Detecteam

82 posts

@DetecteamInc

Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months.

Seattle, joined June 2023
152 Following, 22 Followers

Detecteam retweeted
Hunt.io
Hunt.io@Huntio·
🚨 New APT37 Campaign Shows That Air-Gapped Systems Aren’t Untouchable cybersecuritynews.com/north-korean-a… North Korean group APT37 is running a new campaign, “Ruby Jumper,” built to reach air-gapped systems. The infection chain starts with a malicious LNK file and moves through custom loaders, using USB drives to bridge isolated machines. For teams relying on physical isolation, this is a reminder to revisit removable media controls and endpoint monitoring. #ThreatIntelligence #CyberSecurity #APT37

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 Palo Alto Networks Firewall Vulnerability Allows Attacker to Force Firewalls into a Reboot Loop Source: cybersecuritynews.com/palo-alto-netw… A critical denial-of-service (DoS) flaw in Palo Alto Networks’ PAN-OS software could let unauthenticated attackers crash firewalls into endless reboot cycles, potentially crippling enterprise networks. Dubbed CVE-2026-0229, the vulnerability lurks in the Advanced DNS Security (ADNS) feature. An attacker sends a maliciously crafted packet to trigger a system reboot. Repeated exploitation forces the firewall into maintenance mode, halting traffic inspection and exposing organizations to outages. Palo Alto Networks detailed the issue in a security advisory, confirming that it affects only specific PAN-OS versions when ADNS is enabled alongside a spyware profile set to block, sinkhole, or alert traffic. #cybersecuritynews #vulnerability

Detecteam retweeted
CISA Cyber
CISA Cyber@CISACyber·
🛡️ We added Microsoft vulnerability CVE-2024-43468, Notepad++ vulnerability CVE-2025-15556, SolarWinds vulnerability CVE-2025-40536, & Apple vulnerability CVE-2026-20700 to our KEV Catalog. Apply mitigations to protect your org from cyberattacks. go.dhs.gov/Z3Q

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 1,800 Windows Servers Compromised by BADIIS Malware in Large-Scale Cyberattack Source: cybersecuritynews.com/over-1800-wind… A sophisticated cyber campaign has compromised over 1,800 Windows servers globally, using a potent malware strain known as BADIIS. This operation targets Internet Information Services (IIS) environments, transforming legitimate infrastructure into a massive network for SEO poisoning. By hijacking these servers, threat actors manipulate search engine results to promote illicit gambling platforms and fraudulent cryptocurrency sites, effectively monetizing compromised systems while evading traditional security defenses. #cybersecuritynews

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 CISA Adds Six Microsoft 0-Day Flaws to KEV Catalog Following Active Exploitation Source: cybersecuritynews.com/microsoft-0-da… CISA has urgently expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six zero-day vulnerabilities, all affecting Microsoft products. This move underscores escalating threats from nation-state actors and cybercriminals actively exploiting these flaws in the wild. Evidence of active exploitation gathered from vendor reports, threat intelligence, and incident response triggers additions. These six entries highlight persistent vulnerabilities in the Microsoft ecosystem as prime attack vectors for ransomware, espionage, and lateral movement. #cybersecuritynews #microsoft

Detecteam retweeted
Defused
Defused@DefusedCyber·
🚨 A critical pre-auth RCE has been disclosed in BeyondTrust Remote Support and PRA (CVE-2026-1731, CVSS 9.9). Our intel suggests this is another websocket vuln, similar to CVE-2024-12356. 🍯 We have added a BeyondTrust RS honeypot stream for Defused TF 👉 console.defusedcyber.com/signup

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
⚠️ Critical FortiClientEMS Vulnerability Lets Attackers Execute Malicious Code Remotely | Source: cybersecuritynews.com/forticlientems… Fortinet has issued a critical security advisory warning administrators to immediately patch instances of FortiClientEMS, its central management solution for endpoint protection. The vulnerability, tracked as CVE-2026-21643, carries a CVSSv3 score of 9.1 and could allow unauthenticated, remote attackers to execute arbitrary code or unauthorized commands on affected servers. The flaw is categorized as an SQL Injection (SQLi) vulnerability, formally identified as an "improper neutralization of special elements used in an SQL Command" (CWE-89). #cybersecuritynews #vulnerability #fortinet

Detecteam retweeted
The Hacker News
The Hacker News@TheHackersNews·
⚠️ Critical RCE flaw in n8n (CVE-2026-25049, CVSS 9.4) lets authenticated users execute system commands via crafted workflow expressions. Public webhooks exposed → remote trigger, credential theft, server takeover. 🔗 Exploit path, affected versions, patch details → thehackernews.com/2026/02/critic…

Detecteam retweeted
Gray Hats
Gray Hats@the_yellow_fall·
GhostKatz bypasses EDR by dumping LSASS credentials directly from physical memory. Learn how this new Red Team tool abuses signed drivers to stay invisible. meterpreter.org/screaming-at-t…

Detecteam retweeted
Defused
Defused@DefusedCyber·
🚨 CVE-2026-21962 (CVSS 10.0 critical unauth RCE) disclosed in various Oracle products (HTTP Server, Weblogic Proxy plugin). No POCs exist as of right now - perfect time to deploy some honeypots! We've added an Oracle HTTP Server stream into Defused 🍯 console.defusedcyber.com/signup

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🛠️ InvisibleJS Tool Hides Executable ES Modules in Empty Files Using Zero-Width Steganography Source: cybersecuritynews.com/invisiblejs-to… InvisibleJS, a new open-source tool that conceals JavaScript code using invisible zero-width Unicode characters, raises alarms about potential misuse in malware campaigns. A small bootstrap loader then decodes and runs the hidden payload at runtime, making the code invisible to the naked eye in editors like VS Code. InvisibleJS could amplify such threats, enabling stealthy malware loaders in Node.js environments or web apps, complicating threat detection. #CybersecurityNews

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🛠️ Forensic-Timeliner - Windows Forensic Tool for DFIR Investigators Read more: cybersecuritynews.com/forensic-timel… Forensic-Timeliner, a Windows forensic tool for DFIR investigators, has released version 2.2, which offers enhanced automation and improved artifact support for digital forensics and incident response operations. This high-speed processing engine consolidates CSV output from leading triage utilities into a unified timeline, empowering analysts to reconstruct event sequences and identify key indicators of compromise rapidly. The engine applies YAML-driven filters defined in config/keywords/keywords.yaml, automatically detecting files by name, folder, or header patterns. #cybersecuritynews #DFIR #Windows

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 Top 10 High-Risk Vulnerabilities Of 2025 That Were Exploited in the Wild Source: cybersecuritynews.com/10-high-risk-v… The cybersecurity landscape in 2025 has been marked by an unprecedented surge in critical vulnerabilities, with over 21,500 CVEs disclosed in the first half of the year alone, representing a 16-18% increase compared to 2024. Among these, a select group of vulnerabilities stands out due to their exceptional severity, active exploitation in the wild, and potential for enterprise-wide compromise. This comprehensive analysis examines the ten most significant high-risk vulnerabilities of 2025, detailing their technical mechanisms, real-world impact, and implications for organizations worldwide. #cybersecuritynews #vulnerabilities

Detecteam retweeted
The Hacker News
The Hacker News@TheHackersNews·
MongoDB servers are under active exploitation via CVE-2025-14847, a pre-auth memory leak. Censys found 87,000 exposed instances. The default zlib compression flaw can leak passwords and API keys over time. 🔗 Read → thehackernews.com/2025/12/mongod…

Detecteam retweeted
Cyber Security News
Cyber Security News@The_Cyber_News·
🚨 #mongobleed (CVE-2025-14847) Now Exploited in the Wild: #MongoDB Servers at Risk Source: cybersecuritynews.com/mongobleed-vul… A high-severity unauthenticated information-leak vulnerability in MongoDB Server, dubbed MongoBleed after the infamous Heartbleed bug, is now being actively exploited in real-world attacks. #MongoDB has disclosed CVE-2025-14847, a critical flaw affecting multiple supported and legacy server versions that allows unauthenticated remote attackers to exfiltrate sensitive data and authentication credentials from vulnerable instances. A working exploit became publicly available on December 26, 2025, with confirmed real-world exploitation reported shortly thereafter. #cybersecuritynews #vulnerabilitynews

Detecteam retweeted
The Hacker News
The Hacker News@TheHackersNews·
⚠️ MongoDB fixed a server flaw that lets unauthenticated users read uninitialized heap memory. The bug, CVE-2025-14847 (8.7), affects releases from 3.6 through 8.2 and is tied to zlib compression handling. Patches are available now. 🔗 Read → thehackernews.com/2025/12/new-mo…

Detecteam retweeted
Steven Lim
Steven Lim@0x534c·
🚨 CVE-2025-14847 + MongoBleed POC: Threat Hunting in Action
A newly disclosed vulnerability in MongoDB (CVE-2025-14847) allows unauthenticated clients to read uninitialized heap memory via malformed Zlib headers. This affects multiple versions — including 8.2.x, 8.0.x, 7.0.x, and earlier — and poses a serious risk if servers are internet-facing.
To help defenders proactively hunt for exposed and unpatched MongoDB instances, I built a KQL query using Microsoft Defender's Advanced Hunting. It identifies:
- Devices running MongoDB Database Server
- Versions not matching patched builds
- Public IP exposure (internet-facing)
💡 If this query triggers, patch immediately. The risk of data leakage is real — and exploitable. github.com/joe-desimone/m…
🔍 Defender + KQL = powerful visibility. Threat hunting starts with knowing what's exposed. #ThreatHunting #MongoDB #MongoBleed #MicrosoftDefender