Tracked as CVE-2026-20266, the vulnerability affects AI Toolkit versions prior to 5.7.4. Due to its potential impact, the flaw has received a critical severity rating and should be addressed immediately by affected organizations.

Command Injection Flaw Creates Serious Security Risk

The vulnerability is linked to improper handling of system commands within a configuration helper component. An attacker with Splunk administrator privileges could exploit the weakness to execute arbitrary commands directly on the host system.

Successful exploitation could result in:

• Unauthorized command execution
• Full system compromise
• Manipulation or deletion of security logs
• Service disruption and operational impact
• Potential lateral movement across connected environments

Because the flaw affects administrative functions, malicious activity may appear similar to legitimate system operations, making detection more difficult in some cases.

Additional Vulnerability and Recommended Actions

Alongside the critical issue, Splunk also addressed a medium-severity vulnerability that could allow low-privileged users to initiate outbound connections to untrusted external domains. This behavior may increase the risk of data exposure in environments where network traffic is not tightly restricted.

To reduce risk, organizations should:

• Upgrade the Splunk AI Toolkit to version 5.7.4 or later
• Review administrative account access and permissions
• Restrict unnecessary outbound communications
• Verify domain validation settings are properly configured
• Remove or disable the AI Toolkit if immediate patching is not possible

The disclosure highlights the growing security challenges associated with AI-enabled enterprise applications. As AI capabilities become more integrated into business platforms, maintaining strong security controls, validating inputs, and monitoring external communications remain essential for protecting critical systems.

The post Critical Splunk AI Toolkit Vulnerability Discovered appeared first on First Hackers News.

The notification covers multiple products, including NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and App Protect security modules. According to F5, organizations using affected versions should prioritize updates to reduce exposure to active threats.

Critical Vulnerabilities Impact HTTP/3, HTTP/2, and gRPC Services

Among the most serious issues is CVE-2026-42530, a vulnerability within the NGINX HTTP/3 module. Attackers can exploit specially crafted HTTP/3 requests to trigger memory-related errors, causing worker processes to crash repeatedly. In certain environments, the flaw may also open a path for remote code execution.

Another high-risk vulnerability, CVE-2026-42055, affects deployments that utilize HTTP/2 or gRPC proxying. Malicious traffic can abuse weaknesses in request handling, potentially leading to service interruptions, application crashes, and in some cases, code execution risks.

Key concerns include:

• Potential remote code execution on vulnerable systems
• Denial-of-service conditions causing service outages
• Increased risk for environments using HTTP/3, HTTP/2, and gRPC
• Exposure across several NGINX-based products and services

Gateway Fabric Vulnerabilities Add Additional Risk

F5 also highlighted multiple high-severity vulnerabilities impacting NGINX Gateway Fabric deployments. These issues can affect traffic routing reliability, application availability, and overall service stability in cloud-native and gateway environments.

To address the risks, F5 has released updated versions containing security fixes and recommends that customers:

• Upgrade affected NGINX products immediately
• Review exposed HTTP/2, HTTP/3, and gRPC services
• Verify that security patches have been applied successfully
• Update Gateway Fabric deployments to the latest supported release

The advisory serves as a reminder that organizations relying on modern web application infrastructure should maintain a proactive patch management strategy, particularly when vulnerabilities affect core traffic-processing components.

Recommended Security Actions

F5 urges customers to update affected NGINX products to the latest secure versions as soon as possible.

For systems that cannot be patched immediately, organizations should disable unnecessary HTTP/3 and QUIC services, limit HTTP/2 and gRPC exposure, strengthen access controls, and enable security hardening measures to reduce the risk of exploitation.

The post F5 NGINX Vulnerabilities Patched in Critical Security Update appeared first on First Hackers News.

The campaign primarily focused on compromising REDCap (Research Electronic Data Capture) servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called INFINITERED, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.

Campaign Overview

The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.

Key Objectives

• Medical research intelligence
• Artificial Intelligence research
• Defense-related information
• Military health research Public health policy data

Researchers observed the activity from September 2023 through November 2025, indicating a highly patient and well-resourced espionage operation.

High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.

Initial Access Through REDCap Servers

Why REDCap Was Targeted

REDCap is extensively used across:

• Hospitals
• Clinical research organizations
• Universities
• Government research programs
• Military health institutions

Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.

Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.

Web Shell Deployment and Persistence

Following successful compromise, UNC6508 deployed a web shell identified as:

help.php

The web shell served multiple purposes:

• Persistent access
• File uploads
• Command execution
• Further malware deployment

This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.

INFINITERED Malware Analysis

Three months after the initial intrusion, researchers observed deployment of a custom malware family called INFINITERED. This malware was specifically engineered to operate inside REDCap environments.

Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.

Component 1 – Upgrade Interceptor

The malware monitors REDCap upgrade activities.

When administrators update REDCap, the malware automatically injects itself into newer versions, ensuring persistence across software upgrades

Component 2 – Credential Harvester

This module captures usernames and passwords entered into REDCap login pages.

Stolen credentials are stored within REDCap database tables and later retrieved by attackers.

Component 3 – Command-and-Control Backdoor

The third module acts as a fully functional backdoor.

Researchers found it could:

• Execute shell commands
• Upload files
• Download files
• Run SQL queries

Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.

Abuse of Google Workspace for Data Exfiltration

One of the most interesting aspects of the campaign was the attackers’ use of legitimate Google Workspace functionality.

After obtaining administrative access, UNC6508 created a content compliance rule named:

Patroit

The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.

Attack Chain Breakdown

• External Reconnaissance
• Initial Compromise
• Persistence
• Privilege Escalation
• Intelligence Gathering

Potential Impact on Organizations

Organizations affected by this campaign could experience:

Research Theft

Loss of valuable intellectual property and scientific research.

Strategic Intelligence Exposure

Disclosure of defense and geopolitical information.

Credential Compromise

Unauthorized access to enterprise systems.

Regulatory Risks

Exposure of regulated healthcare and research data.

Alternative Indicators of Compromise (IOCs)

Security Recommendations

Upgrade REDCap Immediately

Remove legacy versions and apply the latest security updates.

Conduct Threat Hunting

Search for:

• help.php
• INFINITERED artifacts
• Unauthorized admin activity
• Credential harvesting indicators

The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.

The post PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations appeared first on First Hackers News.

The issue involves the Internet Explorer WebBrowser control, a component still embedded in various applications built with technologies such as .NET, Visual Basic, and C++. Because it continues to inherit Internet Explorer’s security behavior, attackers may be able to abuse it to execute malicious code on a victim’s system.

How the Attack Works

Researchers found that the WebBrowser control still follows Internet Explorer’s security zone model, which grants additional privileges to trusted locations such as localhost and local files.

This becomes dangerous when desktop applications expose web interfaces through localhost. If an attacker finds a vulnerability such as cross-site scripting (XSS) in one of these applications, they may be able to move from a remote web page into a more trusted local environment.

The attack chain can involve:

• Exploiting a vulnerable localhost application
• Downloading malicious files without standard security warnings
• Opening local files through the WebBrowser control
• Executing scripts in a trusted local context
• Launching commands through insecure ActiveX components

Researchers demonstrated that malicious files downloaded through certain localhost scenarios may not receive Microsoft’s Mark-of-the-Web (MOTW) protection. Without this security label, Windows may not display its usual warnings when potentially dangerous content is executed.

Multiple Paths to Code Execution

The research also revealed several additional techniques that attackers could use to increase the chances of compromise.

Potential attack methods include:

• Abusing ActiveX components to launch programs
• Using media playlist files to leak NTLM hashes
• Exploiting ClickOnce and Office-related file formats
• Using clickjacking to trick users into opening malicious files
• Abusing drag-and-drop functionality to execute shortcuts

In some proof-of-concept demonstrations, attackers used invisible frames to disguise malicious file interactions. A victim might believe they are clicking on a normal webpage when they are actually interacting with local files or applications.

Researchers also showed how malicious shortcuts could be disguised with trusted-looking icons and placed in locations where users are likely to interact with them.

Why Legacy Components Remain a Risk

The findings highlight a common cybersecurity challenge: retired software components can continue creating security risks long after the original product is no longer supported.

Many organizations still rely on applications that use the Internet Explorer WebBrowser control behind the scenes. As long as these components remain active, attackers may continue searching for ways to abuse them.

Security experts recommend that organizations:

• Identify applications using the WebBrowser control
• Remove unnecessary legacy dependencies
• Restrict risky ActiveX components
• Limit exposure of localhost web interfaces
• Monitor systems for unusual browser-based activity

The post Internet Explorer Component Flaw Enables RCE Attacks appeared first on First Hackers News.

The latest release includes security improvements across several Chrome components, including ANGLE, GPU, Network, Ozone, FileSystem, Password Manager, Chromecast, Cast Streaming, and Chromoting.

Given the number and severity of the fixes, users and organizations are strongly encouraged to update their browsers as soon as possible.

Critical Bugs Could Lead to Serious Attacks

Many of the critical vulnerabilities are related to memory safety issues such as use-after-free and out-of-bounds memory access errors.

These types of flaws are frequently targeted by attackers because they can sometimes be used to:

• Execute malicious code
• Crash the browser
• Bypass security protections
• Access sensitive information
• Escape browser restrictions

Several of the vulnerabilities affect Chrome’s GPU and ANGLE components, which handle graphics processing and hardware acceleration. Because these components interact closely with system hardware, they are often attractive targets for threat actors.

Google has not released full technical details for many of the vulnerabilities yet. The company commonly delays disclosure until most users have installed the updates, reducing the risk of attackers developing exploits before systems are patched.

Multiple Browser Components Affected

The security fixes span a wide range of Chrome functionality.

Affected areas include:

• ANGLE graphics framework
• GPU processing components
• Network services
• Ozone platform layer
• FileSystem functionality
• Password management features
• Chromecast services
• Cast Streaming technology
• Chrome Remote Desktop (Chromoting)

Researchers warn that vulnerabilities affecting network services, file handling, and password-related components could become particularly dangerous if combined with additional exploits.

Issues involving Chromecast and remote streaming features also highlight that browser-related risks extend beyond simple web browsing and may impact connected devices and remote-access capabilities.

Update Recommended Immediately

Google reports that many of the vulnerabilities were discovered by both internal security teams and external researchers. Some high-impact findings earned bug bounty rewards of up to $97,000.

Organizations should prioritize deploying the latest Chrome version as part of their patch management process. Regular browser updates remain one of the most effective ways to reduce exposure to web-based attacks.

The release serves as another reminder that browsers remain one of the most heavily targeted applications and require continuous security updates to defend against evolving threats.

22 Critical Vulnerabilities

The post Google Patches 429 Chrome Security Flaws appeared first on First Hackers News.

The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

The campaign, linked to a Telegram channel with thousands of followers, reportedly used artificial intelligence to generate content, manage online operations, and support cybercriminal activities with very little cost or effort.

The case highlights how AI can be abused to increase the scale and efficiency of malicious online campaigns.

AI Used to Automate Content and Operations

According to researchers, the attacker found ways to bypass Gemini’s built-in safety protections through carefully crafted prompts and configuration changes.

Once these restrictions were bypassed, the AI was used for a variety of tasks, including:

• Generating large volumes of content
• Automating Telegram posts
• Managing stolen API keys
• Assisting with infrastructure setup
• Supporting online fraud operations

Researchers found that the actor relied on dozens of stolen Gemini API keys, allowing continuous access to AI capabilities while avoiding operational costs.

The Telegram channel evolved over time, eventually becoming heavily dependent on AI-generated content designed to engage and influence followers.

From Influence Campaigns to Cybercrime

Beyond content creation, investigators found evidence that AI was also used to assist with technical tasks often associated with cybercrime.

The AI reportedly helped with:

• Script troubleshooting and development
• Cloud service configuration
• Infrastructure deployment
• Password variation generation
• Account compromise activities

Researchers linked the operation to several compromised WordPress administrator accounts and at least one cryptocurrency theft incident.

The campaign also promoted a fake cryptocurrency wallet application that allegedly provided attackers with access to victim systems and digital assets.

Growing Concerns Around AI Abuse

Security experts believe the operation was primarily motivated by financial gain rather than political objectives.

The findings demonstrate how a single individual can now perform activities that previously required larger teams, thanks to automation and AI assistance.

At the same time, the case raises concerns about weaknesses in AI safety controls. Researchers noted that prompt manipulation, persistent jailbreak techniques, and language-based inconsistencies continue to create opportunities for abuse.

The incident serves as another example of how cybercriminals are adapting emerging AI technologies to support fraud, account compromise, and large-scale online influence operations.

The post Stolen Gemini API Keys Power Automated Telegram Campaign appeared first on First Hackers News.

While Meta stated that its infrastructure was not breached, the incident highlights the risks of relying on AI systems for sensitive account management functions.

How the Issue Worked

The problem was reportedly linked to the logic used by Meta’s AI support assistant. Instead of exploiting servers or software vulnerabilities, attackers allegedly manipulated the chatbot into triggering password recovery actions.

According to researchers, the AI system could be persuaded to send password reset links or codes without performing sufficient identity checks. In some cases, simply knowing a target’s Instagram username may have been enough to initiate the process.

This type of attack is different from traditional hacking methods because it focuses on exploiting the behavior of automated systems rather than technical flaws in infrastructure.

Researchers noted that the issue demonstrated how AI tools can become vulnerable when strict authentication controls and security safeguards are not fully enforced.

Valuable Instagram Accounts Were Targeted

Reports indicate that attackers focused primarily on high-value Instagram usernames and accounts that are often traded in underground marketplaces.

Short, rare, and highly desirable usernames can sell for significant amounts of money, making them attractive targets for cybercriminals.

Security researchers found evidence suggesting that compromised accounts were quickly offered for sale through private online channels, highlighting the growing business of account takeover operations.

This trend reflects an evolving cybercrime ecosystem where attackers target digital identities that can be rapidly monetized.

Meta Responds and Fixes the Issue

Meta has confirmed that the problem has been addressed and stated that user accounts remain secure.

According to the company, the issue allowed certain password reset requests to be triggered improperly, but there was no compromise of Meta’s backend systems or customer databases.

The company quickly implemented a fix after receiving reports from researchers and emphasized that the vulnerability has been resolved.

Lessons for Users and Platforms

The incident serves as a reminder that AI-powered support tools can introduce new security challenges if they are not carefully designed.

To reduce risk, organizations should implement:

• Strong identity verification controls
• Strict rate-limiting mechanisms
• Context-aware AI decision making
• Enhanced monitoring for abuse attempts
• Additional safeguards for account recovery processes

Researchers also noted that accounts protected with two-factor authentication (2FA) were not affected by the reported attacks.

As AI becomes more integrated into customer support and account management systems, security experts expect attackers to continue testing these technologies for weaknesses. Strong authentication and layered security controls remain essential for protecting user accounts from emerging threats.

The post Meta AI Flaw Linked to Instagram Password Resets appeared first on First Hackers News.

The statement comes after criticism from the cybersecurity community following a dispute involving a researcher known as “Nightmare-Eclipse.” Many researchers were concerned that Microsoft’s earlier comments could discourage independent security research and vulnerability disclosure.

The company has now clarified that its focus is on individuals who intentionally cause harm, not those conducting legitimate security research.

Dispute Sparked by Public Vulnerability Disclosures

The controversy began when Nightmare-Eclipse started releasing details of several previously unpatched Windows vulnerabilities, along with proof-of-concept exploit code.

The disclosed flaws affected important Windows security features, including Microsoft Defender and BitLocker. Some of the vulnerabilities were later confirmed to be actively exploited in real-world attacks.

According to the researcher, the public disclosures were driven by frustration over previous interactions with Microsoft’s vulnerability reporting process. The researcher claimed that access to Microsoft’s reporting platform had been removed and that submitted findings were not handled appropriately.

Microsoft later criticized the public release of unpatched vulnerabilities and stated that such disclosures could place customers at risk. The company’s comments also referenced potential legal action against individuals involved in harmful activities, which triggered widespread debate across the cybersecurity community.

Microsoft Reassures the Security Community

Following the backlash, Microsoft issued a new statement to clarify its position.

The company emphasized that it supports security research and has no intention of pursuing legal action against researchers who identify and disclose vulnerabilities. Microsoft said legal measures would only be considered in cases involving unlawful actions that cause actual harm to customers.

The company also acknowledged that some interactions with researchers may not have met expectations and expressed its commitment to improving communication and collaboration.

Microsoft reaffirmed its support for Coordinated Vulnerability Disclosure (CVD), encouraging researchers to report vulnerabilities through official channels before making findings public.

Importance of Researcher-Vendor Collaboration

The incident highlights the delicate relationship between technology vendors and the security research community.

Security researchers play a critical role in identifying weaknesses before cybercriminals can exploit them. At the same time, vendors rely on responsible disclosure processes to develop patches and protect users.

Microsoft stated that it continues to welcome vulnerability reports through its public reporting portal and remains committed to working with researchers regardless of previous interactions.

The situation serves as a reminder that effective communication and cooperation between vendors and researchers are essential for improving cybersecurity and protecting users worldwide.

The post Microsoft Denies Lawsuit Threats Against Researchers appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.