
Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets

Spring Cloud Config provides crucial server-side and client-side support for externalized configuration in distributed systems.

Recently, the Spring development team disclosed four security vulnerabilities impacting the Spring Cloud Config Server.

These flaws range from medium to critical severity, exposing environments to unauthorized arbitrary file access, cloud secrets leakage, and logging misconfigurations.

Because centralized configuration servers often hold sensitive keys for an entire microservice architecture, system administrators must immediately review and patch their infrastructure.

Spring Cloud Vulnerabilities

Directory Traversal Vulnerabilities

The most severe issue is CVE-2026-40982, a critical directory traversal vulnerability affecting the platform.

The Spring Cloud Config module allows applications to serve both text and binary files over the network.

An attacker can exploit this module by sending a specially crafted URL to the server, thereby bypassing restricted directories and accessing arbitrary files on the host system.
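The class of flaw described above is a missing containment check on a file-serving endpoint. The following is an added, illustrative example rather than Spring Cloud Config's own code: it shows the check such an endpoint needs so that a crafted URL cannot reach files outside its base directory, including the percent-encoded, double-encoded and NUL-byte variants that string-prefix checks commonly miss. The base directory and request paths are constructed sample values.

```python
"""Added example (not Spring Cloud Config code): containment check for a file-serving
endpoint so that a client-supplied path cannot escape the configured base directory.
The base directory and the request paths below are constructed sample values."""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the permitted base directory."""


def resolve_in_base(base_dir: str, requested: str) -> str:
    """Map a client-supplied path onto the filesystem, or raise PathTraversalError.

    Each step covers a classic bypass:
      * percent-decode twice, so %2e%2e and double-encoded %252e%252e both become '..'
      * reject NUL bytes, which can truncate the path in lower layers
      * treat the request as relative to the base even if it starts with '/'
      * canonicalise with realpath (collapses '..' and follows symlinks)
      * compare with commonpath rather than a string prefix (a prefix test would
        accept /srv/config-repo-evil when the base is /srv/config-repo)
    """
    base = os.path.realpath(base_dir)
    path = requested
    for _ in range(2):
        path = unquote(path)
    if "\x00" in path:
        raise PathTraversalError("NUL byte in requested path")
    candidate = os.path.realpath(os.path.join(base, path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} resolves to {candidate}, outside {base}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean form of resolve_in_base, convenient for audits and tests."""
    try:
        resolve_in_base(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    base = "/srv/config-repo"  # constructed base directory; it need not exist for the check
    for req in ["app/application.yml", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                "%252e%252e/%252e%252e/etc/passwd", "a/../b.yml", "/etc/passwd"]:
        verdict = "allowed" if is_contained(base, req) else "BLOCKED"
        print(f"{req!r:42} -> {verdict}")
```

The decode-twice step is deliberate: a single decode is what most frameworks perform before routing, so a double-encoded `..` survives it and is only collapsed once the path reaches the filesystem layer. Absolute requests are re-rooted under the base rather than rejected, which keeps the endpoint usable while guaranteeing the resolved path stays inside it.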

Security researchers Swapnil Paliwal, the AxiomCode security team, August 829, and rash18mi responsibly identified and reported this critical flaw.

Target GCP Secrets and Git Directories

Two additional high-severity vulnerabilities threaten Spring Cloud Config deployments.

CVE-2026-40981 affects organizations that use Google Secrets Manager as the backend for their configuration server.

Malicious actors can craft specific requests to the config server, exposing sensitive secrets from unintended Google Cloud Platform projects.

Meanwhile, CVE-2026-41002 introduces a time-of-check-time-of-use attack surface.

This vulnerability specifically targets the server’s base directory used to clone Git repositories.

Threat actors can manipulate files during the cloning process due to this race condition.

Security researcher Yu Bao from PayPal received credit for discovering and reporting this Git-related vulnerability.

Trace Logging Exposes Sensitive Information

A medium-severity vulnerability (CVE-2026-41004) affects the server’s internal logging mechanisms.

When administrators enable trace logging, the system inadvertently writes sensitive information in plain text directly to the log files.

This misconfiguration could expose credentials or configuration secrets to unauthorized internal users who possess read access to the system logs.

All four vulnerabilities impact the same branches of the Spring Cloud Config ecosystem.

The affected release lines include 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. Older, unsupported versions of the software also remain highly vulnerable to these exploits.

Users must upgrade immediately to secure their environments against potential compromise.

The Spring team has released patched versions across their different support tiers.

Open-source users must upgrade their 4.3.x environments to version 4.3.3 and their 5.0.x environments to version 5.0.3.

Enterprise support customers have access to dedicated fixes in versions 3.1.14, 4.1.10, and 4.2.7.

If immediate patching is impossible for the GCP secrets vulnerability, administrators can implement a temporary configuration workaround.

By setting the spring.cloud.config.server.gcp-secret-manager.token-mandatory=true property, the server forces clients to send a valid token.

The system then verifies this token to ensure the client actually has legitimate access to the requested project secrets.


The post Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets appeared first on Cyber Security News.

WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows

WatchGuard has released urgent security updates to address multiple high-severity vulnerabilities affecting the WatchGuard Agent on Windows.

The most critical of these flaws allows authenticated local attackers to escalate their privileges to the highest system level, granting them complete control over the compromised machine.

Additional vulnerabilities discovered in the software include network-based buffer overflows that can trigger severe denial-of-service conditions.

Chained Local Privilege Escalation

The most severe security advisory, WGSA-2026-00013, highlights two vulnerabilities: CVE-2026-6787 and CVE-2026-6788.

These flaws, with a high CVSS score of 8.5, involve chained agent service vulnerabilities in the Windows client.

When an attacker successfully links these exploits together, they can execute a local privilege escalation attack to gain NT AUTHORITY\SYSTEM access.

Obtaining this level of unrestricted access enables threat actors to turn off security monitoring tools, deploy persistent malware, extract sensitive endpoint data, or create new hidden administrative accounts.

Another significant privilege escalation vulnerability, tracked as CVE-2026-41288, holds a CVSS score of 7.3.

This specific flaw stems from an incorrect permission assignment within the patch management component of the WatchGuard Agent.

An authenticated local user can exploit this structural misconfiguration to seamlessly elevate their privileges from a standard user to SYSTEM level.

This indicates that even a highly restricted, low-privileged employee account could fully compromise the local endpoint device if the software remains unpatched.

Alongside the privilege escalation risks, WatchGuard engineers also addressed two stack-based buffer overflow vulnerabilities residing in the agent’s discovery service.

Tracked under CVE-2026-41286 and CVE-2026-41287, both vulnerability variants carry a CVSS score of 7.1.

Unlike the privilege escalation bugs, which require local access, these overflow flaws allow unauthenticated attackers situated on the same local network to send specially crafted requests that overflow memory buffers.

A successful exploit immediately crashes the agent service, causing a denial-of-service state that temporarily blinds the endpoint’s security management and monitoring capabilities, potentially paving the way for further network attacks.

According to the official WatchGuard advisories, all four vulnerabilities impact the WatchGuard Agent on Windows versions up to and including 1.25.02.0000.

WatchGuard explicitly notes that there are currently no available mitigations or technical workarounds to prevent exploitation without applying the official software patch.

To protect endpoint environments against both local privilege escalation and network-based service disruptions, cybersecurity organizations and IT administrators should immediately update their fleets to WatchGuard Agent on Windows version 1.25.03.0000.


The post WatchGuard Agent Vulnerabilities Let Attackers Grant Full SYSTEM Privileges on Windows appeared first on Cyber Security News.

Critical Redis Vulnerabilities Enable Remote Code Execution Attacks

Five dangerous vulnerabilities in Redis expose Redis Cloud, Redis Software, and all open-source community editions to potential remote code execution, giving authenticated attackers a direct path to compromise affected systems.

All require authenticated access to exploit, but successful exploitation can lead to arbitrary code execution, full system compromise, data exfiltration, or service disruption.

The advisory, released on May 5, 2026, was published by Riaz Lakhani as part of Redis’s continued security initiatives. Four flaws were rated High severity with CVSS scores of 7.7, while one received a Medium severity score of 6.1.

Redis RCE Vulnerabilities

CVE-2026-23479 is a use-after-free vulnerability in the unblock client flow.

When a blocked client is evicted while re-executing a blocked command, the code fails to handle the error returned by processCommandAndResetClient, allowing an authenticated user to trigger a use-after-free condition and potentially execute remote code.

CVE-2026-25243 affects the Redis RESTORE command. An authenticated user can trigger an invalid memory access by sending a specially crafted serialized payload, potentially leading to arbitrary code execution within the Redis server context.

Independent researcher Emil Lerner discovered the double-free variant, and Joseph Surin identified an integer overflow and out-of-bounds read in VectorSets.

CVE-2026-25588 and CVE-2026-25589 are closely related flaws in the RESTORE command when used with the RedisTimeSeries and RedisBloom modules, respectively.

Both allow authenticated attackers to trigger invalid memory accesses via crafted serialized payloads, resulting in the same RCE impact.

Joseph Surin, John Stephenson, and Annie Nie discovered the TimeSeries flaw; Daniel Firer and Joseph Surin identified multiple RedisBloom issues, including out-of-bounds reads and writes, integer overflow, and heap buffer overflow.

CVE-2026-23631 is a medium-severity Lua use-after-free flaw. An authenticated user can exploit the master-replica synchronization mechanism to trigger the vulnerability.

It specifically affects Redis replicas configured with replica-read-only disabled and exists across all Redis versions with Lua scripting enabled. Researcher Yoni Sherez (@yoyosh__) discovered this flaw.

All Redis Cloud deployments have already been patched with no customer action required. For self-managed deployments, all Redis OSS/CE releases are affected. The following fixed versions have been released:

Redis OSS/CE: 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. Redis Software versions up to and including 8.0.6 are impacted, with fixes available in builds 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.

Module-specific fixes include RedisTimeSeries v1.12.14, v1.10.24, v1.8.23, and RedisBloom v2.8.20, v2.6.28, v2.4.23.

How to Protect Your Redis Instance

Redis confirms there is no evidence of active exploitation in the wild as of publication.

However, organizations running self-managed instances should act immediately. Key mitigations include:

  • Upgrading to the latest fixed release is the primary remediation step. Downloads are available at redis.io/downloads.
  • Beyond patching, administrators should restrict network access using firewalls and network policies to allow only trusted sources.
  • Strong authentication must be enforced across all instances, and Redis protected-mode should remain enabled in CE and OSS deployments.
  • User permissions should follow the principle of least privilege, limiting access to potentially dangerous commands.

Indicators of potential exploitation include unauthorized access attempts, unexplained server crashes with Lua engine stack traces, anomalous command execution by the redis-server user, and unexpected changes to Redis configuration or persistent files.
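The hardening items above (protected-mode, authentication, least-privilege ACLs) and the crash indicator (server crashes with Lua engine stack traces) can both be checked mechanically. The following is an added example, not Redis project code: it audits redis.conf text for the weak settings the advisory warns about, walks ACL rules in order to find users who keep risky command categories, and scans redis-server log output for crash reports whose stack trace contains Lua frames. The config directives, ACL syntax and bug-report markers are real Redis syntax; the config text and log lines are constructed samples.

```python
"""Added example (not Redis project code): audit redis.conf/ACL text for the hardening
the advisory calls for, and scan redis-server log output for the crash indicator it
names (Lua engine stack traces). Config and log samples below are constructed."""
import re
from typing import Dict, List, Set

RISKY_CATEGORIES = {"@all", "@dangerous", "@scripting"}


def net_acl_categories(rules: List[str]) -> Set[str]:
    """Walk ACL rules in order (later rules override earlier ones) and return the
    risky categories still granted at the end. '+@all -@dangerous' is accepted as a
    carve-out; bare '+@all', '+@dangerous' or '+@scripting' are reported."""
    granted: Set[str] = set()
    for r in rules:
        if r in ("allcommands", "+@all"):
            granted = {"@all"}
        elif r in ("nocommands", "-@all"):
            granted = set()
        elif r.startswith("+@"):
            granted.add(r[1:])
        elif r.startswith("-@"):
            granted.discard(r[1:])
            if "@all" in granted and r == "-@dangerous":
                granted.discard("@all")
    return granted & RISKY_CATEGORIES


def audit_redis_conf(conf_text: str) -> List[str]:
    """Return findings for weak settings in redis.conf text (inline 'user' ACL lines included)."""
    settings: Dict[str, str] = {}
    users: List[List[str]] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "user":
            users.append(value.split())
        else:
            settings[key.lower()] = value.strip()
    findings: List[str] = []
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")
    bind = settings.get("bind", "127.0.0.1 -::1")
    if any(a.lstrip("-") in ("0.0.0.0", "*", "::") for a in bind.split()):
        findings.append(f"bind listens on all interfaces: {bind}")
    if "requirepass" not in settings and not users:
        findings.append("no requirepass and no ACL users: default user is passwordless")
    for name, *rules in users:
        if "on" in rules and "nopass" in rules:
            findings.append(f"ACL user '{name}' is enabled without a password")
        risky = net_acl_categories(rules)
        if risky:
            findings.append(f"ACL user '{name}' keeps risky command categories: {sorted(risky)}")
    return findings


# Real markers that redis-server writes around a crash report.
CRASH_START = "=== REDIS BUG REPORT START"
CRASH_END = "=== REDIS BUG REPORT END"
LUA_FRAME = re.compile(r"\(lua\w*\+0x", re.IGNORECASE)  # e.g. (luaRedisGenericCommand+0x1a2)


def find_lua_crashes(log_lines: List[str]) -> List[Dict]:
    """One finding per crash report whose stack trace contains Lua interpreter frames."""
    findings: List[Dict] = []
    in_report, frames, start = False, [], 0
    for n, line in enumerate(log_lines, 1):
        if CRASH_START in line:
            in_report, frames, start = True, [], n
        elif in_report and CRASH_END in line:
            if frames:
                findings.append({"report_line": start, "lua_frames": frames})
            in_report = False
        elif in_report and LUA_FRAME.search(line):
            frames.append(line.strip())
    return findings


WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
user app on nopass ~* &* +@all
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-ADMIN-SECRET
# application user: its own key prefix, no scripting or dangerous commands
user app on >REPLACE-WITH-APP-SECRET ~app:* &* -@all +@read +@write
"""

SAMPLE_LOG = """\
1234:M 05 May 2026 10:00:01.000 * Ready to accept connections tcp
=== REDIS BUG REPORT START: Cut & paste starting from here ===
1234:M 05 May 2026 10:02:13.120 # Redis 7.4.8 crashed by signal: 11, si_code: 1
------ STACK TRACE ------
redis-server *:6379(luaRedisGenericCommand+0x1a2)[0x55d0c1a2b3c4]
redis-server *:6379(lua_pcall+0x41)[0x55d0c1a8e0b1]
redis-server *:6379(processCommand+0x8c1)[0x55d0c1912e71]
=== REDIS BUG REPORT END. Make sure to include from START to END. ===
"""

if __name__ == "__main__":
    for finding in audit_redis_conf(WEAK_CONF):
        print("CONF:", finding)
    for crash in find_lua_crashes(SAMPLE_LOG.splitlines()):
        print("LOG :", crash)
```

The ACL walk matters more than it looks: Redis applies rules left to right, so `-@all +@read` and `+@all -@read` describe very different users, and a naive "does the line contain +@all" check misreports both. The log scan keys on the bug-report markers so that a Lua symbol in ordinary INFO output does not produce noise.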

Several of the vulnerabilities were discovered through Wiz’s ZeroDay.Cloud platform in partnership with Redis, reflecting the growing role of collaborative bug bounty and vulnerability research programs in proactively securing widely deployed open-source infrastructure.


The post Critical Redis Vulnerabilities Enable Remote Code Execution Attacks appeared first on Cyber Security News.

Critical vm2 Node.js Library Vulnerabilities Enable Arbitrary Code Execution Attacks

VM2 has been hit by 11 critical vulnerabilities, putting countless applications that rely on it at risk of executing untrusted code.

Affecting all versions up to 3.11.1, each flaw provides attackers with a clear path out of the sandbox and into the host system, with full command execution capabilities. Worse, two of the eleven remain completely unpatched.

vm2 is a Node.js npm package that executes untrusted JavaScript inside an isolated container, powering everything from code execution platforms and CI pipelines to plugin engines and multi-tenant cloud services.

Its entire security model rests on one promise: keep malicious code inside, keep the host safe. Researchers have now shredded that promise across eleven distinct techniques, exposing just how thin the walls of that container truly were.

The library’s core promise that code running inside a VM instance cannot reach the host system has been fundamentally broken by these disclosures, with all vulnerabilities enabling full remote code execution (RCE) on the underlying host.

vm2 Node.js Library Vulnerabilities

Among the most severe issues is CVE-2026-24118, which exploits __lookupGetter__ behavior to escape the sandbox. At the same time, CVE-2026-24120 bypasses Promise species protections to execute commands via child_process.execSync.

Another flaw, CVE-2026-24781, abuses the internals of Node.js’s util.inspect to expose raw host objects and bypass vm2’s proxy isolation layer.

Newer JavaScript features also introduced attack paths. CVE-2026-26332 leverages DisposableStack and SuppressedError mechanics in Node.js v24 to expose the host Function object.

CVE-2026-26956 targets Node.js v25 using a WebAssembly try_table instruction that bypasses vm2’s sanitization entirely. Researchers demonstrated full root-level code execution through this technique.

Additional vulnerabilities exploit prototype chains and module loading logic. CVE-2026-43997 and CVE-2026-44006 abuse util.inspect and prototype traversal to achieve sandbox escapes.

CVE-2026-43999 bypasses vm2’s built-in module restrictions using Module._load(), even when child_process is explicitly blocked.

Prototype pollution also remains a serious concern. CVE-2026-44005 allows attackers to modify shared host prototypes, such as Object.prototype and Function.prototype, potentially impacting the entire Node.js process.

A dangerous configuration flaw tracked as GHSA-8hg8-63c5-gwmx revealed that enabling nesting: true effectively defeats require: false, allowing sandboxed code to create unrestricted inner VMs and achieve full RCE despite security restrictions.

Most concerning, two critical vulnerabilities, CVE-2026-44008 and CVE-2026-44009, remain unpatched in versions up to 3.11.1.

These flaws exploit how array species are handled and exception logic to expose host-side objects and regain unrestricted access to the host Function constructor.

CVE ID                          Affected Versions   Patched Version
CVE-2026-24118                  ≤ 3.10.4            3.11.0
CVE-2026-24120                  ≤ 3.10.3            3.10.5
CVE-2026-24781                  ≤ 3.10.3            3.11.0
CVE-2026-26332                  ≤ 3.10.4            3.11.0
CVE-2026-26956                  3.10.4              3.10.5
CVE-2026-43997                  ≤ 3.10.5            3.11.0
CVE-2026-43999                  3.10.5              3.11.0
CVE-2026-44005                  3.9.6–3.10.5        3.11.0
CVE-2026-44006                  ≤ 3.10.5            3.11.0
CVE-2026-44008                  ≤ 3.11.1            No patch available
CVE-2026-44009                  ≤ 3.11.1            No patch available
(identifier missing in source)  ≤ 3.11.0            3.11.1

According to reports published by patriksimek on GitHub, the eleven vulnerabilities highlight ongoing weaknesses in vm2’s sandbox security model, putting applications that execute untrusted code at significant risk.

Operators should immediately upgrade VM2 to version 3.11.1 to address all currently patched vulnerabilities.

For CVE-2026-44008 and CVE-2026-44009, no fix is available, and teams should consider disabling VM2-based sandboxing altogether, replacing it with kernel-level isolation technologies such as Docker, gVisor, or Firecracker microVMs.

Developers must avoid the nesting: true option and wildcard built-in configurations, such as ['*', '-child_process'], in any environment running untrusted code.

Given the sheer volume and diversity of these bypass techniques, spanning JavaScript prototype manipulation, WebAssembly exception handling, Promise species overwriting, and built-in module loading, vm2’s JavaScript-only isolation model should be considered fundamentally insufficient for high-security use cases.


The post Critical vm2 Node.js Library Vulnerabilities Enable Arbitrary Code Execution Attacks appeared first on Cyber Security News.

Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access

A severe zero-authorization vulnerability in Schemata’s API, an AI-powered virtual training platform holding active Department of Defense (DoD) contracts, recently exposed highly sensitive military training materials and U.S. service member records.

Discovered by the open-source AI hacking agent Strix, the flaw allowed ordinary, low-privileged accounts to access cross-tenant data across the entire platform.

The vulnerability stemmed from a complete lack of authorization boundaries and tenant isolation on the application’s API.

When Strix established a low-privilege baseline and mapped reachable API surfaces, it successfully replayed high-value collection endpoints using a standard session.

The API failed to enforce organizational scoping or permission checks. Instead of returning data restricted to the test account, the system globally returned data across the entire platform.

Furthermore, the absence of authorization checks on write-enabled routes meant a malicious actor could have potentially modified or deleted training courses entirely.
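What "no authorization boundaries and tenant isolation on the API" means in code is easiest to see with the vulnerable handler beside its hardened form. The following is an added, framework-free sketch and not Schemata's code: the data model, session fields, roles and endpoint names are hypothetical, and the two-tenant fixture is constructed. The vulnerable versions treat a valid session as sufficient; the hardened versions scope every query to the caller's tenant, require a role on the write route, and return the same 404 for a cross-tenant id as for a missing one.

```python
"""Added example (not Schemata code): a collection endpoint and a write route with no
tenant scoping, beside hardened versions. Model, roles and fixture are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str   # tenant the authenticated user belongs to
    role: str     # hypothetical roles: "member" or "org_admin"


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    email: str


@dataclass(frozen=True)
class Course:
    id: str
    org_id: str
    title: str


@dataclass
class Store:
    """Stand-in for the shared multi-tenant database behind the API."""
    users: List[User] = field(default_factory=list)
    courses: Dict[str, Course] = field(default_factory=dict)


def fixture() -> Store:
    """Two organizations sharing one backend (constructed data)."""
    return Store(
        users=[User("u1", "org-a", "alice@a.example"), User("u2", "org-a", "bob@a.example"),
               User("u3", "org-b", "carol@b.example")],
        courses={"c1": Course("c1", "org-a", "Maintenance module 1"),
                 "c2": Course("c2", "org-b", "Onboarding")},
    )


# --- Vulnerable pattern: authentication is mistaken for authorization. ---------------
def list_users_vulnerable(store: Store, session: Session) -> List[User]:
    return list(store.users)  # every tenant's users, for any logged-in caller


def delete_course_vulnerable(store: Store, session: Session, course_id: str) -> int:
    # No ownership or role check: any member can delete any tenant's course.
    return 204 if store.courses.pop(course_id, None) else 404


# --- Hardened pattern: tenant filter at the data layer, role check on writes, and a
#     cross-tenant id is indistinguishable from a missing one (404 either way). ----------
def list_users_scoped(store: Store, session: Session) -> List[User]:
    return [u for u in store.users if u.org_id == session.org_id]


def get_course_scoped(store: Store, session: Session, course_id: str) -> Optional[Course]:
    course = store.courses.get(course_id)
    return course if course is not None and course.org_id == session.org_id else None


def delete_course_scoped(store: Store, session: Session, course_id: str) -> int:
    """HTTP-style status: 403 without the role, 404 outside the tenant, 204 on success."""
    if session.role != "org_admin":
        return 403
    if get_course_scoped(store, session, course_id) is None:
        return 404
    del store.courses[course_id]
    return 204


if __name__ == "__main__":
    store = fixture()
    member_b = Session("u3", "org-b", "member")
    print("vulnerable listing :", [u.email for u in list_users_vulnerable(store, member_b)])
    print("scoped listing     :", [u.email for u in list_users_scoped(store, member_b)])
    print("member deletes c1  :", delete_course_scoped(store, member_b, "c1"))
    print("admin deletes c1   :", delete_course_scoped(store, Session("u3", "org-b", "org_admin"), "c1"))
```

Putting the `org_id` filter into the data-access helper rather than into each route is the point: a route that forgets to call the check still cannot see another tenant's rows, which is the failure mode the report describes on the user-listing and course endpoints.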

Zero-Auth Flaw Exposes DoD Contractor

The scope of the exposed data represented a massive operational security risk.

Through a user-listing endpoint, the unprivileged test account accessed the entire user base, revealing names, email addresses, enrollment data, and the specific military bases where U.S. service members were stationed.

This level of exposure leaves personnel highly vulnerable to targeted phishing and doxing attacks.

Beyond personal records, course and organization endpoints leaked metadata and direct AWS S3 links to hundreds of confidential training manuals.

This included a 3D virtual training course for naval maintenance personnel marked as proprietary, as well as Army field manuals detailing the safe handling, arming sequences, and tactical deployment of explosive ordnance.

Strix first reported the vulnerability privately to Schemata on December 2, 2025; the timeline that followed highlights the challenges of responsible disclosure.

Despite multiple follow-up attempts warning of the critical nature of the exploit, the vulnerability remained live for months.

It was not until May 1, 2026, 150 days after the initial disclosure and following a final notice of impending publication, that Schemata acknowledged the exposed endpoints and applied an immediate patch. The researchers have since verified the remediation.

For defense contractors, API security is a strict regulatory requirement under federal rules such as DFARS 252.204-7012.

The Cybersecurity Maturity Model Certification (CMMC) requires contractors handling Controlled Unclassified Information (CUI) to have mandatory cybersecurity and breach-reporting obligations.

A platform serving military training data with no API authorization layer represents a foundational security failure.

Customers and partners in the defense sector are strongly encouraged to inquire about access logs, the duration of the exposure, and whether affected users have been formally notified.


The post Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access appeared first on Cyber Security News.

Vimeo Data Breach Exposes 119,000 Users’ Unique Email Addresses

In a significant supply chain security incident, the popular video hosting platform Vimeo has confirmed a data breach that exposed user information.

Discovered in April 2026, the breach exposed 119,000 unique email addresses and other metadata.

The incident highlights the growing risks associated with third-party service providers, as the compromise did not occur directly on Vimeo’s infrastructure but rather through an analytics vendor.

The notorious extortion group known as ShinyHunters claimed responsibility for the attack.

ShinyHunters Breach Claim

They added Vimeo to their public extortion portal as part of an aggressive “pay or leak” campaign.

Following the initial threat, the threat actors published hundreds of gigabytes of stolen data online.

Google Threat Intelligence has also released a report detailing the expansion of ShinyHunters’ software-as-a-service data theft operations, directly associating the threat group with this specific vendor compromise.

Vimeo Data Breach

While the sheer volume of leaked data is massive, the contents primarily consist of technical records rather than highly sensitive financial information.

The exposed databases contained video titles, system metadata, and technical logs.

However, the most concerning aspect for users is the exposure of 119,000 unique email addresses, which were sometimes accompanied by user names.

Data breach notification service Have I Been Pwned analyzed and added 119,200 accounts to its database, noting 56% were already exposed in prior breaches.

Cybercriminals frequently use this type of personal information to launch targeted phishing campaigns or credential stuffing attacks across other platforms.

Vimeo has stepped forward to reassure its user base regarding the limitations of the breach.

According to their official security advisory, the unauthorized access did not compromise actual Vimeo video content.

Furthermore, the company confirmed that valid user login credentials, passwords, and payment card information remain entirely secure.

The incident also did not disrupt Vimeo’s core systems or daily hosting services, meaning platform operations continue to function normally without interruption.

The root cause of the data exposure stems from Anodot, a third-party analytics vendor used by Vimeo and several other organizations.

The threat actors breached Anodot’s systems, gaining unauthorized access to specific Vimeo customer data stored in the analytics environment.

This indirect compromise underscores the critical importance of monitoring vendor security and managing data access permissions within integrated enterprise supply chains.

Upon discovering the unauthorized access, Vimeo’s security team immediately initiated its incident response protocols.

The company promptly revoked all Anodot credentials and completely removed the vendor’s integration from Vimeo’s internal systems to prevent further data exfiltration.

Additionally, Vimeo engaged external third-party cybersecurity experts to assist with a comprehensive forensic investigation.

The company has also notified relevant law enforcement agencies and stated that it will continue to monitor the situation and update users as the ongoing investigation progresses.

Security experts strongly recommend that affected Vimeo users implement precautionary measures.

Even though passwords were not exposed, individuals should remain highly vigilant against incoming communications.

Threat actors often leverage exposed names and email addresses to craft highly convincing phishing messages designed to steal passwords or deploy malware.

Users are encouraged to use a reputable password manager to generate and store strong, unique passwords for all their online accounts, ensuring that a breach on one platform does not compromise another.


The post Vimeo Data Breach Exposes 119,000 Users’ Unique Email Addresses appeared first on Cyber Security News.

Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse

Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.

However, an authorized red team engagement by Howler Cell recently revealed a critical attack path that entirely bypasses these vital protections.

Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.

This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.

The engagement by Howler Cell closely mirrored real-world tactics used by Storm-2372, a suspected Russian state-aligned threat actor.

Both the researchers and threat actors exploited unprotected Device Registration Service (DRS) endpoints to establish initial footholds, proving that blocked credentials are not a dead end for sophisticated attackers.

Azure AD Conditional Access Bypassed

According to Howler Cell’s comprehensive research, the operation began with valid credentials explicitly blocked by a CA policy, resulting in an AADSTS53003 error.

To bypass this, researchers targeted the DRS endpoint using the device code authentication flow, an avenue left open by unenforced security policies.

This allowed them to authenticate successfully and proceed to the next phase of the attack.

Using a single command, the Howler Cell team registered a phantom device with a signed Azure AD certificate and private key.

The DRS API does not validate if the caller is a physical Windows machine, allowing a Linux laptop to masquerade as a legitimate endpoint.

This step leveraged the MITRE ATT&CK technique for Account Manipulation (T1098.005).

With the phantom device registered, researchers minted a Primary Refresh Token (PRT) containing false device claims.

When this PRT was exchanged for an access token, Azure AD determined that the session was device-authenticated.

This completely bypassed CA policies that required a compliant or joined device, granting access to the broader tenant environment for directory enumeration.

To bypass policies strictly requiring an Intune-compliant device, the researchers exploited a known gap in Intune enrollment restrictions.

By claiming hybrid domain-join status, the phantom device bypassed pre-registration requirements.

Kill Chain (Source: Cyderes)

Intune trusted the client’s self-declared domain membership without verifying it against on-premises Active Directory.

Once enrolled, the device achieved compliance despite lacking BitLocker, Secure Boot, or antivirus software.

Intune’s evaluation logic treated missing health attestation responses as “not applicable” rather than non-compliant.

This permissive default posture allowed the researchers to download internal enterprise applications, and extracting a single package revealed critical internal server naming conventions and network architecture.

Escalation and Mitigation

Independent of device spoofing, the Howler Cell researchers at Cyderes identified a structural risk in hybrid identity environments.

They discovered 255 highly privileged directory roles, including multiple Global Administrators, synced directly from on-premises Active Directory. 

Compromising these on-premises accounts provides attackers with a direct path to complete cloud tenant takeover without needing any cloud-specific exploits.

To defend against these complex attack chains, organizations must harden their device trust models.

Crucial mitigations include:

  • Enforcing report-only CA policies that block device code flows and require MFA for device registration.
  • Mandating TPM 2.0 attestation as a strict prerequisite for all PRT issuance.
  • Requiring external validation of device health through the Microsoft Health Attestation Service rather than relying on self-reported data.
  • Scoping user-level Graph API access to prevent unauthorized bulk directory enumeration.
  • Restricting privileged directory roles exclusively to cloud-only accounts managed through Privileged Identity Management.
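Alongside the policy changes listed above, the chain described in this article leaves a recognisable trail in Entra ID sign-in logs: a device code flow sign-in whose resource is the Device Registration Service, followed shortly by the same user appearing from a device id never seen before. The following is an added detection example, not Howler Cell or Cyderes tooling. Record shape and field names follow the Microsoft Graph signIn resource (authenticationProtocol, resourceDisplayName, deviceDetail, conditionalAccessStatus); the records, users, IP addresses and device ids are constructed.

```python
"""Added example (not Howler Cell/Cyderes tooling): hunt exported Entra ID sign-in
records for a device code sign-in to the Device Registration Service followed by a
never-before-seen device for the same user. Field names follow the Microsoft Graph
signIn resource; all records below are constructed."""
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

DRS_RESOURCE = "Device Registration Service"   # resourceDisplayName when a device registers
NEW_DEVICE_WINDOW = timedelta(hours=1)           # how soon after a DRS sign-in a new device is suspicious


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_phantom_devices(signins: List[Dict],
                         known_devices: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Dict]:
    """Two rules over a chronologically sorted sign-in export:
    1. device-code-to-DRS: a deviceCode sign-in whose resource is the Device Registration Service.
    2. new-device-after-DRS: the same user then signs in from a (user, deviceId) pair not seen
       before, within NEW_DEVICE_WINDOW. Seed known_devices from the device inventory in
       production; here it is learned from the export itself.
    """
    alerts: List[Dict] = []
    last_drs: Dict[str, datetime] = {}
    seen = set(known_devices)
    for rec in sorted(signins, key=lambda r: parse_ts(r["createdDateTime"])):
        upn, ts = rec["userPrincipalName"], parse_ts(rec["createdDateTime"])
        detail = rec.get("deviceDetail") or {}
        device_id = detail.get("deviceId") or ""
        if (rec.get("authenticationProtocol") == "deviceCode"
                and rec.get("resourceDisplayName") == DRS_RESOURCE):
            last_drs[upn] = ts
            alerts.append({"rule": "device-code-to-DRS", "user": upn, "signIn": rec["id"],
                           "ip": rec.get("ipAddress"), "caStatus": rec.get("conditionalAccessStatus")})
        if device_id and (upn, device_id) not in seen:
            seen.add((upn, device_id))
            drs_ts = last_drs.get(upn)
            if drs_ts is not None and timedelta(0) <= ts - drs_ts <= NEW_DEVICE_WINDOW:
                alerts.append({"rule": "new-device-after-DRS", "user": upn, "signIn": rec["id"],
                               "deviceId": device_id, "trustType": detail.get("trustType"),
                               "isCompliant": detail.get("isCompliant")})
    return alerts


SAMPLE_SIGNINS: List[Dict] = [  # constructed: a benign user with a known device, and one chain
    {"id": "s0", "createdDateTime": "2026-05-05T08:30:00Z", "userPrincipalName": "asmith@contoso.example",
     "authenticationProtocol": "oAuth2", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-known-1", "operatingSystem": "Windows 11",
                      "trustType": "Azure AD joined", "isCompliant": True}},
    {"id": "s1", "createdDateTime": "2026-05-05T09:00:00Z", "userPrincipalName": "jdoe@contoso.example",
     "authenticationProtocol": "deviceCode", "resourceDisplayName": DRS_RESOURCE, "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"deviceId": "", "operatingSystem": "", "trustType": "", "isCompliant": False}},
    {"id": "s2", "createdDateTime": "2026-05-05T09:07:00Z", "userPrincipalName": "jdoe@contoso.example",
     "authenticationProtocol": "oAuth2", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-new-77", "operatingSystem": "Windows 10",
                      "trustType": "Hybrid Azure AD joined", "isCompliant": False}},
    {"id": "s3", "createdDateTime": "2026-05-05T09:30:00Z", "userPrincipalName": "asmith@contoso.example",
     "authenticationProtocol": "oAuth2", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "success",
     "deviceDetail": {"deviceId": "dev-known-1", "operatingSystem": "Windows 11",
                      "trustType": "Azure AD joined", "isCompliant": True}},
]

if __name__ == "__main__":
    for alert in hunt_phantom_devices(SAMPLE_SIGNINS):
        print(alert)
```

The second rule is what separates a developer legitimately using device code flow from the registration chain above: a brand-new device id that claims a joined trust type minutes after a DRS sign-in, from the same address, is worth a ticket even before Intune's compliance verdict arrives.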


The post Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse appeared first on Cyber Security News.

GnuTLS 3.8.13 Released with Fix for 12 Vulnerabilities Affecting Network Communications

GnuTLS version 3.8.13 has been officially released to patch a dozen security vulnerabilities, including critical flaws affecting secure network communications.

The update is highly recommended for all systems using GnuTLS, as it addresses memory corruption, authentication bypasses, and certificate validation errors.

Four vulnerabilities discovered in this release are categorized as High severity and require immediate attention from security teams.

These critical flaws primarily impact the Datagram Transport Layer Security (DTLS) implementation and specific authentication configurations.

Threat actors often target these types of memory corruption and bypass vulnerabilities to compromise remote servers or disrupt services.

The update fixes a wide range of bugs, from timing side channels to critical heap overruns.

The table below highlights the most significant vulnerabilities patched in version 3.8.13:

CVE ID            Severity   Issue Type              Summary
CVE-2026-33846    High       Heap Overwrite          Missing checks could let attackers overwrite memory.
CVE-2026-42010    High       Auth Bypass             Flawed username handling allows login bypass.
CVE-2026-33845    High       Heap Overrun            Memory error may let attackers overflow data remotely.
CVE-2026-42009    High       Undefined Behavior      Packet sorting flaw may cause unpredictable issues.
CVE-2026-42013    Medium     Cert Validation Issue   Improper certificate checks could weaken security.
CVE-2026-42014    Medium     Use-After-Free          Memory bug triggered during PIN changes.
CVE-2026-3833     Moderate   Constraint Bypass       Domain checks ignore case rules, risking validation bypass.
CVE-2026-5419     Low        Timing Leak             Timing flaw may expose sensitive information.

According to the GnuTLS Security Advisory 2026, admins should upgrade to GnuTLS 3.8.13 to mitigate these threats.

Public-facing servers utilizing DTLS or RSA-PSK authentication are at the highest risk. They should be patched during the next available maintenance window.

To proactively defend, security operations centers should update their monitoring tools to detect anomalous DTLS traffic or malformed RSA-PSK authentication attempts.

Ensuring that foundational cryptographic libraries remain up to date is a critical strategy for preventing initial network compromise.


The post GnuTLS 3.8.13 Released with Fix for 12 Vulnerabilities Affecting Network Communications appeared first on Cyber Security News.

Cisco to Acquire Astrix Security to Strengthen AI Agent and Non-Human Identity Security

Cisco has announced its intent to acquire Astrix Security Ltd., an industry leader in Non-Human Identity (NHI) security.

This strategic acquisition aims to protect enterprise environments from the expanding attack surface created by the rapid deployment of AI agents.

The modern workplace is undergoing a massive shift. Employees are increasingly supported by “agentic AI”: automated AI agents that work at machine speed to access data, make decisions, and execute tasks.

While these agents unlock incredible productivity, they also introduce severe security vulnerabilities if left unmonitored.

Cisco to Acquire Astrix Security

Unlike human users, AI agents rely on non-human identities to connect to enterprise systems.

These identities include API keys, service accounts, and OAuth tokens. If threat actors compromise these credentials, they can execute malicious actions at scale.

According to Cisco’s AI Readiness Index, only 24% of organizations currently have the guardrails needed to control AI agent actions safely.

Furthermore, emerging AI-driven threats, such as the Mythos model, are forcing security teams to confront high-impact, accelerated cyber attacks.

Astrix Security has spent the last five years specializing in protecting credentials that power machine-to-machine interactions.

By acquiring Astrix, Cisco gains deep technical capabilities to discover, monitor, and secure every AI agent and NHI across an organization.

The integration of Astrix will bring four core capabilities to Cisco’s security portfolio:

  • Discovery and governance: Security teams can map all AI agent activity, resolve hygiene issues, and prevent compliance violations.
  • Lifecycle management: Administrators can easily manage AI agents from initial provisioning through final decommissioning.
  • Threat detection and response: The platform automatically detects compromised credentials and blocks out-of-scope agent actions.
  • Secrets management: Organizations gain centralized protection for sensitive keys and tokens across cloud environments and vaults.

Upgrading Cisco Zero Trust

Cisco plans to integrate Astrix’s technology into Cisco Identity Intelligence, enhancing context and visibility across its entire security platform.

These new NHI features will also extend into Cisco Secure Access and Duo Identity and Access Management.

This allows companies to authenticate and authorize non-human identities under a strict Zero Trust model, treating AI agents with the same security scrutiny as human employees.

By feeding this intelligence into Splunk or other SIEM tools, security operations centers (SOCs) get a unified view of agent behavior to investigate threats in real time.

This acquisition is a critical step in Cisco’s broader strategy to secure the AI era.

It builds on recent infrastructure upgrades such as Project Glasswing, Live Protect, and the Galileo acquisition.

By locking down the non-human credentials that AI agents abuse, Cisco is helping organizations adopt automation securely and at scale.


The post Cisco to Acquire Astrix Security to Strengthen AI Agent and Non-Human Identity Security appeared first on Cyber Security News.

Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks

A critical unauthenticated remote code execution vulnerability in the Weaver E-cology platform is currently being actively exploited in the wild.

CVE-2026-22679 carries a maximum CVSS score of 9.8 and affects Weaver E-cology 10.0 builds released before 20260312.

The security flaw exists in an exposed debug endpoint that allows attackers to execute arbitrary commands without requiring any authentication.

By sending specially crafted POST requests, attackers can pass malicious input directly to the operating system.

The earliest evidence of exploitation was observed on March 17, 2026, just five days after the vendor patch was released.

The Vega Threat Research team has uncovered a series of attacks that began just days after the vendor released an official patch.

This rapid weaponization highlights how quickly threat actors can adopt new exploits to compromise enterprise platforms.

Weaver E-cology RCE exploited

The attackers began their campaign by verifying their remote code execution capabilities through simple ping callbacks.

Using the Tomcat-bundled Java Virtual Machine, they launched a series of ping commands directed at a callback infrastructure associated with the Goby vulnerability-scanning framework.

This technique allowed the attackers to easily confirm their access by checking the HTTP response body for unique marker tokens.

Following their initial access, the operators aggressively attempted to deliver various malicious payloads over three days.

They tried to drop multiple executable files and a Windows Installer package specifically named to reflect the targeted Weaver software.

Fortunately, robust endpoint detection and response defenses successfully quarantined these attempts, effectively preventing the deployment of the malicious files.

After security tools blocked their initial payloads, the attackers shifted to active evasion.

They copied the legitimate Windows PowerShell executable into a plain-text file to bypass standard process-name detection.

Through this renamed binary, they attempted to fetch and execute fileless PowerShell scripts directly in memory. However, these actions were also successfully intercepted.

Throughout the attack sequence, the threat actors continuously executed system discovery commands like whoami and tasklist.

Because the vulnerable debug endpoint reflects the output of executed commands directly in the HTTP response, the attackers did not need to establish a persistent shell on the victim host.

This strict request-and-response behavior allowed them to effortlessly conduct discovery and payload delivery concurrently.

Organizations running Weaver E-cology must urgently update their systems to build 20260312 or later, which completely removes the vulnerable debug endpoint.

Vega Threat Research advises security teams to actively monitor for anomalous processes parented by the Java Virtual Machine, particularly those involving network utilities or command-line interpreters.

Implementing robust endpoint defenses and routinely reviewing network traffic to the affected API paths can also help identify potential compromise attempts.
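The monitoring advice above, turned into rules over process-creation telemetry, as an added example that is not Vega Threat Research's detection content. The record format (one Key=Value|Key=Value line per process start, loosely modelled on Sysmon Event ID 1 fields), the rule lists and every sample event are constructed; the paths are placeholders, not Weaver E-cology's real install layout.

```python
"""Flag JVM-parented command interpreters, network utilities, discovery commands
and renamed PowerShell binaries in process-creation telemetry.

Added example, not Vega Threat Research's detection content. The record format
and every sample event are constructed; paths are placeholders.
"""
from __future__ import annotations
import ntpath

JVM_IMAGES = {"java.exe", "javaw.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
NETWORK_UTILS = {"ping.exe", "nslookup.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
DISCOVERY_MARKERS = ("whoami", "tasklist", "systeminfo", "ipconfig", "net user")


def parse_event(line: str) -> dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a field map."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: dict[str, str]) -> list[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits: list[str] = []
    jvm_parent = parent in JVM_IMAGES
    if jvm_parent and image in INTERPRETERS:
        hits.append("jvm_spawned_interpreter")
    if jvm_parent and image in NETWORK_UTILS:
        hits.append("jvm_spawned_network_utility")
    # A copied PowerShell keeps its PE OriginalFileName even when the on-disk
    # name is something like 2.txt, so compare the two.
    if original == "powershell.exe" and image != "powershell.exe":
        hits.append("renamed_powershell_binary")
    if jvm_parent and any(marker in cmdline for marker in DISCOVERY_MARKERS):
        hits.append("jvm_parented_discovery_command")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched rules) for every non-benign event."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        hits = evaluate(parse_event(line))
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|CommandLine=cmd.exe",
    r"ParentImage=C:\tomcat\jre\bin\java.exe|Image=C:\Windows\System32\cmd.exe|OriginalFileName=Cmd.Exe|CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\tomcat\jre\bin\java.exe|Image=C:\Windows\System32\PING.EXE|OriginalFileName=ping.exe|CommandLine=ping -n 1 callback.example.invalid",
    r"ParentImage=C:\tomcat\jre\bin\java.exe|Image=C:\Windows\Temp\2.txt|OriginalFileName=PowerShell.EXE|CommandLine=2.txt -NoProfile",
    r"ParentImage=C:\tomcat\jre\bin\java.exe|Image=C:\tomcat\jre\bin\java.exe|OriginalFileName=java.exe|CommandLine=java -jar worker.jar",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(hits)}")
```

The last sample shows why the rules key on the child image rather than on the parent alone: a JVM spawning another JVM is normal for Tomcat and produces no finding.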

Indicators of Compromise (IOCs)


Filenames / Artifacts

  • vsgbt[.]exe: Initial stager
  • hjchhb[.]exe: Initial stager
  • nvm[.]exe: Fake Node Version Manager binary
  • fanwei0324[.]msi: Malicious MSI installer
  • 2[.]txt: Renamed PowerShell binary
  • config[.]js: Base64 stager
  • xx[.]ps1 / x[.]ps1: Fileless PowerShell payloads

Host Indicators

  • Suspicious processes: java[.]exe spawning cmd[.]exe, powershell[.]exe, ping[.]exe
  • Exploitation sign: Unauthorized command execution via debug endpoint

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.

Instagram to End Encrypted Chats for Direct Messages

Meta has announced that Instagram will officially discontinue its optional end-to-end encrypted direct message feature on May 8, 2026.

The feature was initially rolled out for testing in 2021 to provide users with a secure communication channel accessible only by the sender and recipient.

Meta cites very low adoption rates among its user base as the primary reason for sunsetting this privacy feature.

Once the May 8 deadline passes, all direct messages on the platform will revert to standard Transport Layer Security.

Transport Encryption Versus Privacy

The transition away from end-to-end encryption marks a significant shift in how user data is handled on Instagram.

With end-to-end encryption, cryptographic keys are stored exclusively on user devices, preventing intercepted messages from being read by anyone.

By reverting to standard transport encryption, data remains secure while traveling across the network, but is decrypted once it reaches Meta’s servers.

This architectural change allows Meta to perform several new actions on your private messages.

  • Automated scanning for safety violations and malicious links.
  • Integration of private chat data into machine learning and AI training models.
  • Fulfillment of legal requests or law enforcement subpoenas using plaintext data.
  • Routine moderation using server-side keyword tracking and behavioral analysis.

Furthermore, cybersecurity experts note that removing end-to-end encryption increases the risk of data exposure in the event of a server-side data breach.

Users who previously relied on the encrypted chat feature must take immediate action to preserve their communication history.

Meta is actively sending notifications urging affected users to export their encrypted chat data before the infrastructure changes take effect.

After the cutoff date, previously encrypted threads will become fully accessible to Meta’s automated moderation algorithms.

You have four days left to enjoy encrypted chats on Instagram.

Once May 8th rolls around, your chats will be visible to Meta.

— Malwarebytes (@Malwarebytes) May 4, 2026

To safeguard their data, users should navigate to their account security settings and request a secure download of their personal information.

Failing to export this data before the deadline means those private conversations will seamlessly be added to the platform’s scannable database.

Community Backlash and Alternatives

The cybersecurity community and privacy advocates have strongly criticized this sudden policy change.

Threat intelligence experts emphasize that removing built-in security features contradicts the growing global demand for robust digital privacy.

Social media discussions, including alerts from security firms like Malwarebytes, highlight public frustration over corporate data harvesting.

In response to the changes, security researchers continue to recommend migrating sensitive conversations to dedicated secure platforms.

Meta actively encourages users seeking privacy to transition to WhatsApp. However, many privacy-conscious individuals are shifting to independent messengers like Signal.

The post Instagram to End Encrypted Chats for Direct Messages appeared first on Cyber Security News.

Critical Android Zero-Click Vulnerability Grants Remote Shell Access

Google has published the May 2026 Android Security Bulletin, alerting the ecosystem to a highly severe remote code execution (RCE) flaw.

Tracked as CVE-2026-0073, this critical vulnerability resides deep within the core Android System component.

It allows an attacker to gain remote shell access without requiring a single tap, download, or click from the device owner.

Threat actors can launch this zero-click attack proximally, meaning they only need to be on the same local network or in physical proximity to exploit a vulnerable mobile device.

Android Zero-Click Vulnerability

The root of CVE-2026-0073 lies within the adbd subcomponent, which stands for the Android Debug Bridge daemon.

Developers traditionally utilize this system service to communicate with a device, run terminal commands, and modify system behavior.

Because the flaw grants remote code execution as a “shell” user, attackers can bypass normal application sandboxes.

They do not need any special execution privileges or user interaction to deploy their malicious payloads successfully.

Imagine the adbd service as a restricted maintenance door on a secure corporate building.

This vulnerability acts like a master key that works over a wireless connection, allowing an intruder to quietly unlock the door and issue commands to the building’s internal systems without the security guard ever noticing.

This frictionless level of access makes the vulnerability highly dangerous and incredibly attractive to advanced threat actors.

Because the adbd service is a Project Mainline component distributed via Google Play system updates, the flaw affects multiple recent generations of the operating system.

Android 14, Android 15, Android 16, and Android 16-QPR2 devices are currently at risk.

Google has resolved this critical issue in the May 1, 2026, security patch level, as detailed in the Android Security Bulletin May 2026.

All Android hardware partners were notified of this vulnerability at least a month in advance to help them prepare over-the-air firmware updates.

Corresponding source code patches are also being pushed to the Android Open Source Project (AOSP) repository to ensure ongoing platform stability for the wider ecosystem.

Device owners must prioritize installing the latest security updates immediately to block potential exploitation.

To confirm that a device is protected, navigate to system settings and verify that the security patch level is May 1, 2026, or later.

Users should also manually check for pending Google Play system updates, as some devices running Android 10 or later may receive targeted component patches via this alternative channel.


The post Critical Android Zero-Click Vulnerability Grants Remote Shell Access appeared first on Cyber Security News.

CISA Warns of Linux Kernel 0-Day Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Linux kernel zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies and organizations worldwide to patch immediately or discontinue use of affected systems.

Tracked as CVE-2026-31431 and dubbed “Copy Fail”, the flaw carries a CVSS score of 7.8 (High) and is classified under CWE-699 (Incorrect Resource Transfer Between Spheres).

The vulnerability resides in the algif_aead module of the Linux kernel’s AF_ALG cryptographic subsystem; specifically, it is a logic bug in the authentication cryptographic template that causes improper memory handling during in-place operations.

What makes this flaw particularly alarming is its exploitability: a 732-byte Python script is all an unprivileged local user needs to reliably escalate privileges to root.

Nine-Year-Old Bug Hiding in Plain Sight

Despite being disclosed publicly on April 29, 2026, the vulnerability has roots stretching back nearly a decade.

It was introduced through three separate, individually harmless changes made to the Linux kernel in 2011, 2015, and 2017, none of which raised red flags independently.

The flaw affects every major Linux distribution running kernels built since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, Debian, Fedora, and Arch Linux.

The attack chain exploits the interaction between the AF_ALG socket interface, the splice() system call, and improper error handling during a failed copy operation.

This results in a controlled 4-byte overwrite in the kernel page cache, allowing an attacker to corrupt setuid binaries and other sensitive kernel-managed data entirely within kernel space, bypassing traditional user-space protections.

Critically, exploitation requires no root privileges inside containers, no kernel modules, and no network access, making it a powerful post-exploitation tool in containerized environments, including Kubernetes clusters and Docker CI runners.

CISA added CVE-2026-31431 to its KEV catalog on May 1, 2026, with a mandatory remediation deadline of May 15, 2026, for all federal civilian agencies. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

Organizations running Red Hat Enterprise Linux can apply configuration-level mitigations while patches are deployed.

CISA directs all organizations to apply vendor-issued mitigations immediately, follow BOD 22-01 guidance for cloud services, or discontinue use of unpatched systems.

Security teams are strongly urged to audit Linux kernel versions across cloud workloads, container environments, and on-premises infrastructure without delay, as active exploitation in the wild has already been confirmed.


The post CISA Warns of Linux Kernel 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Apache MINA Vulnerabilities Enable Remote Code Execution Attacks

The Apache MINA project has issued urgent security updates to address two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems.

Developers relying on this network application framework are strongly urged to update their software immediately to protect their environments from potential exploitation.

Developers widely use Apache MINA to create high-performance, scalable network applications.

Because it handles active data streams between clients and servers, vulnerabilities in its processing of incoming data can have severe security implications for enterprise networks.

Apache MINA Vulnerabilities

Interestingly, the Apache MINA team actually created fixes for these specific vulnerabilities for a previous release.

However, due to a repository management mistake, the patched code never successfully merged into two specific release branches.

The project maintainers caught the error and have now officially pushed the fixes to the public.

The project initially announced the release of version 2.0.12 on their developer mailing list.

However, project member Emmanuel Lécharny quickly issued a correction confirming the actual patched versions are 2.2.7 and 2.1.12.

The security update resolves two specific Common Vulnerabilities and Exposures (CVEs) related to how Apache MINA handles incoming, untrusted data. Both vulnerabilities stem from insecure deserialization processes.

Deserialization is the process by which a program takes data formatted for network transfer (such as a stream of bytes) and rebuilds it into a functional object in the computer’s memory.

When this process lacks proper security checks, hackers can slip malicious code into the data stream, tricking the server into executing it.

The two fixed vulnerabilities include:

  • A logic flaw causes a specific branch to skip the necessary acceptMatchers filter, leading to full object deserialization.

Mitigation Steps

These vulnerabilities do not affect every single Apache MINA deployment.

The risk is isolated to applications that specifically utilize the AbstractIoBuffer.getObject() method.

If your application uses this method to deserialize Java classes sent by a client over the network, your system is completely vulnerable to these remote code execution attacks.

Administrators and developers should immediately review their codebases to determine whether they use the affected method.

To secure your infrastructure, upgrade your Apache MINA deployments to versions 2.2.7 or 2.1.12.

The official downloads and patch notes are currently available directly on the Apache MINA project website.


The post Apache MINA Vulnerabilities Enable Remote Code Execution Attacks appeared first on Cyber Security News.

CISA Warns of cPanel & WHM Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical security flaw affecting widely used web hosting management platforms.

CISA recently added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively abusing it in real-world attacks.

Tracked as CVE-2026-41940, the defect targets WebPros cPanel & WHM (WebHost Manager) as well as WP2 (WordPress Squared).

Understanding the Authentication Bypass Flaw

CVE-2026-41940 is officially classified as a “Missing Authentication for Critical Function” vulnerability, mapped to the weakness identifier CWE-306.

The security gap exists directly within the login flow of the affected products.

Because the software fails to properly verify user identities during the authentication process, unauthenticated remote attackers can bypass security checks completely.

This means a cybercriminal does not need valid usernames or passwords to break in.

Instead, they can exploit the login mechanism to instantly gain unauthorized administrative access to the hosting control panel.

WebPros cPanel & WHM is a popular suite that simplifies website and server management, while WP2 provides streamlined WordPress operations.

Control panels are highly attractive targets for attackers because they serve as the administrative backbone for thousands of websites, databases, and server configurations.

The widespread adoption of these tools means a single flaw can expose countless domains to immediate compromise.

Once an attacker bypasses the login screen, they effectively hold the keys to the kingdom.

They can modify website files, steal sensitive database information, reroute web traffic, or establish persistent backdoors for future access.

While CISA notes that it is currently unknown if this specific vulnerability is tied to ongoing ransomware campaigns, the risk remains severe.

Compromised hosting environments are frequently weaponized to host phishing pages, run cryptomining scripts, or launch coordinated attacks against other networks.

Required Mitigations and Deadlines

To counter this active threat, CISA mandates immediate action from federal agencies, and private organizations are strongly encouraged to adopt the same protective measures.

Security teams and system administrators should prioritize the following steps:

  • Apply the latest security patches provided by the vendor immediately to secure the login flow.
  • Follow the security guidance outlined in CISA’s Binding Operational Directive (BOD) 22-01 specifically regarding cloud services.
  • Discontinue the use of the vulnerable product entirely if updates or practical mitigations are unavailable for your specific environment.

CISA originally added this vulnerability to the KEV catalog on April 30, 2026, and set a strict remediation deadline of May 3, 2026.

Because this deadline has already passed, organizations that have not yet patched their systems must treat this as a critical incident response priority.


The post CISA Warns of cPanel & WHM Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Critical MOVEit Vulnerabilities Enable Authentication Bypass

Progress Software has issued a critical security bulletin for its MOVEit Automation platform.

This April 2026 alert warns of two highly severe vulnerabilities that could allow attackers to bypass security checkpoints and gain full system control.

MOVEit Automation is widely used by enterprises to manage and automate secure file transfers, making it a high-value target for cybercriminals.

Organizations using this software must apply the latest patches immediately to prevent unauthorized data access and potential breaches.

MOVEit Authentication Bypass Flaw

The critical alert focuses on two distinct flaws discovered and reported by a team of researchers at Airbus SecLab, including Anaïs Gantet, Delphine Gourdou, Quentin Liddell, and Matteo Ricordeau.

Threat actors can exploit these vulnerabilities directly through the service backend command port interfaces.

If an attacker successfully exploits these flaws, they can bypass login screens, steal sensitive files, and gain complete administrative control of the server.

Security teams should actively hunt for threats by checking their audit logs for unexpected privilege changes or anomalous backend activity.

The technical breakdown of the flaws includes:

  • CVE-2026-4670: A primary weakness causing an authentication bypass, allowing unauthenticated external users to access the system without valid credentials.
  • CVE-2026-5174: An improper input validation vulnerability that results in privilege escalation, letting attackers elevate their standard access to administrative rights.

These security flaws impact several generations of the MOVEit Automation software.

Progress Software urges system administrators to verify their current installation by opening the Web Admin dashboard and checking the “About” section under the “Help” menu.

The vulnerabilities exist in the following software builds:

  • MOVEit Automation 2025.1.4 and all earlier versions.
  • MOVEit Automation 2025.0.8 and all earlier versions.
  • MOVEit Automation 2024.1.7 and all prior versions.

Progress Software has addressed both vulnerabilities in its newest software releases.

Applying these official updates using the full installer is the only recognized method to close the security gaps.

IT teams should plan for a brief system outage while the installation process completes.

Administrators must update their systems to the following secure versions:

  • Upgrade to MOVEit Automation 2025.1.5 to secure the 2025.1 track.
  • Upgrade to MOVEit Automation 2025.0.9 to secure the 2025.0 track.
  • Upgrade to MOVEit Automation 2024.1.8 to secure the 2024.1 track.

Customers with an active maintenance agreement can access the necessary upgrade files directly through the Progress Community portal.

Organizations currently running older, unsupported versions must transition to a modern, supported lifecycle release to ensure their file transfer environments remain secure against these critical threats.


The post Critical MOVEit Vulnerabilities Enable Authentication Bypass appeared first on Cyber Security News.

FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root

The FreeBSD Project has released a critical security advisory addressing a severe flaw in its default IPv4 DHCP client.

Tracked as CVE-2026-42511, this vulnerability allows a local network attacker to execute arbitrary code as root, granting them complete control over the compromised machine.

Discovered by Joshua Rogers of the AISLE Research Team, the vulnerability affects all currently supported versions of FreeBSD.

FreeBSD DHCP Client Vulnerability

The core issue resides in how dhclient(8) processes network configuration parameters from DHCP servers.

When a device joins a network, it requests IP configuration data. The DHCP client takes the provided BOOTP file field and writes it to a local DHCP lease file.

However, a critical parsing error occurs during this process: the software fails to escape embedded double-quotes properly.

This oversight allows a malicious actor to inject arbitrary configuration directives directly into the dhclient.conf file.

When the lease file is later re-parsed, such as during a system restart or a network service reload, these attacker-controlled fields are passed to dhclient-script(8).

Because this script evaluates the input with high-level system privileges, the injected commands are executed as root.
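The quoting defect described above, shown as a vulnerable lease writer beside a hardened one and a re-parser that reads the result back. This is an added example, not FreeBSD's dhclient(8) source: the statement syntax follows the dhclient.leases format (semicolon-terminated statements inside a lease block), while the writer functions, the parser and the hostile BOOTP file value are constructed for illustration.

```python
"""Quote breakout in a DHCP lease writer: vulnerable vs. hardened.

Added example, not FreeBSD's dhclient(8) code. The lease syntax follows the
dhclient.leases format; the sample BOOTP 'file' value and the statements
around it are constructed.
"""
from __future__ import annotations


def write_filename_vulnerable(bootp_file: str) -> str:
    """Mimics the defect: the server-supplied string is dropped between quotes verbatim."""
    return f'  filename "{bootp_file}";\n'


def quote_lease_string(value: str) -> str:
    """Escape backslashes, double quotes and newlines so the value cannot end the
    quoted string early or start a new statement."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return f'"{escaped}"'


def write_filename_hardened(bootp_file: str) -> str:
    return f"  filename {quote_lease_string(bootp_file)};\n"


def unquote_lease_string(token: str) -> str:
    """Inverse of quote_lease_string for a single "..." token."""
    assert token.startswith('"') and token.endswith('"')
    out, esc = [], False
    for ch in token[1:-1]:
        if esc:
            out.append("\n" if ch == "n" else ch)
            esc = False
        elif ch == "\\":
            esc = True
        else:
            out.append(ch)
    return "".join(out)


def parse_statements(block: str) -> list[tuple[str, str]]:
    """Split a lease block into (keyword, rest) the way a re-parser would: ';'
    ends a statement only outside a double-quoted string, and '\\' escapes the
    next character inside one."""
    statements, cur, in_str, esc = [], [], False, False
    for ch in block:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ";":
            text = "".join(cur).strip()
            if text:
                keyword, _, rest = text.partition(" ")
                statements.append((keyword, rest.strip()))
            cur = []
        else:
            cur.append(ch)
    return statements


def statements_for(writer, bootp_file: str) -> list[tuple[str, str]]:
    """Wrap the written filename statement in a minimal constructed lease body."""
    block = '  interface "em0";\n' + writer(bootp_file) + "  fixed-address 192.0.2.10;\n"
    return parse_statements(block)


# Constructed hostile BOOTP 'file' field: the embedded quote ends the string early,
# so the remainder reads as a second directive once the lease file is re-parsed.
HOSTILE_FILE = 'pxeboot"; option host-name "injected'

if __name__ == "__main__":
    for name, writer in (("vulnerable", write_filename_vulnerable),
                         ("hardened", write_filename_hardened)):
        stmts = statements_for(writer, HOSTILE_FILE)
        print(f"{name}: {len(stmts)} statements -> {stmts}")
```

With the vulnerable writer the re-parser sees four statements, one of them attacker-supplied; with the hardened writer it sees three, and the filename value round-trips unchanged.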

To successfully exploit CVE-2026-42511, an attacker must be on the same broadcast domain (local network) as the target.

By deploying a rogue DHCP server, the attacker can intercept and respond to the victim’s DHCP requests with maliciously crafted data packets.

Once triggered, the vulnerability results in total system compromise. An attacker could establish persistent backdoors, deploy ransomware, or pivot deeper into the corporate network.

From a threat intelligence perspective, this aligns with MITRE ATT&CK techniques for Adversary-in-the-Middle (T1557) and Command and Scripting Interpreter (T1059).

The vulnerability is present across all supported FreeBSD releases and stable branches, specifically:

  • FreeBSD 15.0 (15.0-RELEASE and 15.0-STABLE)
  • FreeBSD 14.4 and 14.3 (14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE)
  • FreeBSD 13.5 (13.5-RELEASE and 13.5-STABLE)

Remediation and Mitigation Strategies

The FreeBSD Project has already rolled out security patches.

System administrators should update their operating systems immediately using one of the following methods, as outlined in the FreeBSD advisory (FreeBSD-SA-26:12.dhclient).

1. Base System Packages:

For systems installed using base packages (amd64/arm64 on FreeBSD 15.0), run:

# pkg upgrade -r FreeBSD-base

2. Binary Distributions:

For other release versions, utilize the update utility:

# freebsd-update fetch

# freebsd-update install

There is no direct software workaround for devices that must run dhclient.

However, network administrators can neutralize this threat by enabling DHCP snooping on enterprise network switches.

DHCP snooping acts as a firewall between untrusted hosts and trusted DHCP servers, effectively blocking rogue DHCP servers from delivering the malicious payload to vulnerable endpoints. Systems not running dhclient(8) are completely unaffected.


The post FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root appeared first on Cyber Security News.

Multiple Exim Mail Server Vulnerabilities Lead to Crash with Malicious DNS Data

The Exim development team has released version 4.99.2 to address four newly discovered security vulnerabilities affecting their mail server software.

These flaws allow attackers to potentially crash servers, corrupt memory, or leak sensitive information.

Because Exim is one of the most widely used message transfer agents on the internet, system administrators need to apply this update immediately to secure their email infrastructure.

Breakdown of the Discovered Vulnerabilities

The latest security update patches four distinct Common Vulnerabilities and Exposures (CVEs) that affect how the server processes external inputs.

  • CVE-2026-40684 causes a crash with malicious DNS data: malformed PTR records trigger an octal printing error on systems using the musl C library, resulting in a complete crash of the connection instance.
  • CVE-2026-40685 triggers out-of-bounds read and write operations on corrupted JSON configurations that use JSON operators on invalid external input, which can directly lead to heap corruption.
  • CVE-2026-40686 exposes out-of-bounds read issues via large UTF-8 trailing characters; processing malformed headers might leak data if error messages are required for subsequent emails in the same connection.
  • CVE-2026-40687 creates out-of-bounds vulnerabilities in the SPA authenticator; connecting to a compromised external SPA or NTLM service can cause the instance to crash or leak heap memory.

Mail servers act as the central communication backbone for modern organizations, making them highly attractive targets for threat actors.

When attackers exploit out-of-bounds read and write vulnerabilities, they manipulate how a program allocates its memory space.

This allows malicious users to extract sensitive data they shouldn’t be able to access or to overwrite data, disrupting normal server operations.

The DNS-related crash specifically highlights how a simple malformed record can cause a denial-of-service condition for systems that rely on the musl C library.

Threat actors routinely deploy automated scanners to identify unpatched mail servers connected to the internet.

Leaving these endpoints exposed makes them highly vulnerable to automated exploitation and targeted data extraction campaigns.

Mitigation Steps

System administrators should prioritize upgrading to Exim 4.99.2 immediately.

The official security release is currently available as a tarball download from the primary Exim FTP site. It can also be pulled directly from the official Exim Git repository.

According to the advisory, older versions of Exim are no longer actively maintained, and network defenders should take note.

This means legacy deployments may carry these vulnerabilities permanently unless upgraded to the current branch.

Administrators should also review their email header configurations to ensure proper validation of externally provided JSON and UTF-8 inputs.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Multiple Exim Mail Server Vulnerabilities Leads to Crash with Malicious DNS data appeared first on Cyber Security News.

WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently

A massive supply chain attack has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations.

Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites.

The malicious code bypassed official security checks by leveraging a custom remote update checker, effectively turning the plugin into a vehicle for parasite SEO and remote code execution.

Backdoored WordPress Plugin

The investigation began when routine security audits on a hosting fleet flagged anomalies in plugin version 5.2.3.

While the affected websites reported running version 5.2.3, the file hashes did not match those of the official release on the WordPress repository.

The tampered files contained an unauthorized function that reached out to a third-party server and injected returned content directly into website pages.

To evade detection, the injection was specifically hidden from logged-in administrators and only triggered for regular visitors and search engine crawlers.

The compromise was executed through a highly sophisticated, multi-stage process involving two distinct backdoors.

The active backdoor was a bundled copy of a plugin update checker library configured to poll a server controlled by the developer, rather than the official WordPress infrastructure.

This mechanism allowed the malicious actor to push unauthorized updates with full administrative privileges.

The passive backdoor was the injected payload itself, which quietly fetched and displayed hidden content from a remote command-and-control server.

Although the command-and-control server is currently offline and the backdoor is dormant, the update mechanism remains fully functional and could be reactivated at any time.

An Inside Supply Chain Attack

Extensive analysis of the plugin’s commit history revealed that the attack was orchestrated by the plugin’s original author, anadnet.

The developer intentionally committed the malicious self-updater to the official repository in late 2020, allowing it to propagate to thousands of websites.

Months later, the author distributed the tampered payload through their private server before quietly removing the custom updater from the official source code.

This deliberate maneuver erased obvious traces of the compromise from the official repository while leaving existing installations permanently tethered to the attacker’s infrastructure.

The WordPress plugin review team temporarily pulled the Quick Page/Post Redirect Plugin from the directory in April 2026 pending a full investigation.

Since attackers can spoof version numbers, traditional vulnerability scanners often fail to detect this type of supply chain compromise.

According to a report by Austin Ginder at Anchor, administrators should use the built-in WordPress command-line tool to verify plugin checksums against the official repository.

Any mismatch indicates a compromised file, and security experts recommend completely uninstalling the affected plugin in favor of actively maintained alternatives.

The post WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently appeared first on Cyber Security News.

Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild

In early 2026, two critical authentication bypass vulnerabilities in the popular open-source Qinglong task scheduler were actively exploited by hackers.

According to Snyk security reports, unauthenticated attackers breached publicly accessible panels, achieving remote code execution to install a hidden, resource-draining cryptominer named .fullgc.

Qinglong is a self-hosted task scheduling dashboard that supports multiple scripting languages, including Python 3 and JavaScript.

Snyk notes that the project has gained massive popularity, particularly among the Chinese developer community, accumulating over 19,000 stars on GitHub.

Users frequently deploy the platform on cloud virtual private servers and home networks using Docker containers.

Cryptomining Campaign

Around February 7, 2026, administrators began noticing abnormal activity. BleepingComputer highlights that sudden CPU spikes pushed server capacity to 100%.

Attackers exploited the unpatched flaws to modify Qinglong’s configuration script, quietly downloading the .fullgc cryptominer disguised as a Java garbage collection process.

This deceptive naming convention was designed to delay administrative investigations while the malware consumed system resources.

The attacks were made possible by two severe flaws in Qinglong versions 2.20.1 and earlier.

Snyk researchers explain that both vulnerabilities stem from a mismatch between the security middleware assumptions and the Express.js framework’s routing behavior.

CVE-2026-3965, detailed in GitHub Issue #2933, arises from a URL rewrite rule that incorrectly maps /open/* requests to protected /api/* endpoints.

This flaw allows an attacker to reinitialize and reset administrative credentials with a single unauthenticated request.

CVE-2026-4047, detailed in GitHub Issue #2934, exploits case-insensitive URL handling by altering request casing (e.g., /aPi/) to bypass protections on /api/ endpoints.

Snyk’s vulnerability database shows that this grants direct remote code execution without requiring a credential reset.

Incident Timeline

The exploitation remained largely unnoticed by the English-speaking security community while wreaking havoc on developer forums.

  • February 7-8: Initial users report the .fullgc cryptominer causing severe CPU exhaustion.
  • February 10: The community requests a public warning as infections spread across different deployment setups.
  • February 27: Researchers publicly disclose the root cause as two distinct authentication bypass vulnerabilities.
  • March 1: The platform maintainers confirm the security flaws and urge users to apply the latest updates.

Initially, GitHub pull requests showed the community attempting to mitigate the threat by filtering malicious inputs, but this proved inadequate against the underlying access control flaw.

The maintainers ultimately resolved the vulnerability by directly fixing the middleware’s authentication logic.

To secure their systems, operators should immediately update their Docker containers, audit for hidden .fullgc files, and place self-hosted panels behind secure VPNs.


The post Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild appeared first on Cyber Security News.
