A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.

It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.

DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.

Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.

The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.

DarkMoon AI-Powered Platform

When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.

The platform dynamically triggers agents tailored to discovered technologies:

• CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
• Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
• Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
• Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
• GraphQL Agent — handles GraphQL-specific attack surfaces
• Headless Browser Agent — deployed when browser rendering is required

Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.

DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.

Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.

All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.

DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.

The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.

DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter with local model support via Ollama and llama.cpp also available.

The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.

Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.

Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.

Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.

In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.

The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.

The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.

Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.

RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.

The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.

Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.

The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.

Mozilla has fixed a total of 423 Firefox security bugs in April 2026 alone, a figure nearly 20 times higher than its monthly average of about 21 bugs throughout 2025, driven by a groundbreaking agentic AI pipeline built around Anthropic’s Claude Mythos Preview and other large language models.

The surge was triggered by Mozilla’s early access to Claude Mythos Preview, which identified 271 of the 423 vulnerabilities fixed in April.

These were primarily shipped as part of Firefox 150, released on April 21, 2026, with additional fixes flowing into Firefox 149.0.2, 150.0.1, and 150.0.2. Of the 271 bugs attributed to Claude Mythos Preview in Firefox 150, 180 were rated sec-high, 80 were sec-moderate, and 11 were sec-low, meaning most were vulnerabilities exploitable via normal user behavior, such as simply visiting a malicious webpage.

Mozilla Patches 423 Firefox 0-Day

Beyond the 271 AI-identified bugs, the remaining 152 fixes included 41 externally reported bugs and 111 discovered through internal techniques, split roughly equally between Claude Mythos fixes shipped in other releases, bugs found with other AI models, and conventional fuzzing.

Anthropic’s own Frontier Red Team was separately credited with three standalone CVEs: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.

Mozilla publicly disclosed 12 representative bug reports to demonstrate the depth of AI analysis.

These include a 15-year-old flaw in the <legend> HTML element (Bug 2024437), triggered by meticulous orchestration of recursion stack depths and cycle collection edge cases, and a 20-year-old use-after-free (UAF) in Firefox’s XSLT engine (Bug 2025977) where reentrant key() calls caused a hash table to free its backing store while a raw pointer remained in use.

Several bugs represent critical sandbox escape primitives, including a race condition over IPC allowing a compromised content process to manipulate IndexedDB refcounts to trigger a UAF (Bug 2021894), and a raw NaN crossing an IPC boundary masquerading as a tagged JavaScript object pointer to achieve a parent-process fake-object primitive (Bug 2022034).

One exploit even simulates a malicious DNS server by intercepting glibc function calls to trigger a buffer over-read during HTTPS Record and ECH parsing (Bug 2023958).

These sandbox escape bugs are notoriously difficult to surface via traditional fuzzing methods, making AI coverage particularly valuable for this attack surface.

Mozilla’s approach evolved from early static-analysis experiments using GPT-4 and Claude Sonnet 3.5, which produced too many false positives to be practical.

The breakthrough came with agentic harness systems that not only generate bug hypotheses but also create reproducible proof-of-concept test cases to dynamically validate them. This eliminated speculative false positives and made large-scale deployment feasible.

The pipeline was built atop Mozilla’s existing fuzzing infrastructure and parallelized across multiple ephemeral virtual machines, each assigned to hunt for vulnerabilities within a specific target file.

Mozilla integrated the full security bug lifecycle into the system: deduplication against known issues, triage, patch tracking, and release management.

Over 100 contributors worked to review, test, and ship the resulting patches, a testament to the sustained operational scale required.

Key Vulnerability Breakdown

Bug ID	Type	Age / Severity
2024437	HTML <legend> UAF via edge case orchestration	15-year-old bug, sec-high
2025977	XSLT reentrant key() hash table UAF	20-year-old bug, sec-high
2021894	IPC race condition → IndexedDB UAF → sandbox escape	sec-high
2022034	NaN-as-JS-pointer IPC deserialization → sandbox escape	sec-high
2026305	rowspan=0 HTML table 16-bit bitfield overflow	sec-high, evaded fuzzers for years
2029813	RLBox in-process sandbox escape via verification gap	sec-high

Equally notable is what the AI pipeline failed to exploit, not due to limitation, but because of effective prior hardening.

Audit logs revealed numerous AI-driven attempts to exploit prototype pollution for sandbox escapes, all blocked by Mozilla’s earlier architectural decision to freeze JavaScript prototypes by default. This provided direct, measurable validation of previously shipped defense-in-depth mitigations.

Mozilla’s guidance is direct: any software project can begin using an agentic harness with a modern model today.

The initial prompts can be simple, essentially directing the model to find a bug in a specific code region and build a test case, with iteration improving effectiveness over time.

Mozilla plans to integrate this pipeline into its continuous integration (CI) system to scan incoming patches as they land, extending coverage from file-based to patch-based scanning.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Mozilla Patches 423 Firefox Vulnerabilities with Claude Mythos and Other AI Models appeared first on Cyber Security News.

Dirty Frag is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.

Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the frag member of the kernel’s struct sk_buff rather than struct pipe_buffer.

Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path where splice() plants a reference to a read-only page cache page, such as /etc/passwd or /usr/bin/su — into the frag slot of a sender-side skb.

Dirty Frag Linux Vulnerability

The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.

Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.

Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.

xfrm-ESP Page-Cache Write resides in esp_input(), the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips the mandatory skb_cow_data() buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.

Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker can control both the location (file offset) and the value (4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of /usr/bin/su‘s page cache with a static root-shell ELF 192 bytes written across 48 chunks of 4 bytes each.

Authentication failure (-EBADMSG) is returned afterward, but the page cache write has already persisted. This variant requires the ability to create a user namespace (unshare(CLONE_NEWUSER)).

RxRPC Page-Cache Write resides in rxkad_verify_packet_1(), which performs an in-place single-block pcbc(fcrypt) decryption on the first 8 bytes of the RxRPC payload.

Because skb_to_sgvec() converts the splice-pinned page cache page directly into the SGL, the attacker-controlled page becomes both src and dst.

The 8-byte store value is fcrypt_decrypt(C, K), where K is a freely specifiable session key registered via add_key("rxrpc", ...) — an operation requiring no privileges at all.

The attacker brute-forces K in user space until the desired plaintext (e.g., turning /etc/passwd line 1’s password field into an empty string) is produced, enabling PAM nullok authentication bypass.

Neither vulnerability alone covers all Linux environments:

• ESP variant: Available on most distros but requires user namespace creation — blocked on some Ubuntu configurations via AppArmor policy.
• RxRPC variant: No namespace privilege required, but rxrpc.ko is absent on most distros like RHEL 10.1 by default — yet ships and auto-loads on Ubuntu.

Chaining the two exploits closes both blind spots, achieving root on essentially every major distribution. The exploit first attempts the ESP path; if unshare(CLONE_NEWUSER) fails, it automatically falls back to the RxRPC path targeting /etc/passwd.

Affected Distributions and Kernel Versions

The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), giving the chain an effective window of approximately 9 years. Confirmed affected distributions include:

• Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
• RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
• openSUSE Tumbleweed (kernel 7.0.2-1-default)
• CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
• AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
• Fedora 44 (kernel 6.19.14-300.fc44.x86_64)

The ESP variant patch using the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data() — was merged into the netdev tree on May 7, 2026.

The final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. The RxRPC patch, which adds || skb->data_len to the existing skb_cloned() gate to force isolation of non-linear skbs, remains unmerged upstream.

No CVE identifiers have been assigned for either flaw as of publication, due to the premature embargo break by an unrelated third party on May 7, 2026 .

Immediate Mitigation

Since distribution-level patches are not yet available, administrators should immediately disable the affected kernel modules using the following command:

bashsh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

This blacklists and unloads the esp4, esp6, and rxrpc modules, disrupting IPsec and RxRPC functionality as a trade-off.

Systems that rely on IPsec VPN tunnels should weigh operational impact carefully before applying the workaround and prioritize applying distribution-backported kernel patches once available.

The complete technical write-up and PoC exploit code are available at the researcher’s GitHub repository.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released appeared first on Cyber Security News.

Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting.

The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for versions 19.x.

CVE-2026-23870: Denial of Service via React Server Components

A high-severity denial-of-service vulnerability tracked as CVE-2026-23870 affects React Server Components packages for versions 19.x and all Next.js App Router deployments on versions 13.x, 14.x, 15.x, and 16.x.

A specially crafted HTTP request sent to any App Router Server Function endpoint, when deserialized, can trigger excessive CPU usage, resulting in denial-of-service attacks in unpatched environments.

The issue is rooted in the React “Flight” protocol’s deserialization logic, which fails to adequately enforce structural or type constraints on inbound payloads.

Middleware and Proxy Authorization Bypass

Three separate advisories GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv address middleware bypass vulnerabilities in App Router applications.

Specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by intended middleware rules, allowing protected content to be accessed without proper authorization checks.

The fix now includes App Router transport variants when generating middleware matchers, ensuring middleware protections apply consistently to all request types, including prefetch variants.

Until an upgrade is possible, developers should enforce authorization directly in the underlying route or page logic rather than relying solely on middleware.

CVE-2026-44578: SSRF via WebSocket Upgrade Requests

Tracked as CVE-2026-44578 and covered under GHSA-c4j6-fc7j-m34r, this high-severity flaw enables server-side request forgery through crafted WebSocket upgrade requests on self-hosted Node.js deployments.

An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.

Vercel-hosted deployments are explicitly noted as unaffected. The fix applies the same safety checks to WebSocket upgrade handling that already existed for standard HTTP requests.

CVE-2026-44573: Pages Router i18n Middleware Bypass

CVE-2026-44573 (GHSA-36qx-fr4f-26g5) affects applications using the Pages Router with i18n configured alongside middleware-based authorization.

Locale-less /_next/data/<buildId>/<page>.json requests bypass middleware entirely, enabling attackers to retrieve server-side rendered JSON for protected pages without passing authorization checks.

The matcher logic has been updated to apply consistent matching across both prefixed and unprefixed data routes.

Beyond the high-severity flaws, Vercel also patched several moderate and low-severity issues.

These include cross-site scripting vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and in beforeInteractive scripts with untrusted input (GHSA-gx5p-jg67-6x7h), a denial-of-service bug in the Image Optimization API (GHSA-h64f-5h5j-jqjh), and cache poisoning issues in React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).

A connection exhaustion DoS in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning of middleware redirects (GHSA-3g8h-86w9-wvmq) round out the advisory list.

Organizations running affected Next.js versions should prioritize upgrading immediately.

For teams unable to upgrade right away, the recommended interim mitigations include enforcing authorization within individual route or page logic rather than relying on middleware alone, blocking WebSocket upgrades at the reverse proxy or load balancer level, and restricting server egress to known internal networks.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Multiple Critical Vulnerabilities Patched in Next.js and React Server Components appeared first on Cyber Security News.

Ivanti has issued a critical security advisory for its Endpoint Manager Mobile (EPMM) product, disclosing multiple actively exploited vulnerabilities, including CVE-2026-6973, and urging all on-premises EPMM customers to apply patches immediately.

At the time of disclosure, Ivanti confirmed active exploitation of CVE-2026-6973, a vulnerability that requires admin authentication to succeed.

The flaws exclusively affect the on-premises EPMM product and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM, Ivanti Sentry, or any other Ivanti products.

Exploitation activity has been described as “very limited” at the time of public disclosure, though the company strongly warned that advanced AI models have dramatically collapsed the time-to-exploit window from days to mere hours after a vulnerability becomes public.

In a notable shift in vulnerability management strategy, Ivanti disclosed that it has integrated multiple advanced large language model (LLM) AI systems into its product security and engineering red team processes.

This integration has enhanced the capabilities of its internal security teams to identify and remediate vulnerabilities that traditional static analysis (SAST) and dynamic analysis (DAST) tools typically miss.

Ivanti acknowledged that some of the vulnerabilities being disclosed today were discovered directly through this AI-assisted process. The company maintains a “human in the loop” policy to verify all automated or agentic findings, ensuring responsible use of AI in its security program.

Ivanti’s EPMM has been a recurring target for sophisticated threat actors. CISA has flagged at least 31 Ivanti defects on its Known Exploited Vulnerabilities (KEV) catalog since late 2021, and at least 19 defects across Ivanti products have been exploited in the past two years alone.

Previous zero-day campaigns against EPMM include CVE-2025-4427 and CVE-2025-4428 in May 2025, and CVE-2023-35078 and CVE-2023-35082 in 2023, with some attacks attributed to Chinese state-sponsored threat groups.

The consistent targeting of EPMM underscores the product’s high-value position in enterprise mobile device management infrastructure.

The vulnerabilities disclosed in Ivanti’s May 2026 security advisory affect only on-premises EPMM deployments. Organizations running cloud-based Ivanti Neurons for MDM are not impacted.

Ivanti has published detailed remediation instructions through its official Security Advisory, with patch packages that the company says take only seconds to apply and cause no downtime.

Mitigations

Ivanti strongly urges all on-premises EPMM administrators to take immediate action:

• Apply the available security patch to all EPMM on-premises instances without delay
• Monitor Apache access logs at /var/log/httpd/https-access_log for signs of attempted or successful exploitation.
• Implement network segmentation to restrict EPMM administrative interfaces to trusted networks only.
• Review and harden mobile device management policies to reduce the overall attack surface
• Subscribe to Ivanti’s Security Blog and the Ivanti Innovators Hub for real-time vulnerability alerts

Ivanti cautioned that as AI-driven tooling becomes further embedded in its security processes, customers should expect an increase in vulnerability disclosures, a transparency initiative the company frames as a proactive step toward more resilient products rather than a sign of weakening security posture.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.

A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026.

Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.

The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks.

Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step.

Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor.

The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device.

One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection.

Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones.

Evidence of ptrace injection and SetUserID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.

On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration.

RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.

Earthworm and ReverseSocks5 for Post-Exploitation

The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection.

EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572).

Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.

ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel.

Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely.

Indicators of Compromise

Indicator	Type	Description
67.206.213[.]86	IP Address	Attacker Infrastructure
136.0.8[.]48	IP Address	Attacker Infrastructure
146.70.100[.]69	IP Address	C2 Staging Server
149.104.66[.]84	IP Address	Attacker Infrastructure
hxxp[:]//146.70.100[.]69:8000/php_sess	URL	EarthWorm Download URL
hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz	URL	ReverseSocks5 Download URL
e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584	SHA-256 Hash	EarthWorm Binary
Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0	User Agent	Attacker User Agent String
/var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate	File Path	Tunneling Tool Artifacts
/tmp/.c	File Path	Unidentified Python Script
/tmp/R5, /var/R5	File Path	ReverseSocks5 Binary Paths

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April appeared first on Cyber Security News.

Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.

The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.

The vulnerability resides in the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), causing a buffer overflow that ultimately yields root-level code execution on the targeted firewall.

With a NETWORK attack vector, zero attack complexity, and no privileges required, this flaw is fully automatable, making it an ideal candidate for mass-exploitation campaigns.

The exploit maturity is classified as ATTACKED, with Palo Alto Networks confirming limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.

Affected Products

The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:

• PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
• PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
• PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
• PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7

Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID Authentication Portal explicitly enabled and accessible from untrusted networks.

When the Authentication Portal is internet-exposed, the CVSS score reaches its maximum threat tier at 9.3. Even in adjacent-network scenarios, the score remains a severe 8.7.

Successful exploitation results in high confidentiality, integrity, and availability impacts at the product level, effectively giving threat actors complete control over the targeted firewall.

The risk profile is particularly alarming given the concentrated value density of enterprise firewalls, which serve as critical network chokepoints.

Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.

Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:

• Restrict Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s best practice guidelines
• Disable the User-ID Authentication Portal entirely if it is not operationally required

A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.

Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to determine exposure.

Any portal accessible from the internet or untrusted zones should be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access appeared first on Cyber Security News.

Meta has disclosed a medium-severity security vulnerability in WhatsApp that could allow threat actors to exploit Instagram Reels integration to trigger arbitrary URL processing on victim devices, potentially invoking OS-level custom URL scheme handlers without user consent.

WhatsApp Vulnerabilities

The flaw, tracked as CVE-2026-23866, stems from incomplete validation of AI-rich response messages for Instagram Reels in the WhatsApp application.

The vulnerability affects both major mobile platforms, WhatsApp for iOS versions v2.25.8.0 through v2.26.15.72 and WhatsApp for Android versions v2.25.8.0 through v2.26.7.10.

The vulnerability was discovered through a Meta Bug Bounty submission by an external researcher and was independently confirmed by the Meta Security Team.

At its core, CVE-2026-23866 exploits the way WhatsApp processes AI-generated rich response messages that display Instagram Reels content.

When a user interacts with or receives such a message, the application fails to sufficiently validate the source URL of the embedded media content.

This incomplete validation allows a malicious actor to craft a specially formatted message that causes the victim’s device to fetch and process media from an arbitrary URL under the attacker’s control.

Another vulnerability tracked as CVE-2026-23863, the flaw is classified as an attachment spoofing issue affecting WhatsApp for Windows prior to version v2.3000.1032164386.258709.

The vulnerability was discovered by an external researcher through the Meta Bug Bounty Program and has since been patched by Meta.

The flaw requires no special privileges to exploit, only a single click from an unsuspecting user.

The root cause of CVE-2026-23863 lies in how WhatsApp for Windows handles filenames containing embedded NUL bytes, a null character (\x00) injected into the filename string.

This technique, commonly referred to as a NUL byte injection or null byte poisoning, exploits the difference in how high-level application logic and lower-level system calls interpret filenames.

Platform	Vulnerable Versions	Fixed Version
WhatsApp for iOS	v2.25.8.0 – v2.26.15.72	Later than v2.26.15.72
WhatsApp for Android	v2.25.8.0 – v2.26.7.10	Later than v2.26.7.10

Exploitation Status

Meta has stated that no evidence of active exploitation in the wild has been observed at the time of disclosure.

However, given the wide attack surface and WhatsApp’s global user base exceeding 2 billion, the potential impact of weaponization remains significant, particularly in targeted spyware or nation-state threat actor operations.

Mitigations

Security teams and individual users should take the following immediate actions:

• Update WhatsApp for iOS to a version later than v2.26.15.72
• Update WhatsApp for Android to a version later than v2.26.7.10
• Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments
• Monitor network traffic for anomalous URL scheme invocations originating from messaging applications
• Educate users about risks associated with AI-generated rich media content in messaging platforms.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs appeared first on Cyber Security News.

A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites.

The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior.

Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.

The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password.

Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials.

Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.

What makes this finding particularly contradictory is Edge’s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory.

The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction.

The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers.

An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.

In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory.

Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them. pic.twitter.com/ci0ZLEYFLB

— Tom Jøran Sønstebyseter Rønning (@L1v1ng0ffTh3L4N) May 4, 2026

This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 — Credentials from Web Browsers.

Microsoft Edge Passwords in Cleartext

When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.”

Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model.

The April 29 disclosure at BigBiteOfTech included a small educational verification tool that allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior.

Security teams managing Windows environments with Edge deployed those operating terminal servers, VDI environments, or any shared-access systems, particularly should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch appeared first on Cyber Security News.

The Apache Software Foundation has released a critical security update for Apache HTTP Server, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE) in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.

The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.

The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.

A double-free vulnerability occurs when a program attempts to release the same memory region twice, corrupting heap memory structures and potentially enabling an attacker to redirect execution flow in this case, opening the door to Remote Code Execution.

The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.

A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.

A second flaw, CVE-2026-24072, is rated Moderate and targets mod_rewrite‘s use of ap_expr expression evaluation.

The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively enabling an escalation of privileges beyond their intended access level.

This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.

Additional Vulnerabilities Patched

Three further lower-severity flaws were also addressed in the same 2.4.67 update:

• CVE-2026-28780 — A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
• CVE-2026-29168 — An uncapped resource allocation vulnerability in mod_md‘s OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.
• CVE-2026-29169 — A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs — its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.

CVE	Severity	Component	Impact	Affected Versions
CVE-2026-23918	High (CVSS 8.8)	HTTP/2	Double Free / RCE	2.4.66 only
CVE-2026-24072	Moderate	mod_rewrite (ap_expr)	Privilege Escalation	≤ 2.4.66
CVE-2026-28780	Low	mod_proxy_ajp	Heap Buffer Overflow	≤ 2.4.66
CVE-2026-29168	Low	mod_md (OCSP)	Resource Exhaustion	2.4.30–2.4.66
CVE-2026-29169	Low	mod_dav_lock	NULL Ptr Dereference / DoS	≤ 2.4.66

Mitigations

Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:

1. Upgrade to Apache HTTP Server 2.4.67 — the only complete fix for all five vulnerabilities.
2. Disable HTTP/2 temporarily if an immediate upgrade is not feasible to reduce exposure to CVE-2026-23918.
3. Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
4. Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks appeared first on Cyber Security News.

Microsoft Defender triggered widespread false positive alerts after a faulty security update caused it to flag two legitimate DigiCert root certificates as malicious, potentially disrupting SSL/TLS validation and code-signing operations across enterprise environments worldwide.

A Defender antimalware signature update released around April 30, 2026, introduced a detection labeled Trojan:Win32/Cerdigent.A!dha, which incorrectly identified registry entries belonging to two of the internet’s most widely trusted root certificates, DigiCert Assured ID Root CA (thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) and DigiCert Trusted Root G4 (thumbprint: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4) — as high-severity malware threats.

The certificates reside in the Windows trust store under the registry path HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, where Windows manages trusted root and intermediate certificate authorities.

On affected systems, Microsoft Defender automatically quarantined the flagged certificate entries as part of its standard remediation workflow, effectively removing them from the Windows trust store.

This created a serious downstream risk: without these root certificates in place, systems could fail to validate SSL/TLS connections for websites and break code-signing verification for legitimate software, a scenario that could cascade into service disruptions, browser warnings, and application failures across enterprise networks.

Organizations relying on DigiCert-signed software or HTTPS endpoints were especially exposed.

Cybersecurity researcher Florian Roth (@cyb3rops) was among the first to publicly identify and amplify the issue, posting on X and urging the security community to investigate.

Roth shared an Advanced Hunting query to help administrators check whether the DigiCert certificates had been restored on affected devices:

text| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc

He also recommended a quick command-line check for affected systems: certutil -store AuthRoot | findstr -i "digicert" .

Microsoft’s own Q&A forums quickly filled with reports from administrators confirming the false positive, with users noting that the DigiCert certificate hashes matched officially published values from DigiCert’s website, confirming no actual compromise had occurred.

Microsoft’s Response

Microsoft acknowledged the issue and moved swiftly to roll out corrective definition updates, with version .430 cited as a key fix that began restoring the quarantined certificates on affected machines.

Security observers noted that the restoration appeared to be rolling out automatically across managed endpoints, suggesting Microsoft deployed a silent remediation alongside the corrected signature update.

Administrators in environments with restricted update policies were advised to manually verify the presence of certificates using certutil and to check the Advanced Hunting logs in Microsoft Defender for Endpoint to confirm the restoration.

This incident highlights the double-edged nature of automated threat remediation. While proactive quarantine protects against certificate-store tampering a known malware technique used to intercept TLS traffic or bypass security checks the same mechanism can cause significant operational harm when triggered incorrectly.

The Cerdigent false positive serves as a reminder that even trusted security platforms must maintain rigorous quality controls around signature releases, particularly for detections targeting foundational Windows infrastructure components like the root certificate trust store.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware appeared first on Cyber Security News.

Cybersecurity giant Trellix has disclosed a significant security incident involving unauthorized access to a portion of its source code repository.

The company confirmed the breach in an official statement published on its website, stating it immediately engaged leading forensic experts upon discovering the intrusion.

Threat actors gained unauthorized access to part of Trellix’s internal source code repository — a highly sensitive target given the company’s position as a major endpoint security and extended detection and response (XDR) vendor.

Source code repositories are prime targets for attackers seeking to identify exploitable vulnerabilities, embed backdoors, or conduct supply chain attacks against downstream customers.

Trellix acted swiftly following the discovery, launching a formal investigation with external forensic specialists and notifying law enforcement authorities. According to the company’s statement, the investigation has so far found no evidence that:

• The source code release or distribution pipeline was compromised
• Any source code has been actively exploited in the wild
• Customer-facing products or security tools were tampered with

For a company whose products protect thousands of enterprise environments globally, even unauthorized read access to source code carries serious implications.

The incident echoes similar high-profile source code breaches affecting Microsoft, Okta, and LastPass in recent years.

Trellix has pledged transparency, stating it intends to share further technical details with the broader security community once its investigation concludes.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Trellix Source Code Breach – Hackers Gain Unauthorized Access to Repository appeared first on Cyber Security News.

A sophisticated adversarial campaign targeting South-East Asian government and military infrastructure, combining rapid exploitation of a critical cPanel authentication bypass with a custom zero-day exploit chain against an Indonesian defense-sector portal and ultimately pivoting to exfiltrate over 4GB of sensitive Chinese railway documents.

The campaign’s initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40.

The flaw exploits CRLF injection in the login and session-loading processes, allowing an unauthenticated attacker to manipulate the whostmgrsession cookie and gain full root-level administrative access without valid credentials.

Exploitation was confirmed in the wild before cPanel’s patch was released on April 28, 2026, and CISA subsequently added it to its Known Exploited Vulnerabilities catalog. In this campaign, cPanel exploitation represented only one component of a broader and more alarming operation uncovered from an exposed command-and-control (C2) server.

cPanel Vulnerability Exploited

More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian Defence sector training portal.

The threat actor already possessed valid credentials and bypassed the portal’s CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge completely ineffective without solving it.

Once inside, the actor targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint.

The SQL injection was then escalated to full operating system access by abusing PostgreSQL’s COPY ... TO PROGRAM capability, which allows the database server to spawn arbitrary shell commands.

Command output was captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file() — a stealthy, file-read-based exfiltration channel entirely native to the database layer.

The exploit script, named exploit_siak_bahasa.py (SHA-256: 974E272A...), contained Vietnamese-language comments, though Ctrl-Alt-Intel explicitly cautions this is insufficient for attribution and may represent deliberate misdirection.

For command and control, the actor deployed an AdaptixC2 payload (ELF binary named 1) configured to beacon to delicate-dew.serveftp[.]com:4455, with server-side telemetry corroborating the C2 address at 95.111.250[.]175.

A PowerShell reverse shell (init.ps1) was also recovered, establishing a TCP connection back to the same IP on port 4444.

To ensure durable, persistent access, the actor combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing through the 10.8.0.0/24 client subnet.

The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically — providing persistent re-entry even after reboots.

Routing through this pivot infrastructure, the actor reached an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script.

In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024.

Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.

Ctrl-Alt-Intel stops short of firm attribution, though the victimology South-East Asian military and government targets combined with theft of Chinese state-adjacent transport-sector data points to a deliberate regional intelligence collection effort.

The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.

Organizations running cPanel/WHM are urged to patch to the latest version immediately and audit server logs for signs of CRLF-based session manipulation.

Indicators of Compromise (IoCs)

Indicator	Type	Context
95.111.250[.]175	IP Address	Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure
delicate-dew.serveftp[.]com	Domain	Domain associated with the same infrastructure; present in recovered certificate material
systemd-update.service	File Name	Masqueraded Linux persistence service
/usr/local/bin/.netmon/systemd-helper	File Path	Hidden Linux reverse-connect payload path
init.ps1	File Name	PowerShell reverse shell payload
64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325	SHA-256	Hash of init.ps1
exploit_siak_bahasa.py	File Name	Custom authenticated SQLi → PostgreSQL RCE exploit
974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD	SHA-256	Hash of exploit_siak_bahasa.py
exfil_docs_v2.sh	File Name	Custom SFTP / lftp document exfiltration script
734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F	SHA-256	Hash of exfil_docs_v2.sh
1	File Name	Linux ELF reverse-connect / pivot payload recovered alongside the custom exploit chain
1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF	SHA-256	Hash of ELF payload 1

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability appeared first on Cyber Security News.

A weaponized proof-of-concept (PoC) exploit framework dubbed “cPanelSniper” has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026.

CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login.

The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.

An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.

The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.

cPanelSniper: Four-Stage Exploit Chain

Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:

• Stage 1 — Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a whostmgrsession cookie
• Stage 2 — Injects CRLF payload via a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields to disk
• Stage 3 — Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields
• Stage 4 — Verifies full WHM root access by querying /json-api/version, returning HTTP 200 and confirming a “PWNED” state

The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.

The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.

Attention! cPanel/WHM CVE-2026-41940 attacks ongoing, with at least 44K IPs likely compromised & seen scanning our honeypots on 2026-04-30. Follow latest guidance to track for compromise & patch: https://t.co/z4sRvdaBwt

See Public Dashboard for stats: https://t.co/qFz265JDIK pic.twitter.com/m1aZvFEVlU

— The Shadowserver Foundation (@Shadowserver) May 1, 2026

Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment.

The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.

Mitigations

cPanel rolled out emergency patches across all active branches:

Branch	Vulnerable ≤	Patched Version
110.x	11.110.0.96	11.110.0.97
118.x	11.118.0.62	11.118.0.63
126.x	11.126.0.53	11.126.0.54
132.x	11.132.0.28	11.132.0.29
134.x	11.134.0.19	11.134.0.20
136.x	11.136.0.4	11.136.0.5

Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.

Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised appeared first on Cyber Security News.

Canonical, the company behind the Ubuntu Linux distribution, is currently experiencing widespread service disruptions across its core web infrastructure following a coordinated Distributed Denial-of-Service (DDoS) attack.

The hacktivist group identifying itself as “The Islamic Cyber Resistance in Iraq – 313 Team” has claimed responsibility for the offensive, marking one of the most significant attacks against open-source infrastructure in recent memory.

Widespread Outages Across Critical Services

According to Canonical’s official status page, more than a dozen services and domains have been reported as Down, spanning developer tools, security APIs, and public-facing portals. The affected components include:

• ubuntu.com and canonical.com
• security.ubuntu.com
• archive.ubuntu.com
• developer.ubuntu.com
• blog.ubuntu.com
• portal.canonical.com
• assets.ubuntu.com
• academy.canonical.com
• jaas.ai and maas.io
• Ubuntu Security API – CVEs
• Ubuntu Security API – Notices

The disruption of Ubuntu Security API – CVEs and Ubuntu Security API – Notices is particularly concerning, as these endpoints are relied upon by system administrators, patch management tools, and security automation pipelines worldwide to fetch vulnerability data and security advisories in real time.

Canonical’s web infrastructure is under a sustained, cross-border attack and we are working to address it.

We will provide more information in our official channels as soon as we are able to.

— Ubuntu (@ubuntu) May 1, 2026

Hacktivist Group Claims Responsibility

Threat intelligence account Vecert Analyzer flagged the incident on X (formerly Twitter), issuing a critical alert describing it as a “massive attack against open-source infrastructure.”

The post confirmed that the DDoS offensive was targeting Ubuntu’s primary servers and had resulted in a total disruption of the platform’s web and technical services.

The 313 Team, which presents itself under an Islamist hacktivist banner, has been known to conduct politically motivated cyberattacks against Western and technology-linked targets.

While DDoS attacks do not involve data exfiltration or system compromise, the sustained takedown of critical open-source services carries significant operational impact for the global developer and security community.

Ubuntu remains one of the world’s most widely deployed Linux distributions, with a massive user base spanning cloud providers, enterprise environments, and individual developers.

The unavailability of archive.ubuntu.com disrupts package installations and system updates, while the outage of security-related APIs could delay automated patching workflows for organizations dependent on Ubuntu’s security feed infrastructure.

As of this writing, Canonical has acknowledged the outages via its status page, though no official statement attributing the cause to the DDoS campaign has been published. Ubuntu’s official X account has also acknowledged the incident.

Security teams relying on Ubuntu’s CVE and advisory APIs are advised to implement fallback data sources, such as the NVD or OSV, until services are fully restored.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Ubuntu Website and Canonical Web Services Hit by DDoS Attack appeared first on Cyber Security News.

Wireshark, the world’s most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files.

Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5.

Critical Code Execution Flaws

The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact. Four dissectors and parsers were found susceptible:

• TLS Dissector (CVE-2026-5402) — A crash with possible code execution when parsing malformed TLS traffic (wnpa-sec-2026-14)
• SBC Codec (CVE-2026-5403) — A crash with possible code execution in the SBC audio codec processor (wnpa-sec-2026-16)
• RDP Dissector (CVE-2026-5405) — A crash with possible code execution when dissecting Remote Desktop Protocol packets (wnpa-sec-2026-17)
• Profile Import (CVE-2026-5656) — A crash with possible code execution triggered during profile import operations (wnpa-sec-2026-21)

These vulnerabilities are particularly dangerous because Wireshark is routinely run with elevated privileges in enterprise and SOC environments, meaning successful exploitation could grant attackers significant system access.

Denial-of-Service via Dissector Crashes

A large portion of the patched flaws cause application crashes when specific protocol dissectors process malformed or adversarially crafted packets. Affected dissectors span a wide range of protocols:

• Monero (CVE-2026-5409), BT-DHT (CVE-2026-5408), FC-SWILS (CVE-2026-5406), ICMPv6 (CVE-2026-5299)
• AFP (CVE-2026-5401), K12 RF5 file parser (CVE-2026-5404), AMR-NB codec (CVE-2026-5654)
• SDP (CVE-2026-5655), iLBC audio codec (CVE-2026-5657, CVE-2026-6529), DCP-ETSI (CVE-2026-5653, CVE-2026-6530)
• BEEP (CVE-2026-6538), ZigBee (CVE-2026-6537), Kismet (CVE-2026-6532)
• ASN.1 PER (CVE-2026-6527), RTSP (CVE-2026-6526), IEEE 802.11 (CVE-2026-6525)
• MySQL (CVE-2026-6524), GSM RP (CVE-2026-6870), WebSocket (CVE-2026-6869), HTTP (CVE-2026-6868)

An attacker on the same network segment can trigger these crashes by injecting specially crafted packets, requiring no authentication or prior access to the target system.

Infinite Loop and Resource Exhaustion

Several vulnerabilities cause infinite loops, effectively hanging Wireshark and consuming system resources in a sustained denial-of-service condition:

• SMB2 Dissector (CVE-2026-5407) — Infinite loop via malformed SMB2 traffic (wnpa-sec-2026-11)
• DLMS/COSEM (CVE-2026-6536), USB HID (CVE-2026-6534), SANE (CVE-2026-6531)
• GNW (CVE-2026-6523), OpenFlow v5 (CVE-2026-6521), OpenFlow v6 (CVE-2026-6520)
• MBIM (CVE-2026-6519), RPKI-Router (CVE-2026-6522), TLS Dissector (CVE-2026-6528)

These loop-based flaws are especially problematic in automated traffic capture pipelines where Wireshark runs unattended, as a single malformed packet can permanently halt analysis.

Decompression Engine Vulnerabilities

Two low-level vulnerabilities target Wireshark’s core dissection engine rather than individual protocol parsers:

• zlib Decompression Crash (CVE-2026-6535) — Impacts Issues #21097 and #21098, where malformed compressed payloads corrupt the decompression pipeline (wnpa-sec-2026-26)
• LZ77 Decompression Crash (CVE-2026-6533) — A crash triggered by malformed LZ77-compressed data during packet dissection (wnpa-sec-2026-28)

These engine-level flaws affect any protocol using compressed payloads, substantially broadening the attack surface beyond specific protocol dissectors.

Affected Versions & Remediation

Component	Vulnerability Type	CVE Examples
TLS, RDP, SBC, Profile Import	Crash + Possible Code Execution	CVE-2026-5402, 5403, 5405, 5656
SMB2, TLS, MBIM, OpenFlow	Infinite Loop / DoS	CVE-2026-5407, 6528, 6519, 6521
Multiple Dissectors (20+)	Dissector Crash / DoS	CVE-2026-5299 through CVE-2026-6870
Dissection Engine	zlib/LZ77 Decompression Crash	CVE-2026-6535, CVE-2026-6533

The Wireshark team notes this batch of fixes is partly attributed to AI-assisted vulnerability reporting, which accelerated discovery across many protocol modules simultaneously. Users are strongly advised to update to the latest patched release of Wireshark 4.6.5 immediately via the official Wireshark download page.

Organizations running Wireshark in live capture or SIEM-integrated modes should treat this update as a critical priority, given the code execution potential in TLS, RDP, and SBC components.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Wireshark Vulnerabilities Let Attackers Execute Arbitrary Code Via Malformed Packets appeared first on Cyber Security News.

Anthropic has opened Claude Security to public beta for Claude Enterprise customers, bringing AI-powered vulnerability detection directly into production codebases without the need for custom tooling or API integrations.

Claude Security leverages the Opus 4.7 model to perform end-to-end security analysis across your codebase. The platform scans for vulnerabilities, validates each finding to reduce false positives, and generates suggested patches that developers can review and approve before deployment.

The goal is to eliminate the setup friction that has historically kept teams from applying large language models to security workflows.

“Many security teams have asked how to put Opus 4.7 to work on their code without standing up custom tooling,” Anthropic noted. Claude Security is designed as that direct on-ramp — no agent builds, no API wiring required.

From Research Preview to Production Use

Claude Security first appeared as a research preview in February 2026. Since then, hundreds of organizations have run it against production code, surfacing vulnerabilities that existing scanners had missed.

That real-world feedback drove a significant feature expansion ahead of the public beta launch.

New capabilities added based on early adopter input include:

• Scheduled scans — automate recurring security checks across your repositories
• Directory-level targeting — focus scans on specific paths or modules rather than the full codebase
• CSV and Markdown exports — share findings in formats that fit existing security workflows and reporting pipelines
• Webhook notifications — receive real-time alerts when new vulnerabilities are identified
• Persistent dismissals — dismissed findings carry forward across subsequent scans, reducing noise over time

The addition of validation logic to cut false positives is particularly notable. One of the biggest pain points with automated scanners is the volume of noise they generate, which leads security teams to deprioritize findings or ignore alerts altogether.

By pairing detection with model-driven validation, Claude Security aims to deliver a higher signal-to-noise ratio than traditional static analysis tools.

For enterprise security teams looking to scale vulnerability coverage without expanding headcount or building internal AI infrastructure, Claude Security’s public beta represents a low-barrier entry point.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Anthropic Launches Claude Security in Public Beta for Enterprise Customers appeared first on Cyber Security News.

Microsoft’s April 2026 cumulative security update for Windows 11 is causing significant disruptions for users relying on third-party backup software, triggering an MS-DEFCON level 3 advisory from security patch analyst Susan Bradley at AskWoody.

The problematic update, KB5083769, applies to Windows 11 versions 24H2 and 25H2 (OS Builds 26200.8246 and 26100.8246), released on April 14, 2026.

At the root of the issue is a malfunction in Microsoft’s Volume Shadow Copy Service (VSS) a critical Windows component that enables snapshot-based backup and restore operations across a wide range of enterprise and consumer backup solutions.

When VSS fails, backup jobs either stall or terminate with timeout errors, leaving systems without scheduled backup coverage a serious risk for both individual users and enterprise environments.

Affected Vendors

Multiple third-party vendors have already acknowledged the problem:

• UrBackup — File backups are failing post-update; the vendor recommends uninstalling KB5083769 for impacted users
• Macrium Reflect — VSS-related failures reported in active Reddit community threads; investigation underway
• Acronis Cyber Protect Cloud — Backup jobs failing with the error “Microsoft VSS has timed out during snapshot creation”; Acronis recommends uninstalling the update and rebooting

It is important to note that not all backup solutions are affected. Microsoft’s native Windows 11 cloud-based Backup feature does not rely on VSS and remains unaffected.

The VSS component is also foundational to Microsoft’s forthcoming Point-in-Time Restore (PITR) feature for Windows 11, first previewed during Microsoft Ignite in November 2025 via Insider build KB5070307.

Since PITR has not yet reached general availability, most standard users face no additional risk from that front.

Mitigation Steps

For users experiencing backup failures after installing KB5083769, the following rollback procedure is advised:

1. Navigate to Settings → Windows Update → Update History
2. Scroll to Related Settings and click Uninstall Updates
3. Locate Security Update for Microsoft Windows (KB5083769)
4. Click Uninstall and allow the system to reboot
5. Return to Windows Update and Pause Updates to prevent reinstallation

Before uninstalling, verify whether your specific backup solution is impacted by checking your vendor’s official support channels and forums.

MS-DEFCON 3 signals that administrators should hold off on deploying KB5083769 in production environments until Microsoft issues a fix, Susan Bradley at AskWoody said.

A patch addressing the VSS regression is anticipated in an upcoming out-of-band or May 2026 cumulative update.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Microsoft Windows 11 April 2026 Security Update Breaks Third-Party Backup Applications appeared first on Cyber Security News.

OpenAI has published a comprehensive cybersecurity action plan titled “Cybersecurity in the Intelligence Age: An Action Plan for Democratizing AI-Powered Cyber Defense,” outlining a five-pillar strategy to equip trusted defenders with advanced AI capabilities while preventing adversarial misuse.

Artificial intelligence is fundamentally reshaping the cybersecurity landscape and not just for defenders.

Malicious actors are already leveraging AI to improve phishing campaigns, automate reconnaissance, accelerate malware development, evade detection, and scale cyber operations at unprecedented speed.

Recent incidents involving critical infrastructure disruption, large-scale ransomware, and software supply-chain compromise have highlighted how urgently the defensive community needs to modernize.

OpenAI’s action plan, informed by conversations with cybersecurity and national security experts across federal and state government and major commercial entities, proposes a framework of “controlled acceleration” rapidly deploying advanced AI capabilities to trusted defenders while preserving safeguards against misuse.

OpenAI 5-Point AI-Powered Cybersecurity Plan

1. Democratizing Cyber Defense

OpenAI’s cornerstone initiative is the Trusted Access for Cyber (TAC) program, which creates a tiered pathway for vetted cyber defenders from individuals hardening personal code to large-scale organizations protecting critical infrastructure to access more capable and permissive AI models.

The program will expand to government users at federal, state, and local levels, prioritize financial sector institutions, and reach smaller hospitals, school districts, water utilities, and municipalities through trusted intermediaries such as MSSPs and CISA-supported programs. Allied democratic partners will also be incorporated over time to address the transnational nature of cyber threats.

2. Coordinating Across Government and Industry

Access alone is not sufficient without coordination. OpenAI plans to align on a shared threat model with governments, accelerate operational threat intelligence sharing, and plug into existing cyber defense and incident response channels.

The company also supports establishing a real-time AI-enabled cyber defense coordination hub and faster cross-lab information sharing through mechanisms like the Frontier Model Forum.

3. Strengthening Security Around Frontier Capabilities

To prevent theft or unauthorized replication of frontier AI models, OpenAI is tightening internal access controls, segmenting sensitive environments, enhancing software and hardware supply chain security, and strengthening insider risk management through anomaly detection and privileged-access governance.

The company also recently announced an expanded partnership with Microsoft focused on collective defense efforts to protect shared infrastructure.

4. Preserving Visibility and Control in Deployment

Deployment is not a binary decision. OpenAI is building a risk-based framework featuring tiered access based on user identity, use case, and security posture, combined with real-time safeguards, offline monitoring, and threat-intelligence enrichment.

If misuse is detected, the company can rapidly adapt configurations, restricting access tiers, reducing quotas, or revoking access altogether, ensuring that safeguards remain dynamic in an evolving threat environment.

5. Enabling Users to Protect Themselves

OpenAI emphasizes that national cyber resilience must extend beyond enterprises and governments to ordinary individuals. ChatGPT already receives over 15 million messages per month from users asking it to identify potential scams, and OpenAI plans to build on this momentum by introducing new security features for ChatGPT accounts and expanding tools to help households, parents, seniors, and small businesses adopt stronger cyber hygiene practices.

OpenAI expressed confidence that advanced AI can shift the strategic balance toward defense over offense, enabling faster patching, smarter detection, and stronger infrastructure resilience.

The company sees this as a limited but critical window of opportunity for the United States and its democratic allies to convert today’s AI capability lead into a lasting cyber defense advantage before adversaries close the gap.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post OpenAI Releases 5-Point Action Plan to Strengthen AI-Powered Cyber Defense appeared first on Cyber Security News.