Cloud Break research shows how attackers can silently take over IoT devices by impersonating them to cloud-managed firewalls and routers, abusing weak serial number–based identity and vendor control planes instead of firmware bugs. This article breaks down the attack path and maps practical defences for security teams running cloud-managed edge gear.
A new vulnerability in the W3 Total Cache WordPress plugin, tracked as CVE-2025-9501, lets unauthenticated attackers run PHP commands on the server by posting crafted comments. Because W3TC powers more than a million sites, this command injection bug creates an attractive path to remote code execution and full site takeover. This article explains how the flaw works, which versions are affected, and how to respond quickly without breaking performance.
Researchers uncovered serious AI bugs across Meta, Nvidia, Microsoft and open-source inference frameworks after tracking a ShadowMQ deserialization pattern built on ZeroMQ and Python pickle. At the same time, new research shows how Cursor’s AI IDE can be hijacked via rogue MCP servers, turning developer workstations into high-value malware delivery platforms if teams ignore AI supply-chain security.
Zoom delivered security fixes for Windows clients after investigators identified CVE-2025-49457, an untrusted DLL search path that can enable local privilege escalation and broader compromise. Because attackers chain DLL hijacking with lateral movement, admins should update Windows endpoints to version 6.3.10 and validate explicit path loading. This analysis explains affected apps, exploitation flow, high-signal detection, and quick remediation steps so defenders can reduce risk without adding noise.
APT37 used stolen Google credentials to access Find Hub, check Android device locations, and trigger remote factory resets. The tactic lives in the cloud, not on the handset, so identity controls matter most. Enforce phishing-resistant MFA, restrict console actions, and rehearse rapid re-enrollment.
ClickFix campaigns scale by coaching users to “fix” access issues with copy-paste commands. After the click, actors steal Microsoft 365 tokens or credentials and, in some cases, drop PureRAT for persistence. Break the flow by enforcing admin-only app consent, requiring phishing-resistant MFA, and blocking browser-to-shell chains. Investigate mailbox rules, token reuse, and OAuth grants whenever ClickFix pages appear in referral logs.
Cephalus ransomware breaks in through exposed or weak RDP, steals data, and launches a Go-based encryptor that disables backups and evades analysis with DLL sideloading and key obfuscation. Consequently, victims encounter fast double-extortion pressure and noisy business disruption unless identity and remote-access controls stop the chain early.
A China-linked crew still breaks in through legacy CVEs Log4j, Struts, Confluence, GoAhead then hides behind scheduled tasks and msbuild.exe to run memory-resident payloads. They probe domain controllers with DCSync, and they target misconfigured IIS by abusing ASP.NET machine keys to deploy TOLLBOOTH with SEO cloaking. Reduce risk by patching edge services, restricting LOLBAS on servers, rotating machine keys, and alerting on replication from non-DC hosts.
Researchers documented CVSS 8.9 command injection in three official Claude Desktop extensions Chrome, iMessage, and Apple Notes. Because those connectors built AppleScript commands with unescaped user input, prompt injection could pivot from web content to local shell execution on macOS. Anthropic patched the issues. This analysis explains the exploit chain, the fixes, and the validation steps security teams should run to keep MCP servers safe.
EDR-Redir V2 blinds Microsoft Defender by abusing Windows file-system filter drivers with bind links that redirect or corrupt EDR working paths. This practitioner’s guide explains the method, highlights reliable artifacts, and lists resilient mitigations so teams can validate exposure, restore telemetry, and protect Windows 11 fleets without breaking production.