Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs
Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft. "According to the functionalities of the CloudZ RAT and Pheno plugin, this was...
CVE-2026-42514 Sensitive Data Exposure Vulnerability in e-Sushrut HMIS
This vulnerability exists in e-Sushrut due to exposure of OTPs in plaintext within API responses. A remote attacker could exploit this vulnerability by intercepting API responses containing valid OTPs. Successful exploitation of this vulnerability could allow an attacker to impersonate the target...
CVE-2026-42514
CVE-2026-42514 affects e-Sushrut HMIS. The issue is exposure of OTPs in plaintext within API responses, enabling a remote attacker to intercept responses containing valid OTPs. If exploited, an attacker could impersonate a target user and gain unauthorized access to user accounts. Metrics indicat...
CDAC e-Sushrut Security Vulnerability
CDAC e-Sushrut is a system platform provided by the Indian CDAC company that facilitates hospital information management and medical process support. There is a security vulnerability in CDAC e-Sushrut, which stems from plaintext exposure of OTPs in API responses. This vulnerability could allow...
New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords
Forcepoint’s X-Labs reports an 11-step DHL phishing scam that uses fake OTP codes and EmailJS to harvest user credentials and device telemetry...
CVE-2026-33473
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Version 2.2.1 patches the issue...
CVE-2026-33627
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...
OATH Toolkit 2.6.14
OATH Toolkit attempts to collect several tools that are useful when deploying technologies related to OATH, such as HOTP one-time passwords. It is a fork of the earlier HOTP Toolkit...
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale. BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB)...
CVE-2025-42615
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...
CVE-2025-61482
Improper handling of OTP/TOTP/HOTP values in NetKnights GmbH privacyIDEA Authenticator v.4.3.0 on Android allows local attackers with root access to bypass two-factor authentication. By hooking into app crypto routines and intercepting decryption paths, an attacker can recover plaintext secrets,...
PT-2025-43966
Name of the Vulnerable Software and Affected Versions: privacyIDEA Authenticator version 4.3.0 Description: A flaw exists in the handling of OTP/TOTP/HOTP values within the privacyIDEA Authenticator application on Android. A local attacker with root access can bypass two-factor authentication by...
EUVD-2007-2760
Malware in sbrugna...
EUVD-2024-21075
Malicious code in bioql PyPI...
EUVD-2024-1031
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2007-2768
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a...
Veeam My Account Portal - MFA Guide
Purpose: This article documents how to enable and manage the Multifactor Authentication (MFA) option available for the Veeam My Account portal login my.veeam.com. Solution: Starting in December 2024, the option to enable MFA for My Account portal login was added. This allows users to enhance the...
Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps
SUMMARY: Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools...
PT-2024-34700 · Wave · Wave
Name of the Vulnerable Software and Affected Versions: Wave 2.0 Description: This issue exists due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this by sending multiple OTP requests through the vulnerable API endpoint, leading to OTP...