Trending Topics
Docker’s Silent AuthZ Failure: CVE‑2026‑34040 Turns One Oversized Request into Full Host Takeover
A newly disclosed high‑severity flaw in Docker Engine, tracked as CVE‑2026‑34040 (CVSS 8.8), allows attackers to bypass authorization plugins and gain full control of the underlying host with a single oversized HTTP API request. The bug is an incomplete fix for CVE‑2024‑41110 and affects Docker deployments that rely on AuthZ plugins (such as OPA, Prisma Cloud, Casbin, or custom policies) for fine‑grained access control. Cyera’s research shows that when a request body exceeds roughly 1 MB, Docker silently drops the body before it reaches any authorization plugin, yet the daemon still processes the request normally, meaning policy engines see a null body and may approve operations they would have otherwise denied. Because Docker underpins an estimated 92% of enterprise container deployments, the impact is broad: a single padded API call can be enough to spin up a privileged container with host filesystem access, exposing cloud credentials, SSH keys, kubeconfigs, and other secrets mounted into the container environment. The vulnerability is exploitable across typical enterprise setups, including CI/CD pipelines and management platforms that talk to the Docker API over TCP/TLS, and does not require complex race conditions; it only requires the ability to send a crafted request to the daemon. Docker has released fixed builds in Docker Engine 29.3.1 and Docker Desktop 4.66.1, and security advisories stress that anyone depending on AuthZ plugins to enforce policy should treat patching as urgent. Until patches are fully deployed, defenders should assume AuthZ controls can be silently bypassed and layer compensating protections around the Docker API. 
Recommended actions include: immediately upgrading to the fixed versions where possible; adding a reverse proxy or API gateway with a strict body‑size limit (for example 512 KB) in front of the Docker API; reviewing logs for warnings like “Request body is larger than” as potential exploitation indicators; and tightening which users, systems, and AI or automation agents are allowed to interact with the Docker daemon at all. Longer term, security teams should revisit their trust model around container runtimes, treating access to the Docker API as equivalent to root on the host, and ensuring that authorization logic is not solely dependent on plugins that can be bypassed by subtle request‑handling bugs of this kind.
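The body-size limit recommended above can be enforced by a small Go reverse proxy placed in front of the Docker API. This is an added example, not code from Docker or Cyera; the listen and upstream addresses are assumptions, and a 512 KB cap will also refuse legitimately large uploads such as image build contexts.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// maxBody is the text's 512 KB example, under the ~1 MB AuthZ cut-off.
const maxBody = 512 << 10

// reject answers 413 and logs the attempt so that it can be alerted on.
func reject(w http.ResponseWriter, r *http.Request) {
	log.Printf("oversized body rejected: %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
	http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
}

// limitBody forwards a request only after its whole body has been read and
// fits in maxBody. Reading it, rather than trusting Content-Length, also
// covers chunked requests, which declare no length up front.
func limitBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ContentLength > maxBody {
			reject(w, r)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			reject(w, r)
			return
		} else if err != nil {
			http.Error(w, "unreadable request body", http.StatusBadRequest)
			return
		}
		r.Body, r.ContentLength = io.NopCloser(bytes.NewReader(body)), int64(len(body))
		r.TransferEncoding = nil
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses; the existing TLS and client-auth setup is not shown.
	upstream := &url.URL{Scheme: "http", Host: "127.0.0.1:2375"}
	log.Fatal(http.ListenAndServe("127.0.0.1:8375", limitBody(httputil.NewSingleHostReverseProxy(upstream))))
}
```

Because the proxy forwards only bodies it has fully read, the daemon never receives a request large enough to reach the AuthZ plugin with its body dropped.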
Forest Blizzard’s Home Router Botnet: How Russian Spies Turn SOHO Devices into a Global Listening Post
A Russian military‑linked group known as Forest Blizzard (a.k.a. Fancy Bear), along with a sub‑cluster tracked as Storm‑2754, has been exploiting thousands of small office/home office (SOHO) routers worldwide to build a covert surveillance and espionage network. Microsoft’s latest research shows the actors compromising over 5,000 consumer devices and impacting at least 200 organizations since August 2025, using DNS hijacking and the legitimate dnsmasq tool to silently reroute traffic through attacker‑controlled infrastructure. By manipulating the Domain Name System, the “phonebook” of the internet, the group gains persistent, passive visibility into victims’ network activity at scale. The operation has evolved from simple traffic monitoring into full adversary‑in‑the‑middle (AiTM) attacks, with a particular focus on Microsoft Outlook Web Access users. Target sectors include energy, IT, and telecommunications, and researchers report that the actors successfully intercepted sensitive data from at least three African government organizations. Because the compromised devices are often home and SOHO routers used by remote and hybrid workers, this tactic effectively bypasses stronger corporate perimeters and exposes cloud access and confidential data even when the main office network appears secure. For organizations, the campaign underscores that home routers are now part of the attack surface: relying on cheap consumer gear for corporate tasks creates real exposure. Recommended defenses include requiring MFA or passwordless logins for all cloud and email access, avoiding basic home routers for sensitive work, and ensuring that any SOHO or remote‑access equipment is enterprise‑grade, regularly patched, and centrally managed where possible.
Security teams should also educate users about router hygiene (firmware updates, strong admin passwords, disabling unused remote‑management features) and treat traffic from unmanaged home networks as potentially untrusted, applying conditional access and additional scrutiny to remote sessions.
Contagious Interview’s Cross-Ecosystem Trap: North Korean Hackers Turn Open-Source Packages into Silent Developer Implants
A North Korea–linked campaign dubbed Contagious Interview has dramatically expanded its reach by publishing at least 1,700 malicious packages across five major ecosystems (npm, PyPI, Go, Rust, and PHP’s Packagist) since early 2025. The loaders impersonate legitimate logging and utility libraries (e.g., dev-log-core, logkitx, logtrace, logutilkit, fluxhttp), but quietly fetch platform-specific second‑stage malware with infostealer and RAT capabilities focused on data from browsers, password managers, and cryptocurrency wallets. A Windows variant delivered via license-utils-kit goes further, acting as a full post‑compromise implant that can run shell commands, log keystrokes, steal browser data, deploy AnyDesk for remote access, and download additional modules. What makes this wave especially insidious is that the malicious code does not execute at install time; instead, it is embedded inside normal‑looking functions aligned with each package’s advertised purpose. For example, in the Rust package logtrace, the payload hides inside Logger::trace(i32), a method name that would not typically raise suspicion during casual review. This stealthy design, combined with cross‑ecosystem coverage, shows a well‑resourced supply chain operation aimed at breaching developer environments for both espionage and financial gain, and it dovetails with broader DPRK activity such as the Axios npm poisoning by UNC1069/BlueNoroff, where social engineering against maintainers was used to push the WAVESHAPER.V2 implant. For security teams and engineering leaders, this campaign reinforces that open‑source registries are now a primary initial‑access vector, not a peripheral risk. Defenses should include mandatory package reputation checks and code review for new dependencies, use of tools that scan for known malicious packages, and runtime policies that restrict outbound connections and credential access from build and developer environments.
Organizations should also harden developer identity (to resist account takeover), educate staff about long‑running social engineering campaigns over LinkedIn, Telegram, Slack, and fake meeting invites, and treat seemingly benign utility libraries, especially new logging, “helper,” or licensing packages, as high‑risk until vetting proves otherwise.
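A first triage step for the package names listed above is to search dependency manifests and lockfiles for them. The Go sketch below is an added example, not a tool from the researchers; it assumes name-only matching across every manifest format, so a hit is a prompt for review rather than proof of compromise.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Names reported on this page. The page does not say which registry each one
// lives in (only logtrace is identified, as Rust), so any manifest is checked.
var reported = map[string]bool{
	"dev-log-core": true, "logkitx": true, "logtrace": true,
	"logutilkit": true, "fluxhttp": true, "license-utils-kit": true,
}

// token matches dependency-like identifiers, including path forms such as
// "@scope/name", "vendor/name" and "github.com/owner/name".
var token = regexp.MustCompile(`[A-Za-z0-9@][A-Za-z0-9._/@-]*`)

// normalize keeps the last path segment, lower-cased, with "_" and "."
// folded to "-" so that PyPI-style spelling variants compare equal.
func normalize(id string) string {
	id = id[strings.LastIndex(id, "/")+1:]
	return strings.NewReplacer("_", "-", ".", "-").Replace(strings.ToLower(id))
}

// findReported returns the sorted, de-duplicated reported names that occur
// as whole identifiers in the text of a manifest or lockfile.
func findReported(manifest string) []string {
	seen := map[string]bool{}
	for _, id := range token.FindAllString(manifest, -1) {
		if n := normalize(id); reported[n] {
			seen[n] = true
		}
	}
	hits := make([]string, 0, len(seen))
	for n := range seen {
		hits = append(hits, n)
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample: a Cargo.toml fragment, not taken from a real project.
	cargo := "[dependencies]\nserde = \"1\"\nlogtrace = \"0.1\"\n"
	fmt.Println(findReported(cargo))
}
```

Because the payloads described here run from ordinary function calls and not at install time, a clean install log says nothing; the manifest and lockfile are the place to look.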
OpenSSL’s RSA KEM Flaws: When Key Encapsulation Becomes a Data‑Leak Liability
OpenSSL has disclosed multiple vulnerabilities in its handling of the RSA Key Encapsulation Mechanism (KEM), warning that attackers could extract sensitive data from application memory during cryptographic operations if systems are left unpatched. The most prominent issue, tracked as CVE‑2026‑31790, affects the RSASVE encapsulation process and can expose portions of plaintext, intermediate values, or key material when specially crafted inputs are processed, undermining the confidentiality guarantees expected from key‑exchange workflows. Because OpenSSL underpins TLS, VPNs, email, and countless embedded products, any flaw in how it encapsulates and decapsulates keys has a wide blast radius, particularly for servers that terminate large volumes of encrypted traffic. These data‑exposure bugs arrive on the heels of earlier OpenSSL advisories that patched 12 CVEs in January 2026, including CVE‑2025‑15467, a CMS AuthEnvelopedData AEAD parsing overflow that can lead to denial‑of‑service or remote code execution, and a set of 2025 issues (CVE‑2025‑9230, CVE-2025-9231, and CVE-2025-9232) that enabled memory corruption and even private key recovery via timing side‑channels in SM2 signatures on 64‑bit ARM. Together, they highlight how subtle parsing errors (in CMS, PKCS#12, and KEK unwrap logic) and side‑channel weaknesses in OpenSSL can cascade from “just” crashes to full code execution or long‑term compromise of cryptographic keys that underpin entire infrastructures. Security researchers also note that many of these issues remained hidden in the codebase for years and were only surfaced after targeted, often AI‑assisted audits, underscoring how legacy cryptographic libraries can harbor high‑impact bugs well beyond their initial design era. For defenders, the message is that OpenSSL hygiene has to be treated as a first‑class priority, not a background maintenance task. 
Organizations should immediately inventory OpenSSL versions across servers, appliances, and applications; apply the latest patches that address CVE‑2026‑31790 and related issues; and, where feasible, prefer configurations that minimize the use of rarely deployed constructs, such as password‑based CMS encryption or custom SM2 providers, which expand the attack surface. Security teams should also assume that historical traffic could be at risk if private keys are ever recovered: that means planning for key rotation, certificate re‑issuance, and closer monitoring for anomalies on endpoints and services that rely heavily on OpenSSL‑backed TLS.
Update: Iran’s OT Escalation and the Blurring Line Between Cyber Ops and Influence
This update extends earlier coverage of Iran’s multi‑domain cyber escalation by focusing on a new wave of attacks against U.S. critical infrastructure that directly target internet‑facing operational technology devices, particularly programmable logic controllers (PLCs). U.S. agencies report that Iran‑affiliated actors are abusing exposed Rockwell Automation/Allen‑Bradley CompactLogix and Micro850 PLCs in government, water and wastewater, and energy sectors, leading to diminished PLC functionality, manipulated HMI/SCADA displays, and, in some cases, operational disruption and financial loss. Attackers are leveraging leased third‑party infrastructure and tools like Studio 5000 Logix Designer to establish “legitimate” connections, then deploying Dropbear SSH on port 22 for C2, project‑file theft, and live data manipulation. The campaign sits within a broader Iranian playbook that couples hard OT targeting with a coordinated ecosystem of DDoS, hack‑and‑leak, and information operations run through MOIS‑aligned personas such as Homeland Justice, Karma/KarmaBelow80, and Handala Hack. New analysis from DomainTools describes these groups less as separate hacktivists and more as interchangeable “veneers” on a single capability stack, using shared infrastructure and tradecraft while segmenting branding and messaging to shape narratives and complicate attribution. At the same time, state actor MuddyWater is increasingly tied into the criminal ecosystem, operating CastleRAT and related CastleLoader components (ChainShell and Tsundere) against Israeli targets, with PowerShell loaders that pull C2 data from Ethereum smart contracts and rely on commercially developed Malware‑as‑a‑Service (MaaS) frameworks originally linked to Russian actors. 
For defenders, this reinforces prior guidance: Iranian cyber activity against Western and Israeli interests is no longer limited to IT networks or symbolic defacements, but actively blends OT disruption, proxy “hacktivist” brands, and off‑the‑shelf criminal tooling. Critical‑infrastructure operators should immediately remove PLCs from direct internet exposure, enforce MFA and firewalls or proxies in front of any remote access, keep firmware and software current, and disable unused authentication features while monitoring for unusual SSH and HMI/SCADA traffic. Organizations in defense, aerospace, energy, and government, especially those previously tracking MuddyWater activity, should also account for CastleRAT/ChainShell/Tsundere in their threat models, recognizing that they now face threats combining state‑level targeting precision with agile, commercially sourced offensive tools.
Written By: William Elchert