
Weekly Cybersecurity News Digest 24 – 30 March


Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!

IBM patches critical flaws in mission-critical AIX OS

IBM recommends that customers running its Advanced Interactive eXecutive (AIX) operating system apply patches as soon as possible to address two critical vulnerabilities that could allow remote attackers to execute arbitrary commands.

The AIX OS is generally deployed in critical applications powering high-value industries. The software is commonly used for mission-critical applications across the finance, banking, healthcare, and telecommunications sectors.

The vulnerabilities, CVE-2024-56346 (CVSS score: 10.0) and CVE-2024-56347 (CVSS score: 9.6), are caused by improper process controls.

CVE-2024-56346 affects AIX’s nimesis Network Installation Management (NIM) master service and CVE-2024-56347 relates to AIX’s nimsh service SSL/TLS protection mechanisms, according to IBM’s security bulletin. Both vulnerabilities can be exploited remotely in low-complexity attacks that require no privileges. However, CVE-2024-56347 requires some level of user interaction, while CVE-2024-56346 does not.

IBM did not provide many details about the vulnerabilities, stating only that AIX versions 7.2 and 7.3 are both vulnerable and should be updated immediately.

Over 20K WordPress sites affected by DollyWay campaign since 2016

Researchers have uncovered evidence to indicate that multiple long-running WordPress-related malware campaigns are in fact related to a far larger campaign which they have called “DollyWay”. The campaign is said to have begun in 2016 and involved the attackers compromising thousands of vulnerable WordPress sites around the world.

Once compromised, the sites are put to work for the attackers who use them to generate revenue through various means, such as making them available to a Traffic Direction System (TDS). This can result in the server redirecting unsuspecting visitors to all manner of websites advertising things such as dating or gambling, or pushing other malicious content such as phishing pages or malware downloads, which may include ransomware and information-stealing Trojans.

The attackers employ a range of techniques to prolong their unwelcome stay on compromised WordPress sites. One is the use of a popular plugin called WPCode, which injects obfuscated JavaScript into WordPress pages on every page load without modifying the source themes or pages. This helps keep the attacker’s activity under the radar, since examining the theme and page source files will not reveal the injection.

To further maintain stealth, the WPCode plugin is hidden from the plugins list so that administrators do not see it, reducing the risk of its discovery and deletion. In addition, the attackers create admin accounts whose usernames are random strings of 32 hex characters. These accounts are also hidden from the WordPress console, so the legitimate administrator will not see them unless they query the backend database directly, which many WordPress users are unlikely to do.

Oracle denies breach after hacker alleges access to 6 million cloud records

Oracle is denying it was breached after a threat actor claimed to have stolen 6 million data records from the company’s Oracle Cloud federated single sign-on (SSO) login servers.

A threat actor known as rose87168 released multiple text files on March 20 containing a sample database, LDAP information, and a list of the companies whose data they claimed was stolen from Oracle Cloud’s SSO platform. The hacker is offering the allegedly stolen data for sale for an undisclosed price or in exchange for zero-day exploits.

The threat actor claims that the data, which includes encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys, was stolen after hacking into ‘login.(region-name).oraclecloud.com’ Oracle servers.

“The SSO passwords are encrypted, they can be decrypted with the available files, also LDAP hashed password can be cracked,” rose87168 says. “I’ll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees’ information from the list before it’s sold.”

The threat actor said they breached Oracle’s servers using a public CVE (flaw) that does not currently have a public proof of concept (PoC) or exploit.

When questioned about the alleged breach, Oracle said “[t]here has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

IngressNightmare: Kubernetes clusters at risk of takeover due to critical RCE bugs

A collection of four critical vulnerabilities in the Ingress NGINX Controller for Kubernetes could result in unauthenticated remote code execution (RCE), putting more than 6,500 clusters at risk of complete takeover.

The vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands in affected environments and completely take over Kubernetes clusters, according to researchers at Wiz who discovered the flaws.

Three of the vulnerabilities — CVE-2025-24514 (CVSS score: 8.8), CVE-2025-1097 (CVSS score: 8.8), and CVE-2025-1098 (CVSS score: 8.8) — allow attackers to inject arbitrary NGINX configuration directives, including custom routing rules and security settings, on affected systems. However, achieving RCE requires combining one of these flaws with CVE-2025-1974. This attack chain, dubbed IngressNightmare, carries a CVSS severity score of 9.8.

IngressNightmare affects the admission controller component of the Ingress NGINX Controller for Kubernetes. Approximately 43% of cloud environments, including those of Fortune 500 companies, are exposed to these vulnerabilities. The vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users are advised to update to the latest version as soon as possible.

Critical Next.js flaw allows attackers to bypass authorization

A critical vulnerability in the Next.js React framework can allow attackers to bypass authorization checks under certain conditions.

Next.js has more than 9 million weekly downloads on npm. It is used for building full-stack web apps and includes middleware components for authentication and authorization.

The flaw, tracked as CVE-2025-29927 (CVSS score: 9.1), enables attackers to send requests that reach destination paths without going through critical security checks. “Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in an advisory. “It was possible to skip running middleware, which could allow requests to skip critical checks—such as authorization cookie validation—before reaching routes.”

The issue impacts only self-hosted versions that use “next start” with “output: standalone.” Next.js apps hosted on Vercel and Netlify, or deployed as static exports, are unaffected. The vulnerability has been addressed in Next.js versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
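The advisory quoted above says the middleware skip hinges on an internal header arriving from outside. As an added example (not Next.js or Vercel code), the following edge filter for a self-hosted deployment drops `x-middleware-subrequest` from any external request before it reaches the app and flags the event for alerting; the request records are constructed placeholders.

```javascript
// Added example, not Next.js or Vercel code: an edge filter for a self-hosted
// Next.js deployment. x-middleware-subrequest is an internal Next.js header, so
// a copy of it arriving from an external client is dropped before the request
// is forwarded upstream, and the event is recorded so it can be alerted on.
const INTERNAL_HEADER = "x-middleware-subrequest";

// HTTP header names are case-insensitive; normalise them so a variant such as
// "X-Middleware-SubRequest" cannot slip past a case-sensitive comparison.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns the headers safe to forward upstream plus a flag saying whether the
// internal header was present on the inbound request.
function sanitizeInbound(headers) {
  const clean = normalizeHeaders(headers);
  const flagged = Object.prototype.hasOwnProperty.call(clean, INTERNAL_HEADER);
  if (flagged) delete clean[INTERNAL_HEADER];
  return { headers: clean, flagged };
}

// Detection over a request log: each entry is a record { ip, method, path,
// headers }; returns the entries that should raise an alert.
function findBypassAttempts(entries) {
  return entries.filter((entry) => sanitizeInbound(entry.headers).flagged);
}

// Constructed sample traffic (placeholder addresses, host and paths).
const SAMPLE_REQUESTS = [
  { ip: "203.0.113.10", method: "GET", path: "/dashboard",
    headers: { host: "app.example", cookie: "session=abc" } },
  { ip: "203.0.113.11", method: "GET", path: "/dashboard",
    headers: { host: "app.example", "X-Middleware-Subrequest": "middleware" } },
  { ip: "203.0.113.12", method: "POST", path: "/api/admin",
    headers: { Host: "app.example", "x-middleware-subrequest": "src/middleware" } },
];

// Stand-alone run: print one alert line per flagged request.
for (const hit of findBypassAttempts(SAMPLE_REQUESTS)) {
  console.log(`ALERT ${hit.ip} ${hit.method} ${hit.path}: internal header from external client`);
}
```

In production the same check belongs in the reverse proxy or WAF in front of the app, and the flagged events should feed the SIEM; the filter is a stop-gap, not a substitute for upgrading to a fixed Next.js version.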

Attackers used recently patched MMC zero-day exploit to target Windows users

A threat group called EncryptHub (aka Water Gamayun or Larva-208) has been reported to be using a recently patched vulnerability in the Microsoft Management Console (MMC) tracked as CVE-2025-26633 (CVSS score: 7.0), which could allow an attacker to bypass security features to run malicious code. The group was spotted using an exploit in specially crafted .msc files targeting the vulnerability before it was patched in the March 2025 Patch Tuesday release.

An additional use-after-free vulnerability in the Windows Win32 Kernel Subsystem, tracked as CVE-2025-24983 (CVSS score: 7.0), was also used by EncryptHub in recent attacks. This vulnerability is said to have been exploited in attacks as far back as March 2023 and was only patched in the recent March 2025 Patch Tuesday release.

The attacks by the group have been associated with the delivery of multiple malware families, including information-stealing Trojans such as the EncryptHub stealer, Stealc, and the Rhadamanthys stealer. Multiple backdoor Trojans are also used, including DarkWisp and SilentPrism, to provide the attackers with reliable remote access and control. The MSC EvilTwin Trojan loader was used to load untrusted MSC files and evade detection. Ransomware, such as RansomHub and BlackSuit, has also been delivered as a means of monetizing the compromised computers.

Microsoft’s .NET MAUI used to spread new Android malware

Cybercriminals are exploiting Microsoft’s .NET MAUI tool to spread new Android infostealing malware with cross-platform capabilities.

Launched in 2022, .NET MAUI is an app development framework introduced by Microsoft as a replacement for Xamarin, supporting both desktop and mobile platforms.

According to McAfee researchers, threat actors are abusing the tool to disguise malicious code within seemingly legitimate applications, primarily targeting Android users.

The apps built by the threat actors using .NET MAUI “have their core functionalities written entirely in C# and stored as blob binaries,” the researchers explained. “This means that unlike traditional Android apps, their functionalities do not exist in DEX files or native libraries.” This gives an advantage to threat actors in that .NET MAUI acts as a packer, allowing the malicious artifacts to evade detection and persist on victim devices for extended periods of time.

McAfee discovered several APKs created using the .NET MAUI technique, including fake banking, communication, dating, and social media apps. The apps are spread by tricking users into clicking on links sent via messaging apps that redirect to unofficial app stores.