InfoSec.Watch

PODCAST · technology

The InfoSec.Watch Podcast delivers the week’s most important cybersecurity news in a fast, clear, and actionable format. Each episode breaks down major incidents, vulnerabilities, threat-actor activity, and security trends affecting modern organizations — without the noise or hype. The show translates complex cyber topics into practical insights you can use immediately in your job, whether you work in security engineering, cloud security, threat detection, governance, or IT. If you want to stay ahead of emerging threats, sharpen your defensive mindset, and get a reliable summary of what actually matters each week, this is your new essential briefing.

Actionable Cybersecurity Insights — Every Week.

  1. 130 - When Trusted Tools Turn On You

    We track how trust boundaries fail across the modern stack, from CI/CD supply chain compromise to phishing-driven account takeover and remote assistance abuse. We also break down actively exploited vulnerabilities and a practical tier 0 validation loop that treats patching like incident response, not routine maintenance.

    • supply chain compromise risk when trusted CI/CD tooling is abused for credential theft
    • behavior-based hunting on build systems, including anomalous execution and network egress
    • phishing campaigns against Signal and WhatsApp framed as identity compromise at scale
    • Microsoft Teams social engineering path to Quick Assist remote access and intrusion expansion
    • vulnerability triage for active exploitation, including Cisco FMC CVE-2026-20131 and rapid weaponization of new disclosures
    • mobile exploit kit reporting and why device takeover belongs in tier 0 thinking
    • IoT botnet disruption as a prompt to inventory unmanaged devices and validate network visibility
    • one-week tier 0 validation loop: verify versions, remove exposure, review logs, rotate secrets

    Follow the show on X, Facebook, and LinkedIn, and subscribe at https://infosec.watch.

    Thanks for listening to InfoSec.Watch! Subscribe to our newsletter for in-depth analysis: https://infosec.watch. Follow us for daily updates: X (Twitter), LinkedIn, Facebook. Stay secure out there!

  2. 129 - Quick Assist, Slow Panic

    We track how attackers keep turning trusted channels into reliable intrusion paths, from extension marketplaces to chat platforms and developer dependencies. We also lay out what defenders should patch first and how to validate fixes so security work actually reduces risk.

    • Glasswarm escalation against Open VSX using a modular loader for stealthier propagation
    • Why defenders need full intrusion chain telemetry across execution, persistence and C2
    • Microsoft Teams phishing that impersonates IT and abuses Quick Assist for remote access
    • Living off the land detection focused on behaviors rather than specific malware files
    • Astronata backdooring React Native packages to steal crypto wallets and developer credentials
    • Software supply chain hygiene through provenance checks and dependency trust path reviews
    • Chrome vulnerabilities exploited in the wild and why pre-patch hunting matters
    • Veeam critical flaws and treating backup infrastructure as a tier zero asset
    • VPN credential theft campaigns and enforcing MFA across every authentication path
    • Post-patching rigor with version checks, exposure validation, log review and secret rotation

  3. 128 - AI Malware Floods And Patch Tsunamis

    We track a clear theme across this week’s security headlines: everything is getting bigger, faster, and harder to manage, from AI-generated malware to massive patch waves. We focus on cutting blast radius with risk-based patching, resilience-first strategy, and automation that can keep up with machine-scale attacks.

    • AI-assisted malware as a volume play that strains signature-based detection
    • CISA KEV additions affecting physical security tech and industrial OT environments
    • Cisco firewall patch surge and why perfect-10 bugs demand rapid edge triage
    • Risk-based prioritization starting with the most exposed internet-facing devices
    • VMware ARIA Operations auth bypass as a high-impact management-plane risk
    • Nginx UI remote code execution as a supply chain style weak link
    • Resilience mindset built on detection, response, and rehearsed incident response plans
    • Automated sandboxing and modern EDR to counter high-volume malware
    • Continuous security awareness training that teaches and builds security culture

    Don't forget to follow us on X, Facebook, or LinkedIn, and be sure to subscribe to our newsletter at infosec.watch for the latest updates.

  4. 127 - From Cisco To EV Chargers: Active Exploits And Urgent Patches

    A wave of edge and control-plane threats drives urgent patching and smarter validation across Cisco SD-WAN, EV charging, FileZen, and Serv-U. We map real exploits, spotlight APT28 tradecraft, unpack Google risk shifts, and share a post-patch playbook that assumes breach.

    • Cisco SD-WAN 10.0 authentication bypass and active exploitation
    • CISA KEV update for FileZen and patch prioritization
    • EV charging platform flaws enabling session hijack and station impersonation
    • APT28 targeting MSHTML and legacy components as modern vectors
    • One Uptime 10.0 root-level exploit via traceroute probes
    • Google localhost WebSocket risk and policy reversals on token proxying
    • Governance for agentic AI with supervised fine-tuning and oversight
    • Quick hits on North Korean air-gap tools and UNC2814 disruption
    • Serv-U critical updates and file transfer exposure
    • EU CRA impacts on open source supply chains
    • Post-patch validation: verify versions, confirm exposure is gone, hunt logs, rotate secrets
    • Continuous exposure management for control planes and edge systems

    For more in-depth analysis and links to everything we discussed today, be sure to subscribe to our newsletter at infosec.watch.

  5. 126: Click The CAPTCHA, Adopt Malware, Regret Everything

    We track a wave of high-impact vulnerabilities and social engineering campaigns that target management planes and edge devices, then lay out a concrete four-step validation playbook. The theme is simple: initial access is cheap, but control plane compromise multiplies damage.

    • Windows Admin Center privilege escalation and urgent patching
    • IceWarp critical flaws enabling total takeover paths
    • Fake CAPTCHA campaigns delivering Letrodyctus, Supers, and new RATs
    • BeyondTrust RCE exploited in the wild with VShell and SparkRat
    • Grandstream VoIP unauthenticated buffer overflow and asset hygiene
    • Dell RecoverPoint zero day linked to suspected state activity
    • CISA KEV additions signaling active exploitation and patch deadlines
    • Fake adversary-built RMM tools and software due diligence
    • Device code phishing abusing OAuth to bypass MFA
    • Four-step patch validation and assumed-breach log review
    • Final theme: protect control planes and edge surfaces

    Be sure to follow us on X, Facebook, or LinkedIn for daily updates. And don't forget to subscribe to our newsletter for all this and more right in your inbox. You can find that at infosec.watch.

  6. InfoSec.Watch Podcast — Episode 125: Vendor choke points, BridgePay fallout, and the KEV patch race

    This week on the InfoSec.Watch Podcast, we examine a growing risk that many organizations still underestimate: operational choke points.

    The episode opens with the BridgePay ransomware attack, which forced the payment gateway offline and disrupted credit card processing for multiple municipalities and utilities. The incident highlights a harsh reality—third-party processors are effectively critical infrastructure. When they go down, downstream governments and businesses lose revenue, disrupt services, and erode public trust. The key question: do you have a plan B?

    Next, the discussion turns to a critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access (CVE-2026-1731). With exploitation observed almost immediately after disclosure, defenders faced a race against mass internet scanning. The hosts emphasize an “assume-breach” posture for internet-facing control plane appliances and outline why patching alone is not enough—you must hunt for persistence and validate trust after remediation.

    The episode also revisits Ivanti Endpoint Manager Mobile (EPMM), where additional critical vulnerabilities continue to surface. With MDM platforms inherently exposed to the internet by design, attackers increasingly view them as high-leverage entry points. The takeaway is clear: reduce direct exposure wherever possible and treat MDM platforms as Tier-Zero assets.

    The broader trend? Choke-point targeting. Payment gateways, remote support tools, MDM systems—these services sit between organizations and their users. For ransomware operators and initial access brokers, compromising one appliance can yield access to dozens or hundreds of downstream victims.

    The conversation then shifts to the KEV-driven patch treadmill, as CISA’s Known Exploited Vulnerabilities catalog continues to grow. With time-to-exploitation shrinking to hours in some cases, organizations must implement emergency patch processes for internet-facing appliances instead of waiting for standard change windows.

    Tool of the Week highlights GreyNoise, a powerful platform for distinguishing background scanning from meaningful exploitation activity—helping security teams prioritize response when new vulnerabilities drop.

    The episode closes with a practical and high-impact Actionable Defense Move of the Week: identify your top three vendor choke points and document failover steps, key rotation procedures, required log sources, and communications plans before an outage forces your hand.

    Key themes this week:
    • Third-party services as operational single points of failure
    • Pre-auth RCEs in internet-facing control planes
    • KEV-driven emergency patch processes
    • Planning for vendor compromise and outage

    As the hosts conclude: If it sits between you and your users—payments, support, identity, or device control—it is part of your perimeter. Plan for its failure as rigorously as you defend your own firewall.

    For full coverage and links to everything discussed, subscribe at infosec.watch and follow InfoSec.Watch on X, Facebook, and LinkedIn.

  7. InfoSec.Watch Podcast — Episode 124: Edge Devices Under Fire

    Edges are where attackers thrive—and where many teams see the least. We dive into how identity-adjacent features, single sign-on, and device management planes have become high-impact targets, and why routers, VPNs, and firewalls now sit at the center of modern intrusion campaigns. From unsupported hardware to multi-terabit DDoS events, we break down what matters most and the steps that actually change your risk.

    We walk through CISA’s directive to remove end-of-life edge devices and translate it into a practical playbook: inventory every public IP, map models and firmware to vendor support, and set non-negotiable retirement deadlines. Then we stress-test DDoS readiness at today’s scale, with concrete checks for always-on scrubbing, runbooks, and confirmed capacity with your CDN, WAF, and upstream providers. On the software side, we examine fresh NPM and PyPI compromises and outline a developer-first defense: dependency pinning, integrity checks, SBOM usage, mirrored registries, and CI/CD policies that block unknown maintainers by default.

    Urgency ramps up with active exploits added to CISA’s Known Exploited Vulnerabilities list. We prioritize SmarterMail, SolarWinds Web Help Desk, and GitLab SSRF with rapid patching, strict segmentation, emergency hardening, token rotation, and egress controls. We also spotlight a trend to watch: adversary-in-the-middle frameworks targeting routers and edge devices to hijack traffic. The counter is clear—treat the edge as a tier-one detection surface with telemetry for config drift, new admins, DNS and NTP anomalies, and require phishing-resistant MFA like FIDO2 or passkeys for all admin access.

    To help teams move faster, we highlight the KEV catalog’s machine-readable feed and show how to wire it into vulnerability management to auto-open tickets and enforce tight SLAs based on real-world exploitation.

    We close with an actionable one-week project: enumerate public edges, flag end-of-support gear, and either replace it, shield it behind managed services, or lock its management plane behind VPN with strict allow lists. Subscribe, share with your team, and leave a review with the one control you’ll implement first—what’s your next move to harden the edge?

  8. InfoSec.Watch Podcast — Episode 123: Fortinet SSO abuse, Ivanti MDM zero-days, and validating trust after patching

    This week on the InfoSec.Watch Podcast, we break down a series of actively exploited vulnerabilities targeting some of the most trusted control planes in enterprise environments—firewalls, identity integrations, and mobile device management platforms.

    The episode opens with active exploitation of Fortinet’s FortiCloud SSO authentication bypass (CVE-2026-24858), impacting FortiManager, FortiAnalyzer, and FortiPortal deployments with SSO enabled. With CISA publishing mitigation guidance, the hosts explain why FortiCloud SSO must be treated as an exposure multiplier, and why defenders should assume compromise, hunt for persistence, and validate trust even after patching.

    Next, the focus shifts to Ivanti Endpoint Manager Mobile (EPMM), where a pre-auth remote code execution (CVE-2026-1281)—alongside a second critical path traversal flaw—is being exploited in the wild. Grant and Sloane outline why MDM platforms are Tier-Zero assets, capable of controlling entire mobile fleets, and walk through the post-patch actions required to detect chaining, persistence, and credential theft.

    The episode also examines a ransomware incident impacting New Britain, Connecticut, highlighting the real-world consequences for local governments when core services go offline. The discussion emphasizes segmentation between public safety and business systems, offline operating procedures, and the importance of tested restores for directory services, VoIP, and line-of-business applications.

    In the Vulnerability Spotlight, the hosts take a deeper look at how attackers abuse alternate authentication paths, particularly SSO flows and SAML integrations, to bypass perimeter defenses. This leads into the Trend to Watch: identity convenience is becoming the new perimeter, and SSO features increasingly represent cascading failure points across cloud and on-prem infrastructure.

    The Policy & Regulation Watch covers new FCC guidance on ransomware preparedness, reinforcing the need for offline recovery validation and tabletop exercises focused on restoring critical services under active attack.

    Tool of the Week highlights CISA’s alert feed and KEV updates, with practical advice on wiring alerts directly into vulnerability triage workflows and enforcing same-day response SLAs for confirmed exploitation.

    The episode closes with a highly actionable Defense Move of the Week: implementing a repeatable validation loop for Tier-Zero systems—verify versions, confirm exposure removal, review logs, and rotate secrets—to ensure remediation actually worked.

    Key themes this week:
    • SSO as an alternate intrusion path
    • MDM and firewalls as Tier-Zero assets
    • Active exploitation requires validation, not trust
    • Patch fast—but always hunt and verify

    For the full weekly brief and ongoing coverage, subscribe at infosec.watch and follow InfoSec.Watch on X, Facebook, and LinkedIn.

  9. InfoSec.Watch Podcast — Episode 122: Cisco UC zero-days, Oracle patch overload, and the new Tier-Zero reality

    This week on the InfoSec.Watch Podcast, we break down a wave of high-impact security events underscoring a hard truth for defenders: management planes and dependencies are now primary intrusion paths.

    The episode opens with active exploitation of a Cisco Unified Communications zero-day (CVE-2026-20045), an unauthenticated web-management RCE capable of delivering full root-level compromise across multiple UC platforms. With exploitation confirmed and CISA adding the flaw to its Known Exploited Vulnerabilities list, the hosts explain why UC management interfaces must be treated as Tier-Zero assets, and why assumed-breach reviews are mandatory even after patching.

    Next, the discussion turns to Oracle’s January Critical Patch Update, delivering more than 300 fixes across its portfolio. Grant and Sloane walk through a practical prioritization strategy—patching by exposure, not product name—and explain how to use Oracle’s own exploitability flags and compensating controls to avoid patch paralysis.

    The episode also covers Ingram Micro’s ransomware-related data exposure, highlighting the growing risk of third-party concentration. The hosts outline what every organization should have ready before a supplier breach occurs, from notification SLAs and data minimization to pre-staged third-party incident response playbooks.

    In the Vulnerability Spotlight, the focus shifts to two expanding attack surfaces:
    • Unauthenticated management UI exploitation as a recurring root-compromise pattern
    • Malicious code embedded in developer dependencies, including a widely used package now listed in CISA’s KEV catalog

    The Trend to Watch ties these threads together: attackers are moving up the stack, blending classic perimeter weaknesses with modern software supply-chain abuse. Management planes, CI/CD pipelines, and automation platforms are increasingly being scanned, scripted, and poisoned at scale.

    The episode closes with a decisive Actionable Defense Move of the Week—formally defining your Tier-Zero systems and enforcing strict controls around access, exposure, monitoring, and containment—followed by a clear final warning: if a management interface is reachable from the internet, attackers will automate it.

    For deeper coverage and weekly briefings delivered straight to your inbox, subscribe at infosec.watch and follow InfoSec.Watch on X, Facebook, and LinkedIn.

  10. InfoSec.Watch Podcast — Episode 121: Cisco email gateway RCEs, Windows zero-days, and control-plane failure

    This week on the InfoSec.Watch Podcast, we break down a series of high-impact threats targeting the systems organizations rely on most—email gateways, Windows endpoints, and operational infrastructure that does not fail gracefully.

    The episode opens with an urgent look at Cisco AsyncOS (CVE-2025-20393), an actively exploited, unauthenticated remote-code-execution flaw affecting Cisco Secure Email Gateway and Secure Email and Web Manager deployments. The hosts explain why email gateways must be treated as Tier-Zero assets, outline post-patch hunting requirements, and discuss the real-world risk of persistence on perimeter infrastructure.

    Next, the conversation turns to Microsoft’s January Patch Tuesday, including CVE-2026-20805, an actively exploited Windows zero-day now listed in CISA’s Known Exploited Vulnerabilities catalog. While the vulnerability appears low-severity on paper, Grant and Sloane explain how information-disclosure bugs are routinely chained into full compromise—especially on jump hosts, VDI, and privileged systems.

    The episode also examines a ransomware attack on the AZ Monica hospital network in Belgium, highlighting the operational and patient-safety consequences when healthcare infrastructure goes offline. The discussion focuses on availability planning, segmentation, paper-mode readiness, and the importance of rehearsed downtime procedures.

    In the Vulnerability Spotlight, the hosts cover active exploitation of a high-severity flaw in Gogs, a self-hosted Git service, and an unauthenticated denial-of-service condition impacting Palo Alto Networks GlobalProtect. Both cases reinforce a central theme: development and remote-access infrastructure must be treated as production-critical systems.

    The Trend to Watch explores a growing supply-chain risk in workflow automation platforms like n8n, where compromised community plugins can expose stored credentials and API tokens—effectively turning automation tools into high-value credential vaults.

    The episode closes with a practical Actionable Defense Move of the Week, urging teams to focus on one high-impact service class and validate patching, exposure, logging, and rapid containment capabilities—before the next advisory drops.

    Key themes this week:
    • Email gateways as Tier-Zero infrastructure
    • Active exploitation outweighs CVSS scores
    • Availability is a primary security concern
    • Control planes and automation platforms are high-leverage targets

    For full coverage, subscribe to the newsletter at infosec.watch and follow InfoSec.Watch on X, Facebook, and LinkedIn.

  11. InfoSec.Watch Podcast — Episode 120: Control planes are attack planes

    Welcome back to the InfoSec.Watch Podcast, your weekly briefing on the security threats that matter.

    In Episode 120, we break down a clear and recurring theme across this week’s incidents: control planes have become prime attack planes.

    We start with active exploitation of a critical flaw in HPE OneView, underscoring why management-plane software must be treated as Tier Zero infrastructure. From there, we examine unpatchable risk posed by actively exploited, end-of-life D-Link DSL gateways, and a critical unauthenticated RCE (CVSS 9.8) in Trend Micro Apex Central, where compromise could allow attackers to disable security controls at scale.

    In the Vulnerability Spotlight, we cover:
    • A jsPDF path traversal flaw highlighting real-world software supply chain risk
    • Multiple Veeam Backup & Replication fixes, reinforcing why backup platforms remain high-value ransomware targets

    Our Trend to Watch looks at a growing enterprise data-loss vector: prompt-poaching via malicious browser extensions, where entire GenAI conversations — including sensitive code and data — are being exfiltrated from tools like ChatGPT.

    We also discuss:
    • CISA’s move to formally retire early Emergency Directives in favor of a mature KEV-driven vulnerability process
    • Why organizations should adopt their own “KEV-style” prioritization model
    • Chainsaw, a high-performance open-source tool for rapid Windows EVTX triage

    In this week’s Actionable Defense Move, we walk through a 30-minute management-plane exposure sweep — a fast, high-impact exercise to identify publicly exposed admin interfaces before attackers do.

    Final takeaway: attackers will always gravitate toward systems where privileges are concentrated. If a control plane must exist, it must be tightly restricted, aggressively patched, and continuously monitored.

    For a full written breakdown of these stories and more, subscribe to the InfoSec.Watch newsletter at infosec.watch, and follow us on X, Facebook, and LinkedIn for updates throughout the week.

  12. InfoSec.Watch Podcast — Episode 119: WatchGuard VPN RCE, MongoDB MongoBleed, and WebRAT GitHub traps

    In this week’s episode of the InfoSec.Watch Podcast, hosts Grant Lawson and Sloane Parker break down the security stories that defenders can’t afford to ignore.

    The episode opens with urgent patching guidance for an actively exploited WatchGuard IKEv2 VPN remote code execution flaw, followed by analysis of “MongoBleed” (CVE-2025-14847)—a memory disclosure vulnerability in MongoDB now seeing real-world exploitation. Grant and Sloane walk through not just why these issues matter, but what defenders should be doing after patching, including log review, threat hunting, and hardening exposed services.

    The discussion then turns to a growing threat targeting security teams themselves: malicious GitHub proof-of-concept repositories that masquerade as exploit code but actually deploy WebRAT malware. The hosts explain how researchers and blue teams can safely handle PoCs without becoming the next breach.

    Other highlights include:
    • A breakdown of the Aflac breach notification affecting 22.65 million individuals and why incident response doesn’t end at containment
    • Ongoing DDoS disruptions impacting French postal and banking services, with a focus on operational resilience and customer communication
    • A Vulnerability Spotlight on a critical SmarterMail flaw enabling arbitrary file upload and likely RCE
    • Tool of the Week: Praetorian’s Gato, which maps attack paths in CI/CD environments using GitHub Actions and self-hosted runners
    • A Deep Dive into the accelerating weaponization of AI-driven phishing campaigns

    The episode wraps with an Actionable Defense Move of the Week, outlining a formal, repeatable process for safely handling exploit code, and a Final Word on why fundamentals—patching, exposure management, and disciplined workflows—still define the fastest path to compromise.

    For full analysis, links, and takeaways, subscribe to the newsletter at infosec.watch and follow along on X, LinkedIn, and Facebook.

  13. InfoSec.Watch Podcast — Episode 118: Perimeter zero-days, email gateway attacks, and weaponized GitHub PoCs

    In this week’s InfoSec.Watch Podcast, we break down a series of critical security developments shaping the threat landscape. The episode opens with urgent guidance on two actively exploited, unauthenticated remote-code-execution vulnerabilities—one affecting WatchGuard Firebox appliances and the other impacting HPE OneView across multiple versions. The hosts outline the immediate actions every defender must take, from emergency patching to post-patch hunting and access-control validation.

    The Vulnerability Spotlight shifts to escalating attacks on email security gateways, a high-leverage target where compromise grants adversaries deep visibility and control across an organization’s communications. Grant and Sloane detail how attackers are abusing these systems for redirection, injection, and lateral movement—and why defenders must adopt a more aggressive hunt posture on these assets.

    In Trend to Watch, they examine a troubling new campaign uncovered by Kaspersky: a WebRAT distributed through GitHub repositories masquerading as Proof-of-Concept exploits. The campaign specifically targets students and early-career researchers, weaponizing curiosity to compromise analyst workstations. The hosts share essential operational security guidance for safely handling PoCs and research tooling.

    This week’s Quick Hits include new FBI IC3 warnings about rapport-building scams that shift victims to encrypted messaging apps—along with a reminder to expand phishing simulations to include voice and messaging impersonation scenarios.

    The Actionable Defense Move of the Week highlights a powerful preparedness tactic: creating a one-hour response checklist for critical edge devices and administrative interfaces. Grant and Sloane walk through what belongs on that list—from isolation steps and forensic captures to credential rotations and enhanced monitoring—emphasizing that speed, not perfection, wins the first hour of a zero-day event.

    They close with a Final Word on attacker strategy: adversaries are increasingly targeting high-leverage choke points such as email gateways, identity pathways, and management services. Real resilience now depends on reducing time-to-mitigate and protecting systems that function as force multipliers for attackers.

    Stay ahead of the threats that matter with this week’s briefing, and subscribe at infosec.watch for full coverage and daily updates.

  14. InfoSec.Watch Podcast — Episode 117: Choke Points Under Fire: Email Gateways, WebKit Zero-Days, and DPRK's $2B Crypto Heist

    In this week's InfoSec.Watch Podcast, we dive into the latest high-impact threats targeting enterprise security choke points.

    Key stories include:
    • A sophisticated campaign against Cisco Secure Email appliances, with essential guidance on hardening management interfaces and proactive threat hunting.
    • Chainalysis' alarming report on North Korea-linked actors stealing a record $2.02 billion in cryptocurrency in 2025 through fewer, more targeted attacks.
    • Ongoing disruption of municipal services, underscoring the urgent need for OT/IT segmentation and manual failover planning.

    The Vulnerability Spotlight focuses on two actively exploited Apple WebKit zero-days (now added to CISA's KEV catalog), emphasizing rapid patching via MDM and broader attack surface awareness.

    Also covered: FBI warnings on AI-generated voice deepfakes in impersonation scams, a new security tool called Proximity for scanning AI agent MCP servers, and practical defenses against evolving social engineering.

    The Actionable Defense Move of the Week: Build a pre-prepared one-hour containment checklist for critical edge and admin systems to enable fast, decisive incident response.

    Wrap-up theme: Attackers are zeroing in on high-leverage assets—make "time-to-mitigate" a core KPI for resilience in 2026 and beyond.

    Subscribe at infosec.watch for deeper analysis and daily updates. Stay secure!

  15. 6

    InfoSec.Watch Podcast — Episode 116: React2Shell mass exploitation, Apple & Microsoft zero-days, and the BRICKSTORM hypervisor breach

    This week’s episode dives into a packed slate of high-impact cybersecurity threats shaking the industry. We break down React2Shell (CVE-2025-55182) — a rapidly evolving remote code execution flaw driving mass scanning across the internet and prompting CISA to issue an urgent KEV directive. We also unpack Apple’s emergency WebKit zero-day patches and Microsoft’s latest actively exploited kernel and security-bypass vulnerabilities from December Patch Tuesday.

    The team explores BRICKSTORM, a stealthy backdoor campaign targeting VMware vSphere hypervisors through fileless techniques and persistent access to virtualization control planes — a growing focus for state-sponsored actors. They then analyze the massive Global Mart data breach, a four-month compromise stemming from a single misconfigured cloud storage bucket.

    Tool of the Week spotlights GreyNoise Threat Explorer, a powerful resource for separating malicious activity from internet background noise — especially valuable amid surging React2Shell exploitation.

    The episode closes with a look at Phantom Voice, a new wave of AI-generated voice-cloning phishing attacks capable of convincingly mimicking executives to trigger financial fraud and data exposure.

    Topics Covered:

    - React2Shell RCE and widespread exploitation
    - Apple & Microsoft zero-day patches underway
    - BRICKSTORM: hypervisor-level persistence against VMware
    - Global Mart breach impacting 50M customers
    - GreyNoise Threat Explorer
    - Phantom Voice AI-driven voice-clone phishing

    Stay ahead of emerging threats at infosec.watch and follow us on X, Facebook, and LinkedIn.

  16. 5

    InfoSec.Watch Podcast — React2Shell Supply Chain Risk, Android Zero-Days, and BRICKSTORM Hardware Sabotage

    In this week’s episode of InfoSec.Watch Weekly, Grant Lawson and Sloane Parker take listeners on a guided tour of the entire modern attack surface — from developer laptops to mobile devices to the physical circuit boards inside IoT hardware. Three major security stories illustrate how deeply interconnected and exposed the stack has become.

    We begin with React2Shell, a newly surfaced command-injection vulnerability in the widely used react-dev-utils package. Grant and Sloane break down how an attacker can hijack a developer’s workstation simply by manipulating the BROWSER environment variable — turning a harmless npm start command into a reverse shell. The discussion dives into real-world implications: source code theft, credential compromise, CI/CD tampering, and supply chain subversion. The hosts outline the immediate fixes, and the long-term lessons around SCA tooling, EDR visibility on developer endpoints, and securing the build environment itself.

    Next, the conversation shifts to two actively exploited Android zero-days uncovered in the latest Android Security Bulletin — one in the kernel and another in the Mali GPU driver. The hosts explain why GPU-level vulnerabilities are so dangerous, enabling screen capture, keystroke interception, and attack overlays at the hardware layer. The pair discuss BYOD risk, commercial spyware operators, and why MDM-powered patch gating and user education remain critical for corporate resilience.

    Finally, Grant and Sloane descend to the bottom of the stack with BRICKSTORM, a new piece of destructive malware designed not to steal or encrypt data but to permanently kill hardware. By abusing exposed JTAG debug ports, BRICKSTORM halts the CPU and overwrites the device’s bootloader with garbage — bypassing Secure Boot entirely and rendering the device unrecoverable. The hosts dig into what this means for critical infrastructure, operational technology, IoT fleets, and why cybersecurity strategy must now include physical security, supply chain controls, and hardware tamper protections.

    Throughout the episode, a recurring theme emerges: the corporate perimeter no longer exists. React2Shell targets the dev environment, Android zero-days compromise personal devices tied into corporate systems, and BRICKSTORM attacks the hardware itself. Defense-in-depth isn’t optional — it’s the only workable model across modern organizations.

    Tune in for practical insights, technical breakdowns, and the connective tissue between these headline stories. Follow us on X, Facebook, and LinkedIn — and subscribe at infosec.watch to get every briefing first.

  17. 4

    InfoSec.Watch Podcast — Episode 114: Identity zero-days, analytics leaks, and emergency-alert outages expose your weakest vendor links

    In this week’s InfoSec.Watch episode, hosts Grant Lawson and Sloane Parker analyze the top cybersecurity stories: an actively exploited Oracle IdM zero-day added to CISA’s Known Exploited Vulnerabilities catalog, OpenAI cutting off Mixpanel after a data breach, and ransomware disrupting the CodeRED emergency alert system. Additional coverage includes FortiWeb WAF vulnerabilities, SonicWall SSL VPN exploitation by Akira ransomware, Windows kernel privilege-escalation flaws, and the escalating risks posed by third-party vendor ecosystems.

    Stay ahead by subscribing at https://www.infosec.watch

  18. 3

    InfoSec.Watch Podcast — Episode 113: China-linked AI agents, logistics ransomware, and Germany’s NIS2 law are reshaping your 2025 risk map.

    In this episode of the InfoSec.Watch Podcast, we unpack one of the most consequential weeks of cybersecurity developments in 2025. This episode covers a rare convergence of AI-augmented state-backed espionage, logistics and retail supply-chain ransomware, and Europe’s accelerating drive toward digital sovereignty—and this episode takes you step-by-step through every story, every insight, and every actionable takeaway.

    Whether you're a CISO, a threat intelligence analyst, a red teamer, SOC lead, architect, or anyone responsible for defending modern infrastructure, this episode will help you make sense of a rapidly shifting threat landscape.

    We’ll explore how adversaries are leveraging cutting-edge technologies, why certain industries are becoming high-value systemic targets, and what new policies and vulnerabilities demand your immediate attention. From the rise of agentic AI in offensive operations, to the expanding blast radius of supply-chain–centric ransomware, to the geopolitical drivers behind Germany’s NIS2 implementation act, this episode equips you with the context you need to stay ahead.

  19. 2

    InfoSec.Watch Podcast — Episode 112: Windows Kernel 0-Day, FortiWeb RCE, Akira Targets Nutanix

    Here’s what we cover in Episode 112:

    - Actively Exploited Windows Kernel 0-Day: A privilege-escalation flaw in the Windows kernel is now being abused in real attacks. We cover what’s known, how attackers are chaining it, and the immediate mitigations security teams should prioritize.
    - FortiWeb Critical Vulnerability Added to CISA’s KEV Catalog: A newly disclosed remote code execution vulnerability in Fortinet FortiWeb has officially landed in the Known Exploited Vulnerabilities list. We explain exploitation paths, affected versions, and patch timelines.
    - Akira Ransomware Expands to Nutanix Virtualized Environments: Akira operators have widened their targeting to include Nutanix AHV systems, giving them deeper access into enterprise virtualization layers. We break down how they’re gaining initial entry and what defenders can harden right now.

    Clear explanations. No fluff. Practical takeaways you can use today.

    Actionable Cybersecurity Insights — Every Week. Visit InfoSec.Watch for the full newsletter and links to all sources mentioned in this episode.


ABOUT THIS SHOW

The InfoSec.Watch Podcast delivers the week’s most important cybersecurity news in a fast, clear, and actionable format. Each episode breaks down major incidents, vulnerabilities, threat-actor activity, and security trends affecting modern organizations — without the noise or hype.

The show translates complex cyber topics into practical insights you can use immediately in your job, whether you work in security engineering, cloud security, threat detection, governance, or IT.

If you want to stay ahead of emerging threats, sharpen your defensive mindset, and get a reliable summary of what actually matters each week, this is your new essential briefing.

Actionable Cybersecurity Insights — Every Week.

HOSTED BY

Infosec.Watch
