Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines — from threat intelligence to application security.
Latest Intelligence
Recent Articles
CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns
CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. An emergency hotfix is available.
CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack
CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.
Meta Files Contempt Motion Against NSO Group Over WhatsApp Spear-Phishing Attack on Journalists
Meta has filed a federal contempt motion against NSO Group alleging the Israeli spyware vendor violated a 2021 court order by deploying new WhatsApp-based spear-phishing infrastructure targeting journalists and human rights defenders. The case highlights the persistent challenge of enforcement against commercial spyware vendors whose products operate outside regulatory frameworks.
UNC3753: Vishing Calls Combined With Physical Office Intrusions in U.S. Data Theft Extortion Campaign
Threat group UNC3753 has been documented combining voice phishing (vishing) with physical office intrusions to conduct data theft and extortion against U.S. organisations. The group uses vishing to gather employee credentials and facility access information, then deploys operatives physically to compromise targets. The hybrid TTPs represent a significant escalation in social engineering attack sophistication.
VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances
China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. The implant uses HTTPS command and control via legitimate TLS certificates, survives reboots, and operates below enterprise EDR visibility.
VS Code Adds Two-Hour Extension Auto-Update Delay to Reduce Supply Chain Attack Window
Microsoft has released VS Code 1.101 with a configurable two-hour delay on automatic extension updates. The change is a direct response to supply chain attacks in which malicious updates were pushed to popular extensions, executing on developer machines within minutes of publication. The delay gives security teams a detection window before malicious updates execute across the developer fleet.
China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting
A pattern documented across multiple China-nexus threat actors in 2025–2026 shows a deliberate move from Windows endpoint compromise toward Linux-based network appliances and security devices running BSD. Network devices running proprietary Linux/BSD derivatives sit at the network edge with high-privilege routing access — and typically outside the enterprise's EDR coverage.
Assessing Network Perimeter Device Security: A Methodology for Firewalls, VPN Gateways, and Load Balancers
Network perimeter devices — firewalls, VPN gateways, and load balancers — are the most frequently exploited initial access category in enterprise breaches. Despite this, they are often excluded from regular security assessments. This methodology covers how to assess the security posture of perimeter network devices without disrupting production operations.
Opinion & Analysis
Commentary
VPN Gateways Are Where Ransomware Gets In. CVE-2026-50751 Is Not the Last One.
Check Point CVE-2026-50751 joins a long list of critical authentication bypass and remote code execution vulnerabilities in enterprise VPN gateways that have been exploited in ransomware campaigns. The pattern is consistent enough that it is no longer useful to treat each as a one-off incident — it is a structural category of risk that requires a structural response.
CipherWatch Editorial
Security Intelligence Platform
Why China-Nexus Actors Are Targeting Network Appliances — and Why Your EDR Won't Tell You
The BRICKSTORM BSD variant developed by VerdantBamboo is not a technical curiosity. It is evidence of a deliberate strategic investment by China-nexus threat actors in precisely the attack surface that most enterprise security programmes cannot see. Appliance-targeting is not the path of least resistance — it is the path of least detection.
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language — financial exposure, regulatory obligations, and board-ready summaries.
Check Point VPN Authentication Bypass CVE-2026-50751 — Ransomware Groups Actively Exploiting
A critical vulnerability in Check Point Security Gateway allows attackers to bypass VPN authentication entirely without any credentials, gaining direct access to internal networks. Ransomware groups are actively using this technique. CISA has issued an emergency three-day remediation deadline. All organisations running Check Point Security Gateways must act immediately.
Gentelman Ransomware Surges Against Healthcare — 15 Victims in 72 Hours
A ransomware group known as Gentelman (Storm-2697) has recorded at least 15 confirmed victims in healthcare and professional services between 1 and 3 June 2026. The attack chain exploits unpatched remote management tools. Healthcare organisations with internet-exposed remote access software should audit and patch immediately.
CRITICAL: Oracle WebLogic CVE-2024-21182 on CISA KEV — Ransomware Delivery Confirmed, Federal Deadline June 4
CISA added CVE-2024-21182 to the KEV on 1 June as honeypots confirm ransomware delivery via Oracle WebLogic T3/IIOP unauthenticated code execution. Despite a patch being available since January 2024, unpatched WebLogic deployments are being actively targeted. Organisations running WebLogic 12.2.1.4.0 or 14.1.1.0.0 must patch immediately.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more — so you stay ahead of the threat curve.