Trending Topics

TRENDING TOPICS MAR 25, 2026

NGINX MP4 Module Flaw Enables Remote Code Execution

F5 has disclosed a high-severity vulnerability, tracked as CVE-2026-32647, in the NGINX MP4 streaming module. A crafted MP4 file can crash NGINX worker processes and, in some circumstances, lead to arbitrary code execution on the affected server. The issue affects both NGINX Plus and NGINX Open Source when the MP4 module is enabled for serving media, so organizations that use NGINX for video delivery or MP4-based applications should prioritize assessment and remediation. Although the flaw resides in NGINX itself, environments that pair NGINX Plus with other F5 products for application delivery or media streaming should still review their deployments so that nothing is left unaddressed.

Vendor advisories confirm that multiple NGINX Plus releases in the R3x line and NGINX Open Source versions in the 1.x branch are affected, and fixed builds are available for both the commercial and open source distributions. Administrators should upgrade NGINX Plus to a corrected maintenance release and NGINX Open Source to the latest patched version, following standard change management and rollback procedures, especially for high-traffic or customer-facing services. Other F5 products, including BIG-IP, BIG-IP VPN components, and F5 Distributed Cloud, have been evaluated and are not currently considered vulnerable to this specific MP4 processing flaw, although any NGINX instances deployed alongside them still require attention.

Where immediate patching is not possible, the safest interim measure is to disable MP4 streaming on exposed servers by removing the mp4 directive from the affected locations, or to restrict MP4 publishing and uploads to strictly trusted users until updates can be applied. A build that merely includes the MP4 module is only exposed where a location actually enables the directive, so security teams should inventory all NGINX instances serving MP4 content, determine which are internet-facing or accept untrusted media, and then either remove the mp4 directive or tightly restrict who can upload and access video files.

In parallel, teams should increase monitoring of NGINX error logs and media endpoints for unusual errors and worker restarts tied to MP4 handling, and continue to track vendor updates, since any change in exploitation details or product scope may alter the risk profile for the broader F5 and application delivery environment.
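The inventory step above is the part most teams have to repeat across many hosts. The following POSIX shell script is an added example written for this page; it is not from F5's advisory or from the Hunter Strategy write-up. It checks whether the nginx binary on PATH was built with the MP4 module and then lists every active mp4 directive under a configuration directory. The script name, the /etc/nginx default, and the sample configuration in make_sample_config are assumptions constructed for the demo, not a real deployment.

```sh
#!/bin/sh
# Added example (not from the F5 advisory or the original write-up).
# Inventories an NGINX host for exposure to the MP4 module flaw in two steps:
#   1. was the nginx binary built with --with-http_mp4_module at all?
#   2. which config files actually enable the `mp4` directive?
# Only locations that enable the directive run the MP4 code path, so the
# list from step 2 is what to review; step 1 alone is not exposure.

# Step 1: print yes/no for the nginx binary on PATH, or "unknown" when nginx
# is not installed here (for example on a config-only jump host).
mp4_module_compiled_in() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # `nginx -V` prints the configure arguments on stderr.
    if nginx -V 2>&1 | grep -q -- '--with-http_mp4_module'; then
        echo yes
    else
        echo no
    fi
}

# Step 2: print file:line:text for every active `mp4;` statement under a
# config directory. The pattern is anchored at line start, so lines that
# begin with '#' (commented-out directives) never match. Prints nothing and
# still succeeds when there are no hits or the directory does not exist.
find_mp4_directives() {
    grep -rnE '^[[:space:]]*mp4[[:space:]]*;' "$1" 2>/dev/null || true
}

# Number of active mp4 directives under a config directory.
count_mp4_directives() {
    find_mp4_directives "$1" | wc -l | tr -d ' '
}

# Constructed sample config for the demo; not a real deployment. The first
# location is the exposure the advisory describes (mp4 enabled on a publicly
# reachable path). The second shows the interim fix: directive removed and
# the path restricted to a trusted network until the patched build ships.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    cat > "$dir/conf.d/media.conf" <<'EOF'
server {
    listen 80;
    location /videos/ {
        root /srv/media;
        mp4;            # exposed: pseudo-streams any MP4 under /srv/media
        mp4_buffer_size 1m;
    }
    location /internal/ {
        root /srv/internal;
        # mp4;          # disabled until the patched release is rolled out
        allow 10.0.0.0/8;
        deny all;
    }
}
EOF
    echo "$dir"
}

# Usage:  sh nginx_mp4_inventory.sh demo         (self-contained demo)
#         sh nginx_mp4_inventory.sh /etc/nginx   (scan a real config tree)
report() {
    echo "mp4 module compiled in: $(mp4_module_compiled_in)"
    echo "active mp4 directives under $1:"
    find_mp4_directives "$1"
    echo "total: $(count_mp4_directives "$1")"
}

case "${1:-}" in
    demo) d=$(make_sample_config); report "$d"; rm -rf "$d" ;;
    "")   ;;    # no argument: only define the functions (sourced use)
    *)    report "$1" ;;
esac
```

The grep is a quick approximation that does not follow nginx's include graph; if a host has a complex layout, run the same pattern over the output of nginx -T, which dumps the full effective configuration after a syntax check. Treat every hit on an internet-facing location, or on a path where untrusted users can upload media, as a candidate for removing the directive until the fixed release is deployed.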

Pay2Key Expands to Linux: Ransomware-as-a-Service Targets Enterprise and Cloud Infrastructure

The ransomware group Pay2Key is now actively going after high-value Linux infrastructure, including enterprise servers, VMware ESXi hosts, and cloud workloads, rather than just traditional Windows endpoints. Originally known for fast, human-operated intrusions against Israeli and Brazilian organizations, the operation has resurfaced as a ransomware-as-a-service offering whose builder explicitly supports Linux, allowing affiliates to generate tailored payloads for data-rich platforms such as financial systems, SAP databases, and virtualization clusters. Multiple threat intelligence reports continue to tie Pay2Key to Iranian-backed actors and note that its recent activity coincides with broader geopolitical tensions and fresh incidents, including a Q1 2026 intrusion at a U.S. healthcare organization.

This evolution reflects a wider shift in the ransomware ecosystem toward "follow the data" targeting, where attackers prioritize the systems that concentrate critical business operations and computing power. By focusing on Linux servers, hypervisors, and cloud environments, Pay2Key can disrupt many applications at once: a single compromised ESXi host or core database server can cause outages across dozens of virtual machines or services. Cloud and DevOps stacks are particularly at risk because they rely on automation, service accounts, and container platforms that traditional endpoint tools protect poorly, which shortens the window defenders have once an attacker gains administrative access.

For security teams, the key takeaway is that Linux cannot be treated as a secondary concern in ransomware defense. Organizations should harden external access paths into Linux infrastructure, apply least privilege to admin and service accounts, and deploy Linux-aware controls capable of stopping ransomware execution early rather than only flagging encrypted files after the fact. It is equally important to segment virtualization and cloud management networks, restrict access to hypervisor and orchestration consoles, and regularly test backup restoration so that critical workloads can be recovered without paying if Pay2Key or a similar operation breaks through.

Iran-Aligned Hacktivists Amplify Propaganda Amid Limited On-the-Ground Impact in the Gulf

Iran-aligned hacktivists have dramatically increased their online activity since the start of the Iran war, but current evidence shows that their real-world impact in the Gulf remains limited and heavily inflated by propaganda. Researchers note a sharp rise in malicious email campaigns and public hacktivist claims, yet most operations either target softer, indirect victims or cannot be verified beyond social media posts and self-published "leaks." This gap between noise and measurable disruption has made Iran-linked hacktivism more of a psychological and reputational problem for regional organizations than a consistently operational one.

Nasir Security, for example, publicly claimed breaches of major Middle Eastern energy companies, including Dubai Petroleum, CC Energy, and Al Safi, positioning itself as a direct attacker of strategic oil and gas infrastructure. Independent analysis shows that Nasir actually went after supply-chain vendors that provide engineering, safety, and construction services, stole authentic project documents from those contractors, and then repackaged them as evidence of "compromise" at the primary energy firms. These real but misattributed leaks help sell the narrative of high-impact attacks, even though the underlying intrusions hit third parties and serve more as disinformation and intimidation than as genuine blows to national energy resilience. A practical check for any organization named in such a claim is to trace the leaked documents to their origin: material that belongs to a contractor points to a supplier compromise rather than a breach of the named firm.

Broader Iran-aligned hacktivist activity follows the same pattern. Groups such as 313 Team claim denial-of-service attacks and "defacements" against Gulf governments and military services, but public reporting points to only minor, short-lived disruptions and ambiguous attribution that often fails to match the hype in their channels. Analysts emphasize that the claim itself is part of the attack: these actors use Telegram, leak sites, and social media to create the impression that they are everywhere and constantly successful, forcing victims to manage a "fog of war" around reputation and public perception even when the technical impact is low. At the same time, the most concrete and destructive operations, such as those attributed to the Handala persona, are now tied in U.S. Department of Justice filings to Iran's Ministry of Intelligence and Security, reinforcing that the most capable "hacktivist" brands are in reality fronts for state-directed operations rather than independent grassroots actors.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
