Vulnerability | Breaking Cybersecurity News | The Hacker News

A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the "dnscfg.cgi" endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters. "An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution," VulnCheck noted in an advisory. "The affected endpoint is also associated with unauthenticated DNS modification ('DNSChanger') behavior documented by D-Link , which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019." The cybersecurity company also noted that exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025. Some of ...

The CERT Coordination Center (CERT/CC) has disclosed details of an unpatched security flaw impacting TOTOLINK EX200 wireless range extender that could allow a remote authenticated attacker to gain full control of the device. The flaw, CVE-2025-65606 (CVSS score: N/A), has been characterized as a flaw in the firmware-upload error-handling logic, which could cause the device to inadvertently start an unauthenticated root-level telnet service. CERT/CC credited Leandro Kogan for discovering and reporting the issue.  "An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access," CERT/CC said . Successful exploitation of the flaw requires an attacker to be already authenticated to the web management interface to access the firmware-upload functionality. CERT/CC said the firmware-upload handler enters an "abnormal error state" when certain ...

A new critical security vulnerability has been disclosed in n8n, an open-source workflow automation platform, that could enable an authenticated attacker to execute arbitrary system commands on the underlying host. The vulnerability, tracked as CVE-2025-68668 , is rated 9.9 on the CVSS scoring system. It has been described as a case of a protection mechanism failure. Cyera Research Labs' Vladimir Tokarev and Ofek Itach have been credited with discovering and reporting the flaw, which has been codenamed N8scape . It affects n8n versions from 1.0.0 up to, but not including, 2.0.0, and allows an authenticated user with permission to create or modify workflows to execute arbitrary operating system commands on the host running n8n. The issue has been addressed in version 2.0.0. "A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide," an advisory for the flaw states . "An authenticated user with permission to create or modify workflows can exp...

Users of the " @adonisjs/bodyparser " npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. "@adonisjs/bodyparser" is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers with TypeScript. The library is used to process AdonisJS HTTP request body . "If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory," the project maintainers said in an advisory released last week. ...

The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit. This week's stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions, logins, messages — the things people click without thinking. That's where damage starts now. This recap pulls those signals together. Not to overwhelm, but to show where attention slipped and why it matters early in the year. ⚡ Threat of the Week RondoDox Botnet Exploits React2Shell Flaw — A persistent nine-month-long campaign has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial...

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it's that threat actors don't pause for holidays or resolutions. They just evolve faster. This week's round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what "cybercrime" looks like in practice. Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn't about one big breach anymore; it's about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn't slowed; it's only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week. Here's a sharp look at what's moving beneath the surface of the cybersecurity world as 2026 begin...

Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to statistics from the Shadowserver Foundation, there are about 90,300 instances that remain susceptible to the vulnerability as of December 31, 2025, out of which 68,400 instances are located in the U.S., followed by Germany (4,300), France (2,800), and India (1,500). RondoDox, which emerged in early 2025, has broadened its scale by adding new N-day secur...

IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application. The vulnerability, tracked as CVE-2025-13915 , is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw. "IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application," the tech giant said in a bulletin. The shortcoming affects the following versions of IBM API Connect - 10.0.8.0 through 10.0.8.5 10.0.11.0 Customers are advised to follow the steps outlined below - Download the fix from Fix Central Extract the files: Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz Apply the fix based on the appropriate API Connect version "Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exp...

The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution. The vulnerability, tracked as CVE-2025-52691 , carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any authentication. "Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution," CSA said. Vulnerabilities of this kind allow the upload of dangerous file types that are automatically processed within an application's environment. This could pave the way for code execution if the uploaded file is interpreted and executed as code, as is the case with PHP files. In a hypothetical attack scenario, a bad actor could weaponize this vulnerability to place malici...

Last week's cyber news in 2025 was not about one big incident. It was about many small cracks opening at the same time. Tools people trust every day behave in unexpected ways. Old flaws resurfaced. New ones were used almost immediately. A common theme ran through it all in 2025. Attackers moved faster than fixes. Access meant for work, updates, or support kept getting abused. And damage did not stop when an incident was "over" — it continued to surface months or even years later. This weekly recap brings those stories together in one place. No overload, no noise. Read on to see what shaped the threat landscape in the final stretch of 2025 and what deserves your attention now. ⚡ Threat of the Week MongoDB Vulnerability Comes Under Attack — A newly disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7)...

A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world. The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed . "A flaw in zlib compression allows attackers to trigger information leakage," OX Security said . "By sending malformed network packets, an attacker can extract fragments of private data." The problem is rooted in MongoDB Server's zlib message decompression implementation ("message_compressor_zlib.cpp"). It affects instances with zlib compression enabled, which is the default configuration. Successful exploitation of the shortcoming could allow an attacker to extract sensitive information from MongoDB servers, including user information, passwords, and API keys. ...

A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory. The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency , which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of the associated data. "Mismatched length fields in zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client," according to a description of the flaw in CVE.org. The flaw impacts the following versions of the database - MongoDB 8.2.0 through 8.2.3 MongoDB 8.0.0 through 8.0.16 MongoDB 7.0.0 through 7.0.26 MongoDB 6.0.0 through 6.0.26 MongoDB 5.0.0 through 5.0.31 MongoDB 4.4.0 through 4.4.29 All MongoDB Server v4.2 versions All MongoDB Server v4.0 versions All MongoDB Server v3.6 versions The issue has b...

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core ) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch . "A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions," the project maintainers said in an advisory. "The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries." "The 'lc' key is used internally by LangChain to mark ser...

Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the case of the username was changed. "This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (e.g., LDAP)," Fortinet noted in July 2020. "The issue exists because of inconsistent case-sensitive matching among the local and remote authentication."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code execution. "Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via time_tzsetup.cgi," CISA said. The addition of CVE-2023-52163 to the KEV catalog comes in the multiple reports from Akamai and Fortinet about the exploitation of the flaw by threat actors to deliver botnets like Mirai and ShadowV2 . According to TXOne Research security researcher Ta-Lun Yen, the vulnerability, alongside an arbitrary file read bug (CVE-2023-52164, CVSS score: 5.1), remains unpatched due to the device reaching end-of-life (EoL) status. Successfu...

A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances. The vulnerability, tracked as CVE-2025-68613 , carries a CVSS score of 9.9 out of a maximum of 10.0. Security researcher Fatih Çelik has been credited with discovering and reporting the flaw. The package has about 57,000 weekly downloads, according to statistics on npm. "Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime," the maintainers of the npm package said . "An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of w...

WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code. "This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer," the company said in a Thursday advisory. "If the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured." The vulnerability impacts the following versions of Fireware OS - 2025.1 - Fixed in 2025.1.4 12.x - Fixed in 12.11.6 1...

Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access ( DMA ) attacks across architectures that implement a Unified Extensible Firmware Interface ( UEFI ) and input–output memory management unit ( IOMMU ). UEFI and IOMMU are designed to enforce a security foundation and prevent peripherals from performing unauthorized memory accesses, effectively ensuring that DMA-capable devices can manipulate or inspect system memory before the operating system is loaded. The vulnerability, discovered by Nick Peterson and Mohamed Al-Sharifi of Riot Games in certain UEFI implementations, has to do with a discrepancy in the DMA protection status. While the firmware indicates that DMA protection is active, it fails to configure and enable the IOMMU during the critical boot phase. "This gap allows a malicious DMA-capable Peripheral Component Interconnect E...

Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164 , carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE said in an advisory issued this week. It affects all versions of the software prior to version 11.00 , which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20. It's worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise that could allow attackers to perform unintended actions. "Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise," according to a description of the flaw published in CVE.org. "The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected." It's worth noting that the vulnerability refers to a supply chain attack that came to ligh...