All news with #zero day exploitation tag

🔒 Agentic AI is accelerating vulnerability discovery and shrinking the window between unknown flaws and active exploitation. A zero-day is dangerous because it exists in a defensive vacuum with no vendor patch and no established playbook, forcing emergency responses. Automated agents can probe, adapt and iterate continuously, so periodic assurance measures like quarterly scans and annual penetration tests are no longer sufficient as the primary resilience strategy. Organizations should emphasize data minimization, strict API discipline, least-privilege controls and micro-segmentation while embedding security into day-to-day IT operations and aligning CIO and CISO responsibilities.

🔐 Anthropic launched Project Glasswing to apply a preview of its frontier model, Claude Mythos, to find and help remediate security vulnerabilities in critical software. The company says Mythos Preview has already identified thousands of high‑severity zero‑day flaws and autonomously developed complex exploits in testing. Access is restricted to a small set of vendors and foundations due to abuse risks. Anthropic committed significant usage credits and donations to support coordinated defensive patching while acknowledging prior operational leaks and the risk that the same capabilities could be misused.

🔎 Anthropic's Project Glasswing uses Claude Mythos Preview to autonomously hunt software vulnerabilities and is being offered to a closed consortium of more than 40 organizations, including Amazon, Microsoft, Apple, Google and the Linux Foundation. Anthropic says early tests found thousands of high-severity flaws across operating systems, browsers, and other widely used software, including an allegedly 27-year-old OpenBSD bug. Security leaders warn the development could upend bug-bounty economics, push security upstream, shorten exposure windows, and raise dual-use control questions.

🚨 Security researchers report active exploitation of Flowise via CVE-2025-59528, a CVSS-10 arbitrary JavaScript injection that can lead to remote command execution and filesystem access. The flaw stems from the CustomMCP node unsafely evaluating user-supplied mcpServerConfig, allowing execution of supplied scripts. The developer fixed the issue in Flowise 3.0.6; users should upgrade to 3.1.1 or at minimum 3.0.6 and restrict public exposure.

⚠️ Microsoft warns that Storm-1175 — an actor linked to Medusa ransomware — is rapidly exploiting internet-facing systems, often moving from initial access to data theft and encryption within 24 hours. The group has abused more than 16 vulnerabilities since 2023, including zero-days, and frequently chains exploits to establish persistence and accelerate operations. Targets include healthcare, education, professional services, and finance in Australia, the UK and the US.

⚠️ Microsoft says financially motivated actor Storm-1175 has run a high-tempo campaign that weaponizes both n-day and zero-day vulnerabilities to deliver Medusa ransomware against internet-facing systems. The group has exploited at least 16 flaws since 2023, including the zero-day CVE-2025-10035 affecting GoAnywhere MFT, and has impacted healthcare, education, professional services and finance in Australia, the UK and the US. Recommended protections include perimeter scanning, isolating web-facing systems behind VPNs, WAFs or a DMZ, enforcing MFA for RMM tools, enabling tamper protection and configuring XDR to detect and block common ransomware tactics.

🔒 China-linked threat actor Storm-1175 has been observed exploiting a mix of zero-day and N-day flaws to quickly compromise internet-facing systems and deploy Medusa ransomware. Microsoft reports the group moves with high operational tempo, chaining exploits and abusing legitimate RMM tools to evade detection. Targets include healthcare, education, professional services and finance across Australia, the UK and the US. Intrusions often lead to rapid data exfiltration and encryption within days, sometimes under 24 hours.

🚨 A security researcher published exploit code for an unpatched Windows privilege escalation vulnerability dubbed BlueHammer, citing dissatisfaction with how Microsoft's Security Response Center handled the report. The public proof-of-concept reportedly combines a TOCTOU and path confusion to access the SAM database and escalate to SYSTEM or elevated administrator privileges. The PoC contains bugs and is not reliably successful across all Windows editions, and Microsoft had not issued a patch at publication, leaving the flaw classified as a zero-day.

🛡️ Microsoft says the China-based, financially motivated threat group Storm-1175, an affiliate that deploys Medusa ransomware, has been rapidly weaponizing n-day and zero-day vulnerabilities to gain access and move to data exfiltration and encryption within days, sometimes within 24 hours. Microsoft observed the operators chaining exploits to create accounts, deploy remote management tools, steal credentials, and disable security controls before dropping ransomware, with recent victims across healthcare, education, professional services, and finance in Australia, the United Kingdom, and the United States.

⚠️ CISA has ordered federal agencies to patch FortiClient EMS instances by April 9 after the discovery of CVE-2026-35616, a pre-authentication API access bypass. Fortinet released emergency hotfixes and said unauthenticated attackers can execute code via specially crafted requests. Administrators are urged to apply hotfixes or upgrade to 7.4.7 immediately to mitigate active exploitation.

🔒Storm-1175 conducts high-tempo ransomware campaigns that rapidly weaponize recently disclosed and, in some cases, pre-disclosure zero-day vulnerabilities to gain initial access to web-facing systems. After exploitation the actor moves quickly to establish persistence, perform credential theft, tamper with security controls, and exfiltrate data before deploying Medusa ransomware. Microsoft observed intrusions affecting healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States, often completing impact within days or less. Recommended defenses include perimeter asset discovery, robust patching, RMM hardening, and tamper protection for endpoint security.

⚡ This week’s incidents include a supply-chain compromise of the popular Axios npm package by actors attributed to North Korea (UNC1069) and an actively exploited Chrome zero-day (CVE-2026-5281) in the Dawn/WebGPU component. Other notable events include active exploitation of Fortinet FortiClient EMS, a TrueConf update-integrity bypass, and an accidental large code leak from Anthropic’s Claude development. Organizations should treat developer tooling, CI/CD, and dependencies as part of the attack surface and apply patches and integrity checks promptly.

⚠️ Fortinet released an emergency weekend hotfix to address a critical pre-authentication flaw in FortiClient EMS (CVE-2026-35616) that is being actively exploited in the wild. The improper access control defect allows unauthenticated attackers to execute commands via specially crafted API requests and affects versions 7.4.5 and 7.4.6. Fortinet urges immediate installation of the hotfixes or upgrading to 7.4.7 when available. Shadowserver reports over 2,000 exposed EMS instances, primarily in the US and Germany.

🔧 Fortinet has released an out‑of‑band hotfix for a critical pre‑authentication API access bypass in FortiClient EMS (CVE-2026-35616, CVSS 9.1) that has been observed exploited in the wild. The flaw allows unauthenticated attackers to bypass API authentication and authorization protections and execute commands on affected systems, impacting versions 7.4.5–7.4.6. Fortinet urges immediate installation of the hotfix and says a full remediation will be included in 7.4.7.

🛡️ Google has patched a fourth zero-day in Chrome this year, addressing CVE-2026-5281 in Dawn, the browser's WebGPU implementation, which allowed remote code execution via a crafted HTML page when the renderer process was compromised. The company confirmed an exploit exists in the wild and urges users to update to Chrome 146.0.7680.178 or newer. This fix follows earlier 2026 patches for CSS memory handling, the Skia graphics library, and the V8 JavaScript engine.

🔓 Google researchers released a report describing Coruna, a sophisticated iPhone exploitation toolkit that chains 23 distinct iOS vulnerabilities into five full exploit techniques capable of bypassing device defenses and silently installing malware when a user visits a crafted website. Analysts note the code’s professional, English-language provenance and say it bears hallmarks of previously attributed US government modules. Reporting from TechCrunch cites former L3Harris employees who say the company’s Trenchant surveillance division helped develop parts of the toolkit and that an insider may have sold components to foreign actors, raising urgent questions about loss of control over offensive cyber capabilities.

🔒 Apple has expanded availability of iOS 18.7.7 to a broader set of iPhones and iPads to ensure devices remaining on iOS 18 receive protections against the actively exploited DarkSword exploit kit. The update delivers fixes for multiple vulnerabilities first mitigated in 2025 and addresses additional CVEs disclosed through 2026. Users with Automatic Updates enabled on eligible devices will receive these protections automatically. Researchers observed deployment of information-stealing and backdoor malware families including GhostBlade, GhostKnife, and GhostSaber in attacks exploiting these flaws.

⚠️ Check Point researchers report attackers exploited a TrueConf zero-day (CVE-2026-3502) to replace legitimate updates with malicious executables delivered from compromised on-premises servers. The vulnerability stems from a missing integrity check in the update mechanism and affected versions 8.1.0 through 8.5.2; TrueConf released a patch in 8.5.3 (March 2026). The campaign, tracked as TrueChaos, targeted government entities in Southeast Asia and likely leveraged Havoc C2, DLL sideloading, and a UAC bypass.

🔎 Researcher Hung Nguyen used simple prompts with Anthropic’s Claude Code to rapidly discover zero-day remote code execution flaws in Vim and GNU Emacs, showing that legacy codebases can be probed far faster by advanced LLMs than by conventional fuzzing. Within minutes Claude Code located missing security checks and generated proof-of-concept exploit ideas, prompting a quick patch for Vim (CVE-2026-34714). Emacs' maintainers declined to treat the finding as an Emacs bug, pointing to Git and leaving suggested manual mitigations for affected releases. The episode highlights both the power of AI-assisted research and the attendant risks of simpler exploit development.

🔒 Google released updates for Chrome to fix 21 vulnerabilities, including a zero-day (CVE-2026-5281) that has been exploited in the wild. Dawn, the WebGPU implementation, contains a use-after-free bug allowing a remote attacker with access to the renderer process to execute arbitrary code via crafted HTML. Users should update to versions 146.0.7680.177/178 on Windows and macOS and 146.0.7680.177 on Linux, and ensure Chromium-based browsers receive vendor patches.