The campaign primarily targets users with notifications related to meeting transcripts, recordings, and shared documents. These messages direct victims to professionally crafted phishing pages designed to closely resemble legitimate Microsoft Teams and productivity service interfaces, making Microsoft Teams phishing a critical concern for end-users.

Attack Chain Relies on Trusted Infrastructure

The threat actors behind the campaign are using a combination of compromised business websites and cloud-hosted infrastructure to host phishing content and malware delivery mechanisms. Researchers observed malicious pages hosted on legitimate domains belonging to organizations such as hotels, law firms, schools, healthcare providers, and other small businesses across multiple countries.

Once a victim downloads and executes the installer, the malware deploys a legitimate remote access tool that has been preconfigured with attacker-controlled settings. This approach enables cybercriminals to establish remote connectivity while reducing suspicion, as the software itself is not inherently malicious.

To improve operational resilience, the attackers frequently rotate domains, infrastructure, and lure themes, allowing them to target different departments and organizations while minimizing the impact of takedowns.

Persistence and Evasion Capabilities

Analysis of the installer revealed several defense-evasion techniques designed to hinder detection and analysis. These include environment checks, anti-debugging mechanisms, delayed execution routines, and obfuscated components intended to complicate forensic investigations.

Following installation, the malware establishes multiple persistence mechanisms to ensure long-term access to compromised systems. Researchers observed the creation of Windows services, registry modifications, and authentication-related components that enable the threat actors to maintain access and potentially harvest credentials.

MITRE FRAMEWORK

Key Security Concerns

• Abuse of trusted Microsoft Teams branding to increase phishing success.
• Use of legitimate remote access software for unauthorized system access.
• Hosting of phishing infrastructure on compromised business websites.
• Multiple persistence mechanisms designed to survive remediation efforts.

The campaign highlights a growing trend in cybercrime operations where attackers increasingly rely on trusted platforms, reputable domains, and legitimate software to evade traditional security controls. Organizations should treat unexpected file downloads, meeting notifications, and transcript-sharing requests with caution, even when they appear to originate from familiar services or trusted websites.

The post Microsoft Teams-Themed Attack Deploys Remote Access Tool appeared first on First Hackers News.

What Happened?

Security researchers at Manifold discovered that ClawHub’s registry was not consistently enforcing ownership verification for plugin namespaces.

During their review, they identified 23 code-executing plugins published under the @openclaw and @clawhub namespaces by accounts that had no verified connection to either organization.

Because these namespaces are commonly associated with official software publishers, many users could easily assume the plugins were legitimate first-party integrations.

Why Namespace Verification Matters

Modern package registries use namespace prefixes such as @owner/ to indicate who published a package. This system helps users determine whether a package originates from a trusted source.

For example, developers generally trust packages published under Microsoft’s verified namespace because registry controls prevent unauthorized users from publishing under that name.

ClawHub adopted a similar namespace model for OpenClaw-compatible plugins. Official integrations such as @openclaw/whatsapp and @openclaw/codex are published under the OpenClaw namespace, reinforcing user trust.

The Scope Squatting Problem

The issue arose because unaffiliated publishers were able to create plugins using trusted namespaces without proper ownership verification.

Examples included plugins such as:

• @openclaw/security-gate
• @openclaw/fiat-wallet
• @clawhub/aisa-twitter-api

Although these plugins were not created by OpenClaw or ClawHub, their names made them appear official.

Installation commands and registry listings further increased the risk of confusion, potentially leading users to install plugins they believed were endorsed by the organizations.

Why This Is a Security Concern

Manifold’s investigation found that many plugins within the registry used scoped namespaces, but not all of them were ownership verified.

Importantly, researchers did not find obvious malware in the reviewed plugins. However, the primary concern is not the current content of these packages—it is the trust they inherit from misleading namespaces.

Many ClawHub plugins can:

• Execute code inside AI agents
• Access external APIs
• Export agent configurations
• Run Git and GitHub commands
• Perform automated actions on behalf of users

When users mistakenly trust a plugin because of its namespace, attackers gain a powerful opportunity for future abuse.

How ClawHub Responded

Manifold reported the issue to ClawHub through GitHub’s security advisory process on June 17 and later followed up via email.

Within days, ClawHub introduced several remediation measures, including:

• A namespace ownership dispute process
• Removal of misleading plugins from public listings
• Updated documentation explaining how legitimate owners can claim namespaces
• Additional review procedures for namespace ownership requests

These actions helped reduce the immediate risk and improve transparency within the registry.

Lessons for Plugin Registries

This incident highlights the importance of strong provenance controls in software ecosystems.

Any registry that introduces organizational namespaces must ensure:

• Namespace ownership verification
• Automated enforcement during publishing
• Continuous monitoring for impersonation attempts
• Fast dispute resolution and takedown processes

Without these safeguards, trusted namespaces can become an avenue for supply chain attacks and software impersonation.

Looking Ahead

As AI agents and plugin ecosystems continue to grow, so does the importance of software provenance and supply chain security.

Organizations must not only verify who publishes a plugin but also maintain visibility into what those plugins are capable of doing after installation.

The ClawHub scope squatting incident serves as a reminder that trust signals are only effective when they are backed by strong verification and enforcement mechanisms.

The post Scope Squatting Vulnerability Exposed in ClawHub Plugin Registry appeared first on First Hackers News.

Tracked as CVE-2026-20266, the vulnerability affects AI Toolkit versions prior to 5.7.4. Due to its potential impact, the flaw has received a critical severity rating and should be addressed immediately by affected organizations.

Command Injection Flaw Creates Serious Security Risk

The vulnerability is linked to improper handling of system commands within a configuration helper component. An attacker with Splunk administrator privileges could exploit the weakness to execute arbitrary commands directly on the host system.

Successful exploitation could result in:

• Unauthorized command execution
• Full system compromise
• Manipulation or deletion of security logs
• Service disruption and operational impact
• Potential lateral movement across connected environments

Because the flaw affects administrative functions, malicious activity may appear similar to legitimate system operations, making detection more difficult in some cases.

Additional Vulnerability and Recommended Actions

Alongside the critical issue, Splunk also addressed a medium-severity vulnerability that could allow low-privileged users to initiate outbound connections to untrusted external domains. This behavior may increase the risk of data exposure in environments where network traffic is not tightly restricted.

To reduce risk, organizations should:

• Upgrade the Splunk AI Toolkit to version 5.7.4 or later
• Review administrative account access and permissions
• Restrict unnecessary outbound communications
• Verify domain validation settings are properly configured
• Remove or disable the AI Toolkit if immediate patching is not possible

The disclosure highlights the growing security challenges associated with AI-enabled enterprise applications. As AI capabilities become more integrated into business platforms, maintaining strong security controls, validating inputs, and monitoring external communications remain essential for protecting critical systems.

The post Critical Splunk AI Toolkit Vulnerability Discovered appeared first on First Hackers News.

The notification covers multiple products, including NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and App Protect security modules. According to F5, organizations using affected versions should prioritize updates to reduce exposure to active threats.

Critical Vulnerabilities Impact HTTP/3, HTTP/2, and gRPC Services

Among the most serious issues is CVE-2026-42530, a vulnerability within the NGINX HTTP/3 module. Attackers can exploit specially crafted HTTP/3 requests to trigger memory-related errors, causing worker processes to crash repeatedly. In certain environments, the flaw may also open a path for remote code execution.

Another high-risk vulnerability, CVE-2026-42055, affects deployments that utilize HTTP/2 or gRPC proxying. Malicious traffic can abuse weaknesses in request handling, potentially leading to service interruptions, application crashes, and in some cases, code execution risks.

Key concerns include:

• Potential remote code execution on vulnerable systems
• Denial-of-service conditions causing service outages
• Increased risk for environments using HTTP/3, HTTP/2, and gRPC
• Exposure across several NGINX-based products and services

Gateway Fabric Vulnerabilities Add Additional Risk

F5 also highlighted multiple high-severity vulnerabilities impacting NGINX Gateway Fabric deployments. These issues can affect traffic routing reliability, application availability, and overall service stability in cloud-native and gateway environments.

To address the risks, F5 has released updated versions containing security fixes and recommends that customers:

• Upgrade affected NGINX products immediately
• Review exposed HTTP/2, HTTP/3, and gRPC services
• Verify that security patches have been applied successfully
• Update Gateway Fabric deployments to the latest supported release

The advisory serves as a reminder that organizations relying on modern web application infrastructure should maintain a proactive patch management strategy, particularly when vulnerabilities affect core traffic-processing components.

Recommended Security Actions

F5 urges customers to update affected NGINX products to the latest secure versions as soon as possible.

For systems that cannot be patched immediately, organizations should disable unnecessary HTTP/3 and QUIC services, limit HTTP/2 and gRPC exposure, strengthen access controls, and enable security hardening measures to reduce the risk of exploitation.

The post F5 NGINX Vulnerabilities Patched in Critical Security Update appeared first on First Hackers News.

The campaign highlights a growing trend where threat actors abuse trusted administrative tools to blend into normal network activity, making detection significantly more difficult. Once access is established, attackers focus on identifying sensitive documents, privileged communications, intellectual property, and client-related information that can later be leaked or used for extortion.

Threat Actor Profile

Who is UNC3753?

UNC3753 is known for targeting organizations that handle valuable confidential information. Researchers observed the group using legitimate remote administration software instead of custom malware, reducing the likelihood of triggering traditional security controls.

Primary Targets

• Law firms
• Legal service providers
• Corporate legal departments
• Financial organizations
• Professional service firms

Primary Objectives

• Data theft
• Extortion
• Information brokerage
• Intelligence gathering

Initial Access Through Social Engineering

Unlike many ransomware groups that rely on vulnerability exploitation, UNC3753 often gains access through direct interaction with victims.

• Fake IT support requests
• Help desk impersonation
• Remote assistance invitations
• Phishing emails

Victims are convinced to join remote sessions or install legitimate RMM software under the assumption they are receiving technical support.

RMM Tools as an Attack Vector

After gaining initial trust, attackers deploy legitimate RMM software to maintain access.

• Persistent remote access
• File transfer capabilities
• Command execution
• Session monitoring

By leveraging legitimate software, attackers can avoid many traditional malware-based detections.

Data leak portal used by threat actors to advertise stolen information and pressure victims into complying with extortion demands.

Living-Off-The-Land Techniques

UNC3753 relies heavily on legitimate tools already trusted within enterprise environments.

• Remote access software
• File synchronization tools
• Screen-sharing applications
• Cloud storage platforms

Indicators of Compromise (IOCs)

The researchers identified multiple infrastructure indicators associated with UNC3753 operations, including attacker-controlled IP addresses, phishing support domains, and data leak platforms used for victim extortion and disclosure.

Security Recommendations

• Strengthen User Awareness
• Restrict RMM Usage
• Implement MFA
• Monitor Sensitive Data Repositories

The UNC3753 campaign demonstrates how threat actors can successfully compromise organizations without relying heavily on malware. By abusing screen-sharing sessions, legitimate RMM software, and social engineering techniques, attackers gain access to highly sensitive legal information while remaining difficult to detect. Organizations should focus on monitoring remote access activity, restricting unauthorized administrative tools, and strengthening employee awareness to reduce the risk of similar attacks.

The post UNC3753 Exploits Screen-Sharing Sessions and RMM Tools to Steal Sensitive Legal Data appeared first on First Hackers News.

The campaign primarily focused on compromising REDCap (Research Electronic Data Capture) servers, a widely used platform for managing clinical research databases and surveys. After gaining access, the attackers deployed custom malware called INFINITERED, harvested credentials, established persistence, and later abused enterprise email compliance rules to exfiltrate sensitive communications.

Campaign Overview

The operation demonstrates a sophisticated attack chain combining exploitation of public-facing applications, credential theft, malware deployment, persistence mechanisms, and stealthy data exfiltration.

Key Objectives

• Medical research intelligence
• Artificial Intelligence research
• Defense-related information
• Military health research Public health policy data

Researchers observed the activity from September 2023 through November 2025, indicating a highly patient and well-resourced espionage operation.

High-level attack flow used by UNC6508 to compromise research institutions and steal sensitive information.

Initial Access Through REDCap Servers

Why REDCap Was Targeted

REDCap is extensively used across:

• Hospitals
• Clinical research organizations
• Universities
• Government research programs
• Military health institutions

Because REDCap stores large volumes of research and patient-related information, it provides an attractive entry point for espionage-focused threat actors.

Researchers observed the attackers probing and exploiting vulnerable or legacy REDCap deployments exposed to the internet. Once access was obtained, they began internal reconnaissance and credential discovery activities.

Web Shell Deployment and Persistence

Following successful compromise, UNC6508 deployed a web shell identified as:

help.php

The web shell served multiple purposes:

• Persistent access
• File uploads
• Command execution
• Further malware deployment

This allowed the attackers to maintain long-term access even if passwords were changed or some security controls were implemented.

INFINITERED Malware Analysis

Three months after the initial intrusion, researchers observed deployment of a custom malware family called INFINITERED. This malware was specifically engineered to operate inside REDCap environments.

Modular architecture of INFINITERED malware used by UNC6508 to maintain persistence, harvest credentials, and execute commands within compromised REDCap environments.

Component 1 – Upgrade Interceptor

The malware monitors REDCap upgrade activities.

When administrators update REDCap, the malware automatically injects itself into newer versions, ensuring persistence across software upgrades

Component 2 – Credential Harvester

This module captures usernames and passwords entered into REDCap login pages.

Stolen credentials are stored within REDCap database tables and later retrieved by attackers.

Component 3 – Command-and-Control Backdoor

The third module acts as a fully functional backdoor.

Researchers found it could:

• Execute shell commands
• Upload files
• Download files
• Run SQL queries

Communication was hidden within HTTP cookie values, helping evade traditional detection mechanisms.

Abuse of Google Workspace for Data Exfiltration

One of the most interesting aspects of the campaign was the attackers’ use of legitimate Google Workspace functionality.

After obtaining administrative access, UNC6508 created a content compliance rule named:

Patroit

The rule automatically monitored emails containing specific keywords and forwarded matching messages to attacker-controlled Gmail accounts.

Attack Chain Breakdown

• External Reconnaissance
• Initial Compromise
• Persistence
• Privilege Escalation
• Intelligence Gathering

Potential Impact on Organizations

Organizations affected by this campaign could experience:

Research Theft

Loss of valuable intellectual property and scientific research.

Strategic Intelligence Exposure

Disclosure of defense and geopolitical information.

Credential Compromise

Unauthorized access to enterprise systems.

Regulatory Risks

Exposure of regulated healthcare and research data.

Alternative Indicators of Compromise (IOCs)

Security Recommendations

Upgrade REDCap Immediately

Remove legacy versions and apply the latest security updates.

Conduct Threat Hunting

Search for:

• help.php
• INFINITERED artifacts
• Unauthorized admin activity
• Credential harvesting indicators

The UNC6508 campaign highlights how modern nation-state threat actors are increasingly targeting research ecosystems to obtain strategic intelligence. By exploiting REDCap servers, deploying INFINITERED malware, and abusing legitimate cloud email features, the attackers maintained access for more than a year while collecting sensitive medical, defense, and technology research data. Organizations operating research platforms should prioritize patching, continuous monitoring, and proactive threat hunting to defend against similar espionage campaigns.

The post PRC-Linked Threat Actors Target REDCap Servers to Spy on U.S. Medical Research Organizations appeared first on First Hackers News.

Unlike traditional phishing attacks that immediately request credentials, Sniper Dz employs a multi-stage social engineering process designed to gradually build trust before redirecting users into malicious advertising and scam ecosystems. The campaign demonstrates how threat actors are increasingly combining social media platforms, legitimate web services, and browser features to maximize victim engagement.

Technical Analysis of the Campaign

Researchers found that the operation relies heavily on social engineering techniques rather than malware deployment. Victims are initially exposed to attractive Facebook advertisements promising prizes, discounts, giveaways, or exclusive offers.

The campaign then guides users through a series of seemingly legitimate web pages before ultimately triggering browser notification permissions and redirecting users into fraudulent content networks. By abusing trusted platforms and legitimate web services, the attackers are able to reduce suspicion and improve campaign effectiveness.

Sniper Dz Attack Flow

The attack follows a structured victim funnel designed to maximize conversion rates while minimizing detection.

Phase 1 – Social Media Lures

Attackers publish fraudulent advertisements and impersonation posts across social media platforms.

• Free gift offers
• Discount promotions
• Prize giveaways
• Mobile device rewards

Phase 2 – Legitimate-Looking Bridge Pages

Instead of immediately redirecting victims to malicious content, the campaign utilizes intermediary pages hosted on legitimate services.

• Link aggregation platforms
• Landing page builders
• Redirect services
• Social media profile pages

These bridge pages help bypass security filters and increase the perceived legitimacy of the campaign.

Simplified representation of the Sniper Dz victim funnel showing how users are guided from social media lures through trusted bridge pages before being exposed to browser notification abuse and scam content.

Phase 3 – Browser Notification Abuse

Once users reach the final stage, they are encouraged to allow browser notifications through deceptive prompts.

• Fake CAPTCHA pages
• “Click Allow to Continue”
• “Verify You’re Human”

After notification permissions are granted, attackers gain a persistent channel to deliver scam advertisements and fraudulent alerts directly to the victim’s browser.

Potential Risks to Users

• Financial Fraud
• Privacy Exposure
• Continuous Scam Exposure
• Credential Theft

Why Social Engineering Remains Effective

Modern scam campaigns increasingly rely on psychological manipulation rather than technical exploitation. By leveraging trusted platforms such as Facebook and legitimate web services, attackers can make fraudulent content appear authentic.

The use of multiple redirection stages also helps threat actors evade automated detection systems while increasing the likelihood that victims will complete the entire attack flow.

As users become more aware of traditional phishing techniques, attackers continue to evolve their tactics by combining social media abuse, browser notification exploitation, and deceptive marketing strategies.

Security Recommendations

• Verify Promotional Offers
• Review Browser Notifications
• Exercise Caution with Redirects
• Implement Security Awareness Training

The Sniper Dz campaign demonstrates how modern threat actors are leveraging social media impersonation, trusted bridge pages, and browser notification abuse to target users across the MENA region. Rather than relying on malware, the operation exploits user trust and social engineering tactics to drive victims toward fraudulent content, making awareness and browser security practices critical defenses against these evolving threats.

The post New Sniper Dz Scam Operation Exploits MENA Users with Fraudulent Facebook Offers appeared first on First Hackers News.

The attacks have been linked to the threat group ShinyHunters, which has reportedly targeted more than 100 organizations, with a significant concentration in the education sector. Researchers observed exploitation activity before Oracle publicly released its security advisory, classifying the vulnerability as a true zero-day.

Because Oracle PeopleSoft is widely used for managing human resources, payroll, finance, and other business-critical functions, successful exploitation could expose highly sensitive organizational data and provide attackers with deep access into enterprise environments.

Technical Breakdown of the Attack

The vulnerability resides within Oracle PeopleSoft PeopleTools, specifically affecting components exposed to the internet. Security researchers indicate that attackers can exploit the flaw without valid credentials, enabling remote execution of arbitrary commands on affected servers. The vulnerability carries a critical severity rating and may lead to full system compromise if left unmitigated.

Researchers also reported that threat actors leveraged the flaw against Environment Management Hub (PSEMHUB) endpoints. Following successful exploitation, attackers can deploy malicious tools, execute administrative commands, and establish persistent access within the targeted environment.

The Attack Chain Can Involve :

• Reconnaissance of internet-facing PeopleSoft servers.
• Identification of vulnerable PeopleTools instances.
• Exploitation of CVE-2026-35273 without authentication.
• Remote code execution on the application server.
• Deployment of web shells or remote management tools.

Multiple Other Methods Threat Actors May Use

While the zero-day vulnerability serves as the initial access vector, attackers frequently combine additional techniques to strengthen their foothold and increase operational success.

• Web shell deployment
• Credential theft
• Authentication bypass attacks
• Exploitation of legacy vulnerabilities

Modern threat actors rarely rely on a single attack technique. Instead, they combine multiple methods to gain deeper access, maintain persistence, evade security monitoring, and ultimately achieve objectives such as data theft, extortion, or ransomware deployment.

Why Enterprise Applications Remain a High-Value Target

Enterprise platforms such as Oracle PeopleSoft store some of an organization’s most valuable information, including employee records, financial data, payroll details, and operational information. Because these systems often integrate with multiple business applications, a single compromise can provide attackers with extensive visibility across the enterprise.

Threat actors increasingly target business-critical applications because successful exploitation can deliver immediate access to large volumes of sensitive data. In many environments, these platforms are internet-facing and may not receive the same level of security monitoring as endpoints, making them attractive targets for advanced threat groups.

Security Experts Recommend That Organizations

• Apply Oracle Mitigations Immediately
• Audit Internet-Facing PeopleSoft Systems
• Strengthen Access Controls
• Conduct Threat Hunting Activities

The active exploitation of CVE-2026-35273 demonstrates how rapidly threat actors can weaponize critical enterprise software vulnerabilities. With ShinyHunters reportedly targeting organizations through Oracle PeopleSoft environments, security teams should prioritize mitigation efforts, strengthen monitoring capabilities, and review exposure of internet-facing enterprise applications to reduce the risk of compromise.

The post Critical Oracle PeopleSoft Zero-Day RCE Vulnerability Actively Exploited by ShinyHunters appeared first on First Hackers News.

The issue is significant because BitLocker is widely used by enterprises and government organizations to protect sensitive data. If exploited successfully, attackers could gain access to encrypted information without requiring the BitLocker recovery key, reducing the effectiveness of one of Windows’ most important security controls.

How It Works

The GreatXML exploit reportedly abuses the way Windows Recovery Environment processes configuration files during recovery operations. Researchers observed that specially crafted XML files, including an unattend.xml file and modified recovery configuration files, can be placed within the recovery partition.

When the affected system enters Recovery Mode, these files are processed automatically. Instead of loading the expected recovery interface, the manipulated configuration may trigger a command shell running with elevated SYSTEM privileges, granting access to the unlocked BitLocker-protected volume. The exploit appears to leverage trusted recovery mechanisms rather than traditional memory corruption or kernel vulnerabilities.

The Attack Chain Can Involve

1. Initial Device Access

• Physical access to a workstation or laptop.
• Administrative access obtained through another compromise.

2. Recovery Partition Modification

• Placement of malicious XML files within the recovery partition.
• Modification of recovery configuration settings.

3. Privilege Escalation

• Launch of a SYSTEM-level command shell.
• Access to BitLocker-protected storage.

4. Data Access and Collection

• Viewing sensitive files.
• Extraction of credentials and corporate information.
• Offline forensic evasion activities.

Multiple Other Methods Threat Actors May Use

Although GreatXML focuses on recovery partition XML files, attackers frequently target BitLocker through additional techniques, including:

• indows Recovery Environment abuse
• Boot Manager manipulation
• Privilege escalation vulnerabilities
• Offline disk analysis after system theft

Modern attackers often combine multiple vulnerabilities to increase the likelihood of success and evade detection.

Why Legacy Components Remain a Risk

Many organizations focus heavily on operating system patching and endpoint detection while overlooking legacy recovery components and boot infrastructure. Recovery partitions, WinRE configurations, deployment scripts, unattended setup files, and offline maintenance tools often receive less monitoring than standard system files.

Attackers increasingly target these trusted components because they operate outside traditional security controls. Since recovery environments are designed to help administrators regain access to systems, they frequently possess elevated privileges and trusted execution paths. When abused, these features can become powerful attack vectors.

Security Experts Recommend That Organizations

To reduce exposure to GreatXML and similar recovery-environment attacks, security teams should:

Harden BitLocker Deployments

• Enable TPM + PIN authentication.
• Enforce strong recovery key management.
• Monitor BitLocker policy compliance.

Secure Recovery Environments

• Restrict unauthorized access to WinRE.
• Monitor changes to recovery partitions.
• Audit recovery-related files and configurations.

Maintain Patch Management

• Apply Microsoft security updates promptly.
• Track new advisories related to BitLocker, WinRE, and Defender Offline Scan.
• Review recovery partition configurations after major updates.

The GreatXML vulnerability serves as a reminder that encryption alone does not guarantee complete protection. Recovery environments, boot processes, and trusted system components can become attractive targets for attackers seeking to bypass traditional security controls. Organizations should adopt a layered security strategy that includes BitLocker hardening, recovery environment monitoring, physical security controls, and continuous threat detection to reduce the risk of compromise.

The post Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files appeared first on First Hackers News.

Security researchers demonstrated that the flaws can be chained together to achieve remote code execution with root privileges through a single specially crafted request. The vulnerabilities affect UniFi OS Server installations and pose a significant risk to organizations using exposed management interfaces, highlighting the importance of addressing UniFi OS Vulnerabilities.

Because the attack requires no authentication, security experts are urging administrators to patch affected systems immediately.

How the Attack Works

The exploit begins with vulnerabilities that allow attackers to bypass UniFi OS authentication protections.

Researchers discovered that inconsistencies in how requests are processed can allow specially crafted URLs to access internal functions that should normally require authentication. Once inside, attackers can target a separate command injection flaw within the system’s update mechanism.

The attack chain allows threat actors to:

• Bypass authentication controls
• Execute commands remotely
• Gain root-level access
• Install malicious software
• Maintain long-term access to the system

Researchers confirmed that the exploit can be executed remotely against vulnerable devices running affected versions of UniFi OS.

Potential Impact on Organizations

A successful compromise gives attackers complete control over the UniFi management platform.

With root access, attackers may be able to:

• Create persistent administrator accounts
• Access sensitive network data
• Steal encryption and authentication keys
• Extract database information
• Modify system configurations
• Maintain access even after password changes

In environments using UniFi Access and UniFi Protect, the risks extend beyond traditional IT systems.

Researchers warn that attackers could potentially:

• Unlock connected doors
• Access surveillance systems
• Monitor live camera feeds
• Delete security footage
• Access stored credential information

This makes the vulnerabilities especially concerning for organizations that rely on UniFi products for both network and physical security management.

Recommended Mitigation Steps

Administrators should immediately upgrade to the latest patched UniFi OS versions provided by Ubiquiti.

Additional security measures include:

• Restrict management interfaces from internet access
• Rotate authentication and signing keys
• Change administrative credentials
• Review systems for suspicious activity
• Rebuild potentially compromised servers
• Audit access logs and configurations

Security experts advise treating any internet-exposed, unpatched UniFi OS instance as potentially compromised due to the severity of the vulnerabilities and the ease of exploitation.

The post Critical UniFi OS Vulnerabilities Allow Root RCE appeared first on First Hackers News.