Notepad++ hosting breach attributed to Lotus Blossom

Notepad++ update channel hijacked: what happened and what to do
Researchers linked a months-long breach of the hosting infrastructure behind Notepad++ to the China-nexus group Lotus Blossom. The attackers compromised shared hosting and intermittently redirected update checks to rogue servers, selectively delivering malicious payloads between June and December 2025. The Notepad++ developer tightened the updater’s […]

Trend Micro Apex Central RCE

Apex Central: critical RCE in on-prem Windows builds
Trend Micro patched CVE-2025-69258 (CVSS 9.8) in Apex Central for Windows (on-prem). An unauthenticated attacker can send a crafted message to MsgReceiver.exe (default TCP 20001) that causes it to load an attacker-supplied DLL via LoadLibraryEx, achieving code execution as SYSTEM. Two additional DoS issues (CVE-2025-69259/69260, CVSS 7.5) were fixed. Builds below 7190 […]

ServiceNow AI Platform impersonation flaw

“BodySnatcher”: when an attacker becomes you in ServiceNow
ServiceNow disclosed and fixed CVE-2025-12420 (CVSS 9.3), dubbed BodySnatcher, which could allow unauthenticated user impersonation in its AI Platform, bypassing MFA/SSO and enabling arbitrary actions as another user, including admin. Patches were deployed to most hosted instances on 30 Oct 2025; fixed versions include Now Assist AI Agents […]

Fortinet FortiSIEM critical RCE

FortiSIEM gets an urgent fix for unauthenticated RCE
Fortinet patched CVE-2025-64155 (CVSS 9.4), an OS command injection in FortiSIEM’s phMonitor service (TCP 7900) that allows unauthenticated RCE on Supervisor/Worker nodes. The flaw enables argument injection leading to arbitrary file write and privilege escalation to root via a cron-executed script path. A PoC was released by […]

AI agents as authorisation bypass paths

When your AI “helper” quietly becomes a super-user
A contributed analysis argues that organisational AI agents (shared, broad-permission service identities) can bypass traditional user-level controls. Because actions execute under the agent’s identity, users with limited access can indirectly trigger privileged operations, and attribution is blurred in logs. The piece recommends mapping agent identities to sensitive assets, monitoring […]

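The confused-deputy pattern the analysis describes, as an added example that is not part of the original piece or any vendor's product: a naive agent checks only its own permissions and logs only itself, while the hardened version runs with the intersection of the agent's and the requester's permissions and records both identities. The identities, permission names and helper functions (Principal, act_naive, act_on_behalf_of, sensitive_reach) are this example's own constructions.

```python
"""Added example: an AI agent as a confused deputy, and the on-behalf-of fix.

The identities and permission names below are constructed for illustration;
the helper names are this example's own, not any product's API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    permissions: frozenset


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


# Constructed identities: a shared agent with broad rights, an intern who may
# only read reports, and an admin who may do everything the agent can and more.
AGENT = Principal("finance-agent", frozenset({"read_reports", "export_payroll", "delete_customer_records"}))
INTERN = Principal("intern", frozenset({"read_reports"}))
ADMIN = Principal("admin", frozenset({"read_reports", "export_payroll", "delete_customer_records", "manage_users"}))
SENSITIVE_ACTIONS = frozenset({"export_payroll", "delete_customer_records", "manage_users"})


def act_naive(agent: Principal, requester: Principal, action: str, log: AuditLog) -> bool:
    """Vulnerable pattern: only the agent's own permissions are checked and the
    log names the agent alone, so a request from the intern runs with the
    agent's rights and the requester vanishes from the audit trail."""
    if action not in agent.permissions:
        return False
    log.entries.append({"actor": agent.name, "action": action, "result": "allowed"})
    return True


def act_on_behalf_of(agent: Principal, requester: Principal, action: str, log: AuditLog) -> bool:
    """Hardened pattern: the effective permission set is the intersection of the
    agent's and the requester's, and both identities are written to the log."""
    effective = agent.permissions & requester.permissions
    allowed = action in effective
    log.entries.append({
        "actor": agent.name,
        "on_behalf_of": requester.name,
        "action": action,
        "result": "allowed" if allowed else "denied",
    })
    return allowed


def sensitive_reach(agents, sensitive_actions=SENSITIVE_ACTIONS) -> dict:
    """Inventory step: map each agent identity to the sensitive actions it can
    reach, omitting agents that reach none."""
    return {a.name: a.permissions & sensitive_actions
            for a in agents if a.permissions & sensitive_actions}


if __name__ == "__main__":
    log = AuditLog()
    print("naive:", act_naive(AGENT, INTERN, "delete_customer_records", log), log.entries[-1])
    print("on-behalf-of:", act_on_behalf_of(AGENT, INTERN, "delete_customer_records", log), log.entries[-1])
    print("reach:", sensitive_reach([AGENT, INTERN]))
```

The intersection is the key design choice: the agent can never do more for a user than that user could do directly, and because the requester is logged alongside the agent, a denied attempt is attributable to the person who asked rather than to the service identity.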

WordPress “Modular DS” plugin

WordPress “Modular DS” plugin — active exploitation
A CVSS 10 flaw (CVE-2026-23550) in the Modular DS WordPress plugin (≤ 2.5.1; ~40k installs) allows unauthenticated admin takeover via a routing design that bypasses authentication when “direct request” mode is enabled. Attackers can hit /api/modular-connector/login/ to gain admin access, then create new admin users or extract data. […]

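A first-pass hunt over web-server access logs for the endpoint named above, as an added example (not from the original report or the plugin). It flags every request to /api/modular-connector/login/ and then correlates each with a later POST to WordPress core's /wp-admin/user-new.php (the admin user-creation page, which the summary does not name but which is where "create new admin users" lands) from the same client within a time window. The log lines are constructed for this example and the regex assumes the Apache/nginx "combined" format.

```python
"""Added example: hunting access logs for Modular DS login hits and follow-on admin creation.

SAMPLE_LOG is constructed; LOG_RE assumes the "combined" log format.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/api/modular-connector/login"   # compared without trailing slash or query
USER_NEW_PATH = "/wp-admin/user-new.php"       # WordPress core admin user-creation page

SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:03:14:07 +0000] "POST /api/modular-connector/login/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2026:03:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 41833 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2026:03:14:11 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/Jan/2026:03:20:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2026:04:01:00 +0000] "GET /api/modular-connector/login?x=1 HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.9 - - [12/Jan/2026:05:30:00 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "curl/8.4"
"""


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # normalise: drop query string and trailing slash so /login/, /login and /login?x=1 all match
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")
    rec["status"] = int(rec["status"])
    return rec


def find_login_hits(lines):
    """Every request to the Modular DS login endpoint, whatever the method."""
    return [r for r in map(parse, lines) if r and r["path"] == LOGIN_PATH]


def correlate_admin_creation(lines, window_minutes: int = 15):
    """Client IPs that hit the login endpoint and, within the window, POSTed to user-new.php."""
    records = [r for r in map(parse, lines) if r]
    window = timedelta(minutes=window_minutes)
    suspects = set()
    for hit in (r for r in records if r["path"] == LOGIN_PATH):
        for later in records:
            if (later["ip"] == hit["ip"] and later["method"] == "POST"
                    and later["path"] == USER_NEW_PATH
                    and hit["ts"] <= later["ts"] <= hit["ts"] + window):
                suspects.add(hit["ip"])
    return suspects


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_login_hits(lines):
        print(f"{h['ts'].isoformat()} {h['ip']} {h['method']} {h['path']} {h['status']}")
    print("login hit followed by admin creation:", correlate_admin_creation(lines))
```

Any hit on the login endpoint is worth triage on an affected version regardless of the follow-on; the correlation only ranks which clients to look at first. Widening the window (for instance to hours) catches slower hands-on-keyboard activity at the cost of more candidates, and the normalisation step matters because a naive substring match on the path with its trailing slash would miss the query-string variant.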

Cisco patches 0-day RCE in Secure Email Gateway

Cisco released fixes for CVE-2025-20393 (CVSS 10) in AsyncOS for Secure Email Gateway and Secure Email & Web Manager after confirming a China-linked APT (UAT-9686) had exploited it as a zero-day. The flaw stems from insufficient HTTP request validation in the Spam Quarantine feature and can yield […]

Fortinet FortiWeb exploited

FortiWeb under pressure: patch now, not later.
Fortinet warned that FortiWeb has a vulnerability (CVE-2025-58034) exploited in the wild, alongside a separate, more severe path-traversal flaw (CVE-2025-64446) fixed in 8.0.2. The flaws can allow unauthenticated attackers to run admin commands or inject OS commands. Customers should upgrade to patched versions immediately and review logs for compromise […]

7-Zip exploitation alert

7-Zip: tidy little utility, messy little bug.
A 7-Zip flaw (CVE-2025-11001) involving symbolic links has drawn urgent warnings. The Hacker News reported advisories stating that the bug was being exploited; it is fixed in 7-Zip 25.00. Admins should upgrade and be cautious when opening archives from untrusted sources. (Note: subsequent NHS updates clarified they’d seen PoC availability […]

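The page says only that the bug involves symbolic links, so the following is the general pre-extraction audit a practitioner applies to any archive format, added here as an example and not 7-Zip's code or its patch. It builds a constructed zip in memory and reports three things: entry paths that escape the extraction root, symlink entries whose target leaves the root, and entries that would be written through an earlier symlink entry (the classic way a symlink in an archive turns into a write outside the destination directory). The archive contents and helper names are this example's own.

```python
"""Added example: auditing a zip archive for symlink escapes before extraction.

The archive built by build_sample_archive() is constructed for this example.
"""
import io
import posixpath
import stat
import zipfile


def build_sample_archive() -> bytes:
    """Constructed archive: a benign file, a benign symlink, a symlink that points
    outside the root, and a file that would be written through that symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in (("notes", "../../etc/cron.d"), ("alias", "readme.txt")):
            info = zipfile.ZipInfo(name)
            # Unix mode sits in the high 16 bits of external_attr; S_IFLNK marks a symlink
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)  # a symlink entry's body is its target path
        zf.writestr("notes/payload", "malicious content")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(path: str) -> bool:
    """True for absolute paths and for relative paths that normalise to start with '..'."""
    return path.startswith("/") or posixpath.normpath(path).split("/")[0] == ".."


def audit_archive(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    links = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                findings.append(f"path escapes root: {name}")
            if is_symlink(info):
                target = zf.read(info).decode()
                links[name.rstrip("/")] = target
                # resolve the target relative to the directory containing the link
                resolved = posixpath.join(posixpath.dirname(name), target)
                if escapes_root(resolved):
                    findings.append(f"symlink escapes root: {name} -> {target}")
        # second pass: any non-link entry whose path passes through a symlink entry
        for info in zf.infolist():
            if is_symlink(info):
                continue
            parts = info.filename.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"entry written through symlink {prefix}: {info.filename}")
                    break
    return findings


def is_safe_to_extract(data: bytes) -> bool:
    return not audit_archive(data)


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

The second pass is the one most extractors forget: the "notes" symlink on its own is only a dangling link, but the later "notes/payload" entry is what makes the extractor follow it and write outside the destination. Refusing the whole archive on any finding is the safe default; extracting with symlinks dropped is a reasonable alternative when the format is expected to contain links.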