Week in review

AUSCERT Week in Review for 15th May 2026

Greetings,

We are excited to announce the release of AUSCERT’s 2025 Year in Review. The report offers members a valuable snapshot of our work behind the scenes, highlighting the services we deliver and the many opportunities available to support their organisations. These achievements reflect our ongoing commitment to equipping our community with the tools, insights and support needed to confidently navigate an increasingly dynamic cyber security environment. You can read the full report here.

This week, Instructure, the parent company of Canvas, has allegedly paid the hackers responsible for disrupting online learning globally. The attack, attributed to the cybercriminal group ShinyHunters, involved the theft of vast amounts of data, including names, email addresses, student IDs and private messages exchanged on the platform. At least 120 Australian schools, universities and TAFEs were caught up in what has been described as one of the largest education data breaches globally. The disruption forced institutions to suspend access, extend deadlines and scramble for contingency plans as exams and assessments were impacted.

Hackers initially threatened to release the stolen data unless a ransom was paid, placing significant pressure on Instructure. The company later confirmed it had reached an “agreement” with the attackers, with reports indicating the data was returned and assurances provided that it would not be published, although experts caution that such guarantees cannot be verified. While this approach may have reduced immediate risk, cyber security specialists warn it could increase the likelihood of future attacks, particularly against essential digital services like education platforms.

SAP Patches Critical S/4HANA, Commerce Vulnerabilities
Date: 2026-05-12 Author: Security Week
The most severe of the resolved vulnerabilities are critical code injection issues in S/4HANA and Commerce that could allow attackers to leak data and execute arbitrary code. Both security defects have a CVSS score of 9.6. Tracked as CVE-2026-34260, the S/4HANA bug is described as an SQL injection issue stemming from missing input validation and sanitization.

Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
Date: 2026-05-12 Author: Bleeping Computer
[See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.5015/ https://portal.auscert.org.au/bulletins/ESB-2026.5016/]
Fortinet has released security updates to address two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code on unpatched systems. The first one, tracked as CVE-2026-44277, impacts the company's FortiAuthenticator Identity and Access Management (IAM) solution and was patched in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.

New critical Exim mailer flaw allows remote code execution
Date: 2026-05-13 Author: Bleeping Computer
[AUSCERT has contacted impacted members where applicable]
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during the TLS shutdown while handling BDAT chunked SMTP traffic.

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14 Author: Talos Intelligence
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5194/]
[AUSCERT has contacted affected members where applicable]
Talos is aware of the active, in-the-wild (ITW) exploitation of CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and Manager, which allows logging in to the affected system as an internal, high-privileged, non-root user account. Talos clusters the exploitation of this vulnerability and subsequent post-compromise activity under UAT-8616, which it assesses to be a highly sophisticated cyber threat actor.

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
Date: 2026-05-12 Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0102]
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.

Windows BitLocker zero-day gives access to protected drives, PoC released
Date: 2026-05-13 Author: Bleeping Computer
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. The researcher, known as Chaotic Eclipse or Nightmare Eclipse, describes the BitLocker bypass as functioning like a backdoor because the vulnerable component is present only in the Windows Recovery Environment (WinRE), which is used to repair boot-related issues in Windows.

ASB-2026.0099.2 – cPanel, WHM and WP2: CVSS (Max): 9.8
An authentication bypass security issue has been identified in the cPanel software (including DNSOnly) affecting all currently supported versions after 11.40.

ESB-2026.4894 – Thunderbird 140.10.2: CVSS (Max): 9.8
Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

ESB-2026.5018 – FortiOS: CVSS (Max): 8.3
An Out-Of-Bounds Write vulnerability [CWE-787] in the FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP, FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device.

ESB-2026.5030 – Adobe Connect: CVSS (Max): 9.6
Adobe has released a security update for Adobe Connect. This update resolves critical vulnerabilities that could lead to arbitrary code execution and privilege escalation.

ESB-2026.5095 – Palo Alto PAN-OS: CVSS (Max): 9.2
A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 8th May 2026

Greetings,

A major cyber incident affecting Canvas, one of the world’s most widely used education platforms, is continuing to evolve. New developments are highlighting both the scale of the exposure and an increasingly aggressive extortion campaign by the perpetrators.

Queensland’s Department of Education has confirmed that students and staff across the state are among those impacted by a global data breach involving Instructure’s Canvas learning management system, which supports the QLearn platform used in schools. Early advice indicates that students or staff who studied or worked in Queensland state schools since 2020 may have had personal information exposed, including names, email addresses and school locations. Authorities have stated that there is currently no evidence that passwords, financial data or government identifiers were accessed.

The incident forms part of a broader global compromise attributed to the ShinyHunters cybercriminal group, which claims to have exfiltrated large volumes of data from Canvas, potentially impacting more than 9,000 institutions and hundreds of millions of users worldwide. In addition to identifying information, the attackers claim to have obtained internal messages exchanged between students, teachers and staff, which could be leveraged in highly targeted phishing or social engineering attacks.

While Instructure has moved quickly to contain the breach and engage forensic experts, the situation escalated further this week. In a related development, ShinyHunters reportedly defaced Canvas login portals for approximately 300 education institutions, briefly replacing them with ransom messages threatening to publish the stolen data by May 12 if demands are not met. As investigations continue, government agencies and affected institutions are urging vigilance, particularly around unsolicited communications and phishing attempts, while the broader sector grapples with the implications of a breach that has quickly become both a global data privacy incident and an unfolding cyber extortion case.

Palo Alto warns of critical software bug used in firewall attacks
Date: 2026-05-07 Author: The Record
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.4671.2/]
[AUSCERT has contacted affected members where applicable]
Hackers are exploiting a new vulnerability in software from Palo Alto Networks, the company said in an advisory on Wednesday. The bug is tracked as CVE-2026-0300 and carries a severity score of 9.3 out of 10, indicating a critical issue. A patch has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.

Critical vm2 sandbox bug lets attackers execute code on hosts
Date: 2026-05-06 Author: Bleeping Computer
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published.

Qld gov says students, staff caught in Canvas cyber incident
Date: 2026-05-07 Author: itnews
The Queensland government says that students and staff working or studying at state schools since 2020 may have been caught up in a breach of global education systems vendor Instructure. QLearn, the state's digital learning management platform, is backed by Instructure’s Canvas, which was recently targeted by a well-known threat group. A case study published by the vendor states that QLearn is used by “1264 K-12 schools, their 572,160 students [and by] 73,000-plus teaching staff.”

Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft
Date: 2026-05-05 Author: Security Week
Roughly 300,000 Ollama deployments are prone to sensitive information theft through a remotely exploitable, unauthenticated critical vulnerability, Cyera warns. Ollama is an open source solution for running LLMs on local machines and is highly popular among organizations as a self-hosted AI inference engine. A heap out-of-bounds read issue in Ollama could be exploited to access sensitive information stored on the heap, including prompts, messages, and environment variables such as API keys, tokens, and secrets, Cyera says.

UAT-8302 and its box full of malware
Date: 2026-05-05 Author: Cisco Talos
Talos assesses with high confidence that UAT-8302 is a China-nexus advanced persistent threat (APT) group tasked primarily with obtaining and maintaining long-term access to government and related entities around the world. Post-compromise activity consisted of information collection, credential extraction, and proliferation using open-source tooling such as Impacket, proxying tools, and custom-built malware.

ESB-2026.4671.2 – Palo Alto PAN-OS: CVSS (Max): 9.3
Palo Alto Networks has disclosed a critical unauthenticated remote code execution vulnerability affecting the PAN-OS User-ID Authentication Portal (Captive Portal). The vulnerability is actively being exploited in the wild.

ESB-2026.4729 – Apache HTTP Server: CVSS (Max): 9.8
Ubuntu has released security updates for Apache HTTP Server addressing multiple vulnerabilities across supported Ubuntu releases, including denial-of-service, information disclosure, authentication bypass and potential remote code execution.

ESB-2026.4673 – IBM QRadar SIEM: CVSS (Max): 10.0
IBM has released security updates for the QRadar Investigation Assistant App addressing multiple third-party component vulnerabilities, including SSRF, remote code execution, prototype pollution, denial-of-service and path traversal.

ESB-2026.4586 – Linux: CVSS (Max): 9.8
Debian has released security updates for the Linux kernel in Debian 12 “bookworm” addressing a large number of vulnerabilities that could lead to privilege escalation, denial-of-service and information disclosure.

ESB-2026.4534 – Google Android: CVSS (Max): 8.8
Google’s May 2026 Android Security Bulletin addresses a critical vulnerability in the Android System component that could allow adjacent remote code execution as the shell user without user interaction.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 1st May 2026

Greetings,

Vimeo has confirmed that some customer and user data was exposed following a security breach at Anodot, a third party data anomaly detection provider used by the video platform. While Vimeo itself was not directly attacked, the incident highlights how vulnerabilities in external vendors can have impacts on major digital services.

According to Vimeo, the unauthorised access stemmed from the Anodot breach, where attackers stole authentication tokens and used them to access customer environments, particularly cloud data platforms such as Snowflake. In Vimeo’s case, the data accessed was largely technical in nature, including video titles and metadata. In some instances, customer email addresses were also exposed. Importantly, Vimeo stressed that no video content, user account passwords, or payment card information were compromised, and the platform’s services continued to operate normally throughout the incident.

The breach has been linked to the ShinyHunters extortion group, which has publicly claimed responsibility and threatened to release stolen data unless a ransom was paid. ShinyHunters has recently listed Vimeo on its extortion site, alleging access to company data and warning of potential further disruptions. However, the group did not disclose how much Vimeo data was taken, leaving the full scope of exposure unclear.

In response, Vimeo has disabled all Anodot credentials and removed the service’s integration from its systems. The company is working with third party security experts, has notified law enforcement, and says it will share further updates if new details emerge.

Linux cryptographic code flaw offers fast route to root
Date: 2026-04-30 Author: The Register
Developers of major Linux distributions have begun shipping patches to address a local privilege escalation (LPE) vulnerability arising from a logic flaw. The newly disclosed LPE, dubbed Copy Fail (CVE-2026-31431), comes from a vulnerability in the Linux kernel's authencesn cryptographic template. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root," the writeup from security biz Theori explains.

cPanel, WHM emergency update fixes critical auth bypass bug
Date: 2026-04-29 Author: Bleeping Computer
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0099/]
[AUSCERT has contacted affected members where applicable]
A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. The security issue, currently identified as CVE-2026-41940 and with a severity score of 9.8, has been addressed in an emergency update that requires running a command manually to retrieve a patched version of the software.

Chrome 147, Firefox 150 Security Updates Rolling Out
Date: 2026-04-29 Author: Security Week
Google and Mozilla on Tuesday announced fresh security updates for Chrome and Firefox users, addressing multiple memory safety vulnerabilities. The new Chrome 147 update is rolling out with 30 security fixes, including four for critical-severity use-after-free flaws reported by external researchers. Tracked as CVE-2026-7363, CVE-2026-7361, CVE-2026-7344, and CVE-2026-7343, the bugs impact the Canvas, iOS, Accessibility, and Views browser components.

Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
Date: 2026-04-28 Author: Bleeping Computer
Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. The flaw is an SQL injection issue that occurs during LiteLLM's proxy API key verification step. An attacker can exploit it without authentication by sending a specially crafted Authorization header to any LLM API route.

GitHub patches critical 'git push' remote code execution bug
Date: 2026-05-29 Author: iTnews
[AUSCERT has published a relevant security bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0098/]
Microsoft-owned open source code hosting platform GitHub has acknowledged and patched a critical vulnerability that allowed arbitrary remote code execution, following a report from Wiz researchers. The vulnerability is rated 8.7 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, and affected both GitHub.com and the self-hosted GitHub Enterprise Server (GHES).

ASB-2026.0099 – cPanel, WHM and WP2: CVSS (Max): 9.8
A critical authentication bypass in cPanel/WHM allows unauthenticated remote access to hosting control panels.

ASB-2026.0100 – Linux Kernel: CVSS (Max): 7.8
A logic flaw in the Linux kernel’s cryptographic interface allows any unprivileged local user to reliably modify protected files and escalate to root access on most Linux systems since 2017, requiring prompt kernel patching or module mitigation.

ESB-2026.4399 – NLTK: CVSS (Max): 10.0
A critical vulnerability in the NLTK library allows attackers to execute arbitrary code by tricking systems into opening a malicious zip file, requiring immediate package updates on affected Ubuntu systems.

ESB-2026.4368 – MozillaFirefox: CVSS (Max): 9.8
A security update for Mozilla Firefox (ESR 140.10.0) addresses 25 vulnerabilities, including critical memory safety and privilege escalation flaws, that could allow remote compromise.

ASB-2026.0098 – GitHub Enterprise Server: CVSS (Max): 8.7
A remote code execution vulnerability in GitHub Enterprise Server allows authenticated users with repository push access to run arbitrary commands on the server, requiring immediate upgrades to patched versions.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
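The LiteLLM item above and the S/4HANA SQL injection in the 15th May review above describe the same root cause: attacker-controlled text (here, the value of an Authorization header) reaching a database query without validation or parameter binding. What follows is an added example, not code from LiteLLM, SAP or AUSCERT. It is a hypothetical bearer-token verification routine written the vulnerable way and the fixed way, run against a constructed in-memory SQLite table; the table name, columns, token format, sample tokens and attacker headers are all assumptions made for illustration.

```python
"""Bearer-token lookup, vulnerable and fixed (added example, hypothetical code)."""
import re
import sqlite3

# Constructed sample table; the schema, token format and rows are assumptions
# made for this example and do not come from LiteLLM or SAP.
SAMPLE_KEYS = [
    ("sk-alice-0123456789abcdef0123", "alice", 100.0),
    ("sk-bob-0123456789abcdef01234", "bob", 10.0),
]

# Allowlist for what a real token may look like: no quotes, spaces or comments.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,128}$")


def make_db():
    """Create an in-memory key store populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT, spend_limit REAL)"
    )
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", SAMPLE_KEYS)
    return conn


def parse_bearer(header):
    """Return the token from an 'Authorization: Bearer <token>' value, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_key_vulnerable(conn, header):
    """Pre-auth SQLi: the header text is spliced straight into the SQL string."""
    token = parse_bearer(header)
    if token is None:
        return None
    query = f"SELECT owner FROM api_keys WHERE token = '{token}'"
    row = conn.execute(query).fetchone()  # whatever SQL the client wrote runs here
    return row[0] if row else None


def verify_key_fixed(conn, header):
    """Same lookup with an allowlist check and a bound parameter."""
    token = parse_bearer(header)
    if token is None or not TOKEN_RE.fullmatch(token):
        return None
    row = conn.execute(
        "SELECT owner FROM api_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


# Constructed attacker headers: an auth bypass and a data-exfiltration payload.
BYPASS_HEADER = "Bearer ' OR '1'='1"
EXFIL_HEADER = "Bearer ' UNION SELECT token FROM api_keys WHERE owner='bob' --"


def demo():
    """Return what each verifier does with a real key and the two payloads."""
    conn = make_db()
    good = "Bearer " + SAMPLE_KEYS[0][0]
    return {
        "vulnerable": {
            "good": verify_key_vulnerable(conn, good),
            "bypass": verify_key_vulnerable(conn, BYPASS_HEADER),
            "exfil": verify_key_vulnerable(conn, EXFIL_HEADER),
        },
        "fixed": {
            "good": verify_key_fixed(conn, good),
            "bypass": verify_key_fixed(conn, BYPASS_HEADER),
            "exfil": verify_key_fixed(conn, EXFIL_HEADER),
        },
    }


if __name__ == "__main__":
    for variant, results in demo().items():
        for case, owner in results.items():
            print(f"{variant:10s} {case:7s} -> {owner!r}")
```

Running the file shows the vulnerable lookup accepting the `' OR '1'='1` header as a valid key and, with the UNION payload, returning another user's token through the `owner` column, which is the kind of sensitive-data theft the LiteLLM item describes; the fixed version returns None for both. The bound parameter is what actually closes the hole; the allowlist regex is defence in depth and corresponds to the "missing input validation and sanitization" wording in the S/4HANA advisory. Hashing tokens at rest would be a further hardening step not shown here.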

AUSCERT Week in Review for 24th April 2026

Greetings,

A new report has raised fresh questions about how safely powerful AI security tools are being distributed, after an unauthorised group reportedly gained access to Anthropic’s closely guarded frontier AI model, Mythos. According to a Bloomberg investigation cited by TechCrunch, members of a private online forum were able to access Mythos through the environment of a third party vendor that works with Anthropic. Mythos, announced only recently, is designed as an enterprise grade AI tool to discover software vulnerabilities and develop exploits. Anthropic has previously warned that, in the wrong hands, the technology could just as easily be used to rapidly exploit information systems on a huge scale.

The group is said to have obtained access on the same day Mythos was publicly revealed, apparently by making an educated guess about where the model was hosted online based on Anthropic’s past release patterns. Bloomberg reports that the individuals involved provided evidence of their access, including screenshots and a live demonstration of the software, and have been using the tool regularly since then. The source described the group as curious experimenters rather than malicious actors, with a stated interest in exploring new models rather than causing harm.

Anthropic confirmed it is investigating the claims and said the access appears to have occurred through a third party vendor, not its own systems. The company added that it has found no evidence so far that its internal infrastructure has been compromised. Mythos was made available only to a select group of partners, including major technology companies, under an initiative called Project Glasswing. The limited rollout was intended to reduce the risk of misuse. If the report is accurate, it highlights how difficult it can be to fully contain advanced AI tools once they get released, even on a limited basis.

New npm supply-chain attack self-spreads to steal auth tokens
Date: 2026-04-22 Author: Bleeping Computer
A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. The threat was spotted by researchers at application security companies Socket and StepSecurity in multiple packages from Namastex Labs, a company that provides AI-based agentic solutions designed to improve profitability.

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Date: 2026-04-22 Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0097/]
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

Recently leaked Windows zero-days now exploited in attacks
Date: 2026-04-17 Author: Bleeping Computer
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. Since the start of the month, a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse" has published proof-of-concept exploit code for all three security issues in protest at how Microsoft's Security Response Center (MSRC) handled the disclosure process.

CISA flags Apache ActiveMQ flaw as actively exploited in attacks
Date: 2026-04-17 Author: Bleeping Computer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month is now actively exploited in attacks. Apache ActiveMQ is the most popular open-source Java-based message broker for asynchronous communication between applications. Tracked as CVE-2026-34197, the security flaw went undetected for 13 years and was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant.

Vercel's security breach started with malware disguised as Roblox cheats
Date: 2026-04-20 Author: CyberScoop
[AUSCERT has published a related security bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0068/]
Vercel customers are at risk of compromise after an attacker hopped through multiple internal systems to steal credentials and other sensitive data, the company said in a security bulletin Sunday. The attack, which didn’t originate at Vercel, showcases the pitfalls of interconnected cloud applications and SaaS integrations with overly privileged permissions.

ASB-2026.0080 – Oracle Fusion Middleware: CVSS (Max): 9.8
Multiple vulnerabilities have been identified in a number of Oracle products. This Critical Patch Update contains 59 new security patches, plus additional third party patches, for Oracle Fusion Middleware. 46 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

ASB-2026.0097 – ASP.NET Core 10.0: CVSS (Max): 9.1
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges (gain SYSTEM privileges) over a network.

ESB-2026.1817.2 – Cisco Catalyst SD-WAN: CVSS (Max): 9.8
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.

ESB-2026.4002.2 – Atlassian Products: CVSS (Max): 10
The vulnerabilities reported in this Security Bulletin include 31 high-severity vulnerabilities and 7 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.

ESB-2026.4105 – IBM WebSphere Application Server: CVSS (Max): 7.5
IBM WebSphere Application Server Liberty is affected by identity spoofing when the appSecurity feature (appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0, or appSecurity-5.0) is not enabled on the server.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 17th April 2026

Greetings,

A major data breach at global education publisher McGraw Hill has exposed the personal information of approximately 13.5 million users. The incident followed an extortion attempt by the ShinyHunters cybercrime group, which has since leaked more than 100GB of stolen data online.

According to McGraw Hill, attackers exploited a misconfiguration in a Salesforce hosted web environment used by the company, rather than gaining access to its core internal systems. The publisher stated that its primary customer databases, learning platforms and courseware were not compromised, and that the issue appears to be linked to a broader configuration problem affecting multiple Salesforce customers. While McGraw Hill described the exposed information as a “limited” data set, independent analysis by breach notification service Have I Been Pwned shows the leaked files contain 13.5 million unique email addresses, with some records also including names, phone numbers and physical addresses.

The attackers initially claimed to have accessed as many as 45 million records and threatened to release the data unless a ransom was paid. When negotiations appeared to fail, ShinyHunters followed through on its threat, publishing the information on its dark web leak site. Although no passwords, payment details or student academic records were reported among the exposed data, cyber security experts warn the information is still highly valuable to criminals. At this scale, even partial personal data can significantly increase the effectiveness of phishing, credential stuffing and other social engineering attacks.

The breach highlights the growing risks associated with third party cloud platforms and shared responsibility models. As organisations increasingly rely on SaaS environments such as Salesforce, small configuration errors can have outsized consequences, reinforcing the need for ongoing security monitoring, governance and independent validation of cloud deployments.

Critical flaw in wolfSSL library enables forged certificate use
Date: 2026-04-13 Author: Bleeping Computer
A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. Researchers warn that an attacker could exploit the issue to force a target device or application to accept forged certificates for malicious servers or connections.

Critical MCP Integration Flaw Puts NGINX at Risk
Date: 2026-04-16 Author: Dark Reading
Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers. The flaw, tracked as CVE-2026-33032 (CVSS 9.8), stems from nginx-ui's insecure implementation of the Model Context Protocol (MCP) and gives attackers a way to make unauthorized changes to NGINX server configurations with little or no authentication in some cases.

Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days
Date: 2026-04-14 Author: Bleeping Computer
[AUSCERT has published security bulletins for these Microsoft updates]
Today is Microsoft's April 2026 Patch Tuesday with security updates for 167 flaws, including 2 zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, 7 of which are remote code execution flaws and the other a denial of service flaw.

Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621
Date: 2026-04-12 Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3505/]
Adobe has released emergency updates to fix a critical security flaw in Acrobat Reader that has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2026-34621, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.

Fake Claude Website Distributes PlugX RAT
Date: 2026-04-13 Author: Security Week
A website posing as a legitimate Anthropic Claude domain was caught serving a remote access trojan to its visitors, Malwarebytes reports. Relying on Claude’s popularity, a threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM. The file contains an MSI installer that mimics the legitimate Anthropic installation chain and installs the real Claude application.

ASB-2026.0066 – Microsoft Office, Microsoft Office Services and Web Apps: CVSS (Max): 8.4
Microsoft urges immediate patching of 14 Office and SharePoint vulnerabilities, including multiple RCE and information disclosure flaws. CVE-2026-32201 (SharePoint spoofing) is actively exploited in the wild.

ESB-2026.3685 – Adobe Experience Manager: CVSS (Max): 9.8*
Adobe patched multiple vulnerabilities in AEM Screens, including critical flaws. Exploitation may allow remote code execution and privilege escalation.

ESB-2026.3724 – Fortinet FortiSandbox: CVSS (Max): 9.1
Fortinet patched a vulnerability affecting Fortinet products that may allow unauthorized access or code execution.

ESB-2026.3787 – Cisco Identity Services Engine: CVSS (Max): 9.9
Unauthenticated Remote Code Execution vulnerability in Cisco Identity Services Engine (ISE) allows attackers to execute arbitrary commands remotely.

ESB-2026.3801 – Splunk Operator for Kubernetes Add-on 3.1: CVSS (Max): 10.0
Splunk addresses critical fixes related to third-party package updates in Splunk Operator for Kubernetes. Users are advised to upgrade to version 3.1.0 or later to remediate the issues.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 10th April 2026

Greetings, Anthropic has announced that a preview version of its new frontier model, Claude Mythos, has already uncovered thousands of previously unknown, high severity vulnerabilities across major software platforms. The findings were revealed alongside the launch of Project Glasswing, a new initiative aimed at using advanced AI systems defensively to secure critical digital infrastructure. According to Anthropic, Claude Mythos demonstrated an exceptional ability to identify zero day flaws across every major operating system and web browser. Some discoveries included decades old bugs, such as a 27 year old vulnerability in OpenBSD and a 16 year old flaw in FFmpeg. In controlled evaluations, the model also autonomously chained together multiple vulnerabilities to escape application sandboxes and even solved complex corporate network attack simulations faster than seasoned human experts. These capabilities, however, come with serious implications. In one test, Mythos was able to follow researcher instructions to break out of a secured sandbox environment, gain internet access, and communicate externally—behaviour Anthropic described as a “potentially dangerous capability.” The company emphasised that such abilities were not explicitly trained, but emerged from broader improvements in the model’s reasoning, coding skill, and autonomy. To manage this risk, Anthropic is limiting access to Mythos Preview and partnering with a small group of major technology and security organisations, including AWS, Google, Microsoft, and the Linux Foundation. The company is also committing up to $100 million in usage credits and millions more in funding to support open source security efforts. Project Glasswing, Anthropic says, is an urgent effort to ensure powerful AI tools are used to fix vulnerabilities before similar capabilities are exploited by malicious actors. 
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Date: 2026-04-02 Author: The Hacker News
[Please see also AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.3189/ and https://portal.auscert.org.au/bulletins/ESB-2026.3199/]
[AusCERT has informed the affected members via Critical MSINs]
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.

Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
Date: 2026-04-07 Author: The Hacker News
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.

13-year-old bug in ActiveMQ lets hackers remotely execute commands
Date: 2026-04-08 Author: Bleeping Computer
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands. The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact. Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3.

IBM Identity and Verify Access Vulnerabilities Allow Remote Attacker to Access Sensitive Data
Date: 2026-04-08 Author: Cyber Security News
A critical security bulletin highlights multiple vulnerabilities in Verify Identity Access and Security Verify Access products. If left unpatched, these widespread security flaws could allow malicious actors to access sensitive information, escalate their system privileges, or cause a complete denial-of-service of the application. Organizations relying on these authentication platforms must take immediate action to patch their infrastructure. A standout issue in the latest security advisory revolves around how the platform handles web traffic.

Max severity Flowise RCE vulnerability now exploited in attacks
Date: 2026-04-07 Author: Bleeping Computer
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code. The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.

ESB-2026.3427 – Prisma Browser: CVSS (Max): 9.8
Palo Alto Networks has released a monthly Chromium security update addressing multiple vulnerabilities in Prisma Browser, including memory corruption, integer overflows, and use-after-free issues.

ESB-2026.3417 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5
GitLab has released patch versions 18.10.3, 18.9.5, and 18.8.9 addressing multiple security vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE), including issues such as improper access control, denial of service, cross-site scripting, and information disclosure.

ESB-2026.3354 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released an important security update for the govulncheck-vulndb package on openSUSE Leap 15.6. Several of the addressed vulnerabilities are rated High to Critical severity, with potential impacts including system compromise, data exposure, or denial of service.

ESB-2026.3319 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has disclosed a critical authentication and authorization bypass vulnerability in FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted API requests, resulting in privilege escalation.

ESB-2026.3276 – chromium: CVSS (Max): 9.6
Debian has released a security update for Chromium addressing multiple vulnerabilities that could lead to arbitrary code execution, denial of service, or information disclosure if exploited. One of the addressed CVEs, CVE-2026-5281, is on the CISA Known Exploited Vulnerabilities (KEV) list.

Stay safe, stay patched and have a good weekend!
The AUSCERT team

AUSCERT Week in Review for 27th March 2026

Greetings,

Crunchyroll has launched an investigation into a potential data breach after a hacker claimed to have accessed personal information linked to approximately 6.8 million users. The popular anime streaming platform confirmed it is working with external cyber security experts to assess the scope of the incident and determine what data, if any, was compromised. According to Crunchyroll, the investigation is ongoing and there is currently no evidence of active or continued unauthorised access to its systems. The claims emerged after a threat actor contacted cyber security publication BleepingComputer, alleging they gained access to Crunchyroll systems on March 12 by compromising the Okta single sign-on account of a customer support agent. The agent is believed to be employed by Telus International, a third-party business process outsourcing provider that handles Crunchyroll support tickets. The attacker claims malware was used to steal the agent’s login credentials, which then provided access to multiple internal platforms, including Zendesk, Slack and Google Workspace. Using this access, the hacker says they downloaded approximately eight million customer support ticket records from Crunchyroll’s Zendesk system, containing roughly 6.8 million unique email addresses. Sample data reportedly included user names, email addresses, IP addresses, general location data and the contents of support requests. While some reports suggested payment data may have been exposed, it was confirmed that credit card details only appeared in cases where users voluntarily included them in support tickets, and usually in a limited form. Crunchyroll says it believes the issue is limited to customer service data associated with the third-party vendor and continues to monitor the situation closely as its investigation progresses.
CVE-2026-3055: Critical Unauthenticated Memory-Read Vulnerability in Citrix NetScaler ADC and Gateway
Date: 2026-03-23 Author: Arctic Wolf
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.2769/]
On March 23, 2026, Citrix released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE-2026-3055) that allows unauthenticated threat actors to perform out-of-bounds memory reads. Exploitation of this vulnerability requires that the affected appliance be configured as a SAML Identity Provider (IDP).

TP-Link warns users to patch critical router auth bypass flaw
Date: 2026-03-25 Author: Bleeping Computer
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware. Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.

Popular LiteLLM PyPI package backdoored to steal credentials, auth tokens
Date: 2026-03-24 Author: Bleeping Computer
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI and claiming to have stolen data from hundreds of thousands of devices during the attack. LiteLLM is an open-source Python library that serves as a gateway to multiple large language model (LLM) providers via a single API. The package is very popular, with over 3.4 million downloads a day and over 95 million in the past month.

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets
Date: 2026-03-20 Author: The Hacker News
Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver malware that stole sensitive CI/CD secrets. The latest incident impacted the GitHub Actions "aquasecurity/trivy-action" and "aquasecurity/setup-trivy," which are used to scan Docker container images for vulnerabilities and to set up a GitHub Actions workflow with a specific version of the scanner, respectively.

Device Code Phishing Hits 340+ Microsoft 365 Orgs Across Five Countries via OAuth Abuse
Date: 2026-03-25 Author: The Hacker News
Cybersecurity researchers are calling attention to an active device code phishing campaign that's targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany. The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.

ESB-2026.2983 – firefox-esr
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape, information disclosure, denial of service or privilege escalation.

ESB-2026.2955 – Cisco Products
Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability.

ESB-2026.2769 – NetScaler ADC and NetScaler Gateway
Critical vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

ESB-2026.2906 – NGINX Products
This vulnerability allows a local, authenticated attacker to cause a denial-of-service (DoS) of the NGINX system or to possibly trigger a code execution.

Stay safe, stay patched and have a good weekend!
The AUSCERT team
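The trivy-action and setup-trivy compromise above worked because a workflow that references an action by tag runs whatever that tag points to today, and a tag can be moved. The following script, an added example that is not part of the AUSCERT newsletter nor Aqua's or GitHub's own tooling, audits a workflow file for `uses:` references that are not pinned to a full commit SHA; the sample workflow and the SHA in it are constructed for the example.

```python
import re

# Actions named in the article as hit by the tag hijack; the rest of this
# block is an added example, not AUSCERT's, Aqua's or GitHub's own code.
WATCHED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

# A `uses:` step, with or without a leading list dash or surrounding quotes.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
# Only a full 40-hex commit SHA is immutable; tags, branches and short SHAs can move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(yaml_text: str) -> list:
    """Return one finding per `uses:` reference not pinned to a full commit SHA.
    Local actions (./path) and docker:// images are skipped."""
    findings = []
    for m in USES_RE.finditer(yaml_text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.partition("@")
        if FULL_SHA_RE.match(version):
            continue
        findings.append({
            "line": yaml_text.count("\n", 0, m.start()) + 1,
            "action": action,
            "ref": version or "(no version)",
            # An unpinned reference to a known-hijacked upstream is urgent.
            "severity": "high" if action in WATCHED_ACTIONS else "medium",
        })
    return findings


# Constructed sample workflow; the SHA on the cache step is made up.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: actions/cache@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} unpinned ({f['severity']})")
```

The hardened form is `uses: owner/action@<full 40-character sha> # vX.Y.Z`, keeping the human-readable tag only as a comment so that a repointed tag upstream cannot change what the workflow executes.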
