Research
-
Multi-stage AitM phishing and BEC campaign abused SharePoint to target energy organisations
Microsoft flagged a multi-stage AitM phishing and BEC campaign using SharePoint links and inbox rules to persist. One observed case sent over 600 phishing messages. Mitigation requires revoking session cookies and deleting attacker-created rules.
-
Critical GNU InetUtils telnetd flaw allows remote root login
A critical flaw, CVE-2026-24061, in GNU InetUtils telnetd allows remote authentication bypass and potential root login on versions 1.9.3 through 2.7. It is rated 9.8 CVSS. Administrators are urged to patch or disable telnetd.
-
SmarterMail authentication bypass exploited days after patch enables admin reset and RCE
An authentication bypass in SmarterMail that allows resetting administrator passwords and enabling system-level command execution was exploited two days after a vendor patch. A watchTowr Labs technical analysis describes the vulnerability and exploitation timeline.
-
NIST enters 2026 with staff cuts, tighter budget and cryptography validation backlog
NIST begins 2026 with over 700 positions shed, a smaller labs budget and a cryptographic module validation backlog that averaged 348 days in recent projects, even as the agency tests post-quantum modules and seeks automation.
-
Two high severity flaws in Chainlit allow file theft and SSRF in cloud deployments
Two high severity Chainlit vulnerabilities allow arbitrary file reads and SSRF that can expose secrets and internal services. Patches were released in Chainlit 2.9.4 on December 24, 2025. Upgrades are recommended.
-
Android click-fraud trojans use TensorFlow.js to tap hidden browser ads
Android click-fraud trojans using TensorFlow.js analyze hidden WebView screenshots to tap ads. Infected apps were distributed through Xiaomi GetApps and third-party APK sites, causing battery drain and increased mobile data charges.
-
Report: North Korean-linked PurpleBravo targeted 3,136 IPs and 20 companies
Recorded Future’s technical analysis found PurpleBravo targeted 3,136 IPs and claimed 20 potential victim companies across multiple regions from August 2024 to September 2025, using infostealers and backdoors to create supply-chain risk.
-
Researchers Hack Tesla Infotainment at Pwn2Own Automotive 2026, 37 Zero‑Days Exploited on Day One
Researchers exploited 37 zero-days at Pwn2Own Automotive 2026 in Tokyo to hack Tesla’s Infotainment System and other systems, earning $516,500 on day one. Vendors have 90 days to issue fixes.
-
ChainLeak flaws in Chainlit framework risk API key exposure and SSRF
High-severity ChainLeak vulnerabilities in the Chainlit AI framework can leak cloud API keys and enable SSRF. Two CVEs were disclosed in November 2025 and patches were issued in version 2.9.4 on December 24, 2025.
-
Critical ACF Extended bug lets attackers gain admin on about 50,000 WordPress sites
A flaw in ACF Extended allows unauthenticated attackers to gain administrator privileges. The bug, CVE-2025-14533, affects versions 0.9.2.1 and earlier. About 50,000 sites may still be exposed. Update to 0.9.2.2.








