Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.

The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.

“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”

Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.

Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.

The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners. 

GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.

Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said. 

GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.

“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now. 

Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.

“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”

The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.

Attackers are hitting Ivanti customers yet again — circling back to a common target and consistently susceptible vendor in the network edge space — by exploiting a zero-day vulnerability in one of the company’s most besieged products. 

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company alerted customers to the threat in a security advisory Thursday while also disclosing four additional high-severity vulnerabilities in the same product.

“At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement,” a spokesperson for Ivanti said in a statement.

Ivanti did not say when the first instance of exploitation occurred, or precisely how many customers have already been impacted.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s disclosure.

The company released patches for all five vulnerabilities Thursday, including the four additional defects — CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 — which it said haven’t been exploited in the wild.

“Ivanti discovered these vulnerabilities in recent weeks through internal detection processes which are supported by advanced AI, customer collaboration, and responsible disclosure,” the company spokesperson said. One of the defects was discovered and responsibly reported to Ivanti by a former employee.

The company suggested at least one of the root causes for the latest zero-day may be traced to lingering risk posed by a pair of separate, critical zero-days — CVE-2026-1281 and CVE-2026-1340 — that were exploited starting in late January. The fallout from those exploited vulnerabilities in Ivanti EPMM spread to nearly 100 victims, including The Netherlands’ Dutch Data Protection Authority and the Council for the Judiciary, by early February.

The latest Ivanti EPMM zero-day “requires authenticated administrative access to exploit, which is why customers who followed Ivanti’s recommendation in January to rotate EPMM credentials are at significantly reduced risk. Customers unaffected by the prior vulnerability are also at a much lower risk,” the company spokesperson said.

Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicates it was possibly exploited as part of an attack chain relying on another method for initial access. 

“No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups,” Condon told CyberScoop. 

“Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973,” she added. “Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication.”

Attacks involving Ivanti defects are a recurring problem for the vendor’s customers and security practitioners at large, including many vulnerabilities that attackers exploited before the company caught or fixed the errors. 

The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.

During an interview with CyberScoop in March at the RSAC Conference, Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. 

“My position here at Ivanti is it doesn’t do our customers any good to be quiet about this,” he said, describing the company’s communication stance with the public, CISA and global partners as “very aggressive.”

That’s not always the case with other vendors, Spicer said. “I don’t know that transparency is a core tenant of all other organizations.”

The company, which serves many government agencies and critical infrastructure operators, also routinely notes that highly skilled and resourced attackers, including those backed by nation-states, are often responsible for these waves of attacks on its customers.

Ivanti maintains that it’s trying to consistently improve the security of its products. “Through continued investment in its product security program, including the use of advanced AI paired with human verification, Ivanti is strengthening its ability to identify, remediate, and disclose issues quickly, helping customers stay ahead of an increasingly compressed threat landscape,” the spokesperson said.

The way Spicer put it in March: “We want to make sure that people understand that we are trying to do the right thing.”

The post Ivanti customers confront yet another actively exploited zero-day appeared first on CyberScoop.

CVE-2026-6973 is a high-severity vulnerability that allows an attacker who has admin privileges to execute arbitrary code.

The post Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks appeared first on SecurityWeek.

The cybersecurity firm has not explicitly accused China of being behind the attack, but the evidence suggests it was. 

The post Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking appeared first on SecurityWeek.

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run  code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

The company said firewalls exposed to the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators or compromise, nor disclose the type of organizations that have been targeted and impacted. 

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls.

The post Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls appeared first on SecurityWeek.

The authentication bypass flaw allows attackers to gain administrative access to vulnerable servers.

The post Critical cPanel & WHM Vulnerability Exploited as Zero-Day for Months appeared first on SecurityWeek.

Experts say this is the second-largest Microsoft Patch Tuesday ever based on CVE count.

The post Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities appeared first on SecurityWeek.

The vulnerability is tracked as CVE-2026-34621 and Adobe has confirmed that it can be exploited for arbitrary code execution.

The post Adobe Patches Reader Zero-Day Exploited for Months appeared first on SecurityWeek.

Reputable researcher Haifei Li has come across what appears to be a PDF designed to exploit an unpatched vulnerability.

The post Adobe Reader Zero-Day Exploited for Months: Researcher appeared first on SecurityWeek.

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild.  The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

A Chinese threat actor exploited the video conferencing platform to perform reconnaissance, escalate privileges, and execute additional payloads.

The post TrueConf Zero-Day Exploited in Asian Government Attacks appeared first on SecurityWeek.

Google has announced fixes for CVE-2026-5281, a zero-day affecting Chrome’s Dawn component. 

The post Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome appeared first on SecurityWeek.

Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report. 

These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.

Exploited vulnerabilities remained the top initial access vector for the sixth-consecutive year, giving attackers footholds in 32% of all incidents last year, the company said. Yet, the rise of voice phishing marks a concerning shift in tactics, especially in large-scale attacks with sweeping impacts.

“This type of social engineering attack is extremely powerful. It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop. “We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”

Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.

This global shift in attacks was most clearly seen in the sharp drop in email-based phishing., For years, phishing has been a popular method because it’s cheap and requires little technical skill. It works much like high-volume advertising — a spray-and-pray strategy focused on reaching as many people as possible rather than specific targeting.

Email phishing is no longer a top initial access vector, according to Mandiant. The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.

“The higher the investment, the higher the payout needs to be,” Kutscher said. “[Interactive phishing] takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”

These techniques are difficult to defend against because they’re designed to exploit human instincts and bypass many security controls. “We’ve always said, unfortunately the human tends to be the weakest link,” Kutscher said. 

Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year. Exploited defects remain a persistent problem.

The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.

Attackers of various origins and objectives exploited all three of the vulnerabilities en masse and as zero-days. 

Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.

Technology companies were the most frequently attacked in 2025, accounting for 17% of all incidents. The following most-targeted industries included finance at 14.6%, business and professional services at 13.3% and health care at 11.9%.

The post The phone call is the new phishing email appeared first on CyberScoop.

CVE-2026-21992 can be used without authentication for remote code execution and it may have been exploited in the wild. 

The post Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability appeared first on SecurityWeek.

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems include:

• SD-WAN vulnerabilities: CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133
• Cisco Secure Firewall Management Center software vulnerabilities: CVE-2026-20079 and CVE-2026-20131

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance valuations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said. 

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”

The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.

Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability. 

“We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”

A Google spokesperson said Qualcomm marked the vulnerability as exploited. “We don’t have any info or access to the exploit reports,” the spokesperson added.

Google addressed 129 defects in its monthly security update for Android devices, reflecting a surge in vulnerability disclosures from the vendor. The company’s latest security update contains the highest number of Android vulnerabilities patched in a single month since April 2018.

Google’s public vulnerability disclosure and reporting program for Android has been uneven. The company typically issued dozens of security patches each month, but that cadence has shifted to a more occasional routine. 

So far this year, Google addressed one Android vulnerability in January and none in February. There were occasional lulls last year as well when Google reported no vulnerabilities in July and October, six in August and two vulnerabilities in November. Yet, disclosures for 2025 peaked with 120 defects in September and rebounded again in December with 107 vulnerabilities, including two zero-days. 

Google previously responded to questions about dips in the amount of vulnerabilities it discloses each month, noting that it remains focused on defects that pose the greatest danger.

“Android stops most vulnerability exploitation at the source with extensive platform hardening, like our use of the memory-safe language Rust and advanced anti-exploitation protections,” a Google spokesperson said in December. “Android and Pixel continuously address known security vulnerabilities and prioritize fixing and patching the highest-risk ones first.”

The Android security bulletin for March includes two patch levels — 2026-03-01 and 2026-03-05 — allowing Android partners to address common vulnerabilities on different devices. Android device manufacturers release security patches on their own schedule after they’ve customized operating system updates for their specific hardware.

The primary security update contains 63 vulnerabilities, including 32 in the framework, 19 in the system and 12 affecting Google Play. Nearly half of those vulnerabilities have CVE identifiers from 2025.

The second patch addresses 66 vulnerabilities, including 15 vulnerabilities affecting the kernel, one Arm component defect, seven Imagination Technologies flaws and seven vulnerabilities in Unisoc components. 

The second patch level also contains fixes for eight vulnerabilities in closed-source Qualcomm components and seven high-severity defects in open-source Qualcomm components, including CVE-2026-21385. 

Google said source code for all vulnerabilities addressed in this month’s Android security bulletin will be released to the Android Open Source Project repository by Wednesday.

The post Google addresses actively exploited Qualcomm zero-day in fresh batch of 129 Android vulnerabilities appeared first on CyberScoop.

Attackers have been exploiting a pair of zero-day vulnerabilities in Cisco’s network edge software for at least three years, and the global campaign is ongoing, authorities said across a series of warnings released Wednesday.

The Cybersecurity and Infrastructure Security Agency issued an emergency directive about the global attacks and issued joint guidance with the Five Eyes to help defenders respond and hunt for evidence of compromise.

This marks the second series of multiple actively exploited zero-day vulnerabilities in Cisco edge technology since last spring. Both campaigns resulted in CISA emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were identified.

Authorities refrained from attributing the attacks to any nation state or threat group. Cisco Talos researchers assigned the exploits and post-compromise activity to UAT-8616, which they only described as a “highly sophisticated threat actor.”

The activity cluster’s “attempted exploitation indicates a continuing trend of the targeting of network edge devices by cyber threat actors to establish persistent footholds into high-value organizations including critical infrastructure sectors,” Cisco Talos said in a threat advisory.

Malicious activity linked to this campaign is far reaching and attackers have exploited vulnerabilities in targeted systems to access and potentially compromise federal networks, Nick Andersen, CISA’s executive assistant director for cybersecurity, said during a media briefing Wednesday. 

Andersen declined to say when CISA was first aware of this activity and did not provide details about potential victims, adding that officials are working through the beginning stages of mitigation.

In the jointly issued threat hunt guide, the Five Eyes said all members were aware that the most recent zero-day — CVE-2026-20127 — was identified and confirmed actively exploited in late 2025. Officials and Cisco did not explain why it took at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance. 

Attackers are gaining full control of a system in a chain by exploiting CVE-2026-20127 to bypass authentication, then downgrading software to a version vulnerable to CVE-2022-20775 to escalate privileges, said Douglas McKee, director of vulnerability intelligence at Rapid7.

“That second step allows them to move from administrative control to root on the underlying operating system. That downgrade step shows deliberate knowledge of product versioning and patch history,” he told CyberScoop. “This is not opportunistic scanning. This is structured tradecraft.”

CISA added CVE-2022-20775 and CVE-2026-20127 to its known exploited vulnerabilities catalog Wednesday.

The three-year gap between known initial attacks and detected exploitation of the zero-days showcases the attackers’ surgical use of vulnerabilities and the highly targeted nature of their campaign, said Ben Harris, founder and CEO of watchTowr. 

The timeline and known attack path also indicates operational discipline that allowed attackers to maintain long-term access in critical network infrastructure without triggering alarms, McKee said. Those activities align “more closely with state-sponsored espionage tradecraft than financially motivated crime,” he added.

CISA’s emergency directive requires federal agencies to take inventory of all vulnerable Cisco SD-WAN systems, collect logs from those systems, apply Cisco’s security updates, hunt for evidence of compromise and follow Cisco’s guidance by Friday. 

The latest campaign targeting Cisco network edge technology shares many similarities with another string of attacks officials and Cisco warned about in September. Those attacks, which involved at least two actively exploited zero-days, were underway for at least a year before they were first discovered in May. 

Cisco did not answer questions about any potential connections between the campaigns. The vendor and officials have also thus far avoided sharing any details about what occurred behind the scenes during these sustained attacks.

A spokesperson for Cisco urged customers to upgrade software and follow guidance from its advisory. 

Unfortunately, it’s too late for some Cisco SD-WAN customers to patch, Harris said. “Cisco’s advice to fully rebuild and look for prior signs of intrusion should be taken seriously.”

The post Governments issue warning over Cisco zero-day attacks dating back to 2023 appeared first on CyberScoop.

Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.

The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.

Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.

“Threat actors are exploiting those cross-domain gaps to gain access to environments, so they’re wriggling in between the seams in cloud, identity, enterprise and unmanaged network devices,” Meyers said. 

Starting from an already disadvantaged position — made worse by faster attacks and living-off-the-land techniques — defenders face burnout, stress and other factors that can lead to mistakes, he added. 

The myriad sources of these problems are spreading, too. 

CrowdStrike tracked 281 threat groups at the end of 2025, including 24 new threats it named throughout the year. Researchers at the cybersecurity firm are also tracking 150 active malicious activity clusters and emerging threat groups.

Cybercriminals seeking a payout and nation states committing espionage or implanting footholds into critical infrastructure for prolonged access are increasingly seizing on security weaknesses in cloud-based environments to break into victim networks. 

These cloud-focused attacks have seen a reported 37% year-over-year increase, with a 266% surge in this activity from nation-state threat groups.

The vast majority of attacks detected last year, 82%, were free of malware — highlighting attackers’ enduring shift toward hands-on-keyboard operations and the abuse of legitimate tools and credentials, CrowdStrike said in the report. More than 1 in 3 incident response cases involving cloud intrusions last year were linked back to a valid or abused credential that granted attackers access, according to CrowdStrike. 

Attacks originating from or sponsored by North Korea increased 130% last year, while incidents linked to China jumped 38% during the same period.

Chinese threat groups achieved immediate system access with two-thirds of the vulnerabilities they exploited last year, and 40% of those exploits targeted edge devices.

Zero-day exploits — especially defects in edge devices such as firewalls, routers and virtual private networks — allowed nation-state and cybercrime threat groups to break into systems, execute code and escalate privileges undetected.

CrowdStrike said it observed a 42% year-over-year increase in the number of zero-day vulnerabilities exploited prior to public disclosure last year. 

Meyers said he expects that number to grow further, predicting an explosion of activity from attackers using artificial intelligence to find and exploit zero-day vulnerabilities in various products during the next three to nine months.

CrowdStrike’s annual global threat report is full of figures moving in the wrong direction, yet the most worrying finding for Meyers comes down to attacker speed.

“The speed at which we’re seeing these breakout times accelerate is one of the markers,” he said, adding that it’s only a matter of time before the fastest attacks drop down to seconds, if not milliseconds.

The post CrowdStrike says attackers are moving through networks in under 30 minutes appeared first on CyberScoop.

Researchers uncovered more worrying details about a long-running cyber espionage campaign suspected to be backed by the Chinese government, exemplifying how such attacks often go undetected until they’ve already caused significant damage.

Google Threat Intelligence Group and Mandiant said the Chinese threat group UNC6201 has been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since at least mid-2024. The group overlaps with UNC5221, also known as Silk Typhoon, which has been burrowing into critical infrastructure and government agency networks undetected since at least 2022.

The zero-day exploitation marks an escalation from this particular cluster of actors.  State-sponsored attackers spent years implanting Brickstorm malware into networks before the campaign was finally detected last summer. By September, however, the attackers had replaced Brickstorm with Grimbolt, a more advanced malware that’s harder to detect, Google security researchers said Tuesday.

The zero-day vulnerability — CVE-2026-22769 — hinges on a hardcoded administrator password in Dell RecoverPoint for Virtual Machines that was pulled from Apache Tomcat. It carries a 10/10 CVSS rating. The Chinese threat group has been using the hardcoded password, which triggers the vulnerability and allows unauthenticated remote attackers to gain full system access with root-level persistence for at least 18 months, Google said. 

Dell Technologies disclosed and released a patch for the vulnerability Tuesday. A company spokesperson urged customers to follow guidance in its security advisory.

“We are aware of less than a dozen impacted organizations, but because the full scale of this campaign is unknown we recommend that organizations previously targeted by Brickstorm look out for Grimbolt in their environments,” Austin Larsen, principal analyst at GTIG, told CyberScoop.

When the Cybersecurity and Infrastructure Security Agency unveiled new details about the campaign in December, Google said dozens of U.S. organizations, not including downstream victims, had already been impacted by Brickstorm. 

“The actor is likely still active in unpatched and remediated environments, and because exploitation has been occurring since mid-2024, they have had significant time to establish persistence and carry out long-term espionage,” Larsen added.

The campaign — one of many concurrent efforts by China state-sponsored groups to embed themselves into networks for long-term access, disruptions and potential sabotage — remains a top area of concern for national security.

CISA, the National Security Agency and Canadian Centre for Cyber Security released new analysis on Brickstorm last week to share indicators and compromise that could help potential victims detect malicious activity on their networks.

Yet, the China-linked groups involved in this campaign have already moved on to Grimbolt, in some cases replacing older Brickstorm binaries with the new backdoor that’s more difficult to reverse engineer, according to Google.

Marci McCarthy, director of public affairs at CISA, told CyberScoop the agency will share further information on Wednesday.

Google’s fresh research on the China state-sponsored campaign demonstrates how the threat group’s tenacity, and ability to dwell undetected in networks longer than 400 days, keeps defenders and cyber authorities at a disadvantage.

The threat groups typically target edge applications and devices running on systems without endpoint detection and response, but researchers don’t know how attackers broke into the networks of the most recently discovered victims. 

Researchers only have a narrow view of the threat groups’ activities at large. 

“We suspect a significant portion of UNC5221 and UNC6201’s activity likely remains unknown, and there is a strong probability that they are developing or using undiscovered zero-days and malware,” Larsen said. “The most concerning aspect of this campaign is that additional organizations were likely compromised as part of this campaign and do not know it yet.”

The post Chinese hackers exploited a Dell zero-day for 18 months before anyone noticed appeared first on CyberScoop.