Curl’s lead developer says Mythos claims are marketing, but many in the industry believe the results stem from Curl’s robust security.
The post Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means appeared first on SecurityWeek.
Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.
The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.
“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”
Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.
Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.
The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners.
GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.
Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said.
GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.
“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now.
Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.
“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”
The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.
Also called Copy Fail 2 and tracked as CVE-2026-43284 and CVE-2026-43500, the exploit was disclosed before a patch was released.
The post New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks appeared first on SecurityWeek.
Lax extension permissions and improper trust implementation allow attackers to inject prompts in the Claude Chrome extension.
The post Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover appeared first on SecurityWeek.
CVE-2026-6973 is a high-severity vulnerability that allows an attacker who has admin privileges to execute arbitrary code.
The post Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks appeared first on SecurityWeek.
The fresh browser update resolves critical-severity integer overflow and use-after-free vulnerabilities.
The post Chrome 148 Rolls Out With 127 Security Fixes appeared first on SecurityWeek.
Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.
The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.
Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.
The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.
“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.
The company said firewalls exposed to the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.
Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.
“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.
Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances.
“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.
Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.”
Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon.
“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.
“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”
Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators or compromise, nor disclose the type of organizations that have been targeted and impacted.
Researchers are hunting for malicious activity and advise customers to apply patches upon release.
The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.
CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls.
The post Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls appeared first on SecurityWeek.
Dubbed Bleeding Llama, the heap out-of-bounds read issue can be exploited remotely, without authentication.
The post Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft appeared first on SecurityWeek.
CVE-2026-0073 affects Android’s System component and it can be exploited without any user interaction.
The post Critical Remote Code Execution Vulnerability Patched in Android appeared first on SecurityWeek.
The most severe of these security defects could allow remote attackers to execute arbitrary code.
The post Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server appeared first on SecurityWeek.
The security defects allow unauthenticated, remote attackers to execute arbitrary code through crafted requests.
The post MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs appeared first on SecurityWeek.
The vulnerabilities were reported to Meta through its bug bounty program and were patched with updates released earlier this year.
The post WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities appeared first on SecurityWeek.
Attackers are actively exploiting a Linux vulnerability in the wild, and researchers warn that the fallout could be broad — anyone with authenticated local access can leverage it to gain total control of a system.
But the story behind CVE-2026-31431 is almost as interesting as the bug itself. Theori, the company that discovered the bug, leaned heavily on AI to find and initially disclose it. The result is a case study that underscores the challenges that occur when the relentless hunt for defects collides with marketing impulses and inflated AI-generated language that was long on bluster but lacked technical details.
Theori dubbed the high-severity vulnerability “Copy Fail” with a vanity domain containing AI-generated content, and warned that every mainstream Linux kernel built since 2017 is in scope of potential exploitation resulting in root access.
Theori’s AI-powered penetration testing platform, Xint, discovered the local privilege-escalation flaw in a Linux kernel module and reported it to the Linux kernel security team March 23. Major Linux distributions affected by the vulnerability had issued patches prior to Theori’s disclosure, which it published alongside a proof-of-concept exploit.
The Cybersecurity and Infrastructure Security Agency added CVE-2026-31431 to its known exploited vulnerabilities catalog Friday.
Researchers have yet to determine how many organizations have been impacted by the flaw, but they noted that critical requirements for exploitation, specifically local access achieved through a separate exploit or pathway to unauthorized access, should limit potential exposure.
“The attacker would need to have already established a foothold on the target system either through some means of legitimate access or another exploit,” Spencer McIntyre, secure researcher at Rapid7, told CyberScoop. “That’s a large limiting factor since this vulnerability would therefore need to be paired with another.”
Theori’s disclosure turned heads among other vulnerability researchers who noted the defect’s broad potential impact, but also for lacking details about the proof-of-concept exploit.
“The exploit is real, there is something to worry about, but understandably, teams now have to do additional validation to know how to parse the extreme AI FUD (fear, uncertainty and doubt) from [Theori’s] blog post,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.
“It’s not helpful that the blog is AI slop, because it detracts from technical reality,” she added.
Theori acknowledges it used AI to discover and describe the vulnerability, explaining that it’s focusing on finding and fixing a large amount of defects.
“We used AI to help craft the disclosure site and the blog post to help speed things up, but all material was thoroughly reviewed by our internal teams for accuracy,” said Tim Becker, senior security researcher at Theori.
Theori is intentionally withholding additional details until the patch is broadly applied, he added.
“We stand by our technical description of the vulnerability. Helping downstream users to understand the impact of a security bug has always been a challenge for security researchers,” Becker said. “Copy Fail allows for trivial privilege escalation on most desktop and server Linux distributions. It also has implications for containerization including Kubernetes.”
Other researchers have drawn similar conclusions, noting that exploitation can be automated and doesn’t require specialization.
Meanwhile, hundreds of additional proof-of-concept exploits have surfaced since the vulnerability was disclosed five days ago. “As expected, the majority of these appear to be copycat AI PoCs that do nothing but add banners or different colors to the command-line interface. Many new PoCs are simply ports of the original AI PoC to a different programming language,” Condon said.
“Organizations should exercise caution when running untested research artifacts, including AI-generated exploit code that isn’t fully explained,” she added.
Becker said Theori is aware of the burden defenders confront, and insists the company’s reports contain enough information for organizations to quickly triage and validate its findings.
The post ‘Copy Fail’ is a real Linux security crisis wrapped in AI slop appeared first on CyberScoop.
CISA has added the bug to its KEV list, and Microsoft has observed limited exploitation, mainly associated with PoC testing.
The post Exploitation of ‘Copy Fail’ Linux Vulnerability Begins appeared first on SecurityWeek.
The maximum reward for a zero-click Pixel Titan M exploit with persistence has increased to $1.5 million.
The post Google Adjusts Bug Bounties: Chrome Payouts Drop as Android Rewards Rise Amid AI Surge appeared first on SecurityWeek.
A severe authentication bypass vulnerability in cPanel, one of the most widely deployed web hosting control panel platforms on the internet, is being actively exploited in the wild, according to security researchers and hosting providers.
The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as WP Squared, a WordPress hosting management panel built on the cPanel platform. Internet scans conducted by security firm Rapid7 using the Shodan search engine identified approximately 1.5 million cPanel instances exposed online, though the precise number of vulnerable systems remains unknown.
cPanel released a patch Tuesday. By that point, exploitation had already been underway. KnownHost, a hosting provider that relies on cPanel, said earlier this week that successful exploits had been observed in the wild prior to any fix being made available.
The Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerabilities (KEV) list Thursday.
Cybersecurity firm watchTowr provided technical details in a blog posted Wednesday: The flaw stems from improper handling of user input during the login process. When a user attempts to log in, cPanel writes data from the request into a server-side session file before verifying the user’s identity. An attacker can exploit this by embedding hidden line breaks into the password field of a login request — characters cPanel fails to strip out — allowing arbitrary data to be injected directly into that file.
Through a secondary step, also involving a deliberately malformed request, the injected data gets promoted into the session’s active cache, where cPanel reads it as legitimate. Once that happens, the system sees the session as already authenticated and skips password verification entirely, granting access without ever checking the user’s actual credentials.
cPanel has published a detection script designed to scan session files for indicators of compromise, including sessions that contain injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. WatchTowr separately released a “Detection Artifact Generator” that administrators can use to verify whether their instances remain vulnerable.
Namecheap, a major domain registrar and hosting provider, took the step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability, citing the need to protect customers while an official fix was pending. The company began applying the patch after cPanel’s release earlier this week.
cPanel’s patched releases address the issue across seven version branches, from 11.110.0 through 11.136.0, as well as WP Squared version 11.136.1. The company’s advisory notes that the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process, rather than depending on each individual part of the codebase to do so separately. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers were able to exploit to bypass password encoding entirely.
The CVE has been given a 9.8 on the CVSS scale.
The post cPanel’s authentication bypass bug is being exploited in the wild, CISA warns appeared first on CyberScoop.
The bugs could be exploited to bypass security controls, access restricted services, and crash firewalls.
The post SonicWall Urges Immediate Patching of Firewall Vulnerabilities appeared first on SecurityWeek.
An attacker could have planted a malicious configuration to execute commands outside the sandbox.
The post Critical Gemini CLI Flaw Enabled Host Code Execution, Supply Chain Attacks appeared first on SecurityWeek.
Login