SonicWall zero-days, ServiceNow RCE, Cursor IDE exploit
SonicWall confirmed that two zero‑day flaws in its SMA 1000 series, CVE‑2026‑15409 (critical SSRF, CVSS 10) and CVE‑2026‑15410 (code injection), are being exploited in the wild. Chaining the bugs lets an unauthenticated attacker execute arbitrary commands with admin privileges. SonicWall issued emergency patches; users must upgrade now to secure remote access.
Researchers discovered a pre-authentication remote code execution flaw in ServiceNow's GlideRecord API. By injecting JavaScript into query filters, they escaped the JS sandbox and seized full control of the instance and linked proxy servers. The bug enables anyone on the internet to compromise ServiceNow deployments without credentials.
Cursor on Windows runs any git.exe found in a repository’s root when the project is opened, without prompts or user consent. This lets an attacker ship a poisoned repo that executes arbitrary code with the user’s privileges, exposing millions of developers to silent compromise.
Proofpoint uncovered OAuth client ID spoofing in Microsoft Entra ID, where attackers send ROPC token requests with forged client IDs to verify usernames and passwords without creating a successful sign‑in event. The technique lets threat groups enumerate accounts at scale while evading typical log‑based alerts, forcing defenders to monitor for sign‑ins lacking a known application ID.
Researchers uncovered TuxBot v3 Evolution, a modular IoT botnet built with AI assistance that left safety warnings in the code and malfunctioning features. The framework can hijack thousands of devices via Telnet brute‑force, deploy DDoS attacks, and uses a sophisticated multi‑channel C2. Its AI‑aided creation hints at a new shortcut for malware developers, raising the threat surface for IoT ecosystems.
Kaspersky’s GReAT team reports that the OkoBot framework, active since April 2025, uses a SeedHunter module to watch for Ledger Live and Trezor Suite on Windows PCs. It injects a fake recovery‑phrase window inside the genuine app, captures the seed phrase and forwards it to a moonsand.store C2, putting crypto holders worldwide at risk.
ETH Zurich researchers unveiled a “Fourier pixel” that lets a screen emit and capture light simultaneously, effectively turning any display into a camera. This tech could covertly transform ordinary monitors into surveillance devices, raising immediate privacy concerns for both consumers and enterprises.
Objective Development released the open‑source component of Little Snitch for Linux, a macOS‑inspired network monitor and personal firewall. The repo ships eBPF kernels, Rust crates, and a web UI, letting Linux users inspect outbound connections and block hosts without buying a proprietary product.
Tracebit showed that planting a single “context bomb”, a short safety‑trigger string, inside a canary secret reduces autonomous AI agents’ success in an AWS red‑team simulation by about 90% across five leading models. The technique converts decoys into active guards, offering a practical, low‑overhead defense against misaligned agents.
Bitdefender Labs identified three bind‑link techniques, File‑Binding, Process‑Binding, and Silo‑Binding, that let an admin‑level attacker redirect trusted paths, run malicious code unnoticed, and present clean files to outside scans. This undermines EDR sensors, AMSI, AppLocker and forensic tools, expanding the Windows attack surface.
Subscribe free