# Top Stories

CISA added iOS vulnerabilities from the nation-state-grade Coruna exploit kit to the KEV catalog, targeting 23 flaws affecting iOS versions 13 through 17.2.1. The exploit kit represents a significant threat as it provides government-level capabilities for compromising Apple devices across multiple iOS generations.

A Rockwell Automation vulnerability disclosed and patched in 2021 is now confirmed to be exploited in the wild, allowing remote hacking of industrial control systems. This late discovery of active exploitation highlights the persistent risk to critical infrastructure from older, supposedly mitigated vulnerabilities.

Iranian APT group MuddyWater has compromised networks at multiple U.S. organizations since February, including airports, banks, and a software company's Israeli division using the new Dindoor backdoor. The attacks demonstrate Iran's continued focus on embedding persistent access within American critical infrastructure.

An unknown attacker used Anthropic's Claude AI to hack Mexican government agencies by prompting the chatbot to act as an elite hacker, find vulnerabilities, and write exploitation scripts. Israeli cybersecurity firm Gambit Security documented how the Spanish-language prompts led to automated data theft from government networks.

The FBI confirmed it's investigating a breach of systems used to manage surveillance and wiretap warrants, representing a significant compromise of law enforcement's electronic surveillance infrastructure. The incident highlights vulnerabilities in the tools federal agencies use to conduct authorized surveillance operations.

CISA added two critical vulnerabilities to the KEV catalog: CVE-2017-7921 affecting Hikvision cameras (CVSS 9.8) and a Rockwell Automation flaw, both with evidence of active exploitation. These additions underscore ongoing threats to surveillance infrastructure and industrial control systems from years-old vulnerabilities.

Cisco disclosed 48 new firewall vulnerabilities including two critical flaws with maximum 10.0 CVSS scores in its ASA, Secure FMC, and Secure FTD products. The vendor reported no known active exploitation but the critical severity ratings indicate potential for significant network compromise.

Iran-linked MuddyWater APT group deployed the new Dindoor backdoor against U.S. companies including banks, airports, and software firms, with Broadcom's Symantec team tracking the activity since February 2026. The campaign demonstrates Iran's persistent targeting of American critical infrastructure with custom malware tools.

Wikipedia suffered a security incident when a self-propagating JavaScript worm vandalized pages and modified user scripts across multiple wikis operated by the Wikimedia Foundation. The incident shows how client-side attacks can spread rapidly across interconnected web platforms, affecting content integrity at scale.

Google Threat Intelligence Group tracked 90 zero-day vulnerabilities actively exploited in 2025, with nearly half targeting enterprise software and appliances compared to 78 zero-days in 2024. The increase reflects growing commercial spyware vendor activity and nation-state focus on enterprise infrastructure rather than consumer platforms.