Cisco has rolled out updates to fix a critical authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182, exists due to improper authentication in the peering authentication mechanism when handling control connection handshaking requests. A remote attacker can send crafted requests to bypass authentication and obtain administrative privileges. US CISA has also acknowledged in-the-wild exploitation in its Known Exploited Vulnerabilities (KEV) Catalog.
Exim has released security updates to patch a critical vulnerability that could allow memory corruption and possible remote code execution in certain server configurations. The flaw, tracked as CVE-2026-45185 aka “Dead.Letter,” affects the open-source mail transfer agent Exim. The issue stems from a use-after-free vulnerability in Exim’s binary data transmission (BDAT) message parsing when Transport Layer Security (TLS) sessions are handled using GnuTLS.
A pre-auth remote code execution flaw was found in the CWMP implementation of ipTIME routers. The vulnerability exists due to command injection in the easycwmp CWMP handling logic when processing parameter values from SOAP messages. A remote attacker can send a specially crafted CWMP request to execute arbitrary code. The flaw affects ipTIME firmware version 15.324. As of the time of writing, the vendor has yet to acknowledge the vulnerability, so it remains unpatched.
An 18-year-old vulnerability in the NGINX web server has been discovered. Tracked as CVE-2026-42945, the flaw is a heap buffer overflow in the ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. Attackers could exploit it to cause denial of service and, in some cases, achieve remote code execution. Besides CVE-2026-42945, F5 has also patched several less dangerous denial-of-service flaws.
Threat actors began attempting to exploit a vulnerability in PraisonAI just four hours after it became public. The flaw, tracked as CVE-2026-44338, stems from missing authentication protections that leave sensitive API endpoints exposed. This means attackers could access protected server functionality without a valid authentication token.
An anonymous cybersecurity researcher has disclosed two new Windows vulnerabilities. The issues, codenamed YellowKey and GreenPlasma, involve a BitLocker bypass and a privilege escalation vulnerability affecting the Windows Collaborative Translation Framework (CTFMON). The flaws could allow attackers to bypass disk encryption protections and gain elevated system privileges.
Cybersecurity company Fortinet has released security updates to fix a number of vulnerabilities across its FortiAuthenticator, FortiSandbox, FortiNDR, FortiMail, and FortiAP products.
Microsoft has released its monthly Patch Tuesday security updates, addressing over a hundred flaws. This release does not fix any zero-days or previously disclosed flaws, although it does patch a number of high-risk vulnerabilities, including an RCE issue in Microsoft Windows GDI and several code execution flaws in Microsoft Edge.
A threat actor, tracked as “Mr_Rot13,” has been linked to active exploitation of the critical cPanel & WHM vulnerability (CVE-2026-41940), leveraging the flaw to deploy a cross-platform backdoor known as “Filemanager” on compromised servers.
Researchers at Google Threat Intelligence Group (GTIG) say they have discovered what may be the first known zero-day exploit likely developed with the help of artificial intelligence. The exploit targeted an unnamed open-source web administration platform and was designed to bypass two-factor authentication (2FA).
Researchers at ESET uncovered new cyberespionage activity linked to the Belarus-aligned threat group Ghostwriter, also known as FrostyNeighbor. The campaign targeted Ukrainian government organizations through spearphishing emails containing malicious PDF attachments. Since March 2026, the group has updated its attack chain by using links embedded in PDFs to deploy a JavaScript-based version of PicassoLoader, which ultimately delivers a Cobalt Strike payload to compromised systems.
Check Point has analyzed the data that was hacked and leaked from The Gentlemen RaaS, including details on initial access paths (Fortinet and Cisco edge appliances, NTLM relay, OWA/M365 credential logs), the division of roles, the shared toolsets, and the group’s active tracking and evaluation of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
A Chinese-affiliated threat actor tracked as FamousSparrow has been linked to a cyber espionage campaign targeting an Azerbaijani oil and gas company. The attackers reportedly exploited the Microsoft Exchange “ProxyNotShell” vulnerability chain to gain initial access, repeatedly breaching the same server despite remediation attempts. Researchers said the campaign came in three separate waves, with the hackers using the Deed RAT and TernDoor malware families to maintain persistence and evade detection.
An Iran-linked espionage group tracked as Seedworm has orchestrated a widespread campaign that targeted at least nine organizations across four continents earlier this year, including a major South Korean electronics manufacturer where attackers reportedly maintained access for a week in February 2026. The attackers utilized a toolkit previously observed in Seedworm operations, including DLL sideloading using legitimate signed software.
A previously unknown threat actor used advanced AI tools from Anthropic and OpenAI in an attempted takeover of a local water utility in Mexico. The incident was part of a broader campaign targeting nine federal, state and municipal government agencies across Mexico between December 2025 and February 2026. Researchers found that attackers used AI platforms including Claude Code and the GPT-4.1 API to automate tasks, including reconnaissance, exploit customization, credential harvesting and privilege escalation.
A new wave of the Shai-Hulud supply-chain attack has compromised hundreds of npm and PyPI packages, spreading credential-stealing malware targeting developers and CI/CD systems. Researchers say the TeamPCP threat group used stolen OpenID Connect (OIDC) tokens to push malicious updates through legitimate release pipelines while generating valid SLSA Level 3 attestations to make the packages appear trustworthy. The campaign initially hit TanStack and Mistral AI packages before expanding to projects associated with Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, and SAP.
Additionally, OpenAI disclosed that two employees’ devices were compromised in the TanStack supply chain attack. As a precaution, the company rotated code-signing certificates for its applications. OpenAI stated that the breach did not affect customer data, production systems, intellectual property, or deployed software.
In yet another TeamPCP incident, a malicious version of the Checkmarx Jenkins Application Security Testing (AST) plugin was uploaded to the Jenkins Marketplace. TeamPCP reportedly gained access to Checkmarx GitHub repositories using credentials stolen during the March compromise of the Trivy vulnerability scanner project.
According to BleepingComputer, TeamPCP is threatening to leak source code stolen from the Mistral AI project unless a buyer purchases the data. In a post on a hacking forum, the attackers claimed to have obtained nearly 450 repositories and are offering the dataset for $25,000. Mistral AI confirmed that hackers breached one of its codebase management systems following the Mini Shai-Hulud software supply-chain attack.
In a separate incident, threat actors infected the node-ipc npm package with a credential stealer. More information is available in reports from Socket and StepSecurity.
The initial access broker KongTuke has shifted to using Microsoft Teams to conduct social engineering attacks, sometimes achieving corporate network access in as little as five minutes. Attackers manipulate users into running a malicious PowerShell command, which installs ModeloRAT, a remote access tool previously linked to ClickFix-related campaigns.
The official website for JDownloader was compromised in a supply chain attack that distributed malicious installers to Windows and Linux users. The attackers exploited an unpatched vulnerability that allowed unauthorized changes to website access control lists and content.
RubyGems has temporarily disabled new account registrations following what maintainers described as a major malicious attack targeting the package registry. RubyGems said the attack had been stopped after bot accounts were identified and removed. The organization added that more than 500 malicious packages uploaded during the campaign had been yanked from the registry.
Sohaib Akhter, a former federal contractor, was convicted of helping delete dozens of US government databases after being fired in February 2025. Prosecutors said he and his twin brother illegally accessed company systems within hours of their dismissal and erased data connected to more than 45 federal agencies. His brother, Muneeb Akhter, is still awaiting trial.
German authorities have shut down a relaunched version of the Crimenetwork underground platform and arrested its alleged operator in a coordinated international operation.
In a separate case, US authorities have indicted Owe Martin Andresen, the alleged main administrator of the Dream Market dark web marketplace, on twelve money laundering charges linked to the platform’s operations. The 49-year-old faces up to 20 years in prison for each US charge and was also arrested in Germany on separate money laundering charges carrying penalties of up to five years each.
Argentine authorities have detained 26-year-old Russian citizen Dmitry Novikov, accusing him of leading a Kremlin-linked disinformation network operating across Latin America. Authorities say Novikov headed “La Compañía,” also known as the “Lakhta” network, a covert influence operation allegedly linked to Russian intelligence services and the Wagner private military company. The network was reportedly first established by late Wagner chief Yevgeny Prigozhin before later falling under the control of Russia’s Foreign Intelligence Service.