

A [recent report by Axios](https://www.axios.com/2026/05/28/ai-spending-roi-enterprise-costs) claims a company accidentally spent $500 million in one month on Claude usage after failing to implement usage limits for employees. This extreme anecdote punctuates growing uncertainty about how token usage and API bills could become a major bottleneck for companies seeking to reap the productivity benefits of AI tools. Even major tech companies are reportedly seeking to reel in their AI spending, with [The Verge](https://www.theverge.com/tech/930447/microsoft-claude-code-discontinued-notepad) reporting that Microsoft is canceling its Claude Code licenses to steer employees toward its own GitHub Copilot and Uber CTO Praveen Neppalli Naga telling [The Information](https://www.theinformation.com/newsletters/applied-ai/uber-cto-shows-claude-code-can-blow-ai-budgets) the company used up its entire AI coding budget for 2026 within four months. How does this fit into cybersecurity? With the landmark moment of Anthropic’s [Claude Mythos’ release under Project Glasswing](https://www.scworld.com/news/anthropic-claude-mythos-preview-finds-thousands-of-vulnerabilities-in-weeks), AI-driven code review and vulnerability discovery are gaining interest, but [an analysis by Contrast Security](https://www.contrastsecurity.com/security-influencers/the-hidden-cost-of-ai-security-scanners) offers a sobering look at the “hidden cost of AI security scanners.” Contrast’s research found that the biggest spend for organizations seeking to use AI to scan their code for vulnerabilities isn’t the API bill, but the cost of triaging and validating thousands of findings, including a huge number of false positives and inconsistent findings between runs and models. For example, a simple scan of 1.8 million lines of code using Claude Sonnet 4.6 surfaced 3,560 findings and cost just $315 in token usage, but those 3,560 findings don’t triage and validate themselves. Contrast calculated that if a security engineer making $150,000 per year spent half an hour triaging each finding, the labor cost would come out to $128,000. Full article: [https://www.scworld.com/feature/ai-securitys-cost-bottleneck-isnt-tokens-its-validation](https://www.scworld.com/feature/ai-securitys-cost-bottleneck-isnt-tokens-its-validation)

r/InfoSecNews • 6h ago

New

RansomwarePhishingAPT

The concerning part about AI-powered ransomware is not that it exists, it’s that capabilities like payload development, phishing, and EDR evasion are becoming easier to scale. As attackers automate more of the workflow, the gap between offensive speed and defensive response continues to grow.

The Hacker News • 7h ago

New

Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user's GitHub token. "Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said. GitHub supports a feature called GitHub.dev that runs as

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

The Hacker News • 10h ago

VS Code zero-day lets hackers steal GitHub tokens in one click

Bleeping Computer • 13h ago

The Hacker News • 8h ago

New

Phishing

The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and beyond the reach of

Bleeping Computer • 8h ago

New

Zero-Day

Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. [...]

Trail of Bits • 9h ago

New

CVEAIPhishingSupply Chain

Public skill marketplaces are being flooded with malicious skills that steal credentials, exfiltrate data, and hijack agents. In response, a segment of the security industry released skill scanners, a new family of tools designed to detect malicious skills before they’re installed. But we tested them, and they don’t work. We recently bypassed ClawHub’s malicious skill detector , Cisco’s agent skill scanner , and all three of the scanners integrated into skills.sh . These were not advanced attacks: it took us less than an hour to conceive and implement three of the four malicious skills in trailofbits/overtly-malicious-skills , using standard tricks and rapid inspection of the scanner source code. The fourth malicious skill took a few hours, but only because the prompt injection required some trial and error. Our findings demonstrate that even when skill scanners have some defenses, their static nature gives an adversary unlimited bites at the apple to tweak an attack until it finds a way through. Why skill security matters Software supply chains have long been the soft underbelly of computer security. As fragile infrastructure susceptible to both insider threats and external attackers, these supply chains were vulnerable enough when malicious code was the sole vector of compromise. But the rise in agentic systems has spawned a new style of dependency—the skill—and with it a whole new ecosystem of marketplaces and distribution channels that now run alongside traditional package managers. Malicious skills can embed harmful instructions in nat

r/cybersecurity • 10h ago

New

Data BreachPhishing

**Key Takeaways** * In May 2026, 4.9 million records from Charter Communications were exposed, including email addresses, names, phone numbers, physical addresses, and some job titles. * This incident is part of a pattern of large-scale data breaches affecting the telecommunications sector. * Affected individuals should be vigilant against phishing attempts and unsolicited communications, as their personal information is now publicly available.

Bleeping Computer • 10h ago

New

CVE

European and international law enforcement agencies have dismantled nine organized crime groups and arrested 29 suspects in a major crackdown on illegal streaming operations. [...]

Bleeping Computer • 11h ago

New

Google is introducing a new Android security feature that will detect and flag phone calls in which scammers use artificial intelligence to impersonate a user's personal contacts. [...]

Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling

WIRED • Jun 2

The Hacker News • 14h ago

New

Malware

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims' systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed Weedhack by McAfee Labs, stating the activity has been active since January 2026 and impersonates Minecraft clients and mods to infect users. In all, 3820

Troy Hunt • 16h ago

New

CVEData Breach

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, we welcome the 46th government onboarded to Have I Been Pwned’s free gov service: the Philippines. The Philippines’ National CERT, working with the Department of Information and Communications Technology, now has access to monitor official government domains against the data in HIBP. This gives their Cyber Threat Intel and Monitoring Section the ability to identify exposure across government email addresses and respond quickly when those accounts appear in new data breach. This is precisely what the HIBP government service was built for: helping national cyber teams better understand credential exposure across their government domain space, monitor for compromised accounts on demand via API, and receive notifications when government domains are impacted by newly loaded breach data. The Philippines joins a growing list of national CERTs and government cybersecurity teams using HIBP to help strengthen national cyber defense, protect government departments and resources, and reduce the risk posed by compromised credentials before attackers can take advantage.

Bleeping Computer • 21h ago

New

Microsoft announced today at its Build 2026 developer conference the release of Coreutils for Windows, bringing many commonly used Linux command-line utilities to Windows as native applications. [...]

Bleeping Computer • 21h ago

New

OpenAI says it's rolling out a new update that improves the existing GPT-5.5 Instant model, and this move comes ahead of the scheduled retirement of multiple legacy models, including o3. [...]

Bleeping Computer • 22h ago

New

CVE

Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]

Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited

The Hacker News • Jun 2

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

The Hacker News • Jun 1

Bleeping Computer • 22h ago

New

Malware

A large-scale malware campaign dubbed WeedHack is targeting Minecraft players and has infected more than 116,000 systems since January. [...]

r/blueteamsec • 22h ago

New

RansomwarePhishing

Not particularly interesting for the Cyber security folk per-se, but useful for lunch and learn /table top for leadership/xCO set ups [https://ransomcare.io/value](https://ransomcare.io/value) it will take the players on a journey of ethical dilemmas reflective of real situations, and because there's no good answer other than 'becoming resilient to ransomware' all the answers you give will hurt one thing or another, but there's a nice report and crib sheet of actions when you're done. - sometimes leadershit switch off, but if you can get them engaged you can help them realise this defence nightmare isn't just for the SoC, it's a vertical problem with horizontal commitments. - the value page in the hyperlink is to set expectations, it'll take about 15-20 solo, and longer (for debate, in groups).

Bleeping Computer • Jun 2

New

RansomwareAPT

A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. [...]

The Hacker News • Jun 2

New

CVEMalware

The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an

The Hacker News • Jun 2

New

CVE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The vulnerability, CVE-2024-21182 (CVSS score: 7.5), allows an unauthenticated attacker with network access to take control of susceptible servers. It was

Bleeping Computer • Jun 2

New

Microsoft is working to address a widespread service issue affecting the mail flow pipeline for Exchange Online customers across North America and Germany. [...]

Bleeping Computer • Jun 2

New

Multiple Instagram users had their accounts hijacked after attackers convinced Meta's AI-powered support tools that they were the legitimate owners. [...]

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Krebs on Security • Jun 1

Bleeping Computer • Jun 2

New

AIPhishing

AI-powered attacks and shadow AI adoption are creating new security risks inside the browser. Push Security explains why browser visibility is becoming critical for both threat detection and AI governance. [...]

CERT/CC • Jun 2

New

CVE

Overview VoLTE deployments on Verizon’s IMS network have operated without negotiated SIP integrity protection. In observed test conditions, SIP signaling—including registration, call setup, and messaging—traveled without IPsec ESP encapsulation and without SIP Security Agreement headers, exposing it to interception and modification by on-path attackers. Recent carrier configuration updates, including Apple’s iOS 26.5 carrier bundle released on May 11, 2026, include IMS IPsec–related settings. However, such configuration entries do not confirm active deployment, successful negotiation, or functional protection in production. Description CVE-2026-10629 Verizon IMS deployments were observed transmitting SIP signaling without integrity protection. REGISTER exchanges lacked Security-Client, Security-Server, and Security-Verify headers, and no ESP-encapsulated SIP traffic was detected during subsequent signaling such as INVITE, MESSAGE, BYE, and UPDATE. This pattern persisted across devices, operating systems, and network conditions, indicating a deliberate network configuration rather than a transient issue. Per 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF must be protected using IPsec ESP following IMS AKA authentication, with negotiation occurring during registration. The absence of this protection allows attackers to manipulate SIP signaling undetected, enabling call hijacking, spoofing, denial-of-service, and misrouting of emergency calls. Verizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mi

CERT/CC • Jun 2

New

CVE

Overview A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299. Description Appsmith is an open source, low code platform intended to allow developers to build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can also be deployable either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered, allowing for XSS within the SQL query editors autocomplete function. The vulnerability description is below. CVE-2026-7299 Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. This vulnerability requires an account with developer access. A developer Appsmith account is an account designed to create, edit, and delete apps within a workspace they are assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious ta

r/InfoSecNews • Jun 2

New

Phishing

Netlogon vulnerabilities always deserve attention because they sit so close to the heart of Active Directory. When a flaw can impact domain controllers, the conversation quickly shifts from a single vulnerable system to trust across the entire environment.

CERT/CC • Jun 2

New

CVE

Overview The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that writes attacker-controlled files to arbitrary locations on the server once extracted, resulting in code execution. Description Collibra Platform (CP) and Collibra Platform Self-Hosted (CPSH), an enterprise grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on different port than the web interface and have the following vulnerabilities. CVE-2026-10622 Privileged REST endpoints exposed under /rest/* do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths. Additionally, the web services hosting the vulnerable REST endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks. CVE-2026-10621 A Zip Slip vulnerability during extraction is exposed through POST /rest/restore and enables path traversal. When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction.

The Hacker News • Jun 2

New

AI-driven exploitation timelines are rapidly shrinking, and they are not going to stop shrinking. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever in the history of enterprise security. As a result, the window between a vulnerability being disclosed and indiscriminate exploitation observed across the internet is now measured in hours, not days. The industry's

The Hacker News • Jun 2

New

Most organizations now recognize that endpoint protection alone is no longer sufficient. That's why adoption of endpoint detection and response (EDR) has accelerated rapidly in recent years. Organizations understand that modern attacks move faster, evade traditional prevention controls, and require continuous visibility into suspicious activity across the environment. But owning EDR

WIRED • Jun 2

New

The right-wing think tank is actively pushing “civil terrorism”—increasing penalties for minor crimes committed while people engage in constitutionally protected free speech.

The Hacker News • Jun 2

New

CVEMalwarePhishing

Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan's Ministry of Finance with an open-source remote access trojan called Xeno RAT. "The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,"

r/Malware • Jun 2

New

MalwareAI

Attackers are abusing the shared content features of AI chatbot platforms — ChatGPT and Claude — to deliver malware through pages hosted on legitimate, trusted domains, distributing the malicious links via sponsored malvertising ads on search engines.

The Hacker News • Jun 2

New

CVEAPT

Password manager Dashlane has disclosed that "fewer than" 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an "external" threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA)

Datadog Security Labs • Jun 2

New

Supply Chain

GitHub Actions workflows are vulnerable to pwn requests, script injection, and compromised credentials. Here's what's going wrong and what's changing.

Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

The Hacker News • Jun 1

OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

The Hacker News • Jun 1

r/netsec • Jun 1

New

Cloud

Came across an article, product like phpBB still has some potential flaws.

Synack • Jun 1

New

Key Takeaways We just got back from Tenable Exposure 2026 in Boston and three big questions dominated every conversation we had on the floor: The good news is, Synack is exactly positioned to answer these questions. Tenable Finds It. Sara AI Pentesting Proves What’s Exploitable. The Synack and Tenable integration addresses a gap that’s gotten […] The post Tenable Exposure 2026: AI Pentesting Helps Partners Scale appeared first on Synack .

Cloudflare • Jun 1

New

Phishing

Cloudflare's core is the centralized data centers that run our control plane, billing, and analytics — distinct from the globally distributed edge that handles user traffic. Core servers are bare metal, and when issues happen during reboot, the consequences can cascade fast. Their boot sequence is orchestrated by UEFI , the modern firmware standard that initializes hardware and hands off control to the operating system. Small quirks in that handoff can have outsized consequences. After a routine firmware update, some of our core servers were taking four hours to come back online, rather than just minutes as they did before. What should have been a one-day fleet-wide rollout was stretching into multi-day slogs. New nodes faced the full timeout gauntlet on their very first boot. Maintenance windows ballooned. Engineering teams had to babysit upgrades that should have run unattended. The behavior we saw was brought to light when we were bringing nodes online that had been powered off for an extended period. These nodes’ firmware was out of date and required multiple updates to resolve. Combine this with recent updates to the boot protocols used by servers in some of our locations, and boot times on the affected nodes became unacceptable. This is the story of how we tracked the cause to a firmware quirk and an over-eager linear search through every available network boot interface, and how we cut total boot and upgrade time from hours back down to minutes. Along the way, we'll share what we learned about UEFI internals, vendor-specific quirks, and the automation strategies that ultimately solved the problem. The network boot interface A network boot interface allows a server to boot its operating system over the network instead of from local storage. This is critical f

The Hacker News • Jun 1

New

Phishing

Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality. The vibe is simple: old

The Hacker News • Jun 1

New

PhishingAPT

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments

The Hacker News • Jun 1

New

Policy

Three years ago, the practical question for an MSP building a cybersecurity practice was which "vCISO platform" to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor. A Security Growth Platform is the more precise name for what MSPs and MSSPs need from the software

WIRED • Jun 1

New

In this excerpt from WIRED Book Club pick The Yahoo Boys, journalist Carlos Barragán traces one scammer’s journey from flop to fortune.

WIRED • Jun 1

New

Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.

Troy Hunt • Jun 1

New

Data BreachPolicy

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, I loaded the 1,000th data breach into Have I Been Pwned . Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in the 12 and a half years since I started HIBP, what possible purpose does it still serve? The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure. This is all going to be anecdotal, and as far as I know, there are no hard numbers for me to cite, but the evidence is everywhere. Here's what I mean: New breach: Cruise operator Carnival was targeted in a ShinyHunters “pay or leak” attack last week. 8.7M records with 7.5M email addresses and loyalty program data were published yesterday. 85% were already in @haveibeenpwned . Read more: https://t.co/QhqNt0WucV — Have I Been Pwned (@haveibeenpwned) April 24, 2026

r/ReverseEngineering • Jun 1

New

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Troy Hunt • Jun 1

New

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm finding it quite fascinating to watch the current spate of ShinyHunters breaches and dumps. There's the obvious criminality of it all, but then there's also the response from organisations (or lack thereof, as it relates to disclosure to victims), the appearance and disappearance of victims on their dark web site, the speculation around payments and so on and so forth. And it's seemingly endless - I mentioned DentaQuest during the video, and sure enough, the next day, a 233GB corpus allegedly from them was dropped. By the next update, it might be BCD Travel as well and who knows which other services will appear on the "pay or leak" list. Strange times, I can't remember it ever being this crazy before TBH.

r/Malware • May 31

New

Malware

[https://youtu.be/1W8gCFU8B0U](https://youtu.be/1W8gCFU8B0U) Thought it would be fun to share some learnings I made when building a similar lab at work but for me. Not exactly what I built at work (I think mines a bit better TBH) but this first video could be a jumping off point for different ways to do this 😄 Open to suggestions and feedback ❤️ Edit: I've fixed the audio so it should be better now!

The Hacker News • May 31

New

Malware

Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the

WIRED • May 30

New

Ransomware

Plus: A ransomware group is now stealing data in person, BusPatrol wants to hand its license plate surveillance data to the cops, and more.

WIRED • May 29

New

The website, which compares human beings to extraterrestrials, touts arrest numbers from the Trump administration’s sweeping immigration crackdown. But some of its details are really out there.

r/netsec • May 29

New

Malware

We found a cluster of 1,001 IPs across 306 networks and 64 countries, tied to eight shared staging servers and a single TLS and HTTP fingerprint that appears nowhere else, plus smaller botnets that fall into clean separate islands.

r/netsec • May 29

New

CVEAI

I built an independent benchmark with 20 real CVEs across 15 CWE categories, 5 models (3 OpenAI, 2 Poolside Laguna), three prompt conditions: full advisory, behavioral description only, and location only (file and function, no description of the flaw). I have three findings worth sharing: * **No model reliably fixes real vulnerabilities.** The best solve rate (gpt-5.5) is 50% overall and 60% under the most favorable condition. The failure modes (e.g, wrong-search drift, budget exhaustion mid-implementation, plausible-but-incomplete patches that pass every visible test) are structured and repeatable across models and tasks. * **Token cost varies 4x for equivalent outcomes.** The Laguna models consume 3–4x more tokens than OpenAI models of the same capability tier, with no improvement in solve rate. * **The locate condition is the benchmark's sharpest instrument.** Give a model only a file and function (no description of the flaw). Every model drops. The differences between models are within noise at this scale, but it's the condition that most closely resembles what a security researcher actually does: reading code cold and recognizing independently that something is wrong. Benchmark code and evaluation traces are open sourced.

Praetorian • May 28

New

CVEPhishingAPT

Discovery During a recent network security assessment, we were working on an environment that was well-hardened – Patching was current, password policies were strong, and network segmentation was in place. So, as part of our enumeration of all network assets, we started looking for default credentials and this led us to multiple Canon enterprise printers configured with default administrator credentials. Enterprise printers are an interesting attack surface because it is common practice to have them configured with domain credentials. So, with administrative access, we tried to execute auth-back attacks by modifying the printer’s configuration to point to our server for credential capture or relay. However, network segmentation controls blocked this attack, as outbound controls prevented traffic from reaching our attacker-controlled subnet. We needed a different approach. We turned our attention to how the printer handled stored credentials. Specifically, we were curious to look at what happened to them during export. While exploring the printer’s administrative interface, we found a configuration export feature that allows administrators to back up device settings. This immediately raised a question: how were stored credentials being protected during export? Canon’s documentation states that exporting sensitive data requires encryption and the web interface presents encryption options (Security Level 1 and 2) that appear mandatory. However, we quickly discovered that these controls are implemented client-side without server-side validation. Vulnerability Canon imageRUNNER ADVANCE DX printers provide a configuration export feature that is accessible through the web management interface. The web UI appears to enforce encryption by requiring a user-supplied pass

Synack • May 28

New

Phishing

Key Takeaways AI generates findings at scale, but scale without trust creates risk. The real security challenge isn’t discovery—it’s knowing which findings are real, exploitable, and worth acting on before automated systems take action. False positives become operationally dangerous in AI-driven environments. Model hallucination, single-tool reliance, and misinterpreted context can cause AI to fabricate vulnerabilities […] The post AI Can’t Fix What It Can’t Trust: Why Continuous Security Validation Matters appeared first on Synack .

Praetorian • May 28

New

CVEAI

In previous blog posts we’ve talked about getting nerd sniped . Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until the tool author runs out of resources to keep responding to changes. Like many parts of the security space, LLMs have changed how this story might end. The Classic Offensive Security Tooling Lifecycle There’s a lifecycle to most offensive security tooling. First you encounter a problem that’s common or problematic enough that you want to automate it, so you write a tool. Then you use that tool privately until you decide the time has arrived to open source it. This is a cool moment, you get to share your techniques with the community and if you’re really lucky, maybe the fundamental problem your tool exposes is fixed. Much more likely, once it’s open sourced it eventually gets signatured to the point that you

WIRED • May 28

New

The US military has long known that cheap fixes could stop location data from exposing its troops. It adopted almost none—and now says adversaries are using the data to target soldiers during a war.

Cloudflare • May 28

New

Cloudflare processes more than a billion events every second. Our network spans 330+ cities in 120+ countries. Behind every HTTP request, every Worker invocation, every R2 read operation, there is data, and a lot of it. For years, that data was not very easy to access. It lived in dozens of production databases, ClickHouse clusters, Kafka streams, Google Cloud buckets, BigQuery datasets, and a long tail of pipelines. To answer a simple question like "How many domains that signed up today are in the Top 100 by traffic?", an analyst at Cloudflare had to know which system to ask, what credentials to use, what query language to write, and whether the data they were looking at was sampled, fresh, or seven-days stale. As a result, it was difficult to glean informed insights from the data. To solve this problem, we built two in-house tools: Town Lake, Cloudflare's unified data analytics platform, and Skipper, an AI data agent that runs on top of it. Town Lake is a single SQL interface to everything Cloudflare knows, and Skipper is how anyone at Cloudflare can ask questions in plain English and get correct, auditable answers back in seconds. This is the story of how we built both. The shape of the problem If you have ever worked at a company that went through a hyper-growth period, you know what data sprawl looks like. Ours had a few specific symptoms: Too many disparate systems. A product engineer who wanted to investigate a customer issue might need to query Postgres for account metadata, ClickHouse for analytics events, BigQuery for usage rollups, R2 for raw logs, and Kafka topics for real-time signals. Each system had its own credentials, its own language, and its own retention policy. Sampled data. This is fine for dashboards, but doesn’t work for domains like billing. Our

WIRED • May 28

New

Phishing

Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.

Datadog Security Labs • May 28

New

CVE

CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session.

The Guardian • May 27

New

Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’ The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him. In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated. Continue reading...