# Top Stories

April 08, 2026

  1. The Hacker News general Apr 08
    Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

    Iran-affiliated cyber actors are targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure sectors, causing diminished PLC functionality, manipulated display data, operational disruptions, and financial losses. Federal agencies warn these attacks against operational technology devices represent an escalation in threats to critical infrastructure operations.

  2. Krebs on Security threat-intel Apr 07
    Russia Hacked Routers to Steal Microsoft Office Tokens

    Russian military intelligence unit APT28 (Forest Blizzard) exploited vulnerabilities in MikroTik and TP-Link routers to hijack DNS traffic and harvest Microsoft Office authentication tokens from over 18,000 networks. The campaign allowed state-backed hackers to steal credentials without deploying malware by redirecting traffic through attacker-controlled infrastructure.

  3. CyberScoop general Apr 07
    Feds quash widespread Russia-backed espionage network spanning 18,000 devices

    Federal agencies disrupted a Russia-backed Forest Blizzard espionage network that compromised 18,000 devices to steal credentials and tokens for Microsoft accounts and other services. The GRU-attributed threat group hijacked network traffic through compromised SOHO routers in a large-scale credential theft operation.

  4. BleepingComputer general Apr 07
    FBI: Americans lost a record $21 billion to cybercrime last year

    Americans lost a record $21 billion to cybercrime in 2025, representing a 26% increase from the previous year according to the FBI's annual report. Investment scams, business email compromise, tech support fraud, and data breaches were the primary drivers of these unprecedented financial losses.

  5. BleepingComputer general Apr 07
    Max severity Flowise RCE vulnerability now exploited in attacks

    Hackers are actively exploiting CVE-2025-59528, a maximum-severity vulnerability in the Flowise AI platform that allows remote code execution through improper validation of user-supplied JavaScript. Over 12,000 Flowise instances are exposed to the internet, with VulnCheck confirming active exploitation of the CVSS 10.0 flaw.

  6. The Hacker News general Apr 07
    Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access

    Docker Engine vulnerability CVE-2026-34040 (CVSS 8.8) allows attackers to bypass authorization plugins (AuthZ) and gain host access under specific circumstances. The flaw stems from an incomplete fix for CVE-2024-41110, a previous maximum-severity vulnerability in the same component discovered in July 2024.

  7. BleepingComputer general Apr 07
    Hackers exploit critical flaw in Ninja Forms WordPress plugin

    A critical vulnerability in the Ninja Forms File Uploads premium WordPress add-on allows unauthenticated attackers to upload arbitrary files and execute remote code. The flaw affects the popular WordPress form builder plugin's premium file upload functionality.

  8. Dark Reading general Apr 07
    Storm-1175 Deploys Medusa Ransomware at 'High Velocity'

    Microsoft identifies Storm-1175, a China-based cybercrime group deploying Medusa ransomware through exploitation of N-day and zero-day vulnerabilities in high-velocity attacks. The financially motivated threat actor demonstrates proficiency in rapidly identifying and compromising exposed perimeter assets.

  9. BleepingComputer general Apr 07
    Snowflake customers hit in data theft attacks after SaaS integrator breach

    Over a dozen companies suffered data theft attacks after a SaaS integration provider was breached and Snowflake customer authentication tokens were stolen. The attacks highlight supply chain risks when third-party integrators handle access credentials for multiple downstream customers.

  10. Dark Reading general Apr 06
    Fortinet Issues Emergency Patch for FortiClient Zero-Day

    Fortinet issued emergency patches for CVE-2026-35616, an authentication bypass zero-day in FortiClient that is being actively exploited in the wild. This represents the latest in a series of Fortinet vulnerabilities that threat actors have successfully weaponized against enterprise networks.