Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

CVE Database V5

AlienVault OTX General

SANS ISC Handlers Diary

SecurityWeek

Threatpost

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

Kaspersky Security Blog

Check Point Research

The Hacker News

Reddit NetSec

Reddit InfoSec News

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A security flaw has been discovered in UTT HiPER 810G up to 1.7.7-1711. Affected by this issue is the function strcpy of the file /goform/getOneApConfTempEntry. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

Detailed information about CVE-2026-3814: Buffer Overflow in UTT HiPER 810G affecting UTT HiPER 810G. Get real-time updates, technical details, and mitigation s

CVE-2026-3814: Buffer Overflow in UTT HiPER 810G - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-3814: Buffer Overflow in UTT HiPER 810G

A targeted campaign has been identified distributing a trojanized version of the Red Alert rocket warning Android app to Israeli users via SMS messages impersonating official Home Front Command communications. The malicious app retains full rocket alert functionality while running malicious code in the background. It bypasses Android security checks through certificate spoofing and runtime manipulation. Once installed, the malware collects sensitive data including SMS messages, contacts, location data, device accounts, and installed applications. The stolen data is transmitted to a remote command-and-control server. This campaign exploits user trust in emergency services during periods of geopolitical tension, combining social engineering with mobile espionage for maximum impact.

Detailed information about Mobile spyware campaign impersonates Israel's Red Alert rocket warning system. Get real-time updates, technical details, and mitigati

Mobile spyware campaign impersonates Israel's Red Alert rocket warning system - Live Threat Intelligence - Threat Radar | OffSeq.com

Mobile spyware campaign impersonates Israel's Red Alert rocket warning system

InstallFix is a novel attack technique where adversaries clone legitimate developer tool installation pages and distribute malicious install commands via Google Ads. This campaign targets users of Claude Code by delivering the Amatera Stealer malware through staged payloads that evade detection. The attack exploits users' trust in common 'curl to bash' installation methods and bypasses traditional email security controls by leveraging malvertising and legitimate hosting services. It specifically preys on the growing adoption of AI-related developer tools by non-technical users. The malware uses multiple evasion techniques and staged execution to avoid discovery. Indicators include numerous malicious domains and URLs mimicking official sources. Organizations relying on developer tools and AI platforms are at risk, especially where such tools are widely adopted. Mitigations require user education, strict validation of install commands, and enhanced monitoring of network traffic for suspicious domains. Countries with significant AI and developer tool usage are most likely affected. The threat severity is assessed as high due to the potential for credential theft and system compromise without requiring user authentication but relying on user interaction.

The InstallFix attack technique involves adversaries creating counterfeit installation guides that closely mimic legitimate developer tool installation pages, particularly targeting Claude Code users. These fake pages are distributed primarily through Google Ads, exploiting the trust users place in familiar installation methods such as executing 'curl' commands piped directly to a shell ('curl to bash'). When users follow these malicious instructions, they inadvertently download and execute the Amatera Stealer malware. This malware is designed to steal sensitive information and credentials. The attack bypasses traditional email security filters by leveraging malvertising and legitimate hosting platforms, making detection more difficult. The payload employs staged execution, where initial code downloads further components, and uses various evasion techniques to avoid antivirus and endpoint detection systems. This campaign capitalizes on the increasing adoption of AI-related developer tools by non-technical users who may not scrutinize installation sources carefully. Numerous malicious domains and URLs have been identified, many impersonating official Claude Code or related developer tool sites. The attack chain includes social engineering, domain impersonation, and exploitation of trusted installation workflows, making it a sophisticated threat vector in the current cybersecurity landscape.

Detailed information about InstallFix: How attackers are weaponizing malvertized install guides. Get real-time updates, technical details, and mitigation strate

InstallFix: How attackers are weaponizing malvertized install guides - Live Threat Intelligence - Threat Radar | OffSeq.com

InstallFix: How attackers are weaponizing malvertized install guides

A phishing campaign uses fake Zoom and Google Meet web pages to trick victims into joining fraudulent video calls. These fake meeting interfaces mimic real meetings and prompt users to download files disguised as Zoom updates. The downloaded payloads include executables, MSI installers, and commercial remote support or monitoring software configured for covert remote access. Attackers leverage multiple domains hosting identical fake meeting pages, some linked to previous campaigns like ClickFix. The goal is to establish persistent remote access using whichever tool is most effective. This campaign exploits social engineering and trusted video conferencing brands to bypass user suspicion. No CVE or known exploits in the wild are reported yet. The campaign poses a medium severity risk due to the potential for unauthorized remote access and data compromise. Indicators include numerous malicious domains and file hashes associated with the campaign.

This threat involves a sophisticated phishing campaign that impersonates popular video conferencing platforms Zoom and Google Meet by hosting fake meeting web pages on multiple malicious domains. These pages simulate active meetings with expected participants to lure victims into joining. Once a victim interacts with the fake meeting, they are prompted to download a file purportedly a Zoom update. The delivered payloads vary and include malicious executables disguised as legitimate meeting software updates, MSI installers that deploy legitimate remote support tools such as ConnectWise Control, and commercial monitoring software like Teramind configured for stealthy remote access. The attackers aim to establish persistent remote access to victim systems, enabling espionage, data theft, or further lateral movement. The campaign leverages social engineering techniques (T1566) and masquerades as trusted software updates (T1204) to bypass user caution. The use of legitimate remote support software complicates detection, as these tools are often whitelisted in enterprise environments. Multiple domains with similar naming conventions and URLs have been identified, some previously linked to the ClickFix campaign, indicating possible reuse of infrastructure or threat actor overlap. Although no CVE or known exploits in the wild are reported, the campaign's use of remote access tools and social engineering tactics presents a credible threat vector. The campaign is attributed to the adversary group Storm-1865. Indicators of compromise include specific file hashes and URLs/domains hosting the fake meeting pages. The campaign highlights the ongoing risk of phishing attacks exploiting remote work tools and the need for vigilance around software update prompts from unverified sources.

Detailed information about Remote Access Delivered Through Fake Zoom and Google Meet Calls. Get real-time updates, technical details, and mitigation strategies.

Remote Access Delivered Through Fake Zoom and Google Meet Calls - Live Threat Intelligence - Threat Radar | OffSeq.com

Remote Access Delivered Through Fake Zoom and Google Meet Calls

CVE-2026-3813 is a medium severity injection vulnerability in the opencc JFlow product affecting the Calculate function in WF_CCForm. java. The flaw allows remote attackers to perform injection attacks without authentication or user interaction. The vulnerability exists in a specific commit version of JFlow, which uses a rolling release model, complicating version tracking. Although an exploit is publicly available, there are no known active exploits in the wild yet. The vendor has been informed but has not issued a response or patch. The vulnerability could lead to partial compromise of confidentiality, integrity, and availability of affected systems. Organizations using opencc JFlow should prioritize code review and implement strict input validation as immediate mitigations. Countries with significant use of opencc JFlow, especially those with strategic interest in workflow automation, are at higher risk. The CVSS 4.

CVE-2026-3813 is an injection vulnerability identified in the opencc JFlow product, specifically in the Calculate function within the WF_CCForm.java file. The vulnerability arises from improper handling of input data, allowing an attacker to inject malicious content remotely without requiring authentication or user interaction. The affected version is identified by a specific commit hash (5badc00db382d7cb82dad231e6a866b18e0addfe), but due to the product's rolling release system, precise versioning is challenging. Injection vulnerabilities typically allow attackers to manipulate program logic, potentially leading to unauthorized data access, modification, or disruption of service. The vulnerability was responsibly disclosed early to the project maintainers, but no patch or official response has been released yet. Publicly available exploits exist, increasing the risk of exploitation, although no active exploitation has been reported. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. This suggests that while the vulnerability is remotely exploitable, the overall impact is moderate. The lack of vendor response and patch availability necessitates immediate attention from users of opencc JFlow to mitigate potential risks.

Detailed information about CVE-2026-3813: Injection in opencc JFlow affecting opencc JFlow. Get real-time updates, technical details, and mitigation strategies.

CVE-2026-3813: Injection in opencc JFlow - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-3813: Injection in opencc JFlow

CVE-2025-33022 is a vulnerability record that was reserved but later rejected by the assigner Nokia. There are no technical details, affected versions, or exploit information available. No CVSS score has been assigned, and no known exploits exist in the wild. Due to the lack of concrete information and the rejection status, this entry does not represent an active or confirmed security threat. Organizations do not need to take specific actions related to this CVE. The absence of details and the rejection indicate it is not a valid or exploitable vulnerability at this time.

CVE-2025-33022 was reserved as a potential vulnerability identifier by Nokia on April 15, 2025, but the record is marked as REJECTED. This means that after review, the vulnerability was determined to be invalid, not applicable, or otherwise not qualifying as a security issue. There are no affected product versions, no technical details, no patches, and no known exploits associated with this CVE. The lack of a CVSS score further reflects the absence of a confirmed security impact. As such, this CVE does not describe an actual vulnerability and should not be considered a threat.

Detailed information about CVE-2025-33022. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-33022 - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-33022

CVE-2026-3812 is a medium severity cross-site scripting (XSS) vulnerability found in itsourcecode Payroll Management System version 1. 0, specifically in the /manage_employee_allowances. php file. The vulnerability arises from improper sanitization of the 'ID' parameter, allowing remote attackers to inject malicious scripts. Exploitation requires no authentication but does require user interaction, such as a victim clicking a crafted link. Although the exploit has been publicly disclosed, no known active exploitation in the wild has been reported. The vulnerability could lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim's session. Organizations using this payroll system should prioritize patching or applying mitigations to prevent potential attacks. Countries with significant deployments of this software or with high reliance on payroll management systems in similar sectors are at greater risk. The CVSS 4.

CVE-2026-3812 is a cross-site scripting vulnerability identified in itsourcecode Payroll Management System version 1.0. The flaw exists in an unspecified function within the /manage_employee_allowances.php file, where the 'ID' parameter is improperly sanitized. This allows an attacker to inject malicious JavaScript code remotely by manipulating the 'ID' argument. The vulnerability does not require any authentication or privileges, making it accessible to unauthenticated remote attackers. However, exploitation requires user interaction, such as a victim clicking on a maliciously crafted URL or link. The vulnerability can lead to the execution of arbitrary scripts in the context of the victim's browser session, potentially enabling session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no active exploits in the wild have been reported to date. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required, and user interaction needed. The vulnerability impacts confidentiality and integrity but does not affect availability. No official patches or updates have been linked yet, so mitigation relies on input validation, output encoding, and possibly web application firewalls until an official fix is released.

Detailed information about CVE-2026-3812: Cross Site Scripting in itsourcecode Payroll Management System affecting itsourcecode Payroll Management System. Get r

CVE-2026-3812: Cross Site Scripting in itsourcecode Payroll Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-3812: Cross Site Scripting in itsourcecode Payroll Management System

Improper Input Validation vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

CVE-2026-24713 identifies an improper input validation vulnerability in Apache IoTDB, an open-source time-series database designed for efficient storage and analysis of IoT data. The vulnerability exists in versions 1.0.0 up to but not including 1.3.7, and 2.0.0 up to but not including 2.0.7. Improper input validation (CWE-20) means that the software does not adequately verify or sanitize incoming data, which can lead to unexpected behavior such as injection attacks, data corruption, or denial of service. Since IoTDB handles large volumes of sensor and device data, improper validation can allow attackers to craft malicious inputs that disrupt database operations or corrupt stored data. The flaw could be exploited remotely if the attacker can send specially crafted requests to the database service, potentially without requiring authentication depending on deployment configurations. No public exploits have been reported yet, but the vulnerability is significant given the critical role of IoTDB in industrial IoT, smart city infrastructure, and other data-intensive IoT applications. The Apache Software Foundation has addressed the issue in versions 1.3.7 and 2.0.7, recommending users upgrade promptly to mitigate risk.

Detailed information about CVE-2026-24713: CWE-20 Improper Input Validation in Apache Software Foundation Apache IoTDB affecting Apache Software Foundation Apac

CVE-2026-24713: CWE-20 Improper Input Validation in Apache Software Foundation Apache IoTDB - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-24713: CWE-20 Improper Input Validation in Apache Software Foundation Apache IoTDB

A vulnerability in Apache IoTDB.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7.

Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue.

CVE-2026-24015 is a security vulnerability identified in the Apache IoTDB project, an open-source time-series database designed for managing large-scale IoT data. The vulnerability is classified under CWE-1327, which involves binding a service to an unrestricted IP address. Specifically, affected versions of Apache IoTDB (from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7) improperly bind their network service interfaces to IP addresses without adequate restrictions. This misconfiguration can allow the IoTDB server to listen on all network interfaces, including public or untrusted networks, rather than limiting access to trusted or internal IP ranges. As a result, attackers on the network could connect to the IoTDB service without authentication or authorization barriers imposed by network segmentation or firewall rules. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk because it exposes sensitive time-series data and database management functions to unauthorized parties. The flaw can lead to unauthorized data access, data manipulation, or denial of service if exploited. The issue is resolved in Apache IoTDB versions 1.3.7 and 2.0.7, where binding behavior is corrected to restrict network exposure. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk profile. Organizations using Apache IoTDB in IoT, industrial control, or telemetry systems should urgently apply the updates to mitigate potential attacks.

Detailed information about CVE-2026-24015: CWE-1327 Binding to an Unrestricted IP Address in Apache Software Foundation Apache IoTDB affecting Apache Software F

CVE-2026-24015: CWE-1327 Binding to an Unrestricted IP Address in Apache Software Foundation Apache IoTDB - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-24015: CWE-1327 Binding to an Unrestricted IP Address in Apache Software Foundation Apache IoTDB

CVE-2025-69279 is a high-severity vulnerability in the NR modem components of Unisoc T8100, T9100, T8200, and T8300 chipsets. It stems from improper input validation (CWE-20) that can cause a system crash, resulting in a remote denial of service (DoS) without requiring any privileges or user interaction. The affected devices run Android versions 13 through 16. Exploitation is possible over the network, making it a significant risk for mobile devices using these chipsets. No known exploits are currently in the wild, and no patches have been published yet. The vulnerability impacts availability but does not affect confidentiality or integrity. Organizations relying on devices with these chipsets should prioritize monitoring and mitigation to prevent service disruption.

CVE-2025-69279 is a vulnerability identified in the NR (New Radio) modem firmware of Unisoc's T8100, T9100, T8200, and T8300 chipsets, which are commonly integrated into various Android devices running versions 13 through 16. The root cause is improper input validation (classified under CWE-20), where malformed or unexpected inputs sent to the modem can trigger a system crash. This crash leads to a denial of service condition remotely, without requiring any authentication or user interaction, highlighting the ease of exploitation. The vulnerability affects the availability of the device by causing it to become unresponsive or reboot, potentially disrupting network connectivity and device functionality. The CVSS v3.1 score of 7.5 reflects a high severity due to network attack vector, low complexity, no privileges required, and no user interaction needed. Although no exploits are publicly known yet and no patches have been released, the risk remains significant given the widespread use of these chipsets in mobile devices. The vulnerability does not compromise confidentiality or integrity but can severely impact device availability and user experience.

Detailed information about CVE-2025-69279: cwe-20 Improper Input Validation in Unisoc (Shanghai) Technologies Co., Ltd. T8100/T9100/T8200/T8300 affecting Unisoc

CVE-2025-69279: cwe-20 Improper Input Validation in Unisoc (Shanghai) Technologies Co., Ltd. T8100/T9100/T8200/T8300 - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threat Intelligence Database

Stop chasing alerts. Route them.

Check if your credentials are on the dark web

Filter Threats

Threat Intelligence

Lead Pen Test Professional

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility