// Articles
389 articles — page 11 of 17
Scattered Spider's 'Tylerb' Pleads Guilty — Senior Member Faces 20 Years for $8M SIM Swap and Enterprise Breaches
Tyler Robert Buchanan, 24, known online as 'Tylerb', has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in Scattered Spider's 2022 SMS phishing and SIM-swapping campaign that breached Twilio, LastPass, DoorDash, Cloudflare, and at least 130 other organisations. The guilty plea represents a significant law enforcement milestone against the English-language cybercrime group responsible for the MGM and Caesars casino breaches.
Wazuh SIEM/XDR Platform CVE-2026-30893 — CVSS 9.0 Remote Code Execution in Enterprise SOC Infrastructure
CVE-2026-30893, rated CVSS 9.0, is a remote code execution vulnerability in the Wazuh open-source security platform affecting versions 4.x and later. Wazuh is widely deployed as a SIEM, XDR, and compliance platform in enterprise SOC environments. Compromising the Wazuh manager means compromising your security monitoring backbone — patch to 4.11.2 immediately.
WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation
Researchers have uncovered a dormant backdoor in a widely-installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.
Apache Thrift 0.23.0 Patches Out-of-Bounds Read (CVE-2026-41604) and Node.js Uncontrolled Recursion DoS (CVE-2026-41636)
Apache Thrift 0.23.0 addresses two vulnerabilities: CVE-2026-41604, an out-of-bounds read in the binary protocol parser affecting all language bindings that can crash Thrift-based services and potentially leak memory contents; and CVE-2026-41636, an uncontrolled recursion flaw in the Node.js library that enables remote denial of service via deeply nested Thrift structures. Organisations operating Thrift-based microservices or inter-service RPC should upgrade to 0.23.0.
CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133
CISA's late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively
CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.
CISA ICS Advisory: Milesight AIOT Cameras Carry Five CVEs Including CVSS 9.8 Hard-Coded SSL Key Flaw
CISA advisory ICSA-26-113-03 covers five vulnerabilities across 18-plus Milesight AIOT camera model families, including a CVSS 9.8 flaw where all devices share a hard-coded factory SSL private key that cannot be changed. An attacker with the key — which is extractable from any unit — can conduct undetectable man-in-the-middle attacks against the entire deployed fleet. Organisations using Milesight cameras in operational technology or physical security environments should isolate these devices immediately.
Spring AI CVE-2026-40978 and CVE-2026-40967 — SQL Injection and Filter Expression Injection in RAG Vector Store Components
Two injection vulnerabilities in Spring AI's vector store integration layer affect AI applications using retrieval-augmented generation pipelines. CVE-2026-40978 (CVSS 8.8) allows SQL injection through the CosmosDB vector store component; CVE-2026-40967 (CVSS 8.6) enables filter expression injection in the FilterExpressionConverter used across multiple backends. Both flaws affect Spring AI 1.0.x and 1.1.x and are patched in 1.1.5.
Spring Boot 4.0 CVE-2026-40976 — Default Security Misconfiguration Exposes All Actuator Endpoints Unauthenticated
CVE-2026-40976 in Spring Boot 4.0.0 through 4.0.5 allows unauthenticated network access to all Spring Boot Actuator management endpoints when applications rely on the default Spring Security auto-configuration but omit the spring-boot-health dependency. Exposed endpoints include heapdump, env, mappings, and loggers — enough to extract secrets and manipulate application behaviour. Upgrade to Spring Boot 4.0.6 or later.
AI Agents Can Autonomously Compromise Cloud Infrastructure With Minimal Human Oversight, Research Finds
New academic research demonstrates that AI agents equipped with common cloud security tools can autonomously identify, chain, and exploit misconfigurations in production-like cloud environments — achieving lateral movement, privilege escalation, and data exfiltration in multi-step attack sequences without human guidance. The findings have direct implications for red team methodologies, cloud security posture management, and the adversarial use of AI-assisted attack tooling.
SentinelLabs Uncovers Fast16 — NSA-Linked OT Sabotage Malware Active Five Years Before Stuxnet
SentinelLabs has published research identifying Fast16, a Lua-based OT sabotage framework compiled in 2005 that predates Stuxnet and is attributed to a US intelligence-linked operation targeting Iranian high-precision calculation software. The discovery rewrites the timeline of state-sponsored ICS sabotage and provides new technical context for understanding the development of destructive OT malware.
FTC: Americans Lost $2.1 Billion to Social Media Scams in 2025 — AI-Enhanced Fraud Doubles Investment Losses
The US Federal Trade Commission's annual consumer fraud report records $2.1 billion in social media scam losses in 2025, a 47% increase from 2024 driven by AI-generated deepfake impersonations, synthetic romance fraud accounts, and AI-personalised investment scam targeting. Investment scams account for 53% of losses at $1.1 billion. The report carries compliance implications for organisations under FTC Section 5 and EU AI Act Article 50 transparency obligations.
Hugging Face LeRobot CVE-2026-25874 — Critical Unpatched RCE via Pickle Deserialization in Unauthenticated gRPC Endpoint
A critical unpatched remote code execution vulnerability in Hugging Face's LeRobot robotics AI framework allows unauthenticated attackers to execute arbitrary code on any server running the gRPC control interface. CVE-2026-25874, rated CVSS 9.3, affects the project's dataset loading and remote control pipeline via Python pickle deserialization. No patch is available; mitigations focus on network isolation.
Medtronic Confirms Data Breach — ShinyHunters Claims 9 Million Medical Device Patient Records Stolen
Medtronic, the world's largest medical device manufacturer, has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen nine million patient records. The breach includes patient names, device serial numbers, implant dates, clinic details, and in some cases diagnostic data from cardiac, diabetes, and spinal device programmes across 150 countries. Regulatory notifications under HIPAA, GDPR, and MDR are expected.
Rituals Cosmetics Discloses Data Breach — Up to 40 Million My Rituals Members' PII Potentially Exposed
Amsterdam-based luxury cosmetics brand Rituals has disclosed a breach of its My Rituals membership platform affecting potentially up to 40 million registered members across its 1,170-plus retail locations in 37 countries. Exposed data includes names, contact details, date of birth, gender, and purchase history. The breach carries significant GDPR obligations as Rituals is headquartered in the EU.
Silk Typhoon Operator Xu Zewei Extradited to US — First MSS Shanghai Bureau Hacker Held Accountable
Xu Zewei, a hacker attributed to the MSS Shanghai Bureau and the Silk Typhoon (formerly Hafnium) APT group, has been extradited from Italy to face US federal charges relating to the theft of COVID-19 vaccine research, defence contractor IP, and financial sector data via Exchange Server zero-days. The extradition marks the first successful prosecution of a Silk Typhoon operator and sends a direct signal to MSS-affiliated cyber operators.
Azure Arc Windows Agent CVE-2026-26117 Lets Low-Privilege Users Escalate to SYSTEM and Seize Cloud-Managed Identity
CVE-2026-26117, a local privilege escalation flaw in the Azure Arc Connected Machine Agent for Windows, allows any domain user on a managed host to escalate to SYSTEM and inherit the host's Azure managed identity — granting access to all Azure resources the machine identity can reach. Microsoft rated the flaw CVSS 7.8; patch immediately given Arc's growing enterprise footprint.
Itron Smart Grid Giant Discloses Internal IT Breach via SEC Filing — Critical Infrastructure Supplier Affected
Itron, the world's largest smart meter and grid management vendor, has disclosed a breach of its internal IT network in an SEC 8-K filing. Attackers accessed systems supporting grid data analytics and workforce management. No operational technology networks were confirmed compromised, but the supplier-to-utility trust relationship demands immediate third-party risk assessment.
Linux Kernel nf_tables Use-After-Free CVE-2026-23231 Enables Privilege Escalation on Most Distributions
A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem allows a local attacker to escalate privileges to root on unpatched systems. CVE-2026-23231 affects kernels 5.14 through 6.9 and most major distributions including RHEL 9, Ubuntu 22.04/24.04, Debian 12, and SLES 15. Stable kernel patches are available and distribution security teams are issuing advisories.
Microsoft Entra Agent ID Role Misconfiguration Enabled Full Tenant Takeover via Service Principal Hijack
A flaw in Microsoft Entra's Agent ID role assignment model allowed an attacker with low-level Entra access to hijack privileged service principals and achieve full tenant administrator rights. Microsoft silently patched the issue on April 9; organisations with agentic AI workloads or automation service accounts should audit role bindings immediately.
NIST Halts NVD Enrichment for Lowest-Priority CVEs as Submission Volume Surges 263% — Vulnerability Management Impact
NIST has announced it will no longer provide full CVSS scoring, CPE matching, and CWE classification for the lowest-priority tier of CVE submissions in the NVD. The change, driven by a 263% surge in annual CVE volumes since 2024, means thousands of CVE records will remain in an unenriched 'DEFERRED' state — with no CVSS score, no affected product mapping, and no severity rating. Enterprise vulnerability management programmes that rely on NVD as their authoritative source must adapt their workflows immediately.
OpenSSH 10.3 Patches Shell Metacharacter Injection CVE-2026-35386 in Non-Default scp Configurations
OpenSSH 10.3, released April 26, addresses CVE-2026-35386, a shell metacharacter injection flaw in the scp client that can result in unintended remote command execution when transferring files from attacker-controlled servers. While exploitation requires non-default configuration, scp is still widely used in automated backup and deployment pipelines and should be updated promptly.
SAP April 2026 Patch Day: CVE-2026-34256 ABAP Code-Overwrite Lets Authenticated Attacker Sabotage Core ERP Functions
SAP's April 2026 Security Patch Day includes a fix for CVE-2026-34256, an ABAP code-overwrite vulnerability rated CVSS 7.1 that allows an authenticated attacker with low-privilege access to modify executable ABAP programme objects, potentially corrupting core business logic in SAP ERP, S/4HANA, and BW systems. The flaw requires no special administrative roles and affects all SAP NetWeaver ABAP Server releases through the current patched version.
APT28 Operation Masquerade: GRU Hijacked 18,000 Routers to Steal Microsoft 365 OAuth Tokens
Russia's GRU Unit 26165 operated an 18,000-router DNS hijacking network targeting Microsoft 365 OAuth tokens across 120 countries. The US DOJ's Operation Masquerade dismantled US-based infrastructure on April 7 2026, but the global campaign continues. Organisations should audit DNS resolver settings, revoke OAuth sessions, and enforce Conditional Access for remote users.