

Security & IT News


Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · CISA · 25d ago
Kieback & Peter DDC Building Controllers

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json

Summary
Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser.

The following versions of Kieback & Peter DDC Building Controllers are affected:
- DDC4002 <=1.12.14 (CVE-2026-4293)
- DDC4100 <=1.12.14 (CVE-2026-4293)
- DDC4200 <=1.12.14 (CVE-2026-4293)
- DDC4200-L <=1.12.14 (CVE-2026-4293)
- DDC4400 <=1.12.14 (CVE-2026-4293)
- DDC4002e <=1.23.4 (CVE-2026-4293)
- DDC4200e <=1.23.4 (CVE-2026-4293)
- DDC4400e <=1.23.4 (CVE-2026-4293)
- DDC4020e <=1.23.4 (CVE-2026-4293)
- DDC4040e <=1.23.4 (CVE-2026-4293)
- DDC520 <=1.24.1 (CVE-2026-4293)

CVSS: v3 5.3 | Vendor: Kieback & Peter | Equipment: Kieback & Peter DDC Building Controllers | Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
- Critical Infrastructure Sectors: Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology
- Countries/Areas Deployed: Austria, China, France, Germany, United Arab Emirates
- Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-4293
The affected products are vulnerable to cross-site scripting (XSS), enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-4293

Affected Products: Kieback & Peter DDC Building Controllers
Vendor: Kieback & Peter
Product Version: Kieback & Peter DDC4002: <=1.12.14, Kieback & Peter DDC4100: <=1.12.14, Kieback & Peter DDC4200: <=1.12.14, Kieback & Peter DDC4200-L: <=1.12.14, Kieback & Peter DDC4400: <=1.12.14, Kieback & Peter DDC4002e: <=1.23.4, Kieback & Peter DDC4200e: <=1.23.4, Kieback & Peter DDC4400e: <=1.23.4, Kieback & Peter DDC4020e: <=1.23.4, Kieback & Peter DDC4040e: <=1.23.4, Kieback & Peter DDC520: <=1.24.1

Vulnerability · CISA · 25d ago
Siemens RUGGEDCOM APE1808 Devices

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-02.json

Summary
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/

The following versions of Siemens RUGGEDCOM APE1808 Devices are affected:
- RUGGEDCOM APE1808 vers:all/* (CVE-2026-0300)

CVSS: v3 10 | Vendor: Siemens | Equipment: Siemens RUGGEDCOM APE1808 Devices | Vulnerabilities: Out-of-bounds Write

Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-0300
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-0300

Affected Products: Siemens RUGGEDCOM APE1808 Devices
Vendor: Siemens
Product Version: RUGGEDCOM APE1808
Product Status: known_affected

Remediations
- Mitigation: Disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress. Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress.
- Mitigation: Disable User-ID™ Authentication Portal if not required.
- Mitigation: Restrict access to the User

Vulnerability · CISA · 25d ago
ABB CoreSense HM and CoreSense M10

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-01.json

Summary
An update is available that resolves the vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information.

The following versions of ABB CoreSense HM and CoreSense M10 are affected:
- CoreSense™ HM <=2.3.1, 2.3.4 (CVE-2025-3465)
- CoreSense™ M10 <=1.4.1.12, 1.4.1.31 (CVE-2025-3465)

CVSS: v3 7.1 | Vendor: ABB | Equipment: ABB CoreSense HM and CoreSense M10 | Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Background
- Critical Infrastructure Sectors: Food and Agriculture, Commercial Facilities, Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2025-3465
A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-3465

Affected Products: ABB CoreSense HM and CoreSense M10
Vendor: ABB
Product Version: CoreSense™ HM <=2.3.1, CoreSense™ M10 <=1.4.1.12
Product Status: fixed, known_affected

Remediations
- Vendor fix: The vulnerabilities are corrected in the following versions: CoreSense™ HM v2.3.4 & CoreSense™ M10 v1.4.1.31. ABB recommends that customers apply the update at the earliest convenience.

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (https://cwe.mitre.org/data/definitions/22.html)

Vulnerability · CISA · 25d ago
ZKTeco CCTV Cameras

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-04.json

Summary
Successful exploitation of this vulnerability could result in information disclosure, including capture of camera account credentials.

The following versions of ZKTeco CCTV Cameras are affected:
- SSC335-GC2063-Face-0b77 Solution

CVSS: v3 9.1 | Vendor: ZKTeco | Equipment: ZKTeco CCTV Cameras | Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel

Background
- Critical Infrastructure Sectors: Commercial Facilities
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: China

Vulnerabilities
CVE-2026-8598
An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials.
View CVE Details: https://www.cve.org/CVERecord?id=CVE-2026-8598

Affected Products: ZKTeco CCTV Cameras
Vendor: ZKTeco
Product Version: ZKTeco SSC335-GC2063-Face-0b77 Solution: <V5.0.1.2.20260421
Product Status: known_affected

Remediations
- Mitigation: ZKTeco has patched this vulnerability in firmware version V5.0.1.2.20260421. ZKTeco recommends that users upgrade to firmware version V5.0.1.2.20260421 or later at their earliest opportunity.
- Mitigation: Please see the security advisory from ZKTeco at https://www.zkteco.com/en/announcement/23 for further information.

Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel (https://cwe.mitre.org/data/definitions/288.html)

Vulnerability · The Hacker News · 25d ago
The New Phishing Click: How OAuth Consent Bypasses MFA

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a

🔬 Analysis · Schneier on Security · 25d ago
Laurie Anderson Is Quoting Me

Not by name, but Laurie Anderson quotes me in one of the tracks of her new album:

My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.”

Also in interviews:

“Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about the ad. “But, I mean, my favorite quote on this is from a cryptologist who said, ‘If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.’ And I think I’m completely on board with that.”

People are telling me that she has been reciting this quote in performances for years. (I lost track of her since college and her 1981 hit “O Superman.”)

The origin of the quote is Roger Needham:

If you think cryptography can solve your problem, you don’t understand your problem and you don’t understand cryptography.

I modified the quote in the preface to my 2000 book Secrets and Lies:

A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

I can’t tell you why me in 2000 didn’t credit Needham by name. I should have. I have used the quote pretty consistently since then. Somewhere along the line I dropped “security” from the phrase, and now say it more like Anderson quotes me:

If you think technology will solve your problem, you don’t understand your problem and you don’t understand technology.

I sometimes use singular and sometimes use plural. Sometimes I say “the problem” and “the technology.” But I think the quote flows better ending with just the word “technology.”

🩹 Patch · The Hacker News · 25d ago
Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

Drupal has issued an alert stating that it intends to release a "core security release" for all supported branches on May 20, 2026, from 5-9 p.m. UTC. "The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days," the maintainers of the PHP-based content management system (CMS) said. "Not all configurations are

Vulnerability · The Hacker News · 25d ago
SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access

Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. "These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,"

🔴 Breach · The Hacker News · 25d ago
Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open

Vulnerability · The Hacker News · 25d ago
Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

🔴 Breach · The Hacker News · 25d ago
Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly

🔴 Breach · Microsoft Security · 25d ago
How Storm-2949 turned a compromised identity into a cloud-wide breach

Microsoft Threat Intelligence recently uncovered a methodical, sophisticated, and multi-layered attack, where a threat actor we track as Storm-2949 launched a relentless campaign with a singular focus: to exfiltrate as much sensitive data from a target organization’s high-value assets as possible. The attack exfiltrated data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, where the organization’s production application ecosystem resides.

What began as a targeted identity compromise rapidly evolved into a full-spectrum assault on the organization’s cloud infrastructure. The attack spanned various Azure resources, with emphasis on software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) layers. Storm-2949 didn’t rely on traditional malware and other on-premises tactics, techniques, and procedures (TTPs). Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, which they then used to execute code remotely on VMs, and access sensitive cloud resources such as Key Vaults and storage accounts, among others. These activities allowed them to move laterally across cloud and endpoint environments while blending into expected administrative behavior.

As organizations continue to adopt cloud infrastructure at scale, threat actors are increasingly targeting identity and control plane access rather than individual devices. When cloud identities are compromised, legitimate administrative features can be used to achieve outcomes similar to traditional lateral movement, often with fewer indicators of compromise. Behavior-based detections across endpoints, cloud environments, and identities—such as those provided by Microsoft Defender—can help teams identify and correlate these activities.

In this blog, we unpack the full attack chain from initial access to cloud and endpoint takeover. We then offer actionable insights into how organizations can detect, contain, and prevent similar identity-driven threats in their environments.

Attack chain overview
The campaign that Storm-2949 deployed can be divided into two phases: targeted identity compromise and cloud infrastructure compromise. We discuss ea