
All news with #vulnerability disclosure tag

401 articles

Attempted Exploitation of CVE-2023-33538 in TP‑Link Routers

🔎 Unit 42 observed automated scans targeting CVE-2023-33538 in several end-of-life TP‑Link routers (TL‑WR940N, TL‑WR740N, TL‑WR841N). Payloads resembled Mirai-like botnet binaries and attempted to download and execute an arm7 ELF, but in-the-wild attempts were flawed and generally failed. Emulation and reverse engineering confirmed a real command-injection flaw in the ssid1 parameter that reaches a system shell, but successful exploitation requires web authentication (default credentials like admin:admin remain a practical risk). TP‑Link lists the devices as EOL with no patches; Unit 42 recommends replacing affected units and avoiding default credentials while using layered protections.

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.

ThreatsDay: Defender 0-Day, Excel RCE and Supply Chain Risks

🛡️ This week's bulletin highlights both legacy and emerging threats, including a published Microsoft Defender privilege escalation exploit (RedSun) and a 17‑year‑old Excel RCE (CVE‑2009‑0238) newly added to CISA's KEV. Incidents range from a Zerion hot-wallet compromise (~$100K stolen through AI‑enabled social engineering) to a fake macOS Ledger app that drained about $9.5M. Researchers also disclosed novel C2 frameworks, a WordPress plugin supply-chain backdoor affecting 180k+ installs, and a surge in SonicWall/FortiGate brute-force probing. The collection underscores the need to patch promptly, validate app-store integrity, rotate credentials, and audit third-party dependencies.

Glasswing’s Public Record: Just One Confirmed CVE Now

🔍 VulnCheck's analysis indicates Anthropic's controlled-access Project Glasswing has only one publicly attributable CVE: CVE-2026-4747, a FreeBSD NFS remote code execution flaw described as autonomously identified and exploited. Researcher Patrick Garrity reviewed the CVE database and found 75 records mentioning Anthropic, but only 40 credited to its researchers and a single CVE tied explicitly to Glasswing. Industry observers warn that public attribution may understate the model's potential, and Anthropic plans a fuller accounting by July 2026.

AI Firms Urged into Larger Role in CVE Disclosures Now

🔒 At VulnCon26 in April, Lindsey Cerkovnik of CISA urged that AI firms like OpenAI and Anthropic be more directly represented in the CVE program to help manage a surge in reported vulnerabilities. She warned that new AI tools both accelerate discovery of valid flaws and generate lower-value noise, putting pressure on disclosure workflows. Recent vendor developments — Anthropic’s Mythos Preview and OpenAI’s GPT-5.4-Cyber — illustrate how automated research is already changing the threat landscape. Cerkovnik said CVE funding is secure and the program remains a CISA priority.

Composer Perforce VCS Flaws Enable Command Execution

⚠️ Two high-severity vulnerabilities in Composer's Perforce VCS driver (CVE-2026-40176, CVSS 7.8; CVE-2026-40261, CVSS 8.8) can enable arbitrary command injection when processing a malicious repository configuration or a crafted source reference. The issues affect releases prior to 2.9.6 and 2.2.27 and are fixed in those versions; users should upgrade immediately. If you cannot patch, inspect composer.json files for Perforce fields, restrict repositories to trusted sources, and avoid dist-preferred installs. Composer reported no evidence of public exploitation and disabled Perforce metadata publishing on Packagist.org as a precaution.

ShowDoc RCE CVE-2025-0520 Exploited on Unpatched Servers

⚠️ A critical remote code execution vulnerability, tracked as CVE-2025-0520 (aka CNVD-2020-26585), is being actively exploited against unpatched instances of ShowDoc. The flaw is an unrestricted, unauthenticated file upload caused by improper file-extension validation, allowing attackers to deploy PHP web shells and execute arbitrary code. The bug was fixed in ShowDoc 2.8.7 (October 2020) and the project now ships as version 3.8.1, but researchers observed an exploit dropping a web shell on a U.S.-based honeypot and note more than 2,000 internet-facing instances, most located in China. Administrators should upgrade immediately and scan for signs of compromise.

Anthropic’s Mythos Preview and Project Glasswing Risks

🔍 Anthropic's new Claude Mythos Preview and its Project Glasswing effort have focused industry attention on AI-driven cyberattack capabilities. Anthropic says it will not release the model publicly, citing the risk that it can automatically generate operational exploits, and is running the model against public and proprietary code to find and patch vulnerabilities before they can be weaponized. The announcement produced substantial PR impact, prompting rival vendors to echo similar caution. Security observers note defenders still hold an advantage—finding flaws is easier than turning them into attacks—but that margin is shrinking as models improve.

Weekly Recap: PDF Zero-Day, AI Exploits, Fiber Spying

🔔 Emergency updates address a critical PDF zero‑day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that executes malicious JavaScript when specially crafted documents are opened. The report also highlights Anthropic's Mythos being used as an exploit-generation engine, state-linked interference with infrastructure, and research showing telecom optical fibers can be abused for acoustic eavesdropping. Prioritize patching, credential hygiene, and detection for fileless and AI-driven attacks.

CISA Adds Seven Vulnerabilities to KEV Catalog, 2026

🔔 CISA added seven vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Microsoft, Adobe, and Fortinet products. The CVEs cover insecure library loading, use‑after‑free, deserialization, out‑of‑bounds read, link following, SQL injection, and prototype pollution. Under BOD 22‑01, Federal Civilian Executive Branch agencies must remediate KEV entries by required dates, and CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Critical Marimo Pre-Auth RCE Now Under Active Exploitation

⚠️ A critical pre-auth remote code execution (RCE) in Marimo (CVE-2026-39987) permits unauthenticated access to an interactive shell via the /terminal/ws WebSocket endpoint in versions 0.20.4 and earlier. Sysdig observed exploitation beginning within 10 hours of the public disclosure, with attackers quickly harvesting .env files, cloud credentials and SSH keys. Marimo released v0.23.0 to patch the issue; users should upgrade immediately, restrict external access, monitor WebSocket connections, and rotate any exposed secrets.

13-Year-Old Remote Code Execution in ActiveMQ Classic

⚠️ Researchers disclosed a critical remote code execution flaw in Apache ActiveMQ Classic that remained undetected for 13 years and can allow arbitrary system command execution. Tracked as CVE-2026-34197 with a CVSS score of 8.8, the bug affects Classic releases before 5.19.4 and 6.0.0 through 6.2.3; fixes were released in 5.19.4 and 6.2.3. Administrators should apply the updates, review Jolokia access controls, and inspect broker logs for indicators of compromise.

Critical File Upload Flaw in Ninja Forms (WordPress)

⚠ A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin for WordPress, impacting versions up to 3.3.26 and rated CVSS 9.8. The flaw allows unauthenticated attackers to upload malicious files (including .php), bypass validation, and achieve remote code execution. Wordfence validated the report after it was disclosed on January 8, 2026, and the developer issued a complete patch in version 3.3.27 on March 19; administrators should update immediately.

CISA Adds Ivanti EPMM Code Injection CVE to KEV Catalog

⚠️ CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency notes that code injection is a common, high-risk attack vector with significant implications for federal networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV entries by the required deadlines, and CISA urges all organizations to prioritize timely fixes to reduce exposure.

Anthropic unveils Project Glasswing to find critical bugs

🔍 Anthropic has launched Project Glasswing, an initiative that uses Claude Mythos Preview to autonomously locate and remediate undiscovered cybersecurity vulnerabilities in critical software. The private model — described by Anthropic as highly capable for coding and agentic tasks — was tested with launch partners including AWS, Google and Microsoft and reportedly found thousands of previously unidentified zero-day flaws. Anthropic committed up to $100m in usage credits and $4m in donations to support open-source security while keeping Mythos Preview restricted to defenders with guardrails.

Critical RCE Flaw in Ninja Forms File Uploads Plugin

⚠️ A critical vulnerability in the Ninja Forms File Uploads premium add-on (identified as CVE-2026-0740) allows unauthenticated attackers to upload arbitrary files, including PHP, enabling remote code execution. Wordfence reports active exploitation and has blocked thousands of attempts. The flaw affects versions up to 3.3.26; the vendor issued a full fix in 3.3.27 on March 19. Users of the File Upload extension should upgrade immediately and apply available mitigations.

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.

Internet Bug Bounty Pauses Payouts Amid AI Advances

🛑 The Internet Bug Bounty program, administered by HackerOne and backed by multiple major software companies, has paused submissions and payouts while it reassesses how best to support open source security. HackerOne said the rise of AI-assisted vulnerability discovery has increased both coverage and speed, shifting the balance between new findings and remediation capacity. Projects such as Node.js will continue to accept and triage reports via HackerOne but may not issue rewards from the paused fund. Similar changes have hit other programs, including curl and recent restrictions at Google's open source rewards effort.

Apple Extends iOS 18 Security Patches for DarkSword

🔒 Apple has widened rollout of iOS 18.7.7 and iPadOS 18.7.7 to more devices, enabling users who remain on iOS 18 to receive critical fixes without upgrading to iOS 26. The broadened distribution, announced on April 1, addresses vulnerabilities exploited by the DarkSword exploit kit in web-based watering‑hole attacks. Devices with automatic updates will be patched automatically; others can update manually. Researchers warn the toolkit has been linked to multiple threat actors and to payloads such as GhostBlade, GhostKnife and GhostSaber, and that a public leak raises the risk of wider abuse.

CISA Adds One Known-Exploited Vulnerability to KEV Catalog

⚠️ CISA has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The vulnerability affects the TrueConf client and permits downloaded code to be executed without an integrity check, increasing the risk that attackers can deliver tampered or malicious payloads. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required deadline; CISA strongly urges all organizations to prioritize timely remediation and strengthen routine vulnerability management.