Week in review

AUSCERT Week in Review for 5th June 2026

Greetings,

Microsoft has moved to address a significant identity security issue in its Entra ID platform, patching a flaw that could have enabled widespread privilege escalation and service account takeover across enterprise environments. The vulnerability, identified by researchers at Silverfort, centred on the “Agent ID Administrator” role. This feature was introduced to manage the lifecycle of AI agent identities within Entra ID. While the role was designed with a limited scope, researchers discovered it could be abused to take ownership of arbitrary service principals, including those unrelated to AI agents. By assigning themselves ownership and adding new credentials, attackers could effectively impersonate these service accounts and inherit their permissions, a scenario described as “full service principal takeover.”

The risks associated with this flaw are substantial. Service principals often underpin critical enterprise functions such as automation workflows, API integrations, and cloud infrastructure operations. If compromised, particularly when linked to highly privileged roles or Microsoft Graph permissions, attackers could gain broad access to sensitive systems, escalate privileges further, and potentially take control of entire tenant environments.

The root cause of the issue lies in a failure to properly enforce scope boundaries. Because AI agent identities are built on the same underlying architecture as standard service principals, the role’s permissions extended beyond their intended domain. This highlights a growing challenge in identity security, where new features layered on existing systems can inadvertently introduce unexpected access paths. Microsoft responded by deploying a fix across cloud environments on April 9, 2026, blocking the ability of the Agent ID Administrator role to modify non-agent service principals. The incident serves as a timely reminder that robust role scoping, continuous monitoring, and strict governance of non-human identities are essential as organisations adopt increasingly complex, AI-driven identity ecosystems.

Critical Windows Netlogon RCE flaw now exploited in attacks
Date: 2026-06-01 Author: Bleeping Computer
[See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ASB-2026.0110]
The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks. Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks. Microsoft patched this vulnerability (CVE-2026-41089) during the May 2026 Patch Tuesday, describing it as a stack-based buffer overflow in Windows Netlogon that allows attackers without privileges to gain remote code execution on targeted domain controllers.

Critical Kirki flaw exploited to hijack WordPress admin accounts
Date: 2026-06-02 Author: Bleeping Computer
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. The attacks were detected by WordPress security firm Defiant, whose Wordfence firewall blocked over 222 attempts against its customers in the past 24 hours. The full name of the plugin is Kirki – Freeform Page Builder, Website Builder & Customizer. It is a freeform visual builder and advanced theme customizer active on more than 500,000 websites.

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Date: 2026-05-30 Author: Bleeping Computer
[See updated AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2026.5111.2]
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device. "GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory.

Exploit Code Published for Critical Flowise RCE Vulnerability
Date: 2026-05-30 Author: Security Week
Obsidian Security has released technical information and proof-of-concept (PoC) code targeting a remote code execution (RCE) vulnerability in Flowise. The issue, tracked as CVE-2026-40933 (CVSS score of 9.9), was disclosed in April along with several other security defects impacting AI ecosystems that rely on Anthropic’s MCP protocol. Flowise, a popular open source platform that provides developers with a drag-and-drop interface for building LLM flows and AI agents, and which has over 52,000 GitHub stars, was flagged as one of the impacted products.

‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds
Date: 2026-06-03 Author: Security Week
Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn. Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.

ASB-2026.0110 – Microsoft Windows: CVSS (Max): 9.8
Microsoft's May 2026 Patch Tuesday update addresses 67 vulnerabilities across supported Windows desktop and server platforms, including Windows 10, Windows 11, Windows Server 2016–2025, and Windows Admin Center.

ESB-2026.5111.2 – Palo Alto PAN-OS: CVSS (Max): 7.8
A high-severity authentication bypass vulnerability affects Palo Alto Networks' GlobalProtect VPN functionality on PAN-OS firewalls. Successful exploitation allows an unauthenticated attacker to bypass security controls and establish unauthorized VPN access.

ESB-2026.6009 – IBM QRadar Investigation Assistant App: CVSS (Max): 10.0
IBM has released an update for the IBM QRadar Investigation Assistant App (AI Assistant) to address numerous vulnerabilities in bundled third-party components.

ESB-2026.5923 – Chromium: CVSS (Max): 9.8
Debian has released an advisory to address a large number of security vulnerabilities in Chromium. The advisory addresses vulnerabilities that could lead to remote code execution, information disclosure and denial of service.

ESB-2026.6022 – Unbound: CVSS (Max): 10
Ubuntu has released an advisory to address multiple vulnerabilities in Unbound, a widely used validating, recursive DNS resolver. The advisory backports fixes for several vulnerabilities affecting older Ubuntu LTS releases.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 29th May 2026

Greetings,

Carnival Corporation, the world’s largest cruise operator, has confirmed a significant cyber security incident affecting nearly six million individuals. The breach, which occurred in April 2026, was triggered by a social engineering attack in which a threat actor deceived an employee into granting access to their account. This allowed the attacker to infiltrate a limited portion of Carnival’s IT systems and ultimately extract customer data. The company detected suspicious activity on April 14 and moved to block access, later confirming on April 22 that personal information had been copied. Carnival has since begun notifying approximately 5.99 million affected individuals.

While the full scope of the compromised data varies, exposed information is believed to include names, dates of birth, email addresses, and loyalty program details. The breach has been linked to the ShinyHunters cybercrime group, which claimed responsibility and alleged it stole millions of records along with large volumes of internal corporate data. The incident highlights the ongoing effectiveness of social engineering tactics, where attackers exploit human behaviour rather than technical vulnerabilities to gain entry into systems. In response, Carnival says it has strengthened its cyber security measures and engaged external experts to support its investigation. However, for millions of customers, the breach serves as a timely reminder of the importance of vigilance in protecting personal information in an increasingly digital travel landscape.

LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access
Date: 2026-05-22 Author: Cyber Security News
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
LiteSpeed has disclosed and patched a critical 0-day privilege escalation flaw in its user-end cPanel plugin that is already being actively exploited to gain root access on Linux hosting servers. The bug is tracked as CVE-2026-48172 and affects LiteSpeed cPanel user-end plugin versions from v2.3 up to, but not including, v2.4.5.

Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
Date: 2026-05-28 Author: The Hacker News
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. “The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the ‘Rebase before merging’ merge operation,” security researcher Jonah Burgess said.

Trend Micro warns of Apex One zero-day exploited in the wild
Date: 2026-05-22 Author: Bleeping Computer
Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems. Apex One is Trend Micro’s enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats.

Drupal: Critical SQL injection flaw now targeted in attacks
Date: 2026-05-22 Author: Bleeping Computer
Drupal is warning that hackers are attempting to exploit a “highly critical” SQL injection vulnerability announced earlier this week. The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting “within hours or days.”

New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
Date: 2026-05-26 Author: Cyber Security News
A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool’s NTFS archive handler. Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).

ASB-2026.0111 – Microsoft SharePoint Server: CVSS (Max): 8.8
Microsoft has released a security update addressing a remote code execution vulnerability in Microsoft SharePoint Server. A deserialization of untrusted data vulnerability in Microsoft Office SharePoint allows an authenticated attacker with low privileges to exploit this flaw over the network to execute arbitrary code on the affected SharePoint server.

ESB-2026.5634 – NGINX: CVSS (Max): 8.1
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.

ESB-2026.5674 – IBM QRadar SIEM: CVSS (Max): 9.8*
Multiple components with known vulnerabilities were addressed in IBM QRadar SIEM 7.5.0 UP15 IF03, including an off-by-one heap buffer overflow in XML::Parser when parsing deeply nested XML files. A heap overflow in the Linux kernel NFSv4.0 replay cache caused by copying oversized LOCK denied responses into a fixed 112-byte buffer without bounds checking was also addressed. Additional fixes included a use-after-free issue in Python decompressor objects after a MemoryError, a Vim modeline sandbox bypass allowing arbitrary OS command execution when opening a crafted file, and an OpenSSH scp issue that could install downloaded files as setuid or setgid under specific conditions.

ESB-2026.5737 – IBM WebSphere Application Server: CVSS (Max): 9.8
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component.

ESB-2026.5761 – Jenkins: CVSS (Max): 8.8*
LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization “gadgets” are available on the classpath.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 22nd May 2026

Greetings,

What a week it’s been! AUSCERT2026 delivered another standout chapter in Australia’s longest-running cyber security conference, bringing together practitioners, researchers, and leaders from across the globe for four days of learning, collaboration, and innovation on the Gold Coast. Celebrating its 25th year, this milestone event truly embodied its “Game On!” theme, highlighting the fast-paced, high-stakes nature of modern cyber defence and the teamwork required to succeed.

The week kicked off with an expansive lineup of hands-on tutorials and workshops, spanning everything from red teaming and threat hunting to governance, AI compliance, and cloud security. These sessions created an energised environment where attendees could dive deep into technical challenges, sharpen their capabilities, and exchange insights with peers and industry experts.

A highlight of the week was the keynote lineup, which once again brought big ideas and future-focused thinking to centre stage. Dr. Kawin Boonyapredee delivered a standout keynote on “Beyond Bits: Defending Data in the Quantum Age,” exploring the transformative impact of quantum computing and the urgent need to prepare cryptographic defences for the future. Meanwhile, the International CyberSecurity Challenge brought a global competitive edge to the conference, with teams from around the world competing in high-pressure scenarios that showcased emerging talent and reinforced the importance of collaboration on an international scale. This year saw Team Europe taking out the top spot, followed by Team USA and Team Oceania.

Beyond the formal sessions, AUSCERT2026 thrived on its strong sense of community. Networking events, which included the welcome reception and the 25th Anniversary Gala Dinner, offered invaluable opportunities to connect, reflect, and celebrate the industry’s progress together. AUSCERT2026 sparked conversations, developed skills, and built relationships that will continue to strengthen and evolve the cyber security landscape across Australia and beyond. Here’s to another year of pushing boundaries, fostering collaboration, and staying one step ahead, because in this arena, it’s always Game On.

Microsoft warns of Exchange zero-day flaw exploited in attacks
Date: 2026-05-15 Author: Bleeping Computer
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software.

Max-severity flaw in ChromaDB for AI apps allows server hijacking
Date: 2026-05-19 Author: Bleeping Computer
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it.

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Date: 2026-05-17 Author: The Hacker News
[AUSCERT has published relevant security bulletins from individual vendors]
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Hackers bypass SonicWall VPN MFA due to incomplete patching
Date: 2026-05-20 Author: Bleeping Computer
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. During the intrusions, the hacker took between 30 and 60 minutes to log in, do network reconnaissance, test credential reuse on internal systems, and log out.

Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass
Date: 2026-05-20 Author: Security Week
Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass. The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode.

ESB-2026.5308 – IBM MQ container software: CVSS (Max): 9.9*
Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. systemd, a system and service manager (as PID 1), hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data.

ESB-2026.5387 – IBM MQ Agent: CVSS (Max): 10.0
Multiple vulnerabilities were addressed in IBM MQ Agent images. Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

ESB-2026.5403 – Mozilla Firefox: CVSS (Max): 9.8
Firefox 151 fixes multiple high-severity vulnerabilities, including sandbox escapes, memory safety bugs with potential for code execution due to memory corruption, and several same-origin policy bypasses in DOM and networking components. The update also addresses additional issues such as privilege escalation, spoofing, information disclosure, integer overflows, mitigation bypasses, and denial-of-service vulnerabilities across multiple browser components.

ESB-2026.5500 – Splunk: Splunk Enterprise CVSS (Max): 10.0
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.2.3, 10.0.6, 9.4.11, 9.3.12, and higher.

ESB-2026.5533 – Cisco Secure Workload: CVSS (Max): 10.0
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 15th May 2026

Greetings,

We are excited to announce the release of AUSCERT’s 2025 Year in Review. The report offers members a valuable snapshot of our work behind the scenes, highlighting the services we deliver and the many opportunities available to support their organisations. These achievements reflect our ongoing commitment to equipping our community with the tools, insights and support needed to confidently navigate an increasingly dynamic cyber security environment. You can read the full report here.

This week, Instructure, the parent company of Canvas, has allegedly paid the hackers responsible for disrupting online learning globally. The attack, attributed to the cybercriminal group ShinyHunters, involved the theft of vast amounts of data, including names, email addresses, student IDs and private messages exchanged on the platform. At least 120 Australian schools, universities and TAFEs were caught up in what has been described as one of the largest education data breaches globally. The disruption forced institutions to suspend access, extend deadlines and scramble for contingency plans as exams and assessments were impacted. Hackers initially threatened to release the stolen data unless a ransom was paid, placing significant pressure on Instructure. The company later confirmed it had reached an “agreement” with the attackers, with reports indicating the data was returned and assurances provided that it would not be published, although experts caution that such guarantees cannot be verified. While this approach may have reduced immediate risk, cyber security specialists warn it could increase the likelihood of future attacks, particularly against essential digital services like education platforms.

SAP Patches Critical S/4HANA, Commerce Vulnerabilities
Date: 2026-05-12 Author: Security Week
The most severe of the resolved vulnerabilities are critical code injection issues in S/4HANA and Commerce that could allow attackers to leak data and execute arbitrary code. Both security defects have a CVSS score of 9.6. Tracked as CVE-2026-34260, the S/4HANA bug is described as an SQL injection issue stemming from missing input validation and sanitization.

Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
Date: 2026-05-12 Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.5015/ https://portal.auscert.org.au/bulletins/ESB-2026.5016/]
Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems. The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.

New critical Exim mailer flaw allows remote code execution
Date: 2026-05-13 Author: Bleeping Computer
[AUSCERT has contacted impacted members where applicable]
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14 Author: Talos Intelligence
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5194/]
[AUSCERT has contacted affected members where applicable]
Talos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, which allows logging in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, who we assess is a highly sophisticated cyber threat actor.

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
Date: 2026-05-12 Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0102]
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.

Windows BitLocker zero-day gives access to protected drives, PoC released
Date: 2026-05-13 Author: Bleeping Computer
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. Known as Chaotic Eclipse or Nightmare Eclipse, the researcher describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.

ASB-2026.0099.2 – cPanel, WHM and WP2: CVSS (Max): 9.8
An authentication bypass security issue has been identified in the cPanel software (including DNSOnly) affecting all currently supported versions after 11.40.

ESB-2026.4894 – Thunderbird 140.10.2: CVSS (Max): 9.8
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

ESB-2026.5018 – FortiOS: CVSS (Max): 8.3
An Out-Of-Bounds Write vulnerability [CWE-787] in FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.

ESB-2026.5030 – Adobe Connect: CVSS (Max): 9.6
Adobe has released a security update for Adobe Connect. This update resolves critical vulnerabilities that could lead to arbitrary code execution and privilege escalation.

ESB-2026.5095 – Palo Alto PAN-OS: CVSS (Max): 9.2
A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 8th May 2026

Greetings,

A major cyber incident affecting Canvas, one of the world’s most widely used education platforms, is continuing to evolve. New developments are highlighting both the scale of the exposure and an increasingly aggressive extortion campaign by the perpetrators. Queensland’s Department of Education has confirmed that students and staff across the state are among those impacted by a global data breach involving Instructure’s Canvas learning management system, which supports the QLearn platform used in schools. Early advice indicates that students or staff who studied or worked in Queensland state schools since 2020 may have had personal information exposed, including names, email addresses and school locations. Authorities have stated that there is currently no evidence that passwords, financial data or government identifiers were accessed.

The incident forms part of a broader global compromise attributed to the ShinyHunters cybercriminal group, which claims to have exfiltrated large volumes of data from Canvas, potentially impacting more than 9,000 institutions and hundreds of millions of users worldwide. In addition to identifying information, the attackers claim to have obtained internal messages exchanged between students, teachers and staff, which could be leveraged in highly targeted phishing or social engineering attacks. While Instructure has moved quickly to contain the breach and engage forensic experts, the situation escalated further this week. In a related development, ShinyHunters reportedly defaced Canvas login portals for approximately 300 education institutions, briefly replacing them with ransom messages threatening to publish the stolen data by May 12 if demands are not met. As investigations continue, government agencies and affected institutions are urging vigilance, particularly around unsolicited communications and phishing attempts, while the broader sector grapples with the implications of a breach that has quickly become both a global data privacy incident and an unfolding cyber extortion case.

Palo Alto warns of critical software bug used in firewall attacks
Date: 2026-05-07 Author: The Record
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.4671.2/]
[AUSCERT has contacted affected members where applicable]
Hackers are exploiting a new vulnerability in software from Palo Alto Networks, the company said in an advisory on Wednesday. The bug is tracked as CVE-2026-0300 and carries a severity score of 9.3 out of 10, indicating a critical issue. A patch has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.

Critical vm2 sandbox bug lets attackers execute code on hosts
Date: 2026-05-06 Author: Bleeping Computer
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.

Qld gov says students, staff caught in Canvas cyber incident
Date: 2026-05-07 Author: itnews
The Queensland government says that students and staff working or studying at state schools since 2020 may have been caught up in a breach of global education systems vendor, Instructure. QLearn, the state's digital learning management platform, is backed by Instructure’s Canvas, which was recently targeted by a well-known threat group. A case study published by the vendor states that QLearn is used by “1264 K-12 schools, their 572,160 students [and by] 73,000-plus teaching staff.”

Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft
Date: 2026-05-05 Author: Security Week
Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns. Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine. A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables, including API keys, tokens, and secrets, Cyera says.

UAT-8302 and its box full of malware
Date: 2026-05-05 Author: CISCO Talos
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world. Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.

ESB-2026.4671.2 – Palo Alto PAN-OS: CVSS (Max): 9.3
Palo Alto Networks has disclosed a critical unauthenticated remote code execution vulnerability affecting the PAN-OS User-ID Authentication Portal (Captive Portal). The vulnerability is actively being exploited in the wild.

ESB-2026.4729 – Apache HTTP Server: CVSS (Max): 9.8
Ubuntu has released security updates for Apache HTTP Server addressing multiple vulnerabilities across supported Ubuntu releases, including denial-of-service, information disclosure, authentication bypass and potential remote code execution.

ESB-2026.4673 – IBM QRadar SIEM: CVSS (Max): 10.0
IBM has released security updates for the QRadar Investigation Assistant App addressing multiple third-party component vulnerabilities, including SSRF, remote code execution, prototype pollution, denial-of-service and path traversal.

ESB-2026.4586 – Linux: CVSS (Max): 9.8
Debian has released security updates for the Linux kernel in Debian 12 “bookworm” addressing a large number of vulnerabilities that could lead to privilege escalation, denial-of-service and information disclosure.

ESB-2026.4534 – Google Android: CVSS (Max): 8.8
Google’s May 2026 Android Security Bulletin addresses a critical vulnerability in the Android System component that could allow adjacent remote code execution as the shell user without user interaction.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 1st May 2026

Greetings,

Vimeo has confirmed that some customer and user data was exposed following a security breach at Anodot, a third party data anomaly detection provider used by the video platform. While Vimeo itself was not directly attacked, the incident highlights how vulnerabilities in external vendors can have impacts on major digital services. According to Vimeo, the unauthorised access stemmed from the Anodot breach, where attackers stole authentication tokens and used them to access customer environments, particularly cloud data platforms such as Snowflake. In Vimeo’s case, the data accessed was largely technical in nature, including video titles and metadata. In some instances, customer email addresses were also exposed. Importantly, Vimeo stressed that no video content, user account passwords, or payment card information were compromised, and the platform’s services continued to operate normally throughout the incident. The breach has been linked to the ShinyHunters extortion group, which has publicly claimed responsibility and threatened to release stolen data unless a ransom was paid. ShinyHunters has recently listed Vimeo on its extortion site, alleging access to company data and warning of potential further disruptions. However, the group did not disclose how much Vimeo data was taken, leaving the full scope of exposure unclear. In response, Vimeo has disabled all Anodot credentials and removed the service’s integration from its systems. The company is working with third party security experts, has notified law enforcement, and says it will share further updates if new details emerge.

Linux cryptographic code flaw offers fast route to root
Date: 2026-04-30
Author: The Register
Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains.

cPanel, WHM emergency update fixes critical auth bypass bug
Date: 2026-04-29
Author: Bleeping Computer
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0099/]
[AUSCERT has contacted affected members where applicable]
A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software.

Chrome 147, Firefox 150 Security Updates Rolling Out
Date: 2026-04-29
Author: Security Week
Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components.

Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
Date: 2026-04-28
Author: Bleeping Computer
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route.

GitHub patches critical 'git push' remote code execution bug
Date: 2026-05-29
Author: iTnews
[AUSCERT has published a relevant security bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0098/]
Microsoft-owned open source code hosting platform GitHub has acknowledged and patched a critical vulnerability that allowed arbitrary remote code execution, following a report from Wiz researchers. The vulnerability is rated as 8.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, and affected both GitHub.com and the self-hosted GitHub Enterprise Server (GHES).

ASB-2026.0099 – cPanel, WHM and WP2: CVSS (Max): 9.8
A critical authentication bypass in cPanel/WHM allows unauthenticated remote access to hosting control panels.

ASB-2026.0100 – Linux Kernel: CVSS (Max): 7.8
A logic flaw in the Linux kernel’s cryptographic interface allows any unprivileged local user to reliably modify protected files and escalate to root access on most Linux systems since 2017, requiring prompt kernel patching or module mitigation.

ESB-2026.4399 – NLTK: CVSS (Max): 10.0
A critical vulnerability in the NLTK library allows attackers to execute arbitrary code by tricking systems into opening a malicious zip file, requiring immediate package updates on affected Ubuntu systems.

ESB-2026.4368 – MozillaFirefox: CVSS (Max): 9.8
A security update for Mozilla Firefox (ESR 140.10.0) addresses 25 vulnerabilities, including critical memory safety and privilege escalation flaws, that could allow remote compromise.

ASB-2026.0098 – GitHub Enterprise Server: CVSS (Max): 8.7
A remote code execution vulnerability in GitHub Enterprise Server allows authenticated users with repository push access to run arbitrary commands on the server, requiring immediate upgrades to patched versions.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 24th April 2026

Greetings,

A new report has raised fresh questions about how safely powerful AI security tools are being distributed, after an unauthorised group reportedly gained access to Anthropic’s closely guarded frontier AI model, Mythos. According to a Bloomberg investigation cited by TechCrunch, members of a private online forum were able to access Mythos through the environment of a third party vendor that works with Anthropic. Mythos, announced only recently, is designed as an enterprise grade AI tool to discover software vulnerabilities and develop exploits. Anthropic has previously warned that, in the wrong hands, the technology could just as easily be used to rapidly exploit information systems on a huge scale. The group is said to have obtained access on the same day Mythos was publicly revealed, apparently by making an educated guess about where the model was hosted online based on Anthropic’s past release patterns. Bloomberg reports that the individuals involved provided evidence of their access, including screenshots and a live demonstration of the software, and have been using the tool regularly since then. The source described the group as curious experimenters rather than malicious actors, with a stated interest in exploring new models rather than causing harm. Anthropic confirmed it is investigating the claims and said the access appears to have occurred through a third party vendor, not its own systems. The company added that it has found no evidence so far that its internal infrastructure has been compromised. Mythos was made available only to a select group of partners, including major technology companies, under an initiative called Project Glasswing. The limited rollout was intended to reduce the risk of misuse. If the report is accurate, it highlights how difficult it can be to fully contain advanced AI tools once they are released, even on a limited basis.

New npm supply-chain attack self-spreads to steal auth tokens
Date: 2026-04-22
Author: Bleeping Computer
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve profitability.

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Date: 2026-04-22
Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0097/]
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

Recently leaked Windows zero-days now exploited in attacks
Date: 2026-04-17
Author: Bleeping Computer
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. Since the start of the month, a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse" has published proof-of-concept exploit code for all three security issues in protest at how Microsoft's Security Response Center (MSRC) handled the disclosure process.

CISA flags Apache ActiveMQ flaw as actively exploited in attacks
Date: 2026-04-17
Author: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month is now actively exploited in attacks. Apache ActiveMQ is the most popular open-source Java-based message broker for asynchronous communication between applications. Tracked as CVE-2026-34197, the security flaw has gone undetected for 13 years and was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant.

Vercel's security breach started with malware disguised as Roblox cheats
Date: 2026-04-20
Author: CyberScoop
[AUSCERT has published a related security bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0068/]
Vercel customers are at risk of compromise after an attacker hopped through multiple internal systems to steal credentials and other sensitive data, the company said in a security bulletin Sunday. The attack, which didn’t originate at Vercel, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions.

ASB-2026.0080 – Oracle Fusion Middleware: CVSS (Max): 9.8
Multiple vulnerabilities have been identified in a number of Oracle products. This Critical Patch Update contains 59 new security patches, plus additional third party patches, for Oracle Fusion Middleware. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ASB-2026.0097 – ASP.NET Core 10.0: CVSS (Max): 9.1
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges (gain SYSTEM privileges) over a network.

ESB-2026.1817.2 – Cisco Catalyst SD-WAN: CVSS (Max): 9.8
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.

ESB-2026.4002.2 – Atlassian Products: CVSS (Max): 10
The vulnerabilities reported in this Security Bulletin include 31 high-severity vulnerabilities and 7 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.

ESB-2026.4105 – IBM WebSphere Application Server: CVSS (Max): 7.5
IBM WebSphere Application Server Liberty is affected by identity spoofing when the appSecurity feature (appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0) is not enabled on the server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th April 2026

Greetings,

A major data breach at global education publisher McGraw Hill has exposed the personal information of approximately 13.5 million users. The incident followed an extortion attempt by the ShinyHunters cybercrime group, which has since leaked more than 100GB of stolen data online. According to McGraw Hill, attackers exploited a misconfiguration in a Salesforce hosted web environment used by the company, rather than gaining access to its core internal systems. The publisher stated that its primary customer databases, learning platforms and courseware were not compromised, and that the issue appears to be linked to a broader configuration problem affecting multiple Salesforce customers. While McGraw Hill described the exposed information as a “limited” data set, independent analysis by breach notification service Have I Been Pwned shows the leaked files contain 13.5 million unique email addresses, with some records also including names, phone numbers and physical addresses. The attackers initially claimed to have accessed as many as 45 million records and threatened to release the data unless a ransom was paid. When negotiations appeared to fail, ShinyHunters followed through on its threat, publishing the information on its dark web leak site. Although no passwords, payment details or student academic records were reported among the exposed data, cyber security experts warn the information is still highly valuable to criminals. At this scale, even partial personal data can significantly increase the effectiveness of phishing, credential stuffing and other social engineering attacks. The breach highlights the growing risks associated with third party cloud platforms and shared responsibility models. As organisations increasingly rely on SaaS environments such as Salesforce, small configuration errors can have outsized consequences, reinforcing the need for ongoing security monitoring, governance and independent validation of cloud deployments.

Critical flaw in wolfSSL library enables forged certificate use
Date: 2026-04-13
Author: Bleeping Computer
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections.

Critical MCP Integration Flaw Puts NGINX at Risk
Date: 2026-04-16
Author: Dark Reading
Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers. The flaw, tracked as CVE-2026-33032 (CVSS: 9.8), stems from nginx-ui's insecure implementation of the Model Context Protocol (MCP) and gives attackers a way to make unauthorized changes to NGINX server configurations with little or no authentication in some cases.

Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
Date: 2026-04-14
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Microsoft updates]
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 7 of which are remote code execution flaws and the eighth a denial of service flaw.

Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Date: 2026-04-12
Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3505/]
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.

Fake Claude Website Distributes PlugX RAT
Date: 2026-04-13
Author: Security Week
A website posing as a legitimate Anthropic Claude domain was caught serving a remote access trojan to its visitors, Malwarebytes reports. Relying on Claude’s popularity, a threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM. The file contains an MSI installer that mimics the legitimate Anthropic installation chain and installs the real Claude application.

ASB-2026.0066 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.4
Microsoft urges immediate patching of 14 Office and SharePoint vulnerabilities, including multiple RCE and information disclosure flaws. CVE-2026-32201 (SharePoint spoofing) is actively exploited in the wild.

ESB-2026.3685 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe patched multiple vulnerabilities in AEM Screens, including critical flaws. Exploitation may allow remote code execution and privilege escalation.

ESB-2026.3724 – Fortinet FortiSandbox: CVSS (Max): 9.1
Fortinet patched a vulnerability affecting Fortinet products that may allow unauthorized access or code execution.

ESB-2026.3787 – Cisco Identity Services Engine: CVSS (Max): 9.9
An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) allows attackers to execute arbitrary commands remotely.

ESB-2026.3801 – Splunk Operator for Kubernetes Add-on 3.1: CVSS (Max): 10.0
Splunk addresses critical fixes related to third-party package updates in Splunk Operator for Kubernetes. Users are advised to upgrade to version 3.1.0 or later to remediate the issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 10th April 2026

Greetings,

Anthropic has announced that a preview version of its new frontier model, Claude Mythos, has already uncovered thousands of previously unknown, high severity vulnerabilities across major software platforms. The findings were revealed alongside the launch of Project Glasswing, a new initiative aimed at using advanced AI systems defensively to secure critical digital infrastructure. According to Anthropic, Claude Mythos demonstrated an exceptional ability to identify zero day flaws across every major operating system and web browser. Some discoveries included decades old bugs, such as a 27 year old vulnerability in OpenBSD and a 16 year old flaw in FFmpeg. In controlled evaluations, the model also autonomously chained together multiple vulnerabilities to escape application sandboxes and even solved complex corporate network attack simulations faster than seasoned human experts. These capabilities, however, come with serious implications. In one test, Mythos was able to follow researcher instructions to break out of a secured sandbox environment, gain internet access, and communicate externally, behaviour Anthropic described as a “potentially dangerous capability.” The company emphasised that such abilities were not explicitly trained, but emerged from broader improvements in the model’s reasoning, coding skill, and autonomy. To manage this risk, Anthropic is limiting access to Mythos Preview and partnering with a small group of major technology and security organisations, including AWS, Google, Microsoft, and the Linux Foundation. The company is also committing up to $100 million in usage credits and millions more in funding to support open source security efforts. Project Glasswing, Anthropic says, is an urgent effort to ensure powerful AI tools are used to fix vulnerabilities before similar capabilities are exploited by malicious actors.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Date: 2026-04-02
Author: The Hacker News
[Please see also AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.3189/ and https://portal.auscert.org.au/bulletins/ESB-2026.3199/]
[AusCERT has informed the affected members via Critical MSINs]
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
Date: 2026-04-07
Author: The Hacker News
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.

13-year-old bug in ActiveMQ lets hackers remotely execute commands
Date: 2026-04-08
Author: Bleeping Computer
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3.

IBM Identity and Verify Access Vulnerabilities Allow Remote Attacker to Access Sensitive Data
Date: 2026-04-08
Author: Cyber Security News
A critical security bulletin highlights multiple vulnerabilities in Verify Identity Access and Security Verify Access products. If left unpatched, these widespread security flaws could allow malicious actors to access sensitive information, escalate their system privileges, or cause a complete denial-of-service of the application. Organizations relying on these authentication platforms must take immediate action to patch their infrastructure. A standout issue in the latest security advisory revolves around how the platform handles web traffic.

Max severity Flowise RCE vulnerability now exploited in attacks
Date: 2026-04-07
Author: Bleeping Computer
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code. The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.

ESB-2026.3427 – Prisma Browser: CVSS (Max): 9.8
Palo Alto Networks has released a monthly Chromium security update addressing multiple vulnerabilities in Prisma Browser, including memory corruption, integer overflows, and use-after-free issues.

ESB-2026.3417 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5
GitLab has released patch versions 18.10.3, 18.9.5, and 18.8.9 addressing multiple security vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE), including issues such as improper access control, denial of service, cross-site scripting, and information disclosure.

ESB-2026.3354 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released an important security update for the govulncheck-vulndb package on openSUSE Leap 15.6. Several vulnerabilities are rated High to Critical severity, with potential impacts including system compromise, data exposure, or denial of service.

ESB-2026.3319 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has disclosed a critical authentication and authorization bypass vulnerability in FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted API requests, resulting in privilege escalation.

ESB-2026.3276 – chromium: CVSS (Max): 9.6
Debian has released a security update for Chromium addressing multiple vulnerabilities that could lead to arbitrary code execution, denial of service, or information disclosure if exploited. One CVE (CVE-2026-5281) has been identified on the CISA Known Exploited Vulnerabilities (KEV) list.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 27th March 2026

Greetings,

Crunchyroll has launched an investigation into a potential data breach after a hacker claimed to have accessed personal information linked to approximately 6.8 million users. The popular anime streaming platform confirmed it is working with external cyber security experts to assess the scope of the incident and determine what data, if any, was compromised. According to Crunchyroll, the investigation is ongoing and there is currently no evidence of active or continued unauthorised access to its systems. The claims emerged after a threat actor contacted cyber security publication BleepingComputer, alleging they gained access to Crunchyroll systems on March 12 by compromising the Okta single sign on account of a customer support agent. The agent is believed to be employed by Telus International, a third party business process outsourcing provider that handles Crunchyroll support tickets. The attacker claims malware was used to steal the agent’s login credentials, which then provided access to multiple internal platforms, including Zendesk, Slack and Google Workspace. Using this access, the hacker says they downloaded approximately eight million customer support ticket records from Crunchyroll’s Zendesk system, containing roughly 6.8 million unique email addresses. Sample data reportedly included user names, email addresses, IP addresses, general location data and the contents of support requests. While some reports suggested payment data may have been exposed, it was confirmed that credit card details only appeared in cases where users voluntarily included them in support tickets, and usually in a limited form. Crunchyroll says it believes the issue is limited to customer service data associated with the third party vendor and continues to monitor the situation closely as its investigation progresses.

CVE-2026-3055: Critical Unauthenticated Memory-Read Vulnerability in Citrix NetScaler ADC and Gateway
Date: 2026-03-23
Author: Arctic Wolf
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.2769/]
On March 23, 2026, Citrix released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE-2026-3055) that allows unauthenticated threat actors to perform out-of-bounds memory reads. Exploitation of this vulnerability requires that the affected appliance be configured as a SAML Identity Provider (IDP).

TP-Link warns users to patch critical router auth bypass flaw
Date: 2026-03-25
Author: Bleeping Computer
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware. Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.

Popular LiteLLM PyPI package backdoored to steal credentials, auth tokens
Date: 2026-03-24
Author: Bleeping Computer
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack. LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. The package is very popular, with over 3.4 million downloads a day and over 95 million in the past month.

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Date: 2026-03-20
Author: The Hacker News
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The latest incident impacted the GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Date: 2026-03-25
Author: The Hacker News
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects, with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.

ESB-2026.2983 – firefox-esr
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, information disclosure, denial of service or privilege escalation.

ESB-2026.2955 – Cisco Products
Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability.

ESB-2026.2769 – NetScaler ADC and NetScaler Gateway
Critical vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

ESB-2026.2906 – NGINX Products
This vulnerability allows a local, authenticated attacker to cause a denial-of-service (DoS) of the NGINX system or to possibly trigger code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 20th March 2026

Greetings, Identity protection company Aura has confirmed a data breach that exposed contact information belonging to nearly 900,000 people. The incident was disclosed this week after Aura determined that an unauthorised party gained temporary access to internal systems following a targeted voice phishing, or “vishing”, attack on one of its employees. According to Aura, the attacker was able to access an employee account for approximately one hour, which they used to extract data from a marketing tool inherited through a company acquisition in 2021. The exposed information primarily consists of names and email addresses tied to marketing contacts, with the company estimating that fewer than 20,000 current customers and fewer than 15,000 former customers were affected directly. Aura emphasised that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised in the incident. The breach came to public attention after the ShinyHunters cyber crime group claimed responsibility, alleging that they had stolen a significantly larger dataset and attempted to extort the company. While Aura has acknowledged the breach itself, it has not confirmed all the threat actor’s claims and says it is continuing to investigate the scope of the incident with the support of external cyber security experts and law enforcement. Aura has begun the process of notifying affected individuals and says it is reviewing its security controls and internal processes. Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE Date: 2026-03-18 Author: The Hacker News [AUSCERT has contacted affected members where applicable] [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0059] Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. 
The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.

Critical HPE AOS-CX Vulnerability Allows Admin Password Resets
Date: 2026-03-14 Author: Security Week
Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity vulnerability in Aruba Networking AOS-CX that could be exploited to reset administrator passwords. The issue, tracked as CVE-2026-23813 (CVSS score of 9.8), impacts the web-based management interface of AOS-CX switches and can be exploited remotely, without authentication, to bypass authentication controls. The bug impacts HPE Aruba Networking CX 4100i, CX 6000, CX 6100, CX 6200, CX 6300, CX 6400, CX 8320, CX 8325, CX 8360, CX 9300, and CX 10000 series switches.

Storm-2561 Uses Fake Fortinet, Ivanti VPN Sites to Drop Hyrax Infostealer
Date: 2026-03-17 Author: HackRead
In mid-January 2026, Microsoft Defender Experts identified a devious way that cybercriminals are tricking people into giving away their private information. A group known as Storm-2561 has been setting up fake websites that look exactly like official download pages for popular office software, specifically Virtual Private Networks (VPNs). As we know, a VPN is a tool many of us use to stay secure online. Ironically, the attackers are using this trust against us.

Open VSX extensions hijacked: GlassWorm malware spreads via dependency abuse
Date: 2026-03-16 Author: InfoWorld
Threat actors are publishing clean extensions that later update to depend on hidden payload packages, bypassing marketplace checks and silently installing malware onto developers’ systems. Threat actors are abusing extension dependency relationships in the Open VSX registry to indirectly deliver malware in a new phase of the GlassWorm supply-chain campaign.
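The GlassWorm technique above relies on an update that looks harmless on its own: the extension's code does not change, only its manifest grows a new dependency. One way to catch that shape is to diff the dependency declarations of consecutive versions of an extension's package.json. The script below is an added example, not code from the InfoWorld report, from Open VSX or from the GlassWorm analysis; it assumes the two manifests have already been fetched and stands them in with constructed JSON. The manifest keys it inspects (extensionDependencies, extensionPack, dependencies) are the standard VS Code extension manifest fields that Open VSX publishes; the publisher names and package names in the sample are invented.

```python
"""Flag dependencies added between two versions of a VS Code / Open VSX
extension manifest (package.json).

Added example, not code from the GlassWorm report or from Open VSX.
Assumption: both versions' package.json have been fetched already; the two
manifests below are constructed stand-ins, not real extensions.
"""
import json

# Manifest keys through which an extension pulls in other code at install time:
# extensionDependencies / extensionPack make the marketplace install other
# extensions alongside this one, dependencies pulls npm packages into its runtime.
DEP_KEYS = ("extensionDependencies", "extensionPack", "dependencies")


def _deps(manifest: dict) -> dict[str, set[str]]:
    """Normalise every dependency key to a set of names."""
    out = {}
    for key in DEP_KEYS:
        value = manifest.get(key, {})
        # extensionDependencies / extensionPack are lists of "publisher.name";
        # npm dependencies is a {name: version-range} mapping (set() takes keys).
        out[key] = set(value) if isinstance(value, (list, dict)) else set()
    return out


def added_dependencies(old: dict, new: dict) -> dict[str, set[str]]:
    """Per manifest key, the dependencies present in `new` but absent in `old`."""
    before, after = _deps(old), _deps(new)
    return {k: after[k] - before[k] for k in DEP_KEYS if after[k] - before[k]}


def suspicious_additions(old: dict, new: dict) -> list[str]:
    """Readable findings for an update whose dependency set grew."""
    findings = []
    own_publisher = new.get("publisher", "")
    for key, names in added_dependencies(old, new).items():
        for name in sorted(names):
            note = f"{key}: new dependency {name!r}"
            # An extension from a different publisher that appears only in a
            # later version is exactly the shape described in the report.
            if key != "dependencies" and not name.startswith(own_publisher + "."):
                note += " (third-party publisher)"
            findings.append(note)
    return findings


# Constructed manifests: v1.0.0 is clean, v1.0.1 quietly adds dependencies.
V1 = json.loads("""{
  "name": "color-helper", "publisher": "acme", "version": "1.0.0",
  "extensionDependencies": ["acme.color-core"]
}""")
V2 = json.loads("""{
  "name": "color-helper", "publisher": "acme", "version": "1.0.1",
  "extensionDependencies": ["acme.color-core", "ghost-pub.update-helper"],
  "dependencies": {"left-pad": "^1.3.0"}
}""")

if __name__ == "__main__":
    for line in suspicious_additions(V1, V2):
        print(line)
```

Run against a real pair of manifests, the check is cheap enough to gate every extension update in a managed developer image: anything it reports gets a human look before the update is allowed through.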
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Date: 2026-03-17 Author: Bleeping Computer
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. The attacker is using the legitimate Deno to decode and execute a malicious payload directly into system memory, minimizing forensic evidence on the disk and lowering the chance of detection.

ASB-2026.0059 – GNU InetUtils telnetd: CVSS (Max): 9.8
A critical (CVSS 9.8) vulnerability in GNU InetUtils telnetd has been disclosed that allows unauthenticated remote code execution as root via a buffer overflow.

ESB-2026.2593 – FreeRDP: CVSS (Max): 9.8
Multiple vulnerabilities in FreeRDP (CVE-2026-27951 and others) have been identified, caused by improper handling of RDP packets. These flaws could allow a remote attacker to crash the client (denial of service) or potentially execute arbitrary code.

ESB-2026.2567 – Splunk Universal Forwarder: CVSS (Max): 9.8
This bulletin addresses multiple high-severity vulnerabilities in Splunk Universal Forwarder caused by outdated OpenSSL components, which could weaken the forwarder's cryptographic protections.

ESB-2026.2548 – CODESYS in Festo Automation Suite: CVSS (Max): 9.8
Multiple vulnerabilities have been reported in CODESYS within Festo Automation Suite (CVSS up to 9.8), including authentication bypass, weak/default security controls, path traversal, and improper access control. These flaws could allow unauthorized access, data exposure, and potential system compromise.

ESB-2026.2524 – Red Hat Insights Proxy: CVSS (Max): 8.1
This bulletin addresses multiple vulnerabilities in the Red Hat Insights proxy container image. These issues may impact security and privacy in environments using the proxy.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 13th March 2026

Greetings,

Salesforce customers are being urged to investigate their Experience Cloud configurations after a spike in data theft activity linked to the ShinyHunters cybercrime group. In recent alerts, Salesforce confirmed it is tracking an active campaign targeting public-facing Experience Cloud sites where guest user access has been misconfigured, potentially exposing more data than intended. According to reporting from IT Pro and BleepingComputer, attackers are not exploiting a flaw in Salesforce itself but are instead abusing overly permissive guest user profiles. These profiles are designed to allow unauthenticated visitors limited access to public content. When permissions are set too broadly, however, threat actors can directly query underlying CRM objects and extract sensitive information without logging in.

ShinyHunters has claimed responsibility for the ongoing campaign and alleges that hundreds of organisations have been affected, with stolen data often repurposed for follow-on phishing and voice-based social engineering attacks. Salesforce says the attackers are using a modified version of AuraInspector, an open-source tool originally developed to help administrators identify misconfigurations. In the wrong hands, this tooling has been adapted to automate large-scale scanning of Experience Cloud sites and harvest exposed data. In response, Salesforce has published a detailed advisory outlining essential actions to reduce risk. These include auditing guest user permissions, applying the principle of least privilege, disabling unnecessary API access and closely monitoring for unusual activity.

Veeam warns of critical flaws exposing backup servers to RCE attacks
Date: 2026-03-12 Author: Bleeping Computer
[AUSCERT has contacted affected members where applicable]
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.
VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures. Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

Critical Nginx UI flaw CVE-2026-27944 exposes server backups
Date: 2026-03-08 Author: Security Affairs
A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” reads the advisory.

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Date: 2026-03-10 Author: The Hacker News
Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.
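Returning to the Salesforce Experience Cloud item that opens this week's review: the first action in Salesforce's advisory is to audit guest user permissions, and the fastest way to do that across many sites is to pull the guest profiles' ObjectPermissions records and look for anything a public, unauthenticated visitor should not be able to read or write. The script below is an added example, not Salesforce's tooling and not AuraInspector. It assumes the records were exported with a SOQL query over ObjectPermissions filtered to profiles on the Guest User License (the field names used are the documented ObjectPermissions and PermissionSet fields; the query is quoted in the docstring as an assumption); the records it runs on are constructed, and the sensitive-object and public-object lists are starting points to tune per org, not Salesforce guidance.

```python
"""Audit Experience Cloud guest user profiles for over-broad object access.

Added example; not Salesforce's advisory tooling and not AuraInspector.
Assumed data source (run in your org, e.g. via the REST API /query endpoint):

  SELECT Parent.Profile.Name, Parent.PermissionsApiEnabled, SobjectType,
         PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete
  FROM ObjectPermissions
  WHERE Parent.Profile.UserLicense.Name = 'Guest User License'

The records below are constructed to exercise the checks, not exported data.
"""

# Objects an unauthenticated guest should essentially never read.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "Opportunity", "User",
                     "Contract", "Order", "EmailMessage", "Task", "Event"}
# Objects a public site commonly does need to read; tune per org (assumption).
PUBLIC_READ_ALLOWED = {"Knowledge__kav", "Product2", "Pricebook2"}
WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def audit_guest_permissions(records: list[dict]) -> list[dict]:
    """Return one finding per problem: write access, reads of sensitive
    objects, reads outside the allow-list, and API access on the profile."""
    findings = []
    api_flagged: set[str] = set()
    for r in records:
        obj = r["SobjectType"]
        parent = r["Parent"]
        profile = parent["Profile"]["Name"]

        # Profile-level check, reported once per profile rather than per object.
        if parent.get("PermissionsApiEnabled") and profile not in api_flagged:
            api_flagged.add(profile)
            findings.append({"profile": profile, "object": None, "severity": "high",
                             "reason": "API access enabled on guest profile; "
                                       "disable unless the site needs it"})

        writes = [p for p in WRITE_PERMS if r.get(p)]
        if writes:
            findings.append({"profile": profile, "object": obj, "severity": "high",
                             "reason": "guest write access: " + ", ".join(writes)})

        if r.get("PermissionsRead"):
            if obj in SENSITIVE_OBJECTS:
                findings.append({"profile": profile, "object": obj, "severity": "high",
                                 "reason": "guest read access to sensitive CRM object"})
            elif obj not in PUBLIC_READ_ALLOWED:
                findings.append({"profile": profile, "object": obj, "severity": "medium",
                                 "reason": "guest read access not on the allow-list; "
                                           "confirm it is intended"})
    return findings


# Constructed records: one guest profile with a typical over-permissioned setup.
_PARENT = {"PermissionsApiEnabled": True, "Profile": {"Name": "Support Site Profile"}}
GUEST_RECORDS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "Parent": _PARENT},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "Parent": _PARENT},
    {"SobjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False, "Parent": _PARENT},
]

if __name__ == "__main__":
    for f in audit_guest_permissions(GUEST_RECORDS):
        print(f["severity"].upper(), f["profile"], f["object"] or "-", f["reason"])
```

Object permissions are only half of the picture: field-level security and sharing rules decide which records and fields a guest read actually exposes, so treat a clean run here as necessary, not sufficient, and pair it with the monitoring step in the advisory.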
‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload
Date: 2026-03-11 Author: Security Week
An ongoing campaign, probably originating from a Russian-speaking threat actor, uses social engineering to trick victims into downloading an ISO file from cloud storage services such as Dropbox. Once mounted, the ISO file seems to be a legitimate part of the system and can be directly accessed by the victim. Opening a file within it will trigger a chain that downloads malware, including a module that the firm which discovered it, Aryaka, has dubbed BlackSanta.

CISA Warns SolarWinds and Ivanti Vulnerabilities Are Actively Exploited
Date: 2026-03-10 Author: Security Boulevard
Organizations often prioritize patching vulnerabilities based on severity scores, assuming that lower-rated issues pose limited risk. In practice, attackers frequently exploit vulnerabilities that remain unpatched in real environments, regardless of their official severity rating. New reporting from The Hacker News highlights that the Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting products from SolarWinds, Ivanti, and other vendors to its Known Exploited Vulnerabilities (KEV) catalog, confirming that these flaws are actively being abused in the wild.

Hackers abuse .arpa DNS and IPv6 to evade phishing defenses
Date: 2026-03-08 Author: Bleeping Computer
Threat actors are abusing the special-use ".arpa" domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways. The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.
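The .arpa item above comes down to one fact a mail filter can act on: a link whose hostname sits under in-addr.arpa or ip6.arpa is infrastructure naming, not a website people are meant to visit, and ip6.arpa names encode the target address nibble by nibble in reverse. The script below is an added example, not part of the Bleeping Computer report; it extracts URLs from a message body, flags hosts under either reverse zone or given as bare IP literals, and decodes the reverse name back into the IPv6 or IPv4 address (or prefix, when only part of the address is present) so an analyst sees where the link points. The email text is constructed and the addresses in it are documentation ranges.

```python
"""Flag phishing URLs that hide under .arpa reverse-DNS names or IP literals.

Added example, not code from the Bleeping Computer report. The message body
below is constructed; its addresses are documentation / loopback ranges.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
HEX = set("0123456789abcdef")


def _trailing_address_labels(labels, accept):
    """Walk the labels right to left (most significant part of the address
    comes last in a reverse name) and stop at the first non-address label,
    so 'login.8.b.d.0.1.0.0.2' yields ['2','0','0','1','0','d','b','8']."""
    parts = []
    for lab in reversed(labels):
        if not accept(lab):
            break
        parts.append(lab)
    return parts


def arpa_to_network(host):
    """Decode an in-addr.arpa / ip6.arpa name into the address or prefix it
    denotes; returns None for hosts that are not reverse-DNS names."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = _trailing_address_labels(
            labels[:-2], lambda l: len(l) == 1 and l in HEX)[:32]
        if not nibbles:
            return None
        hexstr = "".join(nibbles).ljust(32, "0")          # pad a partial prefix
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{len(nibbles) * 4}", strict=False)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = _trailing_address_labels(
            labels[:-2], lambda l: l.isdigit() and int(l) <= 255)[:4]
        if not octets:
            return None
        addr = ".".join((octets + ["0"] * 4)[:4])
        return ipaddress.ip_network(f"{addr}/{len(octets) * 8}", strict=False)
    return None


def classify_url(url):
    """Return a finding dict for a suspicious host, or None for ordinary hosts."""
    host = urlsplit(url).hostname or ""
    net = arpa_to_network(host) if host.endswith("arpa") else None
    if net is not None:
        kind = "ip6.arpa" if host.endswith("ip6.arpa") else "in-addr.arpa"
        return {"url": url, "host": host, "kind": kind, "resolves_to": str(net)}
    try:
        literal = ipaddress.ip_address(host)      # bare IPv4/IPv6 literal host
    except ValueError:
        return None
    return {"url": url, "host": host, "kind": f"ipv{literal.version}-literal",
            "resolves_to": str(literal)}


def scan_text(text):
    """All suspicious URLs in a message body, in order of appearance."""
    return [f for f in (classify_url(u) for u in URL_RE.findall(text)) if f]


# Constructed phishing lure: a sub-delegated ip6.arpa name, an in-addr.arpa
# name, a raw IPv6 literal, and one ordinary link that must not be flagged.
PHISH_EMAIL = """Your mailbox is almost full. Review it here:
https://login.8.b.d.0.1.0.0.2.ip6.arpa/verify?u=1
or https://1.0.0.127.in-addr.arpa/x and https://[2001:db8::1]/y
Need help? https://example.com/help
"""

if __name__ == "__main__":
    for f in scan_text(PHISH_EMAIL):
        print(f["kind"], f["host"], "->", f["resolves_to"])
```

Because reputation engines key on registrable domains, a link under a reverse zone often arrives with no reputation at all; a rule that simply refuses to rewrite or deliver such links, or routes them to review, closes that gap without waiting for a blocklist entry.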
ESB-2026.2410 – Splunk AppDynamics On-Premises Enterprise Console: CVSS (Max): 9.8
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics On-Premises Enterprise Console version 26.1.1, and higher.

ESB-2026.2399 – GitLab Community and Enterprise Edition: CVSS (Max): 8.7
GitLab releases fixes for vulnerabilities in patch releases, versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

ESB-2026.2395 – Cisco IOS XR Software: CVSS (Max): 8.8
Multiple vulnerabilities in Cisco IOS XR Software could allow an authenticated, local attacker to execute commands as root on an underlying operating system or gain full administrative control of an affected device.

ESB-2026.2330 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important. Successful exploitation of these vulnerabilities could result in arbitrary code execution.

ESB-2026.2313 – Zoom: CVSS (Max): 9.6
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
