Security News

The latest security stories, summarized by AI

Defender Patch Sparks Disk-Destroying Attack Scenario
security5.04 min read

Defender Patch Sparks Disk-Destroying Attack Scenario

1 day agoSource: Ars Technica
View original source
RoguePlanet Privilege Escalation in Defender Finally Patched, No Action Needed
security
1.64 min1 day ago

RoguePlanet Privilege Escalation in Defender Finally Patched, No Action Needed

Microsoft issued security updates addressing RoguePlanet, a privilege-escalation flaw in the Microsoft Malware Protection Engine (mpengine.dll) that could spawn a SYSTEM shell. The fix arrives in Defender engine version 1.1.26060.3008 with defense-in-depth hardening. Disclosed by Chaotic Eclipse, RoguePlanet can be exploited on Windows systems with the June 2026 Patch Tuesday and works regardless of real-time protection. Microsoft says no customer action is required beyond automatic updates.

More Security Stories

ARToken: A New PhaaS Armoring EvilTokens’ Microsoft 365 Toolkit
security7 days ago

ARToken: A New PhaaS Armoring EvilTokens’ Microsoft 365 Toolkit

Cisco Talos flags ARToken as a new phishing-as-a-service platform allied with EvilTokens, offering a wide toolkit to steal Microsoft 365 tokens, maintain persistence with Primary Refresh Tokens, and access Outlook, SharePoint, and OneDrive. It uses Cloudflare Workers for deployment, supports multi-tenant campaigns, and includes inbox rules, keyword monitoring, and data exfiltration tools. The kit mirrors EvilTokens’ device-code phishing flow to bypass MFA, with research suggesting a shared ecosystem and AI-enabled workflows that automate BEC-style fraud. Security teams should prioritize behavioral AI defenses and robust email security controls.

BioShocking reveals game-like prompts can override safety in AI-powered browsers
security7 days ago

BioShocking reveals game-like prompts can override safety in AI-powered browsers

Security researchers from LayerX disclose BioShocking, a BioShock-inspired vulnerability that can coax AI-powered browsers into treating tasks as a game, bypassing real-world safety guardrails. Their PoC uses a layered puzzle and a deliberate math error (2+2=5) to steer the agent to a /code URL where it could exfiltrate credentials, with demonstrations against Claude Chrome and patch gaps in OpenAI’s Atlas; experts say effective mitigation requires multi-layer defenses and explicit user confirmations for sensitive actions.

AI-Assisted Discovery Reveals Flaw in US Festival Ticketing Network
security10 days ago

AI-Assisted Discovery Reveals Flaw in US Festival Ticketing Network

Security researcher Ian Carroll used Anthropic’s Claude Opus 4.7 to uncover a vulnerability in Front Gate Tickets’ system that could grant a super-admin the ability to issue any festival tickets and access millions of customer and staff records. The flaw was patched within 24 hours, and there’s no evidence of exploitation, illustrating both AI’s potential to uncover web vulnerabilities and the risks of centralized festival-ticketing platforms.

Massive Azure CLI credential spray uses legacy flow to bypass MFA, hits 78 accounts
security10 days ago

Massive Azure CLI credential spray uses legacy flow to bypass MFA, hits 78 accounts

Security researchers warn of a large-scale, automated password-spray against Microsoft Azure CLI that logged over 81 million login attempts and compromised at least 78 Microsoft accounts across 64 organizations. The attackers used the deprecated OAuth 2.0 Resource Owner Password Credentials (ROPC) flow to bypass Conditional Access policies, targeting credentials from breached lists and exploiting MFA configurations that didn’t cover Azure CLI logins. The activity originated largely from an IPv6 range linked to LSHIY LLC (AS32167). Recommendations include enforcing MFA for all users and apps, restricting the Azure CLI app to non-admins, and ensuring CAPs are fully configured to close gaps exposed by ROPC.

CitrixBleed Deepens: NetScaler Memory-Overread CVE-2026-8451 Exposed
security10 days ago

CitrixBleed Deepens: NetScaler Memory-Overread CVE-2026-8451 Exposed

Security researchers reveal CVE-2026-8451, a memory overread in Citrix NetScaler appliances (ADC/Gateway) triggered when configured as a SAML IdP. A lax XML attribute parser can overread input, leaking data such as IDs and assertion URLs via the NSC_TASS cookie and potentially exposing memory contents. Citrix has issued patches after extensive analysis and demonstrations by watchTowr, highlighting ongoing memory-management weaknesses in NetScaler devices.

Public PoC Reveals Critical libssh2 Pre-Auth Bug (CVE-2026-55200)
security10 days ago

Public PoC Reveals Critical libssh2 Pre-Auth Bug (CVE-2026-55200)

A public proof-of-concept exposes a critical pre-auth memory-corruption flaw in libssh2 (CVE-2026-55200) that can trigger code execution when a client connects to a malicious SSH server; affects all releases up to 1.11.1 with a CVSS of 9.2. No fixed release exists yet; the patch is in mainline and backports are underway (e.g., Debian testing). Inventory every usage of libssh2, including static or bundled copies, and apply a build containing commit 97acf3d. Until patched, restrict outbound SSH, verify host keys, and monitor for oversized-packet anomalies. Related issues CVE-2026-55199 and CVE-2025-15661 are also noted; exploitation in the wild has not been observed.

Vanguard Expands: New Anti-Cheat Update Across Riot Games
security16 days ago

Vanguard Expands: New Anti-Cheat Update Across Riot Games

A Riot Games news hub highlights Vanguard's latest anti-cheat security update, which fixes a pre-boot code-injection flaw tied to some motherboards and prompts affected users to update, while also cataloging a broad range of 2025–2026 Riot updates—from new game modes and developer updates to Pride content and esports events—demonstrating Riot's ongoing focus on security and continuous software and game updates.

Unpatchable USB flaw targets Apple SecureROM on A12/A13 chips
security21 days ago

Unpatchable USB flaw targets Apple SecureROM on A12/A13 chips

Paradigm Shift disclosed usbliter8, a hardware-level exploit that can execute code inside Apple’s SecureROM on A12/A13 by abusing a USB controller DMA bug; it requires physical access, DFU mode, and a dedicated RP2350-based board, and cannot be fixed by firmware, making it effectively unpatchable on affected devices (A12/A13/S4/S5). The public PoC covers iPhone XS/XS Max/XR, iPhone 11 line, iPad Air 3, iPad mini 5, iPad 8th gen, Apple Watch Series 4/5, and HomePod mini; A14+ appear safe. No Secure Enclave compromise reported and no CVE yet; for most users risk is low, but in high-security environments it creates a hardware boundary problem requiring device retirement or strict custody controls.

FortiBleed Breach Exposes 86K FortiGate Devices in Global Credential Campaign
security21 days ago

FortiBleed Breach Exposes 86K FortiGate Devices in Global Credential Campaign

CISA warns Fortinet customers about FortiBleed, a global credential-stuffing and brute-force campaign targeting internet-facing FortiGate firewalls and VPN gateways, with 86,644 devices compromised as of June 19, 2026. The attack, attributed to Russian-speaking actors, proceeds in two steps: scanning for exposed Fortinet endpoints, then using leaked or organization credentials to gain access, before passively harvesting more credentials. Sectors most affected include telecom, government, and education, with the U.K. NCSC calling it a worldwide campaign; many admins’ passwords remain SHA-256-hashed from older FortiGate versions, though PBKDF2 hashing is used in newer FortiOS releases. Fortinet maintains the incident data likely comes from prior breaches and brute-forcing, not a current advisory. CISA recommends terminating active sessions, resetting passwords on internet-facing systems, enforcing PBKDF2, applying strong password policies, enabling phishing-resistant MFA, reviewing logs, and reducing attack surfaces to mitigate risk.