Originally reported by BleepingComputer, Graham Cluley, Checkpoint Research, Malwarebytes Labs, SecureList (Kaspersky)
TL;DR
CISA confirmed active exploitation of a VMware Aria Operations RCE vulnerability, adding it to the KEV catalog. Major data breaches impacted LexisNexis and AkzoNobel, while threat actors continue leveraging OAuth flows and compromised infrastructure for attacks.
CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog, confirming active exploitation of a critical VMware Aria Operations RCE flaw. This meets the threshold for critical severity.
CISA has flagged CVE-2026-22719, a VMware Aria Operations remote code execution vulnerability, as actively exploited in the wild. The vulnerability has been added to the Known Exploited Vulnerabilities catalog, indicating confirmed exploitation by threat actors. Federal agencies must patch affected systems by the mandated deadline, while private organizations should treat this as an immediate priority given the confirmed exploitation.
Two significant data breaches emerged this week across different industries. LexisNexis Legal & Professional confirmed that attackers breached its servers and accessed customer and business information, with hackers subsequently leaking stolen files. Meanwhile, Dutch paint manufacturer AkzoNobel disclosed a cyberattack on one of its U.S. facilities, though the full scope of data exposure remains under investigation.
Microsoft researchers documented a campaign where attackers abuse legitimate OAuth redirection mechanisms to bypass email and browser phishing protections. The technique leverages OAuth error flows to redirect users to malicious pages while appearing to originate from trusted sources, highlighting the continued evolution of social engineering tactics that exploit trusted authentication protocols.
Flare's analysis of 200,000 underground forum posts revealed a thriving market for compromised cPanel credentials and site management panels. These compromised assets are being packaged as plug-and-play infrastructure for phishing and scam operations, demonstrating how legitimate web hosting tools become weaponized in cybercriminal ecosystems.
Security researchers identified a now-patched vulnerability in Chrome's "Live in Chrome" feature that allowed malicious extensions to inherit Google Gemini's camera, microphone, and file access permissions. The flaw demonstrates the complex permission inheritance challenges in modern browser architectures, particularly when AI services integrate deeply with browser functionality.
Check Point Research documented Iranian targeting of IP cameras during the June 2025 conflict with Israel, illustrating how cyber operations increasingly support kinetic warfare through battle damage assessment and reconnaissance. The campaign highlights the convergence of digital intrusion capabilities with traditional military intelligence gathering.
Kaspersky's 2025 mobile threat report identified several notable developments, including the Keenadu and Triada preinstalled backdoors, advanced spyware Trojans, the Kimwolf IoT botnet, and Mamont banking Trojans. The research underscores the persistent threat to Android devices from both sophisticated nation-state actors and financially motivated cybercriminals.
South Korea's National Tax Service experienced a costly operational security failure when it accidentally exposed the private key to a seized cryptocurrency wallet worth $4.8 million. The blunder resulted in the immediate theft of the funds, highlighting the technical challenges government agencies face when handling digital assets in law enforcement operations.
Google announced Chrome will shift from a four-week to two-week release cycle to accelerate security updates and feature deployments. Meanwhile, the Pentagon terminated its contract with Anthropic AI over security concerns, transitioning to OpenAI for military AI applications amid ongoing debates about AI safety in defense contexts.