@cerebrix (4h): Vulnerability-Lookup Bundle 78ee0d13: Various Security Vulnerabilities (addressed in update) in The GNU C Library (glibc)
The release of GNU C Library version 2.43 addresses various undisclosed vulnerabilities, making it crucial for users to update to prevent potential system compromise and instability. Failure to update could leave systems exposed to previously discovered security flaws that affect

@cerebrix (5h): Apple’s Critical iPhone Update Warning: Hundreds Of Millions Must Act Now
Apple has released iOS 26, which includes critical security fixes and improvements to the Liquid Glass design. Although adoption rates are lower than previous updates, users are advised to update immediately due to the importance of the security fixes. The Liquid Glass design, while controversial, can be adjusted to improve user experience.

@cerebrix (4h): CoPhish Alert: OAuth Token Phishing Attack in Microsoft Teams/OneDrive (via Copilot Studio links)
This attack poses a high risk of account compromise by leveraging legitimate-looking Microsoft Copilot Studio links. Attackers trick users into consenting to malicious OAuth token theft, granting unauthorized access to their Microsoft services like Teams and OneDrive. Imagine a

@cerebrix (4h): VMware vCenter Alert: Unauthenticated Remote Code Execution (RCE) in VMware vCenter
This is a critical vulnerability exposing VMware vCenter servers to unauthenticated remote code execution (RCE). Attackers can gain full control of affected servers without needing any credentials, posing an immediate and severe risk to network infrastructure. Imagine a building

@cerebrix (1d): From Cambodia’s cyber dens to a village in Bihar’s Bhojpur: The 20,000 calls that told a story
Bihar Police uncovered an illegal SIM-box network in Bhaluni village, Bihar, linked to cyber fraud syndicates in Cambodia and Thailand, resulting in an estimated Rs 50 crore in revenue losses to the Department of Telecommunications. The operation involved rerouting international calls through Indian mobile networks, using SIM cards obtained through fraudulent means. The Central Bureau of Investigation (CBI) has taken over the investigation, and the probe suggests the involvement of multiple distinct operations orchestrated from Southeast Asia.

@cerebrix (1d): Healthy Security Cultures Want People to Report Risks
The article discusses the importance of healthy security cultures where employees feel safe reporting risks. It highlights the shift from fear-based risk management to one that rewards risk identification and progress. A living risk management program, risk registries, and transp

@cerebrix (1d): CVE-2026-1257: Local File Inclusion in The Administrative Shortcodes plugin for WordPress
This high-severity vulnerability (CVSS 7.5) affects the Administrative Shortcodes plugin, allowing local file inclusion. This flaw could enable attackers to read sensitive files on the server, potentially exposing critical system information or credentials. Picture a library w

@cerebrix (1d): CVE-2025-66428: Privilege Escalation via WordPress Directory Names in WebPros WordPress Toolkit
This high-severity vulnerability (CVSS 8.8) in WebPros WordPress Toolkit allows privileged users to escalate their access. Attackers could leverage this flaw to gain higher permissions than intended, potentially leading to full control over WordPress installations. Consider a
@cerebrix (1d): Hackers get $1,047,000 for 76 zero-days at Pwn2Own Automotive 2026
Pwn2Own Automotive 2026 concluded with security researchers earning $1,047,000 for exploiting 76 zero-day vulnerabilities in fully patched automotive systems. The competition, held in Tokyo, targeted in-vehicle infotainment systems, EV chargers, and car operating systems. Vendors have 90 days to release security fixes for the disclosed zero-days. Team Fuzzware.io won the contest with $215,000, followed by Team DDOS and Synacktiv.
@cerebrix (1d): ShinyHunters claim to be behind SSO-account data theft attacks
The ShinyHunters extortion gang claims responsibility for a wave of voice phishing attacks targeting SSO accounts at Okta, Microsoft, and Google. The attacks involve impersonating IT support to trick employees into entering their credentials on phishing sites. Once compromised, attackers can access corporate SaaS platforms and steal company data for extortion. The phishing kits used in these attacks allow real-time changes to the phishing site, guiding victims through the login and MFA authentication process. ShinyHunters confirmed their involvement but declined to provide further details, stating Salesforce as their primary target.

@cerebrix (1d): Hackers Abuse Vulnerable Training Web Apps to Breach Enterprise Cloud Environments - CySecurity News - Latest Information Security and Hacking Incidents
Hackers are exploiting poorly secured web applications designed for security training to breach enterprise cloud environments, according to a report by Pentera. These vulnerable applications, including DVWA and OWASP Juice Shop, are being used as entry points to deploy cryptocurrency miners and webshells, and to gain administrative-level control over cloud environments. Pentera identified 1,926 active vulnerable applications, many of which were tied to excessive IAM permissions and hosted across AWS, GCP, and Azure. The researchers disclosed their findings to impacted companies, which have since remediated the issues. To reduce risk, Pentera advises organizations to keep an accurate inventory of all cloud assets, enforce least-privilege IAM permissions, remove default credentials, and set expiration policies for temporary cloud resources.

@cerebrix (1d): CVE-2025-13374: Arbitrary File Upload in The Kalrav AI Agent plugin for WordPress
This critical-severity vulnerability (CVSS 9.8) allows attackers to upload arbitrary files to a WordPress site using the Kalrav AI Agent plugin. Such an exploit can lead to complete website takeover, including data theft and system compromise. Consider a package delivery servi

@cerebrix (1d): CVE-2025-56590: Unspecified Vulnerability in InsertFromURL() function of Apryse HTML2PDF SDK
This critical-severity vulnerability (CVSS 9.8) exists within the `InsertFromURL()` function of the Apryse HTML2PDF SDK. Its exploitation could grant an attacker severe control over the system, potentially leading to remote code execution or complete compromise. Imagine a fact

@cerebrix (1d): Researchers broke every AI defense they tested. Here are 7 questions to ask vendors. | VentureBeat
Researchers from OpenAI, Anthropic, and Google DeepMind found that adaptive attacks bypassed 12 AI defenses that claimed near-zero risk. The research showed that most AI security products are being tested against attackers that don’t behave like real attackers. The research team tested prompting-based, training-based, and filtering-based defenses under adaptive attack conditions. All collapsed. The researchers designed a rigorous methodology to stress-test those claims. Their approach included 14 authors and a $20,000 prize pool for successful attacks. The research points to specific architectural requirements. Security leaders need answers to these questions before any procurement conversation starts, as each one maps directly to a failure documented in the research.

@cerebrix (1d): Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
A multi-stage phishing campaign targeting Russia uses social engineering to deliver Amnesia RAT and ransomware. The attack utilizes GitHub and Dropbox to distribute payloads, employs defendnot to disable Microsoft Defender, and leverages Visual Basic Scripts for obfuscation. The campaign aims to suppress visibility, neutralize endpoint protection, conduct reconnaissance, inhibit recovery, and deploy destructive payloads. Microsoft recommends enabling Tamper Protection to counter the abuse of the Windows Security Center API.

@cerebrix (1d): CVE-2026-20750: Improper Project Ownership Validation in Gitea
This critical-severity vulnerability (CVSS 9.1) in Gitea allows improper project ownership validation during organization project operations. An attacker with existing user privileges could exploit this to illegally claim ownership of projects, leading to unauthorized code manipu

@cerebrix (1d): CVE-2026-0911: Unspecified Vulnerability in The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress
This high-severity vulnerability (CVSS 7.5) in the WordPress "The Hustle" plugin could allow attackers to compromise affected websites. Exploitation could lead to unauthorized actions or data exposure, impacting the site's integrity and user trust. Imagine a locked mailbox whe

@cerebrix (1d): GitHub - sapadianllc/snarky: A self-hosted, zero-knowledge dead drop for asynchronous secret sharing across BSD, Linux, and Windows.
Snarky is a self-hosted, RAM-only file transfer tool for securely sharing sensitive secrets. It offers zero-knowledge encryption, burn-after-reading, and ephemeral storage. It can be hosted on FreeBSD, Linux, or Windows. Follow the provided steps to set up your own instance.

@cerebrix (1d): Germany drafts law to expand intelligence surveillance
Germany is drafting comprehensive legislation to significantly expand the surveillance and hacking authorities of its Federal Intelligence Service, aiming to reduce reliance on U.S. intelligence and align its capabilities with European peers like the UK and France.

@cerebrix (1d): AI Deepfake of Belgian King Used in Sophisticated Scams
Belgian authorities warn of sophisticated scams using AI deepfakes of King Philippe to target business leaders, with fraudsters inviting victims to fake video calls and sending invitations to non-existent royal galas. Scammers impersonate the Belgian monarch and his associates, initially contacting victims through WhatsApp, email, or phone calls, claiming to need financial support for the supposed release of Belgian journalists held hostage in Syria. The scams have escalated with victims now being invited to video calls featuring AI-generated images of King Philippe. Authorities emphasize that neither the King nor any legitimate royal institution would ever contact individuals directly to request money. Public awareness and technological countermeasures are crucial in the fight against digital fraud.

@cerebrix (1d): TikTok Is Now Collecting Even More Data About Its Users. Here Are the 3 Biggest Changes | WIRED
TikTok's new privacy policy under its US-based ownership introduces three significant changes: it now collects precise location data from users who enable location services, it tracks interactions with AI tools, and it leverages user data to target ads across other platforms.

@netcode (2d): Call for comments: NIST guide to OT Security
NIST has initiated the process of revising SP 800-82, Guide to Operational Technology (OT) Security, to incorporate lessons learned, align with relevant NIST guidance (e.g., Cybersecurity Framework (CSF) 2.0, NIST IR 8286 Rev. 1, NIST SP 800-53 Rev. 5.2.0) and OT cybersecurity st
@[deleted] (2d): OPSEC tools
This GitHub project provides a Rust tool called Rayhunter for detecting IMSI catchers, also known as cell-site simulators or stingrays, on mobile hotspots. It was initially designed for the Orbic RC400L but now supports other devices as well. The tool aims to be user-friendly and minimize false positives. It includes an installation guide, an introductory blog post, and a book for more information. Users are advised to use the tool at their own risk, and those outside the US should consult local legal advice.
@cerebrix (2d): Microsoft Gave FBI Keys To Unlock Encrypted Data, Exposing Major Privacy Flaw
Microsoft provided the FBI with BitLocker encryption keys to access data on three laptops, raising concerns about privacy and security. The tech giant claimed this was a standard response to a court order, but privacy advocates argue that Microsoft should follow Apple and Meta's lead in not complying with such requests. This case highlights the potential for law enforcement to gain extensive access to personal data if encryption keys are not properly secured.

@cerebrix (3d): CVE-2025-69828: File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818
This is a critical vulnerability that allows attackers to upload malicious files, potentially leading to full system compromise. Exploiting this could grant unauthorized execution of code, severely impacting the system's integrity and confidentiality. Imagine a secure building

@cerebrix (3d): CVE-2025-13927: Vulnerability in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7.4, 18.8.1
This high-severity vulnerability impacts a wide range of GitLab CE/EE versions, necessitating prompt security updates. The flaw could allow an attacker to compromise the integrity or availability of the platform. Imagine a building's emergency exit plan that, despite being upd

@cerebrix (3d): CVE-2025-10856: Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Management System
This high-severity vulnerability enables attackers to upload files of dangerous types without restriction. This could lead to remote code execution or data compromise within the Solvera Trade Management System. Picture a bank's document submission portal that accepts any file

@cerebrix (3d): CVE-2026-1330: Arbitrary File Read vulnerability in MeetingHub developed by HAMASTAR Technology
This high-severity vulnerability in MeetingHub allows an unauthenticated attacker to read arbitrary files from the server. This can expose sensitive configuration files, user data, or other critical system information. Consider a public-facing bulletin board where, by leaving

@cerebrix (3d): Under Armour ransomware breach: data of 72 million customers appears on the dark web | Malwarebytes
Under Armour experienced a ransomware attack in November 2025, with the Everest group claiming responsibility. The company reported potential data breaches, but mounting evidence suggests that a large customer dataset is circulating online. The leaked data includes personal information and purchase histories. A class action lawsuit has been filed alleging negligence in data protection.