Security & IT News

I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as extracted-decoded.js (and reformated). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[ 1 ]. It did not run properly in a sandbox so only a static analysis was performed. The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us, only the wrapper that is responsible for the execution is obfuscated but the malicious payloads are embedded in plain text! The obfuscation technique looks typical to the code produced by obfuscation.io[ 2 ]. We are facing a very long array of small Base64-encoded strings: function c() { const t8 = [ W54gaGuj , pSkByhzh , WRT/WPThyG , CSomW6OXWQG , WO7dIuVcTaq , AYb2Axm , WPT3WPJdLmkS , WPTNeuWa , hCkIW64XW7C , W47cM0tcObS , WPKbWOKfW74 , W6JdNCkDWRe+ , W53dLuxcP3u , WRTUc8ocW4W , ysiSica , wCo4oser , tSkAW5v3ca , W54XaKvz , W7nTe8ooW7a , W4BcSSo/FLi , W6HvW7i+FG , W5iBabul , F8oQW4JcVCku , W5ldPCkKbcy , W6ddQcdcNq0 , Aw5Niha , Dcy9W5dcVq , C8o/eqBcHW , id0GBMu , W5FcISkyW4FcJG , WR1ieSotW4y , wSoqq8o1da , B3jKvMe , icDmB2m , uSkgW4qZiq , WO7cMSkoW7zX , W5HxW6OnW7S , W4SBWRHwW7e , zwa3W5dcOG , W4PCW79DW6a , omkrngXB , xmkVCWeJ , nCoEWQ1WWR0 , WRNcH3vwCG , W7lcTSoUCq8 , rM9sWR/cPW , W4ZcKbxcUIC , DgGGDg8 , WR7dK8kpWROP , fmo7j1et , id09psa , vSo4Cx4n , iIWImJq , WRrixrpcJq , u29JA2u , ve9swsW , WRBdHH3dUa0 , W5RcKLpdTuW , u3ruyKK , WOVcLSowW4RcPG , BwuGzgK , ugf0AdO , W63cJ3Kmaa , WPVdRCk1bti , DwrVige , C8k2WQxcTh0 , igvUDhi , tmkSl1Ld , qqvnW4pcMa , WPNdGahdO0i , nmkQWRNdPNa , WQD8qmodW6G , W4NdK8oBW5pdQq , quFcOmoQWRe , Cbyarmkq , tmkoWQHU , ewb8W4eF , vcCOWOPc , WRtdQc3dIrW , WQXIrSoqW5q , kcDqCM8 , imkUWQtcPxC , bmooW7q6hW , ... Other small functions are low-level decoders that perform a lot of arithmetic operations. There are three main payloads that all have their own purpose: The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser. const localAppDataBase = `/mnt/c/Users/${windowsUsername}/AppData/Local`; const browserRelativePaths = [ Google/Chrome/User Data , // Chrome BraveSoftware/Brave-Browser/User Data , // Brave AVG Browser/User Data , // AVG Browser Microsoft/Edge/User Data , // Edge Opera Software/Opera Stable , // Opera Opera Software/Opera GX , // Opera GX Vivaldi/User Data , // Vivaldi Kiwi Browser/User Data , // Kiwi Yandex/YandexBrowser/User Data , // Yandex Iridium/User Data , // Iridium Comodo/Dragon/User Data , // Comodo SRWare Iron/User Data , // SRWare Chromium/User Data // Chromium\n ]; The malware also looks for interesting wallet Chrome extensions: const wps = [ nkbihfbeogaeaoehlefnkodbefgpgknn , ejbalbakoplchlghecdalmeeeajnimhm , acmacodkjbdgmoleebolmdjonilkdbch , bfnaelmomeimhlpmgjnjophhpkkoljpa , ibnejdfjmmkpcnlpebklmnkoeoihofec , egjidjbpglichdcondbcbd

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A group used Anthropic’s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple’s M5. News article .

Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, more than $2.2 billion in potentially fraudulent App Store transactions in 2025 alone. [...]

Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation. [...]

Cisco has released security updates to address a maximum-severity vulnerability in Secure Workload that allows attackers to gain Site Admin privileges. [...]

Recently, Rob wrote about a tool, Proxifier , that can intercept requests from specific processes. Proxifier is available for Windows, macOS, and Android. But I have not seen a generic Linux option yet. The advantage of a tool like Proxifier is the ability to target specific software. For debugging, reverse engineering, and similar tasks, selecting a specific process is quite useful, as it creates less noise to sift through and simplifies analysis. There are a few methods for how proxies are usually configured in Linux: Environment Variables Many software programs look for the environment variables http_proxy and https_proxy. These environment variables can be targeted by setting them for specific processes. Open a shell, set the environment variables, and run the software you wish to inspect in the same shell. export http_proxy= http://proxy.example.com:80 export https_proxy= http://proxy.example.com:443 ./software-under-test iptables The Linux firewall code, iptables, has a number of lesser-known interesting options that can help. For example, traffic can be redirected for a specific user: iptables -t nat -A OUTPUT -m owner --uid-owner 1234 -j REDIRECT --to-ports 8080 This example will direct all traffic generated by the user with UID 1234 to port 8080. Now start the software as this specific user (maybe set up a test user for that purpose), and you will only see traffic created by this specific user. There is no option to select a pid as pids are constantly changing, and there may be multiple pids if the process uses multiple threads, which is common for networking. Network Namespaces Usually, a particular Linux system uses a single routing table. Network namespaces enable the creation of separate routing tables for different processes. First, you create a new namespace. You need to assign interfaces to it, as namespaces cannot see network interfaces unless you explicitly add them. ip netns add testing # adding namespace 'testing' ip link set dev ens18 netns testing # add ens18 interface to testing. However, most use virtual interfaces ip netns exec testing software-under-test # execute software-under-test in namespace There are a number of more complete recipes for network namespaces available online. I find it the most versatile solution, particularly if environment variables do not work. The iptables solution is often simpler than namespaces, but you may end up with some unintended additional traffic. -- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter | (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The first quarter of 2026 reinforced that attackers are moving faster, operating with greater coordination, and exploiting weaknesses before most organizations can respond effectively. From escalating geopolitical tensions to increasingly aggressive ransomware operations, the latest quarterly Threat Landscape Report highlights a security environment where reactive defense strategies are becoming unsustainable. Quarterly Threat Landscape Report findings Exploits unseat social engineering for top initial access vector (IAV) One of the biggest takeaways is that vulnerability exploitation surpassed social engineering as the largest initial access vector with 38% of the total. This would be interesting on its own, but when coupled with more than 50% of all exploited vulnerabilities actively being zero-click, network facing vulnerabilities, it indicates that, at least in the short term, attackers are finding AI-enabled vulnerability exploitation easier to accomplish than exploiting human behavior. These types of vulnerabilities require no authentication and no user interaction, giving attackers rapid pathways into exposed systems and edge infrastructure. At the same time, exploitation activity was frequently preceded by large spikes in public discussion across forums, blogs, and social media platforms, demonstrating how quickly threat actors operationalize publicly available information once vulnerabilities gain visibility. Geopolitics and FBI takedowns in the threat landscape Geopolitical instability also continued to shape cyber operations throughout the quarter, particularly in the Middle East, where cyber activity was increasingly synchronized with military escalation. Iranian state-aligned groups targeted government infrastructure, financial services, and industrial systems, while Russian and Chinese campaigns focused heavily on intelligence collection, telecommunications infrastructure, and persistent access operations designed to remain undetected over long periods of time. The result is a threat landscape where organizations must prepare not only for immediate disruption, but also for long-term persistence inside enterprise environments. Meanwhile, law enforcement operations targeting underground criminal infrastructure disrupted several major ransomware and credential marketplaces during Q1, including the seizure of RAMP and LeakBase. These takedowns have created operational pressure for cybercriminal groups, pushing threat actors toward smaller, decentralized communities and increasing internal distrust. A marked shift towards "pure extortion" The report also highlights the continued evolution of ransomware operations, particularly the growing shift toward “pure extortion” tactics focused on rapid data theft rather than traditional encryption-based attacks. Threat actors increasingly leveraged zero-click vulnerabilities to gain initial access, exfiltrate sensitive data, and pressure victims without deploying ransomware payloads that create ad

AI risks threaten to permeate supply chains through unvetted code and unaudited suppliers

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-05.json strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which potentially takes remote control of the product and performs a write operation to the flash memory to alter the firmware behavior. /strong /p p The following versions of ABB Terra AC Wallbox are affected: /p ul li Terra AC wallbox (JP) lt;=1.8.33, 1.8.36 (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 6.1 /td td ABB /td td ABB Terra AC Wallbox /td td Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Stack-based Buffer Overflow /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2025-10504 /a /h3 div class= csaf-accordion-content p There is potential risk to pollute the memory when developing apps which has used to communicate with charger according to self-defined protocol if developers don’t strictly follow the field length which has not been validated in firmware. /p p a href= https://www.cve.org/CVERecord?id=CVE-2025-10504 View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB Terra AC Wallbox /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br ABB /div div class= ics-version strong Product Version: /strong br ABB Terra AC wallbox (JP) lt;=1.8.33 /div div class= ics-status strong Product Status: /strong br fixed, known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Vendor fix /strong br The problem is corrected in the following product version; apply the following update depending on product variant: Terra AC wallbox (JP) 1.8.36 ABB recommends that customers apply the update at earliest convenience. /p p strong Mitigation /strong br To attack with this kind of message, hackers must hijack Bluetooth first and then can send messages. Because the communication messages between BLE and charger have been encrypted. In theory, there is no way to attack the charger. /p /div p strong Relevant CWE: /strong a href= https://cwe.mitre.org/data/definitions/122.html CWE-122 Heap-based Buffer Over

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-01.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Hitachi Energy is aware of the vulnerability, CVE-2022-4304 in the OSS component OpenSSL, that affects the GMS600 versions that are listed below. An attacker successfully exploiting this vulnerability could send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. For immediate mitigation /workaround information, please refer to the General Mitigation Factors/Workarounds /strong /p p The following versions of Hitachi Energy GMS600 are affected: /p ul li GMS600 vers:GMS600/ gt;=1.3.0| lt;=1.3.1 (CVE-2022-4304) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 5.9 /td td Hitachi Energy /td td Hitachi Energy GMS600 /td td Observable Discrepancy /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2022-4304 /a /h3 div class= csaf-accordion-content p A timing-based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. /p p a href= https://www.cve.org/CVERecord?id=CVE-2022-4304 View CVE Details /a /p hr h4 Affected Products /h4 h5 Hitachi Energy GMS600 /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br Hitachi Energy /div div class= ics-version strong Product Version: /strong

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-03.json strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is available that replaces an outdated third-party component. Although no successful exploitation was observed during testing of the affected B amp;R products, the identified vulnerabilities could present potential attack vectors that might enable unauthorized access, data exposure, or remote code execution. /strong /p p The following versions of ABB B amp;R Automation Studio are affected: /p ul li B amp;R Automation Studio lt;6.5, 6.5 (CVE-2025-6965, CVE-2025-3277, CVE-2023-7104, CVE-2022-35737, CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-11656, CVE-2020-11655, CVE-2019-19646, CVE-2019-19645, CVE-2019-8457, CVE-2018-20506, CVE-2018-20505, CVE-2018-20346, CVE-2018-8740, CVE-2017-10989, CVE-2016-6153, CVE-2015-6607, CVE-2015-5895, CVE-2015-3717, CVE-2015-3416) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 9.8 /td td ABB /td td ABB B amp;R Automation Studio /td td Numeric Truncation Error, Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, NULL Pointer Dereference, Incorrect User Management, Use After Free, Integer Overflow or Wraparound, Improper Check for Unusual or Exceptional Conditions, Uncontrolled Recursion, Out-of-bounds Read, Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2025-6965 /a /h3 div class= csaf-accordion-content p There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. /p p a href= https://www.cve.org/CVERecord?id=CVE-2025-6965 View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB B amp;R Automation Studio /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br ABB /div div class= ics-version strong Product Version: /strong br ABB B amp;R Automation Studio lt;6.5 /d

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-02.json strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. A network attacker could exploit the vulnerabilities to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information. /strong /p p The following versions of ABB B amp;R PCs are affected: /p ul li APC4100 lt;1.09, 1.09 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li APC910 lt;=1.25 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li C80 lt;1.14, 1.14 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li MPC3100 lt;1.24, 1.24 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li PPC1200 lt;1.14, 1.14 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li PPC900 lt;2.16, 2.16 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li APC2200 lt;1.35, 1.35 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li PPC2200 lt;1.35, 1.35 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li APC3100 lt;1.45, 1.45 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li li PPC3100 lt;1.45, 1.45 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 8.3 /td td ABB /td td ABB B amp;R PCs /td td Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer, Loop with Unreachable Exit Condition ('Infinite Loop'), Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Energy /li li stro

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-04.json strong View CSAF /strong /a /p h2 Summary /h2 p strong An update is available that resolves a vulnerability identified by B amp;Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user’s browser session. /strong /p p The following versions of ABB B amp;R Automation Runtime are affected: /p ul li Automation Runtime lt;6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 6.1 /td td B amp;R /td td ABB B amp;R Automation Runtime /td td Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Formula Elements in a CSV File /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2025-3449 /a /h3 div class= csaf-accordion-content p A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B amp;R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions. /p p a href= https://www.cve.org/CVERecord?id=CVE-2025-3449 View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB B amp;R Automation Runtime /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br B amp;R /div div class= ics-version strong Product Version: /strong br Automation Runtime lt;6.4 /div div class= ics-status strong Product Status: /strong br fixed, known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Vendor fix /strong br The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B amp;R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the

p CISA has added two new vulnerabilities to its a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href= https://www.cve.org/CVERecord?id=CVE-2025-34291 target= _blank CVE-2025-34291 /a Langflow Origin Validation Error Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2026-34926 target= _blank CVE-2026-34926 /a Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability /li /ul p These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. /p p a href= https://www.cisa.gov/binding-operational-directive-22-01 Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href= https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href= https://www.cisa.gov/known-exploited-vulnerabilities specified criteria /a . nbsp; /p

Flipper Devices, the maker of the Flipper Zero pentesting tool, is asking the community to help build Flipper One, an open Linux platform for connected devices. [...]

Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild. The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges. "Improper link resolution before file access ('link following') in Microsoft Defender

Consider a cached access key on a single Windows machine. It got there the way most cached credentials do - a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a minor-league attacker, could have opened a path to some 98% of entities in the company's cloud

Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major