The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption ( IDE ) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special Interest Group ( PCI-SIG ). "This could potentially result in security exposure, including but not limited to, one or more of the following with the affected PCIe component(s), depending on the implementation: (i) information disclosure, (ii) escalation of privilege, or (iii) denial of service," the consortium noted . PCIe is a widely used high-speed standard to connect hardware peripherals and components, including graphics cards, sound cards, Wi-Fi and Ethernet adapters, and storage devices, inside computers and servers. Introduced in PCIe 6.0, PCIe IDE is designed to secure data ...

Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code. Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world. Next week, the Cortex Cloud team at Palo Alto Networks is hosting a technical deep dive to walk you through three recent investigations and exactly how to defend against them. Secure your spot for the live session ➜ What Experts Will Cover This isn't a high-level overview. We are looking at specific, technical findings from the field. In this session, our experts will break down three distinct attack vectors that are bypassing traditional security right now: AWS Identity Misconfigurations: We will show how attackers abuse simple setup errors in AWS identities to gain initial access without stealing a single password. Hiding in A...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file. "RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user," CISA said in an alert. The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected. "This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to u...

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild. Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities. In total, Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable's Satnam Narang said 2025 also marks the second consecutive year where the Windows maker has patched over 1,000 CVEs. It's the third time it has done so since Patch Tuesday's inception. The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update . This also consists of a s...

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8). "An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device," Fortinet said in an advisory. The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle ...

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical React2Shell security flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT . "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org," Sysdig said in a report published Monday. The cloud security firm said the activity exhibits significant overlap with a long-running campaign codenamed Contagious Interview , which has been observed leveraging the EtherHiding technique to distribute malware since February 2025. Contagious Interview is the name given to a series of attacks in which blockchain and Web3 developers, among others, are targeted through fake job interviews, coding assignments, and video assessments, leading to the deployment of malware. These efforts typi...

Four distinct threat activity clusters have been observed leveraging a malware loader known as CastleLoader , strengthening the previous assessment that the tool is offered to other threat actors under a malware-as-a-service (MaaS) model. The threat actor behind CastleLoader has been assigned the name GrayBravo by Recorded Future's Insikt Group, which was previously tracking it as TAG-150 . The malware first emerged in early 2025. GrayBravo is "characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure," the Mastercard-owned company said in an analysis published today. Some of the notable tools in the threat actor's toolset include a remote access trojan called CastleRAT and a malware framework referred to as CastleBot, which comprises three components: a shellcode stager/downloader, a loader, and a core backdoor. The CastleBot loader is responsible for injecting the core m...

The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. "These methods allow them to bypass defenses, infiltrate networks, maintain persistence, and operate undetected, raising serious concerns for security teams," ReliaQuest said in a report shared with The Hacker News. Storm-0249 is the moniker assigned by Microsoft to an initial access broker that has sold footholds into organizations to other cybercrime groups, including ransomware and extortion actors like Storm-0501 . It was first highlighted by the tech giant in September 2024. Then, earlier this year, Microsoft also revealed details of a phishing campaign mounted by the threat actor that used tax-related themes to target users in the U.S. ahead of the tax filing season and infect them with Latrodectus and the BruteR...

Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don't share signals reliably. 88% of organizations admit they've suffered significant challenges in trying to implement such approaches, according to Accenture . When products can't communicate, real-time access decisions break down. The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust doesn't currently support SSF.  Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams an easy and intuitive way to operationalize SSF across their environment. In this guide, we'll share an overview of the workflow , plus step-by-step instructions for getting it up and running. The problem – IAM tools don't support SSF A core requirement of Zero Trust is continuous, reliable sig...