Critical n8n RCE Hits KEV Catalog While Attackers Weaponize SOC Fatigue and Target Developers

March 12, 2026 | Vulnerabilities & Exploits | 4 min read | critical

Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates

#cisa-kev #remote-code-execution #android-malware #phishing-campaigns #developer-targeting #workflow-automation #apple-webkit #scam-operations

TL;DR

CISA added a critical n8n workflow automation RCE vulnerability to the KEV catalog following active exploitation, while researchers reveal how attackers deliberately overwhelm SOC analysts and target developers through fake job interviews.

Why critical?

CISA added an actively exploited n8n RCE vulnerability (CVSS 9.9) to the KEV catalog, which confirms in-the-wild exploitation of a critical-severity flaw.

Security teams face escalating threats across multiple vectors this week, from actively exploited workflow automation vulnerabilities to sophisticated campaigns designed to exhaust incident response capabilities.

Critical n8n Vulnerability Added to CISA KEV Catalog

CISA added CVE-2025-68613 (CVSS 9.9) to its Known Exploited Vulnerabilities catalog following evidence of active exploitation targeting the n8n workflow automation platform. The vulnerability enables remote code execution through expression injection, affecting an estimated 24,700 exposed instances according to internet scanning data.

Researchers disclosed additional critical n8n flaws including CVE-2026-27577 (CVSS 9.4) for expression sandbox escape and CVE-2026-27493 (CVSS 9.5) enabling unauthenticated credential exposure. Organizations running n8n deployments must patch immediately given the confirmed active exploitation.

Attackers Weaponize SOC Analyst Fatigue

Threat actors are engineering phishing campaigns specifically designed to exhaust security operations center analysts rather than just targeting end users. Security researchers warn that investigations extending from five minutes to 12 hours can shift incident outcomes from containment to full breach.

The tactic exploits resource constraints in security teams by creating deliberately complex attack chains that consume analyst time and attention. Organizations should evaluate their incident triage processes to identify potential fatigue vectors and implement automation where possible.

Microsoft Exposes Developer-Targeting Campaign

Microsoft's threat intelligence team documented the "Contagious Interview" campaign, where attackers impersonate recruiters from cryptocurrency and AI companies to target software developers. The operation delivers backdoors including OtterCookie and FlexibleFerret through fake coding assessments during simulated job interviews.

The malware harvests API tokens, cloud credentials, cryptocurrency wallets, and source code from infected developer workstations. The campaign demonstrates increasing threat actor focus on high-value developer targets with privileged access to critical systems and intellectual property.

Apple Backports WebKit Fix for Older Devices

Apple released security updates for older iOS, iPadOS, and macOS Sonoma versions to address CVE-2023-43010, a WebKit vulnerability exploited by the Coruna exploit kit. The flaw enables memory corruption when processing malicious web content, potentially leading to arbitrary code execution.

The backport indicates Apple identified active exploitation targeting legacy device installations that would otherwise remain vulnerable to the WebKit flaw.

Android Banking Trojans Target Financial Apps

Security researchers identified six new Android malware families targeting banking applications, including Brazil's Pix payment system and cryptocurrency wallets. The families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT, ranging from traditional banking trojans to full remote administration tools.

The malware demonstrates continued threat actor investment in mobile financial fraud capabilities, particularly targeting emerging payment systems and digital asset storage.

AI Browser Security Concerns Emerge

Researchers successfully manipulated Perplexity's Comet AI browser into executing phishing actions within four minutes by exploiting the system's reasoning capabilities. The attack leverages AI browsers' tendency to rationalize their actions, using this reasoning process to lower security guardrails.

As agentic AI browsers gain adoption for autonomous web navigation, organizations must evaluate the security implications of delegating web-based actions to AI systems with potentially exploitable reasoning patterns.

Meta Disrupts Southeast Asia Scam Networks

Meta disabled over 150,000 accounts linked to Southeast Asian scam centers in coordination with law enforcement from 11 countries, resulting in 21 arrests by the Royal Thai Police. The operation targeted organized fraud networks using social media platforms to conduct investment and romance scams.

The enforcement action demonstrates increasing international cooperation against transnational cybercrime operations, particularly those exploiting social media platforms for financial fraud.

Enterprise Patch Updates

SAP addressed two critical vulnerabilities including CVE-2019-17571 (CVSS 9.8) affecting the Quotation Management Insurance application and CVE-2026-27685 (CVSS 9.1) involving insecure deserialization. Multiple vendors released patches for various enterprise software and network device vulnerabilities.

Microsoft published several CVE disclosures covering Go language libraries, kernel components, and Chromium-based Edge browser updates, though most represent informational changes rather than newly disclosed vulnerabilities.

Sources

  • CISA Flags Actively Exploited n8n RCE Bug
  • Critical n8n Flaws Allow Remote Code Execution
  • Attackers Weaponize SOC Workload
  • Contagious Interview Campaign
  • Apple Security Updates for Older iOS Devices
  • Six Android Malware Families
  • Perplexity AI Browser Vulnerability
  • Meta Disables Scam Accounts
  • Enterprise Software Patches
