Alerts

Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021)

Zero Day Wire

19 Jan 2026 — 1 min read

A critical remote command injection vulnerability has been discovered in Apache bRPC, with over 4,000 exposed instances identified online.

Vulnerability Details

CVE ID	CVSS Score	Type	Affected Versions
CVE-2025-60021	9.8 (Critical)	Remote Command Injection	All versions prior to 1.15.0

The flaw exists in the heap profiler's extra_options parameter. Attackers can exploit the /pprof/heap service to execute arbitrary commands on vulnerable systems without authentication.

Exposure

ZoomEye scans indicate approximately 4,000+ internet-facing bRPC instances, creating significant attack surface for exploitation.

Remediation

Organizations running Apache bRPC should upgrade to version 1.15.0 or later immediately.

As a temporary mitigation, restrict access to the /pprof/heap endpoint and ensure bRPC services are not exposed to the internet.

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

PayPal has confirmed a data exposure incident affecting its Working Capital (PPWC) business loan service, where a software code change left sensitive customer information accessible for nearly six months before being detected. The exposure ran from 1 July 2025 to 12 December 2025, when the error was finally discovered and

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

A financially motivated Russian-speaking cybercrime group compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, using off-the-shelf generative AI tools to scale an operation that would traditionally require a well-resourced team, according to a new incident report from AWS. The campaign, which ran from

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

Read more

PayPal Confirms Six-Month Data Exposure After Loan System Code Error Leaked Social Security Numbers

AWS Reports 600+ FortiGate Firewalls Compromised in AI-Augmented Campaign by Russian-Speaking Cybercrime Group

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse