Cybersecurity Newsfeed
04/02/26
Vulnerabilities
- CISA adds SolarWinds, Sangoma, and GitLab to KEV: CISA expanded its Known Exploited Vulnerabilities catalog with four critical flaws. Most notable is CVE-2025-40551 (SolarWinds Web Help Desk), a deserialization bug enabling unauthenticated RCE. Sangoma FreePBX faces authentication bypass (CVE-2019-19006) and OS command injection (CVE-2025-64328), currently used by the INJ3CTOR3 group. GitLab's CVE-2021-39935 is also seeing increased SSRF exploitation. Federal agencies must patch the SolarWinds flaw by Feb 6, 2026.
- Metro4Shell: Critical React Native RCE exploitation: Researchers warn of active exploitation of CVE-2025-11953 in the React Native Community CLI. The flaw allows unauthenticated RCE via the Metro development server's endpoints. Attackers use a multi-stage PowerShell loader to disable Microsoft Defender before deploying a Rust-based binary. Thousands of developer environments remain exposed due to default network-binding configurations.
- WordPress Quiz and Survey Master SQL Injection: CVE-2025-67987 affects over 40,000 sites via the QSM plugin (versions 10.3.1 and earlier). Due to poor sanitization of the is_linking parameter in a REST API function, Subscriber-level users can exfiltrate sensitive database info. The risk was mitigated in version 10.3.2 through strict integer validation.
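The QSM item above turns on two things: a request parameter that is pasted into a query, and the fix of validating that parameter as a plain integer. The following is an added illustration of that pattern, not the plugin's own code: the table, column names and the `is_linking` handling are constructed for the example, and a generic SQLite database stands in for the WordPress tables. The vulnerable lookup interpolates the parameter into the SQL text; the hardened lookup rejects anything that is not a decimal integer and binds the value as a query parameter.

```python
import re
import sqlite3

# Constructed sample schema for the illustration; not the QSM plugin's tables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quizzes (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO quizzes VALUES (?, ?)",
                     [(1, "Onboarding quiz"), (2, "Customer survey")])
    # A second table holding data the quiz endpoint should never expose.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin@example.test', 'hash-placeholder')")
    return conn


def lookup_vulnerable(conn, is_linking):
    """Vulnerable pattern: the untrusted parameter is spliced into the SQL text."""
    sql = f"SELECT name FROM quizzes WHERE id = {is_linking}"
    return [row[0] for row in conn.execute(sql).fetchall()]


_INT_RE = re.compile(r"-?\d+")

def validate_int(value):
    """Strict integer validation: accept an int or a string that is only a decimal
    integer. Whitespace, floats, booleans and anything else are rejected, so no
    SQL fragment can survive the check."""
    if isinstance(value, bool):
        raise ValueError("boolean is not an integer parameter")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and _INT_RE.fullmatch(value):
        return int(value)
    raise ValueError(f"invalid integer parameter: {value!r}")


def lookup_hardened(conn, is_linking):
    """Hardened pattern: validate first, then bind the value as a parameter."""
    quiz_id = validate_int(is_linking)
    rows = conn.execute("SELECT name FROM quizzes WHERE id = ?", (quiz_id,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # A UNION payload in the parameter pulls rows from an unrelated table.
    payload = "1 UNION SELECT email || ':' || pass_hash FROM users"
    print("vulnerable:", lookup_vulnerable(db, payload))
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The validation step is deliberately stricter than `int()` would be (`int(" 1 ")` succeeds), because the goal is to reject any string that contains more than the number itself; parameter binding then guarantees the value is never interpreted as SQL even if the validation were loosened later.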
Adversaries
- Step Finance suffers $40M exploit: On Jan 31, the Solana-based DeFi platform was hit after hackers compromised executive devices. While $4.7M has been recovered via Token22 protections, operations remain partially halted. The breach impacted several treasury wallets during APAC hours, sparking industry speculation about the specific attack vector and potential insider involvement.
- Massive Citrix NetScaler recon campaign: Between Jan 28 and Feb 2, over 63,000 unique IPs (mostly residential proxies) scanned for Citrix NetScaler infrastructure. Attackers requested the Endpoint Analysis (EPA) setup file path to enumerate versions, likely in preparation for exploitation of CVE-2025-5777 or CVE-2025-5775. 36% of the traffic originated from a single Azure IP using outdated Chrome user agents.
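The recon item above gives defenders three concrete signals: many distinct sources requesting the EPA setup path, one source responsible for a large share of the volume, and Chrome user agents that are well out of date. The following added example (not from the report or from Citrix) runs that triage over constructed web-server log lines in combined log format. The EPA path, the sample IPs and the "outdated" Chrome threshold are assumptions for the illustration; adjust them to the path and baseline seen in your own gateway logs.

```python
import re
from collections import Counter

# Assumed EPA setup path for the example; use the path observed in your own logs.
EPA_PATH = "/epa/scripts/win/nsepa_setup.exe"

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

UA_OLD = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
UA_NEW = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
UA_MID = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36"

# Constructed log lines; the addresses are documentation ranges, not real scanners.
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [30/Jan/2026:10:00:01 +0000] "GET {EPA_PATH} HTTP/1.1" 200 512 "-" "{UA_OLD}"',
    f'203.0.113.10 - - [30/Jan/2026:10:00:02 +0000] "GET {EPA_PATH} HTTP/1.1" 200 512 "-" "{UA_OLD}"',
    f'198.51.100.7 - - [30/Jan/2026:10:00:03 +0000] "GET {EPA_PATH} HTTP/1.1" 200 512 "-" "{UA_NEW}"',
    f'192.0.2.44 - - [30/Jan/2026:10:00:04 +0000] "GET {EPA_PATH} HTTP/1.1" 200 512 "-" "{UA_MID}"',
    f'192.0.2.99 - - [30/Jan/2026:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "{UA_NEW}"',
    f'192.0.2.99 - - [30/Jan/2026:10:00:06 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "{UA_NEW}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze_epa_probes(events, epa_path=EPA_PATH, min_chrome_major=120):
    """Summarize requests for the EPA setup path: volume, source spread, the share
    of the single busiest source, and how many carried an outdated Chrome UA.
    min_chrome_major is an assumed baseline; tune it to what your users run."""
    probes = [e for e in events if e["path"].lower() == epa_path.lower()]
    by_ip = Counter(e["ip"] for e in probes)
    outdated = 0
    for e in probes:
        m = CHROME_RE.search(e["ua"])
        if m and int(m.group(1)) < min_chrome_major:
            outdated += 1
    top_ip, top_count = by_ip.most_common(1)[0] if by_ip else (None, 0)
    return {
        "probe_count": len(probes),
        "unique_ips": len(by_ip),
        "top_ip": top_ip,
        "top_ip_share": top_count / len(probes) if probes else 0.0,
        "outdated_chrome_probes": outdated,
    }


if __name__ == "__main__":
    summary = analyze_epa_probes(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

In practice the summary is computed per time window and compared against a baseline: a jump in unique sources for this one path, a single IP carrying a large fraction of the requests, or an unusual proportion of old browser versions are each a reason to prioritise patching and to review the gateway for the vulnerabilities named above.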
- Iron Mountain disputes Everest extortion claims: Iron Mountain addressed claims by the Everest group regarding a 1.4 TB breach. The company maintains the incident was limited to a single public-facing file-sharing folder containing marketing materials. The intrusion was traced to a single compromised credential, and the company confirmed that no ransomware was deployed and no critical systems were breached.
- Vect: New RaaS targeting Brazil and South Africa: A new group named "Vect" emerged in Dec 2025 using a custom C++ codebase. It employs ChaCha20-Poly1305 intermittent encryption for speed across Windows, Linux, and ESXi. Attributed to experienced CIS-region actors, Vect uses Safe Mode execution to bypass security and operates a double-extortion model via TOR.
- Operation Neusploit: APT28 weaponizes Office bypass: The Russia-linked threat actor APT28 is exploiting CVE-2026-21509, a Microsoft Office OLE mitigation bypass. Targeting Central and Eastern Europe, the chain uses RTF documents to deploy MiniDoor (email stealer) and PixyNetLoader (steganography-based loader) to deliver the Covenant Grunt implant.
Trends
- GlassWorm supply chain attack on Open VSX: Legitimate extensions by publisher "oorzc" were compromised to distribute the GlassWorm malware, affecting 22,000+ users. Targeting macOS, it harvests credentials and crypto wallets. The malware is resilient, using the Solana blockchain for C2 instructions and Google Calendar for backup infrastructure.
- Everest claims legacy Polycom data theft: The Everest group claims to have stolen 90GB of data from Polycom (acquired by HP in 2022), including source code and logs. Analysis suggests the data is from legacy environments (2017-2019). HP has not confirmed any breach of current production systems.
- Sophisticated Dropbox phishing targeting corporate users: A new multi-stage campaign uses procurement-themed emails with PDF attachments containing AcroForm objects to hide links. Victims are funneled through Vercel-hosted staging sites to a fake Dropbox login. Stolen data is exfiltrated to an attacker-controlled Telegram bot.
Breaches & Leaks
- ShinyHunters leaks 5.1M Panera Bread records: Following a failed $2.85M ransom demand, ShinyHunters leaked 760GB of data. The breach was initiated via a vishing-based compromise of a Microsoft Entra SSO token, bypassing MFA through real-time social engineering. Leaked data includes names, emails, physical addresses, and phone numbers for millions of customers.