Week in review

AUSCERT Week in Review for 27th March 2026

Greetings,

Crunchyroll has launched an investigation into a potential data breach after a hacker claimed to have accessed personal information linked to approximately 6.8 million users. The popular anime streaming platform confirmed it is working with external cyber security experts to assess the scope of the incident and determine what data, if any, was compromised. According to Crunchyroll, the investigation is ongoing and there is currently no evidence of active or continued unauthorised access to its systems.

The claims emerged after a threat actor contacted cyber security publication BleepingComputer, alleging they gained access to Crunchyroll systems on March 12 by compromising the Okta single sign-on account of a customer support agent. The agent is believed to be employed by Telus International, a third-party business process outsourcing provider that handles Crunchyroll support tickets. The attacker claims malware was used to steal the agent’s login credentials, which then provided access to multiple internal platforms, including Zendesk, Slack and Google Workspace. Using this access, the hacker says they downloaded approximately eight million customer support ticket records from Crunchyroll’s Zendesk system, containing roughly 6.8 million unique email addresses. Sample data reportedly included user names, email addresses, IP addresses, general location data and the contents of support requests. While some reports suggested payment data may have been exposed, it was confirmed that credit card details only appeared in cases where users voluntarily included them in support tickets, and usually in a limited form.

Crunchyroll says it believes the issue is limited to customer service data associated with the third-party vendor and continues to monitor the situation closely as its investigation progresses.
CVE-2026-3055: Critical Unauthenticated Memory-Read Vulnerability in Citrix NetScaler ADC and Gateway
Date: 2026-03-23 Author: Arctic Wolf
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.2769/]
On March 23, 2026, Citrix released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE-2026-3055) that allows unauthenticated threat actors to perform out-of-bounds memory reads. Exploitation of this vulnerability requires that the affected appliance be configured as a SAML Identity Provider (IDP).

TP-Link warns users to patch critical router auth bypass flaw
Date: 2026-03-25 Author: Bleeping Computer
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware. Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.

Popular LiteLLM PyPI package backdoored to steal credentials, auth tokens
Date: 2026-03-24 Author: Bleeping Computer
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack. LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. The package is very popular, with over 3.4 million downloads a day and over 95 million in the past month.

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Date: 2026-03-20 Author: The Hacker News
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The latest incident impacted the GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and to set up GitHub Actions workflows with a specific version of the scanner, respectively.

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Date: 2026-03-25 Author: The Hacker News
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects, with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.

ESB-2026.2983 – firefox-esr
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, information disclosure, denial of service or privilege escalation.

ESB-2026.2955 – Cisco Products
Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability

ESB-2026.2769 – NetScaler ADC and NetScaler Gateway
Critical vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

ESB-2026.2906 – NGINX Products
This vulnerability allows a local, authenticated attacker to cause a denial-of-service (DoS) of the NGINX system or to possibly trigger code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 20th March 2026

Greetings,

Identity protection company Aura has confirmed a data breach that exposed contact information belonging to nearly 900,000 people. The incident was disclosed this week after Aura determined that an unauthorised party gained temporary access to internal systems following a targeted voice phishing, or “vishing”, attack on one of its employees. According to Aura, the attacker was able to access an employee account for approximately one hour, which they used to extract data from a marketing tool inherited through a company acquisition in 2021.

The exposed information primarily consists of names and email addresses tied to marketing contacts, with the company estimating that fewer than 20,000 current customers and fewer than 15,000 former customers were affected directly. Aura emphasised that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised in the incident. The breach came to public attention after the ShinyHunters cyber crime group claimed responsibility, alleging that they had stolen a significantly larger dataset and attempted to extort the company. While Aura has acknowledged the breach itself, it has not confirmed all the threat actor’s claims and says it is continuing to investigate the scope of the incident with the support of external cyber security experts and law enforcement.

Aura has begun the process of notifying affected individuals and says it is reviewing its security controls and internal processes.

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
Date: 2026-03-18 Author: The Hacker News
[AUSCERT has contacted affected members where applicable]
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0059]
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.

Critical HPE AOS-CX Vulnerability Allows Admin Password Resets
Date: 2026-03-14 Author: Security Week
Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity vulnerability in Aruba Networking AOS-CX that could be exploited to reset administrator passwords. The issue, tracked as CVE-2026-23813 (CVSS score of 9.8), impacts the web-based management interface of AOS-CX switches and can be exploited remotely, without authentication, to bypass authentication controls. The bug impacts HPE Aruba Networking CX 4100i, CX 6000, CX 6100, CX 6200, CX 6300, CX 6400, CX 8320, CX 8325, CX 8360, CX 9300, and CX 10000 series switches.

Storm-2561 Uses Fake Fortinet, Ivanti VPN Sites to Drop Hyrax Infostealer
Date: 2026-03-17 Author: HackRead
In mid-January 2026, Microsoft Defender Experts identified a devious way that cybercriminals are tricking people into giving away their private information. A group known as Storm-2561 has been setting up fake websites that look exactly like official download pages for popular office software, specifically Virtual Private Networks (VPNs). As we know, a VPN is a tool many of us use to stay secure online. Ironically, the attackers are using this trust against us.

Open VSX extensions hijacked: GlassWorm malware spreads via dependency abuse
Date: 2026-03-16 Author: InfoWorld
Threat actors are publishing clean extensions that later update to depend on hidden payload packages, bypassing marketplace checks and silently installing malware onto developers’ systems. Threat actors are abusing extension dependency relationships in the Open VSX registry to indirectly deliver malware in a new phase of the GlassWorm supply-chain campaign.
LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Date: 2026-03-17 Author: Bleeping Computer
The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript. The attacker is using the legitimate Deno to decode and execute a malicious payload directly into system memory, minimizing forensic evidence on the disk and lowering the chance of detection.

ASB-2026.0059 – GNU InetUtils telnetd: CVSS (Max): 9.8
A critical (CVSS 9.8) vulnerability in GNU InetUtils telnetd has been disclosed that allows unauthenticated remote code execution as root via a buffer overflow.

ESB-2026.2593 – FreeRDP: CVSS (Max): 9.8
Multiple vulnerabilities in FreeRDP (CVE-2026-27951 and others) have been identified, caused by improper handling of RDP packets. These flaws could allow a remote attacker to crash the client (denial of service) or potentially execute arbitrary code.

ESB-2026.2567 – Splunk Universal Forwarder: CVSS (Max): 9.8
This bulletin addresses multiple high-severity vulnerabilities in Splunk Universal Forwarder caused by outdated OpenSSL components, which could impact cryptographic security.

ESB-2026.2548 – CODESYS in Festo Automation Suite: CVSS (Max): 9.8
Multiple vulnerabilities have been reported in CODESYS within Festo Automation Suite (CVSS up to 9.8), including authentication bypass, weak/default security controls, path traversal, and improper access control. These flaws could allow unauthorized access, data exposure, and potential system compromise.

ESB-2026.2524 – Red Hat Insights Proxy: CVSS (Max): 8.1
This bulletin addresses multiple vulnerabilities in the Red Hat Insights proxy container image. These issues may impact security and privacy in environments using the proxy.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 13th March 2026

Greetings,

Salesforce customers are being urged to investigate their Experience Cloud configurations after a spike in data theft activity linked to the ShinyHunters cybercrime group. In recent alerts, Salesforce confirmed it is tracking an active campaign targeting public-facing Experience Cloud sites where guest user access has been misconfigured, potentially exposing more data than intended. According to reporting from IT Pro and BleepingComputer, attackers are not exploiting a flaw in Salesforce itself but are instead abusing overly permissive guest user profiles. These profiles are designed to allow unauthenticated visitors limited access to public content. When permissions are set too broadly, however, threat actors can directly query underlying CRM objects and extract sensitive information without logging in.

ShinyHunters has claimed responsibility for the ongoing campaign and alleges that hundreds of organisations have been affected, with stolen data often repurposed for follow-on phishing and voice-based social engineering attacks. Salesforce says the attackers are using a modified version of AuraInspector, an open-source tool originally developed to help administrators identify misconfigurations. In the wrong hands, this tooling has been adapted to automate large-scale scanning of Experience Cloud sites and harvest exposed data.

In response, Salesforce has published a detailed advisory outlining essential actions to reduce risk. These include auditing guest user permissions, applying the principle of least privilege, disabling unnecessary API access and closely monitoring for unusual activity.

Veeam warns of critical flaws exposing backup servers to RCE attacks
Date: 2026-03-12 Author: Bleeping Computer
[AUSCERT has contacted affected members where applicable]
Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities. VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures. Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

Critical Nginx UI flaw CVE-2026-27944 exposes server backups
Date: 2026-03-08 Author: Security Affairs
A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys. “The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header,” reads the advisory.

FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials
Date: 2026-03-10 Author: The Hacker News
Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks. The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.
‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload
Date: 2026-03-11 Author: Security Week
An ongoing campaign, probably originating from a Russian-speaking threat actor, uses social engineering to trick victims into downloading an ISO file from cloud storage services such as Dropbox. Once mounted, the ISO file seems to be a legitimate part of the system and can be directly accessed by the victim. Opening a file within it will trigger a chain that downloads malware, including a module that Aryaka, the firm that discovered it, has dubbed BlackSanta.

CISA Warns SolarWinds and Ivanti Vulnerabilities Are Actively Exploited
Date: 2026-03-10 Author: Security Boulevard
Organizations often prioritize patching vulnerabilities based on severity scores, assuming that lower-rated issues pose limited risk. In practice, attackers frequently exploit vulnerabilities that remain unpatched in real environments, regardless of their official severity rating. New reporting from The Hacker News highlights that the Cybersecurity and Infrastructure Security Agency (CISA) has added multiple vulnerabilities affecting products from SolarWinds, Ivanti, and other vendors to its Known Exploited Vulnerabilities (KEV) catalog, confirming that these flaws are actively being abused in the wild.

Hackers abuse .arpa DNS and IPv6 to evade phishing defenses
Date: 2026-03-08 Author: Bleeping Computer
Threat actors are abusing the special-use ".arpa" domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways. The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.
ESB-2026.2410 – Splunk AppDynamics On-Premises Enterprise Console: CVSS (Max): 9.8
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics On-Premises Enterprise Console version 26.1.1 and higher.

ESB-2026.2399 – GitLab Community and Enterprise Edition: CVSS (Max): 8.7
GitLab releases fixes for vulnerabilities in patch releases, versions 18.9.2, 18.8.6, 18.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

ESB-2026.2395 – Cisco IOS XR Software: CVSS (Max): 8.8
Multiple vulnerabilities in Cisco IOS XR Software could allow an authenticated, local attacker to execute commands as root on an underlying operating system or gain full administrative control of an affected device.

ESB-2026.2330 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe has released updates for Adobe Experience Manager (AEM). This update resolves vulnerabilities rated important. Successful exploitation of these vulnerabilities could result in arbitrary code execution.

ESB-2026.2313 – Zoom: CVSS (Max): 9.6
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 6th March 2026

Greetings,

The Wikimedia Foundation moved quickly this week to contain a disruptive security incident after a self-propagating JavaScript worm began vandalising Wikipedia pages and altering user scripts across multiple projects. Editors first raised the alarm on Wikipedia’s Village Pump, reporting sudden waves of automated edits inserting hidden scripts and defacing random pages. In response, Wikimedia engineers temporarily restricted editing platform-wide while they investigated and began reverting malicious changes.

According to details logged in Wikimedia’s Phabricator tracker, the attack originated from a malicious script hosted on Russian Wikipedia. The file, User:Ololoshka562/test.js, was first uploaded in March 2024 and had been associated with earlier attempts to compromise wiki platforms. The worm appears to have been triggered when the script was executed in the browser of a Wikimedia employee account during routine testing of user-authored code. It remains unclear whether the execution was accidental, intentional, or the result of a compromised account.

BleepingComputer’s review of the archived script shows that the worm spread by injecting a JavaScript loader into both user-level and global configuration files. It modified the user common.js scripts and the global MediaWiki:Common.js, causing every visitor who loaded those files to unknowingly propagate the worm further. This allowed the malicious code to persist and attempt to rewrite scripts with the privileges of each infected account. Wikimedia engineers removed the malicious code and restored normal editing operations, although a detailed post-incident report has not yet been published.
Cisco warns of max severity Secure FMC flaws giving root access
Date: 2026-03-04 Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.2114/, https://portal.auscert.org.au/bulletins/ESB-2026.2104/]
Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection. Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.

ClawJacked attack let malicious websites hijack OpenClaw to steal data
Date: 2026-03-01 Author: Bleeping Computer
Security researchers have disclosed a high-severity vulnerability dubbed "ClawJacked" in the popular AI agent OpenClaw that allowed a malicious website to silently brute-force access to a locally running instance and take control over it. Oasis Security discovered the issue and reported it to OpenClaw, with a fix being released in version 2026.2.26 on February 26. OpenClaw is a self-hosted AI platform that has recently surged in popularity for enabling AI agents to autonomously send messages, execute commands, and manage tasks across multiple platforms.

New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel
Date: 2026-03-02 Author: The Hacker News
Cybersecurity researchers have disclosed details of a now-patched security flaw in Google Chrome that could have permitted attackers to escalate privileges and gain access to local files on the system. The vulnerability, tracked as CVE-2026-0628 (CVSS score: 8.8), has been described as a case of insufficient policy enforcement in the WebView tag. It was patched by Google in early January 2026 in version 143.0.7499.192/.193 for Windows/Mac and 143.0.7499.192 for Linux.

Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets
Date: 2026-03-03 Author: The Hacker News
Microsoft on Monday warned of phishing campaigns that use phishing emails and OAuth URL redirection mechanisms to bypass conventional email and browser defenses. The activity targets government and public-sector organizations, aiming to redirect victims to attacker-controlled infrastructure without stealing their tokens. The company described the attacks as an identity-based threat that abuses OAuth’s standard, by-design behavior rather than exploiting vulnerabilities or stealing credentials. This is achieved using a legitimate OAuth feature that allows IDPs to redirect to a landing page, typically in error scenarios or other defined flows.

CISA flags VMware Aria Operations RCE flaw as exploited in attacks
Date: 2026-03-03 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1808/]
CISA has added a VMware Aria Operations vulnerability tracked as CVE-2026-22719 to its Known Exploited Vulnerabilities catalog, flagging the flaw as exploited in attacks. Broadcom also warned that it is aware of reports indicating the vulnerability is exploited but says it cannot independently confirm the claims. The vulnerability was originally disclosed and patched on February 24, 2026, as part of VMware's VMSA-2026-0001 advisory, which was rated Important with a CVSS score of 8.1.

ESB-2026.2162 – Red Hat OpenShift AI (RHOAI): CVSS (Max): 9.8
Red Hat has disclosed multiple security vulnerabilities, including several critical CVEs. The update mitigates over 30 reported vulnerabilities affecting components within the OpenShift AI platform.
ESB-2026.2114 – Cisco Secure Firewall Management Center Software: CVSS (Max): 10.0
A critical vulnerability (CVE-2026-20079) in Cisco Secure Firewall Management Center could allow an unauthenticated remote attacker to bypass authentication and execute commands to gain root access.

ESB-2026.2037 – IBM MQ: CVSS (Max): 9.8
Multiple OpenSSL vulnerabilities affecting the Advanced Message Security (AMS) component of IBM MQ on IBM i could allow denial-of-service or potential code execution in certain scenarios.

ESB-2026.2024 – Google Android: CVSS (Max): 9.8
The March 2026 Android Security Bulletin addresses multiple vulnerabilities across Android components, including a critical flaw that could allow remote code execution without user interaction, with fixes included in devices running the 2026-03-05 security patch level or later.

ESB-2026.2004 – firefox-esr: CVSS (Max): 10.0
Multiple vulnerabilities in Mozilla Firefox ESR could allow attackers to execute arbitrary code, escape the sandbox, bypass same-origin policy protections, or disclose sensitive information, and have been fixed in firefox-esr version 140.8.0esr-1~deb11u1 for Debian 11.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 27th February 2026

Greetings,

Intelligence agencies across the Five Eyes alliance, made up of Australia, Canada, New Zealand, the United Kingdom and the United States, have issued an urgent joint warning following the discovery of a “highly sophisticated” cyber campaign targeting Cisco Catalyst SD-WAN controllers. According to the advisory, attackers have been actively exploiting a newly uncovered zero-day vulnerability, tracked as CVE-2026-20127, which carries the highest possible severity rating. The flaw allows unauthenticated remote actors to bypass authentication and gain administrative access to SD-WAN control systems, placing core network infrastructure at immediate risk.

Cisco Talos confirmed that the threat actor behind the campaign, identified as UAT-8616, paired the new zero-day with an older 2022 privilege escalation vulnerability (CVE-2022-20775) to achieve root-level access. Investigators found that the attackers leveraged deep protocol knowledge to infiltrate trusted network peers, insert rogue controllers, downgrade firmware to exploit the older flaw, then restore systems to cover their tracks. These techniques enabled persistent, stealthy access across critical infrastructure for nearly three years without detection.

U.S. cyber security officials have responded with an emergency directive, warning that the exploited vulnerabilities pose an imminent threat to federal agencies. Security experts note that the attack is particularly severe, as SD-WAN technology centralises routing, segmentation, encryption and policy enforcement into a single management plane, meaning that compromising one controller potentially grants influence over every connected branch. Investigators also report that the attackers systematically deleted logs and forensic artefacts, further complicating detection and response. Agencies across all Five Eyes nations are urging organisations to immediately apply Cisco’s security updates, conduct thorough threat hunting activities and validate the integrity of their SD-WAN environments.

Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Date: 2026-02-25 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1820/]
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.

Critical SolarWinds Serv-U flaws offer root access to servers
Date: 2026-02-24 Author: Bleeping Computer
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
Date: 2026-02-21 Author: Bleeping Computer
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks. A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.
Recent RoundCube Webmail Vulnerability Exploited in Attacks
Date: 2026-02-23 Author: Security Week
The US cybersecurity agency CISA on Friday warned of two RoundCube Webmail vulnerabilities being exploited in the wild. Prevalent within government and enterprise networks, RoundCube Webmail is a popular target for hackers, who have been observed exploiting flaws in the email client within days of public disclosure. This was the case in June last year with CVE-2025-49113 (CVSS score of 9.9), a post-authentication remote code execution (RCE) issue that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Friday.

VMware Aria Operations Vulnerability Could Allow Remote Code Execution
Date: 2026-02-24 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1808/]
Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws. The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.

ESB-2026.1820 – Cisco Catalyst SD-WAN
An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.

ESB-2026.1816 – firefox-esr
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, bypass of the same-origin policy, information disclosure or privilege escalation.

ESB-2026.1767 – InSAT MasterSCADA BUK-TS
Successful exploitation of these vulnerabilities may allow remote code execution.

ESB-2026.1808 – VMware Products
VMware Aria Operations contains a command injection vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 20th February 2026

Greetings,

Australian fintech platform YouX has confirmed a significant data breach after a hacker released sensitive information online, exposing the personal and financial details of hundreds of thousands of Australians. The Sydney based company, which provides technology for finance brokers and lenders to process loan applications, said it first became aware of a potential cyber incident last week. Subsequent investigations revealed that a threat actor had gained unauthorised access to its systems and published a large dataset claimed to have been stolen during the intrusion. According to early analysis, the exposed data includes up to 629,597 loan applications, 607,822 residential addresses and 444,538 sets of personal details, including names and phone numbers. The hacker also claims to have accessed 229,236 driver’s licences, as well as information belonging to 797 broker organisations and more than 90 downstream lenders, including major banks. In a public statement, YouX said it has notified the Office of the Australian Information Commissioner (OAIC) and begun regulatory notifications to affected individuals. The company has implemented enhanced security and monitoring measures while external cybersecurity specialists investigate the full scope of the incident. Separate cyber security reporting suggests the compromised database may have been left exposed for months, with the attacker obtaining approximately 141GB of highly sensitive material. The incident poses heightened risks of identity theft, financial fraud and sophisticated phishing attempts, given the volume and sensitivity of the leaked data.

Chrome 145 Patches 11 Vulnerabilities
Date: 2026-02-13 Author: Security Week
Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward.

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
Date: 2026-02-15 Author: The Hacker News
Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.

Microsoft says bug causes Copilot to summarize confidential emails
Date: 2026-02-18 Author: Bleeping Computer
Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.

API Threats Grow in Scale as AI Expands the Blast Radius
Date: 2026-02-17 Author: Security Week
Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces – often at scale and machine speed. AI is increasing the threat surface. In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related.

Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers
Date: 2026-02-16 Author: The Hacker News
A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson said. "The majority of the attacks allow the recovery of passwords."

ESB-2026.1677 – Inetutils
Kyu Neushwaistein discovered that telnetd in Inetutils incorrectly handled certain environment variables. A remote attacker could use this issue to bypass authentication and open a session as an administrator.

ESB-2026.1643 – Splunk Enterprise
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.3, 9.4.8, 9.3.9, 9.2.12, and higher.

ESB-2026.1590 – Tenable Security Center
A Command Injection vulnerability exists where an authenticated, remote attacker could execute arbitrary code on the underlying server where Tenable Security Center is hosted.

ESB-2026.1589 – Atlassian Products
The vulnerabilities reported in this Security Bulletin include 13 high-severity vulnerabilities and 3 critical-severity vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 13th February 2026

Greetings,

A critical security vulnerability has been uncovered in the WPvivid Backup & Migration plugin for WordPress, a tool installed on more than 900,000 websites to help with backups and migrations. The flaw, tracked as CVE-2026-1357 and rated with a CVSS score of 9.8, could allow attackers to execute arbitrary code on affected sites without needing to log in by simply uploading specially crafted files. According to WordPress security researchers, the bug stems from improper error handling during RSA decryption and inadequate sanitisation of uploaded filenames. When certain operations failed, the plugin passed flawed data to encryption routines, resulting in predictable keys that could be exploited. The lack of directory path validation further made it possible for malicious files to be written outside their intended locations, potentially giving attackers full control of a site’s code. Fortunately, the vulnerability only poses a critical risk when a specific “receive backup from another site” setting is enabled, which isn’t a default feature but is commonly used during migrations and other maintenance tasks. The plugin’s developers were alerted in January 2026 and released a fix in version 0.9.124 later that month. This update adds proper decryption checks and filename sanitisation, and restricts uploads to known safe backup types, such as ZIP and SQL files. Website owners using WPvivid Backup & Migration are strongly urged to update immediately to protect their installations from potential compromise.

BeyondTrust warns of critical RCE flaw in remote support software
Date: 2026-02-09 Author: Bleeping Computer
[AusCERT has informed the affected members via Critical MSINs]
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely. Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass
Date: 2026-02-10 Author: Cyber Press
[AUSCERT has contacted affected members where applicable]
A severe flaw in Gogs, a lightweight self-hosted Git service, allows attackers to run commands remotely and skip two-factor authentication. This critical issue affects many organizations using Gogs for private code hosting. Gogs versions up to 0.13.3 suffer from CVE-2025-64111, an OS command injection bug with a CVSS score of 9.3.

Apple fixes zero-day flaw used in 'extremely sophisticated' attacks
Date: 2026-02-11 Author: Bleeping Computer
[AUSCERT has published security bulletins for these Apple updates]
Apple has released security updates to fix a zero-day vulnerability that was exploited in an "extremely sophisticated attack" targeting specific individuals. Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Apple's security bulletin warns that an attacker with memory write capability may be able to execute arbitrary code on affected devices.

Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
Date: 2026-02-10 Author: Bleeping Computer
[AUSCERT has released security bulletins covering these patches]
Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses five "Critical" vulnerabilities, 3 of which are elevation of privileges flaws and 2 information disclosure flaws.

Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms
Date: 2026-02-11 Author: The Hacker News
It's Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services. Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.

ESB-2026.1203 – GitLab AI Gateway: CVSS (Max): 9.9
GitLab has released versions 18.6.2, 18.7.1, and 18.8.1 to address a critical insecure template expansion vulnerability affecting self-hosted GitLab Duo AI Gateway installations.

ESB-2026.1204 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has addressed a critical SQL injection vulnerability in FortiClientEMS that could allow an unauthenticated attacker to execute malicious SQL commands over the network. Users are advised to upgrade to FortiClientEMS 7.4.5 or later to mitigate the risk.

ESB-2026.1382 – Atlassian Products: CVSS (Max): 9.8
Atlassian has released fixes for 30 high-severity and 2 critical-severity vulnerabilities affecting multiple Data Center and Server products, including Bamboo, Bitbucket, Confluence, Crowd, Jira, and Jira Service Management.

ESB-2026.1413 – Prisma Access Browser: CVSS (Max): 9.8
Palo Alto Networks released specified patched Prisma Browser versions to address numerous CVEs including memory safety and implementation issues.

ESB-2026.1416 – Apple macOS Tahoe: CVSS (Max): 8.8*
Apple addresses vulnerabilities that could allow apps to access sensitive data, gain elevated privileges, or perform a denial-of-service attack in macOS Tahoe. Users should update to macOS Tahoe 26.3 or later to mitigate these issues and enhance overall system security.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


Week in review

AUSCERT Week in Review for 6th February 2026

Greetings,

Cyber security researchers have identified an active and sophisticated web traffic hijacking campaign that exploits the critical React2Shell vulnerability to silently intercept and redirect legitimate user traffic. Reported by Datadog Security Labs, the campaign demonstrates how a flaw in modern web application frameworks can be leveraged to compromise underlying infrastructure, transforming trusted websites into covert traffic relays for attackers. The activity centres on React2Shell, tracked as CVE-2025-55182 and assigned a maximum CVSS score of 10.0. The vulnerability allows unauthenticated remote code execution in React Server Components, enabling attackers to gain initial access with a single crafted request. Once inside, threat actors move beyond the application layer and target NGINX web servers, injecting malicious configuration directives that intercept inbound requests and proxy them through attacker-controlled systems before forwarding them to their original destinations. This approach makes detection particularly challenging, as websites often continue to function normally while user traffic is quietly exposed to monitoring or manipulation. Observed targets include sites using regional Asia-based top-level domains such as .in, .id, .bd, and .th, as well as government and education domains. The campaign is closely associated with hosting environments that rely on the Baota (BT) management panel and Chinese hosting infrastructure. Researchers also uncovered a modular, multi-stage toolkit designed to ensure persistence, enumerate common NGINX configurations, and generate reports on active traffic redirection rules. Intelligence from GreyNoise indicates that a small number of IP addresses account for a significant proportion of exploitation attempts, delivering payloads ranging from cryptominers to interactive reverse shells.

Ivanti’s EPMM is under active attack, thanks to two critical zero-days
Date: 2026-02-03 Author: CyberScoop
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls.

Critical n8n flaws disclosed along with public exploits
Date: 2026-02-04 Author: Bleeping Computer
Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server. Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server.

Exposed MongoDB instances still targeted in data extortion attacks
Date: 2026-02-01 Author: Bleeping Computer
A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data. The attacker focuses on the low-hanging fruit, databases that are insecure due to misconfiguration that permits access without restriction. Around 1,400 exposed servers have been compromised, and the ransom note demanded a ransom of about $500 in Bitcoin.

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
Date: 2026-02-03 Author: The Hacker News
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.

Popular text editor Notepad++ was hacked to drop malware
Date: 2026-02-03 Author: iTnews
Notepad++, a free open source text and code editor for the Windows operating system, suffered an "infrastructure-level compromise" last year by threat actors seeking to deliver malware to selected users. A post-mortem of the incident which started in June 2025, and which was reported to Notepad++ by security researchers, suggested the shared hosting server for the text editor was compromised until December 2 last year.

ESB-2026.1090 – Splunk SOAR: CVSS (Max): 9.1
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk SOAR version 7.1.0.

ESB-2026.1084 – Cisco Meeting Management: CVSS (Max): 8.8
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system.

ESB-2026.1074 – IBM Db2 Data Management Console: CVSS (Max): 7.5
Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.

ESB-2026.1072 – Tenable Identity Exposure: CVSS (Max): 7.5
Tenable Identity Exposure leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.

ESB-2026.1067 – Google Chrome: CVSS (Max): 8.8
This update includes 2 security fixes: High CVE-2026-1861: Heap buffer overflow in libvpx and High CVE-2026-1862: Type Confusion in V8.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
