CyberNews: 06/01/2026 Edition

Published by Dunateo on 2026-01-06

Today’s roundup

  • New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands
  • Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers
  • Critical 'MongoBleed' Bug Under Active Attack, Patch Now
  • Kimwolf botnet leverages residential proxies to hijack 2M+ Android devices
  • Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government
  • Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat
  • Cloud file-sharing sites targeted for corporate data theft attacks
  • VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSX
  • US broadband provider Brightspeed investigates breach claims
  • Ledger customers impacted by third-party Global-e data breach
Summary

A critical security vulnerability, CVE-2025-68668 with a CVSS score of 9.9, has been discovered in n8n, an open-source workflow automation platform. The flaw enables authenticated attackers to execute arbitrary system commands on the underlying host, posing a significant risk.

A critical path traversal vulnerability, CVE-2026-21440 (CVSS 9.2), has been found in the "@adonisjs/bodyparser" npm package for AdonisJS. This flaw could allow a remote attacker to write arbitrary files on the server, impacting application integrity.

A critical memory leak vulnerability, dubbed "MongoBleed," is under active exploitation, allowing unauthenticated attackers to extract sensitive data such as passwords and tokens from MongoDB servers. Immediate patching is crucial to prevent data compromise.

The Kimwolf Android botnet has compromised over 2 million Android devices, primarily through exposed ADB services and residential proxy networks. The botnet offers DDoS capabilities, proxy forwarding, and remote access, often utilizing pre-infected Android TV boxes.

The Russia-aligned threat actor UAC-0184 is targeting Ukrainian military and government entities. Attackers leverage the Viber messaging platform to deliver malicious ZIP archives for intelligence-gathering operations.

A new social engineering campaign, identified as PHALT#BLYX, is targeting the European hospitality sector. Fake booking emails redirect hotel staff to fake Windows Blue Screen of Death (BSoD) pages, delivering the DCRat remote access trojan.

The threat actor Zestix is actively breaching corporate ShareFile, Nextcloud, and OwnCloud instances. Stolen data from dozens of companies is subsequently offered for sale, indicating a trend of direct attacks against enterprise cloud services.

AI-powered Visual Studio Code (VS Code) forks, including Cursor and Windsurf, recommend non-existent extensions in the Open VSX registry. This creates a supply chain risk, as threat actors can claim these unclaimed namespaces and publish malicious packages under them.

Brightspeed, a major fiber broadband provider in the United States, is investigating claims made by the Crimson Collective extortion group regarding a security breach and data theft. The company is assessing the validity and scope of the alleged compromise.

Customers of crypto hardware wallet provider Ledger have had their personal data exposed following a breach at third-party payment processor Global-e. The incident impacts users who transacted through the compromised payment platform.

Vulnerabilities

CVE-2025-68668 (Critical)
CVE-2026-21440 (Critical)