A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of a full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on designed to extend the functionality of the popular Advanced Custom Fields ecosystem. An advisory issued about the flaw assigns a severity rating of 9.8, emphasizing the serious impact it can have if exploited.

Unauthenticated Privilege Escalation Threatens WordPress Sites

The vulnerability could allow unauthenticated attackers to register new user accounts with administrator-level privileges, potentially giving them complete control over affected WordPress sites. Since no prior access or compromised credentials are needed, the exposure is far higher than with typical privilege escalation flaws that require existing user permissions. Any site running a vulnerable version of the plugin with certain configurations in place could be targeted by attackers anywhere on the internet.

The Advanced Custom Fields: Extended plugin is widely used by WordPress developers and site owners to enhance how custom fields operate. As an ACF add-on plugin, it provides tools for managing front-end forms, creating options pages, defining custom post types and taxonomies, and customizing the WordPress admin interface.

How the ACF Add-on Plugin Flaw Works

The issue is a privilege escalation vulnerability caused by missing role restrictions during user registration. Specifically, the plugin’s insert_user function does not enforce limits on which WordPress roles can be assigned when a new account is created. Under normal circumstances, WordPress strictly controls role assignment during registration to prevent unauthorized privilege elevation. In this case, that safeguard was bypassed.

Exploitation requires that the site uses a front-end form provided by the plugin, and that the form maps a custom field directly to the WordPress user role. When this configuration exists, the plugin accepts the submitted role value without verifying whether it is permitted. Essentially, the plugin relied on the HTML form to restrict role selection, without performing proper server-side validation.

For example, a developer might configure a registration form to display only the “subscriber” role. However, an attacker could inspect the form’s HTML, intercept the HTTP request, and modify the submitted value from role=subscriber to role=administrator. The plugin would then pass this value directly to WordPress’s user creation functions without validation, granting full administrator access.

The plugin changelog confirms that these issues have been addressed. Fixes include:
- “Enforced front-end fields validation against their respective ‘Choices’ settings.”
- “Module: Forms – Added security measure for forms allowing user role selection.”

These updates introduce stronger server-side protections and improve validation for front-end forms, especially when user role selection is involved.

If exploited, attackers can install or modify plugins and themes, inject malicious code, create backdoor administrator accounts, steal or manipulate site data, redirect visitors, or distribute malware. In effect, this represents a complete WordPress site takeover.

Patches, Updates, and Steps for Site Owners

The vulnerability affects all versions up to and including 0.9.2.1. It has been patched in version 0.9.2.2, which introduces multiple validation hooks and enhanced security checks for front-end forms and user role handling. Notable updates in the changelog include:
- Module: Forms – Enforced front-end fields validation against their respective ‘Choices’ settings
- Module: Forms – Added security measure for forms allowing user role selection
- Module: Forms – Added acfe/form/validate_value hook to validate fields individually on the front
- Module: Forms – Added acfe/form/pre_validate_value hook to bypass enforced validation

Site owners using this ACF add-on plugin should update immediately to the latest version. If an update is not feasible, disabling the plugin until the patch can be applied is strongly recommended.

Given the severity of the flaw, the lack of authentication required to exploit it, and evidence of active exploitation, any delay leaves WordPress sites exposed to complete compromise.
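To make the advisory’s point concrete, here is an added example in plain PHP; it is not the plugin’s own code and not the fix shipped in 0.9.2.2. It places a registration handler that trusts the browser-supplied role beside one that validates the value server-side against the role choices the site developer configured. The function names, the FORM_ROLE_CHOICES allow-list, and the request data are assumptions made for the example; in a real plugin the returned array would be handed to WordPress’s wp_insert_user().

```php
<?php
// Added example, not code from the ACF: Extended plugin. It shows the class of
// defect the advisory describes (trusting the role value the browser submits)
// next to a server-side allow-list check. Function names, the choices array and
// the request data are constructed for this example.

declare(strict_types=1);

// Role choices the developer configured for this form. Only one option is ever
// rendered to visitors, but that HTML is not a security control. (Constructed.)
const FORM_ROLE_CHOICES = ['subscriber'];
const SITE_DEFAULT_ROLE = 'subscriber';

/**
 * Vulnerable pattern: whatever arrived in the request is used as the role.
 * The <select> only offers "subscriber", yet nothing stops a client from
 * submitting any other value.
 */
function resolve_role_unvalidated(array $request): string
{
    return (string) ($request['role'] ?? SITE_DEFAULT_ROLE);
}

/**
 * Hardened pattern: the submitted role must be one of the configured choices.
 * An empty value falls back to the site default; any other value outside the
 * allow-list yields null, which the caller treats as a validation failure.
 * in_array() is called in strict mode to avoid loose-comparison surprises.
 */
function resolve_role_validated(array $request, array $choices, string $default): ?string
{
    $submitted = strtolower(trim((string) ($request['role'] ?? '')));
    if ($submitted === '') {
        return $default;
    }
    if (!in_array($submitted, $choices, true)) {
        return null;
    }
    return $submitted;
}

/**
 * Builds the $userdata array a plugin would pass to wp_insert_user(). Kept free
 * of WordPress calls so the file runs under plain PHP; a null return means the
 * form submission should be rejected rather than creating any account.
 */
function build_userdata(array $request, bool $hardened): ?array
{
    $role = $hardened
        ? resolve_role_validated($request, FORM_ROLE_CHOICES, SITE_DEFAULT_ROLE)
        : resolve_role_unvalidated($request);
    if ($role === null) {
        return null;
    }
    return [
        'user_login' => (string) ($request['user_login'] ?? ''),
        'user_email' => (string) ($request['user_email'] ?? ''),
        'role'       => $role,
    ];
}

// Constructed request: the form displayed "subscriber", but the POST body was
// altered in transit to ask for "administrator".
$tampered = [
    'user_login' => 'demo',
    'user_email' => 'demo@example.invalid',
    'role'       => 'administrator',
];

$before = build_userdata($tampered, false);
$after  = build_userdata($tampered, true);

printf("unvalidated handler would create an account with role: %s\n", $before['role']);
printf("validated handler result: %s\n", $after === null ? 'submission rejected' : $after['role']);
```

Run it with the php command-line binary. The design point is that the allow-list lives on the server and is derived from the form configuration, never from the HTML the browser renders; a value outside the list is rejected outright rather than silently remapped, so a tampered request fails validation and the default role is applied only when no role was submitted at all. The changelog names an acfe/form/validate_value hook for validating fields individually on the front end; per-field logic of this kind is what such a hook exists for.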
Just weeks after Australia rolled out the world’s first nationwide social media ban for children under 16, the British government has signaled it may follow a similar path. On Monday, Prime Minister Keir Starmer said the UK is considering a social media ban for children aged 15 and under, warning that “no option is off the table” as ministers confront growing concerns about young people’s online wellbeing.

The move places the British government’s proposed social media ban at the center of a broader national debate about the role of technology in childhood. Officials said they are studying a wide range of measures, including tougher age checks, phone curfews, restrictions on addictive platform features, and potentially raising the digital age of consent.

UK Explores Stricter Limits on Children’s Social Media Use

In a Substack post on Tuesday, Starmer said that for many children, social media has become “a world of endless scrolling, anxiety and comparison.” “Being a child should not be about constant judgement from strangers or the pressure to perform for likes,” he wrote.

Alongside the possible ban, the government has launched a formal consultation on children’s use of technology. The review will examine whether a social media ban for children would be effective and, if introduced, how it could be enforced. Ministers will also look at improving age assurance technology and limiting design features such as “infinite scrolling” and “streaks,” which officials say encourage compulsive use. The consultation will be backed by a nationwide conversation with parents, young people, and civil society groups. The government said it would respond to the consultation in the summer.

Learning from Australia’s Unprecedented Move

British ministers are set to visit Australia to “learn first-hand from their approach,” referencing Canberra’s decision to ban social media for children under 16. The Australian law, which took effect on December 10, requires platforms such as Instagram, Facebook, X, Snapchat, TikTok, Reddit, Twitch, Kick, Threads, and YouTube to block underage users or face fines of up to AU$32 million.

Prime Minister Anthony Albanese made clear why his government acted. “Social media is doing harm to our kids, and I’m calling time on it,” he said. “I’ve spoken to thousands of parents… they’re worried sick about the safety of our kids online, and I want Australian families to know that the Government has your back.” Parents and children are not penalized under the Australian rules; enforcement targets technology companies.

Early figures suggest significant impact. Australia’s eSafety Commissioner Julie Inman-Grant said 4.7 million social media accounts were deactivated in the first week of the policy. To put that in context, there are about 2.5 million Australians aged eight to 15. “This is exactly what we hoped for and expected: early wins through focused deactivations,” she said, adding that “absolute perfection is not a realistic goal,” but the law aims to delay exposure, reduce harm, and set a clear social norm.

UK Consultation and School Phone Bans

The UK’s proposals go beyond a possible social media ban. The government said it will examine raising the digital age of consent, introducing phone curfews, and restricting addictive platform features. It also announced tougher guidance for schools, making it clear that pupils should not have access to mobile phones during lessons, breaks, or lunch. Ofsted inspectors will now check whether mobile phone bans are properly enforced during school inspections. Schools struggling to implement bans will receive one-to-one support from Attendance and Behaviour Hub schools.

Although nearly all UK schools already have phone policies—99.9% of primary schools and 90% of secondary schools—58% of secondary pupils reported phones being used without permission in some lessons. Education Secretary Bridget Phillipson said: “Mobile phones have no place in schools. No ifs, no buts.”

Building on Existing Online Safety Laws

Technology Secretary Liz Kendall said the government is prepared to take further action beyond the Online Safety Act. “These laws were never meant to be the end point, and we know parents still have serious concerns,” she said. “We are determined to ensure technology enriches children’s lives, not harms them.”

The Online Safety Act has already introduced age checks for adult sites and strengthened rules around harmful content. The government said the share of children encountering age checks online has risen from 30% to 47%, and 58% of parents believe the measures are improving safety. The proposed British government social media ban would build on this framework, focusing on features that drive excessive use regardless of content.

Officials said evidence from around the world will be examined as they consider whether a UK-wide social media ban for children could work in practice. As Australia’s experience begins to unfold, the UK is positioning itself to decide whether similar restrictions could reshape how children engage with digital platforms. The consultation marks the start of what ministers describe as a long-term effort to ensure young people develop a healthier relationship with technology.
The UK’s National Cyber Security Centre (NCSC) has issued a fresh alert warning that Russian-aligned hacktivist groups continue to target British organisations with disruptive cyberattacks. The advisory, published on 19 January 2026, highlights a sustained campaign aimed at taking websites offline, disrupting online services, and disabling critical systems, particularly across local government and national infrastructure.

The NCSC warning on hacktivist attacks urges organisations to strengthen their defences against denial-of-service (DoS) incidents, which, while often low in technical sophistication, can still cause widespread operational disruption. Officials say the activity is ideologically driven, reflecting geopolitical tensions linked to Western support for Ukraine, rather than financial motivations.

Persistent Threat from Russian-Aligned Hacktivist Groups

According to the NCSC, Russian-aligned hacktivist groups have been conducting cyber operations against UK and global organisations for several years, with activity intensifying since the Russian invasion of Ukraine. In December 2025, the NCSC co-sealed an international advisory warning that pro-Russian hacktivists were targeting government and private sector entities in NATO member states and other European countries perceived as hostile to Russia’s geopolitical interests.

One group named in the advisory, NoName057(16), has been active since March 2022 and has repeatedly launched distributed denial-of-service (DDoS) attacks against public and private sector organisations. The group has targeted government bodies and businesses across Europe, including frequent DDoS attempts against UK local government services. NoName057(16) primarily operates through Telegram channels and has used GitHub and other repositories to host its proprietary DDoS tool, known as DDoSia. The group has also shared tactics, techniques, and procedures (TTPs) with followers to encourage participation in coordinated disruption campaigns.

The NCSC said this activity reflects an evolution in the threat landscape, with attacks increasingly extending beyond traditional IT systems to include operational technology (OT) environments. As a result, the agency is encouraging all OT owners to review mitigation measures and harden their cyber defences.

NCSC Warning on Hacktivist Attacks and Resilience Measures

The NCSC warning on hacktivist attacks stresses that organisations, particularly local authorities and operators of critical national infrastructure, should review their DoS protections and improve resilience. While DoS attacks are often technically simple, a successful incident can overwhelm key websites and online systems, preventing access to essential services and causing significant operational and financial strain.

NCSC Director of National Resilience Jonathon Ellison said: “We continue to see Russian-aligned hacktivist groups targeting UK organisations and although denial-of-service attacks may be technically simple, their impact can be significant. By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day.” He urged organisations to act quickly by reviewing and implementing the NCSC’s guidance to protect against DoS attacks and related cyber threats.

Guidance to Mitigate Denial-of-Service Attacks

As part of its advisory, the NCSC outlined practical steps organisations can take to reduce their exposure to DoS incidents. These include understanding where services may be vulnerable to resource exhaustion and clarifying whether responsibility for protection lies with internal teams or third-party suppliers.

Organisations are encouraged to strengthen upstream defences by working closely with internet service providers and cloud vendors. The NCSC recommends understanding the DoS mitigations already in place, exploring third-party DDoS protection services, deploying content delivery networks for web-based platforms, and considering multiple service providers for critical functions. The agency also advises building systems that can scale rapidly during an attack. Cloud-native applications can be automatically scaled using provider APIs, while private data centres can deploy modern virtualisation, provided spare capacity is available.

Preparing for and Responding to Attacks

The advisory highlights the importance of a clear response plan that allows services to continue operating, even in a degraded state. Recommended measures include graceful degradation, retaining administrative access during an attack, adapting to changing attacker tactics, and maintaining scalable fallback options for essential services.

Testing and monitoring are also central to resilience. The NCSC encourages organisations to test their defences to understand the volume and types of attacks they can withstand, and to deploy monitoring tools that can detect incidents early and support real-time analysis.

Broader Context and Ongoing Threat

This is not the first time the NCSC has called out malicious activity from Russian-aligned groups. In 2023, it warned of heightened risks from state-aligned adversaries following Russia’s invasion of Ukraine. The agency says the latest activity remains ideologically motivated and is carried out outside direct state control. Organisations are also being encouraged to engage with the NCSC’s heightened cyber threat reporting and information-sharing channels. Officials say building resilience now is critical as Russian-aligned hacktivist groups continue to test the UK’s digital infrastructure through persistent and disruptive campaigns.
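As an added illustration of the testing and monitoring step (example code written for this page, not material from the NCSC advisory), the PHP script below buckets web-server access-log lines per minute and raises an alert whenever a minute exceeds a request threshold, reporting the top sources and the share of 5xx responses so an operator can tell a surge apart from a service that is already failing. The log lines, the threshold of 5 requests per minute, and the function names are constructed for the example; a production threshold would come from the baseline measured during the load testing the advisory recommends.

```php
<?php
// Added example, not part of the NCSC advisory: a minimal request-rate monitor
// over Common Log Format access-log lines. The log lines, threshold and
// function names are constructed for this illustration.

declare(strict_types=1);

// Constructed log: a quiet first minute, then a burst from a few sources that
// starts pushing the server into 503 responses.
const SAMPLE_LOG = <<<'LOG'
198.51.100.10 - - [19/Jan/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.11 - - [19/Jan/2026:10:00:07 +0000] "GET /services HTTP/1.1" 200 8210
198.51.100.10 - - [19/Jan/2026:10:00:31 +0000] "GET /contact HTTP/1.1" 200 3012
203.0.113.5 - - [19/Jan/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [19/Jan/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [19/Jan/2026:10:01:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.6 - - [19/Jan/2026:10:01:03 +0000] "GET /search?q=a HTTP/1.1" 503 0
203.0.113.6 - - [19/Jan/2026:10:01:04 +0000] "GET /search?q=b HTTP/1.1" 503 0
203.0.113.5 - - [19/Jan/2026:10:01:04 +0000] "GET / HTTP/1.1" 503 0
203.0.113.7 - - [19/Jan/2026:10:01:05 +0000] "GET / HTTP/1.1" 503 0
203.0.113.5 - - [19/Jan/2026:10:01:05 +0000] "GET / HTTP/1.1" 503 0
198.51.100.10 - - [19/Jan/2026:10:01:09 +0000] "GET /services HTTP/1.1" 503 0
LOG;

/** Parses one CLF line into ['ip', 'minute', 'status'], or null if it does not match. */
function parse_clf_line(string $line): ?array
{
    // Fields: client ip, ident, user, [timestamp], "request", status, size
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+/', $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'minute' => intdiv($ts->getTimestamp(), 60), 'status' => (int) $m[3]];
}

/**
 * Groups requests into one-minute buckets and returns an alert for every
 * minute whose request count exceeds $threshold. Each alert carries the top
 * $topN sources and the fraction of 5xx responses in that minute.
 */
function detect_request_floods(string $log, int $threshold, int $topN = 3): array
{
    $perMinute = [];   // minute => ['total' => n, 'errors' => n, 'sources' => [ip => n]]
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_clf_line($line);
        if ($rec === null) {
            continue;   // unparseable line: skip rather than abort monitoring
        }
        $bucket = &$perMinute[$rec['minute']];
        $bucket['total']  = ($bucket['total'] ?? 0) + 1;
        $bucket['errors'] = ($bucket['errors'] ?? 0) + ($rec['status'] >= 500 ? 1 : 0);
        $bucket['sources'][$rec['ip']] = ($bucket['sources'][$rec['ip']] ?? 0) + 1;
        unset($bucket);
    }

    $alerts = [];
    ksort($perMinute);
    foreach ($perMinute as $minute => $b) {
        if ($b['total'] <= $threshold) {
            continue;
        }
        arsort($b['sources']);   // busiest sources first
        $alerts[] = [
            'minute_utc'  => gmdate('Y-m-d H:i', $minute * 60),
            'requests'    => $b['total'],
            'error_rate'  => round($b['errors'] / $b['total'], 2),
            'top_sources' => array_slice($b['sources'], 0, $topN, true),
        ];
    }
    return $alerts;
}

foreach (detect_request_floods(SAMPLE_LOG, 5) as $alert) {
    printf(
        "%s UTC: %d requests, 5xx rate %.2f, top sources: %s\n",
        $alert['minute_utc'],
        $alert['requests'],
        $alert['error_rate'],
        json_encode($alert['top_sources'])
    );
}
```

Run it with the php command-line binary; in practice the same logic would be fed by a log shipper or a tail of the live access log rather than a constant. Reporting the 5xx share next to the request count is deliberate: a rising request count with a healthy error rate is a capacity question for the scaling measures described above, whereas a rising error rate is the signal that graceful degradation and the response plan need to kick in.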
Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and carry out ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks.

HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces.

Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to the GRU.

Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotage thousands of servers, and disrupt airline systems, a breach that was confirmed by Russia’s General Prosecutor.

Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below).

[Chart: Hacktivist attacks by country in 2025 (Cyble)]

Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate sectors also saw increasing attack numbers.

“Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.
Europe’s long-running conversation about digital autonomy quietly crossed a milestone with the launch of a new public vulnerability platform. The EU Vulnerability Database, created under the GCVE initiative, is now live. This signals a deliberate shift in how software weaknesses are identified, cataloged, and shared across Europe.

The GCVE project, short for Global Cybersecurity Vulnerability Enumeration, has delivered a free, publicly accessible platform at db.gcve.eu. The primary objective of the platform is to reduce reliance on U.S.-centric vulnerability infrastructure and enhance Europe’s digital sovereignty.

Why GCVE Emerged When It Did

The immediate catalyst was a brief but impactful scare surrounding the possible discontinuation of the Common Vulnerabilities and Exposures (CVE) program in 2025. Even though the CVE system has long been treated as a foundational layer of global cybersecurity, the mere risk of interruption exposed how fragile that assumption really was. Across Europe, the incident prompted vendors, researchers, and policymakers to ask an uncomfortable question: what happens if the numbering system everyone depends on suddenly becomes unavailable or constrained?

GCVE formed in response, not as a rejection of CVE, but as a hedge against single-point dependency. The EU vulnerability database is the practical outcome of that realization, offering an alternative that is structurally decentralized rather than centrally approved.

A Decentralized Model by Design

Unlike traditional models, where vulnerability identifiers are assigned through a central authority, GCVE operates using a Global Numbering Authority (GNA) framework. This allows participating organizations to assign and publish vulnerability identifiers autonomously. There is no waiting period for central approval and no bottleneck that can stall disclosure during critical response windows.

The platform aggregates data from more than 25 distinct sources, including public vulnerability directories and GNA contributors. All incoming data is normalized, structured, and indexed, so it can be searched consistently across ecosystems. In practical terms, this means a vulnerability disclosed through GitHub Security Advisories, a national CERT, or another recognized directory can coexist in a single EU vulnerability database without losing context or traceability.

What the Database Actually Shows

The Cyber Express team analyzed the platform and found that the GCVE dashboard reveals how broad that aggregation already is. Recent activity lists vulnerabilities from multiple origins, including GitHub advisories such as GHSA-QHWV-3XRQ-PJMJ, GHSA-M2W5-7XHV-W6FH, GHSA-X439-WRMP-CJ57, and dozens more. Alongside them appear traditional identifiers like CVE-2025-14559, CVE-2026-1035, and CVE-2026-24026 through CVE-2026-24020, pulled from cvelistv5 sources.

[Image: EU vulnerability database dashboard (Source: GCVE)]

The dashboard tracks more than identifiers. Weekly observations, comments, bundles, known exploited vulnerabilities (KEV), sightings, and even “ghost CVEs” are surfaced to show how issues evolve after disclosure. A rolling, month-long evolution view highlights how frequently vulnerabilities are seen, confirmed, exploited, or accompanied by proof-of-concept code.

Concrete examples illustrate the breadth of historical and current coverage. Widely known issues like CVE-2021-44228 (Log4Shell), CVE-2019-19781, CVE-2018-13379, and CVE-2017-17215 appear alongside recent entries such as CVE-2025-14847, CVE-2025-55182, CVE-2025-68613, and CVE-2025-59374. Older vulnerabilities, CVE-2015-2051 or CVE-2017-18368, sit next to newly published 2026 identifiers, reinforcing that the EU vulnerability database is designed for continuity, not just novelty.

Integration Over Isolation

GCVE’s architects appear keenly aware that a database alone does not change behavior. To that end, the platform exposes an open API intended for direct integration into compliance tooling, risk management platforms, and security operations workflows. This matters for Europe’s computer security incident response teams, software vendors, researchers, and open-source maintainers, who often juggle multiple data feeds just to maintain situational awareness.

By consolidating vulnerability intelligence without enforcing a single authority, GCVE positions itself as connective tissue rather than a replacement organ. The model assumes coexistence with existing systems while ensuring Europe retains the ability to operate independently if needed.
By Suresh Kanniappan, Sales Head, Infrastructure Management and Security Services, US at Happiest Minds

Let’s revisit the recent ransomware attack that hit one of the biggest hospital networks in the US. The cyberattack shut down surgeries, made patients' records unavailable, and forced emergency departments to divert incoming cases. Unfortunately, this is not an isolated story. Throughout 2025, healthcare organisations have faced a growing wave of cyber threats, highlighting the urgent need for cyber resilience in healthcare. The scale and precision of cyber threats have increased manifold, with impacts extending far beyond data breaches: disrupting care, delaying diagnoses, and even shaking the very foundation of patient trust.

Why Has Cyber Resilience in Healthcare Become More Critical Than Ever?

A recent report released by the U.S. Department of Health and Human Services found that more than 133 million patient records were compromised in the first half of 2025, the highest number to date. More concerning is the impact of ransomware attacks, which have grown 3X, affecting everything from electronic health record systems to connected diagnostic equipment. All these incidents have had a significant impact on human life: surgeries were postponed, families were afraid of what would come next, and clinicians had no access to vital data when it was needed most. These were not just operational challenges; they were an alarm for all healthcare systems that building strong resilience is essential in today's highly connected digital world.

What we need to understand is clear: cybersecurity in healthcare is no longer about prevention alone; it is about resilience, recovery, and readiness. So, what must the healthcare industry focus on in 2026 and beyond?

Zero Trust to Replace the Perimeter: Zero Trust security is already in place, but how effectively it has been implemented still needs to be verified. Zero Trust will continue to be the backbone of every industry, ensuring every user, every device, and every access is verified without exception. It is not just about restricting access; it is about knowing who has access to what and granting permission to the right people for the right requirements.

AI Will Redefine Defense: AI has become an integral part of our lives; it is reshaping both cyber-attacks and defense. Cyber adversaries are using AI to create personalized phishing attacks, exploit unpatched devices, and steal data and credentials at a pace humans can't match. The advice for healthcare experts is to implement AI as a new defense engine, deploying AI-driven threat analytics, automated response workflows, and continuous monitoring to spot and contain threats in real time. This will help healthcare security teams protect data and clinical operations much faster and with higher precision.

Supply Chain Vigilance to Be Stepped Up: Many of the breaches of the past year did not happen within the boundaries of the hospitals but came through third-party vendors, devices, and software. It is time for healthcare providers to scrutinize every vendor and to enforce real-time risk monitoring, contractual accountability, and shared visibility across the entire healthcare value chain. They need to put strong security in place to ensure resiliency.

Regulations Will Drive Accountability: Global regulators are strengthening mandates around healthcare data protection, breach reporting, and AI transparency. In the coming year, leadership involvement in cybersecurity governance will need to be stronger. Boards and CXOs will need to give digital safety the same priority as patient safety. Compliance will become an ongoing practice of accountability rather than just an annual paperwork exercise.

Role of the Leaders: Strategic Priorities of Healthcare Leaders

Redefining Cyber Resilience as a Leadership Imperative: The need of the hour is resilience, and it should start with top management itself, fostering leadership commitment and shared responsibility, bringing in a positive mindset, and investing in better cybersecurity tools and service providers that enable patient safety.

Empower People, Not Just Systems: Resilience is not built by technology alone; it has to be instilled within us, and human awareness is the best barrier. Each staff member, from front-end IT administrators to nurses, is an integral part of ensuring the organization's integrity and patients' safety. Periodically conducting simulations, awareness campaigns, and real-world readiness drills will be necessary to make security a shared responsibility rather than an isolated function.

Establish a Culture of Collaboration: Threats don’t operate in isolation, and neither should our defense. Leaders must champion collaboration across hospitals, vendors, industry groups, and public-sector bodies. Proactive threat intelligence sharing and coordinated response frameworks enable healthcare organizations to anticipate disruptions rather than merely react. True resilience is never built in isolation; rather, it is forged through partnership.

The Way Forward: Resilience as the Heartbeat of Healthcare

Healthcare no longer remains confined to hospital premises. It has gone far beyond the walls of any hospital. Every network and every device that carries the patient's record or clinical data must be protected in today's connected world. It is about constant trust rather than a one-time effort or technical achievement. Being resilient, even in the face of system failure, without compromising patient care, is vital.

As for 2026, organizations will have to balance innovation with integrity and treat cybersecurity not just as a compliance checklist but as a shared responsibility to prioritize patient health and data. Integrating AI into cybersecurity practice will further help strengthen threat detection and response by identifying threats and containing them even before they strike. The future of health is not defined by how sophisticated AI will become but by how well it is integrated into every layer of care. Resilience will come from AI-powered systems that protect patient data, strengthen clinical operations, and make sure the promise of technology truly supports the promise of healing.
A newly discovered vulnerability named WhisperPair can turn Bluetooth headphones and headsets from many well-known brands into personal tracking beacons — regardless of whether the accessories are currently connected to an iPhone, Android smartphone, or even a laptop. Even though the technology behind this flaw was originally developed by Google for Android devices, the tracking risks are actually much higher for those using vulnerable headsets with other operating systems — like iOS, macOS, Windows, or Linux. For iPhone owners, this is especially concerning.

Connecting Bluetooth headphones to Android smartphones became a whole lot faster when Google rolled out Fast Pair, a technology now used by dozens of accessory manufacturers. To pair a new headset, you just turn it on and hold it near your phone. If your device is relatively modern (produced after 2019), a pop-up appears inviting you to connect and download the accompanying app, if it exists. One tap, and you’re good to go.

Unfortunately, it seems quite a few manufacturers didn’t pay attention to the particulars of this tech when implementing it, and now their accessories can be hijacked by a stranger’s smartphone in seconds — even if the headset isn’t actually in pairing mode. This is the core of the WhisperPair vulnerability, recently discovered by researchers at KU Leuven and recorded as CVE-2025-36911.

The attacking device — which can be a standard smartphone, tablet or laptop — broadcasts Google Fast Pair requests to any Bluetooth devices within a 14-meter radius. As it turns out, a long list of headphones from Sony, JBL, Redmi, Anker, Marshall, Jabra, OnePlus, and even Google itself (the Pixel Buds 2) will respond to these pings even when they aren’t looking to pair. On average, the attack takes just 10 seconds. Once the headphones are paired, the attacker can do pretty much anything the owner can: listen in through the microphone, blast music, or — in some cases — locate the headset on a map if it supports Google Find Hub. That latter feature, designed strictly for finding lost headphones, creates a perfect opening for stealthy remote tracking. And here’s the twist: it’s actually most dangerous for Apple users and anyone else rocking non-Android hardware.

Remote tracking and the risks for iPhones

When headphones or a headset first shake hands with an Android device via the Fast Pair protocol, an owner key tied to that smartphone’s Google account is tucked away in the accessory’s memory. This info allows the headphones to be found later by leveraging data collected from millions of Android devices. If any random smartphone spots the target device nearby via Bluetooth, it reports its location to the Google servers. This feature — Google Find Hub — is essentially the Android version of Apple’s Find My, and it introduces the same unauthorized tracking risks as a rogue AirTag.

When an attacker hijacks the pairing, their key can be saved as the headset owner’s key — but only if the headset targeted via WhisperPair hasn’t previously been linked to an Android device and has only been used with an iPhone, or other hardware like a laptop with a different OS. Once the headphones are paired, the attacker can stalk their location on a map at their leisure — crucially, anywhere at all (not just within the 14-meter range).

Android users who’ve already used Fast Pair to link their vulnerable headsets are safe from this specific move, since they’re already logged in as the official owners. Everyone else, however, should probably double-check their manufacturer’s documentation to see if they’re in the clear — thankfully, not every device vulnerable to the exploit actually supports Google Find Hub.

How to neutralize the WhisperPair threat

The only truly effective way to fix this bug is to update your headphones’ firmware, provided an update is actually available. You can typically check for and install updates through the headset’s official companion app. The researchers have compiled a list of vulnerable devices on their site, but it’s almost certainly not exhaustive. After updating the firmware, you absolutely must perform a factory reset to wipe the list of paired devices — including any unwanted guests.

If no firmware update is available and you’re using your headset with iOS, macOS, Windows, or Linux, your only remaining option is to track down an Android smartphone (or find a trusted friend who has one) and use it to reserve the role of the original owner. This will prevent anyone else from adding your headphones to Google Find Hub behind your back.

The update from Google

In January 2026, Google pushed an Android update to patch the vulnerability on the OS side. Unfortunately, the specifics haven’t been made public, so we’re left guessing exactly what they tweaked under the hood. Most likely, updated smartphones will no longer report the location of accessories hijacked via WhisperPair to the Google Find Hub network. But given that not everyone is exactly speedy when it comes to installing Android updates, it’s a safe bet that this type of headset tracking will remain viable for at least another couple of years.

Want to find out how else your gadgets might be spying on you? Check out these posts:
- How to protect yourself from Bluetooth stalking and more
- How to track anyone via the Find My network
- How to stop being tracked via Bluetooth beacons like AirTag
- How smartphones build a dossier on you
- Why data brokers build dossiers on you, and how to stop them doing so
Researchers say the advanced framework was built almost entirely by agents, marking a significant evolution in the use of AI to develop wholly original malware.
A draft proposal released on Tuesday, revising the EU’s Cybersecurity Act and its Network Information Systems Directive, would see member states phase out the use of high-risk suppliers within their critical national infrastructure.
LastPass is alerting users to a new active phishing campaign that's impersonating the password management service, which aims to trick users into giving up their master passwords. The campaign, which began on or around January 19, 2026, involves sending phishing emails claiming upcoming maintenance and urging recipients to create a local backup of their password vaults in the next 24 hours. The
A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript. The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025. Binary-parser is a
Security vulnerabilities were uncovered in the popular open-source artificial intelligence (AI) framework Chainlit that could allow attackers to steal sensitive data, which may allow for lateral movement within a susceptible organization. Zafran Security said the high-severity flaws, collectively dubbed ChainLeak, could be abused to leak cloud environment API keys and steal sensitive files, or
The recently discovered sophisticated Linux malware framework known as VoidLink is assessed to have been developed by a single person with assistance from an artificial intelligence (AI) model. That's according to new findings from Check Point Research, which identified operational security blunders by the malware's author that provided clues to its developmental origins. The latest insight makes
Every managed security provider is chasing the same problem in 2026 — too many alerts, too few analysts, and clients demanding “CISO-level protection” at SMB budgets. The truth? Most MSSPs are running harder, not smarter. And it’s breaking their margins. That’s where the quiet revolution is happening: AI isn’t just writing reports or surfacing risks — it’s rebuilding how security services are
Gartner® doesn’t create new categories lightly. Generally speaking, a new acronym only emerges when the industry's collective "to-do list" has become mathematically impossible to complete. And so it seems that the introduction of the Exposure Assessment Platforms (EAP) category is a formal admission that traditional Vulnerability Management (VM) is no longer a viable way to secure a modern
As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America. The new findings
Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution. The most severe of the lot is a critical security flaw impacting Zoom Node Multimedia Routers (MMRs) that could permit a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844
The UK's National Cyber Security Centre (NCSC) has issued a warning about the threat posed by distributed denial-of-service (DDoS) attacks from Russia-linked hacking groups who are reported to be continuing to target British organisations. Are you prepared? Read more in my article on the Hot for Security blog.