Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.
The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.
DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS.
Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.
DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.
A week after it was identified, a version of it leaked onto the internet, where it is being used more broadly.
This news is a month old. Your devices are safe, assuming you patch regularly.
A critical zero-day vulnerability, tracked as CVE-2026-41940, is currently being actively exploited across the web hosting industry. This CVSS 9.8 flaw allows unauthenticated remote attackers to bypass cPanel and WHM login mechanisms, granting them full administrative control over servers. The vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw within the application’s session […]
The post Attackers Exploit cPanel Authentication Bypass 0-Day After PoC Release appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Security researchers have disclosed a critical zero-day vulnerability in the Linux kernel dubbed “Copy Fail” (CVE-2026-31431), which allows unprivileged local users to gain root access. Using a tiny 732-byte Python script, attackers can exploit a logic flaw present in major Linux distributions released since 2017. Copy Fail is a local privilege escalation (LPE) vulnerability found […]
The post Linux Kernel 0-Day “Copy Fail” Grants Root Access Across Major Distros Since 2017 appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
That’s a lot. No, it’s an extraordinary number:
Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.
As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation...
The post Claude Mythos Has Found 271 Zero-Days in Firefox appeared first on Security Boulevard.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly discovered zero-day vulnerability affecting Microsoft Windows. On April 28, 2026, the agency officially added CVE-2026-32202 to its Known Exploited Vulnerabilities (KEV) catalog. This critical flaw involves a failure of a protection mechanism within the Microsoft Windows Shell, and active exploitation […]
The post CISA Warns of Windows Shell Zero-Day Exploited in Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
That’s a lot. No, it’s an extraordinary number:
Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.
As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.
As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.
Our experience is a hopeful one for teams who shake off the vertigo and get to work. You may need to reprioritize everything else to bring relentless and single-minded focus to the task, but there is light at the end of the tunnel. We are extremely proud of how our team rose to meet this challenge, and others will too. Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively.
They’re right. Assuming the defenders can patch, and push those patches out to users quickly, this technology favors the defenders.
News article.
Unit 42 finds frontier AI models enhance vulnerability discovery, acting as full-spectrum security researchers. They enable autonomous zero-day discovery and faster N-day patching.
The post Fracturing Software Security With Frontier AI Models appeared first on Unit 42.
Attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems. The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft’s handling of the disclosure.
Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.
BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection.
At this time, Microsoft has only fixed the BlueHammer flaw, tracked as CVE-2026-33825, but the others remain unpatched.
Huntress researchers reported attackers are exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown.
Huntress said it saw real-world exploitation of all three flaws. Attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.
Researchers believe attackers are using public exploit code released online by Chaotic Eclipse.
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
— Huntress (@HuntressLabs) April 16, 2026
Investigation by: @wbmmfq, @Curity4201, + @_JohnHammondpic.twitter.com/ZFRI2XAYIA
Huntress said attackers started exploiting BlueHammer on April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.
And today, April 16:
— Huntress (@HuntressLabs) April 16, 2026
→ C:Users[REDACTED]DownloadsRedSun.exe
This triggered a Defender EICAR file alert, as is part of its attack technique. pic.twitter.com/LulC1QNiBn
When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft defender)
31 high-impact vulnerabilities were actively exploited in March 2026, with a Cisco firewall zero-day abused by the Interlock ransomware group emerging as one of the most dangerous threats to enterprise networks. Affected vendors span core enterprise and developer ecosystems, including Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, […]
The post Cisco FMC Zero-Day Among 31 High-Impact Vulnerabilities Exploited in March appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Microsoft Patch Tuesday security updates addressed 165 vulnerabilities, making it one of the largest updates by CVE count. One of the most interesting flaws fixed by the IT giant is a critical SharePoint zero-day, tracked as CVE-2026-32201, already exploited in attacks in the wild.
Security experts highlight the scale and urgency of this release, urging organizations to apply patches quickly to reduce exposure and prevent potential compromise from actively targeted flaws.
Eight of these flaws are rated Critical, two are rated as Moderate, and the rest are rated Important in severity.
CVE-2026-32201 (CVSS score of 6.5) is a spoofing vulnerability in Microsoft SharePoint Server, likely related to cross-site scripting (XSS). While details are limited, it could allow attackers to view or modify exposed information. Microsoft has not disclosed how widespread exploitation is, but given the potential impact, organizations, especially those with internet-facing SharePoint servers—should prioritize testing and applying the patch quickly.
“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.” reads the advisory. “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).” “Exploitation Detected”
“By my count, this is the second-largest monthly release in Microsoft’s history. There are many things we could speculate on to justify the size, but if Microsoft is like the other programs out there (including ours), they are likely seeing a rise in submissions found by AI tools. For us, our incoming rate has essentially tripled, making triage a challenge, to say the least.” reported ZDI. “Whatever the reason, we have a lot of bugs to deal with this month. I should also point out that the Pwn2Own Berlin occurs next month, and it’s typical for vendors to patch as much as they can before the event.”
The full list of vulnerabilities addressed by Microsoft is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
The post CISA Adds 7 Fresh Exploits to KEV Catalog appeared first on Daily CyberSecurity.
Hackers used an Adobe Reader zero-day for months to deliver a sophisticated PDF exploit. Cybersecurity researcher Haifei Li, founder of Expmon, discovered the malicious file and warned the community.
On March 26, a suspicious PDF was submitted to EXPMON and flagged by its advanced “detection in depth” feature, despite low antivirus detection (13/64 on VirusTotal).
The system marked it for manual review, highlighting potential hidden threats. EXPMON identifies exploits through automated alerts, analyst inspection of logs and indicators, and large-scale data analysis. This case shows how advanced detection can uncover sophisticated zero-day activity that traditional tools may miss, though it requires expert analysis to confirm.
He is now asking security experts to help analyze the exploit, understand how it works, and determine its impact, as the vulnerability appears unpatched and actively abused in real-world attacks.
A researcher who goes online with the moniker Gi7w0rm reported that documents employed in the campaign contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia.
Apparent #0day in Adobe Reader has been observed in the wild. Seems to exploit part of Adobe Readers JavaScript engine. Documents observed contain Russian language lures and refer to issues regarding current events related to the oil and gas industry in Russia. https://t.co/QRu63fuAP4
— Gi7w0rm (@Gi7w0rm) April 8, 2026
The sample analyzed by the Li works as an initial exploit that abuses an unpatched Adobe Reader flaw to run privileged APIs on fully updated systems.
It uses “util.readFileIntoStream()” to read local files and collect sensitive data. Then it calls “RSS.addFeed()” to send stolen data to a remote server and receive more malicious JavaScript.
“Based on our analysis, the sample acts as an initial exploit with the capability to collect and leak various types of information, potentially followed by remote code execution (RCE) and sandbox escape (SBX) exploits. It abuses zero-day/unpatched vulnerability in Adobe Reader that allows it to execute privileged Acrobat APIs, and it is confirmed to work on the latest version of Adobe Reader.” reads the report published by Haifei Li. “Specifically, it calls the “util.readFileIntoStream()” API, allowing it to read arbitrary files (accessible by the sandboxed Reader process) on the local system. In this way, it can collect a wide range of information from the local system and steal local file data.”
This lets attackers profile victims, steal information, and decide whether to launch further attacks, including remote code execution or sandbox escape if the target meets specific conditions.
During the tests, researchers connected to the server but received no response or additional exploit. The attacker likely requires specific target conditions that the test setup did not meet.
“However, during our tests, we were unable to obtain the said additional exploit – the server was connected but no response.” continues the report. “This could be due to various reasons – for example, our local testing environments may not have met the attacker’s specific criteria.”
On April 8, 2025, researcher @greglesnewich found a new variant that connects to the IP address 188.214.34.20:34123. This sample appeared was uploaded on VirusTotal on November 28, 2025, a circumstance that suggests the hacking campaign has been ongoing for at least four months.
The researcher N3mes1s published a full forensic analysis of the Adobe Reader Zero-Day PDF exploit.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Adobe Reader)
Entrar