Security news.
Today's cybersecurity news highlights active exploitation of critical vulnerabilities, with a Marimo RCE flaw being exploited within hours of disclosure and a new Ivanti EPMM vulnerability added to CISA's KEV catalog. Additionally, law enforcement's use of ad data for device tracking raises privacy concerns, while Iranian-linked actors continue to target US industrial control systems.
Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data
Citizen Lab reports that Hungarian intelligence, El Salvador police, and several U.S. law enforcement agencies used Webloc, an advertising-based global geolocation surveillance system from Israeli company Cobwebs Technologies (now Penlink), to track 500 million devices.
Critical Marimo RCE Flaw Exploited Hours After Public Disclosure
A critical pre-authenticated remote code execution vulnerability (CVE-2026-39987) in Marimo, an open-source Python notebook, was actively exploited within 10 hours of its public disclosure.
CISA Adds Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability to KEV Catalog
CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities Catalog due to active exploitation.
Nearly 4,000 US Industrial Devices Exposed to Iranian Cyberattacks
Thousands of Internet-exposed Rockwell Automation Programmable Logic Controllers (PLCs) in the U.S. are vulnerable to cyberattacks by Iranian-linked hackers, who are actively targeting critical infrastructure.
CPUID Hacked to Deliver Malware via CPU-Z, HWMonitor Downloads
Threat actors compromised CPUID's API, altering download links on the official website to distribute malicious executables for popular tools like CPU-Z and HWMonitor in a supply chain attack.
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers
Threat actors hijacked the update system for the Smart Slider 3 Pro plugin (version 3.5.1.35) for WordPress and Joomla, pushing a backdoored version via compromised Nextend servers.
Chrome 147 Patches 60 Vulnerabilities, Including Two Critical Flaws
Google Chrome version 147 addresses 60 security vulnerabilities, including two critical flaws in the WebML component reported by anonymous researchers, with bounties totaling $86,000.
Google Chrome Adds Infostealer Protection Against Session Cookie Theft
Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to prevent info-stealing malware from harvesting and reusing session cookies.