Zero Day Wire

Critical MetInfo and Weaver E-cology Flaws Under Active Exploitation — Unauthenticated RCE Targeting Chinese Enterprise Infrastructure

Alerts

Two critical vulnerabilities in widely deployed Chinese enterprise software are under active exploitation, with threat actors leveraging unauthenticated remote code execution flaws in MetInfo CMS and Weaver E-cology to compromise servers without requiring any credentials. CVE-2026-29014 (CVSS 9.8) affects MetInfo, a PHP and MySQL-based enterprise content management system popular

By Zero Day Wire
Critical GitHub RCE Vulnerability Exposed Millions of Public and Private Repositories to Backend Server Compromise (CVE-2026-3854)

Alerts

Wiz researchers have disclosed a critical remote code execution vulnerability in GitHub's internal Git infrastructure that exposed millions of repositories across both GitHub.com and GitHub Enterprise Server. Tracked as CVE-2026-3854, the flaw allowed any authenticated user to execute arbitrary commands on GitHub's backend servers using

By Zero Day Wire
Microsoft Defender Zero-Day Exploited in the Wild — BlueHammer Attack Chain Extracts SAM Hashes and Kills Defender via Race Condition

Alerts

A privilege escalation vulnerability in Microsoft Defender is under active exploitation using publicly available proof-of-concept code, with Huntress confirming attacks began on April 10 — four days before Microsoft released a patch. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Wednesday, setting a May 6 federal patching deadline.

By Zero Day Wire
Microsoft Issues Emergency Patch for Critical ASP.NET Core Flaw Allowing SYSTEM Privilege Escalation via Forged Auth Cookies

Alerts

Microsoft has pushed an emergency out-of-band security update to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core's Data Protection cryptographic APIs that allows unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access on affected systems. The flaw originated from a regression introduced in the

By Zero Day Wire
Mustang Panda Deploys Updated LOTUSLITE Backdoor Against Indian Banking Sector and South Korean Policy Targets

Threats

Acronis researchers have identified a new variant of the LOTUSLITE backdoor being deployed by Mustang Panda in campaigns targeting India's banking sector and South Korean policy communities. The updated malware demonstrates incremental refinements over its predecessor, confirming active maintenance by the Chinese nation-state group as it broadens its

By Zero Day Wire
CISA Adds Eight Exploited Vulnerabilities to KEV Catalog Including Three Cisco SD-WAN Manager Flaws and Quest KACE CVSS 10.0

Alerts

CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities catalog on Monday, setting aggressive federal patching deadlines after confirming active exploitation across a range of enterprise products. Three of the flaws target Cisco Catalyst SD-WAN Manager, while the remaining five affect Quest KACE, PaperCut, JetBrains TeamCity, Kentico Xperience, and

By Zero Day Wire
Former Ransomware Negotiator Pleads Guilty to Running BlackCat Attacks Against the Companies They Were Hired to Protect

Breaches

Angelo Martino, a 41-year-old former ransomware negotiator at cybersecurity incident response firm DigitalMint, has pleaded guilty to targeting U.S. companies with BlackCat (ALPHV) ransomware while simultaneously working as a negotiator supposedly helping victims resolve attacks. Martino is the third defendant to plead guilty in a case that exposes one

By Zero Day Wire
Iranian APT Seedworm Deploys Dindoor Backdoor via Microsoft Teams Social Engineering Using Deno Runtime for In-Memory Execution

Threats

CyberProof researchers have uncovered a campaign by Iranian APT group Seedworm that uses Microsoft Teams as an initial access vector, deploying a custom backdoor called Dindoor through social engineering that impersonates IT support personnel. The campaign emerged in early March 2026, coinciding with a surge in Iranian-linked cyber activity following

By Zero Day Wire
Vercel Breached via OAuth Supply Chain Attack — Attacker Bypassed MFA Without Stealing a Single Credential

Breaches

A threat actor has breached Vercel's developer infrastructure through an identity supply chain attack that bypassed multi-factor authentication entirely — without stealing a single credential. The compromise, disclosed in April 2026, exploited a breached third-party OAuth integration to inherit valid Google Workspace sessions belonging to Vercel developers, representing a

By Zero Day Wire