Today’s roundup
Critical Juniper Networks PTX flaw allows full router takeover
Trend Micro warns of critical Apex One code execution flaws
UAT-10027 campaign hits U.S. education and healthcare with stealthy Dohdoor backdoor
U.S. CISA adds Cisco SD-WAN flaws to its Known Exploited Vulnerabilities catalog
Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM
European DIY chain ManoMano data breach impacts 38 million customers
12 Million exposed .env files reveal widespread security failures
Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown
Previously harmless Google API keys now expose Gemini AI data
Former Air Force officer arrested for conspiring with hacker to provide flight training to Chinese military
Summary
Juniper Networks issued an emergency patch for CVE-2026-21902, a critical (CVSS 9.3) remote code execution flaw in Junos OS Evolved on PTX Series routers. The vulnerability in the On-Box Anomaly Detection framework allows unauthenticated attackers to execute code as root, potentially leading to full device takeover.
Trend Micro addressed two critical remote code execution vulnerabilities (CVE-2025-71210, CVE-2025-71211, CVSS 9.8) in its Apex One management console, affecting Windows systems. These directory traversal issues allow remote attackers with console access to upload and execute malicious code, with patches released for on-premise deployments.
Cisco Talos identified UAT-10027, a new threat cluster deploying the stealthy Dohdoor backdoor against U.S. education and healthcare sectors since December 2025. The malware utilizes DNS-over-HTTPS via Cloudflare for resilient command-and-control, employs EDR evasion techniques, and is capable of deploying additional payloads like Cobalt Strike.
The U.S. CISA added two Cisco SD-WAN flaws, including the critical, actively exploited zero-day CVE-2026-20127 (CVSS 10.0), to its Known Exploited Vulnerabilities catalog. A sophisticated threat actor, UAT-8616, has exploited this authentication bypass since 2023 to gain full administrative access, and CISA has directed federal agencies to apply the patches.
Security researchers from MDSec disclosed a Windows 11 elevation of privilege vulnerability (CVE-2025-60710) related to the Microsoft Recall feature. The flaw, exploited by the MDSec red team in 2025, abused recursive file/folder deletion in the NT AUTHORITY\SYSTEM context due to a lack of junction/symlink checks. Microsoft has since issued a patch after an initial bypass was identified.
European DIY retail chain ManoMano has disclosed a data breach impacting 38 million customers. The incident, which exposed personal data, resulted from the compromise of a third-party service provider.
Mysterium VPN research revealed over 12 million IP addresses globally exposing publicly accessible .env configuration files. These misconfigurations lead to the direct leakage of sensitive information, including database credentials, API keys, and cloud tokens, with the United States showing the highest number of affected IPs.
A new botnet loader, Aeternum C2, has been discovered leveraging a blockchain-based command-and-control (C2) infrastructure on the Polygon network. Storing commands on a public blockchain is intended to make the botnet resilient to traditional takedown efforts, since there is no conventional C2 server for defenders to seize or sinkhole.
Security researchers discovered that Google API keys, previously considered benign when exposed in client-side code for services such as Maps, can now be exploited. These keys can authenticate to the Gemini AI assistant, potentially leading to the exposure of private user data.
A 65-year-old former U.S. Air Force officer, Gerald Eddie Brown, was arrested for allegedly conspiring with a hacker to provide combat aircraft training to the Chinese Air Force. The indictment states he lived in China for three years while engaged in this national security breach.