New Dohdoor malware campaign targets education and health care

Cisco Talos discovered an ongoing malicious campaign since at least as early as December 2025 by a threat actor we track as "UAT-10027," delivering a previously undisclosed backdoor dubbed "Dohdoor." Dohdoor utilizes the DNS-over-HTTPS DoH technique for command-and-control C2 communications and h...

Veeam Operations Fail When the Backup Server Has Limited Internet Access

Article Applicability This article addresses an issue that may occur when using a Windows-based deployment of Veeam Backup & Replication v13, where the Veeam Backup Server or other Windows-based component servers are isolated from the internet or subject to significant firewall restrictions...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : DNSdist vulnerabilities (USN-8037-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8037-1 advisory. It was discovered that HTTP/2, which is used/vendored by DNSdist, did not properly account for resources when handling client-trigger...

USN-8037-1 dnsdist vulnerabilities

It was discovered that HTTP/2, which is used/vendored by DNSdist, did not properly account for resources when handling client-triggered stream resets. An attacker could possibly use this issue to cause a denial of service. CVE-2025-8671 It was discovered that DNSdist did not properly manage memor...

USN-8037-1: DNSdist vulnerabilities

It was discovered that HTTP/2, which is used/vendored by DNSdist, did not properly account for resources when handling client-triggered stream resets. An attacker could possibly use this issue to cause a denial of service. CVE-2025-8671 It was discovered that DNSdist did not properly manage memor...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS via the DNS cache. An attacker can cause the controller to panic and become unavailable by inserting a specially crafted DNS response into the cache, either by intercepting and modifying DNS traffic or by controlli...

PT-2026-6430

Impact The cert-manager-controller performs DNS lookups during ACME DNS-01 processing for zone discovery and propagation self-checks. By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a...

Azure Linux 3.0 Security Update: bind (CVE-2024-12705)

The version of bind installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-12705 advisory. - Clients using DNS-over-HTTPS DoH can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted...

Evasion-Resilient Detection of DNS-Over-HTTPS Data Exfiltration: A Practical Evaluation and Toolkit

The purpose of this project is to assess how well defenders can detect DNS-over-HTTPS DoH file exfiltration, and which evasion strategies can be used by attackers. While providing a reproducible toolkit to generate, intercept and analyze DoH exfiltration, and comparing Machine Learning vs...

CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China PRC to maintain long-term persistence on compromised systems. "BRICKSTORM is a...

PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems

The Cybersecurity and Infrastructure Security Agency CISA is aware of ongoing intrusions by People’s Republic of China PRC state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere1,2 and Windows...

TencentOS Server 4: bind (TSSA-2025:0564)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0564 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

curl: Integer Overflow to Heap Overflow in DoH Response Handling

Summary: An integer overflow vulnerability exists in the dohprobewritecb function in lib/doh.c. This function is used as a write callback for DNS-over-HTTPS DoH responses. When a malicious DoH server sends a response with a crafted size, the multiplication of size and nmemb can overflow. This lea...

EUVD-2020-19485

Malware in sbrugna...

EUVD-2024-22909

Malicious code in bioql PyPI...

EUVD-2024-51062

Malicious code in bioql PyPI...

FreeBSD : dnsdist -- Denial of service via crafted DoH exchange (c2253bff-9952-11f0-b6e2-6805ca2fa271)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c2253bff-9952-11f0-b6e2-6805ca2fa271 advisory. [email protected] reports: In some circumstances, when DNSdist is configured to use the nghttp2...

jetty: HTTP/2 (including DNS over HTTPS) contains a design flaw and is vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

A flaw was found in Jetty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts...

RHEL 9 : Red Hat Product OCP Tools 4.17 OpenShift Jenkins (RHSA-2025:16456)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:16456 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron...

SUSE CVE-2025-30187

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources...