Week in review

AUSCERT Week in Review for 27th February 2026

Greetings,

Intelligence agencies across the Five Eyes alliance, made up of Australia, Canada, New Zealand, the United Kingdom and the United States, have issued an urgent joint warning following the discovery of a “highly sophisticated” cyber campaign targeting Cisco Catalyst SD-WAN controllers. According to the advisory, attackers have been actively exploiting a newly uncovered zero-day vulnerability, tracked as CVE-2026-20127, which carries the highest possible severity rating. The flaw allows unauthenticated remote actors to bypass authentication and gain administrative access to SD-WAN control systems, placing core network infrastructure at immediate risk. Cisco Talos confirmed that the threat actor behind the campaign, identified as UAT-8616, paired the new zero-day with an older 2022 privilege escalation vulnerability (CVE-2022-20775) to achieve root-level access. Investigators found that the attackers leveraged deep protocol knowledge to infiltrate trusted network peers, insert rogue controllers, downgrade firmware to exploit the older flaw, then restore systems to cover their tracks. These techniques enabled persistent, stealthy access across critical infrastructure for nearly three years without detection. U.S. cyber security officials have responded with an emergency directive, warning that the exploited vulnerabilities pose an imminent threat to federal agencies. Security experts note that the attack is particularly severe, as SD-WAN technology centralises routing, segmentation, encryption and policy enforcement into a single management plane, meaning that compromising one controller potentially grants influence over every connected branch. Investigators also report that the attackers systematically deleted logs and forensic artefacts, further complicating detection and response.

Agencies across all Five Eyes nations are urging organisations to immediately apply Cisco’s security updates, conduct thorough threat hunting activities and validate the integrity of their SD-WAN environments.

Critical Cisco SD-WAN bug exploited in zero-day attacks since 2023
Date: 2026-02-25 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1820/]
Cisco is warning that a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127, was actively exploited in zero-day attacks that allowed remote attackers to compromise controllers and add malicious rogue peers to targeted networks. CVE-2026-20127 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) in on-prem and SD-WAN Cloud installations.

Critical SolarWinds Serv-U flaws offer root access to servers
Date: 2026-02-24 Author: Bleeping Computer
SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. Serv-U is the company's self-hosted Windows and Linux file transfer software that comes with both Managed File Transfer (MFT) and FTP server capabilities, enabling organizations to securely exchange files via FTP, FTPS, SFTP, and HTTP/S.

Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
Date: 2026-02-21 Author: Bleeping Computer
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks. A new report by CJ Moses, CISO of Amazon Integrated Security, says that the hacking campaign occurred between January 11 and February 18, 2026, and did not rely on any exploits to breach Fortinet firewalls.

Recent RoundCube Webmail Vulnerability Exploited in Attacks
Date: 2026-02-23 Author: Security Week
The US cybersecurity agency CISA on Friday warned of two RoundCube Webmail vulnerabilities being exploited in the wild. Prevalent within government and enterprise networks, RoundCube Webmail is a popular target for hackers, who have been observed exploiting flaws in the email client within days of public disclosure. This was the case in June last year with CVE-2025-49113 (CVSS score of 9.9), a post-authentication remote code execution (RCE) issue that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Friday.

VMware Aria Operations Vulnerability Could Allow Remote Code Execution
Date: 2026-02-24 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.1808/]
Broadcom has released patches for several vulnerabilities affecting VMware Aria Operations, including high-severity flaws. The most important of the newly patched vulnerabilities based on CVSS score (8.1) is CVE-2026-22719, a command injection issue that can be exploited by an unauthenticated attacker.

ESB-2026.1820 – Cisco Catalyst SD-WAN
An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.

ESB-2026.1816 – firefox-esr
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, bypass of the same-origin policy, information disclosure or privilege escalation.

ESB-2026.1767 – InSAT MasterSCADA BUK-TS
Successful exploitation of these vulnerabilities may allow remote code execution.

ESB-2026.1808 – VMware Products
VMware Aria Operations contains a command injection vulnerability. Broadcom has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 20th February 2026

Greetings,

Australian fintech platform YouX has confirmed a significant data breach after a hacker released sensitive information online, exposing the personal and financial details of hundreds of thousands of Australians. The Sydney-based company, which provides technology for finance brokers and lenders to process loan applications, said it first became aware of a potential cyber incident last week. Subsequent investigations revealed that a threat actor had gained unauthorised access to its systems and published a large dataset claimed to have been stolen during the intrusion. According to early analysis, the exposed data includes up to 629,597 loan applications, 607,822 residential addresses and 444,538 sets of personal details, including names and phone numbers. The hacker also claims to have accessed 229,236 driver’s licences, as well as information belonging to 797 broker organisations and more than 90 downstream lenders, including major banks. In a public statement, YouX said it has notified the Office of the Australian Information Commissioner (OAIC) and begun regulatory notifications to affected individuals. The company has implemented enhanced security and monitoring measures while external cybersecurity specialists investigate the full scope of the incident. Separate cyber security reporting suggests the compromised database may have been left exposed for months, with the attacker obtaining approximately 141GB of highly sensitive material. The incident poses heightened risks of identity theft, financial fraud and sophisticated phishing attempts, given the volume and sensitivity of the leaked data.

Chrome 145 Patches 11 Vulnerabilities
Date: 2026-02-13 Author: Security Week
Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward.

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging
Date: 2026-02-15 Author: The Hacker News
Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the "nslookup" (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows Run dialog.

Microsoft says bug causes Copilot to summarize confidential emails
Date: 2026-02-18 Author: Bleeping Computer
Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.

API Threats Grow in Scale as AI Expands the Blast Radius
Date: 2026-02-17 Author: Security Week
Application Programming Interfaces (APIs) remain an attacker-favored exploit route. Aggressors continuously target common failures in identity, access control and exposed interfaces, often at scale and machine speed. AI is increasing the threat surface. In an analysis of more than 60,000 published vulnerabilities disclosed in 2025, Wallarm found more than 11,000 (17%) were API-related. A concurrent analysis of CISA KEV Catalog additions for 2025 found 43% of exploited vulnerabilities were API-related.

Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers
Date: 2026-02-16 Author: The Hacker News
A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson said. "The majority of the attacks allow the recovery of passwords."

ESB-2026.1677 – Inetutils
Kyu Neushwaistein discovered that telnetd in Inetutils incorrectly handled certain environment variables. A remote attacker could use this issue to bypass authentication and open a session as an administrator.

ESB-2026.1643 – Splunk Enterprise
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.3, 9.4.8, 9.3.9, 9.2.12, and higher.

ESB-2026.1590 – Tenable Security Center
A Command Injection vulnerability exists where an authenticated, remote attacker could execute arbitrary code on the underlying server where Tenable Security Center is hosted.

ESB-2026.1589 – Atlassian Products
The vulnerabilities reported in this Security Bulletin include 13 high-severity vulnerabilities and 3 critical-severity vulnerabilities.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 13th February 2026

Greetings,

A critical security vulnerability has been uncovered in the WPvivid Backup & Migration plugin for WordPress, a tool installed on more than 900,000 websites to help with backups and migrations. The flaw, tracked as CVE-2026-1357 and rated with a CVSS score of 9.8, could allow attackers to execute arbitrary code on affected sites without needing to log in by simply uploading specially crafted files. According to WordPress security researchers, the bug stems from improper error handling during RSA decryption and inadequate sanitisation of uploaded filenames. When certain operations failed, the plugin passed flawed data to encryption routines, resulting in predictable keys that could be exploited. The lack of directory path validation further made it possible for malicious files to be written outside their intended locations, potentially giving attackers full control of a site’s code. Fortunately, the vulnerability only poses a critical risk when a specific “receive backup from another site” setting is enabled, which isn’t a default feature but is commonly used during migrations and other maintenance tasks. The plugin’s developers were alerted in January 2026 and released a fix in version 0.9.124 later that month. This update adds proper decryption checks and filename sanitisation, and restricts uploads to known safe backup types, such as ZIP and SQL files. Website owners using WPvivid Backup & Migration are strongly urged to update immediately to protect their installations from potential compromise.

BeyondTrust warns of critical RCE flaw in remote support software
Date: 2026-02-09 Author: Bleeping Computer
[AUSCERT has informed the affected members via Critical MSINs]
BeyondTrust warned customers to patch a critical security flaw in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow unauthenticated attackers to execute arbitrary code remotely. Tracked as CVE-2026-1731, this pre-authentication remote code execution vulnerability stems from an OS command injection weakness discovered by Harsh Jaiswal and the Hacktron AI team, and it affects BeyondTrust Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.

Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass
Date: 2026-02-10 Author: Cyber Press
[AUSCERT has contacted affected members where applicable]
A severe flaw in Gogs, a lightweight self-hosted Git service, allows attackers to run commands remotely and skip two-factor authentication. This critical issue affects many organizations using Gogs for private code hosting. Gogs versions up to 0.13.3 suffer from CVE-2025-64111, an OS command injection bug with a CVSS score of 9.3.

Apple fixes zero-day flaw used in 'extremely sophisticated' attacks
Date: 2026-02-11 Author: Bleeping Computer
[AUSCERT has published security bulletins for these Apple updates]
Apple has released security updates to fix a zero-day vulnerability that was exploited in an "extremely sophisticated attack" targeting specific individuals. Tracked as CVE-2026-20700, the flaw is an arbitrary code execution vulnerability in dyld, the Dynamic Link Editor used by Apple operating systems, including iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Apple's security bulletin warns that an attacker with memory write capability may be able to execute arbitrary code on affected devices.

Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
Date: 2026-02-10 Author: Bleeping Computer
[AUSCERT has released security bulletins covering these patches]
Today is Microsoft's February 2026 Patch Tuesday with security updates for 58 flaws, including 6 actively exploited and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday also addresses five "Critical" vulnerabilities, 3 of which are elevation of privilege flaws and 2 information disclosure flaws.

Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms
Date: 2026-02-11 Author: The Hacker News
It's Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services. Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.

ESB-2026.1203 – GitLab AI Gateway: CVSS (Max): 9.9
GitLab has released versions 18.6.2, 18.7.1, and 18.8.1 to address a critical insecure template expansion vulnerability affecting self-hosted GitLab Duo AI Gateway installations.

ESB-2026.1204 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has addressed a critical SQL injection vulnerability in FortiClientEMS that could allow an unauthenticated attacker to execute malicious SQL commands over the network. Users are advised to upgrade to FortiClientEMS 7.4.5 or later to mitigate the risk.

ESB-2026.1382 – Atlassian Products: CVSS (Max): 9.8
Atlassian has released fixes for 30 high-severity and 2 critical-severity vulnerabilities affecting multiple Data Center and Server products, including Bamboo, Bitbucket, Confluence, Crowd, Jira, and Jira Service Management.

ESB-2026.1413 – Prisma Access Browser: CVSS (Max): 9.8
Palo Alto Networks released specified patched Prisma Browser versions to address numerous CVEs including memory safety and implementation issues.

ESB-2026.1416 – Apple macOS Tahoe: CVSS (Max): 8.8*
Apple addresses vulnerabilities that could allow apps to access sensitive data, gain elevated privileges, or perform denial-of-service attacks in macOS Tahoe. Users should update to macOS Tahoe 26.3 or later to mitigate these issues and enhance overall system security.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 6th February 2026

Greetings,

Cyber security researchers have identified an active and sophisticated web traffic hijacking campaign that exploits the critical React2Shell vulnerability to silently intercept and redirect legitimate user traffic. Reported by Datadog Security Labs, the campaign demonstrates how a flaw in modern web application frameworks can be leveraged to compromise underlying infrastructure, transforming trusted websites into covert traffic relays for attackers. The activity centres on React2Shell, tracked as CVE-2025-55182 and assigned a maximum CVSS score of 10.0. The vulnerability allows unauthenticated remote code execution in React Server Components, enabling attackers to gain initial access with a single crafted request. Once inside, threat actors move beyond the application layer and target NGINX web servers, injecting malicious configuration directives that intercept inbound requests and proxy them through attacker-controlled systems before forwarding them to their original destinations. This approach makes detection particularly challenging, as websites often continue to function normally while user traffic is quietly exposed to monitoring or manipulation. Observed targets include sites using regional Asia-based top-level domains such as .in, .id, .bd, and .th, as well as government and education domains. The campaign is closely associated with hosting environments that rely on the Baota (BT) management panel and Chinese hosting infrastructure. Researchers also uncovered a modular, multi-stage toolkit designed to ensure persistence, enumerate common NGINX configurations, and generate reports on active traffic redirection rules. Intelligence from GreyNoise indicates that a small number of IP addresses account for a significant proportion of exploitation attempts, delivering payloads ranging from cryptominers to interactive reverse shells.
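Because the campaign's persistence lives in NGINX configuration rather than in the application, a defender can hunt for it by reading the configuration files themselves. The following added example (not code from the page, Datadog Security Labs or GreyNoise) scans an nginx configuration for proxy_pass directives whose target is neither a declared upstream, a loopback/RFC 1918/link-local address, nor an allow-listed host, which is the shape an injected "relay then forward" rule takes. The sample configuration, the choice of which address ranges count as internal, and the documentation address 203.0.113.45 standing in for a relay are all constructed for the example.

```python
import ipaddress
import re
from typing import FrozenSet, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample nginx configuration (not taken from the page or any
# vendor report). The /checkout/ location imitates the kind of directive the
# campaign plants: requests leave the host for an outside relay before
# reaching their real destination. 203.0.113.45 is a documentation address
# used here as a stand-in for an attacker-controlled relay.
SAMPLE_CONF = """\
upstream app_backend {
    server 10.0.0.5:3000;
}
server {
    listen 80;
    server_name shop.example.test;
    location / {
        proxy_pass http://app_backend;
    }
    location /static/ {
        root /var/www/html;
    }
    location /checkout/ {
        proxy_pass http://203.0.113.45:8080;
    }
    location /internal/ {
        proxy_pass http://127.0.0.1:9000/;
    }
}
"""

# Address ranges this check treats as "inside": loopback, RFC 1918 and
# link-local, plus their IPv6 counterparts. Anything else is external unless
# explicitly allow-listed. Tune this list to the environment being reviewed.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    )
]

UPSTREAM_RE = re.compile(r"^\s*upstream\s+(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;")


def declared_upstreams(conf_text: str) -> Set[str]:
    """Collect the names declared with `upstream NAME { ... }` in the config."""
    names = set()
    for line in conf_text.splitlines():
        m = UPSTREAM_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def target_host(target: str) -> Optional[str]:
    """Host part of a proxy_pass target, or None when it cannot be resolved statically."""
    if "$" in target or "unix:" in target:
        return None  # variables and unix sockets need manual review; not handled here
    if "://" not in target:
        target = "http://" + target
    return urlsplit(target).hostname


def is_external(host: str, upstreams: Set[str], allowed: FrozenSet[str]) -> bool:
    """True when host is neither a declared upstream, allow-listed, nor an internal address."""
    if host in upstreams or host in allowed:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname not declared locally is treated as external
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_proxy_pass(
    conf_text: str, allowed: FrozenSet[str] = frozenset()
) -> List[Tuple[int, str]]:
    """Return (line number, target) for every proxy_pass that sends traffic off-host."""
    upstreams = declared_upstreams(conf_text)
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = PROXY_PASS_RE.match(line)
        if not m:
            continue
        host = target_host(m.group(1))
        if host is not None and is_external(host, upstreams, allowed):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, target in find_external_proxy_pass(SAMPLE_CONF):
        print(f"line {lineno}: proxy_pass {target} forwards traffic outside the host")
```

Run against a real deployment, the function would be applied to every file under the nginx configuration directory, including the `include`d site files the campaign's toolkit enumerates. A hit is a lead for review rather than proof of compromise: legitimate CDN or SaaS back-ends should be added to the allow-list, and targets built from variables are deliberately skipped so they can be checked by hand.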
Ivanti’s EPMM is under active attack, thanks to two critical zero-days
Date: 2026-02-03 Author: CyberScoop
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls.

Critical n8n flaws disclosed along with public exploits
Date: 2026-02-04 Author: Bleeping Computer
Multiple critical vulnerabilities in the popular n8n open-source workflow automation platform allow escaping the confines of the environment and taking complete control of the host server. Collectively tracked as CVE-2026-25049, the issues can be exploited by any authenticated user who can create or edit workflows on the platform to perform unrestricted remote code execution on the n8n server.

Exposed MongoDB instances still targeted in data extortion attacks
Date: 2026-02-01 Author: Bleeping Computer
A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data. The attacker focuses on the low-hanging fruit: databases that are insecure due to misconfiguration that permits access without restriction. Around 1,400 exposed servers have been compromised, and the ransom note demanded a ransom of about $500 in Bitcoin.

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package
Date: 2026-02-03 Author: The Hacker News
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary operating system commands on the underlying host. Details of the flaw were first documented by JFrog in November 2025.

Popular text editor Notepad++ was hacked to drop malware
Date: 2026-02-03 Author: iTnews
Notepad++, a free open source text and code editor for the Windows operating system, suffered an "infrastructure-level compromise" last year by threat actors seeking to deliver malware to selected users. A post-mortem of the incident, which started in June 2025 and which was reported to Notepad++ by security researchers, suggested the shared hosting server for the text editor was compromised until December 2 last year.

ESB-2026.1090 – Splunk SOAR: CVSS (Max): 9.1
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk SOAR version 7.1.0.

ESB-2026.1084 – Cisco Meeting Management: CVSS (Max): 8.8
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system.

ESB-2026.1074 – IBM Db2 Data Management Console: CVSS (Max): 7.5
Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially crafted TLS handshake records, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.

ESB-2026.1072 – Tenable Identity Exposure: CVSS (Max): 7.5
Tenable Identity Exposure leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.

ESB-2026.1067 – Google Chrome: CVSS (Max): 8.8
This update includes 2 security fixes: High CVE-2026-1861: Heap buffer overflow in libvpx and High CVE-2026-1862: Type Confusion in V8.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 30th January 2026

Greetings,

Yesterday was Privacy Awareness Day, which serves as an important reminder that protecting personal information is a shared responsibility for organisations, government agencies, and the broader community. In an environment where digital services, data collection, and emerging technologies are increasingly embedded in everyday life, strong privacy practices are essential to maintaining public trust and meeting legal obligations. The Office of the Australian Information Commissioner (OAIC) emphasises that privacy compliance is an ongoing commitment. Many organisations and Australian Government agencies are required to manage personal information in line with the Privacy Act 1988, ensuring information is collected lawfully, used transparently, stored securely, and disposed of appropriately when no longer needed. Embedding privacy by design into systems, policies, and processes helps reduce risk while demonstrating accountability and respect for individual rights. This year, the OAIC has reinforced these principles through increased regulatory focus, including the commencement of its first privacy compliance sweep. The initiative highlights the importance of clear, accessible privacy policies and transparency about how personal information is handled, particularly where information is collected directly from individuals. These activities reflect growing community expectations that organisations take privacy governance seriously and remain proactive in strengthening their practices. To support this, the OAIC provides a wide range of practical guidance for organisations and government agencies, covering areas such as privacy management frameworks, data breach preparedness, privacy impact assessments, and emerging issues like artificial intelligence. Privacy Awareness Day is an opportunity to revisit these resources, assess current practices, and reinforce a culture where privacy is treated as a core business priority rather than a compliance afterthought.

New sandbox escape flaw exposes n8n instances to RCE attacks
Date: 2026-01-28 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Two vulnerabilities in the n8n workflow automation platform could allow attackers to fully compromise affected instances, access sensitive data, and execute arbitrary code on the underlying host. Identified as CVE-2026-1470 and CVE-2026-0863, the vulnerabilities were discovered and reported by researchers at DevSecOps company JFrog.

SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
Date: 2026-01-28 Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.

Microsoft Patches Office Zero-Day Likely Exploited in Targeted Attacks
Date: 2026-01-27 Author: Security Week
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0039.2]
Microsoft has released patches for CVE-2026-21509, a newly disclosed Office zero-day vulnerability that can be exploited to bypass security features. The tech giant’s advisory for CVE-2026-21509 mentions that it’s aware of active exploitation. The vulnerability and the in-the-wild attacks were discovered by Microsoft’s own security researchers, but the company has yet to share any information on the malicious activity.

Cloudflare misconfiguration behind recent BGP route leak
Date: 2026-01-26 Author: Bleeping Computer
Cloudflare has shared more details about a recent 25-minute Border Gateway Protocol (BGP) route leak affecting IPv6 traffic, which caused measurable congestion, packet loss, and approximately 12 Gbps of dropped traffic. The BGP system helps route data across different networks, called autonomous systems (AS), that send it to its destination through smaller networks on the internet. The incident was caused by an accidental policy misconfiguration on a router and affected external networks beyond Cloudflare customers.

Fortinet blocks exploited FortiCloud SSO zero-day until patch is ready
Date: 2026-01-27 Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0770/]
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.

ESB-2026.0895 – openssl: CVSS (Max): 9.8
Red Hat has released an Important security update for OpenSSL on RHEL 9.2 Update Services for SAP Solutions, fixing two critical flaws that could lead to remote code execution or denial of service during CMS and PKCS#12 processing.

ESB-2026.0876 – Juniper Networks Session Smart Router (SSR): CVSS (Max): 9.8
Juniper Networks has released a Critical security update for Session Smart Router, addressing numerous high-severity vulnerabilities in bundled third-party components that could enable remote code execution, privilege escalation, or denial of service.

ESB-2026.0687 – inetutils: CVSS (Max): 9.8
Debian has issued an LTS security advisory for inetutils, fixing CVE-2026-24061, an authentication bypass in telnetd that could allow remote root access.

ESB-2026.0673 – MozillaFirefox: CVSS (Max): 9.8
SUSE has released an Important security update for Mozilla Firefox ESR, fixing 13 vulnerabilities, including multiple critical sandbox escapes and memory safety issues.

ASB-2026.0037.2 – telnetd: CVSS (Max): 9.8
A vulnerability for GNU InetUtils telnetd has been issued. CVE-2026-24061, now listed in CISA’s Known Exploited Vulnerabilities catalog, allows remote attackers to bypass authentication and gain root access.

Stay safe, stay patched and have a good weekend!
The AUSCERT team


AUSCERT Week in Review for 23rd January 2026

Greetings,

The ransomware group Everest is allegedly behind a major data breach affecting the popular sportswear company Under Armour, with about 72.7 million customer accounts compromised in an attack believed to have occurred in November 2025. The incident came to light after a member of the Everest group posted leaked files to a cybercrime forum on 18 January 2026, after the company did not pay an undisclosed ransom demand within 7 days. Under Armour has not publicly acknowledged or responded to the breach. The leaked data includes a significant amount of personal information such as names, email addresses, dates of birth, genders, geographic locations and detailed purchase histories. While credit card numbers do not appear to be included in this specific dump, the sheer volume of data, estimated at over 340GB, poses a severe risk for targeted phishing and identity theft. The breach has already been integrated into the "Have I Been Pwned" notification service to help users verify their exposure. Under Armour is likely to face regulatory scrutiny. Ransomware attacks remain a significant challenge for organisations worldwide, as threat actors continue to evolve their methods with increasing sophistication and boldness. This serves as a clear reminder for businesses to implement strong cyber security policies and procedures such as keeping systems updated and patched, remaining vigilant against suspicious emails and attachments, and proactively managing potential vulnerabilities.

Cisco fixed actively exploited Unified Communications zero-day
Date: 2026-01-21 Author: Security Affairs
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0554/]
Cisco patched a critical zero-day remote code execution flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), actively exploited in attacks. An unauthenticated, remote attacker can exploit the flaw to execute arbitrary commands on the underlying operating system of an affected device. The bug affected Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance.

Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
Date: 2026-01-17 Author: Security Affairs
A critical Modular DS WordPress flaw (CVE-2026-23550) is actively exploited, enabling unauthenticated privilege escalation. Threat actors are actively exploiting a critical Modular DS WordPress vulnerability tracked as CVE-2026-23550 (CVSS score of 10). Modular DS is a WordPress plugin with over 40,000 installs that helps manage multiple sites, enabling monitoring, updates, and remote administration.

Credential-stealing Chrome extensions target enterprise HR platforms
Date: 2026-01-17 Author: Bleeping Computer
Malicious Chrome extensions on the Chrome Web Store masquerading as productivity and security tools for enterprise HR and ERP platforms were discovered stealing authentication credentials or blocking management pages used to respond to security incidents. The campaign was discovered by cybersecurity firm Socket, which says it identified five Chrome extensions targeting Workday, NetSuite, and SAP SuccessFactors, collectively installed more than 2,300 times.

Attackers Abuse WSL2 to Operate Undetected on Windows Systems
Date: 2026-01-19 Author: GB Hackers
Windows Subsystem for Linux (WSL) has transformed the developer experience on Windows. However, it has also quietly created a powerful hiding place for attackers. With WSL2, Microsoft moved from lightweight translation to a whole virtual machine (VM) model. That architectural change gives adversaries a semi-isolated Linux environment running inside Hyper-V that is rarely monitored by traditional endpoint security tools.

Fortinet admins report patched FortiGate firewalls getting hacked
Date: 2026-01-21 Author: Bleeping Computer
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls. One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9. Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.

ESB-2026.0619 – Red Hat OpenShift GitOps v1.18.3: CVSS (Max): 9.1
Red Hat has released an Important security update for OpenShift GitOps v1.18.3, addressing multiple CVEs, bug fixes, and enhancements, with a post-upgrade audit recommended to review cross-namespace access permissions.

ESB-2026.0601 – Hubitat Elevation Hubs: CVSS (Max): 9.1
CISA has issued a Critical advisory for Hubitat Elevation Hubs, warning that CVE-2026-1201 allows authenticated attackers to bypass authorization and control devices beyond their permitted scope, with remediation available in firmware v2.4.2.157.

ASB-2026.0032 – Oracle Supply Chain: CVSS (Max): 9.8
Oracle has published multiple critical vulnerabilities in Oracle Agile PLM and AutoVue products, including unauthenticated remote exploits with CVSS scores up to 9.8.

ASB-2026.0020 – Oracle HealthCare Applications: CVSS (Max): 9.8
Oracle has identified multiple remotely exploitable vulnerabilities in Oracle Healthcare applications, including a critical unauthenticated flaw (CVSS 9.8) that could lead to full system compromise.

ESB-2026.0476 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released a moderate security update for govulncheck-vulndb on openSUSE Leap 15.6, updating the vulnerability database with new and revised Go CVE and GHSA mappings.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 16th January 2026

Greetings,

This week, Instagram confirmed it had resolved a password reset vulnerability and denied any breach of its systems, amid overlapping reports of a large dataset of Instagram user records circulating online. The social platform confirmed that a technical issue allowed third parties to trigger legitimate password reset email requests to certain users, prompting unexpected notifications. Meta, Instagram’s parent company, said it has since fixed that issue and emphasised in public statements that there was no breach of its internal systems and that users’ accounts remain secure. Recipients of unsolicited reset emails have been told they can safely ignore them unless they themselves initiated a request.

The timing of the password reset problem coincided with reports from cyber security firm Malwarebytes about a dataset allegedly containing information tied to roughly 17.5 million Instagram accounts being traded on hacker forums. That dataset reportedly included usernames, email addresses, phone numbers and other contact data. While Instagram has denied any new breach, outside researchers suggest the information being circulated appears to relate to older incidents, potentially scraping or re-publishing data from earlier API exposures rather than stemming from the recent vulnerability. Experts have stressed that even in the absence of a fresh breach, such information can be abused for phishing and social engineering campaigns, and they continue to urge users to maintain strong security measures like two-factor authentication.

Critical Apache Struts 2 Vulnerability Allows Attackers to Steal Sensitive Data
Date: 2026-01-12
Author: Cyber Express
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0204.2]
A newly disclosed vulnerability in Apache Struts 2’s XWork component poses a significant threat to Java web applications worldwide. The flaw, tracked as CVE-2025-68493 and rated as Important severity, could expose sensitive data and enable attackers to launch denial-of-service and server-side request forgery (SSRF) attacks if systems remain unpatched.

ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
Date: 2026-01-13
Author: The Hacker News
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.

Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Date: 2026-01-14
Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.0279/]
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.

Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions
Date: 2026-01-09
Author: The Hacker News
Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0. The vulnerability has been described as a case of remote code execution affecting LoadLibraryEX.

Browser-in-the-Browser phishing is on the rise: Here's how to spot it
Date: 2026-01-13
Author: Help Net Security
Browser-in-the-Browser (BitB) phishing attacks are on the rise, with attackers reviving and refining the technique to bypass user skepticism and traditional security controls. The technique is being used to target users of popular services and brands like Microsoft, Facebook, the Steam gaming platform, and others.

ASB-2026.0006 – AUSCERT: Microsoft Windows: CVSS (Max): 8.8
Microsoft has released its monthly security patch update for the month of January 2026. This update resolves 93 vulnerabilities across multiple products.

ESB-2026.0279 – Fortinet: Fortinet Products: CVSS (Max): 9.8
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.

ESB-2026.0312 – Adobe: Adobe ColdFusion: CVSS (Max): 9.8
Adobe has released security updates for ColdFusion versions 2025 and 2023. This dependency update resolves a critical vulnerability that could lead to arbitrary code execution.

ESB-2026.0361 – Juniper Networks: Juniper Junos OS Evolved: CVSS (Max): 7.8
A Use of Uninitialized Resource in the Linux kernel driver for Human Interface Devices (HID) in Junos OS Evolved allows a local low-privileged attacker to use a malicious input device to read information from the report buffer. This could be used to leak kernel memory, enabling the exploitation of additional vulnerabilities.

ESB-2026.0373 – Tenable: Tenable Nessus Agent: CVSS (Max): 8.8
A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges.

Stay safe, stay patched and have a good weekend! The AUSCERT team
