Trending Topics

Trend Micro Apex One 0-day Exploited in the Wild

Trend Micro is warning customers about active exploitation of critical 0-day remote code execution vulnerabilities in its Apex One endpoint security platform, and on‑premise administrators need to act immediately to reduce exposure. The flaws, tracked as CVE-2025-54948 and CVE-2025-54987, stem from unauthenticated command injection vulnerabilities in the Apex One Management Console that allow pre-auth attackers to execute arbitrary code on vulnerable systems. In practice, this means an internet‑exposed or unsegmented console can be turned into an initial foothold, letting attackers upload and run malware under the console’s web server account, for example, in the context of IUSR, and pivot deeper into the environment. Trend Micro has not yet released a full patch; it has shipped a mitigation tool that temporarily disables vulnerable functionality in the Management Console and helps block exploitation attempts until fixed builds land around mid‑August 2025. Security advisories and national agencies stress that organizations should deploy the mitigation immediately, restrict network access to the Apex One console, and plan to install the upcoming critical patch as soon as it is available. CISA has already added CVE-2025-54948 to its Known Exploited Vulnerabilities catalog, a clear signal that this bug is being exploited in real attacks and should be treated as a high‑priority incident response item rather than a routine patching task. This latest 0-day fits a pattern for Apex One, which has seen multiple critical RCE issues targeted by threat actors over the last several years, including CVE-2022-40139 and CVE-2023-41179 in its client rollback and uninstaller components. For defenders, the lesson is twofold: do not expose management consoles directly to the internet, even for security products, and treat vendor mitigation tools and out‑of‑band advisories as production‑grade controls rather than optional extras. If your organization runs Apex One on‑premise, your immediate priority should be confirming console versions and exposure, applying the mitigation, tightening access on TCP ports 8080 and 4343, and preparing for the rapid deployment of Trend Micro’s upcoming patch once it is released.

Megalodon GitHub Attack: 5,561 Repos Hit In Six Hours

A new mass supply chain attack dubbed “Megalodon” has hammered GitHub, with attackers pushing more than 5,700 malicious commits into 5,561 repositories in roughly six hours, primarily by poisoning GitHub Actions workflows. The campaign, uncovered by SafeDep, targeted CI and CD pipelines rather than just source code, injecting malicious YAML into automated workflows that run on every push, pull request, or release, and using fake bot‑style identities like build‑bot, auto‑ci, ci‑bot, and pipeline‑bot so the commits looked like routine automation noise in busy projects. Once merged, these workflows silently exfiltrated secrets, including cloud credentials, GitHub tokens, and API keys, from CI environments, giving attackers a powerful foothold in downstream infrastructure well beyond the compromised repositories themselves. The incident illustrates how fragile the open-source supply chain has become, now that CI pipelines are deeply trusted and heavily permissioned, sometimes with broad access to private repos and production accounts. In Megalodon’s case, the blast radius extended further through projects like Tiledesk, where poisoned GitHub repos led to backdoored npm package releases, which were then consumed by unsuspecting developers in their own builds, showing how a single CI compromise can cascade through registries and, eventually, into end-user environments. For maintainers and organizations, audit GitHub Actions and other workflow definitions for unauthorized changes, rotate any credentials that could have been exposed in CI, and tighten workflow permissions and branch protections so that “innocent” automation commits cannot quietly rewire the heart of your build systems again.

Ubiquiti Rushes to Patch Three Critical UniFi OS Vulnerabilities

Ubiquiti has released fixes for three maximum severity vulnerabilities in UniFi OS devices that could allow attackers with low privileges and network access to read arbitrary files and potentially take over accounts if left unpatched. According to Ubiquiti’s latest security advisory, the issues include a critical path traversal flaw, CVE-2026-22557, in the UniFi Network application, as well as additional high-impact bugs now extended to the self‑hosted UniFi Network Server, all of which are addressed in newly published UniFi OS and UniFi Network application updates. In practical terms, a malicious user already on the local network or with VPN access could exploit the path traversal bug to access sensitive configuration files on UniFi gateways, consoles, and self‑hosted controllers, then use those secrets to hijack administrator accounts and gain full control over managed Wi‑Fi, switching, and routing infrastructure. Ubiquiti urges admins to upgrade the UniFi Network application to at least version 10.1.89 on official release tracks and 10.2.97 on release candidate builds, and to update UniFi Express firmware to 4.0.13 or later, which includes a fixed controller version; the UniFi OS Security Advisory Bulletin 064 further instructs UniFi OS device owners to apply the latest UniFi OS patches that remediate the newly disclosed path traversal issue on gateways and consoles. The company also recommends moving self‑hosted deployments to UniFi OS Server where possible, so administrators receive consolidated platform updates and future security fixes more quickly, rather than managing standalone controller software that can easily fall behind. If you run UniFi gear in production, the priority now is to schedule emergency maintenance to apply the vendor’s updates, check for unexpected local accounts or configuration changes on controllers, and avoid exposing UniFi management interfaces directly to the internet so that any similar flaws in the future are harder for remote attackers to reach.

Update: Cisco Fixes CVSS 10.0 Secure Workload API Flaw

Cisco has released fixes for a maximum severity vulnerability in its Secure Workload product that allows unauthenticated attackers to call internal REST APIs and gain Site Admin‑level access across tenant boundaries. Tracked as CVE-2026-20223 with a CVSS score of 10.0, the flaw stems from missing or insufficient validation and authentication for specific REST API endpoints, allowing a remote attacker to send crafted API requests to read sensitive data and change global configuration with no prior login or credentials. The issue affects both SaaS and on‑prem deployments of Cisco Secure Workload Cluster Software, and, according to Cisco, there are no viable workarounds; mitigation therefore, depends entirely on applying vendor updates. Cisco says the bug was discovered during internal security testing rather than through in-the-wild exploitation, and at this time, there is no evidence that threat actors have abused it. Even so, the combination of unauthenticated access, full read and write capability, and multi‑tenant impact makes CVE-2026-20223 a textbook example of why CVSS 10.0 issues demand emergency change windows, particularly in environments where Secure Workload is tightly integrated with production clusters and policy engines. Organizations running releases 3.9 and earlier must migrate to a fixed version, while those on 3.10 should upgrade to 3.10.8.3, and 4.0 customers need to move to 4.0.3.17 as soon as possible, treating any exposed management interfaces and API gateways as potentially at risk until patching is complete.

Android Malware Is Silently Signing Users Up For Paid Services

A newly uncovered Android malware campaign has spent the last ten months secretly subscribing victims to premium SMS services, quietly inflating their phone bills without any visible warning. Researchers at Zimperium zLabs found roughly 250 malicious apps involved, many of which impersonated popular brands like Facebook Messenger, Instagram Threads, TikTok, Minecraft, and Grand Theft Auto to trick users into installing them. Once on a device, the malware checks the SIM card and activates only on specific mobile networks in Thailand, Croatia, Romania, and Malaysia, a tactic that helps it stay under the radar by avoiding unnecessary activity on unsupported carriers. When it finds a targeted carrier, the malware cuts off Wi‑Fi to force traffic over mobile data, then uses hidden WebViews, JavaScript injection, and abused Google SMS Retriever API access to request one‑time codes, read them from incoming texts, and confirm premium subscriptions in the background. Different variants automate this workflow in slightly different ways, from driving fully hidden browser sessions for DiGi customers, to sending premium SMS commands like “ON HITZ” or “ON GAM1” to specific short codes for Maxis and U Mobile, and even using delayed, staged SMS bursts and stolen cookies to persist sessions on Thai operator portals such as TrueMove H. A more advanced strain also reports device metadata, installation status, and successful subscription events to a private Telegram channel via the Telegram Bot API, giving operators real‑time insight into the revenue their fraud is generating. For everyday Android users, this campaign is a reminder that side‑loading APKs and trusting links in social media posts, chats, or SMS messages carries real financial risk, not just the abstract threat of “malware.” Sticking to official stores, scrutinizing app names and publishers, and watching for unexpected drops in mobile data balance or new premium text charges are now basic self‑defense, particularly in regions where mobile billing is common and premium SMS fraud is lucrative. If your operator offers granular controls for premium SMS or third‑party billing, it is worth disabling them by default, then re‑enabling only when absolutely necessary, so that silent subscriptions like the ones used in this campaign have less chance to drain your account in the first place.