Security Highlights Of The Week [04/26-1]

Adobe Reader Zero-Day Exploited for Months Through Malicious PDF Files
Researchers say a malicious PDF has been exploiting an Adobe Reader zero-day in the wild since at least December, including against fully patched installations. The document appears to fingerprint the environment, abuse privileged Acrobat APIs to steal local data, and potentially stage follow-on remote code execution or sandbox escape activity.
Source: BleepingComputer

Smart Slider 3 Pro Compromised Through the Official Update Channel
Attackers compromised Nextend’s update infrastructure and pushed a trojanized Smart Slider 3 Pro release through the official channel for WordPress and Joomla sites. Any site that updated to version 3.5.1.35 should be treated as potentially compromised because the malicious build installed multiple backdoors rather than merely exposing a software flaw.
Source: Patchstack

Fortinet Rushes Fixes for an Exploited FortiClient EMS Zero-Day
Fortinet released emergency fixes for CVE-2026-35616 in FortiClient EMS after confirming in-the-wild exploitation. The bug is a critical unauthenticated access control issue that can lead to remote code execution through crafted requests.
Source: SecurityWeek

Iranian Actors Target Rockwell and Allen-Bradley PLCs
US agencies warned that Iranian-affiliated actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley PLCs in critical infrastructure. The activity includes unauthorized access to engineering projects and manipulation of HMI or SCADA data, with the advisory linking the intrusions to operational disruption and financial loss.
Source: Censys

Google Warns of UNC6783 Targeting BPOs for Downstream Data Theft
Google says UNC6783 is targeting business process outsourcing providers and help desks that support high-value enterprises, then using that foothold to steal data from downstream customers. The campaign relies on social engineering and phishing, including theft of support tickets and identity-related data that can support extortion or follow-on access.
Source: SecurityWeek

Attackers Expand Social Engineering Campaign Against Node.js Maintainers
Socket reported that the social engineering operation behind the Axios compromise is also targeting other high-impact Node.js and npm maintainers. The concern is not a single package incident but a scalable playbook aimed at high-trust maintainers whose accounts can push malicious code into widely used dependencies.
Source: Socket

React2Shell Exploited for Large-Scale Credential Harvesting in Next.js Apps
Talos described UAT-10608 as a large-scale automated credential harvesting operation exploiting React2Shell in vulnerable Next.js applications. After initial access, the actors harvest credentials, SSH keys, cloud tokens, and environment secrets, turning each compromise into a map of the victim’s broader infrastructure.
Source: Cisco Talos

Device Code Phishing Surges as New Kits Spread Online
Device code phishing has surged as attackers abuse the OAuth device authorization flow to trick users into authorizing attacker-controlled sessions on legitimate login pages. New kits have pushed the technique toward mainstream criminal use because stolen tokens can bypass normal password capture flows and extend account access beyond the initial phishing event.
Source: BleepingComputer
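Because the device authorization flow is approved on a legitimate login page, the phishing pattern shows up in identity sign-in logs rather than on the endpoint: a user's device code is approved from a network the user has never signed in from, or for an application that has no business using the device flow. The following detection sketch is an added example, not code from the BleepingComputer report; the sign-in records are constructed and the field names (`protocol`, `asn`, `app`) are assumptions, not any identity provider's real log schema.

```python
"""Flag OAuth device-code sign-ins that fit the device code phishing pattern.

Heuristics (defender-side):
  1. the device code was approved from an ASN the user has never used in a
     non-device-code sign-in (no baseline match), and/or
  2. the application is not one that legitimately uses the device flow.
"""
import json
from collections import defaultdict

# Constructed sample sign-in records as JSON lines; field names are assumed.
SAMPLE_SIGNINS = """\
{"id": "e1", "user": "alice", "protocol": "interactive", "ip": "203.0.113.10", "asn": "AS64496", "app": "Mail"}
{"id": "e2", "user": "alice", "protocol": "interactive", "ip": "203.0.113.11", "asn": "AS64496", "app": "Mail"}
{"id": "e3", "user": "alice", "protocol": "deviceCode", "ip": "198.51.100.7", "asn": "AS64500", "app": "Mail"}
{"id": "e4", "user": "bob", "protocol": "interactive", "ip": "192.0.2.5", "asn": "AS64497", "app": "Mail"}
{"id": "e5", "user": "bob", "protocol": "deviceCode", "ip": "192.0.2.5", "asn": "AS64497", "app": "CLI Tool"}
{"id": "e6", "user": "carol", "protocol": "deviceCode", "ip": "198.51.100.9", "asn": "AS64500", "app": "Mail"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def build_baselines(events):
    """Map each user to the set of ASNs seen in their non-device-code sign-ins."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["protocol"] != "deviceCode":
            baseline[ev["user"]].add(ev["asn"])
    return baseline


def find_suspicious_device_code_signins(events, device_code_apps=frozenset({"CLI Tool"})):
    """Return findings for device-code sign-ins that break the user's baseline
    or involve an app not expected to use the device flow.

    device_code_apps is the allow-list of apps that legitimately use the flow
    (a hypothetical list for this example)."""
    baseline = build_baselines(events)
    findings = []
    for ev in events:
        if ev["protocol"] != "deviceCode":
            continue
        reasons = []
        # A user with no prior non-device-code sign-ins has an empty baseline,
        # so any ASN fails this check, which is the conservative outcome.
        if ev["asn"] not in baseline[ev["user"]]:
            reasons.append("approved from ASN not in user's baseline")
        if ev["app"] not in device_code_apps:
            reasons.append("app not expected to use device code flow")
        if reasons:
            findings.append({"id": ev["id"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(finding["id"], finding["user"], "; ".join(finding["reasons"]))
```

In the constructed data, `e3` (alice approving a code from an ASN she has never used, for a mail app) and `e6` (carol, no baseline at all) are flagged, while `e5` (bob, same ASN as his normal sign-ins, for a CLI tool that is on the allow-list) is not. On a real tenant the baseline should be built from a longer history than the same batch of events, and the stronger control is preventive: restrict or block the device code flow for users and apps that do not need it, so the approval step the phishing kit depends on never succeeds.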

Apache ActiveMQ Patches a 13-Year-Old Remote Code Execution Flaw
Apache ActiveMQ Classic patched CVE-2026-34197, an RCE issue in the Jolokia bridge that had been lurking for 13 years. In some versions it can become effectively unauthenticated when combined with a separate exposure flaw, turning a management feature into an internet-facing execution path.
Source: Horizon3.ai

Storm-1175 Compresses the Window for Medusa Ransomware Attacks
Microsoft says Storm-1175 is exploiting newly disclosed web-facing vulnerabilities at high speed to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on the short patch gap means exposed edge systems can move from N-day exposure to exfiltration and encryption before normal response cycles catch up.
Source: Microsoft Security Blog