🚨 CISA KEV 1[−]
20 Feb KEVCISA Adds Two Known Exploited Vulnerabilities to CatalogCISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog , based on evidence of active exploitation. CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerabi…CISA.GOV
🐛 COMMON VULNERABILITIES AND EXPOSURES 6[−]
20 Feb KEVCISA Orders Emergency Patch for Actively Exploited Dell Flaw;CISA Orders Emergency Patch for Actively Exploited Dell Flaw; Texas Sues TP-Link; Massive ID Verification Data Leak; SSA Database Leak Allegations Host Jim Love covers four cybersecurity stories: Cybersecurity Today would like to thank Meter for their support in bringing you this…CYBERSECURITYTODAY.LIBSYN.COM
20 FebBeyondTrust Flaw Used for Web Shells, Backdoors, and Data ExfiltrationThreat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products to conduct a wide range of malicious actions, including deploying VShell and The vulnerability, trac…THEHACKERNEWS.COM
20 FebCVE-2024-20328 ClamAV VirusEvent File Processing Command Injection VulnerabilityInformation published.MSRC.MICROSOFT.COM
20 FebChromium: CVE-2026-2649 Integer overflow in V8This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024 ) for more information.MSRC.MICROSOFT.COM
20 FebChromium: CVE-2026-2648 Heap buffer overflow in PDFiumThis CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024 ) for more information.MSRC.MICROSOFT.COM
20 FebChromium: CVE-2026-2650 Heap buffer overflow in MediaThis CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024 ) for more information.MSRC.MICROSOFT.COM
⚠️ VULNERABILITY DISCLOSURE 7[−]
20 FebCline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer SystemsIn yet another software supply chain attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to stealthily install OpenClaw, a self-hosted autonomous AI agent that has become exceedingly popular in the past few months. "On February 17,…THEHACKERNEWS.COM
20 FebClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT MalwareCybersecurity researchers have disclosed details of a new ClickFix campaign that abuses compromised legitimate sites to deliver a previously undocumented remote access trojan (RAT) called MIMICRAT (aka AstarionRAT). "The campaign demonstrates a high level of operational sophistic…THEHACKERNEWS.COM
20 FebUkrainian man jailed for identity theft that helped North Koreans get jobs at US companiesA Ukrainian man has been sentenced for helping North Koreans gain fraudulent employment at dozens of U.S. companies and funnel that money back to the regime to fund its nuclear weapons program.TECHCRUNCH.COM
20 FebSpanish police say they have arrested hacker who booked luxury hotel rooms for just one centSpain's police force has announced that it has arrested a 20-year-old man who they claim managed to book luxury hotel rooms worth up to €1,000 a night for just one euro cent. Read more in my article on the Hot for Security blog.BITDEFENDER.COM
20 FebCarMax - 431,371 breached accountsIn January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt . The data included 431k unique email addresses along with names, phone numbers and physical addresses.HAVEIBEENPWNED.COM
20 FebCyberRiskTV Live Coverage from Zero Trust World 2026 - Day 1CyberRisk TV is broadcasting live from Zero Trust World 2026 in Orlando, Florida! Join us Wednesday, March 4 for exclusive interviews with cybersecurity leaders, actionable insights, and the latest thinking from practitioners shaping the future of modern cyber defense from one of…YOUTUBE.COM
20 FebUsing threat modeling and prompt injection to audit CometBefore launching their Comet browser, Perplexity hired us to test the security of their AI-powered browsing features. Using adversarial testing guided by our TRAIL threat model, we demonstrated how four prompt injection techniques could extract users’ private information fr…TRAILOFBITS.COM
📢 SECURITY ADVISORIES 1[−]
20 FebRisky Biz Soap Box: The lethal trifecta of AI risksThere’s a lethal trifecta of AI risks: access to private data, exposure to untrusted content, and external communication. In this conversation, Risky Business host Patrick Gray chats with Josh Devon, the co-founder of Sondera, about how to best address these risks. There is no ma…RISKY.BIZ
🔥 INCIDENT REPORTING 3[−]
20 FebIdentity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026With one in three cyber-attacks now involving compromised employee accounts, insurers and regulators are placing far greater emphasis on identity posture when assessing cyber risk. For many organizations, however, these assessments remain largely opaque. Elements such as pa…THEHACKERNEWS.COM
20 FebFBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025The U.S. Federal Bureau of Investigation (FBI) has warned of an increase in ATM jackpotting incidents across the country, leading to losses of more than $20 million in 2025. The agency said 1,900 ATM jackpotting incidents have been reported since 2020, out of which 700 took place…THEHACKERNEWS.COM
20 FebHow To Recall An Email In OutlookIndependent research shows that 91% of organizations have experienced outbound email security incidents in their Microsoft 365 environments. Human error is the primary cause of these incidents, whether that's adding an incorrect recipient, attaching the wrong file, or forgetting …KNOWBE4.COM
🕵️ THREAT INTELLIGENCE 7[−]
20 FebFriday Squid Blogging: Squid CartoonI like this one . As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.SCHNEIER.COM
20 FebRing Cancels Its Partnership with FlockIt’s a demonstration of how toxic the surveillance-tech company Flock has become when Amazon’s Ring cancels the partnership between the two companies. As Hamilton Nolan advises, remove your Ring doorbell.SCHNEIER.COM
20 FebUkrainian National Sentenced to 5 Years in North Korea IT Worker Fraud CaseA 29-year-old Ukrainian national has been sentenced to five years in prison in the U.S. for his role in facilitating North Korea's fraudulent information technology (IT) worker scheme. In November 2025, Oleksandr "Alexander" Didenko pleaded guilty to wire fraud conspiracy and agg…THEHACKERNEWS.COM
20 FebHumans Will Give AI Anything If You Make It Sound Cool EnoughThere's a beautiful moment happening right now, and by "beautiful" I mean "horrifying in that can't-look-away-from-the-car-crash sense”.KNOWBE4.COM
20 FebGoogle's App Store: Hidden RisksGoogle blocked over 255,000 apps and banned 80,000 developer accounts for policy violations. Despite these efforts, the potential for undetected threats remains a concern. How can app stores ensure comprehensive security against malicious apps? Subscribe to our podcasts: https://…YOUTUBE.COM
20 FebOff-Topic Fridaysubmitted by shellsharks to cybersecurity 2 points | 0 comments Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)INFOSEC.PUB
20 FebCyberRiskTV Live Coverage from Zero Trust World 2026 - Day 2CyberRisk TV is broadcasting live from Zero Trust World 2026 in Orlando, Florida! Join us Thursday, March 5 for exclusive interviews with cybersecurity leaders, actionable insights, and the latest thinking from practitioners shaping the future of modern cyber defense from one of …YOUTUBE.COM
📡 INFOSEC NEWS 2[−]
20 Feb‘Starkiller’ Phishing Service Proxies Real Login Pages, MFAMost phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitf…KREBSONSECURITY.COM
20 FebFormer Google Engineers Indicted Over Trade Secret Transfers to IranTwo former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her hu…THEHACKERNEWS.COM