Kubernetes Security: How to (Better) Secure Your Clusters

Kubernetes has become a popular choice for enterprise software development, attracting increased attacks from cybercriminals using sophisticated exploits. Newly created Kubernetes clusters can be targeted by malicious scans within minutes, with attackers employing automated methods to find and exploit vulnerabilities.

Security hole could let hackers take over Juniper Networks PTX core routers

A critical vulnerability in Juniper Networks PTX series routers running Junos OS Evolved could allow an unauthenticated attacker to execute code with root privileges. The vulnerability, which lies in the On-Box Anomaly detection framework, affects versions earlier than 25.4R1-S1-EVO and 25.4R2-EVO, but not the standard Junos OS.

‘Silent’ Google API key change exposed Gemini AI data

Researchers at Truffle Security discovered that Google Cloud API keys, traditionally used for billing, now also authenticate access to Gemini AI project data due to a silent change by Google. This allows anyone who scrapes the API keys from websites to access uploaded files, cached content, and consume tokens, potentially generating large bills for project owners.

Flaw-Finding AI Assistants Face Criticism for Speed, Accuracy

AI assistants designed to find software vulnerabilities are showing promise, but current versions are not meeting the expectations of enterprises and developers. Experts note that these tools struggle with speed and accuracy, limiting their effectiveness in real-world security assessments.

Microsoft testing Windows 11 batch file security improvements

Microsoft is testing security improvements in Windows 11 Insider Preview builds that aim to improve security and performance when executing batch files (CMD scripts). The improvements focus on mitigating security risks associated with script execution.

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

Over 900 Sangoma FreePBX instances are still compromised with web shells following attacks that exploited a command injection vulnerability that began in December 2025. The majority of infected instances are located in the U.S., followed by Brazil, Canada, Germany, and France. The compromises were discovered by the Shadowserver Foundation.

CISA warns that RESURGE malware can be dormant on Ivanti devices

CISA has released information regarding RESURGE malware, used in conjunction with the CVE-2024-1709 exploit, targeting Ivanti Connect Secure devices. RESURGE is a malicious implant that can remain dormant on compromised systems.

Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

A malicious Go module, disguised as a legitimate crypto library, steals passwords entered in the terminal and deploys the Rekoobe backdoor on Linux systems. The module, github[.]com/xinfeisoft/crypto, mimics the 'golang.org/x/crypto' codebase but contains malicious code for data exfiltration and backdoor deployment.

Third-Party Patching and the Business Footprint We All Share

This article discusses the often-overlooked attack surface created by third-party software and the increased risk of exploitation due to unpatched vulnerabilities. Action1 advocates for consistent patching strategies to mitigate exposure across all endpoints, highlighting the importance of managing third-party software vulnerabilities.

Claude Code Security Shows Promise, Not Perfection

The article discusses the security implications of Claude Code, an AI tool. While it shows promise in code security, researchers caution that its impact may have been overstated and that it's not perfect.

900 Sangoma FreePBX Instances Infected With Web Shells

Approximately 900 Sangoma FreePBX instances have been infected with web shells. The attacks leveraged a post-authentication command injection vulnerability present in the endpoint manager interface.

Your personal OpenClaw agent may also be taking orders from malicious websites

Researchers at Oasis Security discovered a vulnerability chain, dubbed ClawJacked (CVE-2026-25253), in OpenClaw that allows malicious websites to gain full control of a locally running agent by exploiting the implicit trust of "localhost" connections. By bypassing rate limits and enabling unauthorized device pairing, attackers can access the agent's privileges, workflows, and credentials. OpenClaw promptly fixed the flaw after being notified.

Why application security must start at the load balancer

The article argues that application security should start at the load balancer, which is often treated as a performance device rather than a security control. The author provides an example from the financial services industry where weak TLS configurations at the load balancer allowed attackers to exploit vulnerabilities. They recommend enforcing strong TLS versions and cipher suites at the load balancer to establish a secure trust boundary.

Juniper Networks PTX Routers Affected by Critical Vulnerability

Juniper Networks has released an out-of-band security update for Junos OS Evolved to address a remote code execution vulnerability, CVE-2026-21902, affecting PTX routers. This vulnerability requires immediate patching to prevent potential exploitation.

Risky Bulletin: Russian man investigated for extorting Conti ransomware group

This article summarizes several cybersecurity incidents, including the investigation of a Russian man for extorting the Conti ransomware group, the takedown of a Chinese espionage operation by Google, the hacking of the Mexican government using Claude, and the discovery of a Cisco zero-day exploited for three years.

Cisco SD-WAN Zero-Day Under Exploitation for 3 Years

A zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN has been under exploitation for three years by a sophisticated, unknown threat actor. The vulnerability is considered to be of maximum severity and the attacker left very little trace of their activities.

Previously harmless Google API keys now expose Gemini AI data

Google API keys, initially intended for services like Maps and embedded in client-side code, can now be exploited to authenticate to the Gemini AI assistant. This access could potentially expose private user data stored within Gemini.

Trend Micro warns of critical Apex One code execution flaws

Trend Micro has addressed two critical remote code execution (RCE) vulnerabilities in its Apex One security software. Successful exploitation of these flaws could allow attackers to execute arbitrary code on affected Windows systems.

Critical Juniper Networks PTX flaw allows full router takeover

A critical vulnerability in Juniper Networks' Junos OS Evolved, affecting PTX Series routers, enables unauthenticated remote code execution with root privileges. The flaw poses a significant risk, potentially allowing attackers to gain complete control of affected routers.

Rapid AI-driven development makes security unattainable, warns Veracode

Veracode's annual State of Software Security report indicates that more vulnerabilities are being created than fixed, exacerbated by rapid AI-driven development. This widening remediation gap makes achieving comprehensive security increasingly difficult, according to the report based on data from 1.6 million applications.

LLMs Generate Predictable Passwords

Large Language Models (LLMs) are generating predictable passwords with noticeable patterns. These include starting with a specific letter and number, uneven character choices, and an avoidance of repeating characters.

Pelco, Inc. Sarix Pro 3 Series IP Cameras

CISA has released an alert regarding an authentication bypass vulnerability (CVE-2026-1241) in Pelco, Inc. Sarix Pro 3 Series IP Cameras. Successful exploitation could allow attackers to gain unauthorized access to sensitive device data and bypass surveillance controls.

EV2GO ev2go.io

Multiple vulnerabilities have been identified in EV2GO ev2go.io charging stations, potentially allowing attackers to impersonate stations, hijack sessions, cause denial of service, and manipulate backend data. The most severe vulnerability, CVE-2026-24731, involves a lack of authentication for WebSocket endpoints.

EV Energy ev.energy

CISA has released an alert regarding multiple vulnerabilities affecting EV Energy's ev.energy charging stations. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative control or disrupt charging services through denial-of-service attacks.

Chargemap chargemap.com

Chargemap chargemap.com is affected by multiple vulnerabilities, including missing authentication, improper restriction of authentication attempts, insufficient session expiration, and insufficiently protected credentials. Successful exploitation could lead to unauthorized administrative control over charging stations or denial-of-service attacks.

Mobility46 mobility46.se

CISA has released an alert regarding multiple vulnerabilities affecting Mobility46 charging stations. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative control or disrupt charging services through denial-of-service attacks.

SWITCH EV swtchenergy.com

CISA has issued an alert regarding vulnerabilities in SWITCH EV swtchenergy.com charging stations. Successful exploitation could allow attackers to impersonate charging stations, hijack sessions, cause denial of service, and manipulate backend data; multiple CVEs are associated with the affected versions.

CloudCharge cloudcharge.se

CISA has released an alert regarding multiple vulnerabilities in CloudCharge cloudcharge.se charging stations. Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, cause denial of service, and manipulate data sent to the backend.

Yokogawa CENTUM VP R6, R7

Multiple vulnerabilities have been identified in Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Packages. Successful exploitation of these vulnerabilities could allow an attacker to terminate software processes, cause a denial-of-service condition, or execute arbitrary code.

Johnson Controls, Inc. Frick Controls Quantum HD

CISA has released an alert regarding multiple vulnerabilities in Johnson Controls, Inc. Frick Controls Quantum HD versions <=10.22. Successful exploitation of these vulnerabilities could lead to pre-authentication remote code execution, information leaks, or denial of service.

Copeland XWEB and XWEB Pro

CISA has released an alert regarding multiple vulnerabilities in Copeland XWEB and XWEB Pro versions 1.12.1 and prior. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code.

Five Eyes warn: Patch your Cisco SD-WAN or risk root takeover

The Five Eyes intelligence alliance has issued a rare joint alert warning organizations to patch two Cisco Catalyst SD-WAN vulnerabilities. These vulnerabilities are actively being exploited and pose a significant risk of root takeover.

Trend Micro Patches Critical Apex One Vulnerabilities

Trend Micro has addressed eight critical and high-severity vulnerabilities affecting its Apex One endpoint security products on Windows and macOS. The vulnerabilities could potentially allow attackers to compromise systems.

A Deep Dive into the GetProcessHandleFromHwnd API

Google Project Zero researchers analyzed the GetProcessHandleFromHwnd API, noting its potential for exploitation in UAC bypass scenarios. The API allows a caller with UIAccess to obtain a process handle, which can be abused if the caller and target process run as the same user.

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

A zero-day vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller and Manager has been actively exploited since 2023. The flaw, with a CVSS score of 10.0, allows unauthenticated remote attackers to bypass authentication and gain administrative access.

9 Essential Open Source Security Tools [DE]

The article discusses the benefits of using open-source security tools for cybersecurity. It highlights that open-source solutions are often supported by active communities and offer numerous high-quality options for preventing breaches and data leaks. It suggests nine open-source security tools that CISOs and their teams should consider using, for purposes such as vulnerability scanning, protocol analysis, forensics, and threat intelligence support.

Five Eyes issue emergency directive on exploited Cisco SD-WAN zero-day

The Five Eyes alliance issued an emergency directive regarding active exploitation of a zero-day vulnerability, CVE-2026-20127, in Cisco SD-WAN controllers. Threat actors are leveraging this flaw to gain unauthorized, administrative-level access to SD-WAN control systems, potentially manipulating network configurations and establishing persistent access.