F5

F5 Vendor Cyber Rating & Cyber Score

f5.com

F5, Inc. (NASDAQ: FFIV) is the global leader that delivers and secures every app. Backed by three decades of expertise, F5 has built the industry’s premier platform—F5 Application Delivery and Security Platform (ADSP) —to deliver and secure every app, every API, anywhere: on-premises, in the cloud, at the edge, and across hybrid, multicloud environments. F5 is committed to innovating and partnering with the world’s largest and most advanced organizations to deliver fast, available, and secure digital experiences. Together, we help each other thrive and bring a better digital world to life.


F5 A.I CyberSecurity Scoring

F5
Company Information
Website: http://www.f5.com
Employees number: 6,164
Number of followers: 394,628
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: f5.com
F5 Risk Score (AI oriented)
Between 0 and 549
F5, IT Services and IT Consulting
Updated: 18/06/2026
Score: 352/1000
Rating: C (Critical)
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
F5 Global Score (TPRM)
Score locked

F5: Critical
Current Score: 352 C (CRITICAL)
Scale: 0 to 1000
19 incidents
-35.27 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
356 Before Incident
Vulnerability
17 Jun 2026, F5
F5 and NGINX: F5 Patches NGINX Vulnerability Enabling Code Execution and DoS Attacks

F5 Patches Critical NGINX Vulnerabilities Enabling RCE and DoS Attacks

352 After Incident
CRITICAL -4
NGIF51781792829
On June 17, 2026, F5 issued an out-of-band security advisory (K000161614) addressing multiple high-severity vulnerabilities in NGINX components, including Open Source, NGINX Plus, NGINX Instance Manager, and related modules. The flaws, which could lead to remote code execution (RCE) and denial-of-service (DoS) attacks, prompted urgent patching recommendations from F5 and national CERTs.

The most severe issue, CVE-2026-42530 (CVSS 8.1/9.2), affects the NGINX `ngx_http_v3_module` when HTTP/3 QUIC is enabled. A remote attacker could exploit a use-after-free flaw in the QPACK encoder stream to crash NGINX worker processes, causing DoS or potential RCE on systems with disabled or bypassable ASLR. Affected versions include NGINX Open Source (1.31.0–1.31.1), NGINX Gateway Fabric (2.0.0–2.6.3), and NGINX Ingress Controller (5.0.0–5.5.0), with fixes available in NGINX Open Source 1.31.2 and Gateway Fabric 2.6.4.

A second high-severity flaw, CVE-2026-42055 (CVSS 8.1/9.2), impacts NGINX Plus and Open Source when using the `ngx_http_proxy_v2_module` or gRPC with HTTP/2 backends. Malicious HTTP/2 or gRPC traffic could trigger memory-handling errors, leading to crashes or RCE. Patched versions include NGINX Plus 37.0.2.1 and NGINX Open Source 1.31.2/1.30.3, though some products like NGINX Instance Manager and App Protect modules remain unpatched.

Additional vulnerabilities in NGINX Gateway Fabric (CVE-2026-11311, CVE-2026-50107) could disrupt routing and service integrity, with fixes available in version 2.6.4. F5 recommends immediate upgrades for affected deployments and interim mitigations, such as disabling HTTP/3/QUIC, restricting HTTP/2/gRPC exposure, and enforcing access controls. Administrators are advised to monitor F5’s security notifications for further updates.

INCIDENT DETAILS
TYPE
- Remote Code Execution (RCE)
- Denial-of-Service (DoS)
IMPACT
- NGINX Open Source (1.31.0–1.31.1)
- NGINX Plus
- NGINX Instance Manager
- NGINX Gateway Fabric (2.0.0–2.6.3)
- NGINX Ingress Controller (5.0.0–5.5.0)
- Service disruption
- Potential system crashes
MAY 2026
353 Before Incident
Vulnerability
23 May 2026, F5
NGINX Plus, F5 and NGINX Open Source: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Critical NGINX Vulnerability 'nginx-poolslip' Exposes Millions of Servers to Remote Attacks

349 After Incident
CRITICAL -4
F5NGI1779539045
A newly disclosed high-severity vulnerability in NGINX, tracked as CVE-2026-9256 (dubbed nginx-poolslip), is forcing administrators into an emergency patch cycle. The flaw affects both NGINX Open Source (versions 0.1.17–1.30.1 and 1.31.0) and NGINX Plus (R32–R36 and 37.0.0), enabling remote, unauthenticated attackers to exploit it over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component targeted in the earlier "NGINX Rift" flaw (CVE-2026-42945). It occurs when a rewrite directive uses regex patterns with overlapping PCRE capture groups (e.g., `^/((.))$`) paired with replacement strings referencing multiple captures (e.g., `$1$2`). This triggers a heap buffer overflow (CWE-122) in the NGINX worker process, potentially leading to control-flow hijacking via manipulated memory pool cleanup handlers. Unlike the Rift bug, which exploited a buffer-size miscalculation, nginx-poolslip abuses a pointer "slip" across adjacent linked structures in the same memory pool, bypassing the previous patch.

Exploitation can result in denial-of-service (DoS) crashes or, in environments with disabled ASLR or bypassable protections, remote code execution (RCE). The flaw is rated High (8.1 CVSS v3.1) and Critical (9.2 CVSS v4.0).

### Affected Systems & Mitigations

The vulnerability impacts a vast footprint, including reverse proxies, API gateways, and Kubernetes ingress controllers. Fixed versions include:

- NGINX Open Source: Upgrade to 1.30.2 or 1.31.1.
- NGINX Plus: Update to R36 P5, R32 P7, or R37.0.1.1.

Downstream products such as NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF/DoS), NGINX Gateway Fabric, and NGINX Ingress Controller inherit the vulnerability but lack immediate fixes. The 0.x branch of NGINX Open Source will not receive patches.

As a temporary workaround, F5 recommends replacing unnamed regex captures with named captures (e.g., `rewrite (?<user_id>.*)` instead of `$1`). The flaw was discovered by Mufeed VH (Winfunc Research), Nebula Security, and Vexera AI, with proof-of-concept exploits already circulating. No control-plane exposure exists; the issue is confined to the data plane.

INCIDENT DETAILS
TYPE
- Vulnerability Exploitation
IMPACT
- Systems Affected: Reverse proxies, API gateways, Kubernetes ingress controllers
- Operational Impact: Denial-of-service (DoS) crashes, potential remote code execution (RCE)
MAY 2026
358 Before Incident
Vulnerability
13 May 2026, F5
F5: Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks

18-Year-Old Critical RCE Vulnerability Discovered in NGINX

350 After Incident
CRITICAL -8
F51778747583
A severe heap buffer overflow vulnerability (CVE-2026-42945) has been uncovered in NGINX, affecting versions dating back to 2008. The flaw, assigned a CVSS score of 9.2, resides in the ngx_http_rewrite_module, a core component used for URL rewriting and variable assignment in nearly all NGINX deployments.

The vulnerability stems from a state mismatch in NGINX’s two-pass script engine. When a configuration combines rewrite and set directives with a question mark (`?`), the system miscalculates buffer allocation during the first pass, leading to a heap overflow in the second. This flaw enables unauthenticated remote code execution (RCE), with researchers demonstrating a working exploit on systems with ASLR disabled. A public proof-of-concept (PoC) is now available on GitHub.

The bug was introduced in NGINX 0.6.27 (2008) and remained undetected until April 2026, when security firm depthfirst identified it during a code audit. The audit also revealed three additional memory corruption vulnerabilities:

- CVE-2026-42946 (CVSS 8.3): A high-severity flaw in ngx_http_scgi/uwsgi_module that could trigger a ~1TB memory allocation, causing crashes.
- CVE-2026-40701 (CVSS 6.3): A medium-severity use-after-free in ngx_http_ssl_module via OCSP.
- CVE-2026-42934 (CVSS 6.3): A medium-severity out-of-bounds read in ngx_http_charset_module.

The vulnerability impacts a broad range of F5/NGINX products, including NGINX Open Source (0.6.27–1.30.0), NGINX Plus (R32–R36), NGINX Instance Manager, NGINX App Protect WAF, and NGINX Ingress Controller. F5 released patches on May 13, 2026, with fixes available in NGINX 1.30.1/1.31.0 and updated versions of affected products. Organizations unable to patch immediately are advised to audit configurations for combined rewrite and set directives and restrict exposed deployments behind a WAF.

INCIDENT DETAILS
TYPE
- Vulnerability Exploitation
IMPACT
- Systems Affected: NGINX Open Source (0.6.27–1.30.0), NGINX Plus (R32–R36), NGINX Instance Manager, NGINX App Protect WAF, NGINX Ingress Controller
- Operational Impact: Potential crashes, remote code execution, and memory corruption
Vulnerability
13 May 2026, F5
F5: New NGINX Vulnerability Allows Remote Code Execution Attacks

Critical NGINX JavaScript Vulnerability (CVE-2026-8711) Enables Remote Code Execution

350 After Incident
CRITICAL -8
F51779265478
A critical heap buffer overflow vulnerability, CVE-2026-8711, has been disclosed in NGINX JavaScript (njs), allowing unauthenticated remote attackers to crash worker processes or achieve remote code execution (RCE) under specific conditions. The flaw, revealed amid a surge of NGINX security disclosures in May 2026, highlights growing risks for organizations using the widely deployed web server.

The vulnerability resides in the ngx_http_js_module and is triggered when the js_fetch_proxy directive is configured with client-controlled NGINX variables (e.g., `$http_`, `$arg_`, `$cookie_`) alongside a location block invoking ngx.fetch(). Attackers can exploit this by sending maliciously crafted HTTP requests, leading to a CWE-122 heap-based buffer overflow in NGINX worker processes. On systems with ASLR disabled, the flaw can escalate to full RCE. Affected configurations include those passing client-controlled headers (e.g., `$http_x_user`, `$http_x_password`) directly into proxy URLs. F5 has confirmed that the issue is limited to the data plane, with no control-plane exposure.

The vulnerability carries a Critical CVSS v4.0 score of 9.2 and a High CVSS v3.1 score of 8.1, affecting njs versions 0.9.4 through 0.9.8. A patch is available in njs 0.9.9, while other F5 products, including NGINX Plus, BIG-IP, BIG-IQ, F5 Distributed Cloud, and F5OS, remain unaffected.

This disclosure follows the recent "NGINX Rift" vulnerability chain, disclosed on May 13, 2026, by DepthFirst AI. The most severe flaw in the chain, CVE-2026-42945, has existed since 2008 and has already been exploited in the wild, with proof-of-concept code publicly released. Together, these vulnerabilities enable attackers to crash processes, leak memory, or achieve RCE by exploiting deterministic heap layouts.

Mitigation efforts include auditing js_fetch_proxy directives to remove client-controlled variables, enabling ASLR, monitoring worker logs for unexpected restarts, and restricting NGINX configurations. Organizations unable to patch immediately can apply a temporary workaround by replacing unnamed captures with named captures in affected rewrite directives. Given NGINX’s dominance, powering over 30% of active websites, CVE-2026-8711 poses a significant risk, particularly for internet-facing deployments where ASLR may not be enforced. Security teams are advised to prioritize patching in vulnerable environments.

INCIDENT DETAILS
TYPE
- Vulnerability Exploitation
IMPACT
- Systems Affected: NGINX worker processes
- Downtime: Worker process crashes
- Operational Impact: Potential remote code execution, system compromise
- Brand Reputation Impact: High (due to critical vulnerability in widely used software)
APRIL 2026
348 Before Incident
MARCH 2026
349 Before Incident
Vulnerability
29 Mar 2026, F5
F5: Warning: CISA, experts concerned over active exploitation of 6-month-old F5 BIG-IP APM vulnerability

Critical F5 BIG-IP APM Vulnerability Exploited in the Wild, CISA Flags Urgent Risk

345 After Incident
CRITICAL -4
F51774844643
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521, a critical vulnerability in F5 BIG-IP APM, to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active exploitation in the wild. Initially disclosed by F5 in October 2025 as a denial-of-service (DoS) flaw with a CVSS score of 7.5, the vulnerability has since been reclassified as a pre-authentication remote code execution (RCE) issue, now carrying a CVSS score of 9.8.

The flaw affects BIG-IP APM systems, including those in Appliance mode, and allows unauthenticated attackers to execute arbitrary code remotely. Unlike the initial assessment, which suggested no control plane exposure, the updated risk profile has prompted urgent warnings from security experts, including watchTowr CEO Benjamin Harris, who described the shift as a "big ‘yikes’ moment."

### Affected Versions & Mitigation

The vulnerability impacts the following BIG-IP APM versions:

- 17.5.0 – 17.5.1.3 (fixed in 17.5.1.3)
- 17.1.0 – 17.1.3 (fixed in 17.1.3)
- 16.1.0 – 16.1.6.1 (fixed in 16.1.6.1)
- 15.1.0 – 15.1.10.8 (fixed in 15.1.10.8)

F5 has released an updated advisory, urging organizations to upgrade to patched versions or apply mitigations if immediate patching is not feasible. The company confirmed that no control plane exposure exists, but the data plane remains vulnerable until remediated.

### Exploitation & Response

With evidence of in-the-wild exploitation, security teams are prioritizing patching and investigating potential breaches. The CISA KEV listing underscores the severity, as federal agencies and private sector organizations are now required to address the flaw under binding operational directives. The shift from a DoS to RCE classification highlights the evolving threat landscape, where initial vulnerability assessments may underestimate risk.

INCIDENT DETAILS
TYPE
- Remote Code Execution (RCE)
IMPACT
- Systems Affected: BIG-IP APM systems (including Appliance mode)
- Operational Impact: Potential remote code execution leading to system compromise
MARCH 2026
353 Before Incident
Vulnerability
27 Mar 2026, F5
F5 and Federal Agencies: CISA Warns of Actively Exploited F5 BIG-IP Vulnerability in Ongoing Attacks

CISA Issues Critical Alert for Actively Exploited F5 BIG-IP Vulnerability (CVE-2025-53521)

349 After Incident
CRITICAL -4
F5FED1774851985
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding CVE-2025-53521, a severe remote code execution (RCE) flaw in F5 BIG-IP APM systems that is being actively exploited in the wild. The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026, indicating real-world attacks are underway.

The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable devices, granting full control over affected systems. Since F5 BIG-IP appliances often serve as load balancers, firewalls, and application gateways at network perimeters, they are prime targets for threat actors. Successful exploitation could enable attackers to intercept traffic, manipulate application requests, or establish a foothold for deeper network infiltration, a risk compounded by the difficulty of detecting such intrusions with standard endpoint security tools.

While it remains unclear whether ransomware groups are currently leveraging this exploit, vulnerabilities of this nature are frequently targeted by initial access brokers to sell network access to other malicious actors. Under Binding Operational Directive (BOD) 22-01, federal agencies must patch or mitigate the flaw by March 30, 2026, though CISA strongly recommends all organizations, public and private, prioritize remediation. If patches are unavailable, administrators are advised to disconnect vulnerable systems until a fix is deployed.

The exact technical details of the vulnerability remain undisclosed, but the severity of active exploitation underscores the urgency of addressing this threat.

INCIDENT DETAILS
TYPE
- Remote Code Execution (RCE)
IMPACT
- Systems Affected: F5 BIG-IP APM systems (load balancers, firewalls, application gateways)
- Operational Impact: Interception of traffic, manipulation of application requests, deeper network infiltration
FEBRUARY 2026
345 Before Incident
JANUARY 2026
388 Before Incident
Breach
12 Jan 2026, F5
F5 and Inc.: How F5’s Cybersecurity Breach and Lawsuits Could Reshape Risk Perceptions for F5 (FFIV) Investors

F5 BIG-IP Source Code Breach and Securities Class Action Lawsuits

332 After Incident
CRITICAL -56
F51768245443
F5 Faces Fallout from BIG-IP Source Code Breach and Securities Lawsuits

F5, Inc. recently disclosed a significant cybersecurity incident involving unauthorized access to its BIG-IP product development environment, resulting in the exfiltration of sensitive source code. The breach has had immediate financial repercussions, contributing to a reduction in F5’s fiscal 2026 revenue guidance and triggering multiple securities class action lawsuits. Plaintiffs allege that F5 misled investors about the severity of the breach and its security practices.

The incident has raised concerns about F5’s security credibility, disclosure transparency, and the potential impact on customer trust in its core application delivery and security offerings. The lawsuits could influence enterprise adoption of F5’s newer solutions, particularly in AI and distributed cloud security, while also increasing legal costs and operational risks.

Financially, F5’s long-term projections, including $3.7 billion in revenue and $1 billion in earnings by 2028, rely on sustained 6.8% annual growth. However, the breach and legal challenges introduce near-term uncertainties, compounded by competition from hyperscale cloud providers. Investor sentiment remains divided, with fair value estimates for F5’s stock ranging widely between $152 and $290 per share. The outcome of the lawsuits and customer reactions will be critical in determining whether the breach becomes a temporary setback or a longer-term risk to F5’s market position.

INCIDENT DETAILS
TYPE
- Data Breach
IMPACT
- Data Compromised: Sensitive source code
- Systems Affected: BIG-IP product development environment
- Operational Impact: Reduced fiscal 2026 revenue guidance
- Brand Reputation Impact: Erosion of security credibility and customer trust
- Legal Liabilities: Multiple securities class action lawsuits
DATA BREACH
- Type Of Data Compromised: Source code
- Sensitivity Of Data: High
- Data Exfiltration: Yes
JANUARY 2026
390 Before Incident
Vulnerability
01 Jan 2026, F5
F5: F5 NGINX Plus and Open Source Vulnerability Allow Attackers to Execute Code Using MP4 file

High-Severity NGINX Vulnerability (CVE-2026-32647) Exposes Systems to DoS and RCE Risks

386 After Incident
CRITICAL -4
F51774448674
A critical vulnerability, CVE-2026-32647, has been disclosed in NGINX Open Source and NGINX Plus, carrying a CVSS v4.0 score of 8.5 and a CVSS v3.1 score of 7.8. The flaw, discovered by researchers Xint Code and Pavel Kohout of Aisle Research, enables local authenticated attackers to trigger a denial-of-service (DoS) condition or potentially execute arbitrary code on affected systems.

The vulnerability stems from an out-of-bounds read (CWE-125) in the ngx_http_mp4_module, a component used for MP4 file streaming. Exploitation occurs when NGINX processes a maliciously crafted MP4 file, leading to memory corruption in the worker process. This can crash the process, disrupting traffic until it restarts, or, in a worst-case scenario, allow remote code execution (RCE).

### Affected Versions & Scope

- NGINX Plus (R32–R36) – Patched in R36 P3, R35 P2, and R32 P5.
- NGINX Open Source (1.1.19–1.29.6) – Fixed in 1.28.3 and 1.29.7.
- Exposure Requirement: The system must have the ngx_http_mp4_module enabled (included by default in NGINX Plus but requires explicit compilation in Open Source).

Other F5 products, including BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud, are unaffected.

### Mitigation & Patching

F5 has released patched versions for all vulnerable branches. Organizations unable to update immediately can disable the MP4 module by:

1. Commenting out the `mp4` directive in NGINX configuration files.
2. Validating changes with `sudo nginx -t` before reloading the service.
3. Restricting media uploads to trusted users to prevent exploitation via malicious files.

The flaw is confined to the data plane, with no control-plane exposure, but its severity underscores the need for prompt remediation.

INCIDENT DETAILS
TYPE
- Vulnerability Exploitation
IMPACT
- Systems Affected: NGINX Open Source (1.1.19–1.29.6) and NGINX Plus (R32–R36)
- Downtime: Traffic disruption until worker process restarts
- Operational Impact: Denial-of-service (DoS) or remote code execution (RCE)
DATA BREACH
- File Types Exposed: MP4 files
DECEMBER 2025
388 Before Incident
NOVEMBER 2025
437 Before Incident
Breach
24 Nov 2025, F5
F5 Networks

F5 Networks Security Breach

380 After Incident
HIGH -57
F55250452112425
F5 Networks recently experienced a security breach that prompted discussions with its leadership, including CEO François Locoh-Donou and CFO Cooper Werner. While management emphasized transparency to rebuild trust with customers and investors, the full extent of the breach’s impact—particularly on sales—remains unclear. Analyst Ryan Koontz (Needham) maintained a Hold rating, citing uncertainty over long-term repercussions, which are expected to surface primarily in the first half of fiscal 2026. The breach has raised concerns about potential financial and reputational damage, though the company expresses optimism about mitigation efforts. The lack of concrete data on recovery and customer behavior contributes to the cautious outlook, as stakeholders await further clarity on operational and market consequences. The incident underscores vulnerabilities in F5’s security posture, with implications for investor confidence and business continuity.
INCIDENT DETAILS -
TYPE
Security Breach
IMPACT
Brand Reputation Impact: Potential long-term trust and sales impact, uncertainty remains
OCTOBER 2025
601 Before Incident
Breach
19 Oct 2025, F5
F5

- Oracle E-Business Suite Remotely Exploitable Vulnerability (CVE-2025-61884)
- Microsoft Zero-Day Exploits (CVE-2025-24990, CVE-2025-59230, CVE-2025-47827)
- F5 Data Breach: Nation-State Attackers Stole BIG-IP Source Code
- Adobe Experience Manager 'Perfect' Vulnerability (CVE-2025-54253)
- Microsoft Revokes 200 Certificates Used for Malicious Teams Installers (Vanilla Tempest Ransomware)
- Cisco Zero-Day Rootkit Deployment on Network Switches (CVE-2025-20352)
- U.S. Seizes $15B in Bitcoin Linked to Forced-Labor Crypto Scam
- Unitree G1 Humanoid Robot Bluetooth Vulnerability (Espionage Risk)
- Healthcare Cybersecurity Breakdown: 93% of U.S. Organizations Attacked (Patient Care Disruptions)

429 After Incident
CRITICAL -172
F50032500101925
US tech company F5 confirmed a data breach in which nation-state attackers stole the source code and vulnerability information related to its BIG-IP family of networking and security products. BIG-IP is a critical infrastructure component used by enterprises for traffic management, load balancing, and security, making this breach particularly severe. The stolen data could enable adversaries to identify and exploit undiscovered flaws in BIG-IP systems, potentially leading to supply-chain attacks, unauthorized network access, or large-scale disruptions in organizations relying on F5’s solutions. The breach underscores the escalating risks of state-sponsored cyber espionage targeting foundational IT infrastructure, with implications for global cybersecurity resilience. F5 has not disclosed whether customer data was compromised, but the theft of proprietary code and vulnerability details poses a long-term threat to its product ecosystem and the broader digital supply chain.
INCIDENT DETAILS
TYPE
- Vulnerability
- Zero-Day Exploits
- Data Breach
- Vulnerability
- Malware Distribution (Ransomware)
- Zero-Day Exploit (Rootkit)
- Cryptocurrency Fraud
- Hardware Vulnerability (Espionage)
- Cyberattack Campaign (Healthcare)
MOTIVATION
- Cyber Espionage (Source Code Theft)
- Financial Gain (Ransomware)
- Financial Gain (Crypto Fraud)
- Espionage/Data Theft
IMPACT
- $15 billion (Seized)
- BIG-IP Source Code & Vulnerability Info
- Robot Sensor/Data Leaks
- Oracle E-Business Suite
- Microsoft Products (Multiple)
- F5 BIG-IP Networking/Security Products
- Adobe Experience Manager (JEE)
- Microsoft Teams (Malicious Installers)
- Cisco Network Switches (IOS/IOS XE)
- Cryptocurrency Wallets/Exchanges
- Unitree G1 Humanoid Robots
- Patient Care Disruptions (72% of Incidents)
- Source Code Integrity Risk
- Malware Distribution Infrastructure
- Network Compromise (Rootkits)
- Fraud Operation Shutdown
- Espionage Risk (China-Linked)
- High (Healthcare)
- High (F5)
- High (Microsoft)
- High (Cisco)
- Severe (Crypto Scam)
- High (Unitree/Alias Robotics)
- Severe (Healthcare Sector)
- Criminal Charges (Forced Labor)
- HIPAA/Regulatory Violations
- High (Patient Data)
- High
DATA BREACH
- Source Code & Vulnerability Details
- Robot Sensor Data
- High (Proprietary Code)
- High (Espionage Risk)
- High (PHI/PII)
- Yes (Source Code)
- Yes (China-Linked)
- Likely (Ransomware)
- Yes (Patient Data)
SEPTEMBER 2025
652 Before Incident
Breach
01 Sep 2025, F5
F5, Inc.

F5 Source Code and Undisclosed Vulnerabilities Theft by Nation-State Hacker

595 After Incident
CRITICAL -57
F55102651101625
A nation-state cyberattack compromised F5’s internal systems, granting hackers long-term access to its BIG-IP product development and engineering platforms. The breach resulted in the theft of source code (including portions of BIG-IP) and undisclosed software vulnerabilities, effectively exposing 'blueprints' to F5’s security systems—used globally by banks, hospitals, cloud providers, and government agencies. While no customer data, financial systems, or critical platforms (NGINX, Distributed Cloud, Silverline) were directly accessed, the stolen information could enable future exploits targeting traffic management, encryption, and authentication systems. CISA issued an emergency directive (ED 26-01), mandating federal agencies to audit and patch systems urgently. The breach risks cascading attacks on infrastructure relying on F5’s technology, potentially leading to data manipulation, unauthorized access, or large-scale disruptions in sectors like finance, healthcare, and government services. The U.S. Department of Justice permitted delayed disclosure until September 2025, indicating the incident’s sensitivity and ongoing investigation into the responsible nation-state actor.
INCIDENT DETAILS
TYPE
- Data Breach
- Source Code Theft
- Nation-State Cyber Espionage
- Supply Chain Risk
MOTIVATION
- Cyber Espionage
- Intellectual Property Theft
- Potential Future Exploitation of Undisclosed Vulnerabilities
IMPACT
- Portions of BIG-IP Source Code
- Details of Undisclosed Vulnerabilities
- F5 Internal Development/Engineering Platforms (BIG-IP)
- Federal Agency Systems (potential, via BIG-IP dependencies)
- Financial Institutions, Healthcare Systems, Cloud Providers, Telecom Sector (indirect risk)
- Federal Agencies Ordered to Audit/Patch Systems (ED 26-01)
- No Material Impact Reported on F5 Operations
- High (due to nation-state involvement and critical infrastructure reliance on F5)
- Potential Erosion of Trust in F5 Security Products
- Indirect (via potential exploitation of stolen vulnerabilities in downstream systems)
- Indirect (via potential exploitation of vulnerabilities in financial sector systems using BIG-IP)
DATA BREACH
- Proprietary Source Code (BIG-IP)
- Undisclosed Vulnerability Details
- Sensitivity Of Data: High (critical infrastructure security blueprints)
- Source Code Files
- Vulnerability Documentation
AUGUST 2025
668 Before Incident
Cyber Attack
09 Aug 2025, F5
F5

Nation-State Cyber Actor Gains Persistent Access to F5's Source Code, Prompting CISA Emergency Directive

650 After Incident
CRITICAL -18
F54602046101625
F5, a Seattle-based technology vendor, suffered a sophisticated cyber intrusion by a nation-state actor who maintained long-term, persistent access to its internal systems, including the BIG-IP product development environment and engineering knowledge management platform. The attackers stole source code, embedded credentials, and API keys, along with details of unpatched vulnerabilities F5 was actively addressing. While no federal agency breaches have been confirmed yet, CISA issued an emergency directive (26-01) mandating immediate patching of F5 devices across all federal networks due to the imminent risk of credential theft, lateral network movement, and full system takeover. The breach was discovered on August 9, but public disclosure was delayed until October at the Justice Department’s request, citing national security concerns. The attack is part of a broader supply-chain campaign targeting U.S. tech infrastructure, with potential motives including intelligence gathering, future sabotage, or ransomware preparation. Experts warn the stolen source code could enable zero-day exploits before patches are available, posing risks to thousands of F5 devices in government and private-sector networks. The incident underscores vulnerabilities in critical infrastructure and the escalating threat of state-sponsored cyber espionage.
INCIDENT DETAILS
TYPE
- Supply Chain Compromise
- Unauthorized Access
- Source Code Theft
- Persistent Threat
MOTIVATION
- Intelligence gathering
- Supply chain compromise for future attacks
- Potential infrastructure hostage scenarios
IMPACT
- F5 BIG-IP source code
- Engineering knowledge management platform data
- Embedded credentials/API keys
- F5 BIG-IP product development environment
- F5 engineering knowledge management platform
- Potential federal agency systems using F5 BIG-IP (thousands of devices)
- Federal agencies required to inventory and patch systems by 2024-10-22
- Scoping reports due by 2024-10-29
- CISA sustaining operations despite government shutdown
- Potential erosion of trust in F5's supply chain security
- First public acknowledgment of DOJ-delayed disclosure under SEC rules
DATA BREACH
- Source code (F5 BIG-IP)
- Engineering knowledge management data
- Embedded credentials/API keys
- Sensitivity Of Data: High (source code, undisclosed vulnerabilities, credentials)
- Source code files
- Engineering documentation
JULY 2025
667 Before Incident
JUNE 2025
667 Before Incident
Vulnerability
16 Jun 2025, F5
F5 Networks

F5 Networks HTTP/2 MadeYouReset Attack (CVE-2025-54500)

663 After Incident
MEDIUM -4
F5636081725
F5 Networks disclosed CVE-2025-54500, a critical HTTP/2 vulnerability dubbed MadeYouReset Attack in its BIG-IP products, enabling remote, unauthenticated attackers to exploit malformed HTTP/2 control frames. The flaw (classified under CWE-770) bypasses protocol safeguards, causing CPU exhaustion and denial-of-service (DoS) on affected systems. While the issue is confined to the data plane (no control plane compromise), it disrupts corporate networks by overwhelming resources. Vulnerable versions span BIG-IP 15.x–17.x and BIG-IP Next (20.3.0+), with hotfixes released but not fully QA-tested. Mitigations include disabling HTTP/2 or deploying ASM/Advanced WAF DoS profiles. The attack requires no authentication, amplifying risk for unpatched systems. F5 credited researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel for responsible disclosure.
INCIDENT DETAILS -
TYPE
Denial-of-Service (DoS); Vulnerability Exploitation
IMPACT
BIG-IP; 17.x (17.5.0–17.5.1, 17.1.0–17.1.2); 16.x (16.1.0–16.1.6); 15.x (15.1.0–15.1.10); BIG-IP Next; 20.3.0; SPK/CNF/K8s implementations; F5 Silverline; HTTP/2-enabled proxy configurations; Type: Denial-of-Service (DoS); Cause: CPU resource exhaustion due to malformed HTTP/2 control frames; Scope: Potential complete system unavailability; Operational Impact: Disruption of corporate network services relying on affected BIG-IP products; Brand Reputation Impact: Potential reputational damage due to service disruptions
MAY 2025
682 Before Incident
Cyber Attack
01 May 2025 F5
F5 Inc.

Unauthorized Access to F5 Inc.'s BIG-IP Development Environment by Nation-State Threat Actor

670 After Incident
CRITICAL -12
F52002820101625
In August 2025, F5 Inc. suffered a sophisticated cyberattack by a nation-state threat actor, who gained long-term unauthorized access to its BIG-IP product development environment and engineering knowledge management platform. The attackers exfiltrated portions of the BIG-IP source code, details of undisclosed vulnerabilities under active development, and customer configuration/implementation data (affecting a small percentage of clients). While F5 confirmed no evidence of supply chain tampering (source code, build, or release pipelines) or active exploitation of undisclosed flaws, the breach exposed proprietary intellectual property and sensitive customer-specific deployment information.

F5 contained the incident, engaged external cybersecurity firms, and collaborated with law enforcement. Mitigation steps included credential rotation, access control hardening, network security enhancements, and automated patch management. Customers were urged to update BIG-IP software immediately, adopt threat hunting guides, and monitor for suspicious activity via SIEM integration. F5 also partnered with CrowdStrike to offer free Falcon EDR subscriptions for extended threat detection. Direct outreach was initiated to affected customers whose data may have been exposed, though no critical remote code execution vulnerabilities were confirmed as leaked or exploited.
INCIDENT DETAILS -
TYPE
Cyber Espionage; Data Breach; Unauthorized Access
MOTIVATION
Espionage; Intellectual Property Theft; Reconnaissance for Future Exploits
IMPACT
BIG-IP Source Code (Portions); Undisclosed Vulnerability Information; Customer Configuration/Implementation Data (Small Percentage); BIG-IP Product Development Environment; Engineering Knowledge Management Platform; Incident Response Activation; Customer Notifications; Software Updates and Hardening Guidance; Brand Reputation Impact: Potential Reputation Risk Due to Breach of Trust and Source Code Exposure
DATA BREACH
Source Code (BIG-IP); Undisclosed Vulnerability Research; Customer Configuration/Implementation Data; Sensitivity Of Data: High (Source Code, Vulnerability Details, Customer-Specific Configurations); Source Code Files; Engineering Documentation; Customer Configuration Files
JANUARY 2025
682 Before Incident
Vulnerability
01 Jan 2025 F5
F5, Lloyds Banking Group, Citrix, Dutch Ministry of Finance and European Commission: Lloyds Banking Group - Security Affairs

Cybersecurity Roundup: Major Incidents and Emerging Threats

673 After Incident
CRITICAL -9
EURF5LLOCITMIN1774989406
Recent weeks have seen a surge in high-profile cybersecurity incidents, vulnerabilities, and state-linked attacks targeting governments, financial institutions, and critical infrastructure.

Financial Sector Breaches
Lloyds Banking Group confirmed a security incident affecting nearly 500,000 mobile customers, though details on the nature of the breach remain undisclosed. Meanwhile, the Dutch Ministry of Finance took treasury systems offline following a cyber incident under investigation.

Critical Vulnerabilities Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Citrix NetScaler flaw (CVE-2026-3055) to its Known Exploited Vulnerabilities catalog after reports of active exploitation, with attackers probing the bug for potential data leaks. CISA also flagged a critical F5 BIG-IP APM vulnerability under active attack. Additionally, security agencies warned of a severe flaw in PTC Windchill and FlexPLM, urging organizations to apply patches immediately.

State-Sponsored Threats
Russia-linked APT TA446 deployed the DarkSword exploit in a phishing campaign targeting iPhone users. China-associated groups launched advanced malware attacks against a Southeast Asian government in early 2025. Meanwhile, an Iran-linked group, Handala, compromised the personal email account of FBI Director Kash Patel, marking a significant escalation in espionage efforts.

Ransomware and Supply Chain Attacks
The Qilin ransomware group claimed responsibility for breaching Dow Inc., a major chemical manufacturer. Attackers also hijacked the Axios npm account, using it to distribute remote access trojan (RAT) malware to unsuspecting developers. In a separate incident, ShinyHunters asserted responsibility for hacking the European Commission, though the full impact remains unclear.

Emerging Threats
Apple issued urgent lock screen warnings for unpatched iPhones and iPads, highlighting ongoing risks to mobile security. A new macOS malware, Infinity Stealer, was discovered leveraging Nuitka Python payloads and ClickFix techniques to evade detection. Additionally, a new adversary-in-the-middle (AITM) phishing wave targeted TikTok Business accounts, demonstrating evolving social engineering tactics.

Government and Institutional Targets
The European Commission confirmed a cyberattack affecting part of its cloud infrastructure, though specifics on the attack vector and scope were not disclosed.

These incidents underscore the persistent and evolving nature of cyber threats across sectors.
INCIDENT DETAILS -
TYPE
data_breach; ransomware; phishing; malware; supply_chain_attack; state-sponsored_attack
MOTIVATION
espionage; financial_gain; data_exfiltration; disruption
IMPACT
mobile banking systems; treasury systems; cloud infrastructure; npm account; iPhone devices; macOS systems; systems taken offline; disrupted services
Vulnerability
01 Jan 2025 F5
Citrix and F5: Vulnerability affecting F5 BIG-IP APM

Critical Vulnerabilities in F5 BIG-IP and Citrix NetScaler Demand Immediate Action from UK Organizations

673 After Incident
CRITICAL -9
F5CIT1774873786
The UK’s National Cyber Security Centre (NCSC) has issued urgent guidance for organizations to mitigate active exploitation of severe vulnerabilities in F5 BIG-IP Access Policy Manager (APM) and Citrix NetScaler ADC/Gateway. Both flaws enable unauthenticated remote code execution (RCE), posing significant risks to enterprise networks.

### F5 BIG-IP APM (CVE-2025-53521)

- Impact: Affects all organizations using BIG-IP APM, particularly large enterprises. Exploitation occurs when a malicious actor sends crafted traffic to a virtual server configured with an APM access policy.
- Active Exploitation: F5 has confirmed in-the-wild attacks targeting this vulnerability.
- Recommended Actions:
  - Isolate affected systems immediately to prevent further compromise.
  - Update to the latest patched version or rebuild systems from scratch if updates are not feasible.
  - Investigate for compromise, even if systems were recently updated, as exploitation may have occurred prior to patching.
  - Report incidents to F5 and UK authorities if a breach is suspected.

### Citrix NetScaler ADC/Gateway Vulnerabilities

- Impact: Two recently disclosed flaws in Citrix NetScaler products could allow attackers to execute arbitrary code without authentication.
- Recommended Actions:
  - Apply vendor patches without delay.
  - Monitor for signs of compromise, including unusual network activity or unauthorized access.
  - Consider engaging an assured Cyber Incident Response provider for forensic analysis if exploitation is suspected.

### Broader Context & NCSC Support

The NCSC is actively assessing the UK impact of these vulnerabilities and collaborating with industry partners to track exploitation. Organizations are advised to:

- Enable continuous threat hunting to detect post-exploitation activity.
- Follow NCSC’s hardening guidance to reduce attack surfaces.
- Leverage the NCSC Early Warning service for real-time threat notifications.

Both F5 BIG-IP APM and Citrix NetScaler are widely deployed in critical infrastructure, making these vulnerabilities high-priority targets for threat actors. Immediate remediation is essential to prevent potential breaches.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Enterprise networks, critical infrastructure; Operational Impact: Potential unauthorized access, arbitrary code execution
OCTOBER 2024
735 Before Incident
Breach
22 Oct 2024 F5
F5

Nation-State Hack Targeting F5 BIG-IP Vulnerabilities

678 After Incident
CRITICAL -57
F52892228101525
F5, a global provider of application security and multi-cloud management services, disclosed a breach by a nation-state threat actor that compromised its BIG-IP source code and undisclosed vulnerabilities. The hackers maintained long-term persistent access to F5’s development environment and exfiltrated files, including customer configuration data and API keys. While F5 stated no active exploitation of undisclosed vulnerabilities was detected, the stolen information could enable lateral movement within networks, data exfiltration, and persistent system access, risking full compromise of targeted systems. The breach also exposed implementation details for a small percentage of customers, heightening supply chain risks. CISA issued an emergency directive mandating federal agencies to patch F5 devices by October 22, 2024, and report all instances by October 29, 2024, citing potential downstream impacts on federal networks and critical infrastructure. F5 is collaborating with CrowdStrike, Mandiant, and government agencies to mitigate risks but acknowledged the incident could erode trust and pose ongoing threats to organizations relying on BIG-IP products.
INCIDENT DETAILS -
TYPE
Supply Chain Attack; Data Breach; Unauthorized Access
MOTIVATION
Espionage; Intellectual Property Theft; Potential Future Exploitation
IMPACT
BIG-IP Source Code; Customer Configuration/Implementation Data; Undisclosed Vulnerability Details; API Keys; Embedded Credentials; F5 BIG-IP Hardware/Software; BIG-IP Development Environment; Engineering Knowledge Management Platform; Potential Lateral Movement in Federal Networks; Risk of Full System Compromise; Mandatory Patching/Remediation for Federal Agencies; Brand Reputation Impact: High (Trust Erosion, Public Disclosure of Breach)
DATA BREACH
Source Code; Customer Configuration Data; Undisclosed Vulnerability Details; API Keys; Embedded Credentials; Sensitivity Of Data: High (Source Code, Vulnerability Details, Customer-Specific Configurations); Source Code Files; Knowledge Management Documents; Customer Implementation Guides
JANUARY 2024
729 Before Incident
Vulnerability
01 Jan 2024 F5
TrueConf and F5: Storm-1175 - Security Affairs

CISA Adds TrueConf Client Flaw to Known Exploited Vulnerabilities Catalog

725 After Incident
CRITICAL -4
F5TRU1775587606
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in TrueConf Client to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks. The move underscores the urgency for organizations using the video conferencing software to apply patches or mitigations promptly.

In other recent cybersecurity developments:

- UAC-0255, a threat actor, impersonated Ukraine’s CERT-UA in phishing campaigns to distribute the AGEWHEEZE malware, targeting unsuspecting users.
- The pro-Iran Handala group breached Israeli defense contractor PSK Wind Technologies, highlighting ongoing geopolitical cyber threats.
- Storm-1175, a fast-moving threat group, deployed new exploits to infiltrate networks and deploy Medusa ransomware, demonstrating evolving attack techniques.
- Researchers uncovered GPUBreach, an exploit leveraging GPU memory bit-flips to achieve full system compromise, posing a novel risk to hardware-based security.
- Over 14,000 F5 BIG-IP APM instances remain exposed to a remote code execution (RCE) flaw, despite available patches, leaving organizations vulnerable to exploitation.
- The Qilin ransomware group claimed responsibility for hacking Germany’s Die Linke political party, adding to the growing trend of cyberattacks on political entities.
- North Korea-linked hackers stole $285 million from cryptocurrency platform Drift in a sophisticated attack, further fueling concerns over state-sponsored cybercrime.
- A major outage disrupted Russian banking apps and metro payment systems nationwide, though the cause, whether cyberattack or technical failure, remains unclear.
- A European Commission breach exposed data from 30 EU entities, with CERT-EU investigating the incident’s scope and impact.
- German authorities (BKA) identified two REvil ransomware operators linked to 130+ attacks in Germany, marking progress in dismantling the notorious group.
- An Italian spyware vendor created a fake WhatsApp app, targeting 200 users in a surveillance campaign.
- Fortinet patched CVE-2026-35616, a high-severity flaw actively exploited in the wild, urging immediate updates.
- Google addressed the fourth actively exploited Chrome zero-day of 2026, reinforcing the need for rapid browser security updates.
- North Korean hackers leveraged phishing LNK files and GitHub command-and-control (C2) infrastructure in new cyberattacks, showcasing persistent threat tactics.

These incidents reflect the escalating sophistication of cyber threats, from ransomware and espionage to supply chain and hardware-based attacks. Organizations are advised to monitor advisories and prioritize vulnerability remediation.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: TrueConf Client; Operational Impact: Potential unauthorized access to systems using TrueConf Client; Brand Reputation Impact: Potential reputational damage for TrueConf and affected organizations
JUNE 2023
776 Before Incident
Breach
16 Jun 2023 F5
F5

F5 Nation-State Cyberattack and Source Code Theft

722 After Incident
CRITICAL -54
F55102051102225
F5, a U.S. technology company providing foundational security and performance solutions for government networks and critical infrastructure, suffered a nation-state hack. The breach, discovered in August 2024 but active since late 2023, involved the theft of product source code and undisclosed vulnerability data, along with customer configuration data. While no evidence yet exists of exploited vulnerabilities or compromised source code, the stolen data poses a severe risk—potentially serving as a 'master key' for devastating follow-on attacks against government agencies, critical infrastructure, or global networks. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating patches for nearly 680,000 internet-facing F5 devices by October 22, 2024. Experts warn the stolen data could enable campaigns akin to those by Salt Typhoon or Volt Typhoon, nation-state actors known for targeting edge infrastructure. The Justice Department authorized delayed disclosure due to national security risks, highlighting the breach’s potential to disrupt systems underpinning public safety, defense, or economic stability.
INCIDENT DETAILS -
TYPE
Data Breach; Espionage; Nation-State Attack
MOTIVATION
Espionage; Intellectual Property Theft; Potential Future Cyberattacks
IMPACT
Product Source Code; Customer Configuration Data; Undisclosed Vulnerability Data; F5 Product Hosts (~680,000 internet-facing, primarily in the U.S.); Potential future exploits using stolen data; Mandatory patching for federal agencies by 2024-10-22; Positive notes on transparency; Concerns over long-term trust due to source code theft
DATA BREACH
Product Source Code; Customer Configuration Data; Undisclosed Vulnerability Data; Sensitivity Of Data: High (source code and vulnerability data could enable future attacks); Data Exfiltration: Yes

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for F5?
What was F5's A.I Rankiteo Cyber Score in May 2026?
What was F5's A.I Rankiteo Cyber Score in April 2026?
What was F5's A.I Rankiteo Cyber Score in March 2026?
What was F5's A.I Rankiteo Cyber Score in February 2026?
What was F5's A.I Rankiteo Cyber Score in January 2026?
What was F5's A.I Rankiteo Cyber Score in December 2025?
What was F5's A.I Rankiteo Cyber Score in November 2025?
What was F5's A.I Rankiteo Cyber Score in October 2025?
What was F5's A.I Rankiteo Cyber Score in September 2025?
What was F5's A.I Rankiteo Cyber Score in August 2025?
What was F5's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on F5's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with F5?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view F5's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?