// Articles
389 articles — page 9 of 17
TCLBanker Banking Trojan Spreads via WhatsApp and Outlook Worm Modules, Targets 59 Financial Platforms
Elastic Security has identified TCLBanker (tracked as REF3076 / Water Saci), an evolution of the Maverick banking trojan family, deploying worm modules that spread via WhatsApp message injection and Outlook email campaigns from infected machines. TCLBanker targets users of 59 financial platforms including online banking, cryptocurrency exchanges, and payment services. The malware uses DLL side-loading via legitimate Logitech software and employs anti-analysis watchdog processes to resist removal.
Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration
Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.
Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity
A cross-origin data leakage vulnerability in Firefox and Tor Browser's IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser's anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. Tor Browser users should update immediately given the privacy implications.
Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required
Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.
LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV
CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.
OpenEMR: Three Critical Vulnerabilities Expose Patient Records Across 100,000 Healthcare Providers
Aisle security researchers have disclosed 38 vulnerabilities in OpenEMR — the world's most widely deployed open-source electronic medical records and practice management system, used by over 100,000 healthcare providers globally. Three of the vulnerabilities are critical, allowing unauthenticated remote code execution and patient record exfiltration. OpenEMR 7.0.2 patch 2 addresses all reported issues; unpatched instances are a direct patient data and regulatory liability.
ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution
A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.
Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot
Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring physical manual reboot to recover. CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.
cPanel/WHM Patches Three New Vulnerabilities Including CVSS 8.8 Code Execution and Privilege Escalation
cPanel has released security updates addressing three new vulnerabilities distinct from the previously covered CVE-2026-41940 zero-day: CVE-2026-29202 (CVSS 8.8, Perl code execution), CVE-2026-29203 (CVSS 8.8, symlink-based privilege escalation), and CVE-2026-29201 (CVSS 4.3, arbitrary file read). Web hosting providers running cPanel/WHM should apply the updates urgently given the platform's current elevated threat posture following mass exploitation in May 2026.
GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads
A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.
Linux 'Dirty Frag' Zero-Day Chains Two Kernel Flaws for Deterministic Root — PoC Published, No Patch
Security researchers have published a proof-of-concept exploit for a new Linux kernel local privilege escalation vulnerability chain nicknamed Dirty Frag, which combines flaws in the xfrm-ESP and RxRPC page-cache subsystems to reliably achieve root access from an unprivileged user process. Unlike its predecessor CopyFail, Dirty Frag is deterministic — it does not rely on race conditions and succeeds reliably across Ubuntu, RHEL, CentOS Stream, AlmaLinux, openSUSE, and Fedora. No CVE ID or kernel patch has been issued at time of disclosure.
Salesforce Marketing Cloud Server-Side Template Injection Exposed Entire Customer Contact Database
SL Cyber researchers have disclosed five patched vulnerabilities in Salesforce Marketing Cloud (ExactTarget), the most critical of which — a server-side template injection flaw — allowed an authenticated marketing user to exfiltrate the complete contacts database and historical email campaign content of any Salesforce Marketing Cloud instance. The vulnerabilities were patched by Salesforce; organisations should verify which contact data and historical communications were accessible to marketing team members.
vm2 Node.js Sandbox Escape CVE-2026-26956 — 1.3 Million Weekly Downloads, PoC Published
A critical sandbox escape vulnerability in the vm2 Node.js sandboxing library allows a malicious script to break out of the sandbox and execute arbitrary code in the host Node.js process. CVE-2026-26956 affects all vm2 versions prior to 3.9.22 and is present in any application using vm2 to safely execute untrusted code — including serverless platforms, coding challenge sites, CI/CD systems, and plugin architectures. A PoC is publicly available.
Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising
Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.
CISA ICS Advisory: GRASSMARLIN OT Network Visualisation Tool Vulnerability CVE-2026-6807
CISA has issued ICS advisory ICSA-26-118-01 for CVE-2026-6807, a vulnerability in GRASSMARLIN — the NSA-developed open-source network visualisation tool widely used by industrial control system operators and OT security teams to map and analyse operational technology networks. The vulnerability affects teams using GRASSMARLIN for defensive ICS visibility, creating a risk of compromise of the analyst workstations conducting that analysis.
KidsProtect Stalkerware Abuses VS Code Tunnels and Discord Webhooks as Covert C2 Infrastructure
A commercially marketed Android application called KidsProtect, presented as a parental control tool, has been analysed and found to function as stalkerware — secretly recording device location, SMS messages, call logs, and browser history without consent. The tool evades conventional network monitoring by routing command-and-control traffic through legitimate VS Code Remote Tunnels and Discord webhook endpoints. Its developer explicitly markets it as an undetectable monitoring solution on underground forums.
Microsoft Threat Intelligence: AiTM Phishing Campaign Hit 35,000 Users Across 26 Countries in Two Days
Microsoft Threat Intelligence has published analysis of a highly targeted adversary-in-the-middle phishing campaign that compromised 35,000 user accounts across healthcare and financial services organisations in 26 countries during a 48-hour window in April 2026. The campaign used polished enterprise-grade HTML templates impersonating Microsoft 365 compliance and code-of-conduct notifications, bypassing standard MFA via real-time session token interception.
OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access
A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
108 Malicious Chrome Extensions Exfiltrating Browser Data Removed from Web Store
Google has removed 108 extensions from the Chrome Web Store after researchers identified a coordinated malicious extension campaign conducting browser credential harvesting, session cookie theft, and clipboard monitoring across millions of installations. The extensions impersonated productivity tools, ad blockers, and security tools — with some active for over 18 months before detection. Enterprise Chrome deployments should audit installed extensions against the published IOC list.
Europol Dismantles €50M Crypto Investment Fraud Network — 12 Arrested Across Six Countries
Europol has coordinated the dismantling of a €50 million cryptocurrency investment fraud network operating across six European countries, resulting in 12 arrests, 30 property searches, and the seizure of cryptocurrency holdings, luxury assets, and fraud operation infrastructure. The network ran AI-enhanced investment scam call centres and operated fraudulent crypto trading platforms that fabricated returns to sustain victim investment before executing exit scams.
Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure
A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and Four Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.
Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign
A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.
MacSync Stealer Delivered via Malicious Google Ad Targeting macOS Homebrew Users
A macOS infostealer tracked as MacSync has been distributed through a malicious Google search advertisement impersonating the Homebrew package manager — a tool used by virtually all macOS developers. The campaign harvests browser credentials, session tokens, macOS keychain data, and cryptocurrency wallet files from developer machines. macOS users who installed Homebrew via a Google search in the past 30 days should verify their installation source.