The Hacker News | #1 Trusted Source for Cybersecurity News

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild. The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025. CVE-2025-21479 relates to an incorrect authorization vulnerability in the Graphics component that could lead to memory corruption due to unauthorized command execution in GPU microcode. CVE-2025-27038, on the other hand, use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome. There are still no details on how these shortcomings have been weaponized in real-world attacks, but Qualcomm noted at the time that "there are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CV...

Cybersecurity researchers have disclosed a high-severity security flaw in the artificial intelligence (AI)-powered code editor Cursor that could result in remote code execution. The vulnerability, tracked as CVE-2025-54136 (CVSS score: 7.2), has been codenamed MCPoison by Check Point Research, owing to the fact that it exploits a quirk in the way the software handles modifications to Model Context Protocol (MCP) server configurations. "A vulnerability in Cursor AI allows an attacker to achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine," Cursor said in an advisory released last week. "Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt." MCP is an open-standard developed by Anthropic that allows large language mode...

In SaaS security conversations, "misconfiguration" and "vulnerability" are often used interchangeably. But they're not the same thing. And misunderstanding that distinction can quietly create real exposure. This confusion isn't just semantics. It reflects a deeper misunderstanding of the shared responsibility model, particularly in SaaS environments where the line between vendor and customer responsibility is often unclear. A Quick Breakdown Vulnerabilities are flaws in the codebase of the SaaS platform itself. These are issues only the vendor can patch. Think zero-days and code-level exploits. Misconfigurations , on the other hand, are user-controlled. They result from how the platform is set up—who has access, what integrations are connected, and what policies are enforced (or not). A misconfiguration might look like a third-party app with excessive access, or a sensitive internal site that is accidentally public. A Shared Model, but Split Responsibilities Most SaaS providers...

Why do SOC teams still drown in alerts even after spending big on security tools? False positives pile up, stealthy threats slip through, and critical incidents get buried in the noise. Top CISOs have realized the solution isn't adding more and more tools to SOC workflows but giving analysts the speed and visibility they need to catch real attacks before they cause damage.  Here's how they're breaking the cycle and turning their SOCs into true threat-stopping machines. Starting with Live, Interactive Threat Analysis The first step to staying ahead of attackers is seeing threats as they happen. Static scans and delayed reports just can't keep up with modern, evasive malware. Interactive sandboxes like ANY.RUN let analysts detonate suspicious files, URLs, and QR codes in a fully isolated, safe environment and actually interact with the sample in real time . Why CISOs give access to interactive sandboxes: Analysts can click links, open files, and mimic real user actions to trig...

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that's targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps. "Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users," CTM360 said . "The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform." The scam campaign has been codenamed ClickTok by the Bahrain-based cybersecurity company, calling out the threat actor's multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors. Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified t...

SonicWall said it's actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025. "Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled," the network security vendor said in a statement. "We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible." While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice - Disable SSL VPN services where practical Limit SSL VPN connectivity to trusted IP addresses Activate services such as Botnet Protection and Geo-IP Filtering Enforce multi-factor authentication Remove inactive or unused local user accounts ...

A newly disclosed set of security flaws in NVIDIA's Triton Inference Server for Windows and Linux, an open-source platform for running artificial intelligence (AI) models at scale, could be exploited to take over susceptible servers. "When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE)," Wiz researchers Ronen Shustin and Nir Ohfeld said in a report published today. The vulnerabilities are listed below - CVE-2025-23319 (CVSS score: 8.1) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request CVE-2025-23320 (CVSS score: 7.5) - A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request CVE-2025-23334 (CVSS score: 5.9) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds rea...

Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer. The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint report published by Beazley Security and SentinelOne and shared with The Hacker News. "This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection," security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal said . The campaigns have infected over 4,000 unique IP addresses spanning 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria...

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable. In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

Some of the most devastating cyberattacks don't rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties Fortunately, protecting your communications from MITM attacks doesn't require complex measures. By taking a few simple steps, your security team can go a long way in securing users' data and keeping silent attackers at bay. Know your enemy In a MITM attack , a malicious actor intercepts communications between two parties (such as a user and a web app) to steal sensitive information. By secretly positioning themselves between the two ends of the conversation, MITM attackers can capture data like credit card numbers,  login credentials , and account details. This stolen information o...

Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year. "The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access," Nextron Systems researcher Pierre-Henri Pezier said . Pluggable Authentication Modules refers to a suite of shared libraries used to manage user authentication to applications and services in Linux and UNIX-based systems. Given that PAM modules are loaded into privileged authentication processes, a rogue PAM can enable theft of user credentials, bypass authentication checks, and remain undetected by security tools. The cybersecurity company said it uncovered multiple Plague artifacts uploaded to VirusTotal since July 29, 2024, with none of them detected by antimalware engines as malicious. What's more, the presence of several samples signals active developme...

Everyone's an IT decision-maker now. The employees in your organization can install a plugin with just one click, and they don't need to clear it with your team first. It's great for productivity, but it's a serious problem for your security posture. When the floodgates of SaaS and AI opened, IT didn't just get democratized, its security got outpaced. Employees are onboarding apps faster than security teams can say, "We need to check this out first." The result is a sprawling mess of shadow IT, embedded AI, and OAuth permissions that would make any CISO break into a cold sweat. Here are five ways IT democratization can undermine your organization's security posture and how to prevent it from doing so. 1. You can't secure what you can't see Remember when IT security used to control what was allowed to pass the firewall? Good times. Today, anyone can find an app to do the heavy lifting for them. They won't notice or care when the app requires access to your company's Google Drive or...