Vulnerability | Breaking Cybersecurity News | The Hacker News

OpenAI has announced the launch of an "agentic security researcher" that's powered by its GPT-5 large language model (LLM) and is programmed to emulate a human expert capable of scanning, understanding, and patching code. Called Aardvark , the artificial intelligence (AI) company said the autonomous agent is designed to help developers and security teams flag and fix security vulnerabilities at scale. It's currently available in private beta. "Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches," OpenAI noted . It works by embedding itself into the software development pipeline, monitoring commits and changes to codebases, detecting security issues and how they might be exploited, and proposing fixes to address them using LLM-based reasoning and tool-use. Powering the agent is GPT‑5 , which OpenAI introduced in August 2025. The company describes it...

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. "The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said. The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy...

The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick . The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it has confirmed reports of active abuse of the security defect to drop a backdoor on compromised systems. Tick, also known as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon (formerly Tellurium), is a suspected Chinese cyber espionage actor known for its extensive targeting of East Asia, specifically Japan. It's assessed to be active since at least 2006. The sophisticated campaign, observed by Sophos, involved the exploitation of CVE-2025-61932 to deliver a known backdoor referred to as Gokcpdoor that can establish a proxy connection with a remote...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. "By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks," CISA said . The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Some of the best practices outlined are listed below - Maintain security updates and patching cadence Migrate end-o...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities ( KEV ) catalog, following reports of active exploitation in the wild. The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system. "Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability," CISA said in an alert. "A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM." The vulnerability was addressed by Broadcom-owned VMware last month, but not before it was exploited as a zero-day by unknown threat actors since mid-Oct...

A severe vulnerability disclosed in Chromium's Blink rendering engine can be exploited to crash many Chromium-based browsers within a few seconds. Security researcher Jose Pino, who disclosed details of the flaw, has codenamed it Brash . "It allows any Chromium browser to collapse in 15-60 seconds by exploiting an architectural flaw in how certain DOM operations are managed," Pino said in a technical breakdown of the shortcoming. At its core, Brash stems from the lack of rate limiting on " document.title " API updates, which, in turn, allows for bombarding millions of [document object model] mutations per second, causing the web browser to crash, as well as degrade system performance as a result of devoting CPU resources to this process. The attack plays out in three steps - Hash generation or preparation phase, where the attacker preloads into memory 100 unique hexadecimal strings of 512 characters that act as a seed for the browser tab title changes ...

Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai , Gafgyt , and Mozi . "These automated campaigns exploit known CVE vulnerabilities and cloud misconfigurations to gain control over exposed systems and expand botnet networks," the Qualys Threat Research Unit (TRU) said in a report shared with The Hacker News. The cybersecurity company said PHP servers have emerged as the most prominent targets of these attacks owing to the widespread use of content management systems like WordPress and Craft CMS . This, in turn, creates a large attack surface as many PHP deployments can suffer from misconfigurations, outdated plugins and themes, and insecure file storage. Some of the prominent weaknesses in PHP frameworks that have been exploited by threat actors are listed below - CVE-2017-9841 - A Remote code execution vulnerability in PHPUnit CVE-2021-3129 - A Re...

Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. "The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities," the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News. One of the web shells used in the attack was Localolive, which was previously flagged by Microsoft as put to use by a sub-group of the ...

Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency ( CISA ) and VulnCheck . The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to execute arbitrary code. CVE-2025-6205 (CVSS score: 9.1) - A missing authorization vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to gain privileged access to the application. CVE-2025-24893 (CVSS score: 9.8) - An improper neutralization of input in a dynamic evaluation call (aka eval injection ) in XWiki that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 202...

The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky. The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), a case of sandbox escape which the company disclosed in March 2025 as having come under active exploitation as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is also tracked as TaxOff/Team 46 by  Positive Technologies , Dante APT by F6, and  Prosperous Werewolf by BI.ZONE. It's known to be active since at least February 2024. The wave of infections involved sending phishing emails containing personalized, short-lived links inviting recipients to the Primakov Readings forum. Clicking the links through Google Chrome or a Chromium-based web browser was enough to trigger an exploit for CVE-2025-2783, enabling the attackers t...

Cybersecurity researchers have discovered a new vulnerability in OpenAI's ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant's memory and run arbitrary code. "This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware," LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery ( CSRF ) flaw that could be exploited to inject malicious instructions into ChatGPT's persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user's account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes. Memory, first introduced by OpenAI in February 2024, is...

The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups , accounting for 84 victims each in the months of August and September 2025. The Russian-speaking threat group emerged around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors. Attacks mounted by Qilin affiliates have likely leveraged leaked administrative credentials on the dark web for initial access using a VPN interface, followed by performing RDP connections to th...

The newly released OpenAI ChatGPT Atlas web browser has been found to be susceptible to a prompt injection attack where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to visit. "The omnibox (combined address/search bar) interprets input either as a URL to navigate to, or as a natural-language command to the agent," NeuralTrust said in a report published Friday. "We've identified a prompt injection technique that disguises malicious instructions to look like a URL, but that Atlas treats as high-trust 'user intent' text, enabling harmful actions." Last week, OpenAI launched Atlas as a web browser with built-in ChatGPT capabilities to assist users with web page summarization, inline text editing, and agentic functions. In the attack outlined by the artificial intelligence (AI) security company, an attacker can take advantage of the browser's lack of strict boundaries between trusted user input and untru...

Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Services (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug. The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It's worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled. In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted eve...

E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be abused to take over customer accounts in Adobe Commerce through the Commerce REST API. Also known as SessionReaper, it was addressed by Adobe last month. A security researcher who goes by the name Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236. The Dutch company said that 62% of Magento stores remain vulnerable to the security flaw six weeks after public disclosure, urging website administrators to apply the patches as soon as possible before broader exploitation activity picks up. Adobe has since revised its advisory to confirm reports of in-the-wil...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities ( KEV ) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager, specifically Client program and Detection Agent, and could allow attackers to execute arbitrary code on susceptible systems. "Motex LANSCOPE Endpoint Manager contains an improper verification of source of a communication channel vulnerability, allowing an attacker to execute arbitrary code by sending specially crafted packets," CISA said. The flaw impacts versions 9.4.7.1 and earlier. It has been addressed in the versions below - 9.3.2.7 9.3.3.9 9.4.0.5 9.4.1.5 9.4.2.6 9.4.3.8 9.4.4.6 9.4.5.4 9.4.6.3, and 9.4.7.3 It's currently not known how the vulnerability is being exploited in rea...

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country. According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770 , a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution. CVE-2025-53770, assessed to be a patch bypass for CVE-2025-49704 and CVE-2025-49706, has been weaponized as a zero-day by three Chinese threat groups , including Linen Typhoon (aka Budworm), Violet Typhoon (aka Sheathminer)...

From Detection to Resolution: Why the Gap Persists A critical vulnerability is identified in an exposed cloud asset. Within hours, five different tools alert you about it: your vulnerability scanner, XDR, CSPM, SIEM, and CMDB each surface the issue in their own way, with different severity levels, metadata, and context. What's missing is a system of action. How do you transition from the detection and identification of a security issue to remediation and resolution? The Continuous Threat Exposure Management (CTEM) framework was introduced to help organizations address this challenge, calling for a repeatable approach to scoping, discovery, validation, and ultimately, the mobilization of remediation efforts. The goal is not just to identify risk, but to act on it, continuously and at scale. In most environments, that mobilization happens, but it relies on manual processes. Findings remain fragmented across tools, each with its own format, language, and logic. The responsibility to ...