Originally reported by The Hacker News, Microsoft Security, SANS ISC, MSRC Security Updates
TL;DR
CISA added CVE-2025-53521, a critical F5 BIG-IP Access Policy Manager flaw, to the Known Exploited Vulnerabilities catalog after confirming active exploitation; Citrix NetScaler ADC and Gateway are under reconnaissance for CVE-2026-3055 (CVSS 9.3); and TeamPCP has extended its supply chain campaign to further PyPI packages.
CISA added CVE-2025-53521 (CVSS 9.3) to its Known Exploited Vulnerabilities catalog following confirmed active exploitation of F5 BIG-IP Access Policy Manager systems. The vulnerability enables remote code execution on the appliance, and because APM typically sits at the network edge terminating VPN and single sign-on sessions, a compromised instance exposes the credentials and sessions it brokers. Under BOD 22-01, federal civilian agencies must remediate by the due date listed in the KEV entry; other organizations should read the KEV listing as confirmation that exploitation is no longer theoretical and check affected appliances for signs of compromise rather than only applying the patch.
Defused Cyber and watchTowr report active reconnaissance against Citrix NetScaler ADC and Gateway for CVE-2026-3055 (CVSS 9.3), a memory over-read caused by insufficient input validation that could expose sensitive information from appliance memory. Reconnaissance at this stage means attackers are fingerprinting exposed appliances to build target lists ahead of broader exploitation, so organizations running affected NetScaler deployments should patch now. Because earlier NetScaler over-reads leaked live session tokens, invalidating active sessions after updating is prudent rather than relying on the patch alone.
TeamPCP has extended its supply chain campaign beyond Trivy, KICS, and litellm to the Telnyx Python package: versions 4.87.1 and 4.87.2, published to PyPI, hide credential-harvesting code inside WAV audio files bundled with the package. Placing the payload in a non-code file lets it pass scanners and reviewers that only inspect .py sources, and shows the group adapting its tactics to evade detection in developer environments. Teams that depend on telnyx should check lockfiles and build logs for the two versions, pin to an unaffected release, and treat any credentials present in environments where those versions were installed as compromised.
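The following is an added example for this digest, not code from the TeamPCP reports or from the Telnyx project, and it assumes nothing about the real payload layout. It shows the kind of check a practitioner can run over a package's bundled audio files: PCM audio bytes look like noise, while embedded source, text or base64 is mostly printable ASCII, so the printable ratio of the RIFF `data` chunk is a cheap discriminator. The 0.8 threshold, the marker list and the two sample WAV files are all constructed for the demonstration.

```python
"""Heuristic check for non-audio payloads hidden in WAV files (added example)."""
import io
import math
import pathlib
import struct
import wave
from typing import Dict

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Substrings that have no business inside a PCM sample stream (assumed list).
SUSPECT_MARKERS = (b"exec(", b"import ", b"base64", b"subprocess", b"os.environ")


def parse_riff_chunks(blob: bytes) -> Dict[str, bytes]:
    """Walk a RIFF/WAVE container and return {chunk_id: payload}."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    chunks, pos = {}, 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        chunks[cid] = blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)          # chunks are word aligned
    return chunks


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; reported because packed or encrypted payloads can have a
    low printable ratio but near-8.0 entropy, unlike typical speech or tones."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def analyze_wav(blob: bytes) -> dict:
    """Score one WAV blob: flag when the data chunk is mostly printable text or
    contains code-like markers. 16-bit PCM typically lands well below 0.5."""
    data = parse_riff_chunks(blob).get("data", b"")
    printable = sum(b in PRINTABLE for b in data) / len(data) if data else 0.0
    markers = [m.decode() for m in SUSPECT_MARKERS if m in data]
    return {
        "data_bytes": len(data),
        "printable_ratio": round(printable, 3),
        "entropy": round(shannon_entropy(data), 2),
        "markers": markers,
        "suspicious": printable > 0.8 or bool(markers),   # 0.8 is an assumed threshold
    }


def scan_tree(root: str) -> Dict[str, dict]:
    """Run analyze_wav over every .wav under root, e.g. a site-packages dir.
    A .wav that is not a valid RIFF file is itself reported as suspicious."""
    results = {}
    for path in pathlib.Path(root).rglob("*.wav"):
        try:
            results[str(path)] = analyze_wav(path.read_bytes())
        except ValueError as exc:
            results[str(path)] = {"error": str(exc), "suspicious": True}
    return results


# --- constructed samples, not real package files -----------------------------

def make_audio_wav(seconds: float = 0.05, rate: int = 8000) -> bytes:
    """Benign sample: 16-bit mono 440 Hz tone written with the stdlib."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"".join(
            struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * i / rate)))
            for i in range(int(seconds * rate))))
    return buf.getvalue()


def make_stego_wav(payload: bytes) -> bytes:
    """Malicious sample: well-formed header, but the data chunk is source code."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)   # PCM, mono, 16-bit
    pad = b"\x00" if len(payload) & 1 else b""
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(payload)) + payload + pad)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed stand-in for a hidden credential harvester (not the real payload).
HIDDEN_PAYLOAD = (b"import os, base64\n"
                  b"creds = {k: v for k, v in os.environ.items() if 'TOKEN' in k}\n")

if __name__ == "__main__":
    print("audio:", analyze_wav(make_audio_wav()))
    print("stego:", analyze_wav(make_stego_wav(HIDDEN_PAYLOAD)))
```

Point `scan_tree` at a virtualenv's `site-packages` to sweep every bundled `.wav`; anything flagged deserves a manual look at the code that opens the file, since a benign audio asset is never passed to `exec`, `compile` or `base64.b64decode`.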
Researchers disclosed a now-patched flaw in Open VSX's pre-publish scanning pipeline that could let malicious Visual Studio Code extensions through. The scanner interface reported its result as a plain boolean, so a scanner that had failed produced the same value as one that was simply not configured; the pipeline could not tell a skipped or errored scan from a clean one, and an extension could therefore reach the registry without an effective check. The general lesson is that a security gate should return an explicit tri-state (clean, flagged, not run) and the caller should fail closed on anything other than an explicit pass.
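The following is an added example for this digest, not Open VSX's code; the registry's real pipeline, types and names are not reproduced. It models the flaw as described above, a scanner hook that answers with a bare boolean so "not configured" and "scanner crashed" both collapse to the publish path, and puts the fail-closed version beside it. The scanner callbacks and package bytes are constructed for the demonstration.

```python
"""Boolean scan result (fail-open) versus explicit tri-state verdict (fail-closed).
Added example; not the Open VSX implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

Scanner = Callable[[bytes], bool]   # returns True when the artifact is malicious


# --- Vulnerable shape: one bool carries four different situations -----------

def scan_bool(scanner: Optional[Scanner], package: bytes) -> bool:
    """'Not configured' and 'scanner raised' both become False, which the
    caller below reads as 'clean'. This is the ambiguity the text describes."""
    if scanner is None:
        return False
    try:
        return scanner(package)
    except Exception:
        return False


def publish_vulnerable(scanner: Optional[Scanner], package: bytes) -> bool:
    """Publishes whenever the bool is False, i.e. also on skip and on error."""
    return not scan_bool(scanner, package)


# --- Hardened shape: every outcome is named, and only CLEAN publishes -------

class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    NOT_CONFIGURED = "not_configured"
    ERROR = "error"


@dataclass(frozen=True)
class ScanResult:
    verdict: Verdict
    detail: str = ""


def scan(scanner: Optional[Scanner], package: bytes) -> ScanResult:
    if scanner is None:
        return ScanResult(Verdict.NOT_CONFIGURED, "no scanner registered")
    try:
        flagged = scanner(package)
    except Exception as exc:                     # crash, timeout, backend down
        return ScanResult(Verdict.ERROR, f"{type(exc).__name__}: {exc}")
    return ScanResult(Verdict.MALICIOUS if flagged else Verdict.CLEAN)


def publish_decision(result: ScanResult, require_scanner: bool = True) -> bool:
    """ERROR and MALICIOUS never publish. NOT_CONFIGURED publishes only when the
    deployment has explicitly opted out of scanning (require_scanner=False)."""
    if result.verdict is Verdict.CLEAN:
        return True
    if result.verdict is Verdict.NOT_CONFIGURED:
        return not require_scanner
    return False


# --- Constructed scanners and artifacts for the demonstration ---------------

def flagging_scanner(pkg: bytes) -> bool:
    return b"eval(" in pkg


def crashing_scanner(pkg: bytes) -> bool:
    raise TimeoutError("scanner backend unreachable")


BAD_PKG = b"... eval(base64.b64decode('...')) ..."   # constructed, not a real extension
GOOD_PKG = b"print('hello')"


def demo() -> dict:
    """Same inputs through both pipelines; the vulnerable one publishes on crash."""
    return {
        "vuln_crash_publishes": publish_vulnerable(crashing_scanner, BAD_PKG),
        "vuln_unconfigured_publishes": publish_vulnerable(None, BAD_PKG),
        "fixed_crash_publishes": publish_decision(scan(crashing_scanner, BAD_PKG)),
        "fixed_unconfigured_publishes": publish_decision(scan(None, BAD_PKG)),
        "fixed_clean_publishes": publish_decision(scan(flagging_scanner, GOOD_PKG)),
        "fixed_flagged_publishes": publish_decision(scan(flagging_scanner, BAD_PKG)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `require_scanner` flag is the important design choice: opting out of scanning has to be a deliberate, visible configuration decision, never something the pipeline infers from a missing or broken scanner at publish time.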
Proofpoint attributes a targeted spear-phishing campaign to TA446 (Callisto, also tracked as COLDRIVER and Star Blizzard), a Russian state-sponsored group, which delivered the recently disclosed DarkSword iOS exploit kit to its targets. The campaign marks an escalation in nation-state targeting of mobile devices, with a group previously known for credential phishing now fielding iOS exploitation capability.
Apple has begun pushing lock screen notifications to iPhones and iPads running outdated iOS and iPadOS versions, warning that web-based exploits are actively targeting those releases and prompting users to update. Direct, device-level warnings of this kind are unusual for Apple and signal that exploitation of known, already-patched vulnerabilities in older versions is serious and ongoing. For managed fleets, this is a reason to enforce a minimum OS version through MDM rather than leaving updates to users.
Microsoft's security update guide published several new CVEs:
CVE-2026-33343: etcd nested transaction vulnerability bypassing RBAC authorization
CVE-2026-2369: libsoup buffer overread from integer underflow
CVE-2026-4673: Chromium WebAudio heap buffer overflow
CVE-2026-32187: Microsoft Edge defense-in-depth vulnerability
The etcd item concerns etcd's own role-based access control, so it matters wherever etcd is reachable with authentication enabled, Kubernetes control planes included. The libsoup and Chromium items are memory-safety bugs in libraries that many applications embed (GNOME-based software for libsoup; Edge and other Chromium-based browsers for WebAudio), so exposure depends on which products bundle the affected versions. Check each against the components actually deployed rather than dismissing them as third-party.
Microsoft detailed how Defender applies asset-aware protection using Security Exposure Management to defend high-value targets including domain controllers and identity infrastructure. The approach prioritizes protection based on asset criticality and attack likelihood.