Cybersecurity News: Critical SharePoint flaw, real-time cyberattack prevention, CISA’s Intune warning

In today’s cybersecurity news…

Critical Microsoft SharePoint flaw now exploited in attacks

According to CISA, this flaw (CVE-2026-20963), which was patched in January, is now being exploited in the wild. It affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Successful exploitation “enables threat actors without privileges to achieve remote code execution on unpatched servers in low-complexity attacks that exploit a deserialization of untrusted data weakness.” SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are also vulnerable, but being end-of-support they no longer receive security updates. Consequently, admins running those releases are advised to upgrade to a supported version to block attacks.
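The weakness class behind this flaw, deserialization of untrusted data, is easier to see in a small Python example than in .NET. What follows is an added illustration, not the SharePoint bug, its payload, or any Microsoft code: a pickle stream carries a "call this function" instruction, so whatever the client sends gets executed on load, and the fix that holds up is refusing to deserialize anything that is not on an allow-list. The harmless callable `os.getcwd` stands in for what an attacker would choose.

```python
# Added example (not from the article or from Microsoft): the "deserialization
# of untrusted data" weakness class, shown with Python's pickle instead of .NET.
import io
import os
import pickle


class Gadget:
    """Its pickled form tells the unpickler to call a function with arguments.

    os.getcwd is used so the demo is harmless; an attacker substitutes os.system.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    """Serialise the gadget: this is the kind of blob an attacker sends."""
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    """What the application legitimately expects: a plain dict of strings."""
    return pickle.dumps({"site": "https://intranet.example"})


def unsafe_load(data: bytes):
    """Vulnerable pattern: deserialise whatever arrived on the wire."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the only globals the application needs; reject everything else.

    Plain dicts, lists, strings and ints are built from opcodes and never reach
    find_class, so the allow-list only has to name types the app truly needs.
    """

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the hardened loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe_load ran attacker-chosen code, returned:", unsafe_load(build_payload()))
    print("safe_load blocked it:", is_blocked(build_payload()))
```

The general lesson carries over to .NET: an unpickler, a BinaryFormatter or a JSON library configured to honour type names will instantiate whatever the stream names, so the only reliable control is an allow-list of expected types, or not deserialising client-controlled bytes at all.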

(BleepingComputer)

1stProtect reveals endpoint security platform intended to prevent cyberattacks in real time

A startup by the name of 1stProtect emerged from stealth mode yesterday to announce its endpoint security platform that “monitors system behavior and user intent to prevent cyberattacks in real time.” Their solution “enforces security policies at runtime, blocking malicious behavior at the operating system level, instead of relying on a cloud architecture for decision-making.” It does this by analyzing the attack’s destination and intent and operates as a self-defending system even in disconnected or restricted environments. The startup’s chief executive officer, Kervin Pillay, previously served as chief technology officer of Automation at Cisco, while its chief technology officer, Rafel Ivgi, held senior leadership positions at SentinelOne, CrowdStrike, Symantec, and Forcepoint.

(Security Week)

CISA urges U.S. organizations to secure Microsoft Intune systems following Stryker breach

The warning points to Microsoft’s published guidance on hardening Intune administrative controls, issued days after Stryker was breached in an incident that has since been claimed by the Iranian-linked hacktivist group Handala. A source familiar with the incident, in which 50 terabytes of data were stolen and nearly 80,000 devices were wiped, said the attackers created a new Global Administrator account after compromising an existing administrator account. CISA is now urging all U.S. organizations to “harden their Intune environments to make them more resilient against similar attacks that could target their own networks.”
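The detail worth alerting on is the sequence described above: an existing admin creates a new account and grants it Global Administrator shortly afterwards. The snippet below is an added illustration, not CISA’s, Microsoft’s or Stryker’s code; the audit records are constructed, and their field names only loosely follow the shape of an Entra ID directory audit entry (an assumption, not captured data). It flags every Global Administrator grant and separately the tighter pattern of a grant to an account the same actor created within the past hour.

```python
# Added example (not from the article, CISA or Microsoft): flag Global
# Administrator grants, and especially grants to an account created by the
# same actor shortly before. Record shape and all names are constructed.
from datetime import datetime, timedelta

GLOBAL_ADMIN = "Global Administrator"

# Constructed sample records (assumed shape; not real audit log output).
SAMPLE_AUDIT = [
    {"time": "2026-03-10T02:11:00", "activity": "Add user",
     "actor": "it-admin@contoso.example", "target": "svc-mdm2@contoso.example"},
    {"time": "2026-03-10T02:14:00", "activity": "Add member to role",
     "actor": "it-admin@contoso.example", "target": "svc-mdm2@contoso.example",
     "role": GLOBAL_ADMIN},
    {"time": "2026-03-10T09:30:00", "activity": "Add member to role",
     "actor": "hr-admin@contoso.example", "target": "alice@contoso.example",
     "role": "Helpdesk Administrator"},
    {"time": "2026-03-11T14:00:00", "activity": "Add member to role",
     "actor": "ciso@contoso.example", "target": "bob@contoso.example",
     "role": GLOBAL_ADMIN},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _is_ga_grant(rec):
    return rec["activity"] == "Add member to role" and rec.get("role") == GLOBAL_ADMIN


def global_admin_grants(records):
    """Every Global Administrator grant as (who granted it, who received it).

    Any hit here deserves a human look; the role count should be tiny and stable.
    """
    return [(r["actor"], r["target"]) for r in records if _is_ga_grant(r)]


def new_account_global_admins(records, window=timedelta(hours=1)):
    """Accounts created and then made Global Administrator within `window`
    by the same actor: the sequence reported in the Stryker incident."""
    created = {}
    for r in sorted(records, key=_ts):
        if r["activity"] == "Add user":
            created[r["target"]] = (r["actor"], _ts(r))
    hits = []
    for r in sorted(records, key=_ts):
        if not _is_ga_grant(r) or r["target"] not in created:
            continue
        actor, when = created[r["target"]]
        if actor == r["actor"] and timedelta(0) <= _ts(r) - when <= window:
            hits.append(r["target"])
    return hits


if __name__ == "__main__":
    print("GA grants:", global_admin_grants(SAMPLE_AUDIT))
    print("new-account GA grants:", new_account_global_admins(SAMPLE_AUDIT))
```

In production the records would come from the tenant’s directory audit log rather than a list literal, and the grant check belongs alongside the usual Intune hardening: as few Global Administrators as possible, phishing-resistant MFA on every admin, and separate break-glass accounts that are monitored for any use.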

(BleepingComputer)

Salt Security launches agentic security platform for the AI stack

This release, named the Salt Agentic Security Platform, is designed to let organisations adopt AI agents safely and at scale. The platform provides visibility into “the full set of relationships between LLMs, MCP servers, and APIs that enable agent behaviour.” According to Roey Eliyahu, CEO and co-founder of Salt Security: “most AI security solutions focus on prompts and models, but the real enterprise risk is not just in what an agent can say. It is in what an agent can do through MCP servers and APIs.”

(ITSecurity Guru)

Huge thanks to our sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Security training fails when it’s generic. Adaptive’s platform personalizes training and runs deepfake simulations across email, SMS, voice, and video. And with Adaptive’s AI Content Creator, you can drop in a breaking threat or compliance doc and instantly turn it into interactive, multilingual training – no designers, no delays. Learn more at adaptivesecurity.com.

Maximum severity Ubiquiti UniFi flaw may allow account takeover

Ubiquiti has now “patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.” The flaw (CVE-2026-22557) affects UniFi Network Application versions 10.1.85 and earlier and is fixed in 10.1.89 and later. “Successful exploitation enables threat actors without privileges to exploit a path traversal vulnerability to access files on the targeted devices and potentially hijack user accounts in low-complexity attacks that don’t require user interaction.”
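Path traversal, the class named in the advisory, is illustrated below with an added Python snippet. It is not Ubiquiti’s code and does not reproduce the UniFi bug; the data root is a made-up placeholder. It puts the naive join beside a check that decodes and canonicalises the requested path before confirming it still sits under the root, which also catches an absolute path and a double-URL-encoded `..`, the two variants that most often slip past a simple substring filter.

```python
# Added example (not from the article or from Ubiquiti): path traversal in a
# file-serving handler, the naive version beside a canonicalise-then-check one.
from pathlib import Path
from urllib.parse import unquote

# Hypothetical data directory; any directory name works for the demo.
BASE = Path("/srv/app-data").resolve()


def vulnerable_path(user_path: str) -> Path:
    """Naive join. "../../etc/passwd" walks out of BASE, and an absolute
    user_path such as "/etc/passwd" replaces BASE entirely."""
    return BASE / user_path


def safe_path(user_path: str) -> Path:
    """Decode, canonicalise, then verify the result is still inside BASE."""
    decoded = unquote(unquote(user_path))        # collapse single and double encoding
    candidate = (BASE / decoded).resolve()       # folds "..", and absolute paths win over BASE
    if candidate != BASE and BASE not in candidate.parents:
        raise PermissionError(f"path escapes data root: {user_path!r}")
    return candidate


def traversal_blocked(user_path: str) -> bool:
    """True if the hardened resolver rejects the request."""
    try:
        safe_path(user_path)
    except PermissionError:
        return True
    return False


def escapes_root(p: Path) -> bool:
    """Whether a path produced by the naive join actually leaves BASE."""
    resolved = p.resolve()
    return resolved != BASE and BASE not in resolved.parents


if __name__ == "__main__":
    for req in ["config/site.json", "../../etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "%252e%252e/etc/passwd", "/etc/passwd"]:
        print(f"{req!r:32} naive escapes: {escapes_root(vulnerable_path(req))!s:5} "
              f"hardened blocks: {traversal_blocked(req)}")
```

The check is on the resolved result rather than on the input, so it does not matter how the `..` was spelled; filtering the string for `../` is the approach that keeps getting bypassed.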

(BleepingComputer)

Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency

A Russian state-backed hacker group, likely APT28 (aka Fancy Bear), has targeted a Ukrainian government agency with phishing emails that exploit a vulnerability in the Zimbra webmail software, according to research from cybersecurity firm Seqrite. The victim was the State Hydrographic Service of Ukraine, which plays a role in maritime navigation and other critical infrastructure services. The attackers exploited a cross-site scripting flaw (CVE-2025-66376), “allowing them to inject malicious code directly into an email viewed through Zimbra’s browser-based interface.” The attack did not use an attachment; instead, the exploit was embedded in the body of a single email.

(The Record)

Navia incident exposes health plan information for over 2.6 million people

Navia Benefit Solutions, a third-party administrator for more than 10,000 companies, has announced that almost 2.7 million people had health plan information, Social Security numbers and other sensitive data stolen during a security incident that began in December. Navia manages “company healthcare benefits like Health Reimbursement Arrangements (HRAs) and Flexible Spending Accounts.”

(The Record)

Perseus Android Banking malware exploits Notes apps

Researchers at ThreatFabric are warning of a new Android malware family called Perseus whose mission is device takeover and financial fraud. A more flexible and capable platform than its parents, Cerberus and Phoenix, Perseus also monitors user notes, indicating a focus on extracting high-value personal or financial information. Campaigns are currently focusing on Turkey and Italy.

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.