Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.... [...]

Flaw in remote-access appliance lets attackers chain bugs for root-level takeover SonicWall has warned customers of a zero-day flaw in its SMA 1000 remote-access appliance that's being actively exploited, potentially allowing attackers to escalate privileges and take over boxes.... [...]

Justice Department claims unlicensed exchange funneled ransomware profits US feds have dismantled a crypto laundering service that they say helped cybercrooks wash tens of millions of dollars in dirty digital cash, seizing its servers and unsealing charges against an alleged Russian operator.... [...]

Security boffins warn flaw is now being used for ransomware attacks against live networks Microsoft says attackers have already compromised "several hundred machines across a diverse set of organizations" via the React2Shell flaw, using the access to execute code, deploy malware, and, in some cases, deliver ransomware.... [...]

Adult site, streaming platform, and Japanese retailer expose user info, but not credentials Three very different companies have now confirmed data breaches affecting millions of users – each insisting the damage stopped well short of passwords and payment details.... [...]

Automaker admits raid that crippled its factories in August led to the theft of sensitive info Jaguar Land Rover (JLR) has reportedly told staff the cyber raid that crippled its operations in August didn't just bring production to a screeching halt – it also walked off with the personal payroll …

Both admit attackers were already exploiting the bugs, with scant detail and hints of spyware-grade abuse Apple and Google have both issued emergency patches after zero-day bugs were caught being actively exploited in what the companies describe as "sophisticated" real-world attacks.... [...]

Rights groups say digital-only record is leaking data and courting trouble Civil society groups are urging the UK's data watchdog to investigate whether the Home Office's digital-only eVisa scheme is breaching GDPR, sounding the alarm about systemic data errors and design failures that are exposing sensitive personal information while …

Wiz says React2Shell attacks accelerating, ranging from cryptominers to state-linked crews Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling.... [...]

Flare warns devs are unwittingly publishing production-level secrets Docker Hub has quietly become a treasure trove of live cloud keys and credentials, with more than 10,000 public container images exposing sensitive secrets from over 100 companies, including a Fortune 500 firm and a major bank.... [...]

Body confirms patient and staff details siphoned via Oracle EBS flaw as gang threatens to leak haul Barts Health NHS Trust has confirmed that patient and staff data was stolen in Clop's mass-exploitation of Oracle's E-Business Suite (EBS), and says it is now taking legal action in an effort …

Laptop maker says a vendor breach exposed some phone camera code, but not its own systems Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titan's internal files.... [...]

State-backed attackers started poking flaw as soon as it dropped – anyone still unpatched is on borrowed time Amazon has warned that China-nexus hacking crews began hammering the critical React "React2Shell" vulnerability within hours of disclosure, turning a theoretical CVSS-10 hole into a live-fire incident almost immediately.... [...]

Plan would create statutory powers for police use of biometrics, prompting warnings of mass surveillance The UK government has kicked off plans to ramp up police use of facial recognition, undeterred by a mounting civil liberties backlash and fresh warnings that any expansion risks turning public spaces into biometric …

Silent Patch Tuesday mitigation ends ability to hide malicious commands in.lnk files Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks.... [...]

Cloudflare data shows 29.7 Tbps record-breaker landed amid 87% surge in network-layer attacks The internet has spent the past three months ducking for cover as the Aisuru botnet hurled record-shattering DDoS barrages from an army of up to 4 million infected machines.... [...]

Ivy League school warns more than 1,400 people after attackers siphon data via zero-day The University of Pennsylvania has become the latest victim of Clop's smash-and-grab spree against Oracle's E-Business Suite (EBS) customers, with the Ivy League school now warning more than a thousand individuals that their personal …

Borough says attackers copied 'historical' info as three-council cyber woes drag on Kensington and Chelsea Council has admitted that data was quietly lifted from its systems during last week's cyber meltdown, confirming that the outage was not just an IT faceplant but a bona fide data breach.... [...]

Regulator says Illuminate ignored years of warnings, stored kids' data in plain text, and kept districts in the dark US edtech provider Illuminate Education just got dinged by the Federal Trade Commission for allegedly failing to keep an attacker from pilfering data on 10 million students.... [...]

Coupang confirms internationally routed intrusion compromised more than half of the country's population South Korean retail behemoth Coupang has admitted to a data breach that exposed the personal details of 33.7 million customers, turning the company's famed "Rocket Delivery" logistics empire into an express shipment for personal information …

Automation flaw in CI/CD workflow let a bad pull request unleash worm into npm PostHog says the Shai-Hulud 2.0 npm worm compromise was "the largest and most impactful security incident" it's ever experienced after attackers slipped malicious releases into its JavaScript SDKs and tried to auto-loot developer …

Ex-NCSC chief Ciaran Martin asked to examine how forecast ended up online ahead of schedule The Office for Budget Responsibility (OBR) has drafted in former National Cyber Security Centre (NCSC) chief Ciaran Martin to sniff out how its Budget day forecast wandered onto the open internet before the Chancellor …

ReliaQuest finds fresh crop of phishing domains and toxic tickets Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.... [...]

Agency flags hijacks of insecure studio-to-transmitter gear after attackers pipe in fake alerts and vulgar audio Malicious intruders have hijacked US radio gear to turn emergency broadcast tones into a profanity-laced alarm system.... [...]

Brewer finally tallies fallout from September attack as it pushes earnings into 2026 Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people.... [...]