The United Kingdom's National Cyber Security Centre (NCSC-UK) and international partners warned that China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices to evade detection and disguise their malicious activity. [...]
Security & IT News
Real-time news from 13+ trusted sources: BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
A previously undocumented state-backed threat actor named GopherWhisper is using a Go-based custom toolkit and legitimate services like Microsoft 365 Outlook, Slack, and Discord in attacks against government entities. [...]
Imagine a world where hackers don't sleep, don't take breaks, and find weak spots in your systems instantly. Well, that world is already here. Thanks to AI, attackers are now launching automated, large-scale exploits faster than ever before. The time you have to fix a vulnerability before it gets attacked is shrinking to zero. We call this the Collapsing Exploit Window, and it means your
The Citizen Lab found two separate surveillance vendors abusing the backbone of cellular networks to spy on several victims across the world.
Defending against China-nexus covert networks of compromised devices
Full advisory: https://www.ncsc.gov.uk/news/defending-against-china-nexus-covert-networks-of-compromised-devices
Executive summary: https://www.ncsc.gov.uk/news/executive-summary-defending-against-china-nexus-covert-networks-of-compromised-devices

Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it.

Summary

With support from the UK Cyber League (https://www.ncsc.gov.uk/information/cyber-league), this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners:

- Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada's (CSE's) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service - Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre - Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)

Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of using large-scale networks of compromised devices (covert networks) to route their cyber activity.

Introduction

Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) use
Google Cloud will assign a unique cryptographic ID to every AI agent, tied to "traceable and auditable" authorization policies.
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json

Summary

Successful exploitation of this vulnerability could enable a remote attacker to alter critical system functions or disrupt device operation.

The following versions of Carlson Software VASCO-B GNSS Receiver are affected:
- VASCO-B GNSS Receiver <1.4.0 (CVE-2026-3893)

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.4 | Carlson Software | Carlson Software VASCO-B GNSS Receiver | Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3893
The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-3893

Affected Products
Carlson Software VASCO-B GNSS Receiver
Vendor: Carlson Software
Product Version: Carlson Software VASCO-B GNSS Receiver: <1.4.0
Product Status: known_affected

Remediations
Mitigation: Carlson Software recommends users update to Version 1.4.0 or greater. For more information contact Carlson Software: https://www.carlsonsw.com/support-and-training/

Relevant CWE: CWE-306 Missing Authentication for Critical Function (https://cwe.mitre.org/data/definitions/306.html)

Metrics
CVSS Version: 3.1 | Base Score: 9.4 | Base Severity: CRITICAL
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-05.json

Summary

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and have remote access to sensitive information on the device.

The following versions of Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera are affected:
- IP Camera XM530V200_X6-WEQ_8M firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06 (CVE-2025-65856)

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.8 | Hangzhou Xiongmai Technology Co., Ltd | Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera | Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities

CVE-2025-65856
Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-65856

Affected Products
Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
Vendor: Hangzhou Xiongmai Technology Co., Ltd
Product Version: Hangzhou Xiongmai Technology Co., Ltd IP Camera XM530V200_X6-WEQ_8M firmware: V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06
Product Status: known_affected

Remediations
Mitigation: Hangzhou Xiongmai Technology Co., Ltd has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of XM530 IP cameras are invited to contact Xiongmai Technology customer support for additional information: https://www.xiongmaitech.com/en/index.php/about/contact/42
Malware Analysis Report at a Glance

Malware Name: FIRESTARTER

Original Publication: April 23, 2026

Executive Summary: The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA's update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices) and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions (https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions). The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies:
- Collect and submit core dumps to CISA's Malware Next Generation platform.
- Immediately report the submission via CISA's 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations:
- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience:
Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts (https://niccs.cisa.gov/tools/nice-framework/work-role/digital-forensics), incident responders (https://niccs.cisa.gov/tools/nice-framework/work-role/incident-response)
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-01.json

Summary

Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft.

The following versions of Yadea T5 Electric Bicycle are affected:
- T5 Electric Bicycle vers:all/* (CVE-2025-70994)

CVSS | Vendor | Equipment | Vulnerabilities
v3 7.3 | Yadea | Yadea T5 Electric Bicycle | Weak Authentication

Background
- Critical Infrastructure Sectors: Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities

CVE-2025-70994
Yadea T5 Electric Bicycles have a weak authentication mechanism which is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-70994

Affected Products
Yadea T5 Electric Bicycle
Vendor: Yadea
Product Version: Yadea T5 Electric Bicycle: vers:all/*
Product Status: known_affected

Remediations
Mitigation: Yadea did not respond to CISA's attempts at coordination. Users of Yadea T5 Electric Bicycles are encouraged to keep their systems up to date and lock their property securely with external mechanisms. Users can contact Yadea at https://yadea.com/contact-us

Relevant CWE: CWE-1390 Weak Authentication (https://cwe.mitre.org/data/definitions/1390.html)

Metrics
CVSS Version: 3.1 | Base Score: 7.3 | Base Severity: HIGH | Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json

Summary

Successful exploitation of these vulnerabilities could crash the device being accessed or allow remote code execution.

The following versions of Milesight Cameras are affected:
- MS-Cxx63-PD <=51.7.0.77-r12 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx64-xPD <=51.7.0.77-r12 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx73-xPD <=51.7.0.77-r12 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx75-xxPD <=51.7.0.77-r12 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx83-xPD <=51.7.0.77-r12 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx74-PA <=3x.8.0.3-r11 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-C8477-HPG1 <=63.8.0.4-r3 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-C8477-PC <=48.8.0.4-r3 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-C5321-FPE <=62.8.0.4-r5 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx72-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx62-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx52-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx66-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx66-xxxGPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx61-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx67-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx71-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx41-xxxPE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx76-PE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx65-PE <=61.8.0.5-r2 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx66-xxxG1 <=63.8.0.5-r3 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx62-xxxG1 <=63.8.0.5-r3 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766)
- MS-Cxx72-xxxG1 <=63.8.0.5-r3 (CVE-2026
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-06.json

Summary

Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete files.

The following versions of Intrado 911 Emergency Gateway (EGW) are affected:
- Emergency Gateway 7.x (CVE-2026-6074)
- Emergency Gateway 6.x (CVE-2026-6074)
- Emergency Gateway 5.x (CVE-2026-6074)

CVSS | Vendor | Equipment | Vulnerabilities
v3 9.8 | Intrado | Intrado 911 Emergency Gateway (EGW) | Path Traversal: '.../...//'

Background
- Critical Infrastructure Sectors: Emergency Services
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-6074
A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6074

Affected Products
Intrado 911 Emergency Gateway (EGW)
Vendor: Intrado
Product Version: Intrado Emergency Gateway: 7.x, Intrado Emergency Gateway: 6.x, Intrado Emergency Gateway: 5.x
Product Status: known_affected

Remediations
Mitigation: Intrado developed and released a software update on March 2nd, 2026, that addresses this issue and has contacted customers to coordinate applying the patch.
Mitigation: If you have questions, contact Intrado E911 Support: [email protected]

Relevant CWE: CWE-35 Path Traversal: '.../...//' (https://cwe.mitre.org/data/definitions/35.html)
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-04.json

Summary

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information.

The following versions of SpiceJet Online Booking System are affected:
- Online Booking System vers:all/* (CVE-2026-6375, CVE-2026-6376)

CVSS | Vendor | Equipment | Vulnerabilities
v3 7.5 | SpiceJet | SpiceJet Online Booking System | Authorization Bypass Through User-Controlled Key, Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: India

Vulnerabilities

CVE-2026-6375
A vulnerability in SpiceJet's booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-6375

Affected Products
SpiceJet Online Booking System
Vendor: SpiceJet
Product Version: SpiceJet Online Booking System: vers:all/*
Product Status: known_affected

Remediations
Mitigation: SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx

Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key (https://cwe.mitre.org/data/definitions/639.html)
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-39987 Marimo Remote Code Execution Vulnerability (https://www.cve.org/CVERecord?id=CVE-2026-39987)

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can. Mythos Preview, the model that led to Project Glasswing, found
CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation flaw (dubbed BlueHammer) that has been exploited in zero-day attacks. [...]
404 Media reports (alternate site): The FBI was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database…. The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on. "We learned that specifically on iPhones, if one's settings in the Signal app allow for message notifications and previews to show up on the lock screen, [then] the iPhone will internally store those notifications/message previews in the internal memory of the device," a supporter of the defendants who was taking notes during the trial told 404 Media.
Quorum Cyber report finds higher and further education institutions experienced 63% increase in attacks over a year
Cybersecurity researchers at Forcepoint uncover new indirect prompt injection attacks that use hidden website code to exploit AI assistants like GitHub Copilot.
Apple yesterday released iOS/iPadOS 26.4.2 and iOS/iPadOS 18.7.8. This update fixes a single Notification Services vulnerability, CVE-2026-28950:

Impact: Notifications marked for deletion could be unexpectedly retained on the device
Description: A logging issue was addressed with improved data redaction.

Apple did not mark the vulnerability as exploited. However, recent news articles reported that the FBI used this vulnerability to extract Signal messages from a device seized in a criminal case. The suspect in the case used Signal to communicate. Signal is encrypted end-to-end and attempts not to store retrievable data on the device itself. However, Signal may display a notification on the screen whenever a new message is received. These notifications may include the sender's username and some of the message's content. Signal used Apple's Notification Services framework to generate these notifications, and iOS did not delete their contents even when they were marked for deletion. The use of OS libraries and APIs like that has caused problems before, as they may not be designed with the same threat model in mind as the one used to create secure messaging applications.

-- Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.