Cybersecurity Newsfeed - 06/05/26
Daily cybersecurity news covering vulnerabilities, adversaries, trends, breaches, and other notable security developments.
🛡️ Vulnerabilities
Critical Apache HTTP/2 Flaw (CVE-2026-2591): A high-severity vulnerability has been discovered in Apache’s HTTP/2 implementation. The memory corruption issue during frame processing could lead to DoS or remote code execution. Given Apache’s footprint, immediate patching is prioritized.
Android System Privilege Escalation (CVE-2026-0073): Google’s May 2026 update addresses a critical flaw in the Android System component. The bug allows malicious apps to bypass sandbox restrictions and gain elevated privileges without user interaction.
MetInfo CMS RCE (CVE-2026-29014): A critical flaw in the MetInfo CMS is seeing active exploitation. Unauthenticated attackers can execute remote code to deploy web shells and take full control of affected websites.
WhatsApp File Spoofing & URL Handling: WhatsApp has disclosed two vulnerabilities involving file spoofing and arbitrary URL schemes. These flaws could allow attackers to trick users into opening malicious content to steal data or execute scripts.
🎯 Adversaries
UAT-8302 Targets Gov and Industrial Sectors: The threat actor UAT-8302 is conducting coordinated espionage using custom malware. Campaigns begin with targeted spear-phishing aimed at gathering intelligence on critical infrastructure and policy.
DAEMON Tools Supply Chain Attack: The official DAEMON Tools website was compromised to distribute trojanized installers. The modified software deploys a backdoor for persistent remote access, bypassing traditional perimeter defenses.
Microsoft Warns of Compliance-Themed Phishing: A sophisticated campaign uses fake HR and security compliance notifications to harvest Microsoft 365 credentials, facilitating lateral movement and business email compromise.
📈 Trends & Critical Incidents
Taiwan High Speed Rail Breach: A former student exploited ticketing and management systems to trigger emergency brakes on the railway. While no injuries occurred, the incident highlights the physical safety risks of industrial control system (ICS) vulnerabilities.
FTC Bans Kochava from Selling Geolocation Data: In a landmark privacy move, the FTC has prohibited data broker Kochava from selling sensitive location history that could track individuals to medical clinics or places of worship without consent.
💥 Breaches & Leaks
Vimeo Data Breach Affects 119k Users: A breach originating from a legacy database has exposed names and email addresses of approximately 119,000 Vimeo users. Payment info and passwords were reportedly not compromised.
