Security Highlights Of The Week [07/26-2]

Januscape Opens a New VM Escape Path on Both Intel and AMD
Researchers disclosed Januscape, a Linux KVM vulnerability that allows guest-to-host escape on both Intel and AMD systems. Because it affects the shadow MMU path in KVM and was reportedly used as a zero-day in Google’s kvmCTF program, it stands out as one of the most important virtualization flaws of the week.
Source: BleepingComputer

Critical Gitea Flaw Is Already Being Exploited
Researchers warned that attackers are actively exploiting CVE-2026-20896 in Gitea’s reverse-proxy authentication logic. On affected Docker deployments, a single crafted HTTP header can be enough to access internet-facing instances when only a valid username is known.
Source: SecurityWeek

Ubiquiti Ships Broad UniFi Security Fixes After Earlier Weaponization
Ubiquiti released updates for critical flaws across UniFi Connect, Talk, Access, Protect, and UniFi OS. The most notable point is that three UniFi OS bugs had already been flagged by CISA as weaponized in real-world attacks, so this is not a routine patch cycle.
Source: The Hacker News

Microsoft Closes the RoguePlanet Defender Zero-Day
Microsoft fixed RoguePlanet, tracked as CVE-2026-50656, through an update to the Microsoft Malware Protection Engine. The flaw allowed attackers to move from a standard user context to SYSTEM, making it highly relevant for post-compromise privilege escalation on Windows systems.
Source: Malwarebytes

Zimbra Urges Immediate Patching for Critical Web Client XSS
Zimbra warned customers to patch a critical stored XSS flaw in the Classic Web Client. The issue can be triggered through a specially crafted email and executes malicious code when the message is opened, which makes it especially dangerous in large mail environments.
Source: BleepingComputer

China-Aligned Cluster Targets Universities Through Roundcube
Proofpoint’s UNK_MassTraction activity is targeting Roundcube servers at US and Canadian universities, especially physics and engineering departments tied to sensitive research. The campaigns use multiple Roundcube n-days to steal credentials, deploy webshells, or load VShell directly into memory while keeping a low detection profile.
Source: Hackread

Fake IT Support Calls on Teams Are Delivering EtherRAT
Attackers are using Microsoft Teams voice calls, phishing emails, and remote management tooling to trick employees into installing EtherRAT. The campaign shows how collaboration platforms are now being used not just for phishing lures, but for live social engineering that creates immediate initial access.
Source: BleepingComputer

Vishing Campaigns Now Target Microsoft Entra Passkey Enrollment
Okta reported that a threat actor tracked as O-UNC-066 is using voice phishing and passkey-themed domains to push victims into fraudulent Microsoft 365 passkey enrollment flows. The campaign is aimed at enterprise targets across multiple sectors and is tied to data extortion rather than simple credential harvesting.
Source: Okta

Rogue Agent Shows How One Permission Could Poison Dialogflow CX
Varonis disclosed Rogue Agent, a Dialogflow CX issue that allowed persistent malicious code injection into conversational agent workflows. The attack could silently exfiltrate conversations and support phishing at scale, highlighting how cloud AI platforms are creating new privilege and trust-boundary problems.
Source: Varonis

HalluSquatting Turns AI Hallucinations Into a Supply Chain Attack Path
Researchers showed that attackers can register package names hallucinated by AI coding assistants and wait for those assistants to fetch or run them automatically. The result is a practical bridge between model hallucination and real code execution on developer machines, especially where agents are allowed to access outside resources with little review.
Source: The Hacker News

KDDI Says More Than 12 Million People Were Impacted by an ISP Platform Breach
Japanese telecom giant KDDI disclosed that a breach affecting a shared email platform exposed email addresses and passwords linked to more than 12 million people. The incident affected multiple ISPs and is one of the larger consumer-facing telecom breaches reported this week.
Source: BleepingComputer

GigaWiper Combines Backdoor Access With Destructive Sabotage Options
Microsoft detailed GigaWiper, a Golang-based backdoor that combines command-and-control capability with wiping, fake ransomware, and broader system sabotage. Its importance lies in how it assembles multiple malware capabilities into one flexible destructive platform rather than relying on a single fixed payload.
Source: Microsoft Security

WP-SHELLSTORM Exposed a Large Webshell Access-Broker Operation
SOCRadar says an exposed Python SimpleHTTPServer revealed the internal toolkit, logs, and target lists of a large WordPress-focused access-brokerage campaign. The exposed operation allegedly targeted more than 1.4 million domains, weaponized 27 CVEs, and maintained thousands of active webshells.
Source: SOCRadar

Talos Tracks UAT-7810 as It Expands ORB Infrastructure
Cisco Talos says UAT-7810 continues building and maintaining operational relay box networks through its LapDogs infrastructure and evolving SHORTLEASH malware. These ORB networks matter because they are designed to support secondary threat actors and provide resilient routing layers for future intrusions against high-value targets.
Source: Cisco Talos

ESET’s H1 2026 Report Shows the AI Skill Ecosystem Becoming a Security Problem of Its Own
ESET’s H1 2026 threat report says attackers are scaling established techniques faster and adapting them to new platforms, especially AI ecosystems. The report highlights nearly 900,000 AI skills analyzed in the first half of the year, including tens of thousands of suspicious and thousands of clearly malicious instances.
Source: ESET

Scroll to top