Cloudflare A.I CyberSecurity Scoring
Cloudflare
Company Information
Website: https://www.cloudflare.com
Employees number: 6,899
Number of followers: 1,140,726
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: cloudflare.com
Cloudflare Risk Score (AI oriented)
Between 0 and 549
Updated: 19/06/2026
481/1000
Critical
C
Cloudflare Global Score (TPRM)
Score locked
Current Score
481C (CRITICAL)
18 incidents
-21.43 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
482
MAY 2026
457
Vulnerability • 13 May 2026 • Cloudflare
F5: Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks
18-Year-Old Critical RCE Vulnerability Discovered in NGINX
Score 473 • CRITICAL-16 • ID F51778747583
A severe heap buffer overflow vulnerability (CVE-2026-42945) has been uncovered in NGINX, affecting versions dating back to 2008. The flaw, assigned a CVSS score of 9.2, resides in ngx_http_rewrite_module, a core component used for URL rewriting and variable assignment in nearly all NGINX deployments.
The vulnerability stems from a state mismatch in NGINX’s two-pass script engine. When a configuration combines rewrite and set directives with a question mark (`?`), the system miscalculates buffer allocation during the first pass, leading to a heap overflow in the second. This flaw enables unauthenticated remote code execution (RCE), with researchers demonstrating a working exploit on systems with ASLR disabled. A public proof-of-concept (PoC) is now available on GitHub.
The bug was introduced in NGINX 0.6.27 (2008) and remained undetected until April 2026, when security firm depthfirst identified it during a code audit. The audit also revealed three additional memory corruption vulnerabilities:
- CVE-2026-42946 (CVSS 8.3): A high-severity flaw in ngx_http_scgi/uwsgi_module that could trigger a ~1TB memory allocation, causing crashes.
- CVE-2026-40701 (CVSS 6.3): A medium-severity use-after-free in ngx_http_ssl_module via OCSP.
- CVE-2026-42934 (CVSS 6.3): A medium-severity out-of-bounds read in ngx_http_charset_module.
The vulnerability impacts a broad range of F5/NGINX products, including NGINX Open Source (0.6.27–1.30.0), NGINX Plus (R32–R36), NGINX Instance Manager, NGINX App Protect WAF, and NGINX Ingress Controller. F5 released patches on May 13, 2026, with fixes available in NGINX 1.30.1/1.31.0 and updated versions of affected products. Organizations unable to patch immediately are advised to audit configurations for combined rewrite and set directives and restrict exposed deployments behind a WAF.
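A configuration audit for the interim advice above, added here as an example (not the page's or F5's code): it reports each `rewrite` whose replacement contains `?` together with the `set` directives visible from the same or an enclosing context, which is the combination the advisory summary describes. The nginx.conf fragment is constructed, and the tokenizer is a minimal nginx-syntax reader written for this example.

```python
"""Audit an nginx configuration for rewrite directives combined with set."""
from typing import Iterator, List, Tuple

# Constructed sample nginx.conf fragment (not from the page or from F5).
SAMPLE_CONF = r"""
http {
    server {
        listen 80;
        server_name example.test;   # trailing comment
        set $backend "app";
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1?from=old permanent;
        }
        location /plain/ {
            rewrite ^/plain/(.*)$ /other/$1 last;
        }
    }
    server {
        listen 8080;
        location /api/ {
            rewrite ^/api/(.*)$ /v2/$1?legacy=1 break;
        }
    }
}
"""


def tokenize(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield ('directive', words), ('open', words) or ('close', []) events.

    Minimal nginx syntax: '#' comments run to end of line, arguments may be
    single- or double-quoted, ';' ends a directive, '{' opens a block and
    '}' closes one.
    """
    words: List[str] = []
    cur = ""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "#":
            while i < n and text[i] != "\n":
                i += 1
            continue
        if c in "\"'":
            end = text.find(c, i + 1)
            end = n if end == -1 else end
            cur += text[i + 1:end]
            i = end + 1
            continue
        if c.isspace() or c in ";{}":
            if cur:
                words.append(cur)
                cur = ""
            if c == ";":
                yield "directive", words
                words = []
            elif c == "{":
                yield "open", words
                words = []
            elif c == "}":
                yield "close", []
        else:
            cur += c
        i += 1


def find_query_rewrites(conf_text: str) -> List[dict]:
    """Report every rewrite whose replacement contains '?', with the `set`
    directives in scope (same block or any enclosing block)."""
    findings = []
    # Each frame: (block label, variable names assigned by `set` in that block).
    stack: List[Tuple[str, List[str]]] = [("main", [])]
    for kind, words in tokenize(conf_text):
        if kind == "open":
            stack.append((" ".join(words), []))
        elif kind == "close":
            if len(stack) > 1:
                stack.pop()
        elif words:
            name, args = words[0], words[1:]
            if name == "set" and args:
                stack[-1][1].append(args[0])
            elif name == "rewrite" and len(args) >= 2 and "?" in args[1]:
                in_scope = [v for _, names in stack for v in names]
                findings.append({
                    "context": " > ".join(label for label, _ in stack),
                    "rewrite": " ".join(args),
                    "sets_in_scope": in_scope,
                    "combined": bool(in_scope),  # the shape the advisory flags
                })
    return findings


if __name__ == "__main__":
    for f in find_query_rewrites(SAMPLE_CONF):
        flag = "REVIEW" if f["combined"] else "info"
        print(f"[{flag}] {f['context']}: rewrite {f['rewrite']} (set: {f['sets_in_scope']})")
```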
APRIL 2026
446
MARCH 2026
451
Cyber Attack • 10 Mar 2026 • Cloudflare
Cloudflare and Hurricane Electric: Hacker abusing .arpa domain to evade phishing detection, says Infoblox
Hackers Exploit Trusted .arpa Domain to Bypass Phishing Detection
Score 439 • HIGH-12 • ID HURCLO1773109431
Researchers at Infoblox have uncovered a novel phishing tactic that abuses the .arpa top-level domain (TLD), a trusted infrastructure component, to evade security defenses. The attack leverages IPv6-to-IPv4 tunneling services, specifically from Hurricane Electric, to create malicious forward DNS records under the .arpa domain, which is typically reserved for reverse DNS lookups and is implicitly trusted by security tools.
### How the Attack Works
1. Abusing Free Tunneling Services – The attacker obtained IPv6 addresses from Hurricane Electric’s free tunneling service, which allows customers to designate DNS providers for their allocated space.
2. Manipulating DNS Records – Instead of creating legitimate PTR (pointer) records for reverse lookups, the attacker configured A (address) records on Cloudflare’s name servers, redirecting .arpa domains to malicious websites.
3. Bypassing Security Controls – Since .arpa is universally trusted, security tools like protective DNS and next-gen firewalls often overlook it, allowing phishing links to slip through undetected.
### Phishing Lures & Impact
The campaign primarily targets consumers with two types of scams:
- Fake brand surveys (e.g., department stores, supermarkets) offering "free gifts" for participation.
- Subscription renewal scams claiming the victim’s cloud storage or antivirus service has been interrupted, demanding payment to restore access.
When victims click embedded links in phishing emails, they are redirected through a series of malicious pages, ultimately tricked into entering credit card details under false pretenses.
### Why This Attack Is Dangerous
- .arpa domains are inherently trusted, making them invisible to reputation-based security filters.
- No registration details are required, eliminating typical red flags like newly registered domains.
- Sophisticated threat actors could adapt this technique for spear-phishing or targeted attacks.
- Not all providers are vulnerable: some block unauthorized .arpa domain claims, but many remain exposed.
### Mitigation Recommendations
Infoblox advises organizations to:
- Monitor DNS traffic for unusual .ip6.arpa queries.
- Block or alert on atypical .arpa hostnames (e.g., non-standard IP address formats).
- Audit IPv6 tunneling providers to prevent abuse of their services.
- Ensure email security tools flag .arpa-based phishing links.
The discovery highlights a critical gap in phishing defenses, proving that even trusted infrastructure components can be weaponized. While currently used for consumer scams, the technique could easily escalate to enterprise-targeted attacks.
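A query-log check for the first two Infoblox recommendations above, added here as an example (not Infoblox's, Cloudflare's or the page's code): it flags .arpa names that are not well-formed reverse names, and address-record (non-PTR) queries for reverse names, which is the trace a forward record planted under .arpa leaves. The log format (client, qname, qtype) and the sample lines are constructed.

```python
"""Flag atypical .arpa DNS queries in a resolver query log."""
import re
from typing import List, NamedTuple, Optional

# 2001:db8::1 in reverse-nibble form (32 labels), used to build the sample log.
REV6 = "1." + "0." * 23 + "8.b.d.0.1.0.0.2.ip6.arpa"

# Constructed sample query log, one "client qname qtype" per line (not from the page).
SAMPLE_LOG = f"""\
10.0.0.5 4.3.2.1.in-addr.arpa PTR
10.0.0.5 {REV6} PTR
10.0.0.7 {REV6} A
10.0.0.9 renew-storage.8.b.d.0.1.0.0.2.ip6.arpa A
10.0.0.9 www.example.com A
10.0.0.9 256.3.2.1.in-addr.arpa PTR
10.0.0.9 printer.home.arpa A
"""

# .arpa subtrees that legitimately carry forward records; extend per environment.
FORWARD_ARPA_ALLOWLIST = ("home.arpa",)

NIBBLE = re.compile(r"^[0-9a-f]$")
OCTET = re.compile(r"^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")


class Finding(NamedTuple):
    client: str
    qname: str
    qtype: str
    reason: str


def reverse_name_problem(qname: str) -> Optional[str]:
    """Return why a .arpa name is not a well-formed reverse name, or None if it is.

    Well-formed means 1..4 decimal octets under in-addr.arpa or 1..32 hex
    nibbles under ip6.arpa. A word-like label or an out-of-range octet is the
    non-standard shape the campaign above used for its phishing hostnames.
    """
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        parts = labels[:-2]
        if not 1 <= len(parts) <= 4:
            return "in-addr.arpa name with %d labels" % len(parts)
        bad = [p for p in parts if not OCTET.match(p)]
        return "non-octet label %r under in-addr.arpa" % bad[0] if bad else None
    if labels[-2:] == ["ip6", "arpa"]:
        parts = labels[:-2]
        if not 1 <= len(parts) <= 32:
            return "ip6.arpa name with %d labels" % len(parts)
        bad = [p for p in parts if not NIBBLE.match(p)]
        return "non-nibble label %r under ip6.arpa" % bad[0] if bad else None
    return "unexpected .arpa subtree %r" % ".".join(labels[-2:])


def analyze_log(log_text: str) -> List[Finding]:
    """Scan query log lines and return a Finding for every atypical .arpa query."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype = line.split()
        name = qname.lower().rstrip(".")
        if name != "arpa" and not name.endswith(".arpa"):
            continue  # ordinary forward name, out of scope for this check
        if any(name == a or name.endswith("." + a) for a in FORWARD_ARPA_ALLOWLIST):
            continue
        problem = reverse_name_problem(name)
        if problem:
            findings.append(Finding(client, qname, qtype, problem))
        elif qtype.upper() != "PTR":
            # Well-formed reverse name, but an address record was requested:
            # the signature of a forward record configured under .arpa.
            findings.append(Finding(client, qname, qtype, "non-PTR query for reverse name"))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.client} {f.qtype:5} {f.qname}  <- {f.reason}")
```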
FEBRUARY 2026
444
JANUARY 2026
447
Cyber Attack • 12 Jan 2026 • Cloudflare
Salesloft and Cloudflare: Palo Alto Networks, Zscaler, Cloudflare hit by the latest data breach
Salesforce Data Breach via Salesloft Drift Third-Party Integration
Score 434 • CRITICAL-13 • ID SALCLO1768392789
Palo Alto Networks, Zscaler, and Cloudflare Hit by Third-Party Salesforce Breach
A recent supply chain attack targeting Salesloft Drift, a third-party Salesforce integration, has compromised sensitive data from Palo Alto Networks, Zscaler, and Cloudflare, among hundreds of other organizations. The breach, disclosed on Tuesday, stemmed from stolen OAuth tokens used to access Salesforce environments via the Drift Connected App, enabling threat actors to exfiltrate business contact information, support case details, and, in some cases, credentials.
### Key Details of the Attack
- Timeline: The malicious activity occurred from August 8 onward, with attackers leveraging Python/3.11 aiohttp/3.12.15 user agent strings and known threat actor IPs to execute Salesforce Object Query Language (SOQL) queries on objects like Account, Contact, Case, and Opportunity records.
- Data Exposed: Primarily business contact information (names, emails, phone numbers, job titles), but also support case contents, including logs, tokens, and passwords shared with vendors. Some customers stored sensitive data in insecure notes fields, increasing exposure.
- Attack Method: The threat actor mass-exfiltrated data, scanned for credentials, and deleted queries to obscure forensic traces, an anti-forensics tactic.
- Impact on Vendors:
  - Palo Alto Networks confirmed the breach was isolated to its CRM platform, with no impact on its products or services. Exposed data included customer contact and sales account details.
  - Zscaler reported similar exposure, noting that product licensing and commercial information may have been compromised.
  - Cloudflare took responsibility for enabling the third-party integration, acknowledging that support case data, including customer-shared credentials, was accessed. The company urged affected users to rotate compromised credentials.
### Industry Reactions and Lessons
- Transparency & Accountability: Cloudflare’s disclosure was praised for its technical detail and ownership of the incident, setting a benchmark for incident response. Analysts highlighted the need for stronger SaaS security and third-party risk management.
- SaaS Supply Chain Risks: The attack underscores vulnerabilities in OAuth token security and the challenges of monitoring API-level integrations, particularly as agentic AI frameworks expand. Experts warned that misconfigurations and stolen tokens remain a persistent threat.
- Zero Trust & Contractual Safeguards: Recommendations included revoking unused OAuth tokens, enforcing token expiration, and auditing third-party contracts for breach notification, data handling, and sub-processor transparency.
- Phishing Risks: The breach’s targeted nature, leveraging real business data, could fuel highly convincing phishing, smishing, and vishing campaigns, making detection harder for victims.
### Broader Implications
The incident reflects the growing threat of SaaS supply chain attacks, where a single compromised vendor can expose hundreds of downstream organizations. As enterprises increasingly rely on interconnected third-party apps, securing API access, identity management, and token hygiene becomes critical to mitigating future risks.
DECEMBER 2025
452
Cyber Attack • 19 Dec 2025 • Cloudflare
Cloudflare: Aisuru botnet sets new record with 31.4 Tbps DDoS attack
Record-Breaking DDoS Attack by Aisuru/Kimwolf Botnet Peaks at 31.4 Tbps
Score 440 • CRITICAL-12 • ID CLO1769705152
On December 19, Cloudflare mitigated a historic distributed denial-of-service (DDoS) attack launched by the Aisuru (also known as Kimwolf) botnet, reaching an unprecedented 31.4 Tbps and 200 million requests per second (rps). The campaign, dubbed "The Night Before Christmas," targeted telecommunications providers, IT organizations, and Cloudflare’s own infrastructure with hyper-volumetric HTTP and Layer 4 DDoS attacks.
This attack surpassed Aisuru’s previous record of 29.7 Tbps, set earlier, and another Microsoft-attributed assault peaking at 15.72 Tbps from 500,000 IP addresses. Over 90% of the attacks in the campaign peaked between 1-5 Tbps, with most lasting 1-2 minutes. Despite their scale, Cloudflare’s automated systems detected and mitigated them without triggering internal alerts.
The botnet’s power stems from compromised IoT devices and routers, though the December attacks primarily originated from Android TVs. Cloudflare’s 2025 Q4 DDoS Threat Report revealed a 121% year-over-year increase in DDoS attacks, with 47.1 million incidents recorded in 2025 averaging 5,376 attacks per hour. Network-layer attacks dominated (73%), while HTTP-based assaults made up the remainder.
The most targeted industries included telecommunications, IT services, gambling, and gaming, with China, Hong Kong, Germany, Brazil, and the U.S. bearing the brunt of attacks. Bangladesh was the largest source of attacks, followed by Ecuador, Indonesia, and Argentina, while Russia dropped to 10th place. The report also noted a 600% increase in network-layer attacks exceeding 100 million packets per second (Mpps) and a 65% quarter-over-quarter rise in attacks over 1 Tbps. Over 71.5% of HTTP DDoS attacks were linked to known botnets.
NOVEMBER 2025
506
Breach • 28 Nov 2025 • Cloudflare
23andMe Nets Approval for Bankruptcy Plan With Data Breach Deals
23andMe Data Breach and Bankruptcy Settlement
Score 447 • CRITICAL-59 • ID 23A1764346412
Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims.
Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims.
Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan.
Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...
NOVEMBER 2025
512
Cyber Attack • 01 Nov 2025 • Cloudflare
Google and Cloudflare: Magecart Campaign Uses Google Tag Manager To Steal Credit Card Data
Magecart Group Exploits Google Tag Manager in Sophisticated Credit Card Skimming Campaign
Score 500 • HIGH-12 • ID GOOCLO1778581869
A notorious Magecart threat group has weaponized Google Tag Manager (GTM) to deploy credit card skimmers on e-commerce sites, turning a trusted analytics tool into a vehicle for digital skimming. The campaign, linked to the ATMZOW skimmer, has evolved since its emergence in 2015, with attackers now leveraging highly obfuscated GTM containers to evade detection.
In early 2023, the group used GTM-WJ6S9J6 to inject malicious scripts disguised as legitimate analytics services. After Google removed the container, attackers pivoted to GTM-TVKQ79ZS, introducing a new layer of obfuscation that breaks if even a single character is altered, frustrating security analysis. More recently, they deployed GTM-NTV2JTB4 and GTM-MX7L8F2M as replacements.
To further evade detection, the attackers registered 40 new domains with deceptive naming patterns (e.g., cdn.sketchinsightswatch[.]com, cdn.visualartinsights[.]com), blending into normal web traffic. The skimmer randomly selects two domains per victim, storing them in local storage to limit exposure of the full infrastructure. Initially, these domains were hidden behind Cloudflare, but researchers later uncovered their Hostinger-based IP addresses after the firewall provider blocked malicious traffic.
The campaign highlights the group’s adaptability, combining GTM abuse, domain obfuscation, and selective payload delivery to prolong its operations. Indicators of compromise include the identified GTM containers and fake analytics domains, such as gtm-statistlc[.]com and gooqle-analytics[.]com.
OCTOBER 2025
589
Breach • 21 Oct 2025 • Cloudflare
Salesloft
Salesloft-Drift OAuth Token Breach
Score 550 • CRITICAL-39 • ID DRI1593115102125
The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.
OCTOBER 2025
590
Vulnerability • 09 Oct 2025 • Cloudflare
Cloudflare: Cloudflare Zero-Day Vulnerability Enables Any Host Access Bypassing Protections
Critical Zero-Day in Cloudflare WAF Exposed Origin Servers to Bypass Attacks
Score 587 • CRITICAL-3 • ID CLO1768841812
Security researchers from FearsOff uncovered a zero-day vulnerability in Cloudflare’s Web Application Firewall (WAF) that allowed attackers to bypass security controls and directly access protected origin servers. The flaw, discovered in October 2025, stemmed from improper handling of ACME HTTP-01 challenge paths, which are used for automated SSL/TLS certificate validation.
The vulnerability enabled requests to the `/.well-known/acme-challenge/` directory to evade WAF rules entirely, even when customer configurations explicitly blocked all other traffic. Normally, this path is restricted to Certificate Authorities (CAs) for domain validation, but the flaw turned it into an unintended gateway to origin servers.
Researchers demonstrated the issue on test hosts (`cf-php.fearsoff.org`, `cf-spring.fearsoff.org`, and `cf-nextjs.fearsoff.org`), where ACME path requests returned origin-generated responses, including framework errors and sensitive data, while normal requests were correctly blocked. The root cause was a logic error in Cloudflare’s edge network: if a requested token didn’t match a Cloudflare-managed certificate order, the WAF was completely bypassed, allowing direct access to the origin.
Exploitation risks included:
- Spring/Tomcat applications: Path traversal attacks exposing database credentials, API tokens, and cloud keys via actuator endpoints.
- Next.js applications: Leakage of server-side rendering data through unintended public responses.
- PHP applications: Exploitation of local file inclusion vulnerabilities via malicious path parameters.
- Custom WAF rules: Bypass of header-based blocking for ACME path traffic.
FearsOff reported the vulnerability via Cloudflare’s HackerOne bug bounty program on October 9, 2025. Cloudflare validated the issue on October 13, triaged it on October 14, and deployed a permanent fix on October 27, ensuring WAF rules now apply uniformly to all paths. The company confirmed no evidence of malicious exploitation and stated that no customer action was required.
SEPTEMBER 2025
588
AUGUST 2025
582
JULY 2025
575
MAY 2025
670
Ransomware • 29 May 2025 • Cloudflare
Cloudflare
Abuse of Cloudflare’s Tunneling Service by Ransomware Groups
Score 562 • CRITICAL-108 • ID CLO1006052925
Cybersecurity researchers have identified a growing trend among ransomware affiliates and advanced persistent threat actors who are leveraging Cloudflare’s legitimate tunneling service, Cloudflared, to establish covert access channels into compromised networks. This sophisticated technique allows attackers to maintain persistent access while evading traditional network security controls that typically flag suspicious outbound connections. The exploitation of Cloudflared tunnels has emerged as a preferred persistence mechanism due to the service’s inherent design, which encapsulates data in additional protocols that only the tunnel endpoints can decrypt. This creates a secure communication channel that appears as legitimate traffic to security monitoring systems, effectively providing attackers with what amounts to local network access from remote locations.
MAY 2025
741
Vulnerability • 01 May 2025 • Cloudflare
Cloudflare: Critical Pingora Vulnerabilities Expose Cloudflare to Request Smuggling and Cache Poisoning Attacks
Cloudflare Patches Critical Pingora Flaws Enabling HTTP Request Smuggling and Cache Poisoning
Score 667 • CRITICAL-74 • ID CLO1773147283
In May 2025, Cloudflare disclosed multiple high-severity vulnerabilities in Pingora, its Rust-based proxy framework, which could allow attackers to smuggle HTTP requests, poison caches, and deliver malicious content at scale. The flaws, tracked under CVE-2025-4366, CVE-2026-2835, and CVE-2026-2836, exposed risks of data exposure, cross-tenant leaks, and traffic redirection, particularly for organizations using Pingora with default caching settings.
### Key Vulnerabilities and Exploit Paths
1. CVE-2025-4366 (HTTP/1.1 Request Smuggling & Cache Poisoning)
   - Root Cause: Pingora failed to fully drain HTTP/1.1 request bodies before reusing connections, allowing attacker-controlled bytes to be misparsed as a separate request.
   - Impact: Attackers could forge Host headers or paths, tricking downstream servers into caching malicious responses. Legitimate users would then receive attacker-controlled content, including phishing pages or malware payloads.
2. CVE-2026-2835 (HTTP/1.0 Desync & Session Hijacking)
   - Root Cause: Improper handling of HTTP/1.0 bodies and multiple Transfer-Encoding headers caused request framing desynchronization between Pingora and backend servers.
   - Impact: Attackers could bypass IP-based access controls, hijack sessions, and poison caches by pairing smuggled requests with victim traffic.
3. CVE-2026-2836 (Cross-Tenant Cache Poisoning via Weak Cache Keys)
   - Root Cause: Pingora’s default cache key relied only on URI paths, ignoring the Host/authority component.
   - Impact: In multi-tenant environments, responses from one origin could be cached and served to unrelated sites, enabling cross-tenant data leaks and widespread cache poisoning.
### Cloudflare’s Response and Mitigations
Cloudflare disabled affected Pingora components in April 2025, deployed fixes, and invalidated cached assets to prevent exploitation. Key mitigations include:
- Pingora 0.5.0+: Mandates draining HTTP/1.1 request bodies before connection reuse (fixing CVE-2025-4366).
- Pingora 0.8.0+: Hardens HTTP message parsing per RFC 9112, rejecting ambiguous Transfer-Encoding sequences (resolving CVE-2026-2835).
- Cache Key Overrides: Operators must include Host/authority in cache keys to prevent cross-tenant poisoning (addressing CVE-2026-2836).
While Cloudflare’s main CDN infrastructure was partially protected by stricter ingress controls, open-source Pingora adopters remain exposed if using default caching configurations. Organizations are advised to upgrade to Pingora ≥0.8.0 and validate cache key settings in multi-tenant deployments.
MARCH 2025
788
Cyber Attack • 03 Mar 2025 • Cloudflare
Cloudflare, U.S. Department of Justice and Social Security Administration: DOGE might have misused Social Security data, Trump administration admits
DOGE Employees Alleged Election Interference and Data Misuse
Score 663 • MEDIUM-125 • ID CLOUSDSSA1769016836
DOGE Employees Under Scrutiny for Alleged Election Interference and Data Misuse
The U.S. Department of Justice (DOJ) has revealed in a court filing that members of Elon Musk’s "DOGE" team at the Social Security Administration (SSA) engaged in undisclosed communications with an unnamed advocacy group aiming to overturn election results in certain states. The interactions allegedly included a signed agreement that may have involved matching Social Security data with state voter rolls, a potential violation of federal privacy laws.
The DOGE employees have been referred for possible violations of the Hatch Act, which bars government officials from using their positions for political activities. According to DOJ officials, the advocacy group approached the SSA team with a request to analyze voter rolls for evidence of fraud, though the exact states targeted remain unspecified.
Further concerns arose over the unauthorized use of third-party servers, including Cloudflare, to handle sensitive data, contrary to a court ruling restricting access to such information. A senior adviser to Musk and the DOGE team, Steve Davis, was reportedly copied on a March 3, 2025, email containing a password-protected file with the private data of approximately 1,000 individuals from SSA systems. It remains unclear whether the data was accessed or exploited.
The DOJ stated that no evidence suggests broader SSA awareness of the communications or the "Voter Data Agreement" beyond the involved DOGE members. The investigation is ongoing, with no further details on potential legal consequences or the advocacy group’s identity.
JANUARY 2025
782
Breach • 01 Jan 2025 • Cloudflare
Vercel: App Host Vercel Was Hacked Through a Third-Party AI Tool
Vercel Breach Exposes Customer Credentials via Third-Party AI Tool
Score 670 • CRITICAL-112 • ID VER1776772360
Cloud hosting platform Vercel recently disclosed a security breach stemming from a compromised third-party AI tool. The incident, which occurred after an employee connected a Google Workspace OAuth app developed by Context AI to their corporate account, allowed threat actors to access internal systems.
Vercel confirmed that a "limited subset of customers" had credentials exposed, though the company stated that those not contacted were unaffected. The breach did not impact Vercel’s popular open-source projects, including Next.js and Turbopack, but the hacker claiming responsibility under the alias "ShinyHunters" allegedly gained access to employee accounts, API keys (including NPM and GitHub tokens), and source code. The stolen data is reportedly being sold on hacking forums.
The attack highlights the growing risk of supply chain compromises targeting developer tools and third-party integrations. Vercel has since implemented additional security measures and monitoring to mitigate further exposure. While the company has not verified all of the hacker’s claims, the incident underscores the increasing sophistication of attacks leveraging OAuth-based applications.
Ransomware • 01 Jan 2025 • Cloudflare
Cloudflare: Ransomware is now less about malware and more about impersonation
Identity-Based Attacks Overtake Malware as Top Ransomware Threat
Score 670 • CRITICAL-112 • ID CLO1772548440
Cloudflare Report: Identity-Based Attacks Overtake Malware as Top Ransomware Threat
Cloudflare’s latest annual threat report, published on Tuesday, reveals a major shift in ransomware tactics: identity exploitation has surpassed malware as the primary attack vector. Cybercriminals are increasingly leveraging stolen credentials, phishing, and weak passwords to bypass defenses, blending into legitimate traffic before launching extortion operations.
The report highlights that over 50% of targeted attacks now focus on manufacturing and critical infrastructure, sectors where operational disruptions create urgent financial incentives for victims to pay ransoms. Researchers describe the modern threat landscape as an “identity and access crisis,” with attackers weaponizing authorized credentials and insider access to execute high-impact breaches.
Artificial intelligence is further reshaping cyber threats, enabling attackers to prioritize speed and volume over technical sophistication. Cloudflare warns that AI-driven tools such as large language models (LLMs) are automating exploit development, allowing hackers to rapidly convert vulnerabilities into functional attacks. The focus has shifted from rare technical skills to the “velocity of the outcome,” with automated campaigns overwhelming defenses through sheer persistence.
In financial theft, criminals attempted to steal approximately $123.5 million in 2025, often targeting amounts around $49,000, a calculated strategy to evade executive approval thresholds. Thread-hijacking attacks, where fraudsters infiltrate legitimate conversations to request payments, are also on the rise. Cloudflare predicts generative AI will soon automate these scams at scale, maintaining the $49,000 “sweet spot” across thousands of simultaneous fraud attempts.
The report also outlines distinct nation-state tactics: Russia employs high-frequency, broad targeting; China focuses on stealthy pre-positioning in critical infrastructure; Iran aligns cyber intrusions with kinetic military goals; and North Korea exploits identity weaknesses through human-centric operations. Notably, adversaries are abusing legitimate platforms such as Google Calendar, text-paste sites, and Microsoft Azure domains for command-and-control (C2) operations, complicating detection efforts.
JUNE 2024
787
Cyber Attack • 16 Jun 2024 • Cloudflare
Cloudflare
Cloudflare DDoS Attacks 2024-2025
Score 780 • CRITICAL-7 • ID CLO717042825
In 2024 Cloudflare mitigated a staggering 21.3 million DDoS attacks—a 358% year-over-year jump—and in Q1 2025 alone it already repelled 20.5 million assaults, including 6.6 million aimed directly at its own infrastructure during an 18-day multi-vector campaign. The surge was driven by a 509% increase in network-layer attacks, while hyper-volumetric floods exploded: over 700 events surpassed 1 Tbps or 1 billion packets per second, averaging eight daily in Q1. Emerging threats like CLDAP reflection attacks rose 3,488% quarter-over-quarter and ESP amplification attacks grew 2,301%. Even specialized gaming servers faced hyper-volumetric onslaughts up to 1.5 billion packets per second. Most alarmingly, Cloudflare disclosed it withstood a record-breaking 5.8 Tbps DDoS blast lasting 45 seconds, eclipsing its previous 5.6 Tbps record. Although fully mitigated, these figures underscore unprecedented scale and sophistication that threaten service availability and corporate stability across industries.
JANUARY 2024
794
Cyber Attack • 01 Jan 2024 • Cloudflare
Cloudflare and Major Philippine Banks: Trusted Platforms Exploited to Steal Philippine Banking Credentials
Sophisticated Phishing Campaign Targets Philippine Bank Users via Trusted Platforms
Score 781 • HIGH-13 • ID BANCLO1775212236
Since early 2024, a highly adaptive phishing campaign has targeted customers of major Philippine banks, exploiting legitimate online services to bypass security measures. The operation, still active in 2026, has distributed over 900 malicious links, impacting more than 400 victims.
Attackers leveraged trusted platforms including Google Business, AMP CDN, Cloudflare Workers, and URL shorteners to disguise phishing redirects, improving email deliverability and evading secure email gateways. Phishing emails were sent from compromised accounts, often sourced from stolen credential databases, enhancing their credibility.
Social engineering tactics evolved over time. Early waves in 2024 used fake transaction alerts, while later iterations in 2025 shifted to warnings about suspicious logins or account updates. Victims were redirected through multiple layers before landing on convincing fake banking pages, which used "hotlinking" to pull real assets from legitimate bank servers, reducing detection risks.
The attack chain enabled real-time financial fraud. Victims entered login credentials and one-time passwords (OTPs), which were instantly transmitted to attackers via Telegram bots, allowing unauthorized transactions within minutes. In a further escalation, threat actors compromised an educational institution’s domain within the Philippine ccTLD, hosting phishing infrastructure under valid SSL certificates to enhance legitimacy.
Researchers noted the campaign’s technical sophistication, including short-lived SSL certificates and rapidly rotating subdomains to avoid detection. The abuse of trusted platforms and real-time data exfiltration underscores the growing challenge of defending against modern phishing threats.
OCTOBER 2023
801
Cyber Attack • 07 Oct 2023 • Cloudflare
Cloudflare
DDoS and Hacktivist Attacks on Israeli Websites and Apps
Score 788 • CRITICAL-13 • ID CLO420051124
On October 7, 2023, amid a real-world conflict, Israeli websites providing critical information and alerts to civilians on rocket attacks were hit by a series of DDoS attacks. Cloudflare systems detected and mitigated these attacks, which were as intense as 1M requests per second. Pro-Palestinian hacktivist groups also targeted various Israeli websites and apps, including compromising an app alerting civilians about incoming rockets by sending fake alerts. Cloudflare's Threat Operations team discovered malicious mobile applications impersonating legitimate alert apps, which could access sensitive user data. These cyberattacks occurred alongside physical threats, creating a complex situation for Cloudflare and the affected organizations to manage, emphasizing the intersection of physical and cybersecurity domains during times of conflict.
APRIL 2022
801
Cyber Attack • 01 Apr 2022 • Cloudflare
Cloudflare
Cloudflare Suffers Massive DDoS Attack
Score 792 • HIGH-9 • ID CLO33326522
Internet infrastructure company Cloudflare suffered one of the largest volumetric distributed denial-of-service (DDoS) attacks.
The attack lasted less than 15 seconds and was launched from a botnet of approximately 6,000 unique bots and originated from 112 countries around the world.
The company immediately detected and mitigated a 15.3 million request-per-second (rps) DDoS attack.
The attack was aimed at a “crypto launchpad” which is “used to surface Decentralized Finance projects to potential investors.”
FEBRUARY 2017
814
Breach • 01 Feb 2017 • Cloudflare
Cloudflare
Cloudbleed Security Flaw in Cloudflare Servers
Score 776 • CRITICAL-38 • ID CLO619191123
Cloudflare servers were leaking large amounts of private data, including login passwords and authentication cookies.
Uber, Fitbit, 1Password, and OKCupid are just a few of the big names affected by the Cloudbleed security flaw in Cloudflare servers.
Because mobile apps are created with the same backends as browsers for HTTPS (SSL/TLS) termination and content delivery, they are likewise impacted by Cloudbleed.
The fact that Cloudflare directed Ormandy to the company's bug bounty programme and offered the expert a t-shirt as payment in lieu of cash is highly unusual.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Cloudflare?
What was Cloudflare's A.I Rankiteo Cyber Score in May 2026?
What was Cloudflare's A.I Rankiteo Cyber Score in April 2026?
What was Cloudflare's A.I Rankiteo Cyber Score in March 2026?
What was Cloudflare's A.I Rankiteo Cyber Score in February 2026?
What was Cloudflare's A.I Rankiteo Cyber Score in January 2026?
What was Cloudflare's A.I Rankiteo Cyber Score in December 2025?
What was Cloudflare's A.I Rankiteo Cyber Score in November 2025?
What was Cloudflare's A.I Rankiteo Cyber Score in October 2025?
What was Cloudflare's A.I Rankiteo Cyber Score in September 2025?
What was Cloudflare's A.I Rankiteo Cyber Score in August 2025?
What was Cloudflare's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Cloudflare's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Cloudflare?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Cloudflare's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?