Trending Topics

Trend Micro Apex One 0-day Exploited in the Wild

Trend Micro is warning customers about active exploitation of critical 0-day remote code execution vulnerabilities in its Apex One endpoint security platform, and on‑premise administrators need to act immediately to reduce exposure. The flaws, tracked as CVE-2025-54948 and CVE-2025-54987, stem from unauthenticated command injection vulnerabilities in the Apex One Management Console that allow pre-authentication attackers to execute arbitrary code on vulnerable systems.

In practice, an internet-exposed or unsegmented console can be turned into an initial foothold - letting attackers upload and run malware under the console's web server account, for example, in the context of IUSR, and pivot deeper into the environment from there.

Trend Micro has not yet released a full patch. It has shipped a mitigation tool that temporarily disables the vulnerable Management Console functionality and helps block exploitation attempts until fixed builds arrive around mid-August 2026. Security advisories and national agencies are directing organizations to deploy the mitigation immediately, restrict network access to the Apex One console, and plan for the critical patch as soon as it is available. CISA has added CVE-2025-54948 to its Known Exploited Vulnerabilities catalog - a clear signal this is being exploited in real attacks and should be treated as a high-priority incident response item, not a routine patching task.

This zero-day fits a pattern. Apex One has seen multiple critical RCE issues targeted by threat actors over the past several years, including CVE-2022-40139 and CVE-2023-41179 in its client rollback and uninstaller components. The management console has repeatedly proven to be a high-value target, and exposure policy should reflect that.

For defenders, the lesson is twofold: do not expose management consoles directly to the internet, even for security products, and treat vendor mitigation tools and out‑of‑band advisories as production‑grade controls rather than optional extras. If your organization runs Apex One on‑premise, your immediate priority should be confirming console versions and exposure, applying the mitigation, tightening access on TCP ports 8080 and 4343, and preparing for the rapid deployment of Trend Micro’s upcoming patch once it is released.

Megalodon GitHub Attack: 5,561 Repos Hit In Six Hours

A mass supply chain attack dubbed "Megalodon" has hammered GitHub hard, with attackers pushing more than 5,700 malicious commits into 5,561 repositories in roughly six hours by poisoning GitHub Actions workflows. The campaign, uncovered by SafeDep, targeted CI/CD pipelines rather than source code directly - injecting malicious YAML into automated workflows that trigger on every push, pull request, or release. Fake bot-style identities like build-bot, auto-ci, ci-bot, and pipeline-bot made the commits look like routine automation noise in busy projects.

Once merged, these workflows silently exfiltrated secrets from CI environments, including cloud credentials, GitHub tokens, and API keys, giving attackers a foothold in downstream infrastructure well beyond the compromised repositories themselves.

The incident illustrates how fragile the open-source supply chain has become now that CI pipelines carry deep trust and broad permissions - sometimes including access to private repos and production accounts. In Megalodon's case, the blast radius extended further through projects like Tiledesk, where poisoned GitHub repos led to backdoored npm package releases being consumed by unsuspecting developers in their own builds. A single CI compromise cascaded through package registries and into end-user environments without any of those downstream developers knowing they were part of the chain.

For maintainers and organizations, the response is clear: audit GitHub Actions and other workflow definitions for unauthorized changes, rotate any credentials that could have been exposed in CI, and tighten workflow permissions and branch protections so that "innocent" automation commits cannot quietly rewire your build systems again.

Ubiquiti Rushes to Patch Three Critical UniFi OS Vulnerabilities

Ubiquiti has released fixes for three maximum-severity vulnerabilities in  UniFi OS devices that could allow attackers with low privileges and network access to read arbitrary files and take over accounts if left unpatched. The issues include a critical path traversal flaw, CVE-2026-22557, in the UniFi Network application, along with additional high-impact bugs now extended to the self-hosted UniFi Network Server. All three are addressed in newly published UniFi OS and UniFi Network application updates.

In practical terms, a malicious user already on the local network or with VPN access could exploit the path traversal bug to access sensitive configuration files on UniFi gateways, consoles, and self-hosted controllers, then use those secrets to hijack administrator accounts and gain full control over managed Wi-Fi, switching, and routing infrastructure.

Ubiquiti's guidance is specific. Administrators should upgrade the UniFi Network application to at least version 10.1.89 on official release tracks and 10.2.97 on release candidate builds, and update UniFi Express firmware to 4.0.13 or later, which includes a fixed controller version. UniFi OS Security Advisory Bulletin 064 also instructs UniFi OS device owners to apply the latest UniFi OS patches remediating the path traversal issue on gateways and consoles. Ubiquiti further recommends migrating self-hosted deployments to UniFi OS Server where possible, so administrators receive consolidated platform updates and future security fixes without managing standalone controller software that can fall behind.

If you run UniFi gear in production, the priorities are straightforward: schedule emergency maintenance to apply the vendor's updates, check for unexpected local accounts or configuration changes on controllers, and avoid exposing UniFi management interfaces directly to the internet so that future vulnerabilities are harder for remote attackers to reach.

Update: Cisco Fixes CVSS 10.0 Secure Workload API Flaw

Cisco has released fixes for a maximum-severity vulnerability in its Secure Workload product that allows unauthenticated attackers to call internal REST APIs and gain Site Admin-level access across tenant boundaries. Tracked as CVE-2026-20223, with a CVSS score of 10.0, the flaw stems from missing or insufficient validation and authentication on specific REST API endpoints, allowing a remote attacker to send crafted API requests, read sensitive data, and change global configuration with no prior login or credentials required.

The issue affects both SaaS and on-premise deployments of Cisco Secure Workload Cluster Software. Cisco has confirmed there are no viable workarounds - mitigation depends entirely on applying vendor updates.

Cisco says the bug was discovered through internal security testing rather than in-the-wild exploitation, and no evidence of active abuse has surfaced so far. That is good news, but it does not change the urgency. Unauthenticated access, full read and write capability, and multi-tenant impact make CVE-2026-20223 a textbook CVSS 10.0 - exactly the kind of flaw that warrants an emergency change window, particularly in environments where Secure Workload is tightly integrated with production clusters and policy engines.

Organizations running release 3.9 or earlier must migrate to a fixed version. Those on 3.10 should upgrade to 3.10.8.3, and 4.0 customers need to move to 4.0.3.17. Any exposed management interfaces and API gateways should be treated as potentially at risk until patching is confirmed complete.

Android Malware Is Silently Signing Users Up For Paid Services

A newly uncovered Android malware campaign has spent the last ten months secretly subscribing victims to premium SMS services, quietly inflating their phone bills without any visible warning. Researchers at Zimperium zLabs identified roughly 250 malicious apps involved, many impersonating popular brands like Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto to trick users into installing them.

Once on a device, the malware checks the SIM card and activates only on specific mobile networks in Thailand, Croatia, Romania, and Malaysia - a tactic that keeps it under the radar by avoiding unnecessary activity on unsupported carriers. When it finds a targeted carrier, the malware cuts off Wi-Fi to force traffic over mobile data, then uses hidden WebViews, JavaScript injection, and abused Google SMS Retriever API access to request one-time codes, read them from incoming texts, and confirm premium subscriptions entirely in the background.

Different variants automate this workflow in slightly different ways. Some drive fully hidden browser sessions for DiGi customers. Others send premium SMS commands like "ON HITZ" or "ON GAM1" to specific short codes for Maxis and U Mobile subscribers. More sophisticated versions use delayed, staged SMS bursts and stolen cookies to persist sessions on Thai operator portals such as TrueMove H. A more advanced strain also reports device metadata, installation status, and successful subscription events to a private Telegram channel via the Telegram Bot API - giving operators real-time visibility into the revenue their fraud is generating.

For everyday Android users, this campaign is a reminder that sideloading APKs and trusting links from social media posts, chats, or SMS messages carries real financial risk - not just the abstract threat of "malware." Sticking to official app stores, scrutinizing app names and publishers, and watching for unexpected drops in mobile data balance or unfamiliar premium text charges are practical first lines of defense, particularly in regions where mobile billing is common and premium SMS fraud is lucrative.

If your carrier offers granular controls for premium SMS or third-party billing, disable them by default and re-enable only when necessary. Silent subscriptions like the ones used here have considerably less room to operate when the billing mechanism itself is locked down.