
Multiple root-level risks resolved.
SolarWinds patches four critical remote code execution vulnerabilities. A ransomware attack on Conduent puts the data of over 25 million Americans at risk. RoguePilot enables GitHub repository takeovers. ZeroDayRAT targets Android and iOS devices. North Korea’s Lazarus group deploys Medusa ransomware against organizations in the U.S. and the Middle East. Attackers’ breakout times drop to under half an hour. CISA maintains its mission despite staffing challenges. Russian satellites draw fresh scrutiny. Two South Korean teenagers are charged with breaching Seoul’s public bike service. Krishna Sai, CTO at SolarWinds, discusses why leaders should focus less on speculating about an AI bubble, and more on how to quantify AI’s tangible contributions. The Pope pushes prayerful priests past predictable programs.
Today is Tuesday, February 24th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
SolarWinds patches four critical remote code execution vulnerabilities.
SolarWinds has released updates to address four critical remote code execution vulnerabilities in its Serv-U file transfer software, which runs on Windows and Linux systems. The most severe flaw, tracked as CVE-2025-40538, is a broken access control issue that allows attackers with high privileges to create a system administrator account and execute arbitrary code with root or administrative permissions. SolarWinds also patched two type confusion vulnerabilities and an Insecure Direct Object Reference, or IDOR, flaw, each of which could also enable root-level code execution.
Importantly, all four vulnerabilities require attackers to already have elevated access, limiting exploitation to scenarios involving stolen credentials or chained privilege escalation. Serv-U remains an attractive target due to its role in transferring sensitive data. More than 12,000 internet-exposed instances are indexed by Shodan, while Shadowserver estimates fewer than 1,200.
A ransomware attack on Conduent puts the data of over 25 million Americans at risk.
A major data breach at Conduent has exposed the sensitive personal information of at least 25.9 million Americans, following a ransomware attack attributed to the SafePay group.
According to reporting by CSN, attackers maintained unauthorized access to Conduent’s network from October 21, 2024, through January 13, 2025. During that time, they exfiltrated approximately 8 terabytes of data, including names, Social Security numbers, dates of birth, medical records, and health insurance information. The breach primarily affects government service recipients in Texas and Oregon, where Conduent processes Medicaid, SNAP, and child support services. Texas alone accounts for 15.4 million impacted residents, while Oregon reports 10.5 million records exposed. Victims are now being notified and urged to place fraud alerts on their credit files.
The combination of Social Security and medical data creates long-term identity theft risk.
RoguePilot enables GitHub repository takeovers.
Orca Security has disclosed a GitHub Codespaces vulnerability dubbed RoguePilot that could have enabled repository takeovers through malicious Copilot instructions embedded in GitHub issues.
According to Orca, attackers could inject hidden prompts into an issue description, causing the in-environment Copilot assistant to exfiltrate a privileged GITHUB_TOKEN. The attack chain combined symbolic links, automatic JSON schema downloads, and Copilot’s deep integration in Codespaces to leak tokens without user approval. Because the token provides read and write repository access, compromise could lead to full takeover.
GitHub patched the issue after responsible disclosure, Orca reports.
ZeroDayRAT targets Android and iOS devices.
ZeroDayRAT, a new mobile spyware platform, is being marketed on Telegram as a subscription-based Malware-as-a-Service offering that targets Android and iOS devices, according to research from Cyberthint.
Researchers say the platform uses SMS phishing, fake app stores, and links shared via WhatsApp and Telegram to infect victims. Promotional materials show multi-stage redirection chains, including abuse of GitHub Pages, to mask malicious links. Once installed, the malware connects to a web-based control panel that enables GPS tracking, screen recording, keystroke logging, and remote camera and microphone access. It also includes financial theft features such as cryptocurrency wallet scanning, clipboard injection, and attempts to capture credentials for digital payment services. Cyberthint noted inconsistencies in the seller’s materials, raising questions about the platform’s authenticity.
North Korea’s Lazarus group deploys Medusa ransomware against organizations in the U.S. and the Middle East.
Hackers linked to North Korea’s Lazarus group have deployed Medusa ransomware in financially motivated attacks against organizations in the U.S. and the Middle East, according to Symantec.
Researchers attribute the activity to Lazarus, likely its Andariel subgroup, based on the use of custom backdoors, malware, and a Chrome password extractor previously tied to the group. Medusa operates as a ransomware-as-a-service platform, allowing affiliates to share ransom proceeds. Symantec notes this marks the first observed use of Medusa by Lazarus, which previously used strains such as Maui. U.S. authorities have tied earlier Maui attacks to North Korean operators, including Rim Jong Hyok, who was indicted in 2024.
This shift underscores growing overlap between nation-state actors and criminal ransomware ecosystems.
Attackers’ breakout times drop to under half an hour.
CrowdStrike’s latest global threat report finds attackers moving faster and operating across more groups, with breakout times dropping to an average of 29 minutes in 2025.
According to CrowdStrike, the fastest observed breakout time fell to 27 seconds, down from 51 seconds a year earlier. The company tracked 281 threat groups by the end of 2025, including 24 newly named actors. Cloud-focused attacks rose 37% year over year, with a 266% surge tied to nation-state groups. Eighty-two percent of detected intrusions were malware-free, relying instead on valid credentials and legitimate tools. Zero-day exploitation increased 42%, particularly targeting edge devices such as firewalls and virtual private networks.
CISA maintains its mission despite staffing challenges.
An analysis from the New York Times says President Trump, who established the Cybersecurity and Infrastructure Security Agency during his first term, has scaled back key parts of the agency in his second, including dismantling its election security work. Staffing has fallen from about 3,400 employees in January 2025 to fewer than 2,400, and a Department of Homeland Security funding lapse has furloughed roughly 60 percent of the remaining workforce, leaving under 1,000 on duty.
The agency is operating without a Senate-confirmed director, as nominee Sean Plankey’s confirmation has stalled. Lawmakers, including Representative Bennie Thompson, have warned that deep staffing cuts and lost institutional knowledge threaten CISA’s mission. Acting Director Madhu Gottumukkala has said essential operations will continue, but acknowledged increased strain.
Officials and former employees say morale has declined amid departures, reassignments, and uncertainty, raising concerns about readiness in the event of a major cyberattack.
Russian satellites draw fresh scrutiny.
Russian inspector satellites are drawing fresh scrutiny after a new report found they have spent years maneuvering alongside Western commercial spacecraft in geostationary orbit. European officials now worry the mission may extend beyond signals intelligence, raising concerns about potential interference with critical communications infrastructure.
For more on what these satellites are doing, and why it matters, here’s our own Maria Varmazis.
Two Russian satellites have spent years sidling up to Western communications spacecraft in geostationary orbit, and European officials now worry the mission goes beyond eavesdropping.
An investigation by the Financial Times reports that the satellites, known publicly as Luch and Luch-5X, have maneuvered within roughly 0.1 degrees of commercial operators such as Intelsat and Eutelsat, lingering for weeks or months. The tracking data cited by independent researchers show a pattern of close approaches dating back to 2014. One satellite was moved to a graveyard orbit in 2025 and later fragmented. Its successor, launched in 2023, has repeated similar maneuvers, including near satellites supporting government and military communications.
Experts say intercepted signals could provide intelligence useful for future interference or cyber operations, particularly amid the war in Ukraine.
Two South Korean teenagers are charged with breaching Seoul’s public bike service.
Two South Korean teenagers have been charged with breaching Seoul’s public bike service, Ttareungyi, in a June 2024 attack that exposed data on 4.62 million users, roughly 90 percent of the platform’s 5 million registrants.
Police say the pair, identified only as Persons A and B, accessed and downloaded user data including IDs, phone numbers, addresses, and dates of birth while still in middle school. The suspects met on Telegram and allegedly aimed to test their skills and profit. Authorities report no evidence the data was leaked or sold.
The Pope pushes prayerful priests past predictable programs.
In a private exchange with Rome’s priests, Pope Leo XIV offered encouragement, practical counsel, and one gently barbed warning that likely landed with particular clarity.
When asked how to reach young people, he pointed first to personal witness, then to widening the circle through genuine communion. On parish life, he advised priests to truly know their communities, because loving them requires more than a passing familiarity with the parish calendar.
But it was his aside on homily preparation that drew knowing smiles. The pope urged priests to use their own minds, not artificial intelligence, to craft their sermons. He has, he noted, seen and heard what happens otherwise. Prayer, he added, cannot be outsourced either. It requires time with the Lord, not just efficient recitation.
On rivalry and the loneliness of older clergy, Leo returned to fraternity, gratitude, and humility. In other words, no shortcuts there, either.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
