Briefs

A China-nexus threat actor is utilizing Google Calendar as a command and control (C2) infrastructure to conduct stealthy operations.

CVE-2026-20963, a SharePoint deserialization vulnerability, is under active exploitation and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching and auditing of potentially compromised data.

An unprivileged user may exploit CVE-2026-3888 to escalate privileges to root by creating malicious files in the /tmp/.snap directory.

Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.

VoidStealer leverages Chrome debugging capabilities to extract sensitive information, such as credentials and session cookies, directly from the browser's memory.

A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.

SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.

Vulnerabilities in Paxton Net2 Access Control Units (ACUs) could allow unauthorized remote access and control of secured doors, potentially affecting prisons and other high-security facilities.

CISA is urging hardening of endpoint management systems following a cyberattack against a US organization, highlighting the potential for significant impact via compromised management infrastructure.

A new exploit dubbed 'DarkSword' is being actively exploited in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.

A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.

Analysis of North Korean IT workers reveals techniques for infiltrating Western tech companies, including fake identity creation, internal training, and recruitment of collaborators.

A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.

Researchers have disclosed unspecified vulnerabilities in IP KVM devices from four manufacturers, potentially allowing attackers to gain unauthorized access to connected systems.

CVE-2026-22729 is a JSONPath Injection vulnerability found in Spring AI's PgVectorStore, potentially allowing for unauthorized data access or modification.

Two critical XSS vulnerabilities, Reflected XSS in the /image-proxy endpoint and Stored XSS in bookmark cards, were discovered in AFFiNE, a self-hosted alternative to Notion, with the vendor being unresponsive.

CISA is urging US organizations to secure their Microsoft Intune systems due to a breach at Stryker, highlighting potential vulnerabilities in cloud-based device management that could lead to unauthorized access and control over managed devices.

The DarkSword exploit chain targets iOS versions 18 and under by exploiting a WebKit vulnerability, and is being adopted by multiple threat actors for initial access and execution.

Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.

A remote code execution vulnerability exists in the GNU Inetutils Telnet server, potentially allowing unauthenticated attackers to execute arbitrary code on vulnerable systems.

CrowdStrike Falcon AIDR now supports NVIDIA NeMo Guardrails (v0.20.0) to protect AI agents from prompt injection, data exposure, and unauthorized actions, enabling safer deployment of AI applications.

StoatWaffle is malware employed by the WaterPlum threat actor, used for an unknown purpose.

The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.

ScreenConnect version 26.1 has a vulnerability related to the insufficient protection of server-level cryptographic material, potentially allowing unauthorized access and data compromise.

The Warlock group utilizes web shells and tunneling to deploy ransomware within compromised environments, impacting victim data confidentiality and availability.

RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.

An unpatched vulnerability in QEMU's virtio-snd component allows for a hypervisor escape due to an uncontrolled heap overflow.

CVE-2026-3888 allows a local attacker to escalate privileges to root on Ubuntu 24.04 systems due to a vulnerability in the snapd service.

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an attacker-controlled identity provider and bypassing normal authentication.