Why Secure Code Is No Longer Enough for Product Security

Modern applications and digital products go through more validation than ever before. Code reviews are a standard part of development, automated security checks are often integrated into deployment pipelines, and both functional and security testing are now common parts of the release process.

And yet, products that pass these checks still end up compromised.

The issue is not necessarily that security testing is missing or that development teams ignore security. More often, the problem is that security is still viewed too narrowly. The focus remains on the application or an individual feature, while real attack paths only become visible when the environment is viewed as a whole.

An application may have a secure authentication flow while still exposing excessive information through API responses. It may pass internal security checks while deployment settings expose debug information or internal paths. It may implement proper input validation while relying on integrations or services that unintentionally create additional attack paths.

This is where the difference between code security and product security becomes clear.

One of the patterns regularly seen during testing involves APIs that technically behave correctly but return more information than necessary. An endpoint provides legitimate data for a request, but also exposes internal identifiers, object relationships, or details about how services are connected. From a development perspective, the response is correct. From an attacker’s perspective, it becomes a system mapping tool.

A similar issue appears in authentication flows. Passwords are validated correctly, tokens are handled properly, and sessions behave as expected. But when multiple endpoints are combined, unintended paths begin to appear. One endpoint confirms whether a user exists, another allows excessive authentication attempts, while a third reveals additional account context. Individually, these behaviors may appear acceptable. Together, they form a practical attack path.

Configuration and infrastructure make the situation even more complex. During testing, it is common to see applications with no major issues in the code itself, while the deployment environment exposes internal information, environment variables, references to other services, or unnecessarily exposed administrative functionality.

These issues are not always caused by development mistakes. The problem is that product security does not end with the code.

In practice, AresISEC often sees applications that pass internal security reviews but still expose attack paths that only become visible when the application, its configuration, infrastructure, and usage patterns are evaluated together.

This is why product security is becoming much broader than application testing alone. The shift is increasingly reflected in regulatory requirements as well.

The Cyber Resilience Act gradually introduces security obligations for software and products with digital elements across the European Union. Most requirements will become applicable by the end of 2027, while obligations related to reporting actively exploited vulnerabilities and incidents will apply earlier. The regulation requires a structured approach to product security across the entire lifecycle, including vulnerability management, security updates, documentation, and risk assessment.

For organizations developing or maintaining digital products, security will no longer be only a technical or development concern, but also a regulatory obligation with potentially significant financial penalties. This changes how product security is viewed. Security is no longer just about validating individual components. It becomes a question of how the entire product behaves in a real environment under real conditions.

The key point is not that development teams fail to perform security testing. Most mature teams already do. The issue is that no single type of testing covers every perspective.

Real product security begins when the system is evaluated as a complete environment.

Sources:
European Union – Cyber Resilience Act (Regulation (EU) 2024/2847)

OWASP – Web Security Testing Guide

OWASP – Top 10 Web Application Security Risks

NIST – Technical Guide to Information Security Testing and Assessment (SP 800-115)

Do you want to understand how your application behaves outside of expected use cases?

Security Highlights Of The Week [06/26-1]

CISA Warns That Nx Console and GitHub Supply Chain Intrusions Are Hitting CI CD Pipelines
CISA said recent developer ecosystem intrusions, including the Nx Console compromise and the Megalodon campaign, show that threat actors are actively abusing CI CD tooling, code extensions, and workflows. The alert matters because it frames these incidents as a broader pattern rather than isolated package compromises.
Source: CISA

GitHub Rotates Enterprise Server Signing Key After Internal Repository Attack
GitHub said it recently detected a cyberattack and began rotating keys, including the GitHub Enterprise Server signing key, out of caution. This is a high impact follow up because the signing key is used to validate GitHub Enterprise Server binaries during manual update workflows.
Source: GitHub

Unfixed Gogs Vulnerability Allows Authenticated Remote Code Execution
Rapid7 disclosed a critical argument injection flaw in Gogs that allows any authenticated user to execute code on the server during a pull request rebase workflow. The vendor had not released a fix at publication time, which makes exposed self hosted Git environments especially risky.
Source: Rapid7

FortiClient EMS Is Being Exploited to Deliver EKZ Infostealer
Arctic Wolf observed attackers exploiting CVE-2026-35616 in FortiClient EMS and pushing a fake Fortinet patch that actually installed the EKZ infostealer. The malware focuses on browser credential theft, which turns an enterprise management weakness into a direct path for credential harvesting at scale.
Source: Arctic Wolf

Ghost CMS Flaw Was Used to Hijack More Than 700 Sites for ClickFix Attacks
Attackers exploited CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into more than 700 sites and feed ClickFix attack chains. The campaign shows how compromising legitimate sites can give attackers trusted delivery infrastructure for broad social engineering operations.
Source: Cisco SD WAN Zero Day Is Being Exploited to Gain Root Access
Cisco warned that attackers are actively exploiting CVE-2026-20245 in Catalyst SD WAN Manager. The unpatched flaw allows low privileged attackers to escalate to root, which makes it especially dangerous for organizations that rely on SD WAN management planes for broad network control.
Source: BleepingComputer

Palo Alto GlobalProtect VPN Auth Bypass Is Now Exploited in Attacks
Palo Alto Networks says CVE-2026-0257 is now being used in attacks to establish unauthorized VPN connections through GlobalProtect. Because the issue affects a remote access path directly tied to corporate network entry, it creates immediate exposure for internet facing deployments that are not yet updated.
Source: Palo Alto Networks

Critical Windows Netlogon RCE Is Being Exploited Against Domain Controllers
Belgium’s national cyber authority warned that attackers are exploiting CVE-2026-41089, a critical Windows Netlogon remote code execution flaw patched in May. Since Netlogon sits at the center of domain based authentication, successful exploitation can directly threaten core Windows identity infrastructure.
Source: BleepingComputer

Oracle WebLogic Vulnerability Is Now Exploited in the Wild
CISA warned that CVE-2024-21182 in Oracle WebLogic is being exploited in real attacks nearly two years after Oracle patched it. The case shows how older enterprise flaws with public proof of concept code continue to remain operationally relevant long after a vendor release.
Source: SecurityWeek

Red Hat npm Packages Were Compromised to Steal Developer Credentials
More than 30 packages in Red Hat’s @redhat-cloud-services namespace were backdoored with a new Shai Hulud variant dubbed Miasma. The malware was designed to steal cloud secrets, SSH keys, CI tokens, and developer credentials, turning a trusted enterprise package namespace into a supply chain attack path.
Source: BleepingComputer

VS Code Zero Day Can Steal GitHub Tokens with a Single Click
Researchers released exploit code for a VS Code zero day that can install malicious extensions and steal GitHub OAuth tokens when users are lured into clicking a crafted link. The issue is especially serious because it targets a widely used developer tool and can expose private repositories through trusted workflows.
Source: BleepingComputer

WP Maps Pro Flaw Lets Attackers Create WordPress Admin Accounts
Attackers are actively exploiting CVE-2026-8732 in WP Maps Pro to create full administrator accounts on affected WordPress sites without authentication. The issue is severe because it turns a support feature into a direct path for complete site takeover.
Source: Security Affairs

Critical Flowise Flaw Can Give Attackers Full Server Control
A critical vulnerability in Flowise allows a malicious workflow import to take over a self hosted server when opened by a logged in user. Researchers also warned that the official fix can be bypassed, which keeps the exposure window open for organizations running the platform internally.
Source: Infosecurity Magazine

Dashlane Says Attackers Copied Encrypted Password Vaults from Some Accounts
Dashlane disclosed that a brute force campaign went beyond lockouts and allowed a threat actor to access some user accounts and copy encrypted vaults. Although Dashlane said its internal systems were not compromised, the incident raises the stakes because password managers concentrate highly sensitive data in one place.
Source: Help Net Security

UN World Food Programme Breach Exposed Data from 600,000 Gaza Households
The UN World Food Programme said its Palestine self registration application was breached, exposing beneficiary information from across Gaza. The affected data included names, identification numbers, phone numbers, and location details, making this a major humanitarian sector privacy and safety incident.
Source: BleepingComputer

PCPJack Hijacked 230 Cloud Servers into a Hidden SMTP Relay Network
Hunt.io found exposed operator infrastructure tied to PCPJack and linked the campaign to 230 compromised AWS, GCP, and Azure systems. The operation used Sliver, Chisel, and other tooling to build a covert SMTP relay network that could support large scale spam and follow on abuse.
Source: Hunt.io

Gamaredon Is Hiding Worm Components in NTFS Data Streams
Sekoia observed Gamaredon using alternate data streams in Windows to hide worm components while maintaining long term access inside Ukrainian networks. The technique reduces visible artifacts on disk and fits the group’s long running espionage focus on government, military, and critical infrastructure targets.
Source: Infosecurity Magazine

GoDaddy Found Malware on Nearly 2,000 WordPress Sites Using Steam as C2
GoDaddy researchers found malware on roughly 1,980 WordPress sites that pulled hidden instructions from Steam Community profile comments using invisible Unicode. The campaign stands out because it abuses a legitimate gaming platform as unconventional command and control infrastructure.
Source: Security Affairs

Operation FlutterBridge Is Spreading a New macOS Backdoor Through Malvertising
Unit 42 described an active macOS malvertising campaign called Operation FlutterBridge that delivers a backdoor named FlutterShell. Beyond adware behavior, the malware supports shell execution and file system manipulation, and some variants abuse AI summarization features during data theft flows.
Source: Unit 42

Magecart Attackers Are Using Stripe and Google Tag Manager as Trusted Cover
Sansec found a payment theft campaign that abuses Google Tag Manager and Stripe infrastructure to host both malicious checkout code and stolen card data. By hiding inside domains many stores already trust, the attackers make detection and blocking significantly harder for defenders and merchants alike.
Source: BleepingComputer

Security Highlights Of The Week [05/26-4]

Megalodon Supply Chain Attack Compromised More Than 5,000 GitHub Repositories
Megalodon was one of the most significant developer ecosystem incidents in this batch, with attackers pushing thousands of commits across more than 5,000 public GitHub repositories in only a few hours. The campaign targeted GitHub Actions workflows and aimed to steal every secret available to runners, including cloud keys, SSH material, and OIDC tokens.
Source: InfoStealers

CISA Warns That Nx Console and GitHub Supply Chain Intrusions Are Hitting CI CD Pipelines
CISA said recent developer ecosystem intrusions, including the Nx Console compromise and the Megalodon campaign, show that threat actors are actively abusing CI CD tooling, code extensions, and workflows. The alert matters because it frames these incidents as a broader pattern rather than isolated package compromises.
Source: CISA

GitHub Rotates Enterprise Server Signing Key After Internal Repository Attack
GitHub said it recently detected a cyberattack and began rotating keys, including the GitHub Enterprise Server signing key, out of caution. This is a high impact follow up because the signing key is used to validate GitHub Enterprise Server binaries during manual update workflows.
Source: GitHub

Unfixed Gogs Vulnerability Allows Authenticated Remote Code Execution
Rapid7 disclosed a critical argument injection flaw in Gogs that allows any authenticated user to execute code on the server during a pull request rebase workflow. The vendor had not released a fix at publication time, which makes exposed self hosted Git environments especially risky.
Source: Rapid7

FortiClient EMS Is Being Exploited to Deliver EKZ Infostealer
Arctic Wolf observed attackers exploiting CVE-2026-35616 in FortiClient EMS and pushing a fake Fortinet patch that actually installed the EKZ infostealer. The malware focuses on browser credential theft, which turns an enterprise management weakness into a direct path for credential harvesting at scale.
Source: Arctic Wolf

Ghost CMS Flaw Was Used to Hijack More Than 700 Sites for ClickFix Attacks
Attackers exploited CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into more than 700 sites and feed ClickFix attack chains. The campaign shows how compromising legitimate sites can give attackers trusted delivery infrastructure for broad social engineering operations.
Source: The Hacker News

Carnival Confirms Data Breach Affecting Nearly 6 Million People
Carnival confirmed a large scale data breach affecting nearly 6 million individuals after claims tied to ShinyHunters surfaced earlier in the year. The size of the exposure and the sensitivity of customer information make this one of the most significant breach confirmations in this set.
Source: BleepingComputer

Silent Ransom Group Is Social Engineering Law Firms by Posing as IT Support
The FBI and CISA warned that the Silent Ransom Group, also known as Luna Moth, is targeting law firms with calls and phishing emails while impersonating IT support. The group then uses legitimate remote access tools or even in person access attempts to exfiltrate data and pressure victims into paying.
Source: IC3

JOMANGY Campaign Turns FreePBX Systems Into Toll Fraud Infrastructure
Cyble linked an active FreePBX exploitation campaign to actor INJ3CTOR3 and said the operation deploys self healing webshells that include live toll fraud logic. The scale is notable, with evidence pointing to thousands of scanned IPs and ongoing abuse of victim SIP trunks for direct financial gain.
Source: Cyble

GlassWorm Botnet Was Disrupted After Months of Open Source Ecosystem Abuse
CrowdStrike, Google, and the Shadowserver Foundation disrupted the GlassWorm botnet by simultaneously taking down its command and control channels. The botnet had used blockchain, Google Calendar, BitTorrent, and VPS based infrastructure, showing how resilient its delivery model had become before the takedown.
Source: SecurityWeek

JINX-0164 Targeted Crypto Firms Through Developers and CI CD Infrastructure
Wiz described a financially motivated actor it tracks as JINX-0164 that used recruitment themed social engineering, custom macOS malware, and CI CD targeting against cryptocurrency organizations. The campaign matters because it combined employee laptop compromise with attempts to move into code distribution and development systems.
Source: Wiz

Smishing Operation Across 19 Countries Targeted Government, Postal, and Telecom Brands
Hunt.io traced what began as Romanian impersonation activity into a broader smishing operation spanning 19 countries. The infrastructure targeted government payment portals, postal services, and telecom brands, showing a coordinated cross border fraud ecosystem rather than a local campaign.
Source: Hunt.io

Fake ChatGPT Download Site Is Infecting Windows and Mac Users With Stealers
Malwarebytes warned that a fake site mimicking the ChatGPT desktop app experience is distributing malware to both Windows and macOS users. Windows visitors receive a credential stealing loader, while Mac users are served Odyssey Stealer, showing how attackers continue to weaponize trusted AI brand recognition.
Source: Malwarebytes

GREYVIBE Shows How Russia Nexus Operations Are Integrating AI Into Campaigns
WithSecure linked GREYVIBE to persistent operations targeting Ukraine and Ukraine related entities and said the group leveraged AI during both development and operational phases. That makes it one of the more concrete current examples of state aligned activity using AI beyond generic experimentation.
Source: WithSecure

Phishers Are Abusing Google AppSheet Notifications to Deliver Account Theft Emails
Kaspersky warned that attackers are using Google AppSheet to send phishing messages from legitimate looking Google linked addresses. This makes the emails more convincing and harder for users to distrust, especially because they appear to come from a real platform rather than an obviously fake sender.
Source: Kaspersky

Security Highlights Of The Week [05/26-3]

PAN-OS Zero Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks confirmed active exploitation of CVE-2026-0300 in the PAN-OS Captive Portal. The flaw allows unauthenticated remote code execution with root privileges on exposed firewalls, making it one of the most urgent perimeter risks in this cycle.
Source: Palo Alto Networks

Cisco SD-WAN Authentication Bypass Is Being Exploited in the Wild
Cisco Talos reported ongoing exploitation of CVE-2026-20182 in Catalyst SD-WAN controllers. Successful abuse lets a remote attacker bypass authentication and obtain administrative privileges, and the flaw has already been added to CISA’s KEV catalog.
Source: Cisco Talos

Critical cPanel Flaw Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure. The activity targeted government, military, hosting, and managed service provider environments, showing rapid operationalization of the authentication bypass bug.
Source: The Hacker News

DigiCert Revokes Fraudulently Issued Certificates After Internal Portal Breach
DigiCert revoked certificates obtained after attackers compromised support systems and pivoted into an internal portal used in certificate workflows. The incident matters because it involved EV code signing certificates and directly affected trust in software signing and issuance processes.
Source: SecurityWeek

Copy Fail Linux Root Flaw Moves Into Real World Exploitation
CVE-2026-31431, known as Copy Fail, moved from disclosure to confirmed in the wild exploitation and was added to CISA’s KEV list. The bug affects major Linux distributions and can let a local attacker escalate privileges to root.
Source: SecurityWeek

NGINX CVE-2026-42945 Is Already Being Exploited
Attackers are targeting CVE-2026-42945, a heap buffer overflow in NGINX’s rewrite module, only days after public disclosure. The flaw can crash worker processes and, in certain configurations, may enable remote code execution on internet facing systems.
Source: The Hacker News

Mini Shai Hulud Hits More Than 320 npm Packages
A fresh Mini Shai Hulud supply chain campaign impacted more than 320 npm packages, along with GitHub Actions and a VS Code extension. The compromise propagated through trusted maintainer access and downstream dependencies, expanding the blast radius across developer and CI environments.
Source: SecurityWeek

GitHub Confirms Breach of 3,800 Repositories via Malicious VS Code Extension
GitHub said roughly 3,800 internal repositories were accessed after an employee device was compromised through a trojanized VS Code extension. The case highlights how developer tooling remains a direct path into high value internal code environments.
Source: BleepingComputer

OpenAI Confirms Internal Impact From the TanStack Supply Chain Attack
OpenAI disclosed that two employee devices were affected in the broader TanStack and Mini Shai Hulud campaign. The company said it found no evidence of impact to customer data, production systems, intellectual property, or deployed software, but still rotated certificates as a precaution.
Source: OpenAI

Checkmarx Jenkins AST Plugin Compromised in a Supply Chain Attack
Checkmarx warned that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace. Because the plugin is used directly inside build and scanning pipelines, the incident placed developer credentials and CI workflows at risk.
Source: SecurityWeek

DAEMON Tools Lite Supply Chain Attack Confirmed by Vendor
DAEMON Tools confirmed unauthorized interference in its build environment after compromised installers were distributed from the official site. Signed installation packages from a trusted vendor were turned into malware delivery mechanisms, making this a clear software supply chain incident.
Source: DAEMON Tools

JDownloader Website Hacked to Deliver Python RAT Installers
The official JDownloader site was compromised and redirected users to malicious Windows and Linux installers, with the Windows variant dropping a Python based RAT. The incident shows that software download portals remain highly attractive targets for attacker controlled replacement payloads.
Source: BleepingComputer

Instructure Reaches Agreement After Canvas Data Theft Incident
Instructure said it reached an agreement with the actor behind the Canvas breach in an attempt to prevent publication of stolen data. The incident remains important because of the scale of affected schools and universities and the sensitivity of the exposed education related information.
Source: The Hacker News

Drupal Critical SQL Injection Flaw Is Now Being Targeted in Attacks
Drupal warned that attackers are attempting to exploit CVE-2026-9082, a highly critical SQL injection issue affecting PostgreSQL backed sites. The project had already cautioned that exploitation could begin within hours or days, and those attack attempts have now materialized.
Source: BleepingComputer

Critical Ollama Bug Could Expose 300,000 Deployments to Secret Theft
Researchers warned that a critical unauthenticated flaw in Ollama could expose prompts, messages, API keys, tokens, and other sensitive heap data from roughly 300,000 deployments. Since Ollama is widely used as a self hosted AI inference engine, the issue has direct enterprise impact beyond test environments.
Source: SecurityWeek

Security Highlights Of The Week [05/26-2]

PAN-OS Zero-Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks says CVE-2026-0300 in the PAN-OS Captive Portal is being actively exploited and allows unauthenticated remote code execution with root privileges. Because it affects internet-facing firewalls, it is one of the most urgent issues in this week’s set.
Source: Palo Alto Networks

Cisco SD-WAN Authentication Bypass Is Under Active Exploitation
Cisco Talos reported ongoing exploitation of CVE-2026-20182 in Catalyst SD-WAN controllers, where attackers can bypass authentication and obtain administrative privileges. CISA has already added the flaw to KEV, which confirms real operational risk beyond theory.
Source: Cisco Talos

Critical cPanel Vulnerability Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure, with activity spanning government, military, hosting, and MSP environments. The flaw enables authentication bypass and elevated control of exposed control panels.
Source: The Hacker News

DigiCert Revokes Fraudulently Issued Certificates After Support Portal Hack
DigiCert revoked certificates obtained after attackers compromised support systems and pivoted into an internal portal used for certificate handling. The incident is especially important because it involved EV code signing certificates and trust in the certificate issuance process itself.
Source: SecurityWeek

Copy Fail Linux Root Bug Moves Into Real-World Exploitation
CVE-2026-31431, known as Copy Fail, has moved from public disclosure to confirmed in-the-wild exploitation and was added to CISA’s KEV catalog. The flaw affects major Linux distributions and allows local privilege escalation to root.
Source: SecurityWeek

DAEMON Tools Lite Supply Chain Attack Confirmed by Vendor
DAEMON Tools confirmed unauthorized interference in its infrastructure after trojanized installers were distributed from the legitimate site. This is a direct supply chain compromise because trusted, signed installer packages were turned into malware delivery vehicles.
Source: DAEMON Tools

Official SAP npm Packages Compromised in TeamPCP Supply Chain Campaign
Multiple official SAP CAP and Cloud MTA npm packages were compromised with malicious install-time behavior designed to steal credentials and abuse developer environments. Because these packages sit inside normal CI/CD workflows, the impact extends beyond a single workstation compromise.
Source: Socket

Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Checkmarx warned that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace as part of a supply chain attack. The issue matters because the plugin is designed to sit directly in security scanning and build pipelines.
Source: SecurityWeek

OpenAI Confirms Impact From the TanStack Supply Chain Attack
OpenAI said two employee devices were affected in the broader TanStack and Mini Shai Hulud campaign, prompting certificate rotation and repository credential response actions. The company said it found no evidence of impact to customer data, production systems, or deployed software.
Source: OpenAI

Instructure Reaches Agreement After Canvas Data Theft Incident
Instructure said it reached an agreement with the actor behind the Canvas breach in an effort to prevent publication of stolen data tied to thousands of schools and universities. The case remains significant because of the scale of affected education environments and the sensitivity of the exposed data.
Source: The Hacker News

JDownloader Site Hacked to Serve Python RAT Installers
The official JDownloader website was compromised and pointed users to malicious Windows and Linux installers, with the Windows payload deploying a Python based remote access trojan. It is another reminder that download portals remain a high-value target for supply chain abuse.
Source: BleepingComputer

Breeze Cache WordPress Plugin Is Under Active Exploitation
Attackers are actively exploiting a critical arbitrary file upload flaw in the Breeze Cache plugin for WordPress. With hundreds of thousands of active installations and remote code execution potential, the issue quickly moved from disclosure to broad attack traffic.
Source: Wordfence

Burst Statistics Flaw Could Let Attackers Fully Impersonate WordPress Admins
A critical authentication bypass in the Burst Statistics plugin can let unauthenticated attackers impersonate an administrator during REST API requests if they know a valid admin username. In a worst case scenario, that can be enough to create a new administrator account without prior access.
Source: Wordfence

Critical Ollama Bug Could Expose 300,000 AI Deployments to Secret Theft
Security researchers warned that a critical unauthenticated vulnerability in Ollama could expose prompts, messages, API keys, and other sensitive heap data from roughly 300,000 deployments. Since Ollama is widely used as a self-hosted inference engine, the finding has direct enterprise AI relevance.
Source: SecurityWeek

NGINX Rift Revives an 18-Year-Old Bug With Potential RCE Impact
Researchers disclosed memory corruption issues in NGINX, including a critical heap overflow in the rewrite module that can lead to denial of service and, in some configurations, remote code execution. The issue stands out because of NGINX’s internet-facing role and the age and reach of the vulnerable logic.
Source: depthfirst

How a Compromised User Account Becomes an Entry Point Into Your System

In most cases, an attack does not start with exploiting a system. It does not begin with complex tooling or advanced techniques. It starts with access. Most often through a user account that appears completely legitimate. The reason is simple. User accounts remain one of the easiest entry points. A reused password, a convincing phishing email, or a breach of a third party service can be enough. Once an attacker gains access to a user account, the first step does not look like an attack. The login happens through a standard channel. VPN, web application, cloud service. There are no obvious alerts. The activity looks like a normal user session.

At that point, the key question is not how the account was compromised, but what that account can access. In practice, this quickly becomes critical. Access to email can allow password resets for other accounts. Access to SharePoint or Drive exposes internal documents. VPN access provides entry into the internal network. Access to a ticketing system reveals how IT is structured and how issues are handled. This is not a vulnerability. It is normal business functionality. The issue begins when this access is used from an attacker’s perspective.

One of the common scenarios seen during testing starts with something simple. A user account has access to an internal document. That document contains server naming conventions, internal URLs, and references to services. From this, it becomes possible to understand how the environment is structured and identify key systems, including elements of the domain infrastructure. From there, testing becomes targeted. If naming conventions reveal patterns, systems that match those patterns are identified. If internal services are referenced, their exposure and configuration are tested. What started as a simple document becomes a way to move through the environment. Another frequent scenario involves file shares. A user has access to a directory that contains configuration files. One of those files includes a connection string or a reference to another system. At that point, it is no longer just a file. It becomes a path to further access. A third scenario, often the most impactful in practice, involves lateral movement inside the network. A compromised account with VPN access effectively places the attacker inside the internal environment. If segmentation is weak, additional systems can be reached without strong restrictions.

In these situations, it often becomes clear that a single user account has access to more systems than expected. Sometimes this includes services related to authentication or user management. Not because it was intentionally designed that way, but because access tends to accumulate over time and is rarely cleaned up. This is the point where a compromised account stops being just a user account and becomes an entry point into a much larger environment. It is important to note that in all of these scenarios nothing is “broken” in the traditional sense. Access exists, actions are legitimate, and the system behaves as designed. The issue is not that something was bypassed, but that too much is accessible.

In practice, this is exactly where AresISEC most often identifies real exposure. Not through a single critical vulnerability, but by connecting multiple smaller weaknesses that together form a practical attack path. One point that is often overlooked is that the password itself is rarely the problem. The real issue is what that password unlocks. If a single user account provides access to documents, configurations, and internal services without proper control, compromising that account becomes the starting point of a much larger issue. Security cannot be reduced to password strength or multi factor authentication alone. These are important controls, but they do not address structural exposure.

Real security begins with understanding how a system can be used in ways that were never intended.

Sources:
MITRE ATT&CK – Enterprise Matrix
Verizon – Data Breach Investigations Report

Do you know what a single user account can access in your environment, and how far that access really goes?

Security Highlights Of The Week [05/26-1]

PAN-OS Zero-Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks warned that CVE-2026-0300 in the PAN-OS Captive Portal is being actively exploited and allows unauthenticated remote code execution with root privileges. Because the bug affects internet exposed firewalls, it stands out as one of the highest priority issues of the week.
Source: Palo Alto Networks

cPanel Vulnerability Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure, targeting government, military, hosting, and managed service provider environments. The flaw enables authentication bypass and gives attackers elevated control over exposed control panels.
Source: The Hacker News

DigiCert Revokes Fraudulently Issued Certificates After Support Portal Hack
DigiCert revoked certificates that were obtained after attackers compromised systems through a malicious payload delivered to its support team and pivoted into an internal support portal. The incident is notable because it involved EV Code Signing certificates and exposed weaknesses in internal trust workflows.
Source: SecurityWeek

Copy Fail Linux Root Bug Moves From Disclosure to In-The-Wild Exploitation
CVE-2026-31431, also known as Copy Fail, has already been added to CISA’s KEV catalog after limited exploitation was observed. The flaw affects Linux systems across major distributions and can allow local attackers to escalate privileges to root.
Source: SecurityWeek

DAEMON Tools Supply Chain Attack Confirmed by Vendor
DAEMON Tools Lite confirmed unauthorized interference in its infrastructure after trojanized installers were distributed from the legitimate site. The case is a classic software supply chain compromise because signed installation packages from a trusted vendor were turned into malware delivery vehicles.
Source: DAEMON Tools

Official SAP npm Packages Compromised in TeamPCP Linked Supply Chain Attack
Multiple official SAP CAP and Cloud MTA npm packages were compromised with malicious code that downloaded and executed unverified binaries. Because these packages are used in real developer and CI/CD workflows, the incident creates direct risk to credentials, tokens, and build environments.
Source: Socket

AI Supply Chain Abuse Hits Hugging Face and OpenClaw Ecosystems
Acronis reported active abuse of AI platforms including Hugging Face and OpenClaw, identifying more than 575 malicious skills in the OpenClaw ecosystem. The campaign shows how attacker controlled tools inside AI ecosystems can push malware through trusted workflows rather than through classic phishing alone.
Source: Acronis

Trellix Confirms Source Code Repository Breach
Trellix disclosed unauthorized access to part of its source code repository and said it is still investigating the intrusion with forensic support. Although the company said it has not found evidence that release or distribution systems were affected, the breach is significant because it involves a major cybersecurity vendor.
Source: Trellix

Microsoft Details Large Scale Code of Conduct Phishing Campaign Leading to AiTM Token Theft
Microsoft described a broad phishing campaign using code of conduct themed lures, multi stage delivery, and legitimate email services to steal credentials and session tokens. The campaign targeted tens of thousands of users and shows how polished enterprise style phishing continues to evolve beyond basic credential harvesting.
Source: Microsoft Security Blog

Google AppSheet Abuse Linked to 30,000 Compromised Facebook Accounts
Researchers traced a phishing operation that used Google AppSheet to send authenticated messages and compromise more than 30,000 Facebook accounts. The campaign stands out because it abused trusted Google infrastructure to improve delivery and bypass many normal email trust checks.
Source: Guardio

Breeze Cache WordPress Plugin Is Under Active Exploitation
Attackers are actively exploiting a critical arbitrary file upload vulnerability in the Breeze Cache plugin for WordPress. With hundreds of thousands of active installations and remote code execution potential, this moved quickly from disclosure to widespread attack traffic.
Source: Wordfence

MetInfo CMS RCE Flaw Is Being Exploited in the Wild
Threat actors are exploiting CVE-2026-29014, a critical unauthenticated PHP code injection flaw in MetInfo CMS. The vulnerability enables remote code execution through crafted requests and has already attracted real world attacker activity.
Source: The Hacker News

Critical Ollama Bug Could Expose 300,000 AI Deployments to Secret Theft
A critical vulnerability in Ollama could let remote unauthenticated attackers extract prompts, messages, API keys, and other secrets from roughly 300,000 exposed deployments. Because Ollama is widely used as a self hosted inference engine, the issue directly affects real enterprise AI environments rather than a niche lab setup.
Source: SecurityWeek

Talos Exposes China Nexus APT UAT-8302 and Its Malware Arsenal
Cisco Talos disclosed UAT-8302 as a China nexus APT focused on obtaining and maintaining long term access to government and related entities. The group uses credential theft, open source tooling, and custom malware, and appears to share technical overlap with other sophisticated Chinese speaking threat clusters.
Source: Cisco Talos

Critical vm2 Sandbox Escape Bugs Enable Host Code Execution
Critical vulnerabilities in the vm2 Node.js sandbox library allow attackers to escape the sandbox and execute code on the host system. The issue is especially important because vm2 is commonly used to run untrusted JavaScript, which means the failure hits exactly the control boundary organizations expect it to enforce.
Source: GitHub Security Advisories

Security Highlights Of The Week [04/26-4]

Critical cPanel and WHM Auth Bypass Requires Emergency Manual Update
A critical cPanel and WHM flaw tracked as CVE-2026-41940 can allow attackers to access the control panel without authentication. The fix requires administrators to manually retrieve the patched build, which makes exposed hosting environments an immediate priority.
Source: BleepingComputer

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202
Microsoft revised its advisory to mark CVE-2026-32202 as actively exploited in the wild after originally shipping a patch for it earlier this month. The issue stems from an incomplete fix in a previous exploit chain and can coerce authentication and expose sensitive information through malicious LNK handling.
Source: The Hacker News

Official SAP CAP and Cloud MTA npm Packages Compromised in Supply Chain Attack
Multiple official SAP npm packages tied to CAP and Cloud MTA were compromised with a malicious preinstall routine that downloaded and executed Bun and an obfuscated payload. Because these packages sit in real developer and CI/CD workflows, the incident creates direct risk to tokens, credentials, and enterprise build pipelines.
Source: Socket

Quick Page Post Redirect WordPress Plugin Hid a Dormant Backdoor for Five Years
Researchers found that the Quick Page Post Redirect plugin had contained a hidden backdoor since 2021, affecting more than 70,000 WordPress sites. The code let the operator inject arbitrary content or code while staying invisible to logged in administrators, turning a trusted plugin into a long term supply chain compromise.
Source: BleepingComputer

Qinglong Task Scheduler RCE Flaws Are Being Exploited for Cryptomining
Attackers have been abusing authentication bypass flaws in Qinglong to obtain unauthenticated remote code execution and drop the .fullgc cryptominer on exposed servers. The case is notable because a popular developer tool with broad deployment moved from open access bug to real world abuse with limited visibility outside Chinese language communities.
Source: Snyk

Hugging Face LeRobot PolicyServer Exposed to Unauthenticated RCE
CVE-2026-25874 affects the LeRobot PolicyServer because it deserializes untrusted pickle data over gRPC. An unauthenticated attacker who reaches the service can execute arbitrary operating system commands on systems that may have GPU access, robotics connectivity, and privileged internal network reach.
Source: Resecurity

UAT-4356 Continues Targeting Cisco Firepower Devices With FIRESTARTER
Cisco Talos says UAT-4356 is still exploiting previously known flaws in Firepower FXOS devices and deploying the FIRESTARTER backdoor. The implant can run arbitrary shellcode inside the LINA process, showing again how perimeter appliances remain high value espionage footholds.
Source: Cisco Talos

China Nexus Actors Rely on Covert Networks of Compromised Edge Devices
CISA and partner agencies warned that China nexus actors are strategically using large covert networks made up of compromised routers and other edge devices. These networks support the full attack chain from reconnaissance to exfiltration and are designed to be low cost, deniable, and difficult to block with static indicators alone.
Source: CISA

GopherWhisper Uses Slack, Discord, and Outlook in China Aligned Espionage
ESET revealed a previously undocumented China aligned group called GopherWhisper that targeted a Mongolian government entity with a mostly Go based toolset. The group abused Slack, Discord, Outlook, and file sharing services for command and control and exfiltration, helping malicious traffic blend into legitimate cloud activity.
Source: ESET

Vercel Finds More Compromised Accounts in Context.ai Linked Breach
Vercel said its expanded review identified additional compromised customer accounts connected to the April incident. The company says the intrusion began with a compromise at Context.ai that let the attacker pivot through a Vercel employee account and access non sensitive environment variables.
Source: Vercel

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
The malicious @bitwarden/cli 2026.4.0 package carried credential theft and propagation behavior tied to the broader Checkmarx campaign. Even though the issue was limited to the npm CLI package, it put developer secrets, CI artifacts, and cloud credentials at risk during normal package installation.
Source: Socket

Device Code Phishing Surges With More Than 7 Million Attacks in Four Weeks
Barracuda says device code phishing has surged past 7 million attacks in four weeks, largely driven by the EvilTokens kit. The technique abuses legitimate OAuth device login flows, giving attackers persistent authorized access without relying on classic fake login pages alone.
Source: Barracuda

BlackFile Linked to Retail and Hospitality Vishing Extortion
BlackFile has been tied to data theft and extortion attacks that begin with phone calls from attackers posing as internal IT staff. The campaigns target retail and hospitality organizations, steal credentials and one time passcodes, and then escalate into seven figure extortion demands.
Source: BleepingComputer

Coinbase Cartel Builds a 100 Plus Company Extortion Campaign on Stolen Infostealer Credentials
Hudson Rock says the Coinbase Cartel has claimed more than 100 victims while relying on old infostealer credentials rather than novel exploits or custom ransomware. The group focuses on cloud environments, FTP systems, and file transfer services, using pure data theft and extortion instead of encryption.
Source: InfoStealers

GlassWorm Activates 73 Open VSX Sleeper Extensions
Socket says the GlassWorm campaign expanded with 73 impersonation extensions on Open VSX, several of which were later activated into malware delivery vehicles. The pattern matters because the extensions can look benign at first, gain trust, and then weaponize the normal update path or transitive extension relationships.
Source: Socket

Security Highlights Of The Week [04/26-3]

Vercel Finds More Compromised Accounts in Context.ai Linked Breach
Vercel said its investigation uncovered an additional set of affected customer accounts after expanding the indicators of compromise and reviewing environment variable access logs. The incident stemmed from a compromise tied to Context.ai and shows how third party identity and OAuth exposure can ripple into a cloud platform environment.
Source: Vercel

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
A malicious npm package was briefly distributed as @bitwarden/cli version 2026.4.0, carrying credential theft logic and CI pipeline propagation behavior. Bitwarden said the impact was limited to the compromised CLI release window and that there is no evidence end user vault data or production systems were affected.
Source: JFrog

China Nexus Covert Networks Built From Compromised Edge Devices
CISA and NCSC warned that China nexus actors are increasingly using botnet style covert networks made up of compromised routers and edge devices for reconnaissance, delivery, command and control, and exfiltration. The advisory highlights a low cost and deniable infrastructure model that can be reshaped quickly, reducing the value of static blocking alone.
Source: CISA

UAT 4356 Continues Targeting Cisco Firepower Devices With FIRESTARTER
Cisco Talos reported continued activity against Firepower devices running FXOS, where UAT 4356 exploits n day flaws and deploys the FIRESTARTER backdoor. The malware gives the actor remote access inside a core device process, which makes perimeter appliances a direct espionage and persistence target.
Source: Cisco Talos

Breeze Cache WordPress Plugin Actively Exploited for Arbitrary File Upload
Attackers are actively exploiting a critical Breeze Cache flaw that allows unauthenticated file uploads and can lead to remote code execution on vulnerable WordPress sites. The issue requires a specific plugin setting to be enabled, but the shift from disclosure to real world attacks makes exposed sites an immediate patching priority.
Source: BleepingComputer

Marimo RCE Added to KEV as Exploitation Continues
CISA added CVE-2026-39987 in marimo to the Known Exploited Vulnerabilities catalog after attackers moved from disclosure to exploitation within hours. The flaw enables pre authentication remote code execution on exposed notebook instances and has already been used in follow on malware activity.
Source: CISA

BRIDGE:BREAK Flaws Expose Serial to IP Converters in OT and Healthcare
Researchers disclosed 22 vulnerabilities in Lantronix and Silex serial to IP converters and identified thousands of exposed devices online. Because these bridge devices often sit between older serial systems and modern networks, compromise can enable data tampering, lateral movement, and disruption in OT and healthcare environments.
Source: Forescout

Void Dokkaebi Turns Fake Job Interviews Into Developer Supply Chain Attacks
Trend Micro said the North Korea aligned group Void Dokkaebi continues using fake recruitment workflows to lure developers into running malicious code repositories. The important development is that a single compromised developer machine can become a launch point for poisoning internal repositories and downstream software contributions.
Source: Trend Micro

GopherWhisper Abuses Slack Discord and Outlook in Attacks on Mongolia
ESET disclosed a previously undocumented China aligned group named GopherWhisper targeting Mongolian government institutions. The actors use a Go based toolset and legitimate cloud services such as Slack, Discord, Outlook, and file.io for command and control and exfiltration, which helps blend malicious traffic into normal workflows.
Source: ESET

Device Code Phishing Reaches 7 Million Attacks in Four Weeks
Barracuda said it observed more than 7 million device code phishing attacks in just four weeks, reflecting rapid growth in OAuth based account takeover activity. The technique abuses legitimate device login flows to obtain persistent authorized access without needing to steal and replay a password in the usual way.
Source: Barracuda

Critical Protobuf.js Flaw Enables JavaScript Code Execution
Proof of concept exploit code is now public for a critical protobuf.js issue that can lead to JavaScript code execution through unsafe dynamic code generation. The library is heavily used across Node.js applications and cloud environments, which makes the blast radius much larger than a niche package bug.
Source: BleepingComputer

SGLang Critical RCE Lets Malicious GGUF Models Run Code
A critical vulnerability tracked as CVE-2026-5760 can let attackers achieve remote code execution on SGLang systems by feeding crafted GGUF model files through exposed functionality. The bug matters because SGLang is a popular serving layer for LLM and multimodal workloads, putting AI infrastructure directly at risk.
Source: The Hacker News

Lotus Wiper Targets the Energy and Utilities Sector in Venezuela
Kaspersky described a destructive campaign using a previously unknown wiper called Lotus Wiper against the energy and utilities sector in Venezuela. The attack chain includes scripts that prepare the environment, weaken defenses, and coordinate the final destructive stage across the network.
Source: Kaspersky

ZionSiphon Malware Shows OT Focus on Israeli Water Systems
Darktrace analyzed ZionSiphon, an OT focused malware set built to target Israeli water treatment and desalination environments. Its mix of persistence, USB propagation, ICS scanning, and sabotage logic tied to chlorine and pressure controls makes it notable beyond typical IT malware reporting.
Source: Darktrace

Telecom Surveillance Actors Exploit Mobile Signalling Infrastructure
Citizen Lab uncovered two telecom surveillance campaigns and linked attack traffic to real mobile operator signalling infrastructure. The report shows how suspected commercial surveillance vendors can exploit telecom interconnect systems for covert location tracking that may persist for years without clear visibility from defenders or users.
Source: Citizen Lab

Security Highlights Of The Week [04/26-2]

Adobe Patches Reader Zero Day Exploited for Months
Adobe released emergency updates for CVE-2026-34621 after confirming exploitation in the wild for several months. The flaw can lead to arbitrary code execution when a victim opens a malicious PDF and affects Acrobat and Reader on Windows and macOS.
Source: SecurityWeek

Microsoft Patches SharePoint Zero Day and 168 Other New Vulnerabilities
Microsoft’s April Patch Tuesday fixed 169 vulnerabilities, including the actively exploited SharePoint flaw CVE-2026-32201. Its KEV inclusion makes it a high priority issue despite the lower severity score compared with many other Patch Tuesday entries.
Source: The Hacker News

Cisco Patches Critical ISE and Webex Flaws Requiring Immediate Action
Cisco fixed critical vulnerabilities in Identity Services Engine and Webex Services that could enable code execution or unauthenticated user impersonation. For the Webex issue, customers need to take additional remediation steps and not rely only on Cisco’s backend update.
Source: SecurityWeek

Smart Slider 3 Pro Backdoor Distributed Through Official Update Channel
Attackers compromised Nextend’s update infrastructure and pushed a trojanized Smart Slider 3 Pro build to WordPress and Joomla sites. The malicious release added backdoors, hidden administrator access, and persistence, turning a routine update into a supply chain incident.
Source: Patchstack

CPUID Site Served Malware Through CPU Z and HWMonitor Downloads
Attackers abused CPUID’s download infrastructure to redirect CPU Z and HWMonitor users to trojanized files. Because the payload was delivered from the official site, the incident shows how trusted software portals remain a high value supply chain target.
Source: BleepingComputer

Iran Linked Actors Target Internet Exposed Rockwell and Allen Bradley PLCs
A joint US advisory said Iranian affiliated actors are exploiting internet facing operational technology, especially Rockwell Automation and Allen Bradley PLCs. The activity has been tied to disruption and manipulation of industrial control environments, not just reconnaissance.
Source: CISA

Marimo Pre Auth RCE Moved from Disclosure to Exploitation Within Hours
CVE-2026-39987 in marimo was exploited within hours of public disclosure and later used to deploy NKAbuse malware from Hugging Face infrastructure. The bug gives unauthenticated remote code execution through exposed notebook instances.
Source: Sysdig

Fortinet FortiClient EMS Zero Day Added to KEV After Active Exploitation
Fortinet rushed fixes for CVE-2026-35616 after exploitation was observed in the wild. The flaw affects FortiClient EMS and can lead to remote code execution without authentication, making exposed management servers an immediate risk.
Source: SecurityWeek

AI Enabled Device Code Phishing Pushes OAuth Abuse at Scale
Microsoft observed an automated device code phishing campaign that uses dynamic code generation and workflow automation to improve success rates and extend abuse of the OAuth device flow. The campaign shows how attackers are turning a previously narrower technique into repeatable account takeover at scale.
Source: Microsoft Security Blog

Attackers Hunt High Impact Node.js Maintainers After Axios Compromise
Research following the Axios incident points to a broader campaign targeting trusted Node.js and npm maintainers through tailored social engineering. The risk extends beyond one package because a compromised maintainer account can push malicious code into widely used dependencies and developer pipelines.
Source: Socket

Author: AresISEC Security Team