ShinyHunters new playbook

Mandiant: “ShinyHunters-style” vishing + SSO/MFA theft

Google-owned Mandiant reports an expansion of tactics associated with “ShinyHunters” operations: vishing and victim-branded login pages to harvest SSO credentials and MFA codes, followed by raids on SaaS apps and extortion of the victims. The campaigns lean on believable phone calls, fake portals and quick token reuse to bypass defences. Recommended actions include […]


APT28 exploits Microsoft Office CVE-2026-21509

APT28 is poking Microsoft Office again: patch CVE-2026-21509

APT28 is exploiting CVE-2026-21509, a Microsoft Office security feature bypass. The group uses malicious RTF files to trigger the flaw and deliver either a dropper that installs an Outlook stealer (“MiniDoor”) or a loader that fetches a Covenant implant. Targets include organisations in Ukraine and parts of the […]


Notepad++ hosting breach attributed to Lotus Blossom

Notepad++ update channel hijacked: what happened and what to do

Researchers linked a months-long breach of the hosting infrastructure behind Notepad++ to the China-nexus group Lotus Blossom. The attackers compromised shared hosting and intermittently redirected update checks to rogue servers, selectively delivering malicious payloads between June and December 2025. The Notepad++ developer tightened the updater’s […]


Trend Micro Apex Central RCE

Apex Central: critical RCE in on-prem Windows builds

Trend Micro patched CVE-2025-69258 (CVSS 9.8) in Apex Central for Windows (on-prem). An unauthenticated attacker can send a crafted message to MsgReceiver.exe (default TCP 20001) that causes it to load an attacker-controlled DLL via LoadLibraryEx, achieving code execution as SYSTEM. Two additional DoS issues (CVE-2025-69259 and CVE-2025-69260, CVSS 7.5) were fixed in the same release. Builds below 7190 […]


ServiceNow AI Platform impersonation flaw

“BodySnatcher”: when an attacker becomes you in ServiceNow

ServiceNow disclosed and fixed CVE-2025-12420 (CVSS 9.3), dubbed BodySnatcher, which could allow unauthenticated user impersonation in its AI Platform, bypassing MFA/SSO and enabling arbitrary actions as another user, including an admin. Patches were deployed to most hosted instances on 30 Oct 2025; fixed versions include Now Assist AI Agents […]


Fortinet FortiSIEM critical RCE

FortiSIEM gets an urgent fix for unauthenticated RCE

Fortinet patched CVE-2025-64155 (CVSS 9.4), an OS command injection in FortiSIEM’s phMonitor service (TCP 7900) that allows unauthenticated RCE on Supervisor and Worker nodes. The flaw enables argument injection leading to an arbitrary file write, which is then escalated to root through a script path executed by cron. A PoC was released by […]


AI agents as authorisation bypass paths

When your AI “helper” quietly becomes a super-user

A contributed analysis argues that organisational AI agents (shared, broad-permission service identities) can bypass traditional user-level controls. Because actions execute under the agent’s identity, users with limited access can indirectly trigger privileged operations, and attribution is blurred in the logs. The piece recommends mapping agent identities to sensitive assets, monitoring […]
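The indirect path the analysis describes (a low-privilege user reaching a sensitive asset only because an agent they can invoke holds the permission) is easy to enumerate once agent identities and their permissions are inventoried. The following is an added example, not code from the original analysis; every user, agent, permission and asset in it is constructed, and the model (users invoke agents, agents may invoke other agents, agents hold permissions on assets) is an assumption about how such an inventory would be represented. It reports, per user, which sensitive permissions they gain only through an agent and which agent grants them.

```python
"""Enumerate indirect privilege paths that run through shared AI agents.

Added example, not code from the original analysis. All identities, agents,
permissions and assets below are constructed for illustration.
Model: a user may invoke an agent; an agent holds permissions on assets and
may itself invoke other agents. A user's effective reach is what they hold
directly plus what any reachable agent holds; the gap is the audit finding.
"""
from collections import deque

# Constructed inventory. Real data would come from the IdP, agent configs and IAM policies.
DIRECT_PERMS = {
    "alice": {("crm", "read")},
    "bob": {("wiki", "read"), ("wiki", "write")},
    "carol": {("hr-db", "read")},
}
AGENT_PERMS = {
    "helpdesk-agent": {("crm", "read"), ("crm", "write"), ("hr-db", "read")},
    "finance-agent": {("ledger", "read"), ("ledger", "write")},
}
# Who can invoke which agent (e.g. chat channel membership). Agents may chain to other agents.
INVOKE = {
    "alice": {"helpdesk-agent"},
    "bob": {"helpdesk-agent"},
    "helpdesk-agent": {"finance-agent"},   # agent chaining widens reach further
}
# Permissions the organisation considers sensitive (constructed list).
SENSITIVE = {("hr-db", "read"), ("ledger", "write"), ("crm", "write")}


def reachable_agents(principal):
    """Transitive closure of agents `principal` can cause to act (BFS over INVOKE)."""
    seen, queue = set(), deque(INVOKE.get(principal, ()))
    while queue:
        agent = queue.popleft()
        if agent in seen:
            continue
        seen.add(agent)
        queue.extend(INVOKE.get(agent, ()))
    return seen


def effective_perms(user):
    """Direct permissions plus everything held by any agent the user can reach."""
    perms = set(DIRECT_PERMS.get(user, ()))
    for agent in reachable_agents(user):
        perms |= AGENT_PERMS.get(agent, set())
    return perms


def escalation_findings():
    """For each user: sensitive permissions gained only via agents, with the granting agents."""
    findings = {}
    for user in DIRECT_PERMS:
        gained = (effective_perms(user) - DIRECT_PERMS[user]) & SENSITIVE
        if gained:
            findings[user] = {
                perm: sorted(a for a in reachable_agents(user) if perm in AGENT_PERMS.get(a, ()))
                for perm in sorted(gained)
            }
    return findings


if __name__ == "__main__":
    for user, gains in escalation_findings().items():
        for (asset, action), via in gains.items():
            print(f"{user} can reach {asset}:{action} only via {', '.join(via)}")
```

The same closure is what a log reviewer needs when attribution is blurred: an action recorded under `finance-agent` could have been initiated by anyone who can reach that agent, so the invoking user must be carried through the chain (or logged at each hop) for the record to name a person rather than a service identity.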


WordPress “Modular DS” plugin

WordPress “Modular DS” plugin: active exploitation

A CVSS 10 flaw (CVE-2026-23550) in the Modular DS WordPress plugin (≤ 2.5.1; ~40k installs) allows unauthenticated admin takeover via a routing design that bypasses authentication when “direct request” mode is enabled. Attackers can hit /api/modular-connector/login/ to gain admin access, then create new admin users or extract data. […]
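Because the summary names the path attackers hit and the follow-on action (creating admin users), web-server access logs are enough to triage whether a site was probed or actually taken over. The script below is an added example, not code from the plugin or the original article. It parses combined-format access log lines, flags every client that requested /api/modular-connector/login/, and raises the severity when the same client reaches the admin user-management pages shortly afterwards. The log lines, the 15-minute window and the choice of /wp-admin/user-new.php and /wp-admin/users.php as the follow-on paths are constructed assumptions for the example.

```python
"""Triage access logs for the Modular DS login-bypass pattern.

Added example, not code from the Modular DS plugin or the original article.
Assumptions (constructed): Apache/nginx combined log format, and that a
successful takeover is followed by admin user management in wp-admin.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/api/modular-connector/login"            # path named in the advisory summary
ADMIN_PATHS = {"/wp-admin/user-new.php", "/wp-admin/users.php"}  # assumed follow-on activity

# Constructed sample log: one full takeover chain, one probe only, one benign client.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jan/2026:10:00:01 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 302 0
203.0.113.9 - - [12/Jan/2026:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120
203.0.113.9 - - [12/Jan/2026:10:00:40 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0
198.51.100.4 - - [12/Jan/2026:10:05:00 +0000] "GET /api/modular-connector/login/?x=1 HTTP/1.1" 200 15
192.0.2.77 - - [12/Jan/2026:11:00:00 +0000] "GET /index.php HTTP/1.1" 200 8800
"""


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0].rstrip("/"),  # drop query string, trailing slash
            "status": int(m["status"]),
        })
    return entries


def find_takeover_chains(entries, window=timedelta(minutes=15)):
    """Return {ip: {"login": [...], "admin": [...]}} for every client that hit LOGIN_PATH.

    "admin" holds that client's admin-area requests landing within `window`
    after one of its login-path hits; an empty list means probe only.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        login_hits = [e for e in evs if e["path"] == LOGIN_PATH]
        if not login_hits:
            continue
        admin_hits = [
            e for e in evs
            if e["path"] in ADMIN_PATHS
            and any(timedelta(0) <= e["ts"] - l["ts"] <= window for l in login_hits)
        ]
        findings[ip] = {"login": login_hits, "admin": admin_hits}
    return findings


def severity(finding):
    """High when the login-path hit is followed by admin user management, else medium."""
    return "high" if finding["admin"] else "medium"


if __name__ == "__main__":
    for ip, f in find_takeover_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {severity(f)} ({len(f['login'])} login hits, {len(f['admin'])} admin hits)")
```

Any client rated high warrants an immediate review of the wp_users table for accounts created around that time; a medium rating still means the endpoint is reachable and the plugin should be updated or disabled.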


Cisco patches 0-day RCE in Secure Email Gateway

Cisco released fixes for CVE-2025-20393 (CVSS 10) in AsyncOS for Secure Email Gateway and Secure Email & Web Manager after confirming that a China-linked APT (UAT-9686) had exploited it as a zero-day. The flaw stems from insufficient HTTP request validation in the Spam Quarantine feature and can yield […]
