Daily Brief

Find articles below; the summaries are generated.

Total articles found: 12593

2026-01-21 17:49:12 bleepingcomputer VULNERABILITIES Fortinet Firewalls Face Exploitation Despite Recent Patches
Fortinet firewalls are experiencing exploitation through a bypass of a previously patched critical authentication vulnerability, CVE-2025-59718, affecting multiple FortiGate versions. Administrators report unauthorized admin account creation via malicious SAML messages, indicating the vulnerability persists in FortiOS version 7.4.10. Fortinet plans to release updated versions 7.4.11, 7.6.6, and 8.0.0 to address the ongoing security flaw comprehensively. Administrators are advised to disable the vulnerable FortiCloud SSO feature temporarily to mitigate the risk of unauthorized access. Over 25,000 Fortinet devices were initially exposed online with FortiCloud SSO enabled; this number has been reduced to approximately 11,000. CISA has mandated federal agencies to patch the CVE-2025-59718 vulnerability within a week due to active exploitation. A separate critical vulnerability in Fortinet FortiSIEM is also being targeted, with proof-of-concept exploit code available for attackers.
2026-01-21 17:20:01 thehackernews NATION STATE ACTIVITY North Korean PurpleBravo Campaign Exploits Fake Job Interviews for Espionage
Recorded Future's Insikt Group identified the North Korean PurpleBravo campaign targeting 3,136 IP addresses, affecting 20 organizations across AI, cryptocurrency, and financial sectors. The campaign, active from August 2024 to September 2025, targeted companies in Europe, South Asia, the Middle East, and Central America, posing significant cyber espionage and financial theft risks. Attackers used malicious Microsoft Visual Studio Code projects and LinkedIn personas to distribute malware, exploiting trusted developer workflows for infiltration. PurpleBravo managed two command-and-control server sets for malware distribution, using Astrill VPN and IP ranges in China for operational security. The campaign's tactics overlap with another North Korean operation, Wagemole, which involves IT workers seeking unauthorized employment for espionage and financial gain. Victims executing malicious code on corporate devices increased organizational exposure, highlighting vulnerabilities in IT software supply chains to North Korean adversaries. Organizations outsourcing work to affected regions face heightened supply-chain risks, necessitating enhanced defenses against data leakage to North Korean threat actors.
2026-01-21 17:05:54 bleepingcomputer CYBERCRIME LastPass Users Targeted in Sophisticated Phishing Campaign
LastPass has issued a warning about a phishing campaign masquerading as a maintenance notification, urging users to back up their vaults within 24 hours. The fraudulent emails contain links directing users to a site intended to steal vault master passwords or hijack accounts. The campaign, believed to have started on January 19, uses deceptive email addresses and subjects to mimic authentic LastPass communications. Attackers timed the campaign to coincide with a U.S. holiday weekend, potentially exploiting reduced staffing for quicker infiltration. LastPass emphasizes it never requests master passwords and advises users to report suspicious emails to 'abuse@lastpass.com'. The phishing site ‘mail-lastpass[.]com’ is currently offline, indicating possible mitigation efforts. LastPass users frequently face phishing threats, with recent campaigns exploiting themes like fake death claims and breach alerts.
2026-01-21 15:44:46 thehackernews VULNERABILITIES Zoom and GitLab Address Critical Security Flaws with New Patches
Zoom has issued a critical update to fix a command injection vulnerability in its Node Multimedia Routers, which could allow remote code execution by meeting participants. The vulnerability, identified as CVE-2026-22844, holds a CVSS score of 9.9, indicating its potential severity if exploited. Zoom advises users of Node Meetings, Hybrid, or Meeting Connector deployments to upgrade to the latest version to mitigate risks. No current evidence suggests this Zoom vulnerability has been exploited in real-world scenarios. Concurrently, GitLab has released patches for high-severity vulnerabilities in its Community and Enterprise Editions, addressing potential DoS and 2FA bypass issues. GitLab's updates also rectify medium-severity bugs that could lead to DoS conditions via malformed Wiki documents and SSH authentication requests. These proactive measures by Zoom and GitLab aim to enhance security and protect users from potential exploitation.
2026-01-21 15:36:18 theregister CYBERCRIME Everest Ransomware Group Claims Massive Under Armour Data Breach
The Everest ransomware group claims to have breached Under Armour, affecting 72.7 million customer accounts, with data leaked on a cybercrime forum. Leaked information includes names, email addresses, birth dates, genders, locations, and purchase histories; Everest alleges additional data types were compromised. Under Armour has not publicly acknowledged the breach or responded to inquiries regarding the incident, maintaining silence since the alleged attack in November. Everest's tactics include double extortion, network access brokerage, and insider recruitment, allowing diverse revenue streams while avoiding high-profile scrutiny. A class action lawsuit has been filed against Under Armour by a customer, potentially leading to significant legal and financial repercussions for the company. Everest, active since 2020, has a history of targeting high-profile organizations, including Collins Aerospace and the Brazilian government, indicating a persistent threat. The incident underscores the ongoing risk posed by ransomware groups and the importance of robust cybersecurity measures and timely breach disclosures.
2026-01-21 14:37:26 bleepingcomputer CYBERCRIME Phishing Evolves into Industrialized Service Economy with AI Tools
Phishing attacks have matured into a sophisticated service economy, leveraging Phishing-as-a-Service (PhaaS) platforms to bypass modern defenses and exploit human vulnerabilities. Flare researchers analyzed over 8,600 underground conversations, revealing the industrialization of phishing, with 36% reflecting real-world threat activity and 20% showing operational intent. Attackers utilize AI-powered tools like PhishGPT to craft personalized, context-aware scam messages, increasing the scale and effectiveness of phishing campaigns. The phishing ecosystem includes rotating domains, bulletproof hosting, and proxy networks, making campaigns resilient and difficult to block. Phishing kits are sold as turnkey products, complete with hosting and customer support, lowering the barrier to entry for low-skill operators. Psychological tactics exploit urgency and emotional timing, targeting users when they are distracted or emotionally engaged, increasing the likelihood of success. The report emphasizes the need for awareness and vigilance, as even cybersecurity professionals can fall victim to well-crafted phishing attacks.
2026-01-21 14:03:51 bleepingcomputer VULNERABILITIES GitLab Patches Critical 2FA Bypass and DoS Vulnerabilities
GitLab addressed a critical two-factor authentication bypass vulnerability (CVE-2026-0723) affecting both community and enterprise editions, potentially allowing attackers to circumvent authentication with known account IDs. Two high-severity denial-of-service vulnerabilities (CVE-2025-13927, CVE-2025-13928) were also patched, which could be exploited via malformed requests and incorrect API endpoint validation. Additional medium-severity DoS vulnerabilities involved malformed Wiki documents and repeated SSH requests, necessitating immediate updates to versions 18.8.2, 18.7.2, and 18.6.4. GitLab has urged administrators to upgrade to the latest versions to mitigate these risks, noting that GitLab.com is already secure, with no action needed for GitLab Dedicated customers. The vulnerabilities could impact over 45,000 devices with GitLab fingerprints, as identified by Shodan, and nearly 6,000 exposed GitLab CE instances tracked by Shadowserver. GitLab's platform, used by over 30 million users and 50% of Fortune 100 companies, underscores the importance of timely updates to protect critical infrastructure. Previous patches in June 2025 addressed account takeover and missing authentication issues, reinforcing the need for ongoing vigilance in security practices.
2026-01-21 14:03:51 bleepingcomputer VULNERABILITIES Misconfigured Security Apps Expose Fortune 500 Firms to Cyber Threats
Threat actors are exploiting misconfigured web applications used for security training to infiltrate cloud environments of Fortune 500 companies and security vendors. Security testing apps like DVWA and OWASP Juice Shop, when publicly exposed, become entry points for deploying crypto miners and webshells. Pentera's investigation revealed 1,926 vulnerable applications linked to overly privileged IAM roles on major cloud platforms like AWS, GCP, and Azure. Companies including Cloudflare, F5, and Palo Alto Networks were notified of these vulnerabilities and have since addressed the issues. Many instances were found using default credentials, risking unauthorized access to critical cloud resources such as S3 buckets and Azure Blob Storage. Active exploitation has been confirmed, with attackers using tools like XMRig for cryptocurrency mining and scripts for persistence. Recommendations include maintaining a comprehensive inventory of cloud resources, enforcing least-privilege IAM roles, and changing default credentials.
2026-01-21 13:49:21 theregister NATION STATE ACTIVITY EU Proposes Cybersecurity Act to Address High-Risk Telecom Suppliers
The European Commission (EC) is pushing for a revised Cybersecurity Act to mitigate risks from third-country IT and telecom suppliers, including Huawei and ZTE. The proposed legislation aims to phase out high-risk suppliers from EU networks within three years, impacting countries heavily reliant on these vendors. Concerns center around potential backdoors in telecom equipment, which could enable espionage or network disruptions by foreign governments. The EC's plan includes strengthening the European Union Agency for Cybersecurity (ENISA) and simplifying the cybersecurity certification framework across Europe. Huawei, a major supplier in EU networks, argues the proposal violates EU principles and WTO obligations, committing to monitor legislative developments closely. The UK previously mandated the removal of Huawei technology by 2027, highlighting challenges in balancing security with service quality and network expansion. Industry experts warn the EC's approach may lead to fragmentation in the global telecoms ecosystem, potentially hindering innovation and collaboration.
2026-01-21 13:07:35 theregister NATION STATE ACTIVITY Ireland Proposes New Law for Police to Use Spyware and Intercept Communications
Ireland's government plans to introduce a bill enabling police to intercept communications, including encrypted messages, and legally use spyware, replacing outdated legislation from 1993. The Communications (Interception and Lawful Access) Bill aims to empower law enforcement to access communications from IoT devices, emails, and electronic messaging services. The proposed legislation promises a robust legal framework with privacy and security safeguards, although specifics on breaking encryption remain unclear. Privacy advocates express concerns over potential rights infringements, citing the expansive surveillance powers and their implications for civil liberties. Ireland will align with the EU's guidelines on lawful spyware use, ensuring measures are necessary, proportionate, and subject to judicial oversight. The bill complements the Recording Devices Bill, which could expand police use of biometric recognition technology, raising further privacy concerns. Critics warn that such surveillance powers, once normalized, could be misused, leading to routine application beyond serious crime investigations.
2026-01-21 12:35:13 theregister MISCELLANEOUS UK Launches Software Security Code of Practice with Industry Leaders
The UK government introduced a new initiative, enlisting companies like Cisco, Palo Alto, and Accenture as ambassadors to promote the Software Security Code of Practice. Digital Economy Minister Liz Lloyd emphasized the importance of software security as a commercial imperative, linking it to economic growth and AI advancement. The program aims to enhance trust in digital systems, with the UK boasting strong cyber defenses and significant expertise clusters in Cheltenham, Manchester, Belfast, and Scotland. Despite previous groundwork, only 25% of organizations consider cybersecurity when purchasing software, prompting calls for more regulation and oversight. The initiative seeks to emulate the success of the WHO's hand hygiene code, aiming for cybersecurity practices to become universally adopted and straightforward. UK-based companies such as Sage, Nexor, and Salus join international firms in committing to champion secure software and serve as role models. Financial institutions like Lloyds and Santander are also involved, highlighting the initiative's broad industry support.
2026-01-21 12:22:16 bleepingcomputer VULNERABILITIES Pwn2Own 2026 Exposes 37 Zero-Day Vulnerabilities in Automotive Systems
Security researchers at Pwn2Own Automotive 2026 exploited 37 zero-day vulnerabilities, earning $516,500 in rewards for hacking various automotive systems, including Tesla's Infotainment System. The Synacktiv Team successfully chained an information leak with an out-of-bounds write flaw, achieving root permissions on Tesla's system, earning $35,000. Fuzzware.io and PetoWorks teams also demonstrated significant exploits, targeting EV chargers and navigation systems, collectively earning over $168,000. The competition, held in Tokyo, focuses on automotive technologies, with researchers targeting fully patched systems, including electric vehicle chargers and infotainment systems. Vendors have 90 days to patch the identified vulnerabilities before public disclosure by Trend Micro's Zero Day Initiative, emphasizing the need for rapid response. The event highlights ongoing security challenges in automotive technology, with previous competitions revealing numerous vulnerabilities in electric car systems. The Pwn2Own contest serves as a critical platform for identifying and addressing security flaws, driving improvements in automotive cybersecurity.
2026-01-21 12:05:42 thehackernews MISCELLANEOUS AI Revolutionizes Managed Security Service Providers' Operational Efficiency
Managed Security Service Providers (MSSPs) face challenges with alert overload, limited staff, and client demands for high-level protection at lower costs. Traditional scaling methods relied on increasing headcount, leading to strained resources and diminishing profit margins. AI technology is transforming MSSP operations by automating assessments, benchmarking, and reporting, allowing teams to focus on strategic tasks. Early adopters of AI are experiencing significant margin improvements and expedited client onboarding without needing additional staff. Secure Cyber Defense's CISO, Chad Robinson, utilized Cynomi's AI platform to enhance service delivery and revenue through automation and standardization. The shift to AI-driven operations enables MSSPs to expand service offerings, such as advisory roles, effectively turning junior analysts into "virtual CISOs." Industry leaders emphasize that future success in the MSSP sector hinges on adopting smarter, AI-driven operational models rather than increasing workforce size.
2026-01-21 10:32:36 thehackernews VULNERABILITIES Gartner Introduces Exposure Assessment Platforms to Transform Vulnerability Management
Gartner's new Magic Quadrant for Exposure Assessment Platforms (EAPs) marks a strategic shift from traditional vulnerability management to Continuous Threat Exposure Management (CTEM). EAPs aim to address the inefficiencies of legacy vulnerability tools by providing a unified view of exposures across cloud, on-prem, and identity layers. Traditional vulnerability management often results in alert fatigue, with 74% of exposures being "dead ends" that do not pose a real threat to critical systems. EAPs focus on mapping attacker pathways, enabling organizations to prioritize remediation efforts and reduce unplanned downtime by 30% by 2027. The market is divided between legacy vendors adding exposure features and native players like XM Cyber, which use attack graph-based modeling to lead the category. The new approach shifts security metrics from the number of patched vulnerabilities to the elimination of critical attack paths, aligning security with business objectives. EAPs are positioned to enhance efficiency by guiding remediation efforts based on attacker movement, optimizing resource allocation for security teams.
2026-01-21 09:15:08 thehackernews VULNERABILITIES Chainlit AI Framework Vulnerabilities Expose Sensitive Data and Enable SSRF Attacks
Zafran Security discovered critical vulnerabilities in the Chainlit AI framework, potentially allowing attackers to steal sensitive data and perform server-side request forgery (SSRF) attacks. The vulnerabilities, named ChainLeak, can be exploited to access cloud environment API keys and sensitive files, posing a significant risk to organizations using the framework. Chainlit, a tool for developing conversational chatbots, has been downloaded over 7.3 million times, indicating widespread potential exposure. Attackers can combine the vulnerabilities to escalate privileges and move laterally within affected systems, threatening the security of AI applications. The issues were responsibly disclosed on November 23, 2025, and addressed in Chainlit version 2.9.4, released on December 24, 2025. The discovery highlights the risks associated with embedding longstanding software vulnerabilities into AI infrastructure, necessitating vigilant security practices. Organizations are urged to update to the latest version of Chainlit and review their AI framework security to prevent exploitation.