Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

A Magecart skimming campaign active since 2022, CISA flags HPE OneView with a CVSS score of 10, ValleyRat malware silently steals data, a potential WhatsApp exploit claiming to attack without user interaction, and US National Labs quietly deploy AI to simulate cyber attacks. This is Cybersecurity Today. I'm your host, Jim Love.

A vast network of domains tied to a long-running and still active credit card skimming campaign has been uncovered, dating back to at least early 2022, according to new research. The operation targets multiple global payment networks including American Express, Diners Club, Discover and even MasterCard. The discovery comes from Silent Push, which published its findings after mapping infrastructure linked to what's broadly known as Magecart-style web skimming. Magecart isn't a single group. It's a label used for a class of attacks that inject malicious JavaScript, known as web skimmers, into online checkout pages. These techniques first gained attention through attacks against Magento-based stores, but the campaigns now target any e-commerce site that processes card payments. The skimmer runs in the customer's browser, copying payment details in real time and sending them to attacker-controlled servers. Because this happens on the client side, server logs and perimeter security tools often might not see the theft. In some cases, the only visible sign for users is a subtle friction during checkout. The skimmer may cause a page to ask for payment details to be re-entered, or for a step to be repeated that normally completes cleanly. Even if the transaction ultimately fails, card data may have already been captured. For consumers, this makes monitoring statements critical any time a checkout behaves unexpectedly. For site operators, Silent Push's findings underline the need for proactive code inspection: not just patching servers, but continuously validating the scripts actually running in production checkout flows.

A maximum severity bug in HPE OneView has landed on CISA's Known Exploited Vulnerabilities list, which is the US government's way of saying there's evidence it's being used in real-world attacks. The vulnerability is CVE-2025-37164, rated with a CVSS score of 10. It's an unauthenticated remote code execution issue in HPE OneView, a platform that is used to manage servers, storage and networking from a central control plane. Now, a key nuance: Dark Reading reports that HPE's advisory does not say the bug is under active exploitation, and an HPE spokesperson told Dark Reading that they haven't received customer reports of it being exploited. Rapid7, another company monitoring this, also said it hasn't observed exploitation, but CISA's KEV addition still raises the urgency level because that list is based on evidence of exploitation. Either way, the remediation is straightforward and urgent. Patch immediately. HPE has released a hotfix, and Rapid7's guidance is to treat this like an assumed breach scenario because OneView sits in a highly privileged position in the network.

Security researchers are warning about an active malware campaign known as ValleyRat, designed to quietly compromise organizations and steal financial and credential data while maintaining long-term access to affected systems. ValleyRat is a remote access Trojan, or RAT, which gives attackers ongoing control of infected machines. According to the researchers, its primary goal is data theft, including financial information and credentials that can later be monetized or used for deeper access. The malware is typically delivered through phishing or malicious downloads. Once installed, it can execute commands remotely, collect system and user data, and deploy additional payloads. Researchers say it relies heavily on legitimate Windows tools, so living-off-the-land techniques allow it to blend in with normal system activity. Persistence is also a key feature. ValleyRat establishes multiple footholds on a system, making it difficult to fully remove and allowing it to survive reboots and partial cleanup efforts. Traditional antivirus alone is unlikely to catch this type of threat. Detection depends on behavioral monitoring: watching for unusual use of PowerShell or other native tools, unexpected outbound connections to unfamiliar hosts, and persistence mechanisms that reappear after removal attempts. On remediation, organizations should assume credentials on infected systems are compromised. Rebuilding affected endpoints may be safer than attempting piecemeal cleanup. ValleyRat isn't dangerous because it's loud. It's dangerous because it's patient. For security teams, the absence of alerts doesn't mean the absence of attackers, especially when the malware is designed to look like normal activity and wait quietly for its moment to attack.

Security researchers are warning about a suspected, and I emphasize suspected, zero-day vulnerability in WhatsApp. This vulnerability could allow attackers to compromise smartphones through a voice call without the user even having to answer. The attack was reported by The420.in, which says that the exploit has been observed in targeted attacks which may already be in use. According to the report, the attack abuses how WhatsApp processes incoming voice call data. A specially crafted call can trigger code execution on the target device simply by being received. No click, tap or interaction is required, and that puts it in the category of so-called zero-click attacks, which are especially dangerous because they bypass user awareness entirely. The reporting suggests that both Android and iOS devices may be affected, though technical details remain limited. There is no indication of mass exploitation, and Meta, which owns WhatsApp, has not publicly confirmed the vulnerability or released patch details. That lack of confirmation matters, but the attack pattern itself is familiar. So far no independent security lab or national CERT has published corroborating technical analysis, and some authorities have said they have not confirmed any such cases. But WhatsApp has been targeted before with call-based zero-click exploits, often linked to high-end surveillance operations where stealth and persistence are more important than scale. So until more details are available, mitigation options are limited. Users should ensure WhatsApp is fully updated and restrict who can call them where possible. For organizations, unexplained crashes, overheating or battery drain following missed calls should be treated as potential indicators worth investigating.

And finally, some of the most important advances in cyber defenses are happening quietly inside US national laboratories, and the fact that we're hearing about one of them might be the most telling detail of all. According to reporting by Axios, national labs such as Los Alamos National Laboratory, Sandia National Laboratories and Lawrence Livermore National Laboratory are behind major, largely unseen advances in cybersecurity and AI defense. At Pacific Northwest National Laboratory in Washington State, scientists have reportedly built a generative AI-powered system that allows defenders to rapidly simulate cyber attacks against their own organizations. The idea is to model how real adversaries might probe, adapt and escalate before they do it for real. Instead of reacting to incidents after the fact, defenders can stress-test their environments against AI-driven attack scenarios and identify weak points much earlier. Now, there's an old rule in national security: if you're hearing about a classified capability, it's probably already been surpassed internally. And the same logic applies here. Publicly disclosed AI defense projects may signal that the US Government believes it's making real progress in keeping pace with adversarial AI, even if most of that race remains deliberately out of view.

And that's our show. We'd like to thank Meter for their continuing support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity into a space. They design the hardware and the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. I'm your host, Jim Love. Thanks for listening.
Episode: HPE OneView Vulnerability Hits CISA Known Exploited List
Date: January 14, 2026
This episode delivers critical updates on recent cybersecurity threats impacting businesses worldwide, including new credit card skimming campaigns (Magecart), a high-severity vulnerability in HPE OneView flagged by CISA, emergent ValleyRat malware threats, rumors of a zero-click WhatsApp exploit, and the use of AI-powered defensive cyber simulations in U.S. national laboratories. Host Jim Love underscores the need for proactive, layered defense strategies as attacks evolve in subtlety and sophistication.
Timestamp: 01:10–03:40
Discovery:
A vast, active Magecart skimming campaign has been uncovered, operating since at least 2022 and targeting global payment card networks such as American Express, Diners Club, Discover, and MasterCard.
How Magecart Works:
Magecart isn’t a single group; it's an umbrella term for attacks using web skimmers—malicious JavaScript injected into online checkout pages to siphon payment details in real time. Originally spotted on Magento stores, these attacks now endanger any e-commerce platforms processing payments.
Threat Dynamics:
Since skimming happens client-side, it's often invisible to perimeter security; server logs may not reflect the intrusion. User-visible signs are minimal—perhaps a sudden request to re-enter payment info—but data may already be stolen, even if transactions fail.
Recommendations:
Consumers should monitor card statements whenever a checkout behaves unexpectedly. Site operators need proactive code inspection: not just patching servers, but continuously validating the scripts actually running in production checkout flows.
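The operator recommendation, continuously validating which scripts actually run on a production checkout page, can be turned into a simple drift check: keep a baseline of the script origins and inline-script hashes that are supposed to be there, and report anything else for inspection. The following is an added example, not Silent Push's or the podcast's code; the checkout HTML, the host allowlist, the inline-script baseline and the placeholder host `cdn.attacker-placeholder.invalid` are all constructed for illustration.

```python
"""Checkout-page script drift check (added example; not Silent Push's or the podcast's code).

Baseline = the script hosts and inline-script SHA-256 digests expected on the
checkout page. Any external script from another host, or any inline block whose
hash is not in the baseline, is reported so an operator can inspect it.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of <script src=...>
        self.inline = []          # bodies of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script content may arrive in several chunks; buffer until </script>.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(text):
    """Hash an inline script body with surrounding whitespace removed."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def check_checkout_scripts(html, allowed_hosts, allowed_inline_hashes):
    """Return (finding_type, detail) tuples for scripts not covered by the baseline.

    allowed_hosts: hostnames permitted to serve scripts; '' covers relative (same-origin) URLs.
    allowed_inline_hashes: SHA-256 hex digests of the known inline scripts.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()          # '' for a relative src
        if host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in allowed_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    return findings


# --- Constructed sample data (not from any real store) ---------------------------
BASELINE_INLINE = """
window.checkoutConfig = {currency: "USD"};
"""

CLEAN_PAGE = f"""<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.com/v3/pay.js"></script>
<script>{BASELINE_INLINE}</script>
</head><body>checkout form here</body></html>"""

# Same page with one extra third-party script and one unknown inline block injected.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn.attacker-placeholder.invalid/loader.js"></script>\n'
    "<script>/* unknown inline block */ var injected = 1;</script></head>",
)

ALLOWED_HOSTS = {"", "js.example-psp.com"}            # same-origin plus the payment provider
ALLOWED_INLINE = {sha256_hex(BASELINE_INLINE)}        # hashes of reviewed inline scripts


def audit(page):
    """Run the drift check against the constructed baseline."""
    return check_checkout_scripts(page, ALLOWED_HOSTS, ALLOWED_INLINE)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit(page))
```

In production the input would be the page as the browser actually renders it (scripts added at runtime are invisible in the raw HTML, so a headless-browser snapshot is the realistic source), and the check complements rather than replaces a Content Security Policy and Subresource Integrity attributes on third-party scripts.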
Timestamp: 03:41–06:10
Issue Summary:
A maximum severity (CVSS 10) remote code execution bug in HPE OneView makes it onto CISA’s Known Exploited Vulnerabilities (KEV) list. This platform centrally manages servers, storage, and networking.
Debate Over Exploitation Evidence:
HPE maintains that there are no known customer reports of exploitation, and Rapid7 corroborates, having seen no incidents. However, CISA’s listing is based on some evidence of exploitation, increasing the urgency for users.
Risk & Remediation:
Because OneView occupies a highly privileged network spot, the recommendation is unequivocal:
“The remediation is straightforward and urgent. Patch immediately. HPE has released a hotfix…” (Jim Love, 05:55)
Rapid7 advises treating the situation as if a breach has already occurred.
Timestamp: 06:11–08:05
Malware Capabilities:
ValleyRat is a new remote access trojan meant to silently steal financial data and credentials, maintain long-term surreptitious access, and facilitate lateral movement.
Stealth Techniques:
ValleyRat utilizes legitimate Windows tools (“living off the land”) to evade detection, blends in with normal activity, and establishes multiple persistent footholds.
Remediation Advice:
Traditional antivirus alone is unlikely to catch it; detection depends on behavioral monitoring for unusual use of PowerShell or other native tools, unexpected outbound connections to unfamiliar hosts, and persistence mechanisms that reappear after removal attempts. Assume credentials on infected systems are compromised, and consider rebuilding affected endpoints rather than piecemeal cleanup.
Quote Highlight:
“ValleyRat isn’t dangerous because it’s loud. It’s dangerous because it’s patient. For security teams, the absence of alerts doesn’t mean the absence of attackers…” (Jim Love, 07:40)
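The segment's detection guidance (unusual PowerShell or native-tool use, unexpected outbound connections to unfamiliar hosts, persistence that returns after removal) can be expressed as three behavioral rules over endpoint telemetry. This is an added example, not code from the podcast or from the ValleyRat researchers: the event lines, the simplified JSON schema, the parent-process and destination allowlists, the `ws17`/`ws04` hosts and the `SysHelper` Run value are all constructed. The page does not state which parents, destinations or registry locations ValleyRat actually uses, so the rules illustrate the behavioral approach rather than confirmed indicators.

```python
"""Behavioral triage over endpoint telemetry (added example; not the podcast's or the researchers' code).

Rules: (1) a native tool launched by a parent that has no ordinary reason to
spawn one, (2) a native tool connecting to a host not on the known list,
(3) a persistence artefact recreated after it was removed. Event records use a
constructed JSON-lines shape, not any vendor's real schema.
"""
import json
from collections import defaultdict

# Windows native tools commonly abused for living-off-the-land execution.
NATIVE_TOOLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that should not normally spawn a shell or script host (constructed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}
# Destinations the organization recognizes (constructed allowlist).
KNOWN_HOSTS = {"updates.example-corp.internal", "login.microsoftonline.com"}

# Constructed telemetry: ws17 shows all three behaviors, ws04 shows benign admin use.
SAMPLE_EVENTS = r'''
{"ts":"2026-01-14T09:02:11Z","host":"ws17","type":"process","image":"powershell.exe","parent":"winword.exe","user":"alice"}
{"ts":"2026-01-14T09:02:12Z","host":"ws17","type":"network","image":"powershell.exe","dest":"203.0.113.45","port":443}
{"ts":"2026-01-14T09:03:40Z","host":"ws17","type":"persistence","action":"created","artefact":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper"}
{"ts":"2026-01-14T10:15:00Z","host":"ws17","type":"persistence","action":"removed","artefact":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper"}
{"ts":"2026-01-14T10:16:05Z","host":"ws17","type":"persistence","action":"created","artefact":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper"}
{"ts":"2026-01-14T11:00:00Z","host":"ws04","type":"process","image":"powershell.exe","parent":"explorer.exe","user":"bob-admin"}
{"ts":"2026-01-14T11:00:30Z","host":"ws04","type":"network","image":"powershell.exe","dest":"updates.example-corp.internal","port":443}
{"ts":"2026-01-14T11:05:00Z","host":"ws04","type":"network","image":"chrome.exe","dest":"203.0.113.9","port":443}
'''


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Apply the three behavioral rules in event order and return alert dicts."""
    alerts = []
    persist_state = defaultdict(str)   # (host, artefact) -> last action seen
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["type"] == "process" and image in NATIVE_TOOLS:
            if ev.get("parent", "").lower() in SUSPICIOUS_PARENTS:
                alerts.append({"rule": "native-tool-unusual-parent", "host": ev["host"],
                               "detail": f"{image} spawned by {ev['parent']} as {ev.get('user')}"})
        elif ev["type"] == "network" and image in NATIVE_TOOLS:
            if ev["dest"] not in KNOWN_HOSTS:
                alerts.append({"rule": "native-tool-unfamiliar-destination", "host": ev["host"],
                               "detail": f"{image} -> {ev['dest']}:{ev['port']}"})
        elif ev["type"] == "persistence":
            key = (ev["host"], ev["artefact"])
            # "Reappears after removal": created again after we last saw it removed.
            if ev["action"] == "created" and persist_state[key] == "removed":
                alerts.append({"rule": "persistence-reappeared", "host": ev["host"],
                               "detail": ev["artefact"]})
            persist_state[key] = ev["action"]
    return alerts


def hosts_to_rebuild(alerts, threshold=2):
    """Hosts where at least `threshold` distinct rules fired: rebuild candidates, per the segment's advice."""
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert["host"]].add(alert["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(alert["host"], alert["rule"], alert["detail"])
    print("rebuild:", hosts_to_rebuild(found))
```

The point of the third rule is the one the segment stresses: a single cleanup is not evidence of success, so the state machine keeps the last action per artefact and only alerts when a removed item comes back. Real deployments would replace the constructed allowlists with the organization's own baseline and feed events from the EDR or Sysmon pipeline.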
Timestamp: 08:06–10:30
The Vulnerability:
Reports (unconfirmed) detail a zero-day allowing attackers to compromise smartphones via a specially-crafted WhatsApp voice call—even if the call isn’t answered.
Scope & Concerns:
Details are scant; both iOS and Android devices could be vulnerable, but Meta has neither confirmed the flaw nor provided a patch. No independent analysis or mass exploitation has been reported so far.
Cautionary Measures:
Keep WhatsApp fully updated and restrict who can call where possible. Organizations should treat unexplained crashes, overheating, or battery drain following missed calls as potential indicators worth investigating.
Perspective:
“So until more details are available, mitigation options are limited. Users should ensure WhatsApp is fully updated and restrict who can call them where possible…” (Jim Love, 10:12)
Timestamp: 10:31–12:20
Breakthroughs in Defense:
U.S. national laboratories are pioneering generative AI tools to simulate cyber attacks. At Pacific Northwest National Laboratory, AI models adversarial tactics so defenders can proactively test environments and uncover vulnerabilities before real attackers strike.
Insightful Observation:
“If you’re hearing about a classified capability, it’s probably already been surpassed internally. And the same logic applies here…” (Jim Love, 11:58)
Publicly acknowledged projects may indicate that the U.S. is already several steps ahead in the AI cyber race.
On Magecart:
“Magecart isn’t a single group. It’s a label used for a class of attacks that inject malicious JavaScript … The skimmer runs in the customer’s browser, copying payment details in real time and sending them to attacker-controlled servers.” (Jim Love, 01:50)
On Silent Threats:
“ValleyRat isn’t dangerous because it’s loud. It’s dangerous because it’s patient.” (Jim Love, 07:40)
On National Security:
“There’s an old rule in national security—if you’re hearing about a classified capability, it’s probably already been surpassed internally.” (Jim Love, 11:58)
Jim Love delivers the news in a direct, pragmatic, and informative style. He provides both technical depth and practical security recommendations, balancing urgency with calm guidance. The tone is professional yet accessible, encouraging vigilance without fear-mongering.
The episode underscores a central tenet: cyber threats continue to evolve, often bypassing traditional security measures through patience and subtlety. Enterprises and individuals alike must adopt continuous monitoring, rapid patching, and behavioral detection tools, while remaining alert to both confirmed and rumored vulnerabilities. On the cutting edge, government investment in AI-driven simulation may keep defenders a step ahead, but public disclosure only hints at deeper capabilities.