2026-05-15 AI创业新闻
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits
The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182 . It’s rated 10.0 on the CVSS scoring system, indicating maximum severity. “Cisco Catalyst SD-WAN Controller and Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” CISA said .
In a separate advisory, Cisco attributed the active exploitation of CVE-2026-20182 with high confidence to UAT-8616 , the same cluster behind the weaponization of CVE-2026-20127 to gain unauthorized access to SD-WAN systems. “UAT-8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.” It’s assessed that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities overlaps with Operational Relay Box (ORB) networks, with the cybersecurity company also observing multiple threat clusters exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 beginning March 2026. The three vulnerabilities, when chained together, can allow a remote unauthenticated attacker to gain unauthorized access to the device.
They were added to the CISA’s KEV catalog last month. The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands. One such JavaServer Pages (JSP)-based web shell has been codenamed XenShell owing to the use of a PoC released by ZeroZenX Labs. At least 10 different clusters have been linked to the exploitation of the three flaws - Cluster 1 (Active since at least March 6, 2026), which deploys the Godzilla web shell Cluster 2 (Active since at least March 10, 2026), which deploys the Behinder web shell Cluster 3 (Active since at least March 4, 2026), which deploys the XenShell web shell and a variant of Behinder Cluster 4 (Active since at least March 3, 2026), which deploys a variant of the Godzilla webshell Cluster 5 (Active since at least March 13, 2026), which malware agent compiled off the AdaptixC2 red teaming framework Cluster 6 (Active since at least March 5, 2026), which deploys the Sliver command-and-control (C2) framework Cluster 7 (Active since at least March 25, 2026), which deploys an XMRig miner Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and Nim-based backdoor that’s likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information Cluster 9 (Active since at least March 17, 2026), which deploys an XMRig miner and a peer-based proxying and tunneling tool called gsocket Cluster 10 (Active since at least Mar 13, 2026), which deploys a credential stealer that attempts to obtain an admin user’s hashdump, JSON Web Tokens (JWT) key chunks that are used for REST API authentication, and AWS credentials for vManage Cisco is recommending that customers follow the guidance and recommendations outlined in the advisories for the aforementioned vulnerabilities to protect their environments.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182 , carries a CVSS score of 10.0. “A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” Cisco said . The networking equipment major said the flaw stems from a malfunction of the peering authentication mechanism, which an attacker could exploit by sending crafted requests to the affected system.
A successful exploit could permit the attacker to log in to the Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account, and then weaponize it to access NETCONF and manipulate network configuration for the SD-WAN fabric.. The vulnerability impacts the following deployments - On-Prem Deployment Cisco SD-WAN Cloud-Pro Cisco SD-WAN Cloud (Cisco Managed) Cisco SD-WAN for Government (FedRAMP) According to Rapid7, which discovered CVE-2026-20182, the shortcoming has its echoes in CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023. “This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said .
“The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.” That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations. Cisco, in its advisory, noted that it became aware of “limited exploitation” of the flaw in May 2026, urging customers to apply the latest updates as soon as possible. The company also said Catalyst SD-WAN Controller systems that are accessible over the internet and that have ports exposed are at increased risk of compromise.
It’s recommending customers to audit the “/var/log/auth.log” file for entries related to Accepted publickey for vmanage-admin from unknown or unauthorized IP addresses. Another indicator is the presence of suspicious peering events in the logs, including unauthorized peer connections that occur at unexpected times and originate from unrecognized IP addresses, or involve device types that are inconsistent with the environment’s architecture. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Cybersecurity researchers are sounding the alarm about what has been described as “malicious activity” in newly published versions of node-ipc. According to Socket and StepSecurity , three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 “Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior,” Socket said. “The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic.” StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server. This includes 90 categories of credentials, including Amazon Web Services, Google Cloud, Microsoft Azure, SSH keys, Kubernetes tokens, GitHub CLI configs, Claude AI and Kiro IDE settings, Terraform state, database passwords, shell history, and more.
The harvested data is then compressed into a GZIP archive and transmitted to the “sh.azurestaticprovider[.]net” domain. The three versions were published by an account named “atiertant,” which has no connection to the package’s original author, “riaevangelist.” Although “atiertant” appears in the maintainer list, the account has no prior publish history in connection with the node-ipc package. The previous update to the package was in August 2024. The fact that the dormant, high-download package was compromised after a 21-month gap indicates that either the “atiertant” credentials were newly compromised, or the account was specifically added as a maintainer to publish the malicious versions.
What’s notable about the activity is that it does not rely on any npm lifecycle hooks such as preinstall, install, or postinstall scripts, instead appending the malicious payload as an Immediately Invoked Function Expression ( IIFE ) to the end of “node-ipc.cjs.” This, in turn, causes the malware to fire unconditionally on every require(‘node-ipc’). The oddity doesn’t end there, for the payload performs a SHA-256 fingerprint check and compares it against a hard-coded hash assembled from eight obfuscated table fragments embedded in the code, before proceeding with system enumeration and comprehensive credential harvesting. “This means 12.0.1 is entirely inert on any machine whose primary module path does not hash to the target value,” StepSecurity researcher Sai Likhith said. “The attacker knows exactly which project or developer is being targeted and pre-computed the hash of their entry point before publishing.
The 9.x versions do not have this gate and will execute the full payload on any system that loads them.” The malware also incorporates a second exfiltration channel besides issuing an HTTPS POST to the fake Azure domain containing the compressed stolen data. This involves encoding chunks of the archive as a DNS TXT record after overriding the system’s DNS resolver with Google Public DNS to sidestep local DNS-based security controls. “It first resolves sh.azurestaticprovider.net using 1.1.1.1 (primary) or 8.8.8.8 (fallback) to obtain the C2 IP,” StepSecurity said. “Then it re-targets the resolver directly at the C2 IP for all exfiltration queries.” “The direct-to-C2 DNS sink is a notable anti-detection technique.
Because the exfiltration queries never touch public DNS resolvers, there is no observable bt.node.js activity in public DNS logs. Organizations relying solely on DNS logging through corporate resolvers would not see this traffic.” Lastly, the malware also attempts to continue execution independently of the original Node.js process by forking itself into a detached background child processes, allowing exfiltration activity to continue silently after the parent application is terminated. “This campaign reflects how software supply chain attacks are evolving beyond simple malicious packages into infrastructure-aware credential harvesting operations,” Avital Harel, security research lead at Upwind, said in a statement. “Attackers are increasingly targeting the identities and automation systems powering modern software delivery pipelines while designing malware specifically to blend into normal developer and application behavior.” This is not the first time the npm package has incorporated malicious functionality.
In March 2022, the maintainer of the package deliberately introduced destructive capability to versions 10.1.1 and 10.1.2 by overwriting files on systems located in Russia or Belarus as a form of protest following Russia’s military invasion of Ukraine. Two subsequent versions – 11.0.0 and 11.1.0 – included the “peacenotwar” dependency, which was also published by the same maintainer as a “non-violent protest against Russia’s aggression.” “The latest incident appears to involve a suspicious republishing or reintroduction of malicious code into versions of a known package, rather than a typosquatting attempt,” Socket said. Users are advised to remove the compromised node-ipc versions and re-install a known clean version (9.2.1 and 12.0.0), assume compromise and rotate credentials and secrets, audit npm publish activity for any packages accessible with the rotated tokens, review workflow run logs for suspicious activity, audit cloud logs to check if any unauthorized actions were performed by IAM identities whose credentials were available during the compromised window, and block egress traffic to the C2 domain. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Agentic AI is Already in Your Org. Here’s How to Secure It [Free Guide]
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago.
The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work get used for bad stuff, and nobody seems shocked anymore. Great. Love that for us. Anyway.
Let’s get into it. Exploited PAN-OS RCE Palo Alto Networks Releases Fixes for Exploited Flaw Palo Alto Networks has released the first round of fixes to address CVE-2026-0300 , a critical buffer overflow vulnerability in the User-ID Authentication Portal service of PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. The company said it has observed the flaw being exploited in limited attacks since at least last month, with unknown threat actors leveraging it to drop payloads like EarthWorm and ReverseSocks5. Private AI chats Meta Announces Incognito Chat Meta has announced Incognito Chat with Meta AI in its namesake app and WhatsApp.
Incognito Chat is “a completely private way to interact with AI, similar to how end-to-end encryption means no one can read your conversations, even Meta or WhatsApp,” CEO Mark Zuckerberg said. “Incognito Chat handles all AI inference in a Trusted Execution Environment that ensures your messages are not accessible to us. The conversations on your phone also disappear when you exit the session.” The feature is powered by Private Processing , which already underlies its message summarization and composition tools. Zero-auth data leak Defense Company Exposes Sensitive Data A defense technology company with Department of Defense contracts exposed user records and military training materials through API endpoints that lacked meaningful authorization checks.
The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix , an ordinary low-privilege account was able to access data across multiple tenants, including user listings, organization records, course information, training metadata, and direct links to documents hosted on Schemata’s Amazon Web Services instances. In a statement posted on the company’s website, Schemata said it did not have “evidence that any third party exploited the vulnerability to access customer data.” Router update reprieve FCC Softens Foreign Router Ban The U.S. Federal Communications Commission (FCC) has extended the deadline for owners of banned internet routers to provide security updates to U.S.-based users by two years.
In March 2026, the FCC banned the import and sale of all “consumer-grade” internet routers produced in a foreign country, citing unacceptable national security risks. In a new public notice published last week, the Commission’s Office of Engineering and Technology (OET) said it is extending this deadline until “at least” January 1, 2029. That said, the extension only applies to software and firmware updates so as to ensure the continued safety of already deployed routers in the U.S. and mitigate potential harm.
“These include all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities and facilitate compatibility with different operating systems,” per the FCC . APT phishing campaign Operation GriefLure Targets Vietnam and the Philippines A new state-sponsored threat cluster dubbed Operation GriefLure has been observed targeting Vietnam’s telecom and the Philippines’ healthcare sectors with a RAR archive distributed via spear-phishing emails to deploy a remote access trojan on compromised hosts, while leveraging credible decoy documents to give them a veneer of legitimacy and trust. The malware is capable of process enumeration, screenshot capture, file and directory listing, credential harvesting, and file execution capabilities. JPEG PowerShell lure Operation SilentCanvas Drops ScreenConnect for Remote Access A multi-stage intrusion campaign has been observed leveraging a weaponized PowerShell payload disguised as a legitimate JPEG image file to deliver a trojanized instance of ConnectWise ScreenConnect to stealthy remote access.
“The intrusion likely originated through social engineering techniques such as phishing emails, malicious attachments, deceptive file-sharing interactions, or fake update lures involving a malicious file named sysupdate.jpeg,” CYFIRMA said . “The payload was specifically crafted to exploit user trust and bypass conventional file-extension validation mechanisms while blending malicious activity with legitimate enterprise software.” Aid-themed infostealer Operation HumanitarianBait Drops Python Infostealer A targeted cyber espionage campaign is leveraging social engineering and trusted infrastructure to establish persistent access to victim systems. The activity, which employs lure themes centred around humanitarian aid, is assessed to target Russian-speaking individuals or entities. “The attack is delivered via phishing emails containing a malicious LNK file disguised within a RAR archive, using a Russian humanitarian aid request form to exploit contextual trust,” Cyble said .
“Execution triggers a stealthy, multi-stage infection chain in which a decoy document is presented to the user while a heavily obfuscated, fileless (PE-less) Python-based implant is silently deployed.” The payload is retrieved from GitHub Releases, allowing the operator to blend in with legitimate enterprise activity. The implant operates as a “full-spectrum surveillance platform,” facilitating credential harvesting, keystroke logging, clipboard and screenshot capture, sensitive data exfiltration, and covert remote access. Ransomware-like file lock New GhostLock Technique Blocks File Access A new proof-of-concept (PoC) tool dubbed GhostLock, created by Kim Dvash of Israel Aerospace Industries, has revealed that it’s possible for a domain user with read access to a file share to deny access to files without the need for deploying any ransomware or requiring elevated privileges. “By calling CreateFileW with dwShareMode = 0x00000000 across a target share, a low-privileged user holds files in an exclusively locked state indefinitely,” Dvash said .
“Other clients receive STATUS_SHARING_VIOLATION (0xC0000043) on every access attempt. ERP systems fail. Workflow queues stall. The impact is indistinguishable from encrypted ransomware.
The attack produces none of the signals that encrypted ransomware produces.” The disruptive technique is not a vulnerability, but rather documented behavior required for data integrity. GhostLock affects “any organization running SMB-backed shared file infrastructure where users have standard domain credentials and network access to file shares.” AI scan false positives Anthropic Mythos Finds Single Bug in cURL cURL developer Daniel Stenberg said that Anthropic Mythos model’s scan of the utility five “confirmed security vulnerabilities,” out of which one was a low-severity bug, while the rest were false positives. “The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June,” Stenberg said . “The flaw is not going to make anyone grasp for breath.
All details of that vulnerability will ofcourse not get public before then, so you need to hold out for details on that.” Stenberg, however, acknowledged that artificial intelligence powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers. Fraud intel pact India Announces New Measures to Tackle Cyber-Enabled Financial Fraud The Indian Cyber Crime Coordination Centre (I4C), along with the Ministry of Home Affairs, and Reserve Bank Innovation Hub (RBIH), have signed a Memorandum of Understanding (MoU) to “facilitate cooperation in the areas of fraud-risk intelligence sharing, analytical support, and operational coordination for strengthening proactive fraud detection and prevention mechanisms.” The goal is to combat cyber-enabled financial fraud and curtail mule accounts across the banking and digital payments ecosystem. OnlyFans ransomware lure New Campaign Uses OnlyFans Lures to Drop crpx0 Ransomware Attackers are enticing users seeking “free OnlyFans accounts” to download a seemingly harmless ZIP file that contains the crpx0 ransomware. The activity targets both Windows and macOS systems.
“Inside that ZIP file is a small trick, a malicious shortcut disguised as something legitimate. When the user clicks it, it quietly executes hidden commands,” Aryaka said . “A VBScript loader prepares the system and silently installs the components needed to run Python-based code. This is where the attack becomes more flexible.
Rather than relying on a single static payload, the attackers now have a programmable environment. Once the Python script is running, it connects to a remote server.” The Python-based malware allows the attackers to send commands, update the malware, or deploy new payloads. This enables system profiling, clipboard hijacking to conduct cryptocurrency theft, seed phrase harvesting, andransomware deployment. ClickFix proxy access New ClickFix Campaign Uses PySoxy A new ClickFix campaign carried out via a compromised website has been observed using scheduled tasks for persistence and PySoxy , an open-source Python SOCKS5 proxy, to establish encrypted proxy access.
“In the observed chain, one user-executed command led to persistence, domain reconnaissance, an initial PowerShell-based command-and-control (C2) channel, and a second C2 path through PySoxy, giving the attacker encrypted proxy access without relying on well-known malware or remote monitoring and management (RMM) tools,” ReliaQuest said . “This development shows ClickFix moving beyond one-time user execution into modular post-exploitation, where older open-source tools can create redundant access paths that are harder to classify and contain.” Tokenizer output hijack Manipulating Hugging Face Packages via Tokenizer Tampering HiddenLayer has demonstrated a technique called tokenizer tampering that details how modifying the “tokenizer.json” file in Hugging Face AI models can give an attacker direct control over model output, enabling an attacker to exfiltrate sensitive data via, say, stealthy tool call injections. The attack works across Safetensors, ONNX, and GGUF formats. “Tokenizer.json ships with the model in a HuggingFace repository, as shown above, and is loaded automatically when the model is initialized for inference, making it a direct attack surface,” HiddenLayer said .
“This can affect conversational responses, tool-call arguments, and any other generated text, without weight modifications, adversarial input, or knowledge of the model’s architecture.” Teams helpdesk lure Fake IT Support Message Leads to ModeloRAT Threat actors are sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that enables remote access, malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. “By abusing Teams external access, the threat actor delivered a Dropbox-hosted Python payload [called ModeloRAT ] that established command-and-control, deployed multiple backdoors, and began mapping the internal environment,” Rapid7 said . “The attacker then escalated privileges to SYSTEM using CVE-2023-36036 before deploying a fake Windows lock screen designed to harvest the user’s domain password.” The attackers then moved laterally to a second host, used legitimate tooling such as DumpIt to gather system memory, and likely exfiltrated the data via an anonymous file-sharing service. ReliaQuest has attributed the activity to a financially motivated initial access broker (IAB) tracked as KongTuke .
Supply chain contest TeamPCP and Breached Announce Supply Chain Attack Competition The notorious threat actor known as TeamPCP , which was recently linked to the compromise of TanStack’s npm packages , has teamed up with Breached forum to announce a supply chain attack competition with a $1,000 prize in Monero. As part of the announcement, the Shai-Hulud worm has been open-sourced and hosted on the forum’s content delivery network. While it was also made available on GitHub , it has since been removed. According to screenshots shared by Dark Web Informer on X, the competition rules require participants to use the worm in their attacks and submit proof that they have obtained access to a target’s environment.
“The biggest supply chain based on the amount of weekly/monthly downloads will win,” the threat actor said. “If you compromise many small packages, it will be added up.” The development marks a newfound escalation of TeamPCP’s tradecraft. “The contest essentially functions as a public recruitment stunt, turning supply chain compromise into a leaderboard for lower-tier actors willing to trade risk for recognition,” Socket said . “TeamPCP has already been positioning supply chain compromise as a way to harvest credentials, expose enterprise environments, and hand access to groups that know how to monetize it.
Now it is giving forum users an open source worm, a scoring system, and a reason to rack up compromises.” NATS-powered C2 NATS as C2 Channel An unknown threat actor has been spotted using a NATS server as a command-and-control (C2) channel rather than relying on traditional HTTP-based panels or chat platforms. The novel technique has been codenamed NATS-as-C2 by cloud security company Sysdig. The activity relates to the exploitation of CVE-2026-33017 , an unauthenticated remote code execution (RCE) vulnerability in Langflow. “Over roughly 30 minutes of hands-on activity, the operator at 159.89.205.184 (DigitalOcean) downloaded a Python worker and a Go binary,” the company said .
While threat actors have adopted legitimate platforms and services as covert communication channels, this is the first time NATS, a high-performance communications system, has been leveraged for this purpose. That’s it. Attackers keep winning with simple crap: fake prompts, trusted tools, weak checks, and old systems nobody wants to fix. Do the boring work.
Patch. Change keys. Check users. Test backups.
Block the obvious junk. We’ll be back when the fire moves. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It’s also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx. “FrostyNeighbor has been running continual cyber operations, changing and updating its toolset regularly, updating its compromise chain and methods to evade detection – targeting victims located in Eastern Europe,” ESET said in a report shared with The Hacker News.
Previous attacks mounted by the hacking crew have leveraged a malware family known as PicassoLoader , which then acts as a conduit for Cobalt Strike Beacon and njRAT. In late 2023, the threat actor was also observed weaponizing a vulnerability in WinRAR ( CVE-2023-38831 , CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike. As recently as last year, Polish entities were at the receiving end of a phishing campaign orchestrated by Ghostwriter that exploited a cross-site flaw in Roundcube ( CVE-2024-42009 , CVSS score: 9.3) to run malicious JavaScript responsible for capturing email login credentials. In at least some cases, the threat actors are said to have leveraged the harvested credentials to analyze mailbox contents, download the contact list, and abuse the compromised account to propagate more phishing messages, per a report from CERT Polska in June 2025.
Towards the end of 2025, the group also began to incorporate an anti-analysis technique where lure documents relied on dynamic CAPTCHA checks to trigger the attack chain. “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms,” ESET researcher Damien Schaeffer said. “This newest compromise chain that we detected is a continuation of the group’s willingness to update and renew its arsenal, trying to evade detection to compromise its targets.” The latest set of activities, observed since March 2026, involves using links in malicious PDFs sent via spear-phishing attachments to target government entities in Ukraine, ultimately resulting in the deployment of a JavaScript version of PicassoLoader to drop Cobalt Strike. The PDF decoy documents have been found to impersonate the Ukrainian telecommunications company Ukrtelecom.
The infection sequence incorporates a geofencing check, serving a benign PDF file to victims whose IP address does not correspond to Ukraine. The embedded link in the PDF document is used to deliver a RAR archive containing a JavaScript payload that displays a lure document to keep up the ruse, while simultaneously launching PicassoLoader in the background. The downloader is also designed to profile and fingerprint the compromised host, based on which the operators may manually decide to send a third-stage JavaScript dropper for Cobalt Strike Beacon. The system fingerprint is transmitted to attacker-controlled infrastructure every 10 minutes, allowing the threat actor to assess whether the victim is of interest.
The activity primarily appears to center around military, defense sector, and governmental organizations in Ukraine, whereas the victimology in Poland and Lithuania is much broader, targeting industrial and manufacturing, healthcare and pharmaceuticals, logistics, and government sectors. “FrostyNeighbor remains a persistent and adaptive threat actor, demonstrating a high level of operational maturity with the use of diverse lure documents, evolving lure and downloader variants, and new delivery mechanisms,” ESET said. “The payload is only delivered after server-side victim validation, combining automated checks of the requesting user agent and IP address with the manual validation by the operators.” Gamaredon Delivers GammaDrop and GammaLoad in Ukraine Attacks The disclosure comes as the Russia-affiliated Gamaredon hacking group has been tied to a spear-phishing campaign targeting Ukrainian state institutions since September 2025, with an aim to deliver GammaDrop and GammaLoad downloader malware through RAR archives that exploit CVE-2025-8088 . “These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system,” HarfangLab said .
“There is little technical novelty here, but Gamaredon has never relied on sophistication. The group’s strength lies in its relentless operational tempo and scale.” Russia Targeted by BO Team and Hive0117 The findings also follow a report from Kaspersky that the pro-Ukraine hacktivist group known as BO Team (aka Black Owl) may be working with Head Mare (aka PhantomCore) in attacks aimed at Russian organizations, citing overlapping infrastructure and tools. Attacks orchestrated by the BO Team in 2026 have employed spear-phishing to serve BrockenDoor and ZeronetKit, the latter of which is capable of also compromising Linux systems. Also observed in these attacks is a previously undocumented Go-based backdoor referred to as ZeroSSH that can execute arbitrary commands using “cmd.exe” and establish a reverse SSH channel.
As many as 20 organizations have been targeted by the BO Team in the first quarter of 2026. “The nature of the interaction between the groups remains unclear, but the recorded intersections of tools and infrastructure indicate at least the potential coordination of actions against Russian organizations,” Kaspersky said . In recent months, Russian enterprises have also been targeted by a financially motivated group called Hive0117 to steal over 14 million rubles by breaking into accountants’ computers via phishing campaigns and disguising transfers as salary payments. The phishing emails were sent to more than 3,000 Russian organizations between February and March 2026, per F6.
Besides Russia, the activity has also targeted users from Lithuania, Estonia, Belarus, and Kazakhstan. The attacks employ invoice-themed lures to distribute RAR archives that contain malicious files to drop DarkWatchman, a remote access trojan attributed to the group. “Using remote access to online banking systems via compromised accountants’ computers, they initiated payments to be credited to bank accounts listed in the registry,” F6 said . “Formerly, this looked like a payroll transfer, but the registry listed the bank accounts of mules.
If such payment transactions did not go through anti-fraud systems, the attackers were able to withdraw significant amounts from the companies’ accounts.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server’s protected functionality without a token. “ PraisonAI ships a legacy Flask API server with authentication disabled by default,” according to an advisory released by the maintainers earlier this month. “When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token.” Specifically, the legacy Flask-based API server, src/praisonai/api_server.py, hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None.
According to PraisonAI, successful exploitation of the flaw can have varied impacts, including - Unauthenticated enumeration of the configured agent file through /agents Unauthenticated triggering of the locally configured “agents.yaml” workflow through /chat Repeated consumption of the model/API quota, and Exposure of the results of PraisonAI.run() to the unauthenticated caller “The impact therefore, depends on what the operator’s agents.yaml is allowed to do, but the authentication bypass is unconditional in the shipped legacy server,” PraisonAI said. The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33. It has been patched in version 4.6.34. Security researcher Shmulik Cohen has been credited with discovering and reporting the bug.
In a report published by Sysdig this week, the cloud security company said it observed attempts to exploit the flaw within hours of it becoming public knowledge. “Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances,” it said. “The advisory was published [on May 11, 2026,] at 13:56 UTC. The first targeted request landed at 17:40 UTC the same day.” The activity, per Sysdig, originated from the IP address 146.190.133[.]49 and followed a packaged-scanner profile that carried out two passes spaced eight minutes apart, with each pass pushing approximately 70 requests in roughly 50 seconds.
While the first pass scanned generic disclosure paths (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock), the second pass specifically singled out AI-agent surfaces, including PraisonAI. “The probe that matched CVE-2026-44338 directly was a single GET /agents with no Authorization header and User-Agent CVE-Detector/1.0,” Sysdig said. “That request returns 200 OK with body {“agent_file”:”agents.yaml”,”agents”:[…]}, confirming the bypass was successful.” The scanner has not been found to send any POST request to the “/chat” endpoint during either pass, indicating the activity is consistent with an initial check to determine if the auth bypass works and confirm if the host is exploitable via CVE-2026-44338. The rapid exploitation of the PraisonAI is the latest example of a broader trend where threat actors are increasingly adopting newly disclosed flaws into their arsenal before they can be patched.
Users are advised to apply the latest fixes as soon as possible, audit existing deployments, review model provider billing for any suspicious activity, and rotate credentials referenced in “agents.yaml.” “Adversary tooling has scaled to the entire AI and agent ecosystem – no matter the size, and not just the household names – and the operating assumption for any project that ships an unauthenticated default must be that the window between disclosure and active exploitation is measured in single-digit hours,” Sysdig said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
How AI Hallucinations Are Creating Real Security Risks
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs. When an AI model lacks certainty, it doesn’t have a mechanism to recognize that. Instead, it generates the most probable response based on patterns in its training data, even if that response is inaccurate. These outputs may appear authoritative, making them especially dangerous when driving real-world security decisions.
Based on Artificial Analysis’s AA-Omniscience benchmark , a 2025 evaluation of 40 AI models found that all but four models tested were more likely to provide a confident, incorrect answer than a correct one on difficult questions. As AI takes on a larger role in cybersecurity operations, organizations must treat every AI-generated response as a potential vulnerability until a human has verified it. What are AI hallucinations? AI hallucinations are confidently presented, plausible-sounding outputs that are factually inaccurate.
Base language models don’t retrieve verified information; they construct responses by predicting words and phrases from learned patterns in their training data. Since their responses are statistically likely but not necessarily true, hallucinated outputs can closely resemble accurate information. While hallucinating, AI models may cite nonexistent sources, reference research that was never conducted or present fabricated data with the same conviction as trusted information. For organizations, the main issue surrounding AI hallucinations is not only inaccuracy but also misplaced trust.
When an AI output sounds like the absolute truth, employees may assume it is correct and act on it without verification. In cybersecurity environments, incorrect AI outputs pose significant security risks because they not only inform key decisions but also feed directly into automated systems that can trigger operational actions. The results can include system disruptions, financial loss and the introduction of new vulnerabilities. What causes AI hallucinations?
The first step toward mitigating the impact of AI hallucinations is understanding how they form. Here are the various factors that may contribute to AI hallucinations: Flawed training data: AI models learn from the data they are trained on. If that data contains outdated information or outright errors, the model will incorporate those flaws into its outputs. It won’t flag the discrepancies; it will learn from them.
Bias in input data: Overrepresentation of certain patterns or scenarios can cause an AI model to treat those patterns as universally applicable, even when the context differs. Lack of response validation: Base language models aren’t built to verify factual accuracy. They optimize for coherent, plausible outputs. While some systems add retrieval or grounding layers to reduce this risk, the core generation process remains vulnerable to hallucinations.
Prompt ambiguity: Vague inputs increase the likelihood that AI models will fill in gaps with assumptions, raising the risk of incorrect outputs and hallucinations. 3 ways AI hallucinations are impacting cybersecurity Not every AI hallucination has equal impact, but incorrect or fabricated information can leave organizations vulnerable to serious cyber threats. Three main ways AI hallucinations manifest are missed threats, fabricated threats and incorrect solutions. 1.
Missed threats AI threat detection often relies on identifying patterns and anomalies based on historical data and learned behavior. When a cyber attack aligns with known behaviors, the AI model performs well; but when it doesn’t, the model has nothing to compare it to, so the threat may go unnoticed. This is especially problematic for underrepresented attack techniques and zero-day attacks , which exploit vulnerabilities unknown to the vendor and are therefore unpatched. Because these threats are not reflected in training data, the AI model lacks sufficient context to flag them, resulting in a higher likelihood of undetected vulnerabilities and greater exposure within the environment.
- Fabricated threats In contrast to missed threats, AI models may also hallucinate false positives by misclassifying normal activity as malicious, alerting teams to threats that do not exist. For example, normal network traffic may be misinterpreted as suspicious, triggering alerts that prompt unnecessary incident response actions. These false alarms can lead to system shutdowns, wasted resources and disrupted operations for fabricated threats.
Over time, repeated false positives can lead to alert fatigue, where security teams become desensitized to all warnings. This increases the risk that legitimate threats will be overlooked in environments where teams have been conditioned to distrust alerts. 3. Incorrect remediation This is one of the most dangerous forms of AI hallucination since it occurs after trust has already been established.
For example, an AI system may confidently recommend deleting sensitive files, modifying system configurations or disabling firewall rules. If these actions are executed, particularly through privileged accounts, they can leave organizations exposed to identity-based attacks, lateral movement or irreversible data loss. Even when AI threat detection is accurate, hallucinated guidance can escalate a contained security incident into a broader breach. How organizations can reduce AI hallucination risks Although AI hallucinations cannot be fully eliminated, their impact can be significantly reduced through the following controls and governance measures.
Require human review before action AI-generated outputs should not trigger sensitive or privileged actions without human verification first. This is especially important for workflows involving infrastructure changes, access updates or incident response. The review requirement should not only happen when something seems wrong; models can sound equally confident whether they’re right or wrong. Treat training data as a security asset AI hallucinations often trace back to training data.
Regularly auditing the data used to train or ground AI systems by eliminating outdated records, biased datasets and inaccurate information reduces the likelihood that those flaws will appear in outputs. As AI-generated content becomes more common online, there is an increased risk of future models being trained on fabricated information produced by earlier models, in a phenomenon sometimes referred to as model collapse. Without continuous data governance, the risk of flawed AI outputs only increases. Enforce least-privilege access for AI systems AI-driven systems should be granted only the permissions they need to perform their tasks.
This may look like an AI system that is allowed to read files only, not delete them – even if a hallucinated recommendation tells it to. By restricting access with least privilege, organizations ensure that even if an AI system generates incorrect guidance, it cannot execute actions beyond what it is allowed to do. Invest in prompt engineering training AI outputs are heavily shaped by input quality, so a vague prompt gives the model more opportunity to fill gaps with incorrect assumptions, increasing the risk of hallucination. Organizations must prioritize training employees, especially those who directly interact with AI systems, on how to write specific prompts that drive the model to produce verifiable outputs.
Employees who understand that AI outputs should always be validated before use are less likely to interpret the AI system as authoritative by default. Place identity security at the center of AI governance AI hallucinations become real security risks when they lead to action, which is not primarily a model problem but rather an access problem. Security incidents arise when AI systems have enough access to act on incorrect guidance, or when a human trusts outputs without verification. Keeper® is built to provide organizations with the visibility and access controls needed to prevent unauthorized access, even when AI-driven decisions are incorrect.
By enforcing least-privilege access, monitoring privileged activity and securing both human and Non-Human Identities (NHIs), organizations can reduce the risk of AI hallucinations evolving into damaging security incidents. Note : This article was thoughtfully written and contributed for our audience by Ashley D’Andrea, Content Writer at Keeper Security. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON). The security defects have been codenamed YellowKey and GreenPlasma , respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse. The researcher described YellowKey as “one of the most insane discoveries I ever found,” likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment ( WinRE ), a built-in framework designed to troubleshoot and repair common unbootable operating system issues. YellowKey affects Windows 11 and Windows Server 2022/2025.
At a high level, it involves copying specially crafted “FsTx” files on a USB drive or the EFI partition, plugging the USB drive into the target Windows computer with BitLocker protections turned on, rebooting into WinRE, and triggering a shell by holding down the CTRL key. “I think it will take a while even for MSRC to find the real root cause of the issue. I just never managed to understand why this vulnerability is sooo well hidden,” the researcher explained . “Second thing is, no, TPM+PIN does not help, the issue is still exploitable regardless.” Security researcher Will Dormann, in a post shared on Mastodon, said, “I was able to reproduce [YellowKey] with a USB drive attached,” adding, “it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE (X:).
And we get a cmd.exe prompt, with BitLocker unlocked instead of the expected Windows Recovery environment.” “While the TPM-only BitLocker bypass is indeed interesting, I think the buried lede here is that a \System Volume Information\FsTx directory on one volume has the ability to modify the contents of another volume when it is replayed,” Dormann pointed out. “To me, this in and of itself sounds like a vulnerability.” The second vulnerability flagged by Chaotic Eclipse is a case of privilege escalation security that could be exploited to obtain a shell with SYSTEM permissions. It arises as a result of what has been described as Windows CTFMON arbitrary section creation. The released proof-of-concept (PoC) is incomplete and lacks the necessary code to obtain a full SYSTEM shell.
In its current form, the exploit can allow an unprivileged user to create arbitrary memory section objects within directory objects writable by SYSTEM, potentially enabling manipulation of privileged services or drivers that implicitly trust those paths, as a standard user does not have write access to the locations. The development comes nearly a month after the researcher published three Defender zero-days dubbed BlueHammer, RedSun, and UnDefend after allegedly expressing dissatisfaction with Microsoft’s handling of the vulnerability disclosure process. The shortcomings have since come under active exploitation in the wild. While BlueHammer was officially assigned the identifier CVE-2026-33825 and patched by Microsoft last month, Chaotic Eclipse said the tech giant appears to have “silently” addressed RedSun without issuing any advisory.
“I hope you at least attempt to resolve the situation responsibly, I’m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer,” the researcher said. “The fire will go as long as you want, unless you extinguish it or until there nothing left to burn.” Chaotic Eclipse also promised a “big surprise” for Microsoft, coinciding with the next Patch Tuesday release in June 2026. When reached for comment, a Microsoft spokesperson had previously told The Hacker News that it “has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” and that it supports coordinated vulnerability disclosure, which the company said “helps ensure issues are carefully investigated and addressed before public disclosure.” BitLocker Downgrade Attack Uncovered The development comes as French cybersecurity company Intrinsec detailed an attack chain against BitLocker that leverages a boot manager downgrade by exploiting CVE-2025-48804 (CVSS score: 6.8) to bypass the encryption protection on fully patched Windows 11 systems in under five minutes. “The principle is as follows: the boot manager loads the System Deployment Image (SDI) file and the WIM referenced by it, and verifies the integrity of the legitimate WIM,” Intrinsec said .
“However, when a second WIM is added to the SDI with a modified blob table, the boot manager checks the first (legitimate) WIM while simultaneously booting from the second (controlled by the attacker). This second WIM contains a WinRE image infected with ‘cmd.exe,’ which executes with the decrypted BitLocker volume.” While fixes released by Microsoft in July 2025 plugged this security defect in July 2025, security researcher Cassius Garat said the problem lies in the fact that Secure Boot only verifies a binary’s signing certificate, not its version. As a result, a vulnerable version of “bootmgfw.efi” that does not contain the patch and is signed with the trusted PCA 2011 certificate can be used to get around BitLocker safeguards. It’s worth noting that Microsoft plans to retire the old PCA 2011 certificates next month.
“And as long as it is not revoked, even an old, vulnerable boot manager can be loaded without triggering an alert,” Intrinsec noted. To pull off the attack, a bad actor needs to have physical access to the target machine. To counter the risk, it’s essential to enable a BitLocker PIN at startup for preboot authentication and migrate the boot manager to the CA 2023 certificate and revoke the old PCA 2011 certificate. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks. Codenamed Fragnesia , the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel’s XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of the V12 security team. “The vulnerability allows unprivileged local attackers to modify read-only file contents in the kernel page cache and achieve root privileges through a deterministic page-cache corruption primitive,” Google-owned Wiz said .
Advisories have been released by multiple Linux distributions - AlmaLinux Amazon Linux CloudLinux Debian Gentoo Red Hat Enterprise Linux SUSE Ubuntu “This is a separate bug in the ESP/XFRM from Dirty Frag which has received its own patch,” V12 said. “However, it is in the same surface and the mitigation is the same as for Dirty Frag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition.” Fragnesia is similar to Copy Fail and Dirty Frag (aka Copy Fail 2) in that it immediately yields root on all major distributions by achieving a memory write primitive in the kernel and corrupting the page cache memory of the /usr/bin/su binary. A proof-of-concept (PoC) exploit has been released by V12.
“Customers who have already applied the Dirty Frag mitigation need no further action until patched kernels are released,” CloudLinux maintainers said. Red Hat said it’s performing an assessment to confirm if existing mitigations extend to CVE-2026-46300. Wiz also noted that AppArmor restrictions on unprivileged user namespaces may serve as a partial mitigation, requiring additional bypasses for successful exploitation. However, unlike Dirty Frag, no host-level privileges are required.
“A patch is available, and while no in-the-wild exploitation has been observed at this time, we urge users and organizations to apply the patch as soon as possible by running update tools,” Microsoft said . “If patching is not possible at this point, consider applying the same mitigations for Dirty Frag.” This includes disabling esp4, esp6, and related xfrm/IPsec functionality, restricting unnecessary local shell access, hardening containerized workloads, and increasing monitoring for abnormal privilege escalation activity. The development comes as a threat actor named “berz0k” has been observed advertising on cybercrime forums a zero-day Linux LPE exploit for $170,000, claiming it works on multiple major Linux distributions. “The threat actor claims the vulnerability is TOCTOU-based (Time-of-Check Time-of-Use), capable of stable local privilege escalation without causing system crashes, and leverages a shared object (.so) payload dropped into the /tmp directory,” ThreatMon said in a post on X.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst , is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift . “NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” F5 said in an advisory released Wednesday.
“This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).” “An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.” The issue has been addressed in the following versions after responsible disclosure on April 21, 2026 - NGINX Plus R32 - R36 (Fixes introduced in R32 P6 and R36 P4) NGINX Open Source 1.0.0 - 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0) NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned) NGINX Instance Manager 2.16.0 - 2.21.1 F5 WAF for NGINX 5.9.0 - 5.12.1 NGINX App Protect WAF 4.9.0 - 4.16.0 NGINX App Protect WAF 5.1.0 - 5.8.0 F5 DoS for NGINX 4.8.0 NGINX App Protect DoS 4.3.0 - 4.7.0 NGINX Gateway Fabric 1.3.0 - 1.6.2 NGINX Gateway Fabric 2.0.0 - 2.5.1 NGINX Ingress Controller 3.5.0 - 3.7.2 NGINX Ingress Controller 4.0.0 - 4.0.1 NGINX Ingress Controller 5.0.0 - 5.4.1 In its own advisory, depthfirst said the vulnerability could allow a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. What makes the vulnerability severe is that it’s reachable without authentication, can be reliably used to trigger the heap overflow, and can lead to remote code execution in the NGINX worker process.
“An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution,” depthfirst said. “There is no authentication step, no prior access requirement, and no need for an existing session.” “The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random. Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance.” Also patched in NGINX Plus and NGINX Open Source are three other flaws - CVE-2026-42946 (CVSS v4 score: 8.3) - An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured. CVE-2026-40701 (CVSS v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control of modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to “on” or “optional,” and the ssl_ocsp directive is set to “on.” CVE-2026-42934 (CVSS v4 score: 6.3) - An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when charset, source_charset, and charset_map, and proxy_pass with disabled buffering (“off”) directives are configured.
Users are advised to apply the latest versions for optimal protection. If immediate patching is not an option for CVE-2026-42945, users are advised to change the rewrite configuration by replacing unnamed captures with named captures in every affected rewrite directive. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Microsoft’s MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
Microsoft has unveiled a new multi-model artificial intelligence (AI)-driven system called MDASH to facilitate vulnerability discovery and remediation at scale, adding that it’s being tested by some customers as part of a limited private preview. MDASH, short for m ulti-mo d el a gentic s canning h arness, is designed as a model-agnostic system that uses bespoke AI agents for different vulnerability classes to autonomously discover, validate, and prove exploitable defects in complex codebases like Windows. “Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end,” Taesoo Kim, vice president of agentic security at Microsoft, said . MDASH is envisioned as a “structured pipeline” that ingests a codebase and produces validated, proven findings through a series of actions.
It starts with analyzing the source code to build a threat model and attack surface, running specialized “auditor” agents over candidate code paths to flag potential issues, running a second set of “debater” agents that validate the findings, grouping semantically equivalent findings, and then finally proving the existence of the vulnerabilities. The system is powered by a configurable panel of models, with state-of-the-art (SOTA) models used for reasoning, distilled models for validation for high-volume passes, and a second separate SOTA model for independent counterpoint. “Disagreement between models is itself a signal: when an auditor flags something as suspect and the debater can’t refute it, that finding’s posterior credibility goes up,” Microsoft explained. “An auditor does not reason like a debater, which does not reason like a prover.
Each pipeline stage has its own role, prompt regime, tools, and stop criteria.” Redmond noted that the specialized agents have been constructed based on past common vulnerabilities and exposures (CVEs) and their patches. It also said the architecture allows for portability across model generations. MDASH has already been put to test, unearthing 16 of the vulnerabilities that were fixed in this month’s Patch Tuesday release. The shortcomings span across the Windows networking and authentication stack, including two critical flaws that could pave the way for remote code execution - CVE-2026-33824 (CVSS score: 9.8) - A double-free vulnerability in “ikeext.dll” that could allow an unauthenticated attacker to send specially crafted packets to a Windows machine with Internet Key Exchange (IKE) version 2 enabled, leading to remote code execution.
CVE-2026-33827 (CVSS score: 8.1) - A race condition vulnerability in Windows TCP/IP (“tcpip.sys”) that allows an unauthorized attacker to send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, leading to remote code execution exploitation. News of MDASH follows the debut of Anthropic’s Project Glasswing and OpenAI Daybreak , both of which are AI-powered cybersecurity initiatives for accelerating vulnerability discovery, validation, and remediation before they can be discovered by bad actors. “The strategic implication is clear: AI vulnerability discovery has crossed from research curiosity into production-grade defense at enterprise scale, and the durable advantage lies in the agentic system around the model rather than any single model itself,” Kim said. Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
A threat actor with affiliations to China has been linked to a “multi-wave intrusion” targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon. The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that’s used by multiple China-nexus espionage groups, and TernDoor , which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024. What’s notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry point despite several remediation attempts, swapping backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a modified Deed RAT in late February 2026.
The attackers are assessed to have exploited the ProxyNotShell chain to obtain initial access. “This targeting extends the known FamousSparrow victimology into a region where Azerbaijan’s role in European energy security has materially increased following the 2024 expiration of Russia’s Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions,” the Romanian cybersecurity company said in a report shared with The Hacker News. “The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker’s ability to return is fully disrupted.” The initial access is said to have been followed by attempts to deploy web shells to establish a persistent foothold, and ultimately deploy Deed RAT using an evolved DLL side-loading technique that leverages the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL that’s responsible for executing the main payload. “Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library,” Bitdefender explained.
“This creates a two-stage trigger that gates the Deed RAT loader’s execution through the host application’s natural control flow, further evolving the defense evasion capabilities of traditional DLL side-loading.” The attacks have also been found to conduct lateral movement to broaden their access within the compromised network and establish a redundant foothold to ensure resilience in the event that the activity is detected and removed. The second wave, on the other hand, took place nearly a month after the initial intrusion, with the adversary attempting to unsuccessfully employ DLL side-loading to drop TernDoor by means of Mofu Loader , a shellcode loader previously attributed to GroundPeony. The Azerbaijani firm was targeted a third time towards the end of February 2026, when the threat actors once again attempted to deploy a modified version of Deed RAT, indicating active efforts to refine and evolve its malware arsenal. This artifact uses “sentinelonepro [.]com” for command-and-control (C2).
“This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment,” Bitdefender said. “Across multiple waves of activity, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.