
All news with #session hijacking tag

21 articles

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

Zero Trust: Bridging Authentication and Device Trust

🔒 The perimeter model has broken down as workforces go hybrid, and many Zero Trust deployments miss a key link between identity and session authorization. Specops Device Trust argues that authentication must be contextualized with real-time device posture checks to prevent token theft and session hijacking. Binding identity to a verified device and continuous monitoring lets organizations enforce dynamic, low-friction policies that reduce risk.

Five Ways Chrome Enterprise Strengthens Browser Security

🔒 Chrome Enterprise outlines five enhancements aimed at reinforcing browser security for organizations, addressing modern risks from session theft to malware-driven credential theft. Highlights include Device Bound Session Credentials to prevent session hijacking, cache encryption to protect data at rest, and App-bound encryption to block unauthorized apps from reading browser-stored secrets. Administrators also get tighter download controls and deeper integrations with partners such as Citrix and Okta to improve access decisions and incident response.

Critical CTEK Chargeportal Vulnerabilities and Risks

⚠️ Multiple authentication and session-management vulnerabilities in CTEK Chargeportal could allow remote attackers to impersonate charging stations, send unauthorized OCPP commands, or disrupt charging services. The highest-severity issue (CVE-2026-25192) affects WebSocket authentication and is rated CVSS 9.4 (Critical). Other flaws enable brute-force attempts, session hijacking, and exposure of station identifiers. CTEK plans to sunset Chargeportal in April 2026; operators should restrict network exposure, isolate control networks, and contact CTEK support for guidance.

Inside Tycoon2FA: Scale and AiTM Phishing Operations

🔎 Tycoon2FA emerged in August 2023 as a phishing-as-a-service platform that provided adversary-in-the-middle (AiTM) capabilities to relay authentication flows and capture session cookies. Its web-based admin panel centralized templates, redirects, hosting, CAPTCHA, and exfiltration controls while exposing real-time metrics. Fast-moving short-lived domains, Cloudflare hosting, and heavy obfuscation let low-skill operators run scalable campaigns against MFA-protected accounts worldwide.

Critical OCPP Backend Vulnerabilities in Everon Platform

🔒 CISA reports multiple critical vulnerabilities in Everon OCPP Backends (api.everon.io) that permit unauthenticated access, session hijacking, credential exposure, and denial-of-service. The advisory details four CVEs, including a CVSS 3.1 score of 9.4 for missing authentication on WebSocket endpoints. Everon reportedly shut down the platform on December 1, 2025; CISA recommends isolating control networks, restricting Internet access, and using secure remote access methods.

CISA: EV Energy ev.energy Vulnerabilities — Urgent Advisory

🔒 CISA warns of multiple critical and high-severity vulnerabilities in EV Energy ev.energy software that could permit unauthorized administrative control, session hijacking, credential exposure, and denial-of-service against charging stations. The advisory identifies four CVEs (including CVE-2026-27772) affecting all versions and assigns a top CVSS score of 9.4 for the most severe issue. EV Energy did not respond to coordination requests; CISA recommends vendor fixes and immediate network hardening, including minimizing Internet exposure and restricting access to charge point endpoints.

Chargemap Charging Infrastructure Vulnerabilities Reported

🔒 CISA reports multiple vulnerabilities in Chargemap's public charging infrastructure that could allow attackers to impersonate charging stations, hijack sessions, and disrupt services. The most severe issue (CVE-2026-25851) involves unauthenticated OCPP WebSocket endpoints and carries a CVSS 3.1 base score of 9.4. Chargemap did not respond to coordination; users should contact vendor support and reduce network exposure until fixes are available.

CloudCharge OCPP WebSocket Flaws Enable Station Impersonation

⚠️ CISA warns of multiple critical vulnerabilities in CloudCharge cloudcharge.se affecting OCPP WebSocket endpoints (four CVEs, highest CVSS 9.4). Exploits can enable station impersonation, session hijacking, credential exposure, and large-scale denial of service by suppressing or misrouting telemetry. CloudCharge did not respond to coordination requests; operators should apply network mitigations and restrict Internet exposure. CISA identifies Energy and Transportation sectors as at risk worldwide.

Critical OCPP WebSocket Flaws in SWITCH EV Charging

🔒 Successful exploitation of vulnerabilities in SWITCH EV charging infrastructure could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate telemetry, and manipulate backend data. The advisory identifies four CVEs affecting all product versions, including CVE-2026-27767 with a CVSS 3.1 base score of 9.4 (Critical). Vendor coordination was not received; CISA recommends minimizing network exposure, isolating control-system networks, using secure remote access, and contacting the vendor for remediation status. No known public exploitation has been reported.

EV2GO ev2go.io WebSocket Auth & Session Risks

🔒 CISA reports multiple critical vulnerabilities in EV2GO ev2go.io WebSocket interfaces that allow unauthenticated actors to impersonate charging stations, hijack sessions, and manipulate backend data. Exploitation can lead to large-scale denial of service, suppression or misrouting of legitimate telemetry, and unauthorized control of charging infrastructure; all versions are affected and the highest CVSS score is 9.4. Vendor coordination was not received; operators should minimize Internet exposure, isolate ICS networks, and implement stronger authentication, session management, and rate limiting.

Critical OCPP WebSocket Flaws in Mobility46 Stations

Mobility46 charging stations running mobility46.se are affected by multiple OCPP WebSocket vulnerabilities that can allow unauthorized administrative access, session hijacking, credential exposure, and denial-of-service. Four CVEs are documented, including one critical issue with a CVSS 3.1 base score of 9.4. Mobility46 did not respond to CISA coordination; operators should isolate devices, apply network controls, and contact the vendor for guidance.

Microsoft Flags Multi-Stage AitM Phishing in Energy Sector

🔒 Microsoft warns of a multi-stage adversary-in-the-middle (AitM) phishing and BEC campaign targeting the energy sector. The attackers abused SharePoint file-sharing and legitimate trusted addresses (a living-off-trusted-sites, or LOTS, technique) to deliver credential-harvesting links, then used stolen session cookies and inbox rules to persist and hide activity. Microsoft says simple password resets are insufficient; organizations must revoke sessions, remove malicious rules, and enforce phishing-resistant controls.

Malicious Google Chrome Extensions Hijack Workday and Netsuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.

Malicious Chrome extensions hijack enterprise sessions

🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.

Credential-stealing Chrome extensions target HR platforms

🔒 Socket discovered malicious Chrome extensions on the Web Store that mimicked productivity and security tools for enterprise HR and ERP systems and had been installed over 2,300 times. The five extensions targeted Workday, NetSuite, and SAP SuccessFactors, employing cookie exfiltration, DOM manipulation to block admin pages, and cookie injection to enable session hijacking. Google removed the extensions after notification; affected users should report use to administrators, perform incident response, and change credentials on impacted platforms.

Reprompt Attack Could Hijack Microsoft Copilot Sessions

⚠️ Security researchers at Varonis disclosed a vulnerability, dubbed Reprompt, that could let attackers hijack a user's Copilot Personal session by embedding malicious instructions in a URL. The attack leverages the 'q' URL parameter to inject prompts that execute when the page loads, then uses chained server-side follow-up requests to maintain access and exfiltrate data after a single click. Varonis reported the issue to Microsoft on August 31, and Microsoft issued a fix on the January 2026 Patch Tuesday; users should apply the latest Windows update promptly.

YoSmart YoLink Vulnerabilities Affect Server, Hub, App

🔒 CISA reported several vulnerabilities in the YoSmart YoLink ecosystem impacting the cloud server, Smart Hub, and mobile application. Exploitation could let attackers remotely control other users' devices, intercept unencrypted MQTT traffic, and hijack sessions. YoSmart pushed server-side fixes and will deliver a hub firmware update over-the-air; users should update the YoLink mobile app to 1.40.45 or later.

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠️ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update, store tokens in HttpOnly cookies, enforce strict CSPs, and ban dynamic code evaluation.

Patch SessionReaper: Critical Adobe Commerce/Magento Flaw

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.