Vendors
-
Chrome to adopt Merkle Tree Certificates in phased move toward quantum resistance
Google said Chrome will develop Merkle Tree Certificates to make HTTPS resilient to future quantum threats and plans a phased rollout through Q3 2027, beginning with a feasibility study with Cloudflare.
-
ClawJacked flaw let malicious websites brute force local OpenClaw instances
A high-severity OpenClaw vulnerability called ClawJacked let malicious websites brute-force local management passwords at hundreds of guesses per second. OpenClaw issued a fix in version 2026.2.26 on February 26 to block the attack.
-
Critical Junos flaw allows unauthenticated root takeover of PTX routers
A Junos OS Evolved flaw in PTX Series routers could allow unauthenticated remote code execution as root. Juniper issued patches, and operators are advised to apply fixes or restrict access and consider disabling the vulnerable service.
-
UFP Technologies discloses data stolen in February cyber incident
UFP Technologies detected suspicious activity on February 14 that resulted in data theft from its IT systems. The firm removed the threat, restored access and does not expect a material operational or financial impact.
-
Zyxel issues patches for critical UPnP command injection affecting dozens of routers
Zyxel released updates for a critical UPnP command injection, CVE-2025-13942, that can allow unauthenticated remote command execution on many routers. Exploitation requires UPnP and WAN access to be enabled, and patches are available.
-
CISA adds FileZen OS command injection CVE-2026-25108 to Known Exploited Vulnerabilities
CISA added FileZen CVE-2026-25108 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The OS command injection affects specified versions and requires updating to 5.0.11 or later before March 17, 2026.
-
PayPal says loan app error exposed customers’ Social Security numbers for months
A software error in PayPal’s Working Capital loan app exposed personal data including Social Security numbers from July to December 2025. The company rolled back the code change, reset passwords and is offering credit monitoring to affected users.
-
Advantest hit by ransomware that may have exposed customer or employee data
A Tokyo-based test equipment company detected a ransomware intrusion on February 15 that may have exposed customer or employee data. The firm isolated affected systems and engaged third-party cyber specialists while an investigation continues.
-
Three former Google engineers indicted over alleged trade secret theft, files reportedly sent to Iran
Three San Jose residents, including two former Google engineers, were indicted on charges of stealing trade secrets related to processor security and cryptography and transferring files to unauthorized locations including Iran, the Justice Department said.







