
Overview

  • Linux
  • Linux

Published: 25 Jan 2026
Updated: 09 Feb 2026

CVSS: Pending
EPSS: 0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class(). Fixes the qfq_change_class() error case: cl->qdisc and cl should only be freed if a new class and qdisc were allocated. Freeing them on the error path when an existing class was being modified leaves other references to a freed object, leading to use-after-free (UAF) bugs.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Just built a Docker container to simulate the sch_qfq class bug (CVE-2026-22999). You can test the fix without owning a physical server. Lab steps in the thread. Read more 👉 tinyurl.com/4yemj9tj #LinuxSecurity #DevOps #SUSE #EvergreenContent

Overview

  • chamilo
  • chamilo-lms

Published: 10 Apr 2026
Updated: 10 Apr 2026

CVSS v3.1: CRITICAL (9.4)
EPSS: Pending

KEV

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
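The advisory's weak token derivation beside a hardened one, as an added example that is not Chamilo's code. `weak_reset_token` reproduces the derivation the advisory describes (a SHA-1 of the e-mail address alone); the `ResetTokenStore` class, its 15-minute lifetime and its five-guess budget are assumptions chosen for illustration, and `now` is injected so expiry can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time


def weak_reset_token(email: str) -> str:
    """Token derivation as described in the advisory: a pure function of the
    e-mail address. Anyone who knows the address can recompute it, and it
    never changes, never expires and can be guessed without limit."""
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hardened replacement (illustrative; not Chamilo's implementation).

    - the token comes from a CSPRNG, not from data the attacker already knows
    - only a hash of the token is stored, so a leaked table yields nothing usable
    - each token expires, is single-use, and is revoked after too many bad guesses
    - the comparison is constant-time
    """

    TTL_SECONDS = 15 * 60   # assumed lifetime
    MAX_ATTEMPTS = 5        # assumed per-token guess budget (rate limiting)

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user_id -> [token_digest, expires_at, failed_attempts]

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token; any earlier token for this user is superseded."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._pending[user_id] = [self._digest(token), self._now() + self.TTL_SECONDS, 0]
        return token  # delivered out of band (e-mail); never stored in the clear

    def redeem(self, user_id: str, presented: str) -> bool:
        """True exactly once, for the current unexpired token of this user."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(digest, self._digest(presented)):
            entry[2] += 1
            if entry[2] >= self.MAX_ATTEMPTS:
                del self._pending[user_id]  # burn the token; user must request a new one
            return False
        del self._pending[user_id]  # single use
        return True


if __name__ == "__main__":
    # Constructed address: the weak token is identical on every call.
    print("weak:", weak_reset_token("victim@example.org"))
    store = ResetTokenStore()
    t = store.issue("user-1")
    print("strong:", t, "redeemed:", store.redeem("user-1", t), "again:", store.redeem("user-1", t))
```

The stored value is a hash of the token rather than the token itself, so a database read (through SQL injection or a backup leak) does not hand out live reset links; the limit on failed redemptions is what the advisory's "no rate limiting" point asks for, applied per token.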

Statistics

  • 1 Post

Last activity: Last hour

Fediverse


🔒 CRITICAL vuln in Chamilo LMS (CVE-2026-33707): Weak password reset lets attackers hijack accounts using only the victim’s email. Affected: <1.11.38, 2.0.0-alpha.1 to <2.0.0-RC.3. Upgrade ASAP! radar.offseq.com/threat/cve-20


Overview

  • FalkorDB
  • FalkorDB Browser

Published: 10 Apr 2026
Updated: 10 Apr 2026

CVSS: Pending
EPSS: 0.09%

KEV

Description

FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse


CVE-2026-6057: CRITICAL path traversal in FalkorDB Browser 1.9.3 (file upload API). Unauthenticated attackers can write arbitrary files, risking RCE. No patch yet — restrict access and monitor logs. radar.offseq.com/threat/cve-20


Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

Published: 25 Feb 2026
Updated: 26 Feb 2026

CVSS v3.1: CRITICAL (10.0)
EPSS: 39.66%

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse


This week's release features a 2x faster msfvenom bootup time and new modules, including exploits for the Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20127) and osTicket Arbitrary File Read (CVE-2026-22200). rapid7.com/blog/post/pt-metasp


Overview

  • Enhancesoft
  • osTicket

Published: 12 Jan 2026
Updated: 23 Mar 2026

CVSS v4.0: HIGH (8.7)
EPSS: 74.45%

KEV

Description

Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
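The defensive measure the description implies, as an added example that is neither osTicket's nor mPDF's code: before rich-text HTML is handed to a server-side PDF renderer, every URL-bearing attribute is checked against a scheme allowlist, so a stream-wrapper reference is never passed to the renderer. It is assumed here that the "PHP filter expression" takes the form of a `php://filter/...` reference in an image source; the attribute set, the allowlist and the sample ticket body are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}                         # what the renderer may fetch
URL_ATTRIBUTES = {"src", "href", "background", "poster", "data"}  # attributes the renderer dereferences


class UrlAttributeFilter(HTMLParser):
    """Re-emit an HTML fragment, dropping any URL-bearing attribute whose scheme
    is not explicitly allowed. Stream wrappers (php://...), file://, javascript:
    and scheme-less references are all removed, because a server-side renderer
    resolves the last of these against the local filesystem. Every removal is
    recorded so it can be logged or alerted on."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities as written
        self.out = []
        self.dropped = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names
            if name in URL_ATTRIBUTES and not self._url_allowed(value):
                self.dropped.append((tag, name, value or ""))
                continue
            kept.append(f" {name}" if value is None
                        else f' {name}="{html.escape(value, quote=True)}"')
        return f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>"

    @staticmethod
    def _url_allowed(value):
        if value is None:
            return False
        # Strip whitespace and control characters first: some consumers ignore
        # them inside the scheme, so "ph\tp://" must be judged as "php://".
        cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
        return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


def sanitize_urls(fragment: str):
    """Return (sanitized_html, dropped_attributes)."""
    f = UrlAttributeFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out), f.dropped


# Constructed ticket body: one legitimate image, one php://filter reference of
# the assumed shape, and a javascript: link.
SAMPLE_TICKET_HTML = (
    "<p>Printer jammed again, photo attached:</p>"
    '<img src="https://cdn.example.org/printer.png" alt="printer"/>'
    '<img src="php://filter/convert.base64-encode/resource=/etc/passwd"/>'
    '<a href="javascript:alert(1)">help</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_urls(SAMPLE_TICKET_HTML)
    print(clean)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}={value!r}>")
```

The allowlist is deliberately on the scheme, not a denylist of `php://` and friends: PHP registers several wrappers (`file://`, `phar://`, `glob://`, `data://`), and a renderer that runs on the server will happily open any of them unless told otherwise.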

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse


This week's release features a 2x faster msfvenom bootup time and new modules, including exploits for the Cisco Catalyst SD-WAN Controller Authentication Bypass (CVE-2026-20127) and osTicket Arbitrary File Read (CVE-2026-22200). rapid7.com/blog/post/pt-metasp


Overview

  • RARLAB
  • WinRAR

Published: 21 Jun 2025
Updated: 26 Feb 2026

CVSS v3.0: HIGH (7.8)
EPSS: 4.76%

Description

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Bluesky

Robin Dost analyses a UAC-0226 sample, identifying it as a GIFTEDCROOK stealer variant. The chain starts with CVE-2025-6218 & CVE-2025-8088; a LNK launches a payload that decodes another binary, uses chunked data exfiltration & reconstructs its C2 at runtime blog.synapticsystems.de/obfuscation-...

Overview

  • win.rar GmbH
  • WinRAR

Published: 08 Aug 2025
Updated: 26 Feb 2026

CVSS v4.0: HIGH (8.4)
EPSS: 7.05%

Description

A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Bluesky

Robin Dost analyses a UAC-0226 sample, identifying it as a GIFTEDCROOK stealer variant. The chain starts with CVE-2025-6218 & CVE-2025-8088; a LNK launches a payload that decodes another binary, uses chunked data exfiltration & reconstructs its C2 at runtime blog.synapticsystems.de/obfuscation-...

Overview

  • Progress
  • ShareFile Storage Zones Controller

Published: 02 Apr 2026
Updated: 08 Apr 2026

CVSS v3.1: CRITICAL (9.8)
EPSS: 9.88%

KEV

Description

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

The latest update for #ArcticWolf includes "Project Glasswing Marks a Turning Point for #Cybersecurity" and "CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain". #infosec #networks https://opsmtrs.com/2ZFbaTl

Overview

  • Microsoft
  • Microsoft SQL Server 2016 Service Pack 3 (GDR)

Published: 10 Mar 2026
Updated: 09 Apr 2026

CVSS v3.1: HIGH (8.8)
EPSS: 0.13%

KEV

Description

Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.

Statistics

  • 1 Post

Last activity: 5 hours ago

Bluesky

Amazon RDS now supports the latest CU and GDR updates for Microsoft SQL Server

Amazon RDS for SQL Server now supports the latest Cumulative Updates and GDR security patches for SQL Server 2016, 2017, 2019, and 2022, addressing the CVE-2026-21262 and CVE-2026-26115 vulnerabilities.

Overview

  • flatpak
  • flatpak

Published: 07 Apr 2026
Updated: 10 Apr 2026

CVSS v4.0: HIGH (8.7)
EPSS: 0.20%

KEV

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app-controlled path to the outdated cache lies inside the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4.
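The containment check that this entry, the FalkorDB Browser upload entry and the two WinRAR archive entries above all lack, as an added example that is not the code of any of those projects. The same function covers the three shapes of the bug: an upload filename, an archive entry name (backslashes are treated as separators so a name crafted for a Windows extractor is judged the same way), and a cache path read back from app-controlled storage. The lexical check alone would miss a symlink planted inside the base directory, so the physical path is resolved and compared as well; the `demo_upload_dir` scenario and its candidate names are constructed for the example.

```python
import os
import tempfile
from pathlib import PurePosixPath


class PathEscape(ValueError):
    """Raised when an attacker-controlled name would leave the base directory."""


def normalize_entry_name(name: str) -> PurePosixPath:
    """Lexical checks on a relative name taken from an upload, an archive entry
    or a cache record: no absolute paths, no drive letters, no '..' components."""
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise PathEscape(f"absolute path not allowed: {name!r}")
    parts = PurePosixPath(name).parts  # collapses '.' and repeated separators
    if not parts or ".." in parts:
        raise PathEscape(f"traversal component in {name!r}")
    return PurePosixPath(*parts)


def safe_join(base: str, name: str) -> str:
    """Return the real path of base/name, or raise PathEscape.

    realpath() follows symlinks, so a link inside base that points elsewhere
    is caught here even though it passes the lexical check."""
    rel = normalize_entry_name(name)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, *rel.parts))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PathEscape(f"{name!r} resolves outside {base_real}")
    return target


def demo_upload_dir() -> dict:
    """Constructed scenario: an uploads directory that already contains a
    symlink to a sibling directory. Returns a verdict per candidate name."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    uploads = os.path.join(root, "uploads")
    outside = os.path.join(root, "outside")
    os.mkdir(uploads)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(uploads, "link"))

    candidates = [
        "docs/report.pdf",          # ordinary relative name
        "../../etc/passwd",         # classic traversal (upload name or archive entry)
        "..\\..\\Windows\\x.exe",   # same thing written for a Windows extractor
        "/etc/ld.so.cache",         # absolute path
        "C:/Users/Public/x.exe",    # drive letter
        "link/evil.so",             # lexically fine, physically outside via the symlink
        ".",                        # the base itself, not a file
    ]
    verdicts = {}
    for name in candidates:
        try:
            safe_join(uploads, name)
            verdicts[name] = "allowed"
        except PathEscape:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo_upload_dir().items():
        print(f"{verdict:8s} {name!r}")
```

The comparison uses `os.path.commonpath` rather than a string prefix test, so `/srv/uploads2/x` is not mistaken for a child of `/srv/uploads`. Note that the check is done on the resolved path at the moment of the call; an extractor that creates a symlink and then writes through it in a later entry needs the check repeated per entry, after earlier entries have landed.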

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse


This Week in Security: Flatpak Fixes, Android Malware, and SCADA was IOT Before IOT was Cool

Rowhammer attacks have been around since 2014, and mitigations are in place in most modern systems, but the team at gddr6.fail has found ways to apply the attack to current-generation GPUs.

Rowhammer attacks attack the electrical characteristics of RAM, using manipulation of the contents of RAM to cause changes in the contents of adjacent memory cells. Bit values are just voltage levels, after all, and if a little charge leaks across from one row to the next, you can potentially pull a bit high by writing repeatedly to its physical neighbors.

The attack was used to allow privilege escalation by manipulating the RAM defining the user data, and later, to allow reading and manipulation of any page in RAM by modifying the system page table that maps memory and memory permissions. By 2015 researchers refined the attack to run in pure JavaScript against browsers, and in 2016 mobile devices were shown to be vulnerable. Mitigations have been put in place in physical memory design, CPU design, and in software. However, new attack vectors are still discovered regularly, with DDR4 and DDR5 RAM as well as AMD and RISC-V CPUs being vulnerable.

The GDDR6-Fail attack targets the video RAM of modern graphics cards, and is able to trigger similar vulnerabilities in the graphics card itself, culminating in accessing and changing the memory of the PC via the PCI bus and bypassing protections.

For users who fear they are at risk — most likely larger AI customers or shared hosting environments where the code running on the GPU may belong to untrusted users — enabling error correcting (ECC) mode in the GPU reduces the amount of available RAM, but adds protection by performing checksums on the memory to detect corruption or bit flipping. For the average home user, your mileage may vary – there are certainly easier ways to execute arbitrary code on your PC – like whatever application is running graphics in the first place!

NoVoice Android Malware


McAfee identified a malware campaign in the Android Play store targeting older devices – using vulnerabilities publicly disclosed and patched between 2016 and 2021 – that was still found in over 50 apps in the official Google store.

All of the infected apps are built using a modified Facebook SDK to avoid detection, which unpacks the actual malicious payload from inside a PNG polyglot image. By using a common SDK found in millions of apps, the app looks like any other app using common libraries, even when viewing a decompiled list of classes referenced inside the binary.

Polyglot files are files that contain multiple valid file formats simultaneously – for instance a single file for Windows, Linux, or Web Browser or a JPEG containing a ZIP of all the works of Shakespeare. Polyglot files are possible because different formats often look for the start of data at different locations or when one file format denotes the length of valid data and happily ignores extraneous information. For malware, polyglot files are often used to hide malicious content in ways that detection tools or researchers may not spot.

Once the malicious payload is extracted from the PNG image in the app, the malware collects a fingerprint of the device, contacts a control server, and downloads exploits for that specific version. After gaining root, the exploit disables SELinux protections and replaces core system libraries with Trojan copies that impact every app. McAfee reports 22 different exploits in use, including Linux IPv6 kernel and Android GPU driver vulnerabilities, however all of the exploits used were fixed as of the 2021-05-01 Android security patches.

Ultimately, the malware steals authentication tokens and message databases from WhatsApp, reading them out of the local storage of the app, extracting the key from the running WhatsApp instance, and sending the decoded databases to a remote service. The malware also contains mechanisms to survive a factory reset by modifying the system partition of the device, but a full firmware re-install is still enough to get rid of it.

Unfortunately, older Android devices are still prevalent, and devices no longer supported by their manufacturers are still vulnerable to exploits based on publicly known and fixed security issues. There isn’t a good solution for devices abandoned by manufacturers, other than alternative firmware like LineageOS, but users of devices stuck on old firmware may also not be tech savvy enough, interested enough, or in a position to risk the device becoming nonfunctional by installing custom firmware.

Flatpak and XDG Fixes


Flatpak 1.16.4 and xdg-desktop-portal 1.20.4 have been released to address multiple security issues:

  • CVE-2026-34078 in Flatpak allows a complete sandbox escape from the jailed app environment
  • CVE-2026-34079 allows deleting any file on the host environment
  • GHSA-2fxp-43j9-pwvc allows read access to files accessible by the Flatpak system helper, a system service for integrating Flatpak apps with the rest of the system environment
  • GHSA-rqr9-jwwf-wxgj in xdg-desktop-portal which allowed writing to arbitrary system files, independent of the bug in Flatpak itself

Flatpak is a Linux application packaging format that aims to provide installations that work on any Linux distribution. Normal packaging formats like deb and rpm are tightly linked to the specific version of the specific distribution they are built for. Flatpak packages all dependencies for an application, which increases the package size but reduces the load on the developer to provide builds for every possible variation. xdg-desktop-portal is a companion helper to Flatpak to manage access to system resources like screenshots, opening files outside the sandbox, and opening links in the default browser.

Flatpak attempts to introduce a modern sandboxing security model on top of Linux apps, similar to the restricted access model most mobile apps run under on Android or iOS. Traditionally, any code running has the permissions of the user running it; reducing that access can reduce the attack surface. Flaws in the sandboxing code can allow exploits in an app to impact the rest of the system.

Almost all modern Linux distributions include Flatpak support, and it may not even be obvious to users when a package comes from Flatpak versus a traditional package – many commercial Linux applications like Slack and Steam distribute as Flatpak images, and many open source tools also provide images. For all our Linux users – make sure you’ve applied any pending security updates in your distribution!

Minnesota Ransomware


In an example of real-world impacts, Minnesota has requested assistance from the National Guard after a significant ransomware attack against Winona County. The state has asked the National Guard to assist in recovering from an attack impacting unspecified systems, but which apparently was severe enough that local and state resources weren’t enough. The only definitive statements from county officials are that emergency dispatch and 911 services are not disrupted – a frighteningly low bar you hope to not see. This is the second ransomware attack this county has seen this year, reportedly from unrelated attackers.

While high-profile ransomware attacks against governments and major corporations get lots of press, smaller companies are also impacted. Ransomware continues to be a pervasive problem, especially for organizations with a small – or even no – official IT department or security positions. Many security companies offer discounted or sometimes even free support to small companies and non-profits; if this is you, there’s no better time to look into multi-factor authentication, account privilege auditing and limiting, and testing your (offline) backups!

Router Hacks Redirect DNS


Following on with the real world impacts of some of the advisories, Lumen reports a widespread campaign to exploit home routers and install authentication-hijacking malware.

The attack targets TP-Link and MikroTik routers: TP-Link is a common home router brand, while MikroTik is more common in small business and remote office environments. Lumen comments that the attack seems to focus on older models, implying that it is using older, publicly disclosed vulnerabilities in devices which have been designated end-of-life by the manufacturers. Nearly 20,000 unique IPs were seen communicating with the control servers, so there were a lot of unmaintained routers out on the Internet.

Once the router was compromised, the attackers used DNS redirection to send users to fake login pages to capture authentication info for Microsoft Office and other corporate resources. By hijacking DNS in the router and passing a custom DNS server over DHCP to local systems on the network, the attackers controlled the login pages. While DNS-level attacks can't defeat protections like SSL, users may not notice that they are being phished with an unencrypted login lookalike site, or they might just ignore the SSL warnings and click through anyhow.

Lumen credits Russian state actors with the attack, with the victims including national and local governments and regulatory agencies.

Malware on 3D Printer Repos


Striking closer to home, this Reddit post points out a malware campaign targeting sites holding models for 3D printers such as Printables, Thingiverse, and Makerworld.

Abusing the ability to upload arbitrary files to the model sites, the goal appears to be to trick the user into downloading a zip file containing Blender assets with instructions on “how to convert them to an STL”. Unfortunately, Blender has an embedded scripting environment (Python) – opening untrusted Blender ‘blend’ files allows direct execution as the user running Blender! The malicious files and instructions then download traditional malware and infect the user. Vendors of 3D assets have experienced this before, but it may be a first for the printing sites to deal with.

The campaign appears to have been stopped a few days later, with the original poster reporting that the flood of fake accounts has ceased.

Unfortunately this goes to show that constant vigilance is needed – if something that should be a basic 3D model expects you to download additional tools to convert it to the format used everywhere else on the site, it’s probably worth being suspicious. Formats with embedded scripting environments are a new level of unexpected behaviors users have to be aware of – difficult if you’re not already a Blender user familiar with the capabilities and risks!

PLC takeover


Finally, this week’s “you hope it’s not your problem” is an advisory from CISA, the United States cyber security agency. It appears that Iranian state-sponsored agents have been attacking Programmable Logic Controller (PLC) systems. Usually outside the realm of the home hacker, PLC systems like these are used to control factories, power plants, water treatment facilities, and other industrial scale facilities.

Before the Internet of Things took the reins as the joke category for security — “the ‘S’ in IOT stands for security” — one of the strongest contenders was SCADA, or Supervisory Control and Data Acquisition devices. SCADA fills a suspiciously parallel role to IOT in the industrial space, providing network monitoring and control of physical systems, and suffers some of the same fate. A SCADA system may be too difficult to update, too important to risk the downtime of a change gone wrong, or simply too legacy to have support from the manufacturer, and like an IOT device, generally isn’t expected to be exposed to the entire Internet.

Out of the realm of most people – even technically inclined ones – SCADA attacks may still be some of the highest profile attacks someone has heard of. The Stuxnet worm in 2010 targeted SCADA control systems and modified PLC-controlled centrifuges used for uranium refinement. In 2015 and 2016 the Ukrainian power grid suffered two major attacks targeting the SCADA control systems, closing breakers and forcing manual intervention at each substation to restore power to 250,000 people. The attacks evolved into the ‘CRASHOVERRIDE’ malware, which is specifically designed to target power grid SCADA control systems.

The simplest fix is to ensure these systems are never connected to the Internet at large. (If simple can be said to apply to processes controlling multi-million dollar facilities.) But even separated from direct connections, systems that cannot be safely updated to patch security concerns will always be at risk of router and firewall appliance compromises, or compromised PCs or laptops allowed onto the control network.

hackaday.com/2026/04/10/this-w…

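The polyglot mechanism described in the NoVoice section of the post above, as an added example that is not McAfee's analysis code nor anything from the malware itself: a valid PNG with a ZIP archive appended, which an image decoder accepts as a picture and a ZIP reader accepts as an archive, plus the detection check a scanner would run (bytes after the IEND chunk). The 1x1 image and the "stage2.bin" member are constructed sample input; the polyglot shape shown here (PNG then ZIP) is one generic way the trick works, not a claim about how the campaign's loader is built.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, constructed as sample input."""
    # width, height, bit depth, colour type, compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00" + b"\x00"  # filter type 0 followed by one black pixel
    return (PNG_SIGNATURE
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanline))
            + _png_chunk(b"IEND", b""))


def make_png_zip_polyglot(member_name: str, payload: bytes) -> bytes:
    """PNG decoders stop at IEND and ignore what follows; ZIP readers locate the
    central directory from the END of the file and tolerate leading bytes.
    A PNG with a ZIP appended therefore satisfies both parsers at once."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return minimal_png() + buf.getvalue()


def parse_png_chunks(data: bytes):
    """Walk the chunk list, verifying each CRC.
    Returns (chunk types in order, offset just past the IEND chunk)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, types = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("truncated chunk")
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return types, pos
    raise ValueError("no IEND chunk")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Detector: a clean PNG has nothing after IEND; a polyglot carries its
    second format there. Non-zero is worth a closer look."""
    _, end = parse_png_chunks(data)
    return len(data) - end


def extract_appended_zip(data: bytes) -> dict:
    """The loader side: open the 'image' as an archive and read its members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    poly = make_png_zip_polyglot("stage2.bin", b"constructed stage-2 payload")
    print("chunks:", parse_png_chunks(poly)[0])
    print("bytes after IEND:", trailing_bytes_after_iend(poly))
    print("hidden members:", extract_appended_zip(poly))
```

The detector is cheap because the PNG container is length-prefixed: anything past IEND has no business being there. The reverse layout (ZIP first, PNG appended) is also possible, and a scanner that only checks the tail will miss it; checking that the ZIP's first local header sits at offset 0 catches that variant.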