9.8 CVSS flaws in Vertiv UPS cards, OpenBSD fixes 27-year-old bug
Team82 discovered two CVSS 9.8 vulnerabilities, CVE‑2025‑46412 (auth bypass) and CVE‑2025‑41426 (RCE), in Vertiv’s Liebert IS‑UNITY‑DP UPS network cards. Exploiting them could let an attacker take control of power infrastructure, shut down servers, and cause extensive downtime in data centers. Vertiv has issued firmware patches, but unpatched units remain a high‑impact attack surface.
A one‑line bug in OpenBSD’s PPP PAP authentication, introduced in July 1999, let an attacker send zero‑length credentials and bypass login, granting remote kernel access. The flaw also allowed a heap over‑read. OpenBSD has now patched it, ending a 27‑year exposure.
Google Threat Intelligence Group and Mandiant uncovered UNC6508, a new China‑aligned actor, running a year‑long espionage campaign against US medical, academic and military research labs. The group deployed custom REDCap malware, Infini, to siphon credentials and exfiltrate data stealthily. The breach exposes billions in research funding and highlights a fresh supply‑chain threat to critical health research.
The Popa botnet, a four‑year‑old Android‑based network that hijacks millions of cheap TV boxes for ad fraud and data scraping, has been tied to Alarum Technologies Ltd, the publicly traded Israeli firm behind residential proxy service NetNut. This link implicates a legitimately listed company in a massive proxy farm that could be weaponized for future credential theft or espionage.
International police forces removed SocGholish malware from 14,971 WordPress sites and shut down 106 servers tied to the Russian Evil Corp botnet, disrupting a key infection chain. The operation, part of Europol’s “Operation Endgame,” aims to curb the malware’s role in delivering ransomware and other trojans.
A spyware author is inserting large comment blocks about nuclear and biological weapons into code, banking on AI safety filters to block automated analysis. The trick thwarts naive LLM‑first triage tools, though traditional static detection still works, highlighting a new anti‑analysis arms race.
Attackers SEO‑optimized fake Tronscan sites to appear first on DuckDuckGo, prompting users to connect wallets and silently approve unlimited token transfers to attacker addresses. The short‑lived, rotating gateways bypass bans, exposing privacy‑focused users to large TRX losses and highlighting the risk of trusting search results.
Researchers uncovered a dataset of working admin and VPN credentials for about 75,000 FortiGate firewalls across 194 countries, exposing roughly half of all internet‑facing Fortinet devices. The breach enables persistent network access and highlights that many devices still store passwords in weak formats, keeping them vulnerable despite recent firmware updates.
From Aug 3 2026 Google will repurpose IP addresses of users in the UK, EEA and Switzerland to identify devices for ad measurement and personalization, a use that triggers consent under GDPR. The move revives fingerprinting concerns and puts the ICO’s new consent rules to the test.
Talon shows how enabling vbdec’s remote scripting exposes its parsed project as a COM object in the Windows ROT. An AI agent can bind to vbdec.vbp, walk the full object graph of forms, classes and P‑code, and automate deep VB6 analysis without modifying the tool. This turns a static disassembler into a programmable data server for local agentic workflows.
AMD quietly disabled Transparent Secure Memory Encryption (TSME) on non‑PRO Ryzen chips in AGESA 1.2.7.0, leaving users unaware their memory is no longer encrypted against physical attacks. The change is undocumented and only detectable via deep Linux inspection, raising concerns about hidden security regressions.