Security Articles

Stay ahead of emerging threats with expert analysis from 118 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. Opening the week of May 18 – May 24, 2026 (Tuesday outlook): the new week kicks off with back-to-back CRITICAL advisories — NGINX rewrite-module flaw CVE-2026-42945 hit active exploitation within days of disclosure on Monday, an 18-year-old bug now sitting on every NGINX-fronted application stack, and Cisco Catalyst SD-WAN CVE-2026-20182 landed Sunday at CVSS 10.0 under active exploitation by UAT-8616 with no workaround. Carrying forward from last week, Microsoft Exchange XSS CVE-2026-42897 remains under active attack with CISA listing in the Known Exploited Vulnerabilities catalog, May 2026 Patch Tuesday's unauthenticated Netlogon and DNS RCE pair stays the priority server-side patch at CVSS 9.8, and Ivanti EPMM CVE-2026-6973 still triggers the 3-day federal deadline for any organization running on-prem mobile device management. If your business depends on an NGINX-fronted application, a Cisco SD-WAN fabric, on-premises Exchange, or Ivanti EPMM, this week's advisories require action today — start with the article-level remediation steps below.

All Articles Advisory Cyber Attack Data Breach Exploit Malware Threat Actor Vulnerability

Severity: All Critical High Medium Low

120 articles found

critical

Feb 14, 2026

criticalThreat IntelCyber Attack

The Chrome Extension Problem Just Got a Lot Worse

Multiple coordinated campaigns have compromised millions of Chrome users through fake AI assistants, social media tools, and utility extensions. The AiFrame campaign alone infected 300,000 users with fake ChatGPT and Gemini extensions that steal emails and credentials, while 287 extensions with 37 million installs were found exfiltrating browsing history to data brokers.

By Danny MercerRead Full Article

high

Threat IntelData Breach•Feb 13, 2026

First Malicious Outlook Add-In Ever Detected in the Wild Steals 4,000+ Credentials

Security researchers at Koi Security discovered the first known malicious Microsoft Outlook add-in, dubbed AgreeToSteal. Attackers hijacked an abandoned legitimate calendar tool by claiming its orphaned Vercel URL, turning Microsoft's own infrastructure into a phishing delivery mechanism that harvested over 4,000 Microsoft account credentials.

CVE-2026-20700

critical

CVSS 8.8

CVE AdvisoryVulnerabilityCVE-2026-20700 CVSS 8.8 •Feb 12, 2026

Apple's First Zero-Day of 2026: Inside the Three-Stage Exploit Chain Targeting High-Value Individuals

Apple patches CVE-2026-20700, a memory corruption flaw in dyld exploited in sophisticated attacks. The vulnerability completes a three-stage exploit chain with two December 2025 bugs (CVE-2025-14174, CVE-2025-43529) discovered by Google TAG, likely used in mercenary spyware operations.

CVE-2026-21510

critical

CVSS 8.8

CVE AdvisoryVulnerabilityCVE-2026-21510 CVSS 8.8 •Feb 11, 2026

Microsoft's February Patch Tuesday Drops a Bombshell: Six Zero-Days Under Active Attack

Microsoft's February 2026 Patch Tuesday fixes 59 vulnerabilities including six actively exploited zero-days. CISA has added all six to KEV with March 3rd deadline. Critical bugs in Windows Shell, MSHTML, Word, and privilege escalation in Desktop Window Manager and Remote Desktop.

high

Threat IntelRansomwareWarlock (Storm-2603) •Feb 10, 2026

When the Shoemaker Goes Barefoot: Warlock Ransomware Hits SmarterTools Via Their Own Unpatched SmarterMail

SmarterTools confirms the Warlock ransomware gang breached their network through a forgotten, unpatched SmarterMail server. The attackers exploited known vulnerabilities (CVE-2026-23760, CVE-2026-24423) to gain access, then moved laterally before deploying ransomware.

high

Threat IntelApt CampaignTGR-STA-1030 Asia (suspected China) •Feb 10, 2026

Shadow Campaigns: The Asian Espionage Group That Hacked 70 Governments While Nobody Was Looking

TGR-STA-1030, a state-backed Asian threat group, breached 70+ government and critical infrastructure organizations across 37 countries since January 2024. They exfiltrated financial negotiations, military updates, and banking info using Cobalt Strike, web shells, and eBPF rootkits.

CVE-2025-1974

critical

CVSS 9.8

CVE AdvisoryVulnerabilityCVE-2025-1974 CVSS 9.8 •Feb 8, 2026

Ingress-NGINX Remote Code Execution: Your Kubernetes Cluster's Front Door Is Wide Open

Critical vulnerabilities in Kubernetes Ingress-NGINX (CVE-2025-1974 and related) allow unauthenticated attackers with pod network access to achieve RCE via file descriptor injection. Default installations expose all cluster Secrets. Public exploit available.

high

Threat IntelCyber AttackAISURU/Kimwolf China •Feb 7, 2026

31.4 Tbps—The Biggest DDoS Attack Ever Just Happened, and Your Android TV Might Be to Blame

Cloudflare mitigated a record-breaking 31.4 Tbps DDoS attack from the AISURU/Kimwolf botnet, powered by 2 million compromised Android devices. DDoS attacks surged 121% in 2025 with 47.1 million incidents. The botnet spread via trojanized Android apps and fake Windows binaries.

CVE-2026-25049

critical

CVSS 9.4

CVE AdvisoryVulnerabilityCVE-2026-25049 CVSS 9.4 •Feb 5, 2026

n8n Sandbox Escape: A Critical Reminder That Patches Need Patches

CVE-2026-25049 (CVSS 9.4) bypasses the fix for CVE-2025-68613 using JavaScript destructuring tricks. Authenticated users can escape n8n expression sandbox and achieve RCE via webhook-triggered workflows. Four additional CVEs disclosed alongside.

CVE-2025-25257

critical

CVSS 9.8

CVE AdvisoryVulnerabilityCVE-2025-25257 CVSS 9.8 •Feb 4, 2026

FortiWeb's Pre-Auth SQL Injection Is Being Exploited Right Now

CVE-2025-25257 is a pre-authentication SQL injection in FortiWeb Fabric Connector that enables remote code execution. Actively exploited in the wild with public PoC available. Affects FortiWeb 7.0.x through 7.6.x. CISA KEV listed.

high

CVSS 7.5

CVE AdvisoryVulnerabilityCVSS 7.5 •Feb 4, 2026

When Your AI Assistant Turns Against You: The Docker Ask Gordon Vulnerability

Researchers discovered DockerDash, a critical vulnerability in Docker Ask Gordon AI feature that lets attackers execute code by hiding malicious instructions in image metadata. The attack exploits blind trust between the AI assistant and MCP Gateway. Patched in Docker Desktop 4.50.0.

high

Threat IntelData Breach•Feb 3, 2026

Your Inbox Is a Goldmine: How Email Stealers Are Quietly Looting Corporate Secrets

Email-stealing malware has become a cornerstone of modern espionage and cybercrime. Here's how these tools work, why attackers love them, and what you can do about it.

CVE-2026-21509

high

CVSS 7.8

CVE AdvisoryVulnerabilityCVE-2026-21509 CVSS 7.8 •Feb 3, 2026

APT28 Weaponized That Office Zero-Day in Three Days Flat

Russia's APT28 began exploiting Microsoft Office CVE-2026-21509 just 72 hours after disclosure, targeting Ukraine, Slovakia, and Romania with email-stealing malware and Covenant implants.

informational

CVE AdvisoryVulnerability•Feb 2, 2026

Microsoft Finally Pulls the Plug on NTLM — And It's About Time

Microsoft announces three-phase plan to disable NTLM by default in Windows, pushing enterprises toward Kerberos authentication after decades of security issues.

critical

Threat IntelNation StateGTG-1002 China •Feb 1, 2026

When AI Became the Hacker: Inside the First Autonomous Cyber Espionage Campaign

A Chinese state-sponsored group turned Anthropic's Claude into the hacker itself, building a framework that allowed the AI to independently infiltrate networks, harvest credentials, and steal data. This was the first documented case of AI doing the hacking, not just assisting it.

critical

Threat IntelGeneral•Jan 31, 2026

Weekly Recap: Google Disrupts IPIDEA, Kimwolf Botnet Spreads, React2Shell Exploited, Microsoft Patches 114 Flaws & More

This week's cybersecurity developments demonstrate how quickly attackers are co-opting existing infrastructure. From Google's disruption of the IPIDEA residential proxy network to Microsoft's 114-flaw Patch Tuesday, the patterns show attackers prioritizing persistence over speed.

CVE-2026-24858

critical

CVSS 9.8

CVE AdvisoryVulnerabilityCVE-2026-24858 CVSS 9.8 •Jan 30, 2026

CRITICAL: Fortinet FortiCloud SSO Authentication Bypass - Actively Exploited

A critical authentication bypass vulnerability (CVSS 9.8) in Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb allows attackers with a FortiCloud account to access devices registered to other accounts when FortiCloud SSO is enabled. This vulnerability is actively being exploited in the wild.

CVE-2026-21509

high

CVSS 7.8

CVE AdvisoryVulnerabilityCVE-2026-21509 CVSS 7.8 •Jan 28, 2026

HIGH: Microsoft Office OLE Security Feature Bypass Zero-Day - Actively Exploited

A high-severity Microsoft Office zero-day (CVE-2026-21509) is being actively exploited to bypass security controls designed to block risky COM and OLE content. Successful exploitation requires a user to open a malicious Office document, enabling follow-on payload execution and intrusion activity. Apply Microsoft's out-of-band update immediately or deploy the recommended registry-based mitigation if patching is delayed.

medium

Threat IntelCyber Attack•Jan 15, 2026

CVE-2026-20805: The Windows Zero-Day That Makes Exploitation Reliable

CVE-2026-20805 is an information disclosure vulnerability in the Windows Desktop Window Manager that allows attackers to defeat ASLR protections. Despite its medium CVSS score of 5.5, the flaw is actively being exploited as a critical enabler for exploit chains.

CVE-2025-55182

high

CVSS 8.2

CVE AdvisoryVulnerabilityCVE-2025-55182 CVSS 8.2 •Dec 15, 2025

HIGH: React2Shell and React Server Components Security Risks - Exploitation Paths Emerging

React2Shell refers to a newly disclosed set of exploitation paths affecting React Server Components and modern server-side rendering workflows. In vulnerable implementations, attackers may escalate from user-driven application behavior into sensitive server-side execution, data access, or compromise of backend services. Organizations using RSC or SSR patterns should audit server-executed components, reduce dynamic execution paths, and apply strict validation and least-privilege controls.

Is Your Mobile App Secure?

Our CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.

Learn About Mobile Pen Testing MSP Partner Program

PreviousPage 6 of 6

Stay Informed

Subscribe to our newsletter and get the latest security insights delivered to your inbox.