The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0. "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests," the company said in an advisory. The company said it observed the flaw being exploited in the wild on FortiVoice systems, but did not disclose the scale of the attacks and the identity of the threat actors behind them. It further noted that the threat actor performed device network scans, erased system crash logs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The issue affects the following products and versions - FortiCamera 1.1, 2.0 (Migrate to a fixed release) FortiCamer...

Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below - CVE-2025-4427 (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials CVE-2025-4428 (CVSS score: 7.2) - A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system The flaws impact the following versions of the product - 11.12.0.4 and prior (Fixed in 11.12.0.5) 12.3.0.1 and prior (Fixed in 12.3.0.2)  12.4.0.1 and prior (Fixed in 12.4.0.2) 12.5.0.0 and prior (Fixed in 12.5.0.1) Ivanti, which credited CERT-EU for reporting the issues, said it's "aware of a very limited number of customers who have been exploited at the time of disclosure" and that the vulnera...

A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324 , an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company h...

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that purports to be an application related to the Solana blockchain, but contains malicious functionality to steal source code and developer secrets. The package, named solana-token, is no longer available for download from PyPI, but not before it was downloaded 761 times . It was first published to PyPI in early April 2024, albeit with an entirely different version numbering scheme. "When installed, the malicious package attempts to exfiltrate source code and developer secrets from the developer's machine to a hard-coded IP address," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. In particular, the package is designed to copy and exfiltrate the source code contained in all the files in the Python execution stack under the guise of a blockchain function named "register_node()." This unusual behavior suggests that...

The cybersecurity landscape has been dramatically reshaped by the advent of generative AI. Attackers now leverage large language models (LLMs) to impersonate trusted individuals and automate these social engineering tactics at scale.  Let's review the status of these rising attacks, what's fueling them, and how to actually prevent, not detect, them.  The Most Powerful Person on the Call Might Not Be Real Recent threat intelligence reports highlight the growing sophistication and prevalence of AI-driven attacks: Voice Phishing Surge: According to CrowdStrike's 2025 Global Threat Report , there was a 442% increase in voice phishing (vishing) attacks between the first and second halves of 2024, driven by AI-generated phishing and impersonation tactics. Social Engineering Prevalence: Verizon's 2025 Data Breach Investigations Report indicates that social engineering remains a top pattern in breaches, with phishing and pretexting accounting for a significant portion of inc...

The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia . Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion." "The group's interest in Ukraine follows historical targeting of government entities in Russia for strategic intelligence gathering purposes," security researchers Greg Lesnewich, Saher Naumaan, and Mark Kelly said in a report shared with The Hacker News. Konni APT , also known as Opal Sleet, Osmium, TA406, and Vedalia , is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia. It's operational since at least 2014. Attack chains mounted by the threat actor often involve the use of phishing emails to distribute malware called Konni RAT (aka UpDog) and redirect r...

Moldovan law enforcement authorities have arrested a 45-year-old foreign man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021. "He is wanted internationally for committing several cybercrimes (ransomware attacks, blackmail, and money laundering) against companies based in the Netherlands," officials said in a statement Monday. In conjunction with the arrest, police seized over €84,000 ($93,000) in cash, an electronic wallet, two laptops, a mobile phone, a tablet, six bank cards, two data storage devices, and six memory cards. The suspect's name was not disclosed. But he is said to have been detained after a search of his residence in Moldova. In at least one instance, the individual conducted a ransomware attack on the Netherlands Organization for Scientific Research (NWO), causing material damage worth approximately €4.5 million. The attack took place in February 2021, resulting in the leak of internal documents after th...

A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. "These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said . "The targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities." The activity has been attributed to a threat group it tracks as Marbled Dust (formerly Silicon), which is also known as Cosmic Wolf, Sea Turtle, Teal Kurma, and UNC1326. The hacking crew is believed to have been active since at least 2017, although it wasn't until two years later that Cisco Talos documented attacks targeting public and private entities in the Middle East and North Africa. Early last year, it was also identified as targeting telecommunication, media, in...

ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution. DriverHub is a tool that's designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a dedicated site hosted at "driverhub.asus[.]com." The flaws identified in the software are listed below - CVE-2025-3462 (CVSS score: 8.4) - An origin validation error vulnerability that may allow unauthorized sources to interact with the software's features via crafted HTTP requests CVE-2025-3463 (CVSS score: 9.4) - An improper certificate validation vulnerability that may allow untrusted sources to affect system behavior via crafted HTTP requests Security researcher MrBruh, who is credited with discovering and reporting the two vulnerabilities, said they could be exploite...

What do a source code editor, a smart billboard, and a web server have in common? They've all become launchpads for attacks—because cybercriminals are rethinking what counts as "infrastructure." Instead of chasing high-value targets directly, threat actors are now quietly taking over the overlooked: outdated software, unpatched IoT devices, and open-source packages. It's not just clever—it's reshaping how intrusion, persistence, and evasion happen at scale. ⚡ Threat of the Week 5Socks Proxy Using IoT, EoL Systems Dismantled in Law Enforcement Operation — A joint law enforcement operation undertaken by Dutch and U.S. authorities dismantled a criminal proxy network, known as anyproxy[.]net and 5socks[.]net, that was powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. The illicit platform, active since 2004, advertised more than 7,000 online proxies daily, with infected ...

Detecting leaked credentials is only half the battle. The real challenge—and often the neglected half of the equation—is what happens after detection. New research from GitGuardian's State of Secrets Sprawl 2025 report reveals a disturbing trend: the vast majority of exposed company secrets discovered in public repositories remain valid for years after detection, creating an expanding attack surface that many organizations are failing to address. According to GitGuardian's analysis of exposed secrets across public GitHub repositories, an alarming percentage of credentials detected as far back as 2022 remain valid today: "Detecting a leaked secret is just the first step," says GitGuardian's research team. "The true challenge lies in swift remediation." Why Exposed Secrets Remain Valid This persistent validity suggests two troubling possibilities: either organizations are unaware their credentials have been exposed (a security visibility problem),...