Week in review

AUSCERT Week in Review for 22nd May 2026

Greetings,

What a week it’s been! AUSCERT2026 delivered another standout chapter in Australia’s longest-running cyber security conference, bringing together practitioners, researchers, and leaders from across the globe for four days of learning, collaboration, and innovation on the Gold Coast. Celebrating its 25th year, this milestone event truly embodied its “Game On!” theme, highlighting the fast-paced, high-stakes nature of modern cyber defence and the teamwork required to succeed.

The week kicked off with an expansive lineup of hands-on tutorials and workshops, spanning everything from red teaming and threat hunting to governance, AI compliance, and cloud security. These sessions created an energised environment where attendees could dive deep into technical challenges, sharpen their capabilities, and exchange insights with peers and industry experts.

A highlight of the week was the keynote lineup, which once again brought big ideas and future-focused thinking to centre stage. Dr. Kawin Boonyapredee delivered a standout keynote on “Beyond Bits: Defending Data in the Quantum Age,” exploring the transformative impact of quantum computing and the urgent need to prepare cryptographic defences for the future. Meanwhile, the International CyberSecurity Challenge brought a global competitive edge to the conference, with teams from around the world competing in high-pressure scenarios that showcased emerging talent and reinforced the importance of collaboration on an international scale. This year saw Team Europe taking out the top spot, followed by Team USA and Team Oceania.

Beyond the formal sessions, AUSCERT2026 thrived on its strong sense of community. Networking events, which included the welcome reception and the 25th Anniversary Gala Dinner, offered invaluable opportunities to connect, reflect, and celebrate the industry’s progress together. AUSCERT2026 sparked conversations, developed skills, and built relationships that will continue to strengthen and evolve the cyber security landscape across Australia and beyond. Here’s to another year of pushing boundaries, fostering collaboration, and staying one step ahead, because in this arena, it’s always Game On.

Microsoft warns of Exchange zero-day flaw exploited in attacks
Date: 2026-05-15 Author: Bleeping Computer
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software.

Max-severity flaw in ChromaDB for AI apps allows server hijacking
Date: 2026-05-19 Author: Bleeping Computer
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it.

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
Date: 2026-05-17 Author: The Hacker News
[AUSCERT has published relevant security bulletins from individual vendors]
A newly disclosed security flaw impacting NGINX Plus and NGINX Open Source has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Hackers bypass SonicWall VPN MFA due to incomplete patching
Date: 2026-05-20 Author: Bleeping Computer
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. During the intrusions, the attackers took between 30 and 60 minutes to log in, perform network reconnaissance, test credential reuse on internal systems, and log out.

Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass
Date: 2026-05-20 Author: Security Week
Microsoft on Tuesday rolled out mitigations for YellowKey, a recently disclosed zero-day vulnerability leading to BitLocker bypass. The issue, now tracked as CVE-2026-45585 (CVSS score of 6.8), can be triggered by an attacker with physical access to a system by using a USB drive containing the publicly released YellowKey exploit code and rebooting the system into recovery mode.

ESB-2026.5308 – IBM MQ container software: CVSS (Max): 9.9*
Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. Among them: systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data.

ESB-2026.5387 – IBM MQ Agent: CVSS (Max): 10.0
Multiple vulnerabilities were addressed in IBM MQ Agent images. Among them: Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.11, there is no CSRF protection on the cache feature in authlib.integrations.starlette_client.OAuth. This vulnerability is fixed in 1.6.11.

ESB-2026.5403 – Mozilla Firefox: CVSS (Max): 9.8
Firefox 151 fixes multiple high-severity vulnerabilities, including sandbox escapes, memory safety bugs with potential for code execution due to memory corruption, and several same-origin policy bypasses in DOM and networking components. The update also addresses additional issues such as privilege escalation, spoofing, information disclosure, integer overflows, mitigation bypasses, and denial-of-service vulnerabilities across multiple browser components.

ESB-2026.5500 – Splunk: Splunk Enterprise CVSS (Max): 10.0
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.2.3, 10.0.6, 9.4.11, 9.3.12, and higher.

ESB-2026.5533 – Cisco Secure Workload: CVSS (Max): 10.0
A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
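The SonicWall item above describes a pattern that is visible in authentication logs: a burst of failed VPN logins from one source, then a success, then a logout 30 to 60 minutes later. The following is an added detection example, not code from AUSCERT, SonicWall or the original article. The log line format, field names (user=, src=), the failure threshold and the time window are all assumptions for the illustration; the sample lines are constructed, not real appliance output.

```python
"""Flag successful VPN logins that follow a burst of failures from the same source.

Added illustration; not SonicWall's log schema. Log format, thresholds and
sample data are assumptions constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumption: how far back failures are counted

# Constructed sample log lines (not real appliance output):
# <ISO timestamp> <event> [FAIL|OK] user=<name> src=<ip>
SAMPLE_LOG = """\
2026-05-18T02:00:05 vpn-login FAIL user=jsmith src=203.0.113.7
2026-05-18T02:00:09 vpn-login FAIL user=jsmith src=203.0.113.7
2026-05-18T02:00:14 vpn-login FAIL user=jsmith src=203.0.113.7
2026-05-18T02:00:18 vpn-login FAIL user=jsmith src=203.0.113.7
2026-05-18T02:00:22 vpn-login FAIL user=jsmith src=203.0.113.7
2026-05-18T02:00:31 vpn-login OK user=jsmith src=203.0.113.7
2026-05-18T02:35:02 vpn-logout user=jsmith src=203.0.113.7
2026-05-18T09:12:40 vpn-login FAIL user=mlee src=198.51.100.4
2026-05-18T09:12:55 vpn-login OK user=mlee src=198.51.100.4
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into timestamp, event, outcome and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event, "outcome": None}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            rec["outcome"] = field  # FAIL or OK
    return rec


def find_bruteforce_logins(log_text: str, threshold: int = FAIL_THRESHOLD,
                           window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per successful login preceded by >= threshold failures
    from the same source IP inside `window`; session length is filled in when
    a matching logout is seen later in the log."""
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    open_sessions = {}                 # (user, src) -> alert awaiting its logout
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src = rec.get("user"), rec.get("src")
        if rec["event"] == "vpn-login":
            fails = recent_fails[src]
            while fails and rec["ts"] - fails[0] > window:  # expire old failures
                fails.popleft()
            if rec["outcome"] == "FAIL":
                fails.append(rec["ts"])
            elif rec["outcome"] == "OK" and len(fails) >= threshold:
                alert = {"user": user, "src": src, "failures": len(fails),
                         "login": rec["ts"], "session_minutes": None}
                alerts.append(alert)
                open_sessions[(user, src)] = alert
                fails.clear()
        elif rec["event"] == "vpn-logout":
            alert = open_sessions.pop((user, src), None)
            if alert is not None:
                alert["session_minutes"] = (rec["ts"] - alert["login"]).total_seconds() / 60
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{a['user']} from {a['src']}: {a['failures']} failures before login, "
              f"session {a['session_minutes']:.1f} min")
```

The second user in the sample (one failure, then success) is not flagged, which is the point of the threshold: a single typo should not page anyone, while a short, dense burst followed by a success and a half-hour session is worth a ticket regardless of whether MFA appeared to pass.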


AUSCERT Week in Review for 15th May 2026

Greetings,

We are excited to announce the release of AUSCERT’s 2025 Year in Review. The report offers members a valuable snapshot of our work behind the scenes, highlighting the services we deliver and the many opportunities available to support their organisations. These achievements reflect our ongoing commitment to equipping our community with the tools, insights and support needed to confidently navigate an increasingly dynamic cyber security environment. You can read the full report here.

This week, Instructure, the parent company of Canvas, has allegedly paid the hackers responsible for disrupting online learning globally. The attack, attributed to the cybercriminal group ShinyHunters, involved the theft of vast amounts of data, including names, email addresses, student IDs and private messages exchanged on the platform. At least 120 Australian schools, universities and TAFEs were caught up in what has been described as one of the largest education data breaches globally. The disruption forced institutions to suspend access, extend deadlines and scramble for contingency plans as exams and assessments were impacted. Hackers initially threatened to release the stolen data unless a ransom was paid, placing significant pressure on Instructure. The company later confirmed it had reached an “agreement” with the attackers, with reports indicating the data was returned and assurances provided that it would not be published, although experts caution that such guarantees cannot be verified. While this approach may have reduced immediate risk, cyber security specialists warn it could increase the likelihood of future attacks, particularly against essential digital services like education platforms.

SAP Patches Critical S/4HANA, Commerce Vulnerabilities
Date: 2026-05-12 Author: Security Week
The most severe of the resolved vulnerabilities are critical code injection issues in S/4HANA and Commerce that could allow attackers to leak data and execute arbitrary code. Both security defects have a CVSS score of 9.6. Tracked as CVE-2026-34260, the S/4HANA bug is described as an SQL injection issue stemming from missing input validation and sanitization.

Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
Date: 2026-05-12 Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.5015/ https://portal.auscert.org.au/bulletins/ESB-2026.5016/]
Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems. The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.

New critical Exim mailer flaw allows remote code execution
Date: 2026-05-13 Author: Bleeping Computer
[AUSCERT has contacted impacted members where applicable]
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14 Author: Talos Intelligence
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5194/]
[AUSCERT has contacted affected members where applicable]
Talos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, which allows logging in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, which we assess is a highly sophisticated cyber threat actor.

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
Date: 2026-05-12 Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0102]
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.

Windows BitLocker zero-day gives access to protected drives, PoC released
Date: 2026-05-13 Author: Bleeping Computer
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. Known as Chaotic Eclipse or Nightmare Eclipse, the researcher describes the BitLocker bypass issue as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.

ASB-2026.0099.2 – cPanel, WHM and WP2: CVSS (Max): 9.8
An authentication bypass security issue has been identified in the cPanel software (including DNSOnly) affecting all currently supported versions after 11.40.

ESB-2026.4894 – Thunderbird 140.10.2: CVSS (Max): 9.8
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

ESB-2026.5018 – FortiOS: CVSS (Max): 8.3
An Out-Of-Bounds Write vulnerability [CWE-787] in the FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.

ESB-2026.5030 – Adobe Connect: CVSS (Max): 9.6
Adobe has released a security update for Adobe Connect. This update resolves critical vulnerabilities that could lead to arbitrary code execution and privilege escalation.

ESB-2026.5095 – Palo Alto PAN-OS: CVSS (Max): 9.2
A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 8th May 2026

Greetings,

A major cyber incident affecting Canvas, one of the world’s most widely used education platforms, is continuing to evolve. New developments are highlighting both the scale of the exposure and an increasingly aggressive extortion campaign by the perpetrators. Queensland’s Department of Education has confirmed that students and staff across the state are among those impacted by a global data breach involving Instructure’s Canvas learning management system, which supports the QLearn platform used in schools. Early advice indicates that students or staff who studied or worked in Queensland state schools since 2020 may have had personal information exposed, including names, email addresses and school locations. Authorities have stated that there is currently no evidence that passwords, financial data or government identifiers were accessed.

The incident forms part of a broader global compromise attributed to the ShinyHunters cybercriminal group, which claims to have exfiltrated large volumes of data from Canvas, potentially impacting more than 9,000 institutions and hundreds of millions of users worldwide. In addition to identifying information, the attackers claim to have obtained internal messages exchanged between students, teachers and staff, which could be leveraged in highly targeted phishing or social engineering attacks. While Instructure has moved quickly to contain the breach and engage forensic experts, the situation escalated further this week. In a related development, ShinyHunters reportedly defaced Canvas login portals for approximately 300 education institutions, briefly replacing them with ransom messages threatening to publish the stolen data by May 12 if demands are not met.

As investigations continue, government agencies and affected institutions are urging vigilance, particularly around unsolicited communications and phishing attempts, while the broader sector grapples with the implications of a breach that has quickly become both a global data privacy incident and an unfolding cyber extortion case.

Palo Alto warns of critical software bug used in firewall attacks
Date: 2026-05-07 Author: The Record
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.4671.2/]
[AUSCERT has contacted affected members where applicable]
Hackers are exploiting a new vulnerability in software from Palo Alto Networks, the company said in an advisory on Wednesday. The bug is tracked as CVE-2026-0300 and carries a severity score of 9.3 out of 10, indicating a critical issue. A patch has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.

Critical vm2 sandbox bug lets attackers execute code on hosts
Date: 2026-05-06 Author: Bleeping Computer
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.

Qld gov says students, staff caught in Canvas cyber incident
Date: 2026-05-07 Author: itnews
The Queensland government says that students and staff working or studying at state schools since 2020 may have been caught up in a breach of global education systems vendor, Instructure. QLearn, the state's digital learning management platform, is backed by Instructure’s Canvas, which was recently targeted by a well-known threat group. A case study published by the vendor states that QLearn is used by “1264 K-12 schools, their 572,160 students [and by] 73,000-plus teaching staff.”

Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft
Date: 2026-05-05 Author: Security Week
Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns. Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine. A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables, including API keys, tokens, and secrets, Cyera says.

UAT-8302 and its box full of malware
Date: 2026-05-05 Author: CISCO Talos
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world. Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.

ESB-2026.4671.2 – Palo Alto PAN-OS: CVSS (Max): 9.3
Palo Alto Networks has disclosed a critical unauthenticated remote code execution vulnerability affecting the PAN-OS User-ID Authentication Portal (Captive Portal). The vulnerability is actively being exploited in the wild.

ESB-2026.4729 – Apache HTTP Server: CVSS (Max): 9.8
Ubuntu has released security updates for Apache HTTP Server addressing multiple vulnerabilities across supported Ubuntu releases, including denial-of-service, information disclosure, authentication bypass and potential remote code execution.

ESB-2026.4673 – IBM QRadar SIEM: CVSS (Max): 10.0
IBM has released security updates for the QRadar Investigation Assistant App addressing multiple third-party component vulnerabilities, including SSRF, remote code execution, prototype pollution, denial-of-service and path traversal.

ESB-2026.4586 – Linux: CVSS (Max): 9.8
Debian has released security updates for the Linux kernel in Debian 12 “bookworm” addressing a large number of vulnerabilities that could lead to privilege escalation, denial-of-service and information disclosure.

ESB-2026.4534 – Google Android: CVSS (Max): 8.8
Google’s May 2026 Android Security Bulletin addresses a critical vulnerability in the Android System component that could allow adjacent remote code execution as the shell user without user interaction.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 1st May 2026

Greetings,

Vimeo has confirmed that some customer and user data was exposed following a security breach at Anodot, a third party data anomaly detection provider used by the video platform. While Vimeo itself was not directly attacked, the incident highlights how vulnerabilities in external vendors can have impacts on major digital services. According to Vimeo, the unauthorised access stemmed from the Anodot breach, where attackers stole authentication tokens and used them to access customer environments, particularly cloud data platforms such as Snowflake. In Vimeo’s case, the data accessed was largely technical in nature, including video titles and metadata. In some instances, customer email addresses were also exposed. Importantly, Vimeo stressed that no video content, user account passwords, or payment card information were compromised, and the platform’s services continued to operate normally throughout the incident.

The breach has been linked to the ShinyHunters extortion group, which has publicly claimed responsibility and threatened to release stolen data unless a ransom was paid. ShinyHunters has recently listed Vimeo on its extortion site, alleging access to company data and warning of potential further disruptions. However, the group did not disclose how much Vimeo data was taken, leaving the full scope of exposure unclear. In response, Vimeo has disabled all Anodot credentials and removed the service’s integration from its systems. The company is working with third party security experts, has notified law enforcement, and says it will share further updates if new details emerge.

Linux cryptographic code flaw offers fast route to root
Date: 2026-04-30 Author: The Register
Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains.

cPanel, WHM emergency update fixes critical auth bypass bug
Date: 2026-04-29 Author: Bleeping Computer
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0099/]
[AUSCERT has contacted affected members where applicable]
A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software.

Chrome 147, Firefox 150 Security Updates Rolling Out
Date: 2026-04-29 Author: Security Week
Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components.

Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
Date: 2026-04-28 Author: Bleeping Computer
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route.

GitHub patches critical 'git push' remote code execution bug
Date: 2026-05-29 Author: iTnews
[AUSCERT has published a relevant security bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0098/]
Microsoft-owned open source code hosting platform GitHub has acknowledged and patched a critical vulnerability that allowed arbitrary remote code execution, following a report from Wiz researchers. The vulnerability is rated 8.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, and affected both GitHub.com and the self-hosted GitHub Enterprise Server (GHES).

ASB-2026.0099 – cPanel, WHM and WP2: CVSS (Max): 9.8
A critical authentication bypass in cPanel/WHM allows unauthenticated remote access to hosting control panels.

ASB-2026.0100 – Linux Kernel: CVSS (Max): 7.8
A logic flaw in the Linux kernel’s cryptographic interface allows any unprivileged local user to reliably modify protected files and escalate to root access on most Linux systems since 2017, requiring prompt kernel patching or module mitigation.

ESB-2026.4399 – NLTK: CVSS (Max): 10.0
A critical vulnerability in the NLTK library allows attackers to execute arbitrary code by tricking systems into opening a malicious zip file, requiring immediate package updates on affected Ubuntu systems.

ESB-2026.4368 – MozillaFirefox: CVSS (Max): 9.8
A security update for Mozilla Firefox (ESR 140.10.0) addresses 25 vulnerabilities, including critical memory safety and privilege escalation flaws, that could allow remote compromise.

ASB-2026.0098 – GitHub Enterprise Server: CVSS (Max): 8.7
A remote code execution vulnerability in GitHub Enterprise Server allows authenticated users with repository push access to run arbitrary commands on the server, requiring immediate upgrades to patched versions.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
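The LiteLLM item above describes a pre-authentication SQL injection in an API key verification step, reached through the Authorization header. The following is an added example of that bug class, written for this page; it is not LiteLLM's code and makes no claim about how LiteLLM's query is built. The key table, the verify_key_vulnerable and verify_key_hardened helpers and the sample keys are constructed for the illustration. It puts the string-interpolated check beside the parameterised one so the difference in behaviour on a crafted header is visible.

```python
"""API-key verification by SQL lookup: interpolated (injectable) vs. parameterised.

Added illustration of the bug class only; NOT LiteLLM's code. Table layout,
helper names and sample keys are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed key table: one active key and one revoked key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("sk-valid-123", "alice", 1), ("sk-revoked-456", "bob", 0)],
    )
    return conn


def bearer_token(authorization_header: str) -> str:
    """Return the token after 'Bearer '; everything after the scheme is attacker-controlled."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported auth scheme")
    return token.strip()


def verify_key_vulnerable(conn: sqlite3.Connection, authorization_header: str):
    """The pattern to avoid: the header value is spliced into the SQL text.

    A token such as  ' OR '1'='1  turns the WHERE clause into
    token = '' OR '1'='1' AND active = 1, which matches every active key and
    returns the first owner without any valid key being presented.
    """
    token = bearer_token(authorization_header)
    sql = f"SELECT owner FROM api_keys WHERE token = '{token}' AND active = 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def verify_key_hardened(conn: sqlite3.Connection, authorization_header: str):
    """Parameterised query: the header value is bound as data, never parsed as SQL."""
    token = bearer_token(authorization_header)
    row = conn.execute(
        "SELECT owner FROM api_keys WHERE token = ? AND active = 1", (token,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    crafted = "Bearer ' OR '1'='1"  # constructed header carrying no real key
    print("vulnerable:", verify_key_vulnerable(db, crafted))  # alice
    print("hardened:  ", verify_key_hardened(db, crafted))    # None
```

The hardened version also rejects the revoked key and accepts the real one, so the fix costs nothing in legitimate behaviour. For a gateway that sits in front of paid model APIs, the key table is the crown jewels: the check that reads it should be parameterised, and the unauthenticated route that triggers it should be fuzzed with quote characters in the Authorization header as part of routine testing.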


AUSCERT Week in Review for 24th April 2026

Greetings,

A new report has raised fresh questions about how safely powerful AI security tools are being distributed, after an unauthorised group reportedly gained access to Anthropic’s closely guarded frontier AI model, Mythos. According to a Bloomberg investigation cited by TechCrunch, members of a private online forum were able to access Mythos through the environment of a third party vendor that works with Anthropic. Mythos, announced only recently, is designed as an enterprise grade AI tool to discover software vulnerabilities and develop exploits. Anthropic has previously warned that, in the wrong hands, the technology could just as easily be used to rapidly exploit information systems on a huge scale.

The group is said to have obtained access on the same day Mythos was publicly revealed, apparently by making an educated guess about where the model was hosted online based on Anthropic’s past release patterns. Bloomberg reports that the individuals involved provided evidence of their access, including screenshots and a live demonstration of the software, and have been using the tool regularly since then. The source described the group as curious experimenters rather than malicious actors, with a stated interest in exploring new models rather than causing harm. Anthropic confirmed it is investigating the claims and said the access appears to have occurred through a third party vendor, not its own systems. The company added that it has found no evidence so far that its internal infrastructure has been compromised. Mythos was made available only to a select group of partners, including major technology companies, under an initiative called Project Glasswing. The limited rollout was intended to reduce the risk of misuse. If the report is accurate, it highlights how difficult it can be to fully contain advanced AI tools once they get released, even on a limited basis.

New npm supply-chain attack self-spreads to steal auth tokens
Date: 2026-04-22 Author: Bleeping Computer
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve profitability.

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Date: 2026-04-22 Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0097/]
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

Recently leaked Windows zero-days now exploited in attacks
Date: 2026-04-17 Author: Bleeping Computer
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. Since the start of the month, a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse" has published proof-of-concept exploit code for all three security issues in protest at how Microsoft's Security Response Center (MSRC) handled the disclosure process.

CISA flags Apache ActiveMQ flaw as actively exploited in attacks
Date: 2026-04-17 Author: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month is now actively exploited in attacks. Apache ActiveMQ is the most popular open-source Java-based message broker for asynchronous communication between applications. Tracked as CVE-2026-34197, the security flaw has gone undetected for 13 years and was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant.

Vercel's security breach started with malware disguised as Roblox cheats
Date: 2026-04-20 Author: CyberScoop
[AUSCERT has published a related security bulletin https://portal.auscert.org.au/bulletins/ASB-2026.0068/]
Vercel customers are at risk of compromise after an attacker hopped through multiple internal systems to steal credentials and other sensitive data, the company said in a security bulletin Sunday. The attack, which didn’t originate at Vercel, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions.

ASB-2026.0080 – Oracle Fusion Middleware: CVSS (Max): 9.8
Multiple vulnerabilities have been identified in a number of Oracle products. This Critical Patch Update contains 59 new security patches, plus additional third party patches, for Oracle Fusion Middleware. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ASB-2026.0097 – ASP.NET Core 10.0: CVSS (Max): 9.1
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges (gain SYSTEM privileges) over a network.

ESB-2026.1817.2 – Cisco Catalyst SD-WAN: CVSS (Max): 9.8
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.

ESB-2026.4002.2 – Atlassian Products: CVSS (Max): 10
The vulnerabilities reported in this Security Bulletin include 31 high-severity vulnerabilities and 7 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.

ESB-2026.4105 – IBM WebSphere Application Server: CVSS (Max): 7.5
IBM WebSphere Application Server Liberty is affected by identity spoofing when the appSecurity feature (appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0) is not enabled on the server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 17th April 2026

Greetings,

A major data breach at global education publisher McGraw Hill has exposed the personal information of approximately 13.5 million users. The incident followed an extortion attempt by the ShinyHunters cybercrime group, which has since leaked more than 100GB of stolen data online.

According to McGraw Hill, attackers exploited a misconfiguration in a Salesforce-hosted web environment used by the company, rather than gaining access to its core internal systems. The publisher stated that its primary customer databases, learning platforms and courseware were not compromised, and that the issue appears to be linked to a broader configuration problem affecting multiple Salesforce customers.

While McGraw Hill described the exposed information as a “limited” data set, independent analysis by breach notification service Have I Been Pwned shows the leaked files contain 13.5 million unique email addresses, with some records also including names, phone numbers and physical addresses. The attackers initially claimed to have accessed as many as 45 million records and threatened to release the data unless a ransom was paid. When negotiations appeared to fail, ShinyHunters followed through on its threat, publishing the information on its dark web leak site.

Although no passwords, payment details or student academic records were reported among the exposed data, cyber security experts warn the information is still highly valuable to criminals. At this scale, even partial personal data can significantly increase the effectiveness of phishing, credential stuffing and other social engineering attacks.

The breach highlights the growing risks associated with third-party cloud platforms and shared responsibility models. As organisations increasingly rely on SaaS environments such as Salesforce, small configuration errors can have outsized consequences, reinforcing the need for ongoing security monitoring, governance and independent validation of cloud deployments.

Critical flaw in wolfSSL library enables forged certificate use
Date: 2026-04-13
Author: Bleeping Computer
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections.

Critical MCP Integration Flaw Puts NGINX at Risk
Date: 2026-04-16
Author: Dark Reading
Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers. The flaw, tracked as CVE-2026-33032 (CVSS: 9.8), stems from nginx-ui's insecure implementation of the Model Context Protocol (MCP) and gives attackers a way to make unauthorized changes to NGINX server configurations with little or no authentication in some cases.

Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
Date: 2026-04-14
Author: Bleeping Computer
[AUSCERT has published security bulletins for these Microsoft updates]
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 7 of which are remote code execution flaws and one of which is a denial-of-service flaw.

Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Date: 2026-04-12
Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3505/]
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.

Fake Claude Website Distributes PlugX RAT
Date: 2026-04-13
Author: Security Week
A website posing as a legitimate Anthropic Claude domain was caught serving a remote access trojan to its visitors, Malwarebytes reports. Relying on Claude’s popularity, a threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM. The file contains an MSI installer that mimics the legitimate Anthropic installation chain and installs the real Claude application.

ASB-2026.0066 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.4
Microsoft urges immediate patching of 14 Office and SharePoint vulnerabilities, including multiple RCE and information disclosure flaws. CVE-2026-32201 (SharePoint spoofing) is actively exploited in the wild.

ESB-2026.3685 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe patched multiple vulnerabilities in AEM Screens, including critical flaws. Exploitation may allow remote code execution and privilege escalation.

ESB-2026.3724 – Fortinet FortiSandbox: CVSS (Max): 9.1
Fortinet patched a vulnerability affecting Fortinet products that may allow unauthorized access or code execution.

ESB-2026.3787 – Cisco Identity Services Engine: CVSS (Max): 9.9
An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) allows attackers to execute arbitrary commands remotely.

ESB-2026.3801 – Splunk Operator for Kubernetes Add-on 3.1: CVSS (Max): 10.0
Splunk addresses critical fixes related to third-party package updates in Splunk Operator for Kubernetes. Users are advised to upgrade to version 3.1.0 or later to remediate the issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 10th April 2026

Greetings,

Anthropic has announced that a preview version of its new frontier model, Claude Mythos, has already uncovered thousands of previously unknown, high-severity vulnerabilities across major software platforms. The findings were revealed alongside the launch of Project Glasswing, a new initiative aimed at using advanced AI systems defensively to secure critical digital infrastructure.

According to Anthropic, Claude Mythos demonstrated an exceptional ability to identify zero-day flaws across every major operating system and web browser. Some discoveries included decades-old bugs, such as a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg. In controlled evaluations, the model also autonomously chained together multiple vulnerabilities to escape application sandboxes and even solved complex corporate network attack simulations faster than seasoned human experts.

These capabilities, however, come with serious implications. In one test, Mythos was able to follow researcher instructions to break out of a secured sandbox environment, gain internet access, and communicate externally, behaviour Anthropic described as a “potentially dangerous capability.” The company emphasised that such abilities were not explicitly trained, but emerged from broader improvements in the model’s reasoning, coding skill, and autonomy.

To manage this risk, Anthropic is limiting access to Mythos Preview and partnering with a small group of major technology and security organisations, including AWS, Google, Microsoft, and the Linux Foundation. The company is also committing up to $100 million in usage credits and millions more in funding to support open source security efforts. Project Glasswing, Anthropic says, is an urgent effort to ensure powerful AI tools are used to fix vulnerabilities before similar capabilities are exploited by malicious actors.

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Date: 2026-04-02
Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3189/ and https://portal.auscert.org.au/bulletins/ESB-2026.3199/]
[AusCERT has informed the affected members via Critical MSINs]
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
Date: 2026-04-07
Author: The Hacker News
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.

13-year-old bug in ActiveMQ lets hackers remotely execute commands
Date: 2026-04-08
Author: Bleeping Computer
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3.

IBM Identity and Verify Access Vulnerabilities Allow Remote Attacker to Access Sensitive Data
Date: 2026-04-08
Author: Cyber Security News
A critical security bulletin highlights multiple vulnerabilities in Verify Identity Access and Security Verify Access products. If left unpatched, these widespread security flaws could allow malicious actors to access sensitive information, escalate their system privileges, or cause a complete denial-of-service of the application. Organizations relying on these authentication platforms must take immediate action to patch their infrastructure. A standout issue in the latest security advisory revolves around how the platform handles web traffic.

Max-severity Flowise RCE vulnerability now exploited in attacks
Date: 2026-04-07
Author: Bleeping Computer
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code. The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.

ESB-2026.3427 – Prisma Browser: CVSS (Max): 9.8
Palo Alto Networks has released a monthly Chromium security update addressing multiple vulnerabilities in Prisma Browser, including memory corruption, integer overflows, and use-after-free issues.

ESB-2026.3417 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5
GitLab has released patch versions 18.10.3, 18.9.5, and 18.8.9 addressing multiple security vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE), including issues such as improper access control, denial of service, cross-site scripting, and information disclosure.

ESB-2026.3354 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released an important security update for the govulncheck-vulndb package on openSUSE Leap 15.6. Several vulnerabilities are rated High to Critical severity, with potential impacts including system compromise, data exposure, or denial of service.

ESB-2026.3319 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has disclosed a critical authentication and authorization bypass vulnerability in FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted API requests, resulting in privilege escalation.

ESB-2026.3276 – chromium: CVSS (Max): 9.6
Debian has released a security update for Chromium addressing multiple vulnerabilities that could lead to arbitrary code execution, denial of service, or information disclosure if exploited. A CVE (CVE-2026-5281) has been identified on the CISA Known Exploited Vulnerabilities (KEV) list.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
