Patches
CISA issued an alert on a newly disclosed high-severity issue in on‑premises Microsoft Exchange. The agency says the vulnerability poses significant risk if left unpatched or mitigated incorrectly and urges organizations to implement vendor guidance immediately. Recommended steps include prompt patching, configuration hardening, and thorough review of logs and indicators of compromise. CISA notes it is monitoring the situation alongside Microsoft and partners, and it emphasizes asset inventory checks and prioritization of mission-critical systems while tracking exploitation attempts.
Talos disclosed multiple vulnerabilities across WWBN AVideo, MedDream PACS Premium, and the Eclipse ThreadX FileX component. Findings range from cross-site scripting and a race condition in AVideo that can chain to code execution, to credential exposure, file-upload privilege escalation, reflected XSS, and unauthenticated SSRF in MedDream. Talos also reported a buffer overflow in FileX’s RAM disk driver that could enable code execution on embedded devices. Vendors have released patches; Talos provides Snort detection and detailed advisories. Administrators should validate patch deployment, audit exposed services, and apply compensating controls such as input validation and network filtering to reduce exposure.
Research
A new analysis from Unit 42 details “BadSuccessor,” a privilege‑escalation technique targeting delegated Managed Service Accounts (dMSAs), introduced with Windows Server 2025. A dMSA is meant to supersede an existing service account through a migration that records the predecessor in msDS-ManagedAccountPrecededByLink and tracks progress in msDS-DelegatedMSAState. An attacker whose only privilege is the delegated right to create dMSA objects in an OU can write those two attributes on a dMSA they create, naming a privileged account as its predecessor and marking the migration complete; the KDC then issues the dMSA tickets that carry the superseded account's privileges, and the same state change can cause logons with the superseded account's old password to be rejected. The write‑up maps concrete detection points (Windows Security events 4662, 5136, 5137, 4741 and 4624, plus Kerberos event 2946) and shows how to separate malicious attribute edits from an expected migration flow. With no vendor patch available at publication, the guidance is to enable the relevant directory‑service auditing, ingest the provided hunting queries, tighten OU delegation (in particular who may create child objects), and watch for unexpected dMSA creation or attribute writes.
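To make the "malicious edit versus expected migration" distinction concrete, here is an added detection example for this digest; it is not Unit 42's hunting query and not Microsoft's code. It runs over already‑parsed 5137 (object created) and 5136 (attribute modified) Security events and flags any dMSA whose msDS-ManagedAccountPrecededByLink was written by a principal outside an allow‑list of migration operators, without the object first passing through the "in progress" migration state, or pointing at a tier‑0 account. The sample events, the operator allow‑list, the tier‑0 DN list and the numeric meaning of the dMSA state values (1 = in progress, 2 = completed) are assumptions made for the example.

```python
"""Hunt for BadSuccessor-style dMSA abuse in parsed Windows Security events.

Added example, not the Unit 42 hunting query. Input records are flattened
5137/5136 events as a SIEM would expose them; only the fields the detection
needs are kept. Sample data, allow-lists and state values are assumptions.
"""
from collections import defaultdict

LINK_ATTR = "msDS-ManagedAccountPrecededByLink"    # attribute named in the write-up
STATE_ATTR = "msDS-DelegatedMSAState"              # attribute named in the write-up
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
STATE_IN_PROGRESS, STATE_COMPLETED = "1", "2"      # assumed migration state values

# Assumptions for the example: principals allowed to run migrations, and
# accounts that must never become the predecessor of a newly created dMSA.
MIGRATION_OPERATORS = {"CORP\\svc-admigration"}
TIER0_DNS = {"CN=Administrator,CN=Users,DC=corp,DC=local"}

LEGIT = "CN=sql01-dmsa,OU=ServiceAccounts,DC=corp,DC=local"
ROGUE = "CN=backup-dmsa,OU=Workstations,DC=corp,DC=local"

# Constructed sample events (not real telemetry); "time" is a monotonic stamp.
EVENTS = [
    # Expected migration flow: create dMSA, state 1, later link + state 2.
    {"id": 5137, "time": 100, "subject": "CORP\\svc-admigration", "object": LEGIT, "class": DMSA_CLASS},
    {"id": 5136, "time": 101, "subject": "CORP\\svc-admigration", "object": LEGIT, "attr": STATE_ATTR, "value": STATE_IN_PROGRESS},
    {"id": 5136, "time": 300, "subject": "CORP\\svc-admigration", "object": LEGIT, "attr": LINK_ATTR,
     "value": "CN=sql01-gmsa,CN=Managed Service Accounts,DC=corp,DC=local"},
    {"id": 5136, "time": 301, "subject": "CORP\\svc-admigration", "object": LEGIT, "attr": STATE_ATTR, "value": STATE_COMPLETED},
    # BadSuccessor: a helpdesk user with create-child rights on an OU creates a
    # dMSA there, points it at a Domain Admin and jumps straight to "completed".
    {"id": 5137, "time": 500, "subject": "CORP\\hd-jsmith", "object": ROGUE, "class": DMSA_CLASS},
    {"id": 5136, "time": 501, "subject": "CORP\\hd-jsmith", "object": ROGUE, "attr": LINK_ATTR,
     "value": "CN=Administrator,CN=Users,DC=corp,DC=local"},
    {"id": 5136, "time": 502, "subject": "CORP\\hd-jsmith", "object": ROGUE, "attr": STATE_ATTR, "value": STATE_COMPLETED},
]


def hunt(events):
    """Return one finding per dMSA whose predecessor link was written outside
    the expected migration flow. Each finding lists every rule that fired."""
    by_object = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_object[ev["object"]].append(ev)

    findings = []
    for obj, evs in by_object.items():
        link_writes = [e for e in evs if e["id"] == 5136 and e.get("attr") == LINK_ATTR]
        if not link_writes:
            continue
        link = link_writes[0]                      # first time the predecessor was set
        states_before = [e["value"] for e in evs
                         if e.get("attr") == STATE_ATTR and e["time"] < link["time"]]

        reasons = []
        if link["subject"] not in MIGRATION_OPERATORS:
            reasons.append(f"link written by non-migration principal {link['subject']}")
        if STATE_IN_PROGRESS not in states_before:
            reasons.append("object never entered the in-progress state before the link was set")
        if link["value"] in TIER0_DNS:
            reasons.append(f"predecessor is a tier-0 account: {link['value']}")

        if reasons:
            high = link["subject"] not in MIGRATION_OPERATORS or link["value"] in TIER0_DNS
            findings.append({"object": obj, "subject": link["subject"], "target": link["value"],
                             "severity": "high" if high else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['severity'].upper()}] {f['object']} -> {f['target']} by {f['subject']}")
        for r in f["reasons"]:
            print("   -", r)
```

The legitimate migration is silent because the operator is allow‑listed, the object passed through state 1 before the link was written, and the predecessor is an ordinary gMSA; the rogue object trips all three rules. In production the same logic would consume 5136/5137 from every domain controller, and a 2946 KDC event for a flagged dMSA would confirm the ticket was actually obtained.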
Unit 42 also examines why the affiliate actor Muddled Libra commands outsized defender attention within the RaaS ecosystem. Consistent operations, effective English‑language vishing, and industry‑focused waves of intrusions make incidents easier to link, raising visibility. In 2025 cases reviewed, roughly half of engagements attributed to this actor culminated in DragonForce ransomware deployment and data theft. Practical mitigations highlighted include correctly configured Conditional Access policies and broad telemetry correlation to surface suspicious activity, illustrating how lessons from a prominent actor can generalize to other affiliates with similar playbooks.
Platforms
Microsoft released Secure Future Initiative (SFI) patterns and practices—a practical library distilling internal program lessons into deployable controls. The initial eight patterns cover phishing‑resistant MFA, eliminating identity lateral movement, decommissioning legacy systems, standardized secure CI/CD, production inventories, rapid detection and response, log retention standards, and accelerated vulnerability mitigation. Each pattern outlines problem statements, implementation steps, and trade‑offs, aligning “secure by design, by default, and in operations” with day‑to‑day execution in engineering and SOC workflows.
Palo Alto announced an integration between its Prisma AIRS platform and Portkey’s AI gateway that places runtime guardrails at the gateway layer in front of generative AI applications. The gateway enforces the controls, blocking prompt injection, stopping leakage of PII and secrets, suppressing unsafe outputs, and limiting resource exhaustion, without any change to application code. Visibility spans Portkey’s logs and the Prisma AIRS dashboard, centralizing detection and response while keeping the developer‑facing gateway experience intact.
Incidents
Bitdefender reports that Ukraine’s Defence Intelligence (HUR) claims to have exfiltrated sensitive files from Russia’s newly commissioned ballistic missile submarine Knyaz Pozharsky. The alleged trove includes combat manuals, operational schedules, schematics, survivability protocols, and full crew lists, plus documentation around a damaged communications buoy. Russian authorities have not responded, and the claim remains unverified by independent experts. If accurate, the disclosure could have operational implications for the broader Borei‑A fleet; as presented, the report underscores the risk of sensitive military data exposure amid conflict.
Krebs recounts law‑enforcement action against the XSS cybercrime forum, where a 38‑year‑old suspect in Kyiv is alleged to have administered the site and operated a linked encrypted Jabber service whose logs were seized. Forum users report that backups, private messages, and contact rosters were taken, prompting concerns that cross‑linked datasets could deanonymize participants. A relaunched forum instance on Tor with dismissed moderators and reset balances has fueled distrust. The case highlights the investigative value of seized communications and the destabilizing effect on cybercrime marketplaces.
Fortra details how a 2023 Royal ransomware intrusion at German mobile insurance and repair provider Einhaus Gruppe halted operations, led to a ransom payment, and contributed to insolvency. Authorities subsequently seized cryptocurrency believed tied to the attackers but did not return funds during the investigation, which the company says impeded restructuring and factored into bankruptcy. The account illustrates how technical disruption can cascade into legal and financial hurdles that outlast initial recovery.
Graham Cluley reports a Thai hospital was fined after printed patient records—sent to a contractor for destruction—were found reused as street‑food wrappers. Investigators cited inadequate custody and handling; more than 1,000 records were exposed. The incident underscores that disposal practices and third‑party oversight are essential components of healthcare data protection, including clear contracts, chain‑of‑custody, and auditable shredding or incineration.