As shared in my previous blogpost, I reverse-engineered the TP-Link Tapo C260 webcam for the SPIRITCYBER IoT hardware hacking contest. Despite being one of the latest Tapo webcams, I was able to discover some pretty interesting vulnerabilities – local file disclosure (CVE-2026-0651), guest-privilege Remote Code Execution (CVE-2026-0652), and privilege escalation […]

# The MCP AuthN/Z Nightmare 05 Mar 2026 – Posted by Francesco Lacerenza This article shares our perspective on the current state of authentication and authorization in enterprise-ready, remote MCP server deployments. Before diving into that discussion, we’ll first outline the most common attack vectors. Understanding these threats is essential […]

When a phone starts “taking action” on its own, it’s no longer just answering questions like how to get a cheaper takeout—it can actually open apps, compare prices, and place orders. Control shifts from the user’s fingers to an intelligent agent capable of seeing the screen, planning, and executing tasks. […]

## Key Findings – During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors. – The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced […]

In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on […]

# Sometimes, You Can Just Feel The Security In The Design (Junos OS Evolved CVE-2026-21902 RCE) On today’s ‘good news disguised as other things’ segment, we’re turning our gaze to CVE-2026-21902 – a recently disclosed “Incorrect Permission Assignment for Critical Resource” vulnerability affecting Juniper’s Junos OS Evolved platform. This vulnerability […]

CVE-2025-64736 An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The versions below were either tested or […]

CVE-2026-20777 A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. The versions below were either […]

CVE-2026-22891 A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. The versions below were […]

# The App You Asked Your Employees to Install Can Leak Their Bank Account Details to Hackers Security audit of shift scheduling and workforce management apps finds flaws that expose Plaid banking tokens, allow fake messages under the employer’s brand, and let attackers silently delete shift notifications. Oversecured, a mobile […]