Dirty Frag: unpatched Linux kernel flaw grants root access on Ubuntu, RHEL and Fedora. A working exploit is already public.

Security researchers have disclosed a new unpatched vulnerability in the Linux kernel, code-named Dirty Frag, that allows an unprivileged local user to gain full root access on most major Linux distributions, including Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream.

Dirty Frag is related to the Dirty Pipe family of vulnerabilities but is independent of the Copy Fail mitigation, meaning systems that already applied the algif_aead blacklist remain fully exposed.

“[the flaw] can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.” reads the advisory. “Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”

The researcher Hyunwoo Kim (@v4bel) first disclosed the vulnerability.

The vulnerability chains two separate flaws. The first is the xfrm-ESP Page-Cache Write bug, rooted in the Linux IPsec subsystem and introduced in a January 2017 source code commit, the same commit responsible for CVE-2022-27666, a buffer overflow affecting multiple Linux distributions. The second is the RxRPC Page-Cache Write bug, introduced in June 2023. Neither flaw alone is sufficient on all systems, but together they cover each other’s blind spots: where one path is blocked by the environment, such as Ubuntu’s AppArmor restrictions on namespace creation, the other opens. The chain is what makes Dirty Frag universally dangerous across distributions.

“What both vulnerabilities have in common is that, on a zero-copy send path where splice() plants a reference to a page cache page that the attacker only has read access to into the frag slot of the sender side skb as is, the receiver side kernel code performs in-place crypto on top of that frag.” reads the analysis. “As a result, the page cache of files that an unprivileged user only has read access to (such as /etc/passwd or /usr/bin/su) is modified in RAM, and every subsequent read sees the modified copy.”

What makes Dirty Frag particularly dangerous is its reliability. Unlike many kernel exploits that depend on precise timing windows or race conditions, this is a deterministic logic bug. It doesn’t panic the kernel on failure, and its success rate is described as very high. A working proof-of-concept is already public, reducing exploitation to a single command.

The disclosure itself was complicated: the embargo broke early after a third party published detailed technical information and the exploit code without coordination. No CVE identifier has been assigned yet.

“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works” concludes the report.

Until official patches are available, the recommended workaround is to blocklist the esp4, esp6, and rxrpc kernel modules to prevent them from loading.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dirty Frag)

The Pentagon is integrating AI into military operations, transforming cybersecurity, targeting, and command systems into a unified warfare architecture.

May 2026 marks a turning point in the evolution of modern warfare: the convergence of artificial intelligence, cybersecurity, and conventional military power is no longer theoretical. It is becoming an operational reality.

The Pentagon has signed agreements with major technology companies, including OpenAI, Google, Microsoft, Amazon, and SpaceX to integrate advanced AI models into classified military networks. The stated goal is clear: transform the United States into an “AI-first” military force capable of maintaining decision superiority across every battlefield domain.

Under this strategy, AI is no longer treated as a laboratory tool or analytical assistant. It is moving directly into the military chain of command, intelligence analysis, logistics, targeting, and operational planning. More than 1.3 million Department of Defense employees are already using the GenAI.mil platform, dramatically reducing processes that once took months to just days.

The Pentagon’s doctrine reflects a major cultural shift: code and combat are no longer separate domains. Cybersecurity itself is now considered a combat capability. The ability to deploy, secure, update, and operate AI models inside classified environments has become part of national defense infrastructure.

The contracts signed with technology providers include “lawful operational use” clauses, requiring vendors to accept any use considered legitimate by the Pentagon, including autonomous weapons systems and intelligence operations. This raises profound ethical and geopolitical questions.

At the same time, the U.S. military is pushing for deep integration across defense systems. Through the Army’s new “Right to Integrate” initiative, manufacturers of missiles, drones, radars, and sensors are being asked to open their software interfaces so AI agents can connect systems in real time. The inspiration comes largely from Ukraine, where open APIs allowed rapid battlefield integration between drones, sensors, and fire-control systems.

However, this transformation creates a dangerous paradox: the same openness that enables speed and flexibility also expands the attack surface. Every API, cloud platform, and AI integration point can potentially become an entry point for sophisticated adversaries such as China, Russia, or state-sponsored APT groups.

A compromised AI-enabled military ecosystem could allow attackers to inject false sensor data, manipulate targeting systems, degrade drone communications, study operational decision patterns, or even hijack autonomous weapons platforms. In this context, software vulnerabilities and supply-chain weaknesses are no longer merely IT problems, they become military objectives.

Washington is also increasingly concerned about the cyber risks posed by advanced AI models themselves. According to reports, the White House is considering new oversight mechanisms for frontier AI systems capable of autonomously discovering software vulnerabilities or automating cyberattacks at scale. Officials fear that uncontrolled deployment of such models could lead to mass exploitation of critical infrastructure, financial systems, or global supply chains.

The strategic implications extend beyond military technology. Major cloud providers such as Amazon, Microsoft, and Google are gradually becoming part of the American defense architecture. Civilian digital infrastructure is evolving into a structural extension of military power.

This raises difficult questions for Europe and Italy. In a world where most cloud, AI, and cybersecurity infrastructures are controlled by American companies, what does technological sovereignty really mean? Sovereignty is no longer just about producing chips or funding startups. It is about controlling the digital infrastructure that supports national defense, determining who can update AI systems operating on classified networks, and deciding who sets the operational rules of software during crises.

The United States, Israel, and China are already integrating AI into military doctrine at high speed. Europe risks remaining trapped between regulation and technological dependence unless it develops its own industrial capabilities, operational autonomy, and independent evaluation frameworks.

The message coming from Washington is unmistakable: the future of strategic power will depend on who controls AI models, data, interfaces, and software-driven operational systems. In modern warfare, software has become a battlefield domain, and the speed of code deployment increasingly matters as much as firepower itself.

A more detailed analysis is available in Italian here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

Palo Alto says hackers exploited PAN-OS zero-day CVE-2026-0300 for weeks, gaining root access to exposed firewalls and hiding traces.

Palo Alto Networks warned that suspected state-sponsored hackers have been exploiting the critical PAN-OS zero-day CVE-2026-0300 for nearly a month. After exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.

“We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.” reads the advisory by the cybersecurity vendor. “Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.”

EarthWorm has been used in past attacks associated with several China-linked threat actors, including , APT41, CL-STA-0046, and Volt Typhoon.

The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.

“A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”

This week, Palo Alto Networks has warned that the critical PAN-OS vulnerability CVE-2026-0300 is actively exploited in the wild.

Below is the list of impacted products:

The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.

Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.

The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.

“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”

EarthWorm is an open-source tunneling tool written in C that works across Windows, Linux, macOS, and ARM/MIPS platforms. It acts as a SOCKS5 proxy and port-forwarding utility, enabling attackers to create covert communication channels, bypass network restrictions, and move laterally within compromised environments. Its features include forward and reverse SOCKS5 tunnels, port bridging, traffic forwarding, and multi-hop tunneling for protocols such as RDP and SSH. The tool has previously been linked to threat groups including Volt Typhoon and APT41.

ReverseSocks5 is another open-source networking tool designed to bypass firewalls and NAT protections by creating outbound connections from compromised systems to attacker-controlled servers. Once connected, it establishes a SOCKS5 proxy tunnel that allows remote access into the internal network. While commonly used by administrators for legitimate remote management, threat actors also abuse it for stealthy pivoting and post-compromise operations.

“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” concludes Palo Alto Networks. “The lateral movement technique prioritized identity trust abuse over traditional network-layer pivoting, effectively reducing the attacker’s footprint. Consequently, this campaign demonstrates that operational restraint—specifically the use of non-persistent access windows—is a primary factor in maintaining long-term residency on edge infrastructure.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PAN-OS)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS score of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.

Ivanti warns customers of a high‑severity zero‑day vulnerability, tracked as CVE‑2026‑6973, in Endpoint Manager Mobile that is already being exploited.

“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation.” reads the advisory. “We are not aware of any customers being exploited by the other vulnerabilities disclosed today.”

The flaw, caused by improper input validation, allows attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. Customers are urged to patch immediately to prevent compromise.

Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability. The vulnerability doesn’t affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 10, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Cisco fixed several high‑severity flaws in its enterprise products, including SSRF bugs in Unity Connection that could enable code execution or service disruption.

Cisco released patches for multiple high‑severity vulnerabilities affecting its enterprise products. Successful exploitation could allow code execution, server‑side request forgery (SSRF), or denial‑of‑service attacks. Two notable flaws, CVE‑2026‑20034 and CVE‑2026‑20035, impact Cisco Unity Connection. Attackers can exploit them to trigger SSRF attacks.

“Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code on or conduct server-side request forgery (SSRF) attacks through an affected device.” reads the advisory published by Cisco.

CVE‑2026‑20034 is a flaw in Cisco Unity Connection that allows an authenticated remote attacker to run arbitrary root‑level code on the device. The issue stems from improper validation of user input, letting an attacker send a crafted API request to fully compromise the system. Cisco has released fixes, and no workarounds exist.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request.” reads the advisory. “A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.”

CVE-2026-20035 flaw in Cisco Unity Connection Web Inbox UI allows an unauthenticated remote attacker to perform SSRF attacks. The issue comes from improper validation of certain HTTP requests. By sending a crafted request, an attacker could make the device send arbitrary network traffic on their behalf, potentially accessing internal services.

“A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.” reads the advisory.

“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.”

Below are the impacted releases:

Cisco PSIRT said it is not aware of any public reports or active malicious exploitation of these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Unity Connection)

A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use.

A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devices running Android Debug Bridge (ADB) and using them for large‑scale DDoS attacks. Hunt.io discovered the bot on an unsecured server, it includes 21 flood techniques across TCP, UDP, and raw protocols, allowing it to bypass basic protections. It appears to be sold as a DDoS‑for‑hire service, especially for targeting game and Minecraft servers.

During routine monitoring, researchers spotted an exposed directory on a Netherlands‑hosted server (176.65[.]139.44) used for bulletproof hosting. The operator had left their entire toolkit publicly accessible over TCP/80 with no authentication, allowing investigators to index everything before the attacker realized it was exposed.

Open access to the server revealed a six‑file toolkit instead of a login page, exposing binaries and text files with no authentication. Two files were auto‑tagged as malicious: arm7 (Mirai) and payloads.txt (exploit content), suggesting the operator was using analyst‑grade tools on an unsecured host. The directory held about 200 KB of data, including the packed ARM bot, an unstripped x86‑64 debug build, ADB infection one‑liners, a SOCKS5 proxy, and a placeholder targets file. The debug build’s intact symbols made reconstructing the bot’s behavior straightforward.

“The xlabs_v1 codebase reads as a focused commercial product rather than an opportunistic Mirai derivative. Its twenty-one flood variants, ChaCha20 string protection, OpenNIC-aware DNS resolution, and Speedtest-driven bandwidth profiling are subsystems aimed at a single outcome: keeping a fleet of compromised IoT devices reachable, accountable, and profitable for the operator. Everything else in the binary serves that goal or protects it.” reads the report published by Hunt.io.

xlabs_v1 botnet is built entirely for commercial DDoS‑for‑hire operations, with no added features like credential theft that could increase detection risk. Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN‑shaped UDP traffic to evade filters. Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set‑top boxes, and IoT hardware, part of a global surface of more than 4 million devices with TCP/5555 exposed.

“nfection vector is Android Debug Bridge on TCP/5555, with multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK, meaning any internet-exposed device running ADB is a potential target: Android TV boxes, set-top boxes, smart TVs, residential routers, and any IoT-grade hardware shipping with ADB enabled by default.” continutes the report.

Once installed, the bot hides infection tags, profiles each device’s bandwidth by opening 8,192 TCP sockets, and reports Mbps to its panel so the operator can assign price tiers. It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

For resilience, xlabs_v1 resolves its C2 via OpenNIC, falls back to a firewall‑punching SOCKS‑style listener on TCP/26721, and masks itself as /bin/bash to evade casual inspection. Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.

Its command‑and‑control uses a custom TCP protocol, supporting bandwidth probes, updates, self‑restart, and attack dispatch. Together, these techniques reveal a sophisticated, commercially motivated DDoS botnet engineered for persistence, evasion, and profit.

Analysis of the xlabs_v1 botnet’s infrastructure begins with its C2 domain, xlabslover[.]lol, which resolves to a single IP in the Netherlands hosted by Offshore LC. The domain uses Ultahost nameservers, a provider often linked to bulletproof hosting, and shows no prior malware detections, suggesting a recently deployed C2.

Pivoting from the domain to its IP (176.65.139[.]134) reveals SSH as the only open port, plus past honeypot activity involving HTTP and .env‑file scanning. SSL history shows unusual self‑signed certificates, including one with the CN “Godisgood”, previously used on another IP in Germany, indicating the same operator managing multiple servers.

Three hosts within the 176.65.139.0/24 netblock appear tied to the botnet: .44 (staging), .42 (distribution), and .9 (additional distribution). Hunt.io captured open directories on these systems containing Mirai‑tagged binaries, multi‑architecture payloads, and ADB exploitation scripts.

Historical scans confirmed Mirai C2 activity in late March and early April 2026, consistent with the botnet’s active deployment period and revealing a consolidated, bulletproof infrastructure supporting xlabs_v1.

The operator behind the botnet uses the handle Tadashi, embedded in each build, while the botnet brand xlabs_v1 appears in every C2 registration, hinting at future versions. A development tag, aterna, shows earlier branding before release. OSINT searches linking “Tadashi,” “xlabs,” and “xlabslover” may reveal the operator’s DDoS‑for‑hire storefront. A decrypted banner also exposes hostility toward a rival fork, xlab 2, suggesting a code split or underground feud. Nearby infrastructure in the same netblock has hosted cryptojacking tools, though overlap with the xlabs operation remains unconfirmed.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork (which would lack the ChaCha20 layer, the multi-architecture binary set, the bandwidth profiling, and the registered-attack diversity), but less sophisticated than the top tier of commercial DDoS-for-hire operations (which would use TLS on the C2 channel, would not ship a debug build to production paths, would rotate cryptographic material across builds, and would not ship a hard-coded competitor-rivalry banner).” concludes the report. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target. Treat it accordingly.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, xlabs_v1 botnet)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Palo Alto Networks PAN-OS, tracked as CVE-2026-0300 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.

“A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”

This week, Palo Alto Networks has warned that the critical PAN-OS vulnerability CVE-2026-0300 is actively exploited in the wild.

Below is the list of impacted products:

The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.

Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.

The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.

“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 9, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Taiwan high‑speed rail was disrupted after a 23‑year‑old student spoofed signals and triggered an emergency alarm, stopping four trains for nearly an hour.

Taiwan high‑speed rail system, one of the most important pieces of national infrastructure, was thrown into chaos during the Qingming Festival holiday when several trains suddenly came to an unexpected halt. Experts initially investigated a technical glitch but soon discovered the incident was caused by a cyber intrusion carried out by a 23-year-old university student.

“The Ministry of Transportation and Communications yesterday pledged to submit a report on ways to harden the communication security of railway systems after a university student hacked into Taiwan High Speed Rail Corp’s (THSRC) radio communications system and disrupted operations of four high-speed rail trains last month.” reported the Taipei Times. “Investigation by the police and prosecutors found that the university student and radio enthusiast, surnamed Lin (林), first used a software-defined radio (SDR) filter to analyze THSRC signals, downloaded the data to a computer, cracked the parameters and then programmed the codes into his radio devices.”

Authorities revealed that the student, identified only by his surname Lin, used radio equipment and software tools bought online to imitate the communication signals used inside Taiwan High-Speed Rail (THSR). By doing so, he triggered a general emergency alarm, forcing train operators to stop four trains, disrupting service for nearly an hour and delaying hundreds of passengers heading home from the holiday.

The student exploited weaknesses in TETRA, the radio communication system used by THSR for nearly two decades. Before transmitting anything, Lin reportedly intercepted and decoded the system’s parameters using software‑defined radio (SDR) tools. He analyzed the structure of the signals, then programmed the same parameters into handheld radios to impersonate legitimate THSR beacons.

Using these cloned signals, he sent a high‑priority “General Alarm” message. In the THSR safety protocol, this alarm is treated as a potential life‑or‑death alert: trains in the affected zone must immediately switch to manual emergency stop mode. The attack caused three trains to stop instantly, and a fourth received the same instruction shortly after. In total, THSR recorded 48 minutes of disruption.

What stood out most to investigators was not the complexity of the act, but the long‑standing vulnerability that made it possible. Local reports highlight that the same system parameters had been used for 19 years and were never rotated. This meant that once Lin decoded the information, nothing prevented him from reusing it without detection.

Police say Lin also received help from a 21‑year‑old acquaintance, who provided some of the technical details needed for the intrusion.

Once THSR staff realized the alarm did not match any assigned radio device, they checked their equipment and quickly concluded that the signal must have come from an unauthorized source. They contacted police, who examined station CCTV and radio network logs.

These traces eventually led investigators to Lin’s residence, where they recovered 11 handheld radios, an SDR receiver, and a laptop used for the attack.

The police arrested the student on April 28 and later released him on NT$100,000 bail, pending further investigation.

Prosecutors say Lin may have violated several laws, including articles dealing with interference with public transportation, use of unauthorized equipment, and exploiting vulnerabilities in a protected computer system. Together, the charges could result in up to 10 years in prison.

Beyond the dramatic nature of the event, the hack has sparked a broader debate in Taiwan. Politicians and cybersecurity experts questioned how a national high-speed rail system, carrying more than 80 million passengers a year, could be compromised using consumer‑grade hardware.

Investigators emphasized that even if Lin intended the act as a prank, interfering with public transportation is dangerous and illegal. The District Prosecutors Office warned that any disruption to transport networks will be prosecuted aggressively to protect public safety.

The incident ultimately highlights a simple truth: in a world where cheap radio tools and open‑source software are widely accessible, even long‑trusted systems must be updated and continuously tested. Otherwise, critical infrastructure remains exposed, not only to hostile actors, but to anyone curious enough to experiment.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Taiwan high‑speed rail)

Romanian citizen Gavril Sandu was extradited to the U.S. nearly 17 years after a hacking scheme. He was indicted in 2017 and arrested in 2026.

Romanian national Gavril Sandu, 53, has been extradited to the United States for his role in a hacking scheme that took place 17 years ago.

“On November 14, 2017, a federal grand jury in Charlotte returned a criminal indictment charging Gavril Sandu, 53, with one count of conspiracy to commit bank fraud and one count of bank fraud. Sandu was arrested in Romania on January 9, 2026. He was extradited to the United States on April 30, 2026.” reads the press release published by DoJ.

The move closes a long-running cybercrime investigation revealed by the Justice Department.

The man appeared in a U.S. court after being extradited from Romania to face charges of bank fraud and conspiracy for his role in an international vishing scheme. Indicted in 2017, Sandu was arrested in Romania on January 9, 2026, and transferred to U.S. custody on April 30, 2026.

According to prosecutors, between May 2009 and October 2010, Sandu and co-conspirators hacked into small businesses’ VoIP systems, using them to make spoofed phone calls that impersonated banks and tricked victims into revealing debit card and PIN numbers. The stolen credentials were used to access accounts and steal funds.

“Greed crosses borders, but so does our relentless pursuit of justice,” said U.S. Attorney Russ Ferguson, emphasizing that international cyberscammers will face prosecution no matter where they operate.

The case underscores how global cooperation and timely extraditions remain vital to combating cyber-enabled financial fraud.

Investigators allege that Sandu collected these stolen credentials, used them to forge magnetic stripe cards, and acted as a money mule, withdrawing cash from compromised ATMs and bank accounts. He then split the proceeds with his co‑conspirators.

Following his extradition from Romania, Sandu was placed in federal custody awaiting trial. If convicted, he faces up to 30 years in prison.

“Scams originating outside of our country are out of control. Wherever scammers operate – here or abroad – we will use every tool available to bring them to justice.” concludes U.S. Attorney Ferguson.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gavril Sandu)

Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption.

A newly discovered cyber intrusion attributed to the Iran-linked APT MuddyWater (aka SeedWorm, TEMP.Zagros, Mango Sandstorm, TA450, and Static Kitten) reveals how state-sponsored attackers are increasingly leveraging ransomware tactics to disguise espionage operations. The campaign, uncovered by security researchers at Rapid7, blended social engineering, credential theft, data exfiltration, and extortion under the guise of a ransomware incident — but with no evidence of actual file encryption.

The attack unfolded in early 2026 and initially appeared to be a routine ransomware case. Victims were led to believe they were dealing with the Chaos ransomware group, which operates a leak site for stolen data. However, further investigation showed no ransomware had been deployed. Instead, the attackers relied on espionage tradecraft — lateral movement, credential harvesting, and information theft — consistent with MuddyWater’s long-standing intelligence-gathering profile.

“In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a “false flag” masquerade.” reads the report published by Rapid7. “Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS).”

Rapid7’s analysis shows that the threat actors gained initial access through social engineering tactics, exploiting trust in corporate communications tools. Attackers used Microsoft Teams to contact employees directly, posing as internal IT staff or business associates. Through these conversations, they persuaded users to begin screen-sharing sessions, giving the attackers direct visibility into corporate desktops and systems.

Once connected, the hackers executed reconnaissance commands, accessed files related to VPN configurations, and tricked employees into writing their credentials into locally saved text files. In at least one case, they installed the AnyDesk remote access tool to maintain a foothold in the organization’s network.

After establishing initial access, the threat actors utilized RDP sessions and DWAgent, another remote management tool, to maintain persistence. From there, they launched secondary payloads, harvested more credentials, and exfiltrated sensitive internal information.

“From there, the TA established persistence using remote access tools such as DWAgent and AnyDesk, before deploying additional payloads and further control of the environment.” reads the report. “Following this, the TA exfiltrated data from the compromised environment and subsequently contacted the victim via email, claiming data theft and initiating ransom negotiations.”

As part of the deception, MuddyWater operatives sent extortion emails to employees, claiming to have stolen confidential data and threatening to leak it unless a ransom was paid. They directed victims to the Chaos ransomware site, where the organization was indeed listed as a “new victim.”

However, when the supposed ransom “note” could not be located, the threat actors released the stolen data publicly, revealing that the true objective was data theft, not financial gain.

Rapid7 concluded that the entire ransomware scenario was a smokescreen designed to mislead defenders. “The inclusion of extortion and negotiation elements likely aimed to focus response teams on the immediate impact, delaying detection of persistence mechanisms implanted through remote access tools,” the researchers wrote.

The recent campaign spotted by Rapid7 highlights a broader trend in which nation‑state actors blend espionage with criminal aesthetics to mislead victims and deflect investigators. By adopting the look and feel of a ransomware attack, complete with fake negotiation email threads and presence on an established leak site, MuddyWater obscured its true intent: long-term infiltration and intelligence collection.

Rapid7 assessed the attribution to MuddyWater with “moderate confidence,” citing both technical overlap and contextual consistency. The researchers noted that the incident does not represent a strategic shift toward ransomware operations, but rather an evolution in deception and misdirection techniques designed to complicate attribution and response.

By masquerading as a financially motivated actor, the Iranian APT hoped to divert attention and prolong access to compromised networks. The tactic underscores how modern cyber espionage is no longer confined to covert surveillance, it now borrows the tools, language, and theatrics of cybercrime to hide in plain sight.

The episode serves as a warning to defenders: not every ransomware attack is what it seems. When state-backed adversaries like MuddyWater adopt the same playbook as criminal gangs, distinguishing espionage from extortion becomes one of cybersecurity’s most urgent challenges.

“The use of a RaaS framework in this context may enable the actor to blur distinctions between state-sponsored activity and financially motivated cybercrime, thereby complicating attribution.” concludes the report. “Furthermore, the inclusion of extortion and negotiation elements could serve to focus defensive efforts on immediate impact, likely delaying the identification of underlying persistence mechanisms established via remote access tools such as DWAgent or AnyDesk.”

The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

Experts named the campaign ‘MuddyWater’ due to the difficulty in attributing a wave of attacks between February and October 2017, targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also targeted European and North American countries.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

The MuddyWater APT has targeted several organizations in the U.S. and Canada since early February 2026. Victims include a U.S. bank, an airport, nonprofits, and a software supplier to the defense and aerospace sectors with operations in Israel. The previously unknown backdoor Dindoor relies on the Deno runtime to execute JavaScript and TypeScript code and was signed with a certificate issued to “Amy Cherne.”

The researchers also observed an attempt to exfiltrate data from a targeted software company using Rclone to a Wasabi Technologies cloud storage bucket, though it’s unclear if the transfer succeeded. The experts also spotted a separate Python backdoor, dubbed Fakeset, on U.S. airport and nonprofit networks, signed with certificates tied to Seedworm. The malware was hosted on Backblaze servers, and shared certificates with other Seedworm-linked malware families, suggesting the Iranian group was behind the intrusions.

Recent activity linked to Iranian cyber actors shows a mix of espionage, disruption, and influence operations. The pro-Palestinian hacktivist group Handala has targeted Israeli officials and energy firms through phishing, data theft, ransomware, and leak campaigns, claiming breaches of organizations in Israel and the Gulf. Meanwhile, the Iranian APT Seedworm conducted spear-phishing attacks against academics, NGOs, and government entities to gather intelligence. Another group, Marshtreader, scanned vulnerable cameras in Israel for reconnaissance during regional tensions.

In March, the Iran-linked APT targeted U.S. organizations, deploying the new Dindoor backdoor across sectors including banks, airports, and nonprofits, Broadcom’s Symantec Threat Hunter Team revealed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

Apache fixed several flaws in HTTP Server, including CVE-2026-23918 (CVSS score of 8.8), a double-free bug in HTTP/2 that could allow remote code execution.

The Apache Software Foundation has released updates to fix multiple vulnerabilities in its HTTP Server, including CVE-2026-23918 (CVSS score of 8.8). The issue involves a “double free” error in HTTP/2 handling that could potentially lead to remote code execution.

Researchers Bartlomiej Dmitruk, from striga.ai, and Stanislaw Strzalkowski from isec.pl discovered the vulnerability.

“Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.” reads the advisory.

The vulnerability impacts version 2.4.66 and is resolved in version 2.4.67.

According to TheHackerNews, CVE-2026-23918 is a double-free flaw in Apache httpd 2.4.66’s mod_http2, triggered by a crafted HTTP/2 sequence that causes the same stream to be cleaned up twice, leading to memory corruption. This can easily result in denial of service, crashing worker processes with minimal effort. In certain setups, especially those using APR with mmap (common on Debian systems and official Docker images), it may also be exploited for remote code execution.

The attack requires specific conditions and some additional steps, but a working proof of concept exists. Notably, MPM prefork is not affected, though the widespread use of HTTP/2 increases exposure.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Palo Alto Networks warns of a critical PAN-OS flaw (CVE-2026-0300) that is under active attack, allowing unauthenticated remote code execution.

Palo Alto Networks has warned that a critical PAN-OS vulnerability, tracked as CVE-2026-0300 (CVSS score of 9.3), is actively exploited in the wild. The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.

“A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”

Below is the list of impacted products:

The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.

Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.

The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.

“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PAN-OS)

A malicious PyTorch Lightning update (v2.6.3) on PyPI spread briefly, stealing credentials and raising major concerns about AI supply chain security.

A malicious update of the PyTorch Lightning library exposed developers to credential theft and remote compromise. Attackers uploaded version 2.6.3 to the Python Package Index (PyPI), where it spread among developers before maintainers removed it at the end of April.

PyTorch Lightning is an open-source framework built on top of PyTorch that simplifies how developers train and deploy deep learning models.

Given the library’s popularity in AI development, the incident raised serious concerns about the security of software supply chains.

The compromised package executed hidden code as soon as developers imported it. It launched a background process, downloaded a JavaScript runtime (Bun), and ran a large, heavily obfuscated payload. Microsoft identified the malware as ShaiWorm, a credential stealer designed to extract sensitive information from infected systems.

“lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning. This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files.” reads the advisory.

The malware targeted a wide range of data. It searched for .env files, API keys, GitHub tokens, and credentials stored in browsers like Chrome, Firefox, and Brave. It also collected access keys for major cloud platforms, including AWS, Azure, and Google Cloud. Beyond data theft, the malware allowed attackers to execute arbitrary commands on the system, effectively giving them full control over compromised environments.

Lightning AI quickly warned users about the risk. The company advised anyone who used version 2.6.3 to rotate all credentials and secrets immediately. It removed the malicious release and replaced it with a safe version. At the same time, Microsoft Defender detected and blocked the threat on affected endpoints, limiting its spread to a relatively small number of systems.

It is still unclear how attackers managed to insert the backdoor. Lightning AI continues to examine whether a compromised developer account, build system, or third-party dependency enabled the attack. The company also audits other recent releases to ensure no additional malicious code remains.

“Observed activity remains limited to a small number of devices and appear contained to a narrow set of environments.” states Microsoft. “We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios.”

This incident shows how attackers increasingly target trusted components in the AI and Python ecosystems. Widely used libraries offer an efficient entry point, allowing attackers to reach many developers at once. It highlights the need for stronger safeguards, including dependency verification, runtime monitoring, and stricter controls around software distribution and updates.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PyTorch Lightning)

Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware.

Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been sentenced to 8.5 years in U.S. prison, marking a significant step in efforts to combat global ransomware operations.

“A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies.” reads the press release published by DoJ.

In August 2024, the man was charged with money laundering, wire fraud, and extortion. He was arrested in Georgia in December 2023 and extradited to the U.S. in 2014.

In 2025, he pleaded guilty to money laundering and wire fraud conspiracy. Rather than carrying out technical intrusions, Zolotarjovs acted as a negotiator and strategist.

He analyzed stolen data, set ransom demands, and communicated directly with victims, earning about 10% of ransom payments through cryptocurrency laundering. Prosecutors described him as a key intermediary within a broader cybercrime ecosystem tied to former members of the Conti ransomware group.

Between 2021 and 2023, the group targeted over 54 organizations, causing over $56 million in losses. Victims included businesses, government entities, and even a pediatric healthcare provider.

“According to court documents, Deniss Zolotarjovs (Денисс Золотарёвс), 35, of Moscow, Russia, was a member of a ransomware organization led by former leaders of the Conti ransomware group. Brands used to identify the organization in ransom notes to their victims during the time of his involvement include Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.” continues the press release. “During the time of Zolotarjovs’s active participation in the organization, approximately June 2021 to August 2023, the organization stole data from over 54 companies, including many in the United States. “

In one case, Zolotarjovs suggested leaking children’s medical data to pressure payment, highlighting the coercive tactics used. Another attack disrupted a U.S. 911 emergency dispatch system, underscoring the real-world impact of these operations.

“In one attack on a pediatric healthcare company, Zolotarjovs deliberately leveraged children’s health information for extortion.” DoJ states. “When he failed in extracting a ransom from this victim, he urged coconspirators to be “DESTROYERS” and to leak or sell copies of these pediatric health records to sow fear among future victims.”

Authorities say the case reflects the increasingly organized and professional nature of ransomware groups, which operate like businesses with defined roles such as negotiators, operators, and data brokers. It also demonstrates growing international cooperation, particularly between U.S. agencies and Georgian authorities, in tracking and prosecuting cybercriminals.

Officials from the Federal Bureau of Investigation emphasized that this sentencing sends a strong message: even individuals operating within Russia-linked cybercrime networks can be identified, pursued, and brought to justice. The case highlights both the human cost of ransomware attacks and the expanding reach of global law enforcement in tackling cyber extortion.

“With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”

Accenture researchers first detailed the activity of the sophisticated financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021, but the group has been more active in Q3 2021.

Zolotarjovs is the first member of the Karakurt group to be sentenced in the United States.

Most of the known victims are based in North America, while the remaining are in Europe. 

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.

In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. Later, the group switched on the VPN IP pool or AnyDesk software to establish persistence and avoid detection.

Once access is gained to the target network, the group used various tools to escalate privileges, including Mimikatz or PowerShell to steal ntds.dit that contains Active Directory data.

However, the threat group in most attacks escalated privileges using previously obtained credentials.

For data exfiltration the group used 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.

The Karakurt cyber extortion group typically gave victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin. This information comes from a joint alert issued by the FBI, CISA, the Department of the Treasury, and FinCEN.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Karakurt ransomware)

Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details.

Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.

“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their “pay or leak” campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.” reported Have I Been Pwned.”The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include “Vimeo video content, valid user login credentials, or payment card information”.”

Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.

“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company.

We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”

The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.

The investigation is still ongoing, and updates will be shared as more details emerge.

After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.

ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Vimeo)

Google patched a critical Android flaw (CVE‑2026‑0073) that lets attackers run code remotely without user action.

Google released a security update for Android to address a critical remote code execution flaw, tracked as CVE‑2026‑0073, in the System component. The bug allowed attackers to run code as the shell user without needing extra permissions, or any user interaction.

The patch prevents potential full device compromise from remote exploitation.

“The vulnerability in this section could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation.” reads the advisory.

The flaw impacts ‘adbd’ (Android Debug Bridge daemon), the background process on an Android device that enables communication with a computer through the Android Debug Bridge (ADB) tool.

Google is not aware of any public exploits for this issue or of attacks in the wild exploiting CVE-2026-0073.

In March, Google confirmed that another vulnerability, tracked as CVE-2026-21385 (CVSS score of 7.8), in open-source Qualcomm component has been actively exploited.

The flaw is a buffer over-read in the Graphics component that could allow attackers to access sensitive memory data, underscoring ongoing risks to Android users.

The company did not disclose technical details about the attacks exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

Microsoft revealed a phishing campaign hitting 35,000 users in 26 countries, stealing login tokens via fake code-of-conduct emails and legit services.

Microsoft disclosed a major phishing campaign that targeted over 35,000 users across 26 countries in mid-April 2026.

Attackers used fake “code of conduct” emails sent through legitimate platforms to trick recipients into visiting bogus sites that stole authentication tokens.

“The campaign targeted tens of thousands of users, primarily in the United States, and directed them through several stages of CAPTCHA and intermediate staging pages designed to reinforce legitimacy while filtering out automated defenses.” reads the report published by Microsoft. “The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications. “

Most victims (92%) were in the U.S., mainly in healthcare and finance.

Attackers used alarming, time-sensitive messages to pressure victims into action, leading them to a fake but legitimate-looking sign-in page. This adversary‑in‑the‑middle (AiTM) phishing flow let attackers intercept authentication tokens in real time, bypassing weak MFA. Microsoft urges training, anti-phishing tools, secure browsers, and SmartScreen protections to defend against such threats.

The phishing campaign impersonated internal compliance and regulatory departments, using subject lines like “Internal case log issued under conduct policy” to create urgency and legitimacy. Attackers distributed emails via a legitimate email delivery service, embedding links in PDF attachments that led to attacker-controlled domains such as acceptable-use-policy-calendly[.]de.

After completing fake Cloudflare CAPTCHAs, victims were asked to “Review & Sign” documents and then redirected to a deceptive Microsoft sign-in page. This final step launched an adversary‑in‑the‑middle (AiTM) attack chain that proxied authentication and captured tokens, giving immediate access to user accounts despite multifactor authentication.

“Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whether the user accessed the workflow from a mobile device or a desktop system.” continues the report.

The campaign’s structure mimicked legitimate workflow and compliance verification processes, making detection difficult. Microsoft described it as “one of the most sophisticated code-of-conduct‑themed credential theft operations observed to date,” confirming that the attackers’ methods reflected a high degree of operational planning and technical adaptability.

Microsoft recommends a layered approach to reduce risk. Organizations should review Exchange Online Protection and Defender for Office 365 settings, enable features like Zero-hour Auto Purge, Safe Links, and Safe Attachments, and use network protection and SmartScreen-enabled browsers.

User awareness training and phishing simulations are key, along with manual monitoring and removal of suspicious emails. Strong authentication is essential, including MFA or passwordless methods, plus conditional access for privileged accounts.

Finally, enabling automated attack disruption in Defender XDR can help detect and contain threats quickly, limiting their impact.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirrmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.

The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for the attack and added the company to its Tor data leak site.

“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.,” reads the data leak site.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Progress fixes critical MOVEit Automation flaws, including an authentication bypass bug that could let attackers gain unauthorized access to systems.

Progress Software addressed two vulnerabilities in MOVEit Automation, a critical authentication bypass flaw tracked as CVE-2026-4670 and a privilege escalation issue tracked as CVE-2026-5174. If exploited, these bugs could allow attackers to gain unauthorized access or elevate privileges.

MOVEit Automation is an enterprise managed file transfer (MFT) solution developed by Progress Software. It’s designed to securely move, schedule, and automate file transfers between systems, applications, and partners, without needing custom scripts.

MOVEit Automation is widely used to manage and automate file transfers in enterprise environments.

“Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces” reads the advisory. “Exploitation may lead to unauthorized access, administrative control, and data exposure.”

The vulnerabilities impact the following versions:

• MOVEit Automation <= 2025.1.4
• MOVEit Automation <= 2025.0.8
• MOVEit Automation <= 2024.1.7

Airbus SecLab researchers Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau discovered and reported the vulnerabilities.

According to the advisory, no workarounds are available.

Flaws like this are especially dangerous because they can be weaponized quickly and at scale once discovered.

A vulnerability such as an authentication bypass or privilege escalation can let attackers gain access to many systems in a short time, especially when the affected software is widely used in enterprises. Once a working exploit exists, it often gets reused in large automated campaigns, not just targeted attacks.

This is what happened in past incidents involving ransomware groups like Clop ransomware group. They repeatedly abused vulnerabilities in file transfer systems (like MOVEit in 2023) to steal data from hundreds of organizations at once, before victims even had time to patch.

In August 2023, cybersecurity firm Emsisoft shared disconcerting details about a massive hacking campaign conducted by the Cl0p ransomware group that targeted the MOVEit Transfer file transfer platform designed by Progress Software Corporation.

According to the experts, the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals. The Cl0p ransomware gang exploited the zero-day vulnerability CVE-2023-34362 to hack the platforms used by organizations worldwide and steal their data.

That’s why these bugs are high-risk: they don’t just affect one company, they can become the entry point for mass exploitation, data theft, and ransomware extortion campaigns worldwide.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MOVEit Automation)

Attackers exploit a critical cPanel flaw to target government and MSP networks across Southeast Asia and several countries, including the U.S. and Canada.

A threat actor is exploiting critical cPanel vulnerability CVE-2026-41940 to target government and military organizations in Southeast Asia, along with MSPs and hosting providers in countries like the Philippines, Laos, Canada, South Africa, and the U.S. The attacks highlight the rapid weaponization of newly disclosed flaws.

cPanel is a widely used web hosting control panel that lets users manage websites and servers through a graphical interface instead of command-line tools.

CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. A weakness in the login flow allows remote attackers to skip or manipulate authentication checks, granting access to the control panel without valid credentials. This could let attackers manage hosting settings, access sensitive data, or take control of the server.

Cybersecurity experts at watchTowr first disclosed the flaw last week and released a tool to help defenders identify vulnerable hosts in their estates.

“As we stated above, in-the-wild exploitation has already begun, according to KnownHost.” reads the advisory by watchTowr. “Therefore, we’re releasing our Detection Artifact Generator to enable defenders to identify vulnerable hosts in their estates.”

According to the Shadowserver Foundation, thousands of instances may be exposed.

On May 2, 2026, researchers at Ctrl-Alt-Intel detected attacks exploiting CVE-2026-41940. The activity, linked to the IP address 95.111.250[.]175, targeted government and military domains in the Philippines and Laos, along with MSPs and hosting providers, using public PoCs (watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py, check_session.py).

“On 2nd May 2026, Ctrl-Alt-Intel identified an exposed attacker staging server that provided direct visibility into one such operation.” reads the report published by Ctrl-Alt-Intel. “From this infrastructure, we observed an unknown threat actor interactively targeting government and military entities in South-East Asia, alongside a smaller set of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. “

The same actor also used a custom exploit chain against an Indonesian defense training portal, combining SQL injection and remote code execution, after obtaining valid credentials.

Leaked data links the threat actor to a custom exploit chain targeting an Indonesian defense training portal and to earlier theft of Chinese railway-sector data. The stolen information centers on the China Railway Society Electrification Committee and related groups, mapping technical, organizational, and personal details tied to rail infrastructure and CCP-aligned scientific networks.

Researchers pointed out that cPanel exploitation was only part of the attacker’s activity. The same actor developed a custom exploit chain against an Indonesian defense training portal, using valid credentials and bypassing CAPTCHA by reading values from session cookies.

They injected SQL into a document field, escalating it to remote code execution via PostgreSQL. The attack enabled command execution and file access, with results exfiltrated through the app. An AdaptixC2 malware payload was also identified, indicating active command-and-control operations.

Analysis of exposed payloads shows the attacker used AdaptixC2 for command and control, along with a PowerShell reverse shell. They built a persistent pivoting infrastructure using OpenVPN and Ligolo, creating tunnels and routes to access internal networks. Custom Linux services ensured long-term access.

The actor moved laterally into a Chinese network, interacting with internal systems and using scripts to exfiltrate data. Around 110 files (4.37GB) were stolen, including technical documents on railway electrification and sensitive personal data such as IDs, bank details, and phone numbers.

Overall, the operation combined C2 control, stealthy persistence, network pivoting, and targeted data theft.

Ctrl-Alt-Intel has not attributed the campaign to any specific actor or country. Although Vietnamese comments appeared in scripts and tools, they are not reliable evidence and may have been intentionally added to mislead analysts and obscure attribution.

“Although we do not make a firm attribution, the combination of victimology, post-compromise pivoting, and the nature of the exfiltrated data makes this activity more significant than routine opportunistic exploitation.” concludes the report. “The targeting of South-East Asian military and government infrastructure, combined with confirmed theft of Chinese transport-sector material, is consistent with a broad regional collection effort.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-41940)