The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

Because these tools are already installed on most systems and commonly used by administrators, malicious activity can easily blend in with normal operations.

ANY.RUN Report Reveals Growing Threat

According to ANY.RUN’s analysis of more than 2 million malware and phishing investigations during the first quarter of 2026, threat actors are rapidly shifting toward stealthier attack techniques.

The report highlights:

• Loader-based attacks nearly doubled
• Credential theft increased significantly
• Living-off-the-Land (LotL) techniques grew by more than 58%
• Attackers increasingly abused trusted system utilities
• Malware campaigns became more automated and difficult to detect

Researchers noted that attackers often use tools such as PowerShell, WMI, Certutil, MSHTA, and JavaScript execution environments to perform malicious actions while appearing legitimate.

These trusted tools allow attackers to:

• Download malware payloads
• Execute fileless attacks
• Establish persistence
• Move laterally through networks
• Avoid traditional antivirus detection

Security experts warn that attackers can establish persistence within seconds, leaving defenders with very little time to respond.

Credential Theft Continues to Drive Attacks

ANY.RUN researchers found that credential theft remains one of the primary goals for modern threat actors.

Once attackers obtain valid credentials, they can access systems while appearing to be legitimate users. Combined with trusted tool abuse, this creates a dangerous scenario where malicious activity can remain hidden for extended periods.

Many attackers begin with lightweight loaders that quietly gain initial access before deploying more dangerous payloads such as:

• Ransomware
• Remote Access Trojans (RATs)
• Information stealers
• Credential theft tools

This approach allows cybercriminals to scale attacks while minimizing detection.

Strengthening Defenses Against Trusted Tool Abuse

Because legitimate tools generate normal-looking activity, ANY.RUN recommends focusing on behavioral monitoring rather than relying solely on traditional signature-based security solutions.

Organizations should monitor for:

• Unusual PowerShell commands
• Suspicious script execution
• Abnormal command-line arguments
• Unexpected network connections
• Unusual administrative activity
• Suspicious parent-child process relationships

Additional recommendations include:

• Enforcing least-privilege access
• Restricting script execution
• Using application control policies
• Leveraging threat intelligence
• Deploying sandbox analysis solutions
• Improving incident response capabilities

The findings show that attackers are becoming increasingly skilled at hiding in plain sight. As trusted tools continue to be weaponized, organizations must focus on behavior-based detection and rapid response strategies to identify threats before they can cause significant damage

The post Hackers Exploit Trusted Tools Malware for Attacks appeared first on First Hackers News.

Security researchers demonstrated that the flaws can be chained together to achieve remote code execution with root privileges through a single specially crafted request. The vulnerabilities affect UniFi OS Server installations and pose a significant risk to organizations using exposed management interfaces, highlighting the importance of addressing UniFi OS Vulnerabilities.

Because the attack requires no authentication, security experts are urging administrators to patch affected systems immediately.

How the Attack Works

The exploit begins with vulnerabilities that allow attackers to bypass UniFi OS authentication protections.

Researchers discovered that inconsistencies in how requests are processed can allow specially crafted URLs to access internal functions that should normally require authentication. Once inside, attackers can target a separate command injection flaw within the system’s update mechanism.

The attack chain allows threat actors to:

• Bypass authentication controls
• Execute commands remotely
• Gain root-level access
• Install malicious software
• Maintain long-term access to the system

Researchers confirmed that the exploit can be executed remotely against vulnerable devices running affected versions of UniFi OS.

Potential Impact on Organizations

A successful compromise gives attackers complete control over the UniFi management platform.

With root access, attackers may be able to:

• Create persistent administrator accounts
• Access sensitive network data
• Steal encryption and authentication keys
• Extract database information
• Modify system configurations
• Maintain access even after password changes

In environments using UniFi Access and UniFi Protect, the risks extend beyond traditional IT systems.

Researchers warn that attackers could potentially:

• Unlock connected doors
• Access surveillance systems
• Monitor live camera feeds
• Delete security footage
• Access stored credential information

This makes the vulnerabilities especially concerning for organizations that rely on UniFi products for both network and physical security management.

Recommended Mitigation Steps

Administrators should immediately upgrade to the latest patched UniFi OS versions provided by Ubiquiti.

Additional security measures include:

• Restrict management interfaces from internet access
• Rotate authentication and signing keys
• Change administrative credentials
• Review systems for suspicious activity
• Rebuild potentially compromised servers
• Audit access logs and configurations

Security experts advise treating any internet-exposed, unpatched UniFi OS instance as potentially compromised due to the severity of the vulnerabilities and the ease of exploitation.

The post Critical UniFi OS Vulnerabilities Allow Root RCE appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.

The attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The FROST SSD Timing Attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The findings highlight growing concerns around browser APIs and performance features that may unintentionally expose sensitive system behavior.

How the FROST Attack Works

The technique relies on the Origin Private File System (OPFS), a browser storage feature designed to improve web application performance.

Researchers found that a malicious website can create a large file inside the browser’s storage sandbox and continuously perform random disk reads. These operations force the SSD to handle real disk activity instead of using cached memory.

When other applications or browser tabs access the same SSD, small delays and latency spikes occur due to resource contention. The malicious page measures these timing differences using high-resolution browser timers.

To improve accuracy, attackers can enable cross-origin isolation settings that unlock more precise timing measurements through APIs such as performance.now().

The collected timing data is then analyzed using machine learning models to identify patterns linked to specific websites or applications.

Researchers Demonstrated Cross-Browser Tracking

During testing, researchers showed that the attack could monitor user activity across multiple browser instances on macOS systems.

In one experiment:

• A malicious Chrome tab monitored SSD timing activity
• A victim opened websites in Safari
• The timing patterns were analyzed using a neural network model
• The system successfully identified visited websites with high accuracy

The researchers reported strong detection results while testing against popular websites.

They also demonstrated a covert communication channel on Linux and macOS systems where SSD contention signals were used to transfer information between applications.

Privacy and Security Concerns

The research shows how modern browser performance features may weaken traditional browser isolation protections.

Unlike traditional malware, the attack does not require installing software on the victim’s device. Instead, a single visit to a malicious webpage may be enough to begin collecting timing information silently in the background.

Researchers warned that the technique could potentially be used for:

• Cross-browser activity tracking
• User behavior monitoring
• Website fingerprinting
• Covert communication channels
• Privacy-invasive surveillance techniques

The findings also raise concerns about how high-resolution timers and advanced browser storage APIs can unintentionally create new side-channel attack surfaces.

While the attack currently requires specific conditions and technical expertise, the research demonstrates how low-level hardware behavior can increasingly be abused for remote tracking and surveillance purposes.

The post New FROST Technique Lets Websites Monitor SSD Activity appeared first on First Hackers News.

The issue was initially noticed by a Motorola Razr 60 Ultra user who observed unusual behavior when opening the Amazon app. Instead of launching normally, the device briefly opened a web browser before redirecting back to Amazon with a tracking identifier attached.

Further investigation revealed that a preinstalled background application named Smart Feed was responsible for the redirects.

Hidden App Injects Affiliate Tracking Codes

Researchers found that the hidden app communicates with an external server identified as devicenative[.]com. The server appears to provide affiliate-related settings and redirect instructions used by the application.

When users tap shopping apps from the launcher, the hidden service intercepts the request and inserts affiliate tracking data before sending users to the final destination.

The observed behavior includes:

• Intercepting Amazon app launches
• Opening browser-based redirect links
• Injecting affiliate tracking parameters
• Connecting to remote servers for configuration updates
• Running silently in the background

Because Android automatically handles supported links inside apps, most users are unlikely to notice the redirection process.

Researchers Warn About Potential Risks

Security experts noted that the technique shares similarities with behaviors commonly seen in adware and mobile malware.

The concerns go beyond affiliate monetization because the same infrastructure could theoretically be modified to redirect users toward malicious websites, phishing pages, or credential theft portals.

Researchers also highlighted several worrying characteristics:

• Hidden system-level persistence
• External server-controlled behavior
• Intent interception techniques
• Limited user visibility or control
• Difficulty removing the application

Since the application relies on remote configuration from external servers, its behavior could potentially change without any operating system update.

The issue has currently been confirmed on the Motorola Razr 60 Ultra, although it is still unclear whether other Motorola devices are affected.

While reports suggest a third-party monetization partner may be involved, researchers argue that smartphone manufacturers remain responsible for software bundled with their devices.

Motorola has not publicly commented on the findings at the time of reporting.

The post Hidden Motorola App Redirects Amazon Traffic appeared first on First Hackers News.

EU regulators accuse Google of favoring its own services in search results, including Google Shopping, Google Maps, and Google Flights. Officials believe this practice reduces visibility for competing platforms and limits user choice.

The investigation began in March 2025 and could lead to one of the largest penalties issued under the DMA so far.

Google Faces Scrutiny Over Search Practices

The Digital Markets Act was introduced to prevent dominant technology platforms from abusing their market power. Under the regulation, companies classified as “gatekeepers” must maintain fair competition and avoid giving unfair advantages to their own services.

According to reports, regulators are concerned that Google’s search engine may be prioritizing internal products over rival platforms.

The DMA requires major platforms to:

• Maintain fair search rankings
• Avoid self-preferencing practices
• Improve platform transparency
• Support interoperability
• Prevent unfair use of competitor data

Violations under the DMA can result in fines reaching up to 10% of a company’s global annual revenue.

Possible Record DMA Penalty

Reports suggest the upcoming penalty could reach several hundred million euros, making it the biggest DMA-related fine issued to date. The final decision is expected before the EU summer recess.

This is not the first time Google has faced regulatory action in Europe. The company has previously received multi-billion-euro fines related to Google Shopping, Android dominance, and online advertising practices.

Recent investigations also focused on adtech self-preferencing and concerns around digital market competition.

Beyond competition issues, the case highlights broader concerns about algorithm transparency and platform control. Regulators increasingly view fair ranking systems as important for maintaining trust, information visibility, and a balanced digital ecosystem.

The enforcement action may also create political tension between the EU and the United States, especially as debates around Big Tech regulation continue globally.

If confirmed, the case will become a major milestone in enforcing the Digital Markets Act and signal stronger EU action against powerful technology companies.

The post EU Moves Closer to Major Fine Against Google appeared first on First Hackers News.

Researchers from Mysk reported that WhatsApp uses a shared container linked to Meta applications, identified as group.com.facebook.family. On Apple devices, app group containers allow applications from the same developer to share data and resources.

Because Facebook, Instagram, and WhatsApp belong to the same ecosystem, the shared architecture could introduce privacy and security concerns if exploited alongside operating system vulnerabilities.

Shared Containers Raise Privacy Concerns

The researchers found that WhatsApp chat databases stored inside these containers are not encrypted at rest. This means the data may remain readable if attackers gain access to the device or exploit weaknesses in the operating system.

According to the report, the following risks were identified:

• Chat histories may be stored in plaintext
• Other Meta-owned apps could theoretically access shared data
• Users receive no alerts when such access occurs
• The issue affects both macOS and iOS environments

Researchers also demonstrated that WhatsApp chat histories could be extracted from iPhone backups, where the same unencrypted storage structure was observed.

The findings highlight an important distinction in security design. While WhatsApp uses end-to-end encryption to protect messages during transmission, that protection does not automatically secure data stored locally on the device.

macOS Vulnerability Increases Exposure Risk

The risk becomes more serious when combined with a recently disclosed macOS vulnerability tracked as CVE-2026-28910. The flaw affected Apple’s Archive Utility tool and reportedly allowed attackers to bypass App Sandbox protections.

By abusing this vulnerability, attackers could potentially:

• Access protected application containers
• Extract sensitive information from apps
• Bypass Apple’s Transparency, Consent, and Control protections
• Access chat histories from applications like WhatsApp

Researchers presented a proof-of-concept demonstration showing how the vulnerability could be combined with WhatsApp’s storage behavior to retrieve chat data.

Security Debate Around the Findings

Not all experts agree on the severity of the issue. WABetaInfo stated that although the databases may not be encrypted locally, Apple’s sandboxing system still provides strong isolation between applications.

From this perspective, attackers would still require elevated system privileges or a separate operating system exploit to access the stored data.

However, researchers at Mysk argue that shared app group permissions between Meta applications reduce isolation boundaries and increase the potential attack surface.

The discussion highlights broader concerns about local data protection in modern mobile ecosystems, especially when multiple applications share common storage environments.

Recommendations for Users

Security experts recommend several steps to reduce potential exposure risks:

• Enable encrypted Finder or iTunes backups
• Keep macOS and iOS updated with the latest security patches
• Use strong device passcodes and device encryption
• Limit unnecessary applications from the same developer ecosystem
• Regularly review application permissions and backup settings

At the time of reporting, there were no confirmed cases of widespread exploitation linked to the findings. However, the research highlights the importance of protecting sensitive data not only during transmission but also while stored on devices.

The post WhatsApp Chat Data Found Stored Without Encryption appeared first on First Hackers News.

Researchers observed the campaign throughout 2025 and into 2026, with most targets including government agencies, diplomatic entities, and commercial organizations in Russia and Belarus. The operation combines phishing attacks, legacy vulnerabilities, custom malware, and stealthy persistence techniques to maintain long-term access inside victim environments.

The campaign demonstrates how attackers are increasingly blending legitimate administration tools with advanced malware techniques to avoid detection and maintain covert remote access.

Initial Access Through Phishing and Exploits

Cloud Atlas APT continues to rely heavily on phishing emails as its primary entry point. Attackers distribute ZIP archives containing malicious LNK shortcut files designed to silently execute PowerShell commands from attacker-controlled infrastructure.

At the same time, the threat actors also weaponize Microsoft Office documents exploiting the Equation Editor vulnerability, CVE-2018-0802, to download additional payloads onto infected systems.

Once executed, the PowerShell scripts establish persistence by saving a secondary script named fixed.ps1 in the Windows temporary directory and creating autorun entries through the Windows Registry.

To distract victims and reduce suspicion, the malware downloads a decoy archive, extracts a PDF document, and displays it on the screen while malicious activities continue in the background. During this stage, forensic traces are deleted and the primary payloads are launched.

VBCloud and PowerShower Backdoors

The fixed.ps1 script functions as a loader for two major malware components named VBCloud and PowerShower.

VBCloud File-Stealing Malware

VBCloud is mainly used for data theft. The malware deploys an encrypted payload named video.mds, which is decrypted in memory using RC4 encryption and executed through a Visual Basic Script (VBS) loader.

The malware searches for and exfiltrates sensitive files, including:

• DOC and DOCX documents
• PDF files
• XLS and spreadsheet data
• Other confidential business documents

Collected data is transmitted to attacker-controlled servers for further analysis and espionage purposes.

PowerShower for Reconnaissance and Lateral Movement

PowerShower focuses on reconnaissance, credential harvesting, and internal network movement. The malware gathers system and domain information, executes remote PowerShell commands, and supports lateral movement across enterprise environments.

Researchers observed the malware performing Kerberoasting attacks to extract Active Directory service account credentials. It also includes a credential harvesting module that abuses the fodhelper.exe UAC bypass technique to gain elevated privileges.

With administrative access, attackers can retrieve sensitive data from the SAM and SECURITY registry hives through Windows shadow copies.

Modification of termsrv.dll Enables Multiple RDP Sessions

A significant evolution in this campaign is the use of a PowerShell script called rdp_new.ps1, which directly modifies the Windows termsrv.dll library.

The termsrv.dll component controls Remote Desktop session management and normally prevents multiple simultaneous user logins. Cloud Atlas bypasses this restriction by taking ownership of the DLL file, patching specific byte sequences, and restarting the RDP service.

After modification, multiple concurrent RDP sessions become possible on the infected machine. This allows attackers to maintain hidden remote access without disconnecting legitimate users, significantly lowering the risk of detection.

This technique provides threat actors with stealthy persistence while blending malicious activity with normal administrator behavior.

Reverse SSH Tunnels and Stealth Persistence

To strengthen persistence and ensure continued remote access, Cloud Atlas deploys multiple tunneling and proxy mechanisms.

The attackers establish reverse SSH tunnels from compromised systems to remote servers under their control. These tunnels bypass inbound firewall restrictions and provide continuous access into internal networks.

The operation also uses:

• VBS scripts executed through PsExec
• Scheduled tasks for automatic tunnel recovery
• Modified file permissions to protect SSH keys
• Customized OpenSSH builds with altered cryptographic libraries
• RevSocks tunneling utilities written in Go
• Tor hidden services for anonymous RDP connectivity

These layered persistence mechanisms make incident response and remediation significantly more difficult.

PowerCloud Malware Uses Google Sheets for Data Exfiltration

Researchers also identified a newer tool called PowerCloud that collects administrative user information and exfiltrates the data to Google Sheets using Base64-encoded content.

The use of legitimate cloud services highlights Cloud Atlas’ growing focus on blending malicious traffic with normal enterprise activity, making traditional security monitoring more challenging.

Ongoing Threat to Government and Enterprise Networks

Telemetry linked to the campaign shows a strong focus on government, diplomatic, and high-value enterprise organizations, consistent with Cloud Atlas’ long-standing espionage objectives.

Although some infrastructure overlaps with activity associated with the Head Mare group have been observed, researchers noted that the malware families, techniques, and operational behavior remain distinct.

The continued use of publicly available tools such as SSH, Tor, PsExec, and RevSocks alongside advanced techniques like RDP manipulation demonstrates the group’s evolving capabilities and operational maturity.

Security teams are advised to closely monitor:

• Unauthorized changes to termsrv.dll
• Suspicious PowerShell execution
• Unexpected RDP configuration changes
• Reverse SSH connections
• Scheduled tasks linked to remote access tools
• Unusual use of cloud platforms for data transfers

The campaign highlights the increasing sophistication of modern cyber espionage operations and the importance of continuous monitoring for stealthy persistence mechanisms inside enterprise networks.

The post Cloud Atlas APT Uses Modified termsrv.dll to Enable Hidden RDP Access appeared first on First Hackers News.

ExifTool is widely used to read and modify metadata in images, PDFs, and multimedia files. Because the tool is heavily integrated into media workflows, automation pipelines, and digital asset management systems, the vulnerability creates a significant security risk in environments that handle untrusted files.

The implications of the ExifTool vulnerability extend to various sectors, where data integrity and security are paramount.

How the Vulnerability Works

The issue is linked to improper sanitization of metadata fields related to file creation dates on macOS. Researchers found that attackers can embed malicious commands inside image metadata fields such as FileCreateDate or DateTimeOriginal.

When ExifTool processes the manipulated file under specific conditions, the hidden command can be executed through the system shell.

The vulnerability becomes exploitable when:

• ExifTool processes raw metadata values using the -n flag
• Malicious metadata is copied through the -tagsFromFile feature
• Unsafe input reaches a system() execution call without proper filtering

Researchers observed that ExifTool internally builds system commands using metadata values extracted directly from files. While most parameters are sanitized, one execution path allowed unfiltered user-controlled data to be passed into a shell command.

This creates a command injection scenario where attackers can run arbitrary commands with the privileges of the user processing the file.

Security Risks and Patch Information

The vulnerability is especially dangerous for organizations using automated image-processing workflows, newsroom environments, or media management platforms where files are processed automatically.

Because the malicious payload is hidden inside metadata, the image itself may appear legitimate and bypass traditional security checks.

If exploited successfully, attackers could:

• Execute malicious commands on macOS systems
• Deploy malware or backdoors
• Steal sensitive information
• Move laterally across internal networks

Researchers from Kaspersky identified the vulnerability, and ExifTool developers addressed the issue in version 13.50.

The patched release changes how system commands are executed by replacing unsafe string-based command construction with safer argument-based execution methods. This prevents shell interpretation and significantly reduces the risk of command injection.

Users and organizations are strongly advised to update to ExifTool 13.50 or later immediately. Security experts also recommend processing untrusted files inside isolated environments such as sandboxes or virtual machines to reduce exposure to malicious media files.

The incident highlights an ongoing cybersecurity challenge where even trusted file-processing tools can become attack vectors if user-controlled input is not handled securely.

The post ExifTool Flaw Allows Mac System Compromise appeared first on First Hackers News.