AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – 01-21-2026

Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026

Security researchers earned $516,500 after exploiting 37 zero-day vulnerabilities on the first day of the Pwn2Own Automotive 2026 competition in Tokyo. Synacktiv Team took home $35,000 after successfully chaining an information leak and an out-of-bounds write flaw to gain root permissions on the Tesla Infotainment System in the USB-based attack category. Teams also successfully hacked EV chargers from Alpitronic, ChargePoint, Phoenix Contact, and Autel, along with multiple in-vehicle infotainment systems.

UK government warns of continued Russian hacktivist DDoS attacks

The UK’s National Cyber Security Centre (NCSC) has issued an urgent alert warning that Russian-aligned hacktivist groups continue to target critical infrastructure and local government organizations with disruptive denial-of-service attacks. The advisory specifically highlights the activities of NoName057(16), a pro-Russian hacktivist group that has persistently targeted UK organizations since 2022. The NCSC urges all organizations, especially local authorities and critical national infrastructure operators, to strengthen their DoS defenses and operational resilience.

Tennessee man pleads guilty to hacking U.S. Supreme Court filing system

Nicholas Moore, 24, of Springfield, Tennessee, has pleaded guilty to repeatedly hacking the U.S. Supreme Court’s electronic filing system at least 25 times between August and October 2023. Moore also admitted to illegally accessing AmeriCorps’ internal portal and the Department of Veterans Affairs’ medical platform using stolen credentials. He bragged about his exploits by posting screenshots to an Instagram account under the handle “@ihackedthegovernment.” Moore faces up to one year in federal prison and a fine of up to $100,000 when sentenced in April.

Cloudflare patches ACME validation bug that allowed WAF bypass

Cloudflare has addressed a vulnerability in its Automatic Certificate Management Environment (ACME) validation logic that allowed attackers to bypass Web Application Firewall protections and access origin servers directly. Security researchers at FearsOff discovered that requests to the ACME HTTP-01 challenge path could be exploited to circumvent WAF rules, rate limiting, and other security controls. The flaw was fixed in October 2025, with Cloudflare confirming no evidence of active exploitation before the patch was deployed.

Critical ACF Extended WordPress plugin flaw affects 50,000+ sites

A critical vulnerability (CVE-2025-14533, CVSS 9.8) in the Advanced Custom Fields: Extended WordPress plugin allows unauthenticated attackers to gain administrator privileges on vulnerable websites. The flaw exists in the plugin’s user registration form handling, which fails to enforce role restrictions during user creation. With approximately 100,000 active installations, site owners are urged to update to version 0.9.2.2 immediately. Security firm GreyNoise reports large-scale WordPress plugin reconnaissance activity targeting 706 plugins across more than 40,000 enumeration events.
