Adobe Patches Reader Zero-Day Exploited for Months

The vulnerability is tracked as CVE-2026-34621 and Adobe has confirmed that it can be exploited for arbitrary code execution.

The post Adobe Patches Reader Zero-Day Exploited for Months appeared first on SecurityWeek.

https://www.justice.gov.mw/goblok.php

https://www.justice.gov.mw/goblok.php notified by Miyomar

https://www.police.gov.mw/goblok.php

https://www.police.gov.mw/goblok.php notified by Miyomar

https://www.malawi.gov.mw/goblok.php

https://www.malawi.gov.mw/goblok.php notified by Miyomar

Over 20,000 crypto fraud victims identified in international crackdown

An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. [...]

ChatGPT rolls out new $100 Pro subscription to challenge Claude

OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100 subscription, in addition to the $200 Max monthly plan. [...]

Hims Breach Exposes the Most Sensitive Kinds of PHI

Threat actors breached the telehealth brand, and now they may know who's bald, overweight, and impotent. What could they do with that information?

Your Next Breach Will Look Like Business as Usual

These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of credential-based attacks.

Nearly 4,000 US industrial devices exposed to Iranian cyberattacks

The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. [...]

FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats

Orange Business Reimagines Enterprise Voice Communications With Trust and AI

In Other News: Cyberattack Stings Stryker, Windows Zero-Day, China Supercomputer Hack

Other noteworthy stories that might have slipped under the radar: Jones Day hacked, Internet Bug Bounty program paused due to AI, new Mac stealer malware.

The post In Other News: Cyberattack Stings Stryker, Windows Zero-Day, China Supercomputer Hack appeared first on SecurityWeek.

Analysis of one billion CISA KEV remediation records exposes limits of human-scale security

Analysis of 1 billion CISA KEV remediation records reveal a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. [...]

Juniper Networks Patches Dozens of Junos OS Vulnerabilities

A critical-severity flaw could be exploited remotely, without authentication, to take over a vulnerable device.

The post Juniper Networks Patches Dozens of Junos OS Vulnerabilities appeared first on SecurityWeek.

Industrial Controllers Still Vulnerable As Conflicts Move to Cyber

The US government warns programmable logic controllers are being targeted, and research turns up 179 vulnerable operational technology (OT) devices.

[local] NetBT e-Fatura - Privilege Escalation

NetBT e-Fatura - Privilege Escalation

[webapps] D-Link DIR-650IN - Authenticated Command Injection

D-Link DIR-650IN - Authenticated Command Injection

CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads

Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]

Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday

The US government has warned that Iran-linked hackers are manipulating PLCs and SCADA systems to cause disruption.

The post Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday appeared first on SecurityWeek.

Can Anthropic Keep Its Exploit-Writing AI Out of the Wrong Hands?

Its Mythos Preview model, which can allegedly find and exploit critical zero-days, also comes with certain controls, the vendor said.

Microsoft: Canadian employees targeted in payroll pirate attacks

A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]

Orthanc DICOM Vulnerabilities Lead to Crashes, RCE

Attackers could exploit these vulnerabilities in denial-of-service, information disclosure, and arbitrary code execution attacks.

The post Orthanc DICOM Vulnerabilities Lead to Crashes, RCE appeared first on SecurityWeek.

Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000

The critical vulnerabilities affect Chrome’s WebML component and they have been reported by anonymous researchers.

The post Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws Worth $86,000 appeared first on SecurityWeek.

Google rolls out Gmail end-to-end encryption on mobile devices

Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. [...]

MITRE Releases Fight Fraud Framework

The document provides a behavior-based model of the tactics and techniques employed by fraudsters.

The post MITRE Releases Fight Fraud Framework appeared first on SecurityWeek.

Critical Marimo Flaw Exploited Hours After Public Disclosure

Within nine hours, a hacker built an exploit from the unauthenticated bug’s advisory and started using it in the wild.

The post Critical Marimo Flaw Exploited Hours After Public Disclosure appeared first on SecurityWeek.

Google Rolls Out Cookie Theft Protections in Chrome

New Device Bound Session Credentials render stolen session cookies unusable by cryptographically binding authentication.

The post Google Rolls Out Cookie Theft Protections in Chrome appeared first on SecurityWeek.

Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users

The security hole affected an EngageLab SDK and it was reported by Microsoft to the vendor one year ago.

The post Microsoft Finds Vulnerability Exposing Millions of Android Crypto Wallet Users appeared first on SecurityWeek.

Obfuscated JavaScript or Nothing, (Thu, Apr 9th)

I spotted an interesting piece of JavaScript code that was delivered via a phishing email in a RAR archive. The file was called “cbmjlzan.JS” (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) and is only identified as malicious by 15 AV’s on VirusTotal[1].

New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]

New VENOM phishing attacks steal senior executives' Microsoft logins

Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]

Russia's 'Fancy Bear' APT Continues Its Global Onslaught

Victims don't need to match the cyber espionage group's technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.

https://cl.puma.com/media/customer_address/v/a/vanda.txt

https://cl.puma.com/media/customer_address/v/a/vanda.txt notified by VandaTheGod

https://www.lindt.co.uk//media/customer_address//v/a/vanda.txt

https://www.lindt.co.uk//media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://tr.puma.com/media/customer_address/v/a/vanda.txt

https://tr.puma.com/media/customer_address/v/a/vanda.txt notified by VandaTheGod

https://uk.store.eu.panasonic.net/media/customer_address//v/a/vanda.txt

https://uk.store.eu.panasonic.net/media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://www.lindt.ch//media/customer_address//v/a/vanda.txt

https://www.lindt.ch//media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://www.lindt.com//media/customer_address//v/a/vanda.txt

https://www.lindt.com//media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://www.chocolate.lindt.com//media/customer_address//v/a/vanda.txt

https://www.chocolate.lindt.com//media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://admin.leroymerlin.co.za//media/customer_address//v/a/vanda.txt

https://admin.leroymerlin.co.za//media/customer_address//v/a/vanda.txt notified by VandaTheGod

https://leroymerlin.co.za/media/customer_address//v/a/vanda.txt

https://leroymerlin.co.za/media/customer_address//v/a/vanda.txt notified by VandaTheGod

ZDI-CAN-30380: Apple

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-04-09, 3 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

ZDI-CAN-28694: AVG

A CVSS score 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-04-09, 3 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

ZDI-CAN-30375: Adobe

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'DongHyeon Hwang (kind_killerwhale)' was reported to the affected vendor on: 2026-04-09, 3 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

'BlueHammer' Windows Zero-Day Exploit Signals Microsoft Bug Disclosure Issues

Under the alias 'Chaotic Eclipse,' a researcher released a PoC exploit for a zero-day flaw that allows for system takeover by a local user, citing an undisclosed beef with Microsoft.

Healthcare IT solutions provider ChipSoft hit by ransomware attack

Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. [...]

Google Chrome adds infostealer protection against session cookie theft

Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. [...]

Do Ceasefires Slow Cyberattacks? History Suggests Not

The cybersecurity community is waiting with bated breath to see if Iranian hackers will honor a ceasefire that doesn't actually name or directly involve them.

ZDI-CAN-29340: OriginLab

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-04-09, 3 days ago. The vendor is given until 2026-08-07 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.