=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 20-05-2026 18:00 − Donnerstag 21-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Hackers bypass SonicWall VPN MFA due to incomplete patching ∗∗∗
---------------------------------------------
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [..] SonicWall warned in a security advisory for CVE-2024-12802 that installing the firmware update alone on Gen6 devices does not fully mitigate the vulnerability, and a manual reconfiguration of the LDAP server is required. Failing to do so leaves open the possibility of bypassing MFA protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn…
∗∗∗ A New SonicWall Scanning Spike Echoes the Pattern That Preceded CVE-2026-0400 ∗∗∗
---------------------------------------------
Between May 9 and May 18, 2026, GreyNoise observed a significant new spike in scanning of SonicWall SonicOS management interfaces. The May 12 peak — approximately 597,000 sessions — was the largest single-day total recorded on the SonicWall SonicOS API Scanner tag in the past 90 days, roughly 46× the typical daily volume for this tag in the 30 days before the elevation.
---------------------------------------------
https://www.greynoise.io/blog/sonicwall-scanning-spike-echoes-pattern-prece…
∗∗∗ Google publishes exploit code threatening millions of Chromium users ∗∗∗
---------------------------------------------
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase [..] The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. [..] The unfixed vulnerability can be exploited by any website a user visits. [..] Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason.
---------------------------------------------
https://arstechnica.com/security/2026/05/google-publishes-exploit-code-thre…
∗∗∗ Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach ∗∗∗
---------------------------------------------
Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. [..] In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data.
---------------------------------------------
https://www.theregister.com/security/2026/05/21/46k-plaintext-passwords-pwn…
∗∗∗ The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20) ∗∗∗
---------------------------------------------
Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
∗∗∗ Webworm: New burrowing techniques ∗∗∗
---------------------------------------------
ESET researchers analyzed the 2025 activity of Webworm, a China-aligned APT group that started out targeting organizations in Asia, but has recently shifted its focus to Europe.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techn…
∗∗∗ Europe dismantles VPN service used by cybercriminals to hide ransomware attacks ∗∗∗
---------------------------------------------
The international operation targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.
---------------------------------------------
https://therecord.media/europe-dismantles-first-vpn
∗∗∗ Microsoft warnt vor Defender 0-Days und patcht ∗∗∗
---------------------------------------------
Microsoft hat zum 19. Mai 2026 zwei 0-Day-Schwachstellen CVE-2026-41091 und CVE-2026-45498 im Defender durch Update der Defender Antimalware Platform geschlossen. Die Schwachstellen betrafen die Defender Antimalware Platform Version 4.18.26030.3011 und älter.
---------------------------------------------
https://borncity.com/blog/2026/05/21/microsoft-warnt-vor-defender-0-days-un…
∗∗∗ Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 ∗∗∗
---------------------------------------------
For this post, we're going to look at the last of the four unpatchable Kubernetes CVEs, CVE-2021-25740, which relates to how Kubernetes ingress or LoadBalancer features can be abused to bypass network security controls in a cluster.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerab…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitspatches Atlassian: Bamboo, Confluence & Co. sind verwundbar ∗∗∗
---------------------------------------------
Angreifer können an mehreren Softwareschwachstellen unter anderem in Atlassian Bamboo Data Center and Server, Confluence Data Center and Server und Jira Data Center and Server ansetzen und betroffene Systeme im schlimmsten Fall vollständig kompromittieren. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatches-Atlassian-Bamboo-Confluence-Co…
∗∗∗ Grafikkartentreiber von Nvidia unter Linux und Windows angreifbar ∗∗∗
---------------------------------------------
Nutzen Angreifer Schwachstellen im Grafikkartentreiber von Nvidia erfolgreich aus, können sie Dienste abstürzen lassen, unbefugt auf Informationen zugreifen oder sogar Schadcode ausführen. Dagegen stehen abgesicherte Versionen für Linux und Windows zum Download bereit. Weiterhin haben die Entwickler Lücken in der vGPU-Software geschlossen.
---------------------------------------------
https://www.heise.de/news/Grafikkartentreiber-von-Nvidia-unter-Linux-und-Wi…
∗∗∗ Kritische Sicherheitslücke in Drupal Core - Updates verfügbar ∗∗∗
---------------------------------------------
In Drupal Core existiert eine SQL-Injection-Schwachstelle in der Datenbank-Abstraktions-API. Speziell gestaltete Anfragen können zu beliebigen SQL-Injections führen. Die Schwachstelle ist ausschließlich für Drupal-Installationen relevant, die PostgreSQL als Datenbank einsetzen, und kann ohne Authentifizierung durch anonyme Benutzer:innen ausgenutzt werden.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/5/kritische-sicherheitslucke-in-drupa…
∗∗∗ Cisco Secure Workload Unauthorized API Access Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Splunk: SVD-2026-0515: Third-Party Package Updates in Splunk User Behavior Analytics - May 2026 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2026-0515
∗∗∗ LWN: Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073860/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 19-05-2026 18:00 − Mittwoch 20-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Datenklau: Hacker wollen 4.000 private Github-Repos geplündert haben ∗∗∗
---------------------------------------------
Die Cybergang TeamPCP setzt Github unter Druck. Sie will an Daten aus Tausenden privaten Code-Repos gelangt sein und stellt diese nun zum Verkauf.
---------------------------------------------
https://www.golem.de/news/datenklau-hacker-wollen-4-000-private-github-repo…
∗∗∗ Microsoft shares mitigation for YellowKey Windows zero-day ∗∗∗
---------------------------------------------
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation…
∗∗∗ Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS ∗∗∗
---------------------------------------------
The SHub Reaper stealer, which hides behind fake WeChat and Miro installers, marks a shift from ClickFix social engineering to Apple script-based execution.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/stealer-spoofs-google-micro…
∗∗∗ How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) ∗∗∗
---------------------------------------------
We explain how a flaw in ExifTool allows attackers to compromise macOS systems via a malicious image (CVE-2026-3102).
---------------------------------------------
https://securelist.com/exiftool-compromise-mac/119866/
∗∗∗ Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.The activity, per HUMANs Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
---------------------------------------------
https://thehackernews.com/2026/05/trapdoor-android-ad-fraud-scheme-hit.html
∗∗∗ Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware ∗∗∗
---------------------------------------------
Thousands of US victims, including 12+ machines owned and operated by Redmond.
---------------------------------------------
https://www.theregister.com/security/2026/05/19/microsoft-disrupts-alleged-…
∗∗∗ Neue Phishing-Masche: Gutschrift nach "Fehler" von booking.com als Köder ∗∗∗
---------------------------------------------
Kriminelle versenden via WhatsApp Nachrichten, in denen sie sich als Gästebetreuung eines Hotels ausgeben und eine Rückbuchung versprechen. Angeblich sei aufgrund eines technischen Fehlers bei booking.com ein falscher Betrag eingezogen worden. Besonders problematisch: Die Eckdaten stimmen mit einer echten Buchung überein! Wer der aufgebauten Falle folgt, liefert den Drahtziehern seine Logindaten fürs Onlinebanking.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-gutschrift-booking/
∗∗∗ Tracking TamperedChef Clusters via Certificate and Code Reuse ∗∗∗
---------------------------------------------
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets. The post Tracking TamperedChef Clusters via Certificate and Code Reuse appeared first on Unit 42.
---------------------------------------------
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
∗∗∗ Huawei zero-day attack behind last year’s crash of Luxembourgs entire telecoms network ∗∗∗
---------------------------------------------
There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.
---------------------------------------------
https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom…
∗∗∗ How OLTs may have exposed entire ISP networks ∗∗∗
---------------------------------------------
This is the fifteenth article I have written over the past three years at Quarkslab, and without a doubt, it has been the most thrilling and fun to put together. The hidden world of ISP (Internet Service Provider) network security might sound complex, but what I am about to reveal could shake up how you see network defenses. In this post, I dive deep into how vulnerabilities in critical devices can lead to the complete takeover of service provider networks.
---------------------------------------------
http://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html
∗∗∗ durabletask: TeamPCPs Latest PyPi Compromise ∗∗∗
---------------------------------------------
Discover the latest on malicious versions of the pypi package durabletask, matching TeamPCP tactics.
---------------------------------------------
https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
∗∗∗ Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor ∗∗∗
---------------------------------------------
Sockets Threat Research Team identified a malicious Go module published as github.com/shopsprint/decimal, a typosquat of the widely used github.com/shopspring/decimal arbitrary precision arithmetic library. The typosquatted module has been present on the Go ecosystem since 2017-11-08 and was weaponized on 2023-08-19 when version v1.3.3 added a malicious init() function that opens a DNS TXT record command and control channel to a threat actor controlled subdomain on a free dynamic DNS provider.
---------------------------------------------
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor?u…
=====================
= Vulnerabilities =
=====================
∗∗∗ Max-severity flaw in ChromaDB for AI apps allows server hijacking ∗∗∗
---------------------------------------------
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromad…
∗∗∗ Node.js: Vier kritische Sicherheitslücken mit Höchstwertung in vm2 geschlossen ∗∗∗
---------------------------------------------
Angreifer können abermals aus der Node.js-Sandbox vm2 ausbrechen und Schadcode im Hostsystem ausführen. Sicherheitsupdates schaffen Abhilfe.
---------------------------------------------
https://www.heise.de/news/Node-js-Vier-kritische-Sicherheitsluecken-mit-Hoe…
∗∗∗ Hunderte bösartige npm-Pakete im AntV-Ökosystem entdeckt ∗∗∗
---------------------------------------------
In einer neuen Mini-Shai-Hulud-Lieferkettenattacke haben Bedrohungsakteure am 19. Mai mehr als 600 bösartige Versionen von npm-Paketen verbreitet. Hauptziel der Attacke war das Datenvisualisierungs-Ökosystem AntV. Die infizierten Versionen sind mittlerweile entfernt.
---------------------------------------------
https://heise.de/-11300242
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073713/
∗∗∗ MISP 2.5.38 - UI and security update ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.38
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 18-05-2026 18:00 − Dienstag 19-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Vorankündigung: Kritische Sicherheitslücke in Drupal Core - Patch-Verfügbarkeit am 20. Mai 2026 ∗∗∗
---------------------------------------------
Drupal hat eine Vorankündigung (Pre-Announcement) zu einer als kritisch eingestuften Sicherheitslücke in Drupal Core veröffentlicht. Für alle unterstützten Versionszweige wird am 20. Mai 2026 zwischen 19:00 und 23:00 CEST eine Sicherheitsaktualisierung bereitgestellt. Zum Zeitpunkt dieser Vorankündigung sind noch keine Details zur Schwachstelle und kein Patch verfügbar.
---------------------------------------------
https://www.cert.at/de/aktuelles/2026/5/drupal-critical-preannounce
∗∗∗ GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials ∗∗∗
---------------------------------------------
In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server.
---------------------------------------------
https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
∗∗∗ Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations.
---------------------------------------------
https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
∗∗∗ DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ∗∗∗
---------------------------------------------
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
---------------------------------------------
https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
∗∗∗ Cyberangriff Grafana: Erpresser kopieren Sourcecode und drohen mit Leak ∗∗∗
---------------------------------------------
Grafana Labs ist Opfer einer Cyberattacke geworden. Dabei hatten Angreifer Zugriff auf die Codebasis von Grafana. Darunter fallen alle zu einem Projekt gehörenden Quelltext- und Konfigurationsdateien. Also offensichtlich mehr, als die Open-Source-Anwendung auf GitHub ohnehin öffentlich preisgibt. [..] Die Entwickler versichern, dass nach jetzigem Kenntnisstand keine Kundendaten oder persönliche Daten von Mitarbeitern von dem Vorfall betroffen sind.
---------------------------------------------
https://www.heise.de/news/Cyberattacke-Angreifer-kopieren-Sourcecode-von-Gr…
∗∗∗ CISA Admin Leaked AWS GovCloud Keys on Github ∗∗∗
---------------------------------------------
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
---------------------------------------------
https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-…
∗∗∗ 32-jähriger SMS-Betrüger in Wien festgenommen ∗∗∗
---------------------------------------------
Ermittlern des Landeskriminalamts Wien ist ein Schlag gegen mutmaßliche Cyberkriminelle gelungen, die über sogenannte "SMS Blaster" millionenfach betrügerische Phishing-SMS versendet haben sollen. Seit dem 6. April sollen die Phishing-SMS insbesondere bei größeren Veranstaltungen verschickt worden sein. Am 14. Mai wurde ein Verdächtiger ausgeforscht und von Cobra-Beamten festgenommen. [..] Bei den eingesetzten Geräten handelt es sich um sogenannte "SMS Blaster". Das Gerät imitiert Mobilfunkzellen oder nutzt Mobilfunknetze automatisiert. Damit können tausende Nachrichten gleichzeitig an Mobiltelefone in der Umgebung gesendet werden.
---------------------------------------------
https://www.derstandard.at/story/3000000321362/32-jaehriger-sms-betrueger-i…
∗∗∗ Microsoft Details Storm-2949 Cloud Attack on Azure and Microsoft 365 ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has disclosed details of a cyberattack carried out by a threat actor tracked as Storm-2949, which escalated from a targeted identity compromise into a large-scale breach of cloud infrastructure and sensitive enterprise systems. The campaign focused heavily on data theft from Microsoft 365 services, Azure-hosted production environments, and cloud storage resources, demonstrating how compromised identities can become gateways to an organization’s entire cloud ecosystem.
---------------------------------------------
https://thecyberexpress.com/microsoft-storm-2949-azure-m365-cloud-breach/
∗∗∗ When Filenames Become Attack Surfaces: Weaponizing NASAs CFITSIO Extended Filename Syntax ∗∗∗
---------------------------------------------
This research was recently presented at BSides Luxembourg 2026. This blogpost documents our findings presented during the talk. [..] We’ll focus on perfectly documented features, useful during file processing, but chained together to achieve some unexpected offensive primitives.
---------------------------------------------
https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html
=====================
= Vulnerabilities =
=====================
∗∗∗ SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access ∗∗∗
---------------------------------------------
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. [..] One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka "signal hang up") signal.
---------------------------------------------
https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html
∗∗∗ Linux kernel flaw opens root-only files to unprivileged users ∗∗∗
---------------------------------------------
Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn't been a good month. [..] The good news is that it's already been fixed [..] This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials.
---------------------------------------------
https://www.theregister.com/security/2026/05/18/linux-kernel-flaw-opens-roo…
∗∗∗ TYPO3 Security Advisories 19.05.2026 ∗∗∗
---------------------------------------------
TYPO3 has release security advisories for ceselector, tt_address, ke_search, news, crawler and sf_register.
---------------------------------------------
https://typo3.org/security
∗∗∗ Mozilla Foundation Security Advisories for Firefox 19.05.2026 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ LWN: Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073542/
∗∗∗ DFIR-IRIS advisories ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/3b38de4446b06c28191ae872bb…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 15-05-2026 18:00 − Montag 18-05-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing ∗∗∗
---------------------------------------------
The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tycoon2fa-hijacks-microsoft-…
∗∗∗ Recent Kernel exploits, attack surface reduction, example IPSEC ∗∗∗
---------------------------------------------
Multiple of the recent kernel exploits have affected the "esp" Linux Kernel module. ESP is, as far as I understand, part of IPSEC, and I think it's fair to say that IPSEC is not widely used these days.
---------------------------------------------
https://www.openwall.com/lists/oss-security/2026/05/16/3
∗∗∗ NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE ∗∗∗
---------------------------------------------
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.
---------------------------------------------
https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.ht…
∗∗∗ Microsoft Edge: Keine Klartext-Passwörter mehr im Browserprozess ∗∗∗
---------------------------------------------
Microsofts Edge hatte alle Passwörter aus dem Passwort-Manager beim Start geladen und im Klartext vorgehalten. Jetzt aber nicht mehr.
---------------------------------------------
https://www.heise.de/news/Microsoft-Edge-Keine-Klartext-Passwoerter-mehr-im…
∗∗∗ Microsoft rejects critical Azure vulnerability report, no CVE issued ∗∗∗
---------------------------------------------
A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting a silent fix.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-a…
∗∗∗ Fake-Mail: Angebliche PayPal-Zahlung führt in Phishing-Falle ∗∗∗
---------------------------------------------
Derzeit sind betrügerische E-Mails im Umlauf, die angeblich von PayPal stammen und eine hohe Zahlung melden. Wer erschrickt und unüberlegt klickt, landet auf einer Fake-Website!
---------------------------------------------
https://www.watchlist-internet.at/news/angebliche-paypal-zahlung-klicks/
∗∗∗ Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4 ∗∗∗
---------------------------------------------
Hackers are hiding XWorm malware in PyInstaller files to bypass Windows security, steal data and remotely control devices through ads.
---------------------------------------------
https://hackread.com/hackers-pyinstaller-amsi-patching-xworm-rat-v7-4/
∗∗∗ Welcome to BlackFile: Inside a Vishing Extortion Operation ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Forscher eskaliert: Gefährlicher Zero-Day-Exploit für Windows geleakt ∗∗∗
---------------------------------------------
Der Miniplasma genannte Exploit nutzt eine Windows-Lücke aus, die eigentlich schon seit 2020 gepatcht sein sollte. Das ist offenkundig nicht der Fall. [..] Der unter dem Namen Chaotic Eclipse bekannte Sicherheitsforscher, der zuletzt mehrere ungepatchte Lücken in Windows aufgedeckt hatte, hat dafür einen neuen Exploit veröffentlicht. Angreifer sollen damit unter Windows Systemrechte erlangen können. [..] Chaotic Eclipse hat ihn nach eigenen Angaben unter Windows 11 und Windows Server 2025 getestet. In beiden Fällen soll er trotz aktuellen Patch-Standes funktionieren und eine Shell mit Systemrechten starten. Der Forscher geht davon aus, dass alle Windows-Versionen betroffen sind.
---------------------------------------------
https://www.golem.de/news/forscher-eskaliert-gefaehrlicher-zero-day-exploit…
∗∗∗ Microsoft Exchange: Zero-Day-Lücke wird angegriffen ∗∗∗
---------------------------------------------
In der Schwachstellenbeschreibung erklärt Microsoft, dass es sich um unzureichende Filterung von Eingaben bei der Generierung von Webseiten handelt, eine Cross-Site-Scripting-Lücke. Dadurch können nicht authentifizierte Angreifer aus dem Netz Spoofing-Angriffe ausführen (CVE-2026-42897, CVSS 8.1, Risiko „hoch“). Den Schweregrad stuft Microsoft jedoch als „kritisch“ ein. Ein Blog-Beitrag von Microsofts Exchange-Team erklärt das sowie die Gegenmaßnahmen etwas ausführlicher.
---------------------------------------------
https://www.heise.de/news/Microsoft-Exchange-Zero-Day-Luecke-wird-angegriff…
∗∗∗ Microsoft Authenticator: Kritische Sicherheitslücke ermöglicht Token-Diebstahl ∗∗∗
---------------------------------------------
Microsoft warnt vor einer Sicherheitslücke im Authenticator. Angreifer können Sign-in-Token abgreifen und damit Zugriff erlangen. [..] Zum Missbrauch der Lücke müssen Angreifer ein Opfer dazu bringen, mit einer legitim erscheinenden, bösartigen Anfrage zu interagieren. [..] Aktualisierte Versionen des Authenticators von Microsoft stehen in den jeweiligen App-Stores bereit.
---------------------------------------------
https://www.heise.de/news/Microsoft-Authenticator-Kritische-Sicherheitsluec…
∗∗∗ PostgreSQL: Updates stopfen hochriskante Sicherheitslecks ∗∗∗
---------------------------------------------
Die Entwickler von PostgreSQL schreiben in einer Versionsankündigung, dass die neu verfügbaren Fassungen 18.4, 17.10, 16.14, 15.18 und 14.23 insgesamt elf Schwachstellen ausbessern.
---------------------------------------------
https://www.heise.de/news/PostgreSQL-Updates-stopfen-hochriskante-Sicherhei…
∗∗∗ LWN: Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073356/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 13-05-2026 18:00 − Freitag 15-05-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ West Pharmaceutical says hackers stole data, encrypted systems ∗∗∗
---------------------------------------------
West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/west-pharmaceutical-says-hac…
∗∗∗ KongTuke hackers now use Microsoft Teams for corporate breaches ∗∗∗
---------------------------------------------
Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-mic…
∗∗∗ Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution ∗∗∗
---------------------------------------------
Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/inside-the-remus-infostealer…
∗∗∗ SOHO router attack by APT28 ∗∗∗
---------------------------------------------
Few weeks ago, one particular large scale cyber-attack hit the mainstream news everywhere. Russian cyber actor APT28 attacked SOHO routers and managed to compromise some credentials through that. The attack itself was carried in multiple phases and was quite interesting.
---------------------------------------------
https://en.blog.nic.cz/2026/05/14/soho-router-attack-by-apt28/
∗∗∗ Kimsuky targets organizations with PebbleDash-based tools ∗∗∗
---------------------------------------------
Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.
---------------------------------------------
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
∗∗∗ How AI Hallucinations Are Creating Real Security Risks ∗∗∗
---------------------------------------------
AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs.
---------------------------------------------
https://thehackernews.com/2026/05/how-ai-hallucinations-are-creating-real.h…
∗∗∗ PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure ∗∗∗
---------------------------------------------
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of its public disclosure.
---------------------------------------------
https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
∗∗∗ FrostyNeighbor: Fresh mischief and digital shenanigans ∗∗∗
---------------------------------------------
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischi…
∗∗∗ Device Code Phishing via Fake File-Sharing Invitation ∗∗∗
---------------------------------------------
Truesec has observed a phishing attempt where a customer received an email claiming that a sender wanted to share a document. The message prompted the recipient to click “Open”, which redirected the user to a website designed to appear legitimate.
---------------------------------------------
https://www.truesec.com/hub/blog/device-code-phishing-via-fake-file-sharing…
∗∗∗ China-Linked Twill Typhoon Uses Fake Apple and Yahoo Sites for Espionage ∗∗∗
---------------------------------------------
A new Darktrace report reveals how Chinese hackers use fake Apple and Yahoo sites and the FDMTP malware framework to spy on organisations.
---------------------------------------------
https://hackread.com/chinatwill-typhoon-fake-apple-yahoo-sites-espionage/
∗∗∗ FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit ∗∗∗
---------------------------------------------
Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT, and Terndoor malware across three persistent waves.
---------------------------------------------
https://hackread.com/famoussparrow-oil-gas-ms-exchange-server-exploit/
∗∗∗ CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions ∗∗∗
---------------------------------------------
Hackers are exploiting Outlook calendar invites and device code phishing to steal M365 session tokens, bypass MFA and breach enterprise accounts.
---------------------------------------------
https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/
∗∗∗ Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive ∗∗∗
---------------------------------------------
One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure and continues to work as normal. That creates serious organisational risk: PCI exposure, regulatory consequences, reputational damage, and a breach that remains invisible until long after the damage is done.
---------------------------------------------
https://scotthelme.ghost.io/anatomy-of-a-woocommerce-skimmer-a-technical-de…
∗∗∗ Backdoored Cemu release linked to TanStack and Mistral supply chain campaign ∗∗∗
---------------------------------------------
We investigate how a coordinated supply chain campaign that compromised npm and PyPI packages also backdoored the official Cemu Nintendo Wii U emulator GitHub release, reaching nearly 20,000 Linux users.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/backdoored-cemu-release-teampcp…
∗∗∗ Backdoored node-ipc npm releases steal developer credentials through DNS queries ∗∗∗
---------------------------------------------
An analysis of backdoored node-ipc npm releases that add an obfuscated credential collection and DNS exfiltration payload to the CommonJS entrypoint.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/node-ipc-npm-malware-analysis/
∗∗∗ New critical Exim mailer flaw allows remote code execution ∗∗∗
---------------------------------------------
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-fla…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fragnesia: Schon wieder gefährliche Root-Lücke im Linux-Kernel ∗∗∗
---------------------------------------------
Dirty Frag und Copy Fail beschäftigen bereits unzählige Linux-Admins. Die nächste Root-Lücke ist bereits identifiziert – und die Patches sind spät dran.
---------------------------------------------
https://www.golem.de/news/fragnesia-schon-wieder-gefaehrliche-root-luecke-i…
∗∗∗ Webserver gefährdet: 18 Jahre alte Sicherheitslücke in Nginx entdeckt ∗∗∗
---------------------------------------------
Nginx-Webserver sollen sich durch eine seit 2008 präsente Lücke zum Absturz bringen lassen. Manchmal ist wohl auch eine Schadcodeausführung möglich.
---------------------------------------------
https://www.golem.de/news/webserver-gefaehrdet-18-jahre-alte-sicherheitslue…
∗∗∗ Update stopft 79 Sicherheitslücken in Google Chrome ∗∗∗
---------------------------------------------
Das wöchentliche Chrome-Update schließt insgesamt 79 Sicherheitslücken. Davon gelten 14 als kritisch.
---------------------------------------------
https://www.heise.de/news/Update-stopft-79-Sicherheitsluecken-in-Google-Chr…
∗∗∗ Jetzt patchen! Angreifer attackieren Cisco Catalyst SD-WAN Controller ∗∗∗
---------------------------------------------
Angreifer nutzen derzeit eine kritische Sicherheitslücke in Cisco Catalyst SD-WAN Controller aus. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-11294491
∗∗∗ Ivanti EPM: Sicherheitslücken ermöglichen SQL-Iinjection und Rechteausweitung ∗∗∗
---------------------------------------------
Ivanti warnt vor drei Sicherheitslücken im Endpoint Manager (EPM). Sie ermöglichen SQL-Injection oder Rechteausweitung.
---------------------------------------------
https://heise.de/-11294605
∗∗∗ VMware Fusion: Angreifer können sich root-Rechte verschaffen ∗∗∗
---------------------------------------------
Nutzen Angreifer eine Schwachstelle in VMware Fusion erfolgreich aus, können sie sich unter bestimmten Bedingungen Root-Nutzerrechte verschaffen. Nun haben die Entwickler die Lücke geschlossen.
---------------------------------------------
https://heise.de/-11294685
∗∗∗ F5 BIG-IP: Quartalssicherheitsupdate schließt zahlreiche Lücken ∗∗∗
---------------------------------------------
Der Netzwerkausrüster F5 hat unter anderem für verschiedene BIG-IP-Produkte wichtige Sicherheitsupdates veröffentlicht.
---------------------------------------------
https://heise.de/-11294929
∗∗∗ Zero-Click-Lücke in Outlook: Angreifer können Systeme per E-Mail kompromittieren ∗∗∗
---------------------------------------------
Das bloße Senden einer E-Mail reicht aus, um über Microsoft Outlook Schadcode zur Ausführung zu bringen. Ein Klick auf einen Link ist nicht nötig.
---------------------------------------------
https://www.golem.de/news/zero-click-luecke-in-outlook-angreifer-koennen-sy…
∗∗∗ Mdash: Microsofts KI findet vier kritische Lücken in Windows ∗∗∗
---------------------------------------------
Microsofts Projekt MDash soll beim Finden von Sicherheitslücken sogar noch besser sein als Anthropics Claude Mythos.
---------------------------------------------
https://www.golem.de/news/mdash-microsofts-ki-findet-vier-kritische-luecken…
∗∗∗ telnetd 2.7 Buffer Overflow ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2026050010
∗∗∗ WPS Office improper access restriction to its named pipe ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN14434132/
∗∗∗ Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Catalyst SD-WAN Manager Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Advisory ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Tenable Network Monitor 6.5.4 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2026-14
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072838/
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1073059/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 12-05-2026 18:00 − Mittwoch 13-05-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation ∗∗∗
---------------------------------------------
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.
---------------------------------------------
https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.h…
∗∗∗ Angriff umgeht BitLocker mittels Windows Recovery Environment ∗∗∗
---------------------------------------------
BitLocker soll vertrauliche Daten auch vor physischen Angriffen schützen. Die Windows Recovery Environment hebelt den Schutz aus.
---------------------------------------------
https://www.heise.de/news/Angriff-umgeht-BitLocker-mittels-Windows-Recovery…
∗∗∗ Datenpanne bei Best Western Hotels: Hacker konnten monatelang Buchungsdaten abgreifen ∗∗∗
---------------------------------------------
Angreifer konnten sich wohl rund ein halbes Jahr lang ungestört im System von Best Western Hotels umsehen und Daten der Hotelgäste ausleiten.
---------------------------------------------
https://www.golem.de/news/best-western-hotels-hacker-konnten-monatelang-auf…
∗∗∗ RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded ∗∗∗
---------------------------------------------
RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack."
---------------------------------------------
https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html
∗∗∗ Thus Spoke…The Gentlemen ∗∗∗
---------------------------------------------
The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.
---------------------------------------------
https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
∗∗∗ Claude Code RCE: Exploiting Deeplink Handlers via Settings Injection ∗∗∗
---------------------------------------------
Of course I took a peek at the Claude Code source.
---------------------------------------------
https://0day.click/recipe/2026-05-12-cc-rce/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday Microsoft: Kritische DNS-Client-Lücke bedroht Windows ∗∗∗
---------------------------------------------
Microsoft hat wichtige Sicherheitsupdates für unter anderem Azure, Edge, Office und Windows veröffentlicht. Viele Lücken wurden mit KI-Agenten entdeckt.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-Kritische-DNS-Client-Luecke-be…
∗∗∗ Patchday: Adobe schließt mehr als 50 Lücken in After Effects & Co. ∗∗∗
---------------------------------------------
Wichtige Sicherheitsupdates reparieren diverse Adobe-Anwendungen. Bislang gibt es keine Berichte zu laufenden Attacken.
---------------------------------------------
https://heise.de/-11292536
∗∗∗ Fortinet stopft elf Sicherheitslücken in mehreren Produkten ∗∗∗
---------------------------------------------
Fortinet hat zum „Patch-Dienstag“ elf Sicherheitsflicken konzertiert veröffentlicht. Zwei der Lecks gelten als kritisch.
---------------------------------------------
https://heise.de/-11292861
∗∗∗ 1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin ∗∗∗
---------------------------------------------
On March 21st, 2026, we received a submission for an Arbitrary File Read and an SQL Injection vulnerability in Avada Builder, a WordPress plugin with an estimated 1,000,000 active installations.The post 1,000,000 WordPress Sites Affected by Arbitrary File Read and SQL Injection Vulnerabilities in Avada Builder WordPress Plugin appeared first on Wordfence.
---------------------------------------------
https://www.wordfence.com/blog/2026/05/1000000-wordpress-sites-affected-by-…
∗∗∗ New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution ∗∗∗
---------------------------------------------
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution.
---------------------------------------------
https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html
∗∗∗ LWN Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072596/
∗∗∗ NCSC-2026-0147 [1.00] [M/H] Kwetsbaarheden verholpen in Siemens-producten ∗∗∗
---------------------------------------------
https://advisories.ncsc.nl/advisory?id=NCSC-2026-0147
∗∗∗ FortiGuard Labs: Improper access control on API endpoints ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-128
∗∗∗ FortiGuard Labs: Incorrect global authorization ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-136
∗∗∗ FortiGuard Labs: Out-of-bounds access in CAPWAP daemon ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-26-123
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Montag 11-05-2026 18:00 − Dienstag 12-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New GhostLock tool abuses Windows API to block file access ∗∗∗
---------------------------------------------
A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghostlock-tool-abuses-wi…
∗∗∗ Cyberangriff trifft Fahrzeughersteller: Kundendaten von Skoda kompromittiert ∗∗∗
---------------------------------------------
Ein unbekannter Angreifer hat ein von Skoda genutztes Shopsystem infiltriert und konnte auf Kundendaten zugreifen. Auch Zugangsdaten sind betroffen.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-fahrzeughersteller-kundendate…
∗∗∗ Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ∗∗∗
---------------------------------------------
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation.
---------------------------------------------
https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.ht…
∗∗∗ cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ∗∗∗
---------------------------------------------
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.
---------------------------------------------
https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
∗∗∗ Prüfportal für Gutscheinkarten? Wie ein kurzer Check das Guthaben absaugt ∗∗∗
---------------------------------------------
Wer im Zuge eines Online-Privatverkaufs dazu gedrängt wird, für die Zahlung gekaufte Gutscheinkarten auf einem dubiosen Portal zu überprüfen, sollte den Deal sofort abblasen. Hier wird nämlich nichts geprüft, die Plattform ist lediglich ein praktischer Weg für Kriminelle, an das Guthaben auf den Karten zu gelangen.
---------------------------------------------
https://www.watchlist-internet.at/news/pruefportal-fuer-gutscheinkarten/
∗∗∗ Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign ∗∗∗
---------------------------------------------
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
---------------------------------------------
https://www.security.com/threat-intelligence/iran-seedworm-electronics
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA ∗∗∗
---------------------------------------------
SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabi…
∗∗∗ VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation ∗∗∗
---------------------------------------------
dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.
---------------------------------------------
https://kb.cert.org/vuls/id/471747
∗∗∗ Anonymisierendes Linux Tails: Notfallupdate 7.7.3 fixt DirtyFrag-Lücke ∗∗∗
---------------------------------------------
Das anonymisierende Linux Tails ist als nächstes Notfallupdate in Version 7.7.3 erschienen. Es schließt die DirtyFrag-Lücke.
---------------------------------------------
https://www.heise.de/news/Anonymisierendes-Linux-Tails-Notfallupdate-7-7-3-…
∗∗∗ Node.js: Abermals Ausbruch aus vm2-Sandbox möglich ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke in der Node.js-Sandbox vm2 kann Schadcode passieren lassen. Ein Sicherheitspatch steht zum Download bereit.
---------------------------------------------
https://www.heise.de/news/Node-js-Abermals-Ausbruch-aus-vm2-Sandbox-moeglic…
∗∗∗ OpenSearch-Client für Node.js ist auch kompromittiert – Teil 2 ∗∗∗
---------------------------------------------
Die Hiobsbotschaften reißen heute nicht ab. Im Beitrag Neuer Shai-Hulud Lieferkettenangriff auf npm tanstack-Pakete; CheckMarx Jenkins-Paket infiziert hatte ich über zwei Lieferkettenangriffe der letzten beiden Stunden berichtet. Der Mini Shai Hulud-Lieferkettenangriff auf npm tanstack-Pakete hat sich ausgeweitet und der OpenSearch-Client für Node.js ist auch kompromittiert.
---------------------------------------------
https://borncity.com/blog/2026/05/12/opensearch-client-fuer-node-js-ist-auc…
∗∗∗ May 2026 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Secure Access Client, Xtraction, Virtual Traffic Manager and Endpoint Manager (EPM).
---------------------------------------------
https://www.ivanti.com/blog/may-2026-security-update
∗∗∗ Postmortem: TanStack npm supply-chain compromise ∗∗∗
---------------------------------------------
On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised.
---------------------------------------------
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
∗∗∗ Pi-hole-Update schließt dnsmasq-Sicherheitslücken ∗∗∗
---------------------------------------------
https://www.heise.de/news/Pi-hole-Update-schliesst-dnsmasq-Sicherheitslueck…
∗∗∗ LWN Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072498/
∗∗∗ Firefox 150.0.3 korrigiert Passwort-Druck-Bug ∗∗∗
---------------------------------------------
https://borncity.com/blog/2026/05/12/firefox-150-0-3-korrigiert-passwort-dr…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 08-05-2026 18:00 − Montag 11-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Hackers abuse Google ads, Claude.ai chats to push Mac malware ∗∗∗
---------------------------------------------
Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-cla…
∗∗∗ Messenger: So will Signal Phishing-Angriffe erschweren ∗∗∗
---------------------------------------------
Nachdem die Messenger-App Signal Ziel einer Phishing-Attacke unter anderem auf Politiker geworden ist, sollen solche Angriffe erschwert werden.
---------------------------------------------
https://www.golem.de/news/messenger-so-will-signal-phishing-angriffe-erschw…
∗∗∗ Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads ∗∗∗
---------------------------------------------
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users.
---------------------------------------------
https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.ht…
∗∗∗ Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged ∗∗∗
---------------------------------------------
Cybercrooks ruin engineers weekends with Saturday attack. Checkmarx’s software engineers are still working to remove a malicious version of the code security outfit's Jenkins plugin after detecting an unauthorized upload over the weekend.
---------------------------------------------
https://www.theregister.com/devops/2026/05/11/checkmarx-tackles-another-tea…
∗∗∗ Yarbo responds to robot flaws that could mow down their owners ∗∗∗
---------------------------------------------
A researcher found a host of vulnerabilities in Yarbo garden robots that could expose Wi-Fi passwords, hijack cameras, and run over their owners on command.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/05/yarbo-responds-to-robot-flaw…
∗∗∗ E-Mail zur Erneuerung der ID Austria App ist fake ∗∗∗
---------------------------------------------
Aktuell ist eine betrügerische E-Mail im Umlauf, die Nutzer:innen zu einem angeblich notwendigen Update der ID-Austria-App auffordert. Das Ziel: Zugang zu privaten Daten und Accounts zu erlangen.
---------------------------------------------
https://www.watchlist-internet.at/news/erneuerung-der-id-austria-app-fake/
∗∗∗ Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware ∗∗∗
---------------------------------------------
In April, we observed an intrusion linked to the Atos-reported campaign where an EtherRAT was installed via a malicious MSI masquerading as a Sysinternals tool. Later in the intrusion, we observed the deployment of a new malware framework named TukTuk, first reported by Evangelos G, which, according to their analysis, is AI-generated.
---------------------------------------------
https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end…
∗∗∗ Vulnerability Garden: A growing list of named vulnerabilities, attack techniques and exploits ∗∗∗
---------------------------------------------
A growing list of 966 named vulnerabilities, attack techniques and exploits.
---------------------------------------------
https://vulnerability.garden/
∗∗∗ the 90 day disclosure policy is dead ∗∗∗
---------------------------------------------
The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention.
---------------------------------------------
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/
∗∗∗ Hunting ClickFix Win + X Variants ∗∗∗
---------------------------------------------
It has been just over a year since my post on ClickFix, where I explored the technique in depth. Since then, defenders have adopted countermeasures that detect ClickFix execution through the Windows Run prompt shortcut (Win + R), or have disabled that vector entirely through the Windows registry. This post focuses on variants that leverage the Windows Power User Menu (Win + X) and user-driven Terminal launches to paste and execute commands.
---------------------------------------------
https://detect.fyi/hunting-clickfix-win-x-variants-ff06e4c62bd9
=====================
= Vulnerabilities =
=====================
∗∗∗ Per DHCP-Antwort zum Root: KI findet 21 Jahre alte Schadcode-Lücke in FreeBSD ∗∗∗
---------------------------------------------
Auf unzähligen FreeBSD-basierten Systemen lässt sich über einen bösartigen DHCP-Server im Netzwerk Schadcode einschleusen und als Root ausführen.
---------------------------------------------
https://www.golem.de/news/per-dhcp-antwort-zum-root-ki-findet-21-jahre-alte…
∗∗∗ Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
---------------------------------------------
https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.h…
∗∗∗ JDownloader verteilte Malware-Downloads ∗∗∗
---------------------------------------------
Die Webseite des recht populären Downloader-Tools JDownloader wurde kompromittiert. Sie hat dadurch falsche Installationspakete ausgeliefert, die mit Malware verseucht sind. Inzwischen haben die Betreiber die Webseite bereinigt. Auch bei den Daemon Tools gab es solch einen Vorfall; inzwischen haben auch dort die Inhaber reagiert und stellen nun saubere Installer bereit.
---------------------------------------------
https://www.heise.de/news/JDownloader-verteilte-Malware-Downloads-11288832.…
∗∗∗ Sicherheitspatch: Abermals Sicherheitslücken in cPanel und WHM geschlossen ∗∗∗
---------------------------------------------
Angreifer können cPanel und WebHost Manager unter anderem mit Schadcode attackieren. Sicherheitspatches sind verfügbar.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-Abermals-Sicherheitsluecken-in-c…
∗∗∗ Schadcode-Lücke bedroht IBM App Connect Enterprise und IBM Integration Bus ∗∗∗
---------------------------------------------
Angreifer können IBM App Connect Enterprise und IBM Integration Bus for z/OS attackieren. Updates lösen das Sicherheitsproblem.
---------------------------------------------
https://heise.de/-11289112
∗∗∗ LWN Security updates for Monday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1072301/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 07-05-2026 18:00 − Freitag 08-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New PCPJack worm steals credentials, cleans TeamPCP infections ∗∗∗
---------------------------------------------
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network. [..] To mitigate this risk, the researchers recommend enforcing multi-factor authentication (MFA), using IMDSv2 in AWS, ensuring proper authentication for Docker and Kubernetes services, following least-privilege principles, and avoiding storing secrets in plaintext.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-cred…
∗∗∗ Ende-zu-Ende-Verschlüsselung: Instagram deaktiviert Privatsphärenschutz ∗∗∗
---------------------------------------------
Es flog etwas unter dem Radar, doch ab dem heutigen Freitag wird es Ernst: Instagram verwässert den Privatsphärenschutz des sozialen Netzwerks. Die Opt-in-Option zur Ende-zu-Ende-Verschlüsselung (End-to-End-Encryption, E2EE) schaltet Meta für Direktnachrichten global ab. [..] Als Erklärung dazu, warum die Ende-zu-Ende-Verschlüsselung nun nicht mehr möglich sein soll, liefert ein aktualisierter Facebook-Blog-Beitrag eine Antwort: Demnach haben nur sehr wenige Menschen die Möglichkeit der Aktivierung der Ende-zu-Ende-Verschlüsselung in Direktnachrichten genutzt.
---------------------------------------------
https://www.heise.de/news/Ende-zu-Ende-Verschluesselung-Instagram-deaktivie…
∗∗∗ ShinyHunters escalates Canvas attacks with school login defacements ∗∗∗
---------------------------------------------
According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2026/05/shinyhunters-escalates-canva…
∗∗∗ ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data ∗∗∗
---------------------------------------------
Cybersecurity researchers from LayerX have found a major security flaw in the Claude for Chrome browser extension that could allow hackers to take full control of the AI assistant. They have named this vulnerability ClaudeBleed, and their research shows that even a basic extension with no special permissions can hijack Claude to steal private files and send emails without the user’s knowledge or consent. [..] After being notified by LayerX, Anthropic released a patch on 6 May in version 1.0.70. This update added new pop-up windows to ask for user permission. However, the LayerX team quickly found a way around them, discovering that by forcing the extension into a privileged mode, aka Act without asking mode, they could skip the permission screens entirely.
---------------------------------------------
https://hackread.com/claudebleed-vulnerability-hackers-claude-chrome-extens…
∗∗∗ Kubernetes security fundamentals: Secrets ∗∗∗
---------------------------------------------
In this post, we'll be exploring secrets management in Kubernetes. Securely handling secrets is essential for any cluster operator, and there are several important nuances to keep in mind.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamental…
∗∗∗ Behind the Scenes Hardening Firefox with Claude Mythos Preview ∗∗∗
---------------------------------------------
Two weeks ago we announced that we had identified and fixed an unprecedented number of latent security bugs in Firefox with the help of Claude Mythos Preview and other AI models. In this post, we’ll go into more detail about how we approached this work, what we found, and advice for other projects on making good use of emerging capabilities to harden themselves against attack.
---------------------------------------------
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
∗∗∗ Stop MITM on the first SSH connection, on any VPS or cloud provider ∗∗∗
---------------------------------------------
This little script stops attacks on the first SSH connection to a new VM, even on providers (like Hetzner Cloud) that don't offer a proprietary solution; we only need cloud-init, which is widely supported.
---------------------------------------------
https://www.joachimschipper.nl/Stop%20MITM%20on%20the%20first%20SSH%20conne…
=====================
= Vulnerabilities =
=====================
∗∗∗ Lokale Privilegieneskalation im Linux-Kernel ("Dirty Frag" und "Copy Fail 2") - PoCs verfügbar, kein Patch ∗∗∗
---------------------------------------------
Am 7. Mai 2026 wurden zwei neue Schwachstellen im Linux-Kernel öffentlich gemacht, die unter den Namen „Dirty Frag“ und „Copy Fail 2: Electric Boogaloo“ bekannt sind. Beide Schwachstellen ermöglichen lokalen, nicht privilegierten Benutzer:innen eine Eskalation auf root. [..] Es handelt sich um deterministische Logikfehler ohne Race-Condition; bei einem Fehlschlag tritt keine Kernel-Panik auf, die Erfolgswahrscheinlichkeit wird als hoch beschrieben. [..] Bestehende Gegenmaßnahmen gegen „Copy Fail“ (CVE-2026-31431), insbesondere das Sperren des Moduls algif_aead, schützen NICHT gegen „Dirty Frag“ oder „Copy Fail 2“. [..] Betroffen sind die meisten aktuellen Linux-Distributionen mit aktiviertem Page-Cache-Pfad in esp4/esp6 bzw. rxrpc. [..] Zum Zeitpunkt der Veröffentlichung dieser Warnung liegen für die meisten Distributionen noch keine vollständig gepatchten Kernel vor.
---------------------------------------------
https://www.cert.at/de/warnungen/2026/5/linux-lpe-dirty-frag-copy-fail-2
∗∗∗ LWN Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071859/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 06-05-2026 18:00 − Donnerstag 07-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers abuse Google ads for GoDaddy ManageWP login phishing ∗∗∗
---------------------------------------------
A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddys platform for managing fleets of WordPress websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-for…
∗∗∗ Fake Claude AI website delivers new Beagle Windows malware ∗∗∗
---------------------------------------------
A fake version for the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-claude-ai-website-deliv…
∗∗∗ When DNSSEC goes wrong: how we responded to the .de TLD outage ∗∗∗
---------------------------------------------
On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Heres what 1.1.1.1 saw, how serve stale cushioned the impact, and how we restored resolution.
---------------------------------------------
https://blog.cloudflare.com/de-tld-outage-dnssec/
∗∗∗ How Cloudflare responded to the “Copy Fail” Linux vulnerability ∗∗∗
---------------------------------------------
When a critical Linux kernel privilege escalation was publicly disclosed, Cloudflares security and engineering teams detected, investigated, and mitigated the threat across our global fleet, confirming zero customer impact and no malicious exploitation.
---------------------------------------------
https://blog.cloudflare.com/copy-fail-linux-vulnerability-mitigation/
∗∗∗ Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.
---------------------------------------------
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.h…
∗∗∗ Insolvenzmasse: Kriminelle imitieren neben Anwaltskanzleien nun auch Autohändler, Großhändler und Wirtschaftsprüfer ∗∗∗
---------------------------------------------
Die Masche bleibt gleich, aber die Deckmäntel ändern sich. Wurde früher ausschließlich die Identität von Anwaltskanzleien missbraucht, um über Vorschussbetrug an das Geld von Opfern zu gelangen, haben die Kriminellen nun ihr Portfolio erweitert. Sie geben sich mittlerweile auch als eine Vielzahl anderer Unternehmen und Agenturen aus. Ein Update.
---------------------------------------------
https://www.watchlist-internet.at/news/insolvenzmasse-autohaendler-grosshae…
∗∗∗ World Password Day 2026: Why “Strong Passwords” Can’t Save You from AI, Infostealers, and the Telegram Underground ∗∗∗
---------------------------------------------
As we recognize World Password Day in 2026, the traditional advice to “use a complex password with numbers and symbols” feels hopelessly outdated. Today, a 16-character password is useless if an infostealer malware extracts it directly from a browser cache, or if an employee willingly pastes it into an unmanaged AI chatbot. Welcome to the real World Password Day 2026.
---------------------------------------------
https://blog.checkpoint.com/security/world-password-day-2026-why-strong-pas…
∗∗∗ Polish intelligence warns hackers attacked water treatment control systems ∗∗∗
---------------------------------------------
The agency did not publicly attribute the incidents to a specific group or country but said Poland faced intensified hostile cyber activity in 2024 and 2025, “with particular emphasis on the special services of the Russian Federation.”
---------------------------------------------
https://therecord.media/polish-intelligence-warns-hackers-attacked-water-tr…
∗∗∗ Warnung vor IONOS/1&1 Rechnungs-Phishing ∗∗∗
---------------------------------------------
Ich stelle mal eine kurze Warnung hier im Blog ein, weil mir bereits zum zweiten Monat eine Phishing-Mail von 1&1 in meinem Postfach zugestellt wurde, die Rechnungs-Phishing bei IONOS versucht.
---------------------------------------------
https://borncity.com/blog/2026/05/07/warnung-vor-ionos-11-rechnungs-phishin…
∗∗∗ Best OSINT Tools for Investigations and Threat Intelligence in 2026 ∗∗∗
---------------------------------------------
Explore the best OSINT tools for your digital investigations, threat intelligence, reconnaissance, and tracking online activity in 2026.
---------------------------------------------
https://hackread.com/best-osint-tools-investigate-threat-intelligence-2026/
∗∗∗ Plastic Flowers to Protect the Hive ∗∗∗
---------------------------------------------
Agentic development has fundamentally changed the software ecosystem. Modern coding agents are trained and prompted to seek out tools that will help with their assigned coding tasks. They will install those tools into their user’s environment, with little to no oversight on what the installed package actually does, relying on name pattern matching more than any other signal.
---------------------------------------------
https://phildini.dev/slopsquatting-for-good
∗∗∗ Operation Epic Fury Exposes Critical OT Security Gaps in U.S. Oil and Gas Sector ∗∗∗
---------------------------------------------
The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities.
---------------------------------------------
https://thecyberexpress.com/operation-epic-fury-ot-security-detection-gaps/
∗∗∗ ClickFix Campaign Evolves with Targeting of MacOS Users ∗∗∗
---------------------------------------------
ClickFix started as a Windows problem. It is no longer one. Microsofts Defender Security Research Team published a detailed analysis documenting an active ClickFix campaign that is targeting macOS users since at least January 2026. The primary goal is delivering infostealers by convincing users to paste malicious commands into their own Terminal, framed as routine system maintenance.
---------------------------------------------
https://thecyberexpress.com/clickfix-campaign-evolves-targets-macos-users/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco: Codeschmuggel-Leck in Unity Connection und weitere Lücken ∗∗∗
---------------------------------------------
Cisco hat fast zwei Handvoll Sicherheitsupdates veröffentlicht. Sie schließen mehrere hochriskante Lücken etwa in Unity Connection.
---------------------------------------------
https://www.heise.de/news/Cisco-Codeschmuggel-Leck-in-Unity-Connection-und-…
∗∗∗ May 2026 EPMM Security Update ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Endpoint Manager Mobile (EPMM) which addresses five high severity vulnerabilities.
---------------------------------------------
https://www.ivanti.com/blog/may-2026-epmm-security-update
∗∗∗ Node.js 25: Ausbrüche aus JavaScript-Sandbox vm2 vorstellbar ∗∗∗
---------------------------------------------
Die Sandbox-Komponente vm2 der Open-Source-JavaScript-Laufzeitumgebung Node.js ist mit bestimmten Einstellungen verwundbar.
---------------------------------------------
https://heise.de/-11285063
∗∗∗ Salesforce Marketing Cloud Vulnerabilities Expose Cross-Tenant Subscriber Data Risks ∗∗∗
---------------------------------------------
A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure. The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.
---------------------------------------------
https://thecyberexpress.com/salesforce-sfmc-ampscript-vulnerability/
∗∗∗ Authenticated Arbitrary File Upload Vulnerability Patched in Slider Revolution 7 WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2026/05/authenticated-arbitrary-file-upload-…
∗∗∗ LWN Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1071700/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/