A critical vulnerability (CVE-2025-10659) has been discovered in the Megasys Telenium Online Web Application. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to achieve remote code execution. It stems from a PHP endpoint that improperly handles user-supplied input, enabling OS command injection via a crafted HTTP request. Successful exploitation could give an attacker full control over the server in the context of the web application's service account. Megasys has released a patch, and users are strongly advised to apply it immediately to mitigate the risk.
Latest Cyber News
Three critical vulnerabilities have been discovered in the firmware of the TOTOLINK X6000R router. These flaws, including command injection and a security bypass, allow unauthenticated attackers to execute arbitrary code remotely. Exploitation can lead to device crashes, system file corruption, and complete network takeover. The vulnerabilities stem from improper input sanitization in the router's web interface. Users are urged to immediately update to the patched firmware version to secure their devices.
A state-sponsored espionage group known as Salt Typhoon has been systematically targeting global telecommunications infrastructure since at least 2019. The group operates under the direction of a major government but utilizes a network of pseudo-private contractor firms to maintain plausible deniability. By exploiting network edge devices like routers and firewalls, Salt Typhoon establishes deep persistence to harvest sensitive data such as subscriber metadata and call detail records. Their campaigns have successfully compromised major telecom providers and military networks in several allied nations. This hybrid operational model, blending state tasking with outsourced execution, signifies a strategic shift in nation-state cyber espionage.
The cybercrime group Detour Dog has been quietly infecting over 30,000 websites since 2020 using a sophisticated, server-side attack. The group leverages DNS TXT records as a covert channel to send commands to compromised sites, making the malicious activity invisible to most visitors. This technique allows them to selectively redirect users to scams or, more recently, deliver the powerful Strela Stealer infostealer malware. By controlling the attack from the server, the compromised websites can remain infected for long periods without detection. The campaign's vast infrastructure generates millions of DNS queries, with traffic originating from numerous global locations.
A national cyber incident response team has issued a warning about a new malware campaign deploying the CABINETRAT backdoor. Attackers are using malicious Excel add-in (XLL) files, often distributed in ZIP archives, to gain initial access to systems. The malware establishes persistence through registry modifications and scheduled tasks, cleverly loading its shellcode from a PNG image file. This full-featured backdoor is capable of information gathering, remote command execution, and file operations. To evade detection, the malware employs robust anti-virtualization and anti-analysis checks.
NVIDIA has released a security update for its NVIDIA App software on Windows, addressing a high-severity privilege escalation vulnerability. The flaw, tracked as CVE-2025-23297, allows a local unprivileged user to gain elevated system rights. It stems from improper file handling during the installation of the Frameview SDK components. A successful exploit requires no user interaction and could lead to a full compromise of the system's confidentiality, integrity, and availability. Users are strongly advised to update their NVIDIA App to version 11.0.5.245 or later to mitigate the threat.
A severe vulnerability in Red Hat OpenShift AI (CVE-2025-10725) allows low-privileged users to escalate their permissions to full cluster administrator. The flaw stems from an overly permissive ClusterRole assignment that grants any authenticated user the ability to create jobs across the entire cluster. An attacker with minimal access, such as a data scientist account, can abuse this permission to run malicious jobs with elevated rights. This could lead to a complete compromise of the cluster, including data theft and service disruption. Administrators are urged to mitigate the risk by immediately removing the insecure ClusterRoleBinding and adopting a least-privilege security model.
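An added audit example for the misconfiguration class described above (it is not from the advisory or from Red Hat's own tooling): it scans ClusterRoles and ClusterRoleBindings for a binding that hands a broad built-in group such as `system:authenticated` a role able to create Jobs cluster-wide. Input is the parsed form of `kubectl get clusterroles,clusterrolebindings -o json`; the role and binding names below are constructed sample data.

```python
# Added example, not the project's code. Flags ClusterRoleBindings that give a
# broad group (e.g. system:authenticated) a ClusterRole able to create batch Jobs.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def rule_grants_job_create(rule):
    """True if one PolicyRule allows creating Jobs in the batch API group (wildcards count)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("batch" in groups or "*" in groups)
            and ("jobs" in resources or "*" in resources)
            and ("create" in verbs or "*" in verbs))

def find_risky_bindings(cluster_roles, bindings):
    """Return names of ClusterRoleBindings granting job creation to a broad group."""
    risky_roles = {cr["metadata"]["name"] for cr in cluster_roles
                   if any(rule_grants_job_create(r) for r in cr.get("rules", []))}
    findings = []
    for crb in bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky_roles:
            continue
        for subject in crb.get("subjects", []):
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append(crb["metadata"]["name"])
                break
    return findings

# Constructed sample: one over-broad role/binding pair, one least-privilege pair.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "job-creator"},
     "rules": [{"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "everyone-can-make-jobs"},      # the insecure pattern
     "roleRef": {"kind": "ClusterRole", "name": "job-creator"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "ops-team-viewer"},             # scoped to a named team
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
]

if __name__ == "__main__":
    print(find_risky_bindings(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS))
```

Any binding the function reports should be replaced by a namespaced RoleBinding to a specific ServiceAccount or team group, which is the least-privilege fix the advisory calls for.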
Researchers have developed a low-cost hardware attack called Battering RAM that defeats modern memory encryption technologies like Intel SGX and AMD SEV-SNP. The method uses a custom-built interposer, costing under $50, that sits between the CPU and system memory. This device remains dormant during system startup to pass security checks but can later be activated to maliciously redirect memory traffic. Once active, it captures encrypted data and replays it into an attacker's own secure environment, forcing the processor to decrypt the victim's sensitive information. This physical attack undermines the confidentiality and integrity guarantees of secure enclaves and virtual machines in cloud environments.
A new malicious toolkit known as MatrixPDF is enabling cybercriminals to turn standard PDF files into sophisticated phishing and malware delivery vectors. The toolkit allows attackers to embed deceptive features like blurred content overlays and fake security prompts to trick users into clicking malicious links. These weaponized PDFs often bypass traditional email security scanners because the malicious payload is delivered via an external URL only after user interaction. One attack method leverages email PDF previews to redirect users to phishing sites, while another uses embedded JavaScript to initiate malware downloads when opened in a desktop reader. This multi-stage approach highlights the need for advanced security that can analyze the entire attack chain.
A major airline has confirmed it suffered a data breach in June after a third party gained unauthorized access to its internal systems. The incident exposed customers' personal information, which could include full names, dates of birth, mailing addresses, and travel document details such as passport numbers. The airline has stated that no financial information like credit card numbers or account passwords was compromised in the attack. The company has since resolved the issue and is notifying affected individuals. Impacted customers are being offered complimentary credit monitoring and identity theft protection services.