Ubiquiti Critical Vulnerabilities Are Now Being Exploited in Attacks
CISA warned that threat actors are actively targeting three critical UniFi OS flaws, all rated 10.0. The bugs allow unauthorized changes, file access, and deeper system manipulation on exposed devices, making this one of the most urgent edge infrastructure stories of the week.
Source: SecurityWeek
Cisco Unified CM Flaw Is Now Exploited in the Wild
Attackers are now exploiting CVE-2026-20230 in Cisco Unified Communications Manager. The issue starts as an unauthenticated SSRF flaw, but Cisco has already warned it can be used to write files and later escalate to root on affected systems.
Source: BleepingComputer
CISA Warns Lantronix EDS5000 Vulnerability Is Under Active Exploitation
CISA says CVE-2025-67038 in Lantronix EDS5000 devices is being actively exploited and has ordered rapid remediation. The flaw is a root-level command injection bug in the HTTP RPC module, which makes it especially dangerous for serial-to-IP infrastructure in operational environments.
Source: The Hacker News
PTC Windchill Sees First Confirmed Real-World Exploitation
Security researchers reported the first known in-the-wild exploitation of a PTC Windchill vulnerability. The bug allows unauthenticated remote code execution through crafted requests, and its abuse matters because Windchill sits deep inside product lifecycle and engineering environments.
Source: SecurityWeek
FFmpeg PixelSmash Can Turn a Malicious Media File Into Remote Code Execution
JFrog disclosed CVE-2026-8461, a high-severity flaw in FFmpeg’s MagicYUV decoder that can be exploited for reliable remote code execution. Since FFmpeg is embedded across video players, NAS devices, media servers, and cloud pipelines, the exposure goes far beyond a single application class.
Source: SecurityWeek
Vendor-Signed UEFI Applications Can Be Abused for Secure Boot Bypass
CERT warned that multiple vendor-signed UEFI applications are vulnerable to a Secure Boot bypass resembling a BYOVD style pre-boot attack. If a system trusts the affected certificate chain, an attacker can execute code before the operating system even starts, which raises the impact well beyond a normal post-boot compromise.
Source: CERT/CC
ShapedPlugin Supply Chain Compromise Backdoored Official WordPress Pro Releases
Wordfence reported that attackers compromised ShapedPlugin’s build and distribution pipeline and injected backdoor code into Pro plugin updates delivered through official channels. The case stands out because victims followed normal licensing and update practices and were still exposed through the vendor’s own update system.
Source: Wordfence
Mini Shai-Hulud Expanded Again Through LeoPlatform npm and Go Ecosystem Compromises
Socket tracked a new wave of the Miasma and Mini Shai-Hulud campaign affecting LeoPlatform and RStreams npm packages, GitHub Actions workflows, and a related Go module compromise. The operation continues to combine install-time execution, Bun-staged malware, CI secret theft, and AI assistant persistence into a broader developer ecosystem threat.
Source: Socket
Klue Salesforce Incident Has Now Hit BeyondTrust and LastPass
SecurityWeek reported that both BeyondTrust and LastPass were affected through the Klue incident, where a threat actor used a compromised legacy credential to generate OAuth tokens and access linked Salesforce environments. The story reinforces how third-party SaaS integrations can become a breach path into multiple downstream organizations at once.
Source: SecurityWeek
FortiBleed Shows a Large Russian Credential Harvesting Operation Against Fortinet Devices
SOCRadar’s analysis traces FortiBleed from mass reconnaissance and credential sourcing to passive sniffers, offline cracking, and targeted exfiltration. The investigation expanded from one exposed directory to more than 260 operation servers, suggesting a mature and persistent access-brokering pipeline built around Fortinet environments.
Source: SOCRadar
Photo Zip Campaign Targets Hospitality Firms with a Node.js Implant
Microsoft described an active intrusion campaign against hospitality organizations in Europe and Asia using photo-themed ZIP archives and fake image shortcut files. The chain leads to obfuscated PowerShell, a Node.js implant, registry-based persistence, and non-standard C2 communications for long-term access.
Source: Microsoft Security
Edgecution Uses a Malicious Microsoft Edge Extension to Break Out of the Browser
Zscaler linked a new malware delivery method called Edgecution to an initial access broker associated with Payouts King ransomware. By abusing the Chrome native messaging protocol through a rogue Edge extension, the attackers gain direct host access and move beyond the normal browser sandbox model.
Source: Zscaler ThreatLabz
Chinese Cluster CL-STA-1062 Targeted Southeast Asian Governments and Energy Entities
Unit 42 reported that CL-STA-1062 targeted government bodies and state-owned enterprises in Southeast Asia and used a mix of open-source tools and a newly documented backdoor called TinyRCT. The activity fits a sustained regional espionage pattern rather than a short-lived campaign.
Source: Unit 42
AutoJack Shows How One Web Page Can Turn an AI Agent Into a Host-Level Attack Path
Microsoft researchers detailed AutoJack, an exploit chain in AutoGen Studio that lets untrusted web content reach a local MCP WebSocket and spawn processes on the host. Although the affected surface never shipped in the PyPI release, the research is important because it demonstrates a real localhost trust-boundary failure in AI agent tooling.
Source: Microsoft Security
Cordyceps Exposes a Broad CI/CD Exploitation Pattern Across High-Impact Repositories
Novee said it found a systemic class of CI/CD weaknesses across roughly 30,000 high-impact repositories, including exploitable chains involving command injection, broken authentication logic, artifact poisoning, and privilege escalation in GitHub Actions workflows. The significance here is not a single product flaw, but a repeatable supply chain pattern that can scale across major open-source projects.
Source: Novee
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
Privacy Policy | Terms of Service | Responsible Disclosure
© 2026 AresISEC