Cisco Zero-Day, IBM i RCE, JSON Data Leak
For over seven years, a public JSON formatter saved engineers' pasted data to a public "Recent Links" feed, leaking thousands of records such as Turkish ID numbers, IBANs, and US Social Security numbers. The service also harbors a stored cross‑site scripting flaw that can run attacker code in visitors' browsers, underscoring the hidden risks of cheap debugging tools.
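The practical check after a leak like this is to scan a paste, before it is shared or when triaging an exposed feed, for exactly the identifier types named above. The following is an added example, not code from the formatter, the report, or any vendor: the sample paste is constructed with synthetic values, and the SSN pattern, the ISO 13616 IBAN mod-97 check and the Turkish national ID checksum are implemented from their published rules rather than taken from the page.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample (synthetic values, no real person): what one pasted
# record on a formatter's "Recent Links" feed might look like.
SAMPLE_PASTE = """
{
  "customer": {"name": "Test User", "tckn": "10000000146", "ssn": "123-45-6789"},
  "payment": {"iban": "GB82 WEST 1234 5698 7654 32", "note": "order 4421"},
  "tags": ["debug", "11111111111"]
}
"""

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# IBAN shape only (country, two check digits, 11..30 BBAN chars); mod-97 decides.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Turkish ID shape: 11 digits, leading digit non-zero; checksum decides.
TCKN_RE = re.compile(r"\b[1-9]\d{10}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map
    A..Z to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum() or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def tckn_is_valid(num: str) -> bool:
    """Turkish national ID checksum:
    d10 = (7*(d1+d3+d5+d7+d9) - (d2+d4+d6+d8)) mod 10
    d11 = (d1 + ... + d10) mod 10"""
    if len(num) != 11 or not num.isdigit() or num[0] == "0":
        return False
    d = [int(c) for c in num]
    odd = d[0] + d[2] + d[4] + d[6] + d[8]
    even = d[1] + d[3] + d[5] + d[7]
    return d[9] == (7 * odd - even) % 10 and d[10] == sum(d[:10]) % 10


def _strings(obj: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a parsed JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_pii(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, json_path, value) for every string that holds an SSN,
    a checksum-valid IBAN or a checksum-valid Turkish ID number. Candidates
    that merely look right but fail their checksum are not reported."""
    findings: List[Tuple[str, str, str]] = []
    for path, value in _strings(json.loads(text)):
        for m in SSN_RE.finditer(value):
            findings.append(("ssn", path, m.group()))
        compact = value.replace(" ", "")  # IBANs are often pasted with spaces
        for m in IBAN_RE.finditer(compact):
            if iban_is_valid(m.group()):
                findings.append(("iban", path, m.group()))
        for m in TCKN_RE.finditer(compact):
            if tckn_is_valid(m.group()):
                findings.append(("tckn", path, m.group()))
    return findings


if __name__ == "__main__":
    for kind, path, value in find_pii(SAMPLE_PASTE):
        print(f"{kind:5s} {path:20s} {value}")
```

The checksums matter: a bare 11-digit regex flags the constructed tag `11111111111` as a Turkish ID, but it fails the d11 check and is dropped, which keeps the scanner quiet on order numbers and timestamps while still catching the real identifier shapes.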
A security researcher discovered a pre‑authentication remote code execution flaw in IBM i Management Central that lets an attacker send crafted packets to port 5555 and execute arbitrary CL commands as QSECOFR, the platform's root equivalent. The issue affects V7R4 and earlier releases, which still run the service by default; IBM removed the service in V7R5.
Cisco warned that CVE-2026-20245, a high‑severity (CVSS 7.8) flaw in Catalyst SD‑WAN Manager that lets an authenticated local attacker run arbitrary commands as root, is being actively exploited in the wild. No patch or workaround for this flaw is available yet; administrators should confirm that earlier fixes are applied and monitor for the published indicators of compromise (IoCs).
NVISO discovered threat actors deploying QEMU virtual machines to run malicious payloads, creating a covert command‑and‑control channel that bypasses traditional AV/EDR defenses. The blog details the QEMU command line, persistence via cron jobs, and offers hunting guidance to spot these hidden VMs.
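The hunting guidance itself is only summarized above, so the following is an added example and not NVISO's tooling or the actual command line from the report. It scans `ps` and crontab output for the traits a covert VM of this kind would show: a headless QEMU launch, user-mode networking with a host port forward, and disk images or scripts under temporary or hidden directories. The sample process and cron lines are constructed, and the heuristics are assumptions about what such a VM looks like, not indicators taken from the report.

```python
import re
from typing import Dict, List

# Constructed sample (not from the report): `ps -eo pid,user,args` style output.
# PID 1933 is a hidden, headless VM; PID 2017 is an ordinary desktop VM.
PS_SAMPLE = """\
  PID USER     COMMAND
  842 root     /usr/lib/systemd/systemd-journald
 1933 www-data /usr/bin/qemu-system-x86_64 -m 256 -nographic -daemonize -drive file=/tmp/.cache/img.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0
 2017 alice    /usr/bin/qemu-system-x86_64 -enable-kvm -m 4096 -display gtk -cdrom /home/alice/ubuntu.iso
 2501 postgres postgres: writer process
"""

# Constructed sample crontab: a legitimate renewal job plus two persistence entries.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
@reboot /tmp/.cache/start.sh
*/5 * * * * /usr/bin/qemu-system-x86_64 -daemonize -nographic -drive file=/tmp/.cache/img.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22
"""

QEMU_RE = re.compile(r"\bqemu-system-[\w-]+\b|\bqemu-kvm\b")
# Flags that hide the VM from anyone looking at a console or display.
HEADLESS_RE = re.compile(r"-nographic\b|-display\s+none\b|-daemonize\b|-vnc\s+none\b")
# User-mode networking with a host port forward exposes a listener into the guest.
HOSTFWD_RE = re.compile(r"\bhostfwd=")
# Images or scripts in world-writable temp space or a dot-directory.
TEMP_PATH_RE = re.compile(r"(?:^|[\s=,])(?:/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")


def assess_command(cmd: str) -> List[str]:
    """Return the reasons a command line is interesting; empty if none apply."""
    reasons: List[str] = []
    if QEMU_RE.search(cmd):
        reasons.append("qemu-launched")
        if HEADLESS_RE.search(cmd):
            reasons.append("headless")
        if HOSTFWD_RE.search(cmd):
            reasons.append("user-mode-net-hostfwd")
    if TEMP_PATH_RE.search(cmd):
        reasons.append("temp-or-hidden-path")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """A VM alone is normal; a VM that is headless, port-forwarded or booted
    from temp space is not. Non-QEMU commands only alert on temp/hidden paths."""
    if "qemu-launched" in reasons:
        return len(reasons) > 1
    return "temp-or-hidden-path" in reasons


def hunt_processes(ps_output: str) -> List[Dict[str, object]]:
    """Flag suspicious rows in `ps -eo pid,user,args` output (header skipped)."""
    hits: List[Dict[str, object]] = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        reasons = assess_command(cmd)
        if is_suspicious(reasons):
            hits.append({"pid": int(pid), "user": user, "reasons": reasons})
    return hits


def hunt_crontab(crontab: str) -> List[Dict[str, object]]:
    """Flag suspicious crontab entries, handling both 5-field and @reboot forms."""
    hits: List[Dict[str, object]] = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, cmd = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, cmd = " ".join(fields[:5]), fields[5]
        reasons = assess_command(cmd)
        if is_suspicious(reasons):
            hits.append({"schedule": schedule, "command": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_processes(PS_SAMPLE) + hunt_crontab(CRON_SAMPLE):
        print(hit)
```

On a live host the same functions take the real output of `ps -eo pid,user,args` and `crontab -l` (run per user, plus `/etc/cron.d`); the point of the reason list rather than a yes/no verdict is that an analyst can see which trait fired and tune the heuristics for environments where QEMU is expected.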
Researchers uncovered an unprotected HTTP directory hosting a 12‑file toolkit that reveals PCPJack’s control of 230 compromised AWS, GCP, and Azure servers used as a hidden SMTP relay network. The package includes multi‑architecture Chisel binaries, Python deployers, and state logs, confirming large‑scale email‑relay operations and earlier undocumented activity.
A supply‑chain attack inserted an undeclared Monero miner into the Windows version of Hola Browser. The hidden binary adds a Defender exclusion, creates an auto‑start service, and runs when idle, affecting an estimated 0.1% of users. Hola has rebuilt its distribution pipeline and tightened code‑signing controls.
Google will roll out a policy that blocks installation of apps whose developers haven’t registered with its Play Console, beginning September 2026 in select markets and later worldwide. Unverified apps will require a cumbersome advanced sideload flow and limited‑distribution accounts, sharply restricting indie and open‑source apps.
Governor Ned Lamont signed Public Act 26‑15, requiring platforms to verify users’ ages and obtain parental consent before minors can access social media. The bipartisan bill also adds AI‑related safeguards and workforce training, positioning Connecticut as a model for state‑level digital‑safety regulation.
The Libroot collective has systematically re‑examined the Snowden archive and published seven detailed reports, revealing previously undisclosed NSA operations such as hacking the Chinese defense contractor Norinco, compromising Mexican law‑enforcement mail servers, and infiltrating Iranian transportation infrastructure. Their work adds new NSA codewords and highlights overlooked surveillance activities.
Claroty’s Team82 used Anthropic’s Claude Opus 4.6 model to automatically discover and analyze vulnerabilities in Zenitel’s TCIV‑3+ video intercom, reproducing known critical bugs and probing for new exploits. The hands‑free approach dramatically reduced research time, showcasing how large language models can reshape security testing workflows.
DeFlock is an open‑source project that crowdsources the locations of automated license plate reader (ALPR) cameras worldwide, displays them on OpenStreetMap, and generates privacy‑optimized routes that avoid the reported surveillance points. By letting users report devices, it makes hidden tracking infrastructure visible and lets the public choose routes that minimize data collection.