A Microsoft Defender vulnerability is being actively exploited by ransomware groups, yet CISA does not proactively notify users when KEV-listed vulnerabilities enter active exploitation by ransomware campaigns.
North Korean APT Sapphire Sleet executed targeted supply-chain attack against npm ecosystem, compromising 140+ packages with malicious dependencies for automatic injection into developer environments.
The USA has announced a reward for information about Russian hackers behind organized phishing attacks against Signal users,a sign of escalating state-sponsored cyber operations targeting Western communications infrastructure.
CISA has added the SimpleHelp vulnerability to its Known Exploited Vulnerabilities catalog, and multiple malware families (TaskWeaver, Djinn Stealer) are being deployed post-exploitation,indicating coordinated, active attack campaigns.
Attackers actively exploit an authentication bypass in SimpleHelp to deliver malware that specifically targets developer credentials, SSH keys, and cryptocurrency wallets,suggesting supply-chain and development-pipeline targeting.
BSI warns of multiple critical vulnerabilities in Firefox, Firefox ESR and Thunderbird enabling code execution, sandbox escape and memory corruption , specific CVEs and patch status required for priority assessment.
The BSI called Windchill administrators at night to warn of a critical, actively exploited vulnerability,a sign of serious ongoing compromises in the manufacturing sector.
Critical
Russian ransomware group (identity unclear, but linked to eCrime operations) C3
A significant number of Fortigate customers are already compromised via dormant admin accounts planted by ransomware groups , strategic backdoor infrastructure for future attacks.
CISA warns of credential exposure in Fortinet devices, indicating active exploitation or threats that extend beyond generic security updates and require targeted hardening measures.
BSI alert on multiple critical vulnerabilities in 7-Zip enabling local and remote code execution; patch status and affected versions should be verified.
The BSI warns of multiple privilege escalation vulnerabilities in sudo; without CVE numbers, it remains unclear whether these are already-known or newly disclosed flaws.
BSI issues warning on multiple Chrome/Edge vulnerabilities without specific CVE numbers; incomplete details suggest a coordination or staged-update scenario.
The BlueHammer vulnerability is already being exploited by ransomware groups in active attacks, not merely in theoretical scenarios; this indicates an immediate threat to unpatched Windows systems.
Multiple vendor-signed UEFI applications enable Secure Boot bypass via BYOVD-style attacks, allowing arbitrary code execution during the firmware phase before OS initialization.
Threat actors abuse ClickOnce applications to establish persistent remote access and update malware via the built-in update mechanism without requiring new user interaction.
Microsoft introduces agent-based AI systems (MDASH) for automated vulnerability discovery and extends threat protection to AWS databases alongside enhanced identity backup capabilities.
Active attack campaign exploits authentication bypass in RMM tools to gain admin access and deploy credential-stealing malware in enterprise environments , an attack pattern enabling widespread compromise.
A critical remote-access vulnerability in SimpleHelp is being actively exploited to deploy a new information stealer , a risk for organizations using this tool for technical support.
Russian intelligence services impersonate messenger support to steal backup recovery keys and gain access to high-value targets (government officials, military, journalists) , a new tactic in the phishing context.
Critical
NEW CyberAv3ngers, IRGC-linked groups, Russian state actors, Chinese state actors C3
State-sponsored actors from Iran, Russia, and China exploit basic attack vectors such as weak passwords and exposed PLCs rather than sophisticated malware to sabotage critical infrastructure.
Russian state-sponsored groups are conducting active campaigns against Western government and military personnel, indicating targeted cyber-warfare activity with potential spillover effects on European critical infrastructure and supply chains.
Kaspersky documents new tactics and custom backdoors deployed by an established APT group targeting Western infrastructure, relevant to DACH manufacturing and industrial sectors.
Gamaredon is intensifying attacks against Ukraine with 35 new spear-phishing campaigns in 2025 and increasing abuse of cloud services for obfuscation; this signals an escalation of Russian cyber operations in the European context.
The Interior Ministry's clarification of Cyberdome signals strengthened government coordination against cyberattacks in the DACH region and may require IT vendors to achieve 'Cyberdome-ready' certification.
A directory-traversal vulnerability in Microsoft Edge enables remote code execution through visiting a malicious web page, was demonstrated at Pwn2Own, and has been assigned CVSS 7.5.
Chaining of two previously known kernel vulnerabilities enables memory corruption and local privilege escalation on Linux 4.10+; public PoC available since May 2026.
The authentication vulnerability allows unauthorized access to GSSAPI-authenticated systems without valid credentials, but primarily affects environments with explicitly configured JNDIRealm.
Leaked exploits for a Linux kernel vulnerability signal immediate attack readiness for any Ubuntu/Linux environment and significantly elevate the risk of local compromise.
The vulnerability was discovered at Pwn2Own and enables arbitrary cross-origin script execution, but requires active user interaction with a malicious page or file.
75,000 Fortinet devices have been compromised with exported admin passwords; the data is recent and may already be circulating in eCrime networks with structured victim profiling.
BSI warning of multiple critical vulnerabilities in Firefox/Thunderbird without specific CVE references or version details,organizational patching required.
Attackers are actively exploiting two critical RCE vulnerabilities (CVE-2026-39808 and CVE-2026-25089) in FortiSandbox over the internet without prior authentication.
A coordinated campaign since at least 2021 exploited 119 malicious Edge extensions to hide malware in image and font files, stealing credentials and conducting ad fraud days after installation.
The BSI advisory indicates a vulnerability in RHEL that can be exploited by an authenticated attacker to achieve code execution , the absence of CVE numbers and PoC status makes technical triage impossible without further details.
BSI alerts to multiple Chrome vulnerabilities; without specific CVE numbers, this is a generic warning category but requires immediate patch verification.
119 malicious browser extensions with 2.6 million installations were discovered in Microsoft Edge despite obfuscation techniques , an active supply-chain risk for enterprise endpoints.
An unnamed vulnerability in 7-Zip allows attackers to bypass security mechanisms and manipulate files, which is critical in environments with data protection requirements.
The vulnerability requires authentication and low privileges, which limits immediate risk but still poses high exploitability for insider-based or locally-triggered attacks.
DirtyClone (CVE-2026-43503, CVSS 8.8) is a new Linux kernel variant of DirtyFrag with active abuse by groups like ShinyHunters, enabling immediate root privilege escalation on unpatched or incompletely patched systems.
An established MaaS campaign for Chinese-speaking cybercriminal groups leverages BadIIS to compromise IIS servers for SEO fraud and traffic redirection, with multi-year development history and persistent mechanisms.
Report aggregates multiple unrelated attacks and vulnerabilities (Polymarket supply-chain attack, KDDI breach, Cisco zero-day, Fortinet vulnerabilities) without focus on a single active campaign; serves as a weekly threat intelligence digest.