Security alert: Windows 11 laptops

A security vulnerability affecting Windows 11 laptops has been identified. This is a global issue, and we are awaiting a fix from Microsoft. Increased vigilance is required until a fix has been provided.

Key risk

If a device is lost or stolen, any sensitive information stored on the laptop could be accessed.

Required additional actions

  • If you need to travel for work purposes (domestic or international) with your laptop, please contact the ITDS Service Desk in advance so we can add a temporary fix to ensure your device is secured.
  • For all normal use, please be extra careful when transporting or using your Windows 11 laptop in a public setting.

General safety

  • Please remember it’s your responsibility to take appropriate care of your BU-provided devices. This applies at all times.
  • Ensure your laptop/mobile device remains on your person or is stored safely, such as in a locked drawer or secure office.
  • Take additional care when travelling, working remotely, or using your laptop in public places.
  • When working from home, only you should use your laptop.
  • Report any lost, stolen or misplaced device immediately by calling the IT Service Desk 01202 965515 or 0808 196 2332.

How to identify if your BU assigned laptop is running Windows 11

  1. Right click on the start menu
  2. Select “System”
  3. On this page, scroll down to ‘Windows specifications’ and look for ‘Edition’. If this contains ‘Windows 11’, the laptop is running Windows 11 and is affected by this security vulnerability.
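For staff who prefer a command, or for ITDS checking devices in bulk, the same check can be made from PowerShell. This is an added example, not part of the original alert; it assumes that an OS build of 22000 or later identifies Windows 11, and it reads the build rather than only the registry ProductName, which can still read "Windows 10 …" on a device upgraded to Windows 11.

```powershell
# Added example (not from the original alert): report whether this device is
# running Windows 11. Assumption: build 22000 or later means Windows 11, which
# agrees with the 'Edition' check in the steps above. ProductName is shown for
# reference only, because on upgraded devices it may still say "Windows 10".
function Test-IsWindows11 {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ProductName    = $cv.ProductName      # not reliable on its own
        DisplayVersion = $cv.DisplayVersion   # e.g. 23H2
        Build          = $build
        IsWindows11    = ($build -ge 22000)   # the result that matters
    }
}

# Run on the local device; IsWindows11 = True means the laptop is affected.
Test-IsWindows11 | Format-List
```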

The Windows 11 rollout is currently paused. If you haven’t upgraded yet, you won’t be able to do so for now.

We’ll share an update once we have more information from Microsoft.

CISA Admin Leaked AWS GovCloud Keys on Github

From krebsonsecurity.com

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

[Critical] Emergency Security Update for Google Chrome: CVE-2026-3909 and CVE-2026-3910

Two high-severity zero-day vulnerabilities have been identified in Google Chrome and are confirmed to be actively exploited in the wild. These flaws allow attackers to execute malicious code or gain unauthorized memory access simply by tricking a user into visiting a compromised website.

  • CVE-2026-3909 (Out-of-bounds write in Skia): A flaw in the graphics engine that can lead to memory corruption and potential code execution.
  • CVE-2026-3910 (Inappropriate implementation in V8): A vulnerability in the JavaScript/WebAssembly engine allowing arbitrary code execution within the browser sandbox.

Impact

A remote attacker can leverage these vulnerabilities to compromise your device, steal sensitive data, or install malware. Because Chrome is a primary tool for university work and SaaS applications, these flaws represent a significant risk to personal and institutional information security.

Required Action

Staff and students are advised to manually trigger an update for their Chrome browser immediately.

Man accidentally gains control of 7,000 robot vacuums

From popsci.com

A software engineer’s earnest effort to steer his new DJI robot vacuum with a video game controller inadvertently granted him a sneak peek into thousands of people’s homes.

While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI’s remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries. The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing.

Lotus Blossom (G0030) and the Notepad++ Supply-Chain Espionage Campaign

From domaintools.com

In late 2025 and early 2026, a series of independent disclosures by software maintainers, security researchers, and national cyber authorities converged on an unsettling conclusion: for months, the update mechanism of one of the world’s most widely used open-source text editors had been quietly subverted. What initially appeared to be an isolated infrastructure anomaly was ultimately revealed to be a sustained compromise of the Notepad++ update pipeline, stretching back roughly six months. As investigators reconstructed the timeline, tracking unauthorized access to hosting infrastructure, lingering credentials that outlived initial remediation, and selectively altered update responses, a far more deliberate operation came into focus. This report is the product of analysis and parallel reconstruction of all public reporting on Lotus Blossom with additional research by DTI, drawing together technical forensics, victimology, and strategic context to assess both the campaign and the actor behind it.

‘Completely Deactivate Wi-Fi’—Cyber Agency Warns iPhone And Android Users

From forbes.com

There have been plenty of cyber agency warnings for smartphone users in recent weeks. Only use encrypted messaging. No more SMS security codes. Avoid commercial VPNs. And update phones as soon as you can — which is timely this week. But now there’s more — you’re told to “completely deactivate Wi-Fi” whenever it’s not in use.

Most of the above advice comes via CISA, America’s cyber defense agency, but the latest is from CERT-FR, France’s equivalent, in conjunction with the U.K.’s agency. There is already plenty of Wi-Fi advice, but to completely disable the interface is new.