View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json

Summary

Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls.

The following versions of Contemporary Controls BASC 20T are affected:
- BASControl20 3.1 (CVE-2025-13926)

CVSS: v3 9.8
Vendor: Contemporary Controls Sedona Alliance
Equipment: Contemporary Controls BASC 20T
Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision

Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2025-13926

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-13926

Affected Products

Contemporary Controls BASC 20T
Vendor: Contemporary Controls Sedona Alliance
Product Version: Contemporary Controls Sedona Alliance BASControl20: 3.1
Product Status: known_affected

Remediations

Mitigation: According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls for additional information. https://www.ccontrols.com/support/contacttech.htm

Relevant CWE: CWE-807 Reliance on Untrusted Inputs in a Security Decision (https://cwe.mitre.org/data/definitions/807.html)

Metrics

CVSS Version | Base Score | Base Severity
Security & IT News
Live: Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-02.json

Summary

Successful exploitation of this vulnerability could allow a low privileged remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line.

The following versions of GPL Odorizers GPL750 are affected:
- GPL750 (XL4) >=v1.0|
- GPL750 (XL4 Prime) >=v4.0|
- GPL750 (XL7) >=v13.0|
- GPL750 (XL7 Prime) >=v18.4|

CVSS: v3 8.6
Vendor: GPL Odorizers
Equipment: GPL Odorizers GPL750
Vulnerabilities: Missing Authentication for Critical Function

Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: United States

Vulnerabilities

CVE-2026-4436

A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-4436

Affected Products

GPL Odorizers GPL750
Vendor: GPL Odorizers
Product Version: GPL Odorizers GPL750 (XL4): >=v1.0|<v6.0, GPL Odorizers GPL750 (XL4 Prime): >=v4.0|<v6.0, GPL Odorizers GPL750 (XL7): >=v13.0|<v20.0, GPL Odorizers GPL750 (XL7 Prime): >=v18.4|<v20.0
Product Status: known_affected

Remediations

Mitigation: GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices. https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm

Mitigation: GPL Odorizers recommends users clear t
macOS Malware notnullOSX targets crypto wallets over $10K, using fake apps, Terminal tricks, and backdoors to steal funds and sensitive data.
As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility of security teams, bypassing controls and creating new blind spots in what is known as shadow AI. While similar to the phenomenon of
macOS 26.4 update introduced security warnings into Terminal to prevent ClickFix attacks, so attackers have shifted to Script Editor instead
Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact ("Invoice540.pdf") first appeared on the VirusTotal platform on November 28, 2025. A second
ProPublica has a scoop: In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings. The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica. Or, as one member of the team put it: “The package is a pile of shit.” For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security. […] The federal government could be further exposed if it couldn’t verify the cybersecurity of Microsoft’s Government Community Cloud High, a suite of cloud-based services intended to safeguard some of the nation’s most sensitive information. Yet, in a highly unusual move that still reverberates across Washington, the Federal Risk and Authorization Management Program, or FedRAMP, authorized the product anyway, bestowing what amounts to the federal government’s cybersecurity seal of approval. FedRAMP’s ruling—which included a kind of “buyer beware” notice to any federal agency considering GCC High—helped Microsoft expand a government business empire worth billions of dollars.
A spear-phishing campaign which spread across the Middle East between 2023 and 2024 has now been linked to Bitter APT group
An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX. Two of the targets included prominent Egyptian journalists and government critics, Mostafa
Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. [...]
SANS Institute reveals that AI agents are behind a 76% surge in non-human identities
Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December. [...]
Google’s threat intel team warns UNC6783, a new extortion group possibly linked to the “Raccoon” persona, is targeting BPOs and enterprises
Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month. [...]
Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects without proper notification and no way to quickly reinstate them, effectively blocking them from publishing new software builds and security patches for Windows users. [...]
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially when password change requirements include frequent password changes. Some examples we might see today:

Spring2026!
Spring26
April2026
April@2026
AprilShowers26
Bloom2026
Easter2026!
Passover2026

How is this data represented within passwords submitted to honeypots? Are bots updated to incorporate new year values at certain intervals?

Date range of data: 4/21/2024 - 3/29/2026
Number of unique passwords: 496,562

Figure 1: Top 10 contiguous numbers used in passwords submitted to sample of DShield honeypots.

When looking at contiguous numbers used within passwords, we see similar data from a couple of years ago. The top two contiguous numbers seen within passwords submitted to honeypots were 123 and 1. However, rather than many of the other high volume contiguous numbers representing a subset of 123456, the passwords included other numbers such as 100000, 19, 69, 200. It turns out that this activity was related to a potential DDoS or stress testing of an endpoint using ICMP. 100000 was the desired number of packets sent to the destination host and the other numbers represented each octet of the destination IP.

Figure 2: Passwords submitted to honeypots that were supposed to be commands run once access was gained to the honeypot.

The source IP 147.45.47.117 was attempting these commands between 11/18/2024 and 11/24/2024. The activity was seen on honeypots distributed in GCP, Digital Ocean, Azure and a residential honeypot. This was not seen on samples from an AWS honeypot. Other activities from this source were seen between 11/14/2024 and 12/1/2024. Most of the sessions from this host are repeated attempts to download a script from 45.125.66.215 and install it as a service.

Figure 3: Repeated attempts to set up and install a service using a downloaded script from 45.125.66.215.

Unfortunately, the file was not downloaded by any of the honeypots, so there was not a file to reference.

Okay, back to passwords and number usage. Let's take a look at number frequency use in the passwords submitted to honeypots.

Figure 4: Individual number frequency used within passwords submitted to honeypots.

Similar to the previous review, generally the lower the number, the more frequently it's used in a password. The most common digits used are 0, 1, 2 and 3. What about 4-digit numbers?

Figure 5: Top 10 numbers used within passwords submitted to honeypots only containing 4 digits.

This was also similar to the previous review. 1234 is still the most common and usually the most prevalent year seen is the prior year. We do see 2026 in this list, but since there are only a few months of data, it hasn't quite hit the vo
A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image. [...]
The popular open source VPN maker is the second high-profile developer to say Microsoft locked his account without notifying him and is blocking their ability to send software updates to users.
A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. [...]