Security researchers warn that the vulnerabilities could allow attackers to escalate privileges, disrupt systems, and strengthen post-exploitation attacks inside compromised environments.

Privilege Escalation Flaw in Microsoft Defender

The most critical vulnerability, CVE-2026-41091, is an elevation of privilege flaw with a CVSS score of 7.8. The issue is caused by improper link resolution before file access, a weakness categorized under CWE-59.

According to Microsoft, attackers with limited access to a system can exploit the flaw locally to gain higher privileges without requiring user interaction. Because the vulnerability has low attack complexity, it becomes especially dangerous once threat actors gain initial access through phishing, malware infections, or another compromised application.

Successful exploitation could allow attackers to:

• Gain elevated system privileges
• Access sensitive information
• Modify security settings or disable protections

Microsoft confirmed that exploitation activity has already been detected in the wild, making rapid patching critical for affected environments.

Denial-of-Service Vulnerability and Security Risks

The second flaw, CVE-2026-45498, is a denial-of-service vulnerability with a lower CVSS score of 4.0. Despite its lower severity rating, Microsoft also confirmed active exploitation attempts targeting this issue.

The vulnerability can cause systems running Microsoft Defender to become unstable or unresponsive. Although it does not directly impact confidentiality or integrity, disrupting endpoint security services can weaken defensive visibility and create opportunities for additional attacks.

Researchers noted that both vulnerabilities share several high-risk characteristics:

• No user interaction required
• Low attack complexity
• Active exploitation already observed

Security experts believe the privilege escalation flaw could be used as part of larger attack chains in ransomware operations or advanced persistent threat (APT) campaigns. Attackers commonly use these techniques after gaining initial access to move deeper into enterprise environments and maintain persistence.

Microsoft has released security updates addressing both vulnerabilities, and organizations are strongly advised to deploy patches immediately. Security teams should also monitor endpoint logs, investigate suspicious privilege escalation activity, and strengthen endpoint detection and response capabilities.

The disclosure highlights an ongoing cybersecurity challenge where even widely trusted security products can themselves become targets for advanced attackers.

The post Microsoft Defender Zero-Day Discovered appeared first on First Hackers News.

Apache OFBiz is a widely used open-source ERP platform used to manage enterprise business operations and workflows. Researchers from Aretiq AI discovered that attackers could abuse the platform’s password-change mechanism to gain unauthorized access and execute malicious code on vulnerable servers.

Authentication Bypass Through Password Reset Logic

The issue originates from the way Apache OFBiz handles forced password-change workflows. Normally, accounts marked with requirePasswordChange=Y should remain restricted until the password reset process is completed.

However, researchers found that the LoginWorker.checkLogin() method incorrectly treats the requirePasswordChange response as a successful login instead of an authentication failure.

The vulnerability becomes more dangerous because the requirePasswordChange value is read directly from user-controlled HTTP request parameters rather than securely validated against database records.

By abusing this behavior, attackers can:

• Inject password-change parameters into a crafted HTTP request
• Create an authenticated session without completing a proper login process

Researchers also warned that many OFBiz deployments still contain default demo accounts such as admin, flexadmin, and demoadmin, often configured with default credentials like ofbiz.

Remote Code Execution and Security Fixes

The authentication bypass can be chained with another vulnerability affecting ProgramExport.groovy. In vulnerable versions, the component allows execution of user-supplied Groovy code without proper sandboxing or permission checks.

This allows attackers to execute arbitrary system commands directly on the server. Researchers successfully demonstrated remote code execution on OFBiz 24.09.05 using a single crafted POST request targeting /webtools/control/ProgramExport.

Successful exploitation could allow attackers to:

• Execute malicious commands on the server
• Deploy malware or backdoors

Apache fixed the issue in version 24.09.06 by removing unsafe password-change handling, adding stricter permission checks, and introducing a secure Groovy sandbox to block dangerous command execution patterns.

Organizations are strongly advised to upgrade immediately, remove default demo accounts, change weak credentials, and restrict access to sensitive OFBiz administrative endpoints.

The post Apache OFBiz Vulnerability Enables Authentication Bypass appeared first on First Hackers News.

ExifTool is widely used to read and modify metadata in images, PDFs, and multimedia files. Because the tool is heavily integrated into media workflows, automation pipelines, and digital asset management systems, the vulnerability creates a significant security risk in environments that handle untrusted files.

The implications of the ExifTool vulnerability extend to various sectors, where data integrity and security are paramount.

How the Vulnerability Works

The issue is linked to improper sanitization of metadata fields related to file creation dates on macOS. Researchers found that attackers can embed malicious commands inside image metadata fields such as FileCreateDate or DateTimeOriginal.

When ExifTool processes the manipulated file under specific conditions, the hidden command can be executed through the system shell.

The vulnerability becomes exploitable when:

• ExifTool processes raw metadata values using the -n flag
• Malicious metadata is copied through the -tagsFromFile feature
• Unsafe input reaches a system() execution call without proper filtering

Researchers observed that ExifTool internally builds system commands using metadata values extracted directly from files. While most parameters are sanitized, one execution path allowed unfiltered user-controlled data to be passed into a shell command.

This creates a command injection scenario where attackers can run arbitrary commands with the privileges of the user processing the file.

Security Risks and Patch Information

The vulnerability is especially dangerous for organizations using automated image-processing workflows, newsroom environments, or media management platforms where files are processed automatically.

Because the malicious payload is hidden inside metadata, the image itself may appear legitimate and bypass traditional security checks.

If exploited successfully, attackers could:

• Execute malicious commands on macOS systems
• Deploy malware or backdoors
• Steal sensitive information
• Move laterally across internal networks

Researchers from Kaspersky identified the vulnerability, and ExifTool developers addressed the issue in version 13.50.

The patched release changes how system commands are executed by replacing unsafe string-based command construction with safer argument-based execution methods. This prevents shell interpretation and significantly reduces the risk of command injection.

Users and organizations are strongly advised to update to ExifTool 13.50 or later immediately. Security experts also recommend processing untrusted files inside isolated environments such as sandboxes or virtual machines to reduce exposure to malicious media files.

The incident highlights an ongoing cybersecurity challenge where even trusted file-processing tools can become attack vectors if user-controlled input is not handled securely.

The post ExifTool Flaw Allows Mac System Compromise appeared first on First Hackers News.

Researchers found that VoidStealer can extract encryption keys directly from browser memory, allowing attackers to steal active sessions and access accounts even on fully updated systems.

How VoidStealer Bypasses Chrome Protections

Google introduced App-Bound Encryption in Chrome 127 to strengthen protection around sensitive browser data such as cookies, passwords, and session tokens. The feature was designed to prevent malware running with normal user privileges from accessing Chrome’s encryption keys.

Unlike older protection methods based on DPAPI, ABE binds encryption keys directly to the Chrome application. A dedicated system process validates that only Chrome can request access to those keys.

However, VoidStealer avoids interacting with Chrome through official APIs. Instead, it targets the moment when Chrome decrypts sensitive data in memory.

Researchers observed that the malware:

• Attaches itself to the Chrome process as a debugger
• Monitors the browser’s decryption workflow
• Pauses execution when encryption keys are loaded into memory
• Extracts the decrypted keys directly from RAM

Because the attack focuses on runtime behavior rather than stored files, it bypasses many of the protections implemented by App-Bound Encryption.

Impact on Chromium Browsers and Security Risks

Once attackers obtain the decrypted session data, they can hijack active sessions without needing usernames or passwords. This allows threat actors to access accounts as if they were the legitimate user.

The malware affects multiple Chromium-based browsers, including:

• Google Chrome
• Microsoft Edge
• Brave
• Opera
• Vivaldi

Researchers also noted that VoidStealer is being distributed through a malware-as-a-service model, allowing cybercriminals to rent the malware and scale attacks more easily.

The discovery highlights an ongoing challenge in browser security. Even with stronger encryption mechanisms, attackers continue to focus on runtime memory access, where sensitive data must temporarily exist in decrypted form during legitimate browser operations.

To reduce exposure, security experts recommend avoiding untrusted software downloads, keeping browsers fully updated, using strong endpoint protection, and storing credentials in dedicated password managers instead of directly in browsers.

The post VoidStealer Steals Chrome Browser Data appeared first on First Hackers News.

Security researchers observed exploitation attempts within days of the vulnerability becoming public, highlighting how quickly attackers move to abuse flaws in widely used infrastructure software.

How the NGINX Vulnerability Works

The issue is caused by a heap buffer overflow in the NGINX worker process. Attackers can trigger the flaw by sending specially crafted HTTP requests to vulnerable servers.

Because the vulnerability does not require authentication, exposed systems are at higher risk. In many cases, attackers can crash the NGINX worker process, leading to service disruption. Under specific conditions, the flaw could also be leveraged for remote code execution.

Researchers noted that full remote code execution is more likely on systems where protections such as Address Space Layout Randomization (ASLR) are disabled.

The vulnerability mainly affects servers using specific rewrite configurations, meaning not every NGINX deployment is directly exploitable. However, identifying vulnerable systems at internet scale remains difficult.

Large Exposure and Security Recommendations

Security researchers estimate that millions of internet-facing NGINX servers could potentially be affected. Even if only a fraction of those systems meet the exact exploitation conditions, the overall attack surface remains significant.

Attackers are already scanning for vulnerable or misconfigured servers, increasing the urgency for organizations to respond quickly.

To reduce risk, security teams should:

• Apply the latest NGINX patches and updates
• Review rewrite configurations carefully
• Enable protections such as ASLR
• Monitor for suspicious or unusual HTTP requests

The incident highlights how vulnerabilities in widely deployed technologies can quickly become major security threats, even when exploitation depends on specific configurations.

With active exploitation already underway, rapid patching and continuous monitoring are critical to preventing compromise.

The post NGINX Vulnerability Enables Remote Code Execution appeared first on First Hackers News.

Also tracked as UAC-0010 or Shuckworm, Gamaredon continues to exploit CVE-2025-8088, a directory traversal vulnerability in WinRAR that allows malicious files to be written outside the intended extraction directory. Although the flaw has been widely abused since 2025, researchers noted that Gamaredon’s campaigns stand out due to their persistence, rapid infrastructure rotation, and repeated targeting of Ukrainian government entities.

Phishing Campaign Delivers GammaDrop Malware

The attacks begin with carefully crafted spearphishing emails sent either from compromised Ukrainian government accounts or spoofed domains designed to appear legitimate. Many of these emails mimic official court summons, legal notices, or government-related communications to increase the likelihood of user interaction.

The phishing attachments typically contain malicious RAR or ARJ archives disguised as regular documents. Inside the archive, researchers identified:

• A decoy PDF document used to distract the victim
• A hidden VBScript payload stored using NTFS Alternate Data Streams (ADS)

When the archive is extracted, the WinRAR vulnerability is abused to silently place the malicious VBScript into the Windows Startup folder. This ensures persistence on the infected machine without requiring additional user interaction.

The first-stage payload, known as GammaDrop, functions as a downloader responsible for retrieving additional malware from attacker-controlled infrastructure. Researchers observed that the script is heavily obfuscated using randomized variables, junk code, and automated generation techniques commonly associated with Gamaredon operations.

GammaLoad Expands Persistence and Reconnaissance

After execution, GammaDrop downloads a second-stage malware component called GammaLoad from infrastructure hosted through Cloudflare Workers. The payload is delivered as an HTA file and launched using mshta.exe in a hidden window to avoid drawing attention.

GammaLoad acts as both a persistence mechanism and a reconnaissance tool. It creates RunOnce registry entries and continuously communicates with command-and-control servers to receive instructions and additional payloads.

The malware collects system-level information including:

• Computer name
• System drive details
• Volume serial numbers
• Victim identification data

This information is embedded into beaconing traffic, allowing attackers to uniquely track infected systems and selectively deliver follow-up malware.

Researchers also observed that Gamaredon frequently rotates its infrastructure using fast-flux DNS, dynamic DNS services, and short-lived domains to evade detection. Communication traffic is disguised using legitimate browser user-agent strings, while some newer variants imitate automated services such as Bingbot to blend malicious traffic with normal network activity.

The Security Service of Ukraine (SSU), along with regional government and law enforcement organizations, remains one of the primary targets of these campaigns. Researchers believe the operation’s success is also supported by weak email authentication practices across some targeted domains, where missing or poorly configured SPF, DKIM, and DMARC policies allow attackers to spoof trusted senders more effectively.

Although the malware itself is not considered highly advanced, Gamaredon continues to maintain a strong operational presence through continuous adaptation, large-scale phishing activity, and aggressive infrastructure management.

Security teams are advised to patch vulnerable WinRAR installations immediately, strengthen email authentication controls, monitor suspicious archive-based phishing activity, and block known malicious infrastructure associated with the campaign.

The post Gamaredon Phishing Attacks Use GammaDrop Malware appeared first on First Hackers News.

Initially linked to a limited number of attacks targeting organizations in South Korea, Gunra previously relied on ransomware code associated with the leaked Conti source. However, the group has since developed its own custom ransomware payload and infrastructure, signaling a shift toward long-term operational independence.

Transition to a Ransomware-as-a-Service Model

The move to a RaaS model has significantly expanded Gunra’s reach. Instead of operating alone, the group now allows affiliates to deploy its ransomware tools in exchange for a share of ransom payments.

This affiliate-based structure enables the operation to scale more efficiently while maintaining centralized control over key parts of the attack lifecycle. Researchers observed Gunra actively operating within underground cybercrime forums, where the group promotes its services, recruits affiliates, and advertises stolen data obtained from compromised organizations.

Evidence also suggests coordination between operators and affiliates, with multiple threat actors sharing victim-related data within the same ecosystem. Unlike many established ransomware groups, Gunra permits affiliates to customize branding, increasing the likelihood of attacks appearing under different ransomware names while still relying on the same backend infrastructure.

Technical Capabilities and Operational Risks

Gunra’s ransomware platform supports both Windows and Linux environments, allowing attackers to target a broader range of enterprise infrastructure. The operation includes a feature-rich affiliate management panel designed to streamline ransomware deployment and victim negotiations.

The platform reportedly provides:

• Payload deployment and lock management
• File handling and communication tools
• Negotiation support for ransom operations
• Custom branding options for affiliates

Researchers also identified modifications within the Linux variant, including changes to execution behavior, encryption processes, and logging functions. Some cryptographic weaknesses were observed during analysis, which may assist future defensive research efforts.

One of the more concerning aspects of Gunra’s operation is its lack of strict targeting restrictions. Unlike certain ransomware groups that avoid critical sectors such as healthcare, Gunra appears willing to target organizations across multiple industries without significant limitations.

As the group continues expanding its RaaS ecosystem, security teams are advised to strengthen endpoint monitoring, maintain reliable offline backups, enforce strict access controls, and prioritize timely patch management to reduce the risk of ransomware intrusion and lateral movement within enterprise networks.

The post Gunra Ransomware Expands Through RaaS Operations appeared first on First Hackers News.

Security researchers from Wordfence identified the flaw and warned that attackers could gain administrator-level access without needing valid login credentials.

Authentication Bypass Creates Major Risk

The vulnerability, tracked as CVE-2026-8181, affects Burst Statistics versions 3.4.0 through 3.4.1.1. It carries a critical CVSS score of 9.8 due to the ease of exploitation and the level of access it provides.

The issue is linked to improper authentication handling within the plugin’s MainWP integration. In certain cases, the plugin incorrectly accepts invalid authentication responses as successful, allowing attackers to bypass security checks.

By sending specially crafted requests to WordPress REST API endpoints, attackers can impersonate an administrator if they know a valid admin username. No password cracking or credential theft is required.

This significantly lowers the barrier for exploitation and increases the risk of automated internet-wide attacks targeting vulnerable websites.

Potential Website Takeover and Security Response

Once exploited, attackers could create new administrator accounts and gain persistent access to the website. From there, they may modify content, inject malicious code, redirect visitors, or deploy additional malware.

Because the attack only requires knowledge of an administrator username, exposed websites could become easy targets for mass scanning campaigns.

Researchers acted quickly after discovering the issue, and firewall protections were rapidly deployed for users of Wordfence security products. The plugin developer also responded quickly by releasing version 3.4.2, which properly validates authenticated WordPress user sessions before granting access.

Website owners using the Burst Statistics plugin are strongly advised to update immediately to the latest patched version to prevent unauthorized access and possible site compromise.

The post WordPress Plugin Bug Exposes Websites appeared first on First Hackers News.

The flaw was identified during internal security testing by MongoDB and primarily impacts core MongoDB Server deployments, particularly in self-managed environments.

Technical Overview of the Vulnerability

The vulnerability enables arbitrary code execution, a class of flaws that allows threat actors to run malicious instructions directly on the host system. This effectively bypasses standard security boundaries and can grant attackers control over the database server.

Given that MongoDB often stores centralized and high-value data, exploitation of this flaw could lead to unauthorized data access, credential exposure, and system-level compromise. Attackers may also leverage the compromised host to establish persistence or pivot laterally within the network.

The issue affects MongoDB versions 5.0 and later in self-hosted deployments, where patch management depends entirely on the organization’s update practices.

Impact and Mitigation

Managed cloud users of MongoDB Atlas are not impacted, as the vulnerability has already been addressed across the platform through centralized patch deployment.

However, self-hosted environments remain exposed until updates are applied. MongoDB has released patched versions, including updates in recent release cycles such as 7.0.31, 8.0.20, and 8.2.7, to mitigate this risk.

Although there is currently no evidence of active exploitation, the nature of arbitrary code execution vulnerabilities makes them highly attractive to attackers. Systems that remain unpatched could be quickly targeted once exploit techniques become publicly available.

Organizations should ensure their MongoDB deployments are updated to the latest secure versions and aligned with current security baselines. Maintaining timely patching and monitoring practices is essential to reduce the risk of compromise.

The post MongoDB Vulnerability Allows Arbitrary Code Execution appeared first on First Hackers News.

The vulnerabilities allow attackers with basic local access to increase their privileges and operate with administrative-level control. In real-world scenarios, this type of access is often used as a stepping stone for larger attacks, including lateral movement and data exfiltration.

Privilege Escalation Risks in Windows Environments

Two high-severity vulnerabilities, each rated with a CVSS score of 7.8, impact Zoom’s Windows-based components.

The first issue affects Zoom Rooms for Windows and is caused by an untrusted search path vulnerability within the installer. This means the application may load files from unintended locations, allowing attackers to inject malicious code during execution.

The second flaw targets the Zoom Workplace VDI Plugin. It stems from improper control over file names and paths in the installation process. By manipulating these paths, an attacker can execute arbitrary code and escalate privileges.

These vulnerabilities are particularly dangerous because they require minimal effort to exploit once initial access is obtained. Attackers can leverage them to:

• Disable or bypass endpoint security controls
• Access and extract sensitive enterprise data
• Maintain persistence within the environment
• Move laterally across systems inside the network
• Deploy additional payloads such as ransomware

Such privilege escalation flaws are highly valuable in targeted attacks, especially in corporate environments where Zoom is widely used.

iOS Vulnerability and Overall Impact

A separate vulnerability affects Zoom Workplace on iOS devices, though its severity is significantly lower. This issue involves a failure in a protection mechanism that could allow limited data exposure.

However, exploitation requires physical access to the device, which reduces the likelihood of large-scale attacks. Still, it highlights the importance of securing mobile endpoints alongside desktop systems.

The key concern across all these vulnerabilities is the potential for unauthorized access to sensitive data and system resources, particularly in organizations that rely heavily on collaboration tools.

To address these risks, Zoom Video Communications has released security patches for all affected components. Because these flaws are now publicly disclosed, unpatched systems may become targets for active exploitation.

Users and organizations should immediately update:

• Zoom Rooms for Windows to version 7.0.0 or later
• Zoom Workplace VDI Plugin to version 6.6.11 or newer
• Zoom Workplace for iOS to version 7.0.0 or above

Timely patching, combined with proper access controls and endpoint monitoring, is essential to prevent these vulnerabilities from being exploited in real-world attacks.

The post Zoom Vulnerability Allows Privilege Escalation Attacks appeared first on First Hackers News.