While Meta stated that its infrastructure was not breached, the incident highlights the risks of relying on AI systems for sensitive account management functions.

How the Issue Worked

The problem was reportedly linked to the logic used by Meta’s AI support assistant. Instead of exploiting servers or software vulnerabilities, attackers allegedly manipulated the chatbot into triggering password recovery actions.

According to researchers, the AI system could be persuaded to send password reset links or codes without performing sufficient identity checks. In some cases, simply knowing a target’s Instagram username may have been enough to initiate the process.

This type of attack is different from traditional hacking methods because it focuses on exploiting the behavior of automated systems rather than technical flaws in infrastructure.

Researchers noted that the issue demonstrated how AI tools can become vulnerable when strict authentication controls and security safeguards are not fully enforced.

Valuable Instagram Accounts Were Targeted

Reports indicate that attackers focused primarily on high-value Instagram usernames and accounts that are often traded in underground marketplaces.

Short, rare, and highly desirable usernames can sell for significant amounts of money, making them attractive targets for cybercriminals.

Security researchers found evidence suggesting that compromised accounts were quickly offered for sale through private online channels, highlighting the growing business of account takeover operations.

This trend reflects an evolving cybercrime ecosystem where attackers target digital identities that can be rapidly monetized.

Meta Responds and Fixes the Issue

Meta has confirmed that the problem has been addressed and stated that user accounts remain secure.

According to the company, the issue allowed certain password reset requests to be triggered improperly, but there was no compromise of Meta’s backend systems or customer databases.

The company quickly implemented a fix after receiving reports from researchers and emphasized that the vulnerability has been resolved.

Lessons for Users and Platforms

The incident serves as a reminder that AI-powered support tools can introduce new security challenges if they are not carefully designed.

To reduce risk, organizations should implement:

• Strong identity verification controls
• Strict rate-limiting mechanisms
• Context-aware AI decision making
• Enhanced monitoring for abuse attempts
• Additional safeguards for account recovery processes

Researchers also noted that accounts protected with two-factor authentication (2FA) were not affected by the reported attacks.

As AI becomes more integrated into customer support and account management systems, security experts expect attackers to continue testing these technologies for weaknesses. Strong authentication and layered security controls remain essential for protecting user accounts from emerging threats.

The post Meta AI Flaw Linked to Instagram Password Resets appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.

The issues affect the Angular.ng-template extension and stem from unsafe handling of user-controlled input and insecure loading of configuration files. Researchers warned that simply opening a malicious project in VS Code could be enough to trigger an attack.

The vulnerabilities mainly target developers working with Angular projects and could lead to full system compromise if exploited successfully.

Malicious JSDoc Comments Can Trigger Command Execution

One of the vulnerabilities involves the way the extension processes JSDoc comments inside TypeScript and JavaScript files.

Researchers found that the extension enables trusted Markdown rendering, allowing embedded command links to run inside hover previews. Because the Angular language server does not properly sanitize JSDoc content, attackers can insert malicious command URIs into project files.

In a possible attack scenario:

• An attacker adds a malicious JSDoc comment to a project
• The developer opens the file in VS Code
• Hovering over the affected symbol displays the malicious link
• Clicking the link executes commands on the host system

This creates a practical path for remote code execution through normal development workflows.

Workspace Configuration Flaw Allows Silent Code Execution

A second vulnerability affects how the extension handles the TypeScript SDK (tsdk) configuration.

The extension reads settings directly from the project’s .vscode/settings.json file and loads the specified tsserverlibrary.js file without properly checking workspace trust or requesting user approval.

Attackers can abuse this behavior by:

• Placing a malicious tsserverlibrary.js file inside the repository
• Modifying workspace settings to reference the file
• Triggering automatic execution when the project is opened

Unlike the JSDoc attack, this method requires no user interaction and can run silently during extension initialization.

Researchers noted that this behavior effectively bypasses VS Code’s Workspace Trust protections, which are intended to prevent untrusted projects from executing code automatically.

High Risk for Developers

Successful exploitation could allow attackers to:

• Execute arbitrary system commands
• Access sensitive development data
• Install persistent malware
• Compromise developer environments

A developer cloning and opening a malicious repository could unknowingly trigger the attack immediately after loading the project in VS Code.

The vulnerabilities were disclosed under GitHub advisory GHSA-ccq4-xmxr-8hcq and impact all extension versions before 21.2.4.

The issues have now been fixed in the latest release, and developers are strongly advised to upgrade immediately.

Security Recommendations

To reduce risk, developers should:

• Update Angular Language Service to version 21.2.4 or later
• Avoid opening untrusted repositories
• Carefully review .vscode/settings.json files
• Use VS Code Workspace Trust features
• Monitor suspicious extension behavior
• Follow secure coding and repository validation practices

The findings highlight growing security risks targeting software development environments and trusted developer tools.

The post Angular Language Service Vulnerabilities Enable RCE Attacks appeared first on First Hackers News.

Apache OFBiz is a widely used open-source ERP platform used to manage enterprise business operations and workflows. Researchers from Aretiq AI discovered that attackers could abuse the platform’s password-change mechanism to gain unauthorized access and execute malicious code on vulnerable servers.

Authentication Bypass Through Password Reset Logic

The issue originates from the way Apache OFBiz handles forced password-change workflows. Normally, accounts marked with requirePasswordChange=Y should remain restricted until the password reset process is completed.

However, researchers found that the LoginWorker.checkLogin() method incorrectly treats the requirePasswordChange response as a successful login instead of an authentication failure.

The vulnerability becomes more dangerous because the requirePasswordChange value is read directly from user-controlled HTTP request parameters rather than securely validated against database records.

By abusing this behavior, attackers can:

• Inject password-change parameters into a crafted HTTP request
• Create an authenticated session without completing a proper login process

Researchers also warned that many OFBiz deployments still contain default demo accounts such as admin, flexadmin, and demoadmin, often configured with default credentials like ofbiz.

Remote Code Execution and Security Fixes

The authentication bypass can be chained with another vulnerability affecting ProgramExport.groovy. In vulnerable versions, the component allows execution of user-supplied Groovy code without proper sandboxing or permission checks.

This allows attackers to execute arbitrary system commands directly on the server. Researchers successfully demonstrated remote code execution on OFBiz 24.09.05 using a single crafted POST request targeting /webtools/control/ProgramExport.

Successful exploitation could allow attackers to:

• Execute malicious commands on the server
• Deploy malware or backdoors

Apache fixed the issue in version 24.09.06 by removing unsafe password-change handling, adding stricter permission checks, and introducing a secure Groovy sandbox to block dangerous command execution patterns.

Organizations are strongly advised to upgrade immediately, remove default demo accounts, change weak credentials, and restrict access to sensitive OFBiz administrative endpoints.

The post Apache OFBiz Vulnerability Enables Authentication Bypass appeared first on First Hackers News.

ExifTool is widely used to read and modify metadata in images, PDFs, and multimedia files. Because the tool is heavily integrated into media workflows, automation pipelines, and digital asset management systems, the vulnerability creates a significant security risk in environments that handle untrusted files.

The implications of the ExifTool vulnerability extend to various sectors, where data integrity and security are paramount.

How the Vulnerability Works

The issue is linked to improper sanitization of metadata fields related to file creation dates on macOS. Researchers found that attackers can embed malicious commands inside image metadata fields such as FileCreateDate or DateTimeOriginal.

When ExifTool processes the manipulated file under specific conditions, the hidden command can be executed through the system shell.

The vulnerability becomes exploitable when:

• ExifTool processes raw metadata values using the -n flag
• Malicious metadata is copied through the -tagsFromFile feature
• Unsafe input reaches a system() execution call without proper filtering

Researchers observed that ExifTool internally builds system commands using metadata values extracted directly from files. While most parameters are sanitized, one execution path allowed unfiltered user-controlled data to be passed into a shell command.

This creates a command injection scenario where attackers can run arbitrary commands with the privileges of the user processing the file.

Security Risks and Patch Information

The vulnerability is especially dangerous for organizations using automated image-processing workflows, newsroom environments, or media management platforms where files are processed automatically.

Because the malicious payload is hidden inside metadata, the image itself may appear legitimate and bypass traditional security checks.

If exploited successfully, attackers could:

• Execute malicious commands on macOS systems
• Deploy malware or backdoors
• Steal sensitive information
• Move laterally across internal networks

Researchers from Kaspersky identified the vulnerability, and ExifTool developers addressed the issue in version 13.50.

The patched release changes how system commands are executed by replacing unsafe string-based command construction with safer argument-based execution methods. This prevents shell interpretation and significantly reduces the risk of command injection.

Users and organizations are strongly advised to update to ExifTool 13.50 or later immediately. Security experts also recommend processing untrusted files inside isolated environments such as sandboxes or virtual machines to reduce exposure to malicious media files.

The incident highlights an ongoing cybersecurity challenge where even trusted file-processing tools can become attack vectors if user-controlled input is not handled securely.

The post ExifTool Flaw Allows Mac System Compromise appeared first on First Hackers News.

Security researchers observed exploitation attempts within days of the vulnerability becoming public, highlighting how quickly attackers move to abuse flaws in widely used infrastructure software.

How the NGINX Vulnerability Works

The issue is caused by a heap buffer overflow in the NGINX worker process. Attackers can trigger the flaw by sending specially crafted HTTP requests to vulnerable servers.

Because the vulnerability does not require authentication, exposed systems are at higher risk. In many cases, attackers can crash the NGINX worker process, leading to service disruption. Under specific conditions, the flaw could also be leveraged for remote code execution.

Researchers noted that full remote code execution is more likely on systems where protections such as Address Space Layout Randomization (ASLR) are disabled.

The vulnerability mainly affects servers using specific rewrite configurations, meaning not every NGINX deployment is directly exploitable. However, identifying vulnerable systems at internet scale remains difficult.

Large Exposure and Security Recommendations

Security researchers estimate that millions of internet-facing NGINX servers could potentially be affected. Even if only a fraction of those systems meet the exact exploitation conditions, the overall attack surface remains significant.

Attackers are already scanning for vulnerable or misconfigured servers, increasing the urgency for organizations to respond quickly.

To reduce risk, security teams should:

• Apply the latest NGINX patches and updates
• Review rewrite configurations carefully
• Enable protections such as ASLR
• Monitor for suspicious or unusual HTTP requests

The incident highlights how vulnerabilities in widely deployed technologies can quickly become major security threats, even when exploitation depends on specific configurations.

With active exploitation already underway, rapid patching and continuous monitoring are critical to preventing compromise.

The post NGINX Vulnerability Enables Remote Code Execution appeared first on First Hackers News.

The flaw was identified during internal security testing by MongoDB and primarily impacts core MongoDB Server deployments, particularly in self-managed environments.

Technical Overview of the Vulnerability

The vulnerability enables arbitrary code execution, a class of flaws that allows threat actors to run malicious instructions directly on the host system. This effectively bypasses standard security boundaries and can grant attackers control over the database server.

Given that MongoDB often stores centralized and high-value data, exploitation of this flaw could lead to unauthorized data access, credential exposure, and system-level compromise. Attackers may also leverage the compromised host to establish persistence or pivot laterally within the network.

The issue affects MongoDB versions 5.0 and later in self-hosted deployments, where patch management depends entirely on the organization’s update practices.

Impact and Mitigation

Managed cloud users of MongoDB Atlas are not impacted, as the vulnerability has already been addressed across the platform through centralized patch deployment.

However, self-hosted environments remain exposed until updates are applied. MongoDB has released patched versions, including updates in recent release cycles such as 7.0.31, 8.0.20, and 8.2.7, to mitigate this risk.

Although there is currently no evidence of active exploitation, the nature of arbitrary code execution vulnerabilities makes them highly attractive to attackers. Systems that remain unpatched could be quickly targeted once exploit techniques become publicly available.

Organizations should ensure their MongoDB deployments are updated to the latest secure versions and aligned with current security baselines. Maintaining timely patching and monitoring practices is essential to reduce the risk of compromise.

The post MongoDB Vulnerability Allows Arbitrary Code Execution appeared first on First Hackers News.

The vulnerabilities allow attackers with basic local access to increase their privileges and operate with administrative-level control. In real-world scenarios, this type of access is often used as a stepping stone for larger attacks, including lateral movement and data exfiltration.

Privilege Escalation Risks in Windows Environments

Two high-severity vulnerabilities, each rated with a CVSS score of 7.8, impact Zoom’s Windows-based components.

The first issue affects Zoom Rooms for Windows and is caused by an untrusted search path vulnerability within the installer. This means the application may load files from unintended locations, allowing attackers to inject malicious code during execution.

The second flaw targets the Zoom Workplace VDI Plugin. It stems from improper control over file names and paths in the installation process. By manipulating these paths, an attacker can execute arbitrary code and escalate privileges.

These vulnerabilities are particularly dangerous because they require minimal effort to exploit once initial access is obtained. Attackers can leverage them to:

• Disable or bypass endpoint security controls
• Access and extract sensitive enterprise data
• Maintain persistence within the environment
• Move laterally across systems inside the network
• Deploy additional payloads such as ransomware

Such privilege escalation flaws are highly valuable in targeted attacks, especially in corporate environments where Zoom is widely used.

iOS Vulnerability and Overall Impact

A separate vulnerability affects Zoom Workplace on iOS devices, though its severity is significantly lower. This issue involves a failure in a protection mechanism that could allow limited data exposure.

However, exploitation requires physical access to the device, which reduces the likelihood of large-scale attacks. Still, it highlights the importance of securing mobile endpoints alongside desktop systems.

The key concern across all these vulnerabilities is the potential for unauthorized access to sensitive data and system resources, particularly in organizations that rely heavily on collaboration tools.

To address these risks, Zoom Video Communications has released security patches for all affected components. Because these flaws are now publicly disclosed, unpatched systems may become targets for active exploitation.

Users and organizations should immediately update:

• Zoom Rooms for Windows to version 7.0.0 or later
• Zoom Workplace VDI Plugin to version 6.6.11 or newer
• Zoom Workplace for iOS to version 7.0.0 or above

Timely patching, combined with proper access controls and endpoint monitoring, is essential to prevent these vulnerabilities from being exploited in real-world attacks.

The post Zoom Vulnerability Allows Privilege Escalation Attacks appeared first on First Hackers News.

While some of these issues require prior access or valid credentials, the overall risk remains significant—especially for organizations relying heavily on SonicWall firewalls to protect their networks. Immediate attention and updates are strongly recommended.

Major Security Risks Identified

The most serious issue involves a flaw in how access controls are handled. Under certain conditions, an attacker on a nearby network could bypass normal authentication checks and gain access to sensitive management functions.

This type of access can be highly dangerous. If exploited, attackers may be able to:

• Change firewall rules
• Disable security protections
• Modify system configurations

In addition to this, two other vulnerabilities affect users who already have access to the system. One allows attackers to move outside restricted directories and interact with protected services, while another can overload the system and force the firewall to crash.

Breakdown of the Vulnerabilities

The advisory highlights three key issues that administrators should be aware of:

• Access control bypass flaw – Allows unauthorized access to management functions from adjacent networks
• Path traversal issue – Lets authenticated users reach restricted system areas
• Buffer overflow vulnerability – Can be used to crash the firewall and disrupt operations

Each of these issues presents a different level of risk, but together they create a serious security concern for affected systems.

What Organizations Should Do

SonicWall has provided fixes and recommended actions to reduce the risk. Organizations using SonicOS should review the advisory and apply updates as soon as possible.

Delaying patches could leave systems exposed to attacks that impact both security and uptime. Ensuring that firewall software is up to date is critical to maintaining a strong defense.

These vulnerabilities highlight how even core security systems like firewalls can become targets. A single flaw can lead to access bypass or service disruption, affecting the entire network.

Staying updated, applying patches quickly, and monitoring systems closely remain essential steps in preventing such risks.

The post SonicWall Flaw Allows Access Bypass and Firewall Crash appeared first on First Hackers News.

The flaw impacted apps like Signal, where message previews could remain on the device even after the app was deleted. This created a privacy risk, as users would assume their data was completely removed.

Apple Notification Privacy Flaw Explained

The vulnerability, tracked as CVE-2026-28950, was caused by a problem in Apple’s notification logging system. Instead of fully deleting notifications, some data was still being stored in system logs.

This meant that message previews, including private conversations, could still exist on the device. Reports showed that investigators were able to recover this data, even after the app had been uninstalled.

Why This Matters

This issue is important because it shows that even secure apps can be affected by system-level behavior. While Signal uses strong encryption, the operating system storing notification previews created an unexpected privacy gap.

Key concerns included:

• Notifications not being fully deleted
• Sensitive message previews remaining accessible
• Data exposure happening outside the app itself

Apple’s Fix and Improvements

Apple resolved the issue by improving how notification data is handled and cleared from the system.

With the update:

• Notification data is properly removed
• Previously stored data is cleared automatically
• Future notifications are no longer retained after deletion

Signal also acknowledged the fix and supported the update, highlighting its importance for user privacy.

Devices That Receive the Update

The update is available for multiple Apple devices, including:

• iPhone 11 and newer
• iPad Pro (recent models)
• iPad Air (3rd generation and later)
• iPad (8th generation and later)
• iPad mini (5th generation and later)

Older supported devices can receive similar security fixes through updated versions.

What Users Should Do

Users should update their devices as soon as possible to stay protected. Keeping your system updated helps prevent privacy risks and ensures your data is secure.

To install the update, go to Settings, tap General, and select Software Update.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post Apple Notification Privacy Flaw Fixed in iOS Update appeared first on First Hackers News.