Security & IT News

Your attack surface no longer lives on one operating system, and neither do the campaigns targeting it. In enterprise environments, attackers move across Windows endpoints, executive MacBooks, Linux infrastructure, and mobile devices, taking advantage of the fact that many SOC workflows are still fragmented by platform. For security leaders, this creates a

p CISA has added one new vulnerability to its a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href="https://www.cve.org/CVERecord?id=CVE-2026-35616" target="_blank" CVE-2026-35616 /a - Fortinet FortiClient EMS Improper Access Control Vulnerability /li /ul p This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href="https://www.cisa.gov/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities" specified criteria /a . nbsp; /p

The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on

In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors[ 1 ], which made me wonder about how commonly these mechanisms are actually misused Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing. The reason is quite straightforward links pointing to legitimate domains (such as google.com) included in phishing messages may appear benign to recipients and can also evade simpler e-mail scanners and other detection mechanisms. Even though open redirect has not been listed in OWASP Top 10 for quite some time, it is clear that attackers have never stopped looking for it or using it. If I look at traffic on almost any one of my own domains, hardly a month goes by when I don t see attempts to identify potentially vulnerable endpoints, such as: /out.php?link=https://domain.tld/ While these attempts are not particularly frequent, they are generally consistent. We also continue to see open redirect used in phishing campaigns. Last year, I wrote about a campaign using a half-open (i.e., easily abusable) redirect mechanism on Google [ 2 ], and similar cases still seem to appear regularly. But how regular are they, actually? To find out, I reviewed phishing e-mails collected through my own filters and spam traps, as well as samples sent to us here at the ISC (either by our professional colleagues, or by threat actors themselves), over the first quarter of this year. Although the total sample only consisted of slightly more than 350 individual messages (and is therefore far from statistically representative), it still provided quite interesting results. Redirect-based phishing accounted for a little over 21 % of all analyzed messages sent out over the first 3 months of 2026 specifically for 32 % in January, 18 % in February and 16.5 % in March. It should be noted that if a message contained multiple malicious links and at least one of them used a redirect, the entire message was counted exclusively as a redirect sample, and that not all redirect cases were classic open redirects . In fact, the abused redirect mechanisms varied widely. Some behaved similarly to the aforementioned Google-style half-open redirects (see details below), while others were fully open. In some cases, the redirectors were part of tracking or advertising systems, while in others, they were implemented as logout endpoints or similar mechanisms. It should be noted that URL shorteners were also counted as redirectors (although these were not particularly common). As we mentioned, the Google-style redirects are not fully open. They do require a specific valid token to work, however, since these tokens are typically reusable, have a very long lifetime, and are not tied to any specific context (such as IP address or session), they can be and

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information. [...]

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]

CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely. Revised on 2026-04-04 00:00:00

A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. [...]

Additional Adapters and More Modules This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7 . Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into! New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks! Thanks to g0tmi1k , Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for targeting generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. This can result in a Meterpreter shell on the remote target. To round this week off, we have a new persistence technique on Windows, thanks to Nayeraneru , which abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon. New module content (5) FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Authors: Moses Bhardwaj (MosesOX) , Nir Zadok (nirzadokox) , Valentin Lobstein [email protected] , and offensiveee Type: Exploit Pull request: #21069 contributed by Chocapikk Path: multi/http/freescout_htaccess_rce AttackerKB reference: CVE-2026-27636 Description: This adds an exploit module for CVE-2026-28289, an unauthenticated remote code execution vulnerability in FreeScout versions prior or equal to 1.8.206. Grav CMS Admin Direct Install Authenticated Plugin Upload RCE Authors: binneko and x1o3 Type: Exploit Pull request: #21029 contributed by x1o3 Path: multi/http/grav_admin_direct_install_rce_cve_2025_50286 AttackerKB reference: CVE-2025-50286 Description: This adds a new exploit module for CVE-2025-50286, an authenticated RCE vulnerability in Grav CMS 1.1.x–1.7.x with Admin Plugin 1.2.x–1.10.x. The module exploits the Direct Install feature to upload a malicious plugin ZIP and execute an arbitrary PHP payload as the web server user. Generic HTTP Command Execution Authors: egypt [email protected] and g0tmi1k Type: Exploit Pull request: #21023 contributed by g0tmi1k Path: multi/http/os_cmd_exec Description: Adds a new exploits/multi/http/os_cmd_exec module that targets generic HTTP command execution vulnerabilities where user-supplied input is directly passed to system execution functions via an HTTP request. Windows Persistence via UserInitMprLogonScript Author: Nayera Type: Exploit Pull request: #21032 contributed by Nayeraneru Path: windows/persistence/userinit_mpr_logon_script Description: This adds a new Windows persistence module that abuses the HKCU\Environment\UserInitMprLogonScript registry value to execute a payload at user logon. HTTP and HTTPS Fetch Authors:

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. "This TA416 activity included multiple

Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. "Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,

What you’ll learn in this article This article explains why many breaches are driven by gaps in visibility rather than advanced exploits, how attackers move through modern environments, and what changes when organizations start connecting assets, identities, and attack paths into a single view. What is a visibility problem in cybersecurity? A visibility problem exists when security teams cannot clearly answer three basic questions: what assets exist, who or what can access them, and how those elements connect. When those answers are incomplete, decisions are made based on assumptions – and that creates conditions where risk can grow, unnoticed. As environments expand across cloud, SaaS, and hybrid infrastructure, the number of systems and identities grows quickly. What often falls behind is a clear understanding of how they relate to each other, and that gap is where attackers tend to operate. How visibility gaps turn into breaches A large medical technology organization experienced a breach driven by a series of compounding gaps rather than a single exploit. Internet-exposed assets created the initial entry point, while inconsistencies in device posture and identity enforcement, including gaps in platforms like Intune, weakened the security boundary. Attackers leveraged exposed or reused credentials and over-permissioned access to move laterally across systems. Without unified visibility across assets, identities, and managed devices, the attack path remained invisible until critical systems were reached. Each of these conditions is common on its own, but what makes them dangerous is how they connect. Why most attacks are not about flashy exploits This breach did not rely on a zero-day vulnerability or an advanced technique. It depended on an exposed asset, valid credentials, and inconsistent enforcement across identity and devices. Those elements exist in most environments, but without visibility into how they overlap, they can be combined into a viable attack path. Security teams often evaluate vulnerabilities individually, while attackers focus on how those weaknesses can be chained together. The risk is not just in what is vulnerable, but in how exposure allows movement. What a visibility-first approach looks like Improving outcomes depends on understanding how exposure exists across the environment and how different elements relate to each other. Asset visibility is the starting point. Many organizations cannot confidently identify everything that is externally accessible, and attackers often find assets that were never intended to be exposed. Continuously mapping assets across cloud and on-prem environments reduces that uncertainty and limits entry points. Identity is just as critical. Once access is established, movement depends on credentials and permissions. Stolen credentials, over-permissioned accounts, and weak authentication paths allow attackers to move beyond initial entry. Treating identity exposure as part of the attack surface

The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly-targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069. Maintainer Jason Saayman said the attackers tailored their social engineering efforts "specifically to me" by first approaching him under the guise of the founder of a

The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it. Cynomi's new guide, Securing the Modern Perimeter: The Rise of Third-Party

Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while

A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey. [...]

Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the&

Starting this week, Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. [...]