All news with #zero day exploitation tag

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero‑day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.

🔒 A former senior executive at L3Harris cyber-division Trenchant, Australian national Peter Williams, has been sentenced to 87 months in prison after pleading guilty to stealing and selling zero-day exploits to a Russian broker. He admitted taking eight cyber-exploit components over three years, accepting cryptocurrency payments and providing paid follow-on support. Authorities say the theft cost Trenchant/L3Harris about $35m and posed significant national security risks. Williams was ordered to forfeit $1.3m, cryptocurrency, property and luxury items, and to serve three years of supervised release with special conditions.

🔒 Peter Williams, a 39-year-old former senior employee at L3Harris, was sentenced to just over seven years in prison after pleading guilty to selling eight zero-day exploits to the Russian exploit broker Operation Zero. Prosecutors say he received up to $4 million in cryptocurrency and has been ordered to forfeit proceeds, including properties and luxury items. The theft, which occurred between 2022 and 2025, targeted tools intended for sale only to the U.S. government and select allies and prompted criminal charges and sanctions.

🔒 Peter Williams, former head of Trenchant at L3Harris, was sentenced to 87 months in federal prison after admitting he stole and sold zero-day exploit components to the Russian broker Operation Zero. Prosecutors say he transferred at least eight protected exploit components between 2022 and 2025 using a portable external drive and encrypted channels. L3Harris estimates the theft caused $35 million in losses and the sales netted Williams $1.3 million in cryptocurrency. Authorities ordered forfeiture of the crypto, a house, and luxury items, and the U.S. Treasury announced sanctions against the broker.

🔍 The CrowdStrike 2026 Global Threat Report reviews 2025 as the year of the evasive adversary, detailing how attackers shifted to subtle, trust-based techniques across endpoint, identity, SaaS, and cloud environments. Adversaries accelerated operations using AI and exploited AI systems themselves, while supply chain compromises and zero-day usage rose markedly. The report highlights rapid breakout times, a high rate of malware-free intrusions, and significant increases in state-nexus activity, offering prioritized insights for defenders.

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.

🔒 Palo Alto Networks Unit 42 reports active exploitation of a critical sanitization bug in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), tracked as CVE-2026-1731 (CVSS 9.9), that allows OS command execution via the thin-scc-wrapper WebSocket interface. Threat actors have used the flaw for reconnaissance, deploying web shells and backdoors (including VShell and Spark RAT), lateral movement, and data theft. Multiple sectors across several countries are affected, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

🔍 In the January 27, 2026 OpenSSL security release, twelve previously unknown zero-day vulnerabilities were announced, all originally discovered and responsibly disclosed by our AI research system, AISLE. Ten of the issues were assigned CVE-2025 identifiers and two received CVE-2026 identifiers. One high-profile finding, CVE-2025-15467, is a stack buffer overflow with a NIST CVSS v3 score of 9.8 and has already produced public exploits. Five of the twelve accepted fixes were directly proposed by AISLE, and several bugs dated back to 1998–2000, including code inherited from the original SSLeay implementation.

🔒 A maximum-severity vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw is a hard-coded Apache Tomcat Manager admin credential that allows unauthenticated attackers to upload a web shell (SLAYSTYLE) and deploy native backdoors (BRICKSTORM, later GRIMBOLT) for root access and persistence. Dell urges customers to upgrade to 6.0.3.1 HF1 (or follow staged upgrades from 5.3 SP4 P1) and to isolate RecoverPoint appliances on trusted, segmented networks until patched.

🔒 Dell has released a patch for a critical zero-day, CVE-2026-22769, in RecoverPoint for Virtual Machines after Mandiant reported exploitation by a suspected Chinese APT cluster since mid-2024. The flaw is a hardcoded credential that enables unauthenticated access to the underlying OS and potential root-level persistence on versions prior to 6.0.3.1 HF1. Mandiant links the intrusions to UNC6201, which deployed malware such as Slaystyle, Brickstorm and a native AOT C# backdoor called Grimbolt, and observed novel TTPs including VM "ghost NICs" and iptables-based single-packet authorization.

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.

🔒 Security researchers report that a suspected Chinese state-backed actor, UNC6201, has been exploiting a critical hardcoded-credential vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since mid-2024. Dell says versions prior to 6.0.3.1 HF1 permit unauthenticated access that can lead to root-level persistence. The intruders deployed a new C# backdoor called Grimbolt and used stealthy VMware pivot techniques, including hidden "Ghost NICs." Customers should apply Dell's updates and mitigations immediately.

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid‑2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager—leveraging hard‑coded admin credentials—to deploy a SLAYSTYLE web shell and gain root. In compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT‑compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables‑based Single Packet Authorization. Dell published mitigations and GTIG/Mandiant released IOCs, YARA rules, and hunting guidance to aid detection and response.

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.

🔒 This weekly recap shows how small, trusted gaps are becoming major entry points — from a hijacked Outlook add-in (AgreeTo) turned into a phishing kit that stole over 4,000 Microsoft credentials to multiple actively exploited zero-days in Chrome and Apple platforms. It also covers a critical BeyondTrust RCE under active exploitation, new Linux botnet activity abusing SSH, and cloud-focused campaigns targeting exposed Docker, Kubernetes, and Redis instances. Attackers are combining legacy techniques, cloud misconfigurations, and AI assistance to scale access and persistence.

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.

🔧 Google released emergency updates to fix a high-severity Chrome zero-day (CVE-2026-2441) that is being exploited in the wild. The flaw is a use-after-free caused by an iterator invalidation bug in CSSFontFeatureValuesMap, and Google pushed a backported patch across stable branches. Fixes are rolling out to Windows and macOS (145.0.7632.75/76) and Linux (144.0.7559.75); users should update or let Chrome apply updates automatically. Google noted additional related work remains tracked in bug 483936078.

⚠️ Google released updates for Chrome to patch CVE-2026-2441, a high-severity (CVSS 8.8) use-after-free vulnerability in CSS that has been confirmed as exploited in the wild. Discovered by researcher Shaheen Fazim on Feb 11, 2026, the bug can enable remote code execution inside Chrome's sandbox via a crafted HTML page. Users should update to 145.0.7632.75/76 (Windows/macOS) or 144.0.7559.75 (Linux) and ensure Chromium-based browsers receive equivalent fixes.