#rce

Plus: The Jaguar Land Rover hack sets an expensive new record, OpenAI’s new Atlas browser raises security fears, Starlink cuts off scam compounds, and more.

Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant

Medusa ransomware leaks 186 GB of Comcast data, claiming 834 GB stolen after a $1.2M ransom demand apparently went unpaid.

In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats.

A Magento bug called SessionReaper is doing the rounds, and researchers warn it’s letting attackers hijack real shopping sessions.

### Impact **Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues: 1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token 2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection An attacker with access to a locally running development instance can chain these vulnerabilities to: - Reinitialize the application and receive a JWT token for a new root account - Use this token to authenticate - Execute arbitrary system commands through `installPackagesForDataSource` **Production deployments were never affected.** ### Patches Fixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2). Specifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3...

Criminals don’t need to be clever all the time; they just follow the easiest path in: trick users, exploit stale components, or abuse trusted systems like OAuth and package registries. If your stack or habits make any of those easy, you’re already a target. This week’s ThreatsDay highlights show exactly how those weak points are being exploited — from overlooked

Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and evolving ransomware tactics also persisting this quarter.

E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1), a critical improper input validation flaw that could be

### Summary An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code **when a malicious session file is locally loaded via the `-s` option**. This requires convincing a user to manually load a malicious session file. --- ### Details Scapy’s interactive shell supports session loading using gzip-compressed pickle files: ```bash ./run_scapy -s <session_file.pkl.gz> ``` Internally, this triggers: ```python # main.py SESSION = pickle.load(gzip.open(session_name, "rb")) ``` Since no validation or restriction is performed on the deserialized object, **any code embedded via `__reduce__()` will be executed immediately**. This makes it trivial for an attacker to drop a malicious `.pkl.gz` in a shared folder and have it executed by unsuspecting users. The vulnerability exists in the `load_session` function, which deserializes data using `pickle.load()` on `.pkl.gz` files provided via the `-s` CLI flag or programmatically through `conf.session`. ...