p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-07.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Schneider Electric is aware of a vulnerability in its EcostruxureTM Machine Expert HVAC product. The [EcostruxureTM Machine Expert HVAC](https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC/) product is a programming software for Modicon M171-M172 logic controllers. Failure to apply the remediation provided below may risk in revealing sensitive information, which could result in disclosing protected source code, leading to loss of confidentiality. /strong /p p The following versions of Schnieider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) are affected: /p ul li Ecostruxure™ Machine Expert HVAC vers lt;1.10.0 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 5.5 /td td Schneider Electric /td td Schnieider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) /td td Cleartext Storage of Sensitive Information /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Chemical, Critical Manufacturing, Energy, Water and Wastewater /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong France /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-6332 /a /h3 div class="csaf-accordion-content" p CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, when an authorized attacker accesses the source code for editing or compiling it. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-6332" View CVE Details /a /p hr h4 Affected Products /h4 h5 Schnieider Electric EcoStruxure Machine Expert HVAC (SEVD-2026-132-01) /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Schneider Electric /div div class="ics-version" strong Product Version: /strong br Ecostruxure™ Machine Expert HVAC Versions prior to 1.10.0 /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br Version 1.10.0 of Ecostruxure™ Machine Expert HVAC includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC_1_10_0/ nbsp; br a href="https://www.se.com/ww/en/download/document/EcoStruxureME_HVAC_1_10_0/"
Security & IT News
LiveReal-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-148-03.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. A firmware update is available that resolves these privately reported vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited these vulnerabilities could access sensitive information stored inside the device and can change the configuration of the device. /strong /p p The following versions of ABB EIBPORT are affected: /p ul li EIBPORT V3 KNX (2CLA963710W1001) lt;3.9.2 /li li EIBPORT V3 KNX (2CSM256242R2001) lt;3.9.2 /li li EIBPORT V3 KNX GSM (2CLA963720W1001) lt;3.9.2 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 8 /td td ABB /td td ABB EIBPORT /td td Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing, Information Technology /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2021-22291 /a /h3 div class="csaf-accordion-content" p The vulnerability allows the successful attacker to receive a copy of the session id. /p p a href="https://www.cve.org/CVERecord?id=CVE-2021-22291" View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB EIBPORT /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br ABB /div div class="ics-version" strong Product Version: /strong br EIBPORT V3 KNX (2CLA963710W1001) Version lt;3.9.2, EIBPORT V3 KNX (2CSM256242R2001) Version lt;3.9.2, EIBPORT V3 KNX GSM (2CLA963720W1001) version lt; 3.9.2 /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br ABB recommends that customers apply the update at the earliest convenience. /p /div p strong Relevant CWE: /strong a href="https://cwe.mitre.org/data/definitions/79.html" CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') /a /p hr h4 Metrics /h4 div class="csaf-table csaf-metrics-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS Version /th th role="columnheader" Base Sc
Overview Rapid7 Labs discovered a critical argument injection ( CWE-88 ) vulnerability in Gogs , a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch. The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default ( DISABLE_REGISTRATION = false ) and no limit on repository creation ( MAX_CREATION_LIMIT = -1 ), an unauthenticated attacker can simply create an account and repository on any default-configured instance. Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user. Alternatively, any user with write access to a repository where rebase is already enabled can exploit it directly. On instances where repository creation is restricted, an attacker still only needs write access to any repository that has (or can have) rebase merging enabled. The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code. The latest release versions at the time of research, Gogs 0.14.2 and 0.15.0+dev (commit b53d3162 ), were confirmed to be affected. All prior versions supporting the "Rebase before merging" style are likely vulnerable as well. Product description Gogs is a lightweight, self-hosted Git service written in Go. With ~50,000 GitHub stars and over 5,000 forks , it's one of the more popular self-hosted alternatives to GitHub, commonly deployed by companies, universities, and open-source projects. A Shodan search for http.title:"Gogs" http.title:"Sign In" returns 1,141 internet-facing instances at the time of publication. The real install base is much larger since most deployments sit behind VPNs or internal networks. Credit This vulnerability was discovered by Jonah Burgess (CryptoCat), Senior Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy . Impact Any Gogs instance with more than one user account is effectively "multi-tenant", meaning each user has their own repositories, credentials, and data on a shared server. This is the default for organizations, universities, and teams that use Gogs as a shared Git hosting platform. On any such
Microsoft warned the disclosure of several unpatched vulnerabilities without notice has put “customers at unnecessary risk”
State of AI Usage Report 2026 (full report here) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a
New actor Jinx-0164 hit crypto developers with fake recruiter lures and macOS malware
Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026. [...]
ISC2 survey of cybersecurity professionals suggests that staff want their information security leaders to have experienced reacting to a significant cyber incident
GCHQ director urges urgent business cyber action as AI and quantum reshape the threat
A Canadian man was sentenced to 33 years in prison after pleading guilty to targeting more than 145 children across the United States, some as young as 6 years old, in an eight-year-long sextortion scheme. [...]
A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal,
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. [...]
Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up the interesting forensic work is over. The questions that matter to defenders sit earlier. How did they get in. When did they get domain admin. What did they touch before the binary fired. Those answers live in the days before impact. They sit in two log sources that almost never get joined. The perimeter firewall and the Windows event channel. This diary walks through a recent Akira-attributed intrusion at a mid-sized organization. The reconstruction used only SSLVPN syslog and Windows EVTX exports. No EDR. No memory captures. Every identifier in the post has been anonymized. The event types and sequencing are preserved exactly as observed. The setup The environment was a single-site Active Directory forest behind a perimeter NGFW. SSLVPN gave remote access to a small workforce. We started the engagement with the following sources available: Firewall syslog covering roughly seven days before the encryption event. Authentication, IPS and traffic categories were retained. EVTX exports from both domain controllers and three member servers. Channels covered were Security, System and Microsoft-Windows-PowerShell/Operational. The ransom note text file and a sample of encrypted files. Used only to confirm attribution. No EDR. No PCAP. No proxy logs. This is a representative starting point for many small and mid-sized organizations. It is also why the joinable signal between the firewall and the Windows event channels matters so much. Stage 1: Initial access The first useful signal came from the firewall authentication log. We filtered SSLVPN events for the 72 hours before the encryption event. An unambiguous brute-force pattern jumped out. It targeted a single local SSLVPN account. The customer confirmed later that the account had been disabled in Active Directory. It remained provisioned as a local firewall user. Two details from Figure 1 deserve a closer look. The brute force was not distributed. Every failure came from a single source IP in a hosting-provider range. One IPS rule or a geo-block would have stopped it. The successful authentication landed inside the ramp. There was no pause to test the credential. The attacker walked straight in once one matched. That is the behavioral fingerprint of credential stuffing against a known target. Mapping this to the firewall vendor known SSLVPN credential exposure issue is plausible. It is not strictly provable from the logs we had. What is provable is this. The local account had no MFA. It had been deprovisioned in AD but not in the firewall. Its password survived a six-hour online attack. Stages 2 and 3: Discovery and credential access Once on the VPN the attacker had a layer-3 path into the user VLAN. The pivot point to internal evidence was the firewall NAT log. It gave us the post-VPN source IP and the relevant time window. We joined that window against the Windows Security channel. The first internal e
Can Big Data predict markets? Learn how AI, investor behavior, and digital signals shape modern forecasting across stocks and crypto trends.
The third-party website exposed passports, selfies, and the location data of applicants who submitted their documents as part of the U.K. visa application process. Instead of fixing the issue, the website sent attorneys.
Iran’s Nimbus Manticore hackers used trojanized Zoom installers to deploy malware against US firms during a wider IRGC linked cyber campaign.
Cybercriminals used the Glassworm botnet to infect open source software projects with malware, and in turn hack the developers and companies that use that software.
Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That's according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The