All articles tagged with #exploit
Google published exploit code for a long-unpatched Chromium vulnerability that uses the Browser Fetch API to trigger a persistent backdoor via malicious sites, potentially turning millions of Chromium-based browsers into a botnet; disclosed in 2022 and rated S1, the flaw remained unfixed for 29 months, affecting Chrome, Edge and other Chromium-based browsers while Firefox and Safari are unaffected.
A zero-day named YellowKey bypasses Windows 11’s default TPM-only BitLocker protection by exploiting a crafted FsTx/Transactional NTFS folder on a USB drive, enabling a CMD prompt and full drive access during Windows Recovery without needing the BitLocker key. Microsoft is investigating. The flaw highlights that TPM-only BitLocker may be insufficient security, with experts recommending BIOS passwords and PINs in addition to TPM protections.
A YouTuber named JustGarrison demonstrates a glitch that lets Bully players bring the BB rifle into free roam, a weapon normally limited to the shooting range; the exploit works without mods and can damage NPCs, hinting the rifle was either unfinished or cut during development. Rockstar apparently didn’t intend for it to be used outside the minigame, likely due to safety concerns given Bully’s school setting.
A rogue researcher, Nightmare-Eclipse, released a second Windows Defender privilege-escalation exploit (RedSun) after Microsoft patched the first CVE-2026-33825 vulnerability. The PoC allegedly lets unprivileged users gain SYSTEM privileges by abusing Defender to overwrite system files; the researcher warns of more remote code execution exploits to come. Microsoft patched the flaw on Patch Tuesday and credited Zen Dodd and Yuanpei Xu, while the researcher continues to air grievances and threaten further disclosures.
Adobe has issued an emergency security update for Acrobat and Reader to fix CVE-2026-34621, a zero-day that allowed malicious PDFs to bypass sandboxing and run privileged JavaScript, enabling arbitrary file reading and data exfiltration; the flaw was observed in the wild, linked to Russian-language oil-and-gas documents, with affected products including Acrobat DC, Acrobat Reader DC, and Acrobat 2024; Adobe downgraded the severity from 9.6 to 8.6 after changing the attack vector to local, and users should update via Help > Check for Updates or the official installer; exercise caution with PDFs from unknown sources and consider sandboxing suspicious files.
DarkSword, a web-based iPhone exploit, has been released on GitHub and is reportedly used by Russia-linked groups to compromise iPhones simply by visiting a compromised site; it targets iOS versions 18.4–18.6.2, exfiltrates data quickly, and does not require malware installation. Lookout and iVerify link it to the same infrastructure as earlier campaigns, with Google noting deployment by UNC6353 on Ukrainian government sites. Apple has issued a critical security update and urged users to update or enable Lockdown Mode; devices on older iOS versions should upgrade to newer releases (iOS 15 for 13/14).
Slay The Spire 2 sold 3 million copies and logged over 250 million runs in its first week of Early Access; Mega Crit Games is patching out a billion-HP exploit by capping HP at 999,999,999, while also planning balance tweaks, bug fixes, art updates, Steam Workshop support, multiplayer QoL improvements, and other features ahead.
Google released Chrome security updates to fix two high-severity zero-days exploited in the wild: CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (V8 sandbox escape). Users should update to Chrome 146.0.7680.75/76 on Windows/macOS and 146.0.7680.75 on Linux; CISA added these flaws to the KEV catalog with a March 27, 2026 deadline for federal agencies.
Marathon (2025)’s Deluxe Edition grants extra Silk, and players have found a Silk overflow bug that lets them repeatedly restart to reclaim 200 Silk, quickly maxing the Season One reward pass in minutes. Bungie maintains a no-cheating policy (with possible rollbacks for abuse), and Silk is in-game currency used only for cosmetics, not real money purchases. The launch also saw other bugs, but this issue centers on the exploit’s impact on cosmetic rewards.
Cybersecurity researchers have discovered a vulnerability in OpenAI's ChatGPT Atlas browser that allows attackers to inject malicious instructions into the AI's persistent memory via a CSRF flaw, potentially leading to unauthorized code execution, account hijacking, and malware deployment, especially due to weak anti-phishing controls and the ability of tainted memories to persist across sessions and devices.
Cisco warns of two critical zero-day vulnerabilities in its ASA and FTD software, actively exploited in the wild, prompting CISA to issue an emergency mitigation directive for federal agencies. The vulnerabilities allow remote code execution and unauthorized access, with ongoing attacks linked to a threat group called ArcaneDoor, posing significant risks to affected networks.
A security flaw in the Gemini CLI coding tool allows hackers to execute malicious commands silently, bypassing user notifications, due to inadequate command whitelisting. The vulnerability was exploited through crafted prompt injections that tricked the tool into running harmful commands without alerting the user. Users are advised to update to version 0.1.14 and run untrusted code in sandboxed environments to mitigate risks.
Google released emergency patches for Chrome after discovering a high-severity zero-day vulnerability (CVE-2025-5419) actively exploited in the wild, affecting the V8 engine and prompting users to update their browsers immediately.
Thousands of ASUS routers have been compromised by a persistent botnet that survives firmware updates and reboots, potentially controlled by a nation state, with affected models including RT-AC3100, RT-AC3200, and RT-AX55. The only recommended mitigation is to factory reset the routers and then update the firmware, as the infection cannot be removed by updates alone.
Velocore, a decentralized exchange on the zkSync and Linea blockchains, suffered a $10 million exploit targeting its liquidity provider tokens. Despite passing security audits, hackers transferred over 700 ETH to the Ethereum mainnet. While Velocore's stable pools were unaffected, the team is working with security experts and centralized exchanges to freeze the stolen assets. The incident caused a 5% drop in Velocore's native token VC, though zkSync and Linea blockchains remained largely unaffected.