News brief: Security flaws put thousands of systems at risk

ServiceNow AI vulnerability exposes customer data and systems

A critical vulnerability in ServiceNow's platform exposed customers' data and systems to potential exploitation. The issue stemmed from weak authentication in its legacy chatbot, Virtual Agent, which used a universal credential and required only an email address for user impersonation.

The flaw became more severe with the integration of ServiceNow's advanced agentic AI, Now Assist, enabling attackers to gain admin-level access and manipulate connected systems such as Salesforce or Microsoft.

Aaron Costello, chief of security research at SaaS security vendor AppOmni, highlighted the exploit's severity, calling it the most severe AI-driven vulnerability to date. He also urged organizations to limit AI agents' capabilities and implement thorough risk reviews.

ServiceNow addressed the issue by updating credentials and disabling the exploited AI agent.

Read the full story by Nate Nelson on Dark Reading.

Critical vulnerability in n8n puts thousands of systems at risk

Thousands of enterprise systems could be exposed to a critical vulnerability that researchers discovered in the widely used n8n workflow automation platform.

The flaw, caused by a "content-type confusion" bug, has a severity score of 10 and could enable attackers to bypass automation and access sensitive credentials, including for Salesforce, AWS and OpenAI.

Researchers at cybersecurity vendor Cyera disclosed the vulnerability to n8n in November 2025, and n8n released patches that same month. Users should upgrade to version 1.121.0 if they haven't already. Currently, there is no evidence of exploitation.

Read the full story by David Jones on Cybersecurity Dive.

Critical AWS Console vulnerability threatened global supply chain security

A critical vulnerability in the AWS Console, named CodeBreach, was discovered by Wiz researchers, posing a significant risk of supply chain attacks.

The flaw was linked to triggers in AWS CodeBuild CI pipelines. Two missing characters in a Regex filter, for example, could enable unauthenticated attackers to compromise the build environment and hijack code repositories. This could have led to backdoor injections in the AWS JavaScript SDK, potentially harvesting credentials, exfiltrating sensitive data or manipulating cloud infrastructure.

AWS addressed the issue after its disclosure in August 2025. No evidence suggests the vulnerability was exploited.

Read the full story by David Jones on Cybersecurity Dive.

VoidLink malware targets Linux cloud environments

VoidLink is an advanced, modular malware framework targeting Linux environments, particularly cloud and container systems. Discovered by Check Point Research, it is designed for stealthy, long-term access and features custom loaders, implants, rootkits and plugins.

Developed by China-affiliated threat actors, VoidLink employs sophisticated evasion techniques, runtime code encryption and adaptive behavior based on its environment. It can detect major cloud providers, such as AWS, Google Cloud and Azure, as well as Kubernetes and Docker, and tailor its operations accordingly.

While no real-world infections have been reported, its capabilities pose a significant threat to Linux defenders, emphasizing the need for proactive security measures.

Read the full story by Elizabeth Montalbano on Dark Reading.

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Alissa Irei is senior site editor of Informa TechTarget Security.