The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The danger isn't that AI agents have bad days — it's that they never do. They execute faithfully, even when what they're executing is a mistake. A single misstep in logic or access can turn flawless automation into a flawless catastrophe. This isn't some dystopian fantasy—it's Tuesday at the office now. We've entered a new phase where autonomous AI agents act with serious system privileges. They execute code, handle complex tasks, and access sensitive data with unprecedented autonomy. They don't sleep, don't ask questions, and don't always wait for permission. That's powerful. That's also risky. Because today's enterprise threats go way beyond your garden-variety phishing scams and malware. The modern security perimeter? It's all about identity management. Here's the million-dollar question every CISO should be asking: Who or what has access to your critical systems, can you secure and govern that access, and can you actually prove it? Ho...

Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1. "An out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process may allow a remote unauthenticated attacker to execute arbitrary code," WatchGuard said in an advisory released last month. "This vulnerability affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer." It has been addressed in the following versions - 2025.1 - Fixed in 2025.1.1 12.x - Fixed in 12.11.4 12.3.1 (FIPS-certified release) - Fixed in 12.3.1_Update3 (B722811) 12.5.x (T15 & T35 models) -...

Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were "used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware," the Microsoft Threat Intelligence team said in a post shared on X. The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware. Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that's assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the year...

A threat actor with ties to the Democratic People's Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed by Google Threat Intelligence Group (GTIG) to a threat cluster it tracks as UNC5342 , which is also known as CL-STA-0240 (Palo Alto Networks Unit 42), DeceptiveDevelopment (ESET), DEV#POPPER (Securonix), Famous Chollima (CrowdStrike), Gwisin Gang (DTEX), Tenacious Pungsan (Datadog), and Void Dokkaebi (Trend Micro). The attack wave is part of a long-running campaign codenamed Contagious Interview , wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. The end goal of these efforts is to ...

A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. "UNC5142 is characterized by its use of compromised WordPress websites and 'EtherHiding,' a technique used to obscure malicious code or data by placing it on a public blockchain, such as the BNB Smart Chain," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. As of June 2025, Google said it flagged about 14,000 web pages containing injected JavaScript that exhibit behavior associated with an UNC5142, indicating indiscriminate targeting of vulnerable WordPress sites. However, the tech giant noted that it has not spotted any UNC5142 activity since July 23, 2025, either signaling a pause or an operational pivot. EtherHiding was first documented ...

An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro , according to findings from Synacktiv. "This backdoor features functionalities relying on the installation of two eBPF [extended Berkeley Packet Filter] modules, on the one hand to conceal itself, and on the other hand to be remotely activated upon receiving a 'magic packet,'" security researcher Théo Letailleur said . The infection, per the French cybersecurity company, involved the attackers exploiting an exposed Jenkins server vulnerable to CVE-2024-23897 (CVSS score: 9.8) as the starting point, following which a malicious Docker Hub image named "kvlnt/vv" (now removed) was deployed on several Kubernetes clusters. The Docker image consists of a Kali Linux base along with a folder called "app" containing three files - start.sh, a shell script to start the SSH service and execute the...

Scaling the SOC with AI - Why now?  Security Operations Centers (SOCs) are under unprecedented pressure. According to SACR's AI-SOC Market Landscape 2025 , the average organization now faces around 960 alerts per day , while large enterprises manage more than 3,000 alerts daily from an average of 28 different tools . Nearly 40% of those alerts go uninvestigated , and 61% of security teams admit to overlooking alerts that later proved critical. The takeaway is clear: the traditional SOC model can't keep up. AI has now moved from experimentation to execution inside the SOC. 88% of organizations that don't yet run an AI-driven SOC plan to evaluate or deploy one within the next year. But as more vendors promote "AI-powered SOC automation," the challenge for security leaders has shifted from awareness to evaluation. The key question is no longer whether AI belongs in the SOC, but how to measure its real impact and select a platform that delivers value without introducing signi...

Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group. The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks. "The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881 ) to enable memory access," research...

Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results.  The benefits of pen testing are clear. By empowering "white hat" hackers to attempt to breach your system using similar tools and techniques to an adversary, pen testing can provide reassurance that your IT set-up is secure. Perhaps more importantly, it can also flag areas for improvement.  As the UK's National Cyber Security Centre (NCSC) notes, it's comparable to a financial audit . "Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team's processes are sufficient." While the advantages are obvious, it's vital to understand the true cost of the process: indeed, the classic approach can often demand significant time and effort from your team. You need to get yo...

The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it's become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive. Hackers don't always break systems anymore — they use them. They hide inside trusted apps, copy real websites, and trick people into giving up control without even knowing it. It's no longer just about stealing data — it's about power, money, and control over how people live and communicate. This week's ThreatsDay issue looks at how that battle is unfolding — where criminals are getting smarter, where defenses are failing, and what that means for anyone living in a connected world. Crypto empire built on slavery Historic Operation Targets SE Asian Scam Networks with $15B Seizure The U.S. government has seized $15 billion (approximately 127,271 bitcoin) worth of cryptocurrency assets from one of the world's largest operators ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution. According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108 released early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6). Details of the two vulnerabilities were disclosed by Searchlight Cyber researchers Adam Kues and Shubham Shah in July 2025, describing CVE-2025-54253 as an "authentication bypass to [remote code execution] chain via Struts2 devmode" and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services. The flaw results from the dan...

A threat actor with ties to China has been attributed to a five-month-long intrusion targeting a Russian IT service provider, marking the hacking group's expansion to the country beyond Southeast Asia and South America. The activity, which took place from January to May 2025, has been attributed by Broadcom-owned Symantec to a threat actor it tracks as Jewelbug , which it said overlaps with clusters known as CL-STA-0049 (Palo Alto Networks Unit 42), Earth Alux (Trend Micro), and REF7707 (Elastic Security Labs). The findings suggest Russia is not off-limits for Chinese cyber espionage operations despite increased "military, economic, and diplomatic" relations between Moscow and Beijing over the years. "Attackers had access to code repositories and software build systems that they could potentially leverage to carry out supply chain attacks targeting the company's customers in Russia," the Symantec Threat Hunter Team said in a report shared with The ...

U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. It attributed the activity to a "highly sophisticated nation-state threat actor," adding the adversary maintained long-term, persistent access to its network. The company said it learned of the breach on August 9, 2025, per a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). F5 said it delayed the public disclosure at the request of the U.S. Department of Justice (DoJ). "We have taken extensive actions to contain the threat actor," it noted . "Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful." F5 did not say for how long the threat actors had access to its BIG-IP product development environment, but em...

New research has uncovered that publishers of over 100 Visual Studio Code (VS Code) extensions leaked access tokens that could be exploited by bad actors to update the extensions, posing a critical software supply chain risk. "A leaked VS Code Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base," Wiz security researcher Rami McCarthy said in a report shared with The Hacker News. "An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base." The cloud security firm noted in many cases publishers failed to account for the fact that VS Code extensions, while distributed as .vsix files, can be unzipped and inspected, exposing hard-coded secrets embedded into them. In all, Wiz said it found over 550 validated secrets, distributed across more than 500 extensions from hundreds of distinct publishers....

TLDR Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys. Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong authentication all together Malicious or compromised browser extensions can hijack WebAuthn requests, manipulate passkey registration or sign-in, and drive autofill to leak credentials and one-time codes. Device-bound passkeys in hardware security keys offer higher assurance and better administrative control than synced passkeys, and should be mandatory for enterprise access use cases Synced Passkey Risks Synced passkey vulnerabilities Passkeys are credentials stored in an authenticator. Some are device-bound, others are synced across devices through consumer cloud services like iCloud and Go...

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates ( ESU ) program. Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest. The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025's Patch Tuesday update . The two Windows zero-days that have come under activ...

Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixne t remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770 , are both rated 10.0 on the CVSS scoring system. "The vulnerabilities affect Red Lion SixTRAK and VersaTRAK RTUs, and allow an unauthenticated attacker to execute commands with root privileges," Claroty Team 82 researchers said in a report published Tuesday. Red Lion's Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors. These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet "Universal" protocol used to interface and enable ...

Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution due to the fact that the call center application unsafely passes session cookie data to shell processing. This, in turn, allows an attacker to inject shell commands into a session cookie that can get executed in the vulnerable server. The security flaw affects ICTBroadcast versions 7.4 and below. "Attackers are leveraging the unauthenticated command injection in ICTBroadcast via the BROADCAST cookie to gain remote code execution," VulnCheck's Jacob Baines said in a Tuesday alert. "Approximately 200 online instances are exposed." The cybersecurity firm said that it detected in-the-wild exploitation o...

SAP has rolled out security fixes for 13 new security issues , including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. "Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port," according to a description of the flag in CVE.org. "The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability." While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards to secure against the risk posed by deserialization. "The additional...

Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity, per ReliaQuest, is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon , which is also tracked as Ethereal Panda and RedJuliett. According to the U.S. government, it's assessed to be a publicly-traded, Beijing-based company known as Integrity Technology Group. "The group cleverly modified a geo-mapping application's Java server object extension (SOE) into a functioning web shell," the cybersecurity company said in a report shared with The Hacker News. "By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery." Flax Typhoon is known for living up to the "stealth" in its tradecraft by extensively incorporating living-off-the-l...