< ciso brief />

All news with #iot security tag

Apeman ID71 Camera Vulnerabilities Allow Remote Control

🔒 Apeman ID71 cameras contain multiple remote-exploitable vulnerabilities, including CVE-2025-11126, CVE-2025-11851, and CVE-2025-11852. One issue, CVE-2025-11126, carries a CVSS v3.1 base score of 9.8 and involves insufficiently protected credentials. Proof-of-concept exploits for all three have been publicly disclosed and the vendor did not respond to coordination; CISA recommends isolating devices and minimizing network exposure.

Falcon for XIoT Extends Protection to Medical Devices

🔒 Falcon for XIoT now extends asset protection to medical devices and clinical systems, adding native visibility for protocols such as DICOM and HL7. The cloud-native Falcon sensor, available in beta, monitors device behavior and protocol communications to detect anomalies and block malicious actions before they affect patient care. It integrates device telemetry, AI-driven analytics, and CrowdStrike Exposure Management so security teams can discover legacy or unsupported assets, prioritize high-risk devices, and respond within existing SOC workflows. Integration with Falcon Next‑Gen SIEM and Falcon Fusion SOAR streamlines investigation and triage across IT and XIoT assets.

Surge in Camera Attacks Linked to Iranian Actors Regionwide

🎥 Check Point Research reported a surge of attempts to compromise internet‑connected surveillance cameras across the Middle East beginning 28 February, with additional focused activity in parts of Lebanon on 1 March. The campaign targeted Hikvision and Dahua devices, scanning for known authentication‑bypass and remote‑code‑execution flaws for which patches exist. Infrastructure attributed to Iran used commercial VPN exit nodes and VPS hosts. Recommended mitigations include removing WAN exposure, enforcing strong credentials, applying firmware updates, and segmenting cameras onto a dedicated VLAN.

Gardyn Home Kit Multiple Vulnerabilities: Patches Available

🔒 CISA reports multiple high‑severity vulnerabilities in Gardyn Home Kit firmware, cloud API, and mobile application that could permit unauthenticated access, remote command execution, and extraction of administrative credentials. Affected versions include the mobile app prior to 2.11.0, cloud API before 2.12.2026, and firmware older than master.619. Gardyn has released fixes in updated software; users should update apps and firmware and keep devices connected to receive automatic patches.

PUSR USR-W610 Router: Multiple Critical Flaws - No Patch

⚠ The PUSR USR-W610 Wi‑Fi router contains multiple vulnerabilities that can disable authentication, expose credentials in transit and in the UI, and permit deauthentication-based denial-of-service. Affected firmware versions are <= 3.1.1.0; the most severe issue carries a CVSSv3 base score up to 9.8. The vendor has declared the product end-of-life and does not plan to issue patches. CISA advises minimizing network exposure, isolating affected devices behind firewalls, and using secure remote-access methods while applying other compensating controls.

Kimwolf Botnet Overwhelms I2P Anonymity Network Services

🛡️ The massive Kimwolf IoT botnet has been disrupting the I2P anonymity network after thousands of infected devices attempted to join as nodes, overwhelming relays and degrading connectivity. Users reported a rapid influx of new routers and widespread connection failures starting around Feb. 3, and developers linked the outages to a Sybil-style flood. Kimwolf operators later admitted they tried to register roughly 700,000 bots on I2P, and the network is currently running at reduced capacity while a stability update is rolled out.

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.

CISA Directs Agencies to Secure End-of-Support Edge Devices

🔒 CISA issued Binding Operational Directive 26-02, requiring Federal Civilian Executive Branch agencies to mitigate risks from unsupported edge devices. Agencies must inventory devices, update vendor-supported software, remove end-of-support hardware and software, and implement mature lifecycle management within specified timeframes. CISA will monitor compliance, assess progress, and encourage non-federal organizations to adopt similar measures to reduce technical debt and strengthen cyber resilience.

Russian Cyber Threats to the 2026 Winter Olympics Overview

🔐 This Unit 42 analysis outlines the evolving Russian cyber threat to the Milano Cortina 2026 Winter Olympics, framing Russia’s IOC exclusion as a geopolitical grievance that raises the risk of disruptive operations. It reviews historical GRU-linked campaigns against prior Games and projects plausible scenarios ranging from destructive OT malware to AI-driven deepfakes and V2X manipulation. The report recommends zero‑trust visibility, IoT anomaly detection, telemetry verification, and micro‑segmentation to reduce operational impact.

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.

Schneider Electric Zigbee Products Vulnerable to DoS

⚠️ Schneider Electric has identified multiple denial-of-service vulnerabilities in Zigbee products that use the Silicon Labs EmberZNet stack. Affected items include a broad set of Wiser, Iconic, Fuga and other connected modules. A malicious device joining a Zigbee network could trigger buffer overflows or uncontrolled resource consumption, leading to device unavailability. Customers should restrict network joins, use unique install codes and non-default keys, close pairing windows promptly, and follow Schneider Electric and CISA mitigations to reduce exploitation risk.

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.

Hubitat Elevation Privilege Escalation Vulnerability

⚠️ CISA warns of an Authorization Bypass Through User-Controlled Key flaw (CVE-2026-1201) in Hubitat Elevation controllers that can allow an authenticated user to escalate privileges and control devices beyond their authorized scope. Affected models — C3, C4, C5, C7, C8, and C8 pro — are vulnerable prior to firmware 2.4.2.157. The issue carries a CVSS v3.1 base score of 9.1 (CRITICAL). Hubitat has released firmware 2.4.2.157 and CISA recommends timely upgrades and standard network isolation measures.

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨 A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.

AWS IoT Managed Integrations Now Available in UAE Region

🔌 AWS IoT Device Management now offers the managed integrations feature in the Middle East (UAE), enabling local organizations to onboard and manage diverse IoT devices via a single interface. The capability includes device SDKs and protocol support for ZigBee, Z-Wave, Matter, and Wi‑Fi, along with partner cloud-to-cloud connectors and 80+ device data model templates. These tools help developers accelerate integrations for home security, energy management, and elderly care monitoring, regardless of whether devices connect directly, through hubs, or via third-party clouds.

Bluetooth Vulnerability Allows Remote Control of Wheelchairs

⚠️ Researchers demonstrated remote control of WHILL wheelchairs via unsecured Bluetooth connections. CISA has issued an advisory noting the devices did not enforce pairing authentication, allowing attackers within Bluetooth range to pair and control movement, override speed restrictions, and alter configuration profiles without credentials or user interaction. Users and operators should follow the advisory, apply vendor updates, and disable Bluetooth when not required.

AWS IoT Device Management Adds Wi-Fi Simple Setup Support

📶 AWS IoT Device Management now offers Wi‑Fi Simple Setup (WSS) through its managed integrations feature. Developers can add QR code scanning so end users provision Wi‑Fi devices with a barcode scan, reducing manual configuration and support needs. WSS lets users store credentials in managed integrations; a new device scans a QR code, joins a hidden network broadcast by the IoT hub, and receives credentials securely for near zero‑touch onboarding. The feature is available in Canada (Central) and Europe (Ireland).

YoSmart YoLink Vulnerabilities Affect Server, Hub, App

🔒 CISA reported several vulnerabilities in the YoSmart YoLink ecosystem impacting the cloud server, Smart Hub, and mobile application. Exploitation could let attackers remotely control other users' devices, intercept unencrypted MQTT traffic, and hijack sessions. YoSmart pushed server-side fixes and will deliver a hub firmware update over-the-air; users should update the YoLink mobile app to 1.40.45 or later.

Securing Rugged IoT at the Edge for Mission-Critical Ops

🔒 Edge-deployed rugged IoT enables real-time decision-making in defense, utilities and public safety, but operates beyond traditional IT perimeters and assumptions. Devices face harsh environments, intermittent connectivity and limited physical access, which extend exposure windows and complicate patching and monitoring. CIOs must adopt adaptive, decentralized security that blends device hardening, zero-trust networking, physical protections and offline update workflows to preserve continuity, compliance and safety.

RondoDox Botnet Exploits React2Shell to Infect IoT

🔒 CloudSEK researchers disclosed a nine‑month campaign that has recruited IoT devices and web servers into the RondoDox botnet by exploiting the critical React2Shell flaw (CVE‑2025‑55182). Actors moved from manual scanning to hourly automated deployments, dropping cryptocurrency miners, a loader/health checker and a Mirai variant. The loader (/nuts/bolts) kills competing malware, enforces persistence and fetches the main bot. Organizations should patch Next.js, segment IoT, deploy WAFs and monitor for suspicious processes.