Security news.
Today's security brief highlights critical vulnerabilities and persistent threats, with CISA adding four new flaws to its Known Exploited Vulnerabilities catalog. We also see continued activity from state-sponsored APTs and the emergence of new malware, underscoring the need for vigilance and timely patching.
CISA Adds 4 Exploited Flaws to KEV Catalog
CISA has added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, with a May 2026 federal deadline for remediation.
China-Linked APT GopherWhisper Abuses Legitimate Services
A new China-linked APT, GopherWhisper, is actively using Go-based backdoors and custom loaders to target government entities by abusing legitimate services.
Pre-Stuxnet ‘fast16’ Malware Discovered
Researchers have uncovered "fast16," a Lua-based malware dating back to 2005, designed to sabotage high-precision engineering software, predating the notorious Stuxnet worm.
ADT Confirms Data Breach After ShinyHunters Threat
Home security giant ADT has confirmed a data breach following an extortion threat from the ShinyHunters group to leak stolen data.
Firestarter Malware Persists on Cisco Firewalls
U.S. and U.K. cybersecurity agencies warn about Firestarter, a custom malware that maintains persistence on Cisco Firepower and Secure Firewall devices even after updates and security patches.
New BlackFile Extortion Group Linked to Vishing Surge
A new financially motivated hacking group, BlackFile, is reportedly behind a wave of data theft and extortion attacks targeting retail and hospitality organizations since February 2026, often using vishing tactics.
‘Pack2TheRoot’ Flaw Grants Root Linux Access
A new vulnerability, dubbed Pack2TheRoot, in the PackageKit daemon could allow local Linux users to install or remove system packages and gain root permissions.
LMDeploy CVE-2026-33626 Exploited Within Hours
A high-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33626) in LMDeploy, an LLM toolkit, was actively exploited less than 13 hours after its public disclosure.