The issue involves the Internet Explorer WebBrowser control, a component still embedded in various applications built with technologies such as .NET, Visual Basic, and C++. Because it continues to inherit Internet Explorer’s security behavior, attackers may be able to abuse it to execute malicious code on a victim’s system.

How the Attack Works

Researchers found that the WebBrowser control still follows Internet Explorer’s security zone model, which grants additional privileges to trusted locations such as localhost and local files.

This becomes dangerous when desktop applications expose web interfaces through localhost. If an attacker finds a vulnerability such as cross-site scripting (XSS) in one of these applications, they may be able to move from a remote web page into a more trusted local environment.

The attack chain can involve:

• Exploiting a vulnerable localhost application
• Downloading malicious files without standard security warnings
• Opening local files through the WebBrowser control
• Executing scripts in a trusted local context
• Launching commands through insecure ActiveX components

Researchers demonstrated that malicious files downloaded through certain localhost scenarios may not receive Microsoft’s Mark-of-the-Web (MOTW) protection. Without this security label, Windows may not display its usual warnings when potentially dangerous content is executed.

Multiple Paths to Code Execution

The research also revealed several additional techniques that attackers could use to increase the chances of compromise.

Potential attack methods include:

• Abusing ActiveX components to launch programs
• Using media playlist files to leak NTLM hashes
• Exploiting ClickOnce and Office-related file formats
• Using clickjacking to trick users into opening malicious files
• Abusing drag-and-drop functionality to execute shortcuts

In some proof-of-concept demonstrations, attackers used invisible frames to disguise malicious file interactions. A victim might believe they are clicking on a normal webpage when they are actually interacting with local files or applications.

Researchers also showed how malicious shortcuts could be disguised with trusted-looking icons and placed in locations where users are likely to interact with them.

Why Legacy Components Remain a Risk

The findings highlight a common cybersecurity challenge: retired software components can continue creating security risks long after the original product is no longer supported.

Many organizations still rely on applications that use the Internet Explorer WebBrowser control behind the scenes. As long as these components remain active, attackers may continue searching for ways to abuse them.

Security experts recommend that organizations:

• Identify applications using the WebBrowser control
• Remove unnecessary legacy dependencies
• Restrict risky ActiveX components
• Limit exposure of localhost web interfaces
• Monitor systems for unusual browser-based activity

The post Internet Explorer Component Flaw Enables RCE Attacks appeared first on First Hackers News.

The latest release includes security improvements across several Chrome components, including ANGLE, GPU, Network, Ozone, FileSystem, Password Manager, Chromecast, Cast Streaming, and Chromoting.

Given the number and severity of the fixes, users and organizations are strongly encouraged to update their browsers as soon as possible.

Critical Bugs Could Lead to Serious Attacks

Many of the critical vulnerabilities are related to memory safety issues such as use-after-free and out-of-bounds memory access errors.

These types of flaws are frequently targeted by attackers because they can sometimes be used to:

• Execute malicious code
• Crash the browser
• Bypass security protections
• Access sensitive information
• Escape browser restrictions

Several of the vulnerabilities affect Chrome’s GPU and ANGLE components, which handle graphics processing and hardware acceleration. Because these components interact closely with system hardware, they are often attractive targets for threat actors.

Google has not released full technical details for many of the vulnerabilities yet. The company commonly delays disclosure until most users have installed the updates, reducing the risk of attackers developing exploits before systems are patched.

Multiple Browser Components Affected

The security fixes span a wide range of Chrome functionality.

Affected areas include:

• ANGLE graphics framework
• GPU processing components
• Network services
• Ozone platform layer
• FileSystem functionality
• Password management features
• Chromecast services
• Cast Streaming technology
• Chrome Remote Desktop (Chromoting)

Researchers warn that vulnerabilities affecting network services, file handling, and password-related components could become particularly dangerous if combined with additional exploits.

Issues involving Chromecast and remote streaming features also highlight that browser-related risks extend beyond simple web browsing and may impact connected devices and remote-access capabilities.

Update Recommended Immediately

Google reports that many of the vulnerabilities were discovered by both internal security teams and external researchers. Some high-impact findings earned bug bounty rewards of up to $97,000.

Organizations should prioritize deploying the latest Chrome version as part of their patch management process. Regular browser updates remain one of the most effective ways to reduce exposure to web-based attacks.

The release serves as another reminder that browsers remain one of the most heavily targeted applications and require continuous security updates to defend against evolving threats.

22 Critical Vulnerabilities

The post Google Patches 429 Chrome Security Flaws appeared first on First Hackers News.

The vulnerabilities, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under security advisory VMSA-2026-0004 on June 8, 2026. The flaws carry a CVSS score of 8.0, highlighting the potential risk to enterprise environments running affected versions of VCF Operations.

Because these vulnerabilities involve stored cross-site scripting (XSS), attackers may be able to plant malicious code that executes whenever administrators access compromised sections of the platform.

How the Vulnerabilities Work

According to VMware, the flaws stem from improper handling of user-supplied input within VCF Operations management interfaces.

The platform fails to properly validate and sanitize certain data before displaying it to users. As a result, attackers can store malicious JavaScript code within the application. When an administrator or another privileged user later views the affected page, the malicious script automatically executes in their browser.

Unlike reflected XSS attacks, stored XSS remains embedded in the application until removed, increasing the chances of successful exploitation.

A successful attack could allow threat actors to:

• Hijack administrator sessions
• Steal authentication tokens
• Access sensitive information
• Modify configuration settings
• Perform unauthorized actions
• Maintain persistence within the environment
• Potentially move deeper into connected infrastructure

Why Organizations Should Take This Seriously

VCF Operations often serves as a central management platform for virtualization, cloud resources, and infrastructure operations. In many organizations, it integrates with other VMware services, including vCenter and cloud automation environments.

Because of this connectivity, a successful compromise could have broader consequences beyond a single application.

Security experts warn that attackers may attempt to combine these vulnerabilities with other weaknesses or misconfigurations to gain additional access and privileges across enterprise environments.

The risk is especially high in organizations where multiple administrators regularly access shared management consoles, as any authorized user visiting a compromised interface could unknowingly trigger the malicious code.

No Workarounds Available

VMware has confirmed that there are currently no workarounds for these vulnerabilities.

Organizations are strongly advised to install the latest security updates as soon as possible. Delaying remediation could increase the risk of exploitation, particularly if proof-of-concept code becomes publicly available.

Administrators should also consider the following security measures:

• Apply VMware security patches immediately
• Restrict access to VCF Operations interfaces
• Monitor logs for unusual activity
• Review administrator account permissions
• Watch for suspicious session behavior
• Investigate unexpected script execution events
• Strengthen overall access controls

While web application firewalls and browser security controls may provide limited protection, VMware emphasizes that these measures should not replace patching.

The disclosure of these vulnerabilities serves as another reminder that enterprise management platforms remain valuable targets for attackers. Securing these critical control systems is essential for protecting modern virtualized and cloud-based environments.

The post VMware Stored XSS Flaws Put Enterprise Environments at Risk appeared first on First Hackers News.

Because these tools are already installed on most systems and commonly used by administrators, malicious activity can easily blend in with normal operations.

ANY.RUN Report Reveals Growing Threat

According to ANY.RUN’s analysis of more than 2 million malware and phishing investigations during the first quarter of 2026, threat actors are rapidly shifting toward stealthier attack techniques.

The report highlights:

• Loader-based attacks nearly doubled
• Credential theft increased significantly
• Living-off-the-Land (LotL) techniques grew by more than 58%
• Attackers increasingly abused trusted system utilities
• Malware campaigns became more automated and difficult to detect

Researchers noted that attackers often use tools such as PowerShell, WMI, Certutil, MSHTA, and JavaScript execution environments to perform malicious actions while appearing legitimate.

These trusted tools allow attackers to:

• Download malware payloads
• Execute fileless attacks
• Establish persistence
• Move laterally through networks
• Avoid traditional antivirus detection

Security experts warn that attackers can establish persistence within seconds, leaving defenders with very little time to respond.

Credential Theft Continues to Drive Attacks

ANY.RUN researchers found that credential theft remains one of the primary goals for modern threat actors.

Once attackers obtain valid credentials, they can access systems while appearing to be legitimate users. Combined with trusted tool abuse, this creates a dangerous scenario where malicious activity can remain hidden for extended periods.

Many attackers begin with lightweight loaders that quietly gain initial access before deploying more dangerous payloads such as:

• Ransomware
• Remote Access Trojans (RATs)
• Information stealers
• Credential theft tools

This approach allows cybercriminals to scale attacks while minimizing detection.

Strengthening Defenses Against Trusted Tool Abuse

Because legitimate tools generate normal-looking activity, ANY.RUN recommends focusing on behavioral monitoring rather than relying solely on traditional signature-based security solutions.

Organizations should monitor for:

• Unusual PowerShell commands
• Suspicious script execution
• Abnormal command-line arguments
• Unexpected network connections
• Unusual administrative activity
• Suspicious parent-child process relationships

Additional recommendations include:

• Enforcing least-privilege access
• Restricting script execution
• Using application control policies
• Leveraging threat intelligence
• Deploying sandbox analysis solutions
• Improving incident response capabilities

The findings show that attackers are becoming increasingly skilled at hiding in plain sight. As trusted tools continue to be weaponized, organizations must focus on behavior-based detection and rapid response strategies to identify threats before they can cause significant damage

The post Hackers Exploit Trusted Tools Malware for Attacks appeared first on First Hackers News.

Security researchers demonstrated that the flaws can be chained together to achieve remote code execution with root privileges through a single specially crafted request. The vulnerabilities affect UniFi OS Server installations and pose a significant risk to organizations using exposed management interfaces, highlighting the importance of addressing UniFi OS Vulnerabilities.

Because the attack requires no authentication, security experts are urging administrators to patch affected systems immediately.

How the Attack Works

The exploit begins with vulnerabilities that allow attackers to bypass UniFi OS authentication protections.

Researchers discovered that inconsistencies in how requests are processed can allow specially crafted URLs to access internal functions that should normally require authentication. Once inside, attackers can target a separate command injection flaw within the system’s update mechanism.

The attack chain allows threat actors to:

• Bypass authentication controls
• Execute commands remotely
• Gain root-level access
• Install malicious software
• Maintain long-term access to the system

Researchers confirmed that the exploit can be executed remotely against vulnerable devices running affected versions of UniFi OS.

Potential Impact on Organizations

A successful compromise gives attackers complete control over the UniFi management platform.

With root access, attackers may be able to:

• Create persistent administrator accounts
• Access sensitive network data
• Steal encryption and authentication keys
• Extract database information
• Modify system configurations
• Maintain access even after password changes

In environments using UniFi Access and UniFi Protect, the risks extend beyond traditional IT systems.

Researchers warn that attackers could potentially:

• Unlock connected doors
• Access surveillance systems
• Monitor live camera feeds
• Delete security footage
• Access stored credential information

This makes the vulnerabilities especially concerning for organizations that rely on UniFi products for both network and physical security management.

Recommended Mitigation Steps

Administrators should immediately upgrade to the latest patched UniFi OS versions provided by Ubiquiti.

Additional security measures include:

• Restrict management interfaces from internet access
• Rotate authentication and signing keys
• Change administrative credentials
• Review systems for suspicious activity
• Rebuild potentially compromised servers
• Audit access logs and configurations

Security experts advise treating any internet-exposed, unpatched UniFi OS instance as potentially compromised due to the severity of the vulnerabilities and the ease of exploitation.

The post Critical UniFi OS Vulnerabilities Allow Root RCE appeared first on First Hackers News.

The campaign, linked to a Telegram channel with thousands of followers, reportedly used artificial intelligence to generate content, manage online operations, and support cybercriminal activities with very little cost or effort.

The case highlights how AI can be abused to increase the scale and efficiency of malicious online campaigns.

AI Used to Automate Content and Operations

According to researchers, the attacker found ways to bypass Gemini’s built-in safety protections through carefully crafted prompts and configuration changes.

Once these restrictions were bypassed, the AI was used for a variety of tasks, including:

• Generating large volumes of content
• Automating Telegram posts
• Managing stolen API keys
• Assisting with infrastructure setup
• Supporting online fraud operations

Researchers found that the actor relied on dozens of stolen Gemini API keys, allowing continuous access to AI capabilities while avoiding operational costs.

The Telegram channel evolved over time, eventually becoming heavily dependent on AI-generated content designed to engage and influence followers.

From Influence Campaigns to Cybercrime

Beyond content creation, investigators found evidence that AI was also used to assist with technical tasks often associated with cybercrime.

The AI reportedly helped with:

• Script troubleshooting and development
• Cloud service configuration
• Infrastructure deployment
• Password variation generation
• Account compromise activities

Researchers linked the operation to several compromised WordPress administrator accounts and at least one cryptocurrency theft incident.

The campaign also promoted a fake cryptocurrency wallet application that allegedly provided attackers with access to victim systems and digital assets.

Growing Concerns Around AI Abuse

Security experts believe the operation was primarily motivated by financial gain rather than political objectives.

The findings demonstrate how a single individual can now perform activities that previously required larger teams, thanks to automation and AI assistance.

At the same time, the case raises concerns about weaknesses in AI safety controls. Researchers noted that prompt manipulation, persistent jailbreak techniques, and language-based inconsistencies continue to create opportunities for abuse.

The incident serves as another example of how cybercriminals are adapting emerging AI technologies to support fraud, account compromise, and large-scale online influence operations.

The post Stolen Gemini API Keys Power Automated Telegram Campaign appeared first on First Hackers News.

While Meta stated that its infrastructure was not breached, the incident highlights the risks of relying on AI systems for sensitive account management functions.

How the Issue Worked

The problem was reportedly linked to the logic used by Meta’s AI support assistant. Instead of exploiting servers or software vulnerabilities, attackers allegedly manipulated the chatbot into triggering password recovery actions.

According to researchers, the AI system could be persuaded to send password reset links or codes without performing sufficient identity checks. In some cases, simply knowing a target’s Instagram username may have been enough to initiate the process.

This type of attack is different from traditional hacking methods because it focuses on exploiting the behavior of automated systems rather than technical flaws in infrastructure.

Researchers noted that the issue demonstrated how AI tools can become vulnerable when strict authentication controls and security safeguards are not fully enforced.

Valuable Instagram Accounts Were Targeted

Reports indicate that attackers focused primarily on high-value Instagram usernames and accounts that are often traded in underground marketplaces.

Short, rare, and highly desirable usernames can sell for significant amounts of money, making them attractive targets for cybercriminals.

Security researchers found evidence suggesting that compromised accounts were quickly offered for sale through private online channels, highlighting the growing business of account takeover operations.

This trend reflects an evolving cybercrime ecosystem where attackers target digital identities that can be rapidly monetized.

Meta Responds and Fixes the Issue

Meta has confirmed that the problem has been addressed and stated that user accounts remain secure.

According to the company, the issue allowed certain password reset requests to be triggered improperly, but there was no compromise of Meta’s backend systems or customer databases.

The company quickly implemented a fix after receiving reports from researchers and emphasized that the vulnerability has been resolved.

Lessons for Users and Platforms

The incident serves as a reminder that AI-powered support tools can introduce new security challenges if they are not carefully designed.

To reduce risk, organizations should implement:

• Strong identity verification controls
• Strict rate-limiting mechanisms
• Context-aware AI decision making
• Enhanced monitoring for abuse attempts
• Additional safeguards for account recovery processes

Researchers also noted that accounts protected with two-factor authentication (2FA) were not affected by the reported attacks.

As AI becomes more integrated into customer support and account management systems, security experts expect attackers to continue testing these technologies for weaknesses. Strong authentication and layered security controls remain essential for protecting user accounts from emerging threats.

The post Meta AI Flaw Linked to Instagram Password Resets appeared first on First Hackers News.

The statement comes after criticism from the cybersecurity community following a dispute involving a researcher known as “Nightmare-Eclipse.” Many researchers were concerned that Microsoft’s earlier comments could discourage independent security research and vulnerability disclosure.

The company has now clarified that its focus is on individuals who intentionally cause harm, not those conducting legitimate security research.

Dispute Sparked by Public Vulnerability Disclosures

The controversy began when Nightmare-Eclipse started releasing details of several previously unpatched Windows vulnerabilities, along with proof-of-concept exploit code.

The disclosed flaws affected important Windows security features, including Microsoft Defender and BitLocker. Some of the vulnerabilities were later confirmed to be actively exploited in real-world attacks.

According to the researcher, the public disclosures were driven by frustration over previous interactions with Microsoft’s vulnerability reporting process. The researcher claimed that access to Microsoft’s reporting platform had been removed and that submitted findings were not handled appropriately.

Microsoft later criticized the public release of unpatched vulnerabilities and stated that such disclosures could place customers at risk. The company’s comments also referenced potential legal action against individuals involved in harmful activities, which triggered widespread debate across the cybersecurity community.

Microsoft Reassures the Security Community

Following the backlash, Microsoft issued a new statement to clarify its position.

The company emphasized that it supports security research and has no intention of pursuing legal action against researchers who identify and disclose vulnerabilities. Microsoft said legal measures would only be considered in cases involving unlawful actions that cause actual harm to customers.

The company also acknowledged that some interactions with researchers may not have met expectations and expressed its commitment to improving communication and collaboration.

Microsoft reaffirmed its support for Coordinated Vulnerability Disclosure (CVD), encouraging researchers to report vulnerabilities through official channels before making findings public.

Importance of Researcher-Vendor Collaboration

The incident highlights the delicate relationship between technology vendors and the security research community.

Security researchers play a critical role in identifying weaknesses before cybercriminals can exploit them. At the same time, vendors rely on responsible disclosure processes to develop patches and protect users.

Microsoft stated that it continues to welcome vulnerability reports through its public reporting portal and remains committed to working with researchers regardless of previous interactions.

The situation serves as a reminder that effective communication and cooperation between vendors and researchers are essential for improving cybersecurity and protecting users worldwide.

The post Microsoft Denies Lawsuit Threats Against Researchers appeared first on First Hackers News.

The flaw, tracked as CVE-2026-45247, has received a critical severity rating and can be exploited without authentication. Security researchers warn that thousands of Magento and Adobe Commerce stores may be at risk if the vulnerable plugin remains unpatched.

The issue affects the Mirasvit Cache Warmer extension, a tool commonly used to improve website performance by preloading cached pages for visitors.

How the Vulnerability Works

The vulnerability is caused by the plugin’s unsafe handling of data stored inside a cookie called CacheWarmer.

When a visitor sends a request to the website, the extension reads information from the cookie and rebuilds session data using PHP’s unserialize() function. Because the cookie data is controlled by the user and is not properly validated, attackers can supply specially crafted payloads that trigger malicious object creation on the server.

Researchers found that this behavior opens the door to PHP Object Injection attacks, which can eventually lead to remote code execution.

An attacker can potentially:

• Execute malicious code on the server
• Install webshells or backdoors
• Access sensitive store data
• Take control of the Magento environment
• Launch automated attacks against multiple stores

The vulnerability affects all Mirasvit Cache Warmer versions released before 1.11.12.

Thousands of Stores Potentially Affected

According to researchers, the extension is frequently bundled with other Mirasvit products, meaning some store owners may not even realize it is installed on their systems.

Security experts estimate that more than 6,000 Magento stores may be running vulnerable components, although the actual number could be higher.

The vendor was notified about the issue and quickly released version 1.11.12, which addresses the vulnerability.

Security teams should monitor web traffic for suspicious CacheWarmer cookie values containing unusual encoded data. Such activity could indicate attempted exploitation.

Recommended Actions

Organizations using Magento or Adobe Commerce should act immediately to reduce risk.

Recommended steps include:

• Upgrade Mirasvit Cache Warmer to version 1.11.12 or later
• Review web server logs for suspicious requests
• Scan systems for webshells and backdoors
• Inspect public-facing directories for unauthorized PHP files
• Deploy a web application firewall for additional protection
• Conduct a full compromise assessment if exploitation is suspected

Because the flaw can be exploited remotely without authentication, researchers expect attack attempts to increase following public disclosure.

Store administrators are strongly encouraged to patch affected systems as soon as possible to prevent potential compromise and data theft.

The post Magento Cache Plugin Vulnerability Enables RCE Attacks appeared first on First Hackers News.

The attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The FROST SSD Timing Attack works by abusing modern browser storage features and measuring tiny changes in SSD response times. Researchers warned that simply visiting a malicious website could allow attackers to observe activity happening in other browser tabs, applications, or even different browsers running on the same system.

The findings highlight growing concerns around browser APIs and performance features that may unintentionally expose sensitive system behavior.

How the FROST Attack Works

The technique relies on the Origin Private File System (OPFS), a browser storage feature designed to improve web application performance.

Researchers found that a malicious website can create a large file inside the browser’s storage sandbox and continuously perform random disk reads. These operations force the SSD to handle real disk activity instead of using cached memory.

When other applications or browser tabs access the same SSD, small delays and latency spikes occur due to resource contention. The malicious page measures these timing differences using high-resolution browser timers.

To improve accuracy, attackers can enable cross-origin isolation settings that unlock more precise timing measurements through APIs such as performance.now().

The collected timing data is then analyzed using machine learning models to identify patterns linked to specific websites or applications.

Researchers Demonstrated Cross-Browser Tracking

During testing, researchers showed that the attack could monitor user activity across multiple browser instances on macOS systems.

In one experiment:

• A malicious Chrome tab monitored SSD timing activity
• A victim opened websites in Safari
• The timing patterns were analyzed using a neural network model
• The system successfully identified visited websites with high accuracy

The researchers reported strong detection results while testing against popular websites.

They also demonstrated a covert communication channel on Linux and macOS systems where SSD contention signals were used to transfer information between applications.

Privacy and Security Concerns

The research shows how modern browser performance features may weaken traditional browser isolation protections.

Unlike traditional malware, the attack does not require installing software on the victim’s device. Instead, a single visit to a malicious webpage may be enough to begin collecting timing information silently in the background.

Researchers warned that the technique could potentially be used for:

• Cross-browser activity tracking
• User behavior monitoring
• Website fingerprinting
• Covert communication channels
• Privacy-invasive surveillance techniques

The findings also raise concerns about how high-resolution timers and advanced browser storage APIs can unintentionally create new side-channel attack surfaces.

While the attack currently requires specific conditions and technical expertise, the research demonstrates how low-level hardware behavior can increasingly be abused for remote tracking and surveillance purposes.

The post New FROST Technique Lets Websites Monitor SSD Activity appeared first on First Hackers News.