CISA Adds FileZen to KEV as Multiple Critical Vulnerabilities Surface

FileZen Command Injection Added to CISA KEV Catalog

CISA added CVE-2026-25108 to its Known Exploited Vulnerabilities catalog, confirming active exploitation of a command injection vulnerability in FileZen. The flaw, scoring 8.7 on CVSS v4, allows authenticated users to execute operating system commands, presenting significant risk to organizations using the file transfer solution.

The inclusion in CISA's KEV catalog mandates federal agencies patch the vulnerability by the established deadline, signaling the severity of ongoing exploitation campaigns targeting this weakness.

GitHub Patches RoguePilot Copilot Token Theft Vulnerability

Orcaecurity researchers disclosed RoguePilot, a vulnerability in GitHub Codespaces that enabled attackers to steal GITHUB_TOKEN credentials through malicious Copilot instructions embedded in GitHub issues. Microsoft has since patched the AI-driven attack vector following responsible disclosure.

The vulnerability demonstrated how threat actors could craft hidden instructions within repository issues to manipulate GitHub Copilot's behavior, potentially leading to unauthorized repository access and token exfiltration during development workflows.

Developer Supply Chain Under Targeted Attack

Microsoft Security identified a sophisticated campaign targeting developers through malicious Next.js repositories. The attack chain leverages standard build workflows to establish covert remote code execution and command-and-control channels, demonstrating how routine development processes can be weaponized.

The campaign exemplifies the growing threat to developer environments, where trusted development tools and workflows become vectors for initial access and persistence.

Russia-Aligned UAC-0050 Expands Beyond Ukraine

Threat researchers observed UAC-0050, a Russia-aligned actor, targeting a European financial institution through social engineering and domain spoofing techniques. The campaign employed RMS malware and represents a potential expansion of the group's operations beyond Ukraine to entities supporting the nation.

This geographic expansion suggests evolving targeting strategies as threat actors adapt to geopolitical developments and seek new intelligence gathering opportunities.

Critical Infrastructure Vulnerability Management Gaps

A CYBER360 report revealed that over half of national security organizations continue relying on manual processes for sensitive data transfers. This operational security gap presents systemic risks to defense and government entities handling classified information.

The findings underscore the urgent need for automation in critical security processes, particularly as threat actors increasingly leverage advanced techniques against high-value targets.

Multiple CVE Disclosures Across Platforms

Microsoft's Security Response Center published details for several new vulnerabilities:

CVE-2026-27199: Werkzeug safe_join() bypass affecting Windows special device names
CVE-2026-2739: bn.js infinite loop vulnerability in versions before 5.2.3
CVE-2026-26960: node-tar arbitrary file read/write via hardlink manipulation
CVE-2026-27211: Cloud Hypervisor host file exfiltration through QCOW backing file abuse
CVE-2026-21620: TFTP path traversal vulnerability

Additional kernel-level fixes address WiFi driver and VDPA subsystem vulnerabilities, highlighting the breadth of security updates required across modern computing stacks.

OWASP Top 10 Reminder: Open Redirect Vulnerabilities

SANS researchers highlighted the continued relevance of open redirect vulnerabilities, originally included in OWASP's 2010 Top 10 list. Despite being merged into broader categories in subsequent versions, these vulnerabilities remain prevalent and often underestimated in impact assessment.

Open redirects enable phishing campaigns and can bypass security controls, making them valuable components in multi-stage attacks against both users and applications.

Sources