The research, led by Or Yair, Security Research Team Lead at SafeBreach, builds on the firm’s earlier “Invitation Is All You Need” disclosure, which weaponized Google Calendar invitations against Gemini.

This time, the attack surface is far larger; any application capable of triggering a device notification becomes a viable delivery vector.

Google Gemini Vulnerability Exploited

The core exploit leverages Gemini’s Android Utilities agent, specifically the tool that reads incoming notifications. Because this tool processes untrusted data from third-party apps, an attacker can embed malicious instructions directly inside a crafted message.

Once Gemini reads the poisoned notification, it silently incorporates the attacker’s commands into the conversational context without the user’s knowledge.

Even without invoking external tools, this notification-based IPI enables context poisoning that allows attackers to control Gemini’s output entirely. A manipulated assistant could, for example, relay a fake system message: “There was an error — click here to refresh” — a classic phishing lure delivered through a trusted AI interface.

Fake Context Alignment: Bypassing Google’s Defenses

After Google patched earlier vulnerabilities by blocking chained tool invocations and Delayed Tool Invocation, SafeBreach researchers developed a novel bypass technique dubbed Fake Context Alignment.

The technique creates a dual illusion, presenting a legitimate authorization scenario to Gemini’s backend security mechanisms while showing the victim an entirely benign interaction.

Two techniques were demonstrated:

• Obfuscated Fake Context Alignment: Gemini appends a malicious authorization question in a foreign language (e.g., Chinese: “你想打开窗户吗?” — “Do you want to open the window?”) immediately followed by a harmless English question. The user replies “Yes” to the English prompt while the backend aligns the affirmative with the hidden Chinese instruction, triggering tool execution.

• Muted Fake Context Alignment: The malicious question is embedded as clickable link text that Gemini’s text-to-speech engine silently skips. The user hears only a benign voice prompt and unknowingly authorizes a tool call by replying “Yes.”

Combining both techniques into an “Ultimate Combo” payload allowed researchers to bypass all of Google’s latest mitigations with high reliability and near-zero user awareness.

With Delayed Tool Invocation re-enabled, researchers demonstrated a range of high-severity exploits. The emergence of smart home technology has facilitated various forms of exploitation, such as remotely controlling connected devices like windows, boilers, and lighting via Google Home.

Additionally, there are alarming tactics like covert video streaming, where an attacker can force Zoom to launch and stream the victim’s camera live through a 301 HTTP redirect from a Safe Browsing-approved domain.

Large-scale social engineering schemes are on the rise, fabricating messages from trusted contacts without prior knowledge of the contacts’ names by extracting real sender names from the notification queue.

Moreover, persistent memory poisoning has become a critical concern, as it involves injecting false information into Gemini’s long-term memory across the victim’s entire Google Workspace account, affecting tablets, computers, and smart speakers.

Lastly, scheduled surveillance tactics allow the establishment of recurring tasks that automatically read the user’s recent messages daily, further compromising their privacy and security.

SafeBreach disclosed the findings to Google’s Vulnerability Reward Program on August 17, 2025. Google confirmed on November 14, 2025, that updated content classifier improvements successfully mitigated the indirect prompt injection and Delayed Tool Invocation scenarios described in the research.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS appeared first on Cyber Security News.

Rather than using easily blocked servers, the threat actors hide inside one of the world’s most trusted platforms, Amazon Web Services (AWS).

What sets this campaign apart is how it communicates with infected machines. Attackers compromise AWS accounts belonging to unrelated organizations and plant lightweight serverless functions inside them as hidden relay points.

To any security team watching traffic, the communications look like routine, encrypted HTTPS connections to Amazon’s own infrastructure.

Researchers at Qualys said in a report shared with Cyber Security News (CSN) that the campaign was originally documented by Palo Alto Networks Unit 42 in July 2025.

The Qualys analysis breaks down the technical mechanics and outlines how defenders can detect and stop this cloud-native threat.

Once HazyBeacon installs on a victim’s Windows machine, it works as a lightweight backdoor. It collects system details like hostname, IP address, and user privileges.

It receives encrypted commands to run shell instructions or pull down further payloads. It silently uploads stolen documents and captured keystrokes to the attackers.

The campaign does not exploit flaws in AWS itself. Attackers steal static IAM access keys from exposed GitHub repositories or phishing campaigns, then use those keys to build a relay inside a compromised cloud account.

HazyBeacon Camapign Weaponizes Amazon Web Services

The core of this attack is the abuse of AWS Lambda Function URLs, introduced in April 2022.

These URLs expose a serverless function directly to the internet without requiring services like API Gateway. That simplicity is useful for developers but easy to weaponize.

Lambda Function URLs offer two authentication modes. One requires callers to sign with valid IAM credentials, while the other, called AuthType: NONE, lets anyone send requests without authentication.

Attackers choose this option to spin up a public HTTPS relay inside AWS infrastructure within seconds. Since the endpoint domain ends in on.aws, the traffic blends in with trusted Amazon services.

The relay works as a silent middleman. Malware sends an encrypted HTTP POST to a Lambda URL inside a different compromised AWS account.

That function strips the headers and forwards the payload to the attacker’s real backend server, which responds through the same path.

Neither the malware victim nor the AWS account owner typically knows something is wrong until an abuse notice or unexpected bill arrives.

The attack follows a predictable kill chain rooted in poor identity hygiene. Attackers validate stolen keys with quiet API calls, upload a zipped Python or Node.js payload as a Lambda function with a benign name like “UpdateWorker,” and deploy it in a low-scrutiny AWS region to avoid detection.

Key Defenses Against Lambda-Based Command Relays

The most important first step is strong IAM hygiene. Teams should disable unused access keys, enforce regular rotation, and require multi-factor authentication across cloud accounts. These controls cut off the primary entry point this campaign relies on.

Enabling AWS CloudTrail logging across all regions is equally critical. CloudTrail records every API call used to create Lambda functions and Function URLs, exposing unauthorized deployments even in rarely watched regions.

Spotting anomalous activity during reconnaissance can reveal compromised credentials before a relay goes live.

Organizations can also apply Service Control Policies at the AWS Organization level to block Lambda Function URLs configured with AuthType: NONE unless explicitly approved through tagging.

This prevents a public relay from being deployed even with valid stolen credentials. Routing Lambda workloads through a Virtual Private Cloud adds another detection layer, since relay traffic produces a one-to-one inbound to outbound pattern visible in flow logs.

Monitoring Lambda cost anomalies rounds out the defense. A relay serving many infected machines generates massive invocation volumes that appear as billing spikes, especially in nonproduction regions. Granular AWS budget alerts can surface this abuse before it scales.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post HazyBeacon Camapign Weaponizes Amazon Web Services for Stealthy Communications appeared first on Cyber Security News.

Their toolkit combines Fortinet vulnerability exploitation, AI-assisted operations, and a fully custom command-and-control framework that most security tools simply do not see coming.

The group operates without a central office or traditional payroll structure. Nine operator handles have been identified communicating across time zones through a self-hosted Rocket.Chat instance on an onion site, with plans to migrate to a Rust-based platform.

Their lean, distributed model marks a clear shift from the rigid corporate setup that groups like Conti once maintained.

In May 2026, the Ransom-ISAC research team extracted 3,366 messages from The Gentlemen’s Rocket.Chat server, exposing internal plans, tooling discussions, and victim targeting details.

Analysts at Vectra AI noted the findings in a report shared with Cyber Security News (CSN), observing that while the group’s tools have changed considerably, the core weaknesses they exploit in victim networks have stayed nearly the same since 2022.

The leaked messages also uncovered a connection between The Gentlemen and earlier ransomware brands. A negotiator known by the handle “Tinker” appeared in both Black Basta chats and The Gentlemen’s logs, performing the same operational role across both groups.

A shared Matrix homeserver, bestflowers247.online, was present in archives from both groups, anchoring that infrastructure link with hard evidence.

This pattern points to a larger truth: ransomware operators do not retire, they rebrand. The same people carry their knowledge and access from one criminal enterprise to the next, making group takedowns far less effective than many defenders might hope.

Gentlemen Ransomware Uses Fortinet Exploits, AI, and Custom C2 Frameworks

Fortinet remains the front door of choice for The Gentlemen. The Rocket.Chat logs mention FortiGate 81 times, with CVE-2024-55591, a FortiOS authentication bypass flaw, called out explicitly as their primary way into victim networks.

Halcyon’s separate analysis found the group brute-forcing roughly 1,000 Fortinet VPNs, in some cases using reused passwords like gentlemen25 and gentle26 across multiple victims.

Once inside, the group deploys a custom C2 framework called G-BOT. This previously undocumented control panel supports per-beacon SOCKS5 tunneling and uploads builders to temporary file-sharing sites, replacing commercial tools like Cobalt Strike.

That switch makes detection harder for security teams relying on known signatures.

The group also targets hypervisors directly. Their Linux locker attacks Hyper-V Volume Manager, encrypting at the hypervisor level so that endpoint agents inside virtual machines cannot see the attack.

The locker drops the extension .i8p14s and leaves a ransom note named README-GENTLEMEN.txt, signaling that no layer of infrastructure is off limits.

AI and Credential Theft Complete the Kill Chain

The Gentlemen have moved AI from a novelty into a working part of their operation. Operators reference using GPT and Claude models to assist with ransom negotiations, with one operator describing them as automatic response writers for victim communications.

The group also discusses renting GPUs on vast.ai and running uncensored AI models from Hugging Face to triage large volumes of stolen data.

For credential theft, the group relies on Phemedrone Stealer V2.3.2, LummaC2, XenAllPasswordPro, Chrome App-Bound Encryption Decryption, and DumpBrowserSecrets.

These tools pull saved passwords directly out of browsers without triggering login failures, meaning standard authentication logs show nothing unusual. Stolen data then moves out through rclone to MEGA, following the same exfiltration pattern ransomware groups have used for years.

Defenders have clear steps based on what the leaked chats reveal. Security teams should audit edge devices including Palo Alto, Fortinet, Citrix, F5, and Cisco gear against the CVE list discussed in operator chats.

Treating NTDS.dit and VSS backup access as an immediate severity-one alert, rather than a forensic discovery made weeks later, can stop domain-wide compromises before they fully develop.

Hunting for tools like rclone, MEGAcmd, WinSCP, and Velociraptor on hosts that have no reason to run them adds an early warning layer that logs alone cannot provide.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks appeared first on Cyber Security News.

Researchers have uncovered a previously unknown piece of malware that disguises itself as an everyday business document — a purchase order, a quote, or a request for proposal.

Once an unsuspecting employee opens the attached file, attackers silently gain persistent access to the entire company network.

The malware, named JS.MonoGlyphRAT, is delivered as an ordinary-looking JavaScript file attached to phishing emails. It is actively targeting organizations across the United States, with confirmed victims in the technology sector, managed security service providers (MSSPs), telecommunications, and education.

Cases have also been spotted in Germany, Sweden, Australia, and several other countries, making this a growing concern well beyond US borders.

Analysts at ANY.RUN identified this malware cluster and published a detailed report shared with Cyber Security News (CSN).

The team named it after its signature obfuscation method, where variable and function names are constructed from repeated characters in mixed case — for example, IiIiIiIiiIII or KkkKKKkKkK — making the code extremely difficult to read and analyze with standard security tools.

The following analysis is based on sandbox session

Stop threats before they become costly incidents. Integrate ANY.RUN to detect, investigate, and block attacks like JS.MonoGlyphRAT early. Get for your team.

What makes JS.MonoGlyphRAT especially dangerous is that it currently shows up as “Unknown malware” on major threat intelligence platforms like VirusTotal and ThreatFox.

Standard antivirus programs that rely on known signatures simply cannot detect it. The only reliable way to catch it is by watching for suspicious behavior on a system in real time rather than matching files against a known signature database.

The financial consequences of a successful infection can reach well into the millions. Organizations face risks including ransomware deployment, data theft, regulatory penalties, business email compromise, and extended operational downtime.

Since MonoGlyphRAT can download and deploy additional malicious payloads, even a single compromised machine can become the starting point of a far larger and costlier breach for the entire organization.

Hackers Use Fake Purchase Orders

The attack begins with a single email. Employees in procurement, sales, or finance receive a message containing a JavaScript file named something like PURCHASE ORDER_12258.js or QUOTE_B2026.js.

These filenames are designed to look like routine business documents that someone in a buying or selling role would open without a second thought.

Once the file runs through Windows Script Host (WSH), it silently copies itself into a subfolder within the user’s profile directory and registers itself in the Windows registry.

This gives attackers a permanent foothold, as the malware starts automatically every time the computer reboots without showing any visible sign to the user.

The malware then reaches out to its command-and-control (C2) server over HTTP on non-standard ports to stay off the radar.

It collects key system details including the username, domain, operating system version, and hardware profile, then sends that data back to the attacker and enters a silent waiting state ready for further instructions.

How JS.MonoGlyphRAT Operates Under the Radar

Once the connection is established, attackers can download additional payloads, run encrypted PowerShell commands, load malicious code entirely in memory without leaving files on disk, and remotely update or remove the implant.

The malware can also patch Windows’ built-in security scanning to suppress detection attempts going forward.

All C2 communication runs through custom HTTP response headers — X-S carries the active session ID, and X-A delivers the command code.

Data exchanged between the infected machine and the attacker is encrypted using AES-128 and XOR encoding, with part of the key hardcoded directly into the malware. This layered approach makes forensic investigation significantly more difficult.

Using Interactive Sandbox, analysts can safely execute suspicious JavaScript attachments and immediately observe malicious behaviors associated with MonoGlyphRAT, including the execution of wscript.exe, PowerShell spawning, registry-based persistence, C2 communications, and payload delivery attempts.

MonoGlyphRAT C2 protocol operation scheme (Source – Any.Run)

Security teams are strongly advised to monitor for behavioral signals rather than relying solely on antivirus signatures.

Key warning signs include wscript.exe executing JavaScript files from user directories, PowerShell processes launched with encoded command flags, new registry run keys pointing to .js files, and HTTP POST traffic to unusual ports with patterns like a=iz&b=.

Detecting this threat early requires behavioral monitoring and sandbox-based analysis, not traditional signature matching. Try ANY.RUN to strengthen your proactive defense.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises appeared first on Cyber Security News.

Automatic Tank Gauge systems, commonly known as ATG systems, are used across the United States to remotely monitor fuel levels, liquid volumes, temperatures, and potential leaks in storage tanks.

These systems sit quietly in the background, keeping operations running at gas stations, farms, chemical plants, and transportation hubs. Now, threat actors are actively going after them.

ATG systems are deployed across the Energy, Chemical, Food and Agriculture, and Transportation sectors. They are critical because they automate what would otherwise require constant manual oversight.

But that same network connectivity that makes them useful has also made them a target. Attackers are exploiting the fact that many of these systems are left exposed to the open internet, often with weak or default passwords still in place.

CISA, in a report shared with Cyber Security News (CSN), along with the FBI, NSA, DOE, EPA, TSA, DOT, and USDA, confirmed active malicious cyber activity targeting U.S.-based ATG systems.

The agencies noted that threat actors are compromising internet-exposed devices and actively modifying them through direct command execution. The U.S. government has not yet attributed the activity to any specific nation-state or threat group.

The attacks are not theoretical. Threat actors are gaining access, running commands, and in some cases taking full control of these systems as if they were standing right in front of the hardware.

Once inside, they can change network settings, adjust tank volume readings, alter pump controls, and disable the alerts that operators rely on to catch dangerous problems early.

The consequences could reach well beyond a network intrusion. A compromised ATG system can create what experts call a “denial of view” condition, where operators can no longer see accurate fill levels.

Left unchecked, this could lead to physical damage to tank infrastructure, environmental hazards, or spills from relay failures.

CISA and Partners Warns of Cyberattacks

The attack methods described in the advisory are not exotic, but they are effective. Threat actors exploit authentication bypass flaws and hardcoded credentials to slip past device management interfaces without a valid login.

Once they have a foothold, they use operating system command execution and SQL injection to run arbitrary code and manipulate the underlying databases that manage tank data.

From there, privilege escalation gives attackers full administrator control over both the device software and the operating system.

They can make devices report false readings, suppress safety alarms, or cause components to malfunction in ways that are hard to detect until real damage is done. The simplicity of these entry points is especially concerning given how widely ATG devices are deployed across critical industries.

Steps to Protect ATG Systems Now

CISA and its partner agencies have outlined clear steps that ATG owners and operators should take immediately. The most urgent action is removing these systems from direct internet exposure.

The ATG serial port, which defaults to TCP ports 8001, 9001, or 10001, should never be publicly accessible. If remote access is truly needed, it must be protected behind a firewall, an access control list, or a VPN.

Operators should change any default passwords right away and set strong, unique credentials for every interface, including the serial port. Where possible, phishing-resistant multifactor authentication should be enabled.

Keeping software patched and working with certified service providers to apply the latest manufacturer updates is equally important.

Organizations should enable detailed logging and regularly audit those logs for signs of unauthorized access, unusual alarm activity, or unexpected configuration changes.

Any suspected incidents should be reported to CISA at report@cisa.gov or by calling 888-282-0870. The FBI also accepts complaints through the Internet Crime Complaint Center at www.ic3.gov.

The threat to ATG systems is a reminder that industrial control devices are in the crosshairs of attackers. Leaving them exposed and unprotected is no longer an option.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post CISA and Partners Warns of Cyberattacks Targeting U.S.-based Automatic Tank Gauge Systems appeared first on Cyber Security News.

OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent.

This trust model assumes that only explicitly approved identities can issue commands to agents that may have access to sensitive data, internal APIs, or system-level execution capabilities.

However, Philip Garabandic found that this trust model breaks down due to improper identity resolution during allowlist processing.

Five OpenClaw 0-Days

The vulnerabilities stem from a recurring design flaw in which human-readable identifiers, such as display names, are resolved to stable user IDs during service initialization.

Because display names are mutable across most chat platforms, attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity.

This issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf.

Despite the fix, the same root cause persisted across five additional channel extensions, specifically Slack, Discord, Matrix, Zalo, and Microsoft Teams.

Each implementation independently reintroduced the same insecure pattern, highlighting a broader issue in distributed development and inconsistent security enforcement.

At the core of the vulnerability is a flawed startup resolution process. While runtime checks typically validate stable user IDs, the initialization logic resolves allowlist entries via directory lookups based on mutable fields such as displayName or username.

If an attacker changes their display name to match an allowlisted user before a service restart, the system may incorrectly bind the attacker’s ID into the trusted allowlist.

Once this occurs, the attacker gains full control over agent interactions while the legitimate user is silently excluded.

The vulnerabilities were identified using a specialized AI-driven static analysis tool called agentgg, which generates custom detectors based on historical advisories.

By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns, ultimately identifying a flaw replicated across multiple modules.

Each finding has since been acknowledged and addressed by OpenClaw maintainers, with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags.

From a security perspective, this class of vulnerability aligns with CWE-639, which describes bypassing authorization through user-controlled identifiers.

The impact is particularly severe in AI agent environments, where compromised access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems.

According to Philip Garabandic, the incident highlights that patching one component does not eliminate the underlying vulnerability class.

Without systemic detection mechanisms, the same flaw can silently propagate across parallel implementations.

By operationalizing past incident data into automated detection workflows, organizations can prevent repeated failures and strengthen trust boundaries in increasingly complex AI-driven architectures.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access appeared first on Cyber Security News.

Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6.

The issue allows unauthenticated attackers to escalate privileges by abusing a flawed password reset mechanism, ultimately enabling full compromise of administrator accounts.

The vulnerability was discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, earning a reward of $6,436.

Wordfence validated the issue on May 8, 2026, and quickly deployed firewall protections for premium users on May 9, ahead of public disclosure.

WordPress Plugin Vulnerability Exposes Websites

Kirki, a popular plugin used for WordPress customizer enhancements and page building, exposes a REST API endpoint responsible for handling password reset requests.

The vulnerability exists in the handle_forgot_password() function, where user input is improperly trusted during the reset process.

In a secure implementation, a password reset request should send a reset link only to the email address associated with the targeted user account.

However, in the vulnerable versions, the plugin accepts both username and email parameters without verifying their relationship.

When a valid username is supplied, the plugin correctly identifies the user account. However, it continues to use the attacker-controlled email address provided in the request.

This logic flaw enables a straightforward exploitation scenario. An attacker submits a password reset request with a legitimate username, such as an administrator, alongside an arbitrary email address they control.

The plugin then generates a valid reset token and sends it to the attacker’s email instead of the legitimate user’s.

Using the reset link, the attacker can set a new password and gain unauthorized access to the account. Successful exploitation can lead to complete site compromise.

Attackers may install malicious plugins, inject backdoors, create rogue administrator accounts, or deploy persistent webshells, aligning with common post-exploitation techniques mapped to privilege escalation and persistence tactics.

Wordfence reported the flaw to Themeum on May 15, 2026, and a patch was released in version 6.0.7 just three days later.

Mitigation is straightforward but urgent. Website administrators are strongly advised to update the Kirki plugin to version 6.0.7 or later immediately.

Additional protections are available through Wordfence firewall rules, with premium users already protected and free users scheduled to receive coverage on June 8, 2026.

Given the ease of exploitation and high impact, this vulnerability represents a significant risk to WordPress environments, particularly those with exposed user enumeration or publicly accessible login functionality. Prompt patching and monitoring for suspicious password reset activity are essential to prevent compromise.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks appeared first on Cyber Security News.

The activity was identified after a suspicious endpoint triggered alerts tied to payloads stored in a user directory.

Investigation revealed a collection of malicious components forming a structured attack toolkit. These included customized Cobalt Strike profiles designed to mimic legitimate web traffic.

Telegram bot–based command-and-control channel to hide communications within trusted infrastructure.

Python scripts capable of injecting shellcode into legitimate Windows executables while maintaining normal functionality. A Cloudflare Worker was also used as a redirector to obscure the true backend C2 server.

Hackers Use AI Red Team Tools

A key finding was the presence of partially AI-generated Python scripts, many written in Russian, alongside a Git repository that contained a broader automation framework.

This framework combined an automated AD discovery panel with a controlled lab environment used to iteratively develop and test malware against leading EDR platforms such as Sophos, CrowdStrike, and Microsoft Defender.

The AD discovery system did not operate as a fully autonomous large language model. Instead, it followed a structured decision tree model, collecting results from executed tasks, selecting predefined next steps, and dispatching actions to remote agents.

This allowed semi-automated reconnaissance across enterprise environments while maintaining predictable execution paths. The threat actor built the testing environment using virtual machines provisioned through Ludus.

Multiple Windows Server 2022 systems were configured to evaluate bypass techniques against different EDR agents, alongside a separate Ubuntu system hosting a Sliver command-and-control server.

Development was supported by an AI-native IDE, Cursor, and coordinated through multiple AI agents with assigned roles.

One primary AI agent, powered by Claude Opus, managed orchestration and rule-setting. In contrast, others handled testing, operational security improvements, documentation, and infrastructure deployment.

Communication between agents and the code repository was managed using the Model Context Protocol, enabling automated commits and iterative development cycles.

The framework also incorporated research on external threats. AI agents were instructed to ingest publicly available security blogs, extract attack techniques, map them to MITRE ATT&CK, and reproduce them within the lab.

Sources included well-known security firms and red team research providers. This process enabled rapid prototyping of attack techniques based on real-world methodologies.

At the core of the framework was a modular payload generator written in Python that produced executables in Rust and Go.

These payloads were wrapped in layers of encryption and evasion logic, allowing attackers to test over 70 different techniques.

While initial success rates were low, repeated iterations reportedly improved bypass effectiveness, though results remain partially unverified.

Sophos researchers assess that this framework, while presented as red team tooling, is likely intended for real-world intrusions, including ransomware deployment and data theft.

The use of AI significantly accelerates development cycles but does not fundamentally change defensive requirements.

Organizations are advised to maintain strong security baselines, including timely patching, multi-factor authentication, and comprehensive EDR deployment, as attackers increasingly use AI to identify and exploit defensive gaps.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion appeared first on Cyber Security News.

Tracked as CVE-2026-42253, the issue impacts both Apache ActiveMQ and Apache ActiveMQ Web components.

The flaw originates from the MessageServlet within the ActiveMQ web console API, which copies all Java Message Service (JMS) message properties directly into HTTP response headers without applying validation or sanitization.

This behavior creates a dangerous attack surface that allows adversaries to craft JMS messages with malicious header values, resulting in HTTP response header injection.

Because HTTP headers play a critical role in enforcing browser-side security controls such as Content Security Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS), attackers can abuse this flaw to overwrite or inject headers that weaken security protections.

Apache ActiveMQ Vulnerability

In real-world scenarios, this could enable cross-site scripting (XSS), session hijacking, or clickjacking attacks, especially when the ActiveMQ web console is exposed to untrusted users or integrated into enterprise workflows.

The vulnerability affects Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 up to but not including 6.2.6. Similarly, Apache ActiveMQ Web versions before 5.19.7 and 6.x versions before 6.2.6 are also vulnerable.

The Apache Software Foundation has addressed the issue by disabling and deprecating the MessageServlet component in patched releases, significantly reducing the attack surface.

In parallel, another important flaw, CVE-2026-49157, has been identified in Apache ActiveMQ involving incorrect default permissions.

This vulnerability allows authenticated low-privilege users to retain access to Jolokia broker management endpoints.

Due to overly permissive default authorization settings, non-admin users could execute sensitive broker operations such as creating or deleting queues, actions typically restricted to administrative roles.

This flaw raises concerns about privilege escalation and unauthorized broker manipulation in multi-user environments.

Both vulnerabilities highlight systemic risks in management interfaces exposed via web consoles and APIs, particularly when input validation and access control mechanisms are insufficient.

Attackers targeting enterprise messaging systems could chain these issues to manipulate broker behavior while simultaneously weakening frontend security protections.

Security researchers Vishal Shukla, pyn3rd, uname, and 4ra1n were credited with discovering the header injection flaw. At the same time, Leon Johnson reported the Jolokia permission issue.

Organizations using Apache ActiveMQ are strongly advised to upgrade immediately to versions 5.19.7 or 6.2.6, as both vulnerabilities have been remediated in those versions.

Additionally, administrators should review the exposure of the ActiveMQ web console, restrict access to trusted networks, and audit message-handling logic for the unsafe propagation of user-controlled data into HTTP responses.

Given ActiveMQ’s widespread use in enterprise messaging and microservices architectures, these vulnerabilities pose a significant risk if left unpatched, particularly in environments where web console access is not tightly controlled.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections appeared first on Cyber Security News.

 The flaw, tracked as CVE-2026-9614, affects both cloud and on-premises deployments and has been assigned a CVSS score of 8.8, indicating a significant security risk in enterprise environments. The vulnerability stems from improper access control, categorized under CWE-284.

According to Ivanti, a remote authenticated attacker can exploit this issue without requiring user interaction, enabling unauthorized elevation to administrator-level permissions.

The CVSS vector highlights that the attack can be executed over the network with low complexity and limited privileges, while potentially impacting confidentiality, integrity, and availability.

Ivanti ITSM Vulnerability

Ivanti Neurons for ITSM is widely used for IT service management workflows, including ticketing, asset tracking, and automation.

Administrative access within such platforms can expose sensitive organizational data and allow attackers to manipulate system configurations or create persistent backdoors.

For example, an attacker with compromised low-level credentials could exploit CVE-2026-9614 to elevate privileges and modify user roles, effectively taking control of the ITSM environment. The vulnerability impacts on-premises versions 2025.4 and earlier.

Ivanti has released patches to address the issue in version 2025.4 Patch 1, as well as backported fixes in 2025.3 Patch 1 and 2025.2 Patch 1.

Organizations running affected versions are strongly advised to update immediately through the Ivanti License System portal.

For cloud customers, Ivanti has already applied fixes across all environments. The company confirmed that patches were deployed during updates rolled out on May 24 and 25, specifically in versions 2026.1 Patch 9 and 2026.2 Patch 1.

Additional updates were later issued to resolve a separate logging issue affecting IP address tracking. However, this secondary bug is unrelated to the core vulnerability.

At the time of disclosure, Ivanti stated that there is no evidence of active exploitation in the wild. However, given the ease of exploitation and the potential impact, the company issued an out-of-band security advisory to accelerate remediation efforts.

Ivanti also noted that there are currently no publicly available indicators of compromise associated with this vulnerability.

As a precaution, organizations are encouraged to audit role-based access controls and verify that administrative privileges are restricted to intended users. Misconfigured roles could increase exposure and make exploitation easier.

Security teams should prioritize patching and conduct internal reviews of access permissions within their ITSM deployments. Given the critical role these platforms play in enterprise operations, timely remediation is essential to prevent potential abuse by threat actors.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege appeared first on Cyber Security News.