Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.

Related to: https://sh.itjust.works/post/21489427

If security researchers can execute a guest-to-host attack using a zero-day vuln in the KVM open source hypervisor, Google will make it worth their while.

Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches.

The following summary from Debian's security list:

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords.