Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026, after engineers identified a critical issue involving a cross-signed certificate linking the organization’s Generation X root to its upcoming Generation Y root infrastructure.

The incident triggered a complete shutdown of issuance across both production and staging environments before services were restored within hours.

At 18:37 UTC on May 8, Let’s Encrypt engineers became aware of a potential incident and immediately halted all certificate issuance as a precautionary measure.

The affected components included the production and staging ACME API endpoints (acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org), as well as the production and staging portal environments hosted across two high-assurance datacenters.

By 21:03 UTC, roughly two and a half hours later, the organization confirmed that issuance had resumed. However, as a direct result of the cross-signed certificate issue, all certificate generation was rolled back to the Generation X root.

This rollback specifically impacts two ACME certificate profiles: tlsserver and shortlived.

The timing of the incident is notable given that Let’s Encrypt had already announced three significant platform changes scheduled to go live on May 13, 2026, just five days away. Those changes include:

The tlsserver ACME profile will begin issuing 45-day certificates as part of Let’s Encrypt’s phased roadmap to reduce certificate lifetimes from 90 days down to 45 days over the next two years.

The tlsclient profile, used for TLS client authentication certificates, will be restricted exclusively to ACME accounts that have previously requested certificates from that profile. Full support for tlsclient certificates will end on July 8, 2026.

The classic ACME profile was also scheduled to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots a change designed to maintain broad compatibility across client environments.

All three changes are currently live in Let’s Encrypt’s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.

Let’s Encrypt has not disclosed details about whether any incorrectly issued certificates were distributed before issuance was halted.

Administrators relying on automated ACME-based renewal workflows, particularly those using the tlsserver or shortlived profiles should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support remain available at community.letsencrypt.org.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident appeared first on Cyber Security News.

Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.

Microsoft’s Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency in its cloud services.

All three vulnerabilities carry a Critical severity rating and fall under the Information Disclosure impact category.

Microsoft has already fully mitigated all three flaws on its end, consistent with its cloud CVE transparency initiative outlined in the “Toward Greater Transparency: Unveiling Cloud Service CVEs” program.

Microsoft 365 Copilot Vulnerabilities

CVE-2026-26129 affects Microsoft 365 Copilot’s Business Chat. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, potentially allowing an unauthorized attacker to disclose sensitive information over a network.

Although full CVSS metrics were not published for this CVE, the critical severity label reflects the high confidentiality risk inherent in Copilot’s enterprise data access model.

CVE-2026-26164 also targets M365 Copilot and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component — Injection).

The attack vector is network-based, requires no privileges or user interaction, and has a high confidentiality impact. The exploitability assessment is rated “Exploitation Less Likely,” and exploit code maturity is listed as unproven.

CVE-2026-33111 affects Copilot Chat embedded in Microsoft Edge and is classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command — Command Injection).

It shares the same CVSS score of 7.5 / 6.5 (temporal) as CVE-2026-26164, with an identical attack profile: network-accessible, no privileges required, no user interaction, and high confidentiality impact.

This is particularly concerning given the widespread deployment of Edge across enterprise environments.

All three vulnerabilities highlight a growing attack surface unique to AI-powered productivity tools.

Because M365 Copilot aggregates and processes vast amounts of organizational data, including emails, documents, and Teams conversations, weaknesses in how it handles special elements or injected commands can allow sensitive information to leak across trust boundaries.

In environments where Copilot has broad access to corporate data sources, the impact could include exposure of intellectual property, confidential communications, or restricted internal records.

Microsoft credited Estevam Arantes of Microsoft for discovering both CVE-2026-26129 and CVE-2026-26164, with additional credit to independent researcher 0xSombra for CVE-2026-26164.

No acknowledgment was listed for CVE-2026-33111. Microsoft confirmed that none of the three vulnerabilities were publicly disclosed or actively exploited prior to publication.

Since all three are cloud-side vulnerabilities, Microsoft has already deployed mitigations at the service layer. Enterprises do not need to install patches or apply configuration changes.

However, security teams are advised to review Copilot’s data access permissions and enforce least-privilege principles to reduce exposure from any future similar flaws.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information appeared first on Cyber Security News.

Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data.

During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software to infiltrate the system.

Upon discovery, Škoda immediately activated containment measures and took the online shop offline as a precautionary step.

The vulnerability has since been fully remediated, and an external IT forensics firm has been commissioned to conduct a thorough technical post-incident analysis.

The breach was also formally reported to the relevant data protection supervisory authority in compliance with regulatory obligations.

Škoda Security Incident

The Škoda online shop stores a range of personal customer data, including full names, postal addresses, email addresses, phone numbers, order history, and account login credentials.

Passwords were stored using cryptographic hashing rather than plaintext, which provides a meaningful layer of protection.

Critically, credit card details are not retained in the shop system; payment data is handled exclusively by third-party payment service providers, ruling out direct financial data exposure based on current forensic findings.

Forensic analysis confirmed that access to stored data was theoretically possible during the intrusion window. However, due to limitations in existing server-side logging protocols, investigators cannot definitively confirm whether data was actively exfiltrated or merely accessed.

Škoda states that no concrete evidence of customer data misuse has been identified so far, but is notifying affected customers as a precautionary measure, given that unauthorized access cannot be entirely excluded.

Customers whose data may have been exposed face two primary threat scenarios. First, phishing attacks where threat actors use known order details or personal information to craft convincing fraudulent emails or messages designed to harvest additional credentials or prompt victims to click malicious links.

Second, credential stuffing attacks, in which adversaries attempt to use compromised email-and-password combinations to gain unauthorized access to other online accounts, particularly when users reuse the same password across multiple services.

This incident underscores the persistent risk of e-commerce platform vulnerabilities, particularly when standard third-party shop software is deployed without sufficient hardening and continuous security monitoring.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Škoda Security Incident Exposes Customers Data From Online Shop appeared first on Cyber Security News.

An active malware distribution campaign abusing two prominent AI platforms, Hugging Face and ClawHub, to deliver trojans, cryptominers, and infostealers disguised as legitimate AI tools and agent extensions.

The campaign marks a significant evolution in supply chain attacks, shifting from traditional software repositories to trusted AI ecosystems.

Within the OpenClaw ecosystem distributed through ClawHub, Acronis TRU identified 575 malicious skills published across 13 developer accounts.

The campaign appears to be primarily driven by two threat actors: “hightower6eu,” responsible for 334 malicious skills (58%), and “sakaen736jih,” responsible for 199 skills (34.6%), with the remaining 11 accounts contributing smaller volumes.

These trojanized skills masquerade as useful tools such as a YouTube transcript summarizer while secretly instructing users to download password-protected archives or execute encoded commands.

Hugging Face and ClawHub Leveraged

For Windows targets, payloads were detected as trojans packed with VMProtect. For macOS, a base64-encoded command connects to an external IP (91.92.242[.]30) and silently downloads and executes AMOS Stealer, a macOS-focused infostealer commonly sold as malware-as-a-service (MaaS) through Telegram and underground forums.

A second Windows payload used a 30-byte XOR key to decrypt strings at runtime, dynamically resolved NT APIs, and performed in-memory process injection into explorer.exe.

The injected code established AES-encrypted C2 communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence via scheduled tasks and Windows Defender exclusion paths.

A critical technique observed across ClawHub campaigns is indirect prompt injection, which embeds hidden, malicious instructions within skill files that AI agents read and execute on behalf of users.

Because OpenClaw agents are designed to act autonomously based on instructions in skill definitions, attackers can effectively turn these agents into unwitting intermediaries, expanding attack impact far beyond the initial victim.

On Hugging Face, which hosts over one million machine learning models, Acronis TRU identified repositories serving as multi-stage infection chain staging points, hosting payloads across Windows, Linux, and Android. Two tracked campaigns illustrate this abuse in practice.

The ITHKRPAW campaign, targeting Vietnamese financial sector organizations in January, used a malicious LNK file to invoke Cloudflare Workers, which served a PowerShell dropper that fetched a payload from a Hugging Face dataset repository while opening a decoy cat image to mask activity.

Researchers assess with moderate confidence that the PowerShell script was LLM-generated, based on embedded Vietnamese-language comments.

The FAKESECURITY campaign used a batch script (CDC1.bat) containing an encoded PowerShell blob that downloaded a heavily obfuscated secondary batch script from a Hugging Face repository.

After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and dropped a file masquerading as Windows Security.

Organizations and developers should treat AI models, datasets, and agent extensions as untrusted inputs requiring the same validation applied to any third-party code.

Specific steps include auditing installed OpenClaw skills for encoded commands or external download instructions, monitoring for unexpected process injection into explorer.exe, blocking known malicious indicators (91.92.242[.]30, velvet-parrot[.]com), and restricting Windows Defender exclusion path modifications via Group Policy.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware appeared first on Cyber Security News.

A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.

It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.

DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.

Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.

The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.

DarkMoon AI-Powered Platform

When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.

The platform dynamically triggers agents tailored to discovered technologies:

• CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
• Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
• Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
• Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
• GraphQL Agent — handles GraphQL-specific attack surfaces
• Headless Browser Agent — deployed when browser rendering is required

Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.

DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.

Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.

All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.

DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.

The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.

DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter with local model support via Ollama and llama.cpp also available.

The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.

Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.

Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.

Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.

In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.

The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.

The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.

Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.

RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.

The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.

RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.

The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.

Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.

The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.

Mozilla has fixed a total of 423 Firefox security bugs in April 2026 alone, a figure nearly 20 times higher than its monthly average of about 21 bugs throughout 2025, driven by a groundbreaking agentic AI pipeline built around Anthropic’s Claude Mythos Preview and other large language models.

The surge was triggered by Mozilla’s early access to Claude Mythos Preview, which identified 271 of the 423 vulnerabilities fixed in April.

These were primarily shipped as part of Firefox 150, released on April 21, 2026, with additional fixes flowing into Firefox 149.0.2, 150.0.1, and 150.0.2. Of the 271 bugs attributed to Claude Mythos Preview in Firefox 150, 180 were rated sec-high, 80 were sec-moderate, and 11 were sec-low, meaning most were vulnerabilities exploitable via normal user behavior, such as simply visiting a malicious webpage.

Mozilla Patches 423 Firefox 0-Day

Beyond the 271 AI-identified bugs, the remaining 152 fixes included 41 externally reported bugs and 111 discovered through internal techniques, split roughly equally between Claude Mythos fixes shipped in other releases, bugs found with other AI models, and conventional fuzzing.

Anthropic’s own Frontier Red Team was separately credited with three standalone CVEs: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758.

Mozilla publicly disclosed 12 representative bug reports to demonstrate the depth of AI analysis.

These include a 15-year-old flaw in the <legend> HTML element (Bug 2024437), triggered by meticulous orchestration of recursion stack depths and cycle collection edge cases, and a 20-year-old use-after-free (UAF) in Firefox’s XSLT engine (Bug 2025977) where reentrant key() calls caused a hash table to free its backing store while a raw pointer remained in use.

Several bugs represent critical sandbox escape primitives, including a race condition over IPC allowing a compromised content process to manipulate IndexedDB refcounts to trigger a UAF (Bug 2021894), and a raw NaN crossing an IPC boundary masquerading as a tagged JavaScript object pointer to achieve a parent-process fake-object primitive (Bug 2022034).

One exploit even simulates a malicious DNS server by intercepting glibc function calls to trigger a buffer over-read during HTTPS Record and ECH parsing (Bug 2023958).

These sandbox escape bugs are notoriously difficult to surface via traditional fuzzing methods, making AI coverage particularly valuable for this attack surface.

Mozilla’s approach evolved from early static-analysis experiments using GPT-4 and Claude Sonnet 3.5, which produced too many false positives to be practical.

The breakthrough came with agentic harness systems that not only generate bug hypotheses but also create reproducible proof-of-concept test cases to dynamically validate them. This eliminated speculative false positives and made large-scale deployment feasible.

The pipeline was built atop Mozilla’s existing fuzzing infrastructure and parallelized across multiple ephemeral virtual machines, each assigned to hunt for vulnerabilities within a specific target file.

Mozilla integrated the full security bug lifecycle into the system: deduplication against known issues, triage, patch tracking, and release management.

Over 100 contributors worked to review, test, and ship the resulting patches, a testament to the sustained operational scale required.

Key Vulnerability Breakdown

Equally notable is what the AI pipeline failed to exploit, not due to limitation, but because of effective prior hardening.

Audit logs revealed numerous AI-driven attempts to exploit prototype pollution for sandbox escapes, all blocked by Mozilla’s earlier architectural decision to freeze JavaScript prototypes by default. This provided direct, measurable validation of previously shipped defense-in-depth mitigations.

Mozilla’s guidance is direct: any software project can begin using an agentic harness with a modern model today.

The initial prompts can be simple, essentially directing the model to find a bug in a specific code region and build a test case, with iteration improving effectiveness over time.

Mozilla plans to integrate this pipeline into its continuous integration (CI) system to scan incoming patches as they land, extending coverage from file-based to patch-based scanning.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Mozilla Patches 423 Firefox Vulnerabilities with Claude Mythos and Other AI Models appeared first on Cyber Security News.

Dirty Frag is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Page-Cache Write, to achieve root access on virtually all major Linux distributions, with a public exploit already in the wild following an embargo break on May 7, 2026.

Dirty Frag belongs to the same vulnerability class as Dirty Pipe and Copy Fail (CVE-2026-31431), but targets the frag member of the kernel’s struct sk_buff rather than struct pipe_buffer.

Discovered and reported by security researcher Hyunwoo Kim (@v4bel), the vulnerability exploits the zero-copy send path where splice() plants a reference to a read-only page cache page, such as /etc/passwd or /usr/bin/su — into the frag slot of a sender-side skb.

Dirty Frag Linux Vulnerability

The receiver-side kernel code then performs in-place cryptographic operations directly on top of that frag, permanently modifying the page cache in RAM.

Every subsequent read to that file sees the corrupted version, even though the unprivileged attacker was granted only read access.

Unlike race-condition exploits, Dirty Frag is a deterministic logic bug that requires no timing window, does not panic the kernel on failure, and carries an extremely high success rate.

xfrm-ESP Page-Cache Write resides in esp_input(), the IPsec ESP receive path. When an skb is non-linear but lacks a frag list, the code skips the mandatory skb_cow_data() buffer allocation step and jumps directly to in-place AEAD decryption on the attacker-planted frag.

Using the XFRMA_REPLAY_ESN_VAL netlink attribute, the attacker can control both the location (file offset) and the value (4 bytes) of each store operation, enabling them to overwrite arbitrary bytes of /usr/bin/su‘s page cache with a static root-shell ELF 192 bytes written across 48 chunks of 4 bytes each.

Authentication failure (-EBADMSG) is returned afterward, but the page cache write has already persisted. This variant requires the ability to create a user namespace (unshare(CLONE_NEWUSER)).

RxRPC Page-Cache Write resides in rxkad_verify_packet_1(), which performs an in-place single-block pcbc(fcrypt) decryption on the first 8 bytes of the RxRPC payload.

Because skb_to_sgvec() converts the splice-pinned page cache page directly into the SGL, the attacker-controlled page becomes both src and dst.

The 8-byte store value is fcrypt_decrypt(C, K), where K is a freely specifiable session key registered via add_key("rxrpc", ...) — an operation requiring no privileges at all.

The attacker brute-forces K in user space until the desired plaintext (e.g., turning /etc/passwd line 1’s password field into an empty string) is produced, enabling PAM nullok authentication bypass.

Neither vulnerability alone covers all Linux environments:

• ESP variant: Available on most distros but requires user namespace creation — blocked on some Ubuntu configurations via AppArmor policy.
• RxRPC variant: No namespace privilege required, but rxrpc.ko is absent on most distros like RHEL 10.1 by default — yet ships and auto-loads on Ubuntu.

Chaining the two exploits closes both blind spots, achieving root on essentially every major distribution. The exploit first attempts the ESP path; if unshare(CLONE_NEWUSER) fails, it automatically falls back to the RxRPC path targeting /etc/passwd.

Affected Distributions and Kernel Versions

The ESP vulnerability has been present since commit cac2661c53f3 (January 2017), and the RxRPC flaw since 2dc334f1a63a (June 2023), giving the chain an effective window of approximately 9 years. Confirmed affected distributions include:

• Ubuntu 24.04.4 (kernel 6.17.0-23-generic)
• RHEL 10.1 (kernel 6.12.0-124.49.1.el10_1.x86_64)
• openSUSE Tumbleweed (kernel 7.0.2-1-default)
• CentOS Stream 10 (kernel 6.12.0-224.el10.x86_64)
• AlmaLinux 10 (kernel 6.12.0-124.52.3.el10_1.x86_64)
• Fedora 44 (kernel 6.19.14-300.fc44.x86_64)

The ESP variant patch using the SKBFL_SHARED_FRAG flag to ensure splice-pinned pages always route through skb_cow_data() — was merged into the netdev tree on May 7, 2026.

The final merged patch was based on a shared-frag approach submitted by Kuan-Ting Chen. The RxRPC patch, which adds || skb->data_len to the existing skb_cloned() gate to force isolation of non-linear skbs, remains unmerged upstream.

No CVE identifiers have been assigned for either flaw as of publication, due to the premature embargo break by an unrelated third party on May 7, 2026 .

Immediate Mitigation

Since distribution-level patches are not yet available, administrators should immediately disable the affected kernel modules using the following command:

bashsh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

This blacklists and unloads the esp4, esp6, and rxrpc modules, disrupting IPsec and RxRPC functionality as a trade-off.

Systems that rely on IPsec VPN tunnels should weigh operational impact carefully before applying the workaround and prioritize applying distribution-backported kernel patches once available.

The complete technical write-up and PoC exploit code are available at the researcher’s GitHub repository.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released appeared first on Cyber Security News.

Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting.

The flaws affect Next.js versions 13.x through 16.x using the App Router, as well as React Server Components packages for versions 19.x.

CVE-2026-23870: Denial of Service via React Server Components

A high-severity denial-of-service vulnerability tracked as CVE-2026-23870 affects React Server Components packages for versions 19.x and all Next.js App Router deployments on versions 13.x, 14.x, 15.x, and 16.x.

A specially crafted HTTP request sent to any App Router Server Function endpoint, when deserialized, can trigger excessive CPU usage, resulting in denial-of-service attacks in unpatched environments.

The issue is rooted in the React “Flight” protocol’s deserialization logic, which fails to adequately enforce structural or type constraints on inbound payloads.

Middleware and Proxy Authorization Bypass

Three separate advisories GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, and GHSA-492v-c6pp-mqqv address middleware bypass vulnerabilities in App Router applications.

Specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by intended middleware rules, allowing protected content to be accessed without proper authorization checks.

The fix now includes App Router transport variants when generating middleware matchers, ensuring middleware protections apply consistently to all request types, including prefetch variants.

Until an upgrade is possible, developers should enforce authorization directly in the underlying route or page logic rather than relying solely on middleware.

CVE-2026-44578: SSRF via WebSocket Upgrade Requests

Tracked as CVE-2026-44578 and covered under GHSA-c4j6-fc7j-m34r, this high-severity flaw enables server-side request forgery through crafted WebSocket upgrade requests on self-hosted Node.js deployments.

An attacker can manipulate the server into proxying requests to arbitrary internal or external destinations, potentially exposing internal services or cloud metadata endpoints, a particularly dangerous scenario in cloud-native environments.

Vercel-hosted deployments are explicitly noted as unaffected. The fix applies the same safety checks to WebSocket upgrade handling that already existed for standard HTTP requests.

CVE-2026-44573: Pages Router i18n Middleware Bypass

CVE-2026-44573 (GHSA-36qx-fr4f-26g5) affects applications using the Pages Router with i18n configured alongside middleware-based authorization.

Locale-less /_next/data/<buildId>/<page>.json requests bypass middleware entirely, enabling attackers to retrieve server-side rendered JSON for protected pages without passing authorization checks.

The matcher logic has been updated to apply consistent matching across both prefixed and unprefixed data routes.

Beyond the high-severity flaws, Vercel also patched several moderate and low-severity issues.

These include cross-site scripting vulnerabilities in App Router applications using CSP nonces (GHSA-ffhc-5mcf-pf4q) and in beforeInteractive scripts with untrusted input (GHSA-gx5p-jg67-6x7h), a denial-of-service bug in the Image Optimization API (GHSA-h64f-5h5j-jqjh), and cache poisoning issues in React Server Component responses (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949).

A connection exhaustion DoS in Cache Components (GHSA-mg66-mrh9-m8jx) and cache poisoning of middleware redirects (GHSA-3g8h-86w9-wvmq) round out the advisory list.

Organizations running affected Next.js versions should prioritize upgrading immediately.

For teams unable to upgrade right away, the recommended interim mitigations include enforcing authorization within individual route or page logic rather than relying on middleware alone, blocking WebSocket upgrades at the reverse proxy or load balancer level, and restricting server egress to known internal networks.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Multiple Critical Vulnerabilities Patched in Next.js and React Server Components appeared first on Cyber Security News.

Ivanti has issued a critical security advisory for its Endpoint Manager Mobile (EPMM) product, disclosing multiple actively exploited vulnerabilities, including CVE-2026-6973, and urging all on-premises EPMM customers to apply patches immediately.

At the time of disclosure, Ivanti confirmed active exploitation of CVE-2026-6973, a vulnerability that requires admin authentication to succeed.

The flaws exclusively affect the on-premises EPMM product and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM, Ivanti Sentry, or any other Ivanti products.

Exploitation activity has been described as “very limited” at the time of public disclosure, though the company strongly warned that advanced AI models have dramatically collapsed the time-to-exploit window from days to mere hours after a vulnerability becomes public.

In a notable shift in vulnerability management strategy, Ivanti disclosed that it has integrated multiple advanced large language model (LLM) AI systems into its product security and engineering red team processes.

This integration has enhanced the capabilities of its internal security teams to identify and remediate vulnerabilities that traditional static analysis (SAST) and dynamic analysis (DAST) tools typically miss.

Ivanti acknowledged that some of the vulnerabilities being disclosed today were discovered directly through this AI-assisted process. The company maintains a “human in the loop” policy to verify all automated or agentic findings, ensuring responsible use of AI in its security program.

Ivanti’s EPMM has been a recurring target for sophisticated threat actors. CISA has flagged at least 31 Ivanti defects on its Known Exploited Vulnerabilities (KEV) catalog since late 2021, and at least 19 defects across Ivanti products have been exploited in the past two years alone.

Previous zero-day campaigns against EPMM include CVE-2025-4427 and CVE-2025-4428 in May 2025, and CVE-2023-35078 and CVE-2023-35082 in 2023, with some attacks attributed to Chinese state-sponsored threat groups.

The consistent targeting of EPMM underscores the product’s high-value position in enterprise mobile device management infrastructure.

The vulnerabilities disclosed in Ivanti’s May 2026 security advisory affect only on-premises EPMM deployments. Organizations running cloud-based Ivanti Neurons for MDM are not impacted.

Ivanti has published detailed remediation instructions through its official Security Advisory, with patch packages that the company says take only seconds to apply and cause no downtime.

Mitigations

Ivanti strongly urges all on-premises EPMM administrators to take immediate action:

• Apply the available security patch to all EPMM on-premises instances without delay
• Monitor Apache access logs at /var/log/httpd/https-access_log for signs of attempted or successful exploitation.
• Implement network segmentation to restrict EPMM administrative interfaces to trusted networks only.
• Review and harden mobile device management policies to reduce the overall attack surface
• Subscribe to Ivanti’s Security Blog and the Ivanti Innovators Hub for real-time vulnerability alerts

Ivanti cautioned that as AI-driven tooling becomes further embedded in its security processes, customers should expect an increase in vulnerability disclosures, a transparency initiative the company frames as a proactive step toward more resilient products rather than a sign of weakening security posture.

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.

A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026.

Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets.

The vulnerability enables unauthenticated remote code execution (RCE) against internet-facing PAN-OS deployments where the User-ID Authentication Portal is exposed to untrusted networks.

Upon successful exploitation, attackers can inject shellcode directly into an nginx worker process, granting them deep, persistent access to the underlying system. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

Risk is significantly elevated when the Authentication Portal is publicly reachable, making network segmentation and access restriction the most immediate mitigation step.

Palo Alto Networks’ Unit 42 threat intelligence team is tracking exploitation activity under the cluster designation CL-STA-1132, attributed to a likely state-sponsored actor.

The campaign timeline reveals a deliberate, methodical approach beginning April 9, 2026, when unsuccessful exploitation attempts were logged against a PAN-OS device.

One week later, the attackers successfully achieved RCE and injected shellcode. Immediately following the compromise, they conducted aggressive log destruction, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files to impair forensic detection.

Four days after initial compromise, the attackers deployed multiple tools with root privileges and began Active Directory enumeration using service account credentials harvested from the firewall, targeting the domain root and DomainDnsZones.

Evidence of ptrace injection and SetUserID (SUID) privilege-escalation binaries was subsequently deleted from audit logs to further reduce their footprint.

On April 29, 2026, the attackers executed a SAML flood attack against the first compromised device, causing a secondary device to be promoted to Active status, inheriting the same internet-facing traffic configuration.

RCE was then achieved on this second device by downloading and deploying two open-source tunneling tools.

Earthworm and ReverseSocks5 for Post-Exploitation

The attackers relied exclusively on publicly available tooling rather than on proprietary malware, a deliberate choice that minimized the likelihood of signature-based detection.

EarthWorm, an open-source network tunneling tool written in C supporting Windows, Linux, macOS, and ARM/MIPS platforms, was used to establish covert SOCKS5 proxy tunnels and multi-hop cascaded network paths (MITRE ATT&CK T1090, T1572).

Earthworm has previously been linked to threat clusters including Volt Typhoon, APT41, UAT-8337, and CL-STA-0046.

ReverseSocks5 was used to establish outbound connections from compromised devices to an attacker-controlled controller, bypassing firewall and NAT restrictions to route traffic into the internal network via a SOCKS5 proxy tunnel.

Organizations should take one of the following immediate actions. First, restrict User-ID Authentication Portal access exclusively to trusted internal zones, and disable Response Pages in the Interface Management Profile on any L3 interface reachable from untrusted or internet-facing traffic. Second, if the Authentication Portal is not operationally required, disable it entirely.

Indicators of Compromise

Cybercriminals now enter through your suppliers instead of your front door – Free Webinar

The post Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April appeared first on Cyber Security News.

Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.

The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.

The vulnerability resides in the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), causing a buffer overflow that ultimately yields root-level code execution on the targeted firewall.

With a NETWORK attack vector, zero attack complexity, and no privileges required, this flaw is fully automatable, making it an ideal candidate for mass-exploitation campaigns.

The exploit maturity is classified as ATTACKED, with Palo Alto Networks confirming limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.

Affected Products

The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:

• PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
• PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
• PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
• PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7

Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID Authentication Portal explicitly enabled and accessible from untrusted networks.

When the Authentication Portal is internet-exposed, the CVSS score reaches its maximum threat tier at 9.3. Even in adjacent-network scenarios, the score remains a severe 8.7.

Successful exploitation results in high confidentiality, integrity, and availability impacts at the product level, effectively giving threat actors complete control over the targeted firewall.

The risk profile is particularly alarming given the concentrated value density of enterprise firewalls, which serve as critical network chokepoints.

Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.

Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:

• Restrict Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s best practice guidelines
• Disable the User-ID Authentication Portal entirely if it is not operationally required

A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.

Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to determine exposure.

Any portal accessible from the internet or untrusted zones should be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access appeared first on Cyber Security News.

Meta has disclosed a medium-severity security vulnerability in WhatsApp that could allow threat actors to exploit Instagram Reels integration to trigger arbitrary URL processing on victim devices, potentially invoking OS-level custom URL scheme handlers without user consent.

WhatsApp Vulnerabilities

The flaw, tracked as CVE-2026-23866, stems from incomplete validation of AI-rich response messages for Instagram Reels in the WhatsApp application.

The vulnerability affects both major mobile platforms, WhatsApp for iOS versions v2.25.8.0 through v2.26.15.72 and WhatsApp for Android versions v2.25.8.0 through v2.26.7.10.

The vulnerability was discovered through a Meta Bug Bounty submission by an external researcher and was independently confirmed by the Meta Security Team.

At its core, CVE-2026-23866 exploits the way WhatsApp processes AI-generated rich response messages that display Instagram Reels content.

When a user interacts with or receives such a message, the application fails to sufficiently validate the source URL of the embedded media content.

This incomplete validation allows a malicious actor to craft a specially formatted message that causes the victim’s device to fetch and process media from an arbitrary URL under the attacker’s control.

Another vulnerability tracked as CVE-2026-23863, the flaw is classified as an attachment spoofing issue affecting WhatsApp for Windows prior to version v2.3000.1032164386.258709.

The vulnerability was discovered by an external researcher through the Meta Bug Bounty Program and has since been patched by Meta.

The flaw requires no special privileges to exploit, only a single click from an unsuspecting user.

The root cause of CVE-2026-23863 lies in how WhatsApp for Windows handles filenames containing embedded NUL bytes, a null character (\x00) injected into the filename string.

This technique, commonly referred to as a NUL byte injection or null byte poisoning, exploits the difference in how high-level application logic and lower-level system calls interpret filenames.

Exploitation Status

Meta has stated that no evidence of active exploitation in the wild has been observed at the time of disclosure.

However, given the wide attack surface and WhatsApp’s global user base exceeding 2 billion, the potential impact of weaponization remains significant, particularly in targeted spyware or nation-state threat actor operations.

Mitigations

Security teams and individual users should take the following immediate actions:

• Update WhatsApp for iOS to a version later than v2.26.15.72
• Update WhatsApp for Android to a version later than v2.26.7.10
• Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments
• Monitor network traffic for anomalous URL scheme invocations originating from messaging applications
• Educate users about risks associated with AI-generated rich media content in messaging platforms.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post WhatsApp Vulnerability Lets Attackers Leverage Instagram Reels to Execute Malicious URLs appeared first on Cyber Security News.

A security researcher has discovered that Microsoft Edge decrypts every stored password into process memory the moment the browser launches and keeps them there as cleartext, regardless of whether the user ever visits those sites.

The finding, disclosed on April 29 by PaloAltoNtwks Norway at BigBiteOfTech, was uncovered by researcher @L1v1ng0ffTh3L4N, who systematically tested every major Chromium-based browser for credential memory handling behavior.

Edge was the only browser that exhibited this behavior, loading the entire password vault into plaintext process memory at startup and retaining it for the duration of the session.

The contrast with Google Chrome is stark. Chrome implements on-demand decryption, meaning credentials are only decrypted at the moment they are needed during autofill or when a user explicitly views a saved password.

Chrome further hardens this with App-Bound Encryption, which cryptographically binds decryption keys to an authenticated Chrome process, preventing other processes from reusing those keys to access credentials.

Edge offers none of these protections. From the moment the browser opens, every saved credential across every site in the user’s vault sits in plaintext in the browser’s process memory. This creates a persistent, wide-surface extraction target for any attacker who can read that process memory.

What makes this finding particularly contradictory is Edge’s own UI behavior. The browser still prompts users for re-authentication before revealing passwords in the Password Manager interface, yet the browser process already holds all those credentials in plaintext, completely accessible to anyone who can query process memory.

The re-authentication gate, therefore, provides only the illusion of access control, offering no actual protection against memory-based credential extraction.

The severity escalates significantly in shared or multi-user environments such as Remote Desktop Services (RDS) or terminal servers.

An attacker with administrative privileges on such a system can read the memory of every logged-on user process simultaneously.

In a published proof-of-concept video accompanying the disclosure, a compromised administrator account was used to successfully extract stored credentials from two other logged-on users, including users with disconnected (but still active) sessions, simply by reading their Edge browser process memory.

This transforms a single admin-level compromise into a full credential harvest across an entire multi-user environment, directly mapping to MITRE ATT&CK T1555.003 — Credentials from Web Browsers.

Microsoft Edge Passwords in Cleartext

When the researcher responsibly disclosed the finding to Microsoft, the company’s official response was that the behavior is “by design.”

Microsoft’s existing public documentation acknowledges that credentials in browser memory can be accessed under local attack conditions, categorizing such scenarios as outside the browser’s threat model.

The April 29 disclosure at BigBiteOfTech included a small educational verification tool that allows any user to confirm whether their Edge browser is holding cleartext credentials in process memory. The tool was released to raise awareness and encourage independent validation of the behavior.

Security teams managing Windows environments with Edge deployed those operating terminal servers, VDI environments, or any shared-access systems, particularly should treat this as a high-priority configuration risk and consider migrating to browsers with on-demand decryption and App-Bound Encryption until Microsoft addresses the design decision.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Microsoft Edge Stores All Saved Passwords in Cleartext Process Memory at Launch appeared first on Cyber Security News.

The Apache Software Foundation has released a critical security update for Apache HTTP Server, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE) in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.

The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.

The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.

A double-free vulnerability occurs when a program attempts to release the same memory region twice, corrupting heap memory structures and potentially enabling an attacker to redirect execution flow in this case, opening the door to Remote Code Execution.

The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.

A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.

A second flaw, CVE-2026-24072, is rated Moderate and targets mod_rewrite‘s use of ap_expr expression evaluation.

The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively enabling an escalation of privileges beyond their intended access level.

This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.

Additional Vulnerabilities Patched

Three further lower-severity flaws were also addressed in the same 2.4.67 update:

• CVE-2026-28780 — A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
• CVE-2026-29168 — An uncapped resource allocation vulnerability in mod_md‘s OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.
• CVE-2026-29169 — A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs — its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.

Mitigations

Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:

1. Upgrade to Apache HTTP Server 2.4.67 — the only complete fix for all five vulnerabilities.
2. Disable HTTP/2 temporarily if an immediate upgrade is not feasible to reduce exposure to CVE-2026-23918.
3. Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
4. Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks appeared first on Cyber Security News.

Microsoft Defender triggered widespread false positive alerts after a faulty security update caused it to flag two legitimate DigiCert root certificates as malicious, potentially disrupting SSL/TLS validation and code-signing operations across enterprise environments worldwide.

A Defender antimalware signature update released around April 30, 2026, introduced a detection labeled Trojan:Win32/Cerdigent.A!dha, which incorrectly identified registry entries belonging to two of the internet’s most widely trusted root certificates, DigiCert Assured ID Root CA (thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) and DigiCert Trusted Root G4 (thumbprint: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4) — as high-severity malware threats.

The certificates reside in the Windows trust store under the registry path HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, where Windows manages trusted root and intermediate certificate authorities.

On affected systems, Microsoft Defender automatically quarantined the flagged certificate entries as part of its standard remediation workflow, effectively removing them from the Windows trust store.

This created a serious downstream risk: without these root certificates in place, systems could fail to validate SSL/TLS connections for websites and break code-signing verification for legitimate software, a scenario that could cascade into service disruptions, browser warnings, and application failures across enterprise networks.

Organizations relying on DigiCert-signed software or HTTPS endpoints were especially exposed.

Cybersecurity researcher Florian Roth (@cyb3rops) was among the first to publicly identify and amplify the issue, posting on X and urging the security community to investigate.

Roth shared an Advanced Hunting query to help administrators check whether the DigiCert certificates had been restored on affected devices:

text| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc

He also recommended a quick command-line check for affected systems: certutil -store AuthRoot | findstr -i "digicert" .

Microsoft’s own Q&A forums quickly filled with reports from administrators confirming the false positive, with users noting that the DigiCert certificate hashes matched officially published values from DigiCert’s website, confirming no actual compromise had occurred.

Microsoft’s Response

Microsoft acknowledged the issue and moved swiftly to roll out corrective definition updates, with version .430 cited as a key fix that began restoring the quarantined certificates on affected machines.

Security observers noted that the restoration appeared to be rolling out automatically across managed endpoints, suggesting Microsoft deployed a silent remediation alongside the corrected signature update.

Administrators in environments with restricted update policies were advised to manually verify the presence of certificates using certutil and to check the Advanced Hunting logs in Microsoft Defender for Endpoint to confirm the restoration.

This incident highlights the double-edged nature of automated threat remediation. While proactive quarantine protects against certificate-store tampering a known malware technique used to intercept TLS traffic or bypass security checks the same mechanism can cause significant operational harm when triggered incorrectly.

The Cerdigent false positive serves as a reminder that even trusted security platforms must maintain rigorous quality controls around signature releases, particularly for detections targeting foundational Windows infrastructure components like the root certificate trust store.

Free Webinar to align your endpoint security to meet new requirements – Register Now

The post Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware appeared first on Cyber Security News.

Cybersecurity giant Trellix has disclosed a significant security incident involving unauthorized access to a portion of its source code repository.

The company confirmed the breach in an official statement published on its website, stating it immediately engaged leading forensic experts upon discovering the intrusion.

Threat actors gained unauthorized access to part of Trellix’s internal source code repository — a highly sensitive target given the company’s position as a major endpoint security and extended detection and response (XDR) vendor.

Source code repositories are prime targets for attackers seeking to identify exploitable vulnerabilities, embed backdoors, or conduct supply chain attacks against downstream customers.

Trellix acted swiftly following the discovery, launching a formal investigation with external forensic specialists and notifying law enforcement authorities. According to the company’s statement, the investigation has so far found no evidence that:

• The source code release or distribution pipeline was compromised
• Any source code has been actively exploited in the wild
• Customer-facing products or security tools were tampered with

For a company whose products protect thousands of enterprise environments globally, even unauthorized read access to source code carries serious implications.

The incident echoes similar high-profile source code breaches affecting Microsoft, Okta, and LastPass in recent years.

Trellix has pledged transparency, stating it intends to share further technical details with the broader security community once its investigation concludes.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Trellix Source Code Breach – Hackers Gain Unauthorized Access to Repository appeared first on Cyber Security News.

A sophisticated adversarial campaign targeting South-East Asian government and military infrastructure, combining rapid exploitation of a critical cPanel authentication bypass with a custom zero-day exploit chain against an Indonesian defense-sector portal and ultimately pivoting to exfiltrate over 4GB of sensitive Chinese railway documents.

The campaign’s initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40.

The flaw exploits CRLF injection in the login and session-loading processes, allowing an unauthenticated attacker to manipulate the whostmgrsession cookie and gain full root-level administrative access without valid credentials.

Exploitation was confirmed in the wild before cPanel’s patch was released on April 28, 2026, and CISA subsequently added it to its Known Exploited Vulnerabilities catalog. In this campaign, cPanel exploitation represented only one component of a broader and more alarming operation uncovered from an exposed command-and-control (C2) server.

cPanel Vulnerability Exploited

More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian Defence sector training portal.

The threat actor already possessed valid credentials and bypassed the portal’s CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge completely ineffective without solving it.

Once inside, the actor targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint.

The SQL injection was then escalated to full operating system access by abusing PostgreSQL’s COPY ... TO PROGRAM capability, which allows the database server to spawn arbitrary shell commands.

Command output was captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file() — a stealthy, file-read-based exfiltration channel entirely native to the database layer.

The exploit script, named exploit_siak_bahasa.py (SHA-256: 974E272A...), contained Vietnamese-language comments, though Ctrl-Alt-Intel explicitly cautions this is insufficient for attribution and may represent deliberate misdirection.

For command and control, the actor deployed an AdaptixC2 payload (ELF binary named 1) configured to beacon to delicate-dew.serveftp[.]com:4455, with server-side telemetry corroborating the C2 address at 95.111.250[.]175.

A PowerShell reverse shell (init.ps1) was also recovered, establishing a TCP connection back to the same IP on port 4444.

To ensure durable, persistent access, the actor combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing through the 10.8.0.0/24 client subnet.

The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically — providing persistent re-entry even after reboots.

Routing through this pivot infrastructure, the actor reached an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script.

In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024.

Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.

Ctrl-Alt-Intel stops short of firm attribution, though the victimology South-East Asian military and government targets combined with theft of Chinese state-adjacent transport-sector data points to a deliberate regional intelligence collection effort.

The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.

Organizations running cPanel/WHM are urged to patch to the latest version immediately and audit server logs for signs of CRLF-based session manipulation.

Indicators of Compromise (IoCs)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability appeared first on Cyber Security News.

A weaponized proof-of-concept (PoC) exploit framework dubbed “cPanelSniper” has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026.

CVE-2026-41940 is a critical pre-authentication flaw rooted in how cPanel’s Session.pm module handles HTTP Authorization headers during login.

The vulnerability stems from the saveSession() function writing session data to disk before calling filter_sessiondata() for sanitization — meaning CRLF characters embedded in a Basic authorization header are written verbatim into the on-disk session file.

An attacker can inject fields such as user=root, hasroot=1, and tfa_verified=1 directly into the session file, effectively forging a fully authenticated root WHM session without any valid credentials.

The flaw carries a CVSS score of 9.8 (Critical) and affects all cPanel & WHM versions after 11.40, as well as WP Squared (WordPress Squared) v136.1.7. cPanel disclosed the issue on April 28, 2026, and issued emergency patches the same day, but exploitation was already actively underway.

cPanelSniper: Four-Stage Exploit Chain

Released publicly on GitHub by security researcher Mitsec (@ynsmroztas), cPanelSniper automates exploitation through a precise four-stage attack chain:

• Stage 1 — Mints a pre-auth WHM session using intentionally invalid credentials, obtaining a whostmgrsession cookie
• Stage 2 — Injects CRLF payload via a crafted Authorization: Basic header, causing cpsrvd to write poisoned session fields to disk
• Stage 3 — Triggers the internal do_token_denied gadget via /scripts2/listaccts, flushing raw session data into the cache and activating the injected fields
• Stage 4 — Verifies full WHM root access by querying /json-api/version, returning HTTP 200 and confirming a “PWNED” state

The tool requires no external dependencies; it is pure Python 3.8+ stdlib and supports bulk scanning, pipeline integration with tools like Subfinder and Shodan, interactive WHM shell access, and post-exploitation actions including command execution, account enumeration, and backdoor admin creation.

The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.

Exploitation activity has been traced back to at least February 23, 2026, indicating that attackers were exploiting this zero-day roughly two months before any patch existed. Attack outcomes include ransomware deployment, website defacements, and botnet recruitment.

The scale of exposure is alarming: approximately 650,000 cPanel/WHM instances remain internet-facing, with roughly 1.5 million potentially vulnerable instances identified via Shodan.

CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2026.

Mitigations

cPanel rolled out emergency patches across all active branches:

Administrators should immediately update via /scripts/upcp --force, restart the cpsrvd and cpdavd services, and block inbound traffic on cPanel ports 2083, 2087, 2095, and 2096 at the firewall.

Security teams should audit session directories for suspicious session files containing injected fields and rotate all administrative credentials as a precaution.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post cPanelSniper – PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised appeared first on Cyber Security News.

Canonical, the company behind the Ubuntu Linux distribution, is currently experiencing widespread service disruptions across its core web infrastructure following a coordinated Distributed Denial-of-Service (DDoS) attack.

The hacktivist group identifying itself as “The Islamic Cyber Resistance in Iraq – 313 Team” has claimed responsibility for the offensive, marking one of the most significant attacks against open-source infrastructure in recent memory.

Widespread Outages Across Critical Services

According to Canonical’s official status page, more than a dozen services and domains have been reported as Down, spanning developer tools, security APIs, and public-facing portals. The affected components include:

• ubuntu.com and canonical.com
• security.ubuntu.com
• archive.ubuntu.com
• developer.ubuntu.com
• blog.ubuntu.com
• portal.canonical.com
• assets.ubuntu.com
• academy.canonical.com
• jaas.ai and maas.io
• Ubuntu Security API – CVEs
• Ubuntu Security API – Notices

The disruption of Ubuntu Security API – CVEs and Ubuntu Security API – Notices is particularly concerning, as these endpoints are relied upon by system administrators, patch management tools, and security automation pipelines worldwide to fetch vulnerability data and security advisories in real time.

Hacktivist Group Claims Responsibility

Threat intelligence account Vecert Analyzer flagged the incident on X (formerly Twitter), issuing a critical alert describing it as a “massive attack against open-source infrastructure.”

The post confirmed that the DDoS offensive was targeting Ubuntu’s primary servers and had resulted in a total disruption of the platform’s web and technical services.

The 313 Team, which presents itself under an Islamist hacktivist banner, has been known to conduct politically motivated cyberattacks against Western and technology-linked targets.

While DDoS attacks do not involve data exfiltration or system compromise, the sustained takedown of critical open-source services carries significant operational impact for the global developer and security community.

Ubuntu remains one of the world’s most widely deployed Linux distributions, with a massive user base spanning cloud providers, enterprise environments, and individual developers.

The unavailability of archive.ubuntu.com disrupts package installations and system updates, while the outage of security-related APIs could delay automated patching workflows for organizations dependent on Ubuntu’s security feed infrastructure.

As of this writing, Canonical has acknowledged the outages via its status page, though no official statement attributing the cause to the DDoS campaign has been published. Ubuntu’s official X account has also acknowledged the incident.

Security teams relying on Ubuntu’s CVE and advisory APIs are advised to implement fallback data sources, such as the NVD or OSV, until services are fully restored.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Ubuntu Website and Canonical Web Services Hit by DDoS Attack appeared first on Cyber Security News.