Cybersecurity News: Adobe patches zero-day, Marimo flaw exploited, Venice flood threat

In today’s cybersecurity news…

Adobe patches months-old Reader zero-day

Following up on a story we covered on Friday, “Adobe on Saturday released emergency patches for a critical Acrobat and Reader zero-day that has been exploited in the wild for several months.” The vulnerability (CVE-2026-34621) has a CVSS score of 9.6, stems from improperly controlled modification of prototype attributes, and can be exploited to execute arbitrary code. It impacts Acrobat and Reader for Windows and macOS. Adobe confirms that it has been exploited in the wild.

(Security Week)

Critical Marimo flaw now under active exploitation

Researchers at Sysdig are warning that hackers have started to exploit a critical vulnerability in the Marimo open-source reactive Python notebook platform just 10 hours after its public disclosure. Marimo is an open-source Python notebook environment, typically used by data scientists, researchers, and developers building data apps or dashboards. The flaw, tracked as CVE-2026-39987, allows remote code execution without authentication, and GitHub has given it a critical score of 9.3 out of 10.

(BleepingComputer)

Hackers claim control over Venice anti-flood pumps

In a breach that reportedly began in late March, attackers accessed the control interface of the pumping system and soon afterwards began releasing evidence in the form of screenshots of control panels, system layouts, and valve states. The hackers, using names like “Infrastructure Destruction Squad” and “Dark Engine,” said in a Chinese-language Telegram post that their goal was to expose critical infrastructure weaknesses, and offered to sell full root access to the system for just $600 to highlight the severity of the breach and the low barrier to potential misuse. They additionally warned that “no system updates can expel us. We have been here for months and will remain here for months to come.”

(Security Affairs)

Juniper Networks patches dozens of vulnerabilities

Last week, the company released patches for nearly three dozen vulnerabilities, many of which could lead to privilege escalation, denial-of-service (DoS), and command execution. The most severe (CVE-2026-33784) has a CVSS score of 9.8 – it is a default password in the Support Insights (JSI) Virtual Lightweight Collector (vLWC). The company explained that “vLWC software images ship with an initial password for a high-privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.”

(Security Week)

Open-source tool attacks reveal the future of supply chain compromise

A feature article in The Register this week looks at the future of supply chain attacks. This follows two recent attacks, both of which we reported on, one involving Axios, linked to North Korea, and the other involving Trivy, which is associated with TeamPCP. The attacks “infected open-source tools with malware and used this access to steal secrets from tens of thousands of organizations.” Mandiant Consulting CTO Charles Carmakal, speaking to The Register, said, “the data that was taken a few weeks ago will likely be leveraged this week, next week, next month – probably for several months – and the blast radius will continue to expand.” Cisco Talos outreach lead Nick Biasini told The Register, “attackers are starting to really look at the supply chain and open-source packages and figure out ways to compromise developers to deliver malware or gather data, depending on the type of threat,” with increased use of AI to make social engineering campaigns more believable and hyper-personalized.

(The Register)

Over 20,000 crypto fraud victims identified in international crackdown

A joint international law enforcement action led by the U.K.’s National Crime Agency (NCA) “has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States.” This activity, named Operation Atlantic, occurred in March and is said to have disrupted numerous fraud networks across the world. More than $12 million in suspected criminal proceeds was frozen. The focus of the campaign was “approval phishing” attacks, in which “scammers trick victims into granting them access to their cryptocurrency wallets, typically via investment scams.”

(BleepingComputer)

Russian submarine activity detected near UK undersea cables

The British government announced on Thursday it had exposed a “covert Russia submarine operation around cables in waters north of the United Kingdom.” The activity was discovered by the UK’s Main Directorate of Deep-Sea Research which operates specialized deep-sea units to survey underwater infrastructure. UK Defense Secretary John Healey said, “British and allied forces tracked the three Russian submarines over several weeks and dropped sonobuoys to inform the submarine units they were being monitored, and their mission was ‘no longer covert as had been planned.’”

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.