Security Radar

Page 1 of 10 · 624 stories from the last 30 days across 19 trusted sources.

Actively exploited 19 actively exploited CVEs in current coverage

CVE-2026-10520
An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution
1storyEPSS 99%
CVE-2026-20253
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
6storiesEPSS 92%
CVE-2026-35273
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
2storiesEPSS 90%
CVE-2026-48907
A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.
1storyEPSS 80%
CVE-2026-50751
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
1storyEPSS 71%
CVE-2024-40766
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
1storyEPSS 16%

BleepingComputer 3h ago

Anthropic is testing desktop-like Claude Cowork for mobile

Anthropic appears to be testing Claude Cowork support on mobile, allowing you to manage long-running Claude tasks from your phone. [...]

BleepingComputer 4h ago

Poland busts SIM-swapping gang tied to millions in crypto theft

Authorities in Poland have arrested four members of an organized cybercrime group accused of breaching telecommunications partners and hijacking email accounts to carry out SIM-swapping attacks. [...]

Microsoft Security 4h ago

Photo ZIP campaign targeting hospitality industry delivers Node.js implant for persistent access

Microsoft Threat Intelligence identified an active multi-stage intrusion campaign targeting hospitality organizations in Europe and Asia. The campaign uses photo-themed ZIP archives and fake image shortcut files to deliver a persistent Node.js implant and evade detection. The ...

microsoft

Unit 42 4h ago

CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure

Government entities and critical infrastructure were targeted for espionage in SE Asia by attackers using a hybrid toolkit, including custom TinyRCT backdoor. The post CL-STA-1062 Targets Southeast Asian Governments and Critical Infrastructure appeared first on Unit 42.

apt

Dark Reading · CISA Alerts · Security Affairs · Help Net Security · The Hacker News · SecurityWeek · BleepingComputer7 stories

Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root

AICisco Unified CM SSRF flaw (CVE-2026-20230) actively exploited for webshell deployment after PoC release.

Open narrative →

vulnerabilityzero day Actively exploited · EPSS 34%

Show all coverage

Dark Reading4h agoIn Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
CISA Alerts14h agoCISA Adds Two Known Exploited Vulnerabilities to Catalog
Security Affairs1d agoCisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild
Help Net Security1d agoCisco Unified CM flaw actively exploited to drop webshells (CVE-2026-20230)
The Hacker News1d agoCisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
SecurityWeek1d agoHackers Exploiting Cisco Unified CM Vulnerability
BleepingComputer2d agoCisco Unified CM flaw CVE-2026-20230 now exploited in attacks

Dark Reading 5h ago

Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses

The FSB state-sponsored operation has gotten a lot better at loading its malware and hiding its servers.

malwareapt

Security Affairs · BleepingComputer · The Record3 stories

Tata Electronics confirms cyberattack as hackers leak data

AITata Electronics confirmed a cyberattack that leaked data, including alleged Apple and Tesla documents, but said operations were unaffected.

Open narrative →

data breach

Show all coverage

Security Affairs5h agoTata Electronics Confirms Data Breach After 630GB Leak Claim Targets Apple and Tesla
BleepingComputer2d agoTata Electronics confirms cyberattack as hackers leak data
The Record2d agoTata Electronics confirms cyberattack after alleged Apple, Tesla documents appear online

Dark Reading 6h ago

EdTech Attackers Shift From Schools to Their Software Suppliers

Educational institutions, the edtech companies they rely on, and, more concerningly, the challenges they pose for schools are the focus of the latest Reporters' Notebook video series.

CyberScoop 6h ago

FCC passes new cybersecurity rules for emergency systems, undersea cables

The new rules would overhaul national emergency systems to protect against hijacking and update federal security review rules for undersea cables providers The post FCC passes new cybersecurity rules for emergency systems, undersea cables appeared first on CyberScoop.

BleepingComputer 6h ago

Order-tracking app Shop abused to push callback phishing attacks

Threat actors are increasingly abusing Shop, the order-tracking app from Shopify, by adding fake purchase receipts in users' order histories to trick them into providing sensitive data or installing remote access software. [...]

phishing

Security Affairs · SecurityWeek2 stories

25-Year-Old Vulnerability Patched in Curl

AICurl patched 18 vulnerabilities, including a 25-year-old bug, addressing auth bypass, memory safety, and host validation issues.

Open narrative →

vulnerability

Show all coverage

Security Affairs7h agoCurl Fixes a 25-Year-Old Bug in Its Largest CVE Release Yet
SecurityWeek17h ago25-Year-Old Vulnerability Patched in Curl

Dark Reading 7h ago

Local Police Collusion Hampers Crackdown on Asian Scam Centers

With tens of billions of dollars flowing into regional economies from cybercrime, scam centers continue to flourish, despite international and law-enforcement efforts.

The Record 7h ago

DHS chief says president has met with potential CISA nominee; agency plans to hire 600

Once a new CISA director is in place, the agency will ramp up hiring efforts, Homeland Security Markwayne Mullin told lawmakers. The White House has not yet announced a nominee.

BleepingComputer 8h ago

Microsoft quietly extends free Windows 10 ESU support to October 2027

Microsoft has quietly extended its free Windows 10 Extended Security Updates (ESU) program for consumers by an additional year, allowing enrolled devices to continue receiving security updates until October 12, 2027. [...]

microsoft

Cisco Talos 8h ago

Beyond IOCs: AI-enabled threat intelligence

In this week’s newsletter, Martin considers how AI will help threat intelligence by creating an easily queryable data source of intelligence reports.

Schneier on Security 9h ago

AI and Liability

Earlier this month, a German court ruled that Google is liable for its AI search summaries. Rejecting defenses like “users can check for themselves,” and that they generally know “that information generated with AI should not be blindly trusted,” the court held that the AI’s s...

BleepingComputer 10h ago

New macOS malware embeds fake errors to confuse AI analysis tools

A newly discovered macOS malware dubbed "Gaslight" is designed to confuse AI-assisted malware analysis tools by hiding prompt injection strings and fake debugging data within the executable. [...]

malware

CyberScoop 10h ago

Federal court rules Trump election-focused executive order illegal

Provisions setting up federal voter lists for each state and restricting mail ballots through USPS were declared unconstitutional. The post Federal court rules Trump election-focused executive order illegal appeared first on CyberScoop.

Microsoft Security 10h ago

Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms

Microsoft named a Leader in the Forrester Wave™: Endpoint Management Platforms, Q2 2026, with the highest scores in the current offering and strategy categories. The post Microsoft a Leader in The Forrester Wave™ for Endpoint Management Platforms appeared first on Microsoft Se...

microsoft

BleepingComputer 11h ago

PirloTV sports piracy network disrupted as 44 domains seized

A major sports piracy ring linked to the illegal PirloTV streaming platform has been disrupted in an action that targeted 44 domains. [...]