CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
Four security flaws have been added to the federal catalog of known exploited vulnerabilities after evidence surfaced of active attacks in the wild, including a maximum-severity path traversal bug in Adobe ColdFusion that was weaponized within hours of public disclosure and two unauthenticated file-upload flaws in Joomla page-builder plugins that attackers have used to drop web shells since late June. A lower-severity but still actively abused authorization bypass in the AI workflow tool Langflow rounds out the list, letting an authenticated attacker hijack another user’s automation flows. Federal civilian agencies have been given until July 10 to apply the fixes, and organizations running any of the affected software on internet-facing systems are urged to patch immediately given the pace of real-world exploitation already observed.
INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million
A four-month international crackdown spanning 97 countries has wrapped up with 5,811 arrests and roughly 293 million dollars in illicit assets intercepted, targeting the social engineering scams and money laundering networks that convert stolen funds into cryptocurrency and cash. More than 142,000 victims were identified worldwide, with cases ranging from a 20-year-old suspect in Thailand whose digital wallet processed over 122 million dollars in ten months to a fake police station built in Eswatini, complete with uniforms and signage, used to run impersonation scams. Authorities also blocked over 31,000 bank accounts and used a real-time stop-payment mechanism to intercept several large business email compromise transfers before the money left victims’ accounts.
Ubiquiti warns of new max severity UniFi OS vulnerability
Ubiquiti has shipped patches for seven critical vulnerabilities across UniFi OS and its Connect, Talk, Access, and Protect applications, the most severe being a maximum-severity command injection flaw in the Connect app used to manage smart building systems like LED lighting and EV chargers. Several of the other flaws can be exploited without authentication and with low complexity, a serious concern given that a security firm currently tracks more than 100,000 internet-exposed UniFi OS instances, nearly half of them in the United States. While no in-the-wild exploitation has been confirmed for this latest batch, Ubiquiti gear has repeatedly been targeted by state-sponsored and criminal groups building botnets in recent years, making prompt patching a priority for anyone running these devices on internet-facing networks.
JADEPUFFER: Agentic ransomware for automated database extortion
Threat researchers have documented what they describe as the first fully autonomous, end-to-end ransomware operation driven by a large language model rather than a human operator, dubbed JADEPUFFER. After breaking into an exposed Langflow server through a known authentication flaw, the AI agent independently harvested cloud and database credentials, moved laterally to a separate production database, forged admin tokens, encrypted more than 1,300 configuration records, and dropped a ransom note, narrating its own reasoning in code comments the entire way. What stood out most was the speed of self-correction: in one sequence the agent diagnosed a failed login, rewrote its approach, and fixed the problem in just 31 seconds, behavior researchers say demonstrates genuine autonomous adaptation rather than a scripted playbook, and a preview of how AI could lower the skill barrier for running ransomware campaigns.
Ghost Phishing Campaign Exploits Browser Blind Spot to Target Microsoft 365 Accounts
A phishing kit called EvilTokens is being used in a wave of attacks against Microsoft 365 accounts across the United States and Europe, abusing the legitimate device code authentication flow so victims unknowingly grant attackers access without ever handing over a password. The campaign’s defining trick is that its malicious pages are encrypted with AES-GCM and stay invisible to security scanners until the code decrypts and renders inside the victim’s own browser, a technique researchers are calling ghost phishing because it defeats traditional URL and network-based inspection. Consulting, financial services, manufacturing, and technology firms have seen the highest concentration of activity, and defenders are being advised to adopt phishing-resistant authentication and monitor for unexpected device code prompts rather than relying on email gateway filtering alone.