Adobe’s latest Patch Tuesday fixes 55 vulnerabilities across 11 products, including critical code-execution bugs in Acrobat Reader, ColdFusion, and multiple Creative Cloud apps. ColdFusion receives a priority-1 advisory for five critical flaws that have been exploited in the past, while Adobe reports no known in-the-wild exploitation for the newly patched issues;…
Category: Cyber Security News
Microsoft’s April 2026 Patch Tuesday fixes 165 vulnerabilities, including a SharePoint Server zero-day tracked as CVE-2026-32201 that has been exploited in the wild. CVE-2026-32201 is an ‘important’ spoofing flaw (CVSS 6.5) added to CISA’s KEV with a federal patch deadline of April 28, and 19 other bugs were flagged as “exploitation…
McGraw-Hill says unauthorized access to a limited webpage hosted on Salesforce resulted from a Salesforce platform misconfiguration, but its Salesforce accounts, customer databases, courseware, and internal systems were not accessed. The company reports the exposed data was limited and non-sensitive, is working with Salesforce and external experts after extortion claims, and faces public pressure from threat actor ShinyHunters. #McGrawHill #ShinyHunters
Microsoft released the Windows 10 KB5082200 extended security update to address the April 2026 Patch Tuesday fixes, patching 167 vulnerabilities including two zero-day flaws and updating builds to 19045.7184 (19044.7184 for LTSC 2021). The update adds Remote Desktop .rdp phishing protections, Secure Boot dynamic status reporting and a phased rollout of new Secure Boot certificates, and is available via Windows Update for Enterprise LTSC and ESU-enrolled devices. #KB5082200 #Windows10
Mirax, a nascent Android remote access trojan, is being spread via Meta ads that lure Spanish-speaking users to dropper pages masquerading as streaming services and has reached over 220,000 accounts. It couples full RAT functionality with a SOCKS5 residential proxy using Yamux multiplexing to enable real-time device control, credential theft via…
Researchers revealed Pushpaganda, a novel ad-fraud campaign that uses search engine poisoning and AI-generated news to push deceptive stories into Google Discover and trick users into enabling persistent browser push notifications that deliver scareware and financial scams. The operation generated roughly 240 million bid requests tied to 113 domains in one…
Google has integrated a Rust-based DNS parser into Pixel modem firmware to reduce memory-safety vulnerabilities and harden the cellular baseband, starting with the Pixel 10. The implementation adapts the hickory-proto crate for embedded use, uses cargo-gnaw to manage dependencies, and complements prior mitigations to address issues like CVE-2024-27227. #Pixel10 #CVE-2024-27227…
Russia’s internet regulator Roskomnadzor reportedly added the decentralized social network Bluesky to its registry of banned websites, the latest step in a widening crackdown on foreign online services. The block comes amid broader restrictions on Telegram, WhatsApp and other platforms, continued use of VPNs to bypass controls, and intermittent mobile internet…
Stolen credentials accounted for 22% of known initial access vectors in 2025 and remain the most common way attackers breach networks. Identity-centric Zero Trust—enforcing least privilege, continuous context-aware authentication, device trust, granular segmentation, and centralized governance—limits escalation and lateral movement, reducing breach impact. #Specops #ActiveDirectory
SAP released 20 security notes in its April 2026 patch day, including a critical CVE-2026-27681 SQL injection in Business Planning and Consolidation and Business Warehouse that can lead to arbitrary code execution. A separate high-severity missing authorization (CVE-2026-34256) affects ERP and S/4 HANA, and numerous medium- and low-severity fixes across BusinessObjects,…
Basic-Fit, Europe’s largest gym chain, disclosed a breach in which unauthorized access was detected and blocked within minutes. Personal details for roughly 1 million members — including names, contact details, dates of birth, and bank account information — were downloaded, with about 200,000 members in the Netherlands affected. #BasicFit #Netherlands…
Anthropic’s Claude Mythos collapses the time between vulnerability detection and exploitation, creating the potential for near-instantaneous, AI-powered attacks that defenders are currently ill-prepared for. The Cloud Security Alliance urges organizations to use Project Glasswing’s temporary restraint to harden basics—patching, segmentation, MFA, AI-driven defenses, and tabletop exercises—before Mythos-like capabilities proliferate. #ClaudeMythos #CloudSecurityAlliance…
A critical Remote Code Execution vulnerability in the Kali Forms WordPress plugin (all versions up to 2.4.9) was publicly disclosed and rapidly exploited in the wild, enabling unauthenticated attackers to run arbitrary PHP via manipulated form placeholders. The flaw originates in improper validation in prepare_post_data() that allows attacker-controlled values to reach…
New research from the Molly Rose Foundation and YouthInsight finds that over half of Australian children aged 12–15 continue to access restricted platforms such as TikTok, YouTube, and Instagram despite the country’s under-16 social media ban. The study highlights weak platform enforcement, widespread active underage accounts, and mixed impacts on safety,…
Goldman Sachs is taking a cautious, proactive stance toward Anthropic’s advanced AI model Mythos because of its ability to autonomously discover and exploit software vulnerabilities that could significantly disrupt financial systems. The bank is collaborating with Anthropic, cybersecurity partners, and other major firms through Project Glasswing to assess risks and strengthen…